oscardagrach / galaxy_s6_cadmium_poc

Verizon Galaxy S6 Cadmium PoC

patch.a source? #1

Open AAGaming00 opened 8 months ago

AAGaming00 commented 8 months ago

Is there any source anywhere or any documentation on creating patch.a? I'm looking to port this to the Verizon SM-G928V. I have bootloaders from Sep 6 2016 and Sep 10 2016 that both boot on my device.

AAGaming00 commented 8 months ago

Seems like the write-up has at least some of it; guess I'll give it a look.

oscardagrach commented 8 months ago

Hi @AAGaming00

I wrote this quite a while ago, but I will see if I can find the shellcode source and upload it to this repository so you can take a look at what I was doing. Like you discovered from the write-up, I did the NOP sled and tailored the shellcode to the G920V bootloader, so it's just a matter of reverse engineering to find the right offsets/values and fixing them up on the stack.

AAGaming00 commented 8 months ago

Major thanks, good luck on your search!

AAGaming00 commented 8 months ago

Is there anything edited in the middle of the bootloader code where it actually does the signature check? Or is it all handled by the added stuff at the start/end? (Can't check right now, but that's what I remember seeing.)

AAGaming00 commented 8 months ago

Also, is it known around when Samsung patched this out? The bootloader rollback bit prevents me from going any earlier than the Sep 6 2016 engineering bootloader or the Sep 10 2016 release bootloader I can find.

AAGaming00 commented 8 months ago

Alright, seems like everything that's needed is there. Ran the patcher as-is just to check if it would still pass verification, and it does.

Just waiting on the source for the shellcode now, as I can't quite wrap my head around its disassembly.

oscardagrach commented 8 months ago

I haven't been able to find the shellcode source yet (I wrote it around 2016/17). I'll keep looking as I might have saved it in a couple different places. I'll throw it in IDA and see if I can remember exactly what I was doing. This vulnerability had a lot of annoying constraints if I recall...

AAGaming00 commented 8 months ago

Also, I'm testing this with an Android 7 eng rooted boot image I found somewhere + Android 7 system on top of the Sep 10 2016 Android 6 bootloader. That Android 7 eng boot image is the only working method I've found to get root access on this.

AAGaming00 commented 8 months ago

Ya ever find anything on this? If not, I'll probably just start working on re-implementing it based on the paper soon.