Compare commits
3 Commits
6e4a22b5c3
...
4bbb11908f
Author | SHA1 | Date | |
---|---|---|---|
|
4bbb11908f | ||
|
de8395b286 | ||
|
19d20965db |
@ -3,7 +3,7 @@
|
||||
Booting
|
||||
=======
|
||||
|
||||
After exploitation the goal is to fully boot the device.
|
||||
After exploitation the goal is to fully boot the device.
|
||||
|
||||
Current boot chain:
|
||||
|
||||
@ -19,9 +19,63 @@ As done by Frederic, the bootrom can be dumped using his provided scripts, and c
|
||||
./exynos-usbdl e payloads/Exynos8890_dump_bootrom.bin dumped_sboot.bin
|
||||
scripts/split-sboot-8890.sh dumped_sboot.bin
|
||||
|
||||
This results in the following files:
|
||||
|
||||
.. list-table:: bootrom stages
|
||||
:header-rows: 1
|
||||
|
||||
* - File
|
||||
- Strings output
|
||||
- Likely boot stage?
|
||||
* - sboot.bin.1.bin
|
||||
- Exynos BL1
|
||||
- BL1
|
||||
* - sboot.bin.2.bin
|
||||
- BL31 %s
|
||||
- BL31
|
||||
* - sboot.bin.3.bin
|
||||
- Unsure. Contains strings like: TOP_DIV_ACLK_MFC_600 and APOLLO_DIV_APOLLO_RUN_MONITOR
|
||||
- BL2?
|
||||
* - sboot.bin.4.bin
|
||||
- Contains more textual information, and references to post BL2 boot, and android information
|
||||
- Kernel boot/BL33?
|
||||
|
||||
debugger
|
||||
========
|
||||
Some other information about the debugger and it's current state.
|
||||
After the initial loading of the debugger, the state reported is:
|
||||
|
||||
.. code:: bash
|
||||
|
||||
root | DEBUG |
|
||||
X0 : 0x0 | X1 : 0xffffffff | X2 : 0x20215d8 | X3 : 0x2021894 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
|
||||
X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
|
||||
X14 : 0xf | X15 : 0x206d000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x2000 | X20 : 0x2069000 |
|
||||
X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
|
||||
X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20219b8 | SP/X31 : 0x2020ef0
|
||||
|
||||
With the original bl1
|
||||
|
||||
.. code:: bash
|
||||
|
||||
root | DEBUG |
|
||||
X0 : 0x0 | X1 : 0x1 | X2 : 0x20215d8 | X3 : 0x2021894 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
|
||||
X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
|
||||
X14 : 0xf | X15 : 0x20c4000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x2000 | X20 : 0x2069000 |
|
||||
X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
|
||||
X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0
|
||||
|
||||
|
||||
|
||||
With a modified bl1
|
||||
|
||||
.. code:: bash
|
||||
|
||||
root | DEBUG |
|
||||
X0 : 0x0 | X1 : 0x1 | X2 : 0x20215d8 | X3 : 0x2021894 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
|
||||
X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
|
||||
X14 : 0xf | X15 : 0x20c4000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x2000 | X20 : 0x2069000 |
|
||||
X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
|
||||
X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0
|
||||
|
||||
I relocated the debugger to ``0x20c0000`` to prevent overwriting it.
|
||||
|
||||
@ -137,6 +191,13 @@ Replacing this function with our debugger makes us jump back:
|
||||
|
||||
However this does not fully run bl1, so we will have to dig a bit deeper to see the puropose and when to jump back to the debugger.
|
||||
|
||||
Authentication of BL1 seems to be done at ``0x0012848``. With return value '0' expected when this function is executed, to execute other functions.
|
||||
|
||||
.. figure:: images/bl1_auth_references.png
|
||||
:align: center
|
||||
|
||||
BL1 authentication.
|
||||
|
||||
purpose
|
||||
-------
|
||||
bl1 interacts with several pheriperals, from the DTB these are:
|
||||
|
@ -8,10 +8,11 @@ OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64
|
||||
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
|
||||
|
||||
#==================Target Samsung S7 (8890)==================
|
||||
CFLAGS_SAMSUNGS7 = -Os
|
||||
CFLAGS_SAMSUNGS7 = -Os # -Os for optimization for size
|
||||
|
||||
dwc3:
|
||||
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
|
||||
$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
|
||||
$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
|
||||
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7) # -c compiles assembly code, and -o creates an object file (containing linking and symbol information)
|
||||
$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o # compiles test_dwc3.c to dwc3.o
|
||||
$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt # -T for linker script, --just-symbols for symbols file
|
||||
$(OBJCOPY) -O binary dwc3.elf dwc3.bin
|
||||
|
Binary file not shown.
Binary file not shown.
17
source/exploit/debugger/Makefile
Normal file
17
source/exploit/debugger/Makefile
Normal file
@ -0,0 +1,17 @@
|
||||
ifeq ($(ANDROID_NDK_ROOT),)
|
||||
$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
|
||||
endif
|
||||
|
||||
CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
|
||||
AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
|
||||
OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
|
||||
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
|
||||
|
||||
#==================Target Samsung S7 (8890)==================
|
||||
CFLAGS_SAMSUNGS7 = -Os
|
||||
|
||||
stage1:
|
||||
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
|
||||
$(CC) $(CFLAGS_SAMSUNGS7) -c stage1.c -o stage1.o
|
||||
$(LD) -T linkscript.ld entry.o stage1.o -o stage1.elf --just-symbols=symbols.txt
|
||||
$(OBJCOPY) -O binary stage1.elf stage1.bin
|
8
source/exploit/modify_bin.py
Normal file
8
source/exploit/modify_bin.py
Normal file
@ -0,0 +1,8 @@
|
||||
# Open a binary file and modify it
|
||||
bl1 = open('../S7/bl1.bin', 'rb').read()
|
||||
|
||||
# Modify the binary file at 1C10
|
||||
bl1 = bl1[:0x1C1C] + b'\x48' + bl1[0x1C1D:]
|
||||
|
||||
# Write the modified binary file
|
||||
open('../S7/bl1_mod.bin', 'wb').write(bl1)
|
@ -15,3 +15,4 @@ stage1:
|
||||
$(CC) $(CFLAGS_SAMSUNGS7) -c stage1.c -o stage1.o
|
||||
$(LD) -T linkscript.ld entry.o stage1.o -o stage1.elf --just-symbols=symbols.txt
|
||||
$(OBJCOPY) -O binary stage1.elf stage1.bin
|
||||
|
Loading…
Reference in New Issue
Block a user