{"id":19512087,"url":"https://github.com/nccgroup/mtk_bp","last_synced_at":"2025-04-26T04:31:07.587Z","repository":{"id":238726621,"uuid":"795212999","full_name":"nccgroup/mtk_bp","owner":"nccgroup","description":"MediaTek BP firmware tools","archived":false,"fork":false,"pushed_at":"2024-05-30T20:51:37.000Z","size":30,"stargazers_count":54,"open_issues_count":0,"forks_count":12,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-04T07:51:10.572Z","etag":null,"topics":["baseband","mediatek","reverse-engineering"],"latest_commit_sha":null,"homepage":"https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-02T20:05:49.000Z","updated_at":"2025-03-26T12:52:57.000Z","dependencies_parsed_at":"2024-05-21T05:29:42.551Z","dependency_job_id":"9f65d5f8-59ea-43f8-8eb6-4d54e0f7913a","html_url":"https://github.com/nccgroup/mtk_bp","commit_stats":null,"previous_names":["nccgroup/mtk_bp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fmtk_bp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fmtk_bp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fmtk_bp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fmtk_bp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/nccgroup/mtk_bp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250931004,"owners_count":21509796,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["baseband","mediatek","reverse-engineering"],"created_at":"2024-11-10T23:24:09.683Z","updated_at":"2025-04-26T04:31:07.281Z","avatar_url":"https://github.com/nccgroup.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MediaTek BP firmware tools\n\nFile formats are defined with [Kaitai](https://kaitai.io/). Files can be interactively explored with the [Kaitai IDE](https://ide.kaitai.io/) using the `ksy` files.\n\nUsing [`XT2205-1_TESLA_TMO_12_S2STS32.71-118-4-2-6-3_subsidy-TMO_UNI_RSU_QCOM_regulatory-DEFAULT_cid50_CFC.xml.zip`](https://mirrors.lolinet.com/firmware/lenomola/tesla/official/TMO/XT2205-1_TESLA_TMO_12_S2STS32.71-118-4-2-6-3_subsidy-TMO_UNI_RSU_QCOM_regulatory-DEFAULT_cid50_CFC.xml.zip) from\n\u003chttps://mirrors.lolinet.com/firmware/lenomola/tesla/official/TMO/\u003e as an example:\n\n## Firmware image\n\nExtract contents of `md1img.img`:\n\n```\n$ ./md1_extract.py ../XT2205-1_TESLA_TMO_12_S2STS32.71-118-4-2-6-3_subsidy-TMO_UNI_RSU_QCOM_regulatory-DEFAULT_cid50_CFC/md1img.img --outdir ./md1img_out/\nextracting files to: ./md1img_out\nmd1rom: addr=0x00000000, size=43084864\n        extracted to 000_md1rom\ncert1md: addr=0x12345678, size=1781\n        extracted to 001_cert1md\ncert2: addr=0x12345678, size=988\n        extracted to 002_cert2\nmd1drdi: addr=0x00000000, size=12289536\n        extracted to 003_md1drdi\ncert1md: addr=0x12345678, size=1781\n        extracted to 004_cert1md\ncert2: addr=0x12345678, size=988\n        extracted to 005_cert2\nmd1dsp: addr=0x00000000, size=6776460\n        extracted to 006_md1dsp\ncert1md: addr=0x12345678, size=1781\n        extracted to 007_cert1md\ncert2: addr=0x12345678, size=988\n        extracted to 008_cert2\nmd1_filter: addr=0xffffffff, size=300\n        extracted to 009_md1_filter\nmd1_filter_PLS_PS_ONLY: addr=0xffffffff, size=300\n        extracted to 010_md1_filter_PLS_PS_ONLY\nmd1_filter_1_Moderate: