Closed Badel2 closed 6 years ago
I have version I9300BVBLH2. What do I need to edit in shellcode.c?
Sorry for not being around lately. I just pushed a new version which should theoretically work on any sboot version! Please try it and let me know if it worked. Closing this issue for now -- reopen if needed.
Wow, thank you! I tried the new version of the exploit and it didn't work at first (timed out on "Loop malloc" after 119 tries), but I was able to find the issue! These lines of code are displacing a part of the arena memory instead of just overwriting the two pointers:
I changed it to:
```python
import struct

# Replace exactly the two 4-byte little-endian pointers at vptr_off;
# the tail slice starts at vptr_off + 8, so the arena keeps its length.
arena_memory = arena_memory[:vptr_off] + \
    struct.pack("<I", ptr_to_jump) * 2 + \
    arena_memory[vptr_off + 4 * 2:]
```
And it worked! I was able to execute helloworld.bin. Then I tried dumping the emmc firmware and it didn't work, because my emmc is 016G92 and not VTU00M. I leave the command here for future reference:
Determine emmc chip name (run this on a GT-I9300 as root):

```sh
cat /sys/class/block/mmcblk0/device/name
```
Since I don't need to flash any emmc firmware, I'm wondering what I could use this exploit for. Can I boot into Linux from sboot? Can I modify sboot and brick my device? Maybe I can change the boot logo?
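The fix from the comment above in runnable form, as an added example that is not code from this issue or from the project: a helper that overwrites exactly the two 4-byte little-endian pointers at `vptr_off` and leaves the arena length untouched, next to the length-changing insert that the comment describes. The original faulty lines are not shown in the thread, so `insert_pointers` is only an illustration of that class of mistake, not the project's old code. The names `arena`, `vptr_off` and `ptr_to_jump` follow the posted snippet; the sample arena bytes and the pointer value are constructed.

```python
import struct


def overwrite_pointers(arena: bytes, vptr_off: int, ptr_to_jump: int, count: int = 2) -> bytes:
    """Return a copy of `arena` with `count` 4-byte LE pointers at vptr_off replaced.

    The tail slice starts at vptr_off + 4*count, so every byte after the slots
    stays at its original offset and len(result) == len(arena).
    """
    if vptr_off < 0 or vptr_off + 4 * count > len(arena):
        raise ValueError("pointer slots fall outside the arena")
    patch = struct.pack("<I", ptr_to_jump) * count
    return arena[:vptr_off] + patch + arena[vptr_off + len(patch):]


def insert_pointers(arena: bytes, vptr_off: int, ptr_to_jump: int, count: int = 2) -> bytes:
    """Illustration of the mistake (not the project's code): the tail slice
    starts at vptr_off again, so the pointers are inserted rather than written
    in place, everything after them shifts by 4*count and the arena grows."""
    patch = struct.pack("<I", ptr_to_jump) * count
    return arena[:vptr_off] + patch + arena[vptr_off:]


# Constructed sample arena: 16 bytes of filler, 8 bytes of pointer slots,
# then a recognisable tail so a shift is easy to spot.  The pointer value
# is an arbitrary placeholder, not a real sboot address.
SAMPLE_ARENA = bytes(range(0x10)) + b"\xaa" * 8 + b"TAIL_DAT"
VPTR_OFF = 0x10
PTR_TO_JUMP = 0x43E00000


def check(arena: bytes = SAMPLE_ARENA, vptr_off: int = VPTR_OFF, ptr: int = PTR_TO_JUMP) -> dict:
    """Patch the arena both ways and report what a practitioner would verify:
    the length, the two pointer values and the bytes that follow the slots."""
    fixed = overwrite_pointers(arena, vptr_off, ptr)
    shifted = insert_pointers(arena, vptr_off, ptr)
    return {
        "fixed_len": len(fixed),
        "fixed_ptrs": struct.unpack_from("<II", fixed, vptr_off),
        "fixed_tail": fixed[vptr_off + 8:],
        "shifted_len": len(shifted),
        "shifted_tail": shifted[vptr_off + 8:],
    }


if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value!r}")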
> These lines of code are displacing a part of the arena memory instead of just overwriting the two pointers
Oh shit, you're right. Fixed it, thanks!
You can boot into Linux from sboot (actually you can boot to anything), but you first need to compile Linux that can run on I9300. Yes, you can also modify sboot and brick your device. And you can change the boot logo - if I recall correctly it resides in the PARAM partition.
I hope this helps somebody:
If you dump your sboot into a file and want to know its version, you can just run
This should print a line like `I9300XXUGNA5`, which means the version is XXUGNA5, so this phone is not compatible with this exploit, which requires XXELLA. (Of course you could also `grep XXELLA`, but that won't tell you which version you have.)
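The version check described above, done in Python over a raw dump, as an added example that is not code from this issue or from the project: it scans the dump for the model prefix `I9300` followed by the build code, reports the code it found (so you learn the version, unlike a bare grep for `XXELLA`), and compares it against the build the comment says the exploit requires. The regex shape (6 or 7 alphanumeric characters after the prefix) and the sample dump bytes are my assumptions, constructed for the example; the `XXELLA` requirement is the comment's own statement.

```python
import re
from typing import Optional, Tuple

# Assumption: the version tag in the dump is the model prefix followed by a
# 6- or 7-character build code and then a non-alphanumeric byte, e.g.
# b"I9300XXUGNA5\x00" or b"I9300XXELLA\x00".
VERSION_RE = re.compile(rb"I9300([A-Z0-9]{6,7})(?![A-Z0-9])")

# Build this exploit is stated to require (from the comment above).
REQUIRED_BUILD = "XXELLA"


def find_sboot_version(dump: bytes) -> Optional[str]:
    """Return the build code found in an sboot dump (e.g. 'XXUGNA5'), or None."""
    match = VERSION_RE.search(dump)
    return match.group(1).decode("ascii") if match else None


def grep_only(dump: bytes, build: str = REQUIRED_BUILD) -> bool:
    """What `grep XXELLA` tells you: only whether the string is present."""
    return build.encode("ascii") in dump


def classify_dump(dump: bytes, required: str = REQUIRED_BUILD) -> Tuple[Optional[str], bool]:
    """Return (version, compatible).  A dump with no tag is never compatible."""
    version = find_sboot_version(dump)
    return version, version == required


# Constructed sample dumps: a few bytes of filler around the tag.  These are
# not real sboot images, just enough to exercise the scan.
DUMP_NA5 = b"\x00" * 16 + b"SBOOT " + b"I9300XXUGNA5\x00" + b"\xff" * 16
DUMP_ELLA = b"\x00" * 16 + b"SBOOT " + b"I9300XXELLA\x00" + b"\xff" * 16
DUMP_NOTAG = b"\x00" * 16 + b"SBOOT \x00" + b"\xff" * 16


def read_and_classify(path: str) -> Tuple[Optional[str], bool]:
    """Convenience wrapper for a dump on disk (path is whatever you saved it as)."""
    with open(path, "rb") as fh:
        return classify_dump(fh.read())


if __name__ == "__main__":
    for name, dump in (("NA5", DUMP_NA5), ("ELLA", DUMP_ELLA), ("no tag", DUMP_NOTAG)):
        version, ok = classify_dump(dump)
        print(f"{name}: version={version} compatible={ok} grep_only={grep_only(dump)}")
```

`read_and_classify` is there for a real dump; the constructed samples let the block run without one.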