[ot][spam][personal] uhhh should I understand the exploits my new phone is vulnerable to

Undiscussed Horrific Abuse, One Victim of Many gmkarl at gmail.com
Fri May 6 07:52:06 PDT 2022


2022-05-06

what I know regarding kamakiri so far:

- mediatek uses arm chips
- the users of kamakiri choose to speak raw USB, rather than serial
- it's one of a handful of similar things
- it's used to disable boot rom protections in the phone
- code is uploaded to the phone and executed while it is connected in
preloader mode.

1032

it's hard for me to pursue this. i'm mostly right now having some downtime
while the bkerler client installs dependencies over my 5K/sec tether. when
that works out I might switch focus to seeing if I can stabilise the open
source OS.

1034

i've cloned the bkerler sources and the amonet-kamakiri sources. amonet has
three subfolders: brom-payload, lk-payload, and microloader. it also has a
kernel patch that short circuits some usb checks.

the brom payload has two stages and some library files.

stage1 looks like a simple daemon that can perform serial commands similar
to the factory preloader. it uses a magic command prefix of 0xf00dd00d.

the boot rom stage calls a handful of functions that are given by opaque
hardcoded pointer addresses:
jump_bl() = 0xB673
send_usb_response(int,int,int) = 0x55BB
ptr_send() = *0x103088 // these might be hooked
ptr_recv() = *0x103084
send_dword(int) = 0xBE09
int recv_dword() = 0xBDD5
send_data(addr,sz) = 0xBED1
int recv_data(addr,sz,flags=0) = 0xBE4B

all commands for stage1 and possible behavior:

0x4000: write data to address. replies with 0xD0D0D0D0 for success and
0xF0F0F0F0 for failure. uses recv_data

0x4001: jump to address

0x3000: reboot
    writes some hardcoded values to volatile registers at 0x10007000

0x3001: kick watchdog
    writes 0x1971 to a specific 32-bit register

In the case of a protocol error it stops listening for commands and enters
an infinite busy loop.

stage2 payload also has a command loop with the same magic prefix.
the stage2 payload appears to have a parallel informative output stream for
printf, separate from the serial. haven't looked.

0x1000: read mmc block at address
0x1001: write mmc block at address. block size is 0x200. replies 0xD0D0D0D0
on success.
0x1002: set mmc partition as a dword
0x2000: read mmc rpmb. 0x100 bytes.
0x2001: write 0x100 bytes to mmc rpmb.
0x5000: read size data from ram address.
0x3000: reboot. writes to same registers. one of them is the watchdog kick.
0x3001: kick watchdog only.

stage2 has the same behavior of busylooping forever for a protocol mismatch
(0xf00dd00d not read when expected)

that's cool! my mtkclient install failed due to a sha256 mismatch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 3917 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20220506/b70a9b96/attachment.txt>