Skip to content

Instantly share code, notes, and snippets.

View ec_ocd.cfg
source [find cpu/arc/arcompact.tcl]
source [find cpu/arc/em.tcl]
set _CHIPNAME arc600
set _TARGETNAME $_CHIPNAME.cpu
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -expected-id 0x200024b1
target create $_TARGETNAME arc600 -chain-position $_TARGETNAME
@four0four
four0four / 01-zynq-uart-exploit.md
Last active January 6, 2024 19:17
Zynq BootROM Secrets: BootROM dump exploit
View 01-zynq-uart-exploit.md

Zynq BootROM Secrets: Exposing the bootROM with the UART loader

Last time I wrote about this, I lied a little - There is an interesting bug in the UART loader, and it may have been exactly why Xilinx didn't document it. In short: The UART loader writes the entire UART payload to a location in memory (nominally 0x4_0000). The ROM is architected such that when the boot mode is selected, it registers a callback that is called when the ROM wants more data from the boot device. For the UART loader, this is pretty simple - here's the whole thing:

; void uart_callback(u32 r0_offset, void* r1_dest, i32 r2_nbytes)
ROM:0000A578 PUSH            {R3,LR}
ROM:0000A57C MOV             R3, #uart_buff
ROM:0000A584 MOV             R12, #1
ROM:0000A588 LDR             R3, [R3]
@four0four
four0four / 01-zynq-uart.md
Last active September 16, 2023 03:02
Zynq BootROM Secrets - UART loader
View 01-zynq-uart.md

Zynq BootROM Secrets: UART loader

Recently I acquired (md5: ADF639AFE9855EE86C8FAAD216C970D9) the Zynq bootrom, and during the reversing process uncovered some interesting secrets, one of which is an as-of-yet undocumented UART loader. As documented the Zynq bootrom will load from NOR/NAND/SPI flashes, eMMC/SDIO-based storage (unfortunately) not USB, or anything else more complex.

Not sure why Xilinx didn't document this. In my brief testing it is super unreliable if you just spit everything at once - they reset the RX/TX paths during the process, so timing is critical, but that might be the janky meter-long ftdi cable. You can change the baudrate during the process, but I was too lazy to do the math.

Here's the disassembly that made me look twice (that, and checks for the MIO boot_mode[2:0] that weren't specified in the docs :)):

ROM:0000A220 BL              uart_init
@four0four
four0four / pydps5005.py
Last active July 12, 2023 13:20
DPS5005 python "driver"/library
View pydps5005.py
#!/usr/bin/env python3
from serial import Serial
from crcmod.predefined import mkPredefinedCrcFun
class PowerSupply():
def __init__(self):
self.v_set = 0.0
self.i_set = 0.0
@four0four
four0four / smurw-gpu.c
Last active June 1, 2023 21:18
hacked up smurw.c tested on an rx580 (should work on most?) invocation is like ./smurw [path to resource5 BAR] [addr] (dword to write)
View smurw-gpu.c
/* smutool Tool for SMU
* Copyright (C) 2015 Damien Zammit <damien@zamaudio.com>
* Copyright (C) 2023 Sheep Sun <sunxiaoyang2003@gmail.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
@four0four
four0four / seal_installer.scad
Created May 26, 2023 06:07
janky seal press
View seal_installer.scad
$fn=500;
inner_dia = 47.5;
outer_dia = 57.5;
clearance = 1.0;
height = 10;
@four0four
four0four / GetProcAddressEx.rs
Created April 14, 2023 02:12
GetProcAddressEx "in Rust"
View GetProcAddressEx.rs
use windows::core::*;
use windows::Win32::Foundation::HMODULE;
use windows::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};
//use windows::Win32::UI::Input::XboxController::XINPUT_STATE;
// ref: https://gist.github.com/robindegen/9446175
#[repr(C)]
#[derive(Debug,Default)]
@four0four
four0four / ring_thing.scad
Last active March 24, 2023 03:16
Simple piston-ring-pusher tool to help with measuring gaps repeatably. Requires https://github.com/revarbat/BOSL2 for the chamfer.
View ring_thing.scad
include <BOSL2/std.scad>
$fn=500;
difference() {
union() {
difference() {
cylinder(h=25, r = 50, center = false);
up(25) #chamfer_cylinder_mask(r=50, chamfer=2);
@four0four
four0four / microcorruption.py
Last active January 8, 2023 03:21 — forked from joshwatson/microcorruption.py
Microcorruption Memory Dump BinaryView for Binary Ninja
View microcorruption.py
import struct
import traceback
from binaryninja import (
BinaryView, Architecture, log
)
from binaryninja.enums import (
SegmentFlag
)
class MicrocorruptionView(BinaryView):
@four0four
four0four / safety_wire_jig.scad
Last active July 28, 2022 06:52
openscad safety wire jig
View safety_wire_jig.scad
/*[ Bolt properties (Machinery's pp. 1446, 25th ed) ]*/
//Width across flats (S)
bolt_head_width=16; // [13:M8,16:M10,18:M12,21:M14]
//shank nominal diameter
bolt_body_diam=10; //[8:M8,10:M10,12:M12,14:M14]
//bolt head depth
bolt_head_depth=6.6; //[5.5:M8, 6.6:M10, 7.8:M12, 9:M14]
/*[misc.]*/
// clearance for fitment around bolt parts