Added a generic payload entry point to support async execution

c8_remote/lib/payload/CMakeLists.txt

@@ -20,13 +20,14 @@ file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
 
 foreach(NAME ${PL_NAMES})
     if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
-        add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
+        add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/payload_entry.c
+                                       ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
                                        ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
     else()
-        add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
+        add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/payload_entry.c
+                                       ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
     endif()
 
-    target_link_libraries(payload_${NAME} bootrom_dev)
     add_custom_command(TARGET       payload_${NAME} POST_BUILD
                         BYPRODUCTS  ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin
                         COMMAND     ${CMAKE_OBJCOPY}

c8_remote/lib/payload/payload_entry.c

@@ -0,0 +1,28 @@
+#include "dev_util.h"
+
+extern uint64_t entry_sync(uint64_t *args);
+extern uint64_t entry_async(uint64_t *base);
+
+TEXT_SECTION
+uint64_t _start(uint64_t arg0, uint64_t arg1, uint64_t arg2, uint64_t arg3,
+                uint64_t arg4, uint64_t arg5, uint64_t arg6, uint64_t arg7)
+{
+    uint64_t entry, args[8];
+    __asm__ volatile ("mov %0, x30" : "=r" (entry));
+
+    if(entry == 0xbea /* todo: correct entry */)
+    {
+        args[0] = arg0;
+        args[1] = arg1;
+        args[2] = arg2;
+        args[3] = arg3;
+        args[4] = arg4;
+        args[5] = arg5;
+        args[6] = arg6;
+        args[7] = arg7;
+
+        return entry_sync(args);
+    }
+    else
+        return entry_async((uint64_t *) arg0);
+}

c8_remote/lib/payload/src/aes_busy.c

@@ -1,22 +1,32 @@
 #include "bootrom_func.h"
 
-TEXT_SECTION
+PAYLOAD_SECTION
-int _start(void *src, void *dst, void *key, int rep)
+uint64_t entry_sync(uint64_t *args)
 {
     int i, j;
     unsigned char src_data[16];
+
+    unsigned char *src = (unsigned char *) args[0];
+    unsigned char *dst = (unsigned char *) args[1];
+    unsigned char *key = (unsigned char *) args[2];
+    int rep = (int) args[3];
+
     for(j = 0; j < 16; j++)
     {
-        src_data[j] = ((unsigned char *) src)[j];
+        src_data[j] = src[j];
     }
 
-//    task_sleep(100);
     for(i = 0; i < rep; i++)
     {
         if(i % 2 == 0) hardware_aes(16, src_data, dst, 16, 0, key, 0);
         else hardware_aes(16, dst, src_data, 16, 0, key, 0);
-        //       task_sleep(15);
     }
 
+    return 0;
+}
+
+PAYLOAD_SECTION
+uint64_t entry_async(uint64_t *base)
+{
     return 0;
 }

c8_remote/lib/payload/src/aes_sw.c

@@ -140,14 +140,18 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
     }
 }
 
-TEXT_SECTION
+PAYLOAD_SECTION
-unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
+uint64_t entry_sync(uint64_t *args)
-                          unsigned char sbox[16][16], unsigned char rc_lookup[11],
-                          unsigned char mul2[256], unsigned char mul3[256])
 {
     unsigned long long start = 0, end = 0;
-    unsigned long long timer_deadline_enter = 0x10000b874;
+
-    unsigned long long halt = 0x1000004fc;
+    unsigned char *msg = (unsigned char *) args[0];
+    unsigned int msg_len = (unsigned int) args[1];
+    unsigned char *key = (unsigned char *) args[2];
+    unsigned char *sbox = (unsigned char *) args[3];
+    unsigned char *rc_lookup = (unsigned char *) args[4];
+    unsigned char *mul2 = (unsigned char *) args[5];
+    unsigned char *mul3 = (unsigned char *) args[6];
 
