diff --git a/c8_remote/lib/payload/CMakeLists.txt b/c8_remote/lib/payload/CMakeLists.txt
index 23f0da9..e3ca1d1 100644
--- a/c8_remote/lib/payload/CMakeLists.txt
+++ b/c8_remote/lib/payload/CMakeLists.txt
@@ -20,13 +20,14 @@ file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
 foreach(NAME ${PL_NAMES})
 if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
- add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
+ add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/payload_entry.c
+ ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
 ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
 else()
- add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
+ add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/payload_entry.c
+ ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
 endif()
- target_link_libraries(payload_${NAME} bootrom_dev)
 add_custom_command(TARGET payload_${NAME} POST_BUILD
 BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin
 COMMAND ${CMAKE_OBJCOPY}
diff --git a/c8_remote/lib/payload/payload_entry.c b/c8_remote/lib/payload/payload_entry.c
new file mode 100644
index 0000000..09d6e2d
--- /dev/null
+++ b/c8_remote/lib/payload/payload_entry.c
@@ -0,0 +1,28 @@
+#include "dev_util.h"
+
+extern uint64_t entry_sync(uint64_t *args);
+extern uint64_t entry_async(uint64_t *base);
+
+TEXT_SECTION
+uint64_t _start(uint64_t arg0, uint64_t arg1, uint64_t arg2, uint64_t arg3,
+ uint64_t arg4, uint64_t arg5, uint64_t arg6, uint64_t arg7)
+{
+ uint64_t entry, args[8];
+ __asm__ volatile ("mov %0, x30" : "=r" (entry));
+
+ if(entry == 0xbea /* todo: correct entry */)
+ {
+ args[0] = arg0;
+ args[1] = arg1;
+ args[2] = arg2;
+ args[3] = arg3;
+ args[4] = arg4;
+ args[5] = arg5;
+ args[6] = arg6;
+ args[7] = arg7;
+
+ return entry_sync(args);
+ }
+ else
+ return entry_async((uint64_t *) arg0);
+}
\ No newline at end of file
diff --git a/c8_remote/lib/payload/src/aes_busy.c b/c8_remote/lib/payload/src/aes_busy.c
index 2d60ded..2d63661 100644
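Review bot: Removing `target_link_libraries(payload_${NAME} bootrom_dev)` drops not only the link step but every usage requirement bootrom_dev carried (include directories, compile definitions such as the ones behind `TEXT_SECTION`/`PAYLOAD_SECTION`, a linker script if it had one), and nothing in the hunk replaces them. The payload sources in this same commit still `#include "dev_util.h"` / `"bootrom_func.h"` and call `hardware_aes`, `timer_register_int` and `task_resched`; if those now resolve through fixed addresses in the headers rather than through the library the build is fine, but that is not visible here. A one-line comment above the `foreach` stating where payload symbols come from, e.g. `# payloads are freestanding: bootrom routines are reached via addresses in bootrom_func.h, not linked`, would make the intent explicit.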
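Review bot: `_start` dispatches on the return address read from x30 compared against the placeholder `0xbea` (the `todo` comment admits it is not the real value), so as committed every call takes the `entry_async` branch and `arg0` is reinterpreted as a `uint64_t *`; a caller that meant the synchronous path ends up dereferencing whatever was in x0. Reading x30 with `mov %0, x30` inline asm is also fragile, since the link register only holds the caller's address until the compiler spills or reuses it; `uint64_t entry = (uint64_t) __builtin_return_address(0);` is the reliable form. The magic value should be a named constant with a comment saying which caller it identifies, e.g. `#define SYNC_CALLER_LR 0xbea /* TODO: lr value of the synchronous caller */` (constructed name), and the `args[8]` copy could be a plain array initialiser `uint64_t args[8] = { arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7 };`.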
--- a/c8_remote/lib/payload/src/aes_busy.c
+++ b/c8_remote/lib/payload/src/aes_busy.c
@@ -1,22 +1,32 @@
 #include "bootrom_func.h"
-TEXT_SECTION
-int _start(void *src, void *dst, void *key, int rep)
+PAYLOAD_SECTION
+uint64_t entry_sync(uint64_t *args)
 {
 int i, j;
 unsigned char src_data[16];
+
+ unsigned char *src = (unsigned char *) args[0];
+ unsigned char *dst = (unsigned char *) args[1];
+ unsigned char *key = (unsigned char *) args[2];
+ int rep = (int) args[3];
+
 for(j = 0; j < 16; j++)
 {
- src_data[j] = ((unsigned char *) src)[j];
+ src_data[j] = src[j];
 }
-// task_sleep(100);
 for(i = 0; i < rep; i++)
 {
 if(i % 2 == 0) hardware_aes(16, src_data, dst, 16, 0, key, 0);
 else hardware_aes(16, dst, src_data, 16, 0, key, 0);
- // task_sleep(15);
 }
+ return 0;
+}
+
+PAYLOAD_SECTION
+uint64_t entry_async(uint64_t *base)
+{
 return 0;
 }
\ No newline at end of file
diff --git a/c8_remote/lib/payload/src/aes_sw.c b/c8_remote/lib/payload/src/aes_sw.c
index ed0ace9..eda50e5 100644
--- a/c8_remote/lib/payload/src/aes_sw.c
+++ b/c8_remote/lib/payload/src/aes_sw.c
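Review bot: `entry_async` is a bare `return 0;` stub, yet `_start` in payload_entry.c dispatches to it whenever its return-address check fails, so an aes_busy payload launched that way silently does nothing and reports the same 0 as a completed synchronous run. Either document that this payload has no asynchronous mode, `/* aes_busy has no async mode: the host must use the sync entry */`, or return a value the host can distinguish from success. The argument unpacking at the top of `entry_sync` would also read better with a comment naming the layout, `/* args[0..3] = src, dst, key, rep */`; a negative `rep` simply skips the loop, which is fine but worth stating.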
@@ -140,14 +140,18 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
 }
 }
-TEXT_SECTION
-unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
- unsigned char sbox[16][16], unsigned char rc_lookup[11],
- unsigned char mul2[256], unsigned char mul3[256])
+PAYLOAD_SECTION
+uint64_t entry_sync(uint64_t *args)
 {
 unsigned long long start = 0, end = 0;
- unsigned long long timer_deadline_enter = 0x10000b874;
- unsigned long long halt = 0x1000004fc;
+
+ unsigned char *msg = (unsigned char *) args[0];
+ unsigned int msg_len = (unsigned int) args[1];
+ unsigned char *key = (unsigned char *) args[2];
+ unsigned char *sbox = (unsigned char *) args[3];
+ unsigned char *rc_lookup = (unsigned char *) args[4];
+ unsigned char *mul2 = (unsigned char *) args[5];
+ unsigned char *mul3 = (unsigned char *) args[6];
 __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
 aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
@@ -160,4 +164,35 @@ unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned cha
 }
 return end - start;
+}
+
+PAYLOAD_SECTION
+uint64_t entry_async(uint64_t *base)
+{
+ unsigned long long start = 0, end = 0;
+
+ unsigned char *msg = (unsigned char *) base[0];
+ unsigned int msg_len = (unsigned int) base[1];
+ unsigned char *key = (unsigned char *) base[2];
+ unsigned char *sbox = (unsigned char *) base[3];
+ unsigned char *rc_lookup = (unsigned char *) base[4];
+ unsigned char *mul2 = (unsigned char *) base[5];
+ unsigned char *mul3 = (unsigned char *) base[6];
+
+ base[0] = 0;
+ while(1)
+ {
+ __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
+ aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
+ __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
+
+ if(2 * end - start - 64 > 0)
+ {
+ timer_register_int(2 * end - start - 64);
+ wfi();
+ }
+
+ base[0]++;
+ if(base[0] % 100000 == 0) task_resched();
+ }
 }
\ No newline at end of file
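Review bot: In `entry_async`, `if(2 * end - start - 64 > 0)` is evaluated entirely in `unsigned long long`, so it can never be negative: the guard only rejects an exact zero, and when `2 * end - start < 64` (or `end < start` after a counter wrap) the subtraction wraps and a huge deadline is handed to `timer_register_int`. Compute the interval once and test it before subtracting: `uint64_t elapsed = end - start;` / `if(elapsed > 64)` / `timer_register_int(end + elapsed - 64);` — the same value the old code produced, now skipping the arm-and-`wfi` when the deadline would already have passed, assuming `timer_register_int` takes an absolute counter value (not visible here). In the first hunk `sbox` changed from `unsigned char sbox[16][16]` to `unsigned char *`, and the hunk header shows only the start of `aes128_encrypt_ecb`'s signature, so confirm its parameter was changed to match or the call passes an incompatible pointer type. The loop also only yields via `task_resched()` every 100000 iterations, which deserves a comment above `while(1)`.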
diff --git a/c8_remote/lib/payload/src/exit_usb_task.c b/c8_remote/lib/payload/src/exit_usb_task.c
index ddb6281..59f19f3 100644
--- a/c8_remote/lib/payload/src/exit_usb_task.c
+++ b/c8_remote/lib/payload/src/exit_usb_task.c
@@ -39,8 +39,7 @@ void fix_heap()
 check_all_chksums();
 }
-TEXT_SECTION
-void _start(unsigned long long *ptr_self)
+extern uint64_t entry_sync(uint64_t *args)
 {
 fix_heap();
@@ -48,5 +47,10 @@ void _start(unsigned long long *ptr_self)
 *(ADDR_DFU_STATUS) = 1;
 event_notify(ADDR_DFU_EVENT);
- dev_free(ptr_self);
+ return 0;
+}
+
+extern uint64_t entry_async(uint64_t *base)
+{
+ return 0;
 }
\ No newline at end of file
diff --git a/c8_remote/lib/payload/src/floppysleep.c b/c8_remote/lib/payload/src/floppysleep.c
index 3575e2b..2b19e9c 100644
--- a/c8_remote/lib/payload/src/floppysleep.c
+++ b/c8_remote/lib/payload/src/floppysleep.c
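Review bot: `entry_sync` and `entry_async` here are the only payload entry points in this commit defined without `PAYLOAD_SECTION` (aes_busy.c, aes_sw.c, floppysleep.c and sync.c all carry it), so if the linker script or the objcopy step selects by section these two land in the default `.text` and may be placed differently from the `_start` in payload_entry.c that calls them; add `PAYLOAD_SECTION` above both definitions. The `extern` on a function definition is a no-op and inconsistent with the other payloads (sync.c has the same), so drop it. The old `_start` ended by releasing itself with `dev_free(ptr_self)` and `entry_sync` now just returns 0; if the host does not free the payload buffer under the new entry model it leaks on every run, so a comment stating who owns the buffer now, e.g. `/* payload memory is released by the host after entry_sync returns */` if that is the case, would settle it. The body of `entry_sync` between the two hunks is outside the view.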
@@ -1,32 +1,30 @@
 #include "bootrom_func.h"
-extern unsigned long long fs_routine(void);
+extern uint64_t fs_routine(void);
+extern uint64_t fs_load(float *dividend, int divisor_base);
+// extern uint64_t check_subnormal();
-extern unsigned long long fs_load(float *dividend, int divisor_base);
-// extern unsigned long long check_subnormal();
+//PAYLOAD_SECTION
+//unsigned int is_subnormal(float val)
+//{
+// unsigned int bytes = *((unsigned int *) &val);
+// bytes = bytes >> 23u;
+//
+// if(bytes & 0x7u)
+// {
+// return 0;
+// }
+// else return 1;
+//}
 PAYLOAD_SECTION
-unsigned int is_subnormal(float val)
-{
- unsigned int bytes = *((unsigned int *) &val);
- bytes = bytes >> 23u;
-
- if(bytes & 0x7u)
- {
- return 0;
- }
- else return 1;
-}
-
-TEXT_SECTION
-unsigned long long _start(float *init_a)
+uint64_t floppysleep_iteration(float *init)
 {
 int i;
- volatile int j = 0;
- unsigned long long start, end, report;
+ uint64_t start, end, report;
 __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
- fs_load(init_a, 1);
+ fs_load(init, 1);
 for(i = 0; i < 8; i++) fs_routine();
 __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
@@ -37,7 +35,26 @@ unsigned long long _start(float *init_a)
 }
 __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
- j++;
- return end - start;
-}
\ No newline at end of file
+}
+
+PAYLOAD_SECTION
+uint64_t entry_sync(uint64_t *args)
+{
+ return floppysleep_iteration((float *) args[0]);
+}
+
+PAYLOAD_SECTION
+uint64_t entry_async(uint64_t *args)
+{
+ float *init_ptr = (float *) args[0];
+ args[0] = 0;
+
+ while(1)
+ {
+ floppysleep_iteration(init_ptr);
+
+ args[0]++;
+ if(args[0] % 100000 == 0) task_resched();
+ }
+}
diff --git a/c8_remote/lib/payload/src/sync.c b/c8_remote/lib/payload/src/sync.c
index 5063a98..21c120e 100644
--- a/c8_remote/lib/payload/src/sync.c
+++ b/c8_remote/lib/payload/src/sync.c
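Review bot: `floppysleep_iteration` is declared `uint64_t`, but the second hunk deletes `return end - start;` and the body now falls off the end right after the `report` read; `entry_sync` returns that value, which is undefined behaviour (C11 6.9.1p12) and in practice whatever happens to be in x0. Restore `return end - start;` before the closing brace; the middle of the function between the two hunks is outside the view. `report` is read but never used, so either return it or drop the read. In the first hunk `is_subnormal` is kept as a commented-out block; delete it rather than carry dead code, history has it.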
@@ -1,10 +1,18 @@
 #include "dev_util.h"
-TEXT_SECTION
-void _start()
+PAYLOAD_SECTION
+extern uint64_t entry_sync(uint64_t *args)
 {
 __asm__("dmb sy");
 __asm__("ic iallu");
 __asm__("dsb sy");
 __asm__("isb");
+
+ return 0;
+}
+
+PAYLOAD_SECTION
+extern uint64_t entry_async(uint64_t *base)
+{
+ return 0;
 }
\ No newline at end of file
diff --git a/c8_remote/main.c b/c8_remote/main.c
index 7dbd3a0..52997f4 100644
--- a/c8_remote/main.c
+++ b/c8_remote/main.c
@@ -332,7 +332,6 @@ void usb_task_exit(struct pwned_device *dev)
 int main()
 {
- struct dev_cmd_resp *resp;
 struct pwned_device *dev = exploit_device();
 if(dev == NULL || dev->status == DEV_NORMAL)
 {