BootROM dumping #7
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Rumors (well okay, some exploit writeups) says the USB controller has complete access to the phone's memory, at least in download mode conditions. Perhaps this means we can read/write "forbidden" areas of memory, such as the bootROM and secure monitor firmware?
We already have BootROM exploits of course, but those require entering a special "USB Boot mode" which boots the device via a USB connection to another machine (not over mass storage like on a PC). Entering said mode often requires zeroing or corrupting the bootloader region, which is possible but annoying to restore (you must split up the
sboot.binfile properly and boot it over USB). Even worse, however, getting exploits to work requires guessing some addresses at the very least, and dumping the bootROM via EL1 exploits can make porting such exploits easier.This also means it could be made easier to load a custom secure monitor (no need to run a proprietary blob at all times, yay!). Who knows, perhaps it's even possible to touch modem memory (though I'm too much of a noob to know).
I'm not sure how we'd do this yet (if possible) though. Perhaps we just patch
process_packetto call S-BOOT's USB tx or rx function? Or perhaps we need to do it manually... (frankly I've never worked with hardware directly so I might be lost when it comes to this, but more importantly this could be hardware-specific)It also feels to me as if a phone without proprietary blobs in its lower rings (like EL3) is probably more free than any post-Intel-ME PC. Kinda funny if you think about it.