R0rt1z2’s Dumpster
رفتن به کانال در Telegram
A dumpster for personal projects and random stuff some people might find interesting
نمایش بیشترکشور مشخص نشده استفناوری و برنامهها37 504
1 271
مشترکین
+124 ساعت
+47 روز
+730 روز
آرشیو پست ها
1 271
It's been a while since the last Penumbra update here, but 1.1.0 is now out!
Mostly internal improvements, cleanup, and a lot of bug fixes, but there's also some new stuff.
GPT parser was rewritten, BROM auth support was added, and there were updates across the DA/extensions side. There's also RPMB support (EMMC only for now) and USB logging.
CLI got a few new commands (
poke, rpmb, read-offset, write-offset, etc.) and some general improvements.
TUI is kinda broken right now due to the ongoing cleanup, so it's not included in this release, that'll be sorted in a future update.
As usual, most of the work was done by shomy. I just contributed here and there, along with others.
Full changelog + downloads: https://github.com/shomykohai/penumbra/releases/tag/v1.1.01 271
I wanted to post this earlier, but I hadn't had the chance to sit down and record a video about it.
I've been working on refactoring and improving amonet-fastbrick to make it as generic as possible, and I'm really happy with the results!
The exploit can now be used on any previously supported Echo, regardless of the FireOS version. This opens up a lot of possibilities for people who were stuck on unsupported firmware.
I've also added a new UI and switched to shomy's MMC driver, which, as you can see, reduced the exploit execution time from around 3 minutes to about 10 seconds (excluding the initial timeout).
Unfortunately, I'm not planning to make the source code public for obvious reasons, since Amazon would likely patch it immediately if I did. That said, I may release it at some point in the future (alongside with a writeup).
I've published the update in the corresponding XDA threads, so if you were previously stuck on an unsupported version, give it a try and feel free to share your feedback!
1 271
Due to Crecker's uncooperative attitude, the original (and not vibe‑coded (;) PoC is now open source. Go give it some love: https://github.com/halal-beef/houston-pub
1 271
This is not related to my projects, but I'd like to raise awareness since, in my opinion, this is a bit fucked up and a real shame for the reverse engineering community.
As some might know (or not), Umer (halal-beef) primarily, and others spent months reversing an Exynos iROM exploit that was originally discovered by a friend of mine (hello AA) (but was never made public).
I knew about the PoC because of the latter and even had coverage about it, so I can definitely speak about the research efforts made by Umer for months.
He actually posted about it on his (now gone) Telegram channel, and you could tell he knew what he was doing, nothing was fake.
Then this guy somehow got his hands on halal's PoC (someone leaked it to him), ran it through AI, "improved" it without actually knowing how it works, and started teasing it like it was his own achievement.
Naturally, he got called out for stealing stuff and not giving proper credit, and all he did was delete the chat where the evidence had been posted.
Not satisfied with that, he simply cried in DMs (instead of publicly addressing everyone who confronted him) to halal and even threatened to leak the thing.
You can see a more detailed story / proof here: https://t.me/uechats/3
The bug itself (
CVE-2024-56426) is public, already used in tools like Chimera and Sigmakey, and now he's threatening to report it to big companies, even though it's already been addressed.
Crecker, do better ;)1 271
I went ahead and extended support to the Nothing Phone 2A Plus (PacmanPro).
THIS IS ONLY FOR THE NOTHING PHONE 2A PLUS. FLASHING A PRELOADER FROM ANOTHER DEVICE WILL HARD-BRICK YOUR PHONE. PROCEED WITH EXTREME CAUTION.
Nothing has patched this vulnerability. READ CAREFULLY before attempting to use it on NothingOS 4, as it now requires additional steps and manual flashing.
This release adds support for the latest NothingOS 4 stable OTA/update:
Nothing/PacmanPro/PacmanPro:16/BP2A.250605.031.A3/2602252039:user/release-keys
For this to work, your bootloader MUST be unlocked, and you MUST flash the attached Preloader partition in addition to fenrir.
Like on the Nothing Phone 2A, Nothing failed to include the fix in the NOS 4 Preloader, so it is possible to downgrade Preloader and use fenrir with it.
I am not responsible for any damaged or bricked devices. You perform these actions at your own risk.
Installation
- Ensure your bootloader is unlocked and the device is updated to NothingOS 4 (stable).
- Reboot into bootloader mode (NOT fastbootd) using adb reboot bootloader, or hold Power + Volume Up to open the boot menu.
