Serve Carbonara #1558
Add preliminary Carbonara exploit support to mtkclient, supporting both XFlash and XML. Details on the exploit can be read on Penumbra documentation: https://shomy.is-a.dev/penumbra/Mediatek/Exploits/Carbonara from which the exploit has been ported from as well.
@shomykohai Adding this exploit will totally kill my running joke / easter egg hidden in my tool 8)

Yes, mtkclient is pretty outdated btw. I planned for so long to update the tool... guess that will happen soon.

@bkerler, I understand your concerns for not making it public before, but now that it is public, in my opinion it would be riskier still keeping it private than not (knowing how users would first try mtkclient before paid tools). No problem in case you won't merge my commit; as I said, it's just a preliminary implementation after all! Hope to see more development happening on mtkclient soon then. As for the V6 loader thing, I do not own a V6 device to try looking for this vulnerability (the only one I have has no public loader file available yet), but I am aware of it existing, as well as of some known tool having another exploit (not sure if it is the same, but at first glance I'd say yes). There's also a recently patched one (CVE-2025-20696) that seems to target V5 as well, so I'll try to get some info on that as well. Also, sorry for killing the joke ;P (I chose the PR title to stay on theme of course)

On V6 devices, having the official DA1 and Patch DAA's DA2 enables normal operation.

I believe CVE-2025-20696 refers to the Chimera tool executing the “SECURITY-SET-ALLINONE-SIGNATURE” command on Dimensity 9300 devices.

I believe Chimera exploits the “CMD:SECURITY-SET-ALLINONE-SIGNATURE” command to perform an out-of-bounds write. I’m no longer able to continue the analysis… Welcome to take on this challenge!

That CVE seems to target V5 devices as well, and I don't recall XFlash DAs implementing that CMD (I might be wrong though).
Guess it's time to finally study the V6 protocol in depth as well ;P

Oh, you're right. I was mistaken. This is limited to V6. Through my analysis, I found that this exploit works by triggering a buffer overflow in the XML parsing section of this command to overwrite memory. However, I haven't figured out how to reproduce it—I currently only know that it overwrites some command pointers. I tried this process on my device (MT6895), and after sending the payload, the device froze...

I got a vague idea of how this exploit works. Not gonna add too many details, but remember what I said in the PR description?
This exploit is... insane I'd say, and it seems to be in fact related to the same one @bkerler was talking about.

Just a reminder to keep this PR open. Still work in progress, expected around Dec 2025.

Is that giving any hope for bypassing V6 DAA-enabled devices, e.g. mt6789 (Infinix Hot 60 Pro)? I really hate how companies don't let you flash even their own "stock" firmware except through their customer service; you are not allowed to fix / unbrick your "own" device without "our" permission.

No, Carbonara only allows loading an arbitrary DA2.

Then unlock or flash after changing the DA?
    
Hi @bkerler!
I recently rediscovered the Carbonara exploit, and used the opportunity to make my own mtk tool: penumbra.
I used mtkclient and logs to study how the protocol works, as well as taking some of the implementations for crypto.
I made Carbonara public in my tool now, considering that the exploit was fixed a long time ago.
So, take this PR as a thank you gift as well I guess!
This PR adds preliminary support for the Carbonara exploit, supporting both XFlash and XML.

Details on the exploit can be read in the Penumbra documentation, from which the exploit has been ported as well.
As we know, the exploit has been patched on newer devices. From what I could confirm, devices released in 2024 and after are patched against Carbonara, but some are still vulnerable anyway (most likely, OEMs not pulling MediaTek patches in time).
Some devices I could confirm being vulnerable are:
Special thanks go to @R0rt1z2 for helping me with documenting the exploit, as well as understanding it better.
Some notes I would want to add on the fix for the exploit:
It seems like the fix not only stops you from overwriting the hash, but also removes the
cmd_boot_to commands completely from DA2, meaning that even if a new exploit is found, DA extensions won't be able to be loaded anymore the way it is currently done. Usually, when trying to add extensions on an unpatched DA2, the message "DA HASH MISMATCH" gets printed out, but on patched DAs, this log appears instead:
and I assume this is because it's failing on running the CMD, in fact.
Last side note: Since I ported the exploit from my tool (which is AGPL), I also relicensed the exploit for mtkclient to GPL v3, but kept my name in. In case that is an issue, let me know and I'll change the licensing in the PR.
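The two layers of the fix described in the PR notes (the stored DA2 hash can no longer be overwritten, and the boot_to command used for extension loading is gone from DA2) can be modelled as a small state machine. The block below is an added illustration written for this page; it is not mtkclient or Penumbra code and not MediaTek DA code. It assumes SHA-256 as the digest, uses constructed stand-in bytes for the DA2 image and the extension, and the class, method names and the "UNSUPPORTED COMMAND" / "NO DA2 RUNNING" strings are hypothetical. Only "DA HASH MISMATCH" and the boot_to command name are taken from the PR text.

```python
import hashlib

# Constructed sample data (not real firmware): a stand-in DA2 image and an
# extension blob that a tool would append to DA2 before loading it.
DA2_IMAGE = b"DA2-STAGE2:" + bytes(range(256)) * 2
DA_EXTENSION = b"DA-EXT:" + b"\xaa" * 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyDA:
    """Conceptual model of the checks the PR notes describe (hypothetical).

    The first stage keeps the expected digest of DA2 and refuses a DA2 whose
    digest differs ("DA HASH MISMATCH").  Extensions are then loaded through
    DA2's boot_to command.  The patched variant, as described in the PR,
    both blocks overwriting the stored digest and drops boot_to from DA2.
    SHA-256 and all method names are assumptions made for this example.
    """

    def __init__(self, genuine_da2: bytes, patched: bool):
        self.patched = patched
        self.expected_hash = sha256(genuine_da2)
        self.boot_to_available = not patched  # removed from DA2 by the fix
        self.loaded_da2 = None

    def overwrite_expected_hash(self, new_hash: bytes) -> bool:
        """Attacker primitive: replace the stored expected digest.

        On an unpatched stage this is what lets a modified DA2 pass; the fix
        closes it, so the patched model refuses the write.
        """
        if self.patched or len(new_hash) != 32:
            return False
        self.expected_hash = new_hash
        return True

    def load_da2(self, image: bytes) -> str:
        if sha256(image) != self.expected_hash:
            return "DA HASH MISMATCH"
        self.loaded_da2 = image
        return "OK"

    def boot_to(self, extension: bytes) -> str:
        """DA2-side boot_to; only meaningful once a DA2 is running."""
        if self.loaded_da2 is None:
            return "NO DA2 RUNNING"      # hypothetical wording
        if not self.boot_to_available:
            return "UNSUPPORTED COMMAND"  # hypothetical wording
        return "EXTENSION LOADED:%d" % len(extension)


def with_extension(image: bytes, ext: bytes) -> bytes:
    """Constructed: a modified DA2 image; any change breaks the digest."""
    return image + ext


def run_scenarios() -> dict:
    results = {}
    modified = with_extension(DA2_IMAGE, DA_EXTENSION)

    # 1. Unpatched stage, modified DA2, no exploit: the integrity check fires.
    da = ToyDA(DA2_IMAGE, patched=False)
    results["unpatched_plain"] = da.load_da2(modified)

    # 2. Unpatched stage: overwrite the stored digest with the digest of the
    #    modified image; the check passes and boot_to is still present.
    da = ToyDA(DA2_IMAGE, patched=False)
    results["unpatched_overwrite_allowed"] = da.overwrite_expected_hash(sha256(modified))
    results["unpatched_hash_overwrite"] = (da.load_da2(modified), da.boot_to(DA_EXTENSION))

    # 3. Patched stage: the digest cannot be overwritten, so a modified DA2
    #    still mismatches; and even the genuine DA2 no longer offers boot_to,
    #    which is why a new hash-overwrite primitive alone would not restore
    #    extension loading as currently done.
    da = ToyDA(DA2_IMAGE, patched=True)
    results["patched_overwrite_allowed"] = da.overwrite_expected_hash(sha256(modified))
    results["patched_modified"] = da.load_da2(modified)
    results["patched_genuine"] = da.load_da2(DA2_IMAGE)
    results["patched_genuine_boot_to"] = da.boot_to(DA_EXTENSION)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 2 is the only path where a modified DA2 both passes the digest check and can still reach boot_to; scenario 3 shows that on the patched model either layer alone is enough to stop the extension flow, so a future exploit would need a different loading route rather than just another way to rewrite the stored hash.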