diff --git a/source/exploit/entry.S b/source/exploit/entry.S
index 632e12e..3d4c757 100644
--- a/source/exploit/entry.S
+++ b/source/exploit/entry.S
@@ -1,46 +1,47 @@
start: b main
-.text
-.global rom_send
-rom_send:
- mov w1, #0x20000 // size
- mov w0, #0x0 // address
- bl usb_send
- ret
-
-.text
-.global usb_send
-usb_send:
- stp x29, x30, [sp,#-48]!
- mov w3, #0x0
- bfxil w3, w1, #0, #24
- mov w1, #0xc12
- mov x29, sp
- stp x19, x20, [sp,#16]
- mov x5, #0xc834
- mov w20, #0x1
- movk x5, #0x1540, lsl #16
- ldr x2, [x29,#40]
- mov x4, #0xc838
- orr w6, w1, w20
- movk x4, #0x1540, lsl #16
- mov x19, #0xc83c
- movk x19, #0x1540, lsl #16
- stp w3, w1, [x2,#8]
- mov w3, #0x406
- stp w0, wzr, [x2]
- mov w0, w20
- ldr x1, [x29,#40]
- strb w6, [x2,#12]
- ; mov x2, #0x27c8
- str w1, [x5]
- mov w1, #0x1388
- str wzr, [x4]
- str w3, [x19]
- ; blr x2
- mov w0, w20
- ldr w1, [x19]
- ldp x19, x20, [sp,#16]
- ldp x29, x30, [sp],#48
- ret
+;.text
+;.global rom_send
+;rom_send:
+; mov w1, #0x20000 // size
+; mov w0, #0x0 // address
+; bl usb_send
+; ret
+;
+;.text
+;.global usb_send
+;usb_send:
+; stp x29, x30, [sp,#-48]!
+; mov w3, #0x0
+; bfxil w3, w1, #0, #24
+; mov w1, #0xc12
+; mov x29, sp
+; stp x19, x20, [sp,#16]
+; mov x5, #0xc834
+; mov w20, #0x1
+; movk x5, #0x1540, lsl #16
+; ldr x2, [x29,#40]
+; mov x4, #0xc838
+; orr w6, w1, w20
+; movk x4, #0x1540, lsl #16
+; mov x19, #0xc83c
+; movk x19, #0x1540, lsl #16
+; stp w3, w1, [x2,#8]
+; mov w3, #0x406
+; stp w0, wzr, [x2]
+; mov w0, w20
+; ldr x1, [x29,#40]
+; strb w6, [x2,#12]
+; ; mov x2, #0x27c8
+; str w1, [x5]
+; mov w1, #0x1388
+; str wzr, [x4]
+; str w3, [x19]
+; ; blr x2
+; mov w0, w20
+; ldr w1, [x19]
+; ldp x19, x20, [sp,#16]
+; ldp x29, x30, [sp],#48
+; ret
+;
\ No newline at end of file
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 78a04d0..e2ed6c1 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
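Review bot: The `;` prefix used to disable the rom_send and usb_send blocks is a line-comment marker only for Darwin-flavoured AArch64 assemblers; GNU as for AArch64 and LLVM's ELF AArch64 target treat `;` as a statement separator, so under those toolchains `;.text`, `;.global rom_send` and every `; mov …` line would still be assembled and both symbols re-emitted. The previous version already relied on `;` for `; mov x2, #0x27c8` inside usb_send, so this presumably works with the toolchain in use, but it is a portability hazard rather than a guaranteed comment. The file already uses `//` for inline comments (`// size`, `// address`), so if the block must stay, `//` (or a `/* … */` wrapper) is safe everywhere. Since this commit preserves both routines in history anyway, deleting them outright would be cleaner than carrying 44 lines of disabled code. The new side also loses the trailing newline (`\ No newline at end of file`), which is worth restoring.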
@@ -2,7 +2,7 @@ import usb.util
import struct, sys, usb1, libusb1, ctypes, usb, argparse
from keystone import *
from capstone import *
-# from ghidra_assistant.utils.utils import *
+from ghidra_assistant.utils.utils import *
def p32(x): return struct.pack("