EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

reads B33

Browse Source
This commit is contained in:
Jonathan Herrewijnen 2024-09-16 17:14:14 +02:00
parent e56a90f457
commit fe58a3b869
3 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
documentation/source/BootROM_8890/04_notes.rst
View File

@ -207,3 +207,9 @@ Current EL: 0xc
The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).
There's an odd space at 0x14kk. With things like deadcafe:
.. code::
1c0000000000000000000000fecaadde00000000fecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddefecaaddef

1
documentation/source/_ignore/stack_and_functions.csv
View File

@ -18,3 +18,4 @@ start,end,name,order,comment,X0,LR
0x02035600,0x02035608,TTBR0_EL3,,,,
0x11200000,0x11207000,Last relocated debugger,,,,
0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,
0x14000000,1400060000,DEADCAFE,,,,
1 start end name order comment X0 LR
18 0x02035600 0x02035608 TTBR0_EL3
19 0x11200000 0x11207000 Last relocated debugger
20 0xa0000000 0xa0013fff Parts of BL2 in IMEM
21 0x14000000 1400060000 DEADCAFE

14
source/exploit/exploit.py
View File

@ -772,10 +772,12 @@ class ExynosDevice():
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
# Restore bootflow
BL33_jump = self.cd.arch_dbg.state.X0
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
# Disable this to keep access to the debugger after senindg the next stage
# self.cd.restore_stack_and_jump(hijacked_fun)
self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 5 ====
#self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
@ -790,6 +792,10 @@ class ExynosDevice():
# assert len(stage4) == stage4_len, "Invalid stage4 length"
self.send_normal_stage(stage4)
self.connect_device()
self.usb_read(0x200) # GiAs
self.cd.arch_dbg.X0 = BL33_jump
self.cd.jump_to(0x8f000000)
# TRYOUT PATCHING BL33
# BL1 is loaded, now authenticate and patch it
@ -812,6 +818,12 @@ class ExynosDevice():
time.sleep(2)
# # dump in stages of 100 000 bytes and append to dump
# dump = b""
# for i in range(0x80000000, 0xf0000000, 0x100000):
# dump += self.cd.memdump_region(i, 0x100000)
pass