From 3039e1dbc7b676ba3da32a3efe309d54a073ab65 Mon Sep 17 00:00:00 2001 From: Jonathan Herrewijnen Date: Fri, 23 Aug 2024 18:05:06 +0200 Subject: [PATCH] Debugger overwritten by BL2. Working on better memory map --- documentation/source/_ignore/draw_boot.ipynb | 437 +++++++++++++----- .../source/_ignore/stack_and_functions.csv | 4 +- source/exploit/exploit.py | 21 +- 3 files changed, 348 insertions(+), 114 deletions(-) diff --git a/documentation/source/_ignore/draw_boot.ipynb b/documentation/source/_ignore/draw_boot.ipynb index c4f5244..4fc7c83 100644 --- a/documentation/source/_ignore/draw_boot.ipynb +++ b/documentation/source/_ignore/draw_boot.ipynb @@ -2,7 +2,7 @@ "cells": [ { "cell_type": "code", - "execution_count": 263, + "execution_count": 50, "metadata": {}, "outputs": [], "source": [ 
@@ -20,24 +20,235 @@ }, { "cell_type": "code", - "execution_count": 264, + "execution_count": 51, "metadata": {}, "outputs": [], "source": [ "import pandas as pd\n", - "data = pd.read_csv('stack_and_functions.csv').to_dict(orient='records')" + "data = pd.read_csv('stack_and_functions.csv')\n", + "\n", + "def convert_to_int(value):\n", + " try:\n", + " if isinstance(value, str) and value.startswith('0x'):\n", + " return int(value, 16)\n", + " else:\n", + " return int(value)\n", + " except ValueError:\n", + " return value \n", + "\n", + "data.sort_values(by=['start'], inplace=True)\n", + "data['start'] = data['start'].apply(convert_to_int)\n", + "data['end'] = data['end'].apply(convert_to_int)\n", + "\n", + "# Check for overlapping ranges, annotatie row with overlap\n", + "data['overlap'] = False\n", + "for i, row in data.iterrows():\n", + " for j, row2 in data.iterrows():\n", + " if i == j:\n", + " continue\n", + " if row['start'] < row2['end'] and row['end'] > row2['start']:\n", + " data.at[i, 'overlap'] = True\n", + " data.at[j, 'overlap'] = True\n", + " data.at[i, 'overlap_with'] = j" + ] + }, + { + "cell_type": "code", + "execution_count": 52, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
startendnameordercommentoverlapoverlap_with
00131072BootROMNaNNaNTrue4.0
170421184BL1 boot entry pointENTRYNaNTrue0.0
22582446304Boot USB functionNaNNaNTrue0.0
37584896328bootrom authentication functionNaNNaNTrue0.0
4103184123664BL1 boot functionNaNNaNTrue0.0
521463042166784Frederic Destination pointerNaNNaNFalseNaN
63368944033689448Boot USB return addressNaNNaNFalseNaN
73369100033711480Event buffer pointerNaNNaNTrue8.0
83369164833712128BL1 pointerNaNNaNTrue7.0
93398451234004992First debugger locationNaNNaNTrue10.0
103399270434013184End of memory stackNaNNaNTrue9.0
\n", + "
" + ], + "text/plain": [ + " start end name order comment \\\n", + "0 0 131072 BootROM NaN NaN \n", + "1 704 21184 BL1 boot entry point ENTRY NaN \n", + "2 25824 46304 Boot USB function NaN NaN \n", + "3 75848 96328 bootrom authentication function NaN NaN \n", + "4 103184 123664 BL1 boot function NaN NaN \n", + "5 2146304 2166784 Frederic Destination pointer NaN NaN \n", + "6 33689440 33689448 Boot USB return address NaN NaN \n", + "7 33691000 33711480 Event buffer pointer NaN NaN \n", + "8 33691648 33712128 BL1 pointer NaN NaN \n", + "9 33984512 34004992 First debugger location NaN NaN \n", + "10 33992704 34013184 End of memory stack NaN NaN \n", + "\n", + " overlap overlap_with \n", + "0 True 4.0 \n", + "1 True 0.0 \n", + "2 True 0.0 \n", + "3 True 0.0 \n", + "4 True 0.0 \n", + "5 False NaN \n", + "6 False NaN \n", + "7 True 8.0 \n", + "8 True 7.0 \n", + "9 True 10.0 \n", + "10 True 9.0 " + ] + }, + "execution_count": 52, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "data" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ - "Create block diagram" + "Create stacked block diagram" ] }, { "cell_type": "code", - "execution_count": 266, + "execution_count": 53, "metadata": {}, "outputs": [ { @@ -49,7 +260,7 @@ "data": [ { "marker": { - "color": "#768f95" + "color": "#2b5c62" }, "mode": "text", "name": "BootROM", @@ -57,15 +268,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 2.1463414634146343 + 2.2856563094483198 ] }, { "marker": { - "color": "#2564cb" + "color": "#c3bb78" }, "mode": "text", "name": "BL1 boot entry point", @@ -76,12 +287,12 @@ 0.5 ], "y": [ - 4.628048780487806 + 4.928446417247939 ] }, { "marker": { - "color": "#9e0519" + "color": "#086666" }, "mode": "text", "name": "Boot USB function", 
@@ -89,15 +300,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 5.298780487804878 + 5.64271401395054 ] }, { "marker": { - "color": "#2f0c12" + "color": "#9744a8" }, "mode": "text", "name": "bootrom authentication function", @@ -105,15 +316,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 5.969512195121951 + 6.356981610653138 ] }, { "marker": { - "color": "#7e4e8a" + "color": "#331fdf" }, "mode": "text", "name": "BL1 boot function", @@ -121,15 +332,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 6.640243902439026 + 7.07124920735574 ] }, { "marker": { - "color": "#43f7e5" + "color": "#972c60" }, "mode": "text", "name": "Frederic Destination pointer", @@ -137,15 +348,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 7.310975609756099 + 7.7855168040583385 ] }, { "marker": { - "color": "#d4b036" + "color": "#2c2ca0" }, "mode": "text", "name": "Boot USB return address", @@ -153,15 +364,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 7.981707317073173 + 8.14279010779962 ] }, { "marker": { - "color": "#574d7b" + "color": "#d1058f" }, "mode": "text", "name": "Event buffer pointer", @@ -169,15 +380,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 8.652439024390247 + 8.500063411540902 ] }, { "marker": { - "color": "#34619d" + "color": "#7d4052" }, "mode": "text", "name": "BL1 pointer", @@ -185,15 +396,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 9.32317073170732 + 9.2143310082435 ] }, { "marker": { - "color": "#57f720" + "color": "#e8bcfa" }, "mode": "text", "name": "First debugger location", 
@@ -201,15 +412,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 9.993902439024394 + 9.928598604946101 ] }, { "marker": { - "color": "#dca8fd" + "color": "#81a246" }, "mode": "text", "name": "End of memory stack", @@ -217,10 +428,10 @@ "textposition": "middle center", "type": "scatter", "x": [ - 0.5 + 1.5 ], "y": [ - 10.664634146341468 + 10.6428662016487 ] } ], @@ -243,20 +454,20 @@ }, "shapes": [ { - "fillcolor": "#768f95", + "fillcolor": "#2b5c62", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, + "x0": 1, + "x1": 2, "y0": 0, - "y1": 4.2926829268292686 + "y1": 4.5713126188966395 }, { - "fillcolor": "#2564cb", + "fillcolor": "#c3bb78", "layer": "below", "line": { "width": 2 
@@ -265,125 +476,125 @@ "type": "rect", "x0": 0, "x1": 1, - "y0": 4.2926829268292686, - "y1": 4.963414634146342 + "y0": 4.5713126188966395, + "y1": 5.285580215599239 }, { - "fillcolor": "#9e0519", + "fillcolor": "#086666", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 4.963414634146342, - "y1": 5.634146341463415 + "x0": 1, + "x1": 2, + "y0": 5.285580215599239, + "y1": 5.999847812301839 }, { - "fillcolor": "#2f0c12", + "fillcolor": "#9744a8", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 5.634146341463415, - "y1": 6.3048780487804885 + "x0": 1, + "x1": 2, + "y0": 5.999847812301839, + "y1": 6.714115409004439 }, { - "fillcolor": "#7e4e8a", + "fillcolor": "#331fdf", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 6.3048780487804885, - "y1": 6.975609756097562 + "x0": 1, + "x1": 2, + "y0": 6.714115409004439, + "y1": 7.428383005707039 }, { - "fillcolor": "#43f7e5", + "fillcolor": "#972c60", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 6.975609756097562, - "y1": 7.646341463414636 + "x0": 1, + "x1": 2, + "y0": 7.428383005707039, + "y1": 8.142650602409638 }, { - "fillcolor": "#d4b036", + "fillcolor": "#2c2ca0", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 7.646341463414636, - "y1": 8.31707317073171 + "x0": 1, + "x1": 2, + "y0": 8.142650602409638, + "y1": 8.142929613189601 }, { - "fillcolor": "#574d7b", + "fillcolor": "#d1058f", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 8.31707317073171, - "y1": 8.987804878048784 + "x0": 1, + "x1": 2, + "y0": 8.142929613189601, + "y1": 8.8571972098922 }, { - "fillcolor": "#34619d", + "fillcolor": "#7d4052", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - 
"x0": 0.1, - "x1": 1, - "y0": 8.987804878048784, - "y1": 9.658536585365857 + "x0": 1, + "x1": 2, + "y0": 8.8571972098922, + "y1": 9.5714648065948 }, { - "fillcolor": "#57f720", + "fillcolor": "#e8bcfa", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 9.658536585365857, - "y1": 10.329268292682931 + "x0": 1, + "x1": 2, + "y0": 9.5714648065948, + "y1": 10.2857324032974 }, { - "fillcolor": "#dca8fd", + "fillcolor": "#81a246", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.1, - "x1": 1, - "y0": 10.329268292682931, - "y1": 11.000000000000005 + "x0": 1, + "x1": 2, + "y0": 10.2857324032974, + "y1": 11 } ], "template": { @@ -1202,16 +1413,18 @@ } } }, - "width": 1000, + "width": 1600, "xaxis": { "range": [ 0, - 1 + 3 ], "showticklabels": false, "tickvals": [ 0, - 1 + 1, + 2, + 3 ] }, "yaxis": { @@ -1226,7 +1439,7 @@ "0x17848
0x12848", "0x1e310
0x19310", "0x211000
0x20c000", - "0x2025f60
0x2020f60", + "0x2020f68
0x2020f60", "0x2026578
0x2021578", "0x2026800
0x2021800", "0x206e000
0x2069000", @@ -1245,7 +1458,7 @@ "0x20c000", "0x211000", "0x2020f60", - "0x2025f60", + "0x2020f68", "0x2021578", "0x2026578", "0x2021800", @@ -1258,16 +1471,16 @@ ], "tickvals": [ 0, - 4.2926829268292686, - 4.963414634146342, - 5.634146341463415, - 6.3048780487804885, - 6.975609756097562, - 7.646341463414636, - 8.31707317073171, - 8.987804878048784, - 9.658536585365857, - 10.329268292682931 + 4.5713126188966395, + 5.285580215599239, + 5.999847812301839, + 6.714115409004439, + 7.428383005707039, + 8.142650602409638, + 8.142929613189601, + 8.8571972098922, + 9.5714648065948, + 10.2857324032974 ] } } @@ -1281,6 +1494,8 @@ "import plotly.graph_objects as go\n", "import random\n", "\n", + "data = data.to_dict(orient='records')\n", + "\n", "# If there is no end, set it to start + 0x1000\n", "for d in data:\n", " if 'end' not in d:\n", @@ -1307,16 +1522,16 @@ " max_y = (prev_y + ((d['end'] - d['start']) / total_used_len))\n", " fillcolor = random_color()\n", "\n", - " if d['Order'] == \"ENTRY\":\n", + " if d['order'] == \"ENTRY\":\n", " x0 = 0\n", " else:\n", - " x0 = 0.1\n", + " x0 = 1\n", "\n", " fig.add_shape(\n", " type=\"rect\",\n", " x0=x0,\n", " y0=prev_y * len(data),\n", - " x1=0 + 1,\n", + " x1=x0 + 1,\n", " y1=max_y * len(data),\n", " line=dict(width=2),\n", " fillcolor=fillcolor,\n", @@ -1329,7 +1544,7 @@ "\n", " fig.add_trace(go.Scatter\n", " (\n", - " x=[0.5],\n", + " x=[x0+0.5],\n", " y=tickpoint,\n", " text=d['name'],\n", " mode=\"text\",\n", @@ -1344,8 +1559,8 @@ " prev_y = max_y\n", "\n", "fig.update_xaxes(\n", - " range=[0, 1],\n", - " tickvals=[0, 1],\n", + " range=[0, 3],\n", + " tickvals=[0, 1, 2, 3],\n", ")\n", "\n", "labels = [hex(value) for d in data for value in (d.get('start'), d['end']) if 'end' in d]\n", @@ -1377,7 +1592,7 @@ ")\n", "\n", "fig.update_layout(\n", - " width=1000,\n", + " width=1600,\n", " height=1200,\n", " autosize=True,\n", " margin=dict(l=200, r=20, t=20, b=20),\n", 
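Review bot: `data = data.to_dict(orient='records')` in the plotting cell rebinds the DataFrame name, so re-executing that cell, or any later cell that still expects the frame, fails with AttributeError because a list has no to_dict; bind the records to a new name, e.g. `records = data.to_dict(orient='records')`, and iterate `records` in the loops below. The `if 'end' not in d` default in the hunk's context lines presumably never fires any more, since records built from a DataFrame carry every column and a missing CSV end would arrive as NaN rather than be absent; if rows without an end are still expected, test `pd.isna(d['end'])` instead.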
diff --git a/documentation/source/_ignore/stack_and_functions.csv b/documentation/source/_ignore/stack_and_functions.csv index 0fe150f..3cb89d1 100644 --- a/documentation/source/_ignore/stack_and_functions.csv +++ b/documentation/source/_ignore/stack_and_functions.csv @@ -1,11 +1,11 @@ -start,end,name,Order,Comment +start,end,name,order,comment 0,131072,BootROM,, 704,21184,BL1 boot entry point,ENTRY, 25824,46304,Boot USB function,, 75848,96328,bootrom authentication function,, 103184,123664,BL1 boot function,, 2146304,2166784,Frederic Destination pointer,, -33689440,33709920,Boot USB return address,, +33689440,33689448,Boot USB return address,, 33691000,33711480,Event buffer pointer,, 33691648,33712128,BL1 pointer,, 33984512,34004992,First debugger location,, diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index 0726320..62c17b1 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py @@ -401,6 +401,25 @@ class ExynosDevice(): self.cd.restore_stack_and_jump(0x020c0000) assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) + + def relocate_debugger_3(self): + """ + Relocate debugger to 0x0201a000, 0x0201c000, 0x0201a000 + """ + if os.getenv("USER") == "eljakim": + debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger_0x0201a000.bin", "rb").read() + else: + try: + debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read() + except Exception as e: + print(f'Are you missing your debugger? Please ensure it is present in dump/debugger_0x0201a000.bin. {e}') + sys.exit(0) + + self.cd.memwrite_region(0x020c0000, debugger_reloc) + # self.usb_write(b"FLSH") # Flush cache + self.cd.restore_stack_and_jump(0x020c0000) + assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" + self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) def dumb_interact(self, dump_imems=False): 
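Review bot: The docstring of the new relocate_debugger_3 says the debugger goes to 0x0201a000 / 0x0201c000 / 0x0201a000, but every address the body uses (memwrite_region at 0x020c0000, relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)) is identical to the preceding method whose tail forms the hunk's context, so either the docstring or the code is wrong and the commit title suggests the new image is the intent. The error message names dump/debugger_0x0201a000.bin while the open() call reads ../../dump/reloc_debugger.bin, and the failure path calls `sys.exit(0)`, reporting success to any calling script. Both `open(...).read()` calls leak the file handle and only the second one is guarded; `with open(path, "rb") as f:` under one `except OSError` covers both and is narrower than `except Exception`. The user-name-keyed absolute path is a developer-specific default that belongs in an environment variable or config value rather than in the method. `assert self.usb_read(0x200) == b"GiAs"` is the only check that the relocation took effect and disappears under `python -O`; `if self.usb_read(0x200) != b"GiAs": raise RuntimeError("Failed to relocate debugger")` keeps it.
```python
    def relocate_debugger_3(self):
        """
        Relocate debugger to 0x0201a000, 0x0201c000, 0x0201a000.

        NOTE(review): the addresses used below are still the
        0x020c0000 / 0x020c7000 / 0x020c4000 set of the previous method;
        confirm which set is intended before relying on this docstring.
        """
        if os.getenv("USER") == "eljakim":
            path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger_0x0201a000.bin"
        else:
            path = "../../dump/reloc_debugger.bin"
        try:
            with open(path, "rb") as f:
                debugger_reloc = f.read()
        except OSError as e:
            print(f"Are you missing your debugger? Please ensure it is present at {path}. {e}")
            sys.exit(1)
        # … unchanged: memwrite_region, restore_stack_and_jump, usb_read check, relocate_debugger …
```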
@@ -664,7 +683,7 @@ class ExynosDevice(): # self.cd.memwrite_region(0x02020, p32(DEBUGGER_ADDR)) # Restore original boot flow # Jump into USB download function - # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR + self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # WORKS self.cd.restore_stack_and_jump(hijacked_fun)