EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

patching introduced bugs

Browse Source
This commit is contained in:
Jonathan Herrewijnen 2024-12-09 10:51:36 +01:00
parent e98ceea1d6
commit 1dec7120f1
3 changed files with 22 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source/exploit/.vscode/launch.json vendored
View File

@ -37,7 +37,7 @@
"program": "exploit.py",
"console": "integratedTerminal",
"justMyCode": false,
"args": ["--debugger-boot", "--MIB3"], //, "--MIB3"
"args": ["--debugger-boot", "--target", "MIB3"], //, "--MIB3"
},
{
"name": "Debug current file",

23
source/exploit/exploit.py
View File

@ -98,7 +98,7 @@ class S7Exploit(ExynosDevice):
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3:
if args.target == "MIB3":
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
@ -577,7 +577,7 @@ class S7Exploit(ExynosDevice):
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3:
if args.target == "MIB3":
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read()
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
@ -627,7 +627,7 @@ class S7Exploit(ExynosDevice):
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
BL1_POINTER = 0x02021880
if args.MIB3:
if args.target == "MIB3":
BL1_POINTER = 0x02021890
self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
@ -680,7 +680,7 @@ class S7Exploit(ExynosDevice):
# Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
MMU_CHECK = 0x0202a314
if not args.MIB3:
if not args.target == "MIB3":
MMU_CHECK = 0x020244e8
self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
@ -689,7 +689,7 @@ class S7Exploit(ExynosDevice):
# Jump into BL31 and execute it
BL31_POINTER = 0x02024010
if args.MIB3:
if args.target == "MIB3":
BL31_POINTER = 0x0202a010
self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
else:
@ -708,10 +708,10 @@ class S7Exploit(ExynosDevice):
self.test_write_execute(0x11207010)
#if args.MIB3:
#if args.target == "MIB3":
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
if args.MIB3:
if args.target == "MIB3":
self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
@ -747,7 +747,7 @@ class S7Exploit(ExynosDevice):
self.usb_read(0x200)
# Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
if not args.MIB3:
if not args.target == "MIB3":
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
@ -758,7 +758,7 @@ class S7Exploit(ExynosDevice):
# Jump into a different function that continues the boot flow (different than BL33_LR)
BL33_AUTH = 0x02024e5c
if args.MIB3:
if args.target == "MIB3":
self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
BL33_AUTH = 0x202ae18 # BL33_LR
@ -840,11 +840,14 @@ if __name__ == "__main__":
arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
arg.add_argument("--MIB3", action="store_true", help="Whether boot is on a MIB3", default=False)
arg.add_argument("--target", type=str, help="Target device", default="s7", choices=["S7", "MIB3"])
args = arg.parse_args()
exynos = S7Exploit()
# Load json configs from config folder
# config = open(f"config/{args.target}.json", "r").read()
if args.debug:
shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
exynos.exploit(shellcode)

9
source/exploit/exynos.py
View File

@ -7,6 +7,9 @@ from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_deb
from qiling.const import QL_ARCH
import os, tqdm, datetime
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
def p32(x):
return struct.pack("<I", x)
@ -31,6 +34,7 @@ class ExynosDevice():
self.target = "8890" # TODO auto detect device
self.connect_device()
def connect_device(self):
"""Setup proper connection, and ensure the connection is alive"""
self.context = usb1.USBContext()
@ -58,12 +62,14 @@ class ExynosDevice():
self.handle.claimInterface(0)
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
def disconnect(self):
"""Disconnect the device"""
self.handle.releaseInterface(0)
self.handle.close()
self.context.exit()
def write(self, data):
"""Write data to the device"""
transferred = ctypes.c_int()
@ -71,6 +77,7 @@ class ExynosDevice():
assert(res == 0), "Could not perform bulk transfer"
return res
def usb_write(self, data):
assert len(data) <= 0x200, "Data too big"
transferred = ctypes.c_int()
@ -79,7 +86,7 @@ class ExynosDevice():
assert res == 0, f"Error sending data {res}"
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
return transferred.value
def usb_read(self, size):
transferred = ctypes.c_int()