NOTICE: If somebody can figure this out and find a way of flashing without the freezes, I will give them $50. If you want to pledge money for this, PayPal it to me and let me know it's for this... I'll update in here.
I'm going to post all the data I can about phatpatch's constant crashing in here in the hopes that somebody can figure it out:
I used a test phatpatch that just changes some code that's unused, the source is at http://downloads.phathack.com/sbingner/phatpatch-0.8.c -- there is no compiled version since it obviously does no good and I don't want somebody to try to use it.
It more often than not seems to be causing the phatbox to freeze up and reboot... sometimes it doesn't... here's one error:
flash = (volatile unsigned short *)0x40001000; flash[0x8a04&0xffff] = 0x65532;
Bad mode in prefetch abort handler detected: mode SVC_32
Vectors: (0xffff0000 to 0xffff0040)
0000: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Stubs: (0xffff0200 to 0xffff04b8)
0200: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0220: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0240: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0260: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0280: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0300: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0320: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0340: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0360: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0380: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0400: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0420: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0440: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0460: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0480: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04a0: 00000000 00000000 00000000 00000000 00000000 00000000
Internal error: Oops: 0
CPU: 0
pc : [<c00484bc>] lr : [<c0043514>] Not tainted
sp : c0fdbf28 ip : 00000000 fp : bffffbf8
r10: 00000002 r9 : 0007b3fc r8 : c0fdbff4
r7 : c0fdbff9 r6 : 00000001 r5 : 00050000 r4 : 0005e688
r3 : 00000005 r2 : 00000000 r1 : ffffffff r0 : 0005e688
Flags: nZCv IRQs off FIQs on Mode SVC_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Process phatpatch-0.8 (pid: 23, stackpage=c0fdb000)
Stack: (0xc0fdbf60 to 0xc0fdc000)
bf60: c0043514 c00484bc 60000093 ffffffff 40012408 c00ee768 c0fdbfb8 00008674
bf80: 0007b3fc c0fdbff9 c0fdbfb4 c0fdbf98 c0049cb4 c00497d4 e1c230b0 c0fdbff4
bfa0: 00000001 c00fcb7c 00000000 c0fdbfb8 c00438b4 c0049c90 00000000 00000000
bfc0: 40012408 0000fffc 0000fffe 00000005 00000001 bffffc5c 00008674 0007b3fc
bfe0: 00000002 bffffbf8 00000000 bffffbe0 000173a0 0000821c 60000010 ffffffff
Backtrace: invalid frame pointer 0xbffffbf8
Code: 13a05102 11a057c5 01a05001 e59f00bc (e5903000)
Segmentation fault
Another like this first one:
flash = (volatile unsigned short *)0x40001000; flash[0x8a10&0xffff] = 0x65532;
Bad mode in prefetch abort handler detected: mode UK12_32
Vectors: (0xffff0000 to 0xffff0040)
0000: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Stubs: (0xffff0200 to 0xffff04b8)
0200: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0220: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0240: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0260: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0280: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0300: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0320: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0340: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0360: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0380: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0400: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0420: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0440: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0460: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0480: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04a0: 00000000 00000000 00000000 00000000 00000000 00000000
Internal error: Oops: 0
CPU: 0
pc : [<40021000>] lr : [<c004b20c>] Not tainted
sp : c0fdbee0 ip : c0fdbf0c fp : ffffffff
r10: c0fda000 r9 : c038d780 r8 : c038e2bc
r7 : c00fd9b4 r6 : c00fa000 r5 : c0049ed4 r4 : c005e254
r3 : 0005e3d8 r2 : 00000015 r1 : c0fda000 r0 : 0007a000
Flags: NZcv IRQs on FIQs on Mode UK12_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Process phatpatch-0.8 (pid: 25, stackpage=c0fdb000)
Stack: (0xc0fdbf18 to 0xc0fdc000)
bf00: c004b20c 40021000
bf20: c000001c ffffffff c0fdbf60 c0fdbf38 c0049660 c005e13c c038e2bc c0fda000
bf40: c00ee768 c038e2a0 40012420 ffffffff c038e2bc c0fdbf94 c0fdbf64 c0049844
bf60: c00ecd58 c004ac5c 00000000 0000000f 40012420 c00ee768 c0fdbfb8 00008674
bf80: 0007b3fc 00000002 c0fdbfb4 c0fdbf98 c0049cb4 c00497d4 e1c230b0 c0fdbff4
bfa0: 00000001 c00fcb7c 00000000 c0fdbfb8 c00438b4 c0049c90 00000000 00000000
bfc0: 40012420 0000fffc 0000fffe 00000005 00000001 bffffc5c 00008674 0007b3fc
bfe0: 00000002 bffffbf8 00000000 bffffbe0 000173a0 0000821c 60000010 ffffffff
Backtrace: invalid frame pointer 0xffffffff
Code: ffffffff ffffffff ffffffff ffffffff bad PC value.
