From cdb09e8ddf359f84b6c092b067dc7ca824281add Mon Sep 17 00:00:00 2001 From: Takumi Sueda Date: Sat, 6 Mar 2021 20:32:14 +0900 Subject: [PATCH] Add injector --- x1/Makefile | 13 ++++++++++++- x1/injector/disable_mmu.S | 17 +++++++++++++++++ x1/injector/disable_mmu.elf | Bin 0 -> 624 bytes x1/injector/inject.py | 34 ++++++++++++++++++++++++++++++++++ x1/injector/injected.elf | Bin 0 -> 584 bytes 5 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 x1/injector/disable_mmu.S create mode 100644 x1/injector/disable_mmu.elf create mode 100755 x1/injector/inject.py create mode 100644 x1/injector/injected.elf diff --git a/x1/Makefile b/x1/Makefile index 95abf93..df6af8b 100644 --- a/x1/Makefile +++ b/x1/Makefile @@ -7,7 +7,7 @@ all: return.bin mrc.bin c/main.bin .PHONY: clean: - @rm -f *.bin spray/*.bin c/*.bin + @rm -f *.bin spray/*.bin c/*.bin injector/*.bin injector/*.elf %.bin: %.S @$(AS) $< @@ -28,3 +28,14 @@ spray/main.bin: @./extract.py -p a.out spray/bottom_reset.bin @./append_nop.py spray/top.bin spray/bottom.bin spray/bottom_reset.bin spray/main.bin 112 113 @rm -f a.out + +injector/AppMain.bin: + @if [ "$(INJECTED_S)" = "" ]; then \ + echo "Please specify INJECTED_S."; \ + exit 1; \ + fi + @$(AS) $(INJECTED_S) -o injector/injected.elf + @./extract.py -p injector/injected.elf injector/injected.bin + @$(AS) injector/disable_mmu.S -o injector/disable_mmu.elf + @./extract.py -p injector/disable_mmu.elf injector/disable_mmu.bin + @./injector/inject.py 0xf00000 0x700000 injector/disable_mmu.bin injector/injected.bin injector/AppMain.bin diff --git a/x1/injector/disable_mmu.S b/x1/injector/disable_mmu.S new file mode 100644 index 0000000..4ca82ad --- /dev/null +++ b/x1/injector/disable_mmu.S 
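Review bot: The new `injector/AppMain.bin` rule in the second Makefile hunk declares no prerequisites, so once the file exists make never rebuilds it when `$(INJECTED_S)`, `injector/disable_mmu.S` or `injector/inject.py` change, and a stale image is easy to ship without noticing. Declaring the inputs, e.g. `injector/AppMain.bin: $(INJECTED_S) injector/disable_mmu.S injector/inject.py extract.py`, fixes that; the empty-variable test can then leave the shell recipe and become a make-level check such as `$(if $(INJECTED_S),,$(error Please specify INJECTED_S.))`. The layout constants `0xf00000 0x700000` handed to inject.py are unexplained in the Makefile; a comment naming them (total image size and page offset, judging by the script's usage string) would help the next reader.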
@@ -0,0 +1,17 @@
+.text
+ .align 2
+ .global _start
+
+_start:
+ mov r9, #0
+ ldr r0, =0x67800000
+
+ mrc p15, 0, r10, c1, c0, 0
+ @bic r10, r10, #5 @ disable MMU and dcache
+ bic r10, r10, #1 @ disable MMU
+ @bic r10, r10, #4096 @ disable icache
+ mcr p15, 0, r10, c1, c0, 0 // write ctrl regs
+ #mcr p15, 0, r9, c7, c7, 0 // invalidate cache
+ #mcr p15, 0, r9, c8, c7, 0 // invalidate TLB
+ mov pc, r0
+
diff --git a/x1/injector/disable_mmu.elf b/x1/injector/disable_mmu.elf
new file mode 100644
index 0000000000000000000000000000000000000000..e696f776906073f0d3a1106003ea793faf41632d
GIT binary patch
literal 624
zcma)(O-chn5QSem{)`|paV6+R2$+R5E?m0FLRSjn1*C@=Gz&qdThNs`f;Vt(kb8Iw
zNwN*%39OfyiXAul;N?}(A5}e_m$Qp=V+>RVJ^XaQanr1w%z++KYyhwIcnfdSY}A>V
z`hA>@%nYCP2Qa+tcLa2$%Lgz*B8`XXk|>j3$!eCX1-37J0AdyqSczxLh(+P2Oo0%BKKZxZq%O?_vAbm)3<)4f4lOdL8rN>#5pT0-rStf=$K03nrwU0b_YIZ;E}8%U
literal 0
HcmV?d00001
diff --git a/x1/injector/inject.py b/x1/injector/inject.py
new file mode 100755
index 0000000..7591b98
--- /dev/null
+++ b/x1/injector/inject.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+
+import sys
+
+
+def main():
+ if len(sys.argv) < 6:
+ print(f"Usage: {sys.argv[0]} total page_offset disable_mmu.bin injected.bin out.bin")
+ sys.exit(1)
+
+ total, offset, dismmu, injected, out = sys.argv[1:6]
+ total = int(total, base=16 if total.startswith('0x') else 10)
+ offset = int(offset, base=16 if offset.startswith('0x') else 10)
+
+ if total % 4 != 0:
+ print(f'Total is not aligned', file=sys.stderr)
+ sys.exit(1)
+ elif offset % (1024 * 64) != 0:
+ print(f'Page offset is not aligned', file=sys.stderr)
+ sys.exit(1)
+
+ with open(dismmu, 'rb') as dmf, open(injected, 'rb') as injf, open(out, 'wb') as out:
+ nop = b'\x00\x00\xa0\xe1'
+ dm = dmf.read()
+ inj = injf.read()
+
+ out.write(dm)
+ out.write(nop * ((offset - len(dm)) // 4))
+ out.write(nop * ((1024 * 64 - len(inj)) // 4))
+ out.write(inj)
+ out.write(nop * ((total - offset - 1024 * 64) // 4))
+
+
+main()
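Review bot: `mov r9, #0` on the sixth line of the hunk has no live user: r9 is read only by the two `#mcr … c7, c7, 0` / `c8, c7, 0` invalidate instructions, and both are commented out, so the write is dead and it is unclear whether the invalidation was meant to stay. If skipping TLB/cache invalidation is deliberate, say so in a comment above the `mcr p15, 0, r10, c1, c0, 0` line, e.g. `@ clear only the M bit; TLB/cache invalidation intentionally skipped`, otherwise drop the dead `mov` and the commented-out lines. The jump target `0x67800000` is likewise unexplained; a header such as `@ Clear bit 0 (M) of the CP15 control register, then jump to the injected payload at 0x67800000 (a physical address once the MMU is off)` would let a reader follow the file without the Makefile. The file also mixes three comment syntaxes (`@`, `//`, leading `#`); using the ARM `@` form throughout avoids relying on assembler-specific handling of the other two.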
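Review bot: The padding arithmetic in main() silently produces a malformed image when the inputs do not fit: `nop * ((offset - len(dm)) // 4)` and the other two repeat counts evaluate to `b''` for a negative count instead of failing, and `// 4` floors when `len(dm)` or `len(inj)` is not a multiple of four, so the payload then lands a few bytes short of the page boundary and the file comes out shorter than `total`. The script checks `total` and `offset` alignment but never that `len(dm) <= offset`, `len(inj) <= 64 KiB` or `total >= offset + 64 KiB`. Adding those checks next to the existing ones, and giving the `as out` file object its own name so it stops shadowing the output path, keeps the error reporting consistent with the alignment checks. Smaller points: `int(total, 0)` already handles the `0x` prefix, the two `f'...'` messages have no placeholders, the usage text goes to stdout while the other errors go to stderr, and the bare `main()` call would normally sit under `if __name__ == '__main__':`.
```python
    # … unchanged: argument parsing and total/offset alignment checks …
    page = 1024 * 64
    with open(dismmu, 'rb') as dmf, open(injected, 'rb') as injf, open(out, 'wb') as outf:
        nop = b'\x00\x00\xa0\xe1'
        dm = dmf.read()
        inj = injf.read()

        # The repeat counts below must be non-negative whole words: bytes * negative
        # yields b'' and // 4 drops a remainder, either of which misplaces the
        # payload without any error.
        if len(dm) % 4 != 0 or len(inj) % 4 != 0:
            print('Input binaries are not word-aligned', file=sys.stderr)
            sys.exit(1)
        if len(dm) > offset or len(inj) > page or total < offset + page:
            print('Inputs do not fit the requested layout', file=sys.stderr)
            sys.exit(1)

        outf.write(dm)
        outf.write(nop * ((offset - len(dm)) // 4))
        outf.write(nop * ((page - len(inj)) // 4))
        outf.write(inj)
        outf.write(nop * ((total - offset - page) // 4))
```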
diff --git a/x1/injector/injected.elf b/x1/injector/injected.elf new file mode 100644 index 0000000000000000000000000000000000000000..aab7ec51b3ee6a3f4f3610ce6cb325424a578035 GIT binary patch literal 584 zcmah`F>V4e5FE!44yA##sUjgk5xGj4h9XoTp?o0niIbo}iq4A!RldSg=<|vwAIKB3 zb7$v{C=zp8&#XOO@7eFq^O-RQ2?i518IaXU_pvfekfEpQ_=WG|=X9vj7e3#>a5j1? z=YNAes|;9No!P9;w9m$$%%Y=Tg8|n^9l{jhKP(-A9eB!q6L-Y2(B;OCJfh0x% literal 0 HcmV?d00001