EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Unable to get firmware loader to return to debugger (yet)

Browse Source
This commit is contained in:
Jonathan Herrewijnen 2024-08-22 19:50:46 +02:00
parent 416521c8c7
commit 4ab063cc71
6 changed files with 308 additions and 277 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
documentation/exynos_exploit_chain.odg Normal file
View File

Binary file not shown.

506
documentation/source/_ignore/draw_boot.ipynb
View File

@ -2,7 +2,7 @@
"cells": [
{
"cell_type": "code",
"execution_count": 2,
"execution_count": 263,
"metadata": {},
"outputs": [],
"source": [
@ -20,24 +20,12 @@
},
{
"cell_type": "code",
"execution_count": 3,
"execution_count": 264,
"metadata": {},
"outputs": [],
"source": [
"# Convert the following into an appropriate data object, which is searchable, from start, to end, to name and label\n",
"# - 0x00000000 to 0x00020000: BootROM\n",
"# - 0x000002c0: BL1 boot entry point\n",
"# - 0x00012848: bootrom authentication function\n",
"# - 0x00019310: BL1 boot function\n",
"# - 0x02069000: First debugger location\n",
"\n",
"data = [\n",
" {\"start\": 0x00000000, \"end\": 0x00020000, \"name\": \"BootROM\"},\n",
" {\"start\": 0x000002c0, \"name\": \"BL1 boot entry point\"},\n",
" {\"start\": 0x00012848, \"name\": \"bootrom authentication function\"},\n",
" {\"start\": 0x00019310, \"name\": \"BL1 boot function\"},\n",
" {\"start\": 0x02069000, \"name\": \"First debugger location\"}\n",
"]\n"
"import pandas as pd\n",
"data = pd.read_csv('stack_and_functions.csv').to_dict(orient='records')"
]
},
{
@ -49,7 +37,7 @@
},
{
"cell_type": "code",
"execution_count": 120,
"execution_count": 266,
"metadata": {},
"outputs": [
{
@ -60,7 +48,11 @@
},
"data": [
{
"marker": {
"color": "#768f95"
},
"mode": "text",
"name": "BootROM",
"text": "BootROM",
"textposition": "middle center",
"type": "scatter",
@ -68,11 +60,15 @@
0.5
],
"y": [
0.5
2.1463414634146343
]
},
{
"marker": {
"color": "#2564cb"
},
"mode": "text",
"name": "BL1 boot entry point",
"text": "BL1 boot entry point",
"textposition": "middle center",
"type": "scatter",
@ -80,11 +76,15 @@
0.5
],
"y": [
1.5
4.628048780487806
]
},
{
"marker": {
"color": "#9e0519"
},
"mode": "text",
"name": "Boot USB function",
"text": "Boot USB function",
"textposition": "middle center",
"type": "scatter",
@ -92,11 +92,15 @@
0.5
],
"y": [
2.5
5.298780487804878
]
},
{
"marker": {
"color": "#2f0c12"
},
"mode": "text",
"name": "bootrom authentication function",
"text": "bootrom authentication function",
"textposition": "middle center",
"type": "scatter",
@ -104,11 +108,15 @@
0.5
],
"y": [
3.5
5.969512195121951
]
},
{
"marker": {
"color": "#7e4e8a"
},
"mode": "text",
"name": "BL1 boot function",
"text": "BL1 boot function",
"textposition": "middle center",
"type": "scatter",
@ -116,71 +124,15 @@
0.5
],
"y": [
4.5
6.640243902439026
]
},
{
"mode": "text",
"text": "Boot USB return address",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
5.5
]
"marker": {
"color": "#43f7e5"
},
{
"mode": "text",
"text": "Event buffer pointer",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
6.5
]
},
{
"mode": "text",
