Samsung_S7/documentation/_build/confluence/BootROM_8890/01_start.conf

18 lines
2.8 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<p>The Exynos 8890 BootROM is a small piece of code that runs on the Exynos SoC at boot runtime. It is responsible for initializing the hardware and loading the first stage bootloader from storage. The BootROM is stored in a read-only memory and cannot be modified.</p><p>Useful links:</p><ul>
<li>
<p><a href="https://github.com/LineageOS/android_kernel_samsung_universal8890/tree/lineage-18.1/arch/arm64/boot/dts">DTSI files for exynos8890</a></p></li>
<li>
<p><a href="https://github.com/frederic/exynos-usbdl/tree/master">Frederic exynos-usbdl on Github</a></p></li>
<li>
<p><a href="https://github.com/ananjaser1211/exynos8890-exynos-usbdl-recovery">Exynos8890 usbdl-recovery images/firmwares</a></p></li>
</ul>
<p>Be sure to use the correct firmware and firmware version for your S7 when trying this exploit/Frederics recovery boot (otherwise the booting will likely fail after sending BL31)!</p><h2>Protections</h2>
<p>There are no stack canaries or guard pages, and no ASLR. Meaning there are almost no protections in place. There is however an SMC and a MMU. The SMC is used to communicate with the secure world, and the MMU is used to map the memory.</p><p>Rom is at address 0x0 and is unwritable (Sometimes this is writeable due to MMU caching) and is 0x20000 bytes long.</p><h2>Samsung Firmware</h2>
<p>Samsung releases firmware files for their devices. These files contain the bootloader, modem, and other firmware files. To see how the ROM works we are interested in the sboot firmware, which contains multiple stages of the bootloader.</p><p>These files can then be used to boot the device into USB recovery. To extract the sboot.bin file from a samsung firmware file:</p><ac:structured-macro ac:name="code">
<ac:parameter ac:name="language">bash</ac:parameter>
<ac:parameter ac:name="linenumbers">false</ac:parameter>
<ac:plain-text-body><![CDATA[$ unzip -p firmware.zip 'BL_*.tar.md5' | tar -Oxf - 'sboot.bin.lz4' | lz4 -d - sboot.bin]]></ac:plain-text-body>
</ac:structured-macro>
<p>For additional bootloaders, see: <a href="https://github.com/ananjaser1211/exynos8890-exynos-usbdl-recovery">Github exynos8890-exynos-usbdl-recovery</a></p><h2>Memory Layout</h2>
<p>The memory layout of the Exynos 8890 is as follows:</p><h2>Download protocol</h2>
<p>When the ROM is unable to boot from the internal storage, it enters <code>Exynos Recovery Mode</code>.</p><p>In this mode the bootROM accepts data over USB. There is little functionality other than receiving data, meaning almost no additional attack surface except for the download protocol.</p><p>The Exynos BootROM uses a custom protocol to download a bootable image over USB. This image is verified and executed by the BootROM. Unauthorized images are rejected. Initial authorisation is done using the _auth_bl1 function. Frederic has exploited a vulnerability in the download protocol to load Unauthorized images.</p>