chaosmaster/bypass_payloads

mt8167 payload - SEC_REG

Wh1terat opened this issue · 2 comments

Thanks for providing the payload source for mt8167; it has hopefully confirmed that I am not going crazy.

The function offsets match up with my bootrom, but I am not sure about sec_reg?

// Decompiler output. The word at skip_auth + 0xc acts as a gate: when it is
// non-zero the value stored at skip_auth + 0x14 is returned, otherwise 0.
int is_daa_passed(void)
{
  const int *gate = (const int *)(skip_auth + 0xc);
  if (*gate == 0) {
    return 0;
  }
  return *(undefined4 *)(skip_auth + 0x14);
}

skip_auth + 0xc = 0x7d34, which is a pointer to 0x10c54 (0x02000000)
skip_auth + 0x14 = 0x7d3c, which is a pointer to 0x118b8 (0x64651000) (pointer to 0x106564?)

Also (possibly because it's 01:30) I'm having a little trouble understanding:

    else if (mode==1)
    {
        fusebuffer[SEC_OFFSET/4] = 0x700; // 1026D4+0x40, << 0x1e < 0x0 (DAA),  & << 0x1f !=0 (SLA), << 0x1c < 0x0 (SBC)
        *((volatile uint32_t *)(SEC_REG + 2)) = 0xB;
        *SEC_REG2 = (volatile uint32_t *)&fusebuffer; // 1026D4, !=0 (SLA, SBC)
        *SEC_REG = (volatile uint32_t *)&fusebuffer; // 1026D4, !=0 (SLA, SBC)
    }

Why SEC_OFFSET/4?
Why is SEC_REG+2 set to 0xb?

Thanks

Bootrom attached.
bootrom16_05_8167.zip

OK, yeah — blaming my lack of sleep at the time.
Everything does check out.

// Decompiler output, retyped with int. Returns the word at skip_auth + 0x14
// only when the gate word at skip_auth + 0xc is non-zero; 0 otherwise.
int is_daa_passed(void)
{
  int result = 0;
  if (*(int *)(skip_auth + 0xc) != 0) {
    result = *(int *)(skip_auth + 0x14);
  }
  return result;
}

skip_auth = 00103400 + 0xC =

// Bootrom location that the decompiled is_daa_passed() reads as skip_auth + 0xc
// (skip_auth = 0x103400 per the post above).
volatile uint32_t **SEC_REG = (volatile uint32_t **) 0x10340C;
// Decompiler output (Ghidra). Starts from whatever FUN_00009668() returns and
// forces the result to 0 when either of the two overrides below fires. What a
// non-zero result means is not shown here; the payload comments on this page
// treat "!= 0" as SLA/SBC enforced — confirm against the bootrom.
int bit_is_sla(void)

{
  int iVar1;
  uint uVar2;
  
  iVar1 = FUN_00009668();   // unknown helper; presumably the raw SLA setting — TODO confirm
  uVar2 = is_daa_passed();
  if ((uVar2 & 1) != 0) {   // override 1: low bit of is_daa_passed() clears the result
    iVar1 = 0;
  }
  // override 2: PTR_DAT_00007d2c + 4 holds a pointer; when it is non-NULL and
  // bit 0 of the word at +0x28 in the pointed-to structure is set, the result
  // is cleared. The pointer is loaded twice (once per operand) rather than
  // cached in a local.
  if ((*(int *)(PTR_DAT_00007d2c + 4) != 0) &&
     ((*(uint *)(*(int *)(PTR_DAT_00007d2c + 4) + 0x28) & 1) != 0)) {
    iVar1 = 0;
  }
  return iVar1;
}

PTR_DAT_00007d2c = 0x001028e0 +4 =

// Bootrom location that the decompiled bit_is_sla() reads as PTR_DAT_00007d2c + 4
// (PTR_DAT_00007d2c = 0x001028e0 per the post above).
volatile uint32_t **SEC_REG2 = (volatile uint32_t **) 0x1028E4;
...
// Byte offset of the word that bit_is_sla() tests inside the structure reached
// through SEC_REG2 (the "+ 0x28" in the decompilation). The payload indexes
// fusebuffer in 32-bit words, hence fusebuffer[SEC_OFFSET/4] in the mode==1
// branch — presumably fusebuffer is a uint32_t array; confirm in the source.
volatile uint32_t SEC_OFFSET = 0x28;