minor docs update
This commit is contained in:
parent
6711ceea27
commit
0c84503e47
@ -350,3 +350,11 @@ At this point, we tried patching something in memory at BL33 - like we did at BL
|
|||||||
Possible integrity check of boot stages at BL2 and BL33.
|
Possible integrity check of boot stages at BL2 and BL33.
|
||||||
|
|
||||||
The decompilation is a bit broken, but we noticed that there are multiple calls to the same function, not just at the location where BL33 was returning from. With most specific things related to BL33 already done before this function. A similar verification seemed to have been done at ``0x02024e5c``. At this address, the same function was executed as at ``0x02024eec``, so instead of jumpingo into the function at ``0x02024eec``, we jumped into the function at ``0x02024e5c``. This worked, and allowed us to patch BL33, while continuing our boot flow. I assume, that we're doing an integrity check over BL2, while booting BL33.
|
The decompilation is a bit broken, but we noticed that there are multiple calls to the same function, not just at the location where BL33 was returning from. With most specific things related to BL33 already done before this function. A similar verification seemed to have been done at ``0x02024e5c``. At this address, the same function was executed as at ``0x02024eec``, so instead of jumpingo into the function at ``0x02024eec``, we jumped into the function at ``0x02024e5c``. This worked, and allowed us to patch BL33, while continuing our boot flow. I assume, that we're doing an integrity check over BL2, while booting BL33.
|
||||||
|
|
||||||
|
If removing the ROM/UFS Short, the phone will go into odin mode. And is visible in lsusb after booting:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
Bus 001 Device 043: ID 04e8:685d Samsung Electronics Co., Ltd GT-I9100 Phone [Galaxy S II] (Download mode)
|
||||||
|
|
||||||
|
|
||||||
|
@ -763,8 +763,8 @@ class ExynosDevice():
|
|||||||
VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3
|
VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3
|
||||||
|
|
||||||
self.test_write_execute(0x11207010)
|
self.test_write_execute(0x11207010)
|
||||||
|
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
self.cd.restore_stack_and_jump(hijacked_fun)
|
self.cd.restore_stack_and_jump(hijacked_fun)
|
||||||
time.sleep(2)
|
|
||||||
|
|
||||||
# ==== Stage 4 BL2 ====
|
# ==== Stage 4 BL2 ====
|
||||||
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
||||||
@ -799,17 +799,18 @@ class ExynosDevice():
|
|||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.usb_read(0x200) # GiAs
|
self.usb_read(0x200) # GiAs
|
||||||
|
|
||||||
print(self.cd.arch_dbg.state.print_ctx())
|
|
||||||
|
|
||||||
# # Modify something in BL33
|
# # Modify something in BL33
|
||||||
|
print(self.cd.arch_dbg.state.print_ctx())
|
||||||
print(self.cd.memdump_region(0x8f063710, 0x8))
|
print(self.cd.memdump_region(0x8f063710, 0x8))
|
||||||
self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
|
self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
|
||||||
|
|
||||||
# Modify USB Recovyer mode string to something else
|
# Modify USB Recovyer mode string to: NFI Patched BL33
|
||||||
self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
|
self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
|
||||||
print(self.cd.memdump_region(0x8f063710, 0x8))
|
print(self.cd.memdump_region(0x8f063710, 0x8))
|
||||||
|
|
||||||
# Do signature verification on BL2 instead of BL33 and proceed to boot (original is jump to 0x2024eec)
|
# Print state of x30/LR on screen
|
||||||
|
self.cd.memwrite_region(0x8f01dc08, struct.pack('>I', 0x7b432c91))
|
||||||
|
|
||||||
self.cd.restore_stack_and_jump(0x02024e5c)
|
self.cd.restore_stack_and_jump(0x02024e5c)
|
||||||
|
|
||||||
pass
|
pass
|
||||||
|
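Review bot: The comment replaced near the end of this hunk ("Do signature verification on BL2 instead of BL33 and proceed to boot (original is jump to 0x2024eec)") was the only explanation of why `self.cd.restore_stack_and_jump(0x02024e5c)` targets that address instead of 0x2024eec, and its replacement "Print state of x30/LR on screen" describes the newly inserted memwrite, so the jump line is now undocumented. Keep both: leave the new comment above `self.cd.memwrite_region(0x8f01dc08, ...)` and restore `# Do signature verification on BL2 instead of BL33 and proceed to boot (original is jump to 0x2024eec)` directly above the jump. The new write packs 0x7b432c91 with `'>I'`; on a little-endian AArch64 target those bytes are the word 0x912c437b, which appears to decode to `add x27, x27, #0xb10`, so if this is an instruction patch, `struct.pack('<I', 0x912c437b)` with a comment naming the instruction and what 0x8f01dc08 points at would make the intent checkable instead of relying on a pre-reversed magic constant. The enclosing method begins outside the hunk.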
Binary file not shown.