Open TheRasPiGuy opened 5 years ago
Same, Bump.
You would need a SecureROM dump, and I don't know how it is dumped to find offsets when the device is not exploited.
Duplicate of #71
I think you can dump the SecureROM with a kernel exploit.
```c
// Hook executed from the kernel exploit payload: it wraps the SecureROM's
// physical range in a memory descriptor, maps it into kernel virtual address
// space, and hexdumps the first 0x40 bytes.
// IOMemoryDescriptor(), IOMemoryDescriptor_map(), IOMemoryMap_getVirtualAddress()
// and IOHexdump() are helper wrappers around the IOKit calls, assumed to be
// defined elsewhere in the payload (not shown here).
id hook() {
    IOLog("p0sixninja is in da house!!\n");
    void* mem = IOMemoryDescriptor(0xBF000200, 0x40, 3);  // physical address, length, options
    IOLog("mem = 0x%08x\n", mem);
    void* map = IOMemoryDescriptor_map(mem, 3);
    IOLog("map = 0x%08x\n", map);
    unsigned int* va = IOMemoryMap_getVirtualAddress(map);
    IOLog("va = 0x%08x\n", va);
    IOHexdump(va, 0x40);
    return 0;  // added: the original snippet had no return and no closing brace
}
```
something like this
@manizzle Kernel exploit? Which kernel? Once the SecureROM has finished, it has already unmapped itself and it should not be accessible from the application processor.
Maybe things have changed since p0sixninja last looked at this stuff? How do you know it's been unmapped?
@manizzle
Sorry, I'm not basing this on any facts, just experience. If the SecureROM has the ability to unmap itself, why wouldn't it? If it didn't, wouldn't all the bootroms of all jailbreakable devices already be leaked, since then it could be extracted using any rooted device? I too am trying my best to acquire bootroms for more devices, but I don't think it will be that simple.
Decap the bootrom chips?
@EWouters Sounds like a really good idea until you realize the bootrom is in the SoC (System on Chip).
Not familiar with the added problems of the bootrom being part of a SoC. However, hardware exploits should not be discarded in this; they have proven essential in early jailbreaks.
It's worth a shot.
Wanted to mess around with my old SE, was bummed when the SoC wasn't supported. How can I find the offsets for s8003?