Proper warmboot exploit implementation and documentation.

Side effect: Fixes a bug where the dumped bootrom was wrong in 4.6.

bootloader/main.c

@@ -1164,8 +1164,29 @@ void ipl_main()
 	// Set bootloader's default configuration.
 	set_default_configuration();
 
+	sdram_params_t *params = sdram_get_params();
+	
+	/*
+	 * This code here implements a warmboot exploit. Hotboot, that's so hot, it burns Nvidia once again.
+	 * In the bootrom if the boot_rom_patch_control's highest bit set it uses it as an index to
+	 * APB_MISC_BASE (u32 array) and sets it to boot_rom_patch_data.
+	 * (The hightes bit falls out when it gets multiplied by sizeof(u32) aka. 4).
+	 * Because the bootrom misses the boundary checks, it lets us write anywhere, anything.
+	 * Ipatch hardware lets us apply 12 changes to the bootrom and can be changed any time.
+	 * The first patch is not needed anymore when the bug triggers, so we overwrite that.
+	 * 0x10459E is the address where it returns error when the signature is worng.
+	 * We change it to `MOV R0, #0`(0x2000), so we pass that check.
+	 *
+	 * Note: The modulus in the warmboot header is still validated.
+	 */
+	
+	params->boot_rom_patch_control = (1 << 31) | (((IPATCH_BASE + 4) - APB_MISC_BASE) / 4);
+	u32 addr = 0x10459E;
+	u32 data = 0x2000;
+	params->boot_rom_patch_data = (addr / 2) << 16 | (data & 0xffff);
+	
 	// Save sdram lp0 config.
-	if (ianos_loader(true, "bootloader/sys/libsys_lp0.bso", DRAM_LIB, (void *)sdram_get_params()))
+	if (ianos_loader(true, "bootloader/sys/libsys_lp0.bso", DRAM_LIB, params))
 		h_cfg.errors |= ERR_LIBSYS_LP0;
 
 	display_init();

bootloader/mem/sdram.c

@@ -22,7 +22,7 @@
 #include "../utils/util.h"
 #include "../soc/fuse.h"
 #include "../power/max77620.h"
-#include "../mem/sdram_param_t210.h"
+#include "sdram_param_t210.h"
 #include "../soc/clock.h"
 
 #define CONFIG_SDRAM_COMPRESS_CFG
@@ -388,9 +388,9 @@ break_nosleep:
 	EMC(EMC_ACPD_CONTROL) = params->emc_acpd_control;
 	EMC(EMC_TXDSRVTTGEN) = params->emc_txdsrvttgen;
 	EMC(EMC_CFG) = (params->emc_cfg & 0xE) | 0x3C00000;
-	if (params->boot_rom_patch_control & 0x80000000)
+	if (params->boot_rom_patch_control & (1 << 31))
 	{
-		*(vu32 *)(4 * (params->boot_rom_patch_control + 0x1C000000)) = params->boot_rom_patch_data;
+		*(vu32 *)(APB_MISC_BASE + params->boot_rom_patch_control * 4) = params->boot_rom_patch_data;
 		MC(MC_TIMING_CONTROL) = 1;
 	}
 	PMC(APBDEV_PMC_IO_DPD3_REQ) = ((4 * params->emc_pmc_scratch1 >> 2) + 0x40000000) & 0xCFFF0000;
@@ -489,14 +489,14 @@ break_nosleep:
 	MC(MC_EMEM_CFG_ACCESS_CTRL) = 1; //Disable write access to a bunch of EMC registers.
 }
 
-const void *sdram_get_params()
+sdram_params_t *sdram_get_params()
 {
 	//TODO: sdram_id should be in [0, 7].
 
