oranav / i9300_emmc_toolbox

Samsung Galaxy S3 GT-I9300 eMMC toolbox
GNU General Public License v3.0

Check that emmc chip is supported #10

Closed Badel2 closed 6 years ago

Badel2 commented 6 years ago

This exploit only works with emmc chip VTU00M, which is the only one affected by the i9300 brick bug. If your device can boot into android you can check the chip model with

cat /sys/class/block/mmcblk0/device/name

Otherwise here is some example code that searches for the chip name in the device memory, UNTESTED FOR VTU00M but works for my 016G92.

(Add this to sboot_exploit.py, run_shellcode, after "searching for arena pointer")

        # Somewhere near the arena there should be the emmc chip name,
        # so dump a 128 KiB window starting at the arena pointer.
        logging.debug('Dumping some arena memory')
        end = arena + 0x20000
        chunk_size = 0x1f0
        _arena = b''

        # read_memory takes offsets relative to exploit.buf_ptr; appending the
        # chunks into one buffer keeps a name that straddles a chunk edge intact
        for addr in range(arena, end, chunk_size):
            sz = min(chunk_size, end - addr)
            chunk = exploit.read_memory(addr - exploit.buf_ptr, sz)
            _arena += chunk

        target_chip_name = b"VTU00M"
        #target_chip_name = b"016G92"
        if target_chip_name in _arena:
            logging.debug('Ok, emmc chip supported')
        else:
            raise Exception('EMMC chip not supported')
            # or just warn and continue anyway?

Of course this check could also be added to the shellcode itself, perhaps to the mmc_dev_init function.
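
The same check, written as a stand-alone Python example (added here, not part of the toolbox or of the snippet above) that generalizes it slightly: it scans the window for any controller name named in this thread, reports which one it found, and fails loudly on a short read. The read primitive is assumed to take absolute addresses, so `exploit.read_memory` would be wrapped to apply the `buf_ptr` offset; the memory image, base address and offsets used to run it are constructed for the demo.

```python
import logging
from typing import Callable, Optional, Tuple

# Controller names from this thread; only VTU00M has the i9300 brick bug.
KNOWN_CHIP_NAMES = (b"VTU00M", b"016G92")
SUPPORTED_CHIP_NAMES = (b"VTU00M",)

def dump_region(read_memory: Callable[[int, int], bytes], start: int,
                length: int, chunk_size: int = 0x1f0) -> bytes:
    """Read [start, start+length) via a chunked primitive taking absolute
    addresses (wrap exploit.read_memory, which wants addr - exploit.buf_ptr)."""
    end = start + length
    out = b""
    for addr in range(start, end, chunk_size):
        sz = min(chunk_size, end - addr)
        chunk = read_memory(addr, sz)
        if len(chunk) != sz:
            raise IOError("short read at 0x%x: %d/%d bytes" % (addr, len(chunk), sz))
        out += chunk  # one buffer, so a name straddling chunk edges still matches
    return out

def find_chip_name(region: bytes, candidates=KNOWN_CHIP_NAMES) -> Optional[bytes]:
    """Return the first known controller name present in the dump, if any."""
    for name in candidates:
        if name and name in region:  # skip b"", which would match anything
            return name
    return None

def check_emmc_supported(read_memory: Callable[[int, int], bytes], arena: int,
                         length: int = 0x20000) -> Tuple[bool, Optional[bytes]]:
    """(supported?, name found) for the region just past the arena pointer."""
    name = find_chip_name(dump_region(read_memory, arena, length))
    if name is None:
        logging.warning("no known eMMC controller name near 0x%x", arena)
        return False, None
    logging.debug("eMMC controller %s found", name.decode())
    return name in SUPPORTED_CHIP_NAMES, name

# Constructed fake image for an offline run: the name sits at offset 0x1ed so
# that it straddles the first 0x1f0-byte chunk boundary.
def fake_image(chip_name: bytes, size: int = 0x400, offset: int = 0x1ed) -> bytes:
    img = bytearray(size)
    img[offset:offset + len(chip_name)] = chip_name
    return bytes(img)

def make_reader(image: bytes, base: int) -> Callable[[int, int], bytes]:
    """Fake read primitive serving the constructed image at address `base`."""
    return lambda addr, sz: image[addr - base:addr - base + sz]
```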

oranav commented 6 years ago

Thanks, but I'm pretty sure broken eMMCs don't report their controller model, thus it is pretty useless for bricked devices... I could theoretically write something that will identify the controller of bricked eMMCs as well, but I'm too lazy to do that :)