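/*
 * 0wnboot
 * by chronic and ius
 *
 * http://chronic-dev.org/blog/
 * http://chronicdev.googlecode.com/
 *
 * Freestanding ARM payload that patches a running iBoot image in place.
 * It is built with no libc and no headers and dumped to a flat binary, so
 * every type and every address below is spelled out by hand.
 *
 * Review notes:
 *  - Every absolute address in this file belongs to ONE specific iBoot
 *    build.  Poking these offsets into any other build corrupts unrelated
 *    code or data; verify each one against the target image before reuse.
 *  - The binary is linked at 0 (-Ttext=0x0) but the trampoline written by
 *    _start branches to 0x09000000, which the original LOADADDR note
 *    suggests is where the payload actually runs.  Keep the stores inline;
 *    anything that reads .data/.rodata through an absolute address would
 *    break when executed from the other location.
 */

// compile with:
//
//   arm-elf-gcc -s -Ttext=0x0 -nostdlib -o 0wnboot 0wnboot.c && arm-elf-objcopy -O binary 0wnboot 0wnboot.bin
//   && rm -rf 0wnboot

/*
 * Freestanding build: no <stdint.h>, so the exact-width types are defined
 * by hand.  `unsigned int` (not `unsigned long`) is used for the 32-bit
 * type so that a 32-bit store stays 32 bits even if this file is ever built
 * on an LP64 host; on the ILP32 ARM target the two are the same width.
 */
typedef unsigned short uint16_t;
typedef unsigned int   uint32_t;

/* Address the trampoline below branches to (presumed payload load address). */
#define LOADADDR          0x09000000

/* Inside the signature-check routine: replaced with Thumb `movs r0, #0`. */
#define SIGCHECK_LOC      0x0FF1A132

/* iBoot flags word: set to 0xffffffff to lift the range/permission checks. */
#define IBFLAGS_LOC       0x0FF2ADC0

/* NOTE(review): presumed start of the clearenv routine; overwritten with a 3-word stub. */
#define CLEARENV_LOC      0x0FF19344

/* NOTE(review): presumed 8-byte "clearenv" command-name string, renamed below. */
#define CLEARENV_NAME_LOC 0x0FF23EAC

/*
 * Volatile stores to absolute addresses.  Kept as macros on purpose: the
 * build line passes no -O, so a helper function would likely cost a frame
 * and a `bl` per poke for no benefit in a payload this small.
 */
#define SET_REG16(x, y) (*((volatile uint16_t *)(x)) = (y))
#define SET_REG32(x, y) (*((volatile uint32_t *)(x)) = (y))

/*
 * iBoot's printf, called by absolute address.  Bit 0 is set because the
 * routine is Thumb code (an interworking branch to an odd address switches
 * to Thumb state).  Currently unused -- every banner call in _start is
 * commented out -- but kept so the symbol stays available.
 */
int (*ib_printf)(const char *format, ...) = (void *)(0x0FF1B5BC | 1);

/*
 * Payload entry point (placed at offset 0 by -Ttext=0x0).
 *
 * Applies four patches to iBoot, in this order:
 *   1. flags word           -> 0xffffffff
 *   2. signature check      -> r0 = 0
 *   3. clearenv code        -> trampoline to LOADADDR
 *   4. clearenv command name-> "jumpcode"
 * and then returns to whatever called it; there is no error reporting
 * because nothing here can fail in a detectable way.
 */
void _start(void)
{
    // ib_printf("0wnboot v0.3\n");
    // ib_printf("by chronic and ius\n\n");
    // ib_printf("thanks to pod2g, CPICH, MuscleNerd, and westbaer\n\n");

    // ib_printf("patching iboot flags...\n");
    SET_REG32(IBFLAGS_LOC, 0xffffffff);

    // ib_printf("patching sig check...\n");
    SET_REG16(SIGCHECK_LOC, 0x2000);            /* Thumb: movs r0, #0 */

    // ib_printf("doing clearenv hax...\n");
    /*
     * Overwrite the start of clearenv with a Thumb trampoline:
     *   4B00       ldr r3, [pc, #0]  ; Thumb PC = addr+4 (word aligned) -> the literal below
     *   4718       bx  r3
     *   <LOADADDR>                   ; literal picked up by the ldr
     * r3 has bit 0 clear, so `bx r3` enters LOADADDR in ARM state; the
     * payload must therefore be ARM code (arm-elf-gcc's default absent -mthumb).
     */
    SET_REG16(CLEARENV_LOC + 0, 0x4B00);
    SET_REG16(CLEARENV_LOC + 2, 0x4718);
    SET_REG32(CLEARENV_LOC + 4, LOADADDR);

    /* Rename the clearenv command to "jumpcode", one little-endian word at a time. */
    SET_REG32(CLEARENV_NAME_LOC + 0, 0x706D756A); /* "jump" */
    SET_REG32(CLEARENV_NAME_LOC + 4, 0x65646F63); /* "code" */

    // ib_printf("u haz been 0wned good sir!\n");
}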