Shofel payloader source & prebuild for jib with some old payloads i had made

these payloads may not work , i have no clue honestly i attached them ,
also there are 2 helper py scripts that might work with some of these
payloads

Shofel4Jibo/payloads/boot_bct.c

@@ -0,0 +1,24 @@
+#include "types.h"
+#include "t124.h"
+
+typedef void (*do_bct_boot_t)( void );
+
+void memcpy( void *dst, const void *src, size_t len ) {
+
+    for ( size_t i = 0; i < len; i++ ) {
+        ( (u8 *)dst )[i] = ( (u8 *)src )[i];
+    }
+
+}
+
+__attribute__((section(".init")))
+void entry() {
+
+    memcpy( (void*) ( IRAM_END - IROM_LEN + 1 ), (void*) IROM_BEGIN, IROM_LEN );
+
+    register do_bct_boot_t do_bct_boot = (do_bct_boot_t) ( BOOTROM_DO_BCT_BOOT | 1 );
+    do_bct_boot();
+    while(1);
+
+}
+

Shofel4Jibo/payloads/intermezzo.c

@@ -0,0 +1,55 @@
+#include "types.h"
+#include "t124.h"
+
+extern u32 __payload_bin_start;
+extern u32 __payload_bin_end;
+
+typedef void (*post_relocation_t)( void );
+typedef void (*payload_ep_t)( void );
+typedef void (*_memcpy_t)( void *dst, const void *src, size_t len );
+
+void _memcpy( void *dst, const void *src, size_t len ) {
+
+    for ( size_t i = 0; i < len; i++ ) {
+        ( (u8 *)dst )[i] = ( (u8 *)src )[i];
+    }
+
+}
+// Probably I could trust in have relative PC branches, so no address would
+// require to be updated. This would work since there is a whole new copy
+// of the binary on the relocated area and PC would be working on that area
+// but having memcpy address on a register and update it to the relocated
+// area when required should improve the chances of the compiler not messing
+// up with the memcpy calls.
+register _memcpy_t memcpy asm("r7");
+        
+void _post_relocation() {
+
+    // Same with these arguments....
+    register u32 payload_bef_len = *( (u32 *) IRAM_ADD_PAYLOAD_BEF_LENVAR );
+    register u32 payload_aft_len = *( (u32 *) IRAM_ADD_PAYLOAD_AFT_LENVAR );
+    register u32 payload_thumb_mode = *( (u32 *) IRAM_ADD_PAYLOAD_THUMB_MODE );
+
+    memcpy -= INTERMEZZO_LEN;
+    memcpy( (u8 *) BOOTROM_PAYLOAD_ENTRY, (u8 *) IRAM_ADD_PAYLOAD_START, payload_bef_len );
+    memcpy( (u8 *) (BOOTROM_PAYLOAD_ENTRY + payload_bef_len), (u8 *) IRAM_ADD_PAYLOAD_CONT, payload_aft_len );
+
+    payload_ep_t payload_ep = (payload_ep_t) ( BOOTROM_PAYLOAD_ENTRY | payload_thumb_mode );
+    payload_ep();
+
+}
+
+__attribute__((section(".init")))
+void pre_relocation() {
+
+    u32 payload_bin_size = (u32)&__payload_bin_end - (u32)&__payload_bin_start;
+    u8 *dest = (u8 *) ( BOOTROM_PAYLOAD_ENTRY - INTERMEZZO_LEN );
+
+    memcpy = _memcpy;
+    memcpy( dest, &__payload_bin_start, payload_bin_size );
+ 
+    post_relocation_t post_relocation = _post_relocation - INTERMEZZO_LEN;
+    post_relocation();
+
+}
+

Shofel4Jibo/payloads/ipatch_rcm.c

@@ -0,0 +1,41 @@
+/* Based on similar payload by ktemkin
+ * https://gist.github.com/ktemkin/825d5f4316f63a7c11ea851a2022415a
+ */
+
+#include "types.h"
+#include "t124.h"
+
+#define _REG(base, off) *(volatile unsigned int *)((base) + (off))
+#define reg_write(base, off, value) _REG(base, off) = value
+#define reg_clear(base, off, value) _REG(base, off) &= ~value
+#define reg_set(base, off, value) _REG(base, off) |= value
+
+/**
+ * Patches over a given address in the IROM using the IPATCH hardware.
+ */
+void ipatch_word(u8 slot, u32 addr, u16 new_value)
+{
+	u32 slot_value;
+	u32 offset;
+
+	// Mark the relevant ipatch slot as not-in-use.
+	reg_clear(IPATCH_BASE, IPATCH_SELECT, (1 << slot));
+
+	// Compute the new patch value.
+	offset = (addr & 0xFFFF) >> 1;
+	slot_value = (offset << 16) | new_value;
+
+	// Figure out the location of the slot to touch.
+	reg_write(IPATCH_BASE, IPATCH_REGS + (slot * 4), slot_value);
+
+	// Apply the new one.
+	reg_set(IPATCH_BASE, IPATCH_SELECT, (1 << slot));
+}
+
+__attribute__((section(".init")))
+void entry() {
+	ipatch_word(1, BOOTROM_GET_SECURITY_MODE, 0x2000);
+
+	register entry_point entry = (entry_point) ( 0x00101128 | 1 );
+	entry();
+}

