frederic / amlogic-usbdl

Unsigned code loader for Amlogic BootROM

License: GNU General Public License v3.0

Topics: arm bootrom usb exploit vulnerability amlogic chromecast secure-boot superbird

amlogic-usbdl : unsigned code loader for Amlogic bootrom

Disclaimer

You will be solely responsible for any damage caused to your hardware/software/warranty/data/cat/etc...

Description

Amlogic bootrom supports booting from USB. This boot method requires a USB host to send a signed bootloader to the bootrom via the USB port.

This tool exploits a vulnerability in the USB download mode to load and run unsigned code in Secure World.

Supported targets

  • s905d3 : Khadas VIM3L, Chromecast with Google TV
  • s905d2 : Spotify Car Thing

Usage

$ ./amlogic-usbdl <target_name> <input_file> [<output_file>]
	target_name: s905d3 s905d2
	input_file: payload binary to load and execute (max size 65280 bytes)
	output_file: file to write data returned by payload

Payloads

Payloads are raw binary AArch64 executables. Some are provided in directory payloads/.

License

Please see LICENSE.


Issues

This tool has magic superpowers!

Hi dear Frédéric!

First of all, thanks for your wonderful blog. Your work and your articles about it are truly breathtaking!
Then my little miracle story

I've got a bricked Mi Box 3 (MDZ-16-AB) which is based on the Amlogic S905X SoC
The box is so hard-bricked that it cannot boot to the uboot shell
The standard flashing process did not work for me and the only solution left is desoldering the eMMC chip...

But then I found your article about hacking the Amlogic S905D3 (thanks!)
I thought that maybe with the amlogic-usbdl tool and the right payload I could flash it via USB
Also I found the update tool from the khadas utils repo

The update tool includes a read command that can be used to read arbitrary memory at a specified address
In a silly attempt, I tried to read the BootROM memory (offset 0xd9040000, size 0x10000 for S905X), but of course I only got errors back

> ./update read 0x10000 0xd9040000
[read],value=200,index=1,len=512,ret=-71 error_msg=error sending control message: Protocol error
[read],value=200,index=1,len=512,ret=-19 error_msg=error sending control message: No such device
[read],value=200,index=1,len=512,ret=-19 error_msg=error sending control message: No such device
[update]ERR(L638):read device failed

Then I tried to run amlogic-usbdl
Oddly enough, the tool reported success

> ./amlogic-usbdl ./payloads/dump_bootrom_uart.bin
- exploit: starting.
- exploit: sending payload...
libusb_bulk_transfer: transferred=256, transfers left=1078
...
libusb_bulk_transfer: transferred=256, transfers left=824
- exploit: sending 823 dummy transfers...
libusb_bulk_transfer[0]: transferred=0
...
libusb_bulk_transfer[822]: transferred=0
- exploit: sending last transfer to overwrite RAM...
libusb_bulk_transfer: transferred=140
- exploit: done.

But the payload didn't start and nothing visible happened

Then I ran update read again and... my terminal was filled with a juicy BootROM dump!
I just couldn't believe what happened!

> ./amlogic-usbdl ./payloads/dump_bootrom_uart.bin && ./update read 0x10000 0xD9040000
- exploit: starting.
- exploit: sending payload...
libusb_bulk_transfer: transferred=256, transfers left=1078
...
libusb_bulk_transfer: transferred=256, transfers left=824
- exploit: sending 823 dummy transfers...
libusb_bulk_transfer[0]: transferred=0
...
libusb_bulk_transfer[822]: transferred=0
- exploit: sending last transfer to overwrite RAM...
libusb_bulk_transfer: transferred=140
- exploit: done.

D9040000: aa1f03e0 aa1f03e1 aa1f03e2 aa1f03e3 
D9040010: aa1f03e4 aa1f03e5 aa1f03e6 aa1f03e7 
D9040020: aa1f03e8 aa1f03e9 aa1f03ea aa1f03eb 
D9040030: aa1f03ec aa1f03ed aa1f03ee aa1f03ef 
D9040040: aa1f03f0 aa1f03f1 aa1f03f2 aa1f03f3 
D9040050: aa1f03f4 aa1f03f5 aa1f03f6 aa1f03f7 
D9040060: aa1f03f8 aa1f03f9 aa1f03fa aa1f03fb 
D9040070: aa1f03fc aa1f03fd aa1f03fe 58000d60 
...

After converting this text dump to binary form I ran some commands
As far as I can tell, my dump is pretty legit!

> sha1sum MDZ-16-AB.bootrom.bin
d3b9d047900186ad33b8db2fab1201b243c1aebe  MDZ-16-AB.bootrom.bin

> wc -c MDZ-16-AB.bootrom.bin
65536 MDZ-16-AB.bootrom.bin

> strings -13 MDZ-16-AB.bootrom.bin
auth failed, reboot...
9ac50ebe6991987
pepsi.amlogic.c
02/19/16_15:11:49
gcc version 4.8
9ac50ebe6991987
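The text dump quoted in the post above can be turned back into a binary image and sanity-checked before it is trusted. This is an added example, not code from the issue or from the amlogic-usbdl project; it assumes the `update read` output format shown above (an address, a colon, then 32-bit words read from a little-endian ARM core) and uses the first eight dump lines from the post as constructed sample input.

```python
import hashlib
import re
import struct

# Constructed sample input: the first eight dump lines quoted in the issue.
# The real dump is 0x10000 bytes; this is enough to exercise the parser.
SAMPLE_DUMP = """\
D9040000: aa1f03e0 aa1f03e1 aa1f03e2 aa1f03e3
D9040010: aa1f03e4 aa1f03e5 aa1f03e6 aa1f03e7
D9040020: aa1f03e8 aa1f03e9 aa1f03ea aa1f03eb
D9040030: aa1f03ec aa1f03ed aa1f03ee aa1f03ef
D9040040: aa1f03f0 aa1f03f1 aa1f03f2 aa1f03f3
D9040050: aa1f03f4 aa1f03f5 aa1f03f6 aa1f03f7
D9040060: aa1f03f8 aa1f03f9 aa1f03fa aa1f03fb
D9040070: aa1f03fc aa1f03fd aa1f03fe 58000d60
"""

# One dump line: 8-hex-digit address, colon, one or more 8-hex-digit words.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8})+)\s*$")


def dump_to_binary(text, base=0xD9040000):
    """Convert 'ADDR: w0 w1 w2 w3' lines into the bytes of the ROM image.

    Each word is a 32-bit value from a little-endian core, so it is written
    back with struct '<I' (aa1f03e0 becomes e0 03 1f aa on disk). Lines that
    do not match the pattern (the tool's own log output) are skipped. A gap
    or overlap in the address sequence raises ValueError so that a truncated
    or garbled dump is not silently accepted as a complete image.
    """
    out = bytearray()
    expected = base
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if addr != expected:
            raise ValueError(f"non-contiguous dump: got {addr:#x}, expected {expected:#x}")
        words = [int(w, 16) for w in m.group(2).split()]
        out += struct.pack(f"<{len(words)}I", *words)
        expected = addr + 4 * len(words)
    return bytes(out)


def check_image(blob, expected_size=0x10000):
    """Return (size_ok, sha1_hex) for comparison against a known-good hash."""
    return len(blob) == expected_size, hashlib.sha1(blob).hexdigest()


if __name__ == "__main__":
    image = dump_to_binary(SAMPLE_DUMP)
    print(len(image), image[:4].hex(), check_image(image))
```

On a full dump the returned size flag and SHA-1 correspond to the `wc -c` and `sha1sum` checks the post runs on the written file.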

Second discussion thread

s905d2: weird address of FUN_ffff454c in bl2dump_over_usb.c

I was comparing function addresses in payloads/s905d2/bl2dump_over_usb.c with the disassembled s905d2 bootrom dump I've found in this github repository. All functions declared in code match their addresses with bootrom dump except FUN_ffff454c that points to the middle of some function.

I'm not an expert in reverse engineering but this looks quite weird. Is it supposed to be like this, or does this dumped bootrom differ from yours?

Unable to compile exploit

Hello, I ran into a problem compiling/linking with libusb.

I tried to install the requirements according to https://stackoverflow.com/questions/4853389/how-to-install-libusb-in-ubuntu
I still see errors:

cc -g -O0 -Wall -lusb-1.0  -o amlogic-usbdl amlogic-usbdl.o
amlogic-usbdl.o: In function `save_received_data':
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:56: undefined reference to `libusb_bulk_transfer'
amlogic-usbdl.o: In function `exploit':
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:81: undefined reference to `libusb_control_transfer'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:85: undefined reference to `libusb_error_name'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:95: undefined reference to `libusb_bulk_transfer'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:99: undefined reference to `libusb_error_name'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:112: undefined reference to `libusb_bulk_transfer'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:116: undefined reference to `libusb_error_name'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:126: undefined reference to `libusb_bulk_transfer'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:130: undefined reference to `libusb_error_name'
amlogic-usbdl.o: In function `main':
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:184: undefined reference to `libusb_init'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:187: undefined reference to `libusb_error_name'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:191: undefined reference to `libusb_open_device_with_vid_pid'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:195: undefined reference to `libusb_exit'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:199: undefined reference to `libusb_claim_interface'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:202: undefined reference to `libusb_error_name'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:206: undefined reference to `libusb_control_transfer'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:230: undefined reference to `libusb_release_interface'
/home/procenkoeg/amlogic-usbdl/amlogic-usbdl.c:234: undefined reference to `libusb_close'
collect2: error: ld returned 1 exit status
Makefile:13: recipe for target 'amlogic-usbdl' failed
make: *** [amlogic-usbdl] Error 1

How to fix this?
Maybe you can release compiled binaries?
