EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: EljakimHerrewijnen:5aa1331a5295e6d09efca98230ff673c72a6b2a2
Branches Tags
EljakimHerrewijnen:main
EljakimHerrewijnen:altered-script-flow
..
compare: EljakimHerrewijnen:913145a630c97e8e3ea702caf56824db0bd74726
Branches Tags
EljakimHerrewijnen:main
EljakimHerrewijnen:altered-script-flow

No commits in common. "5aa1331a5295e6d09efca98230ff673c72a6b2a2" and "913145a630c97e8e3ea702caf56824db0bd74726" have entirely different histories.
5aa1331a52 ... 913145a630

4 changed files with 3 additions and 5044 deletions
Show Stats Expand all files Collapse all files

11
README.md
View File

@ -1,12 +1,3 @@
# Samsung_S7 # Samsung_S7
Code to exploit and research the Exynos Bootrom.
## Setting up Code to exploit and research the Exynos Bootrom
Create a venv, and intall ghidra_assistant.
```bash
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txts
```
To get to work, run `source/exploit/exploit.py`

38
documentation/source/BootROM_8890/index.rst
View File

@ -21,7 +21,7 @@ To extract the sboot.bin file from a samsung firmware file:
Memory Layout Memory Layout
------------- -------------
TODO make memory layout of ROM, IMEM and some devices @JONHE TODO make memory layout of ROM, IMEM and some devices
.. figure:: images/memory_layout.drawio.svg .. figure:: images/memory_layout.drawio.svg
@ -49,44 +49,10 @@ dldata
This protocol remains *mostly* the same for newer Exynos SoCs. This protocol remains *mostly* the same for newer Exynos SoCs.
USB Stack
=========
This information is largely based on the blogpost of Frederic on reversing the `USB stack of the Exynos BootROM <https://fredericb.info/2020/06/reverse-engineer-usb-stack-of-exynos-bootrom.html#reverse-engineer-usb-stack-of-exynos-bootrom>`_. We're looking at the proprietary USB protocol used by the Exynos BootROM.
The base address of the usb controller (dwusb3) is mapped at 0x1540000, with a size of 0x10000: (can be found at: `Exynos8890 dtsi <https://github.com/LineageOS/android_kernel_samsung_universal8890/tree/lineage-18.1/arch/arm64/boot/dts>`_).
.. code-block:: dts
udc: usb@15400000 {
compatible = "samsung,exynos8890-dwusb3";
clocks = <&clock 700>, <&clock 703>, <&clock 708>, <&clock 709>;
clock-names = "aclk", "sclk", "phyclock", "pipe_pclk";
reg = <0x0 0x15400000 0x10000>;
#address-cells = <2>;
#size-cells = <1>;
ranges;
usb-pm-qos-int = <255000>;
status = "disabled";
usbdrd_dwc3: dwc3 {
compatible = "synopsys,dwc3";
reg = <0x0 0x15400000 0x10000>;
interrupts = <0 213 0>;
phys = <&usbdrd_phy0 0>, <&usbdrd_phy0 1>;
phy-names = "usb2-phy", "usb3-phy";
};
};c
This is a basic USB controller, but some functions, that are also present in the linux kernel, should be visible in the bootROM as well. Available functions could be: `linux-kernel-dwc3 <https://android.googlesource.com/kernel/msm/+/android-msm-dory-3.10-kitkat-wear/drivers/usb/dwc3/core.h>`_.
Bug 1(Integer underflow) Bug 1(Integer underflow)
------------------------ ------------------------
@TODO better explain frederick's bug. @JOHER
https://github.com/LineageOS/android_kernel_samsung_universal8890/blob/lineage-18.1/arch/arm64/boot/dts/exynos8890.dtsi
@TODO better explain frederick's bug. @JONHE
Bug 2 Bug 2
----- -----

3
requirements.txt
View File

@ -1,3 +0,0 @@
sphinx-rtd-theme
sphinxcontrib.confluencebuilder
sphinxcontrib.drawio

4995
source/exploit/exynos8895-reference.dtsi
View File

File diff suppressed because it is too large Load Diff