This commit is contained in:
Eljakim Herrewijnen 2024-08-07 00:20:30 +02:00
parent 679d96f121
commit 0176439498
12 changed files with 177 additions and 19 deletions


@ -3,11 +3,127 @@ Booting
======= =======
After exploitation the goal is to fully boot the device. After exploitation the goal is to fully boot the device.
Current boot chain:
.. figure:: images/boot_chain.drawio.svg
:align: center
Boot chain
debugger debugger
======== ========
Some other information about the debugger and it's current state. Some other information about the debugger and it's current state.
ROM bl1
--- ===
Loads at address ``0x02024000`` and contains some form of header.
There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary.
In this case this entry is ``+0x10`` so we jump to ``0x02024010``.
.. code-block:: python
fwbl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02024000, fwbl1)
def jump_fwbl1():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02024010)
jump_fwbl1()
However, this does not result in a jump back to the debugger.
The reason for this is the following code in bl1:
.. code-block:: c
iVar3 = FUN_02024320();
if (iVar3 == 1) {
(*(code *)(ulong)uRam0000000002020108)(0,1);
}
This code uses a predefined ROM function(I was looking for it) and jumps back to that function when it's done.
This function is at address ``0x020200e8``, looking in our IMEM dump we can see where in the ROM this points to:
.. code-block:: c
DAT_02020108 XREF[2]: FUN_00001708:000018b4(W),
FUN_02021970:02021a40(R)
02020108 90 57 00 00 undefined4 00005790h
Replacing this function with our debugger makes us jump back:
.. code-block:: python
# Overwrite jump back
self.cd.memwrite_region(0x02020108, p32(0x2069000))
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
def jump_bl1():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02024010)
# self.cd.restore_stack_and_jump(0x02021810)
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl1)
self.usb_write(b"FLSH")
# auth_bl1()
jump_bl1()
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
self.cd.arch_dbg.state.print_ctx()
root | DEBUG |
X0 : 0xc00000 | X1 : 0x2069000 | X2 : 0x0 | X3 : 0x2023114 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
X14 : 0xf | X15 : 0x206d000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x20200e8 | X20 : 0x0 |
X21 : 0x80000000 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
X28 : 0x0 | X29 : 0x2020ed8 | LR/X30 : 0x202419c | SP/X31 : 0x2020ec0
However this does not fully run bl1, so we will have to dig a bit deeper to see the puropose and when to jump back to the debugger.
purpose
-------
bl1 interacts with several pheriperals, from the DTB these are:
.. code-block:: dtsi
/* FSYS0 */
pinctrl_5: pinctrl@10E60000 {
compatible = "samsung,exynos8890-pinctrl";
reg = <0x0 0x10E60000 0x1000>;
interrupts = <0 212 0>;
};
/* FSYS1 */
pinctrl_6: pinctrl@15690000 {
compatible = "samsung,exynos8890-pinctrl";
reg = <0x0 0x15690000 0x1000>;
interrupts = <0 202 0>;
};
/* PERIC1 */
pinctrl_9: pinctrl@14CC0000 {
compatible = "samsung,exynos8890-pinctrl";
reg = <0x0 0x14CC0000 0x1000>;
interrupts = <0 460 0>;
};
pmu_system_controller: system-controller@105C0000 {
compatible = "samsung,exynos8890-pmu", "syscon";
reg = <0x0 0x105C0000 0x10000>;
};
rtc@10070000 {
compatible = "samsung,s3c6410-rtc";
reg = <0x0 0x10070000 0x100>;
interrupts = <0 73 0>, <0 74 0>;
clocks = <&clock 157>;
clock-names = "gate_rtc";
};
BL31
----
Setups EL3 stuff, probably in preperation of loading trustzone



@ -1,9 +1,9 @@
#Ghidra Lock File #Ghidra Lock File
#Sat Aug 03 17:14:04 CEST 2024 #Tue Aug 06 19:30:30 CEST 2024
OS\ Name=Linux OS\ Name=Linux
OS\ Version=6.5.0-44-generic OS\ Version=6.5.0-44-generic
Username=eljakim Username=eljakim
Hostname=levith Hostname=levith
<META>\ Supports\ File\ Channel\ Locking=Channel Lock <META>\ Supports\ File\ Channel\ Locking=Channel Lock
OS\ Architecture=amd64 OS\ Architecture=amd64
Timestamp=8/3/24, 5\:14 PM Timestamp=8/6/24, 7\:30 PM


@ -1,11 +1,13 @@
VERSION=1 VERSION=1
/ /
00000002:8890_bootrom.bin:7f0119bc3142241939494339 00000006:8890_bootrom.bin:7f0119bc3142241939494339
00000002:8890_bootrom.bin.keep:7f011889d240069673442230
/mib3 /mib3
00000000:full_boot:7f0118059140616855428589 00000000:full_boot:7f0118059140616855428589
/s7 /s7
00000007:fwbl1.bin:7f011a0d5252765509589854
00000003:sboot.bin.2.bin:7f011ab837995028720085 00000003:sboot.bin.2.bin:7f011ab837995028720085
00000004:sboot.bin.3.bin:7f011872b8163836628792 00000004:sboot.bin.3.bin:7f011872b8163836628792
00000005:sboot.bin.4.bin:7f011842b8231996037592 00000005:sboot.bin.4.bin:7f011842b8231996037592
NEXT-ID:6 NEXT-ID:8
MD5:d41d8cd98f00b204e9800998ecf8427e MD5:d41d8cd98f00b204e9800998ecf8427e


@ -1,11 +1,13 @@
VERSION=1 VERSION=1
/ /
00000002:8890_bootrom.bin:7f0119bc3142241939494339 00000006:8890_bootrom.bin:7f0119bc3142241939494339
00000002:8890_bootrom.bin.keep:7f011889d240069673442230
/mib3 /mib3
00000000:full_boot:7f0118059140616855428589 00000000:full_boot:7f0118059140616855428589
/s7 /s7
00000003:sboot.bin.2.bin:7f011ab837995028720085 00000007:bl1.bin:7f011a0d5252765509589854
00000003:bl31.bin:7f011ab837995028720085
00000004:sboot.bin.3.bin:7f011872b8163836628792 00000004:sboot.bin.3.bin:7f011872b8163836628792
00000005:sboot.bin.4.bin:7f011842b8231996037592 00000005:sboot.bin.4.bin:7f011842b8231996037592
NEXT-ID:6 NEXT-ID:8
MD5:d41d8cd98f00b204e9800998ecf8427e MD5:d41d8cd98f00b204e9800998ecf8427e


@ -1,8 +1,9 @@
VERSION=1 VERSION=1
/ /
00000000:udf_7f0118059140616855428589:7f0118d0b142268235940037 00000000:udf_7f0118059140616855428589:7f0118d0b142268235940037
00000004:udf_7f011842b8231996037592:7f01190f112184430945139
00000003:udf_7f011872b8163836628792:7f011a9478217161533597 00000003:udf_7f011872b8163836628792:7f011a9478217161533597
00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045 00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603 00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
NEXT-ID:4 NEXT-ID:5
MD5:d41d8cd98f00b204e9800998ecf8427e MD5:d41d8cd98f00b204e9800998ecf8427e


@ -4,6 +4,7 @@ VERSION=1
00000004:udf_7f011842b8231996037592:7f01190f112184430945139 00000004:udf_7f011842b8231996037592:7f01190f112184430945139
00000003:udf_7f011872b8163836628792:7f011a9478217161533597 00000003:udf_7f011872b8163836628792:7f011a9478217161533597
00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045 00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
00000005:udf_7f011a0d5252765509589854:7f0118e15255467845445248
00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603 00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
NEXT-ID:5 NEXT-ID:6
MD5:d41d8cd98f00b204e9800998ecf8427e MD5:d41d8cd98f00b204e9800998ecf8427e


@ -1,2 +1,2 @@
IADD:00000004:/udf_7f011842b8231996037592 IADD:00000005:/udf_7f011a0d5252765509589854
IDSET:/udf_7f011842b8231996037592:7f01190f112184430945139 IDSET:/udf_7f011a0d5252765509589854:7f0118e15255467845445248


@ -221,6 +221,10 @@ class ExynosDevice():
self.cd.arch_dbg.state.auto_sync = False self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
# Overwrite jump back
self.cd.memwrite_region(0x02020108, p32(0x2069000))
# self.cd.memwrite_region(0x020200e8, p32(0x2069000))
AUTH_BL1 = 0x00012848 AUTH_BL1 = 0x00012848
def memdump_try(): def memdump_try():
dumped = b"" dumped = b""
@ -235,10 +239,36 @@ class ExynosDevice():
self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1) self.cd.restore_stack_and_jump(AUTH_BL1)
fwbl1 = open("../S7/fwbl1.bin", "rb").read() def jump_bl1():
self.cd.memwrite_region(0x02021800, fwbl1) self.cd.arch_dbg.state.LR = 0x2069000
memdump_try() self.cd.restore_stack_and_jump(0x02024010)
auth_bl1() # self.cd.restore_stack_and_jump(0x02021810)
#000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl1)
self.usb_write(b"FLSH")
# auth_bl1()
jump_bl1()
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
self.cd.arch_dbg.state.print_ctx()
def jump_bl31():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02021810)
bl31 = open("../S7/bl31.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl31)
jump_bl31()
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
self.cd.arch_dbg.state.print_ctx()
# memdump_try()
# auth_bl1()
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
#authenticate it #authenticate it
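Review bot: The device-response checks added in the second hunk, `assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"` after both `jump_bl1()` and `jump_bl31()`, are compiled out under `python -O`, so a failed jump-back would silently fall through to `print_ctx()` with whatever state the target is in; replace each with an explicit check such as `resp = self.usb_read(0x200)` / `if resp != b"GiAs":` / `raise RuntimeError(f"not jumped back to debugger? got {resp!r}")`, which also records what actually came back. The reads `open("../S7/bl1.bin", "rb").read()` and the matching `bl31.bin` line leave the file handle to the garbage collector; `with open("../S7/bl1.bin", "rb") as f: bl1 = f.read()` closes it deterministically. It is not clear from the hunk whether `jump_bl31()` is meant to be preceded by the same `self.usb_write(b"FLSH")` that precedes `jump_bl1()`; if the omission is deliberate, a one-line comment on the `jump_bl31()` call would save the next reader from guessing. The enclosing method starts and ends outside the hunk.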


@ -33,7 +33,8 @@ void recv_data(uint32_t address, uint32_t size){
dwc3_ep0_start_trans(2, rbuf, 0x200); dwc3_ep0_start_trans(2, rbuf, 0x200);
while(1){ while(1){
usb_event_handler(); usb_event_handler();
if(*(uint8_t *)dref == 1){ volatile val = *(volatile uint8_t *)dref;
if(val == 1){
break; break;
} }
} }
@ -73,6 +74,10 @@ int main() {
recv_data(0x2069000 + block, block_sz); recv_data(0x2069000 + block, block_sz);
} }
// clear cache
// __asm__ __volatile__("ic iallu\n\t" : : :"memory");
// __asm__ __volatile__("ic ialluis\n\t" : : :"memory");
// Create function at debugger_location // Create function at debugger_location
void (*custom_func)() = (void*)0x2069000; //mem_off; void (*custom_func)() = (void*)0x2069000; //mem_off;
custom_func(); custom_func();
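Review bot: `volatile val = *(volatile uint8_t *)dref;` in recv_data declares `val` with no type, so it falls back to implicit `int`, which is a warning in older C modes and a hard error in C23; the value still fits today, but the declaration should be `uint8_t val = *(volatile uint8_t *)dref;` (the `volatile` that matters is already on the pointer dereference, so the local itself does not need it). A short comment on that line explaining why the re-read must be volatile would help, e.g. `// re-read each iteration: the flag is written outside the compiler's view (presumably by USB completion) -- confirm`. The loop's polling has no bound, so a transfer that never completes spins forever; whether that is acceptable for this debugger stub is a design choice worth stating in a comment. recv_data begins before the hunk and its body continues past it.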