synchronous payloads seem to work well

This commit is contained in:
2020-02-11 15:10:35 -05:00
parent d407c17c0f
commit 8b25a00bd4
4 changed files with 74 additions and 33 deletions


@@ -36,6 +36,7 @@
/* Misc */ /* Misc */
#define ADDR_RANDOM_RET 0x10000b924 #define ADDR_RANDOM_RET 0x10000b924
#define ADDR_SYNC_ENTRY 0x1800afc84
#define ADDR_DFU_RETVAL (int *) 0x180088ac8 #define ADDR_DFU_RETVAL (int *) 0x180088ac8
#define ADDR_DFU_STATUS (unsigned char *) 0x180088ac0 #define ADDR_DFU_STATUS (unsigned char *) 0x180088ac0


@@ -1,3 +1,4 @@
#include "bootrom_addr.h"
#include "dev_util.h" #include "dev_util.h"
extern uint64_t entry_sync(uint64_t *args); extern uint64_t entry_sync(uint64_t *args);
@@ -10,7 +11,7 @@ uint64_t _start(uint64_t arg0, uint64_t arg1, uint64_t arg2, uint64_t arg3,
uint64_t entry, args[8]; uint64_t entry, args[8];
__asm__ volatile ("mov %0, x30" : "=r" (entry)); __asm__ volatile ("mov %0, x30" : "=r" (entry));
if(entry == 0xbea /* todo: correct entry */) if(entry == ADDR_SYNC_ENTRY /* todo: correct entry */)
{ {
args[0] = arg0; args[0] = arg0;
args[1] = arg1; args[1] = arg1;
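Review bot: The `/* todo: correct entry */` comment on `if(entry == ADDR_SYNC_ENTRY /* todo: correct entry */)` is left over from the placeholder `0xbea` and is now misleading: either the address in bootrom_addr.h is confirmed, in which case the comment should go, or it is not, in which case the comment should say what still needs checking. Because a mismatch makes `_start` silently take the non-sync path rather than fail, I would replace the todo with a short comment naming the bootrom build the return address was taken from, e.g. `/* x30 on the sync path; see ADDR_SYNC_ENTRY in bootrom_addr.h */`. `_start` begins and continues outside this hunk.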


@@ -235,6 +235,13 @@ void aes_sw(struct pwned_device *dev)
return; return;
} }
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to execute sync payload\n");
return;
}
for(i = 0; i < 100; i++) for(i = 0; i < 100; i++)
{ {
resp = execute_payload(dev, PAYLOAD_AES_SW, 0, 7, resp = execute_payload(dev, PAYLOAD_AES_SW, 0, 7,
@@ -341,9 +348,7 @@ int main()
demote_device(dev); demote_device(dev);
// usb_task_exit(dev); aes_sw(dev);
floppysleep(dev);
free_device(dev); free_device(dev);
} }
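Review bot: The response from `resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);` is never released: the failure branch returns right after the printf, and on success the pointer is overwritten by the `execute_payload` call at the top of the loop. Every other response in this commit is released with `free_dev_cmd_resp`, so `free_dev_cmd_resp(resp);` belongs before the `return;` in the failure branch and again before the `for` loop. The loop body and the rest of `aes_sw` lie outside the hunk, so if the loop already frees the previous `resp` on entry only the failure-branch leak remains.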


@@ -294,6 +294,13 @@ int demote_device(struct pwned_device *dev)
{ {
checkm8_debug_indent("demote_device(dev = %p)\n", dev); checkm8_debug_indent("demote_device(dev = %p)\n", dev);
unsigned int oldval, newval; unsigned int oldval, newval;
int retval;
if(IS_CHECKM8_FAIL(open_device_session(dev)))
{
checkm8_debug_indent("\tfailed to open a device session\n");
return CHECKM8_FAIL_XFER;
}
struct dev_cmd_resp *resp = dev_read_memory(dev, DEMOTE_REG, 4); struct dev_cmd_resp *resp = dev_read_memory(dev, DEMOTE_REG, 4);
if(IS_CHECKM8_FAIL(resp->ret)) if(IS_CHECKM8_FAIL(resp->ret))
@@ -305,46 +312,73 @@ int demote_device(struct pwned_device *dev)
oldval = *((unsigned int *) resp->data); oldval = *((unsigned int *) resp->data);
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
if(oldval & 1u) if(!(oldval & 1u))
{ {
oldval &= 0xFFFFFFFE; checkm8_debug_block("\tdevice already demoted\n");
if(IS_CHECKM8_FAIL(close_device_session(dev)))
{
checkm8_debug_indent("\tfailed to close device session\n");
return CHECKM8_FAIL_XFER;
}
checkm8_debug_indent("\tattempting to demote device\n"); return CHECKM8_SUCCESS;
resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4); }
oldval &= 0xFFFFFFFE;
checkm8_debug_indent("\tattempting to demote device\n");
resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4);
free_dev_cmd_resp(resp);
if(IS_CHECKM8_FAIL(resp->ret))
{
checkm8_debug_block("\tfailed to write to demotion reg\n");
if(IS_CHECKM8_FAIL(close_device_session(dev)))
{
checkm8_debug_indent("\tfailed to close device session\n");
return CHECKM8_FAIL_XFER;
}
return CHECKM8_FAIL_INVARGS;
}
// verify
resp = dev_read_memory(dev, DEMOTE_REG, 4);
if(IS_CHECKM8_FAIL(resp->ret))
{
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
if(IS_CHECKM8_FAIL(resp->ret)) checkm8_debug_block("\tfailed to verify demotion reg\n");
if(IS_CHECKM8_FAIL(close_device_session(dev)))
{ {
checkm8_debug_block("\tfailed to write to demotion reg\n"); checkm8_debug_indent("\tfailed to close device session\n");
return CHECKM8_FAIL_INVARGS; return CHECKM8_FAIL_XFER;
} }
// verify return CHECKM8_FAIL_INVARGS;
resp = dev_read_memory(dev, DEMOTE_REG, 4); }
if(IS_CHECKM8_FAIL(resp->ret))
{
free_dev_cmd_resp(resp);
checkm8_debug_block("\tfailed to verify demotion reg\n");
return CHECKM8_FAIL_INVARGS;
}
newval = *((unsigned int *) resp->data); newval = *((unsigned int *) resp->data);
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
if(oldval == newval)
{ if(oldval == newval)
checkm8_debug_block("\tdemotion success!\n"); {
return CHECKM8_SUCCESS; checkm8_debug_block("\tdemotion success!\n");
} retval = CHECKM8_SUCCESS;
else
{
checkm8_debug_block("\tdemotion register did not change!\n");
return CHECKM8_FAIL_INVARGS;
}
} }
else else
{ {
checkm8_debug_block("\tdevice already demoted\n"); checkm8_debug_block("\tdemotion register did not change!\n");
return CHECKM8_SUCCESS; retval = CHECKM8_FAIL_INVARGS;
} }
if(IS_CHECKM8_FAIL(close_device_session(dev)))
{
checkm8_debug_indent("\tfailed to close device session\n");
return CHECKM8_FAIL_XFER;
}
return retval;
} }
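Review bot: The write path in the second hunk reads freed memory: `free_dev_cmd_resp(resp);` immediately follows `resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4);` and the next line then tests `resp->ret`, so the failure check is evaluated on a released response. The free should move after the check, with a matching `free_dev_cmd_resp(resp);` as the first statement inside the `if(IS_CHECKM8_FAIL(resp->ret))` body, mirroring how the verify read just below is handled. Now that the function opens a session at the top, the failure branch of the first `dev_read_memory` (between the two hunks, not shown) also needs to close it, as the new branches do; I cannot confirm from the visible lines whether it does. `demote_device`'s body is split across the two hunks of this section.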
void free_device(struct pwned_device *dev) void free_device(struct pwned_device *dev)