some changes, preparing for async
@@ -4,7 +4,6 @@ set(PL_NAMES
|
|||||||
aes
|
aes
|
||||||
aes_busy
|
aes_busy
|
||||||
aes_sw
|
aes_sw
|
||||||
bootstrap
|
|
||||||
exit_usb_task
|
exit_usb_task
|
||||||
floppysleep
|
floppysleep
|
||||||
sync
|
sync
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
project(checkm8_libpayload_sources C ASM)
|
project(checkm8_libpayload_sources C ASM)
|
||||||
include_directories(include)
|
include_directories(include)
|
||||||
|
include_directories(include/openssl)
|
||||||
|
|
||||||
set(CMAKE_SYSTEM_PROCESSOR arm)
|
set(CMAKE_SYSTEM_PROCESSOR arm)
|
||||||
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
|
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
|
||||||
|
|||||||
@@ -1,26 +0,0 @@
|
|||||||
#include "util.h"
|
|
||||||
|
|
||||||
TEXT_SECTION
|
|
||||||
unsigned long long _start()
|
|
||||||
{
|
|
||||||
// unsigned long long platform_quiesce_hardware = 0x100007dd0;
|
|
||||||
// unsigned long long enter_critical_section = 0x10000a4b8;
|
|
||||||
// unsigned long long halt = 0x1000004fc;
|
|
||||||
// unsigned long long timer_deadline_enter = 0x10000b874;
|
|
||||||
// unsigned long long now, later;
|
|
||||||
//
|
|
||||||
// ((BOOTROM_FUNC) platform_quiesce_hardware)();
|
|
||||||
// //((BOOTROM_FUNC) enter_critical_section)();
|
|
||||||
//
|
|
||||||
// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
|
|
||||||
// ((BOOTROM_FUNC) timer_deadline_enter)(now + (24000000) - 64, ((BOOTROM_FUNC) 0x10000b924));
|
|
||||||
// ((BOOTROM_FUNC) halt)();
|
|
||||||
// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (later));
|
|
||||||
|
|
||||||
volatile unsigned long long regval = 0xffff;
|
|
||||||
__asm__ volatile ("mrs %0, fpcr" : "=r" (regval));
|
|
||||||
regval = (1u << 24u);
|
|
||||||
__asm__ volatile ("msr fpcr, %0" : "=r" (regval));
|
|
||||||
|
|
||||||
return regval;
|
|
||||||
}
|
|
||||||
@@ -43,14 +43,14 @@ void fix_heap()
|
|||||||
}
|
}
|
||||||
|
|
||||||
TEXT_SECTION
|
TEXT_SECTION
|
||||||
void _start()
|
void _start(unsigned long long ptr_self)
|
||||||
{
|
{
|
||||||
unsigned int *completion = (unsigned int *) 0x180088ac8;
|
unsigned int *completion = (unsigned int *) 0x180088ac8;
|
||||||
unsigned char *dfu_done = (unsigned char *) 0x180088ac0;
|
unsigned char *dfu_done = (unsigned char *) 0x180088ac0;
|
||||||
|
|
||||||
unsigned long long *dfu_event = (unsigned long long *) 0x180088af0;
|
unsigned long long *dfu_event = (unsigned long long *) 0x180088af0;
|
||||||
BOOTROM_FUNC event_signal = ((BOOTROM_FUNC) 0x10000aee8);
|
BOOTROM_FUNC event_signal = ((BOOTROM_FUNC) 0x10000aee8);
|
||||||
BOOTROM_FUNC enter_critical_section = ((BOOTROM_FUNC) 0x10000a4b8);
|
BOOTROM_FUNC free = ((BOOTROM_FUNC) 0x10000f1b0);
|
||||||
|
|
||||||
fix_heap();
|
fix_heap();
|
||||||
|
|
||||||
@@ -58,5 +58,5 @@ void _start()
|
|||||||
*dfu_done = 1;
|
*dfu_done = 1;
|
||||||
|
|
||||||
event_signal(dfu_event);
|
event_signal(dfu_event);
|
||||||
// enter_critical_section();
|
free(ptr_self);
|
||||||
}
|
}
|
||||||
@@ -29,22 +29,19 @@ unsigned long long _start(float *init_a)
|
|||||||
unsigned long long timer_deadline_enter = 0x10000b874;
|
unsigned long long timer_deadline_enter = 0x10000b874;
|
||||||
unsigned long long halt = 0x1000004fc;
|
unsigned long long halt = 0x1000004fc;
|
||||||
|
|
||||||
while(1)
|
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
|
||||||
|
fs_load(init_a, 1);
|
||||||
|
for(i = 0; i < 8; i++) fs_routine();
|
||||||
|
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
|
||||||
|
|
||||||
|
if(2 * end - start - 64 > 0)
|
||||||
{
|
{
|
||||||
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
|
((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924));
|
||||||
fs_load(init_a, 1);
|
((BOOTROM_FUNC) halt)();
|
||||||
for(i = 0; i < 8; i++) fs_routine();
|
|
||||||
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
|
|
||||||
|
|
||||||
if(2 * end - start - 64 > 0)
|
|
||||||
{
|
|
||||||
((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924));
|
|
||||||
((BOOTROM_FUNC) halt)();
|
|
||||||
}
|
|
||||||
|
|
||||||
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
|
|
||||||
j++;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
|
||||||
|
j++;
|
||||||
|
|
||||||
return end - start;
|
return end - start;
|
||||||
}
|
}
|
||||||
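Review bot: With the `while(1)` loop gone, the trailing `__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));` and `j++;` look like leftovers of the old loop body: nothing in this hunk consumes `report` or `j` before `return end - start;`. If nothing outside the hunk reads them either, the two lines can go; if the extra counter read after `halt` is deliberate, a short comment saying why would help. `start`, `end`, `report`, `i` and `j` are declared outside the hunk, as is the head of `_start`.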
@@ -8,7 +8,6 @@ typedef enum
|
|||||||
PAYLOAD_AES,
|
PAYLOAD_AES,
|
||||||
PAYLOAD_AES_BUSY,
|
PAYLOAD_AES_BUSY,
|
||||||
PAYLOAD_AES_SW,
|
PAYLOAD_AES_SW,
|
||||||
PAYLOAD_BOOTSTRAP,
|
|
||||||
PAYLOAD_EXIT_USB_TASK,
|
PAYLOAD_EXIT_USB_TASK,
|
||||||
PAYLOAD_FLOPPYSLEEP,
|
PAYLOAD_FLOPPYSLEEP,
|
||||||
PAYLOAD_SYNC,
|
PAYLOAD_SYNC,
|
||||||
@@ -25,6 +24,7 @@ typedef enum
|
|||||||
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
|
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
|
||||||
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
|
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
|
||||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
|
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
|
||||||
|
unsigned long long get_payload_address(struct pwned_device *dev, PAYLOAD_T p);
|
||||||
|
|
||||||
unsigned long long install_data(struct pwned_device *dev, LOCATION_T loc, unsigned char *data, int len);
|
unsigned long long install_data(struct pwned_device *dev, LOCATION_T loc, unsigned char *data, int len);
|
||||||
int uninstall_data(struct pwned_device *dev, unsigned long long ptr);
|
int uninstall_data(struct pwned_device *dev, unsigned long long ptr);
|
||||||
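Review bot: The new `get_payload_address` prototype carries no comment on its return contract, so a caller cannot tell what comes back when the payload is not installed; the neighbouring `install_data` is tested against `-1` by its caller in main.c, and this declaration should state whether it follows the same convention. Suggested comment above the declaration: `/* Device address at which payload p is installed, or <SENTINEL> when it is not installed. */`, with the sentinel filled in to match the implementation.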
|
|||||||
106
c8_remote/main.c
106
c8_remote/main.c
@@ -67,8 +67,12 @@ int floppysleep(struct pwned_device *dev)
|
|||||||
}
|
}
|
||||||
|
|
||||||
float init_a = -7.504355E-39f;
|
float init_a = -7.504355E-39f;
|
||||||
resp = write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float));
|
unsigned long long init_a_ptr = install_data(dev, SRAM, (unsigned char *) &init_a, sizeof(float));
|
||||||
free_dev_cmd_resp(resp);
|
if(init_a_ptr == -1)
|
||||||
|
{
|
||||||
|
printf("failed to write initial data\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
|
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
|
||||||
if(IS_CHECKM8_FAIL(resp->ret))
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
@@ -81,7 +85,7 @@ int floppysleep(struct pwned_device *dev)
|
|||||||
|
|
||||||
while(1)
|
while(1)
|
||||||
{
|
{
|
||||||
resp = execute_payload(dev, PAYLOAD_FLOPPYSLEEP, 0, 1, 0x180154000);
|
resp = execute_payload(dev, PAYLOAD_FLOPPYSLEEP, 0, 1, init_a_ptr);
|
||||||
if(IS_CHECKM8_FAIL(resp->ret))
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
{
|
{
|
||||||
printf("failed to execute flopsleep payload\n");
|
printf("failed to execute flopsleep payload\n");
|
||||||
@@ -242,7 +246,7 @@ void aes_sw(struct pwned_device *dev)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
printf("%i) op took %llu\n", i++, resp->retval);
|
printf("%i) op took %llu\n", i, resp->retval);
|
||||||
|
|
||||||
free_dev_cmd_resp(resp);
|
free_dev_cmd_resp(resp);
|
||||||
resp = read_gadget(dev, addr_data, 16);
|
resp = read_gadget(dev, addr_data, 16);
|
||||||
@@ -275,6 +279,57 @@ void aes_sw(struct pwned_device *dev)
|
|||||||
close_device_session(dev);
|
close_device_session(dev);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void usb_task_exit(struct pwned_device *dev)
|
||||||
|
{
|
||||||
|
struct dev_cmd_resp *resp;
|
||||||
|
|
||||||
|
if(IS_CHECKM8_FAIL(open_device_session(dev)))
|
||||||
|
{
|
||||||
|
printf("failed to open device session\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_SYNC, SRAM)))
|
||||||
|
{
|
||||||
|
printf("failed to install sync payload\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_EXIT_USB_TASK, SRAM)))
|
||||||
|
{
|
||||||
|
printf("failed to install sync payload\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
|
||||||
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
|
{
|
||||||
|
printf("failed to execute bootstrap\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
free_dev_cmd_resp(resp);
|
||||||
|
|
||||||
|
if(IS_CHECKM8_FAIL(uninstall_payload(dev, PAYLOAD_SYNC)))
|
||||||
|
{
|
||||||
|
printf("failed to uninstall sync payload\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
resp = execute_payload(dev, PAYLOAD_EXIT_USB_TASK, 0,
|
||||||
|
1, get_payload_address(dev, PAYLOAD_EXIT_USB_TASK));
|
||||||
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
|
{
|
||||||
|
printf("failed to exit usb task\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(IS_CHECKM8_FAIL(close_device_session(dev)))
|
||||||
|
{
|
||||||
|
printf("failed to close device session\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int main()
|
int main()
|
||||||
{
|
{
|
||||||
struct dev_cmd_resp *resp;
|
struct dev_cmd_resp *resp;
|
||||||
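Review bot: In the new `usb_task_exit`, the two `execute_payload` failure branches return without `free_dev_cmd_resp(resp)`, and the response of the final `execute_payload` call is never freed on any path, so every run leaks at least one `dev_cmd_resp`. Two of the messages are copy-paste errors: the `PAYLOAD_EXIT_USB_TASK` install branch should say `printf("failed to install exit usb task payload\n");` and the `PAYLOAD_SYNC` execute branch `printf("failed to execute sync payload\n");`. Every early return also leaves the session from `open_device_session` open, and `resp` is dereferenced without a NULL check; whether either matters depends on the session and `execute_payload` failure semantics, which are outside the hunk. In the `floppysleep` hunk above, `if(init_a_ptr == -1)` compares an `unsigned long long` with a negative int and relies on implicit conversion; an explicit sentinel such as `(unsigned long long) -1` would make the check readable.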
@@ -286,47 +341,10 @@ int main()
|
|||||||
}
|
}
|
||||||
|
|
||||||
demote_device(dev);
|
demote_device(dev);
|
||||||
aes_sw(dev);
|
|
||||||
|
|
||||||
// if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_SYNC, SRAM)))
|
// usb_task_exit(dev);
|
||||||
// {
|
|
||||||
// printf("failed to install sync payload\n");
|
floppysleep(dev);
|
||||||
// return -1;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_TASK_SLEEP_TEST, SRAM)))
|
|
||||||
// {
|
|
||||||
// printf("failed to install exit usb task payload\n");
|
|
||||||
// return -1;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_FLOPPYSLEEP, SRAM)))
|
|
||||||
// {
|
|
||||||
// printf("failed to install floppysleep\n");
|
|
||||||
// return -1;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// float init_a = -7.504355E-39f;
|
|
||||||
// resp = write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float));
|
|
||||||
// free_dev_cmd_resp(resp);
|
|
||||||
//
|
|
||||||
// resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
|
|
||||||
// if(IS_CHECKM8_FAIL(resp->ret))
|
|
||||||
// {
|
|
||||||
// printf("failed to execute bootstrap\n");
|
|
||||||
// return -1;
|
|
||||||
// }
|
|
||||||
// free_dev_cmd_resp(resp);
|
|
||||||
//
|
|
||||||
// resp = execute_payload(dev, PAYLOAD_TASK_SLEEP_TEST, 0, 2, 0x180152000, 0x180154000);
|
|
||||||
// if(IS_CHECKM8_FAIL(resp->ret))
|
|
||||||
// {
|
|
||||||
// printf("failed to exit usb task\n");
|
|
||||||
// return -1;
|
|
||||||
// }
|
|
||||||
// free_dev_cmd_resp(resp);
|
|
||||||
//
|
|
||||||
// close_device_session(dev);
|
|
||||||
free_device(dev);
|
free_device(dev);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -43,11 +43,6 @@ struct payload *get_payload(PAYLOAD_T p)
|
|||||||
len = PAYLOAD_AES_SW_SZ;
|
len = PAYLOAD_AES_SW_SZ;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PAYLOAD_BOOTSTRAP:
|
|
||||||
pl = payload_bootstrap;
|
|
||||||
len = PAYLOAD_BOOTSTRAP_SZ;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PAYLOAD_EXIT_USB_TASK:
|
case PAYLOAD_EXIT_USB_TASK:
|
||||||
pl = payload_exit_usb_task;
|
pl = payload_exit_usb_task;
|
||||||
len = PAYLOAD_EXIT_USB_TASK_SZ;
|
len = PAYLOAD_EXIT_USB_TASK_SZ;
|
||||||
@@ -151,13 +146,15 @@ int *dev_unlink_payload(struct pwned_device *dev, struct payload *pl)
|
|||||||
{
|
{
|
||||||
if(dev->installed == pl)
|
if(dev->installed == pl)
|
||||||
{
|
{
|
||||||
dev->installed = NULL;
|
dev->installed = pl->next;
|
||||||
return CHECKM8_SUCCESS;
|
return CHECKM8_SUCCESS;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
pl->prev->next = pl->next;
|
pl->prev->next = pl->next;
|
||||||
pl->next->prev = pl->prev;
|
if(pl->next != NULL)
|
||||||
|
pl->next->prev = pl->prev;
|
||||||
|
|
||||||
return CHECKM8_SUCCESS;
|
return CHECKM8_SUCCESS;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
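Review bot: In `dev_unlink_payload`, the `dev->installed == pl` branch now advances the head to `pl->next` but leaves the new head's `prev` pointing at the unlinked node, a dangling pointer for anything that walks the list backwards once `pl` is released; add `if(pl->next != NULL) pl->next->prev = NULL;` before the `return CHECKM8_SUCCESS;` in that branch. The `else` branch dereferences `pl->prev` unconditionally, which holds only if every non-head node has a valid `prev`; a comment stating that invariant would help. The new `get_payload_address` in a later hunk of this file likewise dereferences the result of `dev_retrieve_payload(dev, p)` without a NULL check, so asking for a payload that is not installed would crash; check the pointer and return the sentinel the header documents.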
@@ -222,6 +219,12 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
|
|||||||
return CHECKM8_SUCCESS;
|
return CHECKM8_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
unsigned long long get_payload_address(struct pwned_device *dev, PAYLOAD_T p)
|
||||||
|
{
|
||||||
|
return dev_retrieve_payload(dev, p)->install_base;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
unsigned long long install_data(struct pwned_device *dev, LOCATION_T loc, unsigned char *data, int len)
|
unsigned long long install_data(struct pwned_device *dev, LOCATION_T loc, unsigned char *data, int len)
|
||||||
{
|
{
|
||||||
checkm8_debug_indent("install_data(dev = %p, loc = %i, data = %p, len = %i)\n", dev, loc, data, len);
|
checkm8_debug_indent("install_data(dev = %p, loc = %i, data = %p, len = %i)\n", dev, loc, data, len);
|
||||||
@@ -265,7 +268,7 @@ int uninstall_data(struct pwned_device *dev, unsigned long long addr)
|
|||||||
|
|
||||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...)
|
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...)
|
||||||
{
|
{
|
||||||
checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
|
checkm8_debug_indent("execute_payload(dev = %p, p = %i, response_len = %i, nargs = %i, ...)\n", dev, p, response_len, nargs);
|
||||||
int i;
|
int i;
|
||||||
struct dev_cmd_resp *resp;
|
struct dev_cmd_resp *resp;
|
||||||
struct payload *pl;
|
struct payload *pl;
|
||||||
|
|||||||