"text": "BL1 pointer",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
7.5
]
},
{
"mode": "text",
"text": "First debugger location",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
8.5
]
},
{
"mode": "text",
"text": "End of memory stack",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
9.5
]
},
{
"mode": "text",
"name": "Frederic Destination pointer",
"text": "Frederic Destination pointer",
"textposition": "middle center",
"type": "scatter",
@ -188,13 +140,101 @@
0.5
],
"y": [
10.5
7.310975609756099
]
},
{
"marker": {
"color": "#d4b036"
},
"mode": "text",
"name": "Boot USB return address",
"text": "Boot USB return address",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
7.981707317073173
]
},
{
"marker": {
"color": "#574d7b"
},
"mode": "text",
"name": "Event buffer pointer",
"text": "Event buffer pointer",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
8.652439024390247
]
},
{
"marker": {
"color": "#34619d"
},
"mode": "text",
"name": "BL1 pointer",
"text": "BL1 pointer",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
9.32317073170732
]
},
{
"marker": {
"color": "#57f720"
},
"mode": "text",
"name": "First debugger location",
"text": "First debugger location",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
9.993902439024394
]
},
{
"marker": {
"color": "#dca8fd"
},
"mode": "text",
"name": "End of memory stack",
"text": "End of memory stack",
"textposition": "middle center",
"type": "scatter",
"x": [
0.5
],
"y": [
10.664634146341468
]
}
],
"layout": {
"autosize": true,
"font": {
"size": 18
},
"height": 1200,
"legend": {
"title": {
"text": "Function/Locations"
}
},
"margin": {
"b": 20,
"l": 200,
@ -203,20 +243,20 @@
},
"shapes": [
{
"fillcolor": "#12e884",
"fillcolor": "#768f95",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 0,
"y1": 1
"y1": 4.2926829268292686
},
{
"fillcolor": "#db08ae",
"fillcolor": "#2564cb",
"layer": "below",
"line": {
"width": 2
@ -225,125 +265,125 @@
"type": "rect",
"x0": 0,
"x1": 1,
"y0": 1,
"y1": 2
"y0": 4.2926829268292686,
"y1": 4.963414634146342
},
{
"fillcolor": "#50034a",
"fillcolor": "#9e0519",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 2,
"y1": 3
"y0": 4.963414634146342,
"y1": 5.634146341463415
},
{
"fillcolor": "#547ec9",
"fillcolor": "#2f0c12",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 3,
"y1": 4
"y0": 5.634146341463415,
"y1": 6.3048780487804885
},
{
"fillcolor": "#daac51",
"fillcolor": "#7e4e8a",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 4,
"y1": 5
"y0": 6.3048780487804885,
"y1": 6.975609756097562
},
{
"fillcolor": "#8704ee",
"fillcolor": "#43f7e5",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 5,
"y1": 6
"y0": 6.975609756097562,
"y1": 7.646341463414636
},
{
"fillcolor": "#86785f",
"fillcolor": "#d4b036",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 6,
"y1": 7
"y0": 7.646341463414636,
"y1": 8.31707317073171
},
{
"fillcolor": "#e33d72",
"fillcolor": "#574d7b",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 7,
"y1": 8
"y0": 8.31707317073171,
"y1": 8.987804878048784
},
{
"fillcolor": "#2f63f4",
"fillcolor": "#34619d",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 8,
"y1": 9
"y0": 8.987804878048784,
