UEFI
The Surface RT UEFI consists multi phases. Some issues are outlined below.
The CPU gets out of reset in Secure Mode. SEC phase kicks in, does fundamental setup and enter TrustZone. TrustZone memory occupies the lower memory (32MB).
In stock firmware, TZ MVBAR address is 0x811f8000 on RT for primary core (Boot Processor.)
For secondary CPUs, the MVBAR is:
- Core 1 MVBAR 0x82002860
- Core 2 MVBAR 0x82003860
- Core 3 MVBAR 0x82004860
MVBAR only has valid SMC instruction entry, other exception entries are unused.
There's an issue in TZ's UEFI variable handling. A working exploit can be found at https://github.com/NekomimiRouter/yahallo.
Last modified 2yr ago