Add mt6752 support

bkerler · Jun 27, 2023 · 3e696d4 · 3e696d4
1 parent 416eba8
commit 3e696d4
Show file tree

Hide file tree

Showing 14 changed files with 60 additions and 10 deletions.
diff --git a/mtkclient/Library/hwcrypto.py b/mtkclient/Library/hwcrypto.py
@@ -73,7 +73,18 @@ def aes_hwcrypt(self, data=b"", iv=None, encrypt=True, otp=None, mode="cbc", bty
  if mode == "cbc":
  return self.sej.hw_aes128_cbc_encrypt(buf=data, encrypt=False)
  elif mode == "sst":
- return self.sej.SST_Secure_Algo_With_Level(buf=data, encrypt=False)
+ #return self.sej.SST_Secure_Algo_With_Level(buf=data, encrypt=False)
+ data2=self.sej.generate_hw_meta(encrypt=False,data=data)
+ CustomSeed = bytes.fromhex(
+ "00be13bb95e218b53d07a089cb935255294f70d4088f3930350bc636cc49c9025ece7a62c292853ef55b23a6ef7b7464c7f3f2a74ae919416d6b4d9c1d6809655dd82d43d65999cf041a386e1c0f1e58849d8ed09ef07e6a9f0d7d3b8dad6cbae4668a2fd53776c3d26f88b0bf617c8112b8b1a871d322d9513491e07396e1638090055f4b8b9aa2f4ec24ebaeb917e81f468783ea771b278614cd5779a3ca50df5cc5af0edc332e2b69b2b42154bcfffd0af13ce5a467abb7fb107fe794f928da44b6db7215aa53bd0398e3403126fad1f7de2a56edfe474c5a06f8dd9bc0b3422c45a9a132e64e48fcacf63f787560c4c89701d7c125118c20a5ee820c3a16")
+ seed = (CustomSeed[2] << 16) | (CustomSeed[1] << 8) | CustomSeed[0] | (CustomSeed[3] << 24)
+ iv = [seed, (~seed) & 0xFFFFFFFF, (((seed >> 16) | (seed << 16)) & 0xFFFFFFFF),
+ (~((seed >> 16) | (seed << 16)) & 0xFFFFFFFF)]
+ data4=self.sej.hw_aes128_cbc_encrypt(buf=data,encrypt=False,iv=iv)
+ data3=self.sej.SST_Secure_Algo_With_Level(buf=data, encrypt=False)
+ print(data2.hex())
+ print(data3.hex())
+ sys.stdout.flush()
  if mode == "rpmb":
  return self.sej.generate_rpmb(meid=data, otp=otp)
  elif mode == "mtee":

diff --git a/mtkclient/Library/hwcrypto_sej.py b/mtkclient/Library/hwcrypto_sej.py
@@ -438,7 +438,7 @@ def SST_Secure_Algo_With_Level(self, buf, encrypt=True, aes_top_legacy=True):
  self.SEJ_AES_HW_Init(attr, key, sej_param)
  for pos in range(3):
  src = b"".join([int.to_bytes(val,4,'little') for val in self.g_CFG_RANDOM_PATTERN])
- buf2 = self.SEJ_AES_HW_Internal(src, encrypt=False, attr=attr, sej_param=sej_param)
+ buf2 = self.SEJ_AES_HW_Internal(src, encrypt=True, attr=attr, sej_param=sej_param)
  attr = attr & 0xFFFFFFFA | 4
  self.SEJ_AES_HW_Init(attr, key, sej_param)
  buf2 = self.SEJ_AES_HW_Internal(buf, encrypt=encrypt, attr=attr, sej_param=sej_param)
@@ -728,4 +728,12 @@ def generate_hw_meta(self, otp=None, encrypt=False, data=b""):
  dec = self.SEJ_Run(data)
  self.info("HACC terminate")
  self.SEJ_Terminate()
- return dec
+ return dec
+
+
+if __name__ == "__main__":
+ CustomSeed = int.to_bytes(0x12345678,4,'little')
+ seed = (CustomSeed[2] << 16) | (CustomSeed[1] << 8) | CustomSeed[0] | (CustomSeed[3] << 24)
+ iv = [seed, (~seed) & 0xFFFFFFFF, (((seed >> 16) | (seed << 16)) & 0xFFFFFFFF),
+ (~((seed >> 16) | (seed << 16)) & 0xFFFFFFFF)]
+ print(b"".join(int.to_bytes(val,4,'little') for val in iv).hex())
diff --git a/mtkclient/Library/xflash_ext.py b/mtkclient/Library/xflash_ext.py
@@ -583,8 +583,9 @@ def generate_keys(self):
  cid = self.config.get_cid()
  otp = self.config.get_otp()
  retval = {}
- #data=hwc.aes_hwcrypt(data=bytes.fromhex("F6 25 25 AD 0C A4 3A AA CC EF 93 1F 2D C2 A3 EE"), mode="sst", btype="sej",
- # encrypt=True)
+ #data=hwc.aes_hwcrypt(data=bytes.fromhex("F2 97 D2 2C 29 05 26 6B 75 0D 2C DA AE 6B 95 A5 99 0B 8A 58 7F EC 01 1A 99 A5 1F 40 25 C3 24 96 84 2D ED 71 BD 4D 7E CD D3 2A 6C DF B5 59 41 04 64 9C 09 4A D6 65 03 89 14 C3 2F A7 18 87 41 13"), mode="sst", btype="sej",
+ # encrypt=False)
+ #self.info(data.hex())
  if meid is not None:
  self.info("MEID : " + hexlify(meid).decode('utf-8'))
  retval["meid"] = hexlify(meid).decode('utf-8')