"y1": 9.658536585365857
},
{
"fillcolor": "#1258f9",
"fillcolor": "#57f720",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 9,
"y1": 10
"y0": 9.658536585365857,
"y1": 10.329268292682931
},
{
"fillcolor": "#109cff",
"fillcolor": "#dca8fd",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
"x0": 0,
"x0": 0.1,
"x1": 1,
"y0": 10,
"y1": 11
"y0": 10.329268292682931,
"y1": 11.000000000000005
}
],
"template": {
@ -1162,45 +1202,72 @@
}
}
},
"width": 800,
"width": 1000,
"xaxis": {
"range": [
0,
1
],
"showticklabels": false,
"tickvals": [
0,
1
]
},
"yaxis": {
"gridcolor": "black",
"griddash": "longdashdot",
"gridwidth": 0,
"showgrid": false,
"ticktext": [
"0x0",
"0x2c0 \n 0x12c0",
"0x64e0 \n 0x74e0",
"0x12848 \n 0x13848",
"0x19310 \n 0x1a310",
"0x2020f60 \n 0x2021f60",
"0x2021578 \n 0x2022578",
"0x2021800 \n 0x2022800",
"0x2069000 \n 0x206a000",
"0x206f000 \n 0x2070000",
"0x20c0000 \n 0x20c1000",
"0x20c1000"
"0x52c0<br>0x2c0",
"0xb4e0<br>0x64e0",
"0x17848<br>0x12848",
"0x1e310<br>0x19310",
"0x211000<br>0x20c000",
"0x2025f60<br>0x2020f60",
"0x2026578<br>0x2021578",
"0x2026800<br>0x2021800",
"0x206e000<br>0x2069000",
"0x2070000<br>0x206b000",
[
"0x0",
"0x20000",
"0x2c0",
"0x52c0",
"0x64e0",
"0xb4e0",
"0x12848",
"0x17848",
"0x19310",
"0x1e310",
"0x20c000",
"0x211000",
"0x2020f60",
"0x2025f60",
"0x2021578",
"0x2026578",
"0x2021800",
"0x2026800",
"0x2069000",
"0x206e000",
"0x206b000",
"0x2070000"
]
],
"tickvals": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11
4.2926829268292686,
4.963414634146342,
5.634146341463415,
6.3048780487804885,
6.975609756097562,
7.646341463414636,
8.31707317073171,
8.987804878048784,
9.658536585365857,
10.329268292682931
]
}
}
@ -1212,45 +1279,22 @@
],
"source": [
"import plotly.graph_objects as go\n",
"\n",
"# Sample data structure\n",
"data = [\n",
" {'start': 0x00000000, 'end': 0x00020000, 'name': 'BootROM'},\n",
" {'start': 0x000002c0, 'name': 'BL1 boot entry point'},\n",
" {'start': 0x000064e0, 'name': 'Boot USB function'},\n",
" {'start': 0x00012848, 'name': 'bootrom authentication function'},\n",
" {'start': 0x00019310, 'name': 'BL1 boot function'},\n",
" {'start': 0x02069000, 'name': 'First debugger location'},\n",
" {'end': 0x02070000, 'name': 'End of memory stack'},\n",
" {'start': 0x02021578, 'name': 'Event buffer pointer'},\n",
" {'start': 0x02020f60, 'name': 'Boot USB return address'},\n",
" {'start': 0x02021800, 'name': 'BL1 pointer'},\n",
" {'start': 0x020c0000, 'name': 'Frederic Destination pointer'},\n",
"]\n",
"\n",
"# _evtbuf_ptr: .dword 0x02021578\n",
"# _boot_usb_ra: .dword 0x02020f60\n",
"# _bl1_ptr: .dword 0x02021800\n",
"# _original_ra: .dword 0x00007c68\n",
"# _boot_usb: .dword 0x000064e0\n",
"# _dst_ptr: .dword 0x020c0000\n",
"# _auth_bl1: .dword 0x00012848\n",
"# _jmp_bl1: .dword 0x000002c0\n",
"import random\n",
"\n",
"# If there is no end, set it to start + 0x1000\n",
"for d in data:\n",
" if 'end' not in d:\n",
" d['end'] = d['start'] + 0x1000\n",
" d['end'] = d['start'] + 0x5000\n",
"\n",
"# If there is no start, set it to end - 0x1000\n",
"for d in data:\n",
" if 'start' not in d:\n",
" d['start'] = d['end'] - 0x1000\n",
" d['start'] = d['end'] - 0x5000\n",
"\n",
