Returns to debugger and allows booting into recovery. Patching BL33 does not work. Should try patching the verification

2024-09-17 20:06:49 +02:00 · 2024-09-17 20:06:49 +02:00 · 1dc24198b6
commit 1dc24198b6
parent f431e1981f
1 changed files with 6 additions and 30 deletions
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@ -788,37 +788,13 @@ class ExynosDevice():
        self.connect_device()
        self.usb_read(0x200) # GiAs

-        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
-        # self.cd.arch_dbg.X0 = BL33_jump
-        self.cd.jump_to(BL33_LR)
-
-        # TRYOUT PATCHING BL33
-        # BL1 is loaded, now authenticate and patch it
-        auth_bl1(DEBUGGER_ADDR)
-        self.usb_write(b"FLSH") # Flush cache (Frederic does this..)
-
-        # Hijack ROM download function
-        hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4)) 
-        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
-        self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
-
-        # Jump into BL1 (sboot.bin.1.bin)
-        JUMP_BL33 = 0x8f000000
-        def jump_bl33(lr):
-            self.cd.arch_dbg.state.LR = lr
-            self.cd.restore_stack_and_jump(JUMP_BL33)
-
-        # And jump into BL1 to execute it
-        jump_bl33(DEBUGGER_ADDR)
-
-        time.sleep(2)
-
-        # # # dump in stages of 100 000 bytes and append to dump
-        # dump = b""
-        # for i in range(0x80000000, 0xf0000000, 0x100000):
-        #     dump += self.cd.memdump_region(i, 0x100000)
+        # Modify something in BL33 
+        # print(self.cd.memdump_region(0x8f063710, 0x8))
+        # self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53616d74))
+        # self.cd.memdump_region(0x8f063710, 0x8)
        
-
+        self.cd.arch_dbg.state.X0 = BL33_jump
+        self.cd.restore_stack_and_jump(BL33_LR)

        pass