diff --git a/.gitignore b/.gitignore
index 7974a5b..8ca300e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 dump/
 *.bin
 *.a
+venv/
 reven/
 !dump/exynos-usbdl/
diff --git a/reven/SamsungS7.lock b/reven/SamsungS7.lock
index fe6694d..def5a59 100644
--- a/reven/SamsungS7.lock
+++ b/reven/SamsungS7.lock
@@ -1,9 +1,9 @@
 #Ghidra Lock File
-#Tue Aug 06 19:30:30 CEST 2024
+#Fri Aug 09 11:27:43 CEST 2024
 OS\ Name=Linux
 OS\ Version=6.5.0-44-generic
 Username=eljakim
 Hostname=levith
 \ Supports\ File\ Channel\ Locking=Channel Lock
 OS\ Architecture=amd64
-Timestamp=8/6/24, 7\:30 PM
+Timestamp=8/9/24, 11\:27 AM
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 4ecddab..c01aed2 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
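Review bot: `venv/` is added, but the existing `reven/` rule is already ineffective for `reven/SamsungS7.lock`, which is tracked and is updated by this very commit. A .gitignore pattern never untracks a file already in the index, so the Ghidra lock file keeps getting committed on every session; it carries the local username and hostname and changes each time Ghidra opens the project. Run `git rm --cached reven/SamsungS7.lock` once so the `reven/` rule actually applies, and check whether anything else under `reven/` is tracked the same way.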
@@ -260,14 +260,44 @@ class ExynosDevice():
 Room for playing around with the debugger '''
 self.cd.arch_dbg.state.auto_sync = False
+ self.cd.arch_dbg.state.auto_sync_special = False
 self.cd.arch_dbg.state.print_ctx()
- # Overwrite jump back
- # self.cd.memwrite_region(0x02020108, p32(0x2069000))
- # self.cd.memwrite_region(0x02021800, p32(0x2069000))
- self.cd.memwrite_region(0x020200e8, p32(0x02069000)) # address, data. Writes
+ def relocate_debugger():
+ # Seems to be cleared upon cache clearing??
+ debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
+ self.cd.memwrite_region(0x020c0000, debugger_reloc)
+ self.usb_write(b"FLSH") # Flush cache
+ self.cd.restore_stack_and_jump(0x020c0000)
+ assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
+ self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
+ relocate_debugger()
+ # Try loading bl1
+ bl1 = open("../S7/bl1.bin", "rb").read()
+ self.cd.memwrite_region(0x02021800, bl1)
+ # self.usb_write(b"FLSH")
 AUTH_BL1 = 0x00012848
+ def auth_bl1(lr=0x2069000):
+ # Load the firmware
+ self.cd.arch_dbg.state.W0 = 1
+ self.cd.arch_dbg.state.X1 = 1
+ self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
+ self.cd.restore_stack_and_jump(AUTH_BL1)
+ assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+
+ auth_bl1(0x020c0000)
+
+ # Works until here
+
+ pass
+
+
+
+ # Overwrite jump back
+ self.cd.memwrite_region(0x02020108, p32(0x2069000))
+ self.cd.memwrite_region(0x020200e8, p32(0x2069000))
+
 def memdump_try():
 self.cd.arch_dbg.state.LR = 0x020200e8
 self.cd.restore_stack_and_jump(0x02021810)
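Review bot: `relocate_debugger` loads the relocated stub from the absolute path `/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin`, so the script only runs on this one machine, while the `bl1` load a few lines later uses the relative `../S7/bl1.bin`; resolve the stub path relative to `__file__` (or take it as a parameter) and open both files with `with open(..., "rb") as f:` so the handles are closed. The two device-response checks use `assert`, which `python -O` strips, so a relocation that never answered `GiAs` would silently fall through to `self.cd.relocate_debugger(...)`; use `if self.usb_read(0x200) != b"GiAs": raise RuntimeError("Failed to relocate debugger")` and the same for the jump-back check. The rewritten `auth_bl1` sets `W0` where the removed version set `X0`; for the value 1 that is presumably equivalent if the state object maps `W0` onto the low half of `X0`, but worth confirming against the debugger's register model. The enclosing method starts before this hunk.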
@@ -278,16 +308,8 @@ class ExynosDevice():
 self.cd.arch_dbg.state.print_ctx()
 print(hex(block))
 dumped += self.cd.memdump_region(block, 0x200)
- if stack_pointer >= 0x02020F08:
- print(f'stack_pointer at {stack_pointer}')
- return dumped
- def auth_bl1():
- # Load the firmware
- self.cd.arch_dbg.state.X0 = 1
- self.cd.arch_dbg.state.X1 = 1
- self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
- self.cd.restore_stack_and_jump(AUTH_BL1)
+
 def jump_bl1():
 self.cd.arch_dbg.state.LR = 0x2069000
@@ -298,12 +320,10 @@ class ExynosDevice():
 # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
 # self.cd.restore_stack_and_jump(0x00012814)
 # self.cd.restore_stack_and_jump(0x000125b4)
-
- dumped = memdump_try()
- bl1 = open("../S7/bl1.bin", "rb").read()
- self.cd.memwrite_region(0x02024000, bl1)
- self.usb_write(b"FLSH")
+
+
 auth_bl1() # auth_bl1()
 jump_bl1()
diff --git a/source/gupje_device/Makefile b/source/gupje_device/Makefile
index c31431e..62d0aa5 100644
--- a/source/gupje_device/Makefile
+++ b/source/gupje_device/Makefile
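Review bot: The removed `if stack_pointer >= 0x02020F08:` block contained the only `return dumped` visible in `memdump_try`, so unless another return exists after the loop outside this hunk the helper now returns `None` and its dump loop has lost its upper bound. `memdump_try` begins before this hunk, and the next hunk drops the `dumped = memdump_try()` call, so if the helper is now unused delete it instead of leaving a body with no result; otherwise restore a bound on whichever variable walks the region and return `dumped` after the loop.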
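Review bot: `auth_bl1()` in the `-298` hunk runs with the default `lr=0x2069000`, i.e. it returns into the original debugger location, even though the earlier hunk has already relocated the debugger to 0x020c0000 and resumed through `auth_bl1(0x020c0000)`; if the original copy at 0x2069000 is no longer intact after relocation, this return lands in stale code. The cache flush that used to follow the bl1 write, `self.usb_write(b"FLSH")`, is deleted here and only commented out at the new write site, so bl1 at 0x02021800 is executed from memory just written over USB with no visible cache maintenance unless `memwrite_region` does it internally. Pass the relocated address explicitly, `auth_bl1(0x020c0000)`, and keep the `FLSH` after the bl1 write.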
@@ -8,10 +8,21 @@ OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64
 LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
 #==================Target Samsung S7 (8890)==================
+all: samsung_s7 samsung_s7_reloc
+
 CFLAGS_SAMSUNGS7 = -Os -Idevices/samsung_s7/
 samsung_s7:
 [ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/
 $(CC) arm64_stub.S -c -o bin/samsung_s7/entry.o $(CFLAGS_SAMSUNGS7)
 $(CC) debugger.c -c -o bin/samsung_s7/debugger.o $(CFLAGS_SAMSUNGS7)
 $(LD) -T devices/samsung_s7/linkscript.ld bin/samsung_s7/entry.o bin/samsung_s7/debugger.o -o bin/samsung_s7/debugger.elf --just-symbols=devices/samsung_s7/symbols.txt
- $(OBJCOPY) -O binary bin/samsung_s7/debugger.elf bin/samsung_s7/debugger.bin
\ No newline at end of file
+ $(OBJCOPY) -O binary bin/samsung_s7/debugger.elf bin/samsung_s7/debugger.bin
+
+CFLAGS_SAMSUNGS7_RELOC = -Os -DRELOC_DEBUGGER=1 -Idevices/samsung_s7/
+samsung_s7_reloc:
+ [ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/
+ $(CC) arm64_stub.S -c -o bin/samsung_s7/reloc_entry.o $(CFLAGS_SAMSUNGS7_RELOC)
+ $(CC) debugger.c -c -o bin/samsung_s7/reloc_debugger.o $(CFLAGS_SAMSUNGS7_RELOC)
+ $(LD) -T devices/samsung_s7/reloc_linkscript.ld bin/samsung_s7/reloc_entry.o bin/samsung_s7/reloc_debugger.o -o bin/samsung_s7/reloc_debugger.elf --just-symbols=devices/samsung_s7/reloc_symbols.txt
+ $(OBJCOPY) -O binary bin/samsung_s7/reloc_debugger.elf bin/samsung_s7/reloc_debugger.bin
+
diff --git a/source/gupje_device/Readme.md b/source/gupje_device/Readme.md
index 37ebee2..0e89de2 100644
--- a/source/gupje_device/Readme.md
+++ b/source/gupje_device/Readme.md
@@ -1,8 +1,14 @@
 # Gupje Current memory map:
+## Stage 2
+Memory map in stage2 after exploitation
 ![memory map](memory_map.drawio.svg)
+## Stage 3
+Memory map in stage3 after relocating the debugger
+
+
 ## Usage: Copy this folder to /devices/samsung_s7 and run:
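Review bot: `all`, `samsung_s7` and `samsung_s7_reloc` are rules with no prerequisites and are not declared `.PHONY`, so a stray file named `samsung_s7` or `samsung_s7_reloc` in the directory silently makes `make` report "up to date" and skip the build; add `.PHONY: all samsung_s7 samsung_s7_reloc` next to the new `all:` rule. `CFLAGS_SAMSUNGS7_RELOC` repeats the base flags by hand; `CFLAGS_SAMSUNGS7_RELOC = $(CFLAGS_SAMSUNGS7) -DRELOC_DEBUGGER=1` keeps the two builds from drifting when `-Os` or the include path changes. The stub `arm64_stub.S` is assembled twice into `entry.o` and `reloc_entry.o` with only the define and the `--just-symbols` file differing; a one-line comment above `samsung_s7_reloc:` saying that the relocated build differs only in `RELOC_DEBUGGER` and its symbol/linker-script files would spare the next reader a diff of the two recipes.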
diff --git a/source/gupje_device/device.h b/source/gupje_device/device.h
index 31506f8..e3e78ff 100644
--- a/source/gupje_device/device.h
+++ b/source/gupje_device/device.h
@@ -8,6 +8,8 @@ extern int usb_event_handler(void);
 extern uint32_t get_endpoint_recv_buffer(char endpoint);
 extern void exynos_sleep(int endpoint,uint32_t timeout);
 extern void usb_send(uint32_t address,uint32_t size);
+extern uint32_t recv_buffer;
+extern uint32_t data_received;
 int mystrlen(char *data) {
 int i=0;
@@ -19,9 +21,13 @@ int mystrlen(char *data) {
 return i-1;
 }
-
+#ifdef RELOC_DEBUGGER
+#define recv_buffer 0x020c6200
+#define data_received 0x020c6000
+#else
 #define recv_buffer 0x206fe00 //0x02021800 + 0x3000
 #define data_received 0x206fd00
+#endif
 void recv_data_cb(uint32_t endpoint, uint32_t len){
 char *dest_buf = (char *)recv_buffer;
diff --git a/source/gupje_device/reloc_linkscript.ld b/source/gupje_device/reloc_linkscript.ld
new file mode 100644
index 0000000..3d1a536
--- /dev/null
+++ b/source/gupje_device/reloc_linkscript.ld
@@ -0,0 +1,14 @@
+MEMORY {
+ ROM (rwx): ORIGIN = 0x020c0000, LENGTH = 0x1000
+}
+
+SECTIONS
+{
+ . = 0x020c0000;
+ .text . : {
+ *(.text*)
+ *(.data*)
+ *(.rodata*)
+ } >ROM
+
+}
\ No newline at end of file
diff --git a/source/gupje_device/reloc_symbols.txt b/source/gupje_device/reloc_symbols.txt
new file mode 100644
index 0000000..bab33dc
--- /dev/null
+++ b/source/gupje_device/reloc_symbols.txt
@@ -0,0 +1,12 @@
+debugger_storage = 0x020c4000;
+debugger_stack = 0x020c2000;
+debugger_entry = 0x020c0000;
+
+maybe_usb_setup_read = 0x00006f88;
+dwc3_ep0_start_trans = 0x0000791c;
+usb_event_handler = 0x00007bac;
+get_endpoint_recv_buffer = 0x00007a7c;
+exynos_sleep = 0x000027c8;
+
+g_recv_buffer = 0x020c6200;
+g_data_received = 0x020c6000;
\ No newline at end of file
diff --git a/source/gupje_device/symbols.txt b/source/gupje_device/symbols.txt
index cc34e41..d1f0867 100644
--- a/source/gupje_device/symbols.txt
+++ b/source/gupje_device/symbols.txt
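Review bot: The new `extern uint32_t recv_buffer;` and `extern uint32_t data_received;` declarations collide with the `#define recv_buffer` / `#define data_received` macros introduced a few lines below in the same file: once the macros are in scope every later use, including `(char *)recv_buffer` in `recv_data_cb`, expands to the integer literal, so the externs are dead, and any use between the extern and the `#define` would name a variable that neither symbol file defines (`reloc_symbols.txt` calls them `g_recv_buffer` / `g_data_received`). Keep one mechanism: either drop the two externs, or drop the macros and rename the externs to `g_recv_buffer` / `g_data_received` so `--just-symbols` resolves them from the per-build symbol file. `recv_data_cb` continues past the hunk; it writes `len` bytes from USB into a fixed address, so wherever the copy happens it needs a bound on `len` against the space the layout reserves after `recv_buffer` (presumably up to the `0x020c7000` region passed to `relocate_debugger` in `exploit.py`, but that is not visible here).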
@@ -6,4 +6,6 @@ maybe_usb_setup_read = 0x00006f88;
 dwc3_ep0_start_trans = 0x0000791c;
 usb_event_handler = 0x00007bac;
 get_endpoint_recv_buffer = 0x00007a7c;
-exynos_sleep = 0x000027c8;
\ No newline at end of file
+exynos_sleep = 0x000027c8;
+
+RELOCATED = 0;
\ No newline at end of file
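Review bot: `RELOCATED = 0;` is added to `symbols.txt`, but the new `reloc_symbols.txt` in this same commit has no `RELOCATED` entry; if `debugger.c` or `arm64_stub.S` reference that symbol, the `samsung_s7_reloc` link fails with an undefined `RELOCATED`, and if nothing references it the line is dead. Either add `RELOCATED = 1;` to `reloc_symbols.txt` so both builds resolve it, or rely solely on the `-DRELOC_DEBUGGER` compile-time switch the Makefile already passes and drop this line. The file also still ends without a trailing newline.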