Skip to content

Raxone/amlogic-usbdl_s905x2

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
bin
bin
 
 
password
password
 
 
payloads
payloads
 
 
python
python
 
 
scripts
scripts
 
 
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

unsigned code loader for Amlogic bootrom

Changes

  • 14.09.2024
  • add extract acs.bin, bl33.bin(U-boot_LZ4)
  • fix some script

Disclaimer

You will be solely responsible for any damage caused to your hardware/software/warranty/data/cat/etc...

Description

Amlogic bootrom supports booting from USB. This method of boot requires an USB host to send a signed bootloader to the bootrom via USB port.

This tool exploits a vulnerability in the USB download mode to load and run unsigned code in Secure World.

Supported targets

  • A95x Max secured
  • Probably work with all s905x2 box.

Scripts

  • all.sh
  • Dump bootloader+dtb, convert dtb to dts, dump efuse/sram extract asekey and iv,decrypt bootloader.
  • All files be in dump_all dir.

Usage

Box must be in usbdl mod. To put box to usbdl mod with toothpick in AV hole on box push button and connect box with USB-A to USB-A cable with PC, keep pressed (10sec) after connect usb cable with pc.

  • git clone https://github.com/Raxone/amlogic-usbdl_s905x2.git

  • cd amlogic-usbdl_s905x2

  • If board usb password protect, put password file in password folder,and rename to password.bin

  • ./scripts/all.sh

  • All files be in dump_all dir.

  • If board in nonsecured mode

  • Only dump boot.bin dtb.bin bootloader.bin efuse.bin and extract dtb.bin to dts.

  • If board in secured mode

  • bl2aeskey -Bootloader(BL2) aeskey used for decrypt bootloader.

  • bl2aesiv -Bootloader(BL2) initialization vector(IV)used for decrypt bootloader.bin.

  • bootloader.bin -Dumped main bootloader from box(BL2,FIP,BL3.1,BL33(U-boot)).

  • bootloader_dec.bin -Decrypted bootloader.bin

  • dtb.bin -Device tree blob binary

  • dtb_dts -Device tree blob txt

  • root_rsa_keys.sha -sha256 of rootkeys used for encrypt booloader.

  • pattern.secureboot.efuse -pattern burned in efuse from manufacturer to enable secureboot

  • Extract bootloader with gxlimg to part (bl2,bl30,bl31,bl33_u-boot) folder image.

./amlogic-usbdl <input_file> [<output_file>]
	input_file: payload binary to load and execute (max size 65280 bytes)
	output_file: file to write data returned by payload

Payloads

Payloads are raw binary AArch64 executables. Some are provided in directory payloads/.

License

Please see LICENSE.

About

s905x2 Dump Bootrom BL1

Resources

Readme

License

GPL-3.0 license
Activity

Stars

19 stars

Watchers

1 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages