Merge remote-tracking branch 'origin/HEAD'

documentation/source/BootROM_8890/03_exploit_boot_chain.rst

@@ -312,7 +312,7 @@ Additionally we found a space at ``0x11207010``, while looking for bit flags in
 
 Stage 4 - BL2
 =============
-This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
+This is our current progress. BL2 has booted, and shows the VBAR's for EL1. 
 
 .. code:: bash
     MMU is 0x0 (0x1=enabled, 0x0=disabled)
@@ -322,3 +322,12 @@ This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
     SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
     MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x1e42bb572931240b, MAIR_EL1: 0x44e048e000098aa4
     Current EL: 0xc
+
+Stage 5 - BL33
+==============
+The last stage before the kernel boots. 
+
+.. figure:: images/bl31_debugger_memory_example.png
+   :align: center
+
+   Boot chain with EL3 and EL1 areas

documentation/source/BootROM_8890/04_notes.rst

@@ -205,3 +205,5 @@ SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
 MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x9e42bf572931240b, MAIR_EL1: 0x44e048e000098aa4
 Current EL: 0xc
 
+The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).   
+

documentation/source/_ignore/stack_and_functions.csv

@@ -5,17 +5,16 @@ start,end,name,order,comment,X0,LR
 0x000064e0,0x0000658c,_boot_usb,,,,
 0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
 0x000002c0,0x000002c4,_jump_bl1,,,,
-0x02022000,0x02024000,BL1,,,,
+0x02022000,0x02023fff,BL1,,,,
-0x02024000,0x02048000,BL31,,,,
+0x02024000,0x02047fff,BL31,,,,
 0x02048000,0x0206ed10,BL2,,,,
 0x02069000,0x0206f000,Debugger,,,,
 0x020c0000,0x020c7000,Debugger relocated,,,,
 0x02048000,0x0204daf0,BL2 empty space?,,,,
-0x0204eb00,0x0204eb00,BL2 copy start/source,,,,
+0x020c2000,0x020e8d10,BL2 loaded to this address,,,,
-0x020c2000,0x020e8d10,BL2 load address?,,,,
+0x0206ed10,0x02070000,Open space. Has pointers written to.,,,,
-0x0206ed10,0x02070000,End/Start peripheral space?,,,,
-0x02019e5c,0x02020e5c,Tried debugger space,,,,
 0x020C7800,0x020C8000,modem_interface,,,,
 0x14AC0000,0x14ac5000,mali@14AC0000,,,,
-0x02035600,0x02035608,TTBR0_EL3 address ptr,,,,
+0x02035600,0x02035608,TTBR0_EL3,,,,
-0x11207010,0x11207010,memread/write space,,,,
+0x11200000,0x11207000,Last relocated debugger,,,,
+0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,

source/exploit/exploit.py

@@ -633,7 +633,7 @@ class ExynosDevice():
 
         # Relocate debugger
         debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
-        self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11201200, g_data_received=0x11201400)
+        self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11203000, g_data_received=0x11204000)
         DEBUGGER_ADDR = 0x11200000
 
         # Test debugger connection
@@ -778,6 +778,7 @@ class ExynosDevice():
         # self.cd.restore_stack_and_jump(hijacked_fun)
 
         # ==== Stage 5  ====
+        #self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
         stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()  
 
         # Patching
@@ -814,7 +815,7 @@ class ExynosDevice():
         pass
 
 
-
+        
 if __name__ == "__main__":
     arg = argparse.ArgumentParser("Exynos exploit")
     arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)