"# Sort the data by start\n",
"data = sorted(data, key=lambda x: x['start'])\n",
"\n",
"import random\n",
"total_used_len = sum([d['end']-d['start'] for d in data]) # Length of all blocks described\n",
"tickpointers = []\n",
"\n",
"def random_color():\n",
" return f'#{random.randint(0, 0xFFFFFF):06x}'\n",
@ -1258,33 +1302,46 @@
"# Create a square for each index\n",
"fig = go.Figure()\n",
"for i, d in enumerate(data):\n",
" if i == 0:\n",
" prev_y = 0\n",
" max_y = (prev_y + ((d['end'] - d['start']) / total_used_len))\n",
" fillcolor = random_color()\n",
"\n",
" if d['Order'] == \"ENTRY\":\n",
" x0 = 0\n",
" else:\n",
" x0 = 0.1\n",
"\n",
" fig.add_shape(\n",
" type=\"rect\",\n",
" x0=0,\n",
" y0=i,\n",
" x0=x0,\n",
" y0=prev_y * len(data),\n",
" x1=0 + 1,\n",
" y1=i+1,\n",
" y1=max_y * len(data),\n",
" line=dict(width=2),\n",
" fillcolor=random_color(),\n",
" fillcolor=fillcolor,\n",
" opacity=0.5,\n",
" layer=\"below\"\n",
" layer=\"below\",\n",
" )\n",
"\n",
" tickpoint = [(prev_y + (max_y - prev_y) / 2) * len(data)]\n",
" tickpointers.extend([prev_y * len(data)])\n",
"\n",
" fig.add_trace(go.Scatter\n",
" (\n",
" x=[0.5],\n",
" y=[i+ 0.5],\n",
" y=tickpoint,\n",
" text=d['name'],\n",
" mode=\"text\",\n",
" textposition=\"middle center\"\n",
" textposition=\"middle center\",\n",
" name=d['name'],\n",
" # Set color to\n",
" marker=dict(\n",
" color=fillcolor,\n",
" ),\n",
" ))\n",
" \n",
"fig.update_layout(\n",
" width=800,\n",
" height=1200,\n",
" autosize=True,\n",
" margin=dict(l=200, r=20, t=20, b=20)\n",
")\n",
" prev_y = max_y\n",
"\n",
"fig.update_xaxes(\n",
" range=[0, 1],\n",
@ -1301,59 +1358,38 @@
" elif i == len(labels) - 1:\n",
" labelset.append(labels[i])\n",
" else:\n",
" labelset.append(f\"{labels[i]} \\n {labels[i+1]}\")\n",
"labelset.append(labels[-1])\n",
" labelset.append(f\"{labels[i+1]}<br>{labels[i]}\")\n",
"labelset.append(labels)\n",
"\n",
"fig.update_yaxes(\n",
" tickvals=[i for i in range(len(data)+1)], \n",
" ticktext=labelset\n",
" # tickvals=[i for i in range(len(data)+1)], \n",
" tickvals = tickpointers,\n",
" ticktext=labelset,\n",
" griddash=\"longdashdot\",\n",
" gridwidth=0,\n",
" gridcolor=\"black\",\n",
" showgrid=False,\n",
")\n",
"\n",
"fig.update_xaxes(\n",
" # Disable ticks\n",
" showticklabels=False,\n",
")\n",
"\n",
"fig.update_layout(\n",
" width=1000,\n",
" height=1200,\n",
" autosize=True,\n",
" margin=dict(l=200, r=20, t=20, b=20),\n",
" font=dict(\n",
" size=18,\n",
" ),\n",
" # Legend being the name of the function\n",
" legend_title_text=\"Function/Locations\",\n",
")\n",
"\n",
"fig.show()"
]
},
{
"cell_type": "code",
"execution_count": 111,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['0x0',\n",
" '0x2c0 - 0x12c0',\n",
" '0x12848 - 0x13848',\n",
" '0x19310 - 0x1a310',\n",
" '0x2069000 - 0x206a000',\n",
" '0x206f000 - 0x2070000']"
]
},
"execution_count": 111,
"metadata": {},
"output_type": "execute_result"
}
],
"source": []
},
{
"cell_type": "code",
"execution_count": 115,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"'0x2070000'"
]
},
"execution_count": 115,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"labels[-1]"
]
}
],
"metadata": {

