diff --git a/documentation/source/BootROM_8890/images/dl_packet.drawio.svg b/documentation/source/BootROM_8890/images/dl_packet.drawio.svg new file mode 100644 index 0000000..af185f7 --- /dev/null +++ b/documentation/source/BootROM_8890/images/dl_packet.drawio.svg @@ -0,0 +1 @@ +
uint32_t unk
uint32_t data_size
data[]
uint16_t footer
\ No newline at end of file diff --git a/documentation/source/BootROM_8890/images/memory_layout.drawio.svg b/documentation/source/BootROM_8890/images/memory_layout.drawio.svg new file mode 100644 index 0000000..ab60338 --- /dev/null +++ b/documentation/source/BootROM_8890/images/memory_layout.drawio.svg @@ -0,0 +1 @@ +
BootROM
0x0
0x20000
Devices
PMU
0x105C0000
IMEM? EXYNOS NAME HERE
0x?????
0x?????
\ No newline at end of file diff --git a/documentation/source/images/underflow_bug.png b/documentation/source/BootROM_8890/images/underflow_bug.png similarity index 100% rename from documentation/source/images/underflow_bug.png rename to documentation/source/BootROM_8890/images/underflow_bug.png diff --git a/documentation/source/BootROM_8890/index.rst b/documentation/source/BootROM_8890/index.rst new file mode 100644 index 0000000..35e085d --- /dev/null +++ b/documentation/source/BootROM_8890/index.rst 
@@ -0,0 +1,81 @@ +=================== +Exynos BootROM 8890 +==================== +The Exynos 8890 BootROM is a small piece of code that runs on the Exynos SoC at boot time. +It is responsible for initializing the hardware and loading the first stage bootloader from storage. +The BootROM is stored in a read-only memory and cannot be modified. + +Protections +----------- +There are no stack canaries or guard pages, and no ASLR. Meaning there are almost no protections in place. + +Samsung Firmware +---------------- +Samsung releases firmware files for their devices. These files contain the bootloader, modem, and other firmware files. +To see how the ROM works we are interested in the sboot firmware, which contains multiple stages of the bootloader. +To extract the sboot.bin file from a samsung firmware file: + +.. code-block:: bash + + $ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin + +Memory Layout +------------- +TODO make memory layout of ROM, IMEM and some devices + +.. figure:: images/memory_layout.drawio.svg + + The memory layout of the Exynos 8890 + + +Download protocol +================= +When the ROM is unable to boot from the internal storage, it enters ``Exynos Recovery Mode``. +In this mode the bootROM accepts data over USB. +There is little functionality other than receiving data, meaning almost no additional attack surface except for the download protocol. + +The Exynos BootROM uses a custom protocol to download a bootable image over USB. +This image is verified and executed by the BootROM. Unauthorized images are rejected. (TODO verify and document) + +dldata +------ + +.. figure:: images/dl_packet.drawio.svg + + The dldata packet is used to send data to the BootROM. + + +.. info:: + + This protocol remains *mostly* the same for newer Exynos SoCs. + + +Bug 1(Integer underflow) +------------------------ +@TODO better explain frederick's bug. @JOHER + +Bug 2 +----- + +.. 
caution:: + + Might be a 0/N-day if exploitable + + +@ELHER + +There is a bug(unpatched?) in receiving the last packet of the usb image: + +.. figure:: images/underflow_bug.png + + The bug is an integer underflow in the calculation of the remaining size of the image. + +DWC3 +==== +The Exynos 8890 uses the Synopsys DesignWare USB 3.0 controller. +Much of the code is shared with the DWC3 driver in the Linux kernel, except that the ROM does not do any scheduling and a lot of features have been removed(OTG handling, etc). + +Gupje +----- +In order to run the debugger, a small amount of the bootROM was reversed in order to implement send/recv functionality. + diff --git a/documentation/source/dl_packet.drawio.svg b/documentation/source/dl_packet.drawio.svg deleted file mode 100644 index 892cce9..0000000 --- a/documentation/source/dl_packet.drawio.svg +++ /dev/null @@ -1 +0,0 @@ -
uint32_t unk
uint32_t data_size
data[]
uint16_t footer
\ No newline at end of file diff --git a/documentation/source/index.rst b/documentation/source/index.rst index d864c3f..0ebc2aa 100644 --- a/documentation/source/index.rst +++ b/documentation/source/index.rst @@ -8,25 +8,22 @@ Welcome to Samsung's documentation! .. toctree:: :maxdepth: 2 - :caption: Contents: + :caption: BootROMs: + + BootROM_8890/index.rst - -Indices and tables -================== - -* :ref:`genindex` -* :ref:`modindex` -* :ref:`search` +DWC3 usb +-------- +@ELHER todo document current dwc3 implementation to receive data -.. figure:: dl_packet.drawio.svg +Samsung Firmware +---------------- +To extract the sboot.bin file from a samsung firmware file: + +.. code-block:: bash + + $ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin -Bug 2 ------ -@ELHER - -There is a bug(unpatched?) in receiving the last packet of the usb image: - -.. figure:: images/underflow_bug.png \ No newline at end of file
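Review bot: the dldata figure in dl_packet.drawio.svg leaves its first field as `uint32_t unk` and says nothing about byte order or whether `uint32_t data_size` counts only `data[]` or the header and `uint16_t footer` as well, which is exactly what a reader of the "Download protocol" section needs in order to parse a capture; label the field with whatever is known about it (or say in the caption that it is not yet understood) and state the endianness and the extent of `data_size` either in the figure or in the caption that embeds it in BootROM_8890/index.rst.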
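Review bot: memory_layout.drawio.svg ships with placeholder labels, `IMEM? EXYNOS NAME HERE` and two `0x?????` addresses, while the `.. figure::` that embeds it in BootROM_8890/index.rst captions it as "The memory layout of the Exynos 8890"; the TODO just above that figure says the layout is still to be made, so either keep the figure out of this change until the IMEM region has a name and bounds, or mark the caption as a draft so the placeholders are not read as documented values.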
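Review bot: two constructs in the new BootROM_8890/index.rst will not build cleanly: `.. info::` is not a docutils or Sphinx admonition (the built-in ones are note, warning, caution, tip, hint, important, attention, danger and error), so Sphinx reports an unknown directive error for that block, and the document title's overline `===================` and underline `====================` appear to differ in length, which docutils rejects as a title overline/underline mismatch; use `.. note::` and make both title lines the same length and at least as long as "Exynos BootROM 8890". The bug sections also need a pass before this is published: "Bug 1(Integer underflow)" contains only a TODO while the integer underflow itself is described under "Bug 2", the sentence "Unauthorized images are rejected." is immediately followed by "(TODO verify and document)" and so should not be stated as fact, and the `@JOHER` / `@ELHER` assignee tags belong in the tracker rather than the rendered page.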
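Review bot: this hunk duplicates content that the same change adds to BootROM_8890/index.rst: the "Samsung Firmware" heading with the `$ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin` block, and a "DWC3 usb" section that is only an `@ELHER todo` line, now appear on the landing page as well as in the BootROM page, so one copy will drift; keep the extraction steps and the DWC3 text in the BootROM page (where the sections that use sboot.bin live) and leave only the toctree on the landing page. Two smaller points: the toctree entry `BootROM_8890/index.rst` works because Sphinx strips known source suffixes, but the convention is `BootROM_8890/index` without the suffix; and dropping the "Indices and tables" section also drops the `:ref:`genindex`` and `:ref:`search`` links, so check that the theme exposes search and the index on its own before removing them.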