EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added docs

Browse Source
This commit is contained in:
Eljakim Herrewijnen 2024-08-03 11:27:51 +02:00
parent 58e85db48f
commit de0a929226
6 changed files with 96 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
documentation/source/BootROM_8890/images/dl_packet.drawio.svg Normal file
View File

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="221px" height="212px" viewBox="-0.5 -0.5 221 212" content="&lt;mxfile host=&quot;04n1rgtnob7ebrhhg57mh2mjuh68d4qe61ncs1a2e1n2no0ifp02&quot; modified=&quot;2024-08-03T09:24:03.282Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.90.2 Chrome/122.0.6261.156 Electron/29.4.0 Safari/537.36&quot; etag=&quot;4yVHPhEEQZpE4jmcyLS-&quot; version=&quot;12.2.4&quot; pages=&quot;1&quot;&gt;&lt;diagram id=&quot;94hHFOWSBfnqqOcBf2es&quot; name=&quot;Page-1&quot;&gt;vZZNc6QgEIZ/DXeV0dFrJtnsJac55JhCaJUalCkG48z++kUFP6JJprbMehHe7obmoUERPpTXZ0XOxYtkIFDgsSvCjygI/CBJzKtVbr0SJl4v5Ioz6zQKR/4HrOjcas7gMnPUUgrNz3ORyqoCqmcaUUo2c7dMivmsZ5LDQjhSIpbqK2e66NU49Eb9N/C8cDP7nrWkhJ5yJevKzocCnHVPby6JG8v6XwrCZDOR8BPCByWl7lvl9QCiZeuw9XG/PrEOeSuo9D0BQR/wTkQNLuMuL31zLLrVQOvvIfzQFFzD8Uxoa23M7hut0KUwPd80My7EQQqpulizdogoNfpFK3mCiYXtk9RrB1xmbBfxDkrDdSLZFTyDLEGrm3FxVkffVpsrtmbcugF4Mdm2odyILZd8GHpEZhqW2jpBvCBY80rj4E0bta5Om/JkBOJslWdEY0izjXj63/P01nhugHP3FU5GNHm7tLfFplBDiNluDWocpDiKfgbq0P8fVKMF1RYlCh9Q+LjtgY8prB/4NA534VYH/iNLfCdLP9oA5n61RP2oK9HMXN2gNmUKvqnQ/RrTJNpj8kP1efep/4dL1HTHT1xnm/xH4Ke/&lt;/diagram&gt;&lt;/mxfile&gt;" style="background-color: rgb(255, 255, 255);"><defs/><g><rect x="0" y="0" width="220" height="210" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><rect x="10" y="0" width="200" height="20" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(77.5,3.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="65" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 66px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">uint32_t unk</div></div></foreignObject></g><rect x="10" y="20" width="200" height="20" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(61.5,23.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="97" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 98px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">uint32_t data_size</div></div></foreignObject></g><rect x="10" y="40" width="200" height="160" fill="#f8cecc" stroke="#b85450" pointer-events="all"/><g transform="translate(94.5,113.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="30" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 31px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">data[]</div></div></foreignObject></g><rect x="10" y="200" width="200" height="10" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(71.5,198.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="77" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 78px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">uint16_t footer</div></div></foreignObject></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.9 KiB

1
documentation/source/BootROM_8890/images/memory_layout.drawio.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 7.1 KiB

0
documentation/source/images/underflow_bug.png → documentation/source/BootROM_8890/images/underflow_bug.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 73 KiB

After

Width:  |  Height:  |  Size: 73 KiB

81
documentation/source/BootROM_8890/index.rst Normal file
View File

@ -0,0 +1,81 @@
===================
Exynos BootROM 8890
====================
The Exynos 8890 BootROM is a small piece of code that runs on the Exynos SoC at boot time.
It is responsible for initializing the hardware and loading the first stage bootloader from storage.
The BootROM is stored in a read-only memory and cannot be modified.
Protections
-----------
There are no stack canaries or guard pages, and no ASLR. Meaning there are almost no protections in place.
Samsung Firmware
----------------
Samsung releases firmware files for their devices. These files contain the bootloader, modem, and other firmware files.
To see how the ROM works we are interested in the sboot firmware, which contains multiple stages of the bootloader.
To extract the sboot.bin file from a samsung firmware file:
.. code-block:: bash
$ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin
Memory Layout
-------------
TODO make memory layout of ROM, IMEM and some devices
.. figure:: images/memory_layout.drawio.svg
The memory layout of the Exynos 8890
Download protocol
=================
When the ROM is unable to boot from the internal storage, it enters ``Exynos Recovery Mode``.
In this mode the bootROM accepts data over USB.
There is little functionality other than receiving data, meaning almost no additional attack surface except for the download protocol.
The Exynos BootROM uses a custom protocol to download a bootable image over USB.
This image is verified and executed by the BootROM. Unauthorized images are rejected. (TODO verify and document)
dldata
------
.. figure:: images/dl_packet.drawio.svg
The dldata packet is used to send data to the BootROM.
.. info::
This protocol remains *mostly* the same for newer Exynos SoCs.
Bug 1(Integer underflow)
------------------------
@TODO better explain frederick's bug. @JOHER
Bug 2
-----
.. caution::
Might be a 0/N-day if exploitable
@ELHER
There is a bug(unpatched?) in receiving the last packet of the usb image:
.. figure:: images/underflow_bug.png
The bug is an integer underflow in the calculation of the remaining size of the image.
DWC3
====
The Exynos 8890 uses the Synopsys DesignWare USB 3.0 controller.
Much of the code is shared with the DWC3 driver in the Linux kernel, except that the ROM does not do any scheduling and a lot of features have been removed(OTG handling, etc).
Gupje
-----
In order to run the debugger, a small amount of the bootROM was reversed in order to implement send/recv functionality.

