TTBR0_EL3 visible after BL31

Jonathan Herrewijnen 2024-08-28 18:45:05 +02:00
parent 91c7d60638
commit a12453cbd3
4 changed files with 254 additions and 164 deletions

Binary file not shown.



@ -2,7 +2,7 @@
"cells": [ "cells": [
{ {
"cell_type": "code", "cell_type": "code",
"execution_count": 416, "execution_count": 1,
"metadata": {}, "metadata": {},
"outputs": [], "outputs": [],
"source": [ "source": [
@ -20,7 +20,7 @@
}, },
{ {
"cell_type": "code", "cell_type": "code",
"execution_count": 417, "execution_count": 2,
"metadata": {}, "metadata": {},
"outputs": [ "outputs": [
{ {
@ -49,6 +49,8 @@
" <th>name</th>\n", " <th>name</th>\n",
" <th>order</th>\n", " <th>order</th>\n",
" <th>comment</th>\n", " <th>comment</th>\n",
" <th>X0</th>\n",
" <th>LR</th>\n",
" <th>size</th>\n", " <th>size</th>\n",
" <th>overlap</th>\n", " <th>overlap</th>\n",
" <th>overlap_with</th>\n", " <th>overlap_with</th>\n",
@ -62,6 +64,8 @@
" <td>BootROM</td>\n", " <td>BootROM</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>131072</td>\n", " <td>131072</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>0.0</td>\n", " <td>0.0</td>\n",
@ -73,6 +77,8 @@
" <td>_jump_bl1</td>\n", " <td>_jump_bl1</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>4</td>\n", " <td>4</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>0.0</td>\n", " <td>0.0</td>\n",
@ -84,6 +90,8 @@
" <td>_boot_usb</td>\n", " <td>_boot_usb</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>172</td>\n", " <td>172</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>0.0</td>\n", " <td>0.0</td>\n",
@ -95,6 +103,8 @@
" <td>auth_bl1</td>\n", " <td>auth_bl1</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>160</td>\n", " <td>160</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>0.0</td>\n", " <td>0.0</td>\n",
@ -106,6 +116,8 @@
" <td>Tried debugger space</td>\n", " <td>Tried debugger space</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>28672</td>\n", " <td>28672</td>\n",
" <td>False</td>\n", " <td>False</td>\n",
" <td>4.0</td>\n", " <td>4.0</td>\n",
@ -117,6 +129,8 @@
" <td>_boot_usb_ra</td>\n", " <td>_boot_usb_ra</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>8</td>\n", " <td>8</td>\n",
" <td>False</td>\n", " <td>False</td>\n",
" <td>5.0</td>\n", " <td>5.0</td>\n",
@ -128,6 +142,8 @@
" <td>BL1</td>\n", " <td>BL1</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>8192</td>\n", " <td>8192</td>\n",
" <td>False</td>\n", " <td>False</td>\n",
" <td>6.0</td>\n", " <td>6.0</td>\n",
@ -139,6 +155,8 @@
" <td>BL31</td>\n", " <td>BL31</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>147456</td>\n", " <td>147456</td>\n",
" <td>False</td>\n", " <td>False</td>\n",
" <td>7.0</td>\n", " <td>7.0</td>\n",
@ -150,6 +168,8 @@
" <td>BL2</td>\n", " <td>BL2</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>158992</td>\n", " <td>158992</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>8.0</td>\n", " <td>8.0</td>\n",
@ -161,6 +181,8 @@
" <td>Debugger</td>\n", " <td>Debugger</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>24576</td>\n", " <td>24576</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>8.0</td>\n", " <td>8.0</td>\n",
@ -172,6 +194,8 @@
" <td>End/Start peripheral space?</td>\n", " <td>End/Start peripheral space?</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>4848</td>\n", " <td>4848</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>9.0</td>\n", " <td>9.0</td>\n",
@ -183,6 +207,8 @@
" <td>Debugger relocated</td>\n", " <td>Debugger relocated</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>28672</td>\n", " <td>28672</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>11.0</td>\n", " <td>11.0</td>\n",
@ -194,6 +220,8 @@
" <td>_frederic_dest_ptr</td>\n", " <td>_frederic_dest_ptr</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>4</td>\n", " <td>4</td>\n",
" <td>True</td>\n", " <td>True</td>\n",
" <td>11.0</td>\n", " <td>11.0</td>\n",
@ -205,6 +233,8 @@
" <td>modem_interface</td>\n", " <td>modem_interface</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>2048</td>\n", " <td>2048</td>\n",
" <td>False</td>\n", " <td>False</td>\n",
" <td>13.0</td>\n", " <td>13.0</td>\n",
@ -216,6 +246,8 @@
" <td>mali@14AC0000</td>\n", " <td>mali@14AC0000</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n", " <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>20480</td>\n", " <td>20480</td>\n",
" <td>False</td>\n", " <td>False</td>\n",
" <td>14.0</td>\n", " <td>14.0</td>\n",
@ -225,42 +257,42 @@
"</div>" "</div>"
], ],
"text/plain": [ "text/plain": [
" start end name order comment size \\\n", " start end name order comment X0 LR \\\n",
"0 0 131072 BootROM NaN NaN 131072 \n", "0 0 131072 BootROM NaN NaN NaN NaN \n",
"1 704 708 _jump_bl1 NaN NaN 4 \n", "1 704 708 _jump_bl1 NaN NaN NaN NaN \n",
"2 25824 25996 _boot_usb NaN NaN 172 \n", "2 25824 25996 _boot_usb NaN NaN NaN NaN \n",
"3 75848 76008 auth_bl1 NaN NaN 160 \n", "3 75848 76008 auth_bl1 NaN NaN NaN NaN \n",
"4 33660508 33689180 Tried debugger space NaN NaN 28672 \n", "4 33660508 33689180 Tried debugger space NaN NaN NaN NaN \n",
"5 33689440 33689448 _boot_usb_ra NaN NaN 8 \n", "5 33689440 33689448 _boot_usb_ra NaN NaN NaN NaN \n",
"6 33693696 33701888 BL1 NaN NaN 8192 \n", "6 33693696 33701888 BL1 NaN NaN NaN NaN \n",
"7 33701888 33849344 BL31 NaN NaN 147456 \n", "7 33701888 33849344 BL31 NaN NaN NaN NaN \n",
"8 33849344 34008336 BL2 NaN NaN 158992 \n", "8 33849344 34008336 BL2 NaN NaN NaN NaN \n",
"9 33984512 34009088 Debugger NaN NaN 24576 \n", "9 33984512 34009088 Debugger NaN NaN NaN NaN \n",
"10 34008336 34013184 End/Start peripheral space? NaN NaN 4848 \n", "10 34008336 34013184 End/Start peripheral space? NaN NaN NaN NaN \n",
"11 34340864 34369536 Debugger relocated NaN NaN 28672 \n", "11 34340864 34369536 Debugger relocated NaN NaN NaN NaN \n",
"12 34340864 34340868 _frederic_dest_ptr NaN NaN 4 \n", "12 34340864 34340868 _frederic_dest_ptr NaN NaN NaN NaN \n",
"13 34371584 34373632 modem_interface NaN NaN 2048 \n", "13 34371584 34373632 modem_interface NaN NaN NaN NaN \n",
"14 346816512 346836992 mali@14AC0000 NaN NaN 20480 \n", "14 346816512 346836992 mali@14AC0000 NaN NaN NaN NaN \n",
"\n", "\n",
" overlap overlap_with \n", " size overlap overlap_with \n",
"0 True 0.0 \n", "0 131072 True 0.0 \n",
"1 True 0.0 \n", "1 4 True 0.0 \n",
"2 True 0.0 \n", "2 172 True 0.0 \n",
"3 True 0.0 \n", "3 160 True 0.0 \n",
"4 False 4.0 \n", "4 28672 False 4.0 \n",
"5 False 5.0 \n", "5 8 False 5.0 \n",
"6 False 6.0 \n", "6 8192 False 6.0 \n",
"7 False 7.0 \n", "7 147456 False 7.0 \n",
"8 True 8.0 \n", "8 158992 True 8.0 \n",
"9 True 8.0 \n", "9 24576 True 8.0 \n",
"10 True 9.0 \n", "10 4848 True 9.0 \n",
"11 True 11.0 \n", "11 28672 True 11.0 \n",
"12 True 11.0 \n", "12 4 True 11.0 \n",
"13 False 13.0 \n", "13 2048 False 13.0 \n",
"14 False 14.0 " "14 20480 False 14.0 "
] ]
}, },
"execution_count": 417, "execution_count": 2,
"metadata": {}, "metadata": {},
"output_type": "execute_result" "output_type": "execute_result"
} }
@ -320,7 +352,7 @@
}, },
{ {
"cell_type": "code", "cell_type": "code",
"execution_count": 418, "execution_count": 3,
"metadata": {}, "metadata": {},
"outputs": [ "outputs": [
{ {
@ -332,7 +364,7 @@
"data": [ "data": [
{ {
"marker": { "marker": {
"color": "#c574e6" "color": "#46d3f4"
}, },
"mode": "text", "mode": "text",
"name": "BootROM", "name": "BootROM",
@ -348,7 +380,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#c574e6" "color": "#46d3f4"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -364,7 +396,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#c574e6" "color": "#46d3f4"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -380,7 +412,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#094b47" "color": "#05f11d"
}, },
"mode": "text", "mode": "text",
"name": "_jump_bl1", "name": "_jump_bl1",
@ -396,7 +428,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#094b47" "color": "#05f11d"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -412,7 +444,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#094b47" "color": "#05f11d"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -428,7 +460,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#f3ff4d" "color": "#15ef8e"
}, },
"mode": "text", "mode": "text",
"name": "_boot_usb", "name": "_boot_usb",
@ -444,7 +476,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#f3ff4d" "color": "#15ef8e"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -460,7 +492,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#f3ff4d" "color": "#15ef8e"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -476,7 +508,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#7e3e97" "color": "#d1cb9b"
}, },
"mode": "text", "mode": "text",
"name": "auth_bl1", "name": "auth_bl1",
@ -492,7 +524,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#7e3e97" "color": "#d1cb9b"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -508,7 +540,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#7e3e97" "color": "#d1cb9b"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -524,7 +556,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#e36dac" "color": "#bafebb"
}, },
"mode": "text", "mode": "text",
"name": "Tried debugger space", "name": "Tried debugger space",
@ -540,7 +572,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#e36dac" "color": "#bafebb"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -556,7 +588,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#e36dac" "color": "#bafebb"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -572,7 +604,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#9d6e7f" "color": "#b21068"
}, },
"mode": "text", "mode": "text",
"name": "_boot_usb_ra", "name": "_boot_usb_ra",
@ -588,7 +620,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#9d6e7f" "color": "#b21068"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -604,7 +636,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#9d6e7f" "color": "#b21068"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -620,7 +652,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#48e551" "color": "#d43e00"
}, },
"mode": "text", "mode": "text",
"name": "BL1", "name": "BL1",
@ -636,7 +668,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#48e551" "color": "#d43e00"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -652,7 +684,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#48e551" "color": "#d43e00"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -668,7 +700,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#082a5a" "color": "#2fcf29"
}, },
"mode": "text", "mode": "text",
"name": "BL31", "name": "BL31",
@ -684,7 +716,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#082a5a" "color": "#2fcf29"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -700,7 +732,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#082a5a" "color": "#2fcf29"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -716,7 +748,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#12adbc" "color": "#7ac7dc"
}, },
"mode": "text", "mode": "text",
"name": "BL2", "name": "BL2",
@ -732,7 +764,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#12adbc" "color": "#7ac7dc"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -748,7 +780,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#12adbc" "color": "#7ac7dc"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -764,7 +796,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#afec87" "color": "#1a256d"
}, },
"mode": "text", "mode": "text",
"name": "Debugger", "name": "Debugger",
@ -780,7 +812,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#afec87" "color": "#1a256d"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -796,7 +828,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#afec87" "color": "#1a256d"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -812,7 +844,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#680696" "color": "#b0eb7f"
}, },
"mode": "text", "mode": "text",
"name": "End/Start peripheral space?", "name": "End/Start peripheral space?",
@ -828,7 +860,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#680696" "color": "#b0eb7f"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -844,7 +876,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#680696" "color": "#b0eb7f"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -860,7 +892,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#feeb63" "color": "#e42eab"
}, },
"mode": "text", "mode": "text",
"name": "Debugger relocated", "name": "Debugger relocated",
@ -876,7 +908,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#feeb63" "color": "#e42eab"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -892,7 +924,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#feeb63" "color": "#e42eab"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -908,7 +940,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#51c421" "color": "#b86b0c"
}, },
"mode": "text", "mode": "text",
"name": "_frederic_dest_ptr", "name": "_frederic_dest_ptr",
@ -924,7 +956,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#51c421" "color": "#b86b0c"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -940,7 +972,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#51c421" "color": "#b86b0c"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -956,7 +988,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#a8b579" "color": "#625596"
}, },
"mode": "text", "mode": "text",
"name": "modem_interface", "name": "modem_interface",
@ -972,7 +1004,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#a8b579" "color": "#625596"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -988,7 +1020,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#a8b579" "color": "#625596"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -1004,7 +1036,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#521205" "color": "#5b6129"
}, },
"mode": "text", "mode": "text",
"name": "mali@14AC0000", "name": "mali@14AC0000",
@ -1020,7 +1052,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#521205" "color": "#5b6129"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -1036,7 +1068,7 @@
}, },
{ {
"marker": { "marker": {
"color": "#521205" "color": "#5b6129"
}, },
"mode": "text", "mode": "text",
"showlegend": false, "showlegend": false,
@ -1070,7 +1102,7 @@
}, },
"shapes": [ "shapes": [
{ {
"fillcolor": "#c574e6", "fillcolor": "#46d3f4",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1083,7 +1115,7 @@
"y1": 3.92 "y1": 3.92
}, },
{ {
"fillcolor": "#094b47", "fillcolor": "#05f11d",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1096,7 +1128,7 @@
"y1": 1.79 "y1": 1.79
}, },
{ {
"fillcolor": "#f3ff4d", "fillcolor": "#15ef8e",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1109,7 +1141,7 @@
"y1": 2.79 "y1": 2.79
}, },
{ {
"fillcolor": "#7e3e97", "fillcolor": "#d1cb9b",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1122,7 +1154,7 @@
"y1": 3.79 "y1": 3.79
}, },
{ {
"fillcolor": "#e36dac", "fillcolor": "#bafebb",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1135,7 +1167,7 @@
"y1": 4.92 "y1": 4.92
}, },
{ {
"fillcolor": "#9d6e7f", "fillcolor": "#b21068",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1148,7 +1180,7 @@
"y1": 5.92 "y1": 5.92
}, },
{ {
"fillcolor": "#48e551", "fillcolor": "#d43e00",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1161,7 +1193,7 @@
"y1": 6.92 "y1": 6.92
}, },
{ {
"fillcolor": "#082a5a", "fillcolor": "#2fcf29",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1174,7 +1206,7 @@
"y1": 7.92 "y1": 7.92
}, },
{ {
"fillcolor": "#12adbc", "fillcolor": "#7ac7dc",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1187,7 +1219,7 @@
"y1": 9.42 "y1": 9.42
}, },
{ {
"fillcolor": "#afec87", "fillcolor": "#1a256d",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1200,7 +1232,7 @@
"y1": 9.79 "y1": 9.79
}, },
{ {
"fillcolor": "#680696", "fillcolor": "#b0eb7f",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1213,7 +1245,7 @@
"y1": 10.79 "y1": 10.79
}, },
{ {
"fillcolor": "#feeb63", "fillcolor": "#e42eab",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1226,7 +1258,7 @@
"y1": 12.92 "y1": 12.92
}, },
{ {
"fillcolor": "#51c421", "fillcolor": "#b86b0c",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1239,7 +1271,7 @@
"y1": 12.79 "y1": 12.79
}, },
{ {
"fillcolor": "#a8b579", "fillcolor": "#625596",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -1252,7 +1284,7 @@
"y1": 13.92 "y1": 13.92
}, },
{ {
"fillcolor": "#521205", "fillcolor": "#5b6129",
"layer": "below", "layer": "below",
"line": { "line": {
"width": 2 "width": 2
@ -2281,6 +2313,16 @@
"\n", "\n",
"fig.show()" "fig.show()"
] ]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [],
"source": [
"# Save to html\n",
"fig.write_html(\"stack_and_functions.html\")"
]
} }
], ],
"metadata": { "metadata": {


@ -1,16 +1,16 @@
start,end,name,order,comment start,end,name,order,comment,X0,LR
0x00000000,0x00020000,BootROM,, 0x00000000,0x00020000,BootROM,,,,
0x02020f60,0x02020f68,_boot_usb_ra,, 0x02020f60,0x02020f68,_boot_usb_ra,,,,
0x00012848,0x000128e8,auth_bl1,, 0x00012848,0x000128e8,auth_bl1,,,,
0x000064e0,0x0000658c,_boot_usb,, 0x000064e0,0x0000658c,_boot_usb,,,,
0x020c0000,0x020c0004,_frederic_dest_ptr,, 0x020c0000,0x020c0004,_frederic_dest_ptr,,,,
0x000002c0,0x000002c4,_jump_bl1,, 0x000002c0,0x000002c4,_jump_bl1,,,,
0x02022000,0x02024000,BL1,, 0x02022000,0x02024000,BL1,,,,
0x02024000,0x02048000,BL31,, 0x02024000,0x02048000,BL31,,,,
0x02048000,0x0206ed10,BL2,, 0x02048000,0x0206ed10,BL2,,,,
0x02069000,0x0206f000,Debugger,, 0x02069000,0x0206f000,Debugger,,,,
0x020c0000,0x020c7000,Debugger relocated,, 0x020c0000,0x020c7000,Debugger relocated,,,,
0x0206ed10,0x02070000,End/Start peripheral space?,, 0x0206ed10,0x02070000,End/Start peripheral space?,,,,
0x02019e5c,0x02020e5c,Tried debugger space,, 0x02019e5c,0x02020e5c,Tried debugger space,,,,
0x020C7800,0x020C8000,modem_interface,, 0x020C7800,0x020C8000,modem_interface,,,,
0x14AC0000,0x14ac5000,mali@14AC0000 0x14AC0000,0x14ac5000,mali@14AC0000,,,,

@ -323,6 +323,26 @@ class ExynosDevice():
return dumped return dumped
def check_mem_write_execute(self, region):
"""
NOT WORKING YET
Write opcode to memory which jumps back immediatelly to the LR register at that moment.
"""
# LR to jump back to:
lr = self.cd.arch_dbg.state.LR
# Write opcode
shellcode = f"""
ldr x0, target_addr
blr x0
target_addr: .quad {hex(lr)}
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(region, shellcode)
self.cd.jump_to(region)
def setup_guppy_debugger(self): def setup_guppy_debugger(self):
""" """
Sets up guppy debugger on the device itself. Sets up guppy debugger on the device itself.
@ -339,6 +359,7 @@ class ExynosDevice():
def _initial_run_debugger(): def _initial_run_debugger():
"""Write debugger to device and test basic functionality""" """Write debugger to device and test basic functionality"""
### Setup debugger
if os.getenv("USER") == "eljakim": if os.getenv("USER") == "eljakim":
debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read() debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
else: else:
@ -347,6 +368,7 @@ class ExynosDevice():
except Exception as e: except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}') print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0) sys.exit(0)
debugger += ((0x2000 - len(debugger)) * b"\x00") debugger += ((0x2000 - len(debugger)) * b"\x00")
assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size" assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
for block in range(0, len(debugger), 0x200): for block in range(0, len(debugger), 0x200):
@ -363,8 +385,17 @@ class ExynosDevice():
_setup_debugger() _setup_debugger()
def relocate_debugger(self): def relocate_debugger(self, debugger=None, entry=0x020c0000, storage=0x020c4000, g_data_received=0x020c6000):
# Seems to be cleared upon cache clearing?? """
Relocates the debugger to another location. Make sure to have built the debugger with the correct addresses!
Args:
- debugger: The debugger to relocate. If None, it will use the default debugger.
- entry: The entry point of the debugger.
- storage: The storage location of the debugger.
- g_data_received: The location of the data received.
"""
if debugger is None:
if os.getenv("USER") == "eljakim": if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read() debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else: else:
@ -373,29 +404,15 @@ class ExynosDevice():
except Exception as e: except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}') print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0) sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc)
# self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
def relocate_debugger_2(self):
# Seems to be cleared upon cache clearing??
if os.getenv("USER") == "eljakim":
debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
else: else:
try: debugger_reloc = debugger
debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
except Exception as e:
print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
sys.exit(0)
self.cd.memwrite_region(0x020c0000, debugger_reloc) self.cd.memwrite_region(entry, debugger_reloc)
# self.usb_write(b"FLSH") # Flush cache # self.usb_write(b"FLSH") # Flush cache
self.cd.restore_stack_and_jump(0x020c0000) self.cd.restore_stack_and_jump(entry)
assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) self.cd.relocate_debugger(g_data_received+0x1000, entry, storage) #0x20c7000, 0x20c0000, 0x20c4000
def dumb_interact(self, dump_imems=False): def dumb_interact(self, dump_imems=False):
''' '''
@ -561,12 +578,32 @@ class ExynosDevice():
# self.cd.restore_stack_and_jump(0x00012814) # self.cd.restore_stack_and_jump(0x00012814)
# self.cd.restore_stack_and_jump(0x000125b4) # self.cd.restore_stack_and_jump(0x000125b4)
def get_ttbr0_el3(self):
shellcode= f"""
mov x1, lr
mrs x0, ttbr0_el3
ldr x2, =0x020c1000
str x0, [x2]
mov lr, x1
ret
"""
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(0x020c0000, shellcode)
self.cd.jump_to(0x020c0000)
ttbr0 = u64(self.cd.memdump_region(0x020c1000, 8))
print(f"TTBR0_EL3: {hex(ttbr0)}")
print(f"Bits: {ttbr0:064b}")
# Overwrite it with 0's
self.cd.memwrite_region(0x020c1000, b"\x00" * 8)
ttbr0 = self.cd.memdump_region(0x020c1000, 8)
assert ttbr0 == b"\x00" * 8, "TTBR0_EL3 not overwritten"
def debugger_boot(self): def debugger_boot(self):
""" """
Boot into USB recovery mode using the debugger. Boot into USB recovery mode using the debugger.
""" """
### Setup debugger
self.setup_guppy_debugger() self.setup_guppy_debugger()
self.cd.arch_dbg.state.auto_sync = False self.cd.arch_dbg.state.auto_sync = False
@ -576,10 +613,17 @@ class ExynosDevice():
# dumped = self.dump_memory(0x20000, 0x2070000) # dumped = self.dump_memory(0x20000, 0x2070000)
DEBUGGER_ADDR = 0x2069000 DEBUGGER_ADDR = 0x2069000 # 0x2069000
self.get_ttbr0_el3()
# Relocate to other debugger
debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
self.relocate_debugger(debugger=debugger, entry=0x02048000, storage=0x02051000, g_data_received=0x02052000)
DEBUGGER_ADDR = 0x02048000
### Overwrite boot_usb_ra to our debugger ### Overwrite boot_usb_ra to our debugger
self.cd.test_connection() self.cd.test_connection()
hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8) hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR)) self.cd.memwrite_region(0x02020f60, p64(DEBUGGER_ADDR))
@ -623,6 +667,9 @@ class ExynosDevice():
# ==== BL31 ==== # ==== BL31 ====
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
self.get_ttbr0_el3()
# self.check_mem_write_execute(0x020c0000)
# Download next stage via ROM_DOWNLOAD_USB # Download next stage via ROM_DOWNLOAD_USB
lr = self.cd.arch_dbg.state.LR lr = self.cd.arch_dbg.state.LR
@ -635,38 +682,39 @@ class ExynosDevice():
self.usb_read(0x200) # GiAs self.usb_read(0x200) # GiAs
# lr = self.cd.arch_dbg.state.LR # lr = self.cd.arch_dbg.state.LR
self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow # self.cd.memwrite_region(0x020200dc, p32(hijacked_fun)) # Resore oginal boot flow
# TODO patch verification self.get_ttbr0_el3()
# self.cd.memwrite_region(0x0202010c - 52, p32(GADGET_RET0))
# self.cd.memwrite_region(0x02024774, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
# self.cd.arch_dbg.state.X0 = 0x020347f0
# self.cd.arch_dbg.state.X1 = 0
# self.cd.restore_stack_and_jump(0x02030464)
self.cd.restore_stack_and_jump(lr) self.cd.restore_stack_and_jump(lr)
time.sleep(2) time.sleep(2)
self.usb_read(0x200) # GiAs self.usb_read(0x200) # GiAs
self.cd.memwrite_region(0x02031008, b"ELH") self.cd.memwrite_region(0x02031008, b"ELH")
# trampoline = self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br") # Keep LR
# self.cd.memwrite_region(0x02024020, trampoline)
# ====== PATCHES TO BL31 here! ====== # ====== PATCHES TO BL31 here! ======
# Relocate to other debugger
# debugger = open("../../dump/reloc_debugger_0x2019e5c.bin", "rb").read()
# self.relocate_debugger(debugger=debugger, entry=0x14AC0000, storage=0x14AC3000, g_data_received=0x14AC4000)
# DEBUGGER_ADDR = 0x14AC0000
# Jump BL31 # Jump BL31
self.cd.restore_stack_and_jump(0x02024010) self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
self.cd.memwrite_region(0x20219b8, p32(DEBUGGER_ADDR))
# self.cd.restore_stack_and_jump(hijacked_fun)
self.cd.restore_stack_and_jump(0x02024010)
time.sleep(2) time.sleep(2)
self.connect_device() self.connect_device()
self.usb_read(0x200) # GiAs
self.cd.arch_dbg.fetch_special_regs()
# self.usb_read(0x200) # GiAs
# self.cd.restore_stack_and_jump(hijacked_fun)
# ==== Stage 3 BL2 ==== # ==== Stage 3 BL2 ====
self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()) self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
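Review bot: `relocate_debugger` now takes `entry`, `storage` and `g_data_received` from the caller but never checks that the image fits in the gap between `entry` and `storage`, so an oversized binary is written by `self.cd.memwrite_region(entry, debugger_reloc)` straight into the area the debugger is then told to use as storage. `_initial_run_debugger` already asserts its image size before writing; the same guard belongs here ahead of the write, e.g. `assert len(debugger_reloc) <= storage - entry, "debugger image overlaps its storage area"` (this assumes `storage` lies above `entry`, as it does at both visible call sites). The docstring's requirement that the binary be built for these addresses is not enforced either, and `debugger_boot` loads `reloc_debugger_0x2019e5c.bin` while passing `entry=0x02048000`, which looks like a mismatch if the filename encodes the link address and is worth confirming. The function spans two hunks and the lines between them (the default `open` of the relocation image) are not visible here.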