Pinned

1. Zynq BootROM Secrets - UART loader Zynq BootROM Secrets - UART loader

   1

   ## Zynq BootROM Secrets: UART loader

   2

   3

   Recently I acquired (md5: ADF639AFE9855EE86C8FAAD216C970D9) the Zynq bootrom, and during the reversing process uncovered some interesting secrets, one of which is an as-of-yet undocumented UART loader. As documented the Zynq bootrom will load from NOR/NAND/SPI flashes, eMMC/SDIO-based storage (unfortunately) not USB, or anything else more complex.

   4

   5

   Not sure why Xilinx didn't document this. In my brief testing it is *super* unreliable if you just spit everything at once - they reset the RX/TX paths during the process, so timing is critical, but that might be the janky meter-long ftdi cable. You can change the baudrate during the process, but I was too lazy to do the math.

2. Zynq BootROM Secrets: BootROM dump ... Zynq BootROM Secrets: BootROM dump exploit

   1

   ## Zynq BootROM Secrets: Exposing the bootROM with the UART loader

   2

   3

   Last time I wrote about this, I lied a little - There *is* an interesting bug in the UART loader, and it may have been exactly why Xilinx didn't document it. In short: The UART loader writes the entire UART payload to a location in memory (nominally `0x4_0000`). The ROM is architected such that when the boot mode is selected, it registers a callback that is called when the ROM wants more data from the boot device. For the UART loader, this is pretty simple - here's the whole thing:

   4

   5

   ```

3. zynq exploit loader shellcode zynq exploit loader shellcode