altered-script-flow #1

Merged
Jonathan merged 3 commits from altered-script-flow into main 2024-08-09 20:21:44 +00:00
9 changed files with 95 additions and 23 deletions
Showing only changes of commit e8a997fee8 - Show all commits

1
.gitignore vendored
View File

@ -1,5 +1,6 @@
dump/
*.bin
*.a
venv/
reven/
!dump/exynos-usbdl/

View File

@ -1,9 +1,9 @@
#Ghidra Lock File
#Tue Aug 06 19:30:30 CEST 2024
#Fri Aug 09 11:27:43 CEST 2024
OS\ Name=Linux
OS\ Version=6.5.0-44-generic
Username=eljakim
Hostname=levith
<META>\ Supports\ File\ Channel\ Locking=Channel Lock
OS\ Architecture=amd64
Timestamp=8/6/24, 7\:30 PM
Timestamp=8/9/24, 11\:27 AM

View File

@ -260,14 +260,44 @@ class ExynosDevice():
Room for playing around with the debugger
'''
self.cd.arch_dbg.state.auto_sync = False
self.cd.arch_dbg.state.auto_sync_special = False
self.cd.arch_dbg.state.print_ctx()
# Overwrite jump back
# self.cd.memwrite_region(0x02020108, p32(0x2069000))
# self.cd.memwrite_region(0x02021800, p32(0x2069000))
self.cd.memwrite_region(0x020200e8, p32(0x02069000)) # address, data. Writes
def relocate_debugger():
# Seems to be cleared upon cache clearing??
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
self.cd.memwrite_region(0x020c0000, debugger_reloc)
self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
relocate_debugger()
# Try loading bl1
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02021800, bl1)
# self.usb_write(b"FLSH")
AUTH_BL1 = 0x00012848
def auth_bl1(lr=0x2069000):
# Load the firmware
self.cd.arch_dbg.state.W0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
auth_bl1(0x020c0000)
# Works until here
pass
# Overwrite jump back
self.cd.memwrite_region(0x02020108, p32(0x2069000))
self.cd.memwrite_region(0x020200e8, p32(0x2069000))
def memdump_try():
self.cd.arch_dbg.state.LR = 0x020200e8
self.cd.restore_stack_and_jump(0x02021810)
@ -278,16 +308,8 @@ class ExynosDevice():
self.cd.arch_dbg.state.print_ctx()
print(hex(block))
dumped += self.cd.memdump_region(block, 0x200)
if stack_pointer >= 0x02020F08:
print(f'stack_pointer at {stack_pointer}')
return dumped
def auth_bl1():
# Load the firmware
self.cd.arch_dbg.state.X0 = 1
self.cd.arch_dbg.state.X1 = 1
self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
def jump_bl1():
self.cd.arch_dbg.state.LR = 0x2069000
@ -299,11 +321,9 @@ class ExynosDevice():
# self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4)
dumped = memdump_try()
bl1 = open("../S7/bl1.bin", "rb").read()
self.cd.memwrite_region(0x02024000, bl1)
self.usb_write(b"FLSH")
auth_bl1()
# auth_bl1()
jump_bl1()

View File

@ -8,6 +8,8 @@ OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
#==================Target Samsung S7 (8890)==================
all: samsung_s7 samsung_s7_reloc
CFLAGS_SAMSUNGS7 = -Os -Idevices/samsung_s7/
samsung_s7:
[ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/
@ -15,3 +17,12 @@ samsung_s7:
$(CC) debugger.c -c -o bin/samsung_s7/debugger.o $(CFLAGS_SAMSUNGS7)
$(LD) -T devices/samsung_s7/linkscript.ld bin/samsung_s7/entry.o bin/samsung_s7/debugger.o -o bin/samsung_s7/debugger.elf --just-symbols=devices/samsung_s7/symbols.txt
$(OBJCOPY) -O binary bin/samsung_s7/debugger.elf bin/samsung_s7/debugger.bin
CFLAGS_SAMSUNGS7_RELOC = -Os -DRELOC_DEBUGGER=1 -Idevices/samsung_s7/
samsung_s7_reloc:
[ -d bin/samsung_s7 ] || mkdir -p bin/samsung_s7/
$(CC) arm64_stub.S -c -o bin/samsung_s7/reloc_entry.o $(CFLAGS_SAMSUNGS7_RELOC)
$(CC) debugger.c -c -o bin/samsung_s7/reloc_debugger.o $(CFLAGS_SAMSUNGS7_RELOC)
$(LD) -T devices/samsung_s7/reloc_linkscript.ld bin/samsung_s7/reloc_entry.o bin/samsung_s7/reloc_debugger.o -o bin/samsung_s7/reloc_debugger.elf --just-symbols=devices/samsung_s7/reloc_symbols.txt
$(OBJCOPY) -O binary bin/samsung_s7/reloc_debugger.elf bin/samsung_s7/reloc_debugger.bin

View File

@ -1,8 +1,14 @@
# Gupje
Current memory map:
## Stage 2
Memory map in stage2 after exploitation
![memory map](memory_map.drawio.svg)
## Stage 3
Memory map in stage3 after relocating the debugger
## Usage:
Copy this folder to <gupje>/devices/samsung_s7 and run:

View File

@ -8,6 +8,8 @@ extern int usb_event_handler(void);
extern uint32_t get_endpoint_recv_buffer(char endpoint);
extern void exynos_sleep(int endpoint,uint32_t timeout);
extern void usb_send(uint32_t address,uint32_t size);
extern uint32_t recv_buffer;
extern uint32_t data_received;
int mystrlen(char *data) {
int i=0;
@ -19,9 +21,13 @@ int mystrlen(char *data) {
return i-1;
}
#ifdef RELOC_DEBUGGER
#define recv_buffer 0x020c6200
#define data_received 0x020c6000
#else
#define recv_buffer 0x206fe00 //0x02021800 + 0x3000
#define data_received 0x206fd00
#endif
void recv_data_cb(uint32_t endpoint, uint32_t len){
char *dest_buf = (char *)recv_buffer;

View File

@ -0,0 +1,14 @@
MEMORY {
ROM (rwx): ORIGIN = 0x020c0000, LENGTH = 0x1000
}
SECTIONS
{
. = 0x020c0000;
.text . : {
*(.text*)
*(.data*)
*(.rodata*)
} >ROM
}

View File

@ -0,0 +1,12 @@
debugger_storage = 0x020c4000;
debugger_stack = 0x020c2000;
debugger_entry = 0x020c0000;
maybe_usb_setup_read = 0x00006f88;
dwc3_ep0_start_trans = 0x0000791c;
usb_event_handler = 0x00007bac;
get_endpoint_recv_buffer = 0x00007a7c;
exynos_sleep = 0x000027c8;
g_recv_buffer = 0x020c6200;
g_data_received = 0x020c6000;

View File

@ -7,3 +7,5 @@ dwc3_ep0_start_trans = 0x0000791c;
usb_event_handler = 0x00007bac;
get_endpoint_recv_buffer = 0x00007a7c;
exynos_sleep = 0x000027c8;
RELOCATED = 0;