update
This commit is contained in:
parent
900d2c58a7
commit
72c6cfa33d
@ -139,7 +139,7 @@ def dump_full_dram_context(cd : "ConcreteDevice"):
|
|||||||
|
|
||||||
SETUP_SDRAM = 0x00101a14
|
SETUP_SDRAM = 0x00101a14
|
||||||
def attempt_boot_bct(cd : "ConcreteDevice"):
|
def attempt_boot_bct(cd : "ConcreteDevice"):
|
||||||
dat = open("imem_good.bin", 'rb').read()
|
dat = open("bin/imem_good.bin", 'rb').read()
|
||||||
cd.memwrite_region(0x40000000, dat[:0xe000])
|
cd.memwrite_region(0x40000000, dat[:0xe000])
|
||||||
cd.write(b"MAIN")
|
cd.write(b"MAIN")
|
||||||
cd.arch_dbg.state.auto_sync = False
|
cd.arch_dbg.state.auto_sync = False
|
||||||
@ -359,7 +359,7 @@ def hw_init(cd : "ConcreteDevice"):
|
|||||||
pass
|
pass
|
||||||
elif cd.arch_dbg.state.R0 == 0x77:
|
elif cd.arch_dbg.state.R0 == 0x77:
|
||||||
# In nvtloadbinary
|
# In nvtloadbinary
|
||||||
dat = open("/tmp/bootloader.bin", 'rb').read()
|
dat = open("bin/bootloader.bin", 'rb').read()
|
||||||
cd.memwrite_region(0x83d88000, dat[:0x90000])
|
cd.memwrite_region(0x83d88000, dat[:0x90000])
|
||||||
cd.arch_dbg.state.R0 = 0
|
cd.arch_dbg.state.R0 = 0
|
||||||
cd.restore_stack_and_jump(cd.arch_dbg.state.LR)
|
cd.restore_stack_and_jump(cd.arch_dbg.state.LR)
|
||||||
@ -380,7 +380,7 @@ def hw_init(cd : "ConcreteDevice"):
|
|||||||
elif b"corrupted" in msg or b"GPT failed" in msg:
|
elif b"corrupted" in msg or b"GPT failed" in msg:
|
||||||
# Restore bootloader
|
# Restore bootloader
|
||||||
print(msg)
|
print(msg)
|
||||||
dat = open("/tmp/bootloader.bin", 'rb').read()
|
dat = open("bin/bootloader.bin", 'rb').read()
|
||||||
cd.memwrite_region(0x83d88000, dat[:0x90000])
|
cd.memwrite_region(0x83d88000, dat[:0x90000])
|
||||||
cd.memwrite_region(0x83d90260, ks_thumb.asm("mov r0, r0", as_bytes=True)[0] * 2)
|
cd.memwrite_region(0x83d90260, ks_thumb.asm("mov r0, r0", as_bytes=True)[0] * 2)
|
||||||
# cd.memwrite_region(0x83e130e6, b"\x00") # Fastboot unlock?
|
# cd.memwrite_region(0x83e130e6, b"\x00") # Fastboot unlock?
|
||||||
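Review bot: The new `bin/imem_good.bin` and `bin/bootloader.bin` paths (the changed lines in all three hunks) are resolved against the process's current working directory, so the restore branches in hw_init raise FileNotFoundError as soon as the script is launched from any other directory — and since the "corrupted"/"GPT failed" branch is the recovery path, that failure would leave the device with nothing written back. Resolving them against the script itself avoids that: `BIN_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), "bin")` once at module level (with `os` imported there), then `open(os.path.join(BIN_DIR, "bootloader.bin"), 'rb')`, hoisted rather than duplicated in the two hw_init branches. While touching these lines, `with open(...) as f: dat = f.read()` closes the handle, and the `dat[:0x90000]` / `dat[:0xe000]` slices silently truncate an image larger than the region being written, so a guard such as `if len(dat) > 0x90000: raise ValueError("bootloader image too large for region")` would turn a wrong-image mistake into an error rather than a partially flashed device. The patched file's name is not visible here, and attempt_boot_bct and hw_init both begin and end outside the hunks.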
|
@ -5,7 +5,8 @@ The exploitation work for this device is done by (LordRafa)[https://github.com/L
|
|||||||
To build gupje, see the readme in the gupje_t/ folder.
|
To build gupje, see the readme in the gupje_t/ folder.
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
Run the exploit code with a *target* binary to run on the device.
|
||||||
```bash
|
```bash
|
||||||
python3 exploit.py ../bin/nvidia_shield_t/
|
python3 exploit.py --ga ../bin/nvidia_shield_t/debugger.bin
|
||||||
```
|
```
|
||||||
|
|
||||||
|