- Flash the Preloader to both slots:
fastboot flash preloader_a preloader_raw.img
fastboot flash preloader_b preloader_raw.img
- Flash fenrir to the LK partition on both slots:
fastboot flash lk_a pacman-fenrir.bin
fastboot flash lk_b pacman-fenrir.bin
- Reboot with fastboot reboot. A factory reset may be required.
Read more and download everything from the GitHub releases section:
https://github.com/R0rt1z2/fenrir/releases/tag/pacmanpro-v2.0
(thanks to @OmnusNight for testing and @TwistedVis518 for making me re-check whether PacmanPro was vulnerable.)1 271
Since Motorola patched the exploit, we decided to release a new version of the unlock tool.
This version !!!!!!! ONLY WORKS ON LINUX-BASED MACHINES !!!!!!!. If you use Windows, either stick to a locked bootloader or switch to an OS that actually works.
Seriously, Windows USB and driver stack is so fundamentally broken that supporting it isn't worth anyone's time. Do yourself a favor and install Linux.
This also adds support for the Motorola Moto E15. We'll probably release one for the Motorola Moto G06 and the Motorola Moto G17 in the future.
https://xdaforums.com/t/unlock-bootloader-motorola-motorola-g15-play-g05-e15-lamu-lamul-lamulg.4780735/
1 271
+1
Back in 2024 (before this channel existed) I released a writeup on how I exploited the 2014 Amazon Fire HD6, which has a MT8135 SoC.
Nobody had ever done this before and this SoC is very quirky. BROM USBDL mode is disabled, the Preloader is split into two parts, and only 3 devices in the world use this SoC.
I managed to do everything, even gain PL3 (ARMv7 equivalent of EL3) arbitrary code execution, but every attempt at dumping BROM at 0x0 returned a fake far jump instruction pointing to the Preloader entry instead of actual ROM data.
This pretty much had me stuck for almost 2 years and I eventually gave up.
Turns out the Preloader powers down the Boot ROM after boot by setting a bit in
SRAMROM_SEC_CTRL, which makes the bus interface return a generated jump instead of real ROM contents.
.. one bit flip later, the full BROM dumped cleanly :D
https://github.com/Zenofex/SoC-BootROMs/pull/23
(I know this is useful to pretty much nobody, but it feels like a trophy to me.)1 271
MediaTek DA2 exploit: heapb8
After weeks of reverse engineering and countless hours of debugging, shomy and I finally cracked the DA2 V6 exploit everyone's been talking about!
We decided to call it heapb8 ("heapbait"), because Chimera baited us into chasing the wrong vulnerability for way too long.
Full writeup with all the technical details: https://blog.r0rt1z2.com/posts/exploiting-mediatek-datwo/
Code is live in penumbra. Have fun!
1 271
+1
I actually managed to create something useful out of what I was experimenting with back then.
It’s probably not as cool as fenrir to most people (since, sadly, most people nowadays are only interested in "passing Play Integrity"), but it’s still useful for what shomy and I have been working on lately.
This is a tiny PoC / payload that, in the hackiest way possible, exposes an insecure Preloader port that you can connect to using tools like penumbra or MTKClient.
It’s a replacement for
bl2_ext. At the moment, it disables all Preloader security checks and then jumps back to the handshake handler so you can connect to it with these tools.
This will brick your device (literally, read the README), and you most likely don’t need it as a regular user so be careful.1 271
Not tech-related, but here’s a picture channel that a few others and I run, in case anyone here is interested in photography. It’s not professional photography, but you can still find some nice wallpapers :)
https://t.me/gsmc_pics
1 271
The 2nd Generation Echo Show 5 (2021), "cronos", joins the party!
Special thanks to @fieryflames, @J0SH1X and @gilderchuck for all the testing and support!
Have fun and happy hacking!
https://xdaforums.com/t/unlock-root-twrp-unbrick-amazon-echo-show-5-2nd-gen-2021-cronos.4772596/
LineageOS is also available at: https://xdaforums.com/t/rom-unofficial-11-cronos-lineageos-18-1-for-the-amazon-echo-show-5-2021.4772598/
1 271
I really wonder whether the Lab126 employee who developed the Echo Dot firmware and “backported” A/B got fired.
If the device fails to boot properly three times in a row (for example, due to a bad boot image or a bad recovery image), it will brick itself and refuse to go past the Preloader.
At that point, you’re forced to open it and short the eMMC data lines to access BROM and reset the BCB boot counter.
This isn’t really meant to be an informative post, more of a rant, because I just got absolutely owned by this piece of code that someone thought was a good idea to include.
1 271
+3
Nothing has patched fenrir with the latest NOS 4 stable OTA update, but it’s still possible to use it because they left the fix out of the NOS 4 beta.
As a result, you need to mix the beta Preloader with the stable LK for it to work on NothingOS 4.
