This post describes how to dump bootROM from Amlogic S905D3 SoC using Khadas VIM3L board. Since this board doesn't use Secure Boot, we can execute custom code in Secure World (a.k.a TrustZone) without exploiting any vulnerability. In addition, the board exposes an UART connector, which is convenient for …| fred's notes
In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack. These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code. The following chipsets are known to be affected by this bug : Exynos 8890 Exynos …| fred's notes
In the previous post, we explained how to dump Exynos bootROM. Exynos (8895 in this post) bootROM contains a minimal USB stack to load a signed bootloader from an USB host (a.k.a. boot from USB). This post summarizes how this USB stack can be reversed using the Great …| fred's notes