diff --git a/documentation/source/BootROM_8890/images/memory_layout.png b/documentation/source/BootROM_8890/images/memory_layout.png
new file mode 100644
index 0000000..3b924fc
Binary files /dev/null and b/documentation/source/BootROM_8890/images/memory_layout.png differ
diff --git a/documentation/source/_ignore/draw_boot.ipynb b/documentation/source/_ignore/draw_boot.ipynb
index 0d8cc14..eee3ddf 100644
--- a/documentation/source/_ignore/draw_boot.ipynb
+++ b/documentation/source/_ignore/draw_boot.ipynb
@@ -2,7 +2,7 @@
"cells": [
{
"cell_type": "code",
- "execution_count": 416,
+ "execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
@@ -20,7 +20,7 @@
},
{
"cell_type": "code",
- "execution_count": 417,
+ "execution_count": 2,
"metadata": {},
"outputs": [
{
@@ -49,6 +49,8 @@
"
name | \n",
" order | \n",
" comment | \n",
+ " X0 | \n",
+ " LR | \n",
" size | \n",
" overlap | \n",
" overlap_with | \n",
@@ -62,6 +64,8 @@
" BootROM | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 131072 | \n",
" True | \n",
" 0.0 | \n",
@@ -73,6 +77,8 @@
" _jump_bl1 | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 4 | \n",
" True | \n",
" 0.0 | \n",
@@ -84,6 +90,8 @@
" _boot_usb | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 172 | \n",
" True | \n",
" 0.0 | \n",
@@ -95,6 +103,8 @@
" auth_bl1 | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 160 | \n",
" True | \n",
" 0.0 | \n",
@@ -106,6 +116,8 @@
" Tried debugger space | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 28672 | \n",
" False | \n",
" 4.0 | \n",
@@ -117,6 +129,8 @@
" _boot_usb_ra | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 8 | \n",
" False | \n",
" 5.0 | \n",
@@ -128,6 +142,8 @@
" BL1 | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 8192 | \n",
" False | \n",
" 6.0 | \n",
@@ -139,6 +155,8 @@
" BL31 | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 147456 | \n",
" False | \n",
" 7.0 | \n",
@@ -150,6 +168,8 @@
" BL2 | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 158992 | \n",
" True | \n",
" 8.0 | \n",
@@ -161,6 +181,8 @@
" Debugger | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 24576 | \n",
" True | \n",
" 8.0 | \n",
@@ -172,6 +194,8 @@
" End/Start peripheral space? | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 4848 | \n",
" True | \n",
" 9.0 | \n",
@@ -183,6 +207,8 @@
" Debugger relocated | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 28672 | \n",
" True | \n",
" 11.0 | \n",
@@ -194,6 +220,8 @@
" _frederic_dest_ptr | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 4 | \n",
" True | \n",
" 11.0 | \n",
@@ -205,6 +233,8 @@
" modem_interface | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 2048 | \n",
" False | \n",
" 13.0 | \n",
@@ -216,6 +246,8 @@
" mali@14AC0000 | \n",
" NaN | \n",
" NaN | \n",
+ " NaN | \n",
+ " NaN | \n",
" 20480 | \n",
" False | \n",
" 14.0 | \n",
@@ -225,42 +257,42 @@
""
],
"text/plain": [
- " start end name order comment size \\\n",
- "0 0 131072 BootROM NaN NaN 131072 \n",
- "1 704 708 _jump_bl1 NaN NaN 4 \n",
- "2 25824 25996 _boot_usb NaN NaN 172 \n",
- "3 75848 76008 auth_bl1 NaN NaN 160 \n",
- "4 33660508 33689180 Tried debugger space NaN NaN 28672 \n",
- "5 33689440 33689448 _boot_usb_ra NaN NaN 8 \n",
- "6 33693696 33701888 BL1 NaN NaN 8192 \n",
- "7 33701888 33849344 BL31 NaN NaN 147456 \n",
- "8 33849344 34008336 BL2 NaN NaN 158992 \n",
- "9 33984512 34009088 Debugger NaN NaN 24576 \n",
- "10 34008336 34013184 End/Start peripheral space? NaN NaN 4848 \n",
- "11 34340864 34369536 Debugger relocated NaN NaN 28672 \n",
- "12 34340864 34340868 _frederic_dest_ptr NaN NaN 4 \n",
- "13 34371584 34373632 modem_interface NaN NaN 2048 \n",
- "14 346816512 346836992 mali@14AC0000 NaN NaN 20480 \n",
+ " start end name order comment X0 LR \\\n",
+ "0 0 131072 BootROM NaN NaN NaN NaN \n",
+ "1 704 708 _jump_bl1 NaN NaN NaN NaN \n",
+ "2 25824 25996 _boot_usb NaN NaN NaN NaN \n",
+ "3 75848 76008 auth_bl1 NaN NaN NaN NaN \n",
+ "4 33660508 33689180 Tried debugger space NaN NaN NaN NaN \n",
+ "5 33689440 33689448 _boot_usb_ra NaN NaN NaN NaN \n",
+ "6 33693696 33701888 BL1 NaN NaN NaN NaN \n",
+ "7 33701888 33849344 BL31 NaN NaN NaN NaN \n",
+ "8 33849344 34008336 BL2 NaN NaN NaN NaN \n",
+ "9 33984512 34009088 Debugger NaN NaN NaN NaN \n",
+ "10 34008336 34013184 End/Start peripheral space? NaN NaN NaN NaN \n",
+ "11 34340864 34369536 Debugger relocated NaN NaN NaN NaN \n",
+ "12 34340864 34340868 _frederic_dest_ptr NaN NaN NaN NaN \n",
+ "13 34371584 34373632 modem_interface NaN NaN NaN NaN \n",
+ "14 346816512 346836992 mali@14AC0000 NaN NaN NaN NaN \n",
"\n",
- " overlap overlap_with \n",
- "0 True 0.0 \n",
- "1 True 0.0 \n",
- "2 True 0.0 \n",
- "3 True 0.0 \n",
- "4 False 4.0 \n",
- "5 False 5.0 \n",
- "6 False 6.0 \n",
- "7 False 7.0 \n",
- "8 True 8.0 \n",
- "9 True 8.0 \n",
- "10 True 9.0 \n",
- "11 True 11.0 \n",
- "12 True 11.0 \n",
- "13 False 13.0 \n",
- "14 False 14.0 "
+ " size overlap overlap_with \n",
+ "0 131072 True 0.0 \n",
+ "1 4 True 0.0 \n",
+ "2 172 True 0.0 \n",
+ "3 160 True 0.0 \n",
+ "4 28672 False 4.0 \n",
+ "5 8 False 5.0 \n",
+ "6 8192 False 6.0 \n",
+ "7 147456 False 7.0 \n",
+ "8 158992 True 8.0 \n",
+ "9 24576 True 8.0 \n",
+ "10 4848 True 9.0 \n",
+ "11 28672 True 11.0 \n",
+ "12 4 True 11.0 \n",
+ "13 2048 False 13.0 \n",
+ "14 20480 False 14.0 "
]
},
- "execution_count": 417,
+ "execution_count": 2,
"metadata": {},
"output_type": "execute_result"
}
@@ -320,7 +352,7 @@
},
{
"cell_type": "code",
- "execution_count": 418,
+ "execution_count": 3,
"metadata": {},
"outputs": [
{
@@ -332,7 +364,7 @@
"data": [
{
"marker": {
- "color": "#c574e6"
+ "color": "#46d3f4"
},
"mode": "text",
"name": "BootROM",
@@ -348,7 +380,7 @@
},
{
"marker": {
- "color": "#c574e6"
+ "color": "#46d3f4"
},
"mode": "text",
"showlegend": false,
@@ -364,7 +396,7 @@
},
{
"marker": {
- "color": "#c574e6"
+ "color": "#46d3f4"
},
"mode": "text",
"showlegend": false,
@@ -380,7 +412,7 @@
},
{
"marker": {
- "color": "#094b47"
+ "color": "#05f11d"
},
"mode": "text",
"name": "_jump_bl1",
@@ -396,7 +428,7 @@
},
{
"marker": {
- "color": "#094b47"
+ "color": "#05f11d"
},
"mode": "text",
"showlegend": false,
@@ -412,7 +444,7 @@
},
{
"marker": {
- "color": "#094b47"
+ "color": "#05f11d"
},
"mode": "text",
"showlegend": false,
@@ -428,7 +460,7 @@
},
{
"marker": {
- "color": "#f3ff4d"
+ "color": "#15ef8e"
},
"mode": "text",
"name": "_boot_usb",
@@ -444,7 +476,7 @@
},
{
"marker": {
- "color": "#f3ff4d"
+ "color": "#15ef8e"
},
"mode": "text",
"showlegend": false,
@@ -460,7 +492,7 @@
},
{
"marker": {
- "color": "#f3ff4d"
+ "color": "#15ef8e"
},
"mode": "text",
"showlegend": false,
@@ -476,7 +508,7 @@
},
{
"marker": {
- "color": "#7e3e97"
+ "color": "#d1cb9b"
},
"mode": "text",
"name": "auth_bl1",
@@ -492,7 +524,7 @@
},
{
"marker": {
- "color": "#7e3e97"
+ "color": "#d1cb9b"
},
"mode": "text",
"showlegend": false,
@@ -508,7 +540,7 @@
},
{
"marker": {
- "color": "#7e3e97"
+ "color": "#d1cb9b"
},
"mode": "text",
"showlegend": false,
@@ -524,7 +556,7 @@
},
{
"marker": {
- "color": "#e36dac"
+ "color": "#bafebb"
},
"mode": "text",
"name": "Tried debugger space",
@@ -540,7 +572,7 @@
},
{
"marker": {
- "color": "#e36dac"
+ "color": "#bafebb"
},
"mode": "text",
"showlegend": false,
@@ -556,7 +588,7 @@
},
{
"marker": {
- "color": "#e36dac"
+ "color": "#bafebb"
},
"mode": "text",
"showlegend": false,
@@ -572,7 +604,7 @@
},
{
"marker": {
- "color": "#9d6e7f"
+ "color": "#b21068"
},
"mode": "text",
"name": "_boot_usb_ra",
@@ -588,7 +620,7 @@
},
{
"marker": {
- "color": "#9d6e7f"
+ "color": "#b21068"
},
"mode": "text",
"showlegend": false,
@@ -604,7 +636,7 @@
},
{
"marker": {
- "color": "#9d6e7f"
+ "color": "#b21068"
},
"mode": "text",
"showlegend": false,
@@ -620,7 +652,7 @@
},
{
"marker": {
- "color": "#48e551"
+ "color": "#d43e00"
},
"mode": "text",
"name": "BL1",
@@ -636,7 +668,7 @@
},
{
"marker": {
- "color": "#48e551"
+ "color": "#d43e00"
},
"mode": "text",
"showlegend": false,
@@ -652,7 +684,7 @@
},
{
"marker": {
- "color": "#48e551"
+ "color": "#d43e00"
},
"mode": "text",
"showlegend": false,
@@ -668,7 +700,7 @@
},
{
"marker": {
- "color": "#082a5a"
+ "color": "#2fcf29"
},
"mode": "text",
"name": "BL31",
@@ -684,7 +716,7 @@
},
{
"marker": {
- "color": "#082a5a"
+ "color": "#2fcf29"
},
"mode": "text",
"showlegend": false,
@@ -700,7 +732,7 @@
},
{
"marker": {
- "color": "#082a5a"
+ "color": "#2fcf29"
},
"mode": "text",
"showlegend": false,
@@ -716,7 +748,7 @@
},
{
"marker": {
- "color": "#12adbc"
+ "color": "#7ac7dc"
},
"mode": "text",
"name": "BL2",
@@ -732,7 +764,7 @@
},
{
"marker": {
- "color": "#12adbc"
+ "color": "#7ac7dc"
},
"mode": "text",
"showlegend": false,
@@ -748,7 +780,7 @@
},
{
"marker": {
- "color": "#12adbc"
+ "color": "#7ac7dc"
},
"mode": "text",
"showlegend": false,
@@ -764,7 +796,7 @@
},
{
"marker": {
- "color": "#afec87"
+ "color": "#1a256d"
},
"mode": "text",
"name": "Debugger",
@@ -780,7 +812,7 @@
},
{
"marker": {
- "color": "#afec87"
+ "color": "#1a256d"
},
"mode": "text",
"showlegend": false,
@@ -796,7 +828,7 @@
},
{
"marker": {
- "color": "#afec87"
+ "color": "#1a256d"
},
"mode": "text",
"showlegend": false,
@@ -812,7 +844,7 @@
},
{
"marker": {
- "color": "#680696"
+ "color": "#b0eb7f"
},
"mode": "text",
"name": "End/Start peripheral space?",
@@ -828,7 +860,7 @@
},
{
"marker": {
- "color": "#680696"
+ "color": "#b0eb7f"
},
"mode": "text",
"showlegend": false,
@@ -844,7 +876,7 @@
},
{
"marker": {
- "color": "#680696"
+ "color": "#b0eb7f"
},
"mode": "text",
"showlegend": false,
@@ -860,7 +892,7 @@
},
{
"marker": {
- "color": "#feeb63"
+ "color": "#e42eab"
},
"mode": "text",
"name": "Debugger relocated",
@@ -876,7 +908,7 @@
},
{
"marker": {
- "color": "#feeb63"
+ "color": "#e42eab"
},
"mode": "text",
"showlegend": false,
@@ -892,7 +924,7 @@
},
{
"marker": {
- "color": "#feeb63"
+ "color": "#e42eab"
},
"mode": "text",
"showlegend": false,
@@ -908,7 +940,7 @@
},
{
"marker": {
- "color": "#51c421"
+ "color": "#b86b0c"
},
"mode": "text",
"name": "_frederic_dest_ptr",
@@ -924,7 +956,7 @@
},
{
"marker": {
- "color": "#51c421"
+ "color": "#b86b0c"
},
"mode": "text",
"showlegend": false,
@@ -940,7 +972,7 @@
},
{
"marker": {
- "color": "#51c421"
+ "color": "#b86b0c"
},
"mode": "text",
"showlegend": false,
@@ -956,7 +988,7 @@
},
{
"marker": {
- "color": "#a8b579"
+ "color": "#625596"
},
"mode": "text",
"name": "modem_interface",
@@ -972,7 +1004,7 @@
},
{
"marker": {
- "color": "#a8b579"
+ "color": "#625596"
},
"mode": "text",
"showlegend": false,
@@ -988,7 +1020,7 @@
},
{
"marker": {
- "color": "#a8b579"
+ "color": "#625596"
},
"mode": "text",
"showlegend": false,
@@ -1004,7 +1036,7 @@
},
{
"marker": {
- "color": "#521205"
+ "color": "#5b6129"
},
"mode": "text",
"name": "mali@14AC0000",
@@ -1020,7 +1052,7 @@
},
{
"marker": {
- "color": "#521205"
+ "color": "#5b6129"
},
"mode": "text",
"showlegend": false,
@@ -1036,7 +1068,7 @@
},
{
"marker": {
- "color": "#521205"
+ "color": "#5b6129"
},
"mode": "text",
"showlegend": false,
@@ -1070,7 +1102,7 @@
},
"shapes": [
{
- "fillcolor": "#c574e6",
+ "fillcolor": "#46d3f4",
"layer": "below",
"line": {
"width": 2
@@ -1083,7 +1115,7 @@
"y1": 3.92
},
{
- "fillcolor": "#094b47",
+ "fillcolor": "#05f11d",
"layer": "below",
"line": {
"width": 2
@@ -1096,7 +1128,7 @@
"y1": 1.79
},
{
- "fillcolor": "#f3ff4d",
+ "fillcolor": "#15ef8e",
"layer": "below",
"line": {
"width": 2
@@ -1109,7 +1141,7 @@
"y1": 2.79
},
{
- "fillcolor": "#7e3e97",
+ "fillcolor": "#d1cb9b",
"layer": "below",
"line": {
"width": 2
@@ -1122,7 +1154,7 @@
"y1": 3.79
},
{
- "fillcolor": "#e36dac",
+ "fillcolor": "#bafebb",
"layer": "below",
"line": {
"width": 2
@@ -1135,7 +1167,7 @@
"y1": 4.92
},
{
- "fillcolor": "#9d6e7f",
+ "fillcolor": "#b21068",
"layer": "below",
"line": {
"width": 2
@@ -1148,7 +1180,7 @@
"y1": 5.92
},
{
- "fillcolor": "#48e551",
+ "fillcolor": "#d43e00",
"layer": "below",
"line": {
"width": 2
@@ -1161,7 +1193,7 @@
"y1": 6.92
},
{
- "fillcolor": "#082a5a",
+ "fillcolor": "#2fcf29",
"layer": "below",
"line": {
"width": 2
@@ -1174,7 +1206,7 @@
"y1": 7.92
},
{
- "fillcolor": "#12adbc",
+ "fillcolor": "#7ac7dc",
"layer": "below",
"line": {
"width": 2
@@ -1187,7 +1219,7 @@
"y1": 9.42
},
{
- "fillcolor": "#afec87",
+ "fillcolor": "#1a256d",
"layer": "below",
"line": {
"width": 2
@@ -1200,7 +1232,7 @@
"y1": 9.79
},
{
- "fillcolor": "#680696",
+ "fillcolor": "#b0eb7f",
"layer": "below",
"line": {
"width": 2
@@ -1213,7 +1245,7 @@
"y1": 10.79
},
{
- "fillcolor": "#feeb63",
+ "fillcolor": "#e42eab",
"layer": "below",
"line": {
"width": 2
@@ -1226,7 +1258,7 @@
"y1": 12.92
},
{
- "fillcolor": "#51c421",
+ "fillcolor": "#b86b0c",
"layer": "below",
"line": {
"width": 2
@@ -1239,7 +1271,7 @@
"y1": 12.79
},
{
- "fillcolor": "#a8b579",
+ "fillcolor": "#625596",
"layer": "below",
"line": {
"width": 2
@@ -1252,7 +1284,7 @@
"y1": 13.92
},
{
- "fillcolor": "#521205",
+ "fillcolor": "#5b6129",
"layer": "below",
"line": {
"width": 2
@@ -2281,6 +2313,16 @@
"\n",
"fig.show()"
]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Save to html\n",
+ "fig.write_html(\"stack_and_functions.html\")"
+ ]
}
],
"metadata": {
diff --git a/documentation/source/_ignore/stack_and_functions.csv b/documentation/source/_ignore/stack_and_functions.csv
index fd87a20..e08664f 100644
--- a/documentation/source/_ignore/stack_and_functions.csv
+++ b/documentation/source/_ignore/stack_and_functions.csv
@@ -1,16 +1,16 @@
-start,end,name,order,comment
-0x00000000,0x00020000,BootROM,,
-0x02020f60,0x02020f68,_boot_usb_ra,,
-0x00012848,0x000128e8,auth_bl1,,
-0x000064e0,0x0000658c,_boot_usb,,
-0x020c0000,0x020c0004,_frederic_dest_ptr,,
-0x000002c0,0x000002c4,_jump_bl1,,
-0x02022000,0x02024000,BL1,,
-0x02024000,0x02048000,BL31,,
-0x02048000,0x0206ed10,BL2,,
-0x02069000,0x0206f000,Debugger,,
-0x020c0000,0x020c7000,Debugger relocated,,
-0x0206ed10,0x02070000,End/Start peripheral space?,,
-0x02019e5c,0x02020e5c,Tried debugger space,,
-0x020C7800,0x020C8000,modem_interface,,
-0x14AC0000,0x14ac5000,mali@14AC0000
\ No newline at end of file
+start,end,name,order,comment,X0,LR
+0x00000000,0x00020000,BootROM,,,,
+0x02020f60,0x02020f68,_boot_usb_ra,,,,
+0x00012848,0x000128e8,auth_bl1,,,,
+0x000064e0,0x0000658c,_boot_usb,,,,
+0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
+0x000002c0,0x000002c4,_jump_bl1,,,,
+0x02022000,0x02024000,BL1,,,,
+0x02024000,0x02048000,BL31,,,,
+0x02048000,0x0206ed10,BL2,,,,
+0x02069000,0x0206f000,Debugger,,,,
+0x020c0000,0x020c7000,Debugger relocated,,,,
+0x0206ed10,0x02070000,End/Start peripheral space?,,,,
+0x02019e5c,0x02020e5c,Tried debugger space,,,,
+0x020C7800,0x020C8000,modem_interface,,,,
+0x14AC0000,0x14ac5000,mali@14AC0000,,,,
\ No newline at end of file
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 9efc2d9..af1a0be 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -321,6 +321,26 @@ class ExynosDevice():
except:
print("Error reading memory, at block: ", hex(block))
return dumped
+
+
+ def check_mem_write_execute(self, region):
+ """
+ NOT WORKING YET
+
+ Write opcode to memory which jumps back immediatelly to the LR register at that moment.
+ """
+ # LR to jump back to:
+ lr = self.cd.arch_dbg.state.LR
+
+ # Write opcode
+ shellcode = f"""
+ ldr x0, target_addr
+ blr x0
+ target_addr: .quad {hex(lr)}
+ """
+ shellcode = ks.asm(shellcode, as_bytes=True)[0]
+ self.cd.memwrite_region(region, shellcode)
+ self.cd.jump_to(region)
def setup_guppy_debugger(self):
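Review bot: The docstring of `check_mem_write_execute` says the written code "jumps back immediatelly to the LR register", but the stub uses `blr x0`, which replaces LR with the address of the `target_addr` data word that follows it before branching, so the description and the instruction sequence do not agree and that discrepancy may be the reason behind "NOT WORKING YET". Since the method is referenced only from a commented-out call in a later hunk, make its status explicit, e.g. a docstring such as `Experimental, currently disabled: writes a small stub to *region* and branches to the LR captured from the debugger state; blr overwrites LR with the literal-pool address, so returning from the target is not supported yet.` `region` is undocumented and `memwrite_region` is unconditional, so the docstring should also state that the caller must pass scratch memory not occupied by the running debugger. Fix the typo "immediatelly" and restore the two blank lines before `setup_guppy_debugger`.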
@@ -339,14 +359,16 @@ class ExynosDevice():
def _initial_run_debugger():
"""Write debugger to device and test basic functionality"""
+ ### Setup debugger
if os.getenv("USER") == "eljakim":
- debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
+ debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
else:
try:
debugger = open("../../dump/debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
+
debugger += ((0x2000 - len(debugger)) * b"\x00")
assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
for block in range(0, len(debugger), 0x200):
@@ -363,39 +385,34 @@ class ExynosDevice():
_setup_debugger()
- def relocate_debugger(self):
- # Seems to be cleared upon cache clearing??
- if os.getenv("USER") == "eljakim":
- debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
- else:
- try:
- debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
- except Exception as e:
- print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
- sys.exit(0)
+ def relocate_debugger(self, debugger=None, entry=0x020c0000, storage=0x020c4000, g_data_received=0x020c6000):
+ """
+ Relocates the debugger to another location. Make sure to have built the debugger with the correct addresses!
- self.cd.memwrite_region(0x020c0000, debugger_reloc)
+ Args:
+ - debugger: The debugger to relocate. If None, it will use the default debugger.
+ - entry: The entry point of the debugger.
+ - storage: The storage location of the debugger.
+ - g_data_received: The location of the data received.
+ """
+ if debugger is None:
+ if os.getenv("USER") == "eljakim":
+ debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
+ else:
+ try:
+ debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
+ except Exception as e:
+ print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
+ sys.exit(0)
+ else:
+ debugger_reloc = debugger
+
+ self.cd.memwrite_region(entry, debugger_reloc)
# self.usb_write(b"FLSH") # Flush cache
- self.cd.restore_stack_and_jump(0x020c0000)
+ self.cd.restore_stack_and_jump(entry)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
- self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
+ self.cd.relocate_debugger(g_data_received+0x1000, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000
- def relocate_debugger_2(self):
- # Seems to be cleared upon cache clearing??
- if os.getenv("USER") == "eljakim":
- debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
- else:
- try:
- debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
- except Exception as e:
- print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
- sys.exit(0)
-
- self.cd.memwrite_region(0x020c0000, debugger_reloc)
- # self.usb_write(b"FLSH") # Flush cache
- self.cd.restore_stack_and_jump(0x020c0000)
- assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
- self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def dumb_interact(self, dump_imems=False):
'''
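Review bot: In `relocate_debugger` a missing `../../dump/reloc_debugger.bin` still ends the process with `sys.exit(0)`, which reports success to any calling script; use `sys.exit(1)` or `raise FileNotFoundError("reloc_debugger.bin not found in dump/") from e`, and the same applies to `_initial_run_debugger` in the previous hunk. The error text still names `dump/debugger.bin` although this branch reads `reloc_debugger.bin`. The blobs are read with `open(...).read()` and never closed; `with open(path, "rb") as f: debugger_reloc = f.read()` fixes that. The docstring's "built with the correct addresses" requirement is not checked and cannot be from the bytes alone, so state it as a precondition of `entry` (`entry must be the load address the blob was linked for; a mismatch is not detected here`), and turn the trailing `#0x20c7000, 0x20c0000, 0x20c4000` comment into a sentence saying these were the previously hard-coded arguments.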
@@ -560,13 +577,33 @@ class ExynosDevice():
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
-
+
+ def get_ttbr0_el3(self):
+ shellcode= f"""
+ mov x1, lr
+ mrs x0, ttbr0_el3
+ ldr x2, =0x020c1000
+ str x0, [x2]
+ mov lr, x1
+ ret
+ """
+ shellcode = ks.asm(shellcode, as_bytes=True)[0]
+ self.cd.memwrite_region(0x020c0000, shellcode)
+ self.cd.jump_to(0x020c0000)
+ ttbr0 = u64(self.cd.memdump_region(0x020c1000, 8))
+ print(f"TTBR0_EL3: {hex(ttbr0)}")
+ print(f"Bits: {ttbr0:064b}")
+
+ # Overwrite it with 0's
+ self.cd.memwrite_region(0x020c1000, b"\x00" * 8)
+ ttbr0 = self.cd.memdump_region(0x020c1000, 8)
+ assert ttbr0 == b"\x00" * 8, "TTBR0_EL3 not overwritten"
+
def debugger_boot(self):
"""
Boot into USB recovery mode using the debugger.
"""
- ### Setup debugger
self.setup_guppy_debugger()
self.cd.arch_dbg.state.auto_sync = False
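Review bot: The `assert ttbr0 == b"\x00" * 8, "TTBR0_EL3 not overwritten"` in `get_ttbr0_el3` only verifies that the scratch word at 0x020c1000 was cleared; the system register itself is never written, so the assertion message and the `# Overwrite it with 0's` comment claim more than the code checks (a constructed alternative: `"scratch word at 0x020c1000 not cleared"`). The method has no docstring; it should state that it runs a short `mrs` stub placed at 0x020c0000 and stores the result at 0x020c1000, and that both addresses are assumed to be free of the debugger currently in use, since `memwrite_region` is unconditional. Returning `ttbr0` instead of only printing it would let `debugger_boot`, which now calls this three times, compare the readings rather than scrape stdout. `mov x1, lr` / `mov lr, x1` are redundant because `mrs`, `ldr` and `str` do not modify LR, and `shellcode= f"""` wants a space before `=`.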
@@ -576,10 +613,17 @@ class ExynosDevice():
# dumped = self.dump_memory(0x20000, 0x2070000)
- DEBUGGER_ADDR = 0x2069000
+ DEBUGGER_ADDR = 0x2069000 # 0x2069000
+ self.get_ttbr0_el3()
+
+ # Relocate to other debugger
+ debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
+ self.relocate_debugger(debugger=debugger, entry=0x02048000, storage=0x02051000, g_data_received=0x02052000)
+ DEBUGGER_ADDR = 0x02048000
### Overwrite boot_usb_ra to our debugger
self.cd.test_connection()
+
hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
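Review bot: `debugger_boot` reads `../../dump/reloc_debugger_0x2019e5c.bin` and hands it to `relocate_debugger(..., entry=0x02048000, ...)`, whereas that method's docstring requires a blob built for its load address and the file name suggests it was built for 0x2019e5c; if the name is stale, rename the file, otherwise add a comment explaining why the two addresses differ. The unguarded `open(...).read()` also bypasses the missing-file handling that `relocate_debugger` provides for its default blob, so an absent dump surfaces as a raw `FileNotFoundError` on a relative path, and the handle is never closed; `with open("../../dump/reloc_debugger_0x2019e5c.bin", "rb") as f: debugger = f.read()`. The `# 0x2069000` comment on `DEBUGGER_ADDR = 0x2069000` repeats the literal and should either say what lives there (the initial debugger location, replaced by 0x02048000 a few lines later) or be dropped.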
@@ -623,6 +667,9 @@ class ExynosDevice():
# ==== BL31 ====
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+ self.get_ttbr0_el3()
+
+ # self.check_mem_write_execute(0x020c0000)
# Download next stage via ROM_DOWNLOAD_USB
lr = self.cd.arch_dbg.state.LR
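Review bot: The added `# self.check_mem_write_execute(0x020c0000)` is commented-out code next to an unconditional `self.get_ttbr0_el3()`; either remove it or make it a tracked item, e.g. `# TODO: check_mem_write_execute is not working yet, see its docstring`. Since `get_ttbr0_el3` is now called at several points in the boot sequence and only prints, a one-line comment here saying which stage the reading belongs to (`# TTBR0_EL3 after BL31 handed control back`) would make the console output attributable.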
@@ -635,38 +682,39 @@ class ExynosDevice():
self.usb_read(0x200) # GiAs
# lr = self.cd.arch_dbg.state.LR
- self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
-
- # TODO patch verification
-
-
- # self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
-
-
-
- # self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
- # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
- # self.cd.arch_dbg.state.X0 = 0x020347f0
- # self.cd.arch_dbg.state.X1 = 0
- # self.cd.restore_stack_and_jump(0x02030464)
+ # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
+
+ self.get_ttbr0_el3()
+
self.cd.restore_stack_and_jump(lr)
time.sleep(2)
self.usb_read(0x200) # GiAs
self.cd.memwrite_region(0x02031008, b"ELH")
- # ====== PATCHES TO BL31 here! ======
+
+ # trampoline = self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br") # Keep LR
+ # self.cd.memwrite_region(0x02024020, trampoline)
+ # ====== PATCHES TO BL31 here! ======
+
+ # Relocate to other debugger
+ # debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
+ # self.relocate_debugger(debugger=debugger, entry=0x14AC0000, storage=0x14AC3000, g_data_received=0x14AC4000)
+ # DEBUGGER_ADDR = 0x14AC0000
# Jump BL31
+ self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+ self.cd.memwrite_region(0x20219b8, p32(DEBUGGER_ADDR))
+ # self.cd.restore_stack_and_jump(hijacked_fun)
+
self.cd.restore_stack_and_jump(0x02024010)
-
time.sleep(2)
self.connect_device()
-
- # self.usb_read(0x200) # GiAs
- # self.cd.restore_stack_and_jump(hijacked_fun)
+ self.usb_read(0x200) # GiAs
+ self.cd.arch_dbg.fetch_special_regs()
+
# ==== Stage 3 BL2 ====
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())