TZ Exploit - CTS
- Read EL from APX
- Read EL from UEFI
- Create Payload
Write code into TZ mem and jump to it. Hopefully it will execute at EL3.
https://stackoverflow.com/questions/31787617/what-is-the-current-execution-mode-exception-level-etc http://lioncash.github.io/ARMBook/the_apsr,_cpsr,_and_the_difference_between_them.html https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR.html https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR__M.html
a custom payload will be used to read the Exception Level from in APX mode. I expect it to be 3.
Supervisor mode is the default mode to which a Supervisor Call exception is taken.
FuseeGelee Payload to read EL from APX
A normal efi App will be used to read the Execption Level from UEFI. I expect it to be 0.
FIQ mode is the default mode to which an FIQ interrupt is taken.
We need a relocateable payload since UEFI can give us different load addresses everytime.
Therefore we need to use Position independent code: https://stackoverflow.com/questions/6324257/load-time-base-address-cortex-m3-bare-metal https://stackoverflow.com/questions/5311515/gcc-fpic-option
Create payload which reads EL and reports back via serial. Read payload from USB/eMMC to memory. Disable TZ protection. copy payload into TZ mem. override TZ with jumps to payload address. If payload reads EL3 continue.
to be continued...