usb stack likely not executable
parent
99385d69e9
commit
a8aed2e480
@ -78,6 +78,9 @@ class ExynosDevice():
|
|||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
else:
|
else:
|
||||||
raise e
|
raise e
|
||||||
|
|
||||||
|
# claim usb interface
|
||||||
|
self.handle.claimInterface(0)
|
||||||
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
||||||
|
|
||||||
def write(self, data):
|
def write(self, data):
|
||||||
@ -356,6 +359,9 @@ class ExynosDevice():
|
|||||||
# Try loading bl1
|
# Try loading bl1
|
||||||
bl1 = open("../S7/bl1.bin", "rb").read()
|
bl1 = open("../S7/bl1.bin", "rb").read()
|
||||||
|
|
||||||
|
# Using keystone, look for each msr instruction (AARCH64, LE)
|
||||||
|
|
||||||
|
|
||||||
# If wanting to modify the binary
|
# If wanting to modify the binary
|
||||||
# bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
|
# bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
|
||||||
|
|
||||||
@ -383,9 +389,7 @@ class ExynosDevice():
|
|||||||
|
|
||||||
# Overwrite jump back to the debugger from functions encountered during jump_bl1
|
# Overwrite jump back to the debugger from functions encountered during jump_bl1
|
||||||
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
|
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
|
||||||
|
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
|
||||||
#
|
|
||||||
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger, at function
|
|
||||||
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
||||||
|
|
||||||
def hijack_brom_weird():
|
def hijack_brom_weird():
|
||||||
@ -400,54 +404,40 @@ class ExynosDevice():
|
|||||||
jump_bl1(0x020c0000)
|
jump_bl1(0x020c0000)
|
||||||
while True:
|
while True:
|
||||||
try:
|
try:
|
||||||
logging.debug(f'Within jump_bl1')
|
|
||||||
resp = self.usb_read(0x200)
|
resp = self.usb_read(0x200)
|
||||||
|
logging.debug(f'Within jump_bl1. Response: {resp}.')
|
||||||
if self.cd.arch_dbg.state.LR == 0x02022948:
|
if self.cd.arch_dbg.state.LR == 0x02022948:
|
||||||
break # ROM will load next stage over USB
|
break # ROM will load next stage over USB
|
||||||
hijack_brom_weird()
|
hijack_brom_weird()
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# TODO load bl31
|
shellcode = f"""
|
||||||
bl31 = open("../S7/bl31.bin", "rb").read()
|
ldr x0, debugger_addr
|
||||||
bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:]
|
blr x0
|
||||||
|
debugger_addr: .quad 0x020c0000
|
||||||
|
"""
|
||||||
|
|
||||||
# Write 0's to 0x02021800 to 0x0206ffff. Except for debugger location, at: 0x020c0000 to 0x020c6000
|
shellcode = ks.asm(shellcode, as_bytes=True)[0]
|
||||||
self.cd.memwrite_region(0x02021800, b"\x00" * 0x4E800)
|
self.cd.memwrite_region(0x2021800, shellcode)
|
||||||
|
|
||||||
self.cd.memwrite_region(0x02021800, bl31)
|
self.cd.jump_to(0x2021800)
|
||||||
|
|
||||||
imem_bl31_pre_auth = memdump_imem()
|
|
||||||
with open("/tmp/imem_bl31_pre_auth.bin", "wb") as f:
|
|
||||||
f.write(imem_bl31_pre_auth)
|
|
||||||
|
|
||||||
auth_bl1(0x020c0000)
|
|
||||||
|
|
||||||
imem_bl31_post_auth = memdump_imem()
|
|
||||||
with open("/tmp/imem_bl31_post_auth.bin", "wb") as f:
|
|
||||||
f.write(imem_bl31_post_auth)
|
|
||||||
|
|
||||||
# TEST JONATHAN
|
|
||||||
self.cd.jump_to(0x02021800)
|
|
||||||
self.cd.memwrite_region(0x020200e8, p32(0x020c0000))
|
|
||||||
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
|
||||||
|
|
||||||
# Patch bl31
|
|
||||||
# self.cd.jump_to(0x2069000)
|
|
||||||
# self.cd.memwrite_region(0x02021800 + 0x14, self.cd.arch_dbg.sc.branch_absolute(0x2069000))
|
|
||||||
# jump_bl1(0x2069000)
|
|
||||||
self.cd.jump_to(0x02021800 + 0x14)
|
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
# load bl31
|
||||||
|
bl31 = open("../S7/bl31.bin", "rb").read()
|
||||||
|
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
|
||||||
|
|
||||||
|
# # Write bl31 at 0x02021800 and authenticate
|
||||||
|
self.cd.memwrite_region(0x02021800, bl31)
|
||||||
|
auth_bl1(0x020c0000)
|
||||||
|
|
||||||
|
# Jump to bl31
|
||||||
|
jump_bl1(0x02021800)
|
||||||
|
pass
|
||||||
|
|
||||||
|
# OLD
|
||||||
|
|
||||||
# Overwrite jump back
|
|
||||||
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
|
|
||||||
|
|
||||||
|
|
||||||
def memdump_try():
|
def memdump_try():
|
||||||
self.cd.arch_dbg.state.LR = 0x020200e8
|
self.cd.arch_dbg.state.LR = 0x020200e8
|
||||||
|
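Review bot: The probe stub assembled from the new `shellcode` string puts its literal pool directly behind `blr x0`, so if the code at 0x020c0000 ever returns, execution runs into `debugger_addr: .quad 0x020c0000`, whose words (0x020c0000, 0x00000000) do not decode as meaningful AArch64 instructions, and the resulting fault would be indistinguishable from "0x2021800 is not executable". Terminate the stub before the data, e.g. `blr x0` / `brk #0` / `debugger_addr: .quad 0x020c0000`, or use `br x0` if the debugger is not expected to return. The new code also never observes the outcome of `self.cd.jump_to(0x2021800)` before the same region is overwritten with `bl31` and `auth_bl1(0x020c0000)` is called; a `self.usb_read(...)` with a timeout, or at least a log line, right after the jump would make the executability test this commit is about actually testable. `ks` is presumably keystone (per the new comment in the earlier hunk) but no import is visible, the `bl31` file handle is never closed (`with open(...) as f:`), and the two trailing `pass` statements are dead. The enclosing method starts before this hunk.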