EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Debugger overwritten by BL2. Working on better memory map

Browse Source
This commit is contained in:
Jonathan Herrewijnen 2024-08-23 18:05:06 +02:00
parent 98033c5d61
commit 3039e1dbc7
3 changed files with 348 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

437
documentation/source/_ignore/draw_boot.ipynb
View File

@ -2,7 +2,7 @@
"cells": [
{
"cell_type": "code",
"execution_count": 263,
"execution_count": 50,
"metadata": {},
"outputs": [],
"source": [
@ -20,24 +20,235 @@
},
{
"cell_type": "code",
"execution_count": 264,
"execution_count": 51,
"metadata": {},
"outputs": [],
"source": [
"import pandas as pd\n",
"data = pd.read_csv('stack_and_functions.csv').to_dict(orient='records')"
"data = pd.read_csv('stack_and_functions.csv')\n",
"\n",
"def convert_to_int(value):\n",
" try:\n",
" if isinstance(value, str) and value.startswith('0x'):\n",
" return int(value, 16)\n",
" else:\n",
" return int(value)\n",
" except ValueError:\n",
" return value \n",
"\n",
"data.sort_values(by=['start'], inplace=True)\n",
"data['start'] = data['start'].apply(convert_to_int)\n",
"data['end'] = data['end'].apply(convert_to_int)\n",
"\n",
"# Check for overlapping ranges, annotatie row with overlap\n",
"data['overlap'] = False\n",
"for i, row in data.iterrows():\n",
" for j, row2 in data.iterrows():\n",
" if i == j:\n",
" continue\n",
" if row['start'] < row2['end'] and row['end'] > row2['start']:\n",
" data.at[i, 'overlap'] = True\n",
" data.at[j, 'overlap'] = True\n",
" data.at[i, 'overlap_with'] = j"
]
},
{
"cell_type": "code",
"execution_count": 52,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>start</th>\n",
" <th>end</th>\n",
" <th>name</th>\n",
" <th>order</th>\n",
" <th>comment</th>\n",
" <th>overlap</th>\n",
" <th>overlap_with</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>0</td>\n",
" <td>131072</td>\n",
" <td>BootROM</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>4.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>704</td>\n",
" <td>21184</td>\n",
" <td>BL1 boot entry point</td>\n",
" <td>ENTRY</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>25824</td>\n",
" <td>46304</td>\n",
" <td>Boot USB function</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>75848</td>\n",
" <td>96328</td>\n",
" <td>bootrom authentication function</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>103184</td>\n",
" <td>123664</td>\n",
" <td>BL1 boot function</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>2146304</td>\n",
" <td>2166784</td>\n",
" <td>Frederic Destination pointer</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>False</td>\n",
" <td>NaN</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>33689440</td>\n",
" <td>33689448</td>\n",
" <td>Boot USB return address</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>False</td>\n",
" <td>NaN</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>33691000</td>\n",
" <td>33711480</td>\n",
" <td>Event buffer pointer</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>8.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>33691648</td>\n",
" <td>33712128</td>\n",
" <td>BL1 pointer</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>7.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>33984512</td>\n",
" <td>34004992</td>\n",
" <td>First debugger location</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>10.0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>33992704</td>\n",
" <td>34013184</td>\n",
" <td>End of memory stack</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>True</td>\n",
" <td>9.0</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" start end name order comment \\\n",
"0 0 131072 BootROM NaN NaN \n",
"1 704 21184 BL1 boot entry point ENTRY NaN \n",
"2 25824 46304 Boot USB function NaN NaN \n",
"3 75848 96328 bootrom authentication function NaN NaN \n",
"4 103184 123664 BL1 boot function NaN NaN \n",
"5 2146304 2166784 Frederic Destination pointer NaN NaN \n",
"6 33689440 33689448 Boot USB return address NaN NaN \n",
"7 33691000 33711480 Event buffer pointer NaN NaN \n",
"8 33691648 33712128 BL1 pointer NaN NaN \n",
"9 33984512 34004992 First debugger location NaN NaN \n",
"10 33992704 34013184 End of memory stack NaN NaN \n",
"\n",
" overlap overlap_with \n",
"0 True 4.0 \n",
"1 True 0.0 \n",
"2 True 0.0 \n",
"3 True 0.0 \n",
"4 True 0.0 \n",
"5 False NaN \n",
"6 False NaN \n",
"7 True 8.0 \n",
"8 True 7.0 \n",
"9 True 10.0 \n",
"10 True 9.0 "
]
},
"execution_count": 52,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"data"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Create block diagram"
"Create stacked block diagram"
]
},
{
"cell_type": "code",
"execution_count": 266,
"execution_count": 53,
"metadata": {},
"outputs": [
{
@ -49,7 +260,7 @@
"data": [
{
"marker": {
"color": "#768f95"
"color": "#2b5c62"
},
"mode": "text",
"name": "BootROM",
@ -57,15 +268,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
2.1463414634146343
2.2856563094483198
]
},
{
"marker": {
"color": "#2564cb"
"color": "#c3bb78"
},
"mode": "text",
"name": "BL1 boot entry point",
@ -76,12 +287,12 @@
0.5
],
"y": [
4.628048780487806
4.928446417247939
]
},
{
"marker": {
"color": "#9e0519"
"color": "#086666"
},
"mode": "text",
"name": "Boot USB function",
@ -89,15 +300,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
5.298780487804878
5.64271401395054
]
},
{
"marker": {
"color": "#2f0c12"
"color": "#9744a8"
},
"mode": "text",
"name": "bootrom authentication function",
@ -105,15 +316,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
5.969512195121951
6.356981610653138
]
},
{
"marker": {
"color": "#7e4e8a"
"color": "#331fdf"
},
"mode": "text",
"name": "BL1 boot function",
@ -121,15 +332,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
6.640243902439026
7.07124920735574
]
},
{
"marker": {
"color": "#43f7e5"
"color": "#972c60"
