The CPU gets out of reset in Secure Mode. SEC phase kicks in, does fundamental setup and enter TrustZone. TrustZone memory occupies the lower memory (32MB).
In stock firmware, TZ MVBAR address is 0x811f8000 on RT for primary core (Boot Processor.)
For secondary CPUs, the MVBAR is：
Core 1 MVBAR 0x82002860
Core 2 MVBAR 0x82003860
Core 3 MVBAR 0x82004860
MVBAR only has valid SMC instruction entry, other exception entries are unused.
There's an issue in TZ's UEFI variable handling. A working exploit can be found at https://github.com/NekomimiRouter/yahallo.