Segmentation fault
After this one it rebooted itself:
flash = (volatile unsigned short *)0x40001000; flash[0x8a06&0xffff] = 0x65532;
Unable to handle kernel paging request at virtual address c1804000
pgd = c0034000
*pgd = c0ce6031, *pmd = c0ce6031, *pte = 00000000, *ppte = 00000000
Internal error: Oops: ffffffff
CPU: 0
pc : [<c00434e4>] lr : [<00000000>] Not tainted
sp : c1803fd4 ip : c00f8678 fp : e92dd800
r10: 00000000 r9 : 60000093 r8 : 00000000
r7 : ffffffff r6 : 0000ffff r5 : c00495ac r4 : ff100000
r3 : de6e75d0 r2 : 00000000 r1 : c00f8680 r0 : 00000000
Flags: nzCv IRQs off FIQs on Mode SVC_32 Segment kernel
Control: 217D Table: C0FD4015 DAC: 00000015
Process (pid: 0, stackpage=c1803000)
Yet another, no reboot on this one:
flash = (volatile unsigned short *)0x40001000; flash[0x8a0a&0xffff] = 0x65532;
pc : [<0002908c>] lr : [<00029088>] Not tainted
sp : bffff64c ip : bffffbd0 fp : bffffbcc
r10: 00000002 r9 : 0007b3fc r8 : 00008674
r7 : bffffc5c r6 : 00000001 r5 : 00000005 r4 : 0000fffe
r3 : 0007b434 r2 : 00000000 r1 : 000d4110 r0 : 0007b448
Flags: nZCv IRQs on FIQs on Mode USER_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Segmentation fault
Similar crash:
flash = (volatile unsigned short *)0x40001000; flash[0x8a0e&0xffff] = 0x65532;
pc : [<00382e30>] lr : [<00008228>] Not tainted
sp : bffffffc ip : 00000000 fp : bffffbf8
r10: 00000002 r9 : 0007b3fc r8 : 2d686374
r7 : 61707461 r6 : 68702f2e r5 : 00736f64 r4 : 2f3d4457
r3 : 0000fffc r2 : 4001241c r1 : 00000000 r0 : fe1681b0
Flags: nZCv IRQs on FIQs on Mode USER_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Segmentation fault
Crash, no reboot:
flash = (volatile unsigned short *)0x40001000; flash[0x8a0c&0xffff] = 0x65532;
pc : [<c004ae48>] lr : [<c0043964>] Not tainted
sp : c0fdbfd4 ip : c0fdc000 fp : c0fdbffc
r10: e5813020 r9 : e2622014 r8 : 00000001
r7 : e0833142 r6 : 0007b3fc r5 : 00008674 r4 : c0fda000
r3 : c038e2a0 r2 : e2622018 r1 : 0000fffe r0 : 0005e688
Flags: nZCv IRQs on FIQs on Mode USER_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Bad mode in data abort handler detected: mode ABT_32
Vectors: (0xffff0000 to 0xffff0040)
0000: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Stubs: (0xffff0200 to 0xffff04b8)
0200: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0220: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0240: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0260: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0280: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0300: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0320: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0340: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0360: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0380: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0400: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0420: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0440: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0460: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0480: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04a0: 00000000 00000000 00000000 00000000 00000000 00000000
Internal error: Oops: 0
CPU: 0
pc : [<ffff0308>] lr : [<c0043964>] Not tainted
sp : c0fdbf8c ip : c0fdc000 fp : c0fdbffc
r10: e5813020 r9 : e2622014 r8 : 00000001
r7 : e0833142 r6 : 0007b3fc r5 : 00008674 r4 : c0fda000
r3 : c038e2a0 r2 : e2622018 r1 : 0000fffe r0 : 0005e688
Flags: nZCv IRQs off FIQs on Mode ABT_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Process phatpatch-0.8 (pid: 24, stackpage=c0fdb000)
Stack: (0xc0fdbfc4 to 0xc0fdc000)
bfc0: c0043964 ffff0308 60000097 ffffffff bffffc5c 00008674 0007b3fc
bfe0: 00000002 bffffbf8 00000000 bffffbe0 000173a0 0000821c 60000010 ffffffff
Backtrace:
Function entered at [<ffffffef>] from [<60000010>]
Backtrace aborted due to bad frame pointer <c0fdbffc>
Code: bad PC value.
