38 lines
1.8 KiB
ReStructuredText
38 lines
1.8 KiB
ReStructuredText
=====
|
|
Notes
|
|
=====
|
|
General notes on interesting/peculiar things found on the S7 USB recovery boot process
|
|
|
|
Emulator
|
|
========
|
|
What is interesting about the ROM is that it starts by checking MPIDR_EL1 register and doing a conditional branch to 0x20e0000.
|
|
|
|
.. code-block:: ghidra
|
|
|
|
undefined w0:1 <RETURN>
|
|
Reset XREF[1]: Entry Point(*)
|
|
00000000 bb 00 38 d5 mrs x27,mpidr_el1
|
|
00000004 7b 0f 78 92 and x27,x27,#0xf00
|
|
00000008 7f 03 00 f1 cmp x27,#0x0
|
|
0000000c 41 00 00 54 b.ne LAB_00000014
|
|
00000010 fc 7f 83 14 b LAB_020e0000
|
|
|
|
Week 35 - 2024
|
|
===============
|
|
After booting BL31, the MMU seems to be set up, and we're unable to do get any data off of spaces we're not 'allowed' to access. Patching the if-statement at 0x020244e8, disables the bit that says that the MMU is setup, but booting into recovery is possible (meaning the MMU is setup). Additionally, the memory at 0x02035600 is still not dumpable. At 0x02048000 is still accessible.
|
|
|
|
Weird space found at 0x105c2400. Seems to contain references to usb buffer (about 48-64 bytes).
|
|
|
|
Also space at 0x020307f0
|
|
|
|
.. code-block:: python
|
|
self.cd.memdump_region(0x105c2400, 0x40).hex()
|
|
'0f0f00000f0008002100000000000000ffffffffffffffffffffffffffffffff0f0f00000f0008002101000000000000ffffffffffffffffffffffffffffffff'
|
|
|
|
Week 36 - 2024
|
|
===============
|
|
Interesting links:
|
|
- `Heap overflow <https://highaltitudehacks.com/2020/09/05/arm64-reversing-and-exploitation-part-1-arm-instruction-set-heap-overflow.html>`_
|
|
- `UART on S8 <https://grimler.se/posts/exynos-uart/>`_
|
|
|
|
By accident found space at 0x11207010. Seems to be a memory read/write space. Not executable however, unless the MMU is turned off. |