     __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
     aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
@@ -160,4 +164,35 @@ unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned cha
     }
 
     return end - start;
+}
+
+PAYLOAD_SECTION
+uint64_t entry_async(uint64_t *base)
+{
+    unsigned long long start = 0, end = 0;
+
+    unsigned char *msg = (unsigned char *) base[0];
+    unsigned int msg_len = (unsigned int) base[1];
+    unsigned char *key = (unsigned char *) base[2];
+    unsigned char *sbox = (unsigned char *) base[3];
+    unsigned char *rc_lookup = (unsigned char *) base[4];
+    unsigned char *mul2 = (unsigned char *) base[5];
+    unsigned char *mul3 = (unsigned char *) base[6];
+
+    base[0] = 0;
+    while(1)
+    {
+        __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
+        aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
+        __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
+
+        if(2 * end - start - 64 > 0)
+        {
+            timer_register_int(2 * end - start - 64);
+            wfi();
+        }
+
+        base[0]++;
+        if(base[0] % 100000 == 0) task_resched();
+    }
 }

c8_remote/lib/payload/src/exit_usb_task.c

@@ -39,8 +39,7 @@ void fix_heap()
     check_all_chksums();
 }
 
-TEXT_SECTION
+extern uint64_t entry_sync(uint64_t *args)
-void _start(unsigned long long *ptr_self)
 {
     fix_heap();
 
@@ -48,5 +47,10 @@ void _start(unsigned long long *ptr_self)
     *(ADDR_DFU_STATUS) = 1;
 
     event_notify(ADDR_DFU_EVENT);
-    dev_free(ptr_self);
+    return 0;
+}
+
+extern uint64_t entry_async(uint64_t *base)
+{
+    return 0;
 }

c8_remote/lib/payload/src/floppysleep.c

@@ -1,32 +1,30 @@
 #include "bootrom_func.h"
 
-extern unsigned long long fs_routine(void);
+extern uint64_t fs_routine(void);
+extern uint64_t fs_load(float *dividend, int divisor_base);
+// extern uint64_t check_subnormal();
 
-extern unsigned long long fs_load(float *dividend, int divisor_base);
+//PAYLOAD_SECTION
-// extern unsigned long long check_subnormal();
+//unsigned int is_subnormal(float val)
+//{
+//    unsigned int bytes = *((unsigned int *) &val);
+//    bytes = bytes >> 23u;
+//
+//    if(bytes & 0x7u)
+//    {
+//        return 0;
+//    }
+//    else return 1;
+//}
 
 PAYLOAD_SECTION
-unsigned int is_subnormal(float val)
+uint64_t floppysleep_iteration(float *init)
-{
-    unsigned int bytes = *((unsigned int *) &val);
-    bytes = bytes >> 23u;
-
-    if(bytes & 0x7u)
-    {
-        return 0;
-    }
-    else return 1;
-}
-
-TEXT_SECTION
-unsigned long long _start(float *init_a)
 {
     int i;
-    volatile int j = 0;
+    uint64_t start, end, report;
-    unsigned long long start, end, report;
 
     __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
-    fs_load(init_a, 1);
+    fs_load(init, 1);
     for(i = 0; i < 8; i++) fs_routine();
     __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
 
@@ -37,7 +35,26 @@ unsigned long long _start(float *init_a)
     }
 
     __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
-    j++;
-
     return end - start;
-}
+}
+
+PAYLOAD_SECTION
+uint64_t entry_sync(uint64_t *args)
+{
+    return floppysleep_iteration((float *) args[0]);
+}
+
+PAYLOAD_SECTION
+uint64_t entry_async(uint64_t *args)
+{
+    float *init_ptr = (float *) args[0];
+    args[0] = 0;
+
+    while(1)
+    {
+        floppysleep_iteration(init_ptr);
+
+        args[0]++;
+        if(args[0] % 100000 == 0) task_resched();
+    }
+}

c8_remote/lib/payload/src/sync.c

@@ -1,10 +1,18 @@
 #include "dev_util.h"
 
-TEXT_SECTION
+PAYLOAD_SECTION
-void _start()
+extern uint64_t entry_sync(uint64_t *args)
 {
     __asm__("dmb sy");
     __asm__("ic iallu");
     __asm__("dsb sy");
     __asm__("isb");
+
+    return 0;
+}
+
+PAYLOAD_SECTION
+extern uint64_t entry_async(uint64_t *base)
+{
+    return 0;
 }

c8_remote/main.c

@@ -332,7 +332,6 @@ void usb_task_exit(struct pwned_device *dev)
 
 int main()
 {
-    struct dev_cmd_resp *resp;
     struct pwned_device *dev = exploit_device();
     if(dev == NULL || dev->status == DEV_NORMAL)
     {