This tool has magic superpowers! #2

PinkyAcorn opened this issue Oct 20, 2022 · 0 comments

Hi dear Frédéric!

First of all, thanks for your wonderful blog. Your work and your articles about it are truly breathtaking!
Then my little miracle story:

I've got a bricked Mi Box 3 (MDZ-16-AB), which is based on the Amlogic S905X SoC.
The box is so hard-bricked that it cannot boot to the U-Boot shell.
The standard flashing process did not work for me, and the only solution left is desoldering the eMMC chip...

But then I found your article about hacking the Amlogic S905D3 (thanks!).
I thought that maybe with the amlogic-usbdl tool and the right payload I could flash it via USB.
I also found the update tool from the Khadas utils repo.

The update tool includes a read command that can be used to read arbitrary memory at a specified address.
In a silly attempt, I tried to read the BootROM memory (offset 0xd9040000, size 0x10000 for S905X), but of course I only got errors back:

> ./update read 0x10000 0xd9040000
[read],value=200,index=1,len=512,ret=-71 error_msg=error sending control message: Protocol error
[read],value=200,index=1,len=512,ret=-19 error_msg=error sending control message: No such device
[read],value=200,index=1,len=512,ret=-19 error_msg=error sending control message: No such device
[update]ERR(L638):read device failed

Then I tried to run amlogic-usbdl.
Oddly enough, the tool reported success:

> ./amlogic-usbdl ./payloads/dump_bootrom_uart.bin
- exploit: starting.
- exploit: sending payload...
libusb_bulk_transfer: transferred=256, transfers left=1078
...
libusb_bulk_transfer: transferred=256, transfers left=824
- exploit: sending 823 dummy transfers...
libusb_bulk_transfer[0]: transferred=0
...
libusb_bulk_transfer[822]: transferred=0
- exploit: sending last transfer to overwrite RAM...
libusb_bulk_transfer: transferred=140
- exploit: done.

But the payload didn't start and nothing visible happened.

Then I ran update read again and... my terminal was filled with a juicy BootROM dump!
I just couldn't believe what had happened!

> ./amlogic-usbdl ./payloads/dump_bootrom_uart.bin && ./update read 0x10000 0xD9040000
- exploit: starting.
- exploit: sending payload...
libusb_bulk_transfer: transferred=256, transfers left=1078
...
libusb_bulk_transfer: transferred=256, transfers left=824
- exploit: sending 823 dummy transfers...
libusb_bulk_transfer[0]: transferred=0
...
libusb_bulk_transfer[822]: transferred=0
- exploit: sending last transfer to overwrite RAM...
libusb_bulk_transfer: transferred=140
- exploit: done.

D9040000: aa1f03e0 aa1f03e1 aa1f03e2 aa1f03e3 
D9040010: aa1f03e4 aa1f03e5 aa1f03e6 aa1f03e7 
D9040020: aa1f03e8 aa1f03e9 aa1f03ea aa1f03eb 
D9040030: aa1f03ec aa1f03ed aa1f03ee aa1f03ef 
D9040040: aa1f03f0 aa1f03f1 aa1f03f2 aa1f03f3 
D9040050: aa1f03f4 aa1f03f5 aa1f03f6 aa1f03f7 
D9040060: aa1f03f8 aa1f03f9 aa1f03fa aa1f03fb 
D9040070: aa1f03fc aa1f03fd aa1f03fe 58000d60 
...

After converting this text dump to binary form I ran some commands.
As far as I can tell, my dump is pretty legit!

> sha1sum MDZ-16-AB.bootrom.bin
d3b9d047900186ad33b8db2fab1201b243c1aebe  MDZ-16-AB.bootrom.bin

> wc -c MDZ-16-AB.bootrom.bin
65536 MDZ-16-AB.bootrom.bin

> strings -13 MDZ-16-AB.bootrom.bin
auth failed, reboot...
9ac50ebe6991987
pepsi.amlogic.c
02/19/16_15:11:49
gcc version 4.8
9ac50ebe6991987
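A small parser for the `update read` text dump format shown above, added here as an example and not part of amlogic-usbdl or the Khadas update tool: it re-packs each printed word as a 32-bit little-endian value, skips the tools' progress and error lines, refuses a non-contiguous dump, and reproduces the size and SHA-1 checks from the post. The little-endian word order is an assumption; the `mov xN, xzr` check on the first words is the sanity test for it, since that is how the ROM in the dump begins.

```python
import hashlib
import re
import struct

# One `update read` dump line: "<addr>: <word> <word> <word> <word>"
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8})+)\s*$")

# Constructed sample: the first dump lines from the issue, with one of the
# tool's error lines interleaved to show that non-dump chatter is skipped.
SAMPLE_DUMP = """\
D9040000: aa1f03e0 aa1f03e1 aa1f03e2 aa1f03e3
D9040010: aa1f03e4 aa1f03e5 aa1f03e6 aa1f03e7
[read],value=200,index=1,len=512,ret=-71 error_msg=error sending control message: Protocol error
D9040020: aa1f03e8 aa1f03e9 aa1f03ea aa1f03eb
"""


def parse_update_read_dump(text):
    """Return (start_address, data) for an `update read` text dump.

    Assumption: each word is a 32-bit little-endian value ('<I'). Gaps or
    overlaps between dump lines raise ValueError (a truncated image still hashes).
    """
    data = bytearray()
    start = expected = None
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # exploit/progress/error lines printed by the tools
        addr = int(m.group(1), 16)
        words = [int(w, 16) for w in m.group(2).split()]
        if start is None:
            start = addr
        elif addr != expected:
            raise ValueError(f"dump not contiguous at {addr:#010x}, expected {expected:#010x}")
        data += b"".join(struct.pack("<I", w) for w in words)
        expected = addr + 4 * len(words)
    if start is None:
        raise ValueError("no dump lines found")
    return start, bytes(data)


def is_mov_xn_xzr(word):
    """True if `word` is AArch64 `mov xN, xzr` (ORR Xd, XZR, XZR = 0xAA1F03E0 | N).
    The ROM in the issue opens with a run of these, which confirms the word
    order chosen above before trusting sha1sum/strings on the result."""
    return word & 0xFFFFFFE0 == 0xAA1F03E0


def summarize(data):
    """Size and SHA-1 of the image, the same checks run in the issue."""
    return len(data), hashlib.sha1(data).hexdigest()
```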
