TZ Exploit - CTS
- Read EL from APX
- Read EL from UEFI
- Create Payload
Write code into TZ mem and jump to it. Hopefully it will execute at EL3.
https://developer.arm.com/documentation/ddi0406/latest/ page 1697: can only be read from securemode.
https://stackoverflow.com/questions/31787617/what-is-the-current-execution-mode-exception-level-etc
http://lioncash.github.io/ARMBook/the_apsr,_cpsr,_and_the_difference_between_them.html
https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR.html
https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR__M.html
a custom payload will be used to read the Exception Level from in APX mode.
I expect it to be 3.

#define CPSR_M_SVC 0x13U |
Supervisor mode is the default mode to which a Supervisor Call exception is taken.
payload.c
8KB
Text
FuseeGelee Payload to read EL from APX
A normal efi App will be used to read the Execption Level from UEFI.
I expect it to be 0.

#define CPSR_M_FIQ 0x11U |
FIQ mode is the default mode to which an FIQ interrupt is taken.
We need a relocateable payload since UEFI can give us different load addresses everytime.
Therefore we need to use Position independent code:
https://stackoverflow.com/questions/6324257/load-time-base-address-cortex-m3-bare-metal
https://stackoverflow.com/questions/5311515/gcc-fpic-option
Create payload which reads EL and reports back via serial.
Read payload from USB/eMMC to memory.
Disable TZ protection.
copy payload into TZ mem.
override TZ with jumps to payload address.
If payload reads EL3 continue.
to be continued...
Last modified 2yr ago