chipmunkmc/osmium
1
1
Fork 0
Code Issues 1 Pull requests Projects Releases 3 Packages Wiki Activity Actions
A bootloader exploit for Exynos devices
27 commits 1 branch 3 tags 184 KiB
  • C 79.8%
  • Assembly 18.7%
  • Makefile 1.5%
Find a file
Exact
chipmunkmc c38d17ef40 update it again 
im such a klutz i forgot heap chunks start with a header... also these commits will put the new mirrors (which exist for times when the site goes down and in case a meteor destroys all my data or something) to the test
2026-01-28 00:28:30 -05:00
sboot_info Revert moving the shellcode from the heap to the stack 2026-01-24 15:36:12 -05:00
shellcode Some changes 2026-01-01 15:19:17 -05:00
toys oops i forgot a license 2025-12-25 18:57:49 -05:00
uploader Revert moving the shellcode from the heap to the stack 2026-01-24 15:36:12 -05:00
.gitignore windows moment 2026-01-01 15:32:28 -05:00
LICENSE oops i forgot a license 2025-12-25 18:57:49 -05:00
Makefile damn it i didnt add all the files 2025-12-29 03:12:39 -05:00
README.md update it again 2026-01-28 00:28:30 -05:00

README.md

osmium

This is an exploit for booting unsigned images over USB on Samsung's S-BOOT bootloader, the bootloader formerly used for Samsung's Exynos devices. This exploits SVE-2020-16712, which is described here (mirror) (I'll make a writeup of my own soon:TM:).

Usage

If you are on Windows, you need to set up some drivers. First of all, install Samsung's drivers. Next, plug in a phone in Download Mode, grab a copy of Zadig, run it, check Options->List All devices, choose the first Gadget Serial device, change the driver from WinUSB to libusbK (no other drivers work!!!), and click Replace Driver. Now you should be ready to run the tool under Windows.

First, grab a copy of uploader. You can get a binary from releases, or compile it with make (you need aarch64 binutils and a C compiler; read the Makefiles and set variables accordingly). Where uploader or uploader.exe is the name of the binary, you may need to invoke it as ./uploader (sh), uploader (cmd.exe), .\uploader.exe (cmd.exe, PowerShell).

For now you need an sboot info file, which is a text file containing info (mainly memory addresses) needed to exploit the bootloader. I have prepared some working ones in the sboot_info/ folder, where each file is named after the last 3 characters of the build number.

Let's say you have an SM-J327T1 on the latest SH2 bootloader (just like my daily driver!) and want to boot a copy of TWRP named recovery.img; the command is simply ./uploader boot sboot_info/SM-J327T1/SH2.txt recovery.img!

Making SYSTEM writable

On the stock ROM, the SYSTEM partition is usually unreadable. To fix it, firstly get the identifier of the partition's block device (in my case mmcblk0p17):

j7popeltemtr:/ $ ls -l /dev/block/platform/13540000.dwmmc0/by-name/SYSTEM      
lrwxrwxrwx 1 root root 21 2026-01-11 23:02 /dev/block/platform/13540000.dwmmc0/by-name/SYSTEM -> /dev/block/mmcblk0p17

Now, you can make the device writable using /sys/block:

j7popeltemtr:/ $ su
j7popeltemtr:/ # cat /sys/block/mmcblk0/mmcblk0p17/ro
1
j7popeltemtr:/ # echo 0 > /sys/block/mmcblk0/force_ro
j7popeltemtr:/ # echo 0 > /sys/block/mmcblk0/mmcblk0p17/ro
/system/bin/sh: can't create /sys/block/mmcblk0/mmcblk0p17/ro: Permission denied
1|j7popeltemtr:/ # cat /sys/block/mmcblk0/mmcblk0p17/ro
0

You must run the force_ro command first or else it won't work! Ignore the permission error, though, as long as ro gets set to 0. Now you can flash the partition, for instance with dd!

Porting

To port the exploit to a new device, first decide which bootloader to target. I would suggest the latest one for your bootloader revision (or if you dare, the actual latest one) that still has the vulnerability, or if there is none, the factory binary (see below) release for your bootloader revision.

To check if the device's running bootloader is vulnerable, run ./uploader crash --verbose. If it gets stuck on ->Writing 8208 bytes..., chances are the exploit is patched. If it gets stuck after <-packet 100 37, this means it's unpatched and the bootloader freezes on data abort exceptions. If you get a reboot or upload mode, your bootloader has a good exception handler.

