update

GA_debugger.py

@@ -139,7 +139,7 @@ def dump_full_dram_context(cd : "ConcreteDevice"):
     
 SETUP_SDRAM = 0x00101a14
 def attempt_boot_bct(cd : "ConcreteDevice"):
-    dat = open("imem_good.bin", 'rb').read()
+    dat = open("bin/imem_good.bin", 'rb').read()
     cd.memwrite_region(0x40000000, dat[:0xe000])
     cd.write(b"MAIN")
     cd.arch_dbg.state.auto_sync = False
@@ -359,7 +359,7 @@ def hw_init(cd : "ConcreteDevice"):
                     pass
                 elif cd.arch_dbg.state.R0 == 0x77:
                     # In nvtloadbinary
-                    dat = open("/tmp/bootloader.bin", 'rb').read()
+                    dat = open("bin/bootloader.bin", 'rb').read()
                     cd.memwrite_region(0x83d88000, dat[:0x90000])
                     cd.arch_dbg.state.R0 = 0
                     cd.restore_stack_and_jump(cd.arch_dbg.state.LR)
@@ -380,7 +380,7 @@ def hw_init(cd : "ConcreteDevice"):
                     elif b"corrupted" in msg or b"GPT failed" in msg:
                         # Restore bootloader
                         print(msg)
-                        dat = open("/tmp/bootloader.bin", 'rb').read()
+                        dat = open("bin/bootloader.bin", 'rb').read()
                         cd.memwrite_region(0x83d88000, dat[:0x90000])
                         cd.memwrite_region(0x83d90260, ks_thumb.asm("mov r0, r0", as_bytes=True)[0] * 2)
                         # cd.memwrite_region(0x83e130e6, b"\x00") # Fastboot unlock?

Readme.md

@@ -5,7 +5,8 @@ The exploitation work for this device is done by (LordRafa)[https://github.com/L
 To build gupje, see the readme in the gupje_t/ folder.
 
 ## Usage
-
+Run the exploit code with a *target* binary to run on the device.
 ```bash
-python3 exploit.py ../bin/nvidia_shield_t/
-```
+python3 exploit.py --ga ../bin/nvidia_shield_t/debugger.bin
+```
+