boots mib3 after BL33. keeps debugger?
This commit is contained in:
parent
5bc481f321
commit
ef4b266b62
4
source/exploit/.vscode/launch.json
@ -28,7 +28,7 @@
|
|||||||
"program": "exploit.py",
|
"program": "exploit.py",
|
||||||
"console": "integratedTerminal",
|
"console": "integratedTerminal",
|
||||||
"justMyCode": false,
|
"justMyCode": false,
|
||||||
"args": ["--unsecure-boot"]
|
"args": ["--unsecure-boot", "--MIB3"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "Run debugger boot",
|
"name": "Run debugger boot",
|
||||||
@ -37,7 +37,7 @@
|
|||||||
"program": "exploit.py",
|
"program": "exploit.py",
|
||||||
"console": "integratedTerminal",
|
"console": "integratedTerminal",
|
||||||
"justMyCode": false,
|
"justMyCode": false,
|
||||||
"args": ["--debugger-boot", "--MIB3"],
|
"args": ["--debugger-boot", "--MIB3"], //, "--MIB3"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "Debug current file",
|
"name": "Debug current file",
|
||||||
|
@ -161,28 +161,40 @@ class ExynosDevice():
|
|||||||
'''
|
'''
|
||||||
Do a normal boot process, with or without exploit.
|
Do a normal boot process, with or without exploit.
|
||||||
'''
|
'''
|
||||||
|
bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()
|
||||||
|
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
|
||||||
|
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
|
||||||
|
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
||||||
|
if args.MIB3:
|
||||||
|
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
|
||||||
|
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
|
||||||
|
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
|
||||||
|
bl33 = open("../mib3/boot_partitions/u-boot_a.bin", "rb").read()
|
||||||
|
off = bl31.find(b'Built')
|
||||||
|
bl31 = bl31[:off] + b'Built' + bl31[off+len(b'Built'):]
|
||||||
|
|
||||||
if exploit:
|
if exploit:
|
||||||
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
|
self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
# self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
|
# self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
|
self.send_normal_stage(bl1)
|
||||||
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
|
# self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
|
||||||
# self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
|
# self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
|
||||||
# wait_disconnect()
|
# wait_disconnect()
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
|
self.send_normal_stage(bl31)
|
||||||
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
|
# self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
|
||||||
# wait_disconnect()
|
# wait_disconnect()
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
|
self.send_normal_stage(bl2)
|
||||||
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
|
# self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
|
||||||
# wait_disconnect()
|
# wait_disconnect()
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
|
self.send_normal_stage(bl33)
|
||||||
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
|
# self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@ -765,7 +777,9 @@ class ExynosDevice():
|
|||||||
# Jump into BL31 and execute it
|
# Jump into BL31 and execute it
|
||||||
BL31_POINTER = 0x02024010
|
BL31_POINTER = 0x02024010
|
||||||
if args.MIB3:
|
if args.MIB3:
|
||||||
BL31_POINTER = 0x020c0000
|
BL31_POINTER = 0x0202a010
|
||||||
|
self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
|
||||||
|
else:
|
||||||
self.cd.restore_stack_and_jump(BL31_POINTER)
|
self.cd.restore_stack_and_jump(BL31_POINTER)
|
||||||
|
|
||||||
# Obligatory reconnect and check of debugger
|
# Obligatory reconnect and check of debugger
|
||||||
@ -793,11 +807,6 @@ class ExynosDevice():
|
|||||||
|
|
||||||
self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
|
self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
|
||||||
|
|
||||||
# In BL2, find string 'APOLLO' and modify it
|
|
||||||
if args.MIB3:
|
|
||||||
off = bl2.find(b'APOLLO')
|
|
||||||
bl2 = bl2[:off] + b'GUPJE' + bl2[off+6:]
|
|
||||||
|
|
||||||
# ==== Stage 4 BL2 ====
|
# ==== Stage 4 BL2 ====
|
||||||
self.send_normal_stage(bl2)
|
self.send_normal_stage(bl2)
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
@ -814,7 +823,7 @@ class ExynosDevice():
|
|||||||
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
|
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
|
||||||
|
|
||||||
# Restore bootflow
|
# Restore bootflow
|
||||||
print(self.cd.arch_dbg.state.print_ctx())
|
print(self.cd.arch_dbg.state.print_ctx()) # X29 here determines where the 'authentication' is taking place
|
||||||
BL33_ptr = self.cd.arch_dbg.state.X0
|
BL33_ptr = self.cd.arch_dbg.state.X0
|
||||||
BL33_LR = self.cd.arch_dbg.state.LR
|
BL33_LR = self.cd.arch_dbg.state.LR
|
||||||
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
@ -827,15 +836,20 @@ class ExynosDevice():
|
|||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
|
|
||||||
|
|
||||||
self.send_normal_stage(bl33) # Never return/completes
|
self.send_normal_stage(bl33) # Never return/completes
|
||||||
self.connect_device()
|
self.connect_device()
|
||||||
self.usb_read(0x200) # GiAs
|
self.usb_read(0x200) # GiAs
|
||||||
|
#t_lr = self.cd.arch_dbg.state.LR
|
||||||
|
|
||||||
# print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
|
# print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
|
||||||
# off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
|
# off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
|
||||||
# stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
|
# stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
|
||||||
|
if args.MIB3:
|
||||||
|
pass
|
||||||
|
|
||||||
# Change bootmode to SDCARD (allow normal booting, if pressing volume up)
|
# Change bootmode to SDCARD (allow normal booting, if pressing volume up)
|
||||||
|
if not args.MIB3:
|
||||||
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
|
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
|
||||||
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
|
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
|
||||||
|
|
||||||
@ -844,8 +858,15 @@ class ExynosDevice():
|
|||||||
self.cd.memwrite_region(0x8f021bdc, struct.pack('>I', 0x20008052))
|
self.cd.memwrite_region(0x8f021bdc, struct.pack('>I', 0x20008052))
|
||||||
self.cd.memwrite_region(0x8f021bbc, struct.pack('>I', 0x20008052))
|
self.cd.memwrite_region(0x8f021bbc, struct.pack('>I', 0x20008052))
|
||||||
|
|
||||||
|
#self.cd.memwrite_region(0xcf08aa4b, b"RRR")
|
||||||
|
|
||||||
# Jump into a different function that continues the boot flow (different than BL33_LR)
|
# Jump into a different function that continues the boot flow (different than BL33_LR)
|
||||||
self.cd.restore_stack_and_jump(0x02024e5c)
|
BL33_AUTH = 0x02024e5c
|
||||||
|
if args.MIB3:
|
||||||
|
BL33_AUTH = 0x2022ad44
|
||||||
|
|
||||||
|
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
|
self.cd.restore_stack_and_jump(0x202ae18)
|
||||||
|
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
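Review bot: `BL33_AUTH` is assigned in both branches of the `if args.MIB3:` block in the last hunk but never read; the call that follows, `self.cd.restore_stack_and_jump(0x202ae18)`, uses a fresh literal and, as far as this rendering shows (indentation is lost), runs on both paths, so the non-MIB3 path no longer jumps to the `0x02024e5c` that the removed line used and the variable is dead. If the variable is meant to select the target, the call should read `self.cd.restore_stack_and_jump(BL33_AUTH)`, with a comment recording what each of the two addresses refers to so the next reader does not have to rediscover it. The `bl31.find(b'Built')` block in the first hunk has a related weakness: it re-inserts the same bytes it found, so it is a no-op when the marker is present, and when `find` returns -1 the slice `bl31[:-1] + b'Built' + bl31[4:]` silently corrupts the image; guard it with `if off < 0: raise ValueError("marker not found")` or drop the block. The enclosing method in each hunk starts and ends outside the hunk.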