1
documentation/source/dl_packet.drawio.svg
View File

@ -1 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="221px" height="212px" viewBox="-0.5 -0.5 221 212" content="&lt;mxfile host=&quot;04n1rgtnob7ebrhhg57mh2mjuh68d4qe61ncs1a2e1n2no0ifp02&quot; modified=&quot;2024-07-12T12:35:28.679Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.90.2 Chrome/122.0.6261.156 Electron/29.4.0 Safari/537.36&quot; etag=&quot;V3_warU-u5FLPEmSV7o2&quot; version=&quot;12.2.4&quot; pages=&quot;1&quot;&gt;&lt;diagram id=&quot;94hHFOWSBfnqqOcBf2es&quot; name=&quot;Page-1&quot;&gt;vZZNc4MgEEB/jXeVaPQak6aXnnLoMUNkVSYoDmJM+uuLEb+qbTMd01Pg7aLwWDAGCtLrXuA8eeMEmGGb5GqgrWHblu376qcmt4Y4/qoBsaBEJ/XgQD9AQ1PTkhIoRomScyZpPoYhzzII5YhhIXg1Tos4G781xzFMwCHEbErfKZFJQz3H7Pkr0Dhp32yZOpLiNlmDIsGEVwOEdgYKBOeyaaXXAFgtr/XSjHv5JtpNTEAmHxlgNwMumJV6bXpe8tYuVvAyI1DnmwbaVAmVcMhxWEcrtb2KJTJlqmepZkQZCzjj4j4WRRG4Yah4IQU/wyBC1v7JrB84nbFexAWEhOsA6RXsgacgxU2ltNFWry4nX3erfm864clgX7p6wroe4u7RvTLV0NbmDaKJwZJmEtlHqWiZnRf1STB40axPN/TgFC3k0/rdpznncwGdq590Eizxsaivg0WlOuCR1ZxUzz4h132O1K7/H1bdidVapeFsDGe77IH3Qpg/8CfPWTlLHfivLtGDLi13AZnr2RK13HuJRurqBrGoU7BUha7nnPruGuEn1efDp/4Pl6jq9p+4e2zwRwHtPgE=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="0" y="0" width="220" height="210" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><rect x="10" y="0" width="200" height="20" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(77.5,3.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="65" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 66px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">uint32_t unk</div></div></foreignObject></g><rect x="10" y="20" width="200" height="20" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(61.5,23.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="97" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 98px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">uint32_t data_size</div></div></foreignObject></g><rect x="10" y="40" width="200" height="160" fill="#f8cecc" stroke="#b85450" pointer-events="all"/><g transform="translate(94.5,113.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="30" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 31px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">data[]</div></div></foreignObject></g><rect x="10" y="200" width="200" height="10" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(71.5,198.5)"><foreignObject style="overflow:visible;" pointer-events="all" width="77" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 78px; white-space: nowrap; overflow-wrap: normal; text-align: center;"><div xmlns="http://www.w3.org/1999/xhtml" style="display:inline-block;text-align:inherit;text-decoration:inherit;white-space:normal;">uint16_t footer</div></div></foreignObject></g></g></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 3.8 KiB

29
documentation/source/index.rst
View File

@ -8,25 +8,22 @@ Welcome to Samsung's documentation!
.. toctree::
:maxdepth: 2
:caption: Contents:
:caption: BootROMs:
BootROM_8890/index.rst
Indices and tables
==================
* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`
DWC3 usb
--------
@ELHER todo document current dwc3 implementation to receive data
.. figure:: dl_packet.drawio.svg
Samsung Firmware
----------------
To extract the sboot.bin file from a samsung firmware file:
.. code-block:: bash
$ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin
Bug 2
-----
@ELHER
There is a bug(unpatched?) in receiving the last packet of the usb image:
.. figure:: images/underflow_bug.png