bl1 authenticated and jumped to

2024-08-09 22:22:16 +02:00 · 2024-08-09 22:22:16 +02:00 · 2a0cd7ef02
commit 2a0cd7ef02
parent fbf826c99b
3 changed files with 76 additions and 21 deletions
--- a/documentation/source/BootROM_8890/boot_chain.rst
+++ b/documentation/source/BootROM_8890/boot_chain.rst
@ -14,25 +14,68 @@ debugger
 ========
 Some other information about the debugger and it's current state.

+I relocated the debugger to ``0x20c0000`` to prevent overwriting it.
+
+.. code-block:: python 
+
+    self.cd.arch_dbg.state.auto_sync = False
+    self.cd.arch_dbg.state.auto_sync_special = False
+    self.cd.arch_dbg.state.print_ctx()
+    
+    def relocate_debugger():
+        # Seems to be cleared upon cache clearing??
+        debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
+        self.cd.memwrite_region(0x020c0000, debugger_reloc)
+        self.usb_write(b"FLSH") # Flush cache
+        self.cd.restore_stack_and_jump(0x020c0000)
+        assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
+        self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
+    relocate_debugger()
+
+
+
+
 bl1
 ===
-
-Loads at address ``0x02024000`` and contains some form of header. 
-There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary. 
-In this case this entry is ``+0x10`` so we jump to ``0x02024010``.
+BL1 needs to be authenticated.

 .. code-block:: python

-    fwbl1 = open("../S7/bl1.bin", "rb").read()
-    self.cd.memwrite_region(0x02024000, fwbl1)
+    # Try loading bl1
+    bl1 = open("../S7/bl1.bin", "rb").read()
+    self.cd.memwrite_region(0x02021800, bl1)
+    # self.usb_write(b"FLSH")
+    AUTH_BL1 = 0x00012848
+    def auth_bl1(lr=0x2069000):
+        # Load the firmware
+        self.cd.arch_dbg.state.W0 = 1
+        self.cd.arch_dbg.state.X1 = 1
+        self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
+        self.cd.restore_stack_and_jump(AUTH_BL1)
+        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+        assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
+        
+    auth_bl1(0x020c0000)

-    def jump_fwbl1():
-            self.cd.arch_dbg.state.LR = 0x2069000
-            self.cd.restore_stack_and_jump(0x02024010)
+After authentication the bootROM jumps to it, we can execute this function with the debugger.
+
+.. code-block:: python
+
+    self.cd.memwrite_region(0x02020f60, p32(0x020c0000)) 
+        BOOT_BL1 = 0x00019310
+        def jump_bl1(lr):
+            self.cd.arch_dbg.state.LR = lr
+            self.cd.restore_stack_and_jump(BOOT_BL1)
+        
+        jump_bl1(0x020c0000)

    jump_fwbl1()

-However, this does not result in a jump back to the debugger.
+BL1 is laoded at the download buffer and self copies to ``0x02024000`` and resumes execution there(``0x02024010``).
+
+However, this does not result in a jump back to the debugger. But the ROM still receives data from the host
+
+TODO TODO TODO 
 The reason for this is the following code in bl1:

 .. code-block:: c
--- a/source/exploit/.gitignore
+++ b/source/exploit/.gitignore
@ -1,4 +1,5 @@
 *.elf
 *.o
 *.bin
-venv/
+venv/
+dump/
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@ -235,6 +235,15 @@ class ExynosDevice():
            self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
        relocate_debugger()
        
+        def memdump_imem():
+            dumped = b""
+            for block in range(0x2020000, 0x2070000, 0x200):
+                # print(hex(block))
+                dumped += self.cd.memdump_region(block, 0x200)
+            return dumped
+        
+        # dump1 = memdump_imem()
+        
        # Try loading bl1
        bl1 = open("../S7/bl1.bin", "rb").read()
        self.cd.memwrite_region(0x02021800, bl1)
@ -247,30 +256,32 @@ class ExynosDevice():
            self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
            self.cd.restore_stack_and_jump(AUTH_BL1)
            assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+            assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
            
        auth_bl1(0x020c0000)
+        # dump2 = memdump_imem()
        
-        # Works until here
+        # Works until here TODO hijack future control flow
+        # self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
+        self.cd.memwrite_region(0x02020f60, p32(0x020c0000)) 
+        BOOT_BL1 = 0x00019310
+        def jump_bl1(lr):
+            self.cd.arch_dbg.state.LR = lr
+            self.cd.restore_stack_and_jump(BOOT_BL1)
        
+        jump_bl1(0x020c0000)
        pass
        
        
        
        # Overwrite jump back
-        self.cd.memwrite_region(0x02020108, p32(0x2069000))
        self.cd.memwrite_region(0x020200e8, p32(0x2069000))
        
-        def memdump_try():
-            dumped = b""
-            for block in range(0x2020000, 0x2200000, 0x200):
-                print(hex(block))
-                dumped += self.cd.memdump_region(block, 0x200)
+        
                
        
            
-        def jump_bl1():
-            self.cd.arch_dbg.state.LR = 0x2069000
-            self.cd.restore_stack_and_jump(0x02024010)
+        
            # self.cd.restore_stack_and_jump(0x02021810)
            
        #000125b4