[ot][spam][personal] uhhh should I understand the exploits my new phone is vulnerable to

Undiscussed Horrific Abuse, One Victim of Many gmkarl at gmail.com
Sat May 7 00:01:17 PDT 2022


I'm not near this system and phone at this time, but that doesn't mean I
can't keep learning about it.

Here's the deployment script for the bootrom phase from the amonet kamakiri
source:

#!/usr/bin/env python3

import sys
import time

from common import Device
from logger import log
from load_payload import load_payload
from functions import *

import usb.core
import usb.util

import ctypes

import traceback


import struct
import os

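def main(dev):
    """Run the bootrom-phase deployment against an attached device.

    Sequence, as performed by the calls below:

    1. Pre-flight: verify every image this script flashes exists locally,
       so a missing file cannot surface only after the boot0 header and
       RPMB have already been wiped.
    2. ``load_payload(dev)``.
    3. Optional ``fixgpt`` (``sys.argv[1]``): rewrite the first 34 sectors
       of the user area from ``../bin/gpt-mantis.bin``.
    4. Parse the GPT and require the ``lk``, ``tee1``, ``boot`` and
       ``recovery`` partitions.
    5. Read the RPMB; if it does not start with ``b"AMZN"``, wait for the
       operator to confirm (Enter) or abort (Ctrl+C), kicking the watchdog
       while waiting.
    6. Overwrite the boot0 header (so a stall drops back to bootrom without
       shorting), zero the RPMB (the original comments say this is what
       allows the tz/lk downgrade to be accepted), then flash tz, lk, the
       lk-payload, the microloader, force fastboot, flash the preloader
       last and reboot.

    Args:
        dev: a ``Device`` (from ``common``) that has already been found.

    Raises:
        FileNotFoundError: an image needed for this run is missing; raised
            before any write to the device.
        RuntimeError: the GPT lacks a required partition, or the RPMB does
            not read back as all zeros after the downgrade write (the device
            is rebooted first in that case).
    """
    fix_gpt = len(sys.argv) == 2 and sys.argv[1] == "fixgpt"

    # 0) Pre-flight: every image is opened only at its flash step, and the
    # first destructive writes (boot0 header, RPMB) happen before most of
    # them are touched. Check the files up front so a typo in a path cannot
    # leave the device half-flashed.
    # assumes flash_binary opens these paths relative to the cwd as written
    # here — confirm against functions.py
    images = [
        "../bin/tz.img",
        "../bin/lk.bin",
        "../lk-payload/build/payload.bin",
        "../bin/microloader.bin",
        "../bin/preloader.img",
    ]
    if fix_gpt:
        images.insert(0, "../bin/gpt-mantis.bin")
    missing = [path for path in images if not os.path.isfile(path)]
    if missing:
        raise FileNotFoundError(
            "missing image(s): {}".format(", ".join(missing))
        )

    load_payload(dev)

    if fix_gpt:
        dev.emmc_switch(0)
        log("Flashing GPT")
        flash_binary(dev, "../bin/gpt-mantis.bin", 0, 34 * 0x200)

    # 1) Sanity check GPT
    log("Check GPT")
    switch_user(dev)

    # 1.1) Parse gpt
    gpt = parse_gpt(dev)
    log("gpt_parsed = {}".format(gpt))
    required = ("lk", "tee1", "boot", "recovery")
    if any(name not in gpt for name in required):
        raise RuntimeError("bad gpt")

    # 2) Sanity check boot0
    log("Check boot0")
    switch_boot0(dev)

    # 3) Sanity check rpmb
    log("Check rpmb")
    rpmb = dev.rpmb_read()
    if rpmb[0:4] != b"AMZN":
        # Operator decides: a non-AMZN RPMB is expected on a retry, a
        # surprise otherwise. Keep the watchdog fed while we wait.
        thread = UserInputThread(
            msg="rpmb looks broken; if this is expected (i.e. you're retrying "
            "the exploit) press enter, otherwise terminate with Ctrl+C"
        )
        thread.start()
        while not thread.done:
            dev.kick_watchdog()
            time.sleep(1)

    # Clear preloader so, we get into bootrom without shorting, should the
    # script stall (we flash preloader as last step)
    # 4) Downgrade preloader
    log("Clear preloader header")
    switch_boot0(dev)
    flash_data(dev, b"EMMC_BOOT" + b"\x00" * ((0x200 * 4) - 9), 0)

    # 5) Zero out rpmb to enable downgrade
    log("Downgrade rpmb")
    dev.rpmb_write(b"\x00" * 0x100)
    log("Recheck rpmb")
    rpmb = dev.rpmb_read()
    if rpmb != b"\x00" * 0x100:
        # Read-back mismatch: do not continue flashing on top of an RPMB
        # whose state we cannot trust.
        dev.reboot()
        raise RuntimeError("downgrade failure, giving up")
    log("rpmb downgrade ok")
    dev.kick_watchdog()

    # 6) Downgrade tz
    log("Flash tz")
    switch_user(dev)
    flash_binary(dev, "../bin/tz.img", gpt["tee1"][0], gpt["tee1"][1] * 0x200)

    # 7) Downgrade lk
    log("Flash lk")
    switch_user(dev)
    flash_binary(dev, "../bin/lk.bin", gpt["lk"][0], gpt["lk"][1] * 0x200)

    # 7.1) Install lk-payload
    log("Flash lk-payload")
    switch_boot0(dev)
    flash_binary(dev, "../lk-payload/build/payload.bin", 1024)

    # 8) Flash microloader
    log("Inject microloader")
    switch_user(dev)
    boot_start = gpt["boot"][0]
    boot_hdr1 = dev.emmc_read(boot_start) + dev.emmc_read(boot_start + 1)
    boot_hdr2 = dev.emmc_read(boot_start + 2) + dev.emmc_read(boot_start + 3)
    flash_binary(dev, "../bin/microloader.bin", boot_start, 2 * 0x200)
    # If sectors 2-3 did not already hold an Android boot header, preserve
    # the original header (sectors 0-1) there, after the microloader.
    if boot_hdr2[0:8] != b"ANDROID!":
        flash_data(dev, boot_hdr1, boot_start + 2, 2 * 0x200)

    log("Force fastboot")
    force_fastboot(dev, gpt)

    # 9) Install preloader
    log("Flash preloader")
    switch_boot0(dev)
    flash_binary(dev, "../bin/preloader.img", 0)

    # 9.1) Wait some time so data is flushed to EMMC
    time.sleep(5)

    # Reboot (to fastboot or recovery)
    log("Reboot")
    dev.reboot()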


if __name__ == "__main__":
    # Refuse to proceed while ModemManager could grab the USB device
    # (helper from functions; exact behaviour lives there).
    check_modemmanager()

    # Locate the target over USB, then run the deployment sequence.
    dev = Device()
    dev.find_device()
    main(dev)