Exploiting MediaTek's Download Agent
6 days ago
- #HeapExploitation
- #MediaTek
- #ReverseEngineering
- Chimera announced support for MediaTek’s Dimensity 9400 and 8400 SoCs, bypassing Carbonara patches.
- Discovered heapb8, a heap overflow in DA2’s USB file download handler, allowing arbitrary code execution on patched V6 devices.
- MediaTek’s Download Agents (DAs) handle USB communication and flashing; DA2 is the stage targeted for exploitation.
- Exploit development involved USB packet captures, UART logging, and reverse engineering Chimera’s techniques.
- Identified two vulnerabilities: XML expansion overflow (unexploitable) and USB overflow (exploitable).
- USB overflow allowed controlled heap corruption, leading to arbitrary code execution via DPC callback overwrite.
- Developed the hakujoudai payload, which repairs the heap corruption and adds custom commands for persistent control.
- MediaTek patched the vulnerabilities in 2025, addressing both the XML and USB overflow issues.
- The exploit was integrated into penumbra for generic use across devices.