
Carbonara The MediaTek exploit nobody served#1839

Open
carlospolop wants to merge 1 commit into master from update_Carbonara__The_MediaTek_exploit_nobody_served_20260131_124552

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://shomy.is-a.dev/blog/article/serving-carbonara
  • Blog Title: Carbonara: The MediaTek exploit nobody served
  • Suggested Section: Hardware/Physical Access -> Firmware Analysis (or create a new page under Firmware Analysis / Mobile bootchain: "MediaTek XFlash/Download Agent (DA) exploitation - Carbonara two-BOOT_TO hash bypass + arbitrary write")

🎯 Content Summary

Overview

The post documents the (re)discovery and replication of a MediaTek exploit/technique the author calls Carbonara, observed in a paid GSM tool and reproduced as a working patch against mtkclient. The core abuse occurs during MediaTek’s XFlash protocol flow where DA1 (Download Agent stage 1) loads and verifies DA2 (stage 2) into DRAM before transferring execution. Car...

🔧 Technical Details

XFlash “two BOOT_TO” integrity-bypass trick (DA1→DA2 hash expectation overwrite): When a first-stage loader (DA1) enforces DA2 integrity by hashing the received DA2 and comparing it to an expected SHA-256 embedded in DA1, an attacker can still run a modified DA2 if they can patch DA1’s in-memory “expected hash” value. The practical pattern is: (1) issue BOOT_TO once to enter the DA1-driven staging flow, (2) send a crafted payload that locates the DA2-hash storage in DA1 memory and overwrites it with the SHA-256 of the attacker’s patched DA2, then (3) issue BOOT_TO again / provide the new hash so DA1 validates the patched DA2 against the patched expected hash and jumps into it.

Unchecked memory-write primitive via user-controlled DA2 load address/size on unpatched loaders: If the protocol allows the host to choose DA2’s load address and size without validation, the DA staging mechanism becomes an arbitrary memory write...

🤖 Agent Actions

Summary:

  • Added a dedicated page on the MediaTek XFlash “Carbonara” DA2 hash bypass, detailing the two-BOOT_TO flow, hash-slot overwrite primitive, arbitrary write risk, and a minimal mtkclient-style PoC snippet.
  • Linked the new Carbonara page from the Firmware Analysis README for discoverability.

Testing:

  • Not applicable (documentation-only changes).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
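Added example (not code from the blog post, from mtkclient, or from this PR's new page): a Python simulation of the two-BOOT_TO hash-expectation overwrite and of the unchecked load-address write that the Technical Details above describe. The memory map, the toy DA1 image layout and the `ToyDA1`, `boot_to`, `find_hash_slot` and `carbonara` names are constructed for the simulation and do not describe the real XFlash message format or any real MediaTek address.

```python
import hashlib

# Constructed memory map for the simulation; none of these are real MediaTek addresses.
DA1_BASE = 0x0000          # where the toy DA1 image lives
DA1_HASH_OFF = 64          # offset of the expected DA2 SHA-256 inside the toy DA1 image
DRAM_BASE = 0x1000         # window the host is supposed to stage DA2 into
DRAM_SIZE = 0x1000
MEM_SIZE = DRAM_BASE + DRAM_SIZE


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_toy_da1_image(genuine_da2: bytes) -> bytes:
    """Constructed DA1 binary: 64 bytes of filler 'code', the expected DA2 digest, more filler."""
    filler = b"\x00\xf0\x20\xe3" * 16
    assert len(filler) == DA1_HASH_OFF
    return filler + sha256(genuine_da2) + filler


class ToyDA1:
    """Simulated stage-1 loader: one flat address space holding the DA1 image and the
    DRAM staging window. boot_to() models the BOOT_TO step: the host picks the load
    address, DA1 copies the blob there, hashes it and only 'jumps' if the digest equals
    the expected hash embedded in its own image."""

    def __init__(self, da1_image: bytes, validate_load_range: bool):
        self.mem = bytearray(MEM_SIZE)
        self.mem[DA1_BASE:DA1_BASE + len(da1_image)] = da1_image
        self.validate_load_range = validate_load_range   # False models an unpatched loader
        self.jumped_to = None

    def _expected_hash(self) -> bytes:
        off = DA1_BASE + DA1_HASH_OFF
        return bytes(self.mem[off:off + 32])

    def boot_to(self, addr: int, blob: bytes) -> bool:
        end = addr + len(blob)
        if self.validate_load_range:
            # Hardened loader: host-chosen address/size must stay inside the DRAM window.
            if addr < DRAM_BASE or end > DRAM_BASE + DRAM_SIZE:
                return False
        elif end > MEM_SIZE:
            return False
        self.mem[addr:end] = blob                       # the write lands before any check
        if sha256(bytes(self.mem[addr:end])) != self._expected_hash():
            return False                                # digest mismatch: no jump
        self.jumped_to = addr
        return True


# Host side. The host holds the DA1 binary it sent, so it can find the hash slot
# offline in that file and add the load base instead of reading device memory.

def find_hash_slot(da1_image: bytes, genuine_da2: bytes) -> int:
    off = da1_image.find(sha256(genuine_da2))
    if off < 0:
        raise ValueError("expected DA2 digest not found in DA1 image")
    return DA1_BASE + off


def carbonara(da1: ToyDA1, da1_image: bytes, genuine_da2: bytes, patched_da2: bytes) -> bool:
    slot = find_hash_slot(da1_image, genuine_da2)
    # BOOT_TO 1: the 'DA2' is a 32-byte payload aimed at the hash slot. DA1 rejects it
    # (the digest of the payload is not the payload itself) but the overwrite has landed.
    da1.boot_to(slot, sha256(patched_da2))
    # BOOT_TO 2: the patched DA2 now hashes to exactly what DA1 expects.
    return da1.boot_to(DRAM_BASE, patched_da2)


if __name__ == "__main__":
    genuine = b"genuine DA2 code" * 8            # constructed stand-ins for DA2 binaries
    patched = genuine + b"\xde\xad\xbe\xef"
    image = build_toy_da1_image(genuine)
    print("unpatched loader jumps to patched DA2:",
          carbonara(ToyDA1(image, validate_load_range=False), image, genuine, patched))
    print("hardened loader jumps to patched DA2:",
          carbonara(ToyDA1(image, validate_load_range=True), image, genuine, patched))
```

In the unpatched toy the first BOOT_TO doubles as the arbitrary write: the host-chosen address is honoured before any integrity check, so it can land inside DA1's own image. With `validate_load_range=True` the same call is refused, the expected hash stays intact and the patched DA2 fails verification on the second BOOT_TO.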

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://shomy.is-a.dev/blog/article/serving-carbonara

Content Categories: Based on the analysis, this content was categorized under "Hardware/Physical Access -> Firmware Analysis (or create a new page under Firmware Analysis / Mobile bootchain: "MediaTek XFlash/Download Agent (DA) exploitation - Carbonara two-BOOT_TO hash bypass + arbitrary write")".

Repository Maintenance:

  • MD Files Formatting: 945 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0



1 participant