In the last case mentioned above, debugging the bootloader can be fairly easy. In such a case, punch *#9900# into the dialer in Android, and set the debug level to HIGH and let your phone reboot. Now bootloader exceptions will throw you into upload mode, and using bkerler's sboot_dump tool you can dump RAM. ./samupload.py partition 0 to dump logs, ./samupload.py partition 1 to dump S-BOOT, or use ./samupload.py range to dump other ranges of memory. Of course, ./uploader crash can deliberately trigger an exception in download mode!

To start a new S-BOOT info file, run ./uploader check /dev/null > sboot_info.txt. Notes (also sorry if I got some names wrong):

  • pit_fail_download_ptr is the pointer to the instruction of the call to do_download in load_kernel made when the boot partition cannot be found.
  • signature_check_ptr is the call to pit_check_signature in load_kernel (may be in make_security_decisions or something in newer bootloaders)
  • rev_check_ptr is the call to the function with the string "KERNEL REV. Invalid magic string.\n" in load_kernel
  • boot_kernel_ptr is the handler for the boot command
  • write_protect_1_ptr and write_protect_2_ptr are calls to MMC write protection functions in boot_kernel the non-printf function calls in blk_set_boot_wp and blk_set_user_wp respectively.
  • reset_handler_ptr_ptr is the function pointer used in the reset command handler (not the pointer to the handler itself) used to gain code execution; said command is invoked from process_packet
  • loke_file_ptr can be found in process_packet and is usually initialized to a high value like 80000000 in the initialization packet.
  • root_chunk_ptr is the root heap chunk used in malloc when the uncached flag is 1.
  • next_core_ptr is the value used in next_available_cpu.
  • The v3_smp values can be found in v3_smp_thread_handler, where v3_smp_cmd_flag is referenced in a function called in another function called there, where the return value is then checked against -2, and the v3_smp_flash_ptr_ptr call is made after.
  • pit_chunk_ptr is the address of the data in the chunk on the secondary (non-cached) heap that is used to store the PIT, and which the shellcode will be ran from.

An analyze command to help automate this may be added later.

Naming

All I remember about naming it was it was an element that ended with mium like Cadmium, the name of another S-BOOT exploit. It's blue like the download mode background, and the exploit targets said mode to boot custom images.

About the other exploit, its writeup can be found here (mirror); it's an untethered exploit for booting custom images. While the origins of the exploit may glow in the dark, the exploit itself is quite awesome. A friend told me she could get TWRP to boot on her S6 using it!

Credits

Credit goes to:

  • Jeffxx - Finding the original vulnerability and creating the writeup used to implement this.
  • bkerler - sboot_dump, a tool used I used to dump RAM on phones when testing. It was highly useful for debugging the exploit since the very start.
  • Heimdall and https://github.com/Samsung-Loki/Thor - These source code of these projects was helpful for implementing the Odin mode protocol, and I frequently use the former to flash my testing devices.
  • ashyx & thepcwiz101 - Creating the original root method, which I could use on a secondary device I obtained from a friend by luck
  • Ghidra - Being a great reverse-engineering tool I used while working on, as far as I know, all of my exploit releases.
  • Various people - Providing hardware, helping me learn about programming, and just things unrelated to phones...

I've had access to my SM-J327T1 since I was young (it originally a parent's), and have always wanted to play with root and custom ROMs on it someday. When I truly came into posession of the phone I started to look into that, just for the bootloader to be locked, and the root method to target an old firmware revision...

So I decided to do a quick search for Exynos bootloader exploits, and as luck would have it, I came across the document linked earlier. After doing more work with phones I began to understand the document more, and a few months ago began to exploit the vulnerability on my own hardware.

By patching my phone's boot.img with Magisk and using this exploit to boot it, I can now have semi-tethered root, and if I charge my phone often it's not that bad; and yes, I've already tweaked my system a bit. In the future I could completely replace the stock ROM. So thank you very much for everything...

For the future

A bootrom exploit for some Exynos devices has been created by frederic. While I originally overlooked this due to the README being specific about the supported chips, I realized this is probably not an absolute requirement, and is just a list of chips the current implementation can target. The bootrom dumper presumably requires root access, but such access can already be granted by this exploit!

This exploit is useful because of how early in the boot process it occurs. It could lead to:

  • Exploitation on devices that sometimes cannot be downgraded to bootloaders early enough for the exploit in this repo (i.e. the SM-S367VL, at least judging by its SamFW page)
  • Running bootloaders meant for other, but hardware identical variants of phones (i.e. SM-J327U -> SM-J327T), especially newer ones. This can help run newer versions of the stock ROM.
  • Complete control over the CPU!
  • With enough work, complete annihilation of proprietary blobs (not counting the bootrom, which is likely insignificant)!!!