diff --git a/reven/SamsungS7.lock b/reven/SamsungS7.lock
index def5a59..f90341a 100644
--- a/reven/SamsungS7.lock
+++ b/reven/SamsungS7.lock
@@ -1,9 +1,9 @@
#Ghidra Lock File
-#Fri Aug 09 11:27:43 CEST 2024
+#Thu Aug 15 13:43:49 CEST 2024
OS\ Name=Linux
OS\ Version=6.5.0-44-generic
Username=eljakim
Hostname=levith
\ Supports\ File\ Channel\ Locking=Channel Lock
OS\ Architecture=amd64
-Timestamp=8/9/24, 11\:27 AM
+Timestamp=8/15/24, 1\:43 PM
diff --git a/reven/SamsungS7.rep/idata/~index.bak b/reven/SamsungS7.rep/idata/~index.bak
index 5a40409..30584e4 100644
--- a/reven/SamsungS7.rep/idata/~index.bak
+++ b/reven/SamsungS7.rep/idata/~index.bak
@@ -1,13 +1,17 @@
VERSION=1
/
00000006:8890_bootrom.bin:7f0119bc3142241939494339
+ 0000000a:8890_bootrom.bin.1:7f011a6853998629050259
00000002:8890_bootrom.bin.keep:7f011889d240069673442230
+ 00000008:8890_bootrom_old_bl1:7f011822f30596451841878
+/dump
+ 00000009:reloc_debugger.elf:7f0119bd531451643843511
/mib3
00000000:full_boot:7f0118059140616855428589
/s7
- 00000007:fwbl1.bin:7f011a0d5252765509589854
- 00000003:sboot.bin.2.bin:7f011ab837995028720085
+ 00000007:bl1.bin:7f011a0d5252765509589854
+ 00000003:bl31.bin:7f011ab837995028720085
00000004:sboot.bin.3.bin:7f011872b8163836628792
00000005:sboot.bin.4.bin:7f011842b8231996037592
-NEXT-ID:8
+NEXT-ID:b
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/idata/~index.dat b/reven/SamsungS7.rep/idata/~index.dat
index e8f01e6..e251186 100644
--- a/reven/SamsungS7.rep/idata/~index.dat
+++ b/reven/SamsungS7.rep/idata/~index.dat
@@ -2,6 +2,10 @@ VERSION=1
/
00000006:8890_bootrom.bin:7f0119bc3142241939494339
00000002:8890_bootrom.bin.keep:7f011889d240069673442230
+ 0000000a:8890_bootrom_bl31_loaded:7f011a6853998629050259
+ 00000008:8890_bootrom_old_bl1:7f011822f30596451841878
+/dump
+ 00000009:reloc_debugger.elf:7f0119bd531451643843511
/mib3
00000000:full_boot:7f0118059140616855428589
/s7
@@ -9,5 +13,5 @@ VERSION=1
00000003:bl31.bin:7f011ab837995028720085
00000004:sboot.bin.3.bin:7f011872b8163836628792
00000005:sboot.bin.4.bin:7f011842b8231996037592
-NEXT-ID:8
+NEXT-ID:b
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~index.bak b/reven/SamsungS7.rep/user/~index.bak
index 77d0dfb..257c699 100644
--- a/reven/SamsungS7.rep/user/~index.bak
+++ b/reven/SamsungS7.rep/user/~index.bak
@@ -4,6 +4,7 @@ VERSION=1
00000004:udf_7f011842b8231996037592:7f01190f112184430945139
00000003:udf_7f011872b8163836628792:7f011a9478217161533597
00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
+ 00000005:udf_7f011a0d5252765509589854:7f0118e15255467845445248
00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
-NEXT-ID:5
+NEXT-ID:6
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~index.dat b/reven/SamsungS7.rep/user/~index.dat
index 257c699..274b54a 100644
--- a/reven/SamsungS7.rep/user/~index.dat
+++ b/reven/SamsungS7.rep/user/~index.dat
@@ -4,7 +4,8 @@ VERSION=1
00000004:udf_7f011842b8231996037592:7f01190f112184430945139
00000003:udf_7f011872b8163836628792:7f011a9478217161533597
00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
+ 00000006:udf_7f0119bd531451643843511:7f011a1c131523520933550
00000005:udf_7f011a0d5252765509589854:7f0118e15255467845445248
00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
-NEXT-ID:6
+NEXT-ID:7
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~journal.bak b/reven/SamsungS7.rep/user/~journal.bak
index d9b4d50..588753e 100644
--- a/reven/SamsungS7.rep/user/~journal.bak
+++ b/reven/SamsungS7.rep/user/~journal.bak
@@ -1,2 +1,2 @@
-IADD:00000005:/udf_7f011a0d5252765509589854
-IDSET:/udf_7f011a0d5252765509589854:7f0118e15255467845445248
+IADD:00000006:/udf_7f0119bd531451643843511
+IDSET:/udf_7f0119bd531451643843511:7f011a1c131523520933550
diff --git a/source/S7/g930f_latest/split-sboot-8890.sh b/source/S7/g930f_latest/split-sboot-8890.sh
new file mode 100755
index 0000000..03b4930
--- /dev/null
+++ b/source/S7/g930f_latest/split-sboot-8890.sh
@@ -0,0 +1,5 @@
+# input file argument : sboot.bin - G930W8VLS6CSH1 - sha1sum: 9322ccb4e9b382b8cc67ff9ef989c459a763621f
+dd if=$1 of=$1.1.bin skip=0 bs=512 count=16 # 0x2000 @ 0x0
+dd if=$1 of=$1.2.bin skip=16 bs=512 count=288 # 0x24000 @ 0x2000
+dd if=$1 of=$1.3.bin skip=155648 bs=1 count=158992 # 0x26d10 @ 0x26000
+dd if=$1 of=$1.4.bin skip=776 bs=512 count=1672 # 0xD1000 @ 0x61000
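Review bot: The script never checks the input against the sha1 it documents on the first line, yet every `dd` offset below is specific to that one build (G930W8VLS6CSH1); run on any other sboot.bin it silently emits four plausibly-sized but wrong slices, and since `$1` is unquoted and unchecked, a missing argument turns the first `dd` into a read of stdin. There is also no shebang even though the file is committed executable, so the interpreter depends on whoever invokes it. I would add a usage check, a sha1 gate and `set -eu`, and quote `$1` in all four commands. The carve-out between the end of `.3.bin` (0x4cd10) and the start of `.4.bin` (0x61000) is presumably intentional but is worth a comment saying what is skipped.

```sh
#!/bin/sh
set -eu
# input file argument : sboot.bin - G930W8VLS6CSH1 - sha1sum: 9322ccb4e9b382b8cc67ff9ef989c459a763621f
expected=9322ccb4e9b382b8cc67ff9ef989c459a763621f
[ $# -eq 1 ] || { echo "usage: $0 sboot.bin" >&2; exit 1; }
echo "$expected  $1" | sha1sum -c - >/dev/null 2>&1 \
    || { echo "$1: sha1 mismatch; offsets below are only valid for $expected" >&2; exit 1; }
dd if="$1" of="$1.1.bin" skip=0 bs=512 count=16 # 0x2000 @ 0x0
# … unchanged: remaining three dd commands, with "$1" quoted the same way …
```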
diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
index 024e36c..eeb4db5 100644
--- a/source/exploit/.vscode/launch.json
+++ b/source/exploit/.vscode/launch.json
@@ -21,6 +21,15 @@
"justMyCode": false,
"args": []
},
+ {
+ "name": "Run unsecure boot",
+ "type": "debugpy",
+ "request": "launch",
+ "program": "exploit.py",
+ "console": "integratedTerminal",
+ "justMyCode": false,
+ "args": ["--boot"]
+ },
{
"name": "Debug current file",
"type": "debugpy",
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index b9b8054..378b100 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -38,6 +38,14 @@ TARGET_OFFSETS = {
"8895": (0x02021800, 0x02020F18, 0x02070000)
}
+def wait_for_device():
+ while usb.core.find(idVendor=0x04e8, idProduct=0x1234) is None:
+ pass
+
+def wait_disconnect():
+ while usb.core.find(idVendor=0x04e8, idProduct=0x1234) is not None:
+ pass
+
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
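Review bot: Both new helpers are unbounded busy-wait loops (`while ...: pass`) with no sleep and no timeout, so a target that never re-enumerates pins a core forever and the `--boot` flow added in launch.json can only be stopped by killing the process. A short sleep per poll plus an optional deadline fixes both without changing the call sites. The VID/PID pair 0x04e8:0x1234 is now hard-coded in three places in this hunk alone; hoisting it to a module constant next to `TARGET_OFFSETS` would keep them from drifting. Note that `usb.core.find` is the pyusb API while `ExynosDevice` below appears to use the libusb1 binding (`claimInterface`, `context.exit()`); whether both `usb` and `time` are imported at the top of the file is outside this hunk, so confirm before applying.

```python
def wait_for_device(timeout=None, poll=0.1):
    """Block until the Exynos USB boot device (04e8:1234) enumerates.

    Raises TimeoutError after `timeout` seconds (None = wait forever).
    """
    deadline = None if timeout is None else time.monotonic() + timeout
    while usb.core.find(idVendor=0x04e8, idProduct=0x1234) is None:
        if deadline is not None and time.monotonic() >= deadline:
            raise TimeoutError("Exynos boot device did not enumerate")
        time.sleep(poll)  # don't spin a core while the target resets

# … wait_disconnect: same shape, looping while find(...) is not None …
```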
@@ -82,6 +90,12 @@ class ExynosDevice():
# claim usb interface
self.handle.claimInterface(0)
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
+
+ def disconnect(self):
+ """Disconnect the device"""
+ self.handle.releaseInterface(0)
+ self.handle.close()
+ self.context.exit()
def write(self, data):
transferred = ctypes.c_int()
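Review bot: `disconnect` leaks the handle and the libusb context if `releaseInterface(0)` raises, which is the likely case in this exploit flow since the new `wait_disconnect` helper suggests the device is expected to drop off the bus before cleanup runs. Wrapping the release in `try`/`finally` guarantees `close()` and `context.exit()` still run. It is also not safe to call twice or before `connect`, so either guard on `getattr(self, "handle", None)` or document that it must follow a successful connect; the `ExynosDevice` class continues outside this hunk.

```python
    def disconnect(self):
        """Release the claimed interface and tear down the libusb context.

        Must follow a successful connect; safe to call once only.
        """
        try:
            self.handle.releaseInterface(0)
        finally:
            # run even if the device already vanished and release failed
            self.handle.close()
            self.context.exit()
```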
@@ -128,15 +142,42 @@ class ExynosDevice():
sys.exit(0)
- def send_normal(self, payload):
+ def send_normal_stage(self, payload):
'''
TODO not working
'''
# construct dl_data
- payload = struct.pack("