From 2d0557c5c730e6b2e13c339214f45d464a32dbe6 Mon Sep 17 00:00:00 2001
From: Eljakim Herrewijnen
Date: Sat, 17 Aug 2024 20:35:52 +0200
Subject: [PATCH] update
---
 .../source/BootROM_8890/boot_chain.rst | 40 ++++++++++-
 .../images/bl31_debugger_memory_example.png | Bin 0 -> 36998 bytes
 .../BootROM_8890/images/boot_chain.drawio.svg | 1 -
 .../images/boot_chain_bl1.drawio.svg | 1 +
 documentation/source/BootROM_8890/notes.rst | 16 +++++
 reven/SamsungS7.lock | 9 ---
 reven/SamsungS7.lock~ | 0
 reven/SamsungS7.rep/idata/00/00000002.prp | 2 +-
 reven/SamsungS7.rep/idata/~index.bak | 7 +-
 reven/SamsungS7.rep/idata/~index.dat | 5 +-
 reven/SamsungS7.rep/user/~index.bak | 3 +-
 reven/SamsungS7.rep/user/~index.dat | 3 +-
 reven/SamsungS7.rep/user/~journal.bak | 4 +-
 source/emulator/.vscode/launch.json | 15 ++++
 source/emulator/emulator.py | 36 ++++++++++
 source/exploit/exploit.py | 65 ++++++++++++++++--
 source/gupje_device/device.h | 4 +-
 source/gupje_device/reloc2_linkscript.ld | 14 ++++
 source/gupje_device/reloc2_symbols.txt | 12 ++++
 19 files changed, 206 insertions(+), 31 deletions(-)
 create mode 100644 documentation/source/BootROM_8890/images/bl31_debugger_memory_example.png
 delete mode 100644 documentation/source/BootROM_8890/images/boot_chain.drawio.svg
 create mode 100644 documentation/source/BootROM_8890/images/boot_chain_bl1.drawio.svg
 create mode 100644 documentation/source/BootROM_8890/notes.rst
 delete mode 100644 reven/SamsungS7.lock
 delete mode 100644 reven/SamsungS7.lock~
 create mode 100644 source/emulator/.vscode/launch.json
 create mode 100644 source/emulator/emulator.py
 create mode 100644 source/gupje_device/reloc2_linkscript.ld
 create mode 100644 source/gupje_device/reloc2_symbols.txt
diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst
index ca78edc..6b8220e 100644
--- a/documentation/source/BootROM_8890/boot_chain.rst
+++ b/documentation/source/BootROM_8890/boot_chain.rst
@@ -11,15 +11,48 @@ TODO document normal samsung boot chain Exploitation ============ -After exploitation the goal is to fully boot the device. +After exploitation the goal is to fully boot the device. The following part describes the current boot chain -Current boot chain: +.. important:: -.. figure:: images/boot_chain.drawio.svg + This is under development and will still change. + +BL1 +--- +The first stage is downloading BL1, authenticating it and patching it after authentication. +This is done by overwriting the USB return address pointer and jumping back to the debugger. +In the debugger we can authenticate BL1, patch it and boot it. An overview of this process is shown below: + +Booting an authenticated and patched BL1: + +.. figure:: images/boot_chain_bl1.drawio.svg :align: center Boot chain +.. note:: + + git commit 8cb5f2e1 fully boots, you can use this commit to patch bl1 only. + +Next up is BL31, which is loaded by BL1. + +BL31 +---- +``BL31`` is the secure monitor. The monitor uses memory that is also being used by the debugger, so we will have to relocate it to keep code exeuction. + +.. figure:: images/bl31_debugger_memory_example.png + :align: center + + Example of BL31 using debugger memory. + +BL31 also configures the VBAR_EL3 and MMU so the memory mapping will probably change after this stage. + +It would be nice to patch BL31 before it is being executed. However the current exploit boot flow does not allow this because the ROM function downloads the next stage. + + +Notes +----- + As done by Frederic, the bootrom can be dumped using his provided scripts, and can the be split into different boots: .. code-block:: bash @@ -256,6 +289,7 @@ bl1 interacts with several pheriperals, from the DTB these are: clock-names = "gate_rtc"; }; +Probably the only thing it does is set some clocks and prepare for BL31 BL31 ---- 
diff --git a/documentation/source/BootROM_8890/images/bl31_debugger_memory_example.png b/documentation/source/BootROM_8890/images/bl31_debugger_memory_example.png new file mode 100644 index 0000000000000000000000000000000000000000..edb8628ccf5a921e163f2f0af3224ea4703fa47b GIT binary patch literal 36998 zcmc$_1yogQ+wVP5LRzGe7U}M8=}zhH?hcUN#SC7@JLcxevxOGpi- z18vyB%WrMDiI}_m$IxeH1eUcQ5sj2z1BiKEe3R%`s!hz7wUE}D&A*GKmrN;b6$p4s zX5pDiuCsr2c6~h@=OjPG*UQ(-u{G}`VX&ek_<|(xrSJ<9R`QsT#%F*35EzWy75L8$ zR|A<(zh42q%n1Ac-^+?2%UrcKT7<6#JbceuPEW~0LcZpR=z5-Hbah2u$ouV$aZ8Xr zu62u3VvuJ0ZyiA)o+CiM6YE9aC$CfmzJ0Gh55ypYcN>$;y0FvM`m2l2!;yHxdpKh6borOUw6;Z>_=) zp4LykSQL&{tL((QDPm~h-P$uFg0~(S@A-W0y><7tuKDl-?Iu#8bFfN-PM+t({ulQJ zw7;g((T>uvt*vbqcWfKat z^@LPjQQ?l@&U?SV|0~{C2Vvk-IJ!cian+3HUVY*EkM~dj2G)&tntglM!lfTOn+qYo zw*EeQxkg+JmsTXxirqwj4mgaIp&7MR^l_1;NtcU= zfUl8{iohJ+iQnB-D^(MKp0IaaF?bLj%nfy%5Op32wwXK}I=Wedp6_a+A zn_*~;zdS!bzYsNu_4hiGjp+|^=B_C!+UQZ7xH-c-+_Pg%f%<7(i?p2PLmN1#o2OtL zD4DBGA17tQgtObwFl50R(pQ#LUCV83s#ti{yJq%IRP^qS<=gn|&`>~rzRvC{q6^3C z84uSykv@G}hW%zCCUWBCiuibVQj$0+Itz=LG9?0<^5c>LfZR#ea8*aC@Jm0FM(OV6 zW;sH5WMYz+wqz2LDGTt0_RaP`1O9>3Ij{J8jWsk7@|3FY8nr?>?8s@I(>NP8F6O2_ zt}rJ^RVYzq@N!wsO|FrvlW41`99N}oR=j7O%XDxE_`&(1Uw>k;+M)tb&>i7jK0877 zP#6|J+dRejycn;*&J#ZV8QTEFMkmzmQNA}A3pA)W+m_J{31@01xE(>X*~M%Ye4BFVa-BMc7#~Y z;9zM_fBB^O?71g;Qh$6eG>v*L#apRO28sE`t1zbY@YKjO@{j7phSi$%B?hSqcl8;esan!bx>G9Kto~K=j3$JdWfddolko{ zEk8Yq18#cWU^zFDWaz@Cs4_ALoV>;INTKXKF`s=y;E#&8Lk?YuW@U4&+5owtS(++1)u_*f|T_(n}+ByyD5?H0{g7x9H@ zsf*|wYiuKIzFL%@p5~XkZen3ip>B>hN#Nom0ja+H6D6%4A5C=B)pgXT5^jUt=ohel z(#G|Yx;Mp6PO9FaZV#Gj8Jc)`nRqpJpRx0a6et|t`RZMjpD{XFSvm0`EGBmLci;~l zu39mq@!Lok_EWR zmnM)Xg(>>KV3oRZp=HI)uzjczvp{8jMGnYFBQ{4Sq8 zoA&cKw9Ss*DncTTlcXPmt4T*6L6>A4p{(R%CXrajUgTdfeVFl7SVn^MLputZHTwcr>WDcNokev2 zJIDG@qR(EzOO>&Gk%=5bQ7@ChM)1Ika9w)jt!XIBX&+v&fdvqP?q>>6FI3@*Cmf;> zNPYQLD=jB-zidN6q|Zn2SOEL$+l%(8^1Bi9+IOOB&z|Q?wXJ@9wk0lJhlf<2&S%y? 
zX~BGgi$s{dXvye)Osi|`GE30G!W|bXOq%D{vOtqpf3;8(8xcqTHptzHpZZS@k~5wa ztY>|9cXDGL;vCwsWa2v~qnIbWzG>RFp34ZhuMHX%$R~k;Z1$Nj@G|uJV_}hW?M!Gh z&->5#I^=O+K-AZmshvlZzB*huAAajR}M$YJHn)W9q~j4FN582uC=aC7+6@w zWYDdC>P#WPy>Z>N1~|*>F@=w)>B}sSJ|VxjUd@1E$yK6HAIef_^O)B_Lwic+={8x( zD=h`SJDld)6HYytuW&`c0vYMN9%%xtPm1ptZp2D$*>DoOyIUQ*2`ZqVSed!}du70Y z$NJU;vidG#;_T<>TY333PDxsXEeBi-gv?(OFW?t>+14OC=upd67ZM)-^JWcxRE?R9sJnLqS>zn+P7M`Au+D_59xdg|aLHPY(V(&}#BD+HHQuuOS>Z&EuG9C*g)2GbN)a|aW4-bQ*uOcP&MAxx3coNd}H8nPNG~a%F zD?Pt;{#EUx!9!@=Q*WO(26iJQePR#E!z4>AL@zb|2YYYl-lK`Z3VluZRQltdzO}mg z)K59!uhq{U32j^R^3BwBtGl_sK@bq&&V+m&p*%RarBN?hdO9j3by-;LECh}hGWt_P&n2Ihw9Wew2)zJ6v?}hHCb9puA z)rX6cUI4=u7{xUOd3k$Mx)+xaNCs!&<@I^Fck)K=(r){IvcyM zuEO!?&VKEo?cIP)@ZnKef_YgxIrhhx@#$su!y}`>^Rl_4Y2((l+Yql&OOz z!xpXdYd1qC*awrAjA>(+0j+I4%(j(7W`s};N73HBD=y$VK0(&JSo7% z3V!qaA}s&UbrKHyL&`sn?nQ(SryItfHxt-Jk5BO@sJzIoKr|Bm^9NtzH8PU_UtSL9 zp2s{^`0v(3E;S6rT$DmWLPUP&1~Hn=7GqTz3CHVKc_>tN44-kGo4w8Z_sV;XD{J-$ zZEbDI-Cvxj;dy&;e`h-y<|u?K9Z#~EOALW_%2;YDZ))mY$==?MPSR~EsHiY{7+XR) z)tHZyxbKdNQlJzShJq|*mX6^{_v1wpsc&t0t<3UzZxaIpjb4w-;irff=#(NN=)xkH zB+e)VfNSYvS@{4Gy-te+y&O8zjf_aDkW*o;y?ji?*ml}jcscp+*%V8O;gNg)-L}+8 z@FMlI7KeRlMO=2nGTg@J*%WqaW6luAj}xsmU68 z{OYnkN`lnpUnOG1>q^4+Y?Wn$9(F^LTB&%6^c66Hwv0Ce8s!6@dq11PRrIPb^L!zQ z!{ob5NS5Ir*O>PR(z|d`0lV+TW{+ash8A+Vpx}0r+d3D z<>kV|@R`HcrpPb%>Dt9&M#~AG+3RHD_pTk5U~%k*@6Ly5bhYbmwr{De&9ADOGaPYt z^;J_ij&j<9(ht(+pRaK;Se*C3K-lOR$!XV#$#y-TW};5ub{oPcO%AP#WtcrX2x4ky z!*&xaT@R*P5C2`?*12e?P;=3%0YK0@ej7*@a>!WBfW2&sxuS0PH_>~UFdlT5jy!}cI(xNb(%7Xlc$s5^DoZiibc^B zD_lgYrRwOvP4f*Xl;r&E?UMpNAtK=)hH;X{^;Ve|ZYe2nI1 zb1BWNiv(~~+Bw&`U6JEe2fyZ01&EWE4O7bMbpPHSAJcj8+DyxpD4E;Hl<1Qr^J;OB zTy%7{SW`qyrld8s2$-wBjo+=GfI;T#!vn60rHz@Hkn$M4%SliJw-)TyOacnkM-7QC zHI+7TqHbtt-o#jDAu?m7!nbsEbE-u~8<-ghxIc}{BxRbUsWF|n$ct4M=I>PvMn+B@ zqiA+we_6uy&OU`FzLpe~CMj4xrR4u>i`h%xUe}uF^=G+OS%(VN)j${NLJyC#4O)i)D%j|4l zFmCK27XsuokIfj_iJDWU) z+Hx3wIJL$fWdwxODigty&oB@iVj9XgqE0sl10&JJI}M-CLt{ciW20Z9M0JnuM5uCT 
zRyy_h-sDvm6cm(GAjCn>d)b9))8~#As;bh7M-~lbmfM$o;ma980!+_7HL~AfV!VC< zAQ!=goZkinZ_g-xV50x3y?W&Fm)+8T41?bQJ?3C)zY(LSvhd74n8Z<$t;ehzhg{Re zLi{Lbl>63Z3PewD5WnVxIQ9+)MlYjo4XzEF*9s`Z1gL!YS%uI62h$>8CigPj?SoM|E12ZXa1J!bXNr`)KG#t+Poc*;vQ}OwO)0}+|-!;;! zy&7xegO4YrTVZnhjy?EnTr^hgt(4=b4O>liQAo+)BSC;aLvH2p_aud)2jXM!G` zzvr0ijo#b`nq^PLeeAf;~n?&q3)gA`>JZi|>Q1x?p-!!6X z7Wd=e`?~jyTkJhXp_9qz+=sAa+Ei?uAR?t-jAJneDcz4`*MH9P>yje@) z+sP;I?Cb=x6wc2cNfxCRZ6J#ucu4y%&*!9u-b6!pyTjKiwTAt_7i#1(T}+uRvPtH5 z#*EA$iK&B=d|t5LHYhx>QBXiIdpDYeNGc(Kqa7S>)O2M@3YvtuD6WdkHzX8Te_4S{ z%gLpteW~}Q$se>8_%k&Vzf-rn z`{nmNd2zBI-TZK|wi@U|R4YU3|&cQco~K6Ijn z4Q)GZbOqnS0@0sz<~>ZJ+-Z=dy=GrpyoJ29&hy=I?g|Ur{Ps;hStdG39T_-bh6)m< zr?DE}!M_@tyB@H;6PWvtHKBdnurSMT?NTkHRP)*5rly_Z^!m=uH;1$P*a<=~K={Zr zK>3kV@(by>b_w6rrAHNbL4~|?LvhiQ?RU1y`W19GOs`Id8C3duAi044;#?x@kz-fMiFb}r|V-utdhL~0^o4ETv2c$F_Pb_ng?^pMG& zv_npAeY6b#gi%K=Z5>(`?`Ow?C1^Z?^=Z(u|67XEt=9Yea8dFY39?r+wi`Izsq}WI ztHq&Uij*B=q`8nh|I@orNxGXssrui1^8Z+EjR zD`Q-2F8k+g@+&MbxI3*Gx9-oZ?YI-wf> z%1u2_U#1S;Ika@6ZL`>roKqY!;VzgyJ2Pr8k64BUbLqs(YLZc@43cRnQEi$+j$}Ht zQ9+cDUn`8cqk?fWhOZy0uwVXsoYOnfsj-aJreAePzJwwHqI=7(6mf=au{@g#zgFJF z$ve94bIRu^VbS9|OqsS?Ybh{35coA4-c|uwjX86jOu9aQOu!Mzl_3liq=;I47ox{IwPl{laV~RQ$@^fxB{7+ zv9JLdSoxOH6eMo$RB1D(2A-O_gkIO?+pow;?J)kAt_9}1uA*8NUuMUqK2^t#!9%6W zx(%7KYD!7ttvkkO)04*diw4A6A(O|geVXh`*byd?&lx$K%Pdfva&g9KXdDCtv!ey> z&a+!~^=mvwS?;}yj3O7^Pdx5DayDxxaJFC->x926N+Qsc*FYlEt(c!j|7m z&CO1;rUb6ho7yis@YzHxix(iD3+j!TvjW5~U)=WTA5K08<^(!O_=uYzZ)r-g5CMhl zvLrre|I1ry-~}Otn*?fP>~sIxvZ5tR9;;$1IRD`6X{atN z9K(9~%wJ;tp>f%orOV6hJI=clX-$AwWd~;v;gv8{R$eve8ljiYe&-f=I^LCnZ5zR` z!1Acw!>C`=*Jl8sv}{GD!fwWp@iQPMQ?C`2;9!AI$VfQuvV3kuMR>sETM9IRjx|sE zum~9cQ+AtHE&{MX^=*AZu9oq7XUPV1baq}QWH-0q0d30p+`01aA4T;-w&zj+VoKpj z_286ZGbmz*N6Qdrt+0cU4-F1G7y#MRAxSs$k?+qz#S>;+;Ji^$tF=^=w*c;72eJ0o zd$||cofHdoN+L#Z02vu4R?S~hV=b{lAqEAdP2)u43psOE1b{P&XmL(F`J=;DdIgX* zf^oi`fv~CvxO?SB*D1S2wdBQEok)O(lbcC9m#4}@=~Z>_ae@3&ANs?grHX4I3~D;}G~Tlvj(4XgJ_JhXez3ryx3QDpd)6PG 
z3y6{4CN*DjST^Or%&SE~DqrD7ct=P6kE3JGYdwit7rRN4kpUXLSA`8 zek<4J&bZ?bfd<-#mF_c@?$~+;G}W`}khGl#Wjl6(llF?M%1Yx8AD(*CWOI-0COSc_ z8LS;m--(`+H_W#^er&oQ=;;B4%LnPiACR4QrLgU{=oC+J3H6lpu4o@fh=~;-68wHP zN~^PE-MF8D zh;#SiK2o;J6t-`?;otK(r};qp*3wZ8%weufz>+cq1yd#!uYId3!~I_E+J;?g$#ZZ0 z_JW=p;lHg72SQHSNzwd%-FLv8>1e0^B@U0hXkbsW)!QdGnc6+_eDXQTk!I0LLt~`Z zpX_JxLU$Q#2q)5U)L=fj;(eHsB-PP5RI~W4Uk$%t`sUEq*t&3W#bV~yqNuunE0TvzN>weYszH&}5SkaLRu0mCtL5Gc$E+c-Vjyk1nzA^3o?SkLL2gP2+ko zHg?O8OJ{g`{3tOPbm4@&?%Oi5gD>rT-LuPVN8G$zF|gEX+;Hd;L6KHfc`U@^CcI^C zO@j}6f3}&8!JBh@uZC)X(C7?TGIadGKc zwr5jZZM2K{Z_>+Zepxc@X}*?{BbvWx4ey5#92E~t?p7XU=qS2uRQC>VaYq;B==ogD zhwYj94O?lIV1?_>c|Yu(LL0 z*wmrvnTW614;SlM)bmEiIh=7KOyhb-r>A4ml`p4S32(jcG#Kc#*~XD zFFj#lV%m6{j@eIj-u=jqg%h~e&~jS~7dPYPJ>Pu&^eH^tYaP|^Td~tT;xAlKSc<6G z^4GMWty*y7XuCRp^Jq!0QF*=MvPX;6pHj1jCq7;FS1Ikd8OLTiJgum%?zcaU8X6i3 z4-en2gMAd9`p5$ee;eY-rJ#6Ag%M`d?MsZa`_e9NNy!VPI$>CXJxiU1pPvw@tg2!n z{;l7M!F+}v(LcD}rO6rjaSP=p?HuWS_2Be$ofidfOlAF~KZnNx7O4Cuj{=wP>C{oZ z52HOMiW0;w@r1qfFMg*1 zWEFJZ_WS9zcy5Phm!sk-i-8yg=*3<T*{#zuhXMaf2Nz%88u?5&QL6WKSimd(TlXH6b8ao!{rYlMoFtxi zq#3kW@~^@la6kK={oRzDM0)o>LzcwbH+oJ@+I3+53{$K+`x87OqLrCUlrr_ZJJfX^ z-dvS1D8anZ>jspXnps3_nsVJz3+rw3vE3W*$&Sz%>7?Aj^kUj_^S&YaGZ&a>_35Zn zt|(mYF=toZZ^iwkrF`Xue4a~=dTPjj&1trx#iuTKC}Mg!!Ms?o@m9K(AG>A<11P*- zKXYh9e(g5*G&4T#ac%#hVh)UQVw=`CIHB;}%hkOl<*m4f)PJwoSL9AS7R}O@hWrG% zg08N>*@Esagl%Uj7nfqSVxj;`&PMx+S3q0)^N@|1KOGxk^J!$uwBzstE2!lU6ZB%4 z`2R1ZK|Q~}l))+!U~6Bxwl^9TpY!;%+JY2i%h+UNQ%?>O9(KDHc%sey@E&xl1y!2<4QYT3Db&xl>1mLxfFPM=o$p}0>b*3x7W{dJi@Ty-mMQ|Kd;)14Q6h~qr-jdiiUgNu$R@6{eqL=2z#CRr z`!Q3-!wauKXDh@IRnuJsz`=NK9%p~7_50l+isqyGW1;OPpA6ebUD79J(Fq9Jj7O1R z(E*Sv0`-^T8gUyANAsK!b0;U7)6-(M6!zxDjtyoL=3jl7JCdQXH;AvU4x3lCA5%h@ zEv;&nyuB)_t3OD+4GDo8O3&FYW|kqRV-4i-@!a2^ajcqYFoSG-$dI#}UJmX?>%7W) zd!*M=NltY#5+4udN%G}bO>P@~mU*ka)zv)h?FU9}HIkB`Y~_=dS-!K6;dnnuMou3U z<+l-Op^k^Q+t}b)bs=Vch;4%A#K|C^Dn=3mCd~r%o;77v(gQ2JX=(R&9iklKHbXt% z%*P)0Ry*&5VX2exv2m{bDZ-O_%v2nWJMW}N}{1o$@v;!!Yrh#3zjbZ&=?5yB_)alEZoM6*8?_tzp86? 
zhSF({cA0HGP31g2bNjzUixpTeHbKmrxB}m+sA#QQF5u0Hj_Gb}$m$&o(9xF>4HSAT zOugHci?eV$sS#IJ0`$!k6$?gw)a9OoGarYA-d zU3gL`SK317lqaO;U&TPCzk8%T*dUq(4J1gRV`7#le6nWB7B)!blyb%nvzpq4A|{)@ z;O+9cJN0@lyh^Epnlyc~Q_>~|qBNRF!E=w}dr&`X_dLrPRD)2ueN|QB+2|d^ME8Yc zINy;%`KQadq52k5JENoff+E`MmndBWpI!jh)yqX9x8NuTm04m%M05!LIM|nXCI21zWb3TG4CQaJrC%5Z3x$NmJ zT1(d^bftxPBmkv76k5`wY4O#(KsX;n3?{wv`tJG9#m;c3pRPP_LPd8U+=%0L63j@R z{f}6s%9qT^>&!lajT+k*`C)yV^8CGp#S>+kY!)kR>!n&z=mPUo)-=VMemVv<-G@)c zqc#OgCd^#;R?-H_d>$GaDnnzZANFeR45P~^}E~=@tOE#=`x=a@F`P1p+u97irn+(*(;xh zE+hwER?U!+?dWHKXVuKd(Q|V25IHycDmPihq!PKtkM1CIqbQMk4yp6XWBq%fgg)Z= zR{WM5st88kzVb`Dv0-_afDn_K3Lh8O1}sN#M5XiV%#M#+AijVSBs(?c&-MD7HR29i zCJu?e&LReWj4U1sS%BRHAQ}din_oJ5t?Ih%qL!UKf_%mP6OmzsCX~O!oww%SIfg%y zW!m@biZ?Q^qN9oVeHzC3eOB5ql5SLkQu3nnRl;mopmi2OR!|Z6>2ZI&$lr(mndj&; z3=kp4GyGhfgabq6SwqdCoQVRuzj zT|myHVLf+IRsL?mnlZ3)rs4w>OoXg%3H+h_ALP3$UMK>6R_&!u4Kv@HH!0mlN`=OS ztj8za1>Kzu84(^2o^ikQUxi)^lPu{oCL}dpQ|oC?z5wL;nci@72g((k{*Vb0KHtx; zr=l_-oI3k2s#ww}X+m9=H>A30?5cfhioM40Nq0$9%9~;lEMErocuEPRI;P%PHqY>K zSk6D0$i&#!t1xTytu=!<5X-Hu^LY4wp)T}`fZQ)|yuaSNc7Ic5C-OHrabc#g7Wi)p zK5tLEuQS#@d!=!EQxMl7yNdS{yAAR2_5dYyQPumBArIHXfroylv(>dAhGzGuhYxlS zTipVDZ2eW9VWRgiXXw}iZWULz6-Ge!y^@RN4+oma!50*Aj}$acirV{M zf4nCR0d@LJT-;=QyavDC*hSGhmVggwEy(GVpq@I;VHJW zFf{ZPebUT`fkN@#6;V%diS^Fj%LFN-aCpSK>E!PvB_}t7cZWJ(zAAj;#1}I&yQ;Ce zxVzkH#8)9R2hs4gv0SiGy8P1CUjW2@YHD`M5?Jrgjehr2pVq{SI3QbUZq6mq{dv3@ zL)I-S>Q4r`y1qGEcb53|y1EM^ClZdQ?%C0@d1|$FeyZ=!BQ*J-nMeTbZ^c^Y3mI&o z@NR)Yi1*XnRrUEfYcdg=`Wngo_kYS$^M}9_s%KFBIeBX7ogE$1j}F_%2IUxk_UG^m zaRfx7u;dRtjn*G^hT65wqZ4U0?vEQ>u)<9SXI&ybek%Ku`Qg#o&v69WhDJrf`S0&r zBfa?R@-WT^Fr%;QSzCkBhb$h2G?MZTMH3md*5z z%Ow7oYcLwv|9{n`_~+M1%740u|C4F%x3QW2acaWm`)yzTV0k1U$@339|3AKb>J7OC zyV@=i9{M$V5#x3L*+~co*-tN!H^?bF`=Be7NH*Vw_%e;Qn*C#KNfE}9SgPos~O(ILVgw;xVVr?~4G1pN< zMA-_T0-t5H3TPFuBqp-q3zQ8($_ZsEdV70m)Jwpk6vjUwAi%C=!R2CiLP#y)S6)AM zZ>I$*d8UOqi#h!S)*%(MD;}IiiR|_I_vw13CPu;phbpbbnp+--qvr_$Gwb*AH*MHH 
z1eak$-_`M>M@DI0l~bIg<&+g1z`^I@j`r~6KB7IcVh!eU)Tq{~rWG|g<1_G{ZLNNnBR?!d}ZVi=p4Y;Nh%Q7U+7e|m_j z5#?74S(qqRM?^r_G&b?MJ1D!oz4bjqw|iS&z4d}=Sk2LhOgr_zt`xHd;M4^KNn?gG z_^uxPmZmJ{x+7lKZ7&9WEZG84p?zXkE04WA`Lb&Dy0bR-wW<7D@!Kf9q{L=6v*@7i zp$I7d*f)8*51k7H3qt~ZD3k@*OC%z|UBk-m-gk9pc&~S>V$$UjO&QO*b4Dh{8nAgd z#CUa$581H~6xB1!nW}NWJPv$!4)s=SG7jK$l^duLd3$-&>~**|^#l*J+}x((4ccHQ ziPGx&E;(-R%v?hJkn_EFR4l$RpP!nkEBR$Ie+zq@L|))D&`$H0YChQcrsAkw0ssi% z-jBs|nUj8Ji+2Tb>C_h1yXO~99-U3~XOtLyF*)L(pAk9Ot}s%eb~#Mr5@iNwPOo}v z4$&ys%6HaZvo|8f-o|$N$K75z1Bhj@v%93oBroi0=$xoQI>axgJrfTzc+ z*1g@`3r`;dgB87}%d1~1vHu0Tgq&{=EQg#yW!cLsx-~YI^LIFT?h!CUgH{(i^OxDt z8V@Ve1_(Yz7I(sxyRf-x$Rw6^m92i9I(5^A@$cbzlZJY- zT2I91`FYT=`D(EdVm*(8h6V+op`n3KuNS?JDm6-s1n`MuR#@5TEZ%*smGXKpzF985 zonyyf%2q2bFSE!SE39D3zTBy(c*dQsq_a>ou^WHvl*u;} zvn`y6E{!VFScym{O#I*Kl&;q+ySGgC+*)9AOK|O+A=J!Um~PG1IW{RwYZuuP#o;9hkt=*Ts$j&E-ltb&L3a8v^FPp z>y9)t&4KQx0M2YZC&P8yLHGd>bQ*C$(sruA0yv*Vo{{MCy3H|Q>`n5`kB?V_HV&l^ za*!NsY^7RP$KZmvC0Ht;9A)6j<`(qSYwv$021pScEnM(cE z#KpFBLPv>pS0MjcMkYQm(B7RlQO>TUVI&q*75f?T`1m5rzuC<0J}(wP`S-Y_;{%Nw z8Q}nCN=ix!if(9PZTofES?Fa-&Xb)ya-jx zr}q>skuf`YeleT)I?0#6ZY@)1FtX}}@K@KRGZntV5;84=IFTzKrA*Z|`DfX#itmoW}TU@p_{tyKlvT-4g zYb77`@OEr$%*dr70G67O+kRdrM%AqN^+cq!7>SukHFi+xYgOuZm!TX5o7miP?bD~X zt9jC6#>_(cSwtY<>5wdyca0h~Utu7E6(QxI;R_zyLS&%*!s~&b2{EiN2aj$EJhmpc za3y4C{aa3}<+>(aF|KO*@fX->Iv@hsEUObMy?!$~m!aR!dlPjk+-Q#xk=`nQ^Zk&0 zI@6!{Xv7h>cNA^2Bj747J7nzmQ0Q!`5NO?nUY=imos(+$ZNd_ekWgqSrvtm|WtY%x zrRz`urQ_u>9yW5RUV4zN?cN{ypOb zeC17htE;Pz_vd4C0#Duxvo*rmKWVt&aK658k=HzV?;24;3ZPE0wHCDN%QOrK2~+j@{Kb zW*`2R6@S$OrWqp@29^kTa{*^cr_W#Yr40L$d@hWaHy9_ zmig}Z&Qs~D@nb+ovzLxD(Z758tj(=JWc`5oOOP|zqy+3suT#3;y8qPUJsj%RC5`C; z+Z3Sr7?|Y*qm#;M-NU_`^cf@a)5zg2FKsl)^qW-H>T^WVdp!I&xyuY2LX^SmGTZR9 z1`V%_{j@S*re*DM|4hV;uO>()8{_Hxq0?^3qP%ehn@mFIyyx0PzM)Xk!GQ^&#CT{5 z=+NqIJeavdXN$?By|sC}wKNMK>Ghi*v+wuDBZ; zO4O{(C3=ja_!?~H1o&t=2tRfMfJo}vr?6~UQ~>F)bmFrtxALJE_M!J7%1zsK!+k?y z<>c~@tZOf0K0dy!rAB>$#$I20$R(ni9-=Wi!~&vq^fI%p1tqw!yj^z$c^@+rhpw6Q 
z#Pbz+i{_|-qs}&+!!ARZUa!HqH}-9~lM@3zr~7eR5aN)?AZTq8BN?OyvBWnY$na9t z;R|>)dE?ym^_u*78I!W2#?9!sYv1%it%bQ-$Pm@K?<}LTcF;>YX-pbh>0A1CsJl z&NJ|`T$((l;@U$^FM786$xvMLyskrWLCVS-pE;?zK{Lw>3Jfqv&^ufX& zJ`eA?OdG0$iwS|&t7qXv80k!PNgO^kEOkGo z<0b}1$0+!p{GO&}XS-IeO-xJ^^%$1!9S*eVSX7Y5Z zu2(&~pP7)ENK$_eXx26hwSy*}5n^LgA`gZzl^Ee0I{>yL8h)XSd(Mm2GU_lSP(o8j4%>zYj_f#-s(r}Y8zBmE}@DeWh1cla( zey=V-j!`>B`lUu{2(6onQ4}&ZD$f=^sqENJ-wB&aNhF4YM4p2=pm z$-^l@YNH*@AAWdVKm;(GU&IId8}^6(CuHa|NYMXd3UswjE0$N#)T@z`jLDqib> zI425OQvBju77KeSGT`|Tjp91TAC=liaJT($aki}&F8>M6wgBNn{g+*g#`LO8c5WAi z7EAVJU!zsN^`=fG^6N@np9=+znV(%uSac0j5QrTZ7QllC;76-bw|cQ!srTWGte@tS zvx|$1UG0$ERIBG@=f97$t%*lY81h}&9`37~j&eDNk2oGKXcu>KXPM#iGPHI%Sy|uU%wJnzLqbdYpFj#;vTZxIt2RoHk1a24<3ztJ3{^-egqi2{{NU zPsvwkmcW3^Kcx107O4aRpNBcJ>$s_~OjU@ZJ9tg6Uh z(1!!^-93^_G}~>%HmkQ6jC5V6Va7P!AhgpQ7lK`rmkr1tOm)fmYd8|SVv{cHQMDY2EZQcax-j8?u69@SAG4I$kJ>RWfoG*X=S$xC|hZWvw&Z=+3_QlZ`&*toIi!~c|bL#RVJD0}lS7#@GABw0w5QgG&0 zV@JwA6rQ*Kn1(jMh|62QDGN)GKA2a^2n%MpRIoCS;ShYw`Mg|Qa1*Z}%g7MPMc7gg;sG;H4Os~V4t<0sg zWUkjh**dayUgOZMTx4`Rx)VVQjeVy!U@uV}nv6b}bPDCqu+cpbO3yX=H2Zq--7zSlG_${SPwE!_lpE0e+ZGnAv*U%hPFn+#Qc|G%5z9HbK0&`j#mA8u@`d?~ z2mo7(HM?gMRH)=|pPib?k3T)cpCFn(7o4=J(&3l#F08HS;_*^^Ppbw}VA@OmbN%c` z!i6vElT$L&Fkk_@CXfB|ozeV!Ijt)MfOJG6t$hCt9(dvsI)Gmtm)&g-%Kw09HJb3{ z;?}CQS~v_q={$vK1|{g_g9$)K#qs3AiT6SYYN=1y)uh)<#6K4_m-#B|rs}DZ(8;-zwW*xxw|M)Sz z7=L(pn564lUsJ(b3Vz=b@X(uk!X6+|qo*#0r+sDi{3MyAj~$#O4_pkabsoy#OuNTYyA5 z#KUCZ)d=;wt2}R3$0=kncQ?^F*Ms$*`w7qOs12iBWrAjNfv6!ofx-oO|{famd8;X5>XG%C85G|K5%OF0q z&XS9}(i}A_t(7WeqF}eKqI1JrzAJ;7ASA1m#6IkVOBOISa{N0FtSx_&f$sGVjBKy} zN(52PKU+7Aj+vU6*!Y|cUM>1;fd&7DJtsE3w);va_EeeI^_))Q>>LkoKNqo%EH@A> z6VI6|O&$i7RUG9aF1}wdP&Tnte-C+7OoCf|4Ajk{9tY8@v*q31r-$XFSxp(TbR{fh#vW}H@jGwJ#@7-bw=Lilzkl948vFxIUTyt?pq;x zbX4jdWTt3&3hOVh_x*Ia^I9_EV$A%!zOOeW;A|mX6EFOY(r46`G?5{JC3O-v%wmxx z4~mTtA~K&eelRV`82fnX%&)N;b$JnOxF^=CpRI(Wp{lj8Fmd=u`1-08<94W`=lw5f z{h_Ux*Ld7A;%G`3;Fij(PLB)fG>lIK}phHX{H=EPkZ(f zj9chbTb7NrI#yY~RZ3-YbXY9yf+Cvq{?GU46kDQj$;qeS9Q*h*%9*j^$Y3DMK%&sl 
za9PV5!_Rl*OOxz=2+ZT&UC{mV@L=g(f4(+$dU~3Ys`W)CpH;YM`Q*z{lTm-w4?#@6 zpN2xk$bJW$>OH-mO{R1$j%<%ik8!?k3r=!i^H}oa70rny-oJV1#4by%lJ1L4lHIFS zsC~rY<4NhuGQJhj%G=vg^#)BL7us?o`V1+~A^4YbGRq(4azb#(>06-+_4P$~kaPmJ zA4+_eoYvj{BI+%m;s}=S;ei0bf+x7UyE_RQEV#RCaCeuW!7VrhcL*BX-QC^Y`A^<^ zzwfKV+1<0u?9A!zsqVV>R<%}ik3vF{^|1vqY_uc@aYzWXReb(^HP(On=WbM-BkTT- zwTyi(qaxRzRF`~I7e9m9<#CHqci~E3JU18@4BsxzK)GMUKoL)MR{%OSS2gK_izP|# zSpW0YEP`%(Sy|aN0$Kt6LxAJ6Bd0j3=MOLp)7`%Qwd0k&BNir<$YQHLzF3F#XZ6$LKyxxSz4X=iM4Bol1o z#r#gE=`nDd4F7@?VWMdmd@zQXg-6lONdVB)*f#Q6D0vPNZGu&#qAW|@gy?R4ZW7ie z4jM$0>&a{Ip3kya!P)^3>z6yfIU8Qr(}{U_w%;0DGB3UTo-pQUfMj?(v;$giweo^)MYrFnamiX&dI2e4soJb1U07xR7|f zLE0lovdnBAY4$<`P2|(jb;LDu>GZV4O$Z^KQ}c>Lc~gBxQ{)tUc+Oe-UAabCCiB&y z5D|+q8&HI}Tau}nKWJ9hX<}wE(#gx}nQT{sP%O#E$!Qazh7#&5 zOA_f;;yT~)AGTbbw%!r=ht>ku?ya;crRm%bFfvn|Yxb6!UBgs};mpxl6)bfu5ajsV z!F}Gajjwo0@T~^VQ(LfgR!493b5;U%0V+&hm}TcNJxBBwuWh;$rW>!~-bu`}} z`>S12hNLWgwWOhTucxZMw}+W1{DT$AxR{t2E<-G411MpXwKCnc5#1TOA@2t7R*`Hh zW>42)$h@gG&)4b04_WaeKj=P#FYRy7H~%4M2OWBQ%zi;a?_ zQq9j=j!vD9+R#aN!x$GRu)-G_zfV=zp42KYeHI8eY>J7lK4~~{b=Vtwdm#svl2d#1 zq?xO&a@HJWue)jG){?3d%$q!= zA1&4#wuUNh^+mI$NP}@7T0E_!Cu4^G%R+%p9M=`fC;{_L;F!SGTASC?s_T@@%}wmY zRWq)-dWvn!>*MRo(;lPiuac$73$wB&ht>NDWgpLj5knH$x&uzMwXX+MZW`Zlez=9P z2De`p@m`&J4gRFHP3BF~Pd+NoT2i@NWDOV{5+z2Bcm2u(m@ynXO`J4TkiR_LitY*v ztYEX8sEn0*+*RndZ4@#F^}R>JVmhtrTh)CTiNHd#`$GYVT-#+rG=6Y!Q1;H0HMK355!(09pfzgW(j#uzS-#`XlLhi>0%NN8G)d6A4C}O(!}Zrv>nBH@98FT>NPU3BC8hl zn`mn9-16(T&fPy{mfNI)hkgkm9&!5TTG0v_mvS5r3#%y9|3^{ldIw8y{T(U@?G;>5 z0Hf|~^Jj~%w2~g?8&h&OM{{S7O`KeKNU=^7Cu4r^-jAj;=i06b0F}0DZN^y)Yt1ed zl|m;OE`fqXbP+I+jZ@Tu-dZ&-gok&OjpY@krEbH}Kunc>fV-}7w|d(s)OPE+!6XZ_ zeu9*XXi$44Wr;#ISuvmemj)+X99Y<)ahQO1(=k0^h_X3m3w9#d-J3y6OZH}$Av~Gl znE~|Skqaa&l)+Jx1SvMGpL5d|&SxOnvBjQzyws2^sGU)N-t+yvc@f#UCd`(&K!Ry5k|^Di`Cps=5Zi&7bPfZP$e#pWrX#U^JPz`cM7_!Fe2@tE?$_Sj zA%$bk+dqdO;qy3}waie4D5yapO&BRP z<2vIgR>FT%p>l-JHLj~>_F{xB7Ux;@$X!F)CV`7s`*)p|n%U}Ey~e`@-YMAbgWw#i zW6^oDQF|NsckxB5+BT~o44wBXiVMT~k6B!MWsG1a4aVQ+XFcz>b{9r)LWdlpFq3o1 
z9ojPj)UJgF zJNBS-^(uUbF+!c?EC`bu!}ufopcO^LW2~sC3_9g6jC?M4Hj@XvRqB)&Oe9hZ^jBOJ z+=5apj7dIcy4)GGA3uUWtPSBI4H{Vxum)Far1nLzS7`KLcCFYvT;Pbxd{|wMeDH)7 zo#4r+C>`eg?(1+(wY;N%$2&XA1JR+XvWv}wp|3tNnsNC1CAqH)^$Qc{9BUDuPC)C< z4)ANC?rVdWxb%!=$Xcw6d{cWRN;cKXto7jM5T>l?ZzV6S9?fIr=XZxY)Qoed%PAUr zE<_^ynzf_y5=mnNfL?<~Ny$;kZPv1`ll{f!!AS*E-Gd?@G%0*({_NW768nB?BWX=p z&4@WXBoiGL-Y3M>GkgAGPCCVs=0BqUaf~PV@z;UCc!MoPR4&`go()e_uGf$(o$Dx7$Nc65>7u%SI}@Wkut2wW_Yy&R!O$*Yf}+@O@U@^yTDt ziC7d~mGMv_qiSj7LzyHxr9RdzxaPp0k2|$uPZeP-Q*W*>Ew$PVgga|}^PYT+zctm@ zCk9&1I}t`?DFG#A(0Y{FN$DbD$()}XH}CCwF1BR0`Z%MTh>ljaV7tEj%%l6HQryj_ z1L)P_3|b{FkUDW4__Cxx@_YRH`^&9ou+meMjU!dH+$x!scf97kG0UaOPxZ4l%nNOG z#rTcFta15%ZRTNCBPK@Su!?w6*tv5D2qME19-V;j`xmg?e}*9SSl28d0)OZ=C*+G9 zPDAM!V1TaPteL0Vpy+j*2IoClHVg{_2MBeAWqc!%3&#gAW8Gy;bGGVZ0f$fcmx8zt z$rEeJTRhbpW{@c;i(E^Np9PdGW!JIZ7-4=HtMd<~syPc$8JY9jrC{$aQ1n3wx+M*4 zi;`I?fKyM{RPtyHoHm0G=H*+xxbzQD$frJ=gPHtT~0sz;Lsed_(jFze4H#qROxoLJ8Er} z6f44Ly?8x@->@bCet(xlx533AykqbfUtpdhEhY}7F5kSHP?5*pgCGjni_6gsog zM*f>-7eq`?kKgn2Xe?aUZOrdOi|o!1q>{=v5NE!xubn!~{6~RBzke@(>=IG2gm-#G zKu`}7v1_65leA{Ti+U#{?Z+hJ^5y6T_{C*UmXo*HkBa3Wd~fA(Z*nsSjBmW!UhLO9 z*n3Fmo1n=1nOVqCHp~;fJN^zhlfU}s0UEX1*PP;%fH}I?`&hy1mEnh3C{WbLt^#u-?nRyTMfkyCd z*#YdorCAeNWCBDC45-mVRC;unt1Ad0?-m#oqKJrq2e-vFZ%fM;YH%`z1l(j~y6xOX z?7)85s0sV~>JpcBn%Gzj)*`u4yKSok^n3O==GsN!d{JrY*=UB7>s45z?nJ z4l*6=pUkI*iO>ug4aX4Nr>%*X{6HgxenUp(@aW$OAl4q44y{acIn)2KemcwOQ`5a znhtuePTPH2r1hpq@+!xl=M9t69c1NNb&8b+A8$umuA-PFHD?MNJ_5_9r`4IXG&Jt# ze$ck3Oxd)@wJ{8h&l(kJB8(71PEPCq*kKgqTGBq{8g=kMd7FEILa~+Q7F-%W zAo9tf+YU)IfSVg2swhjCn}!r(;!HaF+3#KZ7c8`0&=0h1kb;d1XKW1ND^E??COZgb zajSneWD;ECa2gELv@LGlF7Tei2c02qXCOA$vL}E z@b7Kk#w-rUU_gn&=yHbU&$kku$>`t!U&c6q^O3`fE}!DMvXXT`K*5q>VAvjhw}@6^ zZ9dR0ft(DqKdc!)YrK7&_=oIU-PJMR)ro}uNz`fS*lOrhwehiS+R8`kz!-PM!{X>L z-CHn!hUW2RD4jdkK_glq$cZ$w`>QLsQmk6ZEFr-+fF_8o895jgPC4d?cMB_vUHhoEZeNbs zs#svWK%52&yKjNnu|0DBE6Pcjij~1axE@iwel6XeSZr6LRfyK=YZ`q)(JF?q0XF>*_qXY& zY+l%=4-u_5q-gJkkUqd5m}!jI2}3!fURqzA#4m-1Zv{gKv{Ffp*m*;7Q^i|HtRZ6w 
zxlyU%<*=yDMiV)4)k~It&#!$+je?-F(t-8UKwQg__<5JlDVh)>@+olxu%fD$VW{}4 zs6LaX<}ATvrk{+MNRHYarT^Zz+CtsKdjHb=4dyT@`@&cdJuoBlBDGy4 zepO|o0`?B}XsVgDg0wWj{Fl)_Y@EF8I5+opTTukuk2~QXa~3}U0IVnkApWJd8u`<9 zK*#bo9mTKMKmI9@}Kk*uDzX8QKT^*e^W z9y06;b~Is?;%PY?#4vQ4*XE`NoC?ZkxB8yP0Fl^x`z#KQbacdELDlW;Olc|>ZRxnH z<#KO~k9I8tT{?4zs}mOHzG?iYK3o|aTgb*(NncKI;i>aQka;t@-uZ==#KBfem$|7_ zxa92n%I_ZqE2i<5DE(fNj_svJRm0wOZg?^fH2<+fqf1SyGjX6&tOOURMmlsVU^i%x zBPAx?KM3htEx)hRU>Ui_c>FRWr3}xq@%R|;rTJLN#yR#QM=Y^*Y$yHnYCv--r1{&m za@py}3|Xqo0j^V%Xw&jJLmRIEwhl~-8y`e$5=9&5e&AD71MYAlyA=7T9j7}#r&~^H z2$61)(!@w}AlX?Idr|$sPPCDc(!l2KP*`KqSBXoLXb&MO40`Kn!+HC9`6WS?rni{22k8e!w^4dHcl1b~*bdO$JRG ztsD!9>TmM&$L>M`?cI3;88Fty&^J*4PYFl%*okvGlxw zKUGE91ri?0@K{LMQrxPBINIzq9OYnOn_63(!Cj?35OcBOK71sTJ$i2UFz^_8bJQiy z6fNHF##-|2DLlgK<*7lH=CqO5z>$Z7CJ`}rZi)wg70GwhIk33@5=+f^cPYD&e$gJ zzKivWAAYfqjk$W~r+QMquZ#f{ah=j+x%g+b%ox3Lr{v9Tpy1u*blJrUvXELP(*?Ut zFYrys>DbnXR$Os3c(e^+JKPj+Hd?l3hIwD&e8mNq2Ace*9$E~d&rMZ7;aj&Wb@yV| z^f;D8j}R+v+zD)Lq8L_)-IpM;$32|WxD%mD3>O|4_7?tjIGG>>5rMUfn9dfhjjLb? zkeEjHczLnXO-4$;I$N6KbciK-^_k$}!S|XG^vPU3fc~~nv$T$jK;Y6!aVo*+ILK0z zsWB&e!@b7XuzJGAIGOYKHW~9nd=FDY^NOlR>s2Jh#p4^)$Y;P4wpuH{ZT1KPK-3E! 
zYgX&#D>h#Es!5ZFy1iu+{|xiq_0Iq^{~#4L9D)h(4pXiz{BLA63yX& za_za?$aS&`G?+YcF6C`G}D(-Zvsd|MjRMZRaT6tn?ZQ*hT04pMyk{} zhIr-Zx*=Apmqu+@h@G&UA^W}|U1IZ;#+Jastko}ZP<<(DI{V(d*PPx-DvQA%yafR@ zV3eH6_5n~wyz(2l)e{R&hG+JD16elO$kE%02B&Yi*CSo05~&eo2%cKFm-KZ+`pE*TPlbX5J;bC zkTT|_PvMQBOid$!62T3g(Q8B&#lR~xULau0&?^b*8)iCNvPQK~ejmWKVO8%@g96QUY}q$PtRf75yv_>~4AvTH#_&$S2=6YvYvT*4NA;CaXFxlr zJez}x-?!Y@cS6E`u{kN{vNbW0h%;Tt+CLLMYBEOVR8gW|#7>Dv?SqnuJ!06)hrM>u zJxhTTB1wgkncqskM^!(Grc4sOo3Jq8-*we`LyeITllb8R# z>PAZFb3D;}nz?uN0G8!|SU2*#@SQjy8l0iWlMOaATaTyx^_OU39&2zIad(^Q_5Sm- zbpaq1M<>i=!G3C0H?22gVTNxi3ahR(&2}mxgt9VQHi4FL&od$9OAgyY&BFa<9w%PX zoRvEBdgN{s9C%R&GzssP^&r7x}G<+;)C*u(OC@?Qd&g=>Hi=U$&-h zFGx3R)c(5ooQlG|l+Juiw*72TfGkSQ#ju!08=}8jwZNj0NX^dm8m@AeAT_gWkQfXg z!Umn%H}}@@W#2VvJ;9O`S6)lUe;&1?>)_QmDbc`hM^bTER?51ANTRhWDp+rP8fLlNtcG9kBLF{ z*#D-NKkTekbLlC@uQSU~0ET}{#e`?E!dd))85A*Bd1#J%?^-hYfP)OuyCE3VZJDxL z!@A%*1zaq6{zI#BGv=d=lN-7Tvrmob8?@z0#jE3ox3!ISyA#)Z4H3Fi$gn}>mu_3s zcaxmHdrjJ{)bK!?LNT}?b8cW`Ov(nI<_a5TRqAXJ))pP;z98sMZK#VD+4gVQu((2p zYR;ge@7RGKvd4+?>OY9Ye6QAPSHX4MBGeDznKRq+dy1e}4jcVY?N(}%a}7Lh9;>5s zx4Y5psDhT5Fq`&N)n=)`bEBLIjy`>EJ7Au zojgn|p6UF3Y4+$|vBwil>1pOj#I&~KsX$1om+8NyQ?=ygHy%wCas7xqgX1zJ#9noL zLojAdz&UCck%otQn~P6`P9l*<_e-G%i!&R=VgIgobMts}(+Ua#%5M#sL*W|?H>;_N zk@3Odp%$&`NqKqsoh#&Dq7ML8aNFH!-Nj-D#Sr$#-RB9fy-|EWqW)?*AMGXk}w{gY;88!;RX?)UKuC z<2^(=-mSL@jefGsTlvvBY$ z5^sCvt4i^oC8O}rqz;HuL$IEwAc6W6~EnxWqL-qoO0$H&Okm@rt_OJ6+Lr;r&a zsAc!LEI2oLswj!{Yv8r7nJtT=$Z>Fzm!SY+?;#spW!dAt#Ndu3X5}Cvtx!Eii8ZSf zKQ~rYy_b2{QK|P`!*hXJS`FHwuTuTf*L)#FB;tMo|M__7S_vuJa0{^s?oUVMv&ttF zq1c~}On-dX$wmQw0pPIqq6&v-95d5cb&s$5)OQA=)v%ov#}&7|trgcF)>kolAn2HI zNEy5!y9oQ4U{H)~hAg%@qL;dvfJ&uYH?A(KY1Kd9uGz~@$%5OLHy2&1vOEJvLa_z* zWE;{rbB!T(Q>3#R>WLk5_nUD}?%;R8Yo{Q-1GxHH$G5T45;C}G6x4{8CHpI?)B@8O zb)a5!h;Z8rC(dD@Yg#kAS@cDj`gtJ;{$9vr*gz0O4?yyciMqcyR5^Cibr7c<$4K7> zt9YoSm&JH!jq1}kV~KzFtnYE>qd}9Sj}p}HSF4b3n=?SSi&%OI({LdBy}e?C*}k_a zI^M2c)~qQ=iiGh}q0_F+;KP}C;MB}9EJBO}Tt7-^{#{<4pIGfuk<2GwfWuRTLF#|! 
zYnrM3bTt-o>}>0L0Rb#5oZO5wez%%fZX$(<$tSe3jux6PD=H~@=Q}(+> zmN@f|d`5zWScK_Jd?!I^JuViXk^l`jIY}NbfYXrcRy#;bKF8`Y-H%abn%US8@R^Oj zz3iN#avUy%%X{mjx=A#3+}~4Dl<5 z&x)EXLDxOkLPy_sUHMyXRw@FYv%W$88~?9}hPANxA1eGH0OashE0%b>$MbhTOj5YC z2VWQ{b$jqB9BPI79U!}GnKbXCnnzA#E#3womyK9d!x5b0Ag>||w5yDUQ2d|8$CtdQ z-~pYRLb9H}QtM`3wU|u!c*vhsW>FwPDh5Bn0@*m6c zpU3vg991FTSdjTnvSb4lXtohq9!NPt0%vkY-3dn zpOa9yS3F*FIfWZd=2cr(;3IXk-pr1zd223Y{s#0WMKLK~EceL2RJZ@Z(fCS@+K6ib zLDcT~rTZd#%J!>e7s)S3GBD{&`%`E|k***hkt)Jt=X1JR^ByQqari)?_HN#fL6q%X?J zduSB*{gQFvcFHO@PG9@y{3O7G>vXs8MIy3b@RlXF-lhv*962*J1 zkQ{=(wrv1!rCp`CzR;CoaCi~xp-cA6X%=Pu7cRi zD2&9CtNHZ`V%_n#T`k2EV!GwpEc#p;D>JOL!N_O%Q`Fz_=&6`i-H-O$ybLrI@VO0; zp^A>Jyi^heP<}-b)QKl?JI=!ZKJ6#ZI<0h2en++8adF4*36s@y2vn2eehx9`=fyxS&0cRmFA8|Y0m`x@rAwl3~`z;|M0S!vOPNPt| z$$oXk<;oZl_0uZVAWedwzkk8SR%&nbd!XxXjnqG*UlCRONS36mff6;C`0x-cYpWYE zPu!1()Kg_xs%6uDJQ*`HsIS&<;iScrLJr$AVaO5^z<5BwG3>M|5oj#4R{l+uLgOsF zLQzLmoQ(}67dWEvzv3d|1y5jOkABPbBqs+s<+SiVTM*k;_5wG8A{BQHM#^{MLFzKg z7-e+~wcLgU4(CB997Q=CPvh( zdcFrxp-R&N=i{Y+Wf8}&*Dl12tN2EN_Xgr_lIR-VRQLEH&;hO@AxQATZSoP}Ece+O zpX;<9Z3T2&EDE1mz6=#7&?pyjzl#vYGB>yQ%_~zz*tLzu_@P5^Q7rLf${oQlaJ^4P z1NR3}mS}=`lHkVS%#&Eue%TzYZL`yLR#NtV#gICPgowfVAgw+$bOoXJ_WD@qqzDDd z>s~+^=*N%7FIN`>os4bwlXos_>>PE@vS~a}025;C)-A$mH%|iT{k0Th; zmpF3a1;Bhzpu+G|bB1hg^Q>8WNGfKb+d9?mCN%p0G@tqd`+PT@q$kpx?Y1N0DKCQ{ zpQY%dsu?)i3e}7pG7T zLA~sUPjk3ns2iWBcPP`T!x+ewh~mdnbmoOk+!(b!5v=AgqpMQ_SaYS;=^Qhv8k@A% z30s;VZDQfx>9`zwJEt4a#Qpc#6Qt3#yT(2yetWjls<~>IUL2U(NQ9MSfge{VYC&6}g9Ix+x&C3$b)qP}q6I0`>oeXdozxu2|PlA=YGBqFKy{(u1UkUwRc z^HIFduEn=U|_V~r515&=9hV1DCFkJ){ZsZ{05<{7^IL$VObhXnbeCzU$5d`6_AAG&8+DPPl^3UpqUrcod%0ZUkuAN}9zW0#{jU3Ra>(2cG++j$giU&qCyu`CVdt#W^1(vLib9V?DG_D`cb z6^qfQXT#1a6>o^b*?#(w5eNzjL850oA)EZZbdI&jjdbF!bk7 zWEdoj|B_Y|LvV4Xj|!CO3Fz+jWi`^$JO>4pN`=LF@5GXViN>2j`^WPpF0@(loMK$Ey% zTG=jtYhHO;Ji^V5?pxY<*xuS*5abtNuv~1ResA626W_#pUClNcn-S^q|>#jagt@?>SJBh$k^GTf_}Ef zVn!8zwz0fpaq+a3z_PBqUxJD+R2V(~59(yPRS#i7u_#!MPdn9EBs&I=_1usxEW*h( 
zh$Tv~!ItuC{JE)&1^kk1oCaS#!*Xyh(YMyPQ;6kW5A)CZWK#I$n_SrmCh?6~l4{ax zcI{8jO)XMlKjn!5EKr6q=@=+M9m!CWmqrZ-;S15YYUMUIt424^PL)$c5}t}c02K9H zWNn8l)66i!iw^4?`DT;LLzi$zoe408Q{1>i`|d{FQ2yLUnx5k<)ow2Ld3!Ym*_V~X z)BX;KcT!SPpyF3mmoUYZoei!qxj&z%NgbNeSDD0I!#c9!?@oy}It*^NKXvIFxcUvkOXGNvLN@03k*J}o1B z5DJTD3L1;z*{DIci0Fq0;mo(6*CuY7=3m9|e@QNmFaEIxG;A$q5Q8(M( zXzl^Xdx+Qfo*l|X{V>j*uKN6yyog>$eiJsiD690!e)el#G_v61ekVfTC|FnJ?>l5i zC(S?js=EBF81P>A6XKigBsYbiHWt3ty#7C00me41*j=&wjKA4}UAP24QBhw5z5n{# zXRn?c_r4Qy6zlfQH)5;s@uas zLY$oGB)=~&de*v2AA}Jer5GKC0B;+TmvftZF`+Y07yPriz}l353lXcQj*h^CNSRd3 zbFL*ENk6W}Nt(vVFZu6Zh(I(C5iY2`w zoKfd~(MOT4nr=Tyg|7Ze$}fQ?D39%;nvHcckt`Q+U(J$nGRl}K{xd!Wpx{U(xI{`L zx2mxyiqEEW6T$FqH1G=wj6X{%X)_PCdlU8{~pjPsI9^6rX z_ReRNKcYobm2{(ak|W}*IVNzD6hC9QazkOAQ+=auBtR+kJ%W8rq4NBnncw{=2Ax8l zpP^I=@I_HYPh>ttGKc89nu>6Si&a<#{gKIs6-}pB3DhCbCkagE-pn~5lu|l&Nr|+! zyP?jZVlHXz{s<}bA?nWNA^-;saaL6HJ_a@(eDDUQ_0+~bUF80RXV;T7c+CcSvISpu zEEds3#SqUdYaRGA&&@JHM%1{o%G-y*;dg91nmw~!UibJT^PWE(AxV7WNRpYFuSH6! z28GAh68fAXRXpcc;pT;{PlJJd(B*RvY}We8c@QCJ4tRYC<~RV8ZyTF(0$s4Yof3!a zK-T}{;5j3ah*0Gif%?l|QQF0NV4g*@*YB1*6qOixB+IYr?aM7202Acj(o{_-Ov5X|x5XX4)soD{hDDb{1tceA z?z4!zgZRo4Yx})g`y;c`kdX_P%yaw4zbYQ^&WKxCmQZ>kyd-;luDGM5F&4zgy^>v+vx*hu5atYgf~aOXk_nuxVb*#~0?S1O)X8C9Ns6nJt4jPcb>d6SI%wDZ+o= zf2XWbFHfFj@vR_|%tp|a4#b9R7}_z&QLj&MVPE`4KY2h`ai?5%`<#gXfim2C#t!FL zL;5~B#9NMPP4>n~dh*f>YD0LUG9){03j>c5k)T;8`*^9E&@rO#rAlmy0DV%%9y*KG z`1jad0Y~fz{ivO)n2d2;=KuBb2kD!KHj5%m9vphb5})vR$R}gJFKj(~xO1l`--&Ue zGWP5#slI2gjUAzxLp`vm0A2i$q$L;LK9H(8(!pU&Nk0ajAa{B*Y*f$gEjljc_d(Qo zRXr1#4M(SfnFd87hJ37}T8=9%UgbVOWT3FH3;4u~SACjfT9+0x3l8>Dg<{t`CDyLx z16j7@_rW5avA5puA8te|b&9t+jSFJha9ap;Skwz<$v&wsbrbl-KI|CfWMoYE2`N~& zNNnR3TDet2!lK2>fGj{_J18l7Bu169fdm2ldsn4=rTxLcJJ*1@c+v-SXU^RwZS57P ze`-=h^VOJrG&)4qiL>_Eqk|=l{sodG!F2t|yE5B^-@0&a^Oy(_t^@k*V`ky9-|&Tr zW!8?JeTr4Aqw*Kf?F0H+(}+}he^+vf(p%V{zjekTqXtbP@cY1ePK$lZvMu4l-0<}p_D&9@kN2O`s;_~9{; z9t}y)Jfwj9Ston_#a8eSY{FS zFVwEpX^Xd2l9aXm3whXTd0Ppqc?-P-%N7DO;We`|xNFjWv>&_miHomO)1I(NqPiHs 
zC<4@Ovq32dSxV(mY@*A5^wleVv=Uk42hh;t)uoAs^oUb}7~!j`FuoPazda%gx)*9~ znbX=Wijd!TDcLQ*;oX`G>?~=V{6lAA@b?pFT&uG1a1cp=H8M@NIej&xu9p2u zWO#GknZtXoaEqw4%`5(O`%Alx6Rcat&tk(;T)yNuBZBFp=j}DEI`4)UW)Iwss;z>X z0>RB-oKybkz>pBX(z#3kcUUqdIEP(T{H)j}qMu(h@+~qH+#tK;eIZjb*Y7~K{v8lR zM62{WkD^!(8*%Ub^9Df7)dvoQ;ahi=-_szC1Na-U3>W#nDa0v##{)czW{0Iso^Jz0 zF4DouxI^A7eNAve4oCgA!ARI^ln-R4c(X7a|JZr^ zP=AC3FxHJjyj;wSaD-3UQYVutw+(;n5;V}JWBQ$qfE-fa zBJ14d{hbtf7R`AOg*aijM$W|f(-%<;_O3mU85`s}bxA3e6JcBn^L_)p%P;BM9}0EC z#YJ(bs1EC3^cCO7uc_yWtJv)&W{ZUdf64?tHoWGRstxtl*UxpqbA+jCw>;5%Xa5)`XT+(R(s3c7 zIJp1FHp$2UAdogWk4gTWLORZ#!Qu!*wAM3JCMpqJ-H#9={ZRn*iEIkU9i@#LV-@+r_9Z5ss!$EeyI3W z%JiX@OG2fXS25JE?>1<;%TuvYsgOm2qo)rtB_=A1-78k7VrRaIJ{6m_YuJSwr2dgG z>hzNdg=_JW{xTIfQ_cyjNUnif;!r^~^;o_3&tegD!FJG9xFpVLhUjx3PE~3_d`39) zhe*!Sm&RFX;OCNeOpyAhkGkSFVeCr4X@rOj)!CcQ)i>hMeCph6h4twR3Tao7=ILTs z4rj{n+FX{jhQ4n2;nyaR!^QI5;#!R~5Wx8MT}wd5v~E>cvrNe=JDgd05@<*sww*s| z3G)yP*O=a32M(E9us>r1_(K|4D$+Izg8s`EEIwA2({-*)uU!Y}XZHA=#baw3@k>p=C?zm9ta9hyG}WA zIH`V$I1tM{yK>iYc?Ypyt&NOakOT#z7{$uIRm-|W2`wB6Z@r4)b!-JkuE9REr>3z$ zxmXx1K-ue^=(6C*q{4hp`i|JgSYy(r-+=tdXs%yB+3Yhw8NO=GRwfrcQxtQ@rjac@ zAF6MefL~z%sye_e(<&CMTgI3m^{l<-Zm^s)7VL|DpsFzYX0olI8z90Ut-t%R8+$){ z!+?>YUpMN)ZF}u%A1H%uU|~-BPkvmeFAOYkD6XhAs5$BKN!sv$HAvH%_&F)n04G|(sRz8Aa#?ss)reS zUjoxdX=<{v;|vDXAIpyPA!cb4-U>Nuo$?zah!_S3Glk+Xp9Wt4Np@j@_u(o7p-xge zrWWjBM1USj#-|pDE*rKq5OGY3+ivzeKsHmba_AEd&Dhd_=6#Q{azgCQ`pAt z;S>J(&AK_>kv(t;n#?~69FvA-VT6CAx$%pVmH7TArT}6Y+>m5`CnY6b@{-~|Qo)r$ zcSOx{l{dMPE5~rPCtP80eJ4uaOi5U>^wEzMLXZjr)6|52+dk^%iPUB|nuxH3eeCc? 
zk`Nn6HWx{HRte;*=pA?8mg+@?sQJ9n7l6-KHDWKQF*&Y0O=Hd4mEx-Qr}!&Zao z!#deosD11_!#4h0g0xTGNtQGRQ}s5Qu;7_gm`67=Rhb54jO|2rpa18r$aqjNez9R3 zN={+Zi#%g6a?YaW{GG|nBn2@s z!EXI?3>d+1fGY)|YPzfH;Q%4g%#&Q;-h@fW8L;l$JqTwRa zRSk3ih+_j~U-!`81K4yPvP>~OOd5$d#QVf4R+^S)^07n!zu6y3nVreVU_)cPJ@Ii9 z41TJ3{FniSh%^nMseGmW{z`1RAxPJ6)4|yxb_=L@wu(F`{{K|T2xf~N)gx3I(fYjG zmr!W7;)8)}rLXQFFBL&;&XTg~eKhhiGlR@`t{0;9ct(o^(J_>Ca~iWaDK)91aeuA& z@_5tiefj|@gjATBSn|mML~vP6hxeBnkb&c+2HS z?%gs+Q_AgZQ%SO@pRc%>vRGJxKtmy!&8Du}uR3rbh1*F7OP5?9ab(u)w_}!Eym-3B zta;?ol}C?8Mg!~B%kt01C);eEdG~ypmR7c4wQ9>sb4tr{N=tGy8hL`&riS?WGbwT{ zQG7*l&fsi?UJ-Bx>UN&2`eJ{`+l~yp2owx2=y6_w;VgqpDWm+9^AG2-pZ++$xdx)v zKH{&Q!d%z2Nbfi?NbfiyVqPB_j{Wt-iLf!78%4`<^Qd;e8EDQ_}fb_y)5!8iTiW#;KBd?*Aqy~*22)CLx&C>8t=*EP?S-r7?moR zlj9jOBxC&s)xm@Dt{ceD3x5daGBE91}5a}H^M-bgA zaU#UO@;k0gbDc}uHCt_qwX|ignN+D`>8^zs!pCix^HP|_NuS;M4T!u%>jVQ z%DPzJ>qzW&Z*_Hj)&7(Ft4=OnJiYxDrZ#^jWysvYDwC@DX!Fi@cDZZax;)*G>jxQn z7>3LpylK%dDOA{JV(*+G*>sTJ|3!7}wi5woKw(hiRpb_5QItD0r_Y4m2Uq`|+SS`S z*L6P9J5CJJJ1$IW@3`I+b+60G|ND_z1MPdq1nOZIMOp@Mlor(00193CM x=s=*XC4%k|9RD$4IHI47)002ovPDHLkV1gp~Njm@l literal 0 HcmV?d00001 diff --git a/documentation/source/BootROM_8890/images/boot_chain.drawio.svg b/documentation/source/BootROM_8890/images/boot_chain.drawio.svg deleted file mode 100644 index 7ae49dc..0000000 --- a/documentation/source/BootROM_8890/images/boot_chain.drawio.svg +++ /dev/null @@ -1 +0,0 @@ -
Exploit
Stage1
Debugger
BL1
BL31
\ No newline at end of file
diff --git a/documentation/source/BootROM_8890/images/boot_chain_bl1.drawio.svg b/documentation/source/BootROM_8890/images/boot_chain_bl1.drawio.svg
new file mode 100644
index 0000000..d7cd35d
--- /dev/null
+++ b/documentation/source/BootROM_8890/images/boot_chain_bl1.drawio.svg
@@ -0,0 +1 @@
+
Exploit
Stage1
Debugger
ROM USB Download
Debugger

Stage1

There is not enough space to load the full debugger in one transaction, so the first stage only configures USB receive and downloads the debugger

Debugger

The debugger hijacks the USB return function and lets the ROM download the next stage. Authenticates it and jumps to it. This allows patching BL1 after authentication
Jump BL1

USB Hijack

Before jumping in BL1 the ROM function for downloading the next stage is also hijacked, giving us code execution after BL1 is loaded
Debugger
\ No newline at end of file diff --git a/documentation/source/BootROM_8890/notes.rst b/documentation/source/BootROM_8890/notes.rst new file mode 100644 index 0000000..59c9c0b --- /dev/null +++ b/documentation/source/BootROM_8890/notes.rst @@ -0,0 +1,16 @@ +======== +Emulator +======== +What is interesting about the ROM is that it starts by checking MPIDR_EL1 register and doing a conditional branch to 0x20e0000. + +.. code-block:: ghidra + + + undefined w0:1 + Reset XREF[1]: Entry Point(*) + 00000000 bb 00 38 d5 mrs x27,mpidr_el1 + 00000004 7b 0f 78 92 and x27,x27,#0xf00 + 00000008 7f 03 00 f1 cmp x27,#0x0 + 0000000c 41 00 00 54 b.ne LAB_00000014 + 00000010 fc 7f 83 14 b LAB_020e0000 + diff --git a/reven/SamsungS7.lock b/reven/SamsungS7.lock deleted file mode 100644 index f90341a..0000000 --- a/reven/SamsungS7.lock +++ /dev/null @@ -1,9 +0,0 @@ -#Ghidra Lock File -#Thu Aug 15 13:43:49 CEST 2024 -OS\ Name=Linux -OS\ Version=6.5.0-44-generic -Username=eljakim -Hostname=levith -\ Supports\ File\ Channel\ Locking=Channel Lock -OS\ Architecture=amd64 -Timestamp=8/15/24, 1\:43 PM diff --git a/reven/SamsungS7.lock~ b/reven/SamsungS7.lock~ deleted file mode 100644 index e69de29..0000000 diff --git a/reven/SamsungS7.rep/idata/00/00000002.prp b/reven/SamsungS7.rep/idata/00/00000002.prp index e9cbf94..aee01aa 100644 --- a/reven/SamsungS7.rep/idata/00/00000002.prp +++ b/reven/SamsungS7.rep/idata/00/00000002.prp @@ -4,7 +4,7 @@ - + diff --git a/reven/SamsungS7.rep/idata/~index.bak b/reven/SamsungS7.rep/idata/~index.bak index 30584e4..3ab1737 100644 --- a/reven/SamsungS7.rep/idata/~index.bak +++ b/reven/SamsungS7.rep/idata/~index.bak 
@@ -1,9 +1,7 @@ VERSION=1 / 00000006:8890_bootrom.bin:7f0119bc3142241939494339 - 0000000a:8890_bootrom.bin.1:7f011a6853998629050259 - 00000002:8890_bootrom.bin.keep:7f011889d240069673442230 - 00000008:8890_bootrom_old_bl1:7f011822f30596451841878 + 0000000a:8890_bootrom_bl31_loaded:7f011a6853998629050259 /dump 00000009:reloc_debugger.elf:7f0119bd531451643843511 /mib3 @@ -13,5 +11,8 @@ VERSION=1 00000003:bl31.bin:7f011ab837995028720085 00000004:sboot.bin.3.bin:7f011872b8163836628792 00000005:sboot.bin.4.bin:7f011842b8231996037592 +/s7/dump + 00000002:8890_bootrom.bin.keep:7f011889d240069673442230 + 00000008:8890_bootrom_old_bl1:7f011822f30596451841878 NEXT-ID:b MD5:d41d8cd98f00b204e9800998ecf8427e diff --git a/reven/SamsungS7.rep/idata/~index.dat b/reven/SamsungS7.rep/idata/~index.dat index e251186..3ab1737 100644 --- a/reven/SamsungS7.rep/idata/~index.dat +++ b/reven/SamsungS7.rep/idata/~index.dat @@ -1,9 +1,7 @@ VERSION=1 / 00000006:8890_bootrom.bin:7f0119bc3142241939494339 - 00000002:8890_bootrom.bin.keep:7f011889d240069673442230 0000000a:8890_bootrom_bl31_loaded:7f011a6853998629050259 - 00000008:8890_bootrom_old_bl1:7f011822f30596451841878 /dump 00000009:reloc_debugger.elf:7f0119bd531451643843511 /mib3 @@ -13,5 +11,8 @@ VERSION=1 00000003:bl31.bin:7f011ab837995028720085 00000004:sboot.bin.3.bin:7f011872b8163836628792 00000005:sboot.bin.4.bin:7f011842b8231996037592 +/s7/dump + 00000002:8890_bootrom.bin.keep:7f011889d240069673442230 + 00000008:8890_bootrom_old_bl1:7f011822f30596451841878 NEXT-ID:b MD5:d41d8cd98f00b204e9800998ecf8427e diff --git a/reven/SamsungS7.rep/user/~index.bak b/reven/SamsungS7.rep/user/~index.bak index 257c699..274b54a 100644 --- a/reven/SamsungS7.rep/user/~index.bak +++ b/reven/SamsungS7.rep/user/~index.bak 
@@ -4,7 +4,8 @@ VERSION=1 00000004:udf_7f011842b8231996037592:7f01190f112184430945139 00000003:udf_7f011872b8163836628792:7f011a9478217161533597 00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045 + 00000006:udf_7f0119bd531451643843511:7f011a1c131523520933550 00000005:udf_7f011a0d5252765509589854:7f0118e15255467845445248 00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603 -NEXT-ID:6 +NEXT-ID:7 MD5:d41d8cd98f00b204e9800998ecf8427e diff --git a/reven/SamsungS7.rep/user/~index.dat b/reven/SamsungS7.rep/user/~index.dat index 274b54a..ff71ce5 100644 --- a/reven/SamsungS7.rep/user/~index.dat +++ b/reven/SamsungS7.rep/user/~index.dat @@ -6,6 +6,7 @@ VERSION=1 00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045 00000006:udf_7f0119bd531451643843511:7f011a1c131523520933550 00000005:udf_7f011a0d5252765509589854:7f0118e15255467845445248 + 00000007:udf_7f011a6853998629050259:7f011a98934430536471611 00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603 -NEXT-ID:7 +NEXT-ID:8 MD5:d41d8cd98f00b204e9800998ecf8427e diff --git a/reven/SamsungS7.rep/user/~journal.bak b/reven/SamsungS7.rep/user/~journal.bak index 588753e..bd4a967 100644 --- a/reven/SamsungS7.rep/user/~journal.bak +++ b/reven/SamsungS7.rep/user/~journal.bak @@ -1,2 +1,2 @@ -IADD:00000006:/udf_7f0119bd531451643843511 -IDSET:/udf_7f0119bd531451643843511:7f011a1c131523520933550 +IADD:00000007:/udf_7f011a6853998629050259 +IDSET:/udf_7f011a6853998629050259:7f011a98934430536471611 diff --git a/source/emulator/.vscode/launch.json b/source/emulator/.vscode/launch.json new file mode 100644 index 0000000..1ddabb5 --- /dev/null +++ b/source/emulator/.vscode/launch.json 
@@ -0,0 +1,15 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Exynos Emultor",
+ "type": "debugpy",
+ "request": "launch",
+ "program": "emulator.py",
+ "console": "integratedTerminal"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/source/emulator/emulator.py b/source/emulator/emulator.py
new file mode 100644
index 0000000..e81467c
--- /dev/null
+++ b/source/emulator/emulator.py
@@ -0,0 +1,36 @@
+from ghidra_assistant.utils.utils import *
+from ghidra_assistant.utils.archs.arm64.arm64_emulator import ARM64UC_Emulator
+from unicorn.arm64_const import *
+from unicorn.unicorn_const import *
+
+class ExynosEmulator(ARM64UC_Emulator):
+ def __init__(self, rom_path):
+ super().__init__()
+ self.rom_path = rom_path
+ self.setup()
+
+ def setup(self):
+ self.setup_memory()
+ self.setup_registers()
+
+ def setup_memory(self):
+ #ROM
+ self.uc.mem_map(0x0, 128 * KB, UC_PROT_READ | UC_PROT_EXEC)
+ self.uc.mem_write(0x0, open(self.rom_path, "rb").read())
+ pass
+
+ def setup_registers(self):
+ self.pc = 0x0
+ self.uc.reg_write(UC_ARM64_REG_PC, self.pc)
+
+ def run(self):
+ try:
+ self.uc.emu_start(self.pc, self.pc + 1)
+ pass
+ except Exception as e:
+ self.print_ctx(print)
+ pass
+
+if __name__ == '__main__':
+ emulator = ExynosEmulator("../S7/rom.bin")
+ emulator.run()
\ No newline at end of file
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 8ad0527..327374f 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
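Review bot: `setup_memory` reads the ROM with `open(self.rom_path, "rb").read()` and never closes the handle, and it writes the whole image at 0x0 without checking that it fits the 128 KB mapping created one line earlier, so an oversized image fails inside `mem_write` with an unmapped-memory error instead of a clear message. Read it once with `with open(self.rom_path, "rb") as f: rom = f.read()`, then `if len(rom) > 128 * KB: raise ValueError(f"ROM image is {len(rom):#x} bytes, exceeds the mapped 128 KB")` before `self.uc.mem_write(0x0, rom)`. In `run`, `except Exception as e` prints the context and then returns normally, so a caller cannot distinguish a clean stop from a fault; re-raise after `self.print_ctx(print)` or at least include `e` in the output. The end address in `emu_start(self.pc, self.pc + 1)` is never equal to a 4-byte-aligned A64 PC, so it presumably means "run until a fault"; a comment saying so would help, and the stray `pass` statements can be removed.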
@@ -385,6 +385,23 @@ class ExynosDevice():
 assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
 self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
+ def relocate_debugger_2(self):
+ # Seems to be cleared upon cache clearing??
+ if os.getenv("USER") == "eljakim":
+ debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
+ else:
+ try:
+ debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
+ except Exception as e:
+ print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
+ sys.exit(0)
+
+ self.cd.memwrite_region(0x020c0000, debugger_reloc)
+ # self.usb_write(b"FLSH") # Flush cache
+ self.cd.restore_stack_and_jump(0x020c0000)
+ assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
+ self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
+
 def dumb_interact(self, dump_imems=False):
 '''
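Review bot: In `relocate_debugger_2` the fallback path calls `sys.exit(0)` after a failed open, which reports success to the caller and to any script driving the tool, and the message names `dump/debugger.bin` while the path actually opened is `../../dump/reloc_debugger.bin`. Use `sys.exit(1)` (or let the error propagate) and name the real path in the message; `except Exception` can be narrowed to `except OSError`. Both `open(...).read()` calls leave their file handles open, and the `if os.getenv("USER") == "eljakim"` branch hard-codes one developer's home directory — resolve a single path first (an environment variable or a CLI argument with the relative default) and read it with `with open(path, "rb") as f: debugger_reloc = f.read()`. The runtime check `assert self.usb_read(0x200) == b"GiAs"` is stripped under `python -O`; an explicit `if self.usb_read(0x200) != b"GiAs": raise RuntimeError("Failed to relocate debugger")` keeps it. The method repeats the tail of `relocate_debugger` directly above it (whose body starts outside the hunk), so the two could share a helper that takes the image bytes.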
@@ -612,15 +629,43 @@ class ExynosDevice(): # ==== BL31 ==== assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" - self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # To continue booting next stages - self.cd.restore_stack_and_jump(hijacked_fun) + + self.cd.memwrite_region(self.cd.arch_dbg.state.X0, open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) + + + lr = self.cd.arch_dbg.state.LR + self.cd.arch_dbg.state.LR = DEBUGGER_ADDR + self.cd.restore_stack_and_jump(hijacked_fun) # will jump back to debugger after downloading the next stage time.sleep(2) self.connect_device() + + - self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) + self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()[:0x10]) + time.sleep(2) + + self.usb_read(0x200) # GiAs + # lr = self.cd.arch_dbg.state.LR + self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) + GADGET_RET0 = 0x00000d58 + self.cd.memwrite_region(0x020200e4, p32(GADGET_RET0)) + + # ====== PATCHES TO BL31 here! ====== + # TODO fix not checking signatures + # self.cd.memwrite_region(0x02031008, b"ELH") + # self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) + # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR + # self.cd.arch_dbg.state.X0 = 0x020347f0 + # self.cd.arch_dbg.state.X1 = 0 + # self.cd.restore_stack_and_jump(0x02030464) + self.cd.restore_stack_and_jump(lr) + time.sleep(2) self.connect_device() - time.sleep(1) + + + # self.usb_read(0x200) # GiAs + # self.cd.restore_stack_and_jump(hijacked_fun) # ==== Stage 3 BL2 ==== self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) 
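Review bot: The stage image `../S7/g930f_latest/g930f_sboot.bin.2.bin` is opened and read twice in this hunk — once in full for `memwrite_region`, once for the `[:0x10]` prefix passed to `send_normal_stage` — each time without closing the handle; read it once with `with open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb") as f: bl31 = f.read()` and slice that local. `GADGET_RET0 = 0x00000d58` is a function-local magic address with no note on which image it belongs to; hoist it to a named module-level constant beside `DEBUGGER_ADDR` (which this code appears to treat as one) with a one-line comment. The commented-out blocks under `# ====== PATCHES TO BL31 here! ======` and the `# self.usb_read(0x200) # GiAs` pair are dead code in the live path and should be removed or put behind a flag so the sequence can be read straight through; `lr` is saved before `state.LR` is overwritten and only consumed much later at `restore_stack_and_jump(lr)`, so a comment such as `# original return address of the download routine, restored below` at the assignment would help. The enclosing method starts and ends outside the hunk.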
@@ -629,9 +674,17 @@ class ExynosDevice(): # ==== Stage 4 ==== - self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()) + stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() + # Patching + # stage4_len = len(stage4) + # patch_len = len(b"USB RECOVERY MODE") + # patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE"))) + # patch_offset = stage4.find(b"USB RECOVERY MODE") + # stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:] + # assert len(stage4) == stage4_len, "Invalid stage4 length" + self.send_normal_stage(stage4) time.sleep(2) - self.connect_device() + pass diff --git a/source/gupje_device/device.h b/source/gupje_device/device.h index e3e78ff..d255992 100644 --- a/source/gupje_device/device.h +++ b/source/gupje_device/device.h @@ -25,8 +25,8 @@ int mystrlen(char *data) { #define recv_buffer 0x020c6200 #define data_received 0x020c6000 #else -#define recv_buffer 0x206fe00 //0x02021800 + 0x3000 -#define data_received 0x206fd00 +#define recv_buffer 0x206f000 //0x02021800 + 0x3000 +#define data_received 0x206f100 #endif void recv_data_cb(uint32_t endpoint, uint32_t len){ diff --git a/source/gupje_device/reloc2_linkscript.ld b/source/gupje_device/reloc2_linkscript.ld new file mode 100644 index 0000000..3d1a536 --- /dev/null +++ b/source/gupje_device/reloc2_linkscript.ld @@ -0,0 +1,14 @@ +MEMORY { + ROM (rwx): ORIGIN = 0x020c0000, LENGTH = 0x1000 +} + +SECTIONS +{ + . = 0x020c0000; + .text . : { + *(.text*) + *(.data*) + *(.rodata*) + } >ROM + +} \ No newline at end of file diff --git a/source/gupje_device/reloc2_symbols.txt b/source/gupje_device/reloc2_symbols.txt new file mode 100644 index 0000000..bab33dc --- /dev/null +++ b/source/gupje_device/reloc2_symbols.txt 
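Review bot: The `pass` that replaced `self.connect_device()` after `time.sleep(2)` is a no-op left at the end of the stage-4 block; drop it (and the sleep, if nothing after it depends on the delay) rather than leave a placeholder that reads like an intentional wait. `stage4 = open(...).read()` leaks the handle; `with open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb") as f: stage4 = f.read()`. The commented-out block under `# Patching` is dead code on the live path; if it is meant to return, move it into a small helper such as `_patch_stage4(stage4)` behind a flag, otherwise remove it. The enclosing method starts outside the hunk and may continue past it.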
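Review bot: The new `#else` layout places `data_received` (`0x206f100`) only 0x100 bytes above `recv_buffer` (`0x206f000`), whereas the `#if` branch keeps the flag below the buffer with 0x200 of separation; if `recv_data_cb` can receive more than 0x100 bytes into `recv_buffer`, the flag word gets overwritten. Either keep the flag below the buffer as in the other branch or add a comment stating the maximum receive length the layout assumes. The trailing comment `//0x02021800 + 0x3000` does not describe either value (that sum is 0x02024800) and should be corrected or dropped. `recv_data_cb` begins on the hunk's last line and continues outside it.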
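Review bot: The only output section gathers `.text*`, `.data*` and `.rodata*` but no `.bss*`/`COMMON`, so any zero-initialised or uninitialised globals in the relocated debugger would likely be placed by ld's orphan rules rather than inside the 0x1000-byte `ROM` region, escaping its size check; add `*(.bss*) *(COMMON)` to the section or give them a dedicated output section assigned `>ROM`. The region is named `ROM` yet declared `rwx` and holds `.data`, which misleads for an area written at runtime — `RAM` or `DBG` would read better. `. = 0x020c0000;` repeats `ORIGIN` and can be dropped, since `>ROM` already places the section.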
@@ -0,0 +1,12 @@
+debugger_storage = 0x020c4000;
+debugger_stack = 0x020c2000;
+debugger_entry = 0x020c0000;
+
+maybe_usb_setup_read = 0x00006f88;
+dwc3_ep0_start_trans = 0x0000791c;
+usb_event_handler = 0x00007bac;
+get_endpoint_recv_buffer = 0x00007a7c;
+exynos_sleep = 0x000027c8;
+
+g_recv_buffer = 0x020c6200;
+g_data_received = 0x020c6000;
\ No newline at end of file
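Review bot: `g_recv_buffer = 0x020c6200;` and `g_data_received = 0x020c6000;` duplicate the `recv_buffer`/`data_received` defines in `device.h`, which this same commit changes in one branch only, so the two copies can drift silently; a comment at the top of this file naming `device.h` as the authoritative source (or generating this file from it) would make the dependency visible. The `maybe_` prefix on `maybe_usb_setup_read` marks an unconfirmed symbol; a short comment on how the address was identified, or a `TODO` to confirm it, helps the next reader.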