diff --git a/mtkclient/config/brom_config.py b/mtkclient/config/brom_config.py
@@ -742,7 +742,8 @@ def __init__(self, var1=None, watchdog=None, uart=None, brom_payload_addr=None,
  damode=damodes.XFLASH,
  dacode=0x6755,
  name="MT6750"),
- 0x6752: chipconfig( # var1
+ 0x6752: chipconfig(
+ var1=0x28,
  watchdog=0x10007000,
  uart=0x11002000,
  brom_payload_addr=0x100A00,
@@ -753,11 +754,20 @@ def __init__(self, var1=None, watchdog=None, uart=None, brom_payload_addr=None,
  # no dxcc
  cqdma_base=0x10212C00,
  ap_dma_mem=0x11000000 + 0x1A0, # AP_DMA_I2C_0_RX_MEM_ADDR
- # blacklist
+ blacklist=[(0x00102764, 0x0), (0x00105704, 0x0)],
+ blacklist_count=0x00000008,
+ send_ptr=(0x1027a4,0x990c),
+ ctrl_buffer=0x00103060,
+ cmd_handler=0x0000A493,
+ brom_register_access=(0x9be0,0x9da8),
  efuse_addr=0x10206000,
- damode=damodes.DEFAULT, #
+ meid_addr=0x1030B4,
+ #no socid
+ damode=damodes.DEFAULT,
  dacode=0x6752,
- name="MT6752"),
+ #misc_lock=0x10001838,
+ name="MT6752",
+ loader="mt6752_payload.bin"),
  0x337: chipconfig(
  var1=0x28, # confirmed
  watchdog=0x10212000,

diff --git a/mtkclient/payloads/generic_dump_payload.bin b/mtkclient/payloads/generic_dump_payload.bin
diff --git a/mtkclient/payloads/generic_patcher_payload.bin b/mtkclient/payloads/generic_patcher_payload.bin
diff --git a/mtkclient/payloads/generic_preloader_dump_payload.bin b/mtkclient/payloads/generic_preloader_dump_payload.bin
diff --git a/mtkclient/payloads/generic_sram_payload.bin b/mtkclient/payloads/generic_sram_payload.bin
diff --git a/mtkclient/payloads/generic_stage1_payload.bin b/mtkclient/payloads/generic_stage1_payload.bin
diff --git a/mtkclient/payloads/generic_uart_dump_payload.bin b/mtkclient/payloads/generic_uart_dump_payload.bin
diff --git a/mtkclient/payloads/mt6752_payload.bin b/mtkclient/payloads/mt6752_payload.bin
diff --git a/mtkclient/payloads/mt8695_payload.bin b/mtkclient/payloads/mt8695_payload.bin
diff --git a/mtkclient/src/stage1/Makefile b/mtkclient/src/stage1/Makefile
@@ -13,7 +13,7 @@ endif
 VPATH := targets common generic
 DSTPATH := ../../payloads
 
-SOCS := mt2601 mt6261 mt6572 mt6580 mt6582 mt6592 mt6595 mt6735 mt6737 mt6739 mt6753 mt6755 mt6757 mt6758 mt6761 mt6763 mt6765 mt6768 mt6771 mt6779 mt6781 mt6785 mt6795 mt6797 mt6799 mt6833 mt6853 mt6873 mt6877 mt6885 mt6893 mt8127 mt8163 mt8167 mt8168 mt8173 mt8176 mt8512 mt8590 mt8695 generic_dump generic_reboot generic_uart_dump generic_patcher generic_loader generic_preloader_dump generic_stage1 generic_sram
+SOCS := mt2601 mt6261 mt6572 mt6580 mt6582 mt6592 mt6595 mt6735 mt6737 mt6739 mt6752 mt6753 mt6755 mt6757 mt6758 mt6761 mt6763 mt6765 mt6768 mt6771 mt6779 mt6781 mt6785 mt6795 mt6797 mt6799 mt6833 mt6853 mt6873 mt6877 mt6885 mt6893 mt8127 mt8163 mt8167 mt8168 mt8173 mt8176 mt8512 mt8590 mt8695 generic_dump generic_reboot generic_uart_dump generic_patcher generic_loader generic_preloader_dump generic_stage1 generic_sram
 PAYLOADS := $(SOCS:%=$(DSTPATH)/%_payload.bin)
 
 CFLAGS := -std=gnu99 -Os -mthumb -mcpu=cortex-a9 -fno-builtin-printf -fno-strict-aliasing -fno-builtin-memcpy -fPIE -mno-unaligned-access -Wall -Wextra

diff --git a/mtkclient/src/stage1/targets/mt6752.h b/mtkclient/src/stage1/targets/mt6752.h
@@ -0,0 +1,20 @@
+
+#include <inttypes.h>
+#define PAYLOAD_2_0 
+char SOC_NAME[] = "mt6752";
+
+void (*send_usb_response)(int, int, int) = (void*)0x450f;
+int (*(*usbdl_ptr))() = (void*)0x990c;
+
+const int mode=0;
+volatile uint32_t **SEC_REG=(volatile uint32_t **)0x1026d8;
+volatile uint32_t **SEC_REG2=(volatile uint32_t **)0x0;
+volatile uint32_t SEC_OFFSET=0x40;
+volatile uint32_t *bladdr=(volatile uint32_t *)0x102764;
+volatile uint32_t *bladdr2=(volatile uint32_t *)0x105704;
+volatile uint32_t *uart_reg0 = (volatile uint32_t*)0x11002014;
+volatile uint32_t *uart_reg1 = (volatile uint32_t*)0x11002000;
+
+int (*cmd_handler)() = (void*)0xa493;
+
+