# BL31 Exploit for the Amlogic s905x2, s905x3 and s922x SoCs

- The vulnerability was discovered by Blasty for the Amlogic a113x.
- https://github.com/blasty/sonos

This is a modification of Blasty's exploit, made to work on the Amlogic s905x2, s905x3 and s922x (thanks Taco) SoCs.
A memory dumping function (dump_mem) has been added to read RAM and SRAM.
The compiled Lkm_module is compatible with CoreELEC versions 19.5, 20.2 and 21 (Linux/arm64 4.9.269 kernel configuration).
- P.S. This module does not work on CE 20.3 or CE 20.4.
All source has been compiled and is ready to use.
# How to use

CoreELEC (version 19.5 to 21) must be booted on the target device to run the exploit.
Use CoreELEC's default SMB server to copy the exploit files to the target.
Transfer aml_pwn, khax.ko and load_lkm.sh to the Downloads folder of CoreELEC.
To run the exploit, establish an SSH or UART connection to the Amlogic box.
# SSH example

- ssh root@ip_addr_box (for example: ssh root@192.168.x.x); the default SSH password is "coreelec"
- ./load_lkm.sh (loads the khax exploit module required by aml_pwn)
- ./aml_pwn dump_bootrom bootrom.bin (dumps the boot ROM / BL1)
- ./aml_pwn dump_otp otp.bin (dumps the efuse/OTP pattern)
- ./aml_pwn dump_mem 0x800 0xfffe0000 efuse.bin (dumps the efuse values from SRAM)
- ./aml_pwn dump_mem 0x10000 0xfffa0000 bl2.bin (dumps the decrypted BL2 from SRAM)
# Compilation resources

- GCC for aml_pwn
- GCC for lkm
  - sudo apt install gcc-aarch64-linux-gnu
- Linux/arm64 4.9.269 kernel configuration

# Video demo

- YouTube: https://youtu.be/i1MrdO4PWYw