From 0ab0ba6b649c06bde24d5185625fa3614da0982a Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Wed, 1 Jan 2025 23:59:44 +0530 Subject: [PATCH 1/8] Add files via upload Added pipa --- ShellCode/ShellCode.Pipa.S | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 ShellCode/ShellCode.Pipa.S diff --git a/ShellCode/ShellCode.Pipa.S b/ShellCode/ShellCode.Pipa.S new file mode 100644 index 0000000..2a2064a --- /dev/null +++ b/ShellCode/ShellCode.Pipa.S @@ -0,0 +1,24 @@ +.include "DummyHead.S" + +/* Shell Code for Xiaomi Pad 6 */ +_ShellCodeStart: + movz x4, #0x9004 + movk x4, #0x390, lsl #16 // Store 0x3909004 to x4, which is io status reg of gpio 110. + movz x5, #0x3004 + movk x5, #0x395, lsl #16 // Store 0x3953004 to x5, which is io status reg of gpio 110. + ldr w6, [x4] // Get status value from address stored in x4 and store it to w6. + ldr w7, [x5] // Get status value from address stored in x5 and store it to w7. + nop + nop + and w6, w6, w7 // w6 & w7 and store in w6. + and w6, w6, #1 // w6 & 1 and store in w6. + cbnz w6, _UEFI // Compare w6 with 0, if w6 == 0 goto _UEFI, else execute next instruction + +_LinuxStart: + b 0x0 // Code to jump to the Android kernel + +_UEFI: + b 0x40 // Code to jump to UEFI + +.include "CommonTail.S" +/* Do not remove the last line */ \ No newline at end of file From 91918714eaab29cef10cbfdb7acc21384e922adb Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Thu, 2 Jan 2025 00:06:18 +0530 Subject: [PATCH 2/8] Update ShellCode.Pipa.S Fix Shellcode --- ShellCode/ShellCode.Pipa.S | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/ShellCode/ShellCode.Pipa.S b/ShellCode/ShellCode.Pipa.S index 2a2064a..cd39429 100644 --- a/ShellCode/ShellCode.Pipa.S +++ b/ShellCode/ShellCode.Pipa.S 
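Review bot: The comment on the new `cbnz w6, _UEFI` line inverts the instruction: `cbnz` branches when w6 is non-zero, so UEFI is entered when bit 0 of the status register reads 1 and the fall-through to `_LinuxStart` happens when it reads 0, the opposite of "if w6 == 0 goto _UEFI". Either the comment or the branch polarity is wrong, and the later description in this series does not settle it, since it calls the sensor active-low yet says "zero (not activated)" should select UEFI; if the sensor really is active-low and UEFI is meant for the activated state, the instruction would have to be `cbz`. If the branch is the intended one, the comment should say what the hardware does, e.g. `// cbnz: bit0 set (GPIO high) -> _UEFI; bit0 clear -> fall through to Linux`. The same inverted wording is re-added by the `else Android` rewrite in patch 2 and the `else execute next instruction(jmp Linux)` rewrite in patch 3.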
@@ -12,13 +12,7 @@ _ShellCodeStart: nop and w6, w6, w7 // w6 & w7 and store in w6. and w6, w6, #1 // w6 & 1 and store in w6. - cbnz w6, _UEFI // Compare w6 with 0, if w6 == 0 goto _UEFI, else execute next instruction - -_LinuxStart: - b 0x0 // Code to jump to the Android kernel - -_UEFI: - b 0x40 // Code to jump to UEFI + cbnz w6, _UEFI // Compare w6 with 0, if w6 == 0 goto _UEFI, else Android .include "CommonTail.S" -/* Do not remove the last line */ \ No newline at end of file +/* Do not remove the last line */ From 972170a3d75e5f993f7e1b46456eebfc4908a3aa Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Fri, 3 Jan 2025 14:47:16 +0530 Subject: [PATCH 3/8] Updated register definitions for the GPIO controller https://github.com/pipa-mainline/linux/blob/adomerle/aw88261-wip/drivers/pinctrl/qcom/pinctrl-sm8250.c Target Device: Xiaomi Pad 6 (pipa), using Snapdragon 870 (SM8250) Goal: Detect Hall sensor state during boot and redirect to UEFI if activated. Hall Sensor GPIO: GPIO 110 on the TLMM controller, active low. TLMM Controller Base Address: 0xf900000 (North tile) GPIO 110 Status Register Offset: 0xB0004 (calculated as: 0x1000 * 110 + 0x4) Relevant Bit: Bit 0 of the status register represents the input status. Logic: Load the GPIO status register into a register. Mask the register using a logical AND to isolate the hall sensor input bit. Conditional branch based on that bit: If the bit is zero(not activated), jump to the UEFI. Otherwise, continue to the Linux kernel. Shellcode Structure: Uses DummyHead.S for padding and basic jump; uses CommonTail.S to provide UEFI/Linux branches. --- ShellCode/ShellCode.Pipa.S | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/ShellCode/ShellCode.Pipa.S b/ShellCode/ShellCode.Pipa.S index cd39429..d158a04 100644 --- a/ShellCode/ShellCode.Pipa.S +++ b/ShellCode/ShellCode.Pipa.S 
@@ -1,18 +1,14 @@ .include "DummyHead.S" -/* Shell Code for Xiaomi Pad 6 */ +/* Shell Code for Xiaomi Pad 6 (Pipa) */ _ShellCodeStart: - movz x4, #0x9004 - movk x4, #0x390, lsl #16 // Store 0x3909004 to x4, which is io status reg of gpio 110. - movz x5, #0x3004 - movk x5, #0x395, lsl #16 // Store 0x3953004 to x5, which is io status reg of gpio 110. + movz x4, #0xb004 + movk x4, #0xf90, lsl #16 // Store 0xf90b004 to x4, which is address of GPIO 110. ldr w6, [x4] // Get status value from address stored in x4 and store it to w6. - ldr w7, [x5] // Get status value from address stored in x5 and store it to w7. nop nop - and w6, w6, w7 // w6 & w7 and store in w6. - and w6, w6, #1 // w6 & 1 and store in w6. - cbnz w6, _UEFI // Compare w6 with 0, if w6 == 0 goto _UEFI, else Android + and w6, w6, #1 // w6 & 1 and stored in w6. + cbnz w6, _UEFI // Compare w6 with 0, if w6 == 0 goto _UEFI, else execute next instruction(jmp Linux). .include "CommonTail.S" -/* Do not remove the last line */ +/* Do not remove the last line */ From 43210d0211a12f035a07a594efc6da80107c55bc Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Fri, 3 Jan 2025 15:08:59 +0530 Subject: [PATCH 4/8] Correction:Address in shellcode --- ShellCode/ShellCode.Pipa.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ShellCode/ShellCode.Pipa.S b/ShellCode/ShellCode.Pipa.S index d158a04..e0fdd18 100644 --- a/ShellCode/ShellCode.Pipa.S +++ b/ShellCode/ShellCode.Pipa.S @@ -2,8 +2,8 @@ /* Shell Code for Xiaomi Pad 6 (Pipa) */ _ShellCodeStart: - movz x4, #0xb004 - movk x4, #0xf90, lsl #16 // Store 0xf90b004 to x4, which is address of GPIO 110. + movz x4, #0xb004 // Load lower 16 bits of the address (0xb004) + movk x4, #0xf90, lsl #16 // Store 0xf900000 to the high part of x4 to create address of GPIO 110. ldr w6, [x4] // Get status value from address stored in x4 and store it to w6. nop nop From 64c8310f56725aee75bf706e03d87da1b6a2278e Mon Sep 17 00:00:00 2001 
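Review bot: The address built by the new `movz x4, #0xb004` / `movk x4, #0xf90, lsl #16` pair is 0x0f90b004, which matches neither the offset the description gives (0xB0004) nor the formula it quotes, because 0x1000 * 110 is 0x6E000 (110 decimal is 0x6E), placing the GPIO 110 status register at the stated TLMM base 0xf900000 + 0x6E004. The hand-split into two 16-bit halves is what keeps going wrong in this series: patch 4 only re-comments the same value, patch 6's `#0xf90` high half yields 0x0f90e004 rather than the 0xf906e004 its comment claims, and patch 7 finally reaches `#0xf96`. Letting the assembler derive both halves from named constants removes that class of error and records where the number comes from. `_ShellCodeStart` has no visible end here; its tail is supplied by the included CommonTail.S.
```asm
/* TLMM north-tile base, per-GPIO register stride and hall-sensor GPIO, as given in the commit description */
.equ TLMM_BASE,    0xf900000
.equ GPIO_STRIDE,  0x1000
.equ HALL_GPIO,    110
.equ HALL_IO_REG,  TLMM_BASE + (GPIO_STRIDE * HALL_GPIO) + 0x4  // status register of GPIO 110

_ShellCodeStart:
    movz x4, #(HALL_IO_REG & 0xffff)           // low 16 bits, computed by the assembler
    movk x4, #(HALL_IO_REG >> 16), lsl #16     // high bits; x4 = HALL_IO_REG
    // … unchanged: ldr w6, [x4], nop, nop, and, cbnz …
```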
From: pipa-pussy Date: Fri, 3 Jan 2025 16:12:57 +0530 Subject: [PATCH 5/8] Added Pipa Config --- Config/DualBoot.Sm8250.cfg | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 Config/DualBoot.Sm8250.cfg diff --git a/Config/DualBoot.Sm8250.cfg b/Config/DualBoot.Sm8250.cfg new file mode 100644 index 0000000..126e750 --- /dev/null +++ b/Config/DualBoot.Sm8250.cfg @@ -0,0 +1,3 @@ +StackBase=0x9FC00000 +StackSize=0x00040000 +RestartReasonAddress=0x146bf65c \ No newline at end of file From 78b3dbe79aa9f43dc9e16db818c3ce206ef94b6d Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Fri, 3 Jan 2025 22:46:03 +0530 Subject: [PATCH 6/8] Update ShellCode.Pipa.S To Correct Shellcode Address --- ShellCode/ShellCode.Pipa.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ShellCode/ShellCode.Pipa.S b/ShellCode/ShellCode.Pipa.S index e0fdd18..579f6d2 100644 --- a/ShellCode/ShellCode.Pipa.S +++ b/ShellCode/ShellCode.Pipa.S @@ -2,8 +2,8 @@ /* Shell Code for Xiaomi Pad 6 (Pipa) */ _ShellCodeStart: - movz x4, #0xb004 // Load lower 16 bits of the address (0xb004) - movk x4, #0xf90, lsl #16 // Store 0xf900000 to the high part of x4 to create address of GPIO 110. + movz x4, #0xe004 + movk x4, #0xf90, lsl #16 // Store 0xf906e004 to x4, which is address of GPIO 110. ldr w6, [x4] // Get status value from address stored in x4 and store it to w6. nop nop From 6dd39a4588f5feaf49601dc49cddbb29773f29ab Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Sat, 4 Jan 2025 00:27:38 +0530 Subject: [PATCH 7/8] Fixed: ShellCode.Pipa.S --- ShellCode/ShellCode.Pipa.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ShellCode/ShellCode.Pipa.S b/ShellCode/ShellCode.Pipa.S index 579f6d2..9960131 100644 --- a/ShellCode/ShellCode.Pipa.S +++ b/ShellCode/ShellCode.Pipa.S 
@@ -3,7 +3,7 @@ /* Shell Code for Xiaomi Pad 6 (Pipa) */ _ShellCodeStart: movz x4, #0xe004 - movk x4, #0xf90, lsl #16 // Store 0xf906e004 to x4, which is address of GPIO 110. + movk x4, #0xf96, lsl #16 // Store 0xf96E004 to x4, which is address of GPIO 110. ldr w6, [x4] // Get status value from address stored in x4 and store it to w6. nop nop From e1238386b1e3b1c6bfcfc814bba43667801f10e6 Mon Sep 17 00:00:00 2001 From: pipa-pussy Date: Sat, 4 Jan 2025 00:30:18 +0530 Subject: [PATCH 8/8] Removed: RestartReasonAddress; Fixed StackSize Value --- Config/DualBoot.Sm8250.cfg | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Config/DualBoot.Sm8250.cfg b/Config/DualBoot.Sm8250.cfg index 126e750..d8f37a9 100644 --- a/Config/DualBoot.Sm8250.cfg +++ b/Config/DualBoot.Sm8250.cfg @@ -1,3 +1,2 @@ StackBase=0x9FC00000 -StackSize=0x00040000 -RestartReasonAddress=0x146bf65c \ No newline at end of file +StackSize=0x00300000