- Notifications
You must be signed in to change notification settings - Fork26
Unsigned code loader for Exynos BootROM
License
frederic/exynos-usbdl
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
exynos-usbdl : unsigned code loader for Exynos bootrom
You will be solely responsible for any damage caused to your hardware/software/warranty/data/cat/etc...
Exynos bootrom supports booting from USB. This method of boot requires an USB host to send a signed bootloader to the bootrom via USB port.
This tool exploits avulnerability in the USB download mode to load and run unsigned code in Secure World.
- Exynos 8890
- Exynos 8895
Among all the booting methods supported by this chipset, two are configured in fuses to be attempted on cold boot.If the first boot method fails (including failed authentication), then second boot method is attempted.
On retail smartphones, the usual boot configuration is internal storage (UFS chip) first, then USB download mode as fallback.This meansUSB download mode is only accessible if first boot method has failed.
First boot method sabotage can be achieved either through software or hardware modification.The approach used for this project was to dig a hole in UFS chip with dental scraper.
For Exynos 8890, @astarasikov shared a better approach to corrupt bootloader without opening the device : from Download mode, flashcm.bin (from a firmware image) ontoBOOTLOADER partition usingHeimdall tool. Please keep in mind that it will brick your device until you restore theBOOTLOADER partition.
Once the first boot method fails, USB download mode can be accessed by pressing and holding power button.
./exynos-usbdl <mode> <input_file> [<output_file>]mode: mode of operationn: normale: exploitinput_file: payload binary to load and executeoutput_file: file to write data returned by payload (exploit mode only)Payloads are raw binary AArch64 executables. Some are provided in directorypayloads/.
Please seeLICENSE.