From c9a028cc183d638c16ca9a8858b783b1830be16f Mon Sep 17 00:00:00 2001
From: Amaury Pouly
Date: Tue, 24 Jun 2014 18:04:17 +0200
Subject: Introduce hwpatcher, a tool to patch binaries
This tool is a scriptable (lua) tool to patch binaries, it supports:
- raw binary
- ELF
- SB(v1/v2)
It also contains some basic routines to parse and generate useful arm/thumb code like jump or register load/store. This is very useful to take a firmware and patch an interrupt vector or some code to jump to an extra payload added to the binary. Examples are provided for several STMP based target which the payload is expected to be hwstub, and also for the Sansa View.
A typical patcher usually requires three elements:
- the lua patcher itself
- the payload (hwstub for example)
- (optional) a small stub either to jump properly to the payload or determine under which circumstance to do the jump (hold a key for example)
Change-Id: I6d36020a3bc9e636615ac8221b7591ade5f251e3
---
utils/hwpatcher/zxfi2.lua | 50 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 utils/hwpatcher/zxfi2.lua
(limited to 'utils/hwpatcher/zxfi2.lua')
diff --git a/utils/hwpatcher/zxfi2.lua b/utils/hwpatcher/zxfi2.lua
new file mode 100644
index 0000000000..fc3bdf800b
--- /dev/null
+++ b/utils/hwpatcher/zxfi2.lua
@@ -0,0 +1,50 @@
+--[[
+Zen X-Fi2 1.23.01e NAND hacking
+required argument (in order):
+- path to firmware
+- path to output firmware
+- path to blob
+- path to stub
+]]--
+
+if #arg < 4 then
+ error("not enough argument to fuzep patcher")
+end
+
+local fw = hwp.load_file(arg[1])
+local irq_addr_pool = hwp.make_addr(0x4035e154, "play")
+local proxy_addr = arm.to_arm(hwp.make_addr(0x402f06f8, "play"))
+-- read old IRQ address pool
+local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))
+print(string.format("Old IRQ address: %s", old_irq_addr))
+-- put stub at the beginning of the proxy
+local stub = hwp.load_bin_file(arg[4])
+local stub_info = hwp.section_info(stub, "")
+local stub_data = hwp.read(stub, hwp.make_addr(stub_info.addr, ""), stub_info.size)
+hwp.write(fw, proxy_addr, stub_data)
+local stub_addr = proxy_addr
+proxy_addr = hwp.inc_addr(proxy_addr, stub_info.size)
+-- modify irq
+hwp.write32(fw, irq_addr_pool, proxy_addr.addr)
+print(string.format("New IRQ address: %s", proxy_addr))
+-- in proxy, save registers
+arm.write_save_regs(fw, proxy_addr)
+proxy_addr = hwp.inc_addr(proxy_addr, 4)
+-- load blob
+local blob = hwp.load_bin_file(arg[3])
+local blob_info = hwp.section_info(blob, "")
+-- patch blob with stub address
+hwp.write32(blob, hwp.make_addr(blob_info.addr + 4, ""), stub_addr.addr)
+-- write it !
+local blob_data = hwp.read(blob, hwp.make_addr(blob_info.addr, ""), blob_info.size)
+hwp.write(fw, proxy_addr, blob_data)
+proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)
+-- restore registers
+arm.write_restore_regs(fw, proxy_addr)
+proxy_addr = hwp.inc_addr(proxy_addr, 4)
+-- branch to old code
+local branch_to_old = arm.make_branch(old_irq_addr, false)
+arm.write_branch(fw, proxy_addr, branch_to_old, hwp.inc_addr(proxy_addr, 4))
+-- save
+hwp.save_file(fw, arg[2])
+
-- cgit
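Review bot: The writes into the proxy region are unbounded: the stub, the register-save word, the blob, the restore word and the final branch are laid out back to back from `proxy_addr` (0x402f06f8) with no check that `stub_info.size + blob_info.size + 12` fits in whatever free space the firmware has at that address, so an oversized stub or blob silently overwrites adjacent firmware code and the only symptom is a broken image. I would load the blob before the first `hwp.write` and guard the layout with `local PROXY_MAX_SIZE = <free bytes at 0x402f06f8> -- placeholder, measure from the firmware` followed by `if stub_info.size + blob_info.size + 12 > PROXY_MAX_SIZE then error("stub + blob do not fit in the proxy region") end`. The argument check's message still says `fuzep patcher` although this script targets the Zen X-Fi2; `error("not enough argument to zxfi2 patcher")` would stop misleading the user about which patcher failed. `hwp` and `arm` are presumably injected as globals by the hwpatcher host, since nothing here requires them; a one-line comment in the header block stating that dependency would help readers running the script outside the tool.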