UEFI

The Surface RT UEFI consists multi phases. Some issues are outlined below.

TrustZone and SEC phase

The CPU gets out of reset in Secure Mode. SEC phase kicks in, does fundamental setup and enter TrustZone. TrustZone memory occupies the lower memory (32MB).

In stock firmware, TZ MVBAR address is 0x811f8000 on RT for primary core (Boot Processor.)

For secondary CPUs, the MVBAR is：

Core 1 MVBAR 0x82002860
Core 2 MVBAR 0x82003860
Core 3 MVBAR 0x82004860

MVBAR only has valid SMC instruction entry, other exception entries are unused.

Exploit

There's an issue in TZ's UEFI variable handling. A working exploit can be found at https://github.com/NekomimiRouter/yahallo.

PreviousRPMB partition on EMMC NextACPI Tables

Last updated 3 years ago