Minor documentation changes atop trisz404's PR.

This commit is contained in:
Kate J. Temkin 2018-05-07 00:45:18 -06:00
parent 9e0ed49e71
commit 92d3ebcc81
2 changed files with 20 additions and 9 deletions

View File

@ -26,13 +26,20 @@ import os
import sys import sys
import usb import usb
import time import time
import errno
import ctypes import ctypes
import argparse import argparse
import platform import platform
# specify the locations of important load components # The address where the RCM payload is placed.
# This is fixed for most device.
RCM_PAYLOAD_ADDR = 0x40010000 RCM_PAYLOAD_ADDR = 0x40010000
# The address where the user payload is expected to begin.
PAYLOAD_START_ADDR = 0x40010E40 PAYLOAD_START_ADDR = 0x40010E40
# Specify the range of addresses where we should inject oct
# payload address.
STACK_SPRAY_START = 0x40014E40 STACK_SPRAY_START = 0x40014E40
STACK_SPRAY_END = 0x40017000 STACK_SPRAY_END = 0x40017000
@ -295,7 +302,7 @@ class RCMHax:
# ... and we're allowed to wait for one, wait indefinitely for one to appear... # ... and we're allowed to wait for one, wait indefinitely for one to appear...
if wait_for_device: if wait_for_device:
print("Waiting for a TegraRCM to come online...") print("Waiting for a TegraRCM device to come online...")
while self.dev is None: while self.dev is None:
self.dev = self._find_device() self.dev = self._find_device()
@ -456,24 +463,25 @@ with open(intermezzo_path, "rb") as f:
payload += intermezzo payload += intermezzo
# Pad the payload till the start of the payload # Pad the payload till the start of the user payload.
padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size) padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)
payload += (b'\0' * padding_size) payload += (b'\0' * padding_size)
target_payload = b'' target_payload = b''
# Read the rest of the payload into memory.
# Read the user payload into memory.
with open(payload_path, "rb") as f: with open(payload_path, "rb") as f:
target_payload = f.read() target_payload = f.read()
# First part of the payload # Fit a collection of the payload before the stack spray...
padding_size = STACK_SPRAY_START - PAYLOAD_START_ADDR padding_size = STACK_SPRAY_START - PAYLOAD_START_ADDR
payload += target_payload[:padding_size] payload += target_payload[:padding_size]
# Gap in the payload, stack spray # ... insert the stack spray...
repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4) repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)
payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count) payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count)
# Read the rest of the payload into memory. # ... and follow the stack spray with the remainder of the payload.
payload += target_payload[padding_size:] payload += target_payload[padding_size:]
# Pad the payload to fill a USB request exactly, so we don't send a short # Pad the payload to fill a USB request exactly, so we don't send a short
@ -482,9 +490,12 @@ payload_length = len(payload)
padding_size = 0x1000 - (payload_length % 0x1000) padding_size = 0x1000 - (payload_length % 0x1000)
payload += (b'\0' * padding_size) payload += (b'\0' * padding_size)
# Check to see if our payload packet will fit inside the RCM high buffer.
# If it won't, error out.
if len(payload) > length: if len(payload) > length:
print("ERROR: Too large payload! (%x vs %x)" % (len(payload), length)) size_over = len(payload) - length
sys.exit(-2) print("ERROR: Payload is too large to be submitted via RCM. ({} bytes larger than max).".format(size_over))
sys.exit(errno.EFBIG)
# Send the constructed payload, which contains the command, the stack smashing # Send the constructed payload, which contains the command, the stack smashing
# values, the Intermezzo relocation stub, and the final payload. # values, the Intermezzo relocation stub, and the final payload.

BIN
intermezzo.bin Executable file

Binary file not shown.