This release supports the latest NothingOS 4 stable OTA/update:
Nothing/Pacman/Pacman:16/BP2A.250605.031.A3/2511201747:user/release-keys
As usual, to make this work, your bootloader must be unlocked, and you must flash the included Preloader along with fenrir.
No issues have been observed when combining the beta Preloader with the stable LK.
THIS IS ONLY FOR THE NOTHING PHONE 2A.
Flashing a Preloader from any other device will hard-brick the phone. Proceed with extreme caution.
You are responsible for anything that happens to your device.
Installation
- Ensure the bootloader is unlocked and the device is already on NothingOS 4 (stable).
- Reboot into bootloader mode (not fastbootd) using adb reboot bootloader or Power + Volume Up.
- Flash the Preloader to your active slot (example uses slot a):
fastboot flash preloader_a preloader_raw.img
- Flash fenrir to LK:
fastboot flash lk pacman-fenrir.bin
- Reboot with fastboot reboot. A factory reset may be required.
Read more and download everything from the GitHub releases section: https://github.com/R0rt1z2/fenrir/releases/tag/pacman-v2.01 271
It's been a while since kaeru was first released, and it's come pretty far from those early days. Lots of improvements and changes have been made over time.
The recent stage1 work by shomy (thank you!!) was the final push I needed to bump this to a major version. Feels good to hit 2.0 (I should've probably bumped this before, but oh well), the project has definitely matured quite a bit :)
This update adds a new and more reliable way to inject and load kaeru, especially on devices with legacy LKs where size constraints were usually the main blocker.
https://github.com/R0rt1z2/kaeru/commit/b55079e2d75c56fcf38ae6538dfb8bac6374e389
1 271
I don’t usually post stuff like this here (and I don’t plan to make a habit of it), but this really baffles me.
It blows my mind that people like this exist, supposedly 20 years old, same age as me, and still manage to say things so confidently wrong. Every time I think I’ve seen the peak of human stupidity, someone like this comes along and raises the bar even higher (i’m not even going to get into the earlier part, where this guy made a Telegram poll that’s apparently going to force Samsung to bring back bootloader unlocking).
Just to be clear: unlocking Amazon devices is no joke. Honestly, credit where it’s due, the Lab126 engineers did a damn good job with security. If it weren’t for SoC-specific exploits, these things would be completely locked down.
1 271
The 1st Generation Echo Show 8 (2019),"crown", joins the party!
The unlock process is the same as the Echo Show 5.
Special thanks to @fieryflames for all the testing and support, and to @TheVancedGamer and @bengris32 for figuring out how to properly reset the display.
Have fun and happy hacking!
https://xdaforums.com/t/unlock-root-twrp-unbrick-amazon-echo-show-8-1st-gen-2019-crown.4766687/
1 271
Dropping this here as well, might be of interest to anyone with this phone ;)
https://xdaforums.com/t/unlock-motorola-moto-g05-g15-lamu.4763522
1 271
+2
Following up on the Echo Spot release, we now have a LineageOS 18.1 (developed by bengris32 as well) build for the Echo Show 5 (2019, 1st Gen). It’s still considered experimental, but it’s already in a pretty usable state.
Core functionality is there, Audio (choppy), Wi-Fi, Bluetooth, and OMX all work.
Just like the rook build, this one is based on Android Pie blobs and a 4.9 kernel.
If you’re planning to give it a try, make sure you update amonet to the latest version, since TWRP needs a symlink fix to be able to flash it properly.
For all the details, updates, and downloads, check out the XDA thread here:
https://xdaforums.com/t/rom-unofficial-11-checkers-lineageos-18-1-for-the-amazon-echo-show-5-2019.4763475/
1 271
+1
Today's my birthday.. and I wanna share my gift with you :P
After a few weeks of work, I’m proud to present a bootloader unlock for the first‑generation Echo Show 5 (2019). It’s fully software‑driven (as long as your unit isn’t bricked) and uses a new exploit based on amonet.
Huge thanks to @AntiEngineer, as always, this wouldn’t have been possible without his hardware work.
Also thanks to Joel for finding the exploit I built on, I extended it into a one‑command unlock that runs through fastboot and allows people to unlock their units even if BROM USBDL is disabled!
Please read the instructions carefully. A single mistake can cause a permanent (hard) brick. I accept no responsibility for any damage to your device.
Have fun and happy hacking!
https://xdaforums.com/t/unlock-root-twrp-unbrick-amazon-echo-show-5-1st-gen-2019-checkers.4762900/
اکنون در دسترس! پژوهش تلگرام ۲۰۲۵ — مهمترین بینشهای سال 
