stage1 seperation
This commit is contained in:
parent
913145a630
commit
5460d45bf9
17
source/dwc3_test/Makefile
Normal file
17
source/dwc3_test/Makefile
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
ifeq ($(ANDROID_NDK_ROOT),)
|
||||||
|
$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
|
||||||
|
endif
|
||||||
|
|
||||||
|
CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
|
||||||
|
AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
|
||||||
|
OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
|
||||||
|
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
|
||||||
|
|
||||||
|
#==================Target Samsung S7 (8890)==================
|
||||||
|
CFLAGS_SAMSUNGS7 = -Os
|
||||||
|
|
||||||
|
dwc3:
|
||||||
|
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
|
||||||
|
$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
|
||||||
|
$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
|
||||||
|
$(OBJCOPY) -O binary dwc3.elf dwc3.bin
|
14
source/dwc3_test/Readme.md
Normal file
14
source/dwc3_test/Readme.md
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
# Test DWC3
|
||||||
|
Code used to interact with the DWC3 implemenatation in the Exynos 8890 bootrom. Left here as reference.
|
||||||
|
|
||||||
|
## Size limitations
|
||||||
|
This code can be compiled and pushed as first stage after running the exploit, but due to size limitations it is probably better to create a dedicated stage1 and do full send/recv in a second stage.
|
||||||
|
|
||||||
|
## Building
|
||||||
|
```bash
|
||||||
|
export ANDROID_NDK_ROOT=$TOOLCHAINENV/android-ndk-r21_Linux
|
||||||
|
make
|
||||||
|
```
|
||||||
|
|
||||||
|
This will result in a dwc3.bin file which can be pushed.
|
||||||
|
|
BIN
source/dwc3_test/dwc3.elf
Executable file
BIN
source/dwc3_test/dwc3.elf
Executable file
Binary file not shown.
BIN
source/dwc3_test/dwc3.o
Normal file
BIN
source/dwc3_test/dwc3.o
Normal file
Binary file not shown.
47
source/dwc3_test/entry.S
Normal file
47
source/dwc3_test/entry.S
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
start:
|
||||||
|
b main
|
||||||
|
|
||||||
|
;.text
|
||||||
|
;.global rom_send
|
||||||
|
;rom_send:
|
||||||
|
; mov w1, #0x20000 // size
|
||||||
|
; mov w0, #0x0 // address
|
||||||
|
; bl usb_send
|
||||||
|
; ret
|
||||||
|
;
|
||||||
|
;.text
|
||||||
|
;.global usb_send
|
||||||
|
;usb_send:
|
||||||
|
; stp x29, x30, [sp,#-48]!
|
||||||
|
; mov w3, #0x0
|
||||||
|
; bfxil w3, w1, #0, #24
|
||||||
|
; mov w1, #0xc12
|
||||||
|
; mov x29, sp
|
||||||
|
; stp x19, x20, [sp,#16]
|
||||||
|
; mov x5, #0xc834
|
||||||
|
; mov w20, #0x1
|
||||||
|
; movk x5, #0x1540, lsl #16
|
||||||
|
; ldr x2, [x29,#40]
|
||||||
|
; mov x4, #0xc838
|
||||||
|
; orr w6, w1, w20
|
||||||
|
; movk x4, #0x1540, lsl #16
|
||||||
|
; mov x19, #0xc83c
|
||||||
|
; movk x19, #0x1540, lsl #16
|
||||||
|
; stp w3, w1, [x2,#8]
|
||||||
|
; mov w3, #0x406
|
||||||
|
; stp w0, wzr, [x2]
|
||||||
|
; mov w0, w20
|
||||||
|
; ldr x1, [x29,#40]
|
||||||
|
; strb w6, [x2,#12]
|
||||||
|
; ; mov x2, #0x27c8
|
||||||
|
; str w1, [x5]
|
||||||
|
; mov w1, #0x1388
|
||||||
|
; str wzr, [x4]
|
||||||
|
; str w3, [x19]
|
||||||
|
; ; blr x2
|
||||||
|
; mov w0, w20
|
||||||
|
; ldr w1, [x19]
|
||||||
|
; ldp x19, x20, [sp,#16]
|
||||||
|
; ldp x29, x30, [sp],#48
|
||||||
|
; ret
|
||||||
|
;
|
BIN
source/dwc3_test/entry.o
Normal file
BIN
source/dwc3_test/entry.o
Normal file
Binary file not shown.
