stage1 seperation

This commit is contained in:
Eljakim Herrewijnen 2024-08-04 11:48:31 +02:00
parent 913145a630
commit 5460d45bf9
11 changed files with 167 additions and 0 deletions

source/dwc3_test/Makefile Normal file
View File

@ -0,0 +1,17 @@
$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
#==================Target Samsung S7 (8890)==================
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
$(OBJCOPY) -O binary dwc3.elf dwc3.bin

View File

@ -0,0 +1,14 @@
# Test DWC3
Code used to interact with the DWC3 implemenatation in the Exynos 8890 bootrom. Left here as reference.
## Size limitations
This code can be compiled and pushed as first stage after running the exploit, but due to size limitations it is probably better to create a dedicated stage1 and do full send/recv in a second stage.
## Building
export ANDROID_NDK_ROOT=$TOOLCHAINENV/android-ndk-r21_Linux
This will result in a dwc3.bin file which can be pushed.

source/dwc3_test/dwc3.elf Executable file

Binary file not shown.

source/dwc3_test/dwc3.o Normal file

Binary file not shown.

source/dwc3_test/entry.S Normal file
View File

@ -0,0 +1,47 @@
b main
;.global rom_send
; mov w1, #0x20000 // size
; mov w0, #0x0 // address
; bl usb_send
; ret
;.global usb_send
; stp x29, x30, [sp,#-48]!
; mov w3, #0x0
; bfxil w3, w1, #0, #24
; mov w1, #0xc12
; mov x29, sp
; stp x19, x20, [sp,#16]
; mov x5, #0xc834
; mov w20, #0x1
; movk x5, #0x1540, lsl #16
; ldr x2, [x29,#40]
; mov x4, #0xc838
; orr w6, w1, w20
; movk x4, #0x1540, lsl #16
; mov x19, #0xc83c
; movk x19, #0x1540, lsl #16
; stp w3, w1, [x2,#8]
; mov w3, #0x406
; stp w0, wzr, [x2]
; mov w0, w20
; ldr x1, [x29,#40]
; strb w6, [x2,#12]
; ; mov x2, #0x27c8
; str w1, [x5]
; mov w1, #0x1388
; str wzr, [x4]
; str w3, [x19]
; ; blr x2
; mov w0, w20
; ldr w1, [x19]
; ldp x19, x20, [sp,#16]
; ldp x29, x30, [sp],#48
; ret

source/dwc3_test/entry.o Normal file

Binary file not shown.

View File

@ -0,0 +1 @@
<svg xmlns="" xmlns:xlink="" version="1.1" width="331px" height="501px" viewBox="-0.5 -0.5 331 501" content="&lt;mxfile host=&quot;04n1rgtnob7ebrhhg57mh2mjuh68d4qe61ncs1a2e1n2no0ifp02&quot; modified=&quot;2024-08-03T15:25:57.556Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.90.2 Chrome/122.0.6261.156 Electron/29.4.0 Safari/537.36&quot; etag=&quot;qrfqaNhvZ2EKgyu84jBL&quot; version=&quot;12.2.4&quot; pages=&quot;1&quot;&gt;&lt;diagram id=&quot;gqACR7wqsjUV6d_h3Wmy&quot; name=&quot;Page-1&quot;&gt;tZTBcoMgEEC/xmsHpRq91qbppacceiawKlMUB0k0/fpihKijnbYz9iS+3QX2weDhtOwOitTFm2QgvACxzsPPXhD4QZKYT0+uAwkTNIBccWaTRnDkn2ChSztzBs0sUUspNK/nkMqqAqpnjCgl23laJsV81ZrksABHSsSSvnOmi4HGIRr5K/C8cCv7yEZK4pItaArCZDtBeO/hVEmph1HZpSB6ec7LUPfyTfS+MQWV/k1BMBRciDjb3uy+9NU1q+S5YtDnIw8/tQXXcKwJ7aOtOV7DCl0K8+ebYcaFSKWQ6laLswwiSg1vtJIfMImwXXJC/YTLHdsmLqA0dBNkOziALEGrq0lx0djatNfJyW3Hs8HYsmJyLqE7FmLvQ36felRmBtbaukH8vwYZgThbNRjRGE7ZRgaTucFkxaC/YhBHGxh8XBhkLcUPJ15tahJ8FsJuzWQS7TCJtjEZoB9N3tn8Lv5ZpPkdH4pbbPLc4v0X&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="0" y="0" width="330" height="500" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><rect x="10" y="70" width="310" height="360" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><rect x="20" y="70" width="290" height="50" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(141.5,88.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="47" height="12"><div xmlns="" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 48px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">dwc3.bin</div></div></foreignObject></g></g></svg>


(image error) Size: 1.9 KiB

View File

@ -0,0 +1,5 @@
maybe_usb_setup_read = 0x00006f88;
dwc3_ep0_start_trans = 0x0000791c;
usb_event_handler = 0x00007bac;
get_endpoint_recv_buffer = 0x00007a7c;
sleep = 0x000027c8;

View File

@ -0,0 +1,69 @@
#include <stdint.h>
// Create external function at 0x00006f88
extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
extern int usb_event_handler(void);
extern uint32_t get_endpoint_recv_buffer(char endpoint);
extern void sleep(int endpoint,uint32_t timeout);
extern void usb_send(uint32_t address,uint32_t size);
extern void rom_send();
#define recv_buffer 0x02021800 + 0x3000
#define p_recv_buffer 0x02021800 + 0x2000
#define data_received 0x02021800 + 0x2004
void recv_data_cb(uint32_t endpoint, uint32_t len){
// Copies the data into the predetermined receive buffer and tells the event handler that the data was received
volatile void *dref = (void *)data_received;
char *dest_buf = (char *)recv_buffer;
void *rbuf = get_endpoint_recv_buffer(endpoint);
for(int i= 0; i < len; i++){
dest_buf[i] = *(char *)(void *)((int)rbuf + i);
*(uint8_t *)dref = 1; // Mark as ready
void recv_data(uint32_t address, uint32_t size){
volatile void *dref = (void *)data_received;
*(uint8_t *)dref = 0;
maybe_usb_setup_read(2, recv_data_cb, 0x200);
uint32_t rbuf = get_endpoint_recv_buffer(2);
dwc3_ep0_start_trans(2, rbuf, 0x200);
if(*(uint8_t *)dref == 1){
void send_data_cb(uint32_t endpoint, uint32_t len){
// Tell event handler that the data was received
volatile void *dref = (void *)data_received;
*(uint8_t *)dref = 1; // Mark as ready
void send_data(uint32_t address, uint32_t size){
volatile void *dref = (void *)data_received;
*(uint8_t *)dref = 0;
maybe_usb_setup_read(0x1, send_data_cb, 0x200);
// uint32_t rbuf = get_endpoint_recv_buffer(1);
dwc3_ep0_start_trans(1, address, 0x200);
if(*(uint8_t *)dref == 1){
int main() {
uint32_t count = 0;
recv_data(recv_buffer, 0x200);
send_data(recv_buffer, 0x200);

View File

@ -0,0 +1,14 @@
ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
. = 0x02021800;
.text . : {
} >ROM

Binary file not shown.