EljakimHerrewijnen/Gupje
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added nvidia shield example project

Browse Source
This commit is contained in:
Eljakim Herrewijnen 2025-01-03 17:32:55 +01:00
parent b79954846e
commit a766913845
5 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitmodules vendored
View File

@ -1,3 +1,7 @@
[submodule "devices/rpi4_gupje"] [submodule "devices/rpi4_gupje"]
path = devices/rpi4_gupje path = devices/rpi4_gupje
url = https://github.com/EljakimHerrewijnen/rpi4_gupje.git url = https://github.com/EljakimHerrewijnen/rpi4_gupje.git
branch = main
[submodule "devices/nvidia_shield"]
path = devices/nvidia_shield
url = git@github.com:EljakimHerrewijnen/nvidia_shield.git

6
README.md
View File

@ -100,12 +100,15 @@ This code works in combination with the ``Ghidra Assistant``, which is another p
## Example devices ## Example devices
Several example devices are under development to show what the Gupje is capable off: Several example devices are under development to show what the Gupje is capable off:
* Nvidia Shield Tablet(boot bricked device) * Nvidia Shield Tablet(boot bricked device)
* Nintendo Switch to add? * Nintendo Switch to add?
* Samsung S7 (boot and hijack trustzone) * Samsung S7 (boot and hijack trustzone)
* Raspberry Pi4(UART) * Raspberry Pi4(UART)
* Iphone?
## TODO ## TODO
* Support an Iphone (7? 11?) * Support an Iphone (7? 11?)
* Add code that allows the host to easily write and execute shellcode on the device. This will significantly decrease the size of the debugger. (extra page required) * Add code that allows the host to easily write and execute shellcode on the device. This will significantly decrease the size of the debugger. (extra page required)
* Add a more *minimal* approach to the debugger. That does not store data but can just be used to read/write memory. Usefull for exploitation when there is a very limited constraint on shellcode size. * Add a more *minimal* approach to the debugger. That does not store data but can just be used to read/write memory. Usefull for exploitation when there is a very limited constraint on shellcode size.
@ -113,7 +116,8 @@ Several example devices are under development to show what the Gupje is capable
* Build an emulator to explain the debugger * Build an emulator to explain the debugger
### ARM64 ### ARM64
* Allow restoring all registers by writing X15 to SP and jump to ELRn to create a *full* restored state. Figure out a way to branch without corrupting X15. (ELR?)
* Allow restoring all registers by writing X15 to SP and jump to ELRn to create a *fully* restored state. Figure out a way to branch without corrupting X15. (ELR?)
### Thumb ### Thumb
* headless mode is not supported * headless mode is not supported

1
devices/nvidia_shield Submodule

@ -0,0 +1 @@
Subproject commit a2e48e0e5f2a59402f5a74a9145585c6525280f9

5
docs/source/architectures/arm64/aarch64_vbar.rst
View File

@ -46,8 +46,11 @@ Each Exception Level has its own stack pointers. The registers for these are:
Debugger VBAR Implementation Debugger VBAR Implementation
**************************** ****************************
.. caution:: Docs are incomplete!
The debugger uses a SMC call to insert a breakpoint at any address. When a SMC call is thrown the processor jumps to the address pointed to in the ``VBAR_EL3`` register. The debugger uses a SMC call to insert a breakpoint at any address. When a SMC call is thrown the processor jumps to the address pointed to in the ``VBAR_EL3`` register.
This register **has to ** point to the debugger. This register **has to** point to the debugger.
The debugger will first store all the registers in the storage location, overwrite the stack pointer and send the hello message ``b'GiAs'`` to the host. The debugger will first store all the registers in the storage location, overwrite the stack pointer and send the hello message ``b'GiAs'`` to the host.
An overview of what is happening when a SMC call is dan can be seen below: An overview of what is happening when a SMC call is dan can be seen below:

2
docs/source/targets/nvidia_shield.rst
View File

@ -1,3 +1,5 @@
==================== ====================
Nvidia Shield Tablet Nvidia Shield Tablet
==================== ====================
See the code `here <https://github.com/EljakimHerrewijnen/nvidia_shield>`_