diff --git a/reven/SamsungS7.lock b/reven/SamsungS7.lock
index fe6694d..def5a59 100644
--- a/reven/SamsungS7.lock
+++ b/reven/SamsungS7.lock
@@ -1,9 +1,9 @@
#Ghidra Lock File
-#Tue Aug 06 19:30:30 CEST 2024
+#Fri Aug 09 11:27:43 CEST 2024
OS\ Name=Linux
OS\ Version=6.5.0-44-generic
Username=eljakim
Hostname=levith
\ Supports\ File\ Channel\ Locking=Channel Lock
OS\ Architecture=amd64
-Timestamp=8/6/24, 7\:30 PM
+Timestamp=8/9/24, 11\:27 AM
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 0a0b754..917bc2f 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -222,25 +222,51 @@ class ExynosDevice():
Room for playing around with the debugger
'''
self.cd.arch_dbg.state.auto_sync = False
+ self.cd.arch_dbg.state.auto_sync_special = False
self.cd.arch_dbg.state.print_ctx()
+ def relocate_debugger():
+ # Seems to be cleared upon cache clearing??
+ debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
+ self.cd.memwrite_region(0x020c0000, debugger_reloc)
+ self.usb_write(b"FLSH") # Flush cache
+ self.cd.restore_stack_and_jump(0x020c0000)
+ assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
+ self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
+ relocate_debugger()
+
+ # Try loading bl1
+ bl1 = open("../S7/bl1.bin", "rb").read()
+ self.cd.memwrite_region(0x02021800, bl1)
+ # self.usb_write(b"FLSH")
+ AUTH_BL1 = 0x00012848
+ def auth_bl1(lr=0x2069000):
+ # Load the firmware
+ self.cd.arch_dbg.state.W0 = 1
+ self.cd.arch_dbg.state.X1 = 1
+ self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
+ self.cd.restore_stack_and_jump(AUTH_BL1)
+ assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+
+ auth_bl1(0x020c0000)
+
+ # Works until here
+
+ pass
+
+
+
# Overwrite jump back
self.cd.memwrite_region(0x02020108, p32(0x2069000))
- # self.cd.memwrite_region(0x020200e8, p32(0x2069000))
+ self.cd.memwrite_region(0x020200e8, p32(0x2069000))
- AUTH_BL1 = 0x00012848
def memdump_try():
dumped = b""
for block in range(0x2020000, 0x2200000, 0x200):
print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
- def auth_bl1():
- # Load the firmware
- self.cd.arch_dbg.state.X0 = 1
- self.cd.arch_dbg.state.X1 = 1
- self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
- self.cd.restore_stack_and_jump(AUTH_BL1)
+
def jump_bl1():
self.cd.arch_dbg.state.LR = 0x2069000
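Review bot: `relocate_debugger()` at line 29 reads `reloc_debugger.bin` through an absolute, user-specific path (`/home/eljakim/...`) and never closes the handle, and the `bl1` read at line 38 leaks its handle the same way; use `with open(path, "rb") as f: data = f.read()` (or `pathlib.Path(path).read_bytes()`) and resolve the path relative to this file or the same `../S7`-style location the rest of the method uses. The two `assert`s on the `b"GiAs"` reply (lines 33 and 48) are runtime checks on device output, not invariants, so under `python -O` they vanish and the sequence continues after a failed step; `if self.usb_read(0x200) != b"GiAs": raise RuntimeError("Failed to relocate debugger")` keeps the check unconditional. The `# Works until here` / `pass` block and the run of blank lines at lines 52-57 read as scratch-work and should not land in the commit. The three addresses passed to `self.cd.relocate_debugger(...)` on line 34 would be clearer as named constants next to `AUTH_BL1`, and a one-line comment on what each of them denotes is missing. The enclosing method starts before this hunk.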
@@ -252,9 +278,9 @@ class ExynosDevice():
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
- bl1 = open("../S7/bl1.bin", "rb").read()
- self.cd.memwrite_region(0x02024000, bl1)
- self.usb_write(b"FLSH")
+
+
+ auth_bl1()
# auth_bl1()
jump_bl1()
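Review bot: The commented-out `# auth_bl1()` at line 86 sits directly under the live `auth_bl1()` call added at line 85 and is now dead text; delete it together with the two blank lines introduced above it. This call binds to the nested `auth_bl1(lr=0x2069000)` defined earlier in the method and so uses the default `lr`, while the earlier call passes `0x020c0000`; a short comment explaining why the two invocations return to different addresses would help the next reader. The enclosing method starts before this hunk.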
diff --git a/source/gupje_device/Makefile b/source/gupje_device/Makefile
index c31431e..62d0aa5 100644
--- a/source/gupje_device/Makefile
+++ b/source/gupje_device/Makefile
@@ -8,10 +8,21 @@ OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
#==================Target Samsung S7 (8890)==================
+all: samsung_s7 samsung_s7_reloc
+
CFLAGS_SAMSUNGS7 = -Os -Idevices/samsung_s7/
samsung_s7:
[ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/
$(CC) arm64_stub.S -c -o bin/samsung_s7/entry.o $(CFLAGS_SAMSUNGS7)
$(CC) debugger.c -c -o bin/samsung_s7/debugger.o $(CFLAGS_SAMSUNGS7)
$(LD) -T devices/samsung_s7/linkscript.ld bin/samsung_s7/entry.o bin/samsung_s7/debugger.o -o bin/samsung_s7/debugger.elf --just-symbols=devices/samsung_s7/symbols.txt
- $(OBJCOPY) -O binary bin/samsung_s7/debugger.elf bin/samsung_s7/debugger.bin
\ No newline at end of file
+ $(OBJCOPY) -O binary bin/samsung_s7/debugger.elf bin/samsung_s7/debugger.bin
+
+CFLAGS_SAMSUNGS7_RELOC = -Os -DRELOC_DEBUGGER=1 -Idevices/samsung_s7/
+samsung_s7_reloc:
+ [ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/
+ $(CC) arm64_stub.S -c -o bin/samsung_s7/reloc_entry.o $(CFLAGS_SAMSUNGS7_RELOC)
+ $(CC) debugger.c -c -o bin/samsung_s7/reloc_debugger.o $(CFLAGS_SAMSUNGS7_RELOC)
+ $(LD) -T devices/samsung_s7/reloc_linkscript.ld bin/samsung_s7/reloc_entry.o bin/samsung_s7/reloc_debugger.o -o bin/samsung_s7/reloc_debugger.elf --just-symbols=devices/samsung_s7/reloc_symbols.txt
+ $(OBJCOPY) -O binary bin/samsung_s7/reloc_debugger.elf bin/samsung_s7/reloc_debugger.bin
+
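Review bot: None of `all`, `samsung_s7` or `samsung_s7_reloc` produce a file of that name, so they should be declared phony to avoid a stale file in the working tree silently short-circuiting the build: `.PHONY: all samsung_s7 samsung_s7_reloc`. Both recipes repeat the `[ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/` line; an order-only prerequisite (`samsung_s7 samsung_s7_reloc: | bin/samsung_s7` with a `bin/samsung_s7:` rule running `mkdir -p $@`) would keep that in one place. Whether `all` becomes the default goal depends on lines above this hunk that I cannot see; if another target precedes it, `.DEFAULT_GOAL := all` makes the intent explicit.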
diff --git a/source/gupje_device/Readme.md b/source/gupje_device/Readme.md
index 37ebee2..0e89de2 100644
--- a/source/gupje_device/Readme.md
+++ b/source/gupje_device/Readme.md
@@ -1,8 +1,14 @@
# Gupje
Current memory map:
+## Stage 2
+Memory map in stage2 after exploitation
![memory map](memory_map.drawio.svg)
+## Stage 3
+Memory map in stage3 after relocating the debugger
+
+
## Usage:
Copy this folder to /devices/samsung_s7 and run:
diff --git a/source/gupje_device/device.h b/source/gupje_device/device.h
index 31506f8..e3e78ff 100644
--- a/source/gupje_device/device.h
+++ b/source/gupje_device/device.h
@@ -8,6 +8,8 @@ extern int usb_event_handler(void);
extern uint32_t get_endpoint_recv_buffer(char endpoint);
extern void exynos_sleep(int endpoint,uint32_t timeout);
extern void usb_send(uint32_t address,uint32_t size);
+extern uint32_t recv_buffer;
+extern uint32_t data_received;
int mystrlen(char *data) {
int i=0;
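Review bot: The `extern uint32_t recv_buffer;` / `extern uint32_t data_received;` declarations added at lines 139-140 name the same identifiers that the `#define recv_buffer` / `#define data_received` block in the next hunk (lines 147-153) turns into address literals, so every use after the macros is the literal and these externs never bind to anything; the symbol files export `g_recv_buffer` / `g_data_received`, not these names, so a translation unit that saw the externs without the macros would fail to link. Keep one mechanism: either drop the two externs and rely on the macros, or define the addresses once in the symbols files and declare them here. As committed, `0x020c6200` and `0x020c6000` are written in both device.h and reloc_symbols.txt, which is a drift hazard; at minimum add `/* keep in sync with g_recv_buffer / g_data_received in reloc_symbols.txt */` above the `#ifdef RELOC_DEBUGGER` block.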
@@ -19,9 +21,13 @@ int mystrlen(char *data) {
return i-1;
}
-
+#ifdef RELOC_DEBUGGER
+#define recv_buffer 0x020c6200
+#define data_received 0x020c6000
+#else
#define recv_buffer 0x206fe00 //0x02021800 + 0x3000
#define data_received 0x206fd00
+#endif
void recv_data_cb(uint32_t endpoint, uint32_t len){
char *dest_buf = (char *)recv_buffer;
diff --git a/source/gupje_device/reloc_linkscript.ld b/source/gupje_device/reloc_linkscript.ld
new file mode 100644
index 0000000..3d1a536
--- /dev/null
+++ b/source/gupje_device/reloc_linkscript.ld
@@ -0,0 +1,14 @@
+MEMORY {
+ ROM (rwx): ORIGIN = 0x020c0000, LENGTH = 0x1000
+}
+
+SECTIONS
+{
+ . = 0x020c0000;
+ .text . : {
+ *(.text*)
+ *(.data*)
+ *(.rodata*)
+ } >ROM
+
+}
\ No newline at end of file
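Review bot: The only output section collects `.text*`, `.data*` and `.rodata*`; no `.bss*` is placed, so any zero-initialised globals in debugger.c become orphan sections whose placement is left to ld's orphan heuristics instead of being pinned inside the 0x1000-byte region. Add `*(.bss*)` to the section (or a dedicated `.bss` output section under `>ROM`) so the layout is explicit, and check whether the entry stub clears it — I cannot see arm64_stub.S from here. The region is named `ROM` but declared `rwx` and receives `.data`; a comment stating what memory actually backs 0x020c0000 would avoid confusion, and a note such as `/* debugger_stack (0x020c2000) and debugger_storage (0x020c4000) live outside this region, see reloc_symbols.txt */` would record that `LENGTH = 0x1000` is intentional rather than an oversight.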
diff --git a/source/gupje_device/reloc_symbols.txt b/source/gupje_device/reloc_symbols.txt
new file mode 100644
index 0000000..bab33dc
--- /dev/null
+++ b/source/gupje_device/reloc_symbols.txt
@@ -0,0 +1,12 @@
+debugger_storage = 0x020c4000;
+debugger_stack = 0x020c2000;
+debugger_entry = 0x020c0000;
+
+maybe_usb_setup_read = 0x00006f88;
+dwc3_ep0_start_trans = 0x0000791c;
+usb_event_handler = 0x00007bac;
+get_endpoint_recv_buffer = 0x00007a7c;
+exynos_sleep = 0x000027c8;
+
+g_recv_buffer = 0x020c6200;
+g_data_received = 0x020c6000;
\ No newline at end of file
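Review bot: `symbols.txt` in this same commit gains `RELOCATED = 0;` (line 208) but this new `reloc_symbols.txt` defines no `RELOCATED` at all; if debugger.c references that symbol the `samsung_s7_reloc` link will fail with an undefined reference, and if it is meant to select the relocated layout it presumably should read `RELOCATED = 1;` here — I cannot see debugger.c, so please confirm. The five ROM addresses from `maybe_usb_setup_read` through `exynos_sleep` are copied verbatim from `symbols.txt`; keeping them in one shared file passed to both links via `--just-symbols` would remove the risk of the two copies drifting. Both symbol files also lack a trailing newline.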
diff --git a/source/gupje_device/symbols.txt b/source/gupje_device/symbols.txt
index cc34e41..d1f0867 100644
--- a/source/gupje_device/symbols.txt
+++ b/source/gupje_device/symbols.txt
@@ -6,4 +6,6 @@ maybe_usb_setup_read = 0x00006f88;
dwc3_ep0_start_trans = 0x0000791c;
usb_event_handler = 0x00007bac;
get_endpoint_recv_buffer = 0x00007a7c;
-exynos_sleep = 0x000027c8;
\ No newline at end of file
+exynos_sleep = 0x000027c8;
+
+RELOCATED = 0;
\ No newline at end of file