The-Homebrew-Cloud/fusee-launcher
2
0
Fork 0
mirror of https://github.com/Qyriad/fusee-launcher.git synced 2024-11-22 02:59:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove trailing whitespace

Browse Source
This commit is contained in:
Josh Holland 2018-04-23 18:16:27 +01:00 committed by Mikaela Szekely
parent afe5aa04ac
commit 21a30bbf41
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fusee-launcher.py
View File

@ -434,7 +434,7 @@ print("Found a Tegra with Device ID: {}".format(device_id))
# Prefix the image with an RCM command, so it winds up loaded into memory # Prefix the image with an RCM command, so it winds up loaded into memory
# at the right location (0x40010000). # at the right location (0x40010000).
# Use the maximum length accepted by RCM, so we can transmit as much payload as # Use the maximum length accepted by RCM, so we can transmit as much payload as
# we want; we'll take over before we get to the end. # we want; we'll take over before we get to the end.
length = 0x30298 length = 0x30298
payload = length.to_bytes(4, byteorder='little') payload = length.to_bytes(4, byteorder='little')

10
report/fusee_gelee.md
View File

@ -139,7 +139,7 @@ while (1) {
// Handle the received and validated command. // Handle the received and validated command.
// For a "load miniloader" command, this sanity checks the (validated) // For a "load miniloader" command, this sanity checks the (validated)
// miniloader image and takes steps to prevent re-use of signed data not // miniloader image and takes steps to prevent re-use of signed data not
// intended to be used as an RCM command. // intended to be used as an RCM command.
rcm_handle_command_complete(...); rcm_handle_command_complete(...);
} }
@ -199,7 +199,7 @@ while (total_rxd < total_to_rx) {
} }
} }
/* copy any data _past_ the command into a separate payload /* copy any data _past_ the command into a separate payload
buffer at 0x40010000 */ buffer at 0x40010000 */
/* -code omitted for brevity - */ /* -code omitted for brevity - */
@ -244,7 +244,7 @@ data that should be included in the response. Per the specification, the device
should respond with either the *amount of data specified* or the *amount of data should respond with either the *amount of data specified* or the *amount of data
available*, whichever is less. available*, whichever is less.
The bootloader's implementation of this behavior is conceptually implemented as The bootloader's implementation of this behavior is conceptually implemented as
follows: follows:
```C ```C
@ -298,7 +298,7 @@ respond_to_control_request(dma_buffer, length_to_send);
In most cases, the handler correctly limits the length of the transmitted In most cases, the handler correctly limits the length of the transmitted
responses to the amount it has available, per the USB specification. However, responses to the amount it has available, per the USB specification. However,
in a few notable cases, the length is *incorrectly always set to the amount in a few notable cases, the length is *incorrectly always set to the amount
requested* by the host: requested* by the host:
* When issuing a `GET_CONFIGURATION` request with a `DEVICE` recipient. * When issuing a `GET_CONFIGURATION` request with a `DEVICE` recipient.
* When issuing a `GET_INTERFACE` request with a `INTERFACE` recipient. * When issuing a `GET_INTERFACE` request with a `INTERFACE` recipient.
@ -408,7 +408,7 @@ careful sequence of interactions:
6. If the next write would target the lower DMA buffer, issue another write 6. If the next write would target the lower DMA buffer, issue another write
of a full 0x1000 bytes to move the target to the upper DMA buffer, reducing of a full 0x1000 bytes to move the target to the upper DMA buffer, reducing
the total amount of data to be copied. the total amount of data to be copied.
7. Trigger the vulnerable memcpy by sending a `GET_STATUS` `IN` control 7. Trigger the vulnerable memcpy by sending a `GET_STATUS` `IN` control
request with an `ENDPOINT` recipient, and a length long enough to smash the request with an `ENDPOINT` recipient, and a length long enough to smash the
desired stack region, and preferably not longer than required. desired stack region, and preferably not longer than required.