brom-dump: payloads: add mt6582 / mt8382 SoC support

arzam16 · Nov 25, 2023 · 80dab94 · 80dab94
1 parent 939e81a
commit 80dab94
Show file tree

Hide file tree

Showing 7 changed files with 110 additions and 2 deletions.
diff --git a/brom-dump/README.md b/brom-dump/README.md
@@ -644,3 +644,15 @@ To find SRAM base I loaded the BROM dump into Ghidra and launched [starfleetcade
 Looks like in my case this *is* the correct part of SRAM where BROM stores its data. At this point it was just a matter of time to fill the values into `hw-api.h` and run `spft-replay` in dump mode.
 
 Later I verified a trimmed (it dumps more data than needed) BROM dump obtained with chaosmaster's bypass_utility with what I've got with my `spft-replay` and the hashes matched.
+
+# Dumping mt6582 / mt8382 BROM
+## It was silimar to mt6580
+After implementing support for mt6580, adding mt6582 was a breeze. The flow is quite similar between the two SoCs however there are some interesting details:
+1. The data exchange between the original SP Flash Tool v5.1648 and the target device was *very* short. Everything boiled down to identifying the SoCs, reading a single EFUSE register and pushing the DA right afterwards.
+2. SP Flash Tool didn't bother disabling the watchdog on mt6582. I haven't checked if BROM disables it by itself but I was afraid the standalone `uart-dump` would not have enough time to complete the work and it would be interrupte. **It is the first time I modify the original SP Flash Tool traffic** adding a function to disable the watchdog.
+3. Unlike mt6580, the original DA on mt6582 uses the most of its available memory (refered to as "Share SRAM" in the datasheet) and I could not come up with some specific padding offset. I kept increasing padding hoping the DA would stop overwriting the piggyback at some point. Some DA data remains after the piggyback body because of that. This is wrong and most likely will break things if someone plans to use more DA APIs in the future that could have used these memory regions.
+
+## Madskillz
+The mt6582 part of the writeup seems to be small, so here's a photo of one of devices I've been working with.
+
+![The remains of the Huawei Y3II phone](../images/brom-dump-030.jpg)
diff --git a/brom-dump/payloads/Makefile b/brom-dump/payloads/Makefile
@@ -39,13 +39,15 @@ SA_RELEASES		= $(foreach P, $(SA_PAYLOADS), $(SA_RELEASE_DIR)/$(TARGET)-$(P).bin
 
 ALL_RELEASES	= $(SA_RELEASES) $(PB_RELEASES)
 
-AVAILABLE_SOCS		:= mt6573 mt6577 mt6580 mt6589
+AVAILABLE_SOCS		:= mt6573 mt6577 mt6580 mt6582 mt6589
 MT6573_RELEASES		:= $(PB_RELEASES)
 MT6573_FLAGS		:= -mcpu=arm1176jzf-s
 MT6577_RELEASES		:= $(SA_RELEASES)
 MT6577_FLAGS		:= -mcpu=cortex-a9
 MT6580_RELEASES		:= $(PB_RELEASES) $(SA_RELEASES)
 MT6580_FLAGS		:= -mcpu=cortex-a7
+MT6582_RELEASES		:= $(PB_RELEASES) $(SA_RELEASES)
+MT6582_FLAGS		:= -mcpu=cortex-a7
 MT6589_RELEASES		:= $(PB_RELEASES)
 MT6589_FLAGS		:= -mcpu=cortex-a7
 
@@ -178,7 +180,6 @@ $(AUX_DIR)/mt6580-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip |
 #                    LAB_002014e2
 # 002014e2 81 4d           ldr        r5,[PTR_DAT_002016e8]
 # 002014e4 03 f0 74 fa     bl         init_power_down_something
-
 #
 #
 # After patch:
@@ -193,6 +194,34 @@ $(OUT_DIR)/mt6580-da-patched.bin: $(TARGET_DA_ORIGINAL) $(TARGET_MEMORY) | $(OUT
 	python3 scripts/patch-da.py \
 		"$<" $(TARGET_MEMORY) 0x002014e4 "$@"
 
