TZ Exploit - CTS
Write code into TZ mem and jump to it. Hopefully it will execute at EL3.
Page 1697: can only be read from secure mode.
Page 1139.
A custom payload will be used to read the Exception Level in APX mode. I expect it to be 3.
#define CPSR_M_SVC 0x13U
Supervisor mode is the default mode to which a Supervisor Call exception is taken.
A normal EFI app will be used to read the Exception Level from UEFI. I expect it to be 0.
#define CPSR_M_FIQ 0x11U
FIQ mode is the default mode to which an FIQ interrupt is taken.
We need a relocatable payload since UEFI can give us different load addresses every time.
Create a payload which reads the EL and reports back via serial. Read the payload from USB/eMMC into memory. Disable TZ protection. Copy the payload into TZ mem. Override TZ with jumps to the payload address. If the payload reads EL3, continue.
to be continued...
Therefore we need to use position-independent code: