diff --git a/c8_libpayload/CMakeLists.txt b/c8_libpayload/CMakeLists.txt index 0c02d72..c63705a 100644 --- a/c8_libpayload/CMakeLists.txt +++ b/c8_libpayload/CMakeLists.txt @@ -4,6 +4,8 @@ set(PL_NAMES aes aes_busy aes_sw + bootstrap + floppysleep sync sysreg task_sleep_test) diff --git a/c8_libpayload/pl/include/brfunc_common.h b/c8_libpayload/pl/include/brfunc_common.h index 4e2d41d..dc55ffc 100644 --- a/c8_libpayload/pl/include/brfunc_common.h +++ b/c8_libpayload/pl/include/brfunc_common.h @@ -4,6 +4,7 @@ #include "checkm8_config.h" typedef int (*BOOTROM_FUNC)(); +typedef unsigned char (*(*BOOTROM_FUNC_PTR)()); #if CHECKM8_PLATFORM == 8010 @@ -29,6 +30,9 @@ typedef int (*BOOTROM_FUNC)(); #define ADDR_TIME_HAS_ELAPSED 0x10000B04F #define ADDR_TASK_SLEEP 0x10000ADF0 +/* Boot */ +#define ADDR_NVME_INIT 0x1000080B4 + #else #error "Unsupported checkm8 platform" #endif diff --git a/c8_libpayload/pl/src/aes_sw.c b/c8_libpayload/pl/src/aes_sw.c index 3af2244..188f621 100644 --- a/c8_libpayload/pl/src/aes_sw.c +++ b/c8_libpayload/pl/src/aes_sw.c @@ -116,6 +116,18 @@ void expand_key(unsigned char key[16], unsigned char key_sched[176], int n, } } +PAYLOAD_SECTION +void busy_sleep(int usec) +{ + unsigned long long halt = 0x1000004fc; + unsigned long long timer_deadline_enter = 0x10000b874; + unsigned long long now; + + __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now)); + ((BOOTROM_FUNC) timer_deadline_enter)(now + 24 * usec, ((BOOTROM_FUNC) 0x10000b924)); + ((BOOTROM_FUNC) halt)(); +} + PAYLOAD_SECTION void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16], unsigned char sbox[16][16], unsigned char rc_lookup[11], @@ -123,6 +135,7 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char { unsigned char key_sched[176]; expand_key(key, key_sched, 11, sbox, rc_lookup); + busy_sleep(10); unsigned int num_blocks = msg_len / 16; unsigned char *block; 
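Review bot: `busy_sleep` hard-codes three ROM entry points (`0x1000004fc`, `0x10000b874`, `0x10000b924`) in the C body even though the brfunc_common.h hunk above keeps every other ROM address behind `#if CHECKM8_PLATFORM == 8010` as an `ADDR_*` macro, so these calls bypass the platform guard and would need `ADDR_HALT`/`ADDR_TIMER_DEADLINE_ENTER` definitions next to the new `ADDR_NVME_INIT`. The call through `BOOTROM_FUNC`, which is `int (*)()`, passes a 64-bit deadline and a function pointer; calling a function through a pointer of incompatible type is undefined behaviour in C, so a matching typedef such as `typedef void (*TIMER_DEADLINE_FUNC)(unsigned long long deadline, BOOTROM_FUNC cb);` would make the real signature explicit and checkable. `24 * usec` is signed `int` arithmetic that silently encodes a counter frequency; I would annotate it `/* assumes CNTPCT_EL0 runs at 24 MHz: 24 ticks per microsecond */` and take `unsigned usec`. The name is also misleading, since the core is halted until the deadline rather than spinning.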
@@ -139,7 +152,6 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char shift_rows(block); mix_cols(block, mul2, mul3); add_key(block, &key_sched[16 * (j + 1)]); - task_sleep(20); } sub_bytes(block, sbox); @@ -149,34 +161,14 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char } TEXT_SECTION -unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key, +void _start(unsigned char *msg, unsigned int msg_len, unsigned char *key, unsigned char sbox[16][16], unsigned char rc_lookup[11], unsigned char mul2[256], unsigned char mul3[256]) { unsigned long long start, end; + unsigned long long platform_quiesce_hardware = 0x100007dd0; __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start)); aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3); __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end)); - -// for(i = 0; i < 256; i++) -// { -// __asm__ volatile ("dc civac, %0" : : "r" (&sbox[i % 16][i / 16]) : "memory"); -// __asm__ volatile ("dc civac, %0" : : "r" (&mul2[i]) : "memory"); -// __asm__ volatile ("dc civac, %0" : : "r" (&mul3[i]) : "memory"); -// } -// -// for(i = 0; i < 16; i++) -// { -// __asm__ volatile ("dc civac, %0" : : "r" (&msg[i]) : "memory"); -// __asm__ volatile ("dc civac, %0" : : "r" (&key[i]) : "memory"); -// } -// -// for(i = 0; i < 12; i++) -// { -// __asm__ volatile ("dc civac, %0" : : "r" (&rc_lookup[i]) : "memory"); -// } -// -// __asm__ volatile ("dsb sy"); - return end - start; } \ No newline at end of file diff --git a/c8_libpayload/pl/src/bootstrap.c b/c8_libpayload/pl/src/bootstrap.c new file mode 100644 index 0000000..6a299eb --- /dev/null +++ b/c8_libpayload/pl/src/bootstrap.c 
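Review bot: `_start` is changed to return `void`, but its body still ends with `return end - start;`, which is a constraint violation (GCC warns, clang rejects it by default), and the remote side consumes payload results through `resp->retval`, so the measured duration needs a value-returning signature such as `unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,`. The new local `platform_quiesce_hardware = 0x100007dd0` is declared and never used in this hunk; either call it or drop it, and if it stays it belongs with the `ADDR_*` macros in brfunc_common.h rather than inline. Removing the commented-out cache-maintenance loops is an improvement, but the file is still left without a trailing newline.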
@@ -0,0 +1,26 @@
+#include "util.h"
+
+TEXT_SECTION
+unsigned long long _start()
+{
+// unsigned long long platform_quiesce_hardware = 0x100007dd0;
+// unsigned long long enter_critical_section = 0x10000a4b8;
+// unsigned long long halt = 0x1000004fc;
+// unsigned long long timer_deadline_enter = 0x10000b874;
+// unsigned long long now, later;
+//
+// ((BOOTROM_FUNC) platform_quiesce_hardware)();
+// //((BOOTROM_FUNC) enter_critical_section)();
+//
+// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
+// ((BOOTROM_FUNC) timer_deadline_enter)(now + (24000000) - 64, ((BOOTROM_FUNC) 0x10000b924));
+// ((BOOTROM_FUNC) halt)();
+// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (later));
+
+ volatile unsigned long long regval = 0xffff;
+ __asm__ volatile ("mrs %0, fpcr" : "=r" (regval));
+ regval = (1u << 24u);
+ __asm__ volatile ("msr fpcr, %0" : "=r" (regval));
+
+ return regval;
+}
\ No newline at end of file
diff --git a/c8_libpayload/pl/src/floppysleep.S b/c8_libpayload/pl/src/floppysleep.S
new file mode 100644
index 0000000..616f213
--- /dev/null
+++ b/c8_libpayload/pl/src/floppysleep.S
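Review bot: The `msr fpcr, %0` asm uses an output constraint (`"=r" (regval)`) for an operand the instruction reads, so the compiler is free to hand it an unwritten register and to discard the preceding `regval = (1u << 24u)` store; what actually lands in FPCR is unspecified. It must be an input operand: `__asm__ volatile ("msr fpcr, %0" : : "r" (regval));`. The `mrs fpcr` read just before it is dead (overwritten on the next line), and the function returns the local rather than a read-back, so if the intent is to confirm the write, re-read FPCR after the `msr` and return that. Bit 24 of FPCR is FZ (flush-to-zero) in the ARM ARM, which appears to be the point of this bootstrap given the subnormal experiment in floppysleep, and deserves a comment such as `/* set FPCR.FZ so subnormal inputs are flushed to zero */`; the eighteen commented-out lines above it should be deleted rather than committed.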
@@ -0,0 +1,189 @@ +.global fs_routine +.global fs_load +# .global check_subnormal + +.section .payload_text, "ax" + +fs_load: + # load from memory + ldr s0, [x0] + mov v0.s[1], v0.s[0] + mov v0.s[2], v0.s[0] + mov v0.s[3], v0.s[0] + fmov s31, 1.0 + ucvtf s30, w1 + + mov v1.s[3], v30.s[0] + fadd s30, s30, s31 + mov v1.s[2], v30.s[0] + fadd s30, s30, s31 + mov v1.s[1], v30.s[0] + fadd s30, s30, s31 + mov v1.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v2.s[3], v30.s[0] + fadd s30, s30, s31 + mov v2.s[2], v30.s[0] + fadd s30, s30, s31 + mov v2.s[1], v30.s[0] + fadd s30, s30, s31 + mov v2.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v3.s[3], v30.s[0] + fadd s30, s30, s31 + mov v3.s[2], v30.s[0] + fadd s30, s30, s31 + mov v3.s[1], v30.s[0] + fadd s30, s30, s31 + mov v3.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v4.s[3], v30.s[0] + fadd s30, s30, s31 + mov v4.s[2], v30.s[0] + fadd s30, s30, s31 + mov v4.s[1], v30.s[0] + fadd s30, s30, s31 + mov v4.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v5.s[3], v30.s[0] + fadd s30, s30, s31 + mov v5.s[2], v30.s[0] + fadd s30, s30, s31 + mov v5.s[1], v30.s[0] + fadd s30, s30, s31 + mov v5.s[0], v30.s[0] + + + fadd s30, s30, s31 + mov v6.s[3], v30.s[0] + fadd s30, s30, s31 + mov v6.s[2], v30.s[0] + fadd s30, s30, s31 + mov v6.s[1], v30.s[0] + fadd s30, s30, s31 + mov v6.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v7.s[3], v30.s[0] + fadd s30, s30, s31 + mov v7.s[2], v30.s[0] + fadd s30, s30, s31 + mov v7.s[1], v30.s[0] + fadd s30, s30, s31 + mov v7.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v8.s[3], v30.s[0] + fadd s30, s30, s31 + mov v8.s[2], v30.s[0] + fadd s30, s30, s31 + mov v8.s[1], v30.s[0] + fadd s30, s30, s31 + mov v8.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v9.s[3], v30.s[0] + fadd s30, s30, s31 + mov v9.s[2], v30.s[0] + fadd s30, s30, s31 + mov v9.s[1], v30.s[0] + fadd s30, s30, s31 + mov v9.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v10.s[3], v10.s[0] + fadd s30, s30, s31 + mov v10.s[2], v10.s[0] + fadd s30, s30, s31 + 
mov v10.s[1], v10.s[0] + fadd s30, s30, s31 + mov v10.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v11.s[3], v30.s[0] + fadd s30, s30, s31 + mov v11.s[2], v30.s[0] + fadd s30, s30, s31 + mov v11.s[1], v30.s[0] + fadd s30, s30, s31 + mov v11.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v12.s[3], v30.s[0] + fadd s30, s30, s31 + mov v12.s[2], v30.s[0] + fadd s30, s30, s31 + mov v12.s[1], v30.s[0] + fadd s30, s30, s31 + mov v12.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v13.s[3], v30.s[0] + fadd s30, s30, s31 + mov v13.s[2], v30.s[0] + fadd s30, s30, s31 + mov v13.s[1], v30.s[0] + fadd s30, s30, s31 + mov v13.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v14.s[3], v30.s[0] + fadd s30, s30, s31 + mov v14.s[2], v30.s[0] + fadd s30, s30, s31 + mov v14.s[1], v30.s[0] + fadd s30, s30, s31 + mov v14.s[0], v30.s[0] + + fadd s30, s30, s31 + mov v15.s[3], v30.s[0] + fadd s30, s30, s31 + mov v15.s[2], v30.s[0] + fadd s30, s30, s31 + mov v15.s[1], v30.s[0] + fadd s30, s30, s31 + mov v15.s[0], v30.s[0] + + #mov s30, wzr + #mov s31, wzr + ret + +fs_routine: + fdiv v16.4s, v0.4s, v1.4s + fdiv v17.4s, v0.4s, v2.4s + fdiv v18.4s, v0.4s, v3.4s + fdiv v19.4s, v0.4s, v4.4s + fdiv v20.4s, v0.4s, v5.4s + fdiv v21.4s, v0.4s, v6.4s + fdiv v22.4s, v0.4s, v7.4s + fdiv v23.4s, v0.4s, v8.4s + fdiv v24.4s, v0.4s, v9.4s + fdiv v25.4s, v0.4s, v10.4s + fdiv v26.4s, v0.4s, v11.4s + fdiv v27.4s, v0.4s, v12.4s + fdiv v28.4s, v0.4s, v13.4s + fdiv v29.4s, v0.4s, v14.4s + fdiv v30.4s, v0.4s, v15.4s + + fdiv v16.4s, v16.4s, v15.4s + fdiv v17.4s, v17.4s, v14.4s + fdiv v18.4s, v18.4s, v13.4s + fdiv v19.4s, v19.4s, v12.4s + fdiv v20.4s, v20.4s, v11.4s + fdiv v21.4s, v21.4s, v10.4s + fdiv v22.4s, v22.4s, v9.4s + fdiv v23.4s, v23.4s, v8.4s + fdiv v24.4s, v24.4s, v7.4s + fdiv v25.4s, v25.4s, v6.4s + fdiv v26.4s, v26.4s, v5.4s + fdiv v27.4s, v27.4s, v4.4s + fdiv v28.4s, v28.4s, v3.4s + fdiv v29.4s, v29.4s, v2.4s + fdiv v30.4s, v30.4s, v1.4s + + mov w0, v16.s[3] + ret 
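Review bot: In the v10 set-up block the three lane copies read `v10.s[0]` instead of `v30.s[0]` (`mov v10.s[3], v10.s[0]`, `mov v10.s[2], v10.s[0]`, `mov v10.s[1], v10.s[0]`), and lane 0 of v10 is only written two instructions later, so lanes 1–3 hold whatever was in the register before `fs_load` ran; every other register in the routine uses `v30.s[0]` as the source, so this looks like a copy-paste slip. The effect is that `fdiv v25.4s, v0.4s, v10.4s` and `fdiv v21.4s, v21.4s, v10.4s` in `fs_routine` divide by stale data, which may be zero or NaN and would skew any timing measurement; the fix is to change those three sources to `v30.s[0]`. Separately, `fs_load` overwrites v8–v15, whose low 64 bits are callee-saved under AAPCS64; the C caller in floppysleep.c holds no FP state of its own, but whatever ROM code invoked `_start` might, so a note on that assumption would help. The C prototype also declares `fs_load` as returning `unsigned long long`, yet the routine never sets x0 before `ret`.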
diff --git a/c8_libpayload/pl/src/floppysleep.c b/c8_libpayload/pl/src/floppysleep.c new file mode 100644 index 0000000..93708b9 --- /dev/null +++ b/c8_libpayload/pl/src/floppysleep.c @@ -0,0 +1,44 @@ +#include "brfunc_common.h" +#include "util.h" + +extern unsigned long long fs_routine(void); + +extern unsigned long long fs_load(float *dividend, int divisor_base); +// extern unsigned long long check_subnormal(); + +PAYLOAD_SECTION +unsigned int is_subnormal(float val) +{ + unsigned int bytes = *((unsigned int *) &val); + bytes = bytes >> 23u; + + if(bytes & 0x7u) + { + return 0; + } + else return 1; +} + +TEXT_SECTION +unsigned long long _start(float *init_a) +{ + int i; + unsigned long long check; + unsigned long long start, end, report; + unsigned long long timer_deadline_enter = 0x10000b874; + unsigned long long halt = 0x1000004fc; + + fs_load(init_a, 1); + + __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start)); + for(i = 0; i < 1; i++) check = fs_routine(); + __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end)); + +// +// ((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924)); +// ((BOOTROM_FUNC) halt)(); + + +// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (report)); + return end - start; +} \ No newline at end of file diff --git a/c8_remote/include/payload.h b/c8_remote/include/payload.h index a8ddab5..67acbfb 100644 --- a/c8_remote/include/payload.h +++ b/c8_remote/include/payload.h @@ -8,6 +8,8 @@ typedef enum PAYLOAD_AES, PAYLOAD_AES_BUSY, PAYLOAD_AES_SW, + PAYLOAD_BOOTSTRAP, + PAYLOAD_FLOPPYSLEEP, PAYLOAD_SYNC, PAYLOAD_SYSREG, PAYLOAD_TASK_SLEEP_TEST diff --git a/c8_remote/main.c b/c8_remote/main.c index 471cb52..eec33a0 100644 --- a/c8_remote/main.c +++ b/c8_remote/main.c @@ -3,6 +3,7 @@ #include #include #include +#include #include "command.h" #include "payload.h" 
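Review bot: `is_subnormal` only inspects the low three bits of the biased exponent (`(bytes >> 23u) & 0x7u`), so any float whose exponent is a multiple of 8 (8, 16, …, 248) is reported as subnormal, and the cast `*((unsigned int *) &val)` violates strict aliasing. A correct test checks the full 8-bit exponent for zero and a non-zero mantissa, punning through a union: `union { float f; unsigned int u; } pun = { val };` followed by `return ((pun.u >> 23u) & 0xffu) == 0 && (pun.u & 0x7fffffu) != 0;` (this also stops ±0 from being classified as subnormal, which the current code does). In `_start`, `timer_deadline_enter`, `halt`, `check` and `report` are assigned or declared but never used, and `for(i = 0; i < 1; i++)` executes `fs_routine` exactly once, so either the iteration count should be a parameter or the loop should go. The file is also left without a trailing newline.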
@@ -43,104 +44,6 @@ void checkm8_debug_block(const char *format, ...) #endif } -void write_aes_utils(struct pwned_device *dev) -{ - unsigned char sbox[256] = - { - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 - }; - - unsigned char rc_lookup[11] = {0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c}; - - unsigned char mul2_lookup[256] = - { - 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e, - 0x20, 0x22, 0x24, 
0x26, 0x28, 0x2a, 0x2c, 0x2e, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3a, 0x3c, 0x3e, - 0x40, 0x42, 0x44, 0x46, 0x48, 0x4a, 0x4c, 0x4e, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5a, 0x5c, 0x5e, - 0x60, 0x62, 0x64, 0x66, 0x68, 0x6a, 0x6c, 0x6e, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7a, 0x7c, 0x7e, - 0x80, 0x82, 0x84, 0x86, 0x88, 0x8a, 0x8c, 0x8e, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9a, 0x9c, 0x9e, - 0xa0, 0xa2, 0xa4, 0xa6, 0xa8, 0xaa, 0xac, 0xae, 0xb0, 0xb2, 0xb4, 0xb6, 0xb8, 0xba, 0xbc, 0xbe, - 0xc0, 0xc2, 0xc4, 0xc6, 0xc8, 0xca, 0xcc, 0xce, 0xd0, 0xd2, 0xd4, 0xd6, 0xd8, 0xda, 0xdc, 0xde, - 0xe0, 0xe2, 0xe4, 0xe6, 0xe8, 0xea, 0xec, 0xee, 0xf0, 0xf2, 0xf4, 0xf6, 0xf8, 0xfa, 0xfc, 0xfe, - 0x1b, 0x19, 0x1f, 0x1d, 0x13, 0x11, 0x17, 0x15, 0x0b, 0x09, 0x0f, 0x0d, 0x03, 0x01, 0x07, 0x05, - 0x3b, 0x39, 0x3f, 0x3d, 0x33, 0x31, 0x37, 0x35, 0x2b, 0x29, 0x2f, 0x2d, 0x23, 0x21, 0x27, 0x25, - 0x5b, 0x59, 0x5f, 0x5d, 0x53, 0x51, 0x57, 0x55, 0x4b, 0x49, 0x4f, 0x4d, 0x43, 0x41, 0x47, 0x45, - 0x7b, 0x79, 0x7f, 0x7d, 0x73, 0x71, 0x77, 0x75, 0x6b, 0x69, 0x6f, 0x6d, 0x63, 0x61, 0x67, 0x65, - 0x9b, 0x99, 0x9f, 0x9d, 0x93, 0x91, 0x97, 0x95, 0x8b, 0x89, 0x8f, 0x8d, 0x83, 0x81, 0x87, 0x85, - 0xbb, 0xb9, 0xbf, 0xbd, 0xb3, 0xb1, 0xb7, 0xb5, 0xab, 0xa9, 0xaf, 0xad, 0xa3, 0xa1, 0xa7, 0xa5, - 0xdb, 0xd9, 0xdf, 0xdd, 0xd3, 0xd1, 0xd7, 0xd5, 0xcb, 0xc9, 0xcf, 0xcd, 0xc3, 0xc1, 0xc7, 0xc5, - 0xfb, 0xf9, 0xff, 0xfd, 0xf3, 0xf1, 0xf7, 0xf5, 0xeb, 0xe9, 0xef, 0xed, 0xe3, 0xe1, 0xe7, 0xe5 - }; - - unsigned char mul3_lookup[256] = - { - 0x00, 0x03, 0x06, 0x05, 0x0c, 0x0f, 0x0a, 0x09, 0x18, 0x1b, 0x1e, 0x1d, 0x14, 0x17, 0x12, 0x11, - 0x30, 0x33, 0x36, 0x35, 0x3c, 0x3f, 0x3a, 0x39, 0x28, 0x2b, 0x2e, 0x2d, 0x24, 0x27, 0x22, 0x21, - 0x60, 0x63, 0x66, 0x65, 0x6c, 0x6f, 0x6a, 0x69, 0x78, 0x7b, 0x7e, 0x7d, 0x74, 0x77, 0x72, 0x71, - 0x50, 0x53, 0x56, 0x55, 0x5c, 0x5f, 0x5a, 0x59, 0x48, 0x4b, 0x4e, 0x4d, 0x44, 0x47, 0x42, 0x41, - 0xc0, 0xc3, 0xc6, 0xc5, 0xcc, 0xcf, 0xca, 0xc9, 0xd8, 0xdb, 0xde, 0xdd, 0xd4, 0xd7, 0xd2, 0xd1, - 0xf0, 0xf3, 
0xf6, 0xf5, 0xfc, 0xff, 0xfa, 0xf9, 0xe8, 0xeb, 0xee, 0xed, 0xe4, 0xe7, 0xe2, 0xe1, - 0xa0, 0xa3, 0xa6, 0xa5, 0xac, 0xaf, 0xaa, 0xa9, 0xb8, 0xbb, 0xbe, 0xbd, 0xb4, 0xb7, 0xb2, 0xb1, - 0x90, 0x93, 0x96, 0x95, 0x9c, 0x9f, 0x9a, 0x99, 0x88, 0x8b, 0x8e, 0x8d, 0x84, 0x87, 0x82, 0x81, - 0x9b, 0x98, 0x9d, 0x9e, 0x97, 0x94, 0x91, 0x92, 0x83, 0x80, 0x85, 0x86, 0x8f, 0x8c, 0x89, 0x8a, - 0xab, 0xa8, 0xad, 0xae, 0xa7, 0xa4, 0xa1, 0xa2, 0xb3, 0xb0, 0xb5, 0xb6, 0xbf, 0xbc, 0xb9, 0xba, - 0xfb, 0xf8, 0xfd, 0xfe, 0xf7, 0xf4, 0xf1, 0xf2, 0xe3, 0xe0, 0xe5, 0xe6, 0xef, 0xec, 0xe9, 0xea, - 0xcb, 0xc8, 0xcd, 0xce, 0xc7, 0xc4, 0xc1, 0xc2, 0xd3, 0xd0, 0xd5, 0xd6, 0xdf, 0xdc, 0xd9, 0xda, - 0x5b, 0x58, 0x5d, 0x5e, 0x57, 0x54, 0x51, 0x52, 0x43, 0x40, 0x45, 0x46, 0x4f, 0x4c, 0x49, 0x4a, - 0x6b, 0x68, 0x6d, 0x6e, 0x67, 0x64, 0x61, 0x62, 0x73, 0x70, 0x75, 0x76, 0x7f, 0x7c, 0x79, 0x7a, - 0x3b, 0x38, 0x3d, 0x3e, 0x37, 0x34, 0x31, 0x32, 0x23, 0x20, 0x25, 0x26, 0x2f, 0x2c, 0x29, 0x2a, - 0x0b, 0x08, 0x0d, 0x0e, 0x07, 0x04, 0x01, 0x02, 0x13, 0x10, 0x15, 0x16, 0x1f, 0x1c, 0x19, 0x1a - }; - - struct dev_cmd_resp *resp; - - resp = write_gadget(dev, 0x180154000, sbox, 256); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to write sbox\n"); - return; - } - - free_dev_cmd_resp(resp); - resp = write_gadget(dev, 0x180154000 + 256, rc_lookup, 11); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to write rc lookup\n"); - return; - } - - free_dev_cmd_resp(resp); - resp = write_gadget(dev, 0x180154000 + 256 + 16, mul2_lookup, 256); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to write mul2 lookup\n"); - return; - } - - free_dev_cmd_resp(resp); - resp = write_gadget(dev, 0x180154000 + 512 + 16, mul3_lookup, 256); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to write mul3 lookup\n"); - return; - } -} - int main() { struct dev_cmd_resp *resp; 
@@ -151,12 +54,6 @@ int main() return -1; } - unsigned char key[16] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, - 0xef}; - unsigned char data[16] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, - 0xef}; - - if(IS_CHECKM8_FAIL(open_device_session(dev))) { printf("failed to open device session\n"); 
@@ -169,70 +66,38 @@ int main() return -1; } - if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_AES_SW, SRAM))) + if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_FLOPPYSLEEP, SRAM))) { printf("failed to install task sleep payload\n"); return -1; } - resp = write_gadget(dev, 0x180152000, key, 16); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to write key to device\n"); - return -1; - } - + float init_a = -7.504355E-39f; + resp = write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float)); free_dev_cmd_resp(resp); - resp = write_gadget(dev, 0x180153000, data, 16); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to write aes data\n"); - return -1; - } - - free_dev_cmd_resp(resp); resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0); if(IS_CHECKM8_FAIL(resp->ret)) { - printf("failed to execute sync payload\n"); + printf("failed to execute bootstrap\n"); return -1; } - write_aes_utils(dev); - free_dev_cmd_resp(resp); - int i = 0; + while(1) { - resp = execute_payload(dev, PAYLOAD_AES_SW, 0, 7, - 0x180153000, 16, 0x180152000, - 0x180154000, 0x180154000 + 256, - 0x180154000 + 256 + 16, 0x180154000 + 512 + 16); + resp = execute_payload(dev, PAYLOAD_FLOPPYSLEEP, 0, 1, 0x180154000); if(IS_CHECKM8_FAIL(resp->ret)) { - printf("failed to execute sw AES payload\n"); + printf("failed to execute flopsleep payload\n"); return -1; } - printf("%i) op took %llu", i++, resp->retval); - + printf("retval is %08lli\n", resp->retval); free_dev_cmd_resp(resp); - resp = read_gadget(dev, 0x180153000, 16); - if(IS_CHECKM8_FAIL(resp->ret)) - { - printf("failed to read encrypted data from memory\n"); - } - printf(" -> "); - for(int j = 0; j < 16; j++) - { - printf("%02x", resp->data[j]); - } - printf("\n"); - - free_dev_cmd_resp(resp); - usleep(1000000); + usleep(2000000); } close_device_session(dev); diff --git a/c8_remote/src/payload.c b/c8_remote/src/payload.c index 4a57b55..9e8920b 100644 --- a/c8_remote/src/payload.c +++ b/c8_remote/src/payload.c 
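Review bot: The new `write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float))` is the only gadget call in `main` whose `resp->ret` is not checked before `free_dev_cmd_resp(resp)`; if the write fails, the floppysleep payload runs against whatever is already at that address, so add `if(IS_CHECKM8_FAIL(resp->ret)) { printf("failed to write init_a\n"); return -1; }` mirroring the checks the hunk removes. The error message for the `PAYLOAD_SYNC` execution now reads "failed to execute bootstrap" although it is the sync payload that ran, which will mislead whoever reads the log. With `while(1)` having no exit, the `close_device_session(dev)` below it is unreachable; a bounded iteration count or a signal-driven flag would let the session close. The `%08lli` format for `resp->retval` should be checked against the field's declared type, which is not visible in this hunk.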
@@ -43,6 +43,16 @@ struct payload *get_payload(PAYLOAD_T p) len = PAYLOAD_AES_SW_SZ; break; + case PAYLOAD_BOOTSTRAP: + pl = payload_bootstrap; + len = PAYLOAD_BOOTSTRAP_SZ; + break; + + case PAYLOAD_FLOPPYSLEEP: + pl = payload_floppysleep; + len = PAYLOAD_FLOPPYSLEEP_SZ; + break; + case PAYLOAD_SYNC: pl = payload_sync; len = PAYLOAD_SYNC_SZ;