puppykitten
puppykitten
/ trashpci.c
Created
May 14, 2018 20:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <linux/init.h> | |
| #include <linux/kernel.h> | |
| #include <linux/module.h> | |
| #include <linux/pci.h> | |
| #include <linux/printk.h> | |
| #include <linux/proc_fs.h> | |
| #include <linux/seq_file.h> | |
| static struct pci_dev *_pdev; | |
| static void __iomem *_mmio; |
puppykitten
/ gist:443cf0b3902416a4c15d6fea453a8494
Created
May 14, 2018 20:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| EC3 | |
| The challenge: | |
| * Players are provided with a custom build qemu binary and a minimal linux system image. | |
| * After connecting to the remote service root access is granted to the qemu guest. | |
| * The qemu binary contains an extra pci device, called ooo. Which is heavily based on the EDU pci device present in the qemu sources. |
puppykitten
/ rtm_ipc.h
Created
January 28, 2018 08:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** Possible message types/event types of the system. */ | |
| typedef enum { | |
| MSG_NULL = 0, // Used for initializing state machines | |
| /***************/ | |
| MSG_RQ = 1, /**< Request; client -> server; */ | |
| MSG_RS = 2, /**< Response; server -> client */ | |
| MSG_RD = 3, /**< Ready; server -> IPCH */ | |
| MSG_NOT = 4, /**< Notification; client -> IPCH; */ | |
| MSG_CLOSE_TRUSTLET = 5, /**< Close Trustlet; MSH -> IPCH; IPCH -> all servers */ | |
| MSG_CLOSE_TRUSTLET_ACK = 6, /**< Close Trustlet Ack; servers -> IPCH */ |
puppykitten
/ drApis
Created
January 28, 2018 08:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ROM:07D0C114 ; int drApi_syscall_table[62] | |
| ROM:07D0C114 drApi_syscall_table DCD drApiGetVersion+1 ; 0 | |
| ROM:07D0C114 ; DATA XREF: get_syscall_fn+30↑o | |
| ROM:07D0C114 ; ROM:off_7D0A9F8↑o | |
| ROM:07D0C114 DCD drApiExit+1 ; 1 | |
| ROM:07D0C114 DCD drApiMapPhys+1 ; 2 | |
| ROM:07D0C114 DCD drApiUnmap+1 ; 3 | |
| ROM:07D0C114 DCD drApiMapPhysPage4KBWithHardware+1; 4 | |
| ROM:07D0C114 DCD drApiMapClient+1 ; 5 | |
| ROM:07D0C114 DCD drApiMapClientAndParams+1; 6 |
puppykitten
/ tlApis
Created
January 28, 2018 07:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ROM:07D0BE38 tlApi_syscall_table DCD tlApiNOP+1 ; 0 | |
| ROM:07D0BE38 DCD tlApiGetVersion+1 ; 1 | |
| ROM:07D0BE38 DCD tlApiGetMobicoreVersion+1; 2 | |
| ROM:07D0BE38 DCD tlApiGetPlatformInfo+1; 3 | |
| ROM:07D0BE38 DCD tlApiExit+1 ; 4 | |
| ROM:07D0BE38 DCD tlApiLogvPrintf+1 ; 5 | |
| ROM:07D0BE38 DCD tlApiWaitNotification+1; 6 | |
| ROM:07D0BE38 DCD tlApiNotify+1 ; 7 | |
| ROM:07D0BE38 DCD tlApi_callDriver+1 ; 8 | |
| ROM:07D0BE38 DCD tlApiWrapObjectExt+1; 9 |
puppykitten
/ syscalls
Created
January 28, 2018 07:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .tbase_mem_data:07F0D86C ; =========================================================================== | |
| .tbase_mem_data:07F0D86C | |
| .tbase_mem_data:07F0D86C ; Segment type: Pure data | |
| .tbase_mem_data:07F0D86C AREA .tbase_mem_data, DATA, ALIGN=0 | |
| .tbase_mem_data:07F0D86C ; ORG 0x7F0D86C | |
