chainofexecution / Arcadyan-KVD21

Hardware Hacking diary for the T-Mobile 5G Home Internet Gateway (The KVD21 from Arcadyan, not the FastMile from Nokia)
GNU General Public License v3.0

Is this project abandoned? #1

Open mentaluproar opened 1 year ago

mentaluproar commented 1 year ago

Have you given up on this project? It looks like my only hope of finding a way to disable the built in routing functions and use my own external router without double NATting.

chainofexecution commented 1 year ago

TL;DR: for now.

I tried fuzzing the router's config login page for vulnerabilities and actually got the web server to permanently crash, but I lost the hard drive to mechanical failure and therefore lost the wordlist I used (which was a few popular command-injection wordlists for Unix/Linux/websites on GitHub, combined). To make matters worse, I incorrectly set the options for the command I was using (wfuzz, I think), so I did not get to see what string caused the crash. 😅 I know the login page is vulnerable but do not know the string that gets it to crash, and the web server only displays 404s now, so I can't continue that avenue.

I tried getting a prompt that wasn't locked down and found some scripts for unlocking MediaTek bootloaders. The best luck I've had with these scripts is getting the device to switch to EDL, but none of the MediaTek software recognizes it, and the scripts do not support ROM dumps for this SoC yet. I'm not going to be able to get into this thing until one of the MediaTek bootloader dump scripts adds support for this SoC, so in the hope that someone else can do what I could not, I will update the repo with all available logs and data I have on this device later on today.

rosenrot00 commented 1 year ago

As you managed to enter EDL, tools like https://github.com/bkerler/mtkclient should be able to unlock the bootloader, shouldn't they? From what I see on their website, the variants should be supported: MT6885/MT6883/MT6889/MT6880/MT6890 (Dimensity 1000L/1000).

There is also this tool: https://spflashtool.com, which can download images once the scatter file is available. By searching a bit I found a scatter file over here; I guess it would need to be reformatted into txt style: https://github.com/jchuang1977/XS_SDK_ImageBuilder/blob/66831c093249e8bc06d71f24894331fda192e8ed/imagebuilder/staging_dir/target-aarch64_cortex-a55%2Bneon-vfpv4_musl/image/MT6890_openwrt_scatter.xml

What do you think?

rosenrot00 commented 1 year ago

These tools should work by using a USB port and not by going through the UART port as far as I understood it. Did you try the scripts on USB ports?

NeverBehave commented 1 year ago

> These tools should work by using a USB port and not by going through the UART port as far as I understood it. Did you try the scripts on USB ports?

Maybe to add a not-really-useful data point: there is no response (lsusb) if you plug directly into that port after starting up. Not really sure what that is about.

qleseid commented 11 months ago

The USB port does show up for a second during boot, but then quickly disconnects. I get the following:

[Screenshot from 2023-08-02 10-59-17]

Also, has anyone successfully connected through UART? My device doesn't send anything over the 4 debug pins shown in the teardown photos.

qleseid commented 11 months ago

> TL;DR: for now.
>
> I tried fuzzing the router's config login page for vulnerabilities and actually got the web server to permanently crash, but I lost the hard drive to mechanical failure and therefore lost the wordlist I used (which was a few popular command-injection wordlists for Unix/Linux/websites on GitHub, combined). To make matters worse, I incorrectly set the options for the command I was using (wfuzz, I think), so I did not get to see what string caused the crash. 😅 I know the login page is vulnerable but do not know the string that gets it to crash, and the web server only displays 404s now, so I can't continue that avenue.
>
> I tried getting a prompt that wasn't locked down and found some scripts for unlocking MediaTek bootloaders. The best luck I've had with these scripts is getting the device to switch to EDL, but none of the MediaTek software recognizes it, and the scripts do not support ROM dumps for this SoC yet. I'm not going to be able to get into this thing until one of the MediaTek bootloader dump scripts adds support for this SoC, so in the hope that someone else can do what I could not, I will update the repo with all available logs and data I have on this device later on today.

Is there any chance you remember where you found or stored these 'scripts'? I'd love to pick this project back up if at all possible. BTW, what does EDL stand for, and how did you get the device into it?