note: phatpatch-0.8[24] exited with preempt_count 1
Segmentation fault
But after this one I couldn't run verify or even save the rom out:
/dos # ./phatpatch-0.8 s test
Unable to handle kernel NULL pointer dereference at virtual address 00000004
pgd = c0fd4000
*pgd = c0fec011, *pmd = c0fec011, *pte = 00000000, *ppte = 00000000
Internal error: Oops: 0
CPU: 0
pc : [<c00ecb88>] lr : [<c005a648>] Not tainted
sp : c0fdbf74 ip : c0fdbf9c fp : c0fdbfac
r10: 00000003 r9 : c0fda000 r8 : c0043aa0
r7 : 0000007a r6 : bffffe54 r5 : 0007b7bc r4 : bffffc5c
r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 : c00fe808
Flags: Nzcv IRQs on FIQs on Mode SVC_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Process phatpatch-0.8 (pid: 31, stackpage=c0fdb000)
Stack: (0xc0fdbf64 to 0xc0fdc000)
bf60: c005a648 c00ecb88 80000013 ffffffff 00009714 00000003 c0fdbfa4
bf80: c0fdbf8c bffffc5c 0007b7bc c0fdbfac c0fdbf9c c005a648 c00ecb84 00000000
bfa0: 00000000 c0fdbfb0 c0043920 c005a640 00000000 c0049d20 bffffc5c 00000001
bfc0: 0000000f 00000000 00000000 0007b7bc bffffe54 bffffc5c bffffe54 00009714
bfe0: 00000003 0007b3fc 0007a68c bffffc58 0000934c 000172a4 60000010 bffffc5c
Backtrace:
Function entered at [<c005a630>] from [<c0043920>]
r4 = 00000000
Code: e92dd830 e24dd010 a0000093 e3c2203f (e5923004)
Segmentation fault
reboot, top or halt would also not work (ls was about the only thing that did):
/dos # reboot
Unable to handle kernel NULL pointer dereference at virtual address 00000004
pgd = c0fd4000
*pgd = c0fec011, *pmd = c0fec011, *pte = 00000000, *ppte = 00000000
Internal error: Oops: 0
CPU: 0
pc : [<c00ecb88>] lr : [<c00954a8>] Not tainted
sp : c0fdbe48 ip : c0fdbe70 fp : c0fdbf58
r10: c0fdbf20 r9 : 00000000 r8 : c0fdbf28
r7 : c038e0a0 r6 : c0028000 r5 : c0fda000 r4 : c038e0bc
r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : c038e0bc
Flags: NzCv IRQs on FIQs on Mode SVC_32 Segment user
Control: 217D Table: C0FD4015 DAC: 00000015
Process busybox (pid: 39, stackpage=c0fdb000)
Stack: (0xc0fdbe38 to 0xc0fdc000)
be20: c00954a8 c00ecb88
be40: a0000013 ffffffff c0fdbe54 c006a544 c006a03c 00000041 c038e0bc c0fda000
be60: c0fdbf58 c0fdbe70 c00954a8 c00ecb84 c0fdbe7c c00889b4 c00eaf70 c0392008
be80: 01c5a71f 00000004 c0fdbedc 00000000 c0f26260 c0fdbf60 c0fda000 c0fdbf64
bea0: c0f26260 c0fdbec8 c0fdbeb4 c00878d0 c00ecef0 c0f27a80 00000000 20000013
bec0: 00000000 00000041 c00fcf38 00000000 000001f0 c00fcd3c c0fda000 c00fcf34
bee0: c0fdbf18 c0fdbef0 c006a544 c006a03c c0f27a80 c00fcd3c c00fcd3c 00000000
bf00: 000001f0 00000053 00000000 ffffffff c0fdbf1c 00000000 00000000 c0f52000
bf20: c0fdbf2c c006d410 c006d348 c0028000 c0028000 00000100 c0f27a80 c0391dc0
bf40: c0f52000 c0fda000 000bfe00 c0fdbf80 c0fdbf5c c0092b1c c00953b0 00000000
bf60: ffffffea c0391da0 00000100 000bfe00 000a05d0 c0fdbfac c0fdbf84 c0070ee0
bf80: c0092ad8 c00720d0 bffff864 000c3f80 00000100 bffff897 00000003 c0043aa0
bfa0: 00000000 c0fdbfb0 c0043920 c0070e14 000c3f80 c0049c90 00000005 000bfe00
bfc0: 00000100 0006fda8 000c3f80 00000100 bffff897 bffff897 bffffd90 00000000
bfe0: 000a05d0 bffff844 bffff848 bffff834 0006fdbc 000778b8 20000010 00000005
Backtrace:
Function entered at [<c00953a0>] from [<c0092b1c>]
Function entered at [<c0092ac8>] from [<c0070ee0>]
Function entered at [<c0070e04>] from [<c0043920>]
r8 = C0043AA0 r7 = 00000003 r6 = BFFFF897 r5 = 00000100
r4 = 000C3F80
Code: e92dd830 e24dd010 a0000093 e3c2203f (e5923004)
Segmentation fault