09:46 <f_> Okay. I went back to my bootROM decomp stuff and trying to see if I can make sense out of that "FEAT:....." thing in the UART logs

09:46 <f_> I think we have a way of telling if secureboot is enabled without even testing anything!

09:48 <f_> Obviously the meaning of that FEAT: thing is not mentioned anywhere in the S905X DS.. but we still have some clues in BL2 and the S905 gpl old bl2 source code

10:45 <f_> <...>

10:45 <f_> Authentication key not yet programmed

10:45 <f_> <...>

10:45 <f_> I wonder what that "Authentication key" actually is..hm

10:46 <f_> I saw this on lepotato and didn't put much thought into it, but now that I also see it on a device I know is secureboot-enabled .. now I'm curious.

18:12 <f_> Now I have some ideas for breaking secureboot.

18:14 <f_> In the bootROM dump I found the function responsible for image decryption.. Assuming the TV Stick is vulnerable to amlogic-usbdl, one could run bootROM functions.. so one could try to read the BL2, then decrypt it, and finally dump it to UART!

18:14 <f_> this is what's basically done over here: https://github.com/frederic/amlogic-usbdl/blob/main/payloads/s905d2/bl2dump_over_usb.c

18:14 <f_> Another thing I found: the auth_image function in S905D2 and in S905X are almost the same as well

18:15 <f_> 🙃

18:36 <lvrp16> o.0

18:36 <lvrp16> I think they patched the newer chips last time I spoke to them

18:41 <f_> lvrp16: What do you mean by the newer chips?

18:42 <f_> You mean some GXL's don't have the bug?

18:45 <f_> As I understand it, lepotato's S905X and MiTV Stick's S805Y bootROM are identical

19:25 <f_> Let's note that this USB vuln can be mitigated by uhh... password-protecting USB mode

19:27 <f_> Though something puzzling.. the blogpost only mentions S905D3, the CVE only mentions Google CCwGTV, google's android security bulletin thing is very vague..