Open AAGaming00 opened 8 months ago
Seems like the writeup has at least some of it, guess I'll give it a look
Hi @AAGaming00
I wrote this quite a while ago but I will see if I can find the shellcode source and upload it to this repository so you can take a look at what I was doing. Like you discovered from the write-up, I did the NOP sled and tailored the shellcode to the G920V bootloader, so it's just a matter of reverse engineering to find the right offsets/values and fixing them up on the stack.
major thanks, good luck on your search!
Is there anything edited in the middle of the bootloader code where it actually does the signature check? Or is it all handled by the added stuff at the start/end (can't check right now but that's what I remember seeing)
Also, is it known around when Samsung patched this out? The bootloader rollback bit prevents me going any earlier than the Sep 6 2016 engineering bootloader or the Sep 10 2016 release bootloader I can find
Alright, seems like everything that's needed is there, ran the patcher as-is just to check if it would still pass verification and it does
Just waiting on the source for the shellcode now as I can't quite wrap my head around its disassembly
I haven't been able to find the shellcode source yet (I wrote it around 2016/17). I'll keep looking as I might have saved it in a couple different places. I'll throw it in IDA and see if I can remember exactly what I was doing. This vulnerability had a lot of annoying constraints if I recall...
Also, I'm testing this with an Android 7 eng rooted boot image I found somewhere + Android 7 system on top of the Sep 10 2016 Android 6 bootloader; that Android 7 eng boot image is the only working method I've found to get root access on this
Ya ever find anything on this? If not I'll probably just start working on re-implementing it based on the paper soon
Is there any source anywhere or any documentation on creating patch.a? I'm looking to port this to the Verizon SM-G928V. I have bootloaders from Sep 6 2016 and Sep 10 2016 that both boot on my device.