
Pirelli: documented and verified the checksum scheme used for the factory block
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 25 Dec 2016 23:48:16 +0000
parents 9082f3991fe5
children

; This hack payload must be receiving control in the ARM state,
; as the instruction at 0 makes sense as ARM, but not as Thumb.
;
; Overview, reconstructed from the listing below: a minimal UART stager.
; It disables the watchdog, waits for the ASCII handshake "INT" on the
; MODEM UART, answers with 'X', reads a 16-bit little-endian byte count,
; copies that many bytes from the UART into RAM at 0x800100, and
; branches there.
;
; Register roles:
;   r1 = watchdog register base (0xfffff802)
;   r6 = MODEM UART base (0xffff5800); [r6] is the data register
;        (read = RX byte, write = TX byte); [r6, #5] is polled with
;        bit 0 set taken to mean "a byte is available" (inferred from
;        the polling pattern only -- confirm against the UART register map)
;   r5 = last received byte, later the remaining byte count
;   r4 = write pointer into the next stage, r3 = its start address
;   r0 = scratch

; SVC mode, IRQ & FIQ disabled
; 0xd3 = mode bits 10011 (SVC) with the I and F bits both set.
       0:	e321f0d3	msr	CPSR_c, #211	; 0xd3
; disable the watchdog
; Two halfword writes, 0xf5 then 0xa0, to the register at 0xfffff804
; ([r1, #2]).
       4:	e59f10b4	ldr	r1, =0xfffff802	; via 0xc0
       8:	e3a000f5	mov	r0, #245	; 0xf5
       c:	e1c100b2	strh	r0, [r1, #2]
      10:	e3a000a0	mov	r0, #160	; 0xa0
      14:	e1c100b2	strh	r0, [r1, #2]
; MODEM UART
      18:	e59f60a4	ldr	r6, =0xffff5800	; via 0xc4
; wait for "INT" input
; Each stage polls [r6, #5] bit 0, then reads one byte from [r6] and
; compares it with the next expected character.  Any mismatch restarts
; the match at 0x1c (waiting for a fresh 'I'); the mismatching byte is
; not re-examined, so e.g. the sequence "IINT" does not match.
      1c:	e5d60005	ldrb	r0, [r6, #5]
      20:	e3100001	tst	r0, #1
      24:	0afffffc	beq	0x1c
      28:	e5d65000	ldrb	r5, [r6]
      2c:	e3550049	cmp	r5, #73	; 0x49 = 'I'
      30:	1afffff9	bne	0x1c
      34:	e5d60005	ldrb	r0, [r6, #5]
      38:	e3100001	tst	r0, #1
      3c:	0afffffc	beq	0x34
      40:	e5d65000	ldrb	r5, [r6]
      44:	e355004e	cmp	r5, #78	; 0x4e = 'N'
      48:	1afffff3	bne	0x1c
      4c:	e5d60005	ldrb	r0, [r6, #5]
      50:	e3100001	tst	r0, #1
      54:	0afffffc	beq	0x4c
      58:	e5d65000	ldrb	r5, [r6]
      5c:	e3550054	cmp	r5, #84	; 0x54 = 'T'
      60:	1affffed	bne	0x1c
; send 'X'
; Acknowledge the handshake with a single byte written to the UART data
; register; there is no check that the transmitter is ready first.
      64:	e3a00058	mov	r0, #88	; 0x58 = 'X'
      68:	e5c60000	strb	r0, [r6]
; receive 2 bytes of length (LSB first)
; 0x6c is "mov r0, r0", the classic ARM no-op; it has no effect here.
      6c:	e1a00000	mov	r0, r0
      70:	e5d60005	ldrb	r0, [r6, #5]
      74:	e3100001	tst	r0, #1
      78:	0afffffc	beq	0x70
      7c:	e5d65000	ldrb	r5, [r6]	; r5 = low byte
      80:	e5d60005	ldrb	r0, [r6, #5]
      84:	e3100001	tst	r0, #1
      88:	0afffffc	beq	0x80
      8c:	e5d60000	ldrb	r0, [r6]	; r0 = high byte
      90:	e1855400	orr	r5, r5, r0, lsl #8	; r5 = length (0..0xffff)
; receive next stage payload
; r4 walks the destination; r3 keeps the start address for the final branch.
; The loop is do-while on r5: a received length of 0 wraps r5 to
; 0xffffffff on the first subs, so the copy keeps writing past 0x800100
; for 2^32 iterations.  The length is otherwise not checked against the
; RAM available above 0x800100.
      94:	e59f402c	ldr	r4, =0x800100	; via 0xc8
      98:	e1a03004	mov	r3, r4
      9c:	e5d60005	ldrb	r0, [r6, #5]
      a0:	e3100001	tst	r0, #1
      a4:	0afffffc	beq	0x9c
      a8:	e5d60000	ldrb	r0, [r6]
      ac:	e5c40000	strb	r0, [r4]
      b0:	e2844001	add	r4, r4, #1
      b4:	e2555001	subs	r5, r5, #1
      b8:	1afffff7	bne	0x9c
; jump to it
; r3 = 0x800100 has bit 0 clear, so bx enters the next stage in ARM state.
      bc:	e12fff13	bx	r3

; literal pool
; 32-bit constants referenced by the three PC-relative ldr instructions
; above (at 0x4, 0x18 and 0x94).
      c0:	fffff802
      c4:	ffff5800
      c8:	00800100