Found area where 02035600 becomes unaccessible. Trying to patch it.

2024-09-04 18:16:37 +02:00 · 2024-09-04 18:16:37 +02:00 · 20ad0cdb45
commit 20ad0cdb45
parent 66621d36d7
1 changed files with 7 additions and 5 deletions
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@ -743,12 +743,14 @@ class ExynosDevice():

        # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
        # self.cd.memwrite_region(0x020244e8, struct.pack('>I', 0x1f0c00f1)) # Change check to always false
-        
-        # Write jump backs from BL31 at different levels
-        # self.cd.memwrite_region(0x02030a28, p64(DEBUGGER_ADDR))

        # Overwrite jump back at 0202f810
-        # self.cd.memwrite_region(0x0202f818, struct.pack('>I', 0xfa610091))
+        # self.cd.memwrite_region(0x020242a8, struct.pack('>I', 0x568f0094)) # Last succesful jump back to debugger, while still having access to 0x02035600
+
+        # self.cd.memwrite_region(0x02032008, struct.pack('>I', 0x1f2003d5)) # Overwrite MAIR to NOP
+        # self.cd.memwrite_region(0x0203203c, struct.pack('>I', 0xf1570094)) # Return to debugger. (not working, it continues booting..)
+
+        # self.cd.memwrite_region(0x0203200c, struct.pack('>I', 0xfd570094)) # -> X1=0x18800, X30=0x20241a0. Device crashes when writing here.

        # Jump into BL31 and execute it
        self.cd.restore_stack_and_jump(0x02024010)
@ -778,7 +780,7 @@ class ExynosDevice():

        # ==== Stage 4  ====
        stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
-        
+
        # Patching
        # stage4_len = len(stage4)
        # patch_len = len(b"USB RECOVERY MODE")