From a766913845b071d4a1f424f9179dab923f7272ee Mon Sep 17 00:00:00 2001
From: Eljakim Herrewijnen
Date: Fri, 3 Jan 2025 17:32:55 +0100
Subject: [PATCH] added nvidia shield example project

---
 .gitmodules | 4 ++++
 README.md | 6 +++++-
 devices/nvidia_shield | 1 +
 docs/source/architectures/arm64/aarch64_vbar.rst | 5 ++++-
 docs/source/targets/nvidia_shield.rst | 2 ++
 5 files changed, 16 insertions(+), 2 deletions(-)
 create mode 160000 devices/nvidia_shield

diff --git a/.gitmodules b/.gitmodules
index f788d3b..2353df6 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,7 @@
 [submodule "devices/rpi4_gupje"]
 path = devices/rpi4_gupje
 url = https://github.com/EljakimHerrewijnen/rpi4_gupje.git
+ branch = main
+[submodule "devices/nvidia_shield"]
+ path = devices/nvidia_shield
+ url = git@github.com:EljakimHerrewijnen/nvidia_shield.git
diff --git a/README.md b/README.md
index 0169775..b9effb8 100644
--- a/README.md
+++ b/README.md
@@ -100,12 +100,15 @@ This code works in combination with the ``Ghidra Assistant``, which is another p
 ## Example devices
 Several example devices are under development to show what the Gupje is capable off:
+ * Nvidia Shield Tablet(boot bricked device)
 * Nintendo Switch to add?
 * Samsung S7 (boot and hijack trustzone)
 * Raspberry Pi4(UART)
+ * Iphone?
 ## TODO
+ * Support an Iphone (7? 11?)
 * Add code that allows the host to easily write and execute shellcode on the device. This will significantly decrease the size of the debugger. (extra page required)
 * Add a more *minimal* approach to the debugger. That does not store data but can just be used to read/write memory. Usefull for exploitation when there is a very limited constraint on shellcode size.
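Review bot: The new `devices/nvidia_shield` submodule is registered with an SSH URL (`url = git@github.com:EljakimHerrewijnen/nvidia_shield.git`) while the sibling `rpi4_gupje` entry in the same hunk uses HTTPS, so `git submodule update --init` will fail for any anonymous clone or CI runner that has no GitHub SSH key, and the first SSH contact will additionally prompt for host-key acceptance. For a public example project the read-only HTTPS form is the safer default: `url = https://github.com/EljakimHerrewijnen/nvidia_shield.git`. The hunk also adds `branch = main` to `rpi4_gupje` but not to the new entry; if that asymmetry is unintended, mirror it (confirm the submodule's default branch name first). The superproject gitlink in this commit pins the submodule to commit a2e48e0e5f2a59402f5a74a9145585c6525280f9, so reproducibility of the checkout is not affected by the URL choice.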
@@ -113,7 +116,8 @@ Several example devices are under development to show what the Gupje is capable
 * Build an emulator to explain the debugger
 ### ARM64
- * Allow restoring all registers by writing X15 to SP and jump to ELRn to create a *full* restored state. Figure out a way to branch without corrupting X15. (ELR?)
+
+ * Allow restoring all registers by writing X15 to SP and jump to ELRn to create a *fully* restored state. Figure out a way to branch without corrupting X15. (ELR?)
 ### Thumb
 * headless mode is not supported
diff --git a/devices/nvidia_shield b/devices/nvidia_shield
new file mode 160000
index 0000000..a2e48e0
--- /dev/null
+++ b/devices/nvidia_shield
@@ -0,0 +1 @@
+Subproject commit a2e48e0e5f2a59402f5a74a9145585c6525280f9
diff --git a/docs/source/architectures/arm64/aarch64_vbar.rst b/docs/source/architectures/arm64/aarch64_vbar.rst
index 0df3894..7223bdc 100644
--- a/docs/source/architectures/arm64/aarch64_vbar.rst
+++ b/docs/source/architectures/arm64/aarch64_vbar.rst
@@ -46,8 +46,11 @@ Each Exception Level has its own stack pointers. The registers for these are:
 Debugger VBAR Implementation
 ****************************
+.. caution:: Docs are incomplete!
+
+
 The debugger uses a SMC call to insert a breakpoint at any address. When a SMC call is thrown the processor jumps to the address pointed to in the ``VBAR_EL3`` register.
-This register **has to ** point to the debugger.
+This register **has to** point to the debugger.
 The debugger will first store all the registers in the storage location, overwrite the stack pointer and send the hello message ``b'GiAs'`` to the host. An overview of what is happening when a SMC call is dan can be seen below:
diff --git a/docs/source/targets/nvidia_shield.rst b/docs/source/targets/nvidia_shield.rst
index 0a8b44e..fca0b6a 100644
--- a/docs/source/targets/nvidia_shield.rst
+++ b/docs/source/targets/nvidia_shield.rst
@@ -1,3 +1,5 @@
 ====================
 Nvidia Shield Tablet
 ====================
+
+See the code `here `_
\ No newline at end of file