Loading lk-payload/main.c +22 −32 Original line number Diff line number Diff line Loading @@ -21,13 +21,15 @@ void _putchar(char character) low_uart_put(character); } int (*original_read)(struct device_t *dev, uint64_t block_off, void *dst, size_t sz, int part) = 0x4BD1E839; int (*original_read)(struct device_t *dev, uint64_t block_off, void *dst, size_t sz, int part) = (void*)0x4BD1E839; uint64_t g_boot, g_recovery, g_lk; int read_func(struct device_t *dev, uint64_t block_off, void *dst, size_t sz, int part) { printf("read_func hook\n"); int ret = 0; if (block_off == g_boot * 0x200 || block_off == g_recovery * 0x200) { // hex_dump(0x4BD5C000, 0x1000); printf("demangle boot image - from 0x%08X\n", __builtin_return_address(0)); if (sz < 0x400) { Loading Loading @@ -89,12 +91,21 @@ int main() { while (1) {} } struct device_t *dev = get_device(); int (*app)() = (void*)0x4BD27109; unsigned char overwritten[80] = { 0xE9, 0x0A, 0xD0, 0x4B, 0x7D, 0x0E, 0xD0, 0x4B, 0x01, 0x09, 0xD0, 0x4B, 0x31, 0x0B, 0xD0, 0x4B, 0x9D, 0x0C, 0xD0, 0x4B, 0x00, 0x84, 0xD5, 0x4B, 0x05, 0x0A, 0xD0, 0x4B, 0x71, 0x0A, 0xD0, 0x4B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2D, 0x1B, 0xD0, 0x4B, 0xF9, 0x1C, 0xD0, 0x4B, 0xA9, 0x1A, 0xD0, 0x4B, 0x95, 0x1D, 0xD0, 0x4B, 0x19, 0x1A, 0xD0, 0x4B, 0xED, 0x1B, 0xD0, 0x4B, 0xA5, 0x19, 0xD0, 0x4B, 0x81, 0x1C, 0xD0, 0x4B, 0x00, 0x00, 0x00, 0x00 }; memcpy((void*)0x4BD5C000, overwritten, sizeof(overwritten)); void *lk_tmp = (void*)0x44000000; void *lk_dst = (void*)0x4BD00000; #define LK_SIZE (0x800 * 0x200) ret = dev->read(dev, g_lk * 0x200 + 0x200, lk_tmp, LK_SIZE, USER_PART); printf("read lk: 0x%08X\n", ret); struct device_t *dev = get_device(); uint8_t tmp[0x10] = { 0 }; dev->read(dev, g_boot * 0x200 + 0x400, tmp, 0x10, USER_PART); Loading 
@@ -103,13 +114,6 @@ int main() { fastboot = 1; } printf("Disable interrupts\n"); asm volatile ("cpsid if"); printf("Copy lk\n"); void *lk_dst = (void*)0x4BD00000; memcpy(lk_dst, lk_tmp, LK_SIZE); uint16_t *patch; // force fastboot mode Loading @@ -125,37 +129,23 @@ int main() { *patch++ = 0x2000; // movs r0, #0 *patch = 0x4770; // bx lr // fix display? patch = (void*)0x4bd2fe76; *patch++ = 0x20A7; *patch++ = 0; // device is unlocked patch = (void*)0x4BD01E84; *patch++ = 0x2001; // movs r0, #1 *patch = 0x4770; // bx lr // don't sprintf disable printk // patch = (void*)0x4BD26766; // *patch++ = 0; // *patch++ = 0; // hook bootimg read function uint32_t *patch32; patch32 = (void*)0x4BD5538C; *patch32 = read_func; patch32 = (void*)&dev->read; *patch32 = (uint32_t)read_func; patch32 = (void*)0x4BD681B8; *patch32 = 1; // // force 64-bit linux kernel printf("Clean lk\n"); cache_clean(lk_dst, LK_SIZE); printf("About to jump to LK\n"); asm volatile ( "mov r4, %0\n" "mov r3, %1\n" "blx r3\n" : : "r" (arg), "r" (lk_dst) : "r3", "r4"); printf("Failure\n"); app(); while (1) { Loading Loading
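Review bot: The hook installation in the `@@ -125,37 +129,23 @@` hunk writes through a `uint32_t *` alias — `patch32 = (void*)&dev->read; *patch32 = (uint32_t)read_func;` — which discards the type checking the struct member already gives and hard-codes the pointer width. `dev->read` is invoked as a function pointer earlier in the same function (`ret = dev->read(dev, g_lk * 0x200 + 0x200, lk_tmp, LK_SIZE, USER_PART);`), so a direct `dev->read = read_func;` should be equivalent here, is checked by the compiler, and needs no cast; if the member's type does not match `read_func`'s prototype, `(uintptr_t)` is the portable spelling of the integer conversion. The `#define LK_SIZE (0x800 * 0x200)` introduced inside `main` in the `@@ -89,12 +91,21 @@` hunk is not block-scoped, so a file-scope `enum { LK_SIZE = 0x800 * 0x200 };` would read less surprisingly. `main` begins before these hunks and continues past the last one.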
lk-payload/main.c +22 −32 Original line number Diff line number Diff line Loading @@ -21,13 +21,15 @@ void _putchar(char character) low_uart_put(character); } int (*original_read)(struct device_t *dev, uint64_t block_off, void *dst, size_t sz, int part) = 0x4BD1E839; int (*original_read)(struct device_t *dev, uint64_t block_off, void *dst, size_t sz, int part) = (void*)0x4BD1E839; uint64_t g_boot, g_recovery, g_lk; int read_func(struct device_t *dev, uint64_t block_off, void *dst, size_t sz, int part) { printf("read_func hook\n"); int ret = 0; if (block_off == g_boot * 0x200 || block_off == g_recovery * 0x200) { // hex_dump(0x4BD5C000, 0x1000); printf("demangle boot image - from 0x%08X\n", __builtin_return_address(0)); if (sz < 0x400) { Loading Loading @@ -89,12 +91,21 @@ int main() { while (1) {} } struct device_t *dev = get_device(); int (*app)() = (void*)0x4BD27109; unsigned char overwritten[80] = { 0xE9, 0x0A, 0xD0, 0x4B, 0x7D, 0x0E, 0xD0, 0x4B, 0x01, 0x09, 0xD0, 0x4B, 0x31, 0x0B, 0xD0, 0x4B, 0x9D, 0x0C, 0xD0, 0x4B, 0x00, 0x84, 0xD5, 0x4B, 0x05, 0x0A, 0xD0, 0x4B, 0x71, 0x0A, 0xD0, 0x4B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2D, 0x1B, 0xD0, 0x4B, 0xF9, 0x1C, 0xD0, 0x4B, 0xA9, 0x1A, 0xD0, 0x4B, 0x95, 0x1D, 0xD0, 0x4B, 0x19, 0x1A, 0xD0, 0x4B, 0xED, 0x1B, 0xD0, 0x4B, 0xA5, 0x19, 0xD0, 0x4B, 0x81, 0x1C, 0xD0, 0x4B, 0x00, 0x00, 0x00, 0x00 }; memcpy((void*)0x4BD5C000, overwritten, sizeof(overwritten)); void *lk_tmp = (void*)0x44000000; void *lk_dst = (void*)0x4BD00000; #define LK_SIZE (0x800 * 0x200) ret = dev->read(dev, g_lk * 0x200 + 0x200, lk_tmp, LK_SIZE, USER_PART); printf("read lk: 0x%08X\n", ret); struct device_t *dev = get_device(); uint8_t tmp[0x10] = { 0 }; dev->read(dev, g_boot * 0x200 + 0x400, tmp, 0x10, USER_PART); Loading 
@@ -103,13 +114,6 @@ int main() { fastboot = 1; } printf("Disable interrupts\n"); asm volatile ("cpsid if"); printf("Copy lk\n"); void *lk_dst = (void*)0x4BD00000; memcpy(lk_dst, lk_tmp, LK_SIZE); uint16_t *patch; // force fastboot mode Loading @@ -125,37 +129,23 @@ int main() { *patch++ = 0x2000; // movs r0, #0 *patch = 0x4770; // bx lr // fix display? patch = (void*)0x4bd2fe76; *patch++ = 0x20A7; *patch++ = 0; // device is unlocked patch = (void*)0x4BD01E84; *patch++ = 0x2001; // movs r0, #1 *patch = 0x4770; // bx lr // don't sprintf disable printk // patch = (void*)0x4BD26766; // *patch++ = 0; // *patch++ = 0; // hook bootimg read function uint32_t *patch32; patch32 = (void*)0x4BD5538C; *patch32 = read_func; patch32 = (void*)&dev->read; *patch32 = (uint32_t)read_func; patch32 = (void*)0x4BD681B8; *patch32 = 1; // // force 64-bit linux kernel printf("Clean lk\n"); cache_clean(lk_dst, LK_SIZE); printf("About to jump to LK\n"); asm volatile ( "mov r4, %0\n" "mov r3, %1\n" "blx r3\n" : : "r" (arg), "r" (lk_dst) : "r3", "r4"); printf("Failure\n"); app(); while (1) { Loading