This repository contains a modified version of Blasty's exploit for the Amlogic A113X SoC, adapted to work with the Amlogic S905X2, S905X3, and S922X SoCs. Thanks to Taco for the assistance in modifying the original exploit.
- Compatibility with CoreELEC versions 19.5, 20.2, and 21
- Added
dump_memfunction to read from RAM and SRAM - Tested on Linux/arm64 kernel 4.9.269
Note: This module does not work with CoreELEC versions 20.3 or 20.4.
- CoreELEC: Ensure CoreELEC (versions 19.5-21) is booted on the target device.
- SMB Server: Use CoreELEC’s default SMB server to transfer files to the target.
- Clone or download the repository files.
- Transfer the following files to the
Downloadsfolder of CoreELEC:aml_pwnkhax.koload_lkm.sh
- Establish an SSH or UART connection to the CoreELEC device.
ssh root@<ip_address_of_device> # Example: ssh root@192.168.x.xDefault SSH password:
coreelec
- Load the kernel exploit module:
./load_lkm.sh
- Use
aml_pwnto dump different parts of the system memory:- Dump BootROM/BL1:
./aml_pwn dump_bootrom bootrom.bin
- Dump efuse/OTP pattern:
./aml_pwn dump_otp otp.bin
- Dump efuse values from SRAM:
./aml_pwn dump_mem 0x800 0xfffe0000 efuse.bin
- Dump decrypted BL2 from SRAM:
./aml_pwn dump_mem 0x10000 0xfffa0000 bl2.bin
- Dump BootROM/BL1:
To compile the necessary tools and kernel modules, follow these steps:
Download and install the GCC toolchain:
Install GCC for AArch64 cross-compilation:
sudo apt install gcc-aarch64-linux-gnuUse the Linux/arm64 kernel 4.9.269 configuration for compilation:
Watch a demo of the exploit in action on YouTube:
- Exploit originally discovered by Blasty for the Amlogic A113X SoC
- Modification for S905X2, S905X3, and S922X SoCs thanks to Taco
This project is licensed under the MIT License – see the LICENSE file for details.