diff --git a/mtk b/mtk
index 937be762..2bbfa0fb 100755
--- a/mtk
+++ b/mtk
@@ -614,12 +614,13 @@ if __name__ == '__main__':
 parser_ess.add_argument('--uart_addr', help='Set payload uart_addr value')
 parser_ess.add_argument('--da_addr', help='Set a specific da payload addr')
 parser_ess.add_argument('--brom_addr', help='Set a specific brom payload addr')
- parser_ess.add_argument('--ptype', help='Set the payload type ( "amonet","kamakiri",'
- '"kamakiri2","carbonara" kamakiri2/da used by default)')
+ parser_ess.add_argument('--ptype',
+ help='Set the payload type ( "amonet","kamakiri","kamakiri2","carbonara" kamakiri2/da used by default)')
 parser_ess.add_argument('--preloader', help='Set the preloader filename for dram config')
 parser_ess.add_argument('--verifystage2', help='Verify if stage2 data has been written correctly')
- parser_ess.add_argument('--parttype', help='Partition type\n\t\tEMMC: [user, boot1, boot2, '
- 'gp1, gp2, gp3, gp4, rpmb]\t\tUFS: [lu0, lu1, lu2, lu0_lu1]')
+ parser_ess.add_argument('--parttype', help='Partition type\n' +
+ '\t\tEMMC: [user, boot1, boot2, gp1, gp2, gp3, gp4, rpmb]' +
+ '\t\tUFS: [lu0, lu1, lu2, lu0_lu1]')
 parser_ess.add_argument('--filename', help='Optional filename')
 parser_ess.add_argument('--crash', help='Enforce crash if device is in pl mode to enter brom mode')
 parser_ess.add_argument('--socid', help='Read Soc ID')
diff --git a/mtkclient/Library/DA/mtk_da_handler.py b/mtkclient/Library/DA/mtk_da_handler.py
index 8eb92bf2..e327876e 100755
--- a/mtkclient/Library/DA/mtk_da_handler.py
+++ b/mtkclient/Library/DA/mtk_da_handler.py
@@ -89,9 +89,12 @@ def configure_da(self, mtk, preloader):
 if mtk.config.target_config["daa"] and mtk.config.is_brom:
 mtk = mtk.bypass_security()
 self.mtk = mtk
- self.info("Device is protected.")
+ if self.mtk.daloader.patch :
+ self.info("Device was protected. Successfully bypassed security.")
+ else:
+ self.info("Device is protected.")
 if mtk is not None:
- if mtk.config.is_brom:
+ if mtk.config.is_brom and self.mtk.daloader.patch:
 self.info("Device is in BROM mode. Trying to dump preloader.")
 if preloader is None:
 preloader = self.dump_preloader_ram()
diff --git a/mtkclient/Library/DA/xflash/xflash_lib.py b/mtkclient/Library/DA/xflash/xflash_lib.py
index fc1c6882..34c603d0 100755
--- a/mtkclient/Library/DA/xflash/xflash_lib.py
+++ b/mtkclient/Library/DA/xflash/xflash_lib.py
@@ -19,6 +19,7 @@
 from queue import Queue
 from threading import Thread
+ rq = Queue()
diff --git a/mtkclient/Library/Exploit/kamakiri2.py b/mtkclient/Library/Exploit/kamakiri2.py
index 0269a445..52d34f94 100755
--- a/mtkclient/Library/Exploit/kamakiri2.py
+++ b/mtkclient/Library/Exploit/kamakiri2.py
@@ -1,8 +1,10 @@
 #!/usr/bin/python3
 # -*- coding: utf-8 -*-
 # (c) B.Kerler 2018-2023 GPLv3 License
+import hashlib
 import logging
 import array
+import os
 from binascii import hexlify
 from struct import pack, unpack
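Review bot: `self.mtk.daloader.patch` is dereferenced on the new line directly after `self.mtk = mtk`, before the existing `if mtk is not None:` guard, so when `bypass_security()` returns None the new branch raises AttributeError where the old code only logged "Device is protected." and fell through to the guard. Folding the None check into the new condition, e.g. `if mtk is not None and self.mtk.daloader.patch:`, keeps the guard meaningful; whether `daloader.patch` is initialised before any payload runs I cannot tell from the hunk (this commit only assigns it in pltools.runpayload and kamakiri2.patchda1_and_da2), so a default in the loader's constructor is worth confirming. There is also a stray space before the colon in `if self.mtk.daloader.patch :`. configure_da continues outside the hunk.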
@@ -212,3 +214,35 @@ def runpayload(self, payload, ack=0xA1A2A3A4, addr=None, dontack=False):
 else:
 self.info("Error, payload answered instead: " + hexlify(result).decode('utf-8'))
 return None
+
+ def patchda1_and_da2(self):
+ da1offset = self.mtk.daloader.daconfig.da_loader.region[1].m_buf
+ da1size = self.mtk.daloader.daconfig.da_loader.region[1].m_len
+ da1address = self.mtk.daloader.daconfig.da_loader.region[1].m_start_addr
+ da1sig_len = self.mtk.daloader.daconfig.da_loader.region[2].m_sig_len
+ da2offset = self.mtk.daloader.daconfig.da_loader.region[2].m_buf
+ da2size = self.mtk.daloader.daconfig.da_loader.region[2].m_len
+ da2address = self.mtk.daloader.daconfig.da_loader.region[2].m_start_addr
+ da2sig_len = self.mtk.daloader.daconfig.da_loader.region[2].m_sig_len
+ loader = self.mtk.daloader.daconfig.da_loader.loader
+ if not os.path.exists(loader):
+ self.error(f"Couldn't find {loader}, aborting.")
+ return False
+ with open(loader, 'rb') as bootldr:
+ bootldr.seek(da1offset)
+ da1 = bootldr.read(da1size)
+ bootldr.seek(da2offset)
+ da2 = bootldr.read(da2size)
+ hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da1sig_len, da2sig_len,
+ self.mtk.daloader.daconfig.da_loader.v6)
+ da2patched = self.mtk.daloader.patch_da2(da2)[:-da2sig_len]
+ if hashaddr is not None:
+ dahash = None
+ if hashmode == 1:
+ dahash = hashlib.sha1(da2patched[:hashlen]).digest()
+ elif hashmode == 2:
+ dahash = hashlib.sha256(da2patched[:hashlen]).digest()
+ da1patched = da1[:hashaddr] + dahash + da1[hashaddr+hashlen:]
+ return da1patched, da2patched
+ self.mtk.daloader.patch = False
+ return da1, da2
diff --git a/mtkclient/Library/mtk_preloader.py b/mtkclient/Library/mtk_preloader.py
index 4659afda..ae73ae3b 100755
--- a/mtkclient/Library/mtk_preloader.py
+++ b/mtkclient/Library/mtk_preloader.py
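Review bot: `da1sig_len` is read from `region[2].m_sig_len` while every other da1 field comes from `region[1]`, which looks like a copy-paste slip — `da1sig_len = self.mtk.daloader.daconfig.da_loader.region[1].m_sig_len` is presumably what was meant, though I cannot see the region layout from here. When `hashaddr` is set but `hashmode` is neither 1 nor 2, `dahash` stays None and `da1[:hashaddr] + dahash` raises TypeError; an explicit `else: self.error(f"Unsupported hash mode {hashmode}, aborting."); return False` keeps that failure on the same path as the missing-loader case. `self.mtk.daloader.patch_da2(da2)[:-da2sig_len]` also silently yields empty bytes if `m_sig_len` can ever be 0, so a guard is worth adding if that value is not guaranteed positive. `da1address` and `da2address` are assigned but never used, and the three return shapes (`False`, the patched pair, the unpatched pair with `patch` cleared) deserve a docstring. The enclosing class starts outside the hunk.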
@@ -13,6 +13,7 @@
 from mtkclient.Library.utils import LogBase, logsetup
 from mtkclient.Library.error import ErrorHandler
+from mtkclient.config.brom_config import damodes
 USBDL_BIT_EN = 0x00000001 # 1: download bit enabled
 USBDL_BROM = 0x00000002 # 0: usbdl by brom; 1: usbdl by bootloader
@@ -267,7 +268,7 @@ def init(self, maxtries=None, display=True):
 self.send_root_cert(certdata)
 else:
 self.error(f"Couldn't find cert file {self.config.cert}")
- if self.config.target_config["sla"]:
+ if self.config.target_config["sla"] and self.config.chipconfig.damode == damodes.XML:
 self.handle_sla(func=None, isbrom=self.config.is_brom)
 return True
@@ -1146,6 +1147,8 @@ def handle_sla(self, func=None, isbrom: bool = True):
 for key in rsakeys:
 if self.echo(self.Cmd.SLA.value):
 status = self.rword()
+ if status == 0x7017:
+ return True
 if status > 0xFF:
 self.error(f"Send auth error:{self.eh.status(status)}")
 return False
diff --git a/mtkclient/Library/pltools.py b/mtkclient/Library/pltools.py
index ced8bdfc..4bbe045a 100755
--- a/mtkclient/Library/pltools.py
+++ b/mtkclient/Library/pltools.py
@@ -77,6 +77,7 @@ def runpayload(self, filename, offset=0, ack=0xA1A2A3A4, addr=None, dontack=Fals
 ack = self.exploit.runpayload(payload, ack, addr, dontack)
 if ack == ack:
 self.info("Successfully sent payload: " + filename)
+ self.mtk.daloader.patch = True
 return True
 elif ack == b"\xc1\xc2\xc3\xc4":
 if "preloader" in rf.name:
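Review bot: The added `and self.config.chipconfig.damode == damodes.XML` makes `init` skip `handle_sla` for every non-XML target that still has `target_config["sla"]` set, and nothing in the hunk records why that is correct. A one-line comment above the condition, along the lines of `# SLA is only negotiated here for damodes.XML targets; <reason — to be filled in by the author>`, plus a debug log in the skipped case, would tell the next reader whether a stalled SLA-flagged device on another damode is expected. I cannot see the other SLA path from this hunk, so I am not proposing the reason myself. init continues outside the hunk.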
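Review bot: `0x7017` is a bare magic number in the new early return in `handle_sla`, and because it returns True before the `status > 0xFF` error path, this status is treated as success with no log line at all. Either name it alongside the module's other status constants or annotate it inline, e.g. `if status == 0x7017:  # <meaning of 0x7017 — confirm against self.eh.status()>`, and emit a debug message before returning so a trace shows why the key loop ended early. handle_sla continues outside the hunk.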
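Review bot: The new `self.mtk.daloader.patch = True` sits under `if ack == ack:`, which is always true because the reply from `self.exploit.runpayload` is bound to the same name as the expected value, so `patch` is now set even when the payload was not acknowledged (the kamakiri2 implementation in this same diff returns None on error) and the `elif ack == b"\xc1\xc2\xc3\xc4":` branch is unreachable. Binding the reply to its own name fixes both: `reply = self.exploit.runpayload(payload, ack, addr, dontack)` / `if reply == ack:` / `elif reply == b"\xc1\xc2\xc3\xc4":`. The comparison predates this commit, but the commit now keys the DA-patching decision on it, so it is worth fixing here. runpayload continues outside the hunk.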