},
"mode": "text",
"name": "Frederic Destination pointer",
@ -137,15 +348,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
7.310975609756099
7.7855168040583385
]
},
{
"marker": {
"color": "#d4b036"
"color": "#2c2ca0"
},
"mode": "text",
"name": "Boot USB return address",
@ -153,15 +364,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
7.981707317073173
8.14279010779962
]
},
{
"marker": {
"color": "#574d7b"
"color": "#d1058f"
},
"mode": "text",
"name": "Event buffer pointer",
@ -169,15 +380,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
8.652439024390247
8.500063411540902
]
},
{
"marker": {
"color": "#34619d"
"color": "#7d4052"
},
"mode": "text",
"name": "BL1 pointer",
@ -185,15 +396,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
9.32317073170732
9.2143310082435
]
},
{
"marker": {
"color": "#57f720"
"color": "#e8bcfa"
},
"mode": "text",
"name": "First debugger location",
@ -201,15 +412,15 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
9.993902439024394
9.928598604946101
]
},
{
"marker": {
"color": "#dca8fd"
"color": "#81a246"
},
"mode": "text",
"name": "End of memory stack",
@ -217,10 +428,10 @@
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
1.5
],
"y": [
10.664634146341468
10.6428662016487
]
}
],
@ -243,20 +454,20 @@
},
"shapes": [
{
"fillcolor": "#768f95",
"fillcolor": "#2b5c62",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"x0": 1,
"x1": 2,
"y0": 0,
"y1": 4.2926829268292686
"y1": 4.5713126188966395
},
{
"fillcolor": "#2564cb",
"fillcolor": "#c3bb78",
"layer": "below",
"line": {
"width": 2
@ -265,125 +476,125 @@
"type": "rect",
"x0": 0,
"x1": 1,
"y0": 4.2926829268292686,
"y1": 4.963414634146342
"y0": 4.5713126188966395,
"y1": 5.285580215599239
},
{
"fillcolor": "#9e0519",
"fillcolor": "#086666",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 4.963414634146342,
"y1": 5.634146341463415
"x0": 1,
"x1": 2,
"y0": 5.285580215599239,
"y1": 5.999847812301839
},
{
"fillcolor": "#2f0c12",
"fillcolor": "#9744a8",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 5.634146341463415,
"y1": 6.3048780487804885
"x0": 1,
"x1": 2,
"y0": 5.999847812301839,
"y1": 6.714115409004439
},
{
"fillcolor": "#7e4e8a",
"fillcolor": "#331fdf",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 6.3048780487804885,
"y1": 6.975609756097562
"x0": 1,
"x1": 2,
"y0": 6.714115409004439,
"y1": 7.428383005707039
},
{
"fillcolor": "#43f7e5",
"fillcolor": "#972c60",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 6.975609756097562,
"y1": 7.646341463414636
"x0": 1,
"x1": 2,
"y0": 7.428383005707039,
"y1": 8.142650602409638
},
{
"fillcolor": "#d4b036",
"fillcolor": "#2c2ca0",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 7.646341463414636,
"y1": 8.31707317073171
"x0": 1,
"x1": 2,
"y0": 8.142650602409638,
"y1": 8.142929613189601
},
{
"fillcolor": "#574d7b",
"fillcolor": "#d1058f",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 8.31707317073171,
"y1": 8.987804878048784
"x0": 1,
"x1": 2,
"y0": 8.142929613189601,
"y1": 8.8571972098922
},
{
"fillcolor": "#34619d",
"fillcolor": "#7d4052",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 8.987804878048784,
"y1": 9.658536585365857
"x0": 1,
"x1": 2,
"y0": 8.8571972098922,
"y1": 9.5714648065948
},
{
"fillcolor": "#57f720",
"fillcolor": "#e8bcfa",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 9.658536585365857,
"y1": 10.329268292682931
"x0": 1,
"x1": 2,
"y0": 9.5714648065948,
"y1": 10.2857324032974
},
{
"fillcolor": "#dca8fd",
"fillcolor": "#81a246",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0.1,
"x1": 1,
"y0": 10.329268292682931,
"y1": 11.000000000000005
"x0": 1,
"x1": 2,
"y0": 10.2857324032974,
"y1": 11
}
],
"template": {
@ -1202,16 +1413,18 @@
}
}
},
"width": 1000,
"width": 1600,
"xaxis": {
"range": [
0,
1
3
],
"showticklabels": false,
"tickvals": [
0,
1
1,
2,
3
]
},
"yaxis": {
@ -1226,7 +1439,7 @@
"0x17848<br>0x12848",
"0x1e310<br>0x19310",
"0x211000<br>0x20c000",
"0x2025f60<br>0x2020f60",
"0x2020f68<br>0x2020f60",
"0x2026578<br>0x2021578",
"0x2026800<br>0x2021800",
"0x206e000<br>0x2069000",
@ -1245,7 +1458,7 @@
"0x20c000",
"0x211000",
"0x2020f60",
"0x2025f60",
"0x2020f68",
"0x2021578",
"0x2026578",
"0x2021800",
@ -1258,16 +1471,16 @@
],
"tickvals": [
0,
4.2926829268292686,
4.963414634146342,
5.634146341463415,
6.3048780487804885,
6.975609756097562,
7.646341463414636,
8.31707317073171,
8.987804878048784,
9.658536585365857,
10.329268292682931
4.5713126188966395,
5.285580215599239,
5.999847812301839,
6.714115409004439,
7.428383005707039,
8.142650602409638,
8.142929613189601,
8.8571972098922,
9.5714648065948,
10.2857324032974
]
}
}
@ -1281,6 +1494,8 @@
"import plotly.graph_objects as go\n",
"import random\n",
"\n",
"data = data.to_dict(orient='records')\n",
"\n",
"# If there is no end, set it to start + 0x1000\n",
"for d in data:\n",
" if 'end' not in d:\n",
@ -1307,16 +1522,16 @@
" max_y = (prev_y + ((d['end'] - d['start']) / total_used_len))\n",
" fillcolor = random_color()\n",
"\n",
" if d['Order'] == \"ENTRY\":\n",
" if d['order'] == \"ENTRY\":\n",
" x0 = 0\n",
" else:\n",
" x0 = 0.1\n",
" x0 = 1\n",
"\n",
" fig.add_shape(\n",
" type=\"rect\",\n",
" x0=x0,\n",
" y0=prev_y * len(data),\n",
" x1=0 + 1,\n",
" x1=x0 + 1,\n",
" y1=max_y * len(data),\n",
" line=dict(width=2),\n",
" fillcolor=fillcolor,\n",
@ -1329,7 +1544,7 @@
"\n",
" fig.add_trace(go.Scatter\n",
" (\n",
" x=[0.5],\n",
" x=[x0+0.5],\n",
" y=tickpoint,\n",
" text=d['name'],\n",
" mode=\"text\",\n",
@ -1344,8 +1559,8 @@
" prev_y = max_y\n",
"\n",
"fig.update_xaxes(\n",
" range=[0, 1],\n",
" tickvals=[0, 1],\n",
" range=[0, 3],\n",
" tickvals=[0, 1, 2, 3],\n",
")\n",
"\n",
"labels = [hex(value) for d in data for value in (d.get('start'), d['end']) if 'end' in d]\n",
@ -1377,7 +1592,7 @@
")\n",
"\n",
"fig.update_layout(\n",
" width=1000,\n",
" width=1600,\n",
" height=1200,\n",
" autosize=True,\n",
" margin=dict(l=200, r=20, t=20, b=20),\n",

