Boots a patched bl31

This commit is contained in:
Eljakim Herrewijnen 2024-08-18 13:55:11 +02:00
parent 2d0557c5c7
commit 2c20ff6255

View File

@ -623,6 +623,20 @@ class ExynosDevice():
# INSERT YOUR BL1 PATCHES HERE # INSERT YOUR BL1 PATCHES HERE
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31 self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
# self.cd.memwrite_region(0x020200a0, p32(DEBUGGER_ADDR))
# self.cd.memwrite_region(0x020200d0, p32(DEBUGGER_ADDR))
# self.cd.memwrite_region(0x020200b4, p32(DEBUGGER_ADDR))
# self.cd.memwrite_region(0x020200a4, p32(DEBUGGER_ADDR))
# self.cd.memwrite_region(0x0202297c, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
GADGET_RET0 = 0x00000d58
# self.cd.memwrite_region(0x20296da , p32(GADGET_RET0))
# self.cd.memwrite_region(0x20296da + 4, p32(GADGET_RET0))
# END # END
jump_bl1(DEBUGGER_ADDR) jump_bl1(DEBUGGER_ADDR)
@ -630,29 +644,26 @@ class ExynosDevice():
# ==== BL31 ==== # ==== BL31 ====
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
self.cd.memwrite_region(self.cd.arch_dbg.state.X0, open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) # Download next stage via ROM_DOWNLOAD_USB
lr = self.cd.arch_dbg.state.LR lr = self.cd.arch_dbg.state.LR
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()[:0x10])
time.sleep(2) time.sleep(2)
self.usb_read(0x200) # GiAs self.usb_read(0x200) # GiAs
# lr = self.cd.arch_dbg.state.LR # lr = self.cd.arch_dbg.state.LR
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
GADGET_RET0 = 0x00000d58
self.cd.memwrite_region(0x020200e4, p32(GADGET_RET0)) # TODO patch verification
# self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
# ====== PATCHES TO BL31 here! ======
# TODO fix not checking signatures
# self.cd.memwrite_region(0x02031008, b"ELH")
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.arch_dbg.state.X0 = 0x020347f0 # self.cd.arch_dbg.state.X0 = 0x020347f0
@ -660,6 +671,16 @@ class ExynosDevice():
# self.cd.restore_stack_and_jump(0x02030464) # self.cd.restore_stack_and_jump(0x02030464)
self.cd.restore_stack_and_jump(lr) self.cd.restore_stack_and_jump(lr)
time.sleep(2)
self.usb_read(0x200) # GiAs
self.cd.memwrite_region(0x02031008, b"ELH")
# ====== PATCHES TO BL31 here! ======
# Jump BL31
self.cd.restore_stack_and_jump(0x02024010)
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
@ -676,12 +697,12 @@ class ExynosDevice():
# ==== Stage 4 ==== # ==== Stage 4 ====
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
# Patching # Patching
# stage4_len = len(stage4) stage4_len = len(stage4)
# patch_len = len(b"USB RECOVERY MODE") patch_len = len(b"USB RECOVERY MODE")
# patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE"))) patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
# patch_offset = stage4.find(b"USB RECOVERY MODE") patch_offset = stage4.find(b"USB RECOVERY MODE")
# stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:] stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]
# assert len(stage4) == stage4_len, "Invalid stage4 length" assert len(stage4) == stage4_len, "Invalid stage4 length"
self.send_normal_stage(stage4) self.send_normal_stage(stage4)
time.sleep(2) time.sleep(2)