Lionel Debroux wrote:Maybe you don't have to do that, if the boot1.5 loads the image in boot1.5/boot2 compressed format before checking its signature ?
The return address of the memcpy()-type function which copies the boot2 to the target area would be a natural target to gain control of the execution flow. You can probably overwrite the code there with your own.
It doesn't. It decompresses it directly to the base address. (my exploit runs when the progress gets to about 9%).
I'm going to try to overwrite the code at the return address of the nand read function, good idea.