<karlp>
bauen1: explain it like I'm five. Your secure boot bit runs first, so how does being able to locate it at an arbitrary memory address do anything?
<smaeul>
karlp: bauen1: for one thing, you can point it to the "switch to NBROM and enter FEL" code address in the SBROM
<smaeul>
SBROM will attempt to copy your code there (which does nothing since SBROM is not writable) and then jump to that address, giving the attacker FEL access
<smaeul>
although, if an attacker can modify the TOC0, they can also wipe it, causing the SBROM to fall back to FEL
<bauen1>
smaeul: I can't test this, I can only look at the dump, but I don't think so
<bauen1>
so at least for the H5 you don't even need any valid (signed) TOC0 image to exploit this
<bauen1>
smaeul: you don't even need to rely on ROP; if you find the right word in the signed blob (a pointer to the end of the normal TOC0 image) you can select the target location so that the stack is overwritten, and upon return from the memcpy you have complete execution
<bauen1>
and you also don't need physical access to exploit this bug; you just need to be able to write to a boot device
<bauen1>
smaeul: I'm not 100% sure that there is no limit, but it appears that at least one boot method (I don't know which one) doesn't have a limit
<bauen1>
looking at the code that loads the TOC0 from an SPI NOR chip, the length needs to be a multiple of 0x8000 to be accepted, but that's the only limitation
<bauen1>
after the length has been read, the SBROM will load data from the SPI NOR in 0x8000 increments using DMA
<bauen1>
smaeul: I still don't have any boards, so I can't actually dump the ROMs myself, so I don't have any H6 code to look at yet
<bauen1>
smaeul: could you maybe help me with confirming that the vulnerability actually exists? I don't plan on buying an H5 board (and even then shipping would take > 1 month)