t8015 support
minacrissdev opened this issue · 2 comments
Trying to create a t8015 loader:

```swift
return [
    // Patch to boot iBoot
    0x1000079DC: [ 0x68, 0x00, 0x80, 0x52 ], // movz w8, #0x3
    // Patch for the boot trampoline
    0x180018000: [
        0xE2, 0x07, 0x61, 0xB2, // mov x2, #0x180000000
        0x40, 0x00, 0x3F, 0xD6, // blr x2
    ],
    // Our loader goes here
    0x180000000: Array<UInt8>(loader),
    // Our shellcode goes here
    // Note: This must be 4kB aligned
    0x180001000: Array<UInt8>(iStrap_4x),
]
```
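A consistency check for a patch table laid out like the one above, added here as an example (not the project's own code): it re-encodes the instructions the table's comments claim, decodes the `mov x2, #imm` bitmask immediate, and flags an unaligned shellcode slot or overlapping patches. The `loader` and `iStrap_4x` blobs are constructed zero-filled placeholders, since their contents are not on the page.

```python
from typing import Dict, List

PAGE = 0x1000  # the table's note requires the shellcode slot to be 4 kB aligned


def encode_movz_w(rd: int, imm16: int) -> bytes:
    """Little-endian encoding of AArch64 `movz w<rd>, #imm16` (hw = 0)."""
    assert 0 <= rd < 32 and 0 <= imm16 <= 0xFFFF
    return (0x52800000 | (imm16 << 5) | rd).to_bytes(4, "little")


def encode_blr(rn: int) -> bytes:
    """Little-endian encoding of AArch64 `blr x<rn>`."""
    assert 0 <= rn < 32
    return (0xD63F0000 | (rn << 5)).to_bytes(4, "little")


def decode_orr64_imm(word: int) -> int:
    """Immediate of a 64-bit `orr xd, xzr, #imm` (the `mov xd, #imm` alias); N=1 patterns only."""
    if word >> 23 != 0x164 or not (word >> 22) & 1:
        raise ValueError(f"not a 64-bit orr-immediate with N=1: {word:#010x}")
    immr, imms = (word >> 16) & 0x3F, (word >> 10) & 0x3F
    ones = (1 << (imms + 1)) - 1  # imms+1 consecutive set bits, rotated right by immr below
    return ((ones >> immr) | (ones << (64 - immr))) & ((1 << 64) - 1)


def check_patch_table(patches: Dict[int, bytes], shellcode_slot: int) -> List[str]:
    """Return layout problems: an unaligned shellcode slot or patches that overlap."""
    problems = []
    if shellcode_slot % PAGE:
        problems.append(f"shellcode slot {shellcode_slot:#x} is not {PAGE:#x}-aligned")
    spans = sorted((addr, addr + len(data)) for addr, data in patches.items())
    for (s0, e0), (s1, _) in zip(spans, spans[1:]):
        if s1 < e0:
            problems.append(f"patch at {s1:#x} overlaps patch {s0:#x}-{e0:#x}")
    return problems


def trampoline_matches_comments(patches: Dict[int, bytes]) -> bool:
    """True if the patch bytes really are the instructions the table's comments claim."""
    tramp = patches[0x180018000]
    return (patches[0x1000079DC] == encode_movz_w(8, 3)
            and decode_orr64_imm(int.from_bytes(tramp[:4], "little")) == 0x180000000
            and tramp[4:] == encode_blr(2))


LOADER, ISTRAP_4X = bytes(0x800), bytes(0x100)  # constructed stand-ins for the real blobs
PATCHES = {
    0x1000079DC: bytes([0x68, 0x00, 0x80, 0x52]),                          # movz w8, #0x3
    0x180018000: bytes([0xE2, 0x07, 0x61, 0xB2, 0x40, 0x00, 0x3F, 0xD6]),  # mov x2, #0x180000000; blr x2
    0x180000000: LOADER,
    0x180001000: ISTRAP_4X,
}

if __name__ == "__main__":
    print(trampoline_matches_comments(PATCHES), check_patch_table(PATCHES, 0x180001000))
```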
Did it work for you?
Hello.
I have a question.
I cannot write memory at address 0x1000079DC.
I tried using GDB and a BONOBO cable.

```
(gdb) target remote :3333
Remote debugging using :3333
warning: No executable has been specified and target does not support
determining executable automatically. Try using the "file" command.
0x0000000100000568 in ?? ()
(gdb) x/10x 0x1000079DC
0x1000079dc: 0x528000a8 0xb9000028 0xb900007f 0x320003e8
0x1000079ec: 0xaa0803e0 0xd65f03c0 0xffffffb8 0xffffffac
0x1000079fc: 0xffffffc0 0xffffffd0
(gdb) set *0x1000079DC=0x00000061
Cannot access memory at address 0x1000079dc
(gdb) x/10x 0x1000079DC
0x1000079dc: 0x528000a8 0xb9000028 0xb900007f 0x320003e8
0x1000079ec: 0xaa0803e0 0xd65f03c0 0xffffffb8 0xffffffac
0x1000079fc: 0xffffffc0 0xffffffd0
(gdb) x/10x 0x180018000
0x180018000: 0xd5034fdf 0xaa0003fd 0xaa0103fc 0x58001820
0x180018010: 0x58001841 0xd50b7420 0x91010000 0xeb01001f
0x180018020: 0x54ffffa3 0x580017e0
(gdb) set *0x180018000=0x00000061
(gdb) x/10x 0x180018000
0x180018000: 0x00000061 0xaa0003fd 0xaa0103fc 0x58001820
0x180018010: 0x58001841 0xd50b7420 0x91010000 0xeb01001f
0x180018020: 0x54ffffa3 0x580017e0
(gdb)
```

So I tried another way.
It was successful.

```cpp
// m is a std::map<uint64_t, std::vector<uint8_t>> keyed by patch address
m.insert(pair<uint64_t, vector<uint8_t>>(0x180000000, {
    0x61,
}));
```

```
iphone.ecore0 arp_halt
iphone.ecore0 cluster 0 core 0 multi core
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000568
MMU: enabled, D-Cache: enabled, I-Cache: enabled
iphone.ecore0 mdw 0x180000000 4
0x180000000: ffffff61 ffffffff 00000000 00000000
```

However, the iPhone X rebooted when the code below was executed.

```cpp
// same map as above, now targeting the iBoot patch address
m.insert(pair<uint64_t, vector<uint8_t>>(0x1000079DC, {
    0x61,
}));
```

How can I write patch code on the 8015?