added nvidia shield example project

2025-01-03 17:32:55 +01:00 · 2025-01-03 17:32:55 +01:00 · a766913845
commit a766913845
parent b79954846e
5 changed files with 16 additions and 2 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +1,7 @@
 [submodule "devices/rpi4_gupje"]
 	path = devices/rpi4_gupje
 	url = https://github.com/EljakimHerrewijnen/rpi4_gupje.git
+	branch = main
+[submodule "devices/nvidia_shield"]
+	path = devices/nvidia_shield
+	url = git@github.com:EljakimHerrewijnen/nvidia_shield.git
--- a/README.md
+++ b/README.md
@ -100,12 +100,15 @@ This code works in combination with the ``Ghidra Assistant``, which is another p

 ## Example devices
 Several example devices are under development to show what the Gupje is capable off:
+
    * Nvidia Shield Tablet(boot bricked device) 
      * Nintendo Switch to add?
    * Samsung S7 (boot and hijack trustzone)
    * Raspberry Pi4(UART)
+    * Iphone?

 ## TODO
+
    * Support an Iphone (7? 11?)
    * Add code that allows the host to easily write and execute shellcode on the device. This will significantly decrease the size of the debugger. (extra page required)
    * Add a more *minimal* approach to the debugger. That does not store data but can just be used to read/write memory. Usefull for exploitation when there is a very limited constraint on shellcode size.
@ -113,7 +116,8 @@ Several example devices are under development to show what the Gupje is capable
    * Build an emulator to explain the debugger

 ### ARM64
-    * Allow restoring all registers by writing X15 to SP and jump to ELRn to create a *full* restored state. Figure out a way to branch without corrupting X15. (ELR?)
+
+    * Allow restoring all registers by writing X15 to SP and jump to ELRn to create a *fully* restored state. Figure out a way to branch without corrupting X15. (ELR?)

 ### Thumb
    * headless mode is not supported
--- a/devices/nvidia_shield
+++ b/devices/nvidia_shield
@ -0,0 +1 @@
+Subproject commit a2e48e0e5f2a59402f5a74a9145585c6525280f9
--- a/docs/source/architectures/arm64/aarch64_vbar.rst
+++ b/docs/source/architectures/arm64/aarch64_vbar.rst
@ -46,6 +46,9 @@ Each Exception Level has its own stack pointers. The registers for these are:
 Debugger VBAR Implementation
 ****************************

+.. caution:: Docs are incomplete!
+
+
 The debugger uses a SMC call to insert a breakpoint at any address. When a SMC call is thrown the processor jumps to the address pointed to in the ``VBAR_EL3`` register. 
 This register **has to** point to the debugger. 
 The debugger will first store all the registers in the storage location, overwrite the stack pointer and send the hello message ``b'GiAs'`` to the host. 
--- a/docs/source/targets/nvidia_shield.rst
+++ b/docs/source/targets/nvidia_shield.rst
@ -1,3 +1,5 @@
 ====================
 Nvidia Shield Tablet
 ====================
+
+See the code `here <https://github.com/EljakimHerrewijnen/nvidia_shield>`_
				`@ -0,0 +1 @@`
				`Subproject commit a2e48e0e5f2a59402f5a74a9145585c6525280f9`