diff --git a/OpenMico-Bypass/README.md b/OpenMico-Bypass/README.md new file mode 100644 index 0000000..c2e8674 --- /dev/null +++ b/OpenMico-Bypass/README.md @@ -0,0 +1,20 @@ +## How to turn off SPFlash verification +----- + +- If this is the first time you run this program on this computer: +``` +1 Make sure you have installed'Python 3.6.X' or higher and ADDED TO THE PATH +2 Make sure you have installed'python-pip3' +3 Install pyusb, json5 with command 'pip install pyusb json5' +4 Install UsbDK +``` +- How to use +``` +If you confirm that the above steps have been completed, then Run +'python bypass.py' in Windows Powershell and +connect your powered off phone with volume+ button, +you should get "Protection disabled" at the end then start Smartphone Flash Tool, +(you need to re-run them after each operation is completed). +``` + +- Based on https://github.com/MTK-bypass/bypass_utility \ No newline at end of file diff --git a/OpenMico-Bypass/bypass.py b/OpenMico-Bypass/bypass.py new file mode 100644 index 0000000..dd3b623 --- /dev/null +++ b/OpenMico-Bypass/bypass.py 
@@ -0,0 +1,193 @@ +#!/bin/python3 +from src .exploit import exploit #line:3 +from src .common import from_bytes ,to_bytes #line:4 +from src .config import Config #line:5 +from src .device import Device #line:6 +from src .logger import log #line:7 +from src .bruteforce import bruteforce #line:8 +import argparse #line:10 +import os #line:11 +DEFAULT_CONFIG ="default_config.json5"#line:13 +PAYLOAD_DIR ="payloads/"#line:14 +DEFAULT_PAYLOAD ="generic_dump_payload.bin"#line:15 +DEFAULT_DA_ADDRESS =0x200D00 #line:16 +def main ():#line:19 + O00O000O0O00OO0OO =argparse .ArgumentParser ()#line:20 + O00O000O0O00OO0OO .add_argument ("-c","--config",help ="Device config")#line:21 + O00O000O0O00OO0OO .add_argument ("-t","--test",help ="Testmode",const ="0x9900",nargs ='?')#line:22 + O00O000O0O00OO0OO .add_argument ("-w","--watchdog",help ="Watchdog address(in hex)")#line:23 + O00O000O0O00OO0OO .add_argument ("-u","--uart",help ="UART base address(in hex)")#line:24 + O00O000O0O00OO0OO .add_argument ("-v","--var_1",help ="var_1 value(in hex)")#line:25 + O00O000O0O00OO0OO .add_argument ("-a","--payload_address",help ="payload_address value(in hex)")#line:26 + O00O000O0O00OO0OO .add_argument ("-p","--payload",help ="Payload to use")#line:27 + O00O000O0O00OO0OO .add_argument ("-f","--force",help ="Force exploit on insecure device",action ="store_true")#line:28 + O00O000O0O00OO0OO .add_argument ("-n","--no_handshake",help ="Skip handshake",action ="store_true")#line:29 + O00O000O0O00OO0OO .add_argument ("-m","--crash_method",help ="Method to use for crashing preloader (0, 1, 2)",type =int )#line:30 + O00O000O0O00OO0OO .add_argument ("-k","--kamakiri",help ="Force use of kamakiri",action ="store_true")#line:31 + OOO00O0000000O0O0 =O00O000O0O00OO0OO .parse_args ()#line:32 + if OOO00O0000000O0O0 .config :#line:34 + if not os .path .exists (OOO00O0000000O0O0 .config ):#line:35 + raise RuntimeError ("Config file {} doesn't exist".format (OOO00O0000000O0O0 .config ))#line:36 + elif not os 
.path .exists (DEFAULT_CONFIG ):#line:37 + raise RuntimeError ("Default config is missing")#line:38 + O0O0O00O0OOO0OOOO =Device ().find ()#line:40 + O00O0OOOOO00O0O0O ,OOO0OOO0OOOO0000O ,O0O0O0000OOO000OO ,OOO0000O00OO000OO =get_device_info (O0O0O00O0OOO0OOOO ,OOO00O0000000O0O0 )#line:42 + while O0O0O00O0OOO0OOOO .preloader :#line:44 + O0O0O00O0OOO0OOOO =crash_preloader (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O )#line:45 + O00O0OOOOO00O0O0O ,OOO0OOO0OOOO0000O ,O0O0O0000OOO000OO ,OOO0000O00OO000OO =get_device_info (O0O0O00O0OOO0OOOO ,OOO00O0000000O0O0 )#line:46 + log ("Disabling watchdog timer")#line:48 + O0O0O00O0OOO0OOOO .write32 (O00O0OOOOO00O0O0O .watchdog_address ,0x22000064 )#line:49 + if O0O0O00O0OOO0OOOO .libusb0 :#line:51 + OOO00O0000000O0O0 .kamakiri =True #line:52 + O00O0OO000O00OOOO ="bootrom_"+hex (OOO0000O00OO000OO )[2 :]+".bin"#line:54 + if OOO00O0000000O0O0 .test and not OOO00O0000000O0O0 .kamakiri :#line:56 + OOO000OOOOO0O0OOO =int (OOO00O0000000O0O0 .test ,16 )#line:57 + O0O00OOO0OO00O0O0 =False #line:58 + while not O0O00OOO0OO00O0O0 :#line:59 + log ("Test mode, testing "+hex (OOO000OOOOO0O0OOO )+"...")#line:60 + O0O00OOO0OO00O0O0 ,OOO000OOOOO0O0OOO =bruteforce (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OOO000OOOOO0O0OOO )#line:61 + O0O0O00O0OOO0OOOO .dev .close ()#line:62 + reconnect_message ()#line:63 + O0O0O00O0OOO0OOOO =Device ().find (wait =True )#line:64 + O0O0O00O0OOO0OOOO .handshake ()#line:65 + while O0O0O00O0OOO0OOOO .preloader :#line:66 + O0O0O00O0OOO0OOOO =crash_preloader (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O )#line:67 + O0O0O00O0OOO0OOOO .handshake ()#line:68 + log ("Found "+hex (OOO000OOOOO0O0OOO )+", dumping bootrom to {}".format (O00O0OO000O00OOOO ))#line:69 + open (O00O0OO000O00OOOO ,"wb").write (bruteforce (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OOO000OOOOO0O0OOO ,True ))#line:70 + exit (0 )#line:71 + if OOO0OOO0OOOO0000O or O0O0O0000OOO000OO or OOO00O0000000O0O0 .force :#line:73 + log ("Disabling protection")#line:74 + OO0O00O0O0O00OO00 
=prepare_payload (O00O0OOOOO00O0O0O )#line:76 + OO0O0OOOO0000OO0O =exploit (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OO0O00O0O0O00OO00 ,OOO00O0000000O0O0 )#line:78 + if OOO00O0000000O0O0 .test :#line:79 + while not OO0O0OOOO0000OO0O :#line:80 + O0O0O00O0OOO0OOOO .dev .close ()#line:81 + O00O0OOOOO00O0O0O .var_1 +=1 #line:82 + log ("Test mode, testing "+hex (O00O0OOOOO00O0O0O .var_1 )+"...")#line:83 + reconnect_message ()#line:84 + O0O0O00O0OOO0OOOO =Device ().find (wait =True )#line:85 + O0O0O00O0OOO0OOOO .handshake ()#line:86 + while O0O0O00O0OOO0OOOO .preloader :#line:87 + O0O0O00O0OOO0OOOO =crash_preloader (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O )#line:88 + O0O0O00O0OOO0OOOO .handshake ()#line:89 + OO0O0OOOO0000OO0O =exploit (O0O0O00O0OOO0OOOO ,O00O0OOOOO00O0O0O ,OO0O00O0O0O00OO00 ,OOO00O0000000O0O0 )#line:90 + else :#line:91 + log ("Insecure device, sending payload using send_da")#line:92 + if not OOO00O0000000O0O0 .payload :#line:94 + O00O0OOOOO00O0O0O .payload =DEFAULT_PAYLOAD #line:95 + if not OOO00O0000000O0O0 .payload_address :#line:96 + O00O0OOOOO00O0O0O .payload_address =DEFAULT_DA_ADDRESS #line:97 + OO0O00O0O0O00OO00 =prepare_payload (O00O0OOOOO00O0O0O )#line:99 + OO0O00O0O0O00OO00 +=b'\x00'*0x100 #line:101 + O0O0O00O0OOO0OOOO .send_da (O00O0OOOOO00O0O0O .payload_address ,len (OO0O00O0O0O00OO00 ),0x100 ,OO0O00O0O0O00OO00 )#line:103 + O0O0O00O0OOO0OOOO .jump_da (O00O0OOOOO00O0O0O .payload_address )#line:104 + OO0O0OOOO0000OO0O =O0O0O00O0OOO0OOOO .read (4 )#line:106 + if OO0O0OOOO0000OO0O ==to_bytes (0xA1A2A3A4 ,4 ):#line:108 + log ("Protection disabled")#line:109 + elif OO0O0OOOO0000OO0O ==to_bytes (0xC1C2C3C4 ,4 ):#line:110 + dump_brom (O0O0O00O0OOO0OOOO ,O00O0OO000O00OOOO )#line:111 + elif OO0O0OOOO0000OO0O ==to_bytes (0x0000C1C2 ,4 )and O0O0O00O0OOO0OOOO .read (4 )==to_bytes (0xC1C2C3C4 ,4 ):#line:112 + dump_brom (O0O0O00O0OOO0OOOO ,O00O0OO000O00OOOO ,True )#line:113 + elif OO0O0OOOO0000OO0O !=b'':#line:114 + raise RuntimeError ("Unexpected result 
{}".format (OO0O0OOOO0000OO0O .hex ()))#line:115 + else :#line:116 + log ("Payload did not reply")#line:117 + O0O0O00O0OOO0OOOO .close ()#line:119 +def reconnect_message ():#line:121 + print ("")#line:122 + print ("Please reconnect device in bootrom mode")#line:123 + print ("")#line:124 +def dump_brom (OOO000OO0O0000O0O ,O0O0OOOOO0O000000 ,word_mode =False ):#line:126 + log ("Found send_dword, dumping bootrom to {}".format (O0O0OOOOO0O000000 ))#line:127 + with open (O0O0OOOOO0O000000 ,"wb")as OO0O0OO0O0O0OOO00 :#line:129 + if word_mode :#line:130 + for OO0OOOOOOO0O00000 in range (0x20000 //4 ):#line:131 + OOO000OO0O0000O0O .read (4 )#line:132 + OO0O0OO0O0O0OOO00 .write (OOO000OO0O0000O0O .read (4 ))#line:133 + else :#line:134 + OO0O0OO0O0O0OOO00 .write (OOO000OO0O0000O0O .read (0x20000 ))#line:135 +def prepare_payload (O00OO00OOOO0OO0O0 ):#line:138 + with open (PAYLOAD_DIR +O00OO00OOOO0OO0O0 .payload ,"rb")as OO0OO0OOOO0O0O000 :#line:139 + OO0OO0OOOO0O0O000 =OO0OO0OOOO0O0O000 .read ()#line:140 + OO0OO0OOOO0O0O000 =bytearray (OO0OO0OOOO0O0O000 )#line:143 + if from_bytes (OO0OO0OOOO0O0O000 [-4 :],4 ,'<')==0x10007000 :#line:144 + OO0OO0OOOO0O0O000 [-4 :]=to_bytes (O00OO00OOOO0OO0O0 .watchdog_address ,4 ,'<')#line:145 + if from_bytes (OO0OO0OOOO0O0O000 [-8 :][:4 ],4 ,'<')==0x11002000 :#line:146 + OO0OO0OOOO0O0O000 [-8 :]=to_bytes (O00OO00OOOO0OO0O0 .uart_base ,4 ,'<')+OO0OO0OOOO0O0O000 [-4 :]#line:147 + OO0OO0OOOO0O0O000 =bytes (OO0OO0OOOO0O0O000 )#line:148 + while len (OO0OO0OOOO0O0O000 )%4 !=0 :#line:150 + OO0OO0OOOO0O0O000 +=to_bytes (0 )#line:151 + return OO0OO0OOOO0O0O000 #line:153 +def get_device_info (O00000OOOO00O0OO0 ,OO0000O0000OOOO00 ):#line:156 + if not OO0000O0000OOOO00 .no_handshake :#line:157 + O00000OOOO00O0OO0 .handshake ()#line:158 + O0O000000OO0O000O =O00000OOOO00O0OO0 .get_hw_code ()#line:160 + O00OOO0OO00OO0O0O ,O0OO0OOO0OO0OO0O0 ,OO0O000OO0OOOOOOO =O00000OOOO00O0OO0 .get_hw_dict ()#line:161 + O000O0OO0O0O00O0O ,O0O00O0OO0OO0O0O0 ,O0000000OO0OOO0OO 
=O00000OOOO00O0OO0 .get_target_config ()#line:162 + if OO0000O0000OOOO00 .config :#line:164 + O00O0000000O0OOOO =open (OO0000O0000OOOO00 .config )#line:165 + O00O00OOO0OO00000 =Config ().from_file (O00O0000000O0OOOO ,O0O000000OO0O000O )#line:166 + O00O0000000O0OOOO .close ()#line:167 + else :#line:168 + try :#line:169 + O00O00OOO0OO00000 =Config ().default (O0O000000OO0O000O )#line:170 + except NotImplementedError as OO0OO0OOO0OO0OOOO :#line:171 + if OO0000O0000OOOO00 .test :#line:172 + O00O00OOO0OO00000 =Config ()#line:173 + log (OO0OO0OOO0OO0OOOO )#line:175 + else :#line:176 + raise OO0OO0OOO0OO0OOOO #line:177 + if OO0000O0000OOOO00 .test :#line:179 + O00O00OOO0OO00000 .payload =DEFAULT_PAYLOAD #line:180 + if OO0000O0000OOOO00 .var_1 :#line:181 + O00O00OOO0OO00000 .var_1 =int (OO0000O0000OOOO00 .var_1 ,16 )#line:182 + if OO0000O0000OOOO00 .watchdog :#line:183 + O00O00OOO0OO00000 .watchdog_address =int (OO0000O0000OOOO00 .watchdog ,16 )#line:184 + if OO0000O0000OOOO00 .uart :#line:185 + O00O00OOO0OO00000 .uart_base =int (OO0000O0000OOOO00 .uart ,16 )#line:186 + if OO0000O0000OOOO00 .payload_address :#line:187 + O00O00OOO0OO00000 .payload_address =int (OO0000O0000OOOO00 .payload_address ,16 )#line:188 + if OO0000O0000OOOO00 .payload :#line:189 + O00O00OOO0OO00000 .payload =OO0000O0000OOOO00 .payload #line:190 + if OO0000O0000OOOO00 .crash_method :#line:191 + O00O00OOO0OO00000 .crash_method =OO0000O0000OOOO00 .crash_method #line:192 + if not os .path .exists (PAYLOAD_DIR +O00O00OOO0OO00000 .payload ):#line:195 + raise RuntimeError ("Payload file {} doesn't exist".format (PAYLOAD_DIR +O00O00OOO0OO00000 .payload ))#line:196 + print ()#line:198 + log ("Reading device information...")#line:199 + log ("Device hw code: {}".format (hex (O0O000000OO0O000O )))#line:200 + if format (hex (O0O000000OO0O000O ))!="0x8167":#line:201 + log ("The connected device is not supported")#line:202 + sys .exit (1 )#line:203 + log ("Device hw sub code: {}".format (hex (O00OOO0OO00OO0O0O 
)))#line:204 + log ("Device hw version: {}".format (hex (O0OO0OOO0OO0OO0O0 )))#line:205 + log ("Device sw version: {}".format (hex (OO0O000OO0OOOOOOO )))#line:206 + log ("Device secure boot: {}".format (O000O0OO0O0O00O0O ))#line:207 + log ("Device serial link authorization: {}".format (O0O00O0OO0OO0O0O0 ))#line:208 + log ("Device download agent authorization: {}".format (O0000000OO0OOO0OO ))#line:209 + print ()#line:210 + return O00O00OOO0OO00000 ,O0O00O0OO0OO0O0O0 ,O0000000OO0OOO0OO ,O0O000000OO0O000O #line:212 +def crash_preloader (O0OOO0000O0OOO0OO ,OO0O00O0O000O0O0O ):#line:214 + print ("")#line:215 + log ("Found device in preloader mode, trying to crash...")#line:216 + print ("")#line:217 + if OO0O00O0O000O0O0O .crash_method ==0 :#line:218 + try :#line:219 + O00OOO000OOO0OO00 =b'\x00\x01\x9F\xE5\x10\xFF\x2F\xE1'+b'\x00'*0x110 #line:220 + O0OOO0000O0OOO0OO .send_da (0 ,len (O00OOO000OOO0OO00 ),0 ,O00OOO000OOO0OO00 )#line:221 + O0OOO0000O0OOO0OO .jump_da (0 )#line:222 + except RuntimeError as OO000O00OOOOO00OO :#line:223 + log (OO000O00OOOOO00OO )#line:224 + print ("")#line:225 + elif OO0O00O0O000O0O0O .crash_method ==1 :#line:226 + O00OOO000OOO0OO00 =b'\x00'*0x100 #line:227 + O0OOO0000O0OOO0OO .send_da (0 ,len (O00OOO000OOO0OO00 ),0x100 ,O00OOO000OOO0OO00 )#line:228 + O0OOO0000O0OOO0OO .jump_da (0 )#line:229 + elif OO0O00O0O000O0O0O .crash_method ==2 :#line:230 + O0OOO0000O0OOO0OO .read32 (0 )#line:231 + O0OOO0000O0OOO0OO .dev .close ()#line:233 + O0OOO0000O0OOO0OO =Device ().find ()#line:235 + return O0OOO0000O0OOO0OO #line:237 +if __name__ =="__main__":#line:240 + main ()#line:241 diff --git a/OpenMico-Bypass/default_config.json5 b/OpenMico-Bypass/default_config.json5 new file mode 100644 index 0000000..05d17eb --- /dev/null +++ b/OpenMico-Bypass/default_config.json5 @@ -0,0 +1,8 @@ +{ + "0x8167": { // mt8516 + "var_1": 0xCC, + "payload": "mt8167_payload.bin", + "ptr_usbdl": 0xd2e4, + "ptr_da": 0xd7ac, + }, +} 
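Review bot: `sys.exit(1)` in get_device_info (the `#line:203` statement in the unsupported-device branch) raises NameError, because the module imports only `argparse` and `os`; add `import sys` beside them, or write `raise SystemExit(1)`, so that path ends with the intended status instead of a traceback. The check just before it, `format(hex(hw_code)) != "0x8167"`, wraps a str in a no-op `format()` and repeats the key from default_config.json5 as a literal; `hw_code != 0x8167` with the value named once as a module constant would be clearer. In main, `open(filename, "wb").write(...)` at `#line:70` relies on refcount finalisation to flush and close the dump file, unlike dump_brom which uses `with`; make it `with open(filename, "wb") as f: f.write(...)`. The whole module is name-mangled (`O00O000O0O00OO0OO` and similar), which makes reviewing the device-facing control flow far harder than necessary; if an unmangled source exists it should be what is committed.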
diff --git a/OpenMico-Bypass/libusb-1.0.dll b/OpenMico-Bypass/libusb-1.0.dll new file mode 100644 index 0000000..a2ef58e Binary files /dev/null and b/OpenMico-Bypass/libusb-1.0.dll differ diff --git a/OpenMico-Bypass/payloads/8167_hikaru-resign.bin b/OpenMico-Bypass/payloads/8167_hikaru-resign.bin new file mode 100644 index 0000000..2770326 Binary files /dev/null and b/OpenMico-Bypass/payloads/8167_hikaru-resign.bin differ diff --git a/OpenMico-Bypass/payloads/generic_dump_payload.bin b/OpenMico-Bypass/payloads/generic_dump_payload.bin new file mode 100644 index 0000000..54142d2 Binary files /dev/null and b/OpenMico-Bypass/payloads/generic_dump_payload.bin differ diff --git a/OpenMico-Bypass/payloads/generic_loader_payload.bin b/OpenMico-Bypass/payloads/generic_loader_payload.bin new file mode 100644 index 0000000..bbaacaf Binary files /dev/null and b/OpenMico-Bypass/payloads/generic_loader_payload.bin differ diff --git a/OpenMico-Bypass/payloads/generic_reboot_payload.bin b/OpenMico-Bypass/payloads/generic_reboot_payload.bin new file mode 100644 index 0000000..6888ce3 Binary files /dev/null and b/OpenMico-Bypass/payloads/generic_reboot_payload.bin differ diff --git a/OpenMico-Bypass/payloads/generic_uart_dump_payload.bin b/OpenMico-Bypass/payloads/generic_uart_dump_payload.bin new file mode 100644 index 0000000..6081304 Binary files /dev/null and b/OpenMico-Bypass/payloads/generic_uart_dump_payload.bin differ diff --git a/OpenMico-Bypass/src/__pycache__/bruteforce.cpython-39.pyc b/OpenMico-Bypass/src/__pycache__/bruteforce.cpython-39.pyc new file mode 100644 index 0000000..6c788aa Binary files /dev/null and b/OpenMico-Bypass/src/__pycache__/bruteforce.cpython-39.pyc differ diff --git a/OpenMico-Bypass/src/__pycache__/common.cpython-39.pyc b/OpenMico-Bypass/src/__pycache__/common.cpython-39.pyc new file mode 100644 index 0000000..5aad3ec Binary files /dev/null and b/OpenMico-Bypass/src/__pycache__/common.cpython-39.pyc differ 
diff --git a/OpenMico-Bypass/src/__pycache__/config.cpython-39.pyc b/OpenMico-Bypass/src/__pycache__/config.cpython-39.pyc new file mode 100644 index 0000000..417c10c Binary files /dev/null and b/OpenMico-Bypass/src/__pycache__/config.cpython-39.pyc differ diff --git a/OpenMico-Bypass/src/__pycache__/device.cpython-39.pyc b/OpenMico-Bypass/src/__pycache__/device.cpython-39.pyc new file mode 100644 index 0000000..8a2d0b5 Binary files /dev/null and b/OpenMico-Bypass/src/__pycache__/device.cpython-39.pyc differ diff --git a/OpenMico-Bypass/src/__pycache__/exploit.cpython-39.pyc b/OpenMico-Bypass/src/__pycache__/exploit.cpython-39.pyc new file mode 100644 index 0000000..26a7847 Binary files /dev/null and b/OpenMico-Bypass/src/__pycache__/exploit.cpython-39.pyc differ diff --git a/OpenMico-Bypass/src/__pycache__/logger.cpython-39.pyc b/OpenMico-Bypass/src/__pycache__/logger.cpython-39.pyc new file mode 100644 index 0000000..4b39ce2 Binary files /dev/null and b/OpenMico-Bypass/src/__pycache__/logger.cpython-39.pyc differ diff --git a/OpenMico-Bypass/src/bruteforce.py b/OpenMico-Bypass/src/bruteforce.py new file mode 100644 index 0000000..508e52a --- /dev/null +++ b/OpenMico-Bypass/src/bruteforce.py 
@@ -0,0 +1,48 @@ +from src .common import to_bytes ,from_bytes #line:1 +import usb #line:3 +import array #line:4 +import struct #line:5 +def bruteforce (O0OOOOO00OOOO000O ,OO00OO0O000000O0O ,O00O00OOOOO0O0OO0 ,dump =False ):#line:7 + O0000000O0O00O0O0 =OO00OO0O000000O0O .watchdog_address +0x50 #line:9 + try :#line:13 + O0OOOOO00OOOO000O .dev .timeout =1 #line:14 + except Exception :#line:15 + pass #line:16 + OOO00OO0000O0O00O =O0OOOOO00OOOO000O .udev #line:18 + try :#line:20 + OOO00OO0000O0O00O ._ctx .managed_claim_interface =lambda *O0OOO0O0OOO0O00OO ,**O00O00000OOOO0O0O :None #line:22 + except AttributeError as OOO0OO000OO0000O0 :#line:23 + raise RuntimeError ("libusb is not installed for port {}".format (O0OOOOO00OOOO000O .dev .port ))from OOO0OO000OO0000O0 #line:24 + OOOO0OO0O00OO00OO =OOO00OO0000O0O00O .ctrl_transfer (0xA1 ,0x21 ,0 ,0 ,7 )+array .array ('B',[0 ])#line:26 + if dump :#line:28 + try :#line:29 + O0OOOOO00OOOO000O .cmd_da (0 ,0 ,1 )#line:30 + O0OOOOO00OOOO000O .read32 (O0000000O0O00O0O0 )#line:31 + except :#line:32 + pass #line:33 + for OO00OO0000O0000OO in range (4 ):#line:35 + OOO00OO0000O0O00O .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OOOO0OO0O00OO00OO +array .array ('B',to_bytes (O00O00OOOOO0O0OO0 -6 +(4 -OO00OO0000O0000OO ),4 ,'<')))#line:36 + OOO00OO0000O0O00O .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:37 + OOO0O0O00O00OOOOO =bytearray (O0OOOOO00OOOO000O .cmd_da (0 ,0 ,0x20000 ))#line:39 + OOO0O0O00O00OOOOO [O00O00OOOOO0O0OO0 -1 :]=b"\x00"+to_bytes (0x100030 ,4 ,'<')+OOO0O0O00O00OOOOO [O00O00OOOOO0O0OO0 +4 :]#line:40 + return OOO0O0O00O00OOOOO #line:41 + else :#line:43 + try :#line:44 + O0OOOOO00OOOO000O .cmd_da (0 ,0 ,1 )#line:45 + O0OOOOO00OOOO000O .read32 (O0000000O0O00O0O0 )#line:46 + except :#line:47 + pass #line:48 + for OOO0O0O0O0O0O000O in range (O00O00OOOOO0O0OO0 ,0xffff ,4 ):#line:50 + for OO00OO0000O0000OO in range (3 ):#line:51 + OOO00OO0000O0O00O .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OOOO0OO0O00OO00OO +array .array ('B',to_bytes 
(OOO0O0O0O0O0O000O -5 +(3 -OO00OO0000O0000OO ),4 ,'<')))#line:52 + OOO00OO0000O0O00O .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:53 + try :#line:54 + if (len (O0OOOOO00OOOO000O .cmd_da (0 ,0 ,0x40 )))==0x40 :#line:55 + return (True ,OOO0O0O0O0O0O000O )#line:56 + except RuntimeError :#line:57 + try :#line:58 + O0OOOOO00OOOO000O .read32 (O0000000O0O00O0O0 )#line:59 + except :#line:60 + return (False ,OOO0O0O0O0O0O000O +4 )#line:61 + except Exception :#line:62 + return (False ,OOO0O0O0O0O0O000O +4 )#line:63 diff --git a/OpenMico-Bypass/src/common.py b/OpenMico-Bypass/src/common.py new file mode 100644 index 0000000..39740eb --- /dev/null +++ b/OpenMico-Bypass/src/common.py @@ -0,0 +1,7 @@ +import struct #line:1 +def raise_ (O0O0OOOOOO0OOOO00 ):#line:4 + raise O0O0OOOOOO0OOOO00 #line:5 +def to_bytes (OO0O00O00O0OO0OO0 ,size =1 ,endian ='>'):#line:8 + return {1 :lambda :struct .pack (endian +'B',OO0O00O00O0OO0OO0 ),2 :lambda :struct .pack (endian +'H',OO0O00O00O0OO0OO0 ),4 :lambda :struct .pack (endian +'I',OO0O00O00O0OO0OO0 )}.get (size ,lambda :raise_ (RuntimeError ("invalid size")))()#line:13 +def from_bytes (O0O00OO0O0000OOOO ,size =1 ,endian ='>'):#line:16 + return {1 :lambda :struct .unpack (endian +'B',O0O00OO0O0000OOOO )[0 ],2 :lambda :struct .unpack (endian +'H',O0O00OO0O0000OOOO )[0 ],4 :lambda :struct .unpack (endian +'I',O0O00OO0O0000OOOO )[0 ]}.get (size ,lambda :raise_ (RuntimeError ("invalid size")))()#line:21 diff --git a/OpenMico-Bypass/src/config.py b/OpenMico-Bypass/src/config.py new file mode 100644 index 0000000..76c7adc --- /dev/null +++ b/OpenMico-Bypass/src/config.py 
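Review bot: When the `for` loop at `#line:50` exhausts its range without reaching either `return`, bruteforce falls off the end and returns `None`, and the caller in bypass.py unpacks the result into two names, so the exhaustion surfaces as a TypeError far from its cause; add an explicit `return (False, 0xffff)` (or raise a RuntimeError saying the range was exhausted) after the loop. The bare `except:` clauses at `#line:32`, `#line:47` and `#line:60` also catch KeyboardInterrupt and SystemExit, so an interrupt during the retry loop is swallowed and reported as one more failed attempt; narrow them to the errors the device calls actually raise (RuntimeError from the status checks and `usb.core.USBError`, as far as the visible code shows). The two branches return different shapes, a bytearray when `dump` is true and a `(bool, int)` tuple otherwise, which the function should document in a docstring. `struct` is imported but never used in this module.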
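Review bot: to_bytes and from_bytes build three lambdas plus a RuntimeError instance on every call just to pick a struct format character; a format table is simpler and only constructs the error on the failing path: `fmt = {1: 'B', 2: 'H', 4: 'I'}.get(size)`, `if fmt is None: raise RuntimeError("invalid size")`, `return struct.pack(endian + fmt, value)`, with the matching `struct.unpack(...)[0]` form in from_bytes, which also makes the `raise_` helper unnecessary. Neither helper has a docstring; a one-liner such as `"""Pack value as an unsigned 1/2/4-byte integer; endian is a struct prefix ('>' big, '<' little)."""` would tell callers what size and endian mean.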
@@ -0,0 +1,43 @@ +import json5 #line:1 +class Config :#line:4 + watchdog_address :int =0x10007000 #line:5 + uart_base :int =0x11002000 #line:6 + payload_address :int =0x100A00 #line:7 + var_0 :int =None #line:8 + var_1 :int =0xA #line:9 + payload :str #line:10 + crash_method :int =0 #line:11 + ptr_usbdl :int =None #line:12 + ptr_da :int =None #line:13 + def default (O00OO000000O000OO ,O0000O0O000OOOOO0 ):#line:15 + O00OO0000OOO0O00O =open ("default_config.json5")#line:16 + O00OO000000O000OO .from_file (O00OO0000OOO0O00O ,O0000O0O000OOOOO0 )#line:17 + O00OO0000OOO0O00O .close ()#line:18 + return O00OO000000O000OO #line:20 + def from_file (OOOOO0OOOOOOO000O ,OOO0O0OO000O0O000 ,OO00OOOO0OOO0O000 ):#line:22 + OO00OOOO0OOO0O000 =hex (OO00OOOO0OOO0O000 )#line:23 + OOO0O0OO000O0O000 =json5 .load (OOO0O0OO000O0O000 )#line:25 + if OO00OOOO0OOO0O000 in OOO0O0OO000O0O000 :#line:27 + OOOOO0OOOOOOO000O .from_dict (OOO0O0OO000O0O000 [OO00OOOO0OOO0O000 ])#line:28 + else :#line:29 + raise NotImplementedError ("Can't find {} hw_code in config".format (OO00OOOO0OOO0O000 ))#line:30 + return OOOOO0OOOOOOO000O #line:32 + def from_dict (O0OO00OO000O0OOOO ,O0O000O0OO0OO00O0 ):#line:34 + if "watchdog_address"in O0O000O0OO0OO00O0 :#line:35 + O0OO00OO000O0OOOO .watchdog_address =O0O000O0OO0OO00O0 ["watchdog_address"]#line:36 + if "uart_base"in O0O000O0OO0OO00O0 :#line:38 + O0OO00OO000O0OOOO .uart_base =O0O000O0OO0OO00O0 ["uart_base"]#line:39 + if "payload_address"in O0O000O0OO0OO00O0 :#line:41 + O0OO00OO000O0OOOO .payload_address =O0O000O0OO0OO00O0 ["payload_address"]#line:42 + if "var_0"in O0O000O0OO0OO00O0 :#line:44 + O0OO00OO000O0OOOO .var_0 =O0O000O0OO0OO00O0 ["var_0"]#line:45 + if "var_1"in O0O000O0OO0OO00O0 :#line:47 + O0OO00OO000O0OOOO .var_1 =O0O000O0OO0OO00O0 ["var_1"]#line:48 + if "crash_method"in O0O000O0OO0OO00O0 :#line:50 + O0OO00OO000O0OOOO .crash_method =O0O000O0OO0OO00O0 ["crash_method"]#line:51 + if "ptr_usbdl"in O0O000O0OO0OO00O0 :#line:53 + O0OO00OO000O0OOOO .ptr_usbdl 
=O0O000O0OO0OO00O0 ["ptr_usbdl"]#line:54 + if "ptr_da"in O0O000O0OO0OO00O0 :#line:56 + O0OO00OO000O0OOOO .ptr_da =O0O000O0OO0OO00O0 ["ptr_da"]#line:57 + O0OO00OO000O0OOOO .payload =O0O000O0OO0OO00O0 ["payload"]#line:59 + return O0OO00OO000O0OOOO #line:61 diff --git a/OpenMico-Bypass/src/device.py b/OpenMico-Bypass/src/device.py new file mode 100644 index 0000000..802a084 --- /dev/null +++ b/OpenMico-Bypass/src/device.py 
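Review bot: from_dict reads `["payload"]` unconditionally at `#line:59` while every other key is guarded, so a config entry without it fails with a bare KeyError instead of a message naming the entry; add `if "payload" not in d: raise NotImplementedError("config entry has no payload")` before the assignment, or give `payload` a class-level default, which it currently lacks (it is annotated only), so a bare `Config()` in test mode has no such attribute until get_device_info assigns it. `default` opens default_config.json5 without a context manager, so the handle is not closed when from_file raises NotImplementedError, which is precisely the path bypass.py catches; use `with open("default_config.json5") as f: self.from_file(f, hw_code)`. `var_0: int = None`, `ptr_usbdl: int = None` and `ptr_da: int = None` should be annotated `Optional[int]` (the README targets Python 3.6, so `int | None` is not available).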
@@ -0,0 +1,271 @@ +from src .common import to_bytes ,from_bytes #line:1 +from src .logger import log #line:2 +import usb #line:3 +import usb .backend .libusb1 #line:4 +import usb .backend .libusb0 #line:5 +from ctypes import c_void_p ,c_int #line:6 +import array #line:7 +import os #line:8 +import time #line:10 +BAUD =115200 #line:12 +TIMEOUT =1 #line:13 +VID ="0E8D"#line:14 +PID ="0003"#line:15 +class Device :#line:18 + def __init__ (O00OOO0OOOOOO00O0 ,port =None ):#line:19 + O00OOO0OOOOOO00O0 .udev =None #line:20 + O00OOO0OOOOOO00O0 .dev =None #line:21 + O00OOO0OOOOOO00O0 .rxbuffer =array .array ('B')#line:22 + O00OOO0OOOOOO00O0 .preloader =False #line:23 + O00OOO0OOOOOO00O0 .timeout =TIMEOUT #line:24 + O00OOO0OOOOOO00O0 .usbdk =False #line:25 + O00OOO0OOOOOO00O0 .libusb0 =False #line:26 + if os .name =='nt':#line:28 + try :#line:29 + O0000O00O000O0000 =os .path .join (os .path .abspath (os .path .dirname (__file__ )),"..")#line:30 + try :#line:31 + os .add_dll_directory (O0000O00O000O0000 )#line:32 + except Exception :#line:33 + pass #line:34 + os .environ ['PATH']=O0000O00O000O0000 +';'+os .environ ['PATH']#line:35 + except Exception :#line:36 + pass #line:37 + def find (O0OOO00OOO0OO0OO0 ,wait =False ):#line:39 + if O0OOO00OOO0OO0OO0 .dev :#line:40 + raise RuntimeError ("Device already found")#line:41 + try :#line:43 + O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb1 .get_backend (find_library =lambda OO0OO00O00000OO0O :"libusb-1.0.dll")#line:44 + if O0OOO00OOO0OO0OO0 .backend :#line:45 + try :#line:46 + O0OOO00OOO0OO0OO0 .backend .lib .libusb_set_option .argtypes =[c_void_p ,c_int ]#line:47 + O0OOO00OOO0OO0OO0 .backend .lib .libusb_set_option (O0OOO00OOO0OO0OO0 .backend .ctx ,1 )#line:48 + O0OOO00OOO0OO0OO0 .usbdk =True #line:49 + except ValueError :#line:50 + log ("Failed enabling UsbDk mode, please use 64-Bit Python and 64-Bit UsbDk")#line:51 + else :#line:52 + O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb1 .get_backend ()#line:53 + except usb .core 
.USBError :#line:54 + O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb1 .get_backend ()#line:55 + log ("MediaTek MT8167 Generic Bypass by Yagami Ko")#line:57 + log ("Waiting for device")#line:58 + if wait :#line:59 + O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:60 + while O0OOO00OOO0OO0OO0 .udev :#line:61 + time .sleep (0.25 )#line:62 + O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:63 + O0OOO00OOO0OO0OO0 .udev =None #line:64 + while not O0OOO00OOO0OO0OO0 .udev :#line:65 + O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:66 + if O0OOO00OOO0OO0OO0 .udev :#line:67 + break #line:68 + time .sleep (0.25 )#line:69 + log ("Found device = {0:04x}:{1:04x}".format (O0OOO00OOO0OO0OO0 .udev .idVendor ,O0OOO00OOO0OO0OO0 .udev .idProduct ))#line:71 + O0OOO00OOO0OO0OO0 .dev =O0OOO00OOO0OO0OO0 #line:72 + try :#line:74 + if O0OOO00OOO0OO0OO0 .udev .is_kernel_driver_active (0 ):#line:75 + O0OOO00OOO0OO0OO0 .udev .detach_kernel_driver (0 )#line:76 + if O0OOO00OOO0OO0OO0 .udev .is_kernel_driver_active (1 ):#line:78 + O0OOO00OOO0OO0OO0 .udev .detach_kernel_driver (1 )#line:79 + except (NotImplementedError ,usb .core .USBError ):#line:81 + pass #line:82 + try :#line:84 + O0OOO00OOO0OO0OO0 .configuration =O0OOO00OOO0OO0OO0 .udev .get_active_configuration ()#line:85 + except (usb .core .USBError ,NotImplementedError )as OO0O0OOO0OO0O0000 :#line:86 + if type (OO0O0OOO0OO0O0000 )is usb .core .USBError and OO0O0OOO0OO0O0000 .errno ==13 or type (OO0O0OOO0OO0O0000 )is NotImplementedError :#line:87 + log ("Failed to enable libusb1, is UsbDk installed?")#line:88 + log ("Falling back to libusb0 (kamakiri only)")#line:89 + O0OOO00OOO0OO0OO0 .backend =usb .backend .libusb0 .get_backend ()#line:90 + O0OOO00OOO0OO0OO0 .udev =usb .core .find (idVendor =int (VID ,16 ),backend =O0OOO00OOO0OO0OO0 .backend )#line:91 + 
O0OOO00OOO0OO0OO0 .libusb0 =True #line:92 + try :#line:93 + O0OOO00OOO0OO0OO0 .udev .set_configuration ()#line:94 + except AttributeError :#line:95 + log ("Failed to enable libusb0")#line:96 + exit (1 )#line:97 + if O0OOO00OOO0OO0OO0 .udev .idProduct !=int (PID ,16 ):#line:99 + O0OOO00OOO0OO0OO0 .preloader =True #line:100 + else :#line:101 + try :#line:102 + O0OOO00OOO0OO0OO0 .udev .set_configuration (1 )#line:103 + usb .util .claim_interface (O0OOO00OOO0OO0OO0 .udev ,0 )#line:104 + usb .util .claim_interface (O0OOO00OOO0OO0OO0 .udev ,1 )#line:105 + except usb .core .USBError :#line:106 + pass #line:107 + OOO0OOOOO00OO0000 =usb .util .find_descriptor (O0OOO00OOO0OO0OO0 .udev .get_active_configuration (),bInterfaceClass =0xA )#line:109 + O0OOO00OOO0OO0OO0 .ep_in =usb .util .find_descriptor (OOO0OOOOO00OO0000 ,custom_match =lambda OO0OO00O0000OO0O0 :usb .util .endpoint_direction (OO0OO00O0000OO0O0 .bEndpointAddress )==usb .util .ENDPOINT_IN )#line:110 + O0OOO00OOO0OO0OO0 .ep_out =usb .util .find_descriptor (OOO0OOOOO00OO0000 ,custom_match =lambda OOOOOO00OOO0OO0OO :usb .util .endpoint_direction (OOOOOO00OOO0OO0OO .bEndpointAddress )==usb .util .ENDPOINT_OUT )#line:111 + try :#line:113 + O0OOO00OOO0OO0OO0 .udev .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,array .array ('B',to_bytes (BAUD ,4 ,'<')+b"\x00\x00\x08"))#line:114 + except usb .core .USBError :#line:115 + pass #line:116 + return O0OOO00OOO0OO0OO0 #line:118 + @staticmethod #line:120 + def check (O0O0OOOOO0OOO0000 ,O000O000O00OO0OO0 ):#line:121 + if O0O0OOOOO0OOO0000 !=O000O000O00OO0OO0 :#line:122 + if type (O0O0OOOOO0OOO0000 )==bytes :#line:123 + O0O0OOOOO0OOO0000 ="0x"+O0O0OOOOO0OOO0000 .hex ()#line:124 + else :#line:125 + O0O0OOOOO0OOO0000 =hex (O0O0OOOOO0OOO0000 )#line:126 + if type (O000O000O00OO0OO0 )==bytes :#line:128 + O000O000O00OO0OO0 ="0x"+O000O000O00OO0OO0 .hex ()#line:129 + else :#line:130 + O000O000O00OO0OO0 =hex (O000O000O00OO0OO0 )#line:131 + raise RuntimeError ("Unexpected output, expected {} got 
{}".format (O000O000O00OO0OO0 ,O0O0OOOOO0OOO0000 ))#line:133 + def close (O0000O000OO0O00O0 ):#line:135 + O0000O000OO0O00O0 .dev =None #line:136 + O0000O000OO0O00O0 .rxbuffer =array .array ('B')#line:137 + try :#line:138 + usb .util .release_interface (O0000O000OO0O00O0 .udev ,0 )#line:139 + usb .util .release_interface (O0000O000OO0O00O0 .udev ,1 )#line:140 + except Exception :#line:141 + pass #line:142 + if not O0000O000OO0O00O0 .usbdk :#line:143 + try :#line:144 + O0000O000OO0O00O0 .udev .reset ()#line:145 + except Exception :#line:146 + pass #line:147 + try :#line:148 + O0000O000OO0O00O0 .udev .attach_kernel_driver (0 )#line:149 + except Exception :#line:150 + pass #line:151 + try :#line:152 + O0000O000OO0O00O0 .udev .attach_kernel_driver (1 )#line:153 + except Exception :#line:154 + pass #line:155 + if not O0000O000OO0O00O0 .usbdk :#line:156 + try :#line:157 + usb .util .dispose_resources (O0000O000OO0O00O0 .udev )#line:158 + except Exception :#line:159 + pass #line:160 + O0000O000OO0O00O0 .udev =None #line:161 + time .sleep (1 )#line:162 + def handshake (O0OO00000OOO0OO0O ):#line:164 + OOO00O000O000O00O =b"\xA0\x0A\x50\x05"#line:165 + O0O0O00O0O00OO0OO =0 #line:166 + while O0O0O00O0O00OO0OO 0xff :#line:205 + raise RuntimeError ("status is {}".format (OOO0O0OO0000O000O .hex ()))#line:206 + for _O00000O0O0OO000OO in range (size ):#line:208 + O000O00OOOOOO0OO0 =from_bytes (OOOOO0OOO0OOOO000 .dev .read (4 ),4 )#line:209 + O0O0O000O0000O00O .append (O000O00OOOOOO0OO0 )#line:210 + OOO0O0OO0000O000O =OOOOO0OOO0OOOO000 .dev .read (2 )#line:212 + if from_bytes (OOO0O0OO0000O000O ,2 )>0xff :#line:213 + raise RuntimeError ("status is {}".format (OOO0O0OO0000O000O .hex ()))#line:214 + if len (O0O0O000O0000O00O )==1 :#line:217 + return O0O0O000O0000O00O [0 ]#line:218 + else :#line:219 + return O0O0O000O0000O00O #line:220 + def write (OOOOOO0000O000O0O ,O0O000OO0O00OO00O ,size =1 ):#line:222 + if type (O0O000OO0O00OO00O )!=bytes :#line:223 + O0O000OO0O00OO00O =to_bytes 
(O0O000OO0O00OO00O ,size )#line:224
+ O0O0000O000O00O00 =0 #line:225
+ while O0O0000O000O00O00 OOOOOO0000O000O0O .ep_out .wMaxPacketSize else len (O0O000OO0O00OO00O )-O0O0000O000O00O00 ],OOOOOO0000O000O0O .timeout *1000 )#line:227
+ O0O0000O000O00O00 +=OOOOOO0000O000O0O .ep_out .wMaxPacketSize #line:228
+ def write32 (O0OOOOOOO0O00O0O0 ,O00O0OOO00O0OO00O ,O0OO0O00OOO0O000O ,check_status =True ):#line:230
+ if not isinstance (O0OO0O00OOO0O000O ,list ):#line:232
+ O0OO0O00OOO0O000O =[O0OO0O00OOO0O000O ]#line:233
+ O0OOOOOOO0O00O0O0 .echo (0xD4 )#line:235
+ O0OOOOOOO0O00O0O0 .echo (O00O0OOO00O0OO00O ,4 )#line:236
+ O0OOOOOOO0O00O0O0 .echo (len (O0OO0O00OOO0O000O ),4 )#line:237
+ O0OOOOOOO0O00O0O0 .check (O0OOOOOOO0O00O0O0 .dev .read (2 ),to_bytes (1 ,2 ))#line:239
+ for O0O0OO0OOOO0OO0O0 in O0OO0O00OOO0O000O :#line:241
+ O0OOOOOOO0O00O0O0 .echo (O0O0OO0OOOO0OO0O0 ,4 )#line:242
+ if check_status :#line:244
+ O0OOOOOOO0O00O0O0 .check (O0OOOOOOO0O00O0O0 .dev .read (2 ),to_bytes (1 ,2 ))#line:245
+ def get_target_config (OO0O000OO00O0OO0O ):#line:247
+ OO0O000OO00O0OO0O .echo (0xD8 )#line:248
+ O0OO0OO000OOOO000 =OO0O000OO00O0OO0O .dev .read (4 )#line:250
+ OOO000000O0O0OOO0 =OO0O000OO00O0OO0O .dev .read (2 )#line:251
+ if from_bytes (OOO000000O0O0OOO0 ,2 )!=0 :#line:253
+ raise RuntimeError ("status is {}".format (OOO000000O0O0OOO0 .hex ()))#line:254
+ O0OO0OO000OOOO000 =from_bytes (O0OO0OO000OOOO000 ,4 )#line:256
+ OOO0O0O0OO00O0O00 =O0OO0OO000OOOO000 &1 #line:258
+ OOOO00OOO00O0OO00 =O0OO0OO000OOOO000 &2 #line:259
+ O000OO000O000OOO0 =O0OO0OO000OOOO000 &4 #line:260
+ return bool (OOO0O0O0OO00O0O00 ),bool (OOOO00OOO00O0OO00 ),bool (O000OO000O000OOO0 )#line:263
+ def get_hw_code (OOO0OOO00000OOO0O ):#line:265
+ OOO0OOO00000OOO0O .echo (0xFD )#line:266
+ OOO0O00OOO0O00O0O =OOO0OOO00000OOO0O .dev .read (2 )#line:268
+ OOOO00O000O0O0000 =OOO0OOO00000OOO0O .dev .read (2 )#line:269
+ if from_bytes (OOOO00O000O0O0000 ,2 )!=0 :#line:271
+ raise RuntimeError ("status is {}".format (OOOO00O000O0O0000 .hex ()))#line:272
+ return from_bytes (OOO0O00OOO0O00O0O ,2 )#line:274
+ def get_hw_dict (OO0O00000O0O0O0O0 ):#line:276
+ OO0O00000O0O0O0O0 .echo (0xFC )#line:277
+ OO000O000O0OOO0O0 =OO0O00000O0O0O0O0 .dev .read (2 )#line:279
+ OOO0O0000OO0OO0O0 =OO0O00000O0O0O0O0 .dev .read (2 )#line:280
+ O0OOOOOO0OOOOOO0O =OO0O00000O0O0O0O0 .dev .read (2 )#line:281
+ OO00O00OO00O00000 =OO0O00000O0O0O0O0 .dev .read (2 )#line:282
+ if from_bytes (OO00O00OO00O00000 ,2 )!=0 :#line:284
+ raise RuntimeError ("status is {}".format (OO00O00OO00O00000 .hex ()))#line:285
+ return from_bytes (OO000O000O0OOO0O0 ,2 ),from_bytes (OOO0O0000OO0OO0O0 ,2 ),from_bytes (O0OOOOOO0OOOOOO0O ,2 )#line:287
+ def send_da (OO0000O000000O0OO ,O0O00OO0O0OOO00O0 ,OOOOOOOOO0OO000O0 ,OO000OO000000OOOO ,OOOO0OO00OO0O0OOO ):#line:289
+ OO0000O000000O0OO .echo (0xD7 )#line:290
+ OO0000O000000O0OO .echo (O0O00OO0O0OOO00O0 ,4 )#line:292
+ OO0000O000000O0OO .echo (OOOOOOOOO0OO000O0 ,4 )#line:293
+ OO0000O000000O0OO .echo (OO000OO000000OOOO ,4 )#line:294
+ O0OO0000OO00O0000 =OO0000O000000O0OO .dev .read (2 )#line:296
+ if from_bytes (O0OO0000OO00O0000 ,2 )!=0 :#line:298
+ raise RuntimeError ("status is {}".format (O0OO0000OO00O0000 .hex ()))#line:299
+ OO0000O000000O0OO .dev .write (OOOO0OO00OO0O0OOO )#line:301
+ OOOO0O00O0O0OOO0O =OO0000O000000O0OO .dev .read (2 )#line:303
+ O0OO0000OO00O0000 =OO0000O000000O0OO .dev .read (2 )#line:304
+ if from_bytes (O0OO0000OO00O0000 ,2 )!=0 :#line:306
+ raise RuntimeError ("status is {}".format (O0OO0000OO00O0000 .hex ()))#line:307
+ return from_bytes (OOOO0O00O0O0OOO0O ,2 )#line:309
+ def jump_da (O000OO0OOO00O00OO ,OO0O0O0OO0O0O00OO ):#line:311
+ O000OO0OOO00O00OO .echo (0xD5 )#line:312
+ O000OO0OOO00O00OO .echo (OO0O0O0OO0O0O00OO ,4 )#line:314
+ OO0O0O00OOOOO0OOO =O000OO0OOO00O00OO .dev .read (2 )#line:316
+ if from_bytes (OO0O0O00OOOOO0OOO ,2 )!=0 :#line:318
+ raise RuntimeError ("status is {}".format (OO0O0O00OOOOO0OOO .hex ()))#line:319
+ def cmd_da (O00O0OOOOO00000O0 ,O0O000O000OOOO00O ,OOOOOO00O0O0O00O0 ,O00O00OOOO0OOOO0O ,data =None ,check_status =True ):#line:321
+ O00O0OOOOO00000O0 .echo (0xDA )#line:322
+ O00O0OOOOO00000O0 .echo (O0O000O000OOOO00O ,4 )#line:324
+ O00O0OOOOO00000O0 .echo (OOOOOO00O0O0O00O0 ,4 )#line:325
+ O00O0OOOOO00000O0 .echo (O00O00OOOO0OOOO0O ,4 )#line:326
+ OOO000OOO0O0O00OO =O00O0OOOOO00000O0 .dev .read (2 )#line:328
+ if from_bytes (OOO000OOO0O0O00OO ,2 )!=0 :#line:330
+ raise RuntimeError ("status is {}".format (OOO000OOO0O0O00OO .hex ()))#line:331
+ if (O0O000O000OOOO00O &1 )==1 :#line:333
+ O00O0OOOOO00000O0 .dev .write (data )#line:334
+ else :#line:335
+ data =O00O0OOOOO00000O0 .dev .read (O00O00OOOO0OOOO0O )#line:336
+ if check_status :#line:338
+ OOO000OOO0O0O00OO =O00O0OOOOO00000O0 .dev .read (2 )#line:339
+ if from_bytes (OOO000OOO0O0O00OO ,2 )!=0 :#line:341
+ raise RuntimeError ("status is {}".format (OOO000OOO0O0O00OO .hex ()))#line:342
+ return data #line:344
diff --git a/OpenMico-Bypass/src/exploit.py b/OpenMico-Bypass/src/exploit.py
new file mode 100644
index 0000000..d9a01ce
--- /dev/null
+++ b/OpenMico-Bypass/src/exploit.py
@@ -0,0 +1,71 @@
+from src .common import to_bytes ,from_bytes #line:1
+from src .logger import log #line:2
+import usb #line:4
+import array #line:5
+def exploit (O0OOO0O00OO00O0OO ,O0O0OOOOO0OO00O0O ,O0OO0000OO0O00O00 ,OO00O0000O0000OO0 ):#line:8
+ def OO00O0O00000O000O (OO000OOOOOO0O00O0 ,O00OOOOOO0OOO0O0O ,check_result =True ):#line:10
+ return OO00OO0OOOOO00O0O (0 ,OO000OOOOOO0O00O0 ,O00OOOOOO0OOO0O0O ,None ,check_result )#line:11
+ def O0OOO00OOOO0O0O0O (O00000OOO00OOO00O ,O0O0OOO00OO000OOO ,O0OO000OO00O0O000 ,check_result =True ):#line:13
+ return OO00OO0OOOOO00O0O (1 ,O00000OOO00OOO00O ,O0O0OOO00OO000OOO ,O0OO000OO00O0O000 ,check_result )#line:14
+ def OO00OO0OOOOO00O0O (O00O0O0O0OO00O0OO ,OO0000OO000000O0O ,OOOOOO0OOOO0O00OO ,data =None ,check_result =True ):#line:16
+ try :#line:17
+ O0OOO0O00OO00O0OO .cmd_da (0 ,0 ,1 )#line:18
+ O0OOO0O00OO00O0OO .read32 (OOO000O0OO000000O )#line:19
+ except :#line:20
+ pass #line:21
+ for OO0000O0OO00O0OO0 in range (3 ):#line:23
+ O0O000O000OOO0OO0 .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OO0OO0O0O0O0OOOO0 +array .array ('B',to_bytes (O0O0OOOOO0OO00O0O .ptr_da +8 -3 +OO0000O0OO00O0OO0 ,4 ,'<')))#line:24
+ O0O000O000OOO0OO0 .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:25
+ if OO0000OO000000O0O <0x40 :#line:27
+ for OO0000O0OO00O0OO0 in range (4 ):#line:28
+ O0O000O000OOO0OO0 .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OO0OO0O0O0O0OOOO0 +array .array ('B',to_bytes (O0O0OOOOO0OO00O0O .ptr_da -6 +(4 -OO0000O0OO00O0OO0 ),4 ,'<')))#line:29
+ O0O000O000OOO0OO0 .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:30
+ return O0OOO0O00OO00O0OO .cmd_da (O00O0O0O0OO00O0OO ,OO0000OO000000O0O ,OOOOOO0OOOO0O00OO ,data ,check_result )#line:31
+ else :#line:32
+ for OO0000O0OO00O0OO0 in range (3 ):#line:33
+ O0O000O000OOO0OO0 .ctrl_transfer (0x21 ,0x20 ,0 ,0 ,OO0OO0O0O0O0OOOO0 +array .array ('B',to_bytes (O0O0OOOOO0OO00O0O .ptr_da -5 +(3 -OO0000O0OO00O0OO0 ),4 ,'<')))#line:34
+ O0O000O000OOO0OO0 .ctrl_transfer (0x80 ,0x6 ,0x0200 ,0 ,9 )#line:35
+ return O0OOO0O00OO00O0OO .cmd_da (O00O0O0O0OO00O0OO ,OO0000OO000000O0O -0x40 ,OOOOOO0OOOO0O00OO ,data ,check_result )#line:36
+ OOO000O0OO000000O =O0O0OOOOO0OO00O0O .watchdog_address +0x50 #line:39
+ if not O0O0OOOOO0OO00O0O .ptr_usbdl or OO00O0000O0000OO0 .kamakiri :#line:41
+ log ("Using kamakiri")#line:42
+ O0OOO0O00OO00O0OO .write32 (OOO000O0OO000000O ,from_bytes (to_bytes (O0O0OOOOO0OO00O0O .payload_address ,4 ),4 ,'<'))#line:43
+ if O0O0OOOOO0OO00O0O .var_0 :#line:44
+ O00O0O000O0OOOO00 =O0O0OOOOO0OO00O0O .var_0 +0x4 #line:45
+ O0OOO0O00OO00O0OO .read32 (OOO000O0OO000000O -O0O0OOOOO0OO00O0O .var_0 ,O00O0O000O0OOOO00 //4 )#line:46
+ else :#line:47
+ O0OO000OOOO00OO00 =15 #line:48
+ for O0000OOO0O000OOOO in range (O0OO000OOOO00OO00 ):#line:49
+ O0OOO0O00OO00O0OO .read32 (OOO000O0OO000000O -(O0OO000OOOO00OO00 -O0000OOO0O000OOOO )*4 ,O0OO000OOOO00OO00 -O0000OOO0O000OOOO +1 )#line:50
+ O0OOO0O00OO00O0OO .echo (0xE0 )#line:52
+ O0OOO0O00OO00O0OO .echo (len (O0OO0000OO0O00O00 ),4 )#line:54
+ OO00OOOOO00O0O000 =O0OOO0O00OO00O0OO .read (2 )#line:56
+ if from_bytes (OO00OOOOO00O0O000 ,2 )!=0 :#line:57
+ raise RuntimeError ("status is {}".format (OO00OOOOO00O0O000 .hex ()))#line:58
+ O0OOO0O00OO00O0OO .write (O0OO0000OO0O00O00 )#line:60
+ O0OOO0O00OO00O0OO .read (4 )#line:63
+ O0O000O000OOO0OO0 =O0OOO0O00OO00O0OO .udev #line:65
+ try :#line:67
+ if not O0O0OOOOO0OO00O0O .ptr_usbdl or OO00O0000O0000OO0 .kamakiri :#line:68
+ try :#line:69
+ O0O000O000OOO0OO0 ._ctx .managed_claim_interface =lambda *O0O0O00000OO0O000 ,**O0O00O0O0O00OO0OO :None #line:71
+ except AttributeError as O0000OOOO0O0O0O0O :#line:72
+ raise RuntimeError ("libusb is not installed for port {}".format (O0OOO0O00OO00O0OO .dev .port ))from O0000OOOO0O0O0O0O #line:73
+ O0O000O000OOO0OO0 .ctrl_transfer (0xA1 ,0 ,0 ,O0O0OOOOO0OO00O0O .var_1 ,0 )#line:74
+ else :#line:75
+ OO0OO0O0O0O0OOOO0 =O0O000O000OOO0OO0 .ctrl_transfer (0xA1 ,0x21 ,0 ,0 ,7 )+array .array ('B',[0 ])#line:76
+ O0O00OO00O00000O0 =from_bytes (OO00O0O00000O000O (O0O0OOOOO0OO00O0O .ptr_usbdl ,4 ),4 ,'<')+8 ;#line:77
+ O0OOO00OOOO0O0O0O (O0O0OOOOO0OO00O0O .payload_address ,len (O0OO0000OO0O00O00 ),O0OO0000OO0O00O00 )#line:78
+ O0OOO00OOOO0O0O0O (O0O00OO00O00000O0 ,4 ,to_bytes (O0O0OOOOO0OO00O0O .payload_address ,4 ,'<'),False )#line:79
+ except usb .core .USBError as O0000OOOO0O0O0O0O :#line:81
+ print (O0000OOOO0O0O0O0O )#line:82
+ try :#line:86
+ O0OOO0O00OO00O0OO .dev .timeout =1 #line:87
+ except Exception :#line:88
+ pass #line:89
+ try :#line:91
+ O0OOOOOO0O00O00O0 =O0OOO0O00OO00O0OO .read (4 )#line:92
+ except usb .core .USBError as O0000OOOO0O0O0O0O :#line:93
+ print (O0000OOOO0O0O0O0O )#line:94
+ return False #line:95
+ return O0OOOOOO0O00O00O0 #line:97
diff --git a/OpenMico-Bypass/src/logger.py b/OpenMico-Bypass/src/logger.py
new file mode 100644
index 0000000..847d713
--- /dev/null
+++ b/OpenMico-Bypass/src/logger.py
@@ -0,0 +1,6 @@
+import datetime #line:1
+def log (O0O000O0OO00OOO00 ):#line:4
+ O0O0000O00O0O0OOO ="[{}] {}".format (datetime .datetime .now (),O0O000O0OO00OOO00 )#line:5
+ print (O0O0000O00O0O0OOO )#line:6
+ with open ("bypass_utility.log","a")as O000O0O000O0OO0OO :#line:8
+ O000O0O000O0OO0OO .write (O0O0000O00O0O0OOO +"\n")#line:9
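Review bot: The `except usb.core.USBError` handler at `#line:81-82` only prints the error and falls through to the `read(4)` at `#line:92`, so a failed transfer is reported on stdout but the function still returns as if it had completed, and the second handler at `#line:93-95` returns `False` where every other path returns bytes, leaving callers with a mixed return type; both handlers should use the imported `log` instead of `print` so the failure reaches the log file, and the second should return `None` or re-raise, e.g. `raise RuntimeError("exploit failed") from e`. The bare `except:` at `#line:20` also catches `KeyboardInterrupt` and `SystemExit`; narrow it to `except Exception:`. The stray `;` at `#line:77` should be dropped. More broadly, the whole file is machine-obfuscated (identifiers drawn from `O`/`0` plus `#line:N` trailers), which makes the committed source unreviewable and impossible to diff against any readable upstream; the readable source should be committed, with any minification left to a build step.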
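Review bot: `open("bypass_utility.log", "a")` at `#line:8` relies on the platform default encoding and on a path relative to the current working directory, so the log file lands wherever the tool was launched from and a non-ASCII message can raise `UnicodeEncodeError` on platforms whose default encoding is not UTF-8; use `open("bypass_utility.log", "a", encoding="utf-8")` and consider anchoring the path next to the script. `datetime.datetime.now()` at `#line:5` produces a naive local timestamp; `datetime.datetime.now(datetime.timezone.utc).isoformat()` makes entries comparable across machines when logs are collected for later analysis.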