1
source/dwc3_test/memory_map.drawio.svg
Normal file
1
source/dwc3_test/memory_map.drawio.svg
Normal file
@ -0,0 +1 @@
|
|||||||
|
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="331px" height="501px" viewBox="-0.5 -0.5 331 501" content="<mxfile host="04n1rgtnob7ebrhhg57mh2mjuh68d4qe61ncs1a2e1n2no0ifp02" modified="2024-08-03T15:25:57.556Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.90.2 Chrome/122.0.6261.156 Electron/29.4.0 Safari/537.36" etag="qrfqaNhvZ2EKgyu84jBL" version="12.2.4" pages="1"><diagram id="gqACR7wqsjUV6d_h3Wmy" name="Page-1">tZTBcoMgEEC/xmsHpRq91qbppacceiawKlMUB0k0/fpihKijnbYz9iS+3QX2weDhtOwOitTFm2QgvACxzsPPXhD4QZKYT0+uAwkTNIBccWaTRnDkn2ChSztzBs0sUUspNK/nkMqqAqpnjCgl23laJsV81ZrksABHSsSSvnOmi4HGIRr5K/C8cCv7yEZK4pItaArCZDtBeO/hVEmph1HZpSB6ec7LUPfyTfS+MQWV/k1BMBRciDjb3uy+9NU1q+S5YtDnIw8/tQXXcKwJ7aOtOV7DCl0K8+ebYcaFSKWQ6laLswwiSg1vtJIfMImwXXJC/YTLHdsmLqA0dBNkOziALEGrq0lx0djatNfJyW3Hs8HYsmJyLqE7FmLvQ36felRmBtbaukH8vwYZgThbNRjRGE7ZRgaTucFkxaC/YhBHGxh8XBhkLcUPJ15tahJ8FsJuzWQS7TCJtjEZoB9N3tn8Lv5ZpPkdH4pbbPLc4v0X</diagram></mxfile>"><defs/><g><rect x="0" y="0" width="330" height="500" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><rect x="10" y="70" width="310" height="360" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><rect x="20" y="70" width="290" height="50" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(141.5,88.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="47" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 48px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">dwc3.bin</div></div></foreignObject></g></g></svg>
|
After (image error) Size: 1.9 KiB |
5
source/dwc3_test/symbols.txt
Normal file
5
source/dwc3_test/symbols.txt
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
maybe_usb_setup_read = 0x00006f88;
|
||||||
|
dwc3_ep0_start_trans = 0x0000791c;
|
||||||
|
usb_event_handler = 0x00007bac;
|
||||||
|
get_endpoint_recv_buffer = 0x00007a7c;
|
||||||
|
sleep = 0x000027c8;
|
69
source/dwc3_test/test_dwc3.c
Normal file
69
source/dwc3_test/test_dwc3.c
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
// Create external function at 0x00006f88
|
||||||
|
extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
|
||||||
|
extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
|
||||||
|
extern int usb_event_handler(void);
|
||||||
|
extern uint32_t get_endpoint_recv_buffer(char endpoint);
|
||||||
|
extern void sleep(int endpoint,uint32_t timeout);
|
||||||
|
extern void usb_send(uint32_t address,uint32_t size);
|
||||||
|
extern void rom_send();
|
||||||
|
|
||||||
|
#define recv_buffer 0x02021800 + 0x3000
|
||||||
|
#define p_recv_buffer 0x02021800 + 0x2000
|
||||||
|
#define data_received 0x02021800 + 0x2004
|
||||||
|
|
||||||
|
void recv_data_cb(uint32_t endpoint, uint32_t len){
|
||||||
|
// Copies the data into the predetermined receive buffer and tells the event handler that the data was received
|
||||||
|
volatile void *dref = (void *)data_received;
|
||||||
|
char *dest_buf = (char *)recv_buffer;
|
||||||
|
void *rbuf = get_endpoint_recv_buffer(endpoint);
|
||||||
|
for(int i= 0; i < len; i++){
|
||||||
|
dest_buf[i] = *(char *)(void *)((int)rbuf + i);
|
||||||
|
}
|
||||||
|
*(uint8_t *)dref = 1; // Mark as ready
|
||||||
|
}
|
||||||
|
|
||||||
|
void recv_data(uint32_t address, uint32_t size){
|
||||||
|
volatile void *dref = (void *)data_received;
|
||||||
|
*(uint8_t *)dref = 0;
|
||||||
|
maybe_usb_setup_read(2, recv_data_cb, 0x200);
|
||||||
|
uint32_t rbuf = get_endpoint_recv_buffer(2);
|
||||||
|
dwc3_ep0_start_trans(2, rbuf, 0x200);
|
||||||
|
while(1){
|
||||||
|
usb_event_handler();
|
||||||
|
if(*(uint8_t *)dref == 1){
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void send_data_cb(uint32_t endpoint, uint32_t len){
|
||||||
|
// Tell event handler that the data was received
|
||||||
|
volatile void *dref = (void *)data_received;
|
||||||
|
*(uint8_t *)dref = 1; // Mark as ready
|
||||||
|
}
|
||||||
|
|
||||||
|
void send_data(uint32_t address, uint32_t size){
|
||||||
|
volatile void *dref = (void *)data_received;
|
||||||
|
*(uint8_t *)dref = 0;
|
||||||
|
maybe_usb_setup_read(0x1, send_data_cb, 0x200);
|
||||||
|
// uint32_t rbuf = get_endpoint_recv_buffer(1);
|
||||||
|
dwc3_ep0_start_trans(1, address, 0x200);
|
||||||
|
while(1){
|
||||||
|
usb_event_handler();
|
||||||
|
if(*(uint8_t *)dref == 1){
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
|
||||||
|
uint32_t count = 0;
|
||||||
|
while(1){
|
||||||
|
recv_data(recv_buffer, 0x200);
|
||||||
|
send_data(recv_buffer, 0x200);
|
||||||
|
}
|
||||||
|
}
|
14
source/dwc3_test/test_dwc3.ld
Normal file
14
source/dwc3_test/test_dwc3.ld
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
MEMORY {
|
||||||
|
ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
|
||||||
|
}
|
||||||
|
|
||||||
|
SECTIONS
|
||||||
|
{
|
||||||
|
. = 0x02021800;
|
||||||
|
.text . : {
|
||||||
|
*(.text*)
|
||||||
|
*(.data*)
|
||||||
|
*(.rodata*)
|
||||||
|
} >ROM
|
||||||
|
|
||||||
|
}
|
Binary file not shown.
Loading…
Reference in New Issue
Block a user