# TZ Exploit - CTS * [x] Read EL from APX * [x] Read EL from UEFI * [ ] Create Payload ## Idea Write code into TZ mem and jump to it. Hopefully it will execute at EL3. ## Tests ### Read NS-Bit page 1697: can only be read from securemode. ### Read EL \ [\ http://lioncash.github.io/ARMBook/the\_apsr,\_cpsr,\_and\_the\_difference\_between\_them.html](http://lioncash.github.io/ARMBook/the_apsr,_cpsr,_and_the_difference_between_them.html)\ \ \ page: 1139
### Read EL from APX a custom payload will be used to read the Exception Level from in APX mode.\ I expect it to be 3. ![](https://2395005476-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQb34R_xPz0ll0scbM%2F-MX2GWa0yBkEeZgMoRbU%2F-MX2PRxduOWt1YvgMR-h%2Fimage.png?alt=media\&token=82b00268-c6c7-41f8-aa7f-32fe077e88b2) | #define CPSR\_M\_SVC 0x13U | | ---------------------------- | Supervisor mode is the default mode to which a Supervisor Call exception is taken. {% file src="" %} FuseeGelee Payload to read EL from APX {% endfile %} ### Read EL from UEFI A normal efi App will be used to read the Execption Level from UEFI.\ I expect it to be 0. ![](https://2395005476-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQb34R_xPz0ll0scbM%2F-MX2GWa0yBkEeZgMoRbU%2F-MX2ZAd73Yp4H7vgNzQ4%2FEL_UEFI.jpg?alt=media\&token=a14ab6ab-e435-428b-8584-ea2d5a02af1b) | #define CPSR\_M\_FIQ 0x11U | | ---------------------------- | FIQ mode is the default mode to which an FIQ interrupt is taken. ## Creating a payload We need a relocateable payload since UEFI can give us different load addresses everytime. Therefore we need to use Position independent code:\ \ ## Step by Step ### Step 1: Create payload which reads EL and reports back via serial.\ Read payload from USB/eMMC to memory.\ Disable TZ protection.\ copy payload into TZ mem.\ override TZ with jumps to payload address.\ If payload reads EL3 continue. ### Step 2: to be continued...