Returns to debugger and allows booting into recovery. Patching BL33 does not work. Should try patching the verification
This commit is contained in:
parent
f431e1981f
commit
1dc24198b6
@ -788,37 +788,13 @@ class ExynosDevice():
|
|||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.usb_read(0x200) # GiAs
|
self.usb_read(0x200) # GiAs
|
||||||
|
|
||||||
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
# Modify something in BL33
|
||||||
# self.cd.arch_dbg.X0 = BL33_jump
|
# print(self.cd.memdump_region(0x8f063710, 0x8))
|
||||||
self.cd.jump_to(BL33_LR)
|
# self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53616d74))
|
||||||
|
# self.cd.memdump_region(0x8f063710, 0x8)
|
||||||
# TRYOUT PATCHING BL33
|
|
||||||
# BL1 is loaded, now authenticate and patch it
|
|
||||||
auth_bl1(DEBUGGER_ADDR)
|
|
||||||
self.usb_write(b"FLSH") # Flush cache (Frederic does this..)
|
|
||||||
|
|
||||||
# Hijack ROM download function
|
|
||||||
hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
|
|
||||||
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
|
|
||||||
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
|
|
||||||
|
|
||||||
# Jump into BL1 (sboot.bin.1.bin)
|
|
||||||
JUMP_BL33 = 0x8f000000
|
|
||||||
def jump_bl33(lr):
|
|
||||||
self.cd.arch_dbg.state.LR = lr
|
|
||||||
self.cd.restore_stack_and_jump(JUMP_BL33)
|
|
||||||
|
|
||||||
# And jump into BL1 to execute it
|
|
||||||
jump_bl33(DEBUGGER_ADDR)
|
|
||||||
|
|
||||||
time.sleep(2)
|
|
||||||
|
|
||||||
# # # dump in stages of 100 000 bytes and append to dump
|
|
||||||
# dump = b""
|
|
||||||
# for i in range(0x80000000, 0xf0000000, 0x100000):
|
|
||||||
# dump += self.cd.memdump_region(i, 0x100000)
|
|
||||||
|
|
||||||
|
|
||||||
|
self.cd.arch_dbg.state.X0 = BL33_jump
|
||||||
|
self.cd.restore_stack_and_jump(BL33_LR)
|
||||||
|
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user