12
documentation/source/_ignore/stack_and_functions.csv Normal file
View File

@ -0,0 +1,12 @@
start,end,name,Order,Comment
0,131072,BootROM,,
704,21184,BL1 boot entry point,ENTRY,
25824,46304,Boot USB function,,
75848,96328,bootrom authentication function,,
103184,123664,BL1 boot function,,
2146304,2166784,Frederic Destination pointer,,
33689440,33709920,Boot USB return address,,
33691000,33711480,Event buffer pointer,,
33691648,33712128,BL1 pointer,,
33984512,34004992,First debugger location,,
33992704,34013184,End of memory stack,,
1 start end name Order Comment
2 0 131072 BootROM
3 704 21184 BL1 boot entry point ENTRY
4 25824 46304 Boot USB function
5 75848 96328 bootrom authentication function
6 103184 123664 BL1 boot function
7 2146304 2166784 Frederic Destination pointer
8 33689440 33709920 Boot USB return address
9 33691000 33711480 Event buffer pointer
10 33691648 33712128 BL1 pointer
11 33984512 34004992 First debugger location
12 33992704 34013184 End of memory stack

4
requirements.txt
View File

@ -14,5 +14,7 @@ sphinxcontrib.drawio
sphinx_wagtail_theme
plotly
numpy
nbformat>4.2.0
nbformat==5.10.4
pandas
xvfbwrapper #Required for sphinx drawio
source/ghidra_assistant/ghidra_assistant-0.0.1-py3-none-any.whl

49
source/exploit/exploit.py
View File

@ -620,12 +620,9 @@ class ExynosDevice():
auth_bl1(DEBUGGER_ADDR)
self.usb_write(b"FLSH") # Flush cache
hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
# INSERT YOUR BL1 PATCHES HERE
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
# END
jump_bl1(DEBUGGER_ADDR)
@ -642,53 +639,45 @@ class ExynosDevice():
time.sleep(2)
self.usb_read(0x200) # GiAs
# lr = self.cd.arch_dbg.state.LR
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
# TODO patch verification
# self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.arch_dbg.state.X0 = 0x020347f0
# self.cd.arch_dbg.state.X1 = 0
# self.cd.restore_stack_and_jump(0x02030464)
self.cd.restore_stack_and_jump(lr)
time.sleep(2)
self.usb_read(0x200) # GiAs
self.cd.memwrite_region(0x02031008, b"ELH")
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# ====== PATCHES TO BL31 here! ======
self.cd.memwrite_region(0x02031008, b"ELH")
# Jump entry BL31
# Jump into BL31
self.cd.restore_stack_and_jump(0x02024010)
time.sleep(2)
self.connect_device()
# WORKING
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# print(self.cd.memdump_region(0x020200dc, 4))
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) #Sets jump/X1 address at X0 0x2048000 -> Entry point of BL2
self.cd.memwrite_region(0x02020, p32(DEBUGGER_ADDR)) # Restore original boot flow
# Boot mode? Not sure whether its important (related to boot type at function 02023800?)
# self.cd.memwrite_region(0x02020, p32(DEBUGGER_ADDR)) # Restore original boot flow
# Jump into BL2
# Jump into USB download function
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# WORKS
self.cd.restore_stack_and_jump(hijacked_fun)
# END
# self.usb_read(0x200) # GiAs
# self.cd.restore_stack_and_jump(hijacked_fun)
# WORKING UNTIL HERE
# ==== Stage 3 BL2 ====
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
BL2_FUN = 0x2048000
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
# bl2 = bl2[:(0x02052bf4-0x02048000)] + b"00000000" + bl2[(0x02052bf4-0x02048000)+8:]
self.send_normal_stage(bl2)
# self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
time.sleep(2)
self.connect_device()

8
source/exploit/modify_bin.py
View File

@ -1,8 +0,0 @@
# Open a binary file and modify it
bl1 = open('../S7/bl1.bin', 'rb').read()
# Modify the binary file at 1C10
bl1 = bl1[:0x1C1C] + b'\x48' + bl1[0x1C1D:]
# Write the modified binary file
open('../S7/bl1_mod.bin', 'wb').write(bl1)