 #ifdef CONFIG_SDRAM_COMPRESS_CFG
 	u8 *buf = (u8 *)0x40030000;
 	LZ_Uncompress(_dram_cfg_lz, buf, sizeof(_dram_cfg_lz));
-	return (const void *)&buf[sizeof(sdram_params_t) * _get_sdram_id()];
+	return (sdram_params_t *)&buf[sizeof(sdram_params_t) * _get_sdram_id()];
 #else
 	return _dram_cfgs[_get_sdram_id()];
 #endif

bootloader/mem/sdram.h

@@ -17,8 +17,10 @@
 #ifndef _SDRAM_H_
 #define _SDRAM_H_
 
+#include "sdram_param_t210.h"
+
 void sdram_init();
-const void *sdram_get_params();
+sdram_params_t *sdram_get_params();
 void sdram_lp0_save_params(const void *params);
 
 #endif

bootloader/mem/sdram_config.inl

@@ -1,6 +1,5 @@
 /*
  * Copyright (c) 2018 naehrwert
- * Copyright (c) 2018 balika011
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -172,7 +171,7 @@ static const u8 _dram_cfg_0[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
@@ -333,7 +332,7 @@ static const u8 _dram_cfg_1[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
@@ -494,7 +493,7 @@ static const u8 _dram_cfg_2[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
@@ -655,7 +654,7 @@ static const u8 _dram_cfg_3[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
@@ -816,7 +815,7 @@ static const u8 _dram_cfg_4[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
@@ -977,7 +976,7 @@ static const u8 _dram_cfg_5[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
@@ -1138,7 +1137,7 @@ static const u8 _dram_cfg_6[1896] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x46, 0x2C, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x00, 0x00, 0xF0, 0xFF,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0xFF,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 

