Add injector
parent
cef69aef53
commit
cdb09e8ddf
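--- a/x1/Makefile
+++ b/x1/Makefile
@@ -7,7 +7,7 @@ all: return.bin mrc.bin c/main.bin
 
 .PHONY:
 clean:
-@rm -f *.bin spray/*.bin c/*.bin
+@rm -f *.bin spray/*.bin c/*.bin injector/*.bin injector/*.elf
 
 %.bin: %.S
 @$(AS) $<
@@ -28,3 +28,14 @@ spray/main.bin:
 @./extract.py -p a.out spray/bottom_reset.bin
 @./append_nop.py spray/top.bin spray/bottom.bin spray/bottom_reset.bin spray/main.bin 112 113
 @rm -f a.out
+
+injector/AppMain.bin:
+@if [ "$(INJECTED_S)" = "" ]; then \
+echo "Please specify INJECTED_S."; \
+exit 1; \
+fi
+@$(AS) $(INJECTED_S) -o injector/injected.elf
+@./extract.py -p injector/injected.elf injector/injected.bin
+@$(AS) injector/disable_mmu.S -o injector/disable_mmu.elf
+@./extract.py -p injector/disable_mmu.elf injector/disable_mmu.bin
+@./injector/inject.py 0xf00000 0x700000 injector/disable_mmu.bin injector/injected.bin injector/AppMain.bin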
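Review bot: The new `injector/AppMain.bin` rule lists no prerequisites, so once that file exists make treats it as up to date and a later run with a different `INJECTED_S` silently keeps the old image. Declaring the inputs, e.g. `injector/AppMain.bin: $(INJECTED_S) injector/disable_mmu.S injector/inject.py`, or marking the target phony so it always rebuilds, avoids shipping a stale payload. The same commit also checks in `injector/disable_mmu.elf` and `injector/injected.elf`, which `clean` now deletes through `injector/*.elf`. Generated binaries cannot be reviewed from the diff, so they are better left out of the tree and ignored.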
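--- a/x1/injector/disable_mmu.S
+++ b/x1/injector/disable_mmu.S
@@ -0,0 +1,17 @@
+.text
+.align 2
+.global _start
+
+_start:
+mov r9, #0
+ldr r0, =0x67800000
+
+mrc p15, 0, r10, c1, c0, 0
+@bic r10, r10, #5 @ disable MMU and dcache
+bic r10, r10, #1 @ disable MMU
+@bic r10, r10, #4096 @ disable icache
+mcr p15, 0, r10, c1, c0, 0 // write ctrl regs
+#mcr p15, 0, r9, c7, c7, 0 // invalidate cache
+#mcr p15, 0, r9, c8, c7, 0 // invalidate TLB
+mov pc, r0
+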
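Review bot: `_start` clears only the MMU enable bit and keeps executing with the data cache left on and both invalidation lines commented out, but nothing in the file states the assumptions that make this safe. Presumably the stub runs from an identity-mapped address so that the fetch of `mov pc, r0` still resolves after the `mcr`, and 0x67800000 is the physical address where execution should continue. A header comment such as `@ assumes VA == PA for this stub; 0x67800000 = physical entry of the next stage (TODO confirm)` would record that, together with whether dirty data-cache lines need cleaning before the jump. `r9` is set but only the commented-out lines read it. The file also mixes `@`, `//` and `#` comments; using `@` throughout keeps `#mcr` from being read as a preprocessor directive if this `.S` file is ever passed through cpp.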
BIN
x1/injector/disable_mmu.elf
Normal file
BIN
x1/injector/disable_mmu.elf
Normal file
Binary file not shown.
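--- a/x1/injector/inject.py
+++ b/x1/injector/inject.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+
+import sys
+
+
+def main():
+if len(sys.argv) < 6:
+print(f"Usage: {sys.argv[0]} total page_offset disable_mmu.bin injected.bin out.bin")
+sys.exit(1)
+
+total, offset, dismmu, injected, out = sys.argv[1:6]
+total = int(total, base=16 if total.startswith('0x') else 10)
+offset = int(offset, base=16 if offset.startswith('0x') else 10)
+
+if total % 4 != 0:
+print(f'Total is not aligned', file=sys.stderr)
+sys.exit(1)
+elif offset % (1024 * 64) != 0:
+print(f'Page offset is not aligned', file=sys.stderr)
+sys.exit(1)
+
+with open(dismmu, 'rb') as dmf, open(injected, 'rb') as injf, open(out, 'wb') as out:
+nop = b'\x00\x00\xa0\xe1'
+dm = dmf.read()
+inj = injf.read()
+
+out.write(dm)
+out.write(nop * ((offset - len(dm)) // 4))
+out.write(nop * ((1024 * 64 - len(inj)) // 4))
+out.write(inj)
+out.write(nop * ((total - offset - 1024 * 64) // 4))
+
+
+main()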
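Review bot: Nothing in `main` checks that the inputs fit the requested layout. When `len(dm) > offset`, `len(inj) > 1024 * 64` or `offset + 1024 * 64 > total`, the `nop * (negative count)` expressions evaluate to `b''`, so the script exits 0 with an image whose payload sits at the wrong offset and whose size differs from `total`. An input whose length is not a multiple of 4 is likewise truncated by `// 4`, which shifts everything written after it. I would read both inputs first, validate them, and only then open the output, which also stops `open(out, 'wb') as out` from rebinding the path variable. A `if __name__ == '__main__':` guard around the final `main()` call would make the module importable for tests.

```python
    total, offset, dismmu, injected, out = sys.argv[1:6]
    # … unchanged: total/offset parsing and alignment checks …

    page = 1024 * 64
    with open(dismmu, 'rb') as dmf, open(injected, 'rb') as injf:
        dm = dmf.read()
        inj = injf.read()

    if len(dm) % 4 != 0 or len(inj) % 4 != 0:
        sys.exit('Input binaries must be a multiple of 4 bytes long')
    if len(dm) > offset or len(inj) > page or offset + page > total:
        sys.exit('Inputs do not fit the requested layout')

    with open(out, 'wb') as outf:
        # … unchanged: nop padding and the five writes, now on outf …
```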
BIN
x1/injector/injected.elf
Normal file
BIN
x1/injector/injected.elf
Normal file
Binary file not shown.