@MerryMage

MerryMage/_.md

Last active Nov 22, 2017
How this works:

  1. We put the thumb instructions "ldr r0, [r0]; bx lr" onto open bus. We do this by prefetch stuffing and with a str instruction (the destination address of the store doesn't matter).
  2. We jump to the unmapped memory address 0xFFFFFFFC in thumb mode.
  3. Before executing the instruction ldr r0, [r0], the instruction prefetcher fetches the addresses 0xFFFFFFFE and 0x00000000. The latter prefetch unlocks the BIOS ROM for access.
  4. Arbitrary BIOS read.
```asm
.text
.thumb
.section .iwram
.func test_b, test_b
.global test_b
.type test_b, %function
.balign 4
test_b:
    str r2, [r1]        @ r2 = 0x68006800: put the halfwords onto the open bus (store target does not matter)
    bx r1               @ r1 = 0xFFFFFFFD: jump to unmapped 0xFFFFFFFC in thumb mode
    ldr r0, [r0]        @ prefetch stuffing: fetched by the prefetcher, then executed from open bus
    bx lr               @ r0 = BIOS address passed in, returns the word read
    bx lr
    bx lr
    bx lr
.balign 4
.endfunc
.ltorg
```
```c
#include <gba_console.h>
#include <gba_video.h>
#include <gba_interrupt.h>
#include <gba_systemcalls.h>
#include <gba_input.h>
#include <gba_types.h>
#include <stdio.h>
#include <stdlib.h>

/* Declaration added here for the assembly routine above; parameter names are ours:
   r0 = address to read, r1 = bx target, r2 = value stored onto the open bus. */
extern u32 test_b(u32 addr, u32 target, u32 bus_value);

int main(void) {
    irqInit();
    irqEnable(IRQ_VBLANK);
    consoleDemoInit();

    /* Read the first 0x40 bytes of the BIOS, one word at a time. */
    for (size_t i = 0; i < 0x40; i += 4)
        iprintf("%08x\n", test_b(i, 0xFFFFFFFD, 0x68006800));

    for (;;) {
        VBlankIntrWait();
    }
}
```
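As an added example (our code, not part of MerryMage's gist): a small Python decoder for the Thumb halfwords this trick relies on (`str r2, [r1]`, `bx r1`, `ldr r0, [r0]`, `bx lr`) together with the `bx` target and prefetch-address arithmetic from step 3, which shows the 32-bit wrap from 0xFFFFFFFC into the BIOS region at 0x00000000. Only the two Thumb formats involved are decoded; the register/memory-map names are the standard GBA ones.

```python
# Added example, not part of MerryMage's gist: decode the Thumb halfwords the
# trick relies on and follow the jump and prefetch addresses through the 32-bit wrap.
REG_NAMES = {13: "sp", 14: "lr", 15: "pc"}

def reg(n):
    return REG_NAMES.get(n, f"r{n}")

def decode_thumb(hw):
    """Decode Thumb-1 format 9 (LDR/STR Rd, [Rb, #imm]) and BX Rs; nothing else is guessed."""
    hw &= 0xFFFF
    if (hw >> 13) == 0b011:                    # format 9: load/store with immediate offset
        byte = (hw >> 12) & 1                  # B: 1 = byte access, 0 = word access
        load = (hw >> 11) & 1                  # L: 1 = ldr, 0 = str
        off = (hw >> 6) & 0x1F                 # imm5, scaled by 4 for word access
        rb, rd = (hw >> 3) & 7, hw & 7
        mnem = ("ldr" if load else "str") + ("b" if byte else "")
        off_str = f", #{off if byte else off * 4}" if off else ""
        return f"{mnem} {reg(rd)}, [{reg(rb)}{off_str}]"
    if (hw & 0xFF87) == 0x4700:                # BX Rs: 0100 0111 0 H2 Rs 000
        return f"bx {reg((hw >> 3) & 0xF)}"
    return f"<unhandled 0x{hw:04x}>"

def decode_open_bus_word(word):
    """Split a 32-bit bus value into the halfword executed at the aligned Thumb
    address and the one at address + 2 (little-endian: low half first)."""
    return [decode_thumb(word & 0xFFFF), decode_thumb(word >> 16)]

def thumb_jump(target):
    """Model `bx target`: bit 0 selects Thumb state, execution starts at the aligned
    address and the prefetcher fetches the next two halfwords, PC wrapping mod 2**32."""
    pc = (target & ~1) & 0xFFFFFFFF
    prefetch = [(pc + 2) & 0xFFFFFFFF, (pc + 4) & 0xFFFFFFFF]
    return target & 1, pc, prefetch

def region(addr):
    """Coarse GBA memory map; only the regions this page touches are named."""
    if addr <= 0x3FFF:
        return "BIOS"
    if 0x03000000 <= addr <= 0x03007FFF:
        return "IWRAM"
    return "unmapped (open bus)" if addr >= 0x10000000 else "other"

if __name__ == "__main__":
    print([decode_thumb(h) for h in (0x600A, 0x4708, 0x6800, 0x4770)])  # the test_b body
    print(decode_open_bus_word(0x68006800))                             # value stored via r2
    thumb, pc, pf = thumb_jump(0xFFFFFFFD)
    print(thumb, f"{pc:#010x}", [f"{a:#010x} ({region(a)})" for a in pf])
```

The stored word 0x68006800 itself decodes to two `ldr r0, [r0]`; the `bx lr` mentioned in step 1 is among the halfwords the prefetcher fetches after `bx r1` (the prefetch stuffing).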