patching introduced bugs

This commit is contained in:
Jonathan Herrewijnen 2024-12-09 10:51:36 +01:00
parent e98ceea1d6
commit 1dec7120f1
3 changed files with 22 additions and 12 deletions

View File

@ -37,7 +37,7 @@
"program": "exploit.py", "program": "exploit.py",
"console": "integratedTerminal", "console": "integratedTerminal",
"justMyCode": false, "justMyCode": false,
"args": ["--debugger-boot", "--MIB3"], //, "--MIB3" "args": ["--debugger-boot", "--target", "MIB3"], //, "--MIB3"
}, },
{ {
"name": "Debug current file", "name": "Debug current file",

View File

@ -98,7 +98,7 @@ class S7Exploit(ExynosDevice):
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read() bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read() bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3: if args.target == "MIB3":
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read() bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read() bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read() bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
@ -577,7 +577,7 @@ class S7Exploit(ExynosDevice):
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read() bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read() bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3: if args.target == "MIB3":
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read() bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read() bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read()
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read() bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
@ -627,7 +627,7 @@ class S7Exploit(ExynosDevice):
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31 self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
BL1_POINTER = 0x02021880 BL1_POINTER = 0x02021880
if args.MIB3: if args.target == "MIB3":
BL1_POINTER = 0x02021890 BL1_POINTER = 0x02021890
self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br")) self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
@ -680,7 +680,7 @@ class S7Exploit(ExynosDevice):
# Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?) # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
MMU_CHECK = 0x0202a314 MMU_CHECK = 0x0202a314
if not args.MIB3: if not args.target == "MIB3":
MMU_CHECK = 0x020244e8 MMU_CHECK = 0x020244e8
self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
@ -689,7 +689,7 @@ class S7Exploit(ExynosDevice):
# Jump into BL31 and execute it # Jump into BL31 and execute it
BL31_POINTER = 0x02024010 BL31_POINTER = 0x02024010
if args.MIB3: if args.target == "MIB3":
BL31_POINTER = 0x0202a010 BL31_POINTER = 0x0202a010
self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
else: else:
@ -708,10 +708,10 @@ class S7Exploit(ExynosDevice):
self.test_write_execute(0x11207010) self.test_write_execute(0x11207010)
#if args.MIB3: #if args.target == "MIB3":
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
if args.MIB3: if args.target == "MIB3":
self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71") self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71") self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
@ -747,7 +747,7 @@ class S7Exploit(ExynosDevice):
self.usb_read(0x200) self.usb_read(0x200)
# Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up) # Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
if not args.MIB3: if not args.target == "MIB3":
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035)) self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34)) self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
@ -758,7 +758,7 @@ class S7Exploit(ExynosDevice):
# Jump into a different function that continues the boot flow (different than BL33_LR) # Jump into a different function that continues the boot flow (different than BL33_LR)
BL33_AUTH = 0x02024e5c BL33_AUTH = 0x02024e5c
if args.MIB3: if args.target == "MIB3":
self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
BL33_AUTH = 0x202ae18 # BL33_LR BL33_AUTH = 0x202ae18 # BL33_LR
@ -840,11 +840,14 @@ if __name__ == "__main__":
arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False) arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False) arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False) arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
arg.add_argument("--MIB3", action="store_true", help="Whether boot is on a MIB3", default=False) arg.add_argument("--target", type=str, help="Target device", default="s7", choices=["S7", "MIB3"])
args = arg.parse_args() args = arg.parse_args()
exynos = S7Exploit() exynos = S7Exploit()
# Load json configs from config folder
# config = open(f"config/{args.target}.json", "r").read()
if args.debug: if args.debug:
shellcode = open("../dwc3_test/dwc3.bin", "rb").read() shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
exynos.exploit(shellcode) exynos.exploit(shellcode)

View File

@ -7,6 +7,9 @@ from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_deb
from qiling.const import QL_ARCH from qiling.const import QL_ARCH
import os, tqdm, datetime import os, tqdm, datetime
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
def p32(x): def p32(x):
return struct.pack("<I", x) return struct.pack("<I", x)
@ -31,6 +34,7 @@ class ExynosDevice():
self.target = "8890" # TODO auto detect device self.target = "8890" # TODO auto detect device
self.connect_device() self.connect_device()
def connect_device(self): def connect_device(self):
"""Setup proper connection, and ensure the connection is alive""" """Setup proper connection, and ensure the connection is alive"""
self.context = usb1.USBContext() self.context = usb1.USBContext()
@ -58,12 +62,14 @@ class ExynosDevice():
self.handle.claimInterface(0) self.handle.claimInterface(0)
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}") print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
def disconnect(self): def disconnect(self):
"""Disconnect the device""" """Disconnect the device"""
self.handle.releaseInterface(0) self.handle.releaseInterface(0)
self.handle.close() self.handle.close()
self.context.exit() self.context.exit()
def write(self, data): def write(self, data):
"""Write data to the device""" """Write data to the device"""
transferred = ctypes.c_int() transferred = ctypes.c_int()
@ -71,6 +77,7 @@ class ExynosDevice():
assert(res == 0), "Could not perform bulk transfer" assert(res == 0), "Could not perform bulk transfer"
return res return res
def usb_write(self, data): def usb_write(self, data):
assert len(data) <= 0x200, "Data too big" assert len(data) <= 0x200, "Data too big"
transferred = ctypes.c_int() transferred = ctypes.c_int()