Skip to content

surface-rt-uefi-u-boot-exploit for booting surface-rt-uefi-u-boot from uefi

License

Notifications You must be signed in to change notification settings

wmjb/surface-rt-uefi-u-boot-exploit

Repository files navigation

Launching U-Boot from uefi on EDK2 nvidia hardware, tegra 30. surface by writing to secondary core smc handler address 82002880 pointing it to a payload loaded into memory at 83100000. then the payload launcher using acpi protocol unparks secondary core and this core issues smc call due to payload_secondary being loaded and its address set into secondary core 1 parking mailbox address. the payload loader issues a interrupt to unpark the secondary core which causes payload in memory to execute. payload running on secondary core copies another payload to primary core smc call handler address 80112174. once this is complete secondary payload signals to payload launcher to issue smc call which then the primary core payload is executed and u boot placed into memory by payload launcher at 84000000 is loaded and running and ready to boot into an os.

however at this stage secondary cores are unavailable to the os.

Payload launcher to be used as bootarm.efi - included

payload.bin to be used as primary core payload - included

payload2.bin to be used as secondary core payload. - included

payload_secondary.bin used to launch payload2 on secondary cores by unparking - included

u-boot.dtb.bin used as bootloader and launched at 84000000 - https://github.com/wmjb/surface-rt-uefi-u-boot

place all 5 files on root of usb and boot.

to build...

apt install build-essential python3 python-is-python3 python3-distutils uuid-dev iasl git nasm 

git clone -b edk2-stable202005 https://github.com/tianocore/edk2.git

cd edk2

git submodule update --init

git clone https://github.com/tianocore/edk2-platforms.git

patch 

BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c @2033


BrotliDecoderResult BrotliDecoderDecompress(
-    size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
-    uint8_t* decoded_buffer) {
+    size_t encoded_size,
+    const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
+    size_t* decoded_size,
+    uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {

BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c @1470


BROTLI_BOOL BrotliEncoderCompress(
        int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
-    const uint8_t* input_buffer, size_t* encoded_size,
-    uint8_t* encoded_buffer) {
+    const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
+    size_t* encoded_size,
+    uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { 

see https://801925.bugs.gentoo.org/attachment.cgi?id=736258

BaseTools/Tests/TestTools.py


  def ReadTmpFile(self, fileName):
-        f = open(self.GetTmpFilePath(fileName), 'r')
+        f = codecs.open(self.GetTmpFilePath(fileName), 'r', encoding='utf-8')

BaseTools/Source/Python/AutoGen/UniClassObject.py @152

 
 TheUcs2Codec = Ucs2Codec()
 def Ucs2Search(name):
-    if name == 'ucs-2':
+    if name in ['ucs-2', 'ucs_2']:

make -C BaseTools

. ./edksetup.sh

build -a ARM -p UEFIPrivilegeEscalationPkg/UEFIPrivilegeEscalationPkg.dsc -t GCC5


https://github.com/Open-Surface-RT/UEFIPrivilegeEscalationPkg

# UEFI Privilege Escalation Exploit: Trustzone Exploit that allows running code in secure mode on Surface RT (Tegra 3) with the help of Yahallo (by imbushuo)

This tool allows you to run any given code in the Secure PL1 state of the Cortex-A9 CPU cores. This is based of off [Yahallo by imbushuo](https://github.com/NekomimiRouter/yahallo).

More information will follow.

# License

This code is released under GPLv2.

About

surface-rt-uefi-u-boot-exploit for booting surface-rt-uefi-u-boot from uefi

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published