docs update and boot flow update

2024-12-07 20:58:35 +01:00 · 2024-12-07 20:58:35 +01:00 · 72a50cd648
commit 72a50cd648
parent a7a5bdeb7e
2 changed files with 34 additions and 1 deletions
--- a/documentation/source/BootROM_8890/05_notes.rst
+++ b/documentation/source/BootROM_8890/05_notes.rst
@ -291,4 +291,19 @@ If jumping into the boot BL33 function twice, the LDFW returns -. at the second
        [ERROR] Fail to load Secure payload
        => Return value : -.

+When continuing the boot flow by jumping into cf0052f8 after recovery boot

+.. code:: bash
+
+    U-Boot 2012.07-gc7c41ec14-dirty (Oct 23 2019 - 12:53:04) for SADK8890
+
+    CPU: Exynos8890 Rev2.0 [Samsung SOC on SMP Platform Base on ARM CortexA53]
+    MNGS_PLL = 1975MHz      APOLLO_PLL = 1481MHz    MIF_PLL = 1539MHz
+    BUS0_PLL = 1056MHz      BUS1_PLL = 800MHz       BUS2_PLL = 672MHz       BUS3_PLL = 1872MHz
+    MFC_PLL = 71MHz AUD_PLL = 494MHz        G3D_PLL = 650MHz        DISP_PLL = 63MHz
+
+    Board: SADK8890
+    DRAM:  6 GiB
+    ECT: PARA006o
+
+I dumped the contents of 0xcf4dfb28 to 60, which is a boot path information setter. Something in BL33 is setting this, because it is still empty (0xFF) after booting into BL2 and waiting for BL33.
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@ -793,6 +793,10 @@ class ExynosDevice():
        #if args.MIB3:
        #    self.cd.arch_dbg.state.LR = DEBUGGER_ADDR

+        if args.MIB3:
+            self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
+            self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
+
        self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage

        # ==== Stage 4 BL2 ====
@ -844,6 +848,10 @@ class ExynosDevice():
            # Modifying return values to continue boot flow
            #self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")

+        # Print boot info from cf4dfb28
+        print(self.cd.memdump_region(0xcf4dfb28, 0x32))
+
+        # Start boot from BL33
        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
        self.cd.restore_stack_and_jump(BL33_AUTH)

@ -852,7 +860,17 @@ class ExynosDevice():

        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR

-        self.write_uart(DEBUGGER_ADDR, 0xcf4dfb28)th
+        self.cd.arch_dbg.state.X0 = 0x0
+        self.cd.restore_stack_and_jump(0xcf05dd00)
+        self.connect_device()
+        self.usb_read(0x200)
+
+        # Print something over uart
+        self.write_uart(DEBUGGER_ADDR, 0xcf4dfb58)
+
+        # Try to continue the bootflow
+        self.cd.restore_stack_and_jump(0xcf0052f8)
+

        # NOT WORKING
        self.read_ufs(DEBUGGER_ADDR)