From 92a4507d15fb4dcb2a237f7327bbf90029dedfca Mon Sep 17 00:00:00 2001
From: N00byEdge
Date: Mon, 24 Feb 2020 15:17:48 +0100
Subject: [PATCH 1/2] Fix patch_entry() to set RWX on L2 table entries
Theoretically, the access on the L2 table could be read-only, and we don't update it at all.
---
iStrap/t8010 t8011 loader/ttbr0_hooker.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iStrap/t8010 t8011 loader/ttbr0_hooker.c b/iStrap/t8010 t8011 loader/ttbr0_hooker.c
index 69a8fcf..4d36c1f 100644
--- a/iStrap/t8010 t8011 loader/ttbr0_hooker.c
+++ b/iStrap/t8010 t8011 loader/ttbr0_hooker.c
@@ -36,6 +36,8 @@ void patch_entry(uint64_t *ttbr0, size_t L2_idx, size_t L3_idx) {
 case 3: { // L3 Table
 uint64_t *L3_table = (uint64_t*) (l2Entry & 0xFFFFFFFFC000);
+ l2Entry &= 0x7800000000000000ULL;
+ ttbr0[L2_idx] = l2Entry;
 size_t L3_idx_start = L3_idx;
 for (size_t L3_idx = L3_idx_start; L3_idx < L3_idx_start+32; L3_idx++) {
From 9155304581fc26f1d1f9af1970d664806e7c9809 Mon Sep 17 00:00:00 2001
From: N00byEdge
Date: Tue, 25 Feb 2020 10:20:15 +0100
Subject: [PATCH 2/2] Update ttbr0_hooker.c
---
iStrap/t8010 t8011 loader/ttbr0_hooker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iStrap/t8010 t8011 loader/ttbr0_hooker.c b/iStrap/t8010 t8011 loader/ttbr0_hooker.c
index 4d36c1f..d6e93cc 100644
--- a/iStrap/t8010 t8011 loader/ttbr0_hooker.c
+++ b/iStrap/t8010 t8011 loader/ttbr0_hooker.c
@@ -36,7 +36,7 @@ void patch_entry(uint64_t *ttbr0, size_t L2_idx, size_t L3_idx) {
 case 3: { // L3 Table
 uint64_t *L3_table = (uint64_t*) (l2Entry & 0xFFFFFFFFC000);
- l2Entry &= 0x7800000000000000ULL;
+ l2Entry &= ~0x7800000000000000ULL;
 ttbr0[L2_idx] = l2Entry;
 size_t L3_idx_start = L3_idx;
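Review bot: The mask `0x7800000000000000ULL` applied to `l2Entry` in the first hunk is an undocumented magic number; it selects bits 59–62, which in an ARMv8-A stage-1 table descriptor are the hierarchical PXNTable, UXNTable and APTable[1:0] fields, and it should be a named constant such as `#define L2_TABLE_HIER_PERMS 0x7800000000000000ULL /* PXNTable | UXNTable | APTable */` with a comment stating that these bits are cleared so the L3 entries' own permissions govern access. The store back to `ttbr0[L2_idx]` modifies a live translation table entry, and no barrier or TLB maintenance is visible in either hunk; if that is handled elsewhere in patch_entry, whose body continues past both hunks, a comment pointing to it would help a reader confirm the updated descriptor actually takes effect rather than a stale cached translation. The second hunk on this page carries the same constant and would benefit from the same named definition.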