Skip to content

Raxone/amlogic-usbdl_s905x2

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

bin

bin

 
 

password

password

 
 

payloads

payloads

 
 

python

python

 
 

scripts

scripts

 
 

src

src

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

memdump_over_usb_all.bin

memdump_over_usb_all.bin

 
 

memdump_over_usb_bl1.bin

memdump_over_usb_bl1.bin

 
 

memdump_over_usb_efuse.bin

memdump_over_usb_efuse.bin

 
 

Repository files navigation

unsigned code loader for Amlogic bootrom

Changes

  • 22.07.2023
  • add support for usb password protect
  • fix some script

Disclaimer

You will be solely responsible for any damage caused to your hardware/software/warranty/data/cat/etc...

Description

Amlogic bootrom supports booting from USB. This method of boot requires an USB host to send a signed bootloader to the bootrom via USB port.

This tool exploits a vulnerability in the USB download mode to load and run unsigned code in Secure World.

Supported targets

  • A95x Max secured
  • Probably work with all s905x2 box.

Scripts

  • all.sh
  • Dump bootloader+dtb, convert dtb to dts, dump efuse/sram extract asekey and iv,decrypt bootloader.
  • All files be in dump_all dir.

Usage

Box must be in usbdl mod. To put box to usbdl mod with toothpick in AV hole on box push button and connect box with USB-A to USB-A cable with PC, keep pressed (10sec) after connect usb cable with pc.

  • git clone https://github.com/Raxone/amlogic-usbdl_s905x2.git

  • cd amlogic-usbdl_s905x2

  • If board usb password protect, put password file in password folder,and rename to password.bin

  • chmod +x -R . -fix permission.Command is with point

  • ./scripts/all.sh

  • All files be in dump_all dir.

  • If board in nonsecured mode

  • Only dump boot.bin dtb.bin bootloader.bin efuse.bin and extract dtb.bin to dts.

  • If board in secured mode

  • bl2aeskey -Bootloader(BL2) aeskey used for decrypt bootloader.

  • bl2aesiv -Bootloader(BL2) initialization vector(IV)used for decrypt bootloader.bin.

  • bootloader.bin -Dumped main bootloader from box(BL2,FIP,BL3.1,BL33(U-boot)).

  • bootloader_dec.bin -Decrypted bootloader.bin

  • dtb.bin -Device tree blob binary

  • dtb_dts -Device tree blob txt

  • root_rsa_keys.sha -sha256 of rootkeys used for encrypt booloader.

  • pattern.secureboot.efuse -pattern burned in efuse from manufacturer to enable secureboot

  • Extract bootloader with gxlimg to part (bl2,bl30,bl31,bl33_u-boot) folder image.

./amlogic-usbdl <input_file> [<output_file>]
	input_file: payload binary to load and execute (max size 65280 bytes)
	output_file: file to write data returned by payload

Payloads

Payloads are raw binary AArch64 executables. Some are provided in directory payloads/.

License

Please see LICENSE.

About

s905x2 Dump Bootrom BL1

Resources

Readme

License

GPL-3.0 license
Activity

Stars

11 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages