Minor update to memory map and some documentation updates
This commit is contained in:
parent
d9d9ae332a
commit
5bf8cf0a7f
@ -310,7 +310,7 @@ Additionally we found a space at ``0x11207010``, while looking for bit flags in
|
||||
|
||||
Stage 4 - BL2
|
||||
=============
|
||||
This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
|
||||
This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
|
||||
|
||||
.. code:: bash
|
||||
MMU is 0x0 (0x1=enabled, 0x0=disabled)
|
||||
@ -320,3 +320,12 @@ This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
|
||||
SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
|
||||
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x1e42bb572931240b, MAIR_EL1: 0x44e048e000098aa4
|
||||
Current EL: 0xc
|
||||
|
||||
Stage 5 - BL33
|
||||
==============
|
||||
The last stage before the kernel boots.
|
||||
|
||||
.. figure:: images/bl31_debugger_memory_example.png
|
||||
:align: center
|
||||
|
||||
Boot chain with EL3 and EL1 areas
|
@ -205,3 +205,5 @@ SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
|
||||
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x9e42bf572931240b, MAIR_EL1: 0x44e048e000098aa4
|
||||
Current EL: 0xc
|
||||
|
||||
The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).
|
||||
|
||||
|
@ -5,17 +5,16 @@ start,end,name,order,comment,X0,LR
|
||||
0x000064e0,0x0000658c,_boot_usb,,,,
|
||||
0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
|
||||
0x000002c0,0x000002c4,_jump_bl1,,,,
|
||||
0x02022000,0x02024000,BL1,,,,
|
||||
0x02024000,0x02048000,BL31,,,,
|
||||
0x02022000,0x02023fff,BL1,,,,
|
||||
0x02024000,0x02047fff,BL31,,,,
|
||||
0x02048000,0x0206ed10,BL2,,,,
|
||||
0x02069000,0x0206f000,Debugger,,,,
|
||||
0x020c0000,0x020c7000,Debugger relocated,,,,
|
||||
0x02048000,0x0204daf0,BL2 empty space?,,,,
|
||||
0x0204eb00,0x0204eb00,BL2 copy start/source,,,,
|
||||
0x020c2000,0x020e8d10,BL2 load address?,,,,
|
||||
0x0206ed10,0x02070000,End/Start peripheral space?,,,,
|
||||
0x02019e5c,0x02020e5c,Tried debugger space,,,,
|
||||
0x020c2000,0x020e8d10,BL2 loaded to this address,,,,
|
||||
0x0206ed10,0x02070000,Open space. Has pointers written to.,,,,
|
||||
0x020C7800,0x020C8000,modem_interface,,,,
|
||||
0x14AC0000,0x14ac5000,mali@14AC0000,,,,
|
||||
0x02035600,0x02035608,TTBR0_EL3 address ptr,,,,
|
||||
0x11207010,0x11207010,memread/write space,,,,
|
||||
0x02035600,0x02035608,TTBR0_EL3,,,,
|
||||
0x11200000,0x11207000,Last relocated debugger,,,,
|
||||
0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,
|
@ -633,7 +633,7 @@ class ExynosDevice():
|
||||
|
||||
# Relocate debugger
|
||||
debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
|
||||
self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11201200, g_data_received=0x11201400)
|
||||
self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11203000, g_data_received=0x11204000)
|
||||
DEBUGGER_ADDR = 0x11200000
|
||||
|
||||
# Test debugger connection
|
||||
@ -771,13 +771,8 @@ class ExynosDevice():
|
||||
print(f'MAIR_EL3: {hex(self.cd.arch_dbg.state.MAIR_EL3)}, MAIR_EL2: {hex(self.cd.arch_dbg.state.MAIR_EL2)}, MAIR_EL1: {hex(self.cd.arch_dbg.state.MAIR_EL1)}')
|
||||
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
|
||||
|
||||
# Restore bootflow
|
||||
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
|
||||
|
||||
# Restore this to
|
||||
self.cd.restore_stack_and_jump(hijacked_fun)
|
||||
|
||||
# ==== Stage 5 ====
|
||||
#self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
|
||||
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
||||
|
||||
# Patching
|
||||
@ -789,12 +784,14 @@ class ExynosDevice():
|
||||
# assert len(stage4) == stage4_len, "Invalid stage4 length"
|
||||
|
||||
self.send_normal_stage(stage4)
|
||||
|
||||
self.cd.restore_stack_and_jump(hijacked_fun)
|
||||
time.sleep(2)
|
||||
|
||||
pass
|
||||
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
arg = argparse.ArgumentParser("Exynos exploit")
|
||||
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
|
||||
|
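Review bot: In the `@ -633` hunk `DEBUGGER_ADDR = 0x11200000` is assigned on the line after the `relocate_debugger(...)` call that already hard-codes the same address as `entry=0x11200000`, so the constant and the call can silently drift apart; move the assignment above the call and pass `entry=DEBUGGER_ADDR`. The `storage=0x11203000` and `g_data_received=0x11204000` values appear to be the new side and are unexplained magic numbers — a one-line comment saying why they moved away from `0x11201200`/`0x11201400` (the documentation hunk mentions a space limit on the relocated debugger, which may be the reason) would help the next reader. The `open(...).read()` on the line above never closes the file handle; `with open("../../dump/reloc_debugger_0x11200000.bin", "rb") as f: debugger = f.read()` closes it deterministically and keeps the relative path as is. In the `@ -789` hunk the `time.sleep(2)` after `self.cd.restore_stack_and_jump(hijacked_fun)` is a fixed delay with no comment on what it waits for, and the trailing `pass` is dead code. The enclosing method starts and ends outside these hunks.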