An intermezzo that calls the USB RX functions would fit before the stack smash address and would negate the need to split the user payload into two. It would also allow for the maximum RCM size to be used (larger if completely smashing the original stack is acceptable).
I got an old Sony Tablet S with an AP20H SoC; it is essentially the same as the T20, but the GPU runs at 300 MHz instead of 333 MHz (T20).
If it is, what would I need to do to get this working?
Now that a PC-relative intermezzo is complete, I should spend the time to clean things up, add device detection and use the correct RCM header size, payload address, VID/PID, etc.
Hi,
I am trying to port Fusee Gelee to Tegra114 (T40).
So far I have had no success.
How did you port the other devices? Any tips? Will a bootrom dump from Dalmore dev tablet help?
I think I understand the basic concept of the exploit, but I think I am missing something.
As far as I understand, I need to know the following things:
RCM_PAYLOAD_ADDR: should be 0x4000E000
RCM_HEADER_SIZE: should be RCM_V35_HEADER_SIZE = 628
COPY_BUFFER_ADDRESSES: Here is only the upper DMA address important/interesting. (My guess: 0x40008000)
The stack spray range: could effectively use the whole payload between intermezzo and user_payload?
stack spray: should be RCM_PAYLOAD_ADDR, right?
I hope you can remember how you ported FG to T20/30/...
Thanks in advance :)
P.S. I have a payload which should put some chars to the UART. It was adapted from a T30 payload and was proven to work as a UEFI payload.
I think the payload isn't the problem