From 13b5c8abb0eda427819be2ef9dca5861cbba7dbd Mon Sep 17 00:00:00 2001
From: Gregor Haas
Date: Sat, 11 Jan 2020 17:14:33 -0500
Subject: [PATCH] Bugfixes and experiment update
---
 c8_payloads/src/aes_sw.c | 40 +++++++++++++++++++++++++++++++------
 c8_remote/main.c | 17 ++++++++++++----
 c8_remote/src/usb_helpers.c | 15 ++++----------
 3 files changed, 51 insertions(+), 21 deletions(-)
diff --git a/c8_payloads/src/aes_sw.c b/c8_payloads/src/aes_sw.c
index c0eb49f..3424653 100644
--- a/c8_payloads/src/aes_sw.c
+++ b/c8_payloads/src/aes_sw.c
@@ -1,6 +1,12 @@
 #include "util.h"
 #include "brfunc_timing.h"
+PAYLOAD_SECTION
+void task_sleep(unsigned int usec)
+{
+ ((BOOTROM_FUNC) ADDR_TASK_SLEEP)(usec);
+}
+
 PAYLOAD_SECTION
 void sub_bytes(unsigned char block[16], unsigned char sbox[16][16])
 {
@@ -133,6 +139,7 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
 shift_rows(block);
 mix_cols(block, mul2, mul3);
 add_key(block, &key_sched[16 * (j + 1)]);
+ task_sleep(20);
 }
 sub_bytes(block, sbox);
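Review bot: The new task_sleep on the `+void task_sleep(unsigned int usec)` line is a bare jump into the boot ROM with no comment saying so, so a reader cannot tell it from a local implementation or learn what unit usec is in. I'd put `/* Trampoline into the boot ROM's task_sleep at ADDR_TASK_SLEEP; usec is passed through unchanged. */` above its PAYLOAD_SECTION line. The pre-change _start already called task_sleep(1000), so a declaration presumably exists in util.h or brfunc_timing.h; this definition has to agree with it, which cannot be checked from this diff.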
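Review bot: The `task_sleep(20)` added after the add_key call is an unnamed constant inside the per-round loop with nothing marking it as experiment instrumentation, and it makes each round's duration depend on whatever the boot-ROM task_sleep does rather than on the cipher alone, which is presumably the experiment's intent but should be stated. I'd name the value at file scope, `enum { ROUND_SLEEP_USEC = 20 };`, and write the call as `task_sleep(ROUND_SLEEP_USEC); /* experiment: sleep between rounds */`. aes128_encrypt_ecb's body starts and ends outside the hunk.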
@@ -146,10 +153,31 @@ unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key
 unsigned char sbox[16][16], unsigned char rc_lookup[11], unsigned char mul2[256], unsigned char mul3[256])
 {
- while(1)
- {
- aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
- task_sleep(1000);
- }
- return 0xDEADBEEF;
+ unsigned long long start, end;
+
+ __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
+ aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
+ task_sleep(120);
+ __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
+
+// for(i = 0; i < 256; i++)
+// {
+// __asm__ volatile ("dc civac, %0" : : "r" (&sbox[i % 16][i / 16]) : "memory");
+// __asm__ volatile ("dc civac, %0" : : "r" (&mul2[i]) : "memory");
+// __asm__ volatile ("dc civac, %0" : : "r" (&mul3[i]) : "memory");
+// }
+//
+// for(i = 0; i < 16; i++)
+// {
+// __asm__ volatile ("dc civac, %0" : : "r" (&msg[i]) : "memory");
+// __asm__ volatile ("dc civac, %0" : : "r" (&key[i]) : "memory");
+// }
+//
+// for(i = 0; i < 12; i++)
+// {
+// __asm__ volatile ("dc civac, %0" : : "r" (&rc_lookup[i]) : "memory");
+// }
+//
+// __asm__ volatile ("dsb sy");
+ return end - start;
 }
\ No newline at end of file
diff --git a/c8_remote/main.c b/c8_remote/main.c
index 04b8fef..cf4a9a3 100644
--- a/c8_remote/main.c
+++ b/c8_remote/main.c
@@ -171,7 +171,7 @@ int main()
 if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_AES_SW, SRAM)))
 {
- printf("failed to install aes busy payload\n");
+ printf("failed to install task sleep payload\n");
 return -1;
 }
@@ -202,7 +202,6 @@ int main()
 write_aes_utils(dev);
 free_dev_cmd_resp(resp);
- int i = 0;
 while(1)
 {
@@ -216,6 +215,8 @@ int main()
 return -1;
 }
+ printf("%i) op took %llu", i++, resp->retval);
+
 free_dev_cmd_resp(resp);
 resp = read_gadget(dev, 0x180153000, 16);
 if(IS_CHECKM8_FAIL(resp->ret))
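Review bot: `return end - start;` truncates the 64-bit counter difference to the function's `unsigned int` return type (visible in the hunk header), while main.c prints the result with `%llu`, so long measurements silently lose their upper 32 bits; if the host reads a 64-bit register value, widen the return to `unsigned long long`, otherwise document the truncation at the return. The two `mrs %0, cntpct_el0` reads carry no `"memory"` clobber and no isb, so the compiler may move the timed work relative to them; `__asm__ volatile ("isb\n\tmrs %0, cntpct_el0" : "=r" (start) : : "memory");` (and the same for `end`) pins the window. Note also that `task_sleep(120)` sits inside the timed window, so the returned value includes that sleep, which a one-line comment should say. The 21 commented-out cache-maintenance lines should be deleted or kept behind `#if 0` with a comment stating why they are retained.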
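Review bot: The message now reads "task sleep payload" while the call on the context line above still installs PAYLOAD_AES_SW, so the failure text no longer names the payload that failed. Unless PAYLOAD_AES_SW has been repurposed as the task-sleep payload (not visible in this diff), I'd name the identifier in the text: `printf("failed to install PAYLOAD_AES_SW\n");`. main's body starts and ends outside the hunk.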
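Review bot: Removing `int i = 0;` leaves the `i++` that the -216 hunk adds in `printf("%i) op took %llu", i++, resp->retval);` relying on an `i` declared earlier in main that this diff does not show. If such a declaration exists it is no longer reset before the loop, so the printed counter starts at whatever value it held at that point; if it does not, main no longer compiles. I'd keep `int i = 0;` immediately before `while(1)`, or reset the outer variable there. main's body starts and ends outside the hunk.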
@@ -223,14 +224,22 @@ int main()
 printf("failed to read encrypted data from memory\n");
 }
- printf("%i) got ", i++);
+ printf(" -> ");
 for(int j = 0; j < 16; j++)
 {
 printf("%02x", resp->data[j]);
 }
+ printf("\n");
- printf(" (%llu)\n", resp->retval);
 free_dev_cmd_resp(resp);
+ resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
+ if(IS_CHECKM8_FAIL(resp->ret))
+ {
+ printf("failed to execute sync\n");
+ }
+
+ free_dev_cmd_resp(resp);
+ usleep(1000000);
 }
 close_device_session(dev);
diff --git a/c8_remote/src/usb_helpers.c b/c8_remote/src/usb_helpers.c
index b8bba97..0c5888c 100644
--- a/c8_remote/src/usb_helpers.c
+++ b/c8_remote/src/usb_helpers.c
@@ -567,12 +567,12 @@ int reset(struct pwned_device *dev)
 char buf;
 write(dev->ard_fd, &PROT_RESET, 1);
- while(read(dev->ard_fd, &buf, 1) == 0);
+ ard_read(dev, (unsigned char *) &buf, 1);
 if(buf == PROT_ACK)
 {
 checkm8_debug_indent("\treceived ack\n");
- while(read(dev->ard_fd, &buf, 1) == 0);
+ ard_read(dev, (unsigned char *) &buf, 1);
 if(buf == PROT_SUCCESS)
 {
 checkm8_debug_indent("\tsuccess\n");
@@ -600,7 +600,6 @@ int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int l
 #ifdef WITH_ARDUINO
 char buf;
- int curr, ret;
 struct serial_desc_args args;
 args.dev_idVendor = dev->idVendor;
 args.dev_idProduct = dev->idProduct;
@@ -610,7 +609,7 @@ int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int l
 write(dev->ard_fd, &PROT_SERIAL_DESC, 1);
 write(dev->ard_fd, &args, sizeof(struct serial_desc_args));
- while(read(dev->ard_fd, &buf, 1) == 0);
+ ard_read(dev, (unsigned char *) &buf, 1);
 if(buf == PROT_ACK)
 {
 checkm8_debug_indent("\treceived ack\n");
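Review bot: When the added `execute_payload(dev, PAYLOAD_SYNC, 0, 0)` fails, the branch only prints and the loop proceeds to the next encrypt as if the device had synced; if that is acceptable for the experiment, a comment at the branch should say so, otherwise `break` out of the loop after the following `free_dev_cmd_resp(resp)`. The read_gadget failure a few lines up already falls through to printing resp->data in the same way, so one comment stating that per-iteration failures are best-effort would cover both. `usleep(1000000)` reads more plainly as `sleep(1)`. main's body starts and ends outside the hunk.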
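Review bot: Both `ard_read(dev, (unsigned char *) &buf, 1);` calls in reset discard ard_read's return, so if the read fails or comes back short the following `if(buf == PROT_ACK)` reads `char buf` uninitialized (undefined behaviour) and can report a spurious ack. The replaced busy loop had the same hole on a read error, so this is the moment to close it: assuming ard_read reports a byte count as read(2) does (its definition is not in this diff), test it and take reset's existing failure path, e.g. `if(ard_read(dev, (unsigned char *) &buf, 1) != 1) { /* take reset's failure path */ }`. The -610 hunk in serial_descriptor drops the return of the same one-byte read in the same way. reset's body starts and ends outside the hunk.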
@@ -628,13 +627,7 @@ int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int l
 else if(buf == PROT_SUCCESS)
 {
 checkm8_debug_indent("\tsuccess, reading serial descriptor\n");
- curr = 0;
- while(curr < len)
- {
- ret = read(dev->ard_fd, &serial_buf[curr], len - curr);
- if(ret > 0) curr += ret;
- }
-
+ ard_read(dev, serial_buf, len);
 return CHECKM8_SUCCESS;
 }
 else
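Review bot: The removed loop kept reading until `curr == len`, so serial_buf was guaranteed full before `return CHECKM8_SUCCESS;`; the replacement `ard_read(dev, serial_buf, len);` only preserves that guarantee if ard_read loops to completion internally, and its return is discarded either way, so a short transfer now leaves the tail of serial_buf unset while success is still reported. If ard_read returns the byte count, `if(ard_read(dev, serial_buf, len) != len)` should take the function's failure path instead of reaching the success return; if it already loops until len bytes arrive, a one-line comment at the call saying so would settle it. serial_descriptor's body starts and ends outside the hunk.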