adds print screen binary. Not working for now

documentation/source/BootROM_8890/04_notes.rst

@@ -232,6 +232,30 @@ So, I've written something to dump the location of thte TTBR0_EL3 table, before
             df['TTBR0_EL3'] = [blub]
         df.to_pickle('ttbr0_el3.pkl')
 
-
+I tried modifying some code to write text to the screen. In order to view whether this would at all be possible, I tried modifying code that would alter the message printed when booting normally (it would print: USB RECOVERY MODE). But it would appear that this is already in space that is by then not accessible anymore. The 'str' function crashes the device. Doesn't really matter where I do this, but the space seems immutable.. The movz and movk is because I was having issues moving data into registers. 
+
+.. code:: python
+
+    # Write NOP from 0x8f008cb8 to 0x8f008d14 using self.cd.memwrite
+    for i in range(0x8f008cb8, 0x8f008d14, 4):
+        self.cd.memwrite_region(i, b'\x1f\x20\x03\xd5')
+    #self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
+
+    # Write opcode that writes 'aaaaaaaa' at 0x8f06ab10
+    shellcode = f"""
+    // Load the target address (0x8f06ab10) into x21
+    movz    x21, #0x8f06              // Load the high half of the address
+    movk    x21, #0xab10, lsl #16     // Load the low half of the address
+
+    // Load the value 'aaaa' (0x6161616161616161) into x22
+    movz    x20, #0xbeef
+
+    // Write the contents of x20 to the bytes where x21 points to
+    str    x20, [x21]
+    """
+    shellcode = ks.asm(shellcode, as_bytes=True)[0]
+    self.cd.memwrite_region(0x8f008cb8, shellcode)
+
+It would appear that I'm currently only able to modify code before executing any part of BL33. I'm as of yet unable to return to the debugger at any point in BL33. 
 
 

source/exploit/exploit.py

@@ -790,11 +790,18 @@ class ExynosDevice():
 
         # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)
         # Disable this to keep access to the debugger after senindg the next stage
+        self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY
+
         self.cd.restore_stack_and_jump(hijacked_fun)
 
         # ==== Stage 5  ====
         # Sends stage 5 (BL33) but returns to debugger after sending.
         stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
+
+        print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
+        off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
+        stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
+
         self.send_normal_stage(stage4)
         self.connect_device()
         self.usb_read(0x200) # GiAs
@@ -806,22 +813,63 @@ class ExynosDevice():
         print(self.cd.memdump_region(0x8f063710, 0x8))
 
         # Modify USB Recovyer mode string to: NFI Patched BL33
-        patch_string = b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33'
+        # patch_string = b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33'
-        # self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
+        # self.cd.memwrite_region(0x8f06ab10, patch_string)
 
         # Print state of x30/LR on screen
-        # self.cd.memwrite_region(0x8f01dc08, struct.pack('>I', 0xa40000f9))
+        self.cd.memwrite_region(0x8f063718, struct.pack('>I', 0x61616161))
 
-        # Write NOP from 0x8f008cb8 to 0x8f008d14
+        ### ==================== Writing nops to code cave
-        self.cd.memwrite_region(0x8f008cb8, b'\x1f\x20\x03\xd5' * 10)
+        # Write NOP from 0x8f008cb8 to 0x8f008d14 using self.cd.memwrite
+        for i in range(0x8f008cb8, 0x8f008d14, 4):
+            self.cd.memwrite_region(i, b'\x1f\x20\x03\xd5')
+        #self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
 
-        # Write opcode that writes 'aaaaaaaa' at 0x8f06ab10 +0x8
+        # Overwrite the data pointer showing 'USB Recovery Mode' to something else
-        shellcode = f"""
+        # self.cd.memwrite_region(0x8f01dc00, struct.pack('>I', 0x24080090))
-        mov x21, #0x1
-        """
-        shellcode = ks.asm(shellcode, as_bytes=True)[0]
-        self.cd.memwrite_region(0x8f008cb8, shellcode)
 
