Minor update to memory map and some documentation updates
This commit is contained in:
parent
d9d9ae332a
commit
5bf8cf0a7f
@ -320,3 +320,12 @@ This is our current progress. BL2 has booted, and shows the VBAR's for EL1.
|
|||||||
SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
|
SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
|
||||||
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x1e42bb572931240b, MAIR_EL1: 0x44e048e000098aa4
|
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x1e42bb572931240b, MAIR_EL1: 0x44e048e000098aa4
|
||||||
Current EL: 0xc
|
Current EL: 0xc
|
||||||
|
|
||||||
|
Stage 5 - BL33
|
||||||
|
==============
|
||||||
|
The last stage before the kernel boots.
|
||||||
|
|
||||||
|
.. figure:: images/bl31_debugger_memory_example.png
|
||||||
|
:align: center
|
||||||
|
|
||||||
|
Boot chain with EL3 and EL1 areas
|
@ -205,3 +205,5 @@ SCTLR_EL3: 0xc5183a, SCTLR_EL2: 0x30c5083a, SCTLR_EL1: 0x30c5083a
|
|||||||
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x9e42bf572931240b, MAIR_EL1: 0x44e048e000098aa4
|
MAIR_EL3: 0x44e048e000098aa4, MAIR_EL2: 0x9e42bf572931240b, MAIR_EL1: 0x44e048e000098aa4
|
||||||
Current EL: 0xc
|
Current EL: 0xc
|
||||||
|
|
||||||
|
The debugger at 0x11200000 can only dump 0x768 at a time (its space related. Before BL31 this is also an issue.).
|
||||||
|
|
||||||
|
@ -5,17 +5,16 @@ start,end,name,order,comment,X0,LR
|
|||||||
0x000064e0,0x0000658c,_boot_usb,,,,
|
0x000064e0,0x0000658c,_boot_usb,,,,
|
||||||
0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
|
0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
|
||||||
0x000002c0,0x000002c4,_jump_bl1,,,,
|
0x000002c0,0x000002c4,_jump_bl1,,,,
|
||||||
0x02022000,0x02024000,BL1,,,,
|
0x02022000,0x02023fff,BL1,,,,
|
||||||
0x02024000,0x02048000,BL31,,,,
|
0x02024000,0x02047fff,BL31,,,,
|
||||||
0x02048000,0x0206ed10,BL2,,,,
|
0x02048000,0x0206ed10,BL2,,,,
|
||||||
0x02069000,0x0206f000,Debugger,,,,
|
0x02069000,0x0206f000,Debugger,,,,
|
||||||
0x020c0000,0x020c7000,Debugger relocated,,,,
|
0x020c0000,0x020c7000,Debugger relocated,,,,
|
||||||
0x02048000,0x0204daf0,BL2 empty space?,,,,
|
0x02048000,0x0204daf0,BL2 empty space?,,,,
|
||||||
0x0204eb00,0x0204eb00,BL2 copy start/source,,,,
|
0x020c2000,0x020e8d10,BL2 loaded to this address,,,,
|
||||||
0x020c2000,0x020e8d10,BL2 load address?,,,,
|
0x0206ed10,0x02070000,Open space. Has pointers written to.,,,,
|
||||||
0x0206ed10,0x02070000,End/Start peripheral space?,,,,
|
|
||||||
0x02019e5c,0x02020e5c,Tried debugger space,,,,
|
|
||||||
0x020C7800,0x020C8000,modem_interface,,,,
|
0x020C7800,0x020C8000,modem_interface,,,,
|
||||||
0x14AC0000,0x14ac5000,mali@14AC0000,,,,
|
0x14AC0000,0x14ac5000,mali@14AC0000,,,,
|
||||||
0x02035600,0x02035608,TTBR0_EL3 address ptr,,,,
|
0x02035600,0x02035608,TTBR0_EL3,,,,
|
||||||
0x11207010,0x11207010,memread/write space,,,,
|
0x11200000,0x11207000,Last relocated debugger,,,,
|
||||||
|
0xa0000000,0xa0013fff,Parts of BL2 in IMEM,,,,
|
|
File diff suppressed because one or more lines are too long
Binary file not shown.
@ -633,7 +633,7 @@ class ExynosDevice():
|
|||||||
|
|
||||||
# Relocate debugger
|
# Relocate debugger
|
||||||
debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
|
debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read()
|
||||||
self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11201200, g_data_received=0x11201400)
|
self.relocate_debugger(debugger=debugger, entry=0x11200000, storage=0x11203000, g_data_received=0x11204000)
|
||||||
DEBUGGER_ADDR = 0x11200000
|
DEBUGGER_ADDR = 0x11200000
|
||||||
|
|
||||||
# Test debugger connection
|
# Test debugger connection
|
||||||
@ -771,13 +771,8 @@ class ExynosDevice():
|
|||||||
print(f'MAIR_EL3: {hex(self.cd.arch_dbg.state.MAIR_EL3)}, MAIR_EL2: {hex(self.cd.arch_dbg.state.MAIR_EL2)}, MAIR_EL1: {hex(self.cd.arch_dbg.state.MAIR_EL1)}')
|
print(f'MAIR_EL3: {hex(self.cd.arch_dbg.state.MAIR_EL3)}, MAIR_EL2: {hex(self.cd.arch_dbg.state.MAIR_EL2)}, MAIR_EL1: {hex(self.cd.arch_dbg.state.MAIR_EL1)}')
|
||||||
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
|
print(f'Current EL: {hex(self.cd.arch_dbg.state.CURRENT_EL)}')
|
||||||
|
|
||||||
# Restore bootflow
|
|
||||||
# self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
|
|
||||||
|
|
||||||
# Restore this to
|
|
||||||
self.cd.restore_stack_and_jump(hijacked_fun)
|
|
||||||
|
|
||||||
# ==== Stage 5 ====
|
# ==== Stage 5 ====
|
||||||
|
#self.cd.memwrite_region(0x020200dc, p32(hijacked_fun))
|
||||||
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
stage4 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
|
||||||
|
|
||||||
# Patching
|
# Patching
|
||||||
@ -789,6 +784,8 @@ class ExynosDevice():
|
|||||||
# assert len(stage4) == stage4_len, "Invalid stage4 length"
|
# assert len(stage4) == stage4_len, "Invalid stage4 length"
|
||||||
|
|
||||||
self.send_normal_stage(stage4)
|
self.send_normal_stage(stage4)
|
||||||
|
|
||||||
|
self.cd.restore_stack_and_jump(hijacked_fun)
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
|
|
||||||
pass
|
pass
|
||||||
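Review bot: The new relocate_debugger call places storage at 0x11203000 and g_data_received at 0x11204000 without checking that the debugger image read from reloc_debugger_0x11200000.bin fits below those areas; if relocate_debugger copies the blob to entry (0x11200000), an image longer than 0x3000 bytes would silently overlap storage and one longer than 0x4000 would overlap g_data_received. A guard before the call such as `assert len(debugger) <= 0x11203000 - 0x11200000, "debugger image overlaps storage area"` (or deriving storage/g_data_received from len(debugger)) would catch that at the host side rather than as corrupted state on the device. The three addresses are also bare magic numbers; a one-line comment tying them to the memory map's "Last relocated debugger" range 0x11200000–0x11207000 and explaining why storage and g_data_received moved from 0x11201200/0x11201400 would help the next reader. The enclosing method starts and ends outside the hunk.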
|