4
documentation/source/_ignore/stack_and_functions.csv
View File

@ -1,11 +1,11 @@
start,end,name,Order,Comment
start,end,name,order,comment
0,131072,BootROM,,
704,21184,BL1 boot entry point,ENTRY,
25824,46304,Boot USB function,,
75848,96328,bootrom authentication function,,
103184,123664,BL1 boot function,,
2146304,2166784,Frederic Destination pointer,,
33689440,33709920,Boot USB return address,,
33689440,33689448,Boot USB return address,,
33691000,33711480,Event buffer pointer,,
33691648,33712128,BL1 pointer,,
33984512,34004992,First debugger location,,

1 start end name Order order Comment comment
2 0 131072 BootROM
3 704 21184 BL1 boot entry point ENTRY
4 25824 46304 Boot USB function
5 75848 96328 bootrom authentication function
6 103184 123664 BL1 boot function
7 2146304 2166784 Frederic Destination pointer
8 33689440 33709920 33689448 Boot USB return address
9 33691000 33711480 Event buffer pointer
10 33691648 33712128 BL1 pointer
11 33984512 34004992 First debugger location

21
source/exploit/exploit.py
View File

@ -401,6 +401,25 @@ class ExynosDevice():
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def relocate_debugger_3(self):
"""
Relocate debugger to 0x0201a000, 0x0201c000, 0x0201a000
"""
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger_0x0201a000.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger_0x0201a000.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
# self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def dumb_interact(self, dump_imems=False):
@ -664,7 +683,7 @@ class ExynosDevice():
# self.cd.memwrite_region(0x02020, p32(DEBUGGER_ADDR)) # Restore original boot flow
# Jump into USB download function
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# WORKS
self.cd.restore_stack_and_jump(hijacked_fun)