diff --git a/CMakeLists.txt b/CMakeLists.txt
index 089db8a..5bebfe5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -6,4 +6,4 @@ include_directories(include)
 #add_subdirectory(c8_arduino)
 add_subdirectory(c8_remote)
-add_subdirectory(c8_payloads)
+add_subdirectory(c8_libpayload)
diff --git a/c8_libpayload/CMakeLists.txt b/c8_libpayload/CMakeLists.txt
new file mode 100644
index 0000000..8e23baa
--- /dev/null
+++ b/c8_libpayload/CMakeLists.txt
@@ -0,0 +1,32 @@
+project(checkm8_libpayload)
+
+set(PL_NAMES_SHORT
+ aes
+ aes_busy
+ aes_sw
+ sync
+ sysreg
+ task_sleep_test)
+
+foreach(NAME ${PL_NAMES_SHORT})
+ list(APPEND PL_TARGETS "payload_${NAME}")
+ list(APPEND PL_SRC_SHORT "${CMAKE_CURRENT_LIST_DIR}/pl/src/${NAME}.c")
+endforeach(NAME)
+
+foreach(NAME ${PL_TARGETS})
+ list(APPEND PL_SRC_LONG "${CMAKE_CURRENT_BINARY_DIR}/lib/${NAME}.c")
+endforeach(NAME)
+
+add_subdirectory(pl)
+
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib)
+add_custom_target(libpayload_sources # TODO: somehow only pass names that need to be udpated?
+ DEPENDS ${PL_TARGETS}
+ BYPRODUCTS ${PL_SRC_LONG}
+ COMMENT "running librarizer"
+ COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/librarize.py
+ ${CMAKE_CURRENT_BINARY_DIR}/pl/bin
+ ${CMAKE_CURRENT_BINARY_DIR}/lib)
+
+add_library(payload ${PL_SRC_LONG})
+add_dependencies(payload libpayload_sources)
\ No newline at end of file
diff --git a/c8_libpayload/pl/CMakeLists.txt b/c8_libpayload/pl/CMakeLists.txt
new file mode 100644
index 0000000..3bc4353
--- /dev/null
+++ b/c8_libpayload/pl/CMakeLists.txt
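Review bot: `add_library(payload ${PL_SRC_LONG})` publishes no include directory, so any target that links `payload` (c8_remote does, in the c8_remote/CMakeLists.txt hunk of this commit) cannot find the generated `libpayload.h` without a hard-coded path; add `target_include_directories(payload PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/lib)` right after the `add_library` line. `COMMAND python3 ...` also assumes a `python3` on PATH at build time; `find_package(Python3 COMPONENTS Interpreter)` plus `${Python3_EXECUTABLE}` would fail at configure time with a clear message instead. The TODO comment on the `add_custom_target` line has a typo, `udpated`.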
@@ -0,0 +1,23 @@
+project(checkm8_libpayload_sources C ASM)
+include_directories(include)
+
+set(CMAKE_SYSTEM_PROCESSOR arm)
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+ set(CMAKE_C_COMPILER /usr/bin/aarch64-linux-gnu-gcc)
+ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
+ set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
+endif()
+
+set(CMAKE_C_FLAGS "-nostdlib -O")
+
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
+foreach(PL ${PL_NAMES_SHORT})
+ add_executable(payload_${PL} src/${PL}.c)
+ add_custom_command(TARGET payload_${PL} POST_BUILD
+ BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${PL}.bin
+ COMMENT "objcopying ${PL}"
+ COMMAND ${CMAKE_OBJCOPY}
+ ARGS -O binary -j .text -j .payload_text -j .payload_data
+ ${CMAKE_CURRENT_BINARY_DIR}/payload_${PL}
+ ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${PL}.bin)
+endforeach(PL)
\ No newline at end of file
diff --git a/c8_payloads/include/brfunc_aes.h b/c8_libpayload/pl/include/brfunc_aes.h
similarity index 100%
rename from c8_payloads/include/brfunc_aes.h
rename to c8_libpayload/pl/include/brfunc_aes.h
diff --git a/c8_payloads/include/brfunc_common.h b/c8_libpayload/pl/include/brfunc_common.h
similarity index 100%
rename from c8_payloads/include/brfunc_common.h
rename to c8_libpayload/pl/include/brfunc_common.h
diff --git a/c8_payloads/include/brfunc_sep.h b/c8_libpayload/pl/include/brfunc_sep.h
similarity index 100%
rename from c8_payloads/include/brfunc_sep.h
rename to c8_libpayload/pl/include/brfunc_sep.h
diff --git a/c8_payloads/include/brfunc_timing.h b/c8_libpayload/pl/include/brfunc_timing.h
similarity index 100%
rename from c8_payloads/include/brfunc_timing.h
rename to c8_libpayload/pl/include/brfunc_timing.h
diff --git a/c8_payloads/include/util.h b/c8_libpayload/pl/include/util.h
similarity index 100%
rename from c8_payloads/include/util.h
rename to c8_libpayload/pl/include/util.h
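Review bot: the `set(CMAKE_C_COMPILER ...)`/`set(CMAKE_ASM_COMPILER ...)` lines come after `project(checkm8_libpayload_sources C ASM)`, which has already detected and cached the host C and ASM compilers; CMake does not support changing the compiler variables after the language is enabled, and the typical outcome is either a native build that silently ignores the cross tools or a configure re-run with a reset cache. Select the cross toolchain before the first `project()` call or, better, in a toolchain file passed as `-DCMAKE_TOOLCHAIN_FILE=...`, which is also where `CMAKE_SYSTEM_NAME`/`CMAKE_SYSTEM_PROCESSOR` belong; as written, `CMAKE_SYSTEM_PROCESSOR arm` also disagrees with the `aarch64-linux-gnu-*` tools it pairs with. Locating the tools with `find_program` rather than fixed `/usr/bin/` paths would make the toolchain file portable to hosts that install them elsewhere.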
diff --git a/c8_payloads/src/aes.c b/c8_libpayload/pl/src/aes.c similarity index 98% rename from c8_payloads/src/aes.c rename to c8_libpayload/pl/src/aes.c index 363cb6b..f86953e 100644 --- a/c8_payloads/src/aes.c +++ b/c8_libpayload/pl/src/aes.c @@ -18,7 +18,7 @@ int aes_hw_crypto_command(unsigned int cmd, long start = 0, timeout = 0; __asm__("orr %0, xzr, #0x3c" : "=r" (cgvar)); - CLOCK_GATE(cgvar, 1); + CLOCK_GATE(cgvar, 0); // seeded = DPA_SEEDED(); // if(!(seeded & 1)) diff --git a/c8_payloads/src/aes_busy.c b/c8_libpayload/pl/src/aes_busy.c similarity index 90% rename from c8_payloads/src/aes_busy.c rename to c8_libpayload/pl/src/aes_busy.c index b3783e6..4a860fd 100644 --- a/c8_payloads/src/aes_busy.c +++ b/c8_libpayload/pl/src/aes_busy.c @@ -13,12 +13,12 @@ int _start(void *src, void *dst, void *key, int rep) src_data[j] = ((unsigned char *) src)[j]; } - task_sleep(100); +// task_sleep(100); for(i = 0; i < rep; i++) { if(i % 2 == 0) aes_hw_crypto_cmd(16, src_data, dst, 16, 0, key, 0); else aes_hw_crypto_cmd(16, dst, src_data, 16, 0, key, 0); - task_sleep(15); + // task_sleep(15); } return 0; diff --git a/c8_payloads/src/aes_sw.c b/c8_libpayload/pl/src/aes_sw.c similarity index 96% rename from c8_payloads/src/aes_sw.c rename to c8_libpayload/pl/src/aes_sw.c index 65f7522..3af2244 100644 --- a/c8_payloads/src/aes_sw.c +++ b/c8_libpayload/pl/src/aes_sw.c @@ -154,11 +154,9 @@ unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key unsigned char mul2[256], unsigned char mul3[256]) { unsigned long long start, end; - unsigned char msg_copy[16]; - for(int i = 0; i < 16; i++) msg_copy[i] = msg[i]; __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start)); - aes128_encrypt_ecb(msg_copy, msg_len, key, sbox, rc_lookup, mul2, mul3); + aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3); __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end)); // for(i = 0; i < 256; i++) 
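Review bot: `CLOCK_GATE(cgvar, 0)` flips the second argument from 1 to 0 with no comment, and nothing in the surrounding lines says what the value means, so a reader cannot tell whether the clock is now being enabled or disabled, or why the previous value was wrong. A one-line comment above the call stating the intended gate state and the reason for the change would make this reviewable, e.g. `/* gate value 0: <intended state and reason> */` with the placeholder filled in by the author. Both the `CLOCK_GATE` macro and the enclosing `aes_hw_crypto_command` start outside the hunk, so their definitions cannot be checked here.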
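Review bot: in aes_busy.c the two `task_sleep` calls are commented out rather than removed, which leaves dead code whose intent is not recorded: it is unclear whether the delays were found unnecessary or are only being switched off for a measurement run. If they are gone for good, delete the two lines; if they are a measurement option, make that explicit with a compile-time switch (e.g. an `#ifdef` around each call, name to be chosen by the author) and a short comment at the loop saying why the payload no longer sleeps between commands. `_start` begins outside the hunk.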
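Review bot: in aes_sw.c, passing `msg` straight to `aes128_encrypt_ecb` removes the fixed 16-byte `msg_copy` that was handed over together with `msg_len`, which is the right fix for the stack overflow that occurred whenever `msg_len` exceeded 16; but if `aes128_encrypt_ecb` encrypts in place (it is defined outside this hunk, so I cannot confirm), the caller's `msg` buffer is now overwritten, which the old copy avoided. That contract should be stated on `_start`, e.g. `/* encrypts msg in place (msg_len bytes); the caller's buffer is overwritten */`, once confirmed. The commented-out `// for(i = 0; i < 256; i++)` loop after the timing reads should also be removed or explained. `_start`'s parameter list begins before the hunk.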
diff --git a/c8_payloads/src/sync.c b/c8_libpayload/pl/src/sync.c similarity index 100% rename from c8_payloads/src/sync.c rename to c8_libpayload/pl/src/sync.c diff --git a/c8_payloads/src/sysreg.c b/c8_libpayload/pl/src/sysreg.c similarity index 90% rename from c8_payloads/src/sysreg.c rename to c8_libpayload/pl/src/sysreg.c index 0d4a225..d2e0165 100644 --- a/c8_payloads/src/sysreg.c +++ b/c8_libpayload/pl/src/sysreg.c @@ -13,5 +13,5 @@ long long _start() __asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base)); __asm__("mrs %0, vbar_el1" : "=r" (res.evt_base)); - return res.evt_base; + return res.pt_base; } \ No newline at end of file diff --git a/c8_payloads/src/task_sleep_test.c b/c8_libpayload/pl/src/task_sleep_test.c similarity index 100% rename from c8_payloads/src/task_sleep_test.c rename to c8_libpayload/pl/src/task_sleep_test.c diff --git a/c8_libpayload/scripts/librarize.py b/c8_libpayload/scripts/librarize.py new file mode 100644 index 0000000..72a80ba --- /dev/null +++ b/c8_libpayload/scripts/librarize.py 
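Review bot: `return res.pt_base;` in sysreg.c changes what `_start` reports from VBAR_EL1 to TTBR0_EL1 without a comment, and `res.evt_base`, still read on the line above, is now never used. If the host side expects exactly one register, document which on the function, e.g. `/* returns TTBR0_EL1; VBAR_EL1 is read into res.evt_base but not reported */`; if both are wanted, reporting the whole `res` struct rather than one field would avoid flipping this line back and forth. `_start` begins outside the hunk, so how `res` is declared and whether it escapes cannot be seen here.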
@@ -0,0 +1,55 @@
+import sys
+from collections import defaultdict
+import os
+
+if __name__ == '__main__':
+ print('ffffffffffffffffff')
+ if len(sys.argv) < 3:
+ print('Usage: librarize.py [bin names ...] [lib dir]')
+ exit(1)
+
+ bin_names = []
+ lib_dir = os.path.abspath(sys.argv[-1])
+
+ if os.path.isdir(sys.argv[1]):
+ bin_folder = os.path.abspath(sys.argv[1])
+ for bin_fname in os.listdir(bin_folder):
+ bin_names.append(bin_folder + '/' + bin_fname)
+ else:
+ for n in sys.argv[1:-1]:
+ bin_names.append(os.path.abspath(n))
+
+ source_lines = defaultdict(list)
+ header_lines = ['#ifndef CHECKM8_TOOL_LIBPAYLOAD_H\n',
+ '#define CHECKM8_TOOL_LIBPAYLOAD_H\n',
+ '\n']
+
+ for n in bin_names:
+ payload_name = os.path.basename(n).split('.')[0]
+ with open(n, 'rb') as fbin:
+ fbytes = fbin.read()
+
+ header_lines.append('extern const unsigned char %s[%i];\n' % (payload_name, len(fbytes)))
+
+ source_lines[payload_name].append('#include "libpayload.h"\n')
+ source_lines[payload_name].append('\n')
+ source_lines[payload_name].append('const unsigned char %s[%i] =\n' % (payload_name, len(fbytes)))
+ source_lines[payload_name].append('\t{')
+
+ for i, b in enumerate(fbytes):
+ if i % 16 == 0:
+ source_lines[payload_name].append('\n\t\t')
+
+ source_lines[payload_name][-1] += '0x%02x, ' % b
+
+ source_lines[payload_name].append('\n\t};\n')
+
+ header_lines.append('\n')
+ header_lines.append('#endif //CHECKM8_TOOL_LIBPAYLOAD_H\n')
+
+ with open(lib_dir + '/libpayload.h', 'w+') as f:
+ f.writelines(header_lines)
+
+ for sname, lines in source_lines.items():
+ with open(lib_dir + '/' + sname + '.c', 'w+') as f:
+ f.writelines(lines)
\ No newline at end of file
diff --git a/c8_payloads/CMakeLists.txt b/c8_payloads/CMakeLists.txt
deleted file mode 100644
index 4dc1a46..0000000
--- a/c8_payloads/CMakeLists.txt
+++ /dev/null
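Review bot: `print('ffffffffffffffffff')` on the first line of the main block is leftover debug output and should go, and `exit(1)` on the usage path should be `sys.exit(1)` (the builtin `exit` is a site-module convenience that is not guaranteed to exist). The directory branch also takes every entry from `os.listdir` in filesystem order, so the header and the set of generated `.c` files vary between runs and would include anything stray in the bin directory; `for bin_fname in sorted(os.listdir(bin_folder)):` followed by `if not bin_fname.endswith('.bin'): continue` makes the output deterministic and limits it to the objcopy products. A zero-length input currently yields `const unsigned char <name>[0]`, which is not valid C; skip empty inputs or fail with a clear message. The script has no module or usage docstring; a two-line one describing the input layout and the generated `libpayload.h` / `<name>.c` pair would help whoever edits the CMake side.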
@@ -1,33 +0,0 @@ -project(checkm8_payloads ASM) -include_directories(include) - -set(CMAKE_SYSTEM_PROCESSOR arm) - -if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") - set(CMAKE_C_COMPILER /usr/bin/aarch64-linux-gnu-gcc) - set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as) - set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy) -endif() - -set(CMAKE_C_FLAGS "-nostdlib -O") - -set(PAYLOADS - aes - aes_busy - aes_sw - sync - sysreg - task_sleep_test) - -file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin/) -set_directory_properties(PROPERTY ADDITIONAL_CLEAN_FILES "${CMAKE_CURRENT_SOURCE_DIR}/bin/") - -foreach(BINARY ${PAYLOADS}) - add_executable(payload_${BINARY} src/${BINARY}.c) - add_custom_command(TARGET payload_${BINARY} POST_BUILD - BYPRODUCTS ${CMAKE_CURRENT_SOURCE_DIR}/bin/payload_${BINARY}.bin - COMMAND ${CMAKE_OBJCOPY} - ARGS -O binary -j .text -j .payload_text -j .payload_data - ${CMAKE_CURRENT_BINARY_DIR}/payload_${BINARY} - ${CMAKE_CURRENT_SOURCE_DIR}/bin/payload_${BINARY}.bin) -endforeach(BINARY) \ No newline at end of file diff --git a/c8_payloads/bin/payload_aes.bin b/c8_payloads/bin/payload_aes.bin deleted file mode 100644 index 11f483e..0000000 Binary files a/c8_payloads/bin/payload_aes.bin and /dev/null differ diff --git a/c8_payloads/bin/payload_aes_busy.bin b/c8_payloads/bin/payload_aes_busy.bin deleted file mode 100644 index fdc05ef..0000000 Binary files a/c8_payloads/bin/payload_aes_busy.bin and /dev/null differ diff --git a/c8_payloads/bin/payload_aes_sw.bin b/c8_payloads/bin/payload_aes_sw.bin deleted file mode 100644 index d6b5b60..0000000 Binary files a/c8_payloads/bin/payload_aes_sw.bin and /dev/null differ diff --git a/c8_payloads/bin/payload_sync.bin b/c8_payloads/bin/payload_sync.bin deleted file mode 100644 index 0724988..0000000 --- a/c8_payloads/bin/payload_sync.bin +++ /dev/null @@ -1 +0,0 @@ -¿?ÕuÕŸ?Õß?ÕÀ_Ö \ No newline at end of file 
diff --git a/c8_payloads/bin/payload_sysreg.bin b/c8_payloads/bin/payload_sysreg.bin deleted file mode 100644 index 8fc742e..0000000 Binary files a/c8_payloads/bin/payload_sysreg.bin and /dev/null differ diff --git a/c8_payloads/bin/payload_task_sleep_test.bin b/c8_payloads/bin/payload_task_sleep_test.bin deleted file mode 100644 index 61d4edd..0000000 Binary files a/c8_payloads/bin/payload_task_sleep_test.bin and /dev/null differ diff --git a/c8_remote/CMakeLists.txt b/c8_remote/CMakeLists.txt index 2cb6934..6763206 100644 --- a/c8_remote/CMakeLists.txt +++ b/c8_remote/CMakeLists.txt @@ -3,12 +3,8 @@ project(checkm8_remote C) set(CMAKE_C_STANDARD 99) set(CMAKE_C_FLAGS "-g -Wall") + include_directories(include) add_executable(checkm8_remote main.c src/usb_helpers.c src/exploit.c src/payload.c src/command.c) -add_custom_command(TARGET checkm8_remote POST_BUILD - COMMAND ln - ARGS -s -f -n - ${CMAKE_SOURCE_DIR}/c8_payloads/bin - ${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads) -target_link_libraries(checkm8_remote usb-1.0 pthread udev) \ No newline at end of file +target_link_libraries(checkm8_remote usb-1.0 pthread udev payload) \ No newline at end of file diff --git a/c8_remote/include/payload.h b/c8_remote/include/payload.h index 8587178..a8ddab5 100644 --- a/c8_remote/include/payload.h +++ b/c8_remote/include/payload.h @@ -3,13 +3,6 @@ #include "checkm8.h" -#define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin" -#define PAYLOAD_AES_BUSY_BIN CHECKM8_BIN_BASE "payloads/payload_aes_busy.bin" -#define PAYLOAD_AES_SW_BIN CHECKM8_BIN_BASE "payloads/payload_aes_sw.bin" -#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin" -#define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin" -#define PAYLOAD_TASK_SLEEP_TEST_BIN CHECKM8_BIN_BASE "payloads/payload_task_sleep_test.bin" - typedef enum { PAYLOAD_AES, 
@@ -26,8 +19,6 @@ typedef enum DRAM } LOCATION_T; -#define RESP_VALUE(buf, type, i) ((type *) buf)[i] - int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc); int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p); struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...); diff --git a/c8_remote/main.c b/c8_remote/main.c index cf4a9a3..471cb52 100644 --- a/c8_remote/main.c +++ b/c8_remote/main.c @@ -231,13 +231,6 @@ int main() } printf("\n"); - free_dev_cmd_resp(resp); - resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to execute sync\n"); - } - free_dev_cmd_resp(resp); usleep(1000000); } diff --git a/c8_remote/src/command.c b/c8_remote/src/command.c index a905e2a..08dd929 100644 --- a/c8_remote/src/command.c +++ b/c8_remote/src/command.c @@ -167,7 +167,7 @@ struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsign cmd_args[3] = (unsigned long long) c; cmd_args[4] = len; - return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long)); + return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 8); } struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len) @@ -180,7 +180,7 @@ struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long l cmd_args[3] = src; cmd_args[4] = len; - return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long)); + return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 8); } struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args) 
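Review bot: replacing `1 * sizeof(unsigned long long)` with a bare `8` in `dev_memset` and `dev_memcpy` (both hunks here) and in `dev_write_memory` (the hunk that follows) drops the only hint of what the fourth `command` argument means, while the third argument on the same lines still reads `5 * sizeof(unsigned long long)`. If the response is one 64-bit word, keep `sizeof(unsigned long long)`; if the intent is a fixed 8-byte wire size independent of the host type, give it a named constant (name to be chosen by the author) and use it in all three places so the meaning survives the next edit. `command`'s signature is outside these hunks, so what the parameter denotes cannot be confirmed here.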
@@ -266,5 +266,5 @@ struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr, ((unsigned long long *) cmd_args)[4] = len; memcpy(&cmd_args[40], data, len); - return command(dev, cmd_args, 40 + len, 1 * sizeof(unsigned long long)); + return command(dev, cmd_args, 40 + len, 8); } \ No newline at end of file diff --git a/c8_remote/src/payload.c b/c8_remote/src/payload.c index bd83570..7bdedd5 100644 --- a/c8_remote/src/payload.c +++ b/c8_remote/src/payload.c @@ -7,6 +7,8 @@ #include "command.h" #include "usb_helpers.h" +// TODO: this is so ugly ... +#include "../../cmake-build-debug/c8_libpayload/lib/libpayload.h" struct payload { 
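Review bot: `#include "../../cmake-build-debug/c8_libpayload/lib/libpayload.h"` ties payload.c to one IDE's default build directory, so any other build tree or a clean checkout fails to compile; the TODO on the line above already acknowledges this. The fix belongs in CMake rather than in the include path: have the `payload` target export its generated directory with `target_include_directories(payload PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/lib)` so c8_remote, which links `payload`, can write `#include "libpayload.h"`. Related: the generated header declares each payload as a sized array (`extern const unsigned char <name>[N]`), so `sizeof(<name>)` gives the payload length only while the array type is in view; the `get_payload` hunk that follows first assigns the array to `unsigned char *pl` (also discarding `const`) and then sets `res->len = sizeof(pl)`, which is the pointer size rather than the payload length, so the length should be taken per `case` from the array itself before that merges.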
@@ -21,68 +23,55 @@ struct payload struct payload *get_payload(PAYLOAD_T p) { - FILE *payload_file; struct payload *res; - char *path; + unsigned char *pl; switch(p) { case PAYLOAD_AES: - path = PAYLOAD_AES_BIN; + pl = payload_aes; break; case PAYLOAD_AES_BUSY: - path = PAYLOAD_AES_BUSY_BIN; + pl = payload_aes_busy; break; case PAYLOAD_AES_SW: - path = PAYLOAD_AES_SW_BIN; + pl = payload_aes_sw; break; case PAYLOAD_SYNC: - path = PAYLOAD_SYNC_BIN; + pl = payload_sync; break; case PAYLOAD_SYSREG: - path = PAYLOAD_SYSREG_BIN; + pl = payload_sysreg; break; case PAYLOAD_TASK_SLEEP_TEST: - path = PAYLOAD_TASK_SLEEP_TEST_BIN; + pl = payload_task_sleep_test; break; default: return NULL; } - checkm8_debug_indent("get_payload(p = %i) -> %s\n", p, path); + checkm8_debug_indent("get_payload(p = %i)\n", p); res = malloc(sizeof(struct payload)); if(res == NULL) return NULL; - if((payload_file = fopen(path, "rb")) == NULL) - { - free(res); - return NULL; - } - - fseek(payload_file, 0, SEEK_END); res->type = p; - res->len = ftell(payload_file); - res->data = malloc(res->len); + res->len = sizeof(pl); + res->data = pl; res->install_base = -1; res->next = NULL; res->prev = NULL; - rewind(payload_file); - fread(res->data, 1, res->len, payload_file); - fclose(payload_file); - return res; } void free_payload(struct payload *p) { - free(p->data); free(p); }