From 2a0cd7ef029369b1002e928280b5d3d9e4fcd838 Mon Sep 17 00:00:00 2001 From: Eljakim Herrewijnen Date: Fri, 9 Aug 2024 22:22:16 +0200 Subject: [PATCH] bl1 authenticated and jumped to --- .../source/BootROM_8890/boot_chain.rst | 63 ++++++++++++++++--- source/exploit/.gitignore | 3 +- source/exploit/exploit.py | 31 ++++++--- 3 files changed, 76 insertions(+), 21 deletions(-) diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst index d49e4c0..2bd5117 100644 --- a/documentation/source/BootROM_8890/boot_chain.rst +++ b/documentation/source/BootROM_8890/boot_chain.rst @@ -14,25 +14,68 @@ debugger ======== Some other information about the debugger and it's current state. +I relocated the debugger to ``0x20c0000`` to prevent overwriting it. + +.. code-block:: python + + self.cd.arch_dbg.state.auto_sync = False + self.cd.arch_dbg.state.auto_sync_special = False + self.cd.arch_dbg.state.print_ctx() + + def relocate_debugger(): + # Seems to be cleared upon cache clearing?? + debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read() + self.cd.memwrite_region(0x020c0000, debugger_reloc) + self.usb_write(b"FLSH") # Flush cache + self.cd.restore_stack_and_jump(0x020c0000) + assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" + self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) + relocate_debugger() + + + + bl1 === - -Loads at address ``0x02024000`` and contains some form of header. -There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary. -In this case this entry is ``+0x10`` so we jump to ``0x02024010``. +BL1 needs to be authenticated. .. code-block:: python - fwbl1 = open("../S7/bl1.bin", "rb").read() - self.cd.memwrite_region(0x02024000, fwbl1) + # Try loading bl1 + bl1 = open("../S7/bl1.bin", "rb").read() + self.cd.memwrite_region(0x02021800, bl1) + # self.usb_write(b"FLSH") + AUTH_BL1 = 0x00012848 + def auth_bl1(lr=0x2069000): + # Load the firmware + self.cd.arch_dbg.state.W0 = 1 + self.cd.arch_dbg.state.X1 = 1 + self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished + self.cd.restore_stack_and_jump(AUTH_BL1) + assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" + assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!" + + auth_bl1(0x020c0000) - def jump_fwbl1(): - self.cd.arch_dbg.state.LR = 0x2069000 - self.cd.restore_stack_and_jump(0x02024010) +After authentication the bootROM jumps to it, we can execute this function with the debugger. + +.. code-block:: python + + self.cd.memwrite_region(0x02020f60, p32(0x020c0000)) + BOOT_BL1 = 0x00019310 + def jump_bl1(lr): + self.cd.arch_dbg.state.LR = lr + self.cd.restore_stack_and_jump(BOOT_BL1) + + jump_bl1(0x020c0000) jump_fwbl1() -However, this does not result in a jump back to the debugger. +BL1 is laoded at the download buffer and self copies to ``0x02024000`` and resumes execution there(``0x02024010``). + +However, this does not result in a jump back to the debugger. But the ROM still receives data from the host + +TODO TODO TODO The reason for this is the following code in bl1: .. code-block:: c diff --git a/source/exploit/.gitignore b/source/exploit/.gitignore index a782873..3e64b67 100644 --- a/source/exploit/.gitignore +++ b/source/exploit/.gitignore @@ -1,4 +1,5 @@ *.elf *.o *.bin -venv/ \ No newline at end of file +venv/ +dump/ diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index 917bc2f..b58725f 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py @@ -235,6 +235,15 @@ class ExynosDevice(): self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) relocate_debugger() + def memdump_imem(): + dumped = b"" + for block in range(0x2020000, 0x2070000, 0x200): + # print(hex(block)) + dumped += self.cd.memdump_region(block, 0x200) + return dumped + + # dump1 = memdump_imem() + # Try loading bl1 bl1 = open("../S7/bl1.bin", "rb").read() self.cd.memwrite_region(0x02021800, bl1) @@ -247,30 +256,32 @@ class ExynosDevice(): self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished self.cd.restore_stack_and_jump(AUTH_BL1) assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" + assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!" auth_bl1(0x020c0000) + # dump2 = memdump_imem() - # Works until here + # Works until here TODO hijack future control flow + # self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790 + self.cd.memwrite_region(0x02020f60, p32(0x020c0000)) + BOOT_BL1 = 0x00019310 + def jump_bl1(lr): + self.cd.arch_dbg.state.LR = lr + self.cd.restore_stack_and_jump(BOOT_BL1) + jump_bl1(0x020c0000) pass # Overwrite jump back - self.cd.memwrite_region(0x02020108, p32(0x2069000)) self.cd.memwrite_region(0x020200e8, p32(0x2069000)) - def memdump_try(): - dumped = b"" - for block in range(0x2020000, 0x2200000, 0x200): - print(hex(block)) - dumped += self.cd.memdump_region(block, 0x200) + - def jump_bl1(): - self.cd.arch_dbg.state.LR = 0x2069000 - self.cd.restore_stack_and_jump(0x02024010) + # self.cd.restore_stack_and_jump(0x02021810) #000125b4