sending incorrect data now

Eljakim Herrewijnen 2024-08-02 19:53:33 +02:00
parent 10e4590faf
commit d40e818b33
2 changed files with 49 additions and 46 deletions


@ -1,46 +1,47 @@
start:
b main
.text
.global rom_send
rom_send:
mov w1, #0x20000 // size
mov w0, #0x0 // address
bl usb_send
ret
.text
.global usb_send
usb_send:
stp x29, x30, [sp,#-48]!
mov w3, #0x0
bfxil w3, w1, #0, #24
mov w1, #0xc12
mov x29, sp
stp x19, x20, [sp,#16]
mov x5, #0xc834
mov w20, #0x1
movk x5, #0x1540, lsl #16
ldr x2, [x29,#40]
mov x4, #0xc838
orr w6, w1, w20
movk x4, #0x1540, lsl #16
mov x19, #0xc83c
movk x19, #0x1540, lsl #16
stp w3, w1, [x2,#8]
mov w3, #0x406
stp w0, wzr, [x2]
mov w0, w20
ldr x1, [x29,#40]
strb w6, [x2,#12]
; mov x2, #0x27c8
str w1, [x5]
mov w1, #0x1388
str wzr, [x4]
str w3, [x19]
; blr x2
mov w0, w20
ldr w1, [x19]
ldp x19, x20, [sp,#16]
ldp x29, x30, [sp],#48
ret
;.text
;.global rom_send
;rom_send:
; mov w1, #0x20000 // size
; mov w0, #0x0 // address
; bl usb_send
; ret
;
;.text
;.global usb_send
;usb_send:
; stp x29, x30, [sp,#-48]!
; mov w3, #0x0
; bfxil w3, w1, #0, #24
; mov w1, #0xc12
; mov x29, sp
; stp x19, x20, [sp,#16]
; mov x5, #0xc834
; mov w20, #0x1
; movk x5, #0x1540, lsl #16
; ldr x2, [x29,#40]
; mov x4, #0xc838
; orr w6, w1, w20
; movk x4, #0x1540, lsl #16
; mov x19, #0xc83c
; movk x19, #0x1540, lsl #16
; stp w3, w1, [x2,#8]
; mov w3, #0x406
; stp w0, wzr, [x2]
; mov w0, w20
; ldr x1, [x29,#40]
; strb w6, [x2,#12]
; ; mov x2, #0x27c8
; str w1, [x5]
; mov w1, #0x1388
; str wzr, [x4]
; str w3, [x19]
; ; blr x2
; mov w0, w20
; ldr w1, [x19]
; ldp x19, x20, [sp,#16]
; ldp x29, x30, [sp],#48
; ret
;
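Review bot: `ldr x2, [x29,#40]` in `usb_send` loads the descriptor pointer from a stack slot that nothing in the function writes: the prologue reserves 48 bytes and stores x29/x30 at offset 0 and x19/x20 at offset 16, so offset 40 holds whatever the caller left there, and the four stores through x2 plus the `str w1, [x5]` of that same pointer (reloaded by `ldr x1, [x29,#40]`) hand the MMIO-looking address 0x1540c834 a value that depends on stack garbage, which would fit the "incorrect data" in the title. If this was lifted from a ROM routine the original presumably initialised that slot (the disabled `; mov x2, #0x27c8` hints at it); a minimal fix is to point both loads at memory this function owns, e.g. the unused top 16 bytes of the frame with `add x2, sp, #32` in place of the first load and `mov x1, x2` in place of the second, or at a dedicated buffer. Comment syntax is also mixed, `//` on the size/address lines but `;` for the disabled block, and in GAS-style AArch64 syntax `;` is a statement separator rather than a comment, so whether the `;` block is really inert depends on the assembler used (keystone on the Python side); since it duplicates the live code above it, delete it or switch it to `//`. `b main` on the first line has no `main` in this file, so it presumably resolves in the surrounding shellcode template.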


@ -2,7 +2,7 @@ import usb.util
import struct, sys, usb1, libusb1, ctypes, usb, argparse
from keystone import *
from capstone import *
# from ghidra_assistant.utils.utils import *
from ghidra_assistant.utils.utils import *
def p32(x):
return struct.pack("<I", x)
@ -168,8 +168,9 @@ class ExynosDevice():
from ghidra_assistant.utils.utils import *
ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)
def usb_debug():
shellcode = f"""
start:
@ -286,6 +287,7 @@ def usb_debug():
transferred.value = 0
buf = ctypes.c_buffer(b"", 0x200)
res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)
hexdump(buf.raw[:0x20])
pass
# Should have received some bytes
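Review bot: `hexdump(buf.raw[:0x20])` dumps a fixed 0x20 bytes whatever `libusb_bulk_transfer` did — `res` is never checked and `transferred.value`, zeroed just above, is ignored, so a timeout (100 ms) or short read prints the zero-filled buffer as if it were device data. Prefer `if res != 0: raise RuntimeError(f"bulk read failed: {res}")` (libusb returns 0 on success) followed by `hexdump(buf.raw[:transferred.value])`. `ctypes.c_buffer` is a deprecated alias of `create_string_buffer`, and `exynos.handle._USBDeviceHandle__handle` reaches through a name-mangled private attribute that any usb1 upgrade can break. The first hunk appears to re-enable `from ghidra_assistant.utils.utils import *` at module level while the second hunk adds the same star import again a few lines later, so one of the two looks redundant. `usb_debug` begins before this hunk and continues after it.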