Jibo-Revival-Group/JiboViteDocs
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a164159c1c81d00a5b43bd599738717732b25665
JiboViteDocs/docs/uart/vectors/validatedmem.md

176 lines
5.7 KiB
Markdown
Raw Normal View History

Feat: Add old docs, begin adapting old docs to new format.
2026-05-05 18:38:52 -04:00
# Validated memory adresses
- - -
## Power Management Controller (PMC)
#### `0x7000E400` — PMC Base Address
**Use:** The starting point for all Power Management operations.
#### `0x7000E450` — PMC_SCRATCH0
- **Use:** undefined but i used it as a Data Safe.
- **Example:** When the USB connection dies, store 4 bytes of data here.
- **C Code exampple:**
```c
// Store a 4-byte value from IRAM into the scratch register
uint32_t leaked_data = *(volatile uint32_t *)0x40001000;
*(volatile uint32_t *)0x7000E450 = leaked_data;
```
#### `0x7000E414` — PMC_CNTRL (Reset Control)
- **Use:** The Reboot Trigger.
- **Bit 4:** Setting this bit triggers a Warm Reset.
- **Example:** use this immediately after writing to `SCRATCH0` to force Jibo back into RCM mode.
- **C Code Implementation:**
```c
// Trigger Warm Reset to return to RCM mode
*(volatile uint32_t *)0x7000E414 |= (1 << 4);
```
## Timer and Watchdog (TMR/WDT)
These addresses allow us to cut the systems security features from what i can tell so they don't interfere with the payload.
#### `0x6000501c` — TMR_WDT_RESTART
- **Use:** The Watchdog cut.
- **Mechanism:** The Tegra K1 has a timer that reboots the device if it doesn't receive a clock signal within a few seconds.
- **Example:** We write the magic value `0xcafe` here in every loop to prevent Jibo from panic-resetting during a dump.
- **C Code Implementation:**
```c
while(1) {
// (reset)
*(volatile uint32_t *)0x6000501c = 0xcafe;
// ... rest of the exploit ...
}
```
## Internal RAM (IRAM/SRAM)
This is the part where the BootROM is.
#### `0x40000000` — IRAM Base (Start)
- **Use:** The beginning of the 256KB internal memory.
- **Significance:** This is where the payload is injected. If u dump from here, u get the "Leftovers" of the boot process (keys, signatures, and config data) from what i could tell.
#### `0x4003FFFF` — IRAM End
- **Use:** The boundary of the volatile memory. (not 100% Sure but pretty certain)
- **Constraint:** If we try to read past this address, the system will hard-crash because we are hitting undefined memory space.
## BootROM Service Functions
The BootROM (at `0x00000000`) is read-only memory etched into the silicon. It contains pre-written functions for USB communication that we can "borrow" so we don't have to write a full USB driver from scratch.
#### `0x00003551` — usb_send (Standard)
- **Use:** Sends a structured data packet over the RCM USB connection.
- **Significance:** This is the basically the proper way i could get it to talk. It handles some of the USB protocol handshaking automatically.
- **Example:**
```C
// Define the function signature based on BootROM
typedef int (*usb_send_ptr)(void *buffer, unsigned int length);
usb_send_ptr usb_send = (usb_send_ptr)0x00003551;
//push 64 bytes of IRAM to the PC
usb_send((void *)0x40000000, 64);
```
#### `0x000035e5` — usb_send_raw (Bulk)
- **Use:** A lower-level function that bypasses some of the standard RCM state checks i think.
- **Significance:** This is how i got those first **16 bytes** out. It is open data pushing.
- **Example:** I used this when the standard `usb_send` was stalling, as it forces the hardware to dump the buffer to the endpoint immediately.
```c
// Define the raw function pointer
typedef void (*usb_send_raw_ptr)(void *buffer, unsigned int length);
usb_send_raw_ptr usb_send_raw = (usb_send_raw_ptr)0x000035e5;
//Force dump a 16-byte chunk of IRAM regardless of USB state
void dump_raw_chunk() {
uint8_t buffer[16];
// Copy the data from a target address (e.g.sstart of IRAM)
memcpy(buffer, (void*)0x40000000, 16);
// Push it out. On the PC side
usb_send_raw(buffer, 16);
}
```
## Hardware Fuse Registers
The Fuses are permanent oly set at the factory so we cant change these
#### `0x7000F800` — FUSE_BASE
- **Use:** The starting point for reading the hardware id & status.
- **Significance:** Reading from here tells us if Jibo is in "Production" mode (Locked) or "Development" mode (Unlocked).
#### `0x7000F800 + 0x60` — Security Config Fuse
- **Use:** Determines if **Secure Boot** is active.
- **Discovery:** In my tests, reading this offset returned random data.
- **The Verdict:** This confirmed that Jibo is a **Secure Boot** device. He will only boot software that has been digitally signed by Jibo Inc.s private keys.
#### `0x7000F900` — FUSE_RESERVED_ODM (The SBK/SSK Area)
- **Use:** This is where the **Secure Boot Key (SBK)** usually is.
- **The Goal:** If we can successfully read this entire block, we might find the AES keys needed to decrypt the Jibo OS files on the EMMC.
## The Boot Configuration Table (BCT)
The BCT is a piece of data usually found at the very start of the boot process (and often cached in IRAM).
#### `0x400000f0` — BCT Pointer / Entry Point
- **Use:** I identified this address in on of the `hexdumps` i sent on discord.
- **Significance:** This is where the BootROM hands over control to the next stage of the bootloader.
- **The Hack:** By targeting our leaker near this address, we can see how the Tegra sets up its memory controllers before it realizes we've hijacked the process.
```C
void inspect_bct_handoff() {
// Read the instruction at the BCT entry point
uint32_t entry_instruction = *(volatile uint32_t *)0x400000f0;
// Often, this is a 'Branch' (B) instruction in ARM hex: 0xEAXXXXXX
// If 0xEA, we know Jibo is ready run the bootloader
if ((entry_instruction >> 24) == 0xEA) {
// Log it for the PC to see
*(volatile uint32_t *)0x7000E450 = 0xBC7DE4D; // "BCT DEAD" hex flag
}
}
```
Reference in New Issue Copy Permalink