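#!/usr/bin/env python
"""Dump the boot0 ROM of the attached target over the serial IPC proxy.

A small ARM payload is assembled, written to ``CODE_SCRATCH`` and executed
through the proxy.  The payload copies ``DUMP_SIZE`` bytes starting at
``BOOT0_BASE`` into ``CODE_BUFFER``; the host then reads that buffer back
and stores it as ``boot0.b`` in the current directory.

The serial device comes from the ``FTDIDEVICE`` environment variable
(default ``/dev/ttyUSB2``).  Running the file executes the dump; importing
it only opens the serial link and builds the proxy objects.
"""
import serial, os, struct, code, traceback, readline
from proxy import *
from asm import *

# Serial link to the target and the IPC proxy layered on top of it.
ftdidev = os.environ.get("FTDIDEVICE", "/dev/ttyUSB2")
ftdi = serial.Serial(ftdidev, 230400)
iface = SerialInterface(ftdi, debug=False)
proxy = IPCProxy(iface, debug=False)

CODE_SRAM = 0xfffff000
CODE_MEM2 = 0x11000000
CODE_SCRATCH = 0x10000000  # 0x11000000 -- where the payload is loaded and called
CODE_BUFFER = 0x12000000   # where the payload copies boot0 to
DUMP_SIZE = 0x4000         # bytes copied; the loop below needs a non-zero multiple of 4

# Source address of the copy (first value the payload loads into r0).
BOOT0_BASE = 0xfff00000
# Register the payload pokes around the copy.  The original comment calls
# this "enable boot0"; the payload clears BOOT0_DISABLE_BIT in it before
# copying and restores the saved value afterwards.  NOTE(review): the exact
# meaning of the register/bit is not established by this file -- confirm
# against the platform documentation before changing either constant.
BOOT0_CTRL = 0x0d80018c
BOOT0_DISABLE_BIT = 0x1000
# Fill pattern written to CODE_BUFFER before the call, so an unchanged
# buffer is recognisable in the dump.
FILL_PATTERN = 0x42424242

# ARM payload template; formatted with (destination address, byte count).
# Register use:
#   r0 = source pointer (BOOT0_BASE), r1 = destination pointer,
#   r2 = bytes remaining, r4 = BOOT0_CTRL, r5 = its saved value,
#   r6 = saved value with BOOT0_DISABLE_BIT cleared (also the return value).
# The value passed in r0 by the caller is overwritten immediately, so the
# argument given to proxy.call() is not used by the payload.
# Named PAYLOAD_TEMPLATE rather than ``code`` so the imported ``code``
# module is not shadowed.
PAYLOAD_TEMPLATE = """
hax:
    push {r4-r12,lr}
    ldr r0, =0x%08x
    ldr r1, =0x%08x
    ldr r2, =0x%08x
    # enable boot0
    ldr r4, =0x%08x
    ldr r5, [r4]
    bic r6, r5, #0x%x
    str r6, [r4]
loop:
    ldr r3, [r0]
    str r3, [r1]
    add r0, #4
    add r1, #4
    subs r2, #4
    bne loop
    str r5, [r4]
    mov r0, r6
    pop {r4-r12,lr}
    bx lr
"""


def build_payload():
    """Assemble the copy payload for execution at CODE_SCRATCH.

    Returns:
        The ARMAsm object; ``.data``/``.len`` hold the bytes and ``.hax``
        the entry point label.
    """
    src = PAYLOAD_TEMPLATE % (
        BOOT0_BASE,
        CODE_BUFFER,
        DUMP_SIZE,
        BOOT0_CTRL,
        BOOT0_DISABLE_BIT,
    )
    return ARMAsm(src, CODE_SCRATCH)


def upload_payload(magic):
    """Write the assembled payload to CODE_SCRATCH and push it to the target.

    The sequence of cache/AHB maintenance calls is kept exactly as in the
    original script; it is presumably what is needed for the target CPU to
    fetch the freshly written instructions rather than stale cache contents.
    """
    iface.writemem(CODE_SCRATCH, magic.data)
    proxy.dc_flushrange(CODE_SCRATCH, magic.len)
    proxy.dc_flushall()
    proxy.ic_invalidateall()
    proxy.ahb_flush_from(1)
    proxy.flush()


def prepare_buffer():
    """Fill CODE_BUFFER with FILL_PATTERN so untouched words stand out."""
    proxy.memset32(CODE_BUFFER, FILL_PATTERN, DUMP_SIZE)
    proxy.dc_flushall()
    proxy.flush()


def main():
    """Run the dump: upload, execute, read back, write boot0.b."""
    print("Preparing payload...")
    magic = build_payload()
    upload_payload(magic)

    print("Preparing target buffer...")
    prepare_buffer()

    print("Haaaaaaax!")
    # The payload ignores its argument (see PAYLOAD_TEMPLATE); 123 is kept
    # for parity with the original invocation.  The return value is r6,
    # i.e. the control register value with the disable bit cleared.
    ret = proxy.call(magic.hax, 123)
    print(" --> %d" % ret)
    # First word of the buffer: still FILL_PATTERN means nothing was copied.
    print("%08x" % proxy.read32(CODE_BUFFER))

    # NOTE(review): the payload's stores may still sit in the target's data
    # cache; whether readmem() observes them depends on how the interface
    # reads memory -- confirm no flush is needed here.
    boot0 = iface.readmem(CODE_BUFFER, DUMP_SIZE)
    # Binary mode and a context manager: the original opened in text mode
    # and never closed the handle.
    with open("boot0.b", "wb") as out:
        out.write(boot0)


if __name__ == "__main__":
    main()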