Shofel4Jibo/payloads/jtag_example.c

@@ -0,0 +1,40 @@
+#include "t124.h"
+#include "types.h"
+
+static inline u32 read32(uintptr_t addr) {
+    return *(vu32 *)addr;
+}
+
+static inline void write32(uintptr_t addr, u32 val) {
+    *(vu32 *)addr = val;
+}
+
+static inline void or32(uintptr_t addr, u32 val) {
+    write32(addr, read32(addr) | val);
+}
+
+__attribute__(( section(".init") ))
+void main() {
+
+    
+    u32 pirom_start_0 = 0x00010000;
+    write32( SECURE_BOOT_BASE + SB_PIROM_START_0, pirom_start_0 );
+
+    u32 sb_csr_0 = 0x00000010;
+    write32( SECURE_BOOT_BASE + SB_CSR_0, sb_csr_0 );
+
+    u32 sb_pfcfg_0 = read32( SECURE_BOOT_BASE + SB_PFCFG_0 );
+    sb_pfcfg_0 &= 0xfffffff0;
+    sb_pfcfg_0 |= 0xf;
+    write32( SECURE_BOOT_BASE + SB_PFCFG_0, sb_pfcfg_0 );
+
+    or32( APB_BASE + APB_MISC_PP_CONFIG_CTL_0, APB_MISC_PP_CONFIG_CTL_0_JTAG |
+                                               APB_MISC_PP_CONFIG_CTL_0_TBE );
+    while(1) {
+        // Halt COP and wait for JTAG
+        or32( FLOW_CTLR_BASE + FLOW_CTLR_HALT_COP_EVENTS_0,
+                FLOW_CTLR_HALT_COP_FLOW_MODE_WAITEVENT |
+                FLOW_CTLR_HALT_COP_JTAG );
+    }
+}
+

Shofel4Jibo/payloads/mem_dumper_usb_server.c

@@ -0,0 +1,58 @@
+#include "types.h"
+#include "t124.h"
+#include "mem_dumper_usb_server.h"
+
+typedef void (*ep1_x_imm_t)(void *buffer, u32 size, u32 *num_xfer);
+
+void memcpy( void *dst, const void *src, size_t len ) {
+
+    for ( size_t i = 0; i < len; i++ ) {
+        ( (u8 *)dst )[i] = ( (u8 *)src )[i];
+    }
+
+}
+
+static inline u32 read32(uintptr_t addr) {
+    return *(vu32 *)addr;
+}
+
+static inline void write32(uintptr_t addr, u32 val) {
+    *(vu32 *)addr = val;
+}
+
+static inline void or32(uintptr_t addr, u32 val) {
+    write32(addr, read32(addr) | val);
+}
+
+void enter_rcm() {
+    or32(PMC_BASE + PMC_SCRATCH0, PMC_SCRATCH0_MODE_RCM);
+    or32(PMC_BASE + PMC_CNTRL, PMC_CNTRL_MAIN_RST);
+}
+
+__attribute__((section(".init")))
+void entry() {
+
+    u32 num_xfer;
+    u32 to_send;
+    struct mem_dumper_args_s args;
+    u8 *buffer = (u8*)0x40020000;
+
+    ep1_x_imm_t ep1_out_read_imm = (ep1_x_imm_t) ( BOOTROM_EP1_OUT_READ_IMM | 1 );
+    ep1_x_imm_t ep1_in_write_imm = (ep1_x_imm_t) ( BOOTROM_EP1_IN_WRITE_IMM | 1 );
+
+    ep1_out_read_imm( &args, sizeof(args), &num_xfer );
+    
+    while ( args.len > 0 ) {
+
+        to_send = args.len > 0x1000? 0x1000 : args.len;
+        
+        memcpy( buffer, (void*)args.start, to_send );
+        ep1_in_write_imm( buffer, to_send, &num_xfer );
+
+        args.start += to_send;
+        args.len -= to_send;
+    }
+    enter_rcm();
+
+}
+

Shofel4Jibo/payloads/payload.ld

@@ -0,0 +1,16 @@
+__payload_bin_start = 0x4000E000;
+ENTRY(__payload_bin_start)
+
+SECTIONS {
+    /* We don't do GOT relocation and rely on nothing ending up using the GOT
+     * (-fno-common helps here) */
+    /DISCARD/ : { *(.comment) }
+    .init (__payload_bin_start): { *(.init) *(.init.*) }
+    .text : { *(.text) *(.text.*) }
+    .data : { *(.data) *(.data.*) }
+    .rodata : { *(.rodata) *(.rodata.*) *(.got) }
+    .got : { *(.got) }
+    .bss : { *(.bss) *(.bss.*) *(COMMON)}
+    .footer : { LONG(0xdeadbeef) } /* make sure .bss is padded out */
+    __payload_bin_end = .;
+}

Shofel4Jibo/payloads/reset_example.c

@@ -0,0 +1,20 @@
+#include "t124.h"
+#include "types.h"
+
+static inline u32 read32(uintptr_t addr) {
+    return *(vu32 *)addr;
+}
+
+static inline void write32(uintptr_t addr, u32 val) {
+    *(vu32 *)addr = val;
+}
+
+static inline void or32(uintptr_t addr, u32 val) {
+    write32(addr, read32(addr) | val);
+}
+
+__attribute__((section(".init")))
+void main() {
+    or32(PMC_BASE + PMC_CNTRL, PMC_CNTRL_MAIN_RST);
+}
+