EljakimHerrewijnen/Samsung_S7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
76d1b8361c
Samsung_S7/documentation/source/BootROM_8890/01_start.rst
Jonathan Herrewijnen d9d9ae332a Cleaning up code and rewriting documentation. Now mostly finalized. 
Boots BL2 and returns to debugger. BL2 is not yet patcheable.
2024-09-10 18:59:32 +02:00

46 lines
2.7 KiB
ReStructuredText
Raw Blame History

==========
Start/Home
==========
The Exynos 8890 BootROM is a small piece of code that runs on the Exynos SoC at boot runtime. It is responsible for initializing the hardware and loading the first stage bootloader from storage. The BootROM is stored in a read-only memory and cannot be modified.
Useful links:
- `DTSI files for exynos8890 <https://github.com/LineageOS/android_kernel_samsung_universal8890/tree/lineage-18.1/arch/arm64/boot/dts>`_
- `Frederic exynos-usbdl on Github <https://github.com/frederic/exynos-usbdl/tree/master>`_'
- `Exynos8890 usbdl-recovery images/firmwares <https://github.com/ananjaser1211/exynos8890-exynos-usbdl-recovery>`_
Be sure to use the correct firmware and firmware version for your S7 when trying this exploit/Frederic's recovery boot (otherwise the booting will likely fail after sending BL31)!
Protections
-----------
There are no stack canaries or guard pages, and no ASLR. Meaning there are almost no protections in place. There is however an SMC and a MMU. The SMC is used to communicate with the secure world, and the MMU is used to map the memory.
Rom is at address 0x0 and is unwritable (Sometimes this is writeable due to MMU caching) and is 0x20000 bytes long.
Samsung Firmware
----------------
Samsung releases firmware files for their devices. These files contain the bootloader, modem, and other firmware files. To see how the ROM works we are interested in the sboot firmware, which contains multiple stages of the bootloader.
These files can then be used to boot the device into USB recovery. To extract the sboot.bin file from a samsung firmware file:
.. code-block:: bash
$ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin
For additional bootloaders, see: `Github exynos8890-exynos-usbdl-recovery <https://github.com/ananjaser1211/exynos8890-exynos-usbdl-recovery>`_
Memory Layout
-------------
The memory layout of the Exynos 8890 is as follows:
.. raw:: html
<iframe src="../_static/stack_and_functions.html" width="100%" height="1000px" frameborder="0" float='center'></iframe>
Download protocol
-----------------
When the ROM is unable to boot from the internal storage, it enters ``Exynos Recovery Mode``.
In this mode the bootROM accepts data over USB. There is little functionality other than receiving data, meaning almost no additional attack surface except for the download protocol.
The Exynos BootROM uses a custom protocol to download a bootable image over USB. This image is verified and executed by the BootROM. Unauthorized images are rejected. Initial authorisation is done using the '_auth_bl1' function. Frederic has exploited a vulnerability in the download protocol to load Unauthorized images.
Reference in New Issue View Git Blame Copy Permalink