yalu10.2 KPP bypass question.

Postby SigNiver » Tue Sep 05, 2017 3:23 pm

Volume III has introduced in depth how KPP executes. However, I still get confused with the KPP bypass technique in yalu2. I have two questions about that part of the code.
1. The biggest problem for me in understanding the code is that I can't fully understand the macros related to the page table entry, such as TTE_INDEX_SHIFT, TTE_BLOCK_ATTR_NS_MASK, TTE_IS_TABLE_MASK and so on. Are there any documents that explain these? I have read the ARM® Cortex®-A Series carefully, but I still can't understand that.
2. I know the key point of the KPP bypass technique is changing the TTBR1 register. Changing the TTBR1 register will change the base address of the level 1 translation table for the kernel, so what does yalu write in each level of the translation table? Besides, how does the shellcode that changes the TTBR1 register run? I did not fully understand that either.
I hope someone can help me. Thanks a lot!
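The following is an added worked example, not code from the poster, from yalu, or from the book. It does not reproduce yalu's technique; it only shows the generic AArch64 (VMSAv8-64) facts that macros of the kind named in the question refer to: the per-level index shift into a virtual address, the descriptor type bit (bit 1: table vs. block) and the NS attribute bit (bit 5), how a walk from a base register resolves a VA, and why pointing a base register (TTBR1 for the kernel half) at a freshly cloned hierarchy gives a view that can be edited without touching the original tables. Assumptions, all mine and not from the post: a 4 KiB granule with 48-bit VAs (iOS kernels may use a 16 KiB granule, which changes the index widths), tables simulated as arrays in this process with descriptor address fields used as plain pointers, and the sample mappings (VA_BLOCK, VA_PAGE, PA_BLOCK, PA_PAGE) are constructed test data. Bit positions follow the ARMv8 Architecture Reference Manual's translation table descriptor formats.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed configuration (example assumption, not from the post or yalu): 4 KiB granule,
 * 48-bit VA (T0SZ = T1SZ = 16), 9 index bits per level, four lookup levels 0..3. */
#define GRANULE_SHIFT  12
#define VA_BITS        48
#define IDX_BITS       (GRANULE_SHIFT - 3)
#define IDX_MASK       ((1ULL << IDX_BITS) - 1)
#define ENTRIES        (1ULL << IDX_BITS)
#define POOL_TABLES    8

/* VMSAv8-64 descriptor bits (ARMv8 ARM, translation table descriptor formats) */
#define DESC_VALID     (1ULL << 0)
#define DESC_TABLE     (1ULL << 1)  /* levels 0-2: 1 = next-level table, 0 = block; level 3: must be 1 */
#define DESC_NS        (1ULL << 5)  /* block/page attribute: Non-secure output address */
#define DESC_AF        (1ULL << 10) /* access flag */
#define DESC_PXN       (1ULL << 53)
#define DESC_UXN       (1ULL << 54)
#define DESC_ADDR_MASK 0x0000FFFFFFFFF000ULL /* output or next-table address, bits [47:12] */

/* Shift that isolates the level-N index of a VA: 39, 30, 21, 12 for levels 0..3 */
unsigned tte_index_shift(int level) { return (unsigned)(GRANULE_SHIFT + (3 - level) * IDX_BITS); }
size_t   tte_index(uint64_t va, int level) { return (size_t)((va >> tte_index_shift(level)) & IDX_MASK); }

/* Top (64 - VA_BITS) bits all 1 -> TTBR1 (kernel half), all 0 -> TTBR0, anything else faults */
int ttbr_select(uint64_t va) {
    uint64_t top = va >> VA_BITS, ones = (1ULL << (64 - VA_BITS)) - 1;
    return top == ones ? 1 : top == 0 ? 0 : -1;
}

typedef struct { int valid, level; uint64_t desc, pa; uint64_t *slot; } walk_result;

/* Software walk from a root table. Tables live in this process and a descriptor's address
 * field is used directly as a pointer (example assumption; hardware reads physical memory). */
walk_result walk(uint64_t *ttbr, uint64_t va) {
    walk_result r = {0, 0, 0, 0, NULL};
    uint64_t *table = ttbr;
    for (int level = 0; level <= 3; level++) {
        r.slot = &table[tte_index(va, level)];
        r.desc = *r.slot; r.level = level;
        if (!(r.desc & DESC_VALID)) return r;
        if (level == 3 || !(r.desc & DESC_TABLE)) {
            /* leaf: level 3 needs bit 1 set (page); level 0 cannot hold a block with a 4 KiB granule */
            if ((level == 3 && !(r.desc & DESC_TABLE)) || level == 0) return r;
            uint64_t span = (1ULL << tte_index_shift(level)) - 1; /* bytes covered by this entry */
            r.pa = (r.desc & DESC_ADDR_MASK & ~span) | (va & span);
            r.valid = 1;
            return r;
        }
        table = (uint64_t *)(uintptr_t)(r.desc & DESC_ADDR_MASK);
    }
    return r;
}

uint64_t make_table_desc(const void *next) {
    return ((uint64_t)(uintptr_t)next & DESC_ADDR_MASK) | DESC_TABLE | DESC_VALID;
}
uint64_t make_leaf_desc(uint64_t pa, int level, uint64_t attrs) {
    uint64_t d = (pa & DESC_ADDR_MASK) | attrs | DESC_AF | DESC_VALID;
    return level == 3 ? d | DESC_TABLE : d; /* bit 1 set for a page, clear for a block */
}

/* Deep-copy the hierarchy under `src` into `pool` (POOL_TABLES tables, 4 KiB aligned). Walking
 * from the returned root sees identical mappings, but edits to the copy never touch the
 * original tables. Returns NULL if the pool runs out. */
uint64_t *clone_tables(const uint64_t *src, int level, uint64_t *pool, size_t *used) {
    if (*used >= POOL_TABLES) return NULL;
    uint64_t *dst = pool + (*used)++ * ENTRIES;
    memcpy(dst, src, ENTRIES * sizeof *dst);
    if (level == 3) return dst;
    for (size_t i = 0; i < ENTRIES; i++) {
        if ((dst[i] & (DESC_VALID | DESC_TABLE)) != (DESC_VALID | DESC_TABLE)) continue;
        uint64_t *child = clone_tables((const uint64_t *)(uintptr_t)(dst[i] & DESC_ADDR_MASK),
                                       level + 1, pool, used);
        if (!child) return NULL;
        dst[i] = make_table_desc(child);
    }
    return dst;
}

/* Constructed sample (example data, not any real kernel's tables):
 *   VA_BLOCK -> 2 MiB level-2 block at PA_BLOCK, Non-secure + PXN
 *   VA_PAGE  -> 4 KiB level-3 page at PA_PAGE, UXN                */
#define VA_BLOCK 0xFFFFFFF000200000ULL
#define VA_PAGE  0xFFFFFFF000001000ULL
#define PA_BLOCK 0x80000000ULL
#define PA_PAGE  0x40001000ULL
static _Alignas(4096) uint64_t root[ENTRIES], l1[ENTRIES], l2[ENTRIES], l3[ENTRIES];
static _Alignas(4096) uint64_t pool[POOL_TABLES * ENTRIES];

uint64_t *build_sample(void) {
    memset(root, 0, sizeof root); memset(l1, 0, sizeof l1);
    memset(l2, 0, sizeof l2);     memset(l3, 0, sizeof l3);
    root[tte_index(VA_BLOCK, 0)] = make_table_desc(l1);
    l1[tte_index(VA_BLOCK, 1)]   = make_table_desc(l2);
    l2[tte_index(VA_BLOCK, 2)]   = make_leaf_desc(PA_BLOCK, 2, DESC_NS | DESC_PXN);
    l2[tte_index(VA_PAGE, 2)]    = make_table_desc(l3);
    l3[tte_index(VA_PAGE, 3)]    = make_leaf_desc(PA_PAGE, 3, DESC_UXN);
    return root;
}

/* Clone the sample, retarget VA_PAGE in the clone only, and check that the original root
 * still resolves the old PA: what is mapped depends solely on which root the walk starts
 * from, i.e. on the base register value. Returns 1 on success. */
int clone_isolation_demo(void) {
    uint64_t *orig = build_sample();
    size_t used = 0;
    uint64_t *copy = clone_tables(orig, 0, pool, &used);
    if (!copy || used != 4) return 0;                /* root + l1 + l2 + l3 */
    walk_result w = walk(copy, VA_PAGE);
    if (!w.valid || w.pa != PA_PAGE) return 0;
    *w.slot = make_leaf_desc(0x40009000ULL, 3, DESC_UXN); /* edit the clone's page entry */
    if (walk(copy, VA_PAGE).pa != 0x40009000ULL) return 0;
    return walk(orig, VA_PAGE).pa == PA_PAGE;
}
```

With a 16 KiB granule the same structure applies, but IDX_BITS becomes 11, the level shifts become 47, 36, 25, 14, the address mask starts at bit 14, and level 0 holds a single entry; the descriptor type and attribute bit positions are unchanged.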
