usb stack likely not executable
This commit is contained in:
Jonathan Herrewijnen
parent
99385d69e9
commit
a8aed2e480
@ -78,6 +78,9 @@ class ExynosDevice():
|
||||
sys.exit(0)
|
||||
else:
|
||||
raise e
|
||||
|
||||
# claim usb interface
|
||||
self.handle.claimInterface(0)
|
||||
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
|
||||
|
||||
def write(self, data):
|
||||
@ -356,6 +359,9 @@ class ExynosDevice():
|
||||
# Try loading bl1
|
||||
bl1 = open("../S7/bl1.bin", "rb").read()
|
||||
|
||||
# Using keystone, look for each msr instruction (AARCH64, LE)
|
||||
|
||||
|
||||
# If wanting to modify the binary
|
||||
# bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
|
||||
|
||||
@ -383,9 +389,7 @@ class ExynosDevice():
|
||||
|
||||
# Overwrite jump back to the debugger from functions encountered during jump_bl1
|
||||
# self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
|
||||
|
||||
#
|
||||
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger, at function
|
||||
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
|
||||
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
||||
|
||||
def hijack_brom_weird():
|
||||
@ -400,54 +404,40 @@ class ExynosDevice():
|
||||
jump_bl1(0x020c0000)
|
||||
while True:
|
||||
try:
|
||||
logging.debug(f'Within jump_bl1')
|
||||
resp = self.usb_read(0x200)
|
||||
logging.debug(f'Within jump_bl1. Response: {resp}.')
|
||||
if self.cd.arch_dbg.state.LR == 0x02022948:
|
||||
break # ROM will load next stage over USB
|
||||
hijack_brom_weird()
|
||||
except:
|
||||
pass
|
||||
|
||||
# TODO load bl31
|
||||
bl31 = open("../S7/bl31.bin", "rb").read()
|
||||
bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:]
|
||||
shellcode = f"""
|
||||
ldr x0, debugger_addr
|
||||
blr x0
|
||||
debugger_addr: .quad 0x020c0000
|
||||
"""
|
||||
|
||||
# Write 0's to 0x02021800 to 0x0206ffff. Except for debugger location, at: 0x020c0000 to 0x020c6000
|
||||
self.cd.memwrite_region(0x02021800, b"\x00" * 0x4E800)
|
||||
shellcode = ks.asm(shellcode, as_bytes=True)[0]
|
||||
self.cd.memwrite_region(0x2021800, shellcode)
|
||||
|
||||
self.cd.memwrite_region(0x02021800, bl31)
|
||||
|
||||
imem_bl31_pre_auth = memdump_imem()
|
||||
with open("/tmp/imem_bl31_pre_auth.bin", "wb") as f:
|
||||
f.write(imem_bl31_pre_auth)
|
||||
|
||||
auth_bl1(0x020c0000)
|
||||
|
||||
imem_bl31_post_auth = memdump_imem()
|
||||
with open("/tmp/imem_bl31_post_auth.bin", "wb") as f:
|
||||
f.write(imem_bl31_post_auth)
|
||||
|
||||
# TEST JONATHAN
|
||||
self.cd.jump_to(0x02021800)
|
||||
self.cd.memwrite_region(0x020200e8, p32(0x020c0000))
|
||||
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
|
||||
|
||||
# Patch bl31
|
||||
# self.cd.jump_to(0x2069000)
|
||||
# self.cd.memwrite_region(0x02021800 + 0x14, self.cd.arch_dbg.sc.branch_absolute(0x2069000))
|
||||
# jump_bl1(0x2069000)
|
||||
self.cd.jump_to(0x02021800 + 0x14)
|
||||
self.cd.jump_to(0x2021800)
|
||||
pass
|
||||
|
||||
|
||||
# load bl31
|
||||
bl31 = open("../S7/bl31.bin", "rb").read()
|
||||
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
|
||||
|
||||
# # Write bl31 at 0x02021800 and authenticate
|
||||
self.cd.memwrite_region(0x02021800, bl31)
|
||||
auth_bl1(0x020c0000)
|
||||
|
||||
# Jump to bl31
|
||||
jump_bl1(0x02021800)
|
||||
pass
|
||||
|
||||
|
||||
|
||||
# Overwrite jump back
|
||||
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
|
||||
|
||||
# OLD
|
||||
|
||||
def memdump_try():
|
||||
self.cd.arch_dbg.state.LR = 0x020200e8
|
||||
|
||||
Loading…
Reference in New Issue
Block a user