How this works:
- We put the thumb instructions "ldr r0, [r0]; bx lr" onto open bus. We do this by prefetch stuffing and with a str instruction (the destination address of the store doesn't matter).
- We jump to the unmapped memory address 0xFFFFFFFC in thumb mode.
- Before executing the instruction "ldr r0, [r0]", the instruction prefetcher prefetches the addresses 0xFFFFFFFE and 0x00000000. The latter prefetch unlocks the BIOS ROM for access.
- The ldr then executes with the BIOS unlocked, giving an arbitrary BIOS read.