Merge branch 'main' of https://git.herreweb.nl/EljakimHerrewijnen/Samsung_S7
commit
4bbb11908f
@ -77,24 +77,71 @@ With a modified bl1
|
|||||||
X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
|
X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
|
||||||
X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0
|
X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0
|
||||||
|
|
||||||
|
I relocated the debugger to ``0x20c0000`` to prevent overwriting it.
|
||||||
|
|
||||||
|
.. code-block:: python
|
||||||
|
|
||||||
|
self.cd.arch_dbg.state.auto_sync = False
|
||||||
|
self.cd.arch_dbg.state.auto_sync_special = False
|
||||||
|
self.cd.arch_dbg.state.print_ctx()
|
||||||
|
|
||||||
|
def relocate_debugger():
|
||||||
|
# Seems to be cleared upon cache clearing??
|
||||||
|
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
|
||||||
|
self.cd.memwrite_region(0x020c0000, debugger_reloc)
|
||||||
|
self.usb_write(b"FLSH") # Flush cache
|
||||||
|
self.cd.restore_stack_and_jump(0x020c0000)
|
||||||
|
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
|
||||||
|
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
|
||||||
|
relocate_debugger()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
bl1
|
bl1
|
||||||
===
|
===
|
||||||
|
BL1 needs to be authenticated.
|
||||||
Loads at address ``0x02024000`` and contains some form of header (ramdump).
|
Loads at address ``0x02024000`` and contains some form of header (ramdump).
|
||||||
There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary.
|
There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary.
|
||||||
In this case this entry is ``+0x10`` so we jump to ``0x02024010``.
|
In this case this entry is ``+0x10`` so we jump to ``0x02024010``.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
|
|
||||||
fwbl1 = open("../S7/bl1.bin", "rb").read()
|
# Try loading bl1
|
||||||
self.cd.memwrite_region(0x02024000, fwbl1)
|
bl1 = open("../S7/bl1.bin", "rb").read()
|
||||||
|
self.cd.memwrite_region(0x02021800, bl1)
|
||||||
|
# self.usb_write(b"FLSH")
|
||||||
|
AUTH_BL1 = 0x00012848
|
||||||
|
def auth_bl1(lr=0x2069000):
|
||||||
|
# Load the firmware
|
||||||
|
self.cd.arch_dbg.state.W0 = 1
|
||||||
|
self.cd.arch_dbg.state.X1 = 1
|
||||||
|
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
|
||||||
|
self.cd.restore_stack_and_jump(AUTH_BL1)
|
||||||
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
|
||||||
|
|
||||||
|
auth_bl1(0x020c0000)
|
||||||
|
|
||||||
def jump_fwbl1():
|
After authentication the bootROM jumps to it, we can execute this function with the debugger.
|
||||||
self.cd.arch_dbg.state.LR = 0x2069000
|
|
||||||
self.cd.restore_stack_and_jump(0x02024010)
|
.. code-block:: python
|
||||||
|
|
||||||
|
self.cd.memwrite_region(0x02020f60, p32(0x020c0000))
|
||||||
|
BOOT_BL1 = 0x00019310
|
||||||
|
def jump_bl1(lr):
|
||||||
|
self.cd.arch_dbg.state.LR = lr
|
||||||
|
self.cd.restore_stack_and_jump(BOOT_BL1)
|
||||||
|
|
||||||
|
jump_bl1(0x020c0000)
|
||||||
|
|
||||||
jump_fwbl1()
|
jump_fwbl1()
|
||||||
|
|
||||||
However, this does not result in a jump back to the debugger.
|
BL1 is laoded at the download buffer and self copies to ``0x02024000`` and resumes execution there(``0x02024010``).
|
||||||
|
|
||||||
|
However, this does not result in a jump back to the debugger. But the ROM still receives data from the host
|
||||||
|
|
||||||
|
TODO TODO TODO
|
||||||
The reason for this is the following code in bl1:
|
The reason for this is the following code in bl1:
|
||||||
|
|
||||||
.. code-block:: c
|
.. code-block:: c
|
||||||
|
BIN
reven/SamsungS7_2024_08_12.gar
Normal file
3
source/exploit/.gitignore
vendored
@ -1,4 +1,5 @@
|
|||||||
*.elf
|
*.elf
|
||||||
*.o
|
*.o
|
||||||
*.bin
|
*.bin
|
||||||
venv/
|
venv/
|
||||||
|
dump/
|
||||||
|
@ -338,6 +338,15 @@ class ExynosDevice():
|
|||||||
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
|
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
|
||||||
relocate_debugger()
|
relocate_debugger()
|
||||||
|
|
||||||
|
def memdump_imem():
|
||||||
|
dumped = b""
|
||||||
|
for block in range(0x2020000, 0x2070000, 0x200):
|
||||||
|
# print(hex(block))
|
||||||
|
dumped += self.cd.memdump_region(block, 0x200)
|
||||||
|
return dumped
|
||||||
|
|
||||||
|
# dump1 = memdump_imem()
|
||||||
|
|
||||||
# Try loading bl1
|
# Try loading bl1
|
||||||
bl1 = open("../S7/bl1.bin", "rb").read()
|
bl1 = open("../S7/bl1.bin", "rb").read()
|
||||||
self.cd.memwrite_region(0x02021800, bl1)
|
self.cd.memwrite_region(0x02021800, bl1)
|
||||||
@ -350,19 +359,28 @@ class ExynosDevice():
|
|||||||
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
|
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
|
||||||
self.cd.restore_stack_and_jump(AUTH_BL1)
|
self.cd.restore_stack_and_jump(AUTH_BL1)
|
||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
|
||||||
|
|
||||||
auth_bl1(0x020c0000)
|
auth_bl1(0x020c0000)
|
||||||
|
# dump2 = memdump_imem()
|
||||||
|
|
||||||
# Works until here
|
# Works until here TODO hijack future control flow
|
||||||
|
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
|
||||||
|
self.cd.memwrite_region(0x02020f60, p32(0x020c0000))
|
||||||
|
BOOT_BL1 = 0x00019310
|
||||||
|
def jump_bl1(lr):
|
||||||
|
self.cd.arch_dbg.state.LR = lr
|
||||||
|
self.cd.restore_stack_and_jump(BOOT_BL1)
|
||||||
|
|
||||||
|
jump_bl1(0x020c0000)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Overwrite jump back
|
# Overwrite jump back
|
||||||
self.cd.memwrite_region(0x02020108, p32(0x2069000))
|
|
||||||
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
|
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
|
||||||
|
|
||||||
|
|
||||||
def memdump_try():
|
def memdump_try():
|
||||||
self.cd.arch_dbg.state.LR = 0x020200e8
|
self.cd.arch_dbg.state.LR = 0x020200e8
|
||||||
self.cd.restore_stack_and_jump(0x02021810)
|
self.cd.restore_stack_and_jump(0x02021810)
|
||||||
@ -376,9 +394,7 @@ class ExynosDevice():
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
def jump_bl1():
|
|
||||||
self.cd.arch_dbg.state.LR = 0x2069000
|
|
||||||
self.cd.restore_stack_and_jump(0x02024010)
|
|
||||||
# self.cd.restore_stack_and_jump(0x02021810)
|
# self.cd.restore_stack_and_jump(0x02021810)
|
||||||
|
|
||||||
#000125b4
|
#000125b4
|
||||||
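Review bot: The new write `self.cd.memwrite_region(0x02020f60, p32(0x020c0000))` in the second hunk records neither what is stored at 0x02020f60 nor the value it overwrites, while the commented-out line just above it does exactly that for 0x02020108; a trailing comment in the same form, `# <what 0x02020f60 holds>, original <ORIGINAL_VALUE>`, would let the next reader restore the state or tell this redirect apart from the other one. The added `assert self.cd.arch_dbg.state.X0 == 0, ...` checks a value that comes back from the device and is silently dropped under `-O`; `if self.cd.arch_dbg.state.X0 != 0: raise RuntimeError("auth_bl1 returned with error!")` keeps the check in place (the existing `usb_read` asserts in the context lines have the same weakness but are not part of this change). In the first hunk, `memdump_imem` grows `dumped` with `+=` once per 0x200 block; `return b"".join(self.cd.memdump_region(block, 0x200) for block in range(0x2020000, 0x2070000, 0x200))` is the idiomatic form and also drops the commented-out `print`. These closures sit inside a method of ExynosDevice whose start and end lie outside the hunks.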
|