Fully booting with ability to patch BL1
This commit is contained in:
parent
6bc9156cb6
commit
c4fac034a1
@ -597,38 +597,34 @@ class ExynosDevice():
|
|||||||
|
|
||||||
# Send boot stage 1
|
# Send boot stage 1
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
|
||||||
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
|
|
||||||
|
|
||||||
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
|
||||||
|
# BL1 is loaded, now authenticat and patch it
|
||||||
auth_bl1(DEBUGGER_ADDR)
|
auth_bl1(DEBUGGER_ADDR)
|
||||||
|
|
||||||
self.usb_write(b"FLSH") # Flush cache
|
self.usb_write(b"FLSH") # Flush cache
|
||||||
|
hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
|
||||||
# hijack rom recovery
|
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
|
||||||
# self.relocate_debugger()
|
|
||||||
# DEBUGGER_ADDR = 0x020c0000
|
|
||||||
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # Rom recovery
|
|
||||||
self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
|
|
||||||
|
|
||||||
jump_bl1(DEBUGGER_ADDR)
|
jump_bl1(DEBUGGER_ADDR)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# At this point BL1 has booted. Next up is BL31
|
||||||
|
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
|
||||||
|
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # To continue booting next stages
|
||||||
|
self.cd.restore_stack_and_jump(hijacked_fun)
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
|
||||||
# After booting bl1, back in debugger.
|
|
||||||
self.usb_read(0x200) # GiAs
|
|
||||||
self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)
|
|
||||||
|
|
||||||
# Load bl31
|
|
||||||
self.cd.restore_stack_and_jump(0x00006590)
|
|
||||||
# self.usb_read(0x200) # GiAs
|
|
||||||
|
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
||||||
time.sleep(1)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
time.sleep(1)
|
||||||
|
|
||||||
### WORKS UNTIL HERE. Unsure where we are in BL31 currently
|
### WORKS UNTIL HERE. Unsure where we are in BL31 currently
|
||||||
|
|
||||||
# Load BL3
|
# Load BL3
|
||||||
|
# self.usb_read(0x200) # GiAs
|
||||||
|
# self.cd.restore_stack_and_jump(hijacked_fun)
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
|
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
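Review bot: The new `assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"` after `jump_bl1(DEBUGGER_ADDR)` is the only guard before `memwrite_region` and `restore_stack_and_jump` act on the device, and `assert` is compiled away under `python -O`, so a device that never returned to the debugger would silently get its ROM pointer rewritten and be jumped into; make it an explicit check: `resp = self.usb_read(0x200)` / `if resp != b"GiAs":` / `    raise RuntimeError(f"Failed to jump back to debugger, got {resp!r}")` (the pre-existing assert at the top of the hunk has the same weakness). The address `0x020200dc` now appears three times in the hunk (the `u32(self.cd.memdump_region(0x020200dc, 4))` save, the `p32(DEBUGGER_ADDR)` hijack and the `p32(hijacked_fun)` restore), and the commit's own comment names it ROM_DOWNLOAD_USB, so one named constant such as `ROM_DOWNLOAD_USB_PTR = 0x020200dc` would keep the save and restore from drifting apart. The new comment `# BL1 is loaded, now authenticat and patch it` should read `authenticate`. The enclosing method begins before the hunk (the header only shows `class ExynosDevice()`), so whether the saved `hijacked_fun` is put back on an error path cannot be judged from this view.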