Bugfixes and experiment update

2020-01-11 17:14:33 -05:00
parent 477d7079c8
commit 13b5c8abb0
3 changed files with 51 additions and 21 deletions


@@ -1,6 +1,12 @@
#include "util.h" #include "util.h"
#include "brfunc_timing.h" #include "brfunc_timing.h"
PAYLOAD_SECTION
void task_sleep(unsigned int usec)
{
((BOOTROM_FUNC) ADDR_TASK_SLEEP)(usec);
}
PAYLOAD_SECTION PAYLOAD_SECTION
void sub_bytes(unsigned char block[16], unsigned char sbox[16][16]) void sub_bytes(unsigned char block[16], unsigned char sbox[16][16])
{ {
@@ -133,6 +139,7 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
shift_rows(block); shift_rows(block);
mix_cols(block, mul2, mul3); mix_cols(block, mul2, mul3);
add_key(block, &key_sched[16 * (j + 1)]); add_key(block, &key_sched[16 * (j + 1)]);
task_sleep(20);
} }
sub_bytes(block, sbox); sub_bytes(block, sbox);
@@ -146,10 +153,31 @@ unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key
unsigned char sbox[16][16], unsigned char rc_lookup[11], unsigned char sbox[16][16], unsigned char rc_lookup[11],
unsigned char mul2[256], unsigned char mul3[256]) unsigned char mul2[256], unsigned char mul3[256])
{ {
while(1) unsigned long long start, end;
{
aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3); __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
task_sleep(1000); aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
} task_sleep(120);
return 0xDEADBEEF; __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
// for(i = 0; i < 256; i++)
// {
// __asm__ volatile ("dc civac, %0" : : "r" (&sbox[i % 16][i / 16]) : "memory");
// __asm__ volatile ("dc civac, %0" : : "r" (&mul2[i]) : "memory");
// __asm__ volatile ("dc civac, %0" : : "r" (&mul3[i]) : "memory");
// }
//
// for(i = 0; i < 16; i++)
// {
// __asm__ volatile ("dc civac, %0" : : "r" (&msg[i]) : "memory");
// __asm__ volatile ("dc civac, %0" : : "r" (&key[i]) : "memory");
// }
//
// for(i = 0; i < 12; i++)
// {
// __asm__ volatile ("dc civac, %0" : : "r" (&rc_lookup[i]) : "memory");
// }
//
// __asm__ volatile ("dsb sy");
return end - start;
} }
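Review bot: `return end - start;` at the end of `_start` narrows the 64-bit difference of the two `cntpct_el0` reads to the function's declared `unsigned int` return type, so the upper 32 bits are silently dropped while the host side formats the value with `%llu`. Either declare `_start` as returning `unsigned long long`, if the payload calling convention allows it (not visible in this diff), or state the truncation at the return with a comment such as `/* counter delta, truncated to 32 bits */`. The commented-out `dc civac` block should be deleted rather than committed; if it is kept for later use, note that its last loop indexes `rc_lookup[i]` up to `i = 11` although the parameter is declared with 11 entries. The signature of `_start` begins outside the hunk body shown here.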


@@ -171,7 +171,7 @@ int main()
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_AES_SW, SRAM))) if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_AES_SW, SRAM)))
{ {
printf("failed to install aes busy payload\n"); printf("failed to install task sleep payload\n");
return -1; return -1;
} }
@@ -202,7 +202,6 @@ int main()
write_aes_utils(dev); write_aes_utils(dev);
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
int i = 0; int i = 0;
while(1) while(1)
{ {
@@ -216,6 +215,8 @@ int main()
return -1; return -1;
} }
printf("%i) op took %llu", i++, resp->retval);
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
resp = read_gadget(dev, 0x180153000, 16); resp = read_gadget(dev, 0x180153000, 16);
if(IS_CHECKM8_FAIL(resp->ret)) if(IS_CHECKM8_FAIL(resp->ret))
@@ -223,14 +224,22 @@ int main()
printf("failed to read encrypted data from memory\n"); printf("failed to read encrypted data from memory\n");
} }
printf("%i) got ", i++); printf(" -> ");
for(int j = 0; j < 16; j++) for(int j = 0; j < 16; j++)
{ {
printf("%02x", resp->data[j]); printf("%02x", resp->data[j]);
} }
printf("\n");
printf(" (%llu)\n", resp->retval);
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to execute sync\n");
}
free_dev_cmd_resp(resp);
usleep(1000000);
} }
close_device_session(dev); close_device_session(dev);
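Review bot: The new `PAYLOAD_SYNC` call at the bottom of the loop only prints `failed to execute sync` and keeps iterating, whereas the failure branch just above the new `op took` line does `return -1`. The `read_gadget` check has the same shape, so the hex dump of `resp->data` and the newly added `printf(" (%llu)\n", resp->retval);` both run on a response that was just reported as failed. Treat both like the other failure paths, for example `free_dev_cmd_resp(resp); close_device_session(dev); return -1;`, so the log never shows bytes from a failed transfer. The install error text now reads `task sleep payload` while the call still installs `PAYLOAD_AES_SW`; the message should name the payload that is installed. `main` starts and ends outside these hunks.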


@@ -567,12 +567,12 @@ int reset(struct pwned_device *dev)
char buf; char buf;
write(dev->ard_fd, &PROT_RESET, 1); write(dev->ard_fd, &PROT_RESET, 1);
while(read(dev->ard_fd, &buf, 1) == 0); ard_read(dev, (unsigned char *) &buf, 1);
if(buf == PROT_ACK) if(buf == PROT_ACK)
{ {
checkm8_debug_indent("\treceived ack\n"); checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0); ard_read(dev, (unsigned char *) &buf, 1);
if(buf == PROT_SUCCESS) if(buf == PROT_SUCCESS)
{ {
checkm8_debug_indent("\tsuccess\n"); checkm8_debug_indent("\tsuccess\n");
@@ -600,7 +600,6 @@ int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int l
#ifdef WITH_ARDUINO #ifdef WITH_ARDUINO
char buf; char buf;
int curr, ret;
struct serial_desc_args args; struct serial_desc_args args;
args.dev_idVendor = dev->idVendor; args.dev_idVendor = dev->idVendor;
args.dev_idProduct = dev->idProduct; args.dev_idProduct = dev->idProduct;
@@ -610,7 +609,7 @@ int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int l
write(dev->ard_fd, &PROT_SERIAL_DESC, 1); write(dev->ard_fd, &PROT_SERIAL_DESC, 1);
write(dev->ard_fd, &args, sizeof(struct serial_desc_args)); write(dev->ard_fd, &args, sizeof(struct serial_desc_args));
while(read(dev->ard_fd, &buf, 1) == 0); ard_read(dev, (unsigned char *) &buf, 1);
if(buf == PROT_ACK) if(buf == PROT_ACK)
{ {
checkm8_debug_indent("\treceived ack\n"); checkm8_debug_indent("\treceived ack\n");
@@ -628,13 +627,7 @@ int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int l
else if(buf == PROT_SUCCESS) else if(buf == PROT_SUCCESS)
{ {
checkm8_debug_indent("\tsuccess, reading serial descriptor\n"); checkm8_debug_indent("\tsuccess, reading serial descriptor\n");
curr = 0; ard_read(dev, serial_buf, len);
while(curr < len)
{
ret = read(dev->ard_fd, &serial_buf[curr], len - curr);
if(ret > 0) curr += ret;
}
return CHECKM8_SUCCESS; return CHECKM8_SUCCESS;
} }
else else
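Review bot: Every new `ard_read(...)` call in `reset` and `serial_descriptor` discards its result, and `buf` is declared as `char buf;` with no initialiser. If the read fails or returns early (the definition of `ard_read` is not part of this diff), the following `buf == PROT_ACK` comparison reads an indeterminate value. The last hunk is the more serious case: `ard_read(dev, serial_buf, len);` is followed by an unconditional `return CHECKM8_SUCCESS;`, so a short read would hand the caller a partly filled `serial_buf` as a success, which the removed loop avoided by reading until `len` bytes had arrived. Declare `char buf = 0;`, check what `ard_read` returns at each call, and return the library's failure code instead of falling through. Both functions continue outside the hunks shown.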