346
edits
Changes
Jump to navigation
Jump to search
Line 118:
Line 118: + + + + + + + + + + + + + + + + + + + + +
Added espresso boot rom bugs
| None
| None
| [[User:GaryOderNichts|GaryOderNichts]], [[User:Yellows8|yellows8]] (independently: January 2021)
| [[User:GaryOderNichts|GaryOderNichts]], [[User:Yellows8|yellows8]] (independently: January 2021)
|}
== Espresso Boot ROM ==
{| class="wikitable" border="1"
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Discovered by
|-
| Binary is not reverified before launching
| The [[Espresso Boot ROM]] does not check for modifications to the binary in main memory before launching it. By changing the first instruction from the [[Hardware/Starbuck|Starbuck]], the [[Espresso]] can be sent anywhere.
| Arbitrary Espresso code booting
| Unknown
| fail0verflow
|-
| Reset vector is not always locked in L2 cache
| The Espresso Boot ROM keeps an infinite loop at the reset vector to prevent unexpected code from executing. Most of the time, this is in the L2 cache, which prevents the Starbuck from overwriting it. Toward the end, it is no longer in the cache, so a custom jump can be done, before ROM access is disabled.
| Espresso Boot ROM can be dumped
| Unknown
| fail0verflow
|}
|}