diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst
new file mode 100644
index 0000000..f281a02
--- /dev/null
+++ b/documentation/source/BootROM_8890/boot_chain.rst
@@ -0,0 +1,13 @@
+=======
+Booting
+=======
+After exploitation the goal is to fully boot the device.
+
+debugger
+========
+Some other information about the debugger and it's current state.
+
+ROM
+---
+
+
diff --git a/documentation/source/BootROM_8890/index.rst b/documentation/source/BootROM_8890/index.rst
index a42c3a8..8a1d6d9 100644
--- a/documentation/source/BootROM_8890/index.rst
+++ b/documentation/source/BootROM_8890/index.rst
@@ -9,6 +9,8 @@ Protections
-----------
There are no stack canaries or guard pages, and no ASLR. Meaning there are almost no protections in place.
+Rom is at address 0x0 and is unwritable(Sometimes this is writeable due to MMU caching).
+
Samsung Firmware
----------------
Samsung releases firmware files for their devices. These files contain the bootloader, modem, and other firmware files.
diff --git a/documentation/source/index.rst b/documentation/source/index.rst
index 1dc5951..2f09656 100644
--- a/documentation/source/index.rst
+++ b/documentation/source/index.rst
@@ -12,5 +12,6 @@ Documentation on Samsung devices, currently mainly the Samsung S7.
:caption: BootROMs:
BootROM_8890/index.rst
+ BootROM_8890/boot_chain.rst
diff --git a/reven/SamsungS7.lock b/reven/SamsungS7.lock
index b791c8f..516725f 100644
--- a/reven/SamsungS7.lock
+++ b/reven/SamsungS7.lock
@@ -1,9 +1,9 @@
#Ghidra Lock File
-#Wed Jul 31 20:30:18 CEST 2024
+#Sat Aug 03 17:14:04 CEST 2024
OS\ Name=Linux
-OS\ Version=6.5.0-41-generic
+OS\ Version=6.5.0-44-generic
Username=eljakim
Hostname=levith
\ Supports\ File\ Channel\ Locking=Channel Lock
OS\ Architecture=amd64
-Timestamp=7/31/24, 8\:30 PM
+Timestamp=8/3/24, 5\:14 PM
diff --git a/reven/SamsungS7.rep/idata/00/00000002.prp b/reven/SamsungS7.rep/idata/00/00000002.prp
index e9d40f0..e9cbf94 100644
--- a/reven/SamsungS7.rep/idata/00/00000002.prp
+++ b/reven/SamsungS7.rep/idata/00/00000002.prp
@@ -2,14 +2,14 @@
-
+
-
+
-
+
-
-
+
+
diff --git a/reven/SamsungS7.rep/idata/00/~00000002.db/db.1.gbf b/reven/SamsungS7.rep/idata/00/~00000002.db/db.1.gbf
deleted file mode 100644
index d9ff928..0000000
Binary files a/reven/SamsungS7.rep/idata/00/~00000002.db/db.1.gbf and /dev/null differ
diff --git a/reven/SamsungS7.rep/idata/~index.bak b/reven/SamsungS7.rep/idata/~index.bak
index b1e697f..3dd0917 100644
--- a/reven/SamsungS7.rep/idata/~index.bak
+++ b/reven/SamsungS7.rep/idata/~index.bak
@@ -1,4 +1,11 @@
VERSION=1
/
-NEXT-ID:0
+ 00000002:8890_bootrom.bin:7f0119bc3142241939494339
+/mib3
+ 00000000:full_boot:7f0118059140616855428589
+/s7
+ 00000003:sboot.bin.2.bin:7f011ab837995028720085
+ 00000004:sboot.bin.3.bin:7f011872b8163836628792
+ 00000005:sboot.bin.4.bin:7f011842b8231996037592
+NEXT-ID:6
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/idata/~index.dat b/reven/SamsungS7.rep/idata/~index.dat
index 3d79cef..3dd0917 100644
--- a/reven/SamsungS7.rep/idata/~index.dat
+++ b/reven/SamsungS7.rep/idata/~index.dat
@@ -3,5 +3,9 @@ VERSION=1
00000002:8890_bootrom.bin:7f0119bc3142241939494339
/mib3
00000000:full_boot:7f0118059140616855428589
-NEXT-ID:3
+/s7
+ 00000003:sboot.bin.2.bin:7f011ab837995028720085
+ 00000004:sboot.bin.3.bin:7f011872b8163836628792
+ 00000005:sboot.bin.4.bin:7f011842b8231996037592
+NEXT-ID:6
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/idata/~journal.bak b/reven/SamsungS7.rep/idata/~journal.bak
deleted file mode 100644
index fbe0c2d..0000000
--- a/reven/SamsungS7.rep/idata/~journal.bak
+++ /dev/null
@@ -1,10 +0,0 @@
-FADD:/NewFolder
-FMV:/NewFolder:/mib3
-IADD:00000000:/mib3/fwbl1_a.bin
-IDSET:/mib3/fwbl1_a.bin:7f0118059140616855428589
-IMV:/mib3/fwbl1_a.bin:/mib3/full_boot
-IADD:00000001:/mib3/8890_bootrom.bin
-IDSET:/mib3/8890_bootrom.bin:7f011974d142238523757581
-IADD:00000002:/8890_bootrom.bin
-IDSET:/8890_bootrom.bin:7f0119bc3142241939494339
-IDEL:/mib3/8890_bootrom.bin
diff --git a/reven/SamsungS7.rep/user/00/~00000001.db/db.1.gbf b/reven/SamsungS7.rep/user/00/~00000001.db/db.1.gbf
deleted file mode 100644
index 9620672..0000000
Binary files a/reven/SamsungS7.rep/user/00/~00000001.db/db.1.gbf and /dev/null differ
diff --git a/reven/SamsungS7.rep/user/~index.bak b/reven/SamsungS7.rep/user/~index.bak
index b1e697f..f0bb25d 100644
--- a/reven/SamsungS7.rep/user/~index.bak
+++ b/reven/SamsungS7.rep/user/~index.bak
@@ -1,4 +1,8 @@
VERSION=1
/
-NEXT-ID:0
+ 00000000:udf_7f0118059140616855428589:7f0118d0b142268235940037
+ 00000003:udf_7f011872b8163836628792:7f011a9478217161533597
+ 00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
+ 00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
+NEXT-ID:4
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~index.dat b/reven/SamsungS7.rep/user/~index.dat
index 441e2e0..77d0dfb 100644
--- a/reven/SamsungS7.rep/user/~index.dat
+++ b/reven/SamsungS7.rep/user/~index.dat
@@ -1,5 +1,9 @@
VERSION=1
/
00000000:udf_7f0118059140616855428589:7f0118d0b142268235940037
-NEXT-ID:1
+ 00000004:udf_7f011842b8231996037592:7f01190f112184430945139
+ 00000003:udf_7f011872b8163836628792:7f011a9478217161533597
+ 00000001:udf_7f0119bc3142241939494339:7f011abb7142807435236045
+ 00000002:udf_7f011ab837995028720085:7f0118cdd8148515697603
+NEXT-ID:5
MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/reven/SamsungS7.rep/user/~journal.bak b/reven/SamsungS7.rep/user/~journal.bak
index c490adb..ae0f201 100644
--- a/reven/SamsungS7.rep/user/~journal.bak
+++ b/reven/SamsungS7.rep/user/~journal.bak
@@ -1,2 +1,2 @@
-IADD:00000000:/udf_7f0118059140616855428589
-IDSET:/udf_7f0118059140616855428589:7f0118d0b142268235940037
+IADD:00000004:/udf_7f011842b8231996037592
+IDSET:/udf_7f011842b8231996037592:7f01190f112184430945139
diff --git a/reven/SamsungS7.rep/user/~journal.dat b/reven/SamsungS7.rep/user/~journal.dat
deleted file mode 100644
index ca6f18b..0000000
--- a/reven/SamsungS7.rep/user/~journal.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-IADD:00000001:/udf_7f0119bc3142241939494339
-IDSET:/udf_7f0119bc3142241939494339:7f011abb7142807435236045
diff --git a/source/exploit/.gitignore b/source/exploit/.gitignore
index 59393d6..a782873 100644
--- a/source/exploit/.gitignore
+++ b/source/exploit/.gitignore
@@ -1,2 +1,4 @@
*.elf
-*.o
\ No newline at end of file
+*.o
+*.bin
+venv/
\ No newline at end of file
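Review bot: The rewritten ignore list still ends without a trailing newline after `venv/`, so the next pattern appended will again show up as a remove-and-re-add of the last line, as `*.o` does here; end the file with a newline. Separately, this `.gitignore` only applies under `source/exploit/`, while the same commit churns `reven/SamsungS7.lock` and the `~journal.*` / `~index.bak` files under `reven/SamsungS7.rep/`. The lock file records a username, hostname, kernel version and session timestamp, which looks like per-session Ghidra state rather than analysis results. If the project opens fine without them, consider a root-level ignore such as `reven/*.lock` plus the `~journal.*` and `~*.bak` files, and untrack the existing copies so workstation details stop being published with each commit.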
diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
index c52f88f..78a455b 100644
--- a/source/exploit/.vscode/launch.json
+++ b/source/exploit/.vscode/launch.json
@@ -18,6 +18,7 @@
"request": "launch",
"program": "exploit.py",
"console": "integratedTerminal",
+ "justMyCode": false,
"args": []
}
]
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index e20d448..c8b46ff 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -4,6 +4,8 @@ from keystone import *
from capstone import *
from ghidra_assistant.utils.utils import *
from ghidra_assistant.concrete_device import *
+from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_debugger
+from qiling.const import QL_ARCH
def p32(x):
return struct.pack("