addr=0xffffffff, size=300\n        extracted to 011_md1_filter_1_Moderate\nmd1_filter_2_Standard: addr=0xffffffff, size=300\n        extracted to 012_md1_filter_2_Standard\nmd1_filter_3_Slim: addr=0xffffffff, size=300\n        extracted to 013_md1_filter_3_Slim\nmd1_filter_4_UltraSlim: addr=0xffffffff, size=300\n        extracted to 014_md1_filter_4_UltraSlim\nmd1_filter_LowPowerMonitor: addr=0xffffffff, size=300\n        extracted to 015_md1_filter_LowPowerMonitor\nmd1_emfilter: addr=0xffffffff, size=2252\n        extracted to 016_md1_emfilter\nmd1_dbginfodsp: addr=0xffffffff, size=1635062\n        extracted to 017_md1_dbginfodsp\nmd1_dbginfo: addr=0xffffffff, size=1332720\n        extracted to 018_md1_dbginfo\nmd1_mddbmeta: addr=0xffffffff, size=899538\n        extracted to 019_md1_mddbmeta\nmd1_mddbmetaodb: addr=0xffffffff, size=562654\n        extracted to 020_md1_mddbmetaodb\nmd1_mddb: addr=0xffffffff, size=12280622\n        extracted to 021_md1_mddb\nmd1_mdmlayout: addr=0xffffffff, size=8341403\n        extracted to 022_md1_mdmlayout\nmd1_file_map: addr=0xffffffff, size=889\n        extracted to 023_md1_file_map\n```\n\nFirmware is in the extracted `md1rom` file (`000_md1rom`). For nanoMIPS binaries, see the [nanoMIPS Ghidra extension](https://github.com/nccgroup/ghidra-nanomips).\n\n\n## Debug symbols\n\n`mtk_dbg_extract.py` takes symbols from `md1_dbginfo` (full filename given by `md1_file_map`) and outputs them in\na text format that can be imported with Ghidra's `ImportSymbolsScript.py` script.\n\n```console\n$ ./mtk_dbg_extract.py symbols DbgInfo_NR16.R2.MT6879.TC2.PR1.SP_LENOVO_S0MP1_K6879V1_64_MT6879_NR16_TC2_PR1_SP_V17_P38_03_24_03R_2023_05_19_22_31 | tee debug_symbols.txt\nINT_Vectors 0x0000084c f\nbrom_ext_main 0x00000860 f\nINT_SetPLL_Gen98 0x00000866 f\nPLL_Set_CLK_To_26M 0x000009a2 f\nPLL_MD_Pll_Init 0x000009da f\nINT_SetPLL 0x000009dc f\nINT_Initialize_Phase1 0x027b5c80 f\nINT_Initialize_Phase2 0x027b617c f\ninit_cm 0x027b6384 f\ninit_cm_wt 0x027b641e f\n...\n```\n\nSome debug info files, such as `md1_dbginfodsp` in the example firmware, contain symbols for multiple files.\nFor now, the symbols for each file will be printed in sequence with a separator line beginning with `#`, e.g.:\n\n```\n# 0x000010 DSP_USIP0 \n_ss_reset_entry 0x00000000 l\n_vector_excpetion_veneer 0x00000404 l\n...\n# 0x081c4b DSP_USIP1 \n_ss_reset_entry 0x00000000 l\n_vector_excpetion_veneer 0x00000404 l\n...\n# 0x2cb407 DSP_SCQ16 SCQ16_LTE_ROCODE\nvoid_lte_dmrs_comm_cell_info_trace___uint___uint 0x0003aff8 l\nvoid_inv_cholesky_4x4_vst_func_Q3_VMLmvpvHalf_Q3_VMLmvpvHalf_Q3_VMLmvpvcHalf_Q3_VMLmvpvcHalf_Q3_VMLmvpvcHalf_Q3_VMLmvpvcHalf_Q3_VMLmvpvcHalf_Q3_VMLmvpvHalf_Q3_VMLmvpvHalf_Q3_VMLmvpvcHalf_Q3_VMLmvpsHalf___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint___uint 0x0004a5ab l\n...\n```\n\nThese comment lines are _not_ supported by `ImportSymbolsScript.py`, so splitting must be done manually.\n(TODO: Option to output a symbol text file for each entry.)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fmtk_bp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Fmtk_bp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fmtk_bp/lists"}