mib3 boots with debugger until after BL2. BL33 not properly booting

Jonathan Herrewijnen 2024-11-05 18:30:55 +01:00
parent 1e040cbea9
commit 091efe2f80


@ -633,16 +633,16 @@ class ExynosDevice():
DEBUGGER_ADDR = 0x2069000 # 0x2069000 DEBUGGER_ADDR = 0x2069000 # 0x2069000
# Dump contents of TTBR0_EL3 from memory into a pandas dataframe and write it to a pickle file # Dump contents of TTBR0_EL3 from memory into a pandas dataframe and write it to a pickle file
import pandas as pd #import pandas as pd
blub = self.cd.memdump_region(0x02035000, 0x1000) #blub = self.cd.memdump_region(0x02035000, 0x1000)
try: #try:
df = pd.read_pickle('ttbr0_el3.pkl') # df = pd.read_pickle('ttbr0_el3.pkl')
# Concat data to existing dataframe # # Concat data to existing dataframe
df = pd.concat([df, pd.Series([blub])], ignore_index=True) # df = pd.concat([df, pd.Series([blub])], ignore_index=True)
except: #except:
df = pd.DataFrame() # df = pd.DataFrame()
df['TTBR0_EL3'] = [blub] # df['TTBR0_EL3'] = [blub]
df.to_pickle('ttbr0_el3.pkl') #df.to_pickle('ttbr0_el3.pkl')
# Relocate debugger # Relocate debugger
debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read() debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
@ -650,15 +650,16 @@ class ExynosDevice():
DEBUGGER_ADDR = 0x11200000 DEBUGGER_ADDR = 0x11200000
# Load bootloader stages # Load bootloader stages
bl1 = open("../S7/g930f_latest/fwbl1_a.bin", "rb").read()
bl31 = open("../S7/g930f_latest/el3_mon_a.bin", "rb").read() bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()
bl2 = open("../S7/g930f_latest/bl2_a.bin", "rb").read() bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl33 = open("../S7/g930f_latest/u-boot.bin", "rb").read() bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3: if args.MIB3:
bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read() bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read() bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read() bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() bl33 = open("../mib3/boot_partitions/u-boot_a.bin", "rb").read()
# Test debugger connection # Test debugger connection
self.cd.test_connection() self.cd.test_connection()
@ -747,6 +748,9 @@ class ExynosDevice():
self.usb_read(0x200) # GiAs self.usb_read(0x200) # GiAs
# self.cd.memwrite_region(0x02031008, b"ELH") # self.cd.memwrite_region(0x02031008, b"ELH")
# Get pointer to BL31
BL31_POINTER = self.cd.arch_dbg.state.LR
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
TTBR0_EL3 = 0x02035600 # Zeroed out TTBR0_EL3 = 0x02035600 # Zeroed out
@ -760,9 +764,9 @@ class ExynosDevice():
# self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000)) # self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000))
# Jump into BL31 and execute it # Jump into BL31 and execute it
BL31_POINTER = 0x02024010 #BL31_POINTER = 0x02024010
if args.MIB3: #if args.MIB3:
BL31_POINTER = 0x020c0000 # BL31_POINTER = 0x020c0000
self.cd.restore_stack_and_jump(BL31_POINTER) self.cd.restore_stack_and_jump(BL31_POINTER)
# Obligatory reconnect and check of debugger # Obligatory reconnect and check of debugger
@ -784,7 +788,9 @@ class ExynosDevice():
VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3 VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3
self.test_write_execute(0x11207010) self.test_write_execute(0x11207010)
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
if args.MIB3:
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.restore_stack_and_jump(hijacked_fun) self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 4 BL2 ==== # ==== Stage 4 BL2 ====
@ -813,15 +819,17 @@ class ExynosDevice():
self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY
self.cd.restore_stack_and_jump(hijacked_fun) self.cd.restore_stack_and_jump(hijacked_fun)
time.sleep(1)
self.connect_device()
self.send_normal_stage(bl33) # Never return/completes
self.connect_device()
self.usb_read(0x200) # GiAs
# print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read() # print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
# off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9")) # off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
# stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):] # stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
self.send_normal_stage(bl33)
self.connect_device()
self.usb_read(0x200) # GiAs
# Change bootmode to SDCARD (allow normal booting, if pressing volume up) # Change bootmode to SDCARD (allow normal booting, if pressing volume up)
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035)) self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34)) self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
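Review bot: The eight new `open(..., "rb").read()` calls under `# Load bootloader stages` (hunk @ -650) never close their file handles, and the four S7 images are read unconditionally and then discarded whenever `args.MIB3` is set, so a missing or unreadable S7 image aborts a MIB3 run that does not need it. Selecting the path list first and reading each image inside a `with` block fixes both and surfaces a missing image at load time rather than later when the stage is pushed to the device; the rewrite below keeps the names `bl1`, `bl31`, `bl2` and `bl33` so the rest of the method is unaffected. The enclosing method starts and ends outside this hunk, and the last hunk (@ -813) may also continue past the visible lines. Separately, in hunk @ -747 `BL31_POINTER = self.cd.arch_dbg.state.LR` replaces the hard-coded targets that are now commented out in hunk @ -760, so whatever the device reports in LR silently becomes the jump target; logging that value and checking it against the previously known addresses before `restore_stack_and_jump` would make a failed boot diagnosable instead of a blind jump.
```python
# Load bootloader stages: pick one image set up front, read each file exactly once
if args.MIB3:
    stage_paths = [
        "../mib3/boot_partitions/fwbl1_a.bin",
        "../mib3/boot_partitions/el3_mon_a.bin",
        "../mib3/boot_partitions/bl2_a.bin",
        "../mib3/boot_partitions/u-boot_a.bin",
    ]
else:
    stage_paths = [
        "../S7/g930f_latest/g930f_sboot.bin.1.bin",
        "../S7/g930f_latest/g930f_sboot.bin.2.bin",
        "../S7/g930f_latest/g930f_sboot.bin.3.bin",
        "../S7/g930f_latest/g930f_sboot.bin.4.bin",
    ]
stages = []
for stage_path in stage_paths:
    # `with` closes the handle; a missing image raises here, before any device interaction
    with open(stage_path, "rb") as stage_file:
        stages.append(stage_file.read())
bl1, bl31, bl2, bl33 = stages
# … unchanged: test debugger connection …
```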