sending incorrect data now

Eljakim Herrewijnen 2024-08-02 19:53:33 +02:00
parent 10e4590faf
commit d40e818b33
2 changed files with 49 additions and 46 deletions


@ -1,46 +1,47 @@
start: start:
b main b main
.text ;.text
.global rom_send ;.global rom_send
rom_send: ;rom_send:
mov w1, #0x20000 // size ; mov w1, #0x20000 // size
mov w0, #0x0 // address ; mov w0, #0x0 // address
bl usb_send ; bl usb_send
ret ; ret
;
.text ;.text
.global usb_send ;.global usb_send
usb_send: ;usb_send:
stp x29, x30, [sp,#-48]! ; stp x29, x30, [sp,#-48]!
mov w3, #0x0 ; mov w3, #0x0
bfxil w3, w1, #0, #24 ; bfxil w3, w1, #0, #24
mov w1, #0xc12 ; mov w1, #0xc12
mov x29, sp ; mov x29, sp
stp x19, x20, [sp,#16] ; stp x19, x20, [sp,#16]
mov x5, #0xc834 ; mov x5, #0xc834
mov w20, #0x1 ; mov w20, #0x1
movk x5, #0x1540, lsl #16 ; movk x5, #0x1540, lsl #16
ldr x2, [x29,#40] ; ldr x2, [x29,#40]
mov x4, #0xc838 ; mov x4, #0xc838
orr w6, w1, w20 ; orr w6, w1, w20
movk x4, #0x1540, lsl #16 ; movk x4, #0x1540, lsl #16
mov x19, #0xc83c ; mov x19, #0xc83c
movk x19, #0x1540, lsl #16 ; movk x19, #0x1540, lsl #16
stp w3, w1, [x2,#8] ; stp w3, w1, [x2,#8]
mov w3, #0x406 ; mov w3, #0x406
stp w0, wzr, [x2] ; stp w0, wzr, [x2]
mov w0, w20 ; mov w0, w20
ldr x1, [x29,#40] ; ldr x1, [x29,#40]
strb w6, [x2,#12] ; strb w6, [x2,#12]
; mov x2, #0x27c8 ; ; mov x2, #0x27c8
str w1, [x5] ; str w1, [x5]
mov w1, #0x1388 ; mov w1, #0x1388
str wzr, [x4] ; str wzr, [x4]
str w3, [x19] ; str w3, [x19]
; blr x2 ; ; blr x2
mov w0, w20 ; mov w0, w20
ldr w1, [x19] ; ldr w1, [x19]
ldp x19, x20, [sp,#16] ; ldp x19, x20, [sp,#16]
ldp x29, x30, [sp],#48 ; ldp x29, x30, [sp],#48
ret ; ret
;
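Review bot: Every line of rom_send and usb_send is now prefixed with `;`, which keeps the disabled code in the file with no record of why; if this is temporary, a one-line header such as `; rom_send/usb_send disabled while debugging the send path` above `start:` would say so, otherwise deleting the lines is cleaner than a block of comment-prefixed code. Whether `;` actually disables these lines depends on the assembler in use: GNU as treats `;` as a statement separator for AArch64 and uses `//` for comments, while the pre-existing `; mov x2, #0x27c8` line suggests the author's toolchain (presumably keystone, given the Python side) treats it as a comment — worth confirming once, since under the separator interpretation the instructions would still be emitted. `b main` at the top of the file branches to a label that is defined outside this hunk.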


@ -2,7 +2,7 @@ import usb.util
import struct, sys, usb1, libusb1, ctypes, usb, argparse import struct, sys, usb1, libusb1, ctypes, usb, argparse
from keystone import * from keystone import *
from capstone import * from capstone import *
# from ghidra_assistant.utils.utils import * from ghidra_assistant.utils.utils import *
def p32(x): def p32(x):
return struct.pack("<I", x) return struct.pack("<I", x)
@ -168,8 +168,9 @@ class ExynosDevice():
from ghidra_assistant.utils.utils import *
ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN) ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)
def usb_debug(): def usb_debug():
shellcode = f""" shellcode = f"""
start: start:
@ -286,6 +287,7 @@ def usb_debug():
transferred.value = 0 transferred.value = 0
buf = ctypes.c_buffer(b"", 0x200) buf = ctypes.c_buffer(b"", 0x200)
res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100) res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)
hexdump(buf.raw[:0x20])
pass pass
# Should have received some bytes # Should have received some bytes
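Review bot: `hexdump(buf.raw[:0x20])` dumps the first 0x20 bytes of the buffer regardless of whether the bulk transfer succeeded or how many bytes arrived; `res` and `transferred.value` are both set on the preceding line but neither is consulted, so a timeout (non-zero `res`) or a short read prints the zero-initialised contents of the `c_buffer` and looks like "incorrect data". Checking the result first, `if res == 0: hexdump(buf.raw[:transferred.value])` and otherwise printing `res`, would separate a failed IN transfer from a bad payload; the `pass` that follows is then redundant. `hexdump` is presumably supplied by the `ghidra_assistant.utils.utils` star import that the first hunk re-enables at module scope, next to the keystone and capstone star imports — importing it by name would make that dependency visible and avoid silent shadowing between the three wildcard imports. usb_debug's body starts outside this hunk.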