Launching U-Boot from uefi on EDK2 nvidia hardware, tegra 30. surface by writing to secondary core smc handler address 82002880 pointing it to a payload loaded into memory at 83100000. then the payload launcher using acpi protocol unparks secondary core and this core issues smc call due to payload_secondary being loaded and its address set into secondary core 1 parking mailbox address. the payload loader issues a interrupt to unpark the secondary core which causes payload in memory to execute. payload running on secondary core copies another payload to primary core smc call handler address 80112174. once this is complete secondary payload signals to payload launcher to issue smc call which then the primary core payload is executed and u boot placed into memory by payload launcher at 84000000 is loaded and running and ready to boot into an os.
however at this stage secondary cores are unavailable to the os.
Payload launcher to be used as bootarm.efi - included
payload.bin to be used as primary core payload - included
payload2.bin to be used as secondary core payload. - included
payload_secondary.bin used to launch payload2 on secondary cores by unparking - included
u-boot.dtb.bin used as bootloader and launched at 84000000 - https://github.com/wmjb/surface-rt-uefi-u-boot
place all 5 files on root of usb and boot.
to build...
apt install build-essential python3 python-is-python3 python3-distutils uuid-dev iasl git nasm
git clone -b edk2-stable202005 https://github.com/tianocore/edk2.git
cd edk2
git submodule update --init
git clone https://github.com/tianocore/edk2-platforms.git
patch
BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c @2033
BrotliDecoderResult BrotliDecoderDecompress(
- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
- uint8_t* decoded_buffer) {
+ size_t encoded_size,
+ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
+ size_t* decoded_size,
+ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c @1470
BROTLI_BOOL BrotliEncoderCompress(
int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
- const uint8_t* input_buffer, size_t* encoded_size,
- uint8_t* encoded_buffer) {
+ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
+ size_t* encoded_size,
+ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
see https://801925.bugs.gentoo.org/attachment.cgi?id=736258
BaseTools/Tests/TestTools.py
def ReadTmpFile(self, fileName):
- f = open(self.GetTmpFilePath(fileName), 'r')
+ f = codecs.open(self.GetTmpFilePath(fileName), 'r', encoding='utf-8')
BaseTools/Source/Python/AutoGen/UniClassObject.py @152
TheUcs2Codec = Ucs2Codec()
def Ucs2Search(name):
- if name == 'ucs-2':
+ if name in ['ucs-2', 'ucs_2']:
make -C BaseTools
. ./edksetup.sh
build -a ARM -p UEFIPrivilegeEscalationPkg/UEFIPrivilegeEscalationPkg.dsc -t GCC5
https://github.com/Open-Surface-RT/UEFIPrivilegeEscalationPkg
# UEFI Privilege Escalation Exploit: Trustzone Exploit that allows running code in secure mode on Surface RT (Tegra 3) with the help of Yahallo (by imbushuo)
This tool allows you to run any given code in the Secure PL1 state of the Cortex-A9 CPU cores. This is based of off [Yahallo by imbushuo](https://github.com/NekomimiRouter/yahallo).
More information will follow.
# License
This code is released under GPLv2.