dpt systems study and enhancement
Latest commit: f255dfd9b0 by HappyZ, 2018-11-20 20:04:29 -06:00: Merge pull request #5 from shankerzhiwu/patch-1 ("Do not make the same mistake as SONY")

Repository contents (with the last commit message for each entry):

  • extracted_apk: "can't believe I added this file.. now removing it" (2018-08-19 20:12:46 -07:00)
  • fw_updater_packer_unpacker: "Do not make the same mistake as SONY" (2018-11-21 09:18:35 +08:00)
  • python_api: "since we are on a different file system, need tweaks on linking files" (2018-11-20 19:53:25 -06:00)
  • systemimg_packer_unpacker: "add system img unpacker/packer" (2018-07-26 03:13:20 -07:00)
  • .gitignore: "adb can be enabled now with a replacement of boot.img" (2018-11-17 21:43:35 -06:00)
  • LICENSE: "add original boot.img and modded img md5" (2018-11-18 05:28:44 -06:00)
  • README.md: "Update README.md" (2018-11-19 10:45:04 -06:00)
  • batch_decode.sh: "interesting files to look at" (2018-08-19 19:54:25 -07:00)
  • dpt-tools.py: "added boot.img with adbd and corresponding private key" (2018-11-18 04:37:39 -06:00)

README.md

0x0 Welcome

We likely have some fun stuff here!

0x1 Special Thanks

Greatly thank

0x2 What does DPT stand for?

[cough cough] If you don't know what DPT is, you won't need this.

0x3 Tools

dpt-tools.py

NOTE: Use at your own risk. I have tested this on my MacBook. You need pip install httpsig pyserial if you don't have them already. It only runs on Python 3.

This is intended to be an interactive command-line shell that wraps processes such as updating a firmware pkg, obtaining diagnosis access, etc.

Prerequisites

To use the tool properly, you also need xxd. I expect the tool to work on Linux as well as Mac, but I have not tested it on Linux.

Validate the connection (normal boot)

python dpt-tools.py -id <deviceid file path> -k <your key file path> -ip <ip address>

Please refer to janten's dpt-rp1-py for how to obtain the deviceid and key files for your device.

You then enter the interactive shell mode. Press Ctrl+C to exit, or type exit or quit.

Obtain diagnosis access (normal boot)

In the interactive shell, type root and follow the instructions.

Update firmware from pkg file (normal boot)

In the interactive shell, type fw and follow the instructions.

Boot into diagnosis mode (after gaining diagnosis access)

python dpt-tools.py --diagnosis

Or, in the original interactive shell, type diagnosis. Then follow the instructions.

Obtain ADB and shell sudo access

In diagnosis mode, first back up your boot image with backup-bootimg. It backs up boot.img to /root/boot.img.bak on the device and also pulls the file to the local folder (the code directory). The pull takes about 20 min.

Note: you do not actually need to back it up if you already have the boot.img from firmware version 1.4.01.16100; if anything goes wrong, it can be restored from the boot.img in python_api/assets/.

Run restore-bootimg and follow the instructions to update the boot partition with python_api/assets/boot-1.4.01.16100-mod-happyz-181118.img. The upload takes about 15 min because of the serial port's limited bandwidth.

After the upload, the tool prints the MD5 of the uploaded file so that corruption can be detected. Compare it carefully with the MD5 shipped alongside the img. If they differ, do NOT restore: a corrupted boot image is guaranteed not to boot.

The tool then asks you to confirm; type yes only after you have verified the MD5.
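Comparing a 32-character hash by eye is exactly the step people get wrong, so it is worth doing the check mechanically. The following is an added example, not part of dpt-tools: it recomputes the MD5 of the image file and also parses the standard Android boot image header (the ANDROID! magic, the kernel/ramdisk/second sizes and the page size) to confirm that the file is a complete boot image of the length its own header claims. The sample image it builds is a constructed toy for the test, not a real DPT boot.img, and the script name check_bootimg.py is only a suggestion.

```python
"""check_bootimg.py: verify a boot.img's MD5 and header before pushing it.

Added example, not part of dpt-tools. Assumes the file uses the classic
Android boot image header (v0): magic "ANDROID!", eight uint32 fields,
header padded to page_size, then page-aligned kernel/ramdisk/second blobs.
"""
import hashlib
import struct
import sys

BOOT_MAGIC = b"ANDROID!"
# First 40 bytes of the v0 header: magic plus eight little-endian uint32 fields.
HEADER_FMT = "<8sIIIIIIII"
HEADER_FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
                 "second_size", "second_addr", "tags_addr", "page_size")


def parse_boot_header(img):
    """Return the header fields as a dict, or raise ValueError if not a boot image."""
    if len(img) < struct.calcsize(HEADER_FMT):
        raise ValueError("file too short for a boot image header")
    fields = struct.unpack_from(HEADER_FMT, img, 0)
    if fields[0] != BOOT_MAGIC:
        raise ValueError("bad magic %r (expected %r)" % (fields[0], BOOT_MAGIC))
    hdr = dict(zip(HEADER_FIELDS, fields[1:]))
    page = hdr["page_size"]
    if page == 0 or page & (page - 1):
        raise ValueError("page_size %d is not a power of two" % page)
    return hdr


def expected_image_size(hdr):
    """One header page plus each blob rounded up to whole pages."""
    page = hdr["page_size"]
    blobs = (hdr["kernel_size"], hdr["ramdisk_size"], hdr["second_size"])
    return page * (1 + sum((n + page - 1) // page for n in blobs))


def md5_hex(data):
    """MD5 as used by the restore-bootimg check (integrity only, not authenticity)."""
    return hashlib.md5(data).hexdigest()


def check_boot_image(img, expected_md5):
    """Return a list of problems; an empty list means the image is safe to push."""
    problems = []
    try:
        hdr = parse_boot_header(img)
    except ValueError as err:
        problems.append(str(err))
    else:
        need = expected_image_size(hdr)
        if len(img) < need:
            problems.append("truncated: header describes %d bytes, file has %d"
                            % (need, len(img)))
    actual = md5_hex(img)
    if actual != expected_md5.strip().lower():
        problems.append("md5 mismatch: got %s, expected %s" % (actual, expected_md5))
    return problems


def build_sample_image(page_size=2048):
    """Constructed toy image (NOT a real DPT boot.img): one-page kernel and ramdisk."""
    kernel = b"KERNEL".ljust(page_size, b"\0")
    ramdisk = b"RAMDISK".ljust(page_size, b"\0")
    header = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000,
                         len(ramdisk), 0x11000000, 0, 0x10F00000, 0x10000100,
                         page_size)
    return header.ljust(page_size, b"\0") + kernel + ramdisk


if __name__ == "__main__":
    # usage: python check_bootimg.py <boot.img> <expected md5 hex>
    data = open(sys.argv[1], "rb").read()
    found = check_boot_image(data, sys.argv[2])
    for problem in found:
        print("PROBLEM:", problem)
    print("OK to push" if not found else "do NOT restore this image")
    sys.exit(1 if found else 0)
```

Run it against python_api/assets/boot-1.4.01.16100-mod-happyz-181118.img with the MD5 shipped in the repository before you start the 15 min upload, and again on the pulled copy if you ever need to restore the backup. MD5 only detects accidental corruption; it says nothing about who produced the image.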

After success, type get-su-bin to enable sudo access in the shell.

Finally, type reboot & and close the tool with Ctrl+C, or by typing exit or quit.

If everything went right, the device boots up, and adb devices on your computer should list your DPT.

It may show up as unauthorized. Since I did not include a vulnerable adbd, key authentication is still enforced: I put a master public key on the DPT at /adb_keys. Use the matching private key, python_api/assets/adbkey, to authenticate. Keep in mind that this key pair is public in this repository, so anyone who can reach adbd on your device and has the repo can authenticate too; once you have root, replace /adb_keys with the public key of a key pair only you hold.

Then run adb shell and type su to verify that you have root access. You can now use adb install to install packages. However, all third-party apps appear with very small fonts.
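What actually sits in /adb_keys is one line per authorised host: a base64 blob in adbd's own RSA public key layout (modulus length in 32-bit words, the Montgomery constant n0inv, the modulus, R^2 mod n, and the exponent, all little-endian), followed by a space and a comment. The following is an added example, not part of dpt-tools, that produces and parses such a line; SAMPLE_N is a constructed odd 2048-bit integer used only so the example runs offline, not a real key, and the comment string is arbitrary. adb keygen already writes adbkey.pub in this format, so the encoder matters mainly when your key came from openssl, while the decoder lets you see exactly which modulus is currently trusted in /adb_keys.

```python
"""Encode and decode an Android /adb_keys entry (added example, not dpt-tools code).

Layout of the decoded blob (524 bytes, little-endian, as adbd expects it):
  uint32 words    = 64 (2048-bit modulus)
  uint32 n0inv    = -n^-1 mod 2^32
  uint32 n[64]    = modulus, least significant word first
  uint32 rr[64]   = R^2 mod n with R = 2^2048 (Montgomery precomputation)
  uint32 exponent = usually 65537
"""
import base64
import struct

WORDS = 64                                  # 2048 bits / 32-bit words
RADIX = 1 << (32 * WORDS)                   # Montgomery radix R = 2^2048
BLOB_LEN = 4 + 4 + 4 * WORDS + 4 * WORDS + 4  # 524 bytes


def _to_words(x):
    """Split x into WORDS little-endian 32-bit limbs."""
    return [(x >> (32 * i)) & 0xFFFFFFFF for i in range(WORDS)]


def _from_words(words):
    return sum(w << (32 * i) for i, w in enumerate(words))


def encode_adb_pubkey(n, e=65537, comment="user@host"):
    """Return the one-line adbkey.pub / /adb_keys form of the RSA public key (n, e)."""
    if n.bit_length() != 2048 or n % 2 == 0:
        raise ValueError("adbd expects an odd 2048-bit modulus")
    n0inv = (-pow(n, -1, 1 << 32)) % (1 << 32)   # -n^-1 mod 2^32 (n is odd, so it exists)
    rr = (RADIX * RADIX) % n                      # R^2 mod n
    blob = struct.pack("<II", WORDS, n0inv)
    blob += struct.pack("<%dI" % WORDS, *_to_words(n))
    blob += struct.pack("<%dI" % WORDS, *_to_words(rr))
    blob += struct.pack("<I", e)
    assert len(blob) == BLOB_LEN
    return base64.b64encode(blob).decode("ascii") + " " + comment


def decode_adb_pubkey(line):
    """Parse an /adb_keys line back to (n, e), verifying the Montgomery constants."""
    blob = base64.b64decode(line.split(" ", 1)[0])
    if len(blob) != BLOB_LEN:
        raise ValueError("unexpected key blob length %d" % len(blob))
    words, n0inv = struct.unpack_from("<II", blob, 0)
    if words != WORDS:
        raise ValueError("unsupported key size: %d words" % words)
    n = _from_words(struct.unpack_from("<%dI" % WORDS, blob, 8))
    rr = _from_words(struct.unpack_from("<%dI" % WORDS, blob, 8 + 4 * WORDS))
    e = struct.unpack_from("<I", blob, 8 + 8 * WORDS)[0]
    if (n * n0inv) % (1 << 32) != (1 << 32) - 1:
        raise ValueError("n0inv does not match the modulus")
    if rr != (RADIX * RADIX) % n:
        raise ValueError("rr does not match the modulus")
    return n, e


# Constructed placeholder modulus (top bit set, odd). NOT a real key.
SAMPLE_N = (1 << 2047) | (0xDEADBEEF << 1024) | 1

if __name__ == "__main__":
    line = encode_adb_pubkey(SAMPLE_N, comment="me@laptop")
    print(line)
    print("round trip ok:", decode_adb_pubkey(line) == (SAMPLE_N, 65537))
```

For a real key, take n from openssl rsa -in adbkey -noout -modulus (it prints Modulus=<hex>), pass int(hex, 16) to encode_adb_pubkey, and write the resulting line to /adb_keys from a root shell. Remove the repository's master key line at the same time, otherwise it remains trusted alongside yours.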

To-Do List

Development Roadmap

Now that we can enter diagnosis mode, thanks to shankerzhiwu and his/her friend, we can explore more things. The things I am interested in:

  • Enabling ADB in normal Android mode
  • Allowing self-signed pkg (fw package) to flash
  • System language and font mod
  • Third-party apps verification

Methods

  • Web interface hack
  • USB interface hack (shankerzhiwu and his/her friend at XDA did this! Great work!)
  • Build an update package and flash it (fails, as we cannot bypass pkg validation; but I can confirm that the current paid hacking method can, meaning they obtained the required private key from somewhere)
  • Web interface testmode (fails, as we have neither the auth nonce nor the required private key K_PRIV_DT)
  • Official app (fails, as firmware updates rely purely on the web interface API)

Donate

0xF Mission Impossible

Well, to bypass pkg validation, you could also try to factor the RSA modulus and derive the corresponding private key, once we actually have enough computing resources and time to do it lol:

```
> openssl rsa -pubin -in key.pub -modulus -text
Public-Key: (2048 bit)
Modulus:
    00:e0:b7:dd:45:af:91:99:14:ae:31:b8:84:38:f3:
    f1:a7:84:90:5b:9f:a3:2b:62:dd:64:26:60:d6:14:
    2d:81:e3:3d:e1:ba:96:51:10:0b:d9:b7:d3:ee:46:
    48:05:b6:f0:a6:c6:3d:2f:55:93:9e:f7:6c:15:1b:
    92:6c:c4:89:c1:c1:2f:8a:ad:7a:17:ff:08:83:d5:
    54:a8:2b:d9:25:00:41:c7:44:0c:e9:0c:d0:45:82:
    43:8a:49:63:09:8f:f3:ae:16:8c:0d:98:fe:fb:86:
    6e:95:1f:e2:b7:41:57:84:f6:98:b0:6f:76:4b:5e:
    5c:b5:2a:2a:80:12:40:91:08:da:e4:37:e0:17:5a:
    5b:46:16:0a:d8:c4:74:dc:0e:d7:bf:f0:a3:d4:d9:
    48:db:0b:46:27:79:4a:c2:48:8b:5a:61:18:37:8d:
    15:b0:bf:c9:64:6d:59:6f:6a:b9:6a:07:84:4a:01:
    f3:1d:8a:39:34:89:cd:67:6a:af:5c:ba:37:55:87:
    cc:be:60:f5:ec:a5:5a:c5:f6:21:48:9e:a6:e2:5c:
    a7:63:74:8b:dd:f8:cf:f8:0a:af:19:8e:ae:ec:a0:
    7c:44:27:c5:54:66:57:71:8d:59:d0:3d:51:e5:f5:
    ca:b0:89:a3:1a:4d:fe:ae:e1:65:30:90:b4:d6:1b:
    bd:29
Exponent: 65537 (0x10001)
```
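Brute-force factoring of a 2048-bit modulus is out of reach, but before giving up a practitioner would at least run the cheap checks that catch badly generated keys: trial division for small factors and Fermat's method, which recovers p and q almost instantly when the two primes are close together. The following is an added example, not part of dpt-tools: it parses the openssl modulus dump printed above into an integer and runs those checks on it, and, for contrast, on a constructed toy modulus (WEAK_N) built from two primes only 30 apart. The Sony modulus passes, which is the expected outcome for a properly generated key and is why "Mission Impossible" is an apt title.

```python
"""Cheap weak-key checks on an RSA public modulus (added example, not dpt-tools code).

SONY_MODULUS_HEX is the modulus from the openssl output on this page.
WEAK_N is a constructed toy modulus whose primes are close together.
"""
import math

SONY_MODULUS_HEX = """
    00:e0:b7:dd:45:af:91:99:14:ae:31:b8:84:38:f3:
    f1:a7:84:90:5b:9f:a3:2b:62:dd:64:26:60:d6:14:
    2d:81:e3:3d:e1:ba:96:51:10:0b:d9:b7:d3:ee:46:
    48:05:b6:f0:a6:c6:3d:2f:55:93:9e:f7:6c:15:1b:
    92:6c:c4:89:c1:c1:2f:8a:ad:7a:17:ff:08:83:d5:
    54:a8:2b:d9:25:00:41:c7:44:0c:e9:0c:d0:45:82:
    43:8a:49:63:09:8f:f3:ae:16:8c:0d:98:fe:fb:86:
    6e:95:1f:e2:b7:41:57:84:f6:98:b0:6f:76:4b:5e:
    5c:b5:2a:2a:80:12:40:91:08:da:e4:37:e0:17:5a:
    5b:46:16:0a:d8:c4:74:dc:0e:d7:bf:f0:a3:d4:d9:
    48:db:0b:46:27:79:4a:c2:48:8b:5a:61:18:37:8d:
    15:b0:bf:c9:64:6d:59:6f:6a:b9:6a:07:84:4a:01:
    f3:1d:8a:39:34:89:cd:67:6a:af:5c:ba:37:55:87:
    cc:be:60:f5:ec:a5:5a:c5:f6:21:48:9e:a6:e2:5c:
    a7:63:74:8b:dd:f8:cf:f8:0a:af:19:8e:ae:ec:a0:
    7c:44:27:c5:54:66:57:71:8d:59:d0:3d:51:e5:f5:
    ca:b0:89:a3:1a:4d:fe:ae:e1:65:30:90:b4:d6:1b:
    bd:29
"""


def parse_openssl_modulus(text):
    """Turn openssl's 'xx:xx:...' modulus dump (with its leading 00 byte) into an int."""
    return int("".join(text.split()).replace(":", ""), 16)


def small_factor(n, bound=1 << 16):
    """Trial division up to bound; a properly generated RSA modulus returns None."""
    if n % 2 == 0:
        return 2
    for d in range(3, bound, 2):
        if n % d == 0:
            return d
    return None


def fermat_factor(n, max_iter=10_000):
    """Fermat's method: n = a^2 - b^2 = (a-b)(a+b); fast only when |p - q| is small."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def key_report(n, e, fermat_iters=10_000):
    """Summarise the structural checks a reviewer would run before even thinking about factoring."""
    return {
        "bits": n.bit_length(),
        "odd": n % 2 == 1,
        "exponent_is_65537": e == 65537,
        "small_factor": small_factor(n),
        "fermat": fermat_factor(n, fermat_iters),
    }


# Constructed weak modulus: 1000003 and 1000033 differ by 30, so Fermat succeeds immediately.
WEAK_N = 1000003 * 1000033

if __name__ == "__main__":
    sony_n = parse_openssl_modulus(SONY_MODULUS_HEX)
    print("Sony key:", key_report(sony_n, 65537))
    print("Toy weak key:", key_report(WEAK_N, 65537))
```

If either check ever returned a factor for a vendor key, the private key would follow from d = e^-1 mod (p-1)(q-1); for this modulus neither does, so signing your own pkg this way stays a job for a quantum computer, not a laptop.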