Merge branch 'main' of https://git.herreweb.nl/EljakimHerrewijnen/Samsung_S7

documentation/source/BootROM_8890/boot_chain.rst

@@ -3,7 +3,7 @@
 Booting
 =======
 
-After exploitation the goal is to fully boot the device.
+After exploitation the goal is to fully boot the device. 
 
 Current boot chain:
 
@@ -19,9 +19,63 @@ As done by Frederic, the bootrom can be dumped using his provided scripts, and c
     ./exynos-usbdl e payloads/Exynos8890_dump_bootrom.bin dumped_sboot.bin
     scripts/split-sboot-8890.sh dumped_sboot.bin
 
+This results in the following files:
+
+.. list-table:: bootrom stages
+	:header-rows: 1
+
+	* - File
+	  - Strings output
+	  - Likely boot stage?
+	* - sboot.bin.1.bin
+	  - Exynos BL1
+	  - BL1
+	* - sboot.bin.2.bin
+	  - BL31 %s
+	  - BL31
+	* - sboot.bin.3.bin
+	  - Unsure. Contains strings like: TOP_DIV_ACLK_MFC_600 and APOLLO_DIV_APOLLO_RUN_MONITOR
+	  - BL2?
+	* - sboot.bin.4.bin
+	  - Contains more textual information, and references to post BL2 boot, and android information
+	  - Kernel boot/BL33?
+
 debugger
 ========
-Some other information about the debugger and it's current state.
+After the initial loading of the debugger, the state reported is:
+
+.. code:: bash
+    
+    root | DEBUG | 
+                X0 : 0x0 | X1 : 0xffffffff | X2 : 0x20215d8 | X3 : 0x2021894 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
+                X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
+                X14 : 0xf | X15 : 0x206d000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x2000 | X20 : 0x2069000 |
+                X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
+                X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20219b8 | SP/X31 : 0x2020ef0
+
+With the original bl1
+
+.. code:: bash
+
+  root | DEBUG | 
+            X0 : 0x0 | X1 : 0x1 | X2 : 0x20215d8 | X3 : 0x2021894 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
+            X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
+            X14 : 0xf | X15 : 0x20c4000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x2000 | X20 : 0x2069000 |
+            X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
+            X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0
+
+
+
+With a modified bl1
+
+.. code:: bash
+
+  root | DEBUG | 
+            X0 : 0x0 | X1 : 0x1 | X2 : 0x20215d8 | X3 : 0x2021894 | X4 : 0x4 | X5 : 0x0 | X6 : 0x0 |
+            X7 : 0x136c0008 | X8 : 0x2069000 | X9 : 0x0 | X10 : 0x2070000 | X11 : 0x0 | X12 : 0x0 | X13 : 0x0 |
+            X14 : 0xf | X15 : 0x20c4000 | X16 : 0x9 | X17 : 0x0 | X18 : 0x1 | X19 : 0x2000 | X20 : 0x2069000 |
+            X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 |
+            X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0
 
 I relocated the debugger to ``0x20c0000`` to prevent overwriting it.
 
@@ -137,6 +191,13 @@ Replacing this function with our debugger makes us jump back:
 
 However this does not fully run bl1, so we will have to dig a bit deeper to see the puropose and when to jump back to the debugger.
 
+Authentication of BL1 seems to be done at ``0x0012848``. With return value '0' expected when this function is executed, to execute other functions.
+
+.. figure:: images/bl1_auth_references.png
+   :align: center
+
+   BL1 authentication. 
+
 purpose
 -------
 bl1 interacts with several pheriperals, from the DTB these are:

source/dwc3_test/Makefile

@@ -8,10 +8,11 @@ OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64
 LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
 
 #==================Target Samsung S7 (8890)==================
-CFLAGS_SAMSUNGS7 = -Os
+CFLAGS_SAMSUNGS7 = -Os # -Os for optimization for size
 
 dwc3:
-	$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
-	$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
-	$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
+	$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7) # -c compiles assembly code, and -o creates an object file (containing linking and symbol information)
+	$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o # compiles test_dwc3.c to dwc3.o
+	$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt # -T for linker script, --just-symbols for symbols file
 	$(OBJCOPY) -O binary dwc3.elf dwc3.bin
+	

source/exploit/debugger/Makefile

@@ -0,0 +1,17 @@
+ifeq ($(ANDROID_NDK_ROOT),)
+$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
+endif
+
+CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
+AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
+OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
+LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
+
+#==================Target Samsung S7 (8890)==================
+CFLAGS_SAMSUNGS7 = -Os
+
+stage1:
+	$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
+	$(CC) $(CFLAGS_SAMSUNGS7) -c stage1.c -o stage1.o
+	$(LD) -T linkscript.ld entry.o stage1.o -o stage1.elf --just-symbols=symbols.txt
+	$(OBJCOPY) -O binary stage1.elf stage1.bin

source/exploit/modify_bin.py

@@ -0,0 +1,8 @@
+# Open a binary file and modify it
+bl1 = open('../S7/bl1.bin', 'rb').read()
+
+# Modify the binary file at 1C10
+bl1 = bl1[:0x1C1C] + b'\x48' + bl1[0x1C1D:]
+
+# Write the modified binary file
+open('../S7/bl1_mod.bin', 'wb').write(bl1)

source/exploit/stage1/Makefile

@@ -15,3 +15,4 @@ stage1:
 	$(CC) $(CFLAGS_SAMSUNGS7) -c stage1.c -o stage1.o
 	$(LD) -T linkscript.ld entry.o stage1.o -o stage1.elf --just-symbols=symbols.txt
 	$(OBJCOPY) -O binary stage1.elf stage1.bin
+