+        # Overwrite a str to a something else
+        # self.cd.memwrite_region(0x8f01dc28, struct.pack('>I', 0xe40300f9))
+
+        # Nop initial show usb recovery mode screen function
+        # self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0x1f2003d5))
+        self.cd.memwrite_region(0x8f022654, struct.pack('>I', 0xe4ff9fd2))
+
+        # Modify a mov function (0xffff into x4). If this is not nopped, or adjusted, the device will crash. But will try to continue booting (?)
+        self.cd.memwrite_region(0x8f022658, struct.pack('>I', 0x1f2003d5)) #0xe5031daa.
+
+        # Overwrite log function to display screen at end of nops
+        self.cd.memwrite_region(0x8f02265c, struct.pack('>I', 0xbbffff97)) #0xbbffff97
+        # ==================
+
+        # for i in range(0x8f008cd8, 0x8f008cf4, 4):
+        #     self.cd.memwrite_region(i, struct.pack('>I', 0x1f2003d5))
+
+        # # Write shellcode to set some contents on x0 to x5 registers
+        # shellcode = f"""
+        # // x5 is the address at x0
+        # mov x5, x0
+        # mov x0, 0x1234
+        # mov x1, 0x12
+        # mov x2, 0xffff
+        # mov x3, 0xffff
+        # mov x4, 0xffff
+        # bl      0x8f025fb8
+        # // ret
+        # """
+        # shellcode = ks.asm(shellcode, as_bytes=True)[0]
+        # self.cd.memwrite_region(0x8f008cd8, shellcode)
+        
+        # Nop a adrp towards 0x8f09a000
+        self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
+
+        # ODIN MODE to FACTORY mode
+        self.cd.memwrite_region(0x8f0114f8, struct.pack('>I', 0x82008052))
+        
+        # Nop a SMC call in BL2
+        self.cd.memwrite_region(0x02059650, struct.pack('>I', 0x1f2003d5))
+
+        # Jump into a different function that continues the boot flow (different than BL33_LR)
         self.cd.restore_stack_and_jump(0x02024e5c)
 
         pass

source/screen_print/Makefile

@@ -0,0 +1,18 @@
+ifeq ($(ANDROID_NDK_ROOT),)
+$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
+endif
+
+CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
+AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
+OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
+LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
+
+#==================Target Samsung S7 (8890)==================
+CFLAGS_SAMSUNGS7 = -Os # -Os for optimization for size
+
+print:
+	$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7) # -c compiles assembly code, and -o creates an object file (containing linking and symbol information)
+	$(CC) $(CFLAGS_SAMSUNGS7) -c test_print.c -o print.o # compiles test_print.c to print.o
+	$(LD) -T test_print.ld entry.o print.o -o print.elf --just-symbols=symbols.txt # -T for linker script, --just-symbols for symbols file
+	$(OBJCOPY) -O binary print.elf print.bin
+	

source/screen_print/entry.S

@@ -0,0 +1,2 @@
+start:
+    b notmain

source/screen_print/symbols.txt

@@ -0,0 +1 @@
+jh_print_to_screen = 0x8f0222d0;

source/screen_print/test_print.c

@@ -0,0 +1,16 @@
+#include <stdint.h>
+
+void jh_print_to_screen(int param_1,int param_2,int param_3,int param_4,int param_5,char *param_6,
+                       int param_7);
+
+// uint r_log(char *fmt,...);
+
+int notmain(char *msg, int msg_len){
+    // jh_print_to_screen(0x1234, 12, 0xfff, 0xfff, msg, msg_len, 2);
+    // volatile int a = 0;
+    // for(int i = 0; i < 100000; i++){
+    //     a++;
+    // }
+    // while(1);
+    return 0;
+}

source/screen_print/test_print.ld

@@ -0,0 +1,14 @@
+MEMORY {
+    ROM (rwx): ORIGIN = 0x8f007de8, LENGTH = 0x108
+}
+
+SECTIONS
+{
+     . = 0x8f007de8;
+     .text . : {
+          *(.text*)
+          *(.data*)
+          *(.rodata*)
+     } >ROM
+
+}