Boots a patched bl31
This commit is contained in:
parent
2d0557c5c7
commit
2c20ff6255
@ -623,6 +623,20 @@ class ExynosDevice():
|
|||||||
# INSERT YOUR BL1 PATCHES HERE
|
# INSERT YOUR BL1 PATCHES HERE
|
||||||
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
|
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
|
||||||
|
|
||||||
|
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
|
||||||
|
|
||||||
|
# self.cd.memwrite_region(0x020200a0, p32(DEBUGGER_ADDR))
|
||||||
|
# self.cd.memwrite_region(0x020200d0, p32(DEBUGGER_ADDR))
|
||||||
|
# self.cd.memwrite_region(0x020200b4, p32(DEBUGGER_ADDR))
|
||||||
|
# self.cd.memwrite_region(0x020200a4, p32(DEBUGGER_ADDR))
|
||||||
|
|
||||||
|
# self.cd.memwrite_region(0x0202297c, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
|
||||||
|
|
||||||
|
|
||||||
|
GADGET_RET0 = 0x00000d58
|
||||||
|
# self.cd.memwrite_region(0x20296da , p32(GADGET_RET0))
|
||||||
|
# self.cd.memwrite_region(0x20296da + 4, p32(GADGET_RET0))
|
||||||
|
|
||||||
# END
|
# END
|
||||||
jump_bl1(DEBUGGER_ADDR)
|
jump_bl1(DEBUGGER_ADDR)
|
||||||
|
|
||||||
@ -630,29 +644,26 @@ class ExynosDevice():
|
|||||||
# ==== BL31 ====
|
# ==== BL31 ====
|
||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
|
||||||
self.cd.memwrite_region(self.cd.arch_dbg.state.X0, open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
# Download next stage via ROM_DOWNLOAD_USB
|
||||||
|
|
||||||
|
|
||||||
lr = self.cd.arch_dbg.state.LR
|
lr = self.cd.arch_dbg.state.LR
|
||||||
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage
|
self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
||||||
|
|
||||||
|
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()[:0x10])
|
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
|
|
||||||
self.usb_read(0x200) # GiAs
|
self.usb_read(0x200) # GiAs
|
||||||
# lr = self.cd.arch_dbg.state.LR
|
# lr = self.cd.arch_dbg.state.LR
|
||||||
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
|
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
|
||||||
GADGET_RET0 = 0x00000d58
|
|
||||||
self.cd.memwrite_region(0x020200e4, p32(GADGET_RET0))
|
# TODO patch verification
|
||||||
|
|
||||||
|
|
||||||
|
# self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# ====== PATCHES TO BL31 here! ======
|
|
||||||
# TODO fix not checking signatures
|
|
||||||
# self.cd.memwrite_region(0x02031008, b"ELH")
|
|
||||||
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
|
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
|
||||||
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
# self.cd.arch_dbg.state.X0 = 0x020347f0
|
# self.cd.arch_dbg.state.X0 = 0x020347f0
|
||||||
@ -660,6 +671,16 @@ class ExynosDevice():
|
|||||||
# self.cd.restore_stack_and_jump(0x02030464)
|
# self.cd.restore_stack_and_jump(0x02030464)
|
||||||
self.cd.restore_stack_and_jump(lr)
|
self.cd.restore_stack_and_jump(lr)
|
||||||
|
|
||||||
|
time.sleep(2)
|
||||||
|
self.usb_read(0x200) # GiAs
|
||||||
|
self.cd.memwrite_region(0x02031008, b"ELH")
|
||||||
|
# ====== PATCHES TO BL31 here! ======
|
||||||
|
|
||||||
|
|
||||||
|
# Jump BL31
|
||||||
|
self.cd.restore_stack_and_jump(0x02024010)
|
||||||
|
|
||||||
|
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
|
||||||
@ -676,12 +697,12 @@ class ExynosDevice():
|
|||||||
# ==== Stage 4 ====
|
# ==== Stage 4 ====
|
||||||
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
||||||
# Patching
|
# Patching
|
||||||
# stage4_len = len(stage4)
|
stage4_len = len(stage4)
|
||||||
# patch_len = len(b"USB RECOVERY MODE")
|
patch_len = len(b"USB RECOVERY MODE")
|
||||||
# patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
|
patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
|
||||||
# patch_offset = stage4.find(b"USB RECOVERY MODE")
|
patch_offset = stage4.find(b"USB RECOVERY MODE")
|
||||||
# stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]
|
stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]
|
||||||
# assert len(stage4) == stage4_len, "Invalid stage4 length"
|
assert len(stage4) == stage4_len, "Invalid stage4 length"
|
||||||
self.send_normal_stage(stage4)
|
self.send_normal_stage(stage4)
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
|
|
||||||
|
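Review bot: In the Stage 4 hunk, `patch_offset = stage4.find(b"USB RECOVERY MODE")` is never checked for -1, so an image without that marker is spliced at the wrong offset and the only symptom is the later length assert firing with the misleading message "Invalid stage4 length"; add `assert patch_offset != -1, "USB RECOVERY MODE marker not found in stage4"` right after the find. The same hunk and the BL31 hunk read the sboot stage images with a bare `open(...).read()` that never closes the handle; `with open(path, "rb") as f:` or `pathlib.Path(path).read_bytes()` keeps the file handling tidy. The new code also leaves `# TODO patch verification` and `# TODO fix not checking signatures` with no check added in this commit, so the comments should say which verification step is still missing at that point in the boot flow for the TODO to be actionable. Minor: the comment on the restored `0x020200dc` write reads `Resore oginal boot flow`. The enclosing method starts before the first hunk and its name is not visible here.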