| .tbase_mem_data:07F0D86C syscall_table DCD svc_0_nop+1 ; DATA XREF: invoke_syscall_from_table+40↑o | |
| .tbase_mem_data:07F0D86C ; invoke_syscall_from_table:syscall_table_ptr↑o | |
| .tbase_mem_data:07F0D870 DCD svc_1_init_process+1 | |
| .tbase_mem_data:07F0D874 DCD svc_2_nop+1 | |
| .tbase_mem_data:07F0D878 DCD svc_3_nop+1 |
puppykitten
/ tbase syscalls
Created
January 28, 2018 07:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .tbase_mem_data:07F0D86C ; =========================================================================== | |
| .tbase_mem_data:07F0D86C | |
| .tbase_mem_data:07F0D86C ; Segment type: Pure data | |
| .tbase_mem_data:07F0D86C AREA .tbase_mem_data, DATA, ALIGN=0 | |
| .tbase_mem_data:07F0D86C ; ORG 0x7F0D86C | |
| .tbase_mem_data:07F0D86C syscall_table DCD svc_0_nop+1 ; DATA XREF: invoke_syscall_from_table+40↑o | |
| .tbase_mem_data:07F0D86C ; invoke_syscall_from_table:syscall_table_ptr↑o | |
| .tbase_mem_data:07F0D870 DCD svc_1_init_process+1 | |
| .tbase_mem_data:07F0D874 DCD svc_2_nop+1 | |
| .tbase_mem_data:07F0D878 DCD svc_3_nop+1 |
puppykitten
/ tbase syscalls
Created
January 28, 2018 07:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .tbase_mem_data:07F0D86C ; =========================================================================== | |
| .tbase_mem_data:07F0D86C | |
| .tbase_mem_data:07F0D86C ; Segment type: Pure data | |
| .tbase_mem_data:07F0D86C AREA .tbase_mem_data, DATA, ALIGN=0 | |
| .tbase_mem_data:07F0D86C ; ORG 0x7F0D86C | |
| .tbase_mem_data:07F0D86C syscall_table DCD svc_0_nop+1 ; DATA XREF: invoke_syscall_from_table+40↑o | |
| .tbase_mem_data:07F0D86C ; invoke_syscall_from_table:syscall_table_ptr↑o | |
| .tbase_mem_data:07F0D870 DCD svc_1_init_process+1 | |
| .tbase_mem_data:07F0D874 DCD svc_2_nop+1 | |
| .tbase_mem_data:07F0D878 DCD svc_3_nop+1 |
puppykitten
/ tbase syscalls
Created
January 28, 2018 07:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .tbase_mem_data:07F0D86C ; =========================================================================== | |
| .tbase_mem_data:07F0D86C | |
| .tbase_mem_data:07F0D86C ; Segment type: Pure data | |
| .tbase_mem_data:07F0D86C AREA .tbase_mem_data, DATA, ALIGN=0 | |
| .tbase_mem_data:07F0D86C ; ORG 0x7F0D86C | |
| .tbase_mem_data:07F0D86C syscall_table DCD svc_0_nop+1 ; DATA XREF: invoke_syscall_from_table+40↑o | |
| .tbase_mem_data:07F0D86C ; invoke_syscall_from_table:syscall_table_ptr↑o | |
| .tbase_mem_data:07F0D870 DCD svc_1_init_process+1 | |
| .tbase_mem_data:07F0D874 DCD svc_2_nop+1 | |
| .tbase_mem_data:07F0D878 DCD svc_3_nop+1 |
puppykitten
/ gist:2ede4fdbe48f62bc5078b2df4d0a055b
Created
January 28, 2018 07:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ROM:00133054 tbase_smc_send_VBAR ; CODE XREF: config_tbase_and_tell_aft_the_vbar+E↑p | |
| ROM:00133054 LDR R0, =0xB2000002 | |
| ROM:00133058 MOV R1, #1 | |
| ROM:0013305C LDR R2, =0x7F00000 ; normal VBAR address | |
| ROM:00133060 SMC #0 | |
| ROM:00133064 BX LR | |
| ROM:00133064 ; End of function tbase_smc_send_VBAR | |
| ROM:00133064 | |
| ROM:00133068 | |
| ROM:00133068 ; =============== S U B R O U T I N E ======================================= |
NewerOlder