From 20ad0cdb45fe18e23e1fe6995848b6ae1d5a59cc Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Wed, 4 Sep 2024 18:16:37 +0200
Subject: [PATCH] Found area where 02035600 becomes unaccessible. Trying to patch it.

---
 source/exploit/exploit.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 1a4b0c8..3313026 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -743,12 +743,14 @@ class ExynosDevice():
 # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
 # self.cd.memwrite_region(0x020244e8, struct.pack('>I', 0x1f0c00f1)) # Change check to always false
-
- # Write jump backs from BL31 at different levels
- # self.cd.memwrite_region(0x02030a28, p64(DEBUGGER_ADDR)) # Overwrite jump back at 0202f810
- # self.cd.memwrite_region(0x0202f818, struct.pack('>I', 0xfa610091))
+ # self.cd.memwrite_region(0x020242a8, struct.pack('>I', 0x568f0094)) # Last succesful jump back to debugger, while still having access to 0x02035600
+
+ # self.cd.memwrite_region(0x02032008, struct.pack('>I', 0x1f2003d5)) # Overwrite MAIR to NOP
+ # self.cd.memwrite_region(0x0203203c, struct.pack('>I', 0xf1570094)) # Return to debugger. (not working, it continues booting..)
+
+ # self.cd.memwrite_region(0x0203200c, struct.pack('>I', 0xfd570094)) # -> X1=0x18800, X30=0x20241a0. Device crashes when writing here.
 # Jump into BL31 and execute it
 self.cd.restore_stack_and_jump(0x02024010)
@@ -778,7 +780,7 @@ class ExynosDevice():
 # ==== Stage 4 ====
 stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
-
+
 # Patching
 # stage4_len = len(stage4)
 # patch_len = len(b"USB RECOVERY MODE")
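Review bot: The six added lines in the first hunk are all commented-out `self.cd.memwrite_region(...)` calls whose trailing comments record the outcome of each attempt, so the method body is being used as a lab notebook, and the earlier attempts (0x02030a28, 0x0202f818) removed by the same hunk now survive only in git history. Keep the attempt log in a notes file (or in the commit message, which already states what was found) and leave only the currently active patch set in the method, each call carrying a comment that names the observed outcome and the firmware image it was observed against (the `g930f_latest` sboot image is named only in the stage-4 hunk). If the log stays in the code, fix the typo in `succesful` and flag the write that is known to crash the device with an explicit marker such as `# DO NOT ENABLE: writing 0x0203200c crashes the device (X1=0x18800, X30=0x20241a0)` so it is not uncommented by mistake. The enclosing method starts and ends outside the hunk.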