bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

New seccfg method? #829

Status: Closed (phhusson closed this issue 5 months ago)

phhusson commented 1 year ago

Hello,

My device (TCL Nxtpaper 11) won't unlock with `mtk da seccfg unlock`. After spending some time decompiling the preloader, my understanding is:

  1. sej_sec_cfg_hw_V3 is still applied to the signature to decrypt the signature stored on the device.
  2. The hash is no longer sha256; instead it is made of calls to SBROM (or SaSi? I don't really know). I see clear calls to SaSi_SB_AddDescSequence and SB_HalWaitDescCompletion, but the descriptors look largely different from those in da_x.

I've attached my current state of decompilation in Ghidra. I called the interesting entry point load_seccfg; we can see the call to sej_aes_crypt on the checksum field read from disk, but then we see a call to seccfg_follow_up to compute the hash, and it is more convoluted. I had a hard time tracking everything, but it looks like it initializes something with sbrom_aes_cmac_and_something, then the hashes are computed (through indirect function calls) with sbrom_something and then sbrom_something2, which add SaSi_SB descriptors that don't look like what's in da_x.

I'm starting to get lost here, so I'm happy to take any recommendation.

preloader_eternals_11.bin.zip
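To make the check described in the post concrete, here is an added Python example (not mtkclient's code and not from the issue). It models the older flow the post contrasts against: the preloader recomputes SHA-256 over the configuration fields and compares it with the stored hash after the hardware step has decrypted it. The field layout, the `placeholder_hw_crypt` stand-in for `sej_sec_cfg_hw_V3`, and all sample values are assumptions made for this example; the real hardware transform is keyed by the SoC and is replaced here by a labelled XOR keystream so the code runs offline.

```python
import hashlib
import hmac
import struct

# Constructed seccfg layout used for this example (an assumption, not mtkclient's own struct):
# seven little-endian u32 fields followed by a 32-byte hash field.
SECCFG_MAGIC = 0x4D4D4D4D
SECCFG_ENDFLAG = 0x45454545
HEADER_FMT = "<7I"  # magic, version, size, lock_state, critical_lock_state, sboot_runtime, endflag
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 28 bytes
HASH_SIZE = 32
LOCK_STATE_OFFSET = 12  # byte offset of lock_state within the header

# Stand-in for the device-bound hardware AES step (the sej_sec_cfg_hw_V3 call in the thread).
# The real step uses a key that never leaves the SoC; this XOR keystream exists only so the
# example runs offline. It is an involution, so one function serves as encrypt and decrypt.
_PLACEHOLDER_KEYSTREAM = hashlib.sha256(b"constructed placeholder, not a real key").digest()


def placeholder_hw_crypt(data: bytes) -> bytes:
    """Constructed stand-in for the hardware-keyed transform applied to the stored hash."""
    return bytes(b ^ k for b, k in zip(data, _PLACEHOLDER_KEYSTREAM))


def parse_seccfg(blob: bytes) -> dict:
    """Split a seccfg blob into header fields, the hashed body and the stored (transformed) hash."""
    if len(blob) < HEADER_SIZE + HASH_SIZE:
        raise ValueError("seccfg blob too short")
    magic, version, size, lock_state, critical_lock_state, sboot_runtime, endflag = \
        struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != SECCFG_MAGIC or endflag != SECCFG_ENDFLAG:
        raise ValueError("bad seccfg magic/endflag")
    return {
        "version": version,
        "size": size,
        "lock_state": lock_state,
        "critical_lock_state": critical_lock_state,
        "sboot_runtime": sboot_runtime,
        "body": blob[:HEADER_SIZE],  # everything the hash covers
        "stored_hash": blob[HEADER_SIZE:HEADER_SIZE + HASH_SIZE],
    }


def verify_seccfg(blob: bytes, hw_decrypt=placeholder_hw_crypt) -> bool:
    """Recompute SHA-256 over the body and compare it with the decrypted stored hash.

    This mirrors the pre-change check the thread describes: run the hardware step over the
    on-disk hash, then compare against SHA-256 of the configuration fields. A constant-time
    compare is used so the result does not leak how many bytes matched.
    """
    cfg = parse_seccfg(blob)
    expected = hashlib.sha256(cfg["body"]).digest()
    actual = hw_decrypt(cfg["stored_hash"])
    return hmac.compare_digest(expected, actual)


def make_sample_seccfg(lock_state: int, critical_lock_state: int = 1, sboot_runtime: int = 0,
                       version: int = 4, hw_encrypt=placeholder_hw_crypt) -> bytes:
    """Build a constructed sample blob whose hash is consistent with its fields (test data only)."""
    body = struct.pack(HEADER_FMT, SECCFG_MAGIC, version, HEADER_SIZE + HASH_SIZE,
                       lock_state, critical_lock_state, sboot_runtime, SECCFG_ENDFLAG)
    return body + hw_encrypt(hashlib.sha256(body).digest())


# Constructed inputs: a consistent sample, and the same bytes with lock_state changed
# without recomputing the hash, which the integrity check must reject.
SAMPLE_CONSISTENT = make_sample_seccfg(lock_state=1)
_tampered = bytearray(SAMPLE_CONSISTENT)
struct.pack_into("<I", _tampered, LOCK_STATE_OFFSET, 3)
SAMPLE_TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print("consistent sample verifies:", verify_seccfg(SAMPLE_CONSISTENT))  # True
    print("tampered sample verifies:", verify_seccfg(SAMPLE_TAMPERED))      # False
```

The point of the tampered sample is the one the thread turns on: the hash binds the lock-state fields, so any change to them is only accepted if the stored hash was regenerated through the hardware-keyed step. Whatever replaces SHA-256 on the newer preloader, the verification shape (parse, hash the body, decrypt the stored value, constant-time compare) is what to look for when tracing `load_seccfg`.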

sarunelis commented 1 year ago

Your file isn't a zip or a Ghidra project.

phhusson commented 1 year ago

Right, I had to rename preloader_eternals_11.bin.ghz to preloader_eternals_11.bin.zip to make GitHub happy. Rename it back to preloader_eternals_11.bin.ghz.

sarunelis commented 1 year ago

OK, I see. I corrected it a bit:
https://drive.google.com/file/d/1QUN-a2qN0-eDEqHuMXNYL7C6u2pxBFgH/view?usp=drive_link _noGFH file

Shakib-BD commented 1 year ago

Wew. Phh sur 🥹

bkerler commented 11 months ago

@phhusson Sasi (dxcc) is only used for decryption of the data. However on newer devices, it's decrypted by the modem normally. I can have a look at the preloader. If you can give me your seccfg, I can have a look at it.

GreenIOur commented 11 months ago

Maybe this helps with understanding the boot process of newer devices: https://mediatek.gitlab.io/aiot/doc/aiot-dev-guide/master/sw/yocto/secure-boot.html#secure-boot-bl1-to-bl2