konsgn has quit [Remote host closed the connection]
konsgn3 has joined #linux-amlogic
naoki has quit [Quit: naoki]
<f_>
adeepn: oh, thank you :)
<f_>
All this on the TV Stick wouldn't be possible without Frédéric's amazing work finding the USB vuln in the first place :)
<f_>
And me reversing BL2 and getting it booting on both gxbb and gxl SoCs wouldn't be possible without the kind people that sent me boards to play with
<f_>
Thank you all <3
<f_>
(and yes, I still want to get it booting on g12b/sm1!)
paulk-bis has quit [Quit: WeeChat 3.0]
paulk has joined #linux-amlogic
<Daanct12>
so now you can retrieve the keys on many amlogic boards and.. basically become the manufacturer?
<f_>
Daanct12: not exactly
<f_>
Usually there's still RSA on the way
<Daanct12>
hmm
<Daanct12>
so how do you even sideload the image
<f_>
you use the usbdl vulnerability
<Daanct12>
if you didn't exactly get the key
<f_>
Thanks to that vuln you can basically bypass all checks (yes, including @AML header checks) and jump directly to the payload
<f_>
ok, to summarise:
<Daanct12>
aaaaah, so basically it's like the nintendo switch?
<Daanct12>
like.. you can only bypass the bootrom's signature check
<f_>
this means I can load unsigned code via USB and bypass verification checks
<f_>
*however* this is not enough to bypass verification checks when booting from eMMC
<f_>
Thanks to secureboot (heh) everything fw-related on the eMMC is stored encrypted. However, thanks to that vuln I can simply write a payload that dumps the AES key and IV from the OTP
<f_>
and I did. I got the AES key xiaomi uses on their sticks
<Daanct12>
understood, basically it's the same way the nintendo switch bootrom exploit works
<f_>
However, an AES key is not enough for the bootROM to load whatever you want from eMMC, as the BL2 is signed with RSA
<Daanct12>
what level of RSA are we talking about
<f_>
I think xiaomi used rsa-1024
<f_>
According to the @KEY headers I found in my decrypted BL2 dump
<f_>
and also according to the UART:
<f_>
aml log : R1024 check pass!
<Daanct12>
mhmm
<Daanct12>
is RSA-1024 cracked yet
<f_>
¯\_(ツ)_/¯
<Daanct12>
i looked around but it's all mixed
<f_>
and tbh I don't care all that much
<Daanct12>
some say it is, some say it isn't, and microsoft dropped rsa-1024 support a year ago