diff --git a/brom-dump/README.md b/brom-dump/README.md
index 4fd63d8..1d28f5a 100644
--- a/brom-dump/README.md
+++ b/brom-dump/README.md
@@ -644,3 +644,15 @@ To find SRAM base I loaded the BROM dump into Ghidra and launched [starfleetcade
 Looks like in my case this *is* the correct part of SRAM where BROM stores its data. At this point it was just a matter of time to fill the values into `hw-api.h` and run `spft-replay` in dump mode. Later I verified a trimmed (it dumps more data than needed) BROM dump obtained with chaosmaster's bypass_utility with what I've got with my `spft-replay` and the hashes matched.
+
+# Dumping mt6582 / mt8382 BROM
+## It was silimar to mt6580
+After implementing support for mt6580, adding mt6582 was a breeze. The flow is quite similar between the two SoCs however there are some interesting details:
+1. The data exchange between the original SP Flash Tool v5.1648 and the target device was *very* short. Everything boiled down to identifying the SoCs, reading a single EFUSE register and pushing the DA right afterwards.
+2. SP Flash Tool didn't bother disabling the watchdog on mt6582. I haven't checked if BROM disables it by itself but I was afraid the standalone `uart-dump` would not have enough time to complete the work and it would be interrupte. **It is the first time I modify the original SP Flash Tool traffic** adding a function to disable the watchdog.
+3. Unlike mt6580, the original DA on mt6582 uses the most of its available memory (refered to as "Share SRAM" in the datasheet) and I could not come up with some specific padding offset. I kept increasing padding hoping the DA would stop overwriting the piggyback at some point. Some DA data remains after the piggyback body because of that. This is wrong and most likely will break things if someone plans to use more DA APIs in the future that could have used these memory regions.
+
+## Madskillz
+The mt6582 part of the writeup seems to be small, so here's a photo of one of devices I've been working with.
+
+![The remains of the Huawei Y3II phone](../images/brom-dump-030.jpg)
diff --git a/brom-dump/payloads/Makefile b/brom-dump/payloads/Makefile
index b134c6b..ff370a7 100644
--- a/brom-dump/payloads/Makefile
+++ b/brom-dump/payloads/Makefile
@@ -39,13 +39,15 @@ SA_RELEASES = $(foreach P, $(SA_PAYLOADS), $(SA_RELEASE_DIR)/$(TARGET)-$(P).bin
 ALL_RELEASES = $(SA_RELEASES) $(PB_RELEASES)
-AVAILABLE_SOCS := mt6573 mt6577 mt6580 mt6589
+AVAILABLE_SOCS := mt6573 mt6577 mt6580 mt6582 mt6589
 MT6573_RELEASES := $(PB_RELEASES)
 MT6573_FLAGS := -mcpu=arm1176jzf-s
 MT6577_RELEASES := $(SA_RELEASES)
 MT6577_FLAGS := -mcpu=cortex-a9
 MT6580_RELEASES := $(PB_RELEASES) $(SA_RELEASES)
 MT6580_FLAGS := -mcpu=cortex-a7
+MT6582_RELEASES := $(PB_RELEASES) $(SA_RELEASES)
+MT6582_FLAGS := -mcpu=cortex-a7
 MT6589_RELEASES := $(PB_RELEASES)
 MT6589_FLAGS := -mcpu=cortex-a7
@@ -178,7 +180,6 @@ $(AUX_DIR)/mt6580-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip |
 # LAB_002014e2
 # 002014e2 81 4d ldr r5,[PTR_DAT_002016e8]
 # 002014e4 03 f0 74 fa bl init_power_down_something
-
 #
 #
 # After patch:
@@ -193,6 +194,34 @@ $(OUT_DIR)/mt6580-da-patched.bin: $(TARGET_DA_ORIGINAL) $(TARGET_MEMORY) | $(OUT
 python3 scripts/patch-da.py \
 "$<" $(TARGET_MEMORY) 0x002014e4 "$@"
+# TARGET_DA_ORIGINAL for mt6582
+$(AUX_DIR)/mt6582-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip | $(AUX_DIR)
+ 7z x -so "$<" "SP_Flash_Tool_v5.1648_Linux/MTK_AllInOne_DA.bin" |\
+ tail -c +923301 | head -c 52316 |\
+ cat - /dev/zero | head -c 65536 \
+ > "$@"
+
+# TARGET_DA_PATCHED for mt6582
+# Patch the internal memory initialization routine to jump to our payload
+# before Download Agent starts waiting for more data from SP Flash Tool.
+#
+# Before patch:
+# ======================================================================
+# 002005d8 03 f0 d2 fe bl init_disable_wdt
+# 002005dc 0b f0 28 fa bl init_setup_config
+# 002005e0 00 f0 f2 f9 bl setup_io_transport
+# 002005e4 04 f0 22 f9 bl FUN_0020482c
+#
+#
+# After patch:
+# ======================================================================
+# 002005d8 03 f0 d2 fe bl init_disable_wdt
+# 002005dc 0b f0 28 fa bl init_setup_config
+# 002005e0 00 f0 f2 f9 bl setup_io_transport
+# 002005e4 XX XX XX XX blx PAYLOAD_ENTRY_POINT
+$(OUT_DIR)/mt6582-da-patched.bin: $(TARGET_DA_ORIGINAL) $(TARGET_MEMORY) | $(OUT_DIR)
+ python3 scripts/patch-da.py \
+ "$<" $(TARGET_MEMORY) 0x002005e4 "$@"
 # TARGET_DA_ORIGINAL for mt6589
 $(AUX_DIR)/mt6589-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip | $(AUX_DIR)
diff --git a/brom-dump/payloads/include/mt6582/da-api.h b/brom-dump/payloads/include/mt6582/da-api.h
new file mode 100644
index 0000000..a9188f9
--- /dev/null
+++ b/brom-dump/payloads/include/mt6582/da-api.h
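Review bot: The new `mt6582-da-original.bin` recipe always produces a 65536-byte target because `cat - /dev/zero | head -c 65536` pads whatever reaches stdin, so if `7z` fails or the archive is not the expected v5.1648 build the file is still created (zero-filled or mis-sliced), looks up to date on the next run, and is then blindly patched at 0x002005e4 by the `mt6582-da-patched.bin` rule below it. Nothing in this hunk fails the pipeline on a short slice, and whether the Makefile sets `.DELETE_ON_ERROR:` or a `pipefail` shell elsewhere is not visible here. Stage the 52316-byte slice in a temporary file, check its length and a pinned digest of the known-good slice, and only then pad and write `$@`; the mt6580 and mt6589 extraction rules referenced around this hunk appear to use the same pattern and would benefit from the same check. The digest in the sketch below is a placeholder to be filled from a verified extraction.
```make
# Fail loudly on a short or mismatching slice instead of padding it with zeros
$(AUX_DIR)/mt6582-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip | $(AUX_DIR)
	7z x -so "$<" "SP_Flash_Tool_v5.1648_Linux/MTK_AllInOne_DA.bin" |\
	tail -c +923301 | head -c 52316 > "$@.tmp"
	test "$$(wc -c < "$@.tmp")" -eq 52316
	echo "<SHA256_OF_MT6582_DA_SLICE_PLACEHOLDER>  $@.tmp" | sha256sum -c -
	cat "$@.tmp" /dev/zero | head -c 65536 > "$@"
	$(RM) "$@.tmp"
# … unchanged: TARGET_DA_PATCHED comment block and mt6582-da-patched.bin rule …
```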
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: 2023 arzamas-16
+
+#ifndef H_MT6582_DA_API
+#define H_MT6582_DA_API
+
+#include
+
+void (*DA_reset_uart_and_log)() =
+ ( void (*)() )
+ (0x00200F40 + 1);
+
+void (*DA_putc_wrapper_uart)(uint8_t) =
+ ( void (*)(uint8_t) )
+ (0x00200DF2 + 1);
+void (*DA_print_hex_value)(uint32_t, uint32_t) =
+ ( void (*)(uint32_t, uint32_t) )
+ (0x00200E08 + 1);
+void (*DA_printf_uart)(uint8_t*, uint32_t, uint32_t, uint32_t) =
+ ( void (*)(uint8_t*, uint32_t, uint32_t, uint32_t) )
+ (0x00200E34 + 1);
+
+void (*DA_io_usb_write)(uint8_t*, uint32_t) =
+ ( void (*)(uint8_t*, uint32_t) )
+ (0x00203D74 + 1);
+uint32_t (*DA_io_usb_readl)() =
+ ( uint32_t (*)() )
+ (0x00203F44 + 1);
+void (*DA_io_usb_writel)(uint32_t) =
+ ( void (*)(uint32_t) )
+ (0x00203F72 + 1);
+
+#endif // H_MT6582_DA_API
diff --git a/brom-dump/payloads/include/mt6582/hw-api.h b/brom-dump/payloads/include/mt6582/hw-api.h
new file mode 100644
index 0000000..c54639d
--- /dev/null
+++ b/brom-dump/payloads/include/mt6582/hw-api.h
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: 2023 arzamas-16
+
+#ifndef H_MT6582_HW_API
+#define H_MT6582_HW_API
+
+#define HW_reg_chip_id 0x08000000
+#define HW_reg_uart0_base 0x11002000
+#define HW_reg_uart1_base 0x11003000
+#define HW_reg_uart2_base 0x11004000
+#define HW_reg_uart3_base 0x11005000
+
+#define MEM_brom_start 0x00000000
+#define MEM_brom_length 0x10000
+#define MEM_sram_start 0x100000
+#define MEM_sram_length 0x10000
+#define MEM_da_start 0x200000
+#define MEM_da_length 0x20000
+
+#endif // H_MT6582_HW_API
diff --git a/brom-dump/payloads/include/mt6582/hw-api.s b/brom-dump/payloads/include/mt6582/hw-api.s
new file mode 100644
index 0000000..68b8b88
--- /dev/null
+++ b/brom-dump/payloads/include/mt6582/hw-api.s
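Review bot: The function pointers in da-api.h are defined as writable, non-static globals with initializers (`void (*DA_reset_uart_and_log)() = …`), so including the header from more than one translation unit produces duplicate-definition link errors, and each pointer lives in the payload's RAM image where it can be clobbered — relevant given the README's admission that DA data still lands after the piggyback body. Declaring them `static` and `const` with prototyped parameter lists, e.g. `static void (* const DA_reset_uart_and_log)(void) = (void (*)(void))(0x00200F40 + 1);`, removes both problems and lets the compiler emit a direct call; the empty `()` on `DA_reset_uart_and_log` and `DA_io_usb_readl` is an old-style unprototyped declaration in C and should be `(void)` throughout. The `#include` line appears empty in this rendering, presumably `<stdint.h>` lost to the page, which `uint8_t`/`uint32_t` need — worth confirming it survived in the committed file. A one-line comment on the `+ 1`, `// +1 sets bit 0 so blx enters the DA routine in Thumb state`, would spare the next reader a guess.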
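Review bot: The constants in hw-api.h carry no provenance, unlike hw-api.s in the next section, which records `derived from the original mt6582 DA, see 0x002000A4`; a reader cannot tell whether `HW_reg_chip_id`, the UART bases and the `MEM_*` ranges came from the datasheet, the BROM dump or the DA, so they cannot be re-verified when the header is reused for the mt8382 the README pairs with this SoC. Add a short comment above each group naming the source, e.g. `// <source: datasheet section / BROM or DA address — fill in>`. It is also worth stating next to `MEM_da_length 0x20000` that it describes the whole DA load region, not the 0x800-byte `DA_RAM` window memory.ld grants the payload, since the two are easy to confuse.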
@@ -0,0 +1,5 @@
+@ SPDX-License-Identifier: GPL-3.0-only
+@ SPDX-FileCopyrightText: 2023 arzamas-16
+
+@ derived from the original mt6582 DA, see 0x002000A4
+.equ MEM_stack_base, 0x21FFFC
diff --git a/brom-dump/payloads/include/mt6582/memory.ld b/brom-dump/payloads/include/mt6582/memory.ld
new file mode 100644
index 0000000..d62daba
--- /dev/null
+++ b/brom-dump/payloads/include/mt6582/memory.ld
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: GPL-3.0-only */
+/* SPDX-FileCopyrightText: 2023 arzamas-16 */
+
+MEMORY
+{
+ DA_RAM (IWX) : ORIGIN = 0x200000, LENGTH = 0x800
+}
+
+INCLUDE payload.ld
diff --git a/images/brom-dump-030.jpg b/images/brom-dump-030.jpg
new file mode 100644
index 0000000..80f96fa
Binary files /dev/null and b/images/brom-dump-030.jpg differ
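Review bot: `DA_RAM` in memory.ld is declared as 0x200000 with LENGTH 0x800, i.e. 0x200000–0x2007ff, which is the same area where the Makefile's patch comment shows live DA code (`bl` instructions at 0x002005d8–0x002005e4), so the region only works if the included `payload.ld` (not in this diff) presumably offsets the piggyback into a padded slot. The README hunk says that padding was found by trial and that DA data still overwrites memory past the piggyback body. Record that in the script so nobody treats the region as free RAM, e.g. `/* NOTE: ORIGIN is the DA load base, not free memory; the piggyback is placed at an empirically chosen padding in payload.ld and DA data may still land after it (see README) */`, and consider tying LENGTH to the padding so the linker, rather than the device, reports an overlap.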