Add payload_aes_busy to project
@@ -3,15 +3,17 @@
|
|||||||
|
|
||||||
#include "checkm8.h"
|
#include "checkm8.h"
|
||||||
|
|
||||||
#define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin"
|
#define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin"
|
||||||
#define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin"
|
#define PAYLOAD_AES_BUSY_BIN CHECKM8_BIN_BASE "payloads/payload_aes_busy.bin"
|
||||||
#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin"
|
#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin"
|
||||||
|
#define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin"
|
||||||
|
|
||||||
typedef enum
|
typedef enum
|
||||||
{
|
{
|
||||||
PAYLOAD_SYNC,
|
|
||||||
PAYLOAD_AES,
|
PAYLOAD_AES,
|
||||||
PAYLOAD_SYSREG
|
PAYLOAD_AES_BUSY,
|
||||||
|
PAYLOAD_SYNC,
|
||||||
|
PAYLOAD_SYSREG,
|
||||||
} PAYLOAD_T;
|
} PAYLOAD_T;
|
||||||
|
|
||||||
typedef enum
|
typedef enum
|
||||||
|
|||||||
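Review bot: Sorting PAYLOAD_T alphabetically renumbers the existing enumerators: reading the second line of each pair as the new side, PAYLOAD_SYNC moves from 0 to 2 and PAYLOAD_AES from 1 to 0, so a zero-initialised PAYLOAD_T that used to mean SYNC now means AES. The switch in get_payload uses the symbolic names and is unaffected, but any table indexed by PAYLOAD_T, or any value stored outside this build, would silently change meaning; no such use is visible on this page, so this may be harmless. If the order is meant to stay free to change, a comment on the enum such as `/* kept alphabetical; numeric values are not stable, do not persist or index by them */` would make that explicit; otherwise append new entries at the end.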
@@ -9,8 +9,10 @@
|
|||||||
#include "usb_helpers.h"
|
#include "usb_helpers.h"
|
||||||
|
|
||||||
#ifdef CHECKM8_LOGGING
|
#ifdef CHECKM8_LOGGING
|
||||||
|
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <execinfo.h>
|
#include <execinfo.h>
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
void checkm8_debug_indent(const char *format, ...)
|
void checkm8_debug_indent(const char *format, ...)
|
||||||
@@ -53,71 +55,69 @@ int main()
|
|||||||
}
|
}
|
||||||
|
|
||||||
unsigned char key[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
|
unsigned char key[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
|
||||||
unsigned char data0[8] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef};
|
unsigned char data[16] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe,
|
||||||
unsigned char data1[8] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef};
|
0xef};
|
||||||
|
|
||||||
ret = open_device_session(dev);
|
if(IS_CHECKM8_FAIL(open_device_session(dev)))
|
||||||
if(IS_CHECKM8_FAIL(ret))
|
|
||||||
{
|
{
|
||||||
printf("failed to open device session\n");
|
printf("failed to open device session\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
resp = write_gadget(dev, 0x180150000, key, 8);
|
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_SYNC, SRAM)))
|
||||||
|
{
|
||||||
|
printf("failed to install sync payload\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_AES_BUSY, SRAM)))
|
||||||
|
{
|
||||||
|
printf("failed to install aes busy payload\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
resp = write_gadget(dev, 0x180152000, key, 8);
|
||||||
if(IS_CHECKM8_FAIL(resp->ret))
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
{
|
{
|
||||||
printf("failed to write key to device\n");
|
printf("failed to write key to device\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
free_dev_cmd_resp(resp);
|
resp = write_gadget(dev, 0x180153000, data, 16);
|
||||||
for(int i = 0; i < 257; i++)
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
{
|
{
|
||||||
printf("encrypting ");
|
printf("failed to write aes data\n");
|
||||||
for(int j = 0; j < 8; j++)
|
return -1;
|
||||||
{
|
}
|
||||||
printf("%02X", data0[j]);
|
|
||||||
}
|
|
||||||
|
|
||||||
for(int j = 0; j < 8; j++)
|
free_dev_cmd_resp(resp);
|
||||||
{
|
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
|
||||||
printf("%02X", data1[j]);
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
}
|
{
|
||||||
|
printf("failed to execute sync payload\n");
|
||||||
printf("\n");
|
return -1;
|
||||||
resp = execute_gadget(dev,
|
}
|
||||||
0x100000f0c, 16, 9,
|
|
||||||
16, // action (AES_ENCRYPT)
|
|
||||||
0x1800b0048, 0x1800b0010, // dest and src addresses
|
|
||||||
16, // data size
|
|
||||||
0x00000000, // AES_USER_KEY
|
|
||||||
0x180150000, // key address
|
|
||||||
0, // no IV
|
|
||||||
*((unsigned long long *) data0),
|
|
||||||
*((unsigned long long *) data1));
|
|
||||||
|
|
||||||
|
free_dev_cmd_resp(resp);
|
||||||
|
for(int i = 0; i < 100000; i++)
|
||||||
|
{
|
||||||
|
resp = execute_payload(dev, PAYLOAD_AES_BUSY, 16, 4, 0x180153000, 0x1800b0010, 0x180150000, 16);
|
||||||
if(IS_CHECKM8_FAIL(resp->ret))
|
if(IS_CHECKM8_FAIL(resp->ret))
|
||||||
{
|
{
|
||||||
printf("failed\n");
|
printf("failed to execute busy AES payload\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(&data0, &resp->data[0], 8);
|
memcpy(data, resp->data, 16);
|
||||||
memcpy(&data1, &resp->data[8], 8);
|
|
||||||
free_dev_cmd_resp(resp);
|
free_dev_cmd_resp(resp);
|
||||||
|
|
||||||
printf("\t-> ");
|
printf("got ");
|
||||||
for(int j = 0; j < 8; j++)
|
for(int j = 0; j < 16; j++)
|
||||||
{
|
{
|
||||||
printf("%02X", ((unsigned char *) &data0)[j]);
|
printf("%02x", data[j]);
|
||||||
}
|
|
||||||
|
|
||||||
for(int j = 0; j < 8; j++)
|
|
||||||
{
|
|
||||||
printf("%02X", ((unsigned char *) &data1)[j]);
|
|
||||||
}
|
}
|
||||||
printf("\n");
|
printf("\n");
|
||||||
usleep(1000000);
|
usleep(3000000);
|
||||||
}
|
}
|
||||||
|
|
||||||
close_device_session(dev);
|
close_device_session(dev);
|
||||||
|
|||||||
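Review bot: The response from the key write is never released in the new main(): `resp = write_gadget(dev, 0x180152000, key, 8);` and its failure check are followed directly by `resp = write_gadget(dev, 0x180153000, data, 16);`, whereas the old code called `free_dev_cmd_resp(resp);` in between. Adding `free_dev_cmd_resp(resp);` before the second write_gadget call restores that. Each `return -1` after a failed `resp->ret` check also exits without freeing resp or calling `close_device_session(dev)`, and resp is dereferenced without a NULL check; whether write_gadget or execute_payload can return NULL is not visible here. The +/- markers are lost in this rendering, so the above reads the second line of each pair as the new side, and main() begins outside the hunk.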
@@ -27,14 +27,18 @@ struct payload *get_payload(PAYLOAD_T p)
|
|||||||
|
|
||||||
switch(p)
|
switch(p)
|
||||||
{
|
{
|
||||||
case PAYLOAD_SYNC:
|
|
||||||
path = PAYLOAD_SYNC_BIN;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PAYLOAD_AES:
|
case PAYLOAD_AES:
|
||||||
path = PAYLOAD_AES_BIN;
|
path = PAYLOAD_AES_BIN;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case PAYLOAD_AES_BUSY:
|
||||||
|
path = PAYLOAD_AES_BUSY_BIN;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PAYLOAD_SYNC:
|
||||||
|
path = PAYLOAD_SYNC_BIN;
|
||||||
|
break;
|
||||||
|
|
||||||
case PAYLOAD_SYSREG:
|
case PAYLOAD_SYSREG:
|
||||||
path = PAYLOAD_SYSREG_BIN;
|
path = PAYLOAD_SYSREG_BIN;
|
||||||
break;
|
break;
|
||||||
|
|||||||