diff --git a/documentation/exynos_exploit_chain.odg b/documentation/exynos_exploit_chain.odg
index 7e31434..01205f5 100644
Binary files a/documentation/exynos_exploit_chain.odg and b/documentation/exynos_exploit_chain.odg differ
diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst
index 6084f58..5920ab3 100644
--- a/documentation/source/BootROM_8890/boot_chain.rst
+++ b/documentation/source/BootROM_8890/boot_chain.rst
@@ -77,7 +77,7 @@ This results in the following files:
After loading the stage1 (entry.S - Frederic's exploit), we're allowed to send custom payloads to the device. The first payload that is then sent, is the debugger.
-debugger
+Debugger
--------
The initial debugger is written to ``0x2069000``, with debugger_stack and _storage at ``0x0206b000`` and ``0x0206d000`` respectively.
@@ -179,7 +179,7 @@ After authentication the bootROM jumps to this function at, we can execute this
jump_fwbl1()
-BL1 is laoded at the download buffer and self copies to ``0x02024000`` and resumes execution there (``0x02024010``).
+BL1 is loaded at the download buffer and self copies to ``0x02022000`` and resumes execution there (``0x02024010``), with a size of 0x2000 (0x02022000 to 0x02024000).
However, this does not result in a jump back to the debugger. But the ROM still allows receival of one data package from the USB host (this is likely the system 'waiting' to receive the bootloader).
diff --git a/documentation/source/_ignore/draw_boot.ipynb b/documentation/source/_ignore/draw_boot.ipynb
index 6641930..68d8370 100644
--- a/documentation/source/_ignore/draw_boot.ipynb
+++ b/documentation/source/_ignore/draw_boot.ipynb
@@ -2,7 +2,7 @@
"cells": [
{
"cell_type": "code",
- "execution_count": 180,
+ "execution_count": 371,
"metadata": {},
"outputs": [],
"source": [
@@ -20,7 +20,7 @@
},
{
"cell_type": "code",
- "execution_count": 197,
+ "execution_count": 372,
"metadata": {},
"outputs": [
{
@@ -49,9 +49,9 @@
"
name | \n",
" order | \n",
" comment | \n",
+ " size | \n",
" overlap | \n",
" overlap_with | \n",
- " size | \n",
" \n",
" \n",
" \n",
@@ -62,140 +62,166 @@
" BootROM | \n",
" NaN | \n",
" NaN | \n",
+ " 131072 | \n",
" True | \n",
" 0.0 | \n",
- " 131072 | \n",
" \n",
" \n",
" 1 | \n",
" 704 | \n",
- " 21184 | \n",
- " BL1 boot entry point | \n",
- " ENTRY | \n",
+ " 708 | \n",
+ " _jump_bl1 | \n",
" NaN | \n",
+ " NaN | \n",
+ " 4 | \n",
" True | \n",
" 0.0 | \n",
- " 20480 | \n",
"
\n",
" \n",
" 2 | \n",
" 25824 | \n",
- " 46304 | \n",
- " Boot USB function | \n",
+ " 25996 | \n",
+ " _boot_usb | \n",
" NaN | \n",
" NaN | \n",
+ " 172 | \n",
" True | \n",
" 0.0 | \n",
- " 20480 | \n",
"
\n",
" \n",
" 3 | \n",
" 75848 | \n",
- " 96328 | \n",
- " bootrom authentication function | \n",
+ " 76008 | \n",
+ " auth_bl1 | \n",
" NaN | \n",
" NaN | \n",
+ " 160 | \n",
" True | \n",
" 0.0 | \n",
- " 20480 | \n",
"
\n",
" \n",
" 4 | \n",
- " 103184 | \n",
- " 123664 | \n",
- " BL1 boot function | \n",
+ " 33689440 | \n",
+ " 33689448 | \n",
+ " _boot_usb_ra | \n",
" NaN | \n",
" NaN | \n",
- " True | \n",
- " 0.0 | \n",
- " 20480 | \n",
+ " 8 | \n",
+ " False | \n",
+ " 4.0 | \n",
"
\n",
" \n",
" 5 | \n",
- " 2146304 | \n",
- " 2166784 | \n",
- " Frederic Destination pointer | \n",
+ " 33693696 | \n",
+ " 33701888 | \n",
+ " BL1 | \n",
" NaN | \n",
" NaN | \n",
+ " 8192 | \n",
" False | \n",
" 5.0 | \n",
- " 20480 | \n",
"
\n",
" \n",
" 6 | \n",
- " 33689440 | \n",
- " 33689448 | \n",
- " Boot USB return address | \n",
+ " 33701888 | \n",
+ " 33849344 | \n",
+ " BL31 | \n",
" NaN | \n",
" NaN | \n",
+ " 147456 | \n",
" False | \n",
" 6.0 | \n",
- " 8 | \n",
"
\n",
" \n",
" 7 | \n",
- " 33691000 | \n",
- " 33711480 | \n",
- " Event buffer pointer | \n",
+ " 33849344 | \n",
+ " 34008336 | \n",
+ " BL2 | \n",
" NaN | \n",
" NaN | \n",
- " False | \n",
+ " 158992 | \n",
+ " True | \n",
" 7.0 | \n",
- " 20480 | \n",
"
\n",
" \n",
" 8 | \n",
" 33984512 | \n",
- " 34004992 | \n",
- " First debugger location | \n",
+ " 34009088 | \n",
+ " Debugger | \n",
" NaN | \n",
" NaN | \n",
+ " 24576 | \n",
" True | \n",
- " 9.0 | \n",
- " 20480 | \n",
+ " 7.0 | \n",
"
\n",
" \n",
" 9 | \n",
- " 33992704 | \n",
+ " 34008336 | \n",
" 34013184 | \n",
- " End of memory stack | \n",
+ " End of readable memory space in buffer | \n",
" NaN | \n",
" NaN | \n",
+ " 4848 | \n",
" True | \n",
" 8.0 | \n",
- " 20480 | \n",
+ "
\n",
+ " \n",
+ " 10 | \n",
+ " 34340864 | \n",
+ " 34369536 | \n",
+ " Debugger relocated | \n",
+ " NaN | \n",
+ " NaN | \n",
+ " 28672 | \n",
+ " True | \n",
+ " 10.0 | \n",
+ "
\n",
+ " \n",
+ " 11 | \n",
+ " 34340864 | \n",
+ " 34340868 | \n",
+ " _frederic_dest_ptr | \n",
+ " NaN | \n",
+ " NaN | \n",
+ " 4 | \n",
+ " True | \n",
+ " 10.0 | \n",
"
\n",
" \n",
"\n",
""
],
"text/plain": [
- " start end name order comment \\\n",
- "0 0 131072 BootROM NaN NaN \n",
- "1 704 21184 BL1 boot entry point ENTRY NaN \n",
- "2 25824 46304 Boot USB function NaN NaN \n",
- "3 75848 96328 bootrom authentication function NaN NaN \n",
- "4 103184 123664 BL1 boot function NaN NaN \n",
- "5 2146304 2166784 Frederic Destination pointer NaN NaN \n",
- "6 33689440 33689448 Boot USB return address NaN NaN \n",
- "7 33691000 33711480 Event buffer pointer NaN NaN \n",
- "8 33984512 34004992 First debugger location NaN NaN \n",
- "9 33992704 34013184 End of memory stack NaN NaN \n",
+ " start end name order \\\n",
+ "0 0 131072 BootROM NaN \n",
+ "1 704 708 _jump_bl1 NaN \n",
+ "2 25824 25996 _boot_usb NaN \n",
+ "3 75848 76008 auth_bl1 NaN \n",
+ "4 33689440 33689448 _boot_usb_ra NaN \n",
+ "5 33693696 33701888 BL1 NaN \n",
+ "6 33701888 33849344 BL31 NaN \n",
+ "7 33849344 34008336 BL2 NaN \n",
+ "8 33984512 34009088 Debugger NaN \n",
+ "9 34008336 34013184 End of readable memory space in buffer NaN \n",
+ "10 34340864 34369536 Debugger relocated NaN \n",
+ "11 34340864 34340868 _frederic_dest_ptr NaN \n",
"\n",
- " overlap overlap_with size \n",
- "0 True 0.0 131072 \n",
- "1 True 0.0 20480 \n",
- "2 True 0.0 20480 \n",
- "3 True 0.0 20480 \n",
- "4 True 0.0 20480 \n",
- "5 False 5.0 20480 \n",
- "6 False 6.0 8 \n",
- "7 False 7.0 20480 \n",
- "8 True 9.0 20480 \n",
- "9 True 8.0 20480 "
+ " comment size overlap overlap_with \n",
+ "0 NaN 131072 True 0.0 \n",
+ "1 NaN 4 True 0.0 \n",
+ "2 NaN 172 True 0.0 \n",
+ "3 NaN 160 True 0.0 \n",
+ "4 NaN 8 False 4.0 \n",
+ "5 NaN 8192 False 5.0 \n",
+ "6 NaN 147456 False 6.0 \n",
+ "7 NaN 158992 True 7.0 \n",
+ "8 NaN 24576 True 7.0 \n",
+ "9 NaN 4848 True 8.0 \n",
+ "10 NaN 28672 True 10.0 \n",
+ "11 NaN 4 True 10.0 "
]
},
- "execution_count": 197,
+ "execution_count": 372,
"metadata": {},
"output_type": "execute_result"
}
@@ -213,17 +239,22 @@
" except ValueError:\n",
" return value \n",
"\n",
- "data.sort_values(by=['start'], inplace=True)\n",
"data['start'] = data['start'].apply(convert_to_int)\n",
"data['end'] = data['end'].apply(convert_to_int)\n",
+ "data['size'] = data['end'] - data['start']\n",
+ "\n",
+ "data.sort_values(by=['size'], inplace=True, ascending=False)\n",
+ "data.sort_values(by=['start'], inplace=True)\n",
+ "data.reset_index(drop=True, inplace=True)\n",
+ "\n",
"data['overlap'] = False\n",
"\n",
"for i, row in data.iterrows():\n",
" for j, row2 in data.iterrows():\n",
" if i == j:\n",
" continue\n",
- " if row['start'] < row2['end'] and row['end'] > row2['start']:\n",
- " if row['end'] - row['start'] > row2['end'] - row2['start']:\n",
+ " if row['start'] <= row2['end'] and row['end'] > row2['start']:\n",
+ " if row['end'] - row['start'] >= row2['end'] - row2['start']:\n",
" continue\n",
" data.at[i, 'overlap'] = True\n",
" data.at[j, 'overlap'] = True\n",
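Review bot: The bounds on the line `if row['start'] <= row2['end'] and row['end'] > row2['start']:` are now asymmetric: the first comparison is inclusive but the second is not, so two regions that merely touch are counted as overlapping only when the later-starting one is `row` and is the smaller of the pair (e.g. BL2 and "End of readable memory space in buffer", which share the boundary 0x0206ed10 in the CSV), while the reverse pairing is not. Make both bounds inclusive or both strict, depending on whether touching regions are meant to be flagged. Separately, `data.sort_values(by=['size'], inplace=True, ascending=False)` is immediately discarded by the following `sort_values(by=['start'])`, because pandas' default quicksort is not stable, so the larger-region-first order for rows with equal start (indices 10 and 11 in the output) is not guaranteed; `data.sort_values(by=['start', 'size'], ascending=[True, False], inplace=True)` expresses the intent in one stable step. The cell's code continues outside the hunk.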
@@ -231,31 +262,14 @@
"\n",
"data['overlap_with'] = data['overlap_with'].fillna(data.index.to_series())\n",
"data['overlap_with'] = data['overlap_with'].astype(float)\n",
- "data['size'] = data['end'] - data['start']\n",
+ "\n",
+ "# Send warnings if sizes are negative\n",
+ "if (data['size'] < 0).any():\n",
+ " print(f'Warning: Negative sizes detected at indices {data[data[\"size\"] < 0].index}')\n",
"\n",
"data"
]
},
- {
- "cell_type": "code",
- "execution_count": 239,
- "metadata": {},
- "outputs": [
- {
- "data": {
- "text/plain": [
- "np.int64(34013184)"
- ]
- },
- "execution_count": 239,
- "metadata": {},
- "output_type": "execute_result"
- }
- ],
- "source": [
- "data['end'].iloc[-1]"
- ]
- },
{
"cell_type": "markdown",
"metadata": {},
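Review bot: The negative-size check `if (data['size'] < 0).any():` runs only after the overlap loop has already consumed `size` (and `overlap_with` has been filled from it), so a bad row has silently influenced the result before the warning prints. Move the check to right after `size` is computed earlier in the cell, and consider raising instead of printing, since the plot below is meaningless with inverted ranges. The cell starts outside the hunk.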
@@ -265,32 +279,9 @@
},
{
"cell_type": "code",
- "execution_count": 242,
+ "execution_count": 373,
"metadata": {},
"outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "8.0\n",
- "1.25\n",
- "1.25\n",
- "1.25\n",
- "1.25\n",
- "inf\n",
- "inf\n"
- ]
- },
- {
- "name": "stderr",
- "output_type": "stream",
- "text": [
- "/tmp/ipykernel_16763/1983735317.py:29: RuntimeWarning:\n",
- "\n",
- "divide by zero encountered in scalar divide\n",
- "\n"
- ]
- },
{
"data": {
"application/vnd.plotly.v1+json": {
@@ -300,7 +291,7 @@
"data": [
{
"marker": {
- "color": "#ce2c3c"
+ "color": "#856446"
},
"mode": "text",
"name": "BootROM",
@@ -308,7 +299,7 @@
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 2.5
],
"y": [
0.5
@@ -316,15 +307,47 @@
},
{
"marker": {
- "color": "#ee6511"
+ "color": "#856446"
},
"mode": "text",
- "name": "BL1 boot entry point",
- "text": "BL1 boot entry point",
+ "showlegend": false,
+ "text": "0x20000",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.1400000000000001
+ ],
+ "y": [
+ 3.84
+ ]
+ },
+ {
+ "marker": {
+ "color": "#856446"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x0",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.1400000000000001
+ ],
+ "y": [
+ 0.14
+ ]
+ },
+ {
+ "marker": {
+ "color": "#82f92f"
+ },
+ "mode": "text",
+ "name": "_jump_bl1",
+ "text": "_jump_bl1",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
1.52
@@ -332,15 +355,47 @@
},
{
"marker": {
- "color": "#157424"
+ "color": "#82f92f"
},
"mode": "text",
- "name": "Boot USB function",
- "text": "Boot USB function",
+ "showlegend": false,
+ "text": "0x2c4",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
+ ],
+ "y": [
+ 1.7100000000000002
+ ]
+ },
+ {
+ "marker": {
+ "color": "#82f92f"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2c0",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 1.1600000000000001
+ ]
+ },
+ {
+ "marker": {
+ "color": "#bd73ad"
+ },
+ "mode": "text",
+ "name": "_boot_usb",
+ "text": "_boot_usb",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
2.52
@@ -348,15 +403,47 @@
},
{
"marker": {
- "color": "#879ab3"
+ "color": "#bd73ad"
},
"mode": "text",
- "name": "bootrom authentication function",
- "text": "bootrom authentication function",
+ "showlegend": false,
+ "text": "0x658c",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
+ ],
+ "y": [
+ 2.71
+ ]
+ },
+ {
+ "marker": {
+ "color": "#bd73ad"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x64e0",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 2.16
+ ]
+ },
+ {
+ "marker": {
+ "color": "#7e8007"
+ },
+ "mode": "text",
+ "name": "auth_bl1",
+ "text": "auth_bl1",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
3.52
@@ -364,31 +451,95 @@
},
{
"marker": {
- "color": "#a4cd2c"
+ "color": "#7e8007"
},
"mode": "text",
- "name": "BL1 boot function",
- "text": "BL1 boot function",
+ "showlegend": false,
+ "text": "0x128e8",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
],
"y": [
- 4.52
+ 3.71
]
},
{
"marker": {
- "color": "#1b44e8"
+ "color": "#7e8007"
},
"mode": "text",
- "name": "Frederic Destination pointer",
- "text": "Frederic Destination pointer",
+ "showlegend": false,
+ "text": "0x12848",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
+ ],
+ "y": [
+ 3.16
+ ]
+ },
+ {
+ "marker": {
+ "color": "#7c5233"
+ },
+ "mode": "text",
+ "name": "_boot_usb_ra",
+ "text": "_boot_usb_ra",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
+ ],
+ "y": [
+ 4.5
+ ]
+ },
+ {
+ "marker": {
+ "color": "#7c5233"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2020f68",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 4.84
+ ]
+ },
+ {
+ "marker": {
+ "color": "#7c5233"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2020f60",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 4.14
+ ]
+ },
+ {
+ "marker": {
+ "color": "#6f6733"
+ },
+ "mode": "text",
+ "name": "BL1",
+ "text": "BL1",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
5.5
@@ -396,15 +547,47 @@
},
{
"marker": {
- "color": "#8be123"
+ "color": "#6f6733"
},
"mode": "text",
- "name": "Boot USB return address",
- "text": "Boot USB return address",
+ "showlegend": false,
+ "text": "0x2024000",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
+ ],
+ "y": [
+ 5.84
+ ]
+ },
+ {
+ "marker": {
+ "color": "#6f6733"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2022000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 5.14
+ ]
+ },
+ {
+ "marker": {
+ "color": "#86ce48"
+ },
+ "mode": "text",
+ "name": "BL31",
+ "text": "BL31",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
6.5
@@ -412,15 +595,47 @@
},
{
"marker": {
- "color": "#d82002"
+ "color": "#86ce48"
},
"mode": "text",
- "name": "Event buffer pointer",
- "text": "Event buffer pointer",
+ "showlegend": false,
+ "text": "0x2048000",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
+ ],
+ "y": [
+ 6.84
+ ]
+ },
+ {
+ "marker": {
+ "color": "#86ce48"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2024000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 6.14
+ ]
+ },
+ {
+ "marker": {
+ "color": "#de3ae2"
+ },
+ "mode": "text",
+ "name": "BL2",
+ "text": "BL2",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
7.5
@@ -428,15 +643,47 @@
},
{
"marker": {
- "color": "#b60e34"
+ "color": "#de3ae2"
},
"mode": "text",
- "name": "First debugger location",
- "text": "First debugger location",
+ "showlegend": false,
+ "text": "0x206ed10",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.1400000000000001
+ ],
+ "y": [
+ 8.34
+ ]
+ },
+ {
+ "marker": {
+ "color": "#de3ae2"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2048000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.1400000000000001
+ ],
+ "y": [
+ 7.14
+ ]
+ },
+ {
+ "marker": {
+ "color": "#292d88"
+ },
+ "mode": "text",
+ "name": "Debugger",
+ "text": "Debugger",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
8.52
@@ -444,19 +691,179 @@
},
{
"marker": {
- "color": "#4c0da0"
+ "color": "#292d88"
},
"mode": "text",
- "name": "End of memory stack",
- "text": "End of memory stack",
+ "showlegend": false,
+ "text": "0x206f000",
"textposition": "middle center",
"type": "scatter",
"x": [
- 2
+ 1.2400000000000002
+ ],
+ "y": [
+ 8.709999999999999
+ ]
+ },
+ {
+ "marker": {
+ "color": "#292d88"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2069000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 8.16
+ ]
+ },
+ {
+ "marker": {
+ "color": "#5d64be"
+ },
+ "mode": "text",
+ "name": "End of readable memory space in buffer",
+ "text": "End of readable memory space in buffer",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
],
"y": [
9.52
]
+ },
+ {
+ "marker": {
+ "color": "#5d64be"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x2070000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 9.709999999999999
+ ]
+ },
+ {
+ "marker": {
+ "color": "#5d64be"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x206ed10",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 9.16
+ ]
+ },
+ {
+ "marker": {
+ "color": "#1db55c"
+ },
+ "mode": "text",
+ "name": "Debugger relocated",
+ "text": "Debugger relocated",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
+ ],
+ "y": [
+ 10.5
+ ]
+ },
+ {
+ "marker": {
+ "color": "#1db55c"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x20c7000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.1400000000000001
+ ],
+ "y": [
+ 11.84
+ ]
+ },
+ {
+ "marker": {
+ "color": "#1db55c"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x20c0000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.1400000000000001
+ ],
+ "y": [
+ 10.14
+ ]
+ },
+ {
+ "marker": {
+ "color": "#3d7e32"
+ },
+ "mode": "text",
+ "name": "_frederic_dest_ptr",
+ "text": "_frederic_dest_ptr",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 2.5
+ ],
+ "y": [
+ 11.52
+ ]
+ },
+ {
+ "marker": {
+ "color": "#3d7e32"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x20c0004",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 11.709999999999999
+ ]
+ },
+ {
+ "marker": {
+ "color": "#3d7e32"
+ },
+ "mode": "text",
+ "showlegend": false,
+ "text": "0x20c0000",
+ "textposition": "middle center",
+ "type": "scatter",
+ "x": [
+ 1.2400000000000002
+ ],
+ "y": [
+ 11.16
+ ]
}
],
"layout": {
@@ -478,7 +885,7 @@
},
"shapes": [
{
- "fillcolor": "#ce2c3c",
+ "fillcolor": "#856446",
"layer": "below",
"line": {
"width": 2
@@ -486,51 +893,12 @@
"opacity": 0.5,
"type": "rect",
"x0": 0.9,
- "x1": 3.1,
- "y0": 0.05,
- "y1": 4.95
- },
- {
- "fillcolor": "#ee6511",
- "layer": "below",
- "line": {
- "width": 2
- },
- "opacity": 0.5,
- "type": "rect",
- "x0": 1,
- "x1": 3,
- "y0": 1.07,
- "y1": 1.92
- },
- {
- "fillcolor": "#157424",
- "layer": "below",
- "line": {
- "width": 2
- },
- "opacity": 0.5,
- "type": "rect",
- "x0": 1,
- "x1": 3,
- "y0": 2.07,
- "y1": 2.92
- },
- {
- "fillcolor": "#879ab3",
- "layer": "below",
- "line": {
- "width": 2
- },
- "opacity": 0.5,
- "type": "rect",
- "x0": 1,
- "x1": 3,
- "y0": 3.07,
+ "x1": 4.1,
+ "y0": 0.08,
"y1": 3.92
},
{
- "fillcolor": "#a4cd2c",
+ "fillcolor": "#82f92f",
"layer": "below",
"line": {
"width": 2
@@ -538,12 +906,51 @@
"opacity": 0.5,
"type": "rect",
"x0": 1,
- "x1": 3,
- "y0": 4.069999999999999,
+ "x1": 4,
+ "y0": 1.1,
+ "y1": 1.79
+ },
+ {
+ "fillcolor": "#bd73ad",
+ "layer": "below",
+ "line": {
+ "width": 2
+ },
+ "opacity": 0.5,
+ "type": "rect",
+ "x0": 1,
+ "x1": 4,
+ "y0": 2.1,
+ "y1": 2.79
+ },
+ {
+ "fillcolor": "#7e8007",
+ "layer": "below",
+ "line": {
+ "width": 2
+ },
+ "opacity": 0.5,
+ "type": "rect",
+ "x0": 1,
+ "x1": 4,
+ "y0": 3.1,
+ "y1": 3.79
+ },
+ {
+ "fillcolor": "#7c5233",
+ "layer": "below",
+ "line": {
+ "width": 2
+ },
+ "opacity": 0.5,
+ "type": "rect",
+ "x0": 1,
+ "x1": 4,
+ "y0": 4.08,
"y1": 4.92
},
{
- "fillcolor": "#1b44e8",
+ "fillcolor": "#6f6733",
"layer": "below",
"line": {
"width": 2
@@ -551,12 +958,12 @@
"opacity": 0.5,
"type": "rect",
"x0": 1,
- "x1": 3,
- "y0": 5.05,
- "y1": 5.95
+ "x1": 4,
+ "y0": 5.08,
+ "y1": 5.92
},
{
- "fillcolor": "#8be123",
+ "fillcolor": "#86ce48",
"layer": "below",
"line": {
"width": 2
@@ -564,25 +971,25 @@
"opacity": 0.5,
"type": "rect",
"x0": 1,
- "x1": 3,
- "y0": 6.05,
- "y1": 6.95
+ "x1": 4,
+ "y0": 6.08,
+ "y1": 6.92
},
{
- "fillcolor": "#d82002",
+ "fillcolor": "#de3ae2",
"layer": "below",
"line": {
"width": 2
},
"opacity": 0.5,
"type": "rect",
- "x0": 1,
- "x1": 3,
- "y0": 7.05,
- "y1": 7.95
+ "x0": 0.9,
+ "x1": 4.1,
+ "y0": 7.08,
+ "y1": 8.42
},
{
- "fillcolor": "#b60e34",
+ "fillcolor": "#292d88",
"layer": "below",
"line": {
"width": 2
@@ -590,12 +997,12 @@
"opacity": 0.5,
"type": "rect",
"x0": 1,
- "x1": 3,
- "y0": 8.07,
- "y1": 8.92
+ "x1": 4,
+ "y0": 8.1,
+ "y1": 8.79
},
{
- "fillcolor": "#4c0da0",
+ "fillcolor": "#5d64be",
"layer": "below",
"line": {
"width": 2
@@ -603,9 +1010,35 @@
"opacity": 0.5,
"type": "rect",
"x0": 1,
- "x1": 3,
- "y0": 9.07,
- "y1": 9.92
+ "x1": 4,
+ "y0": 9.1,
+ "y1": 9.79
+ },
+ {
+ "fillcolor": "#1db55c",
+ "layer": "below",
+ "line": {
+ "width": 2
+ },
+ "opacity": 0.5,
+ "type": "rect",
+ "x0": 0.9,
+ "x1": 4.1,
+ "y0": 10.08,
+ "y1": 11.92
+ },
+ {
+ "fillcolor": "#3d7e32",
+ "layer": "below",
+ "line": {
+ "width": 2
+ },
+ "opacity": 0.5,
+ "type": "rect",
+ "x0": 1,
+ "x1": 4,
+ "y0": 11.1,
+ "y1": 11.79
}
],
"template": {
@@ -1428,7 +1861,7 @@
"xaxis": {
"range": [
0,
- 4
+ 5
],
"showgrid": false,
"showticklabels": false,
@@ -1437,7 +1870,8 @@
1,
2,
3,
- 4
+ 4,
+ 5
]
},
"yaxis": {
@@ -1446,18 +1880,6 @@
"gridwidth": 0,
"showgrid": false,
"showticklabels": true,
- "ticktext": [
- "0x20000
0x0",
- "0x52c0
0x2c0",
- "0xb4e0
0x64e0",
- "0x17848
0x12848",
- "0x1e310
0x19310",
- "0x211000
0x20c000",
- "0x2020f68
0x2020f60",
- "0x2026578
0x2021578",
- "0x206e000
0x2069000",
- "0x2070000
0x206b000"
- ],
"tickvals": [
0,
1,
@@ -1468,7 +1890,9 @@
6,
7,
8,
- 9
+ 9,
+ 10,
+ 11
]
}
}
@@ -1484,8 +1908,9 @@
"\n",
"tickpointers = []\n",
"vertical_len = len(data['overlap_with'].unique())\n",
- "vertical_gap_percentage = 0.05\n",
+ "vertical_gap_percentage = 0.08\n",
"horizontal_gap = 0.1\n",
+ "labels = pd.DataFrame()\n",
"\n",
"def random_color():\n",
" return f'#{random.randint(0, 0xFFFFFF):06x}'\n",
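Review bot: The new `labels = pd.DataFrame()` line is dead: later in the same cell the name is rebound with `labels = []` before any use, so the DataFrame is never read; drop the line. Also, because `random_color()` draws from an unseeded `random`, every re-execution rewrites all `fillcolor` values in the saved outputs (this diff changes each colour for no content reason); a `random.seed(0)` before the loop, or a fixed palette, would make the committed notebook reproducible. The cell continues outside the hunk.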
@@ -1497,7 +1922,7 @@
" data.at[i, 'fillcolor'] = fillcolor\n",
" \n",
" x0=1\n",
- " x1=3\n",
+ " x1=4\n",
"\n",
" if d['overlap'] == False:\n",
" y0=d['overlap_with']\n",
@@ -1507,18 +1932,18 @@
"\n",
" # Calculate relative size of the overlap\n",
" overlap_sizes = data.loc[data['overlap_with'] == d['overlap_with']].iloc[1:]['size'].sum()\n",
- " print((d['size']/overlap_sizes)*overlaps)\n",
"\n",
- " if d['overlap'] == i+1:\n",
+ " if d['overlap_with'] == i:\n",
" y0=i\n",
" y1=overlaps+i\n",
- " if y1 == vertical_len:\n",
- " y1 = vertical_len + vertical_gap_percentage\n",
+ " if i != data.shape[0]+1:\n",
+ " if d['end'] > data.iloc[i+1].start and d['end'] < data.iloc[i+1].end:\n",
+ " y1=overlaps+i-0.5\n",
" x0=x0-horizontal_gap\n",
" x1=x1+horizontal_gap\n",
" else:\n",
" y0=0.02+i\n",
- " y1=0.97+i\n",
+ " y1=0.87+i\n",
" else:\n",
" print(f'Something went wrong with {d}. Skipping')\n",
" continue\n",
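Review bot: The guard `if i != data.shape[0]+1:` can never be false, since `i` runs from 0 to `len(data)-1`, so it does not protect the `data.iloc[i+1]` access on the next line; when the last row reaches this branch it raises IndexError (the current data happens to avoid it because row 11 has `overlap_with == 10.0`). Replace it with `if i + 1 < data.shape[0]:`. The comparison `d['overlap_with'] == i` also relies on the float `overlap_with` column being exactly representable against the int index; it works for small indices but is worth a comment. The enclosing loop starts before and ends after the hunk.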
@@ -1527,14 +1952,15 @@
" type=\"rect\",\n",
" x0=x0,\n",
" x1=x1,\n",
- " y0=y0+gap_percentage,\n",
- " y1=y1-gap_percentage,\n",
+ " y0=y0+vertical_gap_percentage,\n",
+ " y1=y1-vertical_gap_percentage,\n",
" line=dict(width=2),\n",
" fillcolor=fillcolor,\n",
" opacity=0.5,\n",
" layer=\"below\",\n",
" )\n",
"\n",
+ " # Add middle text\n",
" fig.add_trace(go.Scatter\n",
" (\n",
" x=[(x0+x1)/2],\n",
@@ -1548,21 +1974,58 @@
" ),\n",
" ))\n",
"\n",
+ " # Add top-left text with d['end']\n",
+ " fig.add_trace(go.Scatter\n",
+ " (\n",
+ " x=[(x0+0.14+horizontal_gap)],\n",
+ " y=[y1-0.16],\n",
+ " text=hex(d['end']),\n",
+ " mode=\"text\",\n",
+ " textposition=\"middle center\",\n",
+ " marker=dict(\n",
+ " color=fillcolor,\n",
+ " ),\n",
+ " showlegend=False,\n",
+ " ))\n",
+ "\n",
+ " # Add bottom-left text with d['end']\n",
+ " fig.add_trace(go.Scatter\n",
+ " (\n",
+ " x=[(x0+0.14+horizontal_gap)],\n",
+ " y=[y0+0.14],\n",
+ " text=hex(d['start']),\n",
+ " mode=\"text\",\n",
+ " textposition=\"middle center\",\n",
+ " marker=dict(\n",
+ " color=fillcolor,\n",
+ " ),\n",
+ " showlegend=False,\n",
+ " ))\n",
+ "\n",
"fig.update_xaxes(\n",
- " range=[0, 4],\n",
- " tickvals=[0, 1, 2, 3, 4],\n",
+ " range=[0, 5],\n",
+ " tickvals=[0, 1, 2, 3, 4, 5],\n",
")\n",
"\n",
+ "start_values = data['start'].sort_values()\n",
+ "end_values = data['end'].sort_values()\n",
+ "\n",
"labels = []\n",
- "for i, j in zip(data['start'], data['end']):\n",
- " labels.append(f'{hex(j)}
{hex(i)}')\n",
+ "\n",
+ "for i, d in data.iterrows():\n",
+ " if i == 0:\n",
+ " labels.append(f'{hex(start_values.iloc[i])}')\n",
+ " elif i == len(data)-1:\n",
+ " labels.append(f'{hex(end_values.iloc[i])}')\n",
+ " else:\n",
+ " labels.append(f'{hex(start_values.iloc[i])}
{hex(end_values.iloc[i-1])}')\n",
"\n",
"tickpointers = [i for i in range(len(data))]\n",
"\n",
"fig.update_yaxes(\n",
" # tickvals=[i for i in range(len(data)+1)], \n",
" tickvals = tickpointers,\n",
- " ticktext= labels,\n",
+ " # ticktext= labels,\n",
" griddash=\"longdashdot\",\n",
" gridwidth=0,\n",
" gridcolor=\"black\",\n",
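Review bot: The comment `# Add bottom-left text with d['end']` describes the wrong field — that trace plots `hex(d['start'])`; change it to `# Add bottom-left text with d['start']`. The `labels` loop that follows is now dead code because `ticktext= labels` is commented out, and it also pairs `start_values.iloc[i]` with `end_values.iloc[i-1]` after sorting the two columns independently, so a label no longer describes a single region; either delete the loop together with `start_values`/`end_values`, or re-enable `ticktext` with labels derived from `data.iterrows()` directly. The cell starts outside the hunk.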
diff --git a/documentation/source/_ignore/stack_and_functions.csv b/documentation/source/_ignore/stack_and_functions.csv
index 475e541..eee5c5d 100644
--- a/documentation/source/_ignore/stack_and_functions.csv
+++ b/documentation/source/_ignore/stack_and_functions.csv
@@ -1,11 +1,13 @@
start,end,name,order,comment
-0,131072,BootROM,,
-704,21184,BL1 boot entry point,ENTRY,
-25824,46304,Boot USB function,,
-75848,96328,bootrom authentication function,,
-103184,123664,BL1 boot function,,
-2146304,2166784,Frederic Destination pointer,,
-33689440,33689448,Boot USB return address,,
-33691000,33711480,Event buffer pointer,,
-33984512,34004992,First debugger location,,
-33992704,34013184,End of memory stack,,
+0x00000000,0x00020000,BootROM,,
+0x02020f60,0x02020f68,_boot_usb_ra,,
+0x00012848,0x000128e8,auth_bl1,,
+0x000064e0,0x0000658c,_boot_usb,,
+0x020c0000,0x020c0004,_frederic_dest_ptr,,
+0x000002c0,0x000002c4,_jump_bl1,,
+0x02022000,0x02024000,BL1,,
+0x02024000,0x02048000,BL31,,
+0x02048000,0x0206ed10,BL2,,
+0x02069000,0x0206f000,Debugger,,
+0x020c0000,0x020c7000,Debugger relocated,,
+0x0206ed10,0x02070000,End of readable memory space in buffer,,
\ No newline at end of file
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 62c17b1..9efc2d9 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -306,25 +306,20 @@ class ExynosDevice():
count += 1
- def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False):
+ def dump_memory(self, start: hex=0x0, end: hex=0x02070000, write=False):
"""
Dumps memory from the device.
Transfer XFER_BUFFER at 0x02021800, to: 0x02020F08. End of memory at 0x0206ffff.
"""
- # NOT WORKING YET
- transferred = ctypes.c_int()
dumped = b""
# Read data from memory
- for block in tqdm.tqdm(range(start, end, 0x200)):
- self.usb_write(p32(block-0x200))
- res = self.usb_read(0x200)
- dumped += res
-
- if write:
- filename = f"dump_{hex(start)}_{hex(end)}_{self.target}_{datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')}.bin"
- with open(filename, "wb") as f:
- f.write(dumped)
+ try:
+ for block in tqdm.tqdm(range(start, end, 0x6000)):
+ dump = self.cd.memdump_region(block, 0x6000)
+ dumped += dump
+ except:
+ print("Error reading memory, at block: ", hex(block))
return dumped
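Review bot: The bare `except:` around the read loop swallows KeyboardInterrupt and SystemExit along with USB errors, and the handler references `block`, which is unbound if the failure happens before the first iteration; use `except Exception:` and set `block = start` before the `try`. The loop also requests a full 0x6000 bytes for every block, so when `end - start` is not a multiple of 0x6000 the last call reads past `end`; clamp with `dump = self.cd.memdump_region(block, min(0x6000, end - block))`. The `write` parameter is still in the signature but is ignored now that the file-writing branch is gone, the docstring still says "End of memory at 0x0206ffff" while the default `end` became 0x02070000, and `start: hex` / `end: hex` annotate with the builtin function rather than `int`.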
@@ -402,26 +397,6 @@ class ExynosDevice():
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
- def relocate_debugger_3(self):
- """
- Relocate debugger to 0x0201a000, 0x0201c000, 0x0201a000
- """
- if os.getenv("USER") == "eljakim":
- debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger_0x0201a000.bin", "rb").read()
- else:
- try:
- debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
- except Exception as e:
- print(f'Are you missing your debugger? Please ensure it is present in dump/debugger_0x0201a000.bin. {e}')
- sys.exit(0)
-
- self.cd.memwrite_region(0x020c0000, debugger_reloc)
- # self.usb_write(b"FLSH") # Flush cache
- self.cd.restore_stack_and_jump(0x020c0000)
- assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
- self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
-
-
def dumb_interact(self, dump_imems=False):
'''
Room for playing around with the debugger on the phone.
@@ -599,8 +574,9 @@ class ExynosDevice():
logger.debug('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx()
- # self.relocate_debugger()
- DEBUGGER_ADDR = 0x2069000 #0x020c0000
+ # dumped = self.dump_memory(0x20000, 0x2070000)
+
+ DEBUGGER_ADDR = 0x2069000
### Overwrite boot_usb_ra to our debugger
self.cd.test_connection()
@@ -638,13 +614,13 @@ class ExynosDevice():
# BL1 is loaded, now authenticat and patch it
auth_bl1(DEBUGGER_ADDR)
self.usb_write(b"FLSH") # Flush cache
+
hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
jump_bl1(DEBUGGER_ADDR)
-
# ==== BL31 ====
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
@@ -658,45 +634,42 @@ class ExynosDevice():
time.sleep(2)
self.usb_read(0x200) # GiAs
+ # lr = self.cd.arch_dbg.state.LR
+ self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
+
+ # TODO patch verification
+
+
+ # self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
+
+
+
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.arch_dbg.state.X0 = 0x020347f0
# self.cd.arch_dbg.state.X1 = 0
# self.cd.restore_stack_and_jump(0x02030464)
self.cd.restore_stack_and_jump(lr)
- time.sleep(2)
- assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
-
- # ====== PATCHES TO BL31 here! ======
- self.cd.memwrite_region(0x02031008, b"ELH")
- # Jump into BL31
+ time.sleep(2)
+ self.usb_read(0x200) # GiAs
+ self.cd.memwrite_region(0x02031008, b"ELH")
+ # ====== PATCHES TO BL31 here! ======
+
+
+ # Jump BL31
self.cd.restore_stack_and_jump(0x02024010)
+
+
time.sleep(2)
self.connect_device()
- assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
- # print(self.cd.memdump_region(0x020200dc, 4))
- self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) #Sets jump/X1 address at X0 0x2048000 -> Entry point of BL2
-
- # Boot mode? Not sure whether its important (related to boot type at function 02023800?)
- # self.cd.memwrite_region(0x02020, p32(DEBUGGER_ADDR)) # Restore original boot flow
-
- # Jump into USB download function
- self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
-
- # WORKS
- self.cd.restore_stack_and_jump(hijacked_fun)
-
- # WORKING UNTIL HERE
+
+ # self.usb_read(0x200) # GiAs
+ # self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 3 BL2 ====
- BL2_FUN = 0x2048000
- bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
- # bl2 = bl2[:(0x02052bf4-0x02048000)] + b"00000000" + bl2[(0x02052bf4-0x02048000)+8:]
- self.send_normal_stage(bl2)
-
- # self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
+ self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
time.sleep(2)
self.connect_device()
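Review bot: `self.cd.restore_stack_and_jump(lr)` uses `lr`, but the only assignment visible in this hunk is the commented-out `# lr = self.cd.arch_dbg.state.LR`; unless `lr` is bound earlier in the method outside the hunk, this line raises NameError. The two `assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"` checks were replaced by unchecked `self.usb_read(0x200)  # GiAs` reads, so a debugger that did not return is only noticed after the subsequent writes; keeping the assertion matches the other stages in the file. `open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()` never closes the handle — use `with open(...) as f:`. The comment `# Resore oginal boot flow` should read `# Restore original boot flow`. The enclosing method starts and ends outside the hunk.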
@@ -704,6 +677,7 @@ class ExynosDevice():
# ==== Stage 4 ====
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
# Patching
+
# stage4_len = len(stage4)
# patch_len = len(b"USB RECOVERY MODE")
# patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))