brain-hackers_pepepper-mirror/lab
1
0
Fork 0
mirror of https://github.com/brain-hackers/lab synced 2024-12-22 12:10:04 +09:00
Code Issues Projects Releases Wiki Activity

Implement memory spray

Browse Source
This commit is contained in:
Takumi Sueda 2021-03-05 22:07:56 +09:00
parent 60d409f947
commit 7372479efc
5 changed files with 68 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
x1/Makefile
View File

@ -7,7 +7,7 @@ all: return.bin mrc.bin c/main.bin
.PHONY: .PHONY:
clean: clean:
@rm -f *.bin */*.bin @rm -f *.bin spray/*.bin c/*.bin
%.bin: %.S %.bin: %.S
@$(AS) $< @$(AS) $<
@ -17,4 +17,12 @@ clean:
c/main.bin: c/main.bin:
@$(CC) -nostdlib -static -fPIC -mcpu=cortex-a7 c/start.S c/main.c @$(CC) -nostdlib -static -fPIC -mcpu=cortex-a7 c/start.S c/main.c
@./extract.py a.out $@ @./extract.py a.out $@
#@rm -f a.out @rm -f a.out
spray/main.bin:
@$(AS) spray/top.S
@./extract.py -p a.out spray/top.bin
@$(AS) spray/bottom.S
@./extract.py -p a.out spray/bottom.bin
@./append_nop.py 15728640 spray/top.bin spray/bottom.bin spray/main.bin
@rm -f a.out

24
x1/append_nop.py Executable file
View File

@ -0,0 +1,24 @@
#!/usr/bin/env python3
import sys
def main():
if len(sys.argv) < 5:
print(f'Usage: {sys.argv[0]} N top.bin bottom.bin out.bin', file=sys.stderr)
sys.exit(1)
with open(sys.argv[2], 'rb') as topf, open(sys.argv[3], 'rb') as bottomf, open(sys.argv[4], 'wb') as out:
top, bottom = topf.read(), bottomf.read()
out.write(top)
for i in range((1024 * 64 - len(top) - len(bottom)) // 4):
out.write(b'\x00\x00\xa0\xe1')
out.write(bottom)
for i in range(1024 * 1024 * 15 // (1024 * 64) - 1):
for i in range((1024 * 64 - len(bottom)) // 4):
out.write(b'\x00\x00\xa0\xe1')
out.write(bottom)
main()

14
x1/extract.py
View File

@ -9,7 +9,7 @@ def main():
print(f'Usage: {sys.argv[0]} in.elf out.bin') print(f'Usage: {sys.argv[0]} in.elf out.bin')
sys.exit(1) sys.exit(1)
with open(sys.argv[1], 'rb') as f: with open(sys.argv[-2], 'rb') as f:
extract(ELFFile(f)) extract(ELFFile(f))
@ -19,10 +19,14 @@ def extract(elf):
print('Input ELF has no .text section', file=sys.stderr) print('Input ELF has no .text section', file=sys.stderr)
sys.exit(1) sys.exit(1)
with open(sys.argv[2], 'wb') as f: with open(sys.argv[-1], 'wb') as f:
elf.stream.seek(0) if '-p' in sys.argv:
elf.stream.read(text.header.sh_offset) print(f'Pure .text mode is enabled')
f.write(elf.stream.read()) f.write(text.data())
else:
elf.stream.seek(0)
elf.stream.read(text.header.sh_offset)
f.write(elf.stream.read())
print(f'Successfully extracted the necessary sections to "{sys.argv[2]}"') print(f'Successfully extracted the necessary sections to "{sys.argv[2]}"')

9
x1/spray/bottom.S Normal file
View File

@ -0,0 +1,9 @@
.text
.align 2
.global _start
_start:
loop:
b loop
ldr r0, =0x00000000
mov pc, r0

16
x1/spray/top.S Normal file
View File

@ -0,0 +1,16 @@
.text
.align 2
.global _start
_start:
mov r9, #0
ldr r0, =0x67800000
mrc p15, 0, r10, c1, c0, 0
bic r10, r10, #1 @ disable MMU and dcache
@bic r10, r10, #4096 @ disable icache
mcr p15, 0, r10, c1, c0, 0 // write ctrl regs
#mcr p15, 0, r9, c7, c7, 0 // invalidate cache
#mcr p15, 0, r9, c8, c7, 0 // invalidate TLB
mov pc, r0