Reboot on T8011, fails

Question

Reboot on T8011, fails

alfiecg24 opened this issue a year ago · comments

Hi, every time I run openra1n on my T8011 device this is what gets output to the terminal:

-=-=- openra1n -=-=-
[INFO] (openra1n.c:1058) --> Waiting for DFU mode device
[DEBUG] (openra1n.c:1038) --> Stage 1 succeeded
[INFO] (openra1n.c:1026) --> Setting up the exploit (this is the heap spray)
[DEBUG] (openra1n.c:1038) --> Stage 2 succeeded
[DEBUG] (openra1n.c:1038) --> Stage 3 succeeded
[INFO] (openra1n.c:1033) --> Right before trigger (this is the real bug setup)
[DEBUG] (openra1n.c:911) --> setting up stage 2 for t8011
[DEBUG] (openra1n.c:929) --> successfully leaked data
[DEBUG] (openra1n.c:935) --> i = 0
[DEBUG] (openra1n.c:935) --> i = 1
[DEBUG] (openra1n.c:1038) --> Stage 0 succeeded

The device then reboots. This may be to do with A10X support in gaster being broken, I will try and look into it myself over the next few days too.

Hakim BOUKHADRA · Answer 1 · Thu Jul 13 2023 21:06:49 GMT+0800 (China Standard Time)

what driver show on devicemanager on that state?
also did you tried safe dfu? like put on recovery mode then start dfu process from that state?

Alfie CG · Answer 2 · Thu Jul 13 2023 21:38:09 GMT+0800 (China Standard Time)

I’m not sure what you mean by the driver on device manager? Is that a Windows thing? Because I’m using Mac.

Also, I did try with safe DFU - it seems to be an issue with the payload that causes the reboot.

Hakim BOUKHADRA · Answer 3 · Thu Jul 13 2023 22:42:55 GMT+0800 (China Standard Time)

nvm, for me you have issue on windows xD, try dora fork for openra1n he did some change about payloads, idk maybe can help your issue on mac,

Alfie CG · Answer 4 · Thu Jul 13 2023 23:22:32 GMT+0800 (China Standard Time)

I tried the fork yesterday, it didn’t work either. I think my next step will be using Wireshark to sniff the USB transfers while booting PongoOS with checkra1n 0.1337.2 and grabbing overwrite/payload that way. If that doesn’t work, I’ll have to look into the exploit code itself.

Hakim BOUKHADRA · Answer 5 · Fri Jul 14 2023 15:34:14 GMT+0800 (China Standard Time)

by any chance is this on M1 or usb-c cable?!, also can you build with libusb on macos and see if same issue?

Alfie CG · Answer 6 · Fri Jul 14 2023 18:37:05 GMT+0800 (China Standard Time)

I am indeed using an M1 Mac, using a USB hub + USB-A lightning cable. Just as I was testing with libusb, it booted pongoOS successfully, but I've tried again several times and it doesn't seem to work. Perhaps it just has a very low success rate...

Alfie CG · Answer 7 · Fri Jul 14 2023 18:42:48 GMT+0800 (China Standard Time)

It seems to be working reliably with both libusb and IOKit now, I must have had a broken cable or something. Closing the issue now as it is no longer present.

ranzhie07 · Answer 8 · Mon Jul 17 2023 20:00:10 GMT+0800 (China Standard Time)

can u tell how to compile that works on windows? thanks