Jonathan Herrewijnen
44ebe96d86 adds ghzfile 2024-10-24 19:18:42 +02:00
Jonathan Herrewijnen
3b89bec190 Modify usb_recovery boot to boot normally or in another way 2024-10-24 18:28:39 +02:00
Jonathan Herrewijnen
d187b06980 adds print screen binary. Not working for now 2024-10-23 19:24:09 +02:00
Jonathan Herrewijnen
9b12fe8c33 adding ghidra zip file 2024-10-10 20:36:18 +02:00
Jonathan Herrewijnen
26bb5a5718 Trying to patch screen 2024-10-10 19:58:17 +02:00
Jonathan Herrewijnen
697a2a6f4f adds ghidra zip file from 26 sept (xrdp is not working.. ) 2024-09-26 19:35:38 +02:00
13 changed files with 163 additions and 88 deletions


@ -232,6 +232,30 @@ So, I've written something to dump the location of thte TTBR0_EL3 table, before
df['TTBR0_EL3'] = [blub]
df.to_pickle('ttbr0_el3.pkl')
I tried modifying some code to write text to the screen. In order to view whether this would at all be possible, I tried modifying code that would alter the message printed when booting normally (it would print: USB RECOVERY MODE). But it would appear that this is already in space that is by then not accessible anymore. The 'str' function crashes the device. Doesn't really matter where I do this, but the space seems immutable.. The movz and movk is because I was having issues moving data into registers.
.. code:: python
# Write NOP from 0x8f008cb8 to 0x8f008d14 using self.cd.memwrite
for i in range(0x8f008cb8, 0x8f008d14, 4):
self.cd.memwrite_region(i, b'\x1f\x20\x03\xd5')
#self.cd.memwrite_region(0x8f008cb8, struct.pack('>I', 0x1f2003d5))
# Write opcode that writes 'aaaaaaaa' at 0x8f06ab10
shellcode = f"""
// Load the target address (0x8f06ab10) into x21
movz x21, #0x8f06 // Load the high half of the address
movk x21, #0xab10, lsl #16 // Load the low half of the address
// Load the value 'aaaa' (0x6161616161616161) into x22
movz x20, #0xbeef
// Write the contents of x20 to the bytes where x21 points to
str x20, [x21]
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(0x8f008cb8, shellcode)
It would appear that I'm currently only able to modify code before executing any part of BL33. I'm as of yet unable to return to the debugger at any point in BL33.


@ -790,27 +790,27 @@ class ExynosDevice():
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)
# Disable this to keep access to the debugger after senindg the next stage
self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY
self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 5 ====
# Sends stage 5 (BL33) but returns to debugger after sending.
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
# print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read()
# off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9"))
# stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):]
self.send_normal_stage(stage4)
self.connect_device()
self.usb_read(0x200) # GiAs
# # Modify something in BL33
print(self.cd.arch_dbg.state.print_ctx())
print(self.cd.memdump_region(0x8f063710, 0x8))
self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
# Modify USB Recovyer mode string to: NFI Patched BL33
self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
print(self.cd.memdump_region(0x8f063710, 0x8))
# Print state of x30/LR on screen
self.cd.memwrite_region(0x8f01dc08, struct.pack('>I', 0x7b432c91))
# Change bootmode to SDCARD (allow normal booting, if pressing volume up)
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
# Jump into a different function that continues the boot flow (different than BL33_LR)
self.cd.restore_stack_and_jump(0x02024e5c)
pass
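Review bot: `stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()` leaks the file handle until the garbage collector gets to it; write it as `with open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb") as f: stage4 = f.read()`. The comment above the `memwrite_region(0x8f06ab10, ...)` call says the string becomes "NFI Patched BL33", but the 17 bytes written decode to "NFI Patching BL33", so one of the two should be corrected, and since the notes in this commit say the original text is "USB RECOVERY MODE" (also 17 characters) a comment such as `# 17 bytes: same length as the original 'USB RECOVERY MODE', so nothing after it is clobbered` would make the size constraint explicit for the next edit. The trailing `pass` after `restore_stack_and_jump(0x02024e5c)` is dead and can be dropped. The enclosing method starts before this hunk, so the surrounding control flow is not visible here.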

Binary file not shown.


@ -0,0 +1,18 @@
ifeq ($(ANDROID_NDK_ROOT),)
$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
endif
CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
#==================Target Samsung S7 (8890)==================
CFLAGS_SAMSUNGS7 = -Os # -Os for optimization for size
print:
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7) # -c compiles assembly code, and -o creates an object file (containing linking and symbol information)
$(CC) $(CFLAGS_SAMSUNGS7) -c test_print.c -o print.o # compiles test_print.c to print.o
$(LD) -T test_print.ld entry.o print.o -o print.elf --just-symbols=symbols.txt # -T for linker script, --just-symbols for symbols file
$(OBJCOPY) -O binary print.elf print.bin
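Review bot: The `print` target has no prerequisites and is not declared phony, so `make print` is rebuilt unconditionally and would be silently skipped if a file named `print` ever appeared in the directory; add `.PHONY: print` and list the inputs, e.g. `print: entry.S test_print.c test_print.ld symbols.txt`. The three `$(CC)`/`$(LD)` lines produce `entry.o`, `print.o`, `print.elf` and `print.bin` but nothing removes them, so a `clean:` target (`rm -f entry.o print.o print.elf print.bin`) is worth adding given that the `.o` and `.elf` files are also being committed in this same change. The toolchain paths hard-code `linux-x86_64`, which the error message at the top does not mention; stating it there alongside "version 20" would save a wrong-host user a confusing failure later.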



@ -0,0 +1,2 @@
start:
b notmain
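Review bot: `start` is not exported, and as far as the linker script in this same change shows, its placement at the first byte of the output relies only on `entry.o` being listed before `print.o` on the `ld` command line; marking it `.global start` and putting it in its own section that the script places first (for example `.section .text.start` here and `KEEP(*(.text.start))` ahead of `*(.text*)` in test_print.ld) removes that dependency on argument order. A one-line comment on the branch would also help a reader: `// tail-jump, no LR update: notmain's ret returns to whoever called start`.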

BIN
source/screen_print/entry.o Normal file

Binary file not shown.

BIN
source/screen_print/print.elf Executable file

Binary file not shown.

BIN
source/screen_print/print.o Normal file

Binary file not shown.


@ -0,0 +1 @@
jh_print_to_screen = 0x8f0222d0;
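Review bot: The address `0x8f0222d0` is specific to one firmware image and is given without provenance, so the file should say where it came from and which image it applies to, e.g. `/* jh_print_to_screen: address in the g930f BL33 image referenced by exynos_device.py; re-derive if the sboot image changes */` — presumably from the Ghidra analysis the commit messages mention, which is worth confirming and naming. Without that note a mismatch between this symbol and a different sboot build would only show up as a crash on the device.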


@ -0,0 +1,16 @@
#include <stdint.h>
void jh_print_to_screen(int param_1,int param_2,int param_3,int param_4,int param_5,char *param_6,
int param_7);
// uint r_log(char *fmt,...);
int notmain(char *msg, int msg_len){
// jh_print_to_screen(0x1234, 12, 0xfff, 0xfff, msg, msg_len, 2);
// volatile int a = 0;
// for(int i = 0; i < 100000; i++){
// a++;
// }
// while(1);
return 0;
}
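Review bot: The commented-out call `jh_print_to_screen(0x1234, 12, 0xfff, 0xfff, msg, msg_len, 2)` does not agree with the prototype declared above it, which takes `int` as the fifth parameter, `char *` as the sixth and `int` as the seventh: the call passes `msg` in the fifth slot and `msg_len` in the sixth, so re-enabling it as written would produce int/pointer conversion diagnostics and hand the callee its arguments in the wrong positions. Either the prototype or the call is wrong and the intended order should be settled before the line comes back; replacing the Ghidra-style `param_N` names with what each argument means (as far as it is known) would make the mismatch visible at a glance. `notmain` currently ignores both of its parameters; if that is deliberate scaffolding while the print path is disabled, a comment such as `/* TODO: body disabled while jh_print_to_screen crashes the device; msg/msg_len unused until then */` states it, and `(void)msg; (void)msg_len;` keeps the build quiet under `-Wall`.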


@ -0,0 +1,14 @@
MEMORY {
ROM (rwx): ORIGIN = 0x8f007de8, LENGTH = 0x108
}
SECTIONS
{
. = 0x8f007de8;
.text . : {
*(.text*)
*(.data*)
*(.rodata*)
} >ROM
}
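Review bot: The `.text` output section collects `.text*`, `.data*` and `.rodata*` but not `.bss*` or `COMMON`, so a zero-initialised or uninitialised global in test_print.c would be placed by the default rules outside the 264-byte `ROM` region without the `LENGTH = 0x108` check catching it; add `*(.bss*)` and `*(COMMON)` to the section (or a `/DISCARD/ : { *(.bss*) *(COMMON) }` block if such data must never appear in the patch). The script also has no `ENTRY(start)` and nothing orders `entry.o` ahead of `print.o` inside `*(.text*)`, so the location of `start` is set by the link command line; a dedicated input section for it listed first here would make the layout self-describing. A header comment recording what the region is — `/* 0x108 bytes of patch space inside the BL33 image at 0x8f007de8, see exynos_device.py */` — would explain the magic numbers to the next reader.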