bootloader/mem/sdram_config_lz.inl

@@ -1,6 +1,5 @@
 /*
  * Copyright (c) 2018 naehrwert
- * Copyright (c) 2018 balika011
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -15,7 +14,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-static const u8 _dram_cfg_lz[1270] = {
+static const u8 _dram_cfg_lz[1262] = {
 	0x17, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00,
 	0x00, 0x2C, 0x17, 0x04, 0x09, 0x00, 0x17, 0x04, 0x04, 0x17, 0x08, 0x08,
 	0x17, 0x10, 0x10, 0x00, 0x00, 0x68, 0xBC, 0x01, 0x70, 0x0A, 0x00, 0x00,
@@ -104,22 +103,22 @@ static const u8 _dram_cfg_lz[1270] = {
 	0x17, 0x17, 0x3A, 0x7E, 0x16, 0x40, 0x17, 0x0C, 0x8B, 0x1F, 0x17, 0x2A,
 	0x38, 0x1E, 0x17, 0x0A, 0x38, 0x17, 0x13, 0x81, 0x28, 0x00, 0xC0, 0x17,
 	0x17, 0x55, 0x46, 0x24, 0x17, 0x0A, 0x81, 0x28, 0x17, 0x14, 0x38, 0x17,
-	0x18, 0x81, 0x60, 0x46, 0x2C, 0x17, 0x06, 0x38, 0xEC, 0x00, 0x00, 0x00,
+	0x18, 0x81, 0x60, 0x46, 0x2C, 0x17, 0x06, 0x38, 0xEC, 0x17, 0x0D, 0x16,
-	0x01, 0x77, 0x00, 0xFC, 0x00, 0x20, 0xCF, 0x22, 0x17, 0x10, 0x82, 0x3C,
+	0x17, 0x0E, 0x82, 0x3C, 0x17, 0x82, 0x0C, 0x8E, 0x68, 0x17, 0x04, 0x24,
-	0x17, 0x82, 0x0C, 0x8E, 0x68, 0x17, 0x04, 0x24, 0x17, 0x5C, 0x8E, 0x68,
+	0x17, 0x5C, 0x8E, 0x68, 0x17, 0x07, 0x82, 0x5F, 0x80, 0x17, 0x87, 0x01,
-	0x17, 0x07, 0x82, 0x5F, 0x80, 0x17, 0x87, 0x01, 0x8E, 0x68, 0x02, 0x17,
+	0x8E, 0x68, 0x02, 0x17, 0x81, 0x4A, 0x8E, 0x68, 0x17, 0x0C, 0x87, 0x78,
-	0x81, 0x4A, 0x8E, 0x68, 0x17, 0x0C, 0x87, 0x78, 0x17, 0x85, 0x28, 0x8E,
+	0x17, 0x85, 0x28, 0x8E, 0x68, 0x17, 0x8E, 0x68, 0x9D, 0x50, 0x17, 0x81,
-	0x68, 0x17, 0x8E, 0x68, 0x9D, 0x50, 0x17, 0x81, 0x24, 0x8E, 0x68, 0x17,
+	0x24, 0x8E, 0x68, 0x17, 0x04, 0x2C, 0x17, 0x28, 0x8E, 0x68, 0x17, 0x04,
-	0x04, 0x2C, 0x17, 0x28, 0x8E, 0x68, 0x17, 0x04, 0x30, 0x17, 0x85, 0x3C,
+	0x30, 0x17, 0x85, 0x3C, 0x8E, 0x68, 0x12, 0x17, 0x07, 0x85, 0x70, 0x17,
-	0x8E, 0x68, 0x12, 0x17, 0x07, 0x85, 0x70, 0x17, 0x88, 0x74, 0x8E, 0x68,
+	0x88, 0x74, 0x8E, 0x68, 0x17, 0x87, 0x3E, 0x9D, 0x50, 0x0C, 0x17, 0x04,
-	0x17, 0x87, 0x3E, 0x9D, 0x50, 0x0C, 0x17, 0x04, 0x04, 0x17, 0x12, 0x8E,
+	0x04, 0x17, 0x12, 0x8E, 0x68, 0x18, 0x17, 0x87, 0x12, 0xBB, 0x20, 0x17,
-	0x68, 0x18, 0x17, 0x87, 0x12, 0xBB, 0x20, 0x17, 0x83, 0x04, 0x9D, 0x50,
+	0x83, 0x04, 0x9D, 0x50, 0x15, 0x17, 0x05, 0x8D, 0x76, 0x17, 0x0F, 0x8B,
-	0x15, 0x17, 0x05, 0x8D, 0x76, 0x17, 0x0F, 0x8B, 0x49, 0x17, 0x0B, 0x18,
+	0x49, 0x17, 0x0B, 0x18, 0x32, 0x00, 0x2F, 0x00, 0x32, 0x00, 0x31, 0x00,
-	0x32, 0x00, 0x2F, 0x00, 0x32, 0x00, 0x31, 0x00, 0x34, 0x00, 0x36, 0x00,
+	0x34, 0x00, 0x36, 0x00, 0x2F, 0x00, 0x33, 0x17, 0x09, 0x84, 0x0C, 0x17,
-	0x2F, 0x00, 0x33, 0x17, 0x09, 0x84, 0x0C, 0x17, 0x18, 0x18, 0x17, 0x20,
+	0x18, 0x18, 0x17, 0x20, 0x8E, 0x68, 0x15, 0x17, 0x07, 0x5A, 0x17, 0x06,
-	0x8E, 0x68, 0x15, 0x17, 0x07, 0x5A, 0x17, 0x06, 0x5E, 0x16, 0x00, 0x15,
+	0x5E, 0x16, 0x00, 0x15, 0x17, 0x82, 0x40, 0x9D, 0x50, 0x17, 0x86, 0x5F,
-	0x17, 0x82, 0x40, 0x9D, 0x50, 0x17, 0x86, 0x5F, 0xBB, 0x20, 0x3A, 0x00,
+	0xBB, 0x20, 0x3A, 0x00, 0x00, 0x00, 0x1D, 0x17, 0x81, 0x4F, 0xAC, 0x38,
-	0x00, 0x00, 0x1D, 0x17, 0x81, 0x4F, 0xAC, 0x38, 0x3B, 0x17, 0x04, 0x04,
+	0x3B, 0x17, 0x04, 0x04, 0x17, 0x86, 0x30, 0x8E, 0x68, 0x17, 0x81, 0x53,
-	0x17, 0x86, 0x30, 0x8E, 0x68, 0x17, 0x81, 0x53, 0xAC, 0x38, 0x07, 0x17,
+	0xAC, 0x38, 0x07, 0x17, 0x0D, 0x8E, 0x68, 0xA3, 0x72, 0x17, 0x83, 0x10,
-	0x0D, 0x8E, 0x68, 0xA3, 0x72, 0x17, 0x83, 0x10, 0x8E, 0x68
+	0x8E, 0x68
 };