+# TARGET_DA_ORIGINAL for mt6582
+$(AUX_DIR)/mt6582-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip | $(AUX_DIR)
+	7z x -so "$<" "SP_Flash_Tool_v5.1648_Linux/MTK_AllInOne_DA.bin" |\
+		tail -c +923301 | head -c 52316 |\
+		cat - /dev/zero | head -c 65536 \
+		> "$@"
+
+# TARGET_DA_PATCHED for mt6582
+# Patch the internal memory initialization routine to jump to our payload
+# before Download Agent starts waiting for more data from SP Flash Tool.
+#
+# Before patch:
+# ======================================================================
+# 002005d8 03 f0 d2 fe     bl         init_disable_wdt
+# 002005dc 0b f0 28 fa     bl         init_setup_config
+# 002005e0 00 f0 f2 f9     bl         setup_io_transport
+# 002005e4 04 f0 22 f9     bl         FUN_0020482c
+#
+#
+# After patch:
+# ======================================================================
+# 002005d8 03 f0 d2 fe     bl         init_disable_wdt
+# 002005dc 0b f0 28 fa     bl         init_setup_config
+# 002005e0 00 f0 f2 f9     bl         setup_io_transport
+# 002005e4 XX XX XX XX     blx        PAYLOAD_ENTRY_POINT
+$(OUT_DIR)/mt6582-da-patched.bin: $(TARGET_DA_ORIGINAL) $(TARGET_MEMORY) | $(OUT_DIR)
+	python3 scripts/patch-da.py \
+		"$<" $(TARGET_MEMORY) 0x002005e4 "$@"
 
 # TARGET_DA_ORIGINAL for mt6589
 $(AUX_DIR)/mt6589-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip | $(AUX_DIR)

diff --git a/brom-dump/payloads/include/mt6582/da-api.h b/brom-dump/payloads/include/mt6582/da-api.h
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16>
+
+#ifndef H_MT6582_DA_API
+#define H_MT6582_DA_API
+
+#include <stdint.h>
+
+void (*DA_reset_uart_and_log)() =
+	( void (*)() )
+	(0x00200F40 + 1);
+
+void (*DA_putc_wrapper_uart)(uint8_t) =
+	( void (*)(uint8_t) )
+	(0x00200DF2 + 1);
+void (*DA_print_hex_value)(uint32_t, uint32_t) =
+	( void (*)(uint32_t, uint32_t) )
+	(0x00200E08 + 1);
+void (*DA_printf_uart)(uint8_t*, uint32_t, uint32_t, uint32_t) =
+	( void (*)(uint8_t*, uint32_t, uint32_t, uint32_t) )
+	(0x00200E34 + 1);
+
+void (*DA_io_usb_write)(uint8_t*, uint32_t) =
+	( void (*)(uint8_t*, uint32_t) )
+	(0x00203D74 + 1);
+uint32_t (*DA_io_usb_readl)() =
+	( uint32_t (*)() )
+	(0x00203F44 + 1);
+void (*DA_io_usb_writel)(uint32_t) =
+	( void (*)(uint32_t) )
+	(0x00203F72 + 1);
+
+#endif // H_MT6582_DA_API
diff --git a/brom-dump/payloads/include/mt6582/hw-api.h b/brom-dump/payloads/include/mt6582/hw-api.h
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16>
+
+#ifndef H_MT6582_HW_API
+#define H_MT6582_HW_API
+
+#define HW_reg_chip_id			0x08000000
+#define HW_reg_uart0_base		0x11002000
+#define HW_reg_uart1_base		0x11003000
+#define HW_reg_uart2_base		0x11004000
+#define HW_reg_uart3_base		0x11005000
+
+#define MEM_brom_start			0x00000000
+#define MEM_brom_length			0x10000
+#define MEM_sram_start			0x100000
+#define MEM_sram_length			0x10000
+#define MEM_da_start			0x200000
+#define MEM_da_length			0x20000
+
+#endif // H_MT6582_HW_API
diff --git a/brom-dump/payloads/include/mt6582/hw-api.s b/brom-dump/payloads/include/mt6582/hw-api.s
@@ -0,0 +1,5 @@
+@ SPDX-License-Identifier: GPL-3.0-only
+@ SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16>
+
+@ derived from the original mt6582 DA, see 0x002000A4
+.equ MEM_stack_base,		0x21FFFC
diff --git a/brom-dump/payloads/include/mt6582/memory.ld b/brom-dump/payloads/include/mt6582/memory.ld
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: GPL-3.0-only */
+/* SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16> */
+
+MEMORY
+{
+	DA_RAM (IWX) : ORIGIN = 0x200000, LENGTH = 0x800
+}
+
+INCLUDE payload.ld
diff --git a/images/brom-dump-030.jpg b/images/brom-dump-030.jpg