From 5460d45bf93a87e33e9ad4bdd5639f91860be687 Mon Sep 17 00:00:00 2001 From: Eljakim Herrewijnen Date: Sun, 4 Aug 2024 11:48:31 +0200 Subject: [PATCH] stage1 seperation --- source/dwc3_test/Makefile | 17 ++++++ source/dwc3_test/Readme.md | 14 +++++ source/dwc3_test/dwc3.elf | Bin 0 -> 7920 bytes source/dwc3_test/dwc3.o | Bin 0 -> 1832 bytes source/dwc3_test/entry.S | 47 +++++++++++++++++ source/dwc3_test/entry.o | Bin 0 -> 848 bytes source/dwc3_test/memory_map.drawio.svg | 1 + source/dwc3_test/symbols.txt | 5 ++ source/dwc3_test/test_dwc3.c | 69 +++++++++++++++++++++++++ source/dwc3_test/test_dwc3.ld | 14 +++++ source/exploit/dump_bootrom.elf | Bin 896 -> 0 bytes 11 files changed, 167 insertions(+) create mode 100644 source/dwc3_test/Makefile create mode 100644 source/dwc3_test/Readme.md create mode 100755 source/dwc3_test/dwc3.elf create mode 100644 source/dwc3_test/dwc3.o create mode 100644 source/dwc3_test/entry.S create mode 100644 source/dwc3_test/entry.o create mode 100644 source/dwc3_test/memory_map.drawio.svg create mode 100644 source/dwc3_test/symbols.txt create mode 100644 source/dwc3_test/test_dwc3.c create mode 100644 source/dwc3_test/test_dwc3.ld delete mode 100644 source/exploit/dump_bootrom.elf diff --git a/source/dwc3_test/Makefile b/source/dwc3_test/Makefile new file mode 100644 index 0000000..28d2fe1 --- /dev/null +++ b/source/dwc3_test/Makefile 
@@ -0,0 +1,17 @@
+ifeq ($(ANDROID_NDK_ROOT),)
+$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
+endif
+
+CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
+AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
+OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
+LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
+
+#==================Target Samsung S7 (8890)==================
+CFLAGS_SAMSUNGS7 = -Os
+
+dwc3:
+ $(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
+ $(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
+ $(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
+ $(OBJCOPY) -O binary dwc3.elf dwc3.bin
diff --git a/source/dwc3_test/Readme.md b/source/dwc3_test/Readme.md
new file mode 100644
index 0000000..b4ac60d
--- /dev/null
+++ b/source/dwc3_test/Readme.md
@@ -0,0 +1,14 @@
+# Test DWC3
+Code used to interact with the DWC3 implemenatation in the Exynos 8890 bootrom. Left here as reference.
+
+## Size limitations
+This code can be compiled and pushed as first stage after running the exploit, but due to size limitations it is probably better to create a dedicated stage1 and do full send/recv in a second stage.
+
+## Building
+```bash
+export ANDROID_NDK_ROOT=$TOOLCHAINENV/android-ndk-r21_Linux
+make
+```
+
+This will result in a dwc3.bin file which can be pushed.
+
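Review bot: `CFLAGS_SAMSUNGS7 = -Os` compiles test_dwc3.c for a bare-metal payload that is later linked with `$(LD) -T test_dwc3.ld … --just-symbols=symbols.txt` and no libc, yet it passes neither `-ffreestanding` nor `-fno-builtin`; at `-Os` clang is allowed to recognise the byte-copy loop in `recv_data_cb` as a `memcpy` idiom and emit a call to a `memcpy` that nothing in this link provides, which only shows up as an unresolved symbol (or a silent mis-link if such a name is ever added to symbols.txt). I would change the line to `CFLAGS_SAMSUNGS7 = -Os -ffreestanding -fno-builtin -Wall -Wextra`. The `$(error …)` text asks for NDK version 20 while the Readme added in the same commit exports `android-ndk-r21_Linux`; pick one and state it in both places. The hunks for dwc3.elf, dwc3.o and entry.o commit artifacts this recipe regenerates, so a `.gitignore` covering `*.o`, `*.elf` and `*.bin` would keep them out of the history.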
diff --git a/source/dwc3_test/dwc3.elf b/source/dwc3_test/dwc3.elf new file mode 100755 index 0000000000000000000000000000000000000000..153138950c1b18fc7f5c7a8d230c93173583a341 GIT binary patch literal 7920 zcmeHMO>7%Q6n?wwq^*!35La!Xzy?}~E#YkJ{McNwrldk5D8;D|LY0>F?j{bhz3%SD zG&qvoiVDMtC_$zNl%|)~5(lJKs&e2*R7i+Zl|#=Il>^7rJ){!GyxE;i+@gQ zneTn`y_wIm7r*M{)N!8Uz<+qS4({wA&l60hiPH0Q;9^POG1Ciz%k9}s;mBL($D4<| zq#wakhj;&U^xg;7J$};n_%zEh2bcrQ0p_|L|Y^Nl>MH(E34X1j9Z3aNi@`iJH!e3offxMuqp))u(vN%^AXd|hqy zb1<@ZNnZI&=#PGJcVhX8{cwDt7?PbA7Gu^0z`ezKaFZ*9kCoQr(W!V)1(g3Z|!+w zo9wra+Haw51lR84Ak}>aQnQ6xWd8$wN0-Gw-8HOx7VG->Z9LZ>SnoX6s|V`&=V@1d zY?9yPw@#-4@Oef??K?RByVE(4F6x#!uZx4DDM^w>Q({)N4P7*gqLmmM9ZL*r5mC#l z#W}HTSoS>PshAW?ii0`FDcP?N4XK_$Y|b?2@`i0LSeg;j%)*dknt3g!&KHOB`Eud4 zl4X8mXpR_{#`SSEs|~AhH9MOyW|R6zLK+@VjOkLQRX6T_`TDB? z{i8^E276v_9`gEPM3+2q{1DvdpKwut35^N~GZ%j6~;ss&k6smofGs9uDYy=i*zP zx=D$CFp7?~7&GC>nV1B&qgoC)hV3Z&$66w$!4W++47O3!6sDW@1ENpZKJIF?$p zck8;kF0Y_2W(|duu?=UTgo>&T5VIExj+({jSYFKeBgZ)70C|B5xGVqA|35y5OUWJI z>7DvMAM`YDl4REt>Kc>b0DcHXB9pGi@6TTA!pP8<^W)Qq2>}k7PSXBxG?4Sx`7oLP m_pJq}KkG5J=>pPIChyc<4+eTX7kgO!8okKBP`)36_5TH#&vmK* literal 0 HcmV?d00001 
diff --git a/source/dwc3_test/dwc3.o b/source/dwc3_test/dwc3.o new file mode 100644 index 0000000000000000000000000000000000000000..bf81e162b085c496f6395244856eb2043e0ae558 GIT binary patch literal 1832 zcmbu9O=uHQ5XUD;YZV1WEeeXR&_hyiyGi9UPpe2~n%-^}~ZyxsS9=IGF| zXe0vuh`>u&o%s|X*S_kjbytNB%v>3MRk;T@N2*hiO7#dVEXN|<=hR0orrg^Wf!_7g z>fP_LZQZwj9$MJgsb&)GuynE$GLLJub8(m*nTtZUIyG2X8GiHhbxixbym`;ByQqgf z%%4S_eEp z4H3u^^Y=hCmr;xQr@B(8?n6=6=U;JOe!aO+J%2ydsl`e)1`F?Nwfg|KMpV@PhW_tb zZ3hh6mh0p#Dc+Y=6s0dK8M?)_RA#Q1N1l}xIU~h$oR_=< zJw19uKpu0Pu>$j)3D;z@=@fgo;}p!Cp0|4ng>rF!$#uq=$)%JsU=8SonbcFdF`8zh z8LKy~BnQ&{R=+;L3^SGL)l*p|A;p`m3=Lg4)u`*0?F8=kpJN82ZLm}eC%vnKwlIc| zbrM~}JCSTzLjex{g`Y>h6`~;FOQf;8VPG6>E1eg}DgTVfyCUoz!Ns&0UljbU2wWES zf#A=@e7mr8Fk02!DdM}Z&%l*}i-O~wfepeZb4B=_AwDTM>2wI6%&hRk`tt!Ed<%40 zXi)y9hFkytAbjd)V}O4VKJ^piKLii=<9|$u2kW-soJP1V$Sy1BGG~(<=p+}J&B3~E zrZrYlG>_{p*SM?O9!z+K#>yDha(E32%!M(=HD+5SCy&r&W?3^PMn^GF#ESs3?QkX^ zKYe~bs+d<1-Y}R(Djwq#C0w9ez?sK2DkqyzSFm)hYo-An3TysE_PEP+17z<;k!&+_ zH4VBfISE~pveMY+|NcKgfmjQXdGSy`g<|6IHt9O_h>;BrRZI?s76jiFrBFD`h?hiD z{=Fl8y3Ok;h{Hecbhbz%{5YmXUAm9K;kV=4OBnS1U|w?Vr=uPY=RQN)Dm5cuMl2vh I`waL02WHO{761SM literal 0 HcmV?d00001 diff --git a/source/dwc3_test/entry.S b/source/dwc3_test/entry.S new file mode 100644 index 0000000..3d4c757 --- /dev/null +++ b/source/dwc3_test/entry.S 
@@ -0,0 +1,47 @@ +start: + b main + +;.text +;.global rom_send +;rom_send: +; mov w1, #0x20000 // size +; mov w0, #0x0 // address +; bl usb_send +; ret +; +;.text +;.global usb_send +;usb_send: +; stp x29, x30, [sp,#-48]! +; mov w3, #0x0 +; bfxil w3, w1, #0, #24 +; mov w1, #0xc12 +; mov x29, sp +; stp x19, x20, [sp,#16] +; mov x5, #0xc834 +; mov w20, #0x1 +; movk x5, #0x1540, lsl #16 +; ldr x2, [x29,#40] +; mov x4, #0xc838 +; orr w6, w1, w20 +; movk x4, #0x1540, lsl #16 +; mov x19, #0xc83c +; movk x19, #0x1540, lsl #16 +; stp w3, w1, [x2,#8] +; mov w3, #0x406 +; stp w0, wzr, [x2] +; mov w0, w20 +; ldr x1, [x29,#40] +; strb w6, [x2,#12] +; ; mov x2, #0x27c8 +; str w1, [x5] +; mov w1, #0x1388 +; str wzr, [x4] +; str w3, [x19] +; ; blr x2 +; mov w0, w20 +; ldr w1, [x19] +; ldp x19, x20, [sp,#16] +; ldp x29, x30, [sp],#48 +; ret +; \ No newline at end of file diff --git a/source/dwc3_test/entry.o b/source/dwc3_test/entry.o new file mode 100644 index 0000000000000000000000000000000000000000..cfc037fa6b657a879d0579fb87669bfafc66cd97 GIT binary patch literal 848 zcmb<-^>JfjWMqH=MuzPS2p&w7f#Cv@paWRgfq@O8QpAyAK@bB&Ll6@K!;}Ne@z?%V z?_J3ZKNvfW^U#KonFgcr{C_gv8I5jVY zp|m&&!q6)&DJn@!V$dtD%mvXZ6?!1MDFv2515n%tHLw91|9)r|K!xF=Y(N%B3`8RX z2PkI>vLKL+9)2Lb=wcu(8BmKPKpY@o1!7Pva)3BM023DnveDfHlD`5XumE(mjzBe- Use^&x22}3^C=JpF3MX{?0TQ=c82|tP literal 0 HcmV?d00001 diff --git a/source/dwc3_test/memory_map.drawio.svg b/source/dwc3_test/memory_map.drawio.svg new file mode 100644 index 0000000..470727a --- /dev/null +++ b/source/dwc3_test/memory_map.drawio.svg @@ -0,0 +1 @@ +
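Review bot: The `;`-prefixed block after `b main` is very likely not a comment: for AArch64 ELF targets both GNU as and clang's integrated assembler use `//` as the comment marker and treat `;` as a statement separator, so `;.global usb_send`, `; stp x29, x30, [sp,#-48]!` and the rest are assembled into entry.o and a `usb_send`/`rom_send` that test_dwc3.c declares `extern` ends up actually defined (while the doubled `; ; blr x2` collapses to an empty statement, so the `sleep` call it was meant to make is silently gone). If the code is dead, delete it rather than carry forty lines of stale hand-assembled ROM glue; if it is kept as reference, wrap it in `#if 0` … `#endif` (the file is built through `$(CC) entry.S -c`, so the preprocessor runs) or switch the prefix to `//`. A header comment such as `// Stage-1 entry: first bytes of dwc3.bin at 0x02021800 (see test_dwc3.ld); jumps to main() without setting up a stack` would also tell the reader what `start` relies on. That a usable stack exists at entry is an assumption I cannot confirm from this hunk.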
dwc3.bin
\ No newline at end of file
diff --git a/source/dwc3_test/symbols.txt b/source/dwc3_test/symbols.txt
new file mode 100644
index 0000000..7d1870a
--- /dev/null
+++ b/source/dwc3_test/symbols.txt
@@ -0,0 +1,5 @@
+maybe_usb_setup_read = 0x00006f88;
+dwc3_ep0_start_trans = 0x0000791c;
+usb_event_handler = 0x00007bac;
+get_endpoint_recv_buffer = 0x00007a7c;
+sleep = 0x000027c8;
\ No newline at end of file
diff --git a/source/dwc3_test/test_dwc3.c b/source/dwc3_test/test_dwc3.c
new file mode 100644
index 0000000..4fbc8b1
--- /dev/null
+++ b/source/dwc3_test/test_dwc3.c
@@ -0,0 +1,69 @@
+#include 
+
+// Create external function at 0x00006f88
+extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
+extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
+extern int usb_event_handler(void);
+extern uint32_t get_endpoint_recv_buffer(char endpoint);
+extern void sleep(int endpoint,uint32_t timeout);
+extern void usb_send(uint32_t address,uint32_t size);
+extern void rom_send();
+
+#define recv_buffer 0x02021800 + 0x3000
+#define p_recv_buffer 0x02021800 + 0x2000
+#define data_received 0x02021800 + 0x2004
+
+void recv_data_cb(uint32_t endpoint, uint32_t len){
+ // Copies the data into the predetermined receive buffer and tells the event handler that the data was received
+ volatile void *dref = (void *)data_received;
+ char *dest_buf = (char *)recv_buffer;
+ void *rbuf = get_endpoint_recv_buffer(endpoint);
+ for(int i= 0; i < len; i++){
+ dest_buf[i] = *(char *)(void *)((int)rbuf + i);
+ }
+ *(uint8_t *)dref = 1; // Mark as ready
+}
+
+void recv_data(uint32_t address, uint32_t size){
+ volatile void *dref = (void *)data_received;
+ *(uint8_t *)dref = 0;
+ maybe_usb_setup_read(2, recv_data_cb, 0x200);
+ uint32_t rbuf = get_endpoint_recv_buffer(2);
+ dwc3_ep0_start_trans(2, rbuf, 0x200);
+ while(1){
+ usb_event_handler();
+ if(*(uint8_t *)dref == 1){
+ break;
+ }
+ }
+}
+
+void send_data_cb(uint32_t endpoint, uint32_t len){
+ // Tell event handler that the data was received
+ volatile void *dref = (void *)data_received;
+ *(uint8_t *)dref = 1; // Mark as ready
+}
+
+void send_data(uint32_t address, uint32_t size){
+ volatile void *dref = (void *)data_received;
+ *(uint8_t *)dref = 0;
+ maybe_usb_setup_read(0x1, send_data_cb, 0x200);
+ // uint32_t rbuf = get_endpoint_recv_buffer(1);
+ dwc3_ep0_start_trans(1, address, 0x200);
+ while(1){
+ usb_event_handler();
+ if(*(uint8_t *)dref == 1){
+ break;
+ }
+ }
+}
+
+
+int main() {
+
+ uint32_t count = 0;
+ while(1){
+ recv_data(recv_buffer, 0x200);
+ send_data(recv_buffer, 0x200);
+ }
+}
\ No newline at end of file
diff --git a/source/dwc3_test/test_dwc3.ld b/source/dwc3_test/test_dwc3.ld
new file mode 100644
index 0000000..d2991ee
--- /dev/null
+++ b/source/dwc3_test/test_dwc3.ld
@@ -0,0 +1,14 @@
+MEMORY {
+ ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
+}
+
+SECTIONS
+{
+ . = 0x02021800;
+ .text . : {
+ *(.text*)
+ *(.data*)
+ *(.rodata*)
+ } >ROM
+
+}
\ No newline at end of file
diff --git a/source/exploit/dump_bootrom.elf b/source/exploit/dump_bootrom.elf
deleted file mode 100644
index 570320d35fcafe2a3178b4fe6cf6799d645e7e78..0000000000000000000000000000000000000000
GIT binary patch
literal 0 HcmV?d00001 literal 896 zcmb<-^>JfjWMqH=MuzPS2p&w7f#Cp>paWRgfq|WYjlq#&K@bB&Ll83q!xSKWiGe}> z+TZHEE17{}$}tSaj!lh0f0-F3ehy|_*~&Kak_k|pb;Y7ji^Ls%varv*q{bkk#RB9{ z2C{{Lv@;8%=HZ5hAcqz5T#3UeHQUswhV62kViV_CBl*E!m z2EC->Vl-Pw=Sl;$fPBG*rquz;2SzFifcOs~qzGh!^rMH+6@(HL7J7)O17$fV&<`>X zTdduH+PVTtvjS<5A3=73fCPkM-~`g>ZU;#
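Review bot: The `volatile` on `volatile void *dref` is discarded at every use — `*(uint8_t *)dref = 0;` and `if(*(uint8_t *)dref == 1)` cast to a plain `uint8_t *`, so the ready-flag reads and writes in `recv_data`, `send_data` and both callbacks are ordinary accesses, and the busy-wait only reloads the flag because the opaque `usb_event_handler()` call sits in the loop; declare it as `volatile uint8_t *ready = (volatile uint8_t *)data_received;` and use `*ready` directly in all four functions. The address macros are unparenthesised (`#define recv_buffer 0x02021800 + 0x3000`), so `(char *)recv_buffer` expands to `(char *)0x02021800 + 0x3000` and `(void *)data_received` only compiles through the GNU void-pointer-arithmetic extension; write each as `#define recv_buffer (0x02021800 + 0x3000)`. `recv_data_cb` copies `len` bytes, a value handed in by the ROM, into a buffer that is neither sized nor inside the 0x1000 region test_dwc3.ld reserves, while `recv_data` and `send_data` ignore their `size` parameter (and `recv_data` its `address`) in favour of a hard-coded 0x200; at minimum clamp the copy with `if (len > 0x200) len = 0x200;` and either honour `size`/`address` or drop the parameters so the interface stops promising what it does not do. The callback shape `(uint32_t endpoint, uint32_t len)` and the argument order of `maybe_usb_setup_read`/`dwc3_ep0_start_trans` come from reverse engineering I cannot check here; a comment on the `extern` block saying what the ROM actually passes to the callback would spare the next reader the same guesswork.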
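Review bot: The `ROM` region is declared `LENGTH = 0x1000`, but the C file in this commit keeps its ready flag and receive buffer at `0x02021800 + 0x2000` and `+ 0x3000`, outside the region, so the only thing ld enforces is that the code stays under 0x1000 while nothing ties that limit to the scratch area the payload actually relies on; moving those offsets into the script as symbols the C code references, plus an `ASSERT(. <= 0x02021800 + 0x2000, "dwc3.bin overlaps its scratch area")` after the output section, would make the layout self-checking. The script has no `ENTRY(start)`, so ld.bfd falls back to its default and only the object order on the `$(LD)` line (`entry.o dwc3.o`) puts `start` at ORIGIN; `ENTRY(start)` costs one line and documents the intent. `*(.bss*)` and `*(COMMON)` are not listed either, so any zero-initialised global added later is placed as an orphan and, being absent from the `objcopy -O binary` image, never zeroed — worth a comment or an explicit `ASSERT(SIZEOF(.bss) == 0, "no bss support")` if that is the intended constraint.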