Minor update to memory map and some documentation updates

Jonathan Herrewijnen 2024-09-14 16:41:21 +02:00
parent d9d9ae332a
commit 5bf8cf0a7f
6 changed files with 26 additions and 19 deletions


@ -310,7 +310,7 @@ Additionally we found a space at ``0x11207010``, while looking for bit flags in
Stage 4 - BL2
=============
This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
.. code:: bash
MMU is 0x0 (0x1=enabled, 0x0=disabled)
@ -320,3 +320,12 @@ This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x1e42bb572931240b, MAIR_EL1: 0x44e048e000098aa4
Current EL: 0xc
Stage 5 - BL33
==============
The last stage before the kernel boots.
.. figure:: images/bl31_debugger_memory_example.png
:align: center
Boot chain with EL3 and EL1 areas


@ -205,3 +205,5 @@ SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x9e42bf572931240b, MAIR_EL1: 0x44e048e000098aa4
Current EL: 0xc
The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).


@ -5,17 +5,16 @@ start,end,name,order,comment,X0,LR
0x000064e0,0x0000658c,_boot_usb,,,,
0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
0x000002c0,0x000002c4,_jump_bl1,,,,
0x02022000,0x02024000,BL1,,,,
0x02024000,0x02048000,BL31,,,,
0x02022000,0x02023fff,BL1,,,,
0x02024000,0x02047fff,BL31,,,,
0x02048000,0x0206ed10,BL2,,,,
0x02069000,0x0206f000,Debugger,,,,
0x020c0000,0x020c7000,Debugger relocated,,,,
0x02048000,0x0204daf0,BL2 empty space?,,,,
0x0204eb00,0x0204eb00,BL2 copy start/source,,,,
0x020c2000,0x020e8d10,BL2 load address?,,,,
0x0206ed10,0x02070000,End/Start peripheral space?,,,,
0x02019e5c,0x02020e5c,Tried debugger space,,,,
0x020c2000,0x020e8d10,BL2 loaded to this address,,,,
0x0206ed10,0x02070000,Open space. Has pointers written to.,,,,
0x020C7800,0x020C8000,modem_interface,,,,
0x14AC0000,0x14ac5000,mali@14AC0000,,,,
0x02035600,0x02035608,TTBR0_EL3 address ptr,,,,
0x11207010,0x11207010,memread/write space,,,,
0x02035600,0x02035608,TTBR0_EL3,,,,
0x11200000,0x11207000,Last relocated debugger,,,,
0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,
1 start end name order comment X0 LR
5 0x000064e0 0x0000658c _boot_usb
6 0x020c0000 0x020c0004 _frederic_dest_ptr
7 0x000002c0 0x000002c4 _jump_bl1
8 0x02022000 0x02024000 0x02023fff BL1
9 0x02024000 0x02048000 0x02047fff BL31
10 0x02048000 0x0206ed10 BL2
11 0x02069000 0x0206f000 Debugger
12 0x020c0000 0x020c7000 Debugger relocated
13 0x02048000 0x0204daf0 BL2 empty space?
14 0x0204eb00 0x020c2000 0x0204eb00 0x020e8d10 BL2 copy start/source BL2 loaded to this address
15 0x020c2000 0x0206ed10 0x020e8d10 0x02070000 BL2 load address? Open space. Has pointers written to.
0x0206ed10 0x02070000 End/Start peripheral space?
0x02019e5c 0x02020e5c Tried debugger space
16 0x020C7800 0x020C8000 modem_interface
17 0x14AC0000 0x14ac5000 mali@14AC0000
18 0x02035600 0x02035608 TTBR0_EL3 address ptr TTBR0_EL3
19 0x11207010 0x11200000 0x11207010 0x11207000 memread/write space Last relocated debugger
20 0xa0000000 0xa0013fff Parts of BL2 in IMEM
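Review bot: The `end` column now mixes two conventions: the changed BL1 and BL31 rows use an inclusive last byte (`0x02022000,0x02023fff,BL1`, `0x02024000,0x02047fff,BL31`, matching the IMEM row `0xa0000000,0xa0013fff`), while the untouched rows and the other new rows (`0x02048000,0x0206ed10,BL2`, `0x020c2000,0x020e8d10,BL2 loaded to this address`, `0x0206ed10,0x02070000,Open space. Has pointers written to.`) keep an exclusive end. Anything that derives sizes or checks for overlap from this map will be off by one for roughly half the entries, so pick one convention for the whole file and state it (the `comment` column or the docs that reference this map are the natural place). Separately, the new `0x020c2000,0x020e8d10,BL2 loaded to this address` row overlaps the existing `0x020c0000,0x020c7000,Debugger relocated` and `0x020C7800,0x020C8000,modem_interface` rows; if those regions are not live at the same time as the BL2 load, a short note in `comment` saying so would stop a reader from treating it as a clobber.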

File diff suppressed because one or more lines are too long

Binary file not shown.


@ -633,7 +633,7 @@ class ExynosDevice():
# Relocate debugger
debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11201200, g_data_received=0x11201400)
self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11203000, g_data_received=0x11204000)
DEBUGGER_ADDR = 0x11200000
# Test debugger connection
@ -771,13 +771,8 @@ class ExynosDevice():
print(f'MAIR_EL3: {hex(self.cd.arch_dbg.state.MAIR_EL3)}, MAIR_EL2: {hex(self.cd.arch_dbg.state.MAIR_EL2)}, MAIR_EL1: {hex(self.cd.arch_dbg.state.MAIR_EL1)}')
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
# Restore bootflow
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
# Restore this to
self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 5 ====
#self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
# Patching
@ -789,12 +784,14 @@ class ExynosDevice():
# assert len(stage4) == stage4_len, "Invalid stage4 length"
self.send_normal_stage(stage4)
self.cd.restore_stack_and_jump(hijacked_fun)
time.sleep(2)
pass
if __name__ == "__main__":
arg = argparse.ArgumentParser("Exynos exploit")
arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)