/*
 *  0wnboot
 *  by chronic and ius
 *
 *  http://chronic-dev.org/blog/
 *  http://chronicdev.googlecode.com/
 */

// compile with:
//
// arm-elf-gcc -s -Ttext=0x0 -nostdlib -o 0wnboot 0wnboot.c && arm-elf-objcopy -O binary 0wnboot 0wnboot.bin
// && rm -rf 0wnboot

// Bare-metal build: no libc headers are available, so the fixed-width
// types are hand-declared. uint32_t is only 32 bits wide where `long` is
// 32 bits, as on the arm-elf target named in the build comment above.
typedef unsigned short uint16_t;
typedef unsigned long uint32_t;
//#define LOADADDR 0x9000000
// Hard-coded addresses of the firmware image these patches were taken
// from; nothing below verifies that the expected bytes are actually present
// at them, so on any other build the writes land in unrelated code/data.
#define SIGCHECK_LOC 0x0FF1A132 // change to 00 20 (mov r0, #0)
#define IBFLAGS_LOC 0xFF2ADC0 // change to 0xffffffff - range+perms check bye bye!
// Volatile 16-/32-bit stores to an absolute address (x is an integer,
// not a pointer); volatile keeps the compiler from dropping or reordering
// the writes.
#define SET_REG16(x, y) (*((volatile uint16_t*)(x)) = (y))
#define SET_REG32(x, y) (*((volatile uint32_t*)(x)) = (y))
// Function pointer into the resident firmware's printf. Arithmetic on a
// `void*` is a GCC extension; the +1 is consistent with the ARM convention
// of setting the low address bit for a Thumb-mode target. Only referenced
// from the commented-out calls in _start().
int (*ib_printf)(const char *format, ...) = (void*)0x0FF1B5BC+1;

/*
 * Entry point (linked at 0x0 with -Ttext=0x0, see build comment). Performs a
 * fixed sequence of in-memory patches at the absolute addresses declared
 * above and returns to the caller; there is no return value and no error
 * path. Every store is unconditional: no read-back of the original bytes,
 * no bounds or writability check, so the function silently corrupts memory
 * when run against a firmware build other than the one the offsets belong
 * to. The old-style `()` declarator is unprototyped; `(void)` would be the
 * C99 form.
 */
void _start() {
//  ib_printf("0wnboot v0.3\n");
//  ib_printf("by chronic and ius\n\n");
//  ib_printf("thanks to pod2g, CPICH, MuscleNerd, and westbaer\n\n");
//  ib_printf("patching iboot flags...\n");
  SET_REG32(IBFLAGS_LOC, 0xffffffff);
//  ib_printf("patching sig check...\n");
  SET_REG16(SIGCHECK_LOC, 0x2000);
//  ib_printf("doing clearenv hax...\n");
  // Three consecutive writes (two 16-bit halfwords followed by a 32-bit
  // literal); the halfwords are annotated by the author as Thumb encodings
  // and the 32-bit value as the literal they reference, so the order and
  // adjacency of these writes matter.
  SET_REG16(0x0FF19344, 0x4B00); // ldr r3, 0x9000000
  SET_REG16(0x0FF19346, 0x4718); // bx r3
  SET_REG32(0x0FF19348, 0x09000000); // 0x9000000
  // Little-endian ASCII: 0x706D756A is "jump", 0x65646F63 is "code";
  // these overwrite a string stored in the firmware image.
  SET_REG32(0x0FF23EAC, 0x706D756A); // rename cleareenv patch1 = "jump"
  SET_REG32(0x0FF23EB0, 0x65646F63); // rename clearenv patch2 = "code"
//  ib_printf("u haz been 0wned good sir!\n");
}