diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst
index f281a02..d49e4c0 100644
--- a/documentation/source/BootROM_8890/boot_chain.rst
+++ b/documentation/source/BootROM_8890/boot_chain.rst
@@ -3,11 +3,127 @@ Booting
=======
After exploitation the goal is to fully boot the device.
+Current boot chain:
+
+.. figure:: images/boot_chain.drawio.svg
+ :align: center
+
+ Boot chain
+
debugger
========
Some other information about the debugger and it's current state.
-ROM
----
+bl1
+===
+
+Loads at address ``0x02024000`` and contains some form of header.
+There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary.
+In this case this entry is ``+0x10`` so we jump to ``0x02024010``.
+
+.. code-block:: python
+
+ fwbl1 = open("../S7/bl1.bin", "rb").read()
+ self.cd.memwrite_region(0x02024000, fwbl1)
+
+ def jump_fwbl1():
+ self.cd.arch_dbg.state.LR = 0x2069000
+ self.cd.restore_stack_and_jump(0x02024010)
+
+ jump_fwbl1()
+
+However, this does not result in a jump back to the debugger.
+The reason for this is the following code in bl1:
+
+.. code-block:: c
+
+ iVar3 = FUN_02024320();
+ if (iVar3 == 1) {
+ (*(code *)(ulong)uRam0000000002020108)(0,1);
+ }
+
+This code uses a predefined ROM function(I was looking for it) and jumps back to that function when it's done.
+This function is at address ``0x020200e8``, looking in our IMEM dump we can see where in the ROM this points to:
+
+.. code-block:: c
+
+ DAT_02020108 XREF[2]: FUN_00001708:000018b4(W),
+ FUN_02021970:02021a40(R)
+ 02020108 90 57 00 00 undefined4 00005790h
+
+Replacing this function with our debugger makes us jump back:
+
+.. code-block:: python
+
+ # Overwrite jump back
+ self.cd.memwrite_region(0x02020108, p32(0x2069000))
+ self.cd.memwrite_region(0x020200e8, p32(0x2069000))
+
+ def jump_bl1():
+ self.cd.arch_dbg.state.LR = 0x2069000
+ self.cd.restore_stack_and_jump(0x02024010)
+ # self.cd.restore_stack_and_jump(0x02021810)
+
+ bl1 = open("../S7/bl1.bin", "rb").read()
+ self.cd.memwrite_region(0x02024000, bl1)
+ self.usb_write(b"FLSH")
+
+ # auth_bl1()
+ jump_bl1()
+ assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
+ self.cd.arch_dbg.state.print_ctx()
+
+ root | DEBUG |
+ X0 : 0xc00000 | X1 : 0x2069000 | X2 : 0x0 | X3 : 0x2023114 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
+ X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
+ X14 : 0xf | X15 : 0x206d000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x20200e8 | X20 : 0x0 |
+ X21 : 0x80000000 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
+ X28 : 0x0 | X29 : 0x2020ed8 | LR/X30 : 0x202419c | SP/X31 : 0x2020ec0
+
+However this does not fully run bl1, so we will have to dig a bit deeper to see the puropose and when to jump back to the debugger.
+
+purpose
+-------
+bl1 interacts with several pheriperals, from the DTB these are:
+
+.. code-block:: dtsi
+
+ /* FSYS0 */
+ pinctrl_5: pinctrl@10E60000 {
+ compatible = "samsung,exynos8890-pinctrl";
+ reg = <0x0 0x10E60000 0x1000>;
+ interrupts = <0 212 0>;
+ };
+
+ /* FSYS1 */
+ pinctrl_6: pinctrl@15690000 {
+ compatible = "samsung,exynos8890-pinctrl";
+ reg = <0x0 0x15690000 0x1000>;
+ interrupts = <0 202 0>;
+ };
+
+ /* PERIC1 */
+ pinctrl_9: pinctrl@14CC0000 {
+ compatible = "samsung,exynos8890-pinctrl";
+ reg = <0x0 0x14CC0000 0x1000>;
+ interrupts = <0 460 0>;
+ };
+
+ pmu_system_controller: system-controller@105C0000 {
+ compatible = "samsung,exynos8890-pmu", "syscon";
+ reg = <0x0 0x105C0000 0x10000>;
+ };
+
+ rtc@10070000 {
+ compatible = "samsung,s3c6410-rtc";
+ reg = <0x0 0x10070000 0x100>;
+ interrupts = <0 73 0>, <0 74 0>;
+ clocks = <&clock 157>;
+ clock-names = "gate_rtc";
+ };
+BL31
+----
+
+Setups EL3 stuff, probably in preperation of loading trustzone
\ No newline at end of file
diff --git a/documentation/source/BootROM_8890/images/boot_chain.drawio.svg b/documentation/source/BootROM_8890/images/boot_chain.drawio.svg
new file mode 100644
index 0000000..7ae49dc
--- /dev/null
+++ b/documentation/source/BootROM_8890/images/boot_chain.drawio.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/documentation/source/BootROM_8890/images/memory_layout.drawio.svg b/documentation/source/BootROM_8890/images/memory_layout.drawio.svg
index ab60338..9f190f6 100644
--- a/documentation/source/BootROM_8890/images/memory_layout.drawio.svg
+++ b/documentation/source/BootROM_8890/images/memory_layout.drawio.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/reven/SamsungS7.lock b/reven/SamsungS7.lock
index 516725f..fe6694d 100644
--- a/reven/SamsungS7.lock
+++ b/reven/SamsungS7.lock
@@ -1,9 +1,9 @@
#Ghidra Lock File
-#Sat Aug 03 17:14:04 CEST 2024
+#Tue Aug 06 19:30:30 CEST 2024
OS\ Name=Linux
OS\ Version=6.5.0-44-generic
Username=eljakim
Hostname=levith
\ Supports\ File\ Channel\ Locking=Channel Lock
OS\ Architecture=amd64
-Timestamp=8/3/24, 5\:14 PM
+Timestamp=8/6/24, 7\:30 PM
diff --git a/reven/SamsungS7.rep/idata/~index.bak b/reven/SamsungS7.rep/idata/~index.bak
index 3dd0917..5a40409 100644
--- a/reven/SamsungS7.rep/idata/~index.bak
+++ b/reven/SamsungS7.rep/idata/~index.bak
@@ -1,11 +1,13 @@
VERSION=1
/
- 00000002:8890_bootrom.bin:7f0119bc3142241939494339
+ 00000006:8890_bootrom.bin:7f0119bc3142241939494339
+ 00000002:8890_bootrom.bin.keep:7f011889d240069673442230
/mib3
00000000:full_boot:7f0118059140616855428589
/s7
+ 00000007:fwbl1.bin:7f011a0d5252765509589854
00000003:sboot.bin.2.bin:7f011ab837995028720085
00000004:sboot.bin.3.bin:7f011872b8163836628792
00000005:sboot.bin.4.bin:7f011842b8231996037592
-NEXT-ID:6
+NEXT-ID:8
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/idata/~index.dat b/reven/SamsungS7.rep/idata/~index.dat
index 3dd0917..e8f01e6 100644
--- a/reven/SamsungS7.rep/idata/~index.dat
+++ b/reven/SamsungS7.rep/idata/~index.dat
@@ -1,11 +1,13 @@
VERSION=1
/
- 00000002:8890_bootrom.bin:7f0119bc3142241939494339
+ 00000006:8890_bootrom.bin:7f0119bc3142241939494339
+ 00000002:8890_bootrom.bin.keep:7f011889d240069673442230
/mib3
00000000:full_boot:7f0118059140616855428589
/s7
- 00000003:sboot.bin.2.bin:7f011ab837995028720085
+ 00000007:bl1.bin:7f011a0d5252765509589854
+ 00000003:bl31.bin:7f011ab837995028720085
00000004:sboot.bin.3.bin:7f011872b8163836628792
00000005:sboot.bin.4.bin:7f011842b8231996037592
-NEXT-ID:6
+NEXT-ID:8
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~index.bak b/reven/SamsungS7.rep/user/~index.bak
index f0bb25d..77d0dfb 100644
--- a/reven/SamsungS7.rep/user/~index.bak
+++ b/reven/SamsungS7.rep/user/~index.bak
@@ -1,8 +1,9 @@
VERSION=1
/
00000000:udf_7f0118059140616855428589:7f0118d0b142268235940037
+ 00000004:udf_7f011842b8231996037592:7f01190f112184430945139
00000003:udf_7f011872b8163836628792:7f011a9478217161533597
00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
-NEXT-ID:4
+NEXT-ID:5
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~index.dat b/reven/SamsungS7.rep/user/~index.dat
index 77d0dfb..257c699 100644
--- a/reven/SamsungS7.rep/user/~index.dat
+++ b/reven/SamsungS7.rep/user/~index.dat
@@ -4,6 +4,7 @@ VERSION=1
00000004:udf_7f011842b8231996037592:7f01190f112184430945139
00000003:udf_7f011872b8163836628792:7f011a9478217161533597
00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
+ 00000005:udf_7f011a0d5252765509589854:7f0118e15255467845445248
00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
-NEXT-ID:5
+NEXT-ID:6
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~journal.bak b/reven/SamsungS7.rep/user/~journal.bak
index ae0f201..d9b4d50 100644
--- a/reven/SamsungS7.rep/user/~journal.bak
+++ b/reven/SamsungS7.rep/user/~journal.bak
@@ -1,2 +1,2 @@
-IADD:00000004:/udf_7f011842b8231996037592
-IDSET:/udf_7f011842b8231996037592:7f01190f112184430945139
+IADD:00000005:/udf_7f011a0d5252765509589854
+IDSET:/udf_7f011a0d5252765509589854:7f0118e15255467845445248
diff --git a/source/S7/fwbl1.bin b/source/S7/bl1.bin
similarity index 100%
rename from source/S7/fwbl1.bin
rename to source/S7/bl1.bin
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index c8b46ff..f76a406 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -221,6 +221,10 @@ class ExynosDevice():
self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.print_ctx()
+ # Overwrite jump back
+ self.cd.memwrite_region(0x02020108, p32(0x2069000))
+ # self.cd.memwrite_region(0x020200e8, p32(0x2069000))
+
AUTH_BL1 = 0x00012848
def memdump_try():
dumped = b""
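Review bot: The new write `self.cd.memwrite_region(0x02020108, p32(0x2069000))` patches a raw address with no explanation of what slot is being overwritten, and the commented-out sibling write to 0x020200e8 directly below it suggests it is not yet settled which of the two the ROM actually dereferences. Name both values as class constants with the reason recorded, e.g. `BL1_RETURN_HOOK = 0x02020108  # IMEM slot bl1 calls through when it finishes; pointed at the debugger so control comes back`, `DEBUGGER_ENTRY = 0x2069000`, and use them here and in the LR assignments further down so the same magic number is not repeated four times. Since a mis-aimed 4-byte write into IMEM silently corrupts ROM state, reading the slot back after the write and comparing it to `p32(DEBUGGER_ENTRY)` would catch a failed debugger write before the jump, assuming the debugger exposes a read primitive (a dump routine exists just below, so presumably it does). The enclosing method starts outside this hunk.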
@@ -234,11 +238,37 @@ class ExynosDevice():
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
+
+ def jump_bl1():
+ self.cd.arch_dbg.state.LR = 0x2069000
+ self.cd.restore_stack_and_jump(0x02024010)
+ # self.cd.restore_stack_and_jump(0x02021810)
+
+ #000125b4
+ # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
+ # self.cd.restore_stack_and_jump(0x00012814)
+ # self.cd.restore_stack_and_jump(0x000125b4)
- fwbl1 = open("../S7/fwbl1.bin", "rb").read()
- self.cd.memwrite_region(0x02021800, fwbl1)
- memdump_try()
- auth_bl1()
+ bl1 = open("../S7/bl1.bin", "rb").read()
+ self.cd.memwrite_region(0x02024000, bl1)
+ self.usb_write(b"FLSH")
+
+ # auth_bl1()
+ jump_bl1()
+ assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
+ self.cd.arch_dbg.state.print_ctx()
+
+ def jump_bl31():
+ self.cd.arch_dbg.state.LR = 0x2069000
+ self.cd.restore_stack_and_jump(0x02021810)
+ bl31 = open("../S7/bl31.bin", "rb").read()
+ self.cd.memwrite_region(0x02021800, bl31)
+ jump_bl31()
+ assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
+ self.cd.arch_dbg.state.print_ctx()
+
+ # memdump_try()
+ # auth_bl1()
self.cd.arch_dbg.state.print_ctx()
#authenticate it
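Review bot: The two `assert self.usb_read(0x200) == b"GiAs", ...` lines use `assert` for a device-protocol check; under `python -O` they vanish and the script carries on after a failed jump-back as if bl1/bl31 had returned cleanly, and on failure they discard the bytes actually received. The `open("../S7/bl1.bin", "rb").read()` and `open("../S7/bl31.bin", "rb").read()` calls also leave file handles open until garbage collection. Both are fixed by a small helper that raises with the received reply, plus `with open(...)` for the two reads; the rewritten lines are below, everything else in the hunk is unchanged. The `jump_bl31` step loads at 0x02021800 and jumps to +0x10 like bl1 does, which presumably relies on the same header convention — worth a one-line comment if that is confirmed. The enclosing method starts outside this hunk, and the commented-out experiments (`#000125b4`, the old `restore_stack_and_jump` targets, `# memdump_try()`) should be deleted rather than kept as dead code.
```python
        def expect_debugger_return(stage):
            # Protocol check, not a debug assertion: must survive python -O.
            reply = self.usb_read(0x200)
            if reply != b"GiAs":
                raise RuntimeError(f"{stage}: not jumped back to debugger? got {reply!r}")

        with open("../S7/bl1.bin", "rb") as f:
            bl1 = f.read()
        # … unchanged: memwrite_region / FLSH / jump_bl1() …
        expect_debugger_return("bl1")
        # … unchanged: jump_bl31 definition …
        with open("../S7/bl31.bin", "rb") as f:
            bl31 = f.read()
        # … unchanged: memwrite_region / jump_bl31() …
        expect_debugger_return("bl31")
```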
diff --git a/source/exploit/stage1/stage1.c b/source/exploit/stage1/stage1.c
index 63f3f12..052ad0b 100644
--- a/source/exploit/stage1/stage1.c
+++ b/source/exploit/stage1/stage1.c
@@ -33,7 +33,8 @@ void recv_data(uint32_t address, uint32_t size){
dwc3_ep0_start_trans(2, rbuf, 0x200);
while(1){
usb_event_handler();
- if(*(uint8_t *)dref == 1){
+ volatile val = *(volatile uint8_t *)dref;
+ if(val == 1){
break;
}
}
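Review bot: `volatile val = *(volatile uint8_t *)dref;` declares `val` with no type, i.e. implicit `int`, which has been invalid since C99 and is a hard error on current gcc and clang defaults; it should read `uint8_t val = *(volatile uint8_t *)dref;` — the `volatile` on the pointer dereference is what forces the re-read each iteration, the qualifier on the local adds nothing. The loop is also unbounded, so if the host never writes the flag byte the stage spins forever; that may be deliberate for a stage-1 payload, but a comment such as `// spin until the host writes 1 to *dref; no timeout by design` would make that explicit. `recv_data` starts outside this hunk.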
@@ -73,6 +74,10 @@ int main() {
recv_data(0x2069000 + block, block_sz);
}
+ // clear cache
+ // __asm__ __volatile__("ic iallu\n\t" : : :"memory");
+ // __asm__ __volatile__("ic ialluis\n\t" : : :"memory");
+
// Create function at debugger_location
void (*custom_func)() = (void*)0x2069000; //mem_off;
custom_func();
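Review bot: The cache maintenance under `// clear cache` is left commented out, yet `custom_func()` immediately executes bytes that were just received into 0x2069000; if the data cache is enabled at this point the instruction fetch can see stale lines, which would show up exactly as the intermittent "does not jump back" behaviour this series is chasing. `ic iallu` on its own is also not the right sequence on ARMv8: the received data must first be cleaned to the point of unification, then the I-cache invalidated, each step followed by a barrier. Whether caches are on in this BootROM context is not visible here, so this is a hedge, but the sequence below is the minimum if they are (64-byte lines assumed; CTR_EL0 gives the real value). The rewritten lines sit inside the receive loop and just after it; `main` starts outside this hunk.
```c
        recv_data(0x2069000 + block, block_sz);
        // Clean the block just received to PoU so instruction fetch sees it.
        for (uint32_t off = 0; off < block_sz; off += 64) {
            __asm__ __volatile__("dc cvau, %0" : : "r"(0x2069000 + block + off) : "memory");
        }
    }
    // Order the cleans, drop the I-cache, then resynchronise the pipeline.
    __asm__ __volatile__("dsb ish\n\t"
                         "ic iallu\n\t"
                         "dsb ish\n\t"
                         "isb\n\t" : : : "memory");
    // … unchanged: custom_func declaration and call …
```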