Fix kamakiri2 issues

ppanzenboeck · Jan 8, 2024 · 9c7db52 · 9c7db52
1 parent f55985f
commit 9c7db52
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 7 deletions.
diff --git a/mtk b/mtk
@@ -614,12 +614,13 @@ if __name__ == '__main__':
     parser_ess.add_argument('--uart_addr', help='Set payload uart_addr value')
     parser_ess.add_argument('--da_addr', help='Set a specific da payload addr')
     parser_ess.add_argument('--brom_addr', help='Set a specific brom payload addr')
-    parser_ess.add_argument('--ptype', help='Set the payload type ( "amonet","kamakiri",'
-                                            '"kamakiri2","carbonara" kamakiri2/da used by default)')
+    parser_ess.add_argument('--ptype',
+                           help='Set the payload type ( "amonet","kamakiri","kamakiri2","carbonara" kamakiri2/da used by default)')
     parser_ess.add_argument('--preloader', help='Set the preloader filename for dram config')
     parser_ess.add_argument('--verifystage2', help='Verify if stage2 data has been written correctly')
-    parser_ess.add_argument('--parttype', help='Partition type\n\t\tEMMC: [user, boot1, boot2, '
-                                               'gp1, gp2, gp3, gp4, rpmb]\t\tUFS: [lu0, lu1, lu2, lu0_lu1]')
+    parser_ess.add_argument('--parttype', help='Partition type\n' +
+                                              '\t\tEMMC: [user, boot1, boot2, gp1, gp2, gp3, gp4, rpmb]' +
+                                              '\t\tUFS: [lu0, lu1, lu2, lu0_lu1]')
     parser_ess.add_argument('--filename', help='Optional filename')
     parser_ess.add_argument('--crash', help='Enforce crash if device is in pl mode to enter brom mode')
     parser_ess.add_argument('--socid', help='Read Soc ID')

diff --git a/mtkclient/Library/DA/mtk_da_handler.py b/mtkclient/Library/DA/mtk_da_handler.py
@@ -89,9 +89,12 @@ def configure_da(self, mtk, preloader):
         if mtk.config.target_config["daa"] and mtk.config.is_brom:
             mtk = mtk.bypass_security()
             self.mtk = mtk
-            self.info("Device is protected.")
+            if self.mtk.daloader.patch :
+                self.info("Device was protected. Successfully bypassed security.")
+            else:
+                self.info("Device is protected.")
             if mtk is not None:
-                if mtk.config.is_brom:
+                if mtk.config.is_brom and self.mtk.daloader.patch:
                     self.info("Device is in BROM mode. Trying to dump preloader.")
                     if preloader is None:
                         preloader = self.dump_preloader_ram()

diff --git a/mtkclient/Library/DA/xflash/xflash_lib.py b/mtkclient/Library/DA/xflash/xflash_lib.py
@@ -19,6 +19,7 @@
 from queue import Queue
 from threading import Thread
 
+
 rq = Queue()
 
 

diff --git a/mtkclient/Library/Exploit/kamakiri2.py b/mtkclient/Library/Exploit/kamakiri2.py
@@ -1,8 +1,10 @@
 #!/usr/bin/python3
 # -*- coding: utf-8 -*-
 # (c) B.Kerler 2018-2023 GPLv3 License
+import hashlib
 import logging
 import array
+import os
 from binascii import hexlify
 from struct import pack, unpack
 
@@ -212,3 +214,35 @@ def runpayload(self, payload, ack=0xA1A2A3A4, addr=None, dontack=False):
             else:
                 self.info("Error, payload answered instead: " + hexlify(result).decode('utf-8'))
         return None
+
+    def patchda1_and_da2(self):
+        da1offset = self.mtk.daloader.daconfig.da_loader.region[1].m_buf
+        da1size = self.mtk.daloader.daconfig.da_loader.region[1].m_len
+        da1address = self.mtk.daloader.daconfig.da_loader.region[1].m_start_addr
+        da1sig_len = self.mtk.daloader.daconfig.da_loader.region[2].m_sig_len
+        da2offset = self.mtk.daloader.daconfig.da_loader.region[2].m_buf
+        da2size = self.mtk.daloader.daconfig.da_loader.region[2].m_len
+        da2address = self.mtk.daloader.daconfig.da_loader.region[2].m_start_addr
+        da2sig_len = self.mtk.daloader.daconfig.da_loader.region[2].m_sig_len
+        loader = self.mtk.daloader.daconfig.da_loader.loader
+        if not os.path.exists(loader):
+            self.error(f"Couldn't find {loader}, aborting.")
+            return False
+        with open(loader, 'rb') as bootldr:
+            bootldr.seek(da1offset)
+            da1 = bootldr.read(da1size)
+            bootldr.seek(da2offset)
+            da2 = bootldr.read(da2size)
+            hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da1sig_len, da2sig_len,
+                                                                             self.mtk.daloader.daconfig.da_loader.v6)
+            da2patched = self.mtk.daloader.patch_da2(da2)[:-da2sig_len]
+            if hashaddr is not None:
+                dahash = None
+                if hashmode == 1:
+                    dahash = hashlib.sha1(da2patched[:hashlen]).digest()
+                elif hashmode == 2:
+                    dahash = hashlib.sha256(da2patched[:hashlen]).digest()
+                da1patched = da1[:hashaddr] + dahash + da1[hashaddr+hashlen:]
+                return da1patched, da2patched
+        self.mtk.daloader.patch = False
+        return da1, da2
diff --git a/mtkclient/Library/mtk_preloader.py b/mtkclient/Library/mtk_preloader.py
@@ -13,6 +13,7 @@
 
 from mtkclient.Library.utils import LogBase, logsetup
 from mtkclient.Library.error import ErrorHandler
+from mtkclient.config.brom_config import damodes
 
 USBDL_BIT_EN = 0x00000001  # 1: download bit enabled
 USBDL_BROM = 0x00000002  # 0: usbdl by brom; 1: usbdl by bootloader
@@ -267,7 +268,7 @@ def init(self, maxtries=None, display=True):
                 self.send_root_cert(certdata)
             else:
                 self.error(f"Couldn't find cert file {self.config.cert}")
-        if self.config.target_config["sla"]:
+        if self.config.target_config["sla"] and self.config.chipconfig.damode == damodes.XML:
             self.handle_sla(func=None, isbrom=self.config.is_brom)
         return True
 
@@ -1146,6 +1147,8 @@ def handle_sla(self, func=None, isbrom: bool = True):
             for key in rsakeys:
                 if self.echo(self.Cmd.SLA.value):
                     status = self.rword()
+                    if status == 0x7017:
+                        return True
                     if status > 0xFF:
                         self.error(f"Send auth error:{self.eh.status(status)}")
                         return False

diff --git a/mtkclient/Library/pltools.py b/mtkclient/Library/pltools.py
@@ -77,6 +77,7 @@ def runpayload(self, filename, offset=0, ack=0xA1A2A3A4, addr=None, dontack=Fals
         ack = self.exploit.runpayload(payload, ack, addr, dontack)
         if ack == ack:
             self.info("Successfully sent payload: " + filename)
+            self.mtk.daloader.patch = True
             return True
         elif ack == b"\xc1\xc2\xc3\xc4":
             if "preloader" in rf.name: