From bd4c9b81964d8500eb6d7f36f3f29aeffc1e7fd9 Mon Sep 17 00:00:00 2001 
From: Gregor Haas Date: Tue, 11 Feb 2020 09:56:37 -0500 Subject: [PATCH] heavily restructured libpayload, more integrated with c8_remote now --- CMakeLists.txt | 4 +- c8_libpayload/pl/include/brfunc_aes.h | 24 ---- c8_libpayload/pl/include/brfunc_common.h | 40 ------ c8_libpayload/pl/include/brfunc_sep.h | 9 -- c8_libpayload/pl/include/brfunc_timing.h | 12 -- c8_libpayload/pl/include/util.h | 7 - c8_libpayload/pl/src/aes.c | 60 --------- c8_libpayload/pl/src/exit_usb_task.c | 62 --------- c8_libpayload/pl/src/sysreg.c | 17 --- c8_libpayload/pl/src/task_sleep_test.c | 21 --- c8_remote/include/bootrom_addr.h | 48 +++++++ c8_remote/include/payload.h | 3 - .../lib}/CMakeLists.txt | 19 ++- .../lib/payload}/CMakeLists.txt | 14 +- c8_remote/lib/payload/bootrom_dev.c | 123 ++++++++++++++++++ c8_remote/lib/payload/include/bootrom_func.h | 38 ++++++ c8_remote/lib/payload/include/dev_util.h | 13 ++ .../lib/payload}/src/aes_busy.c | 11 +- .../pl => c8_remote/lib/payload}/src/aes_sw.c | 26 +--- c8_remote/lib/payload/src/exit_usb_task.c | 52 ++++++++ .../lib/payload}/src/floppysleep.S | 0 .../lib/payload}/src/floppysleep.c | 10 +- .../pl => c8_remote/lib/payload}/src/sync.c | 2 +- .../lib}/scripts/headerize.py | 0 .../lib}/scripts/librarize.py | 0 c8_remote/src/payload.c | 34 ++--- pongo/demote_mod | Bin 66024 -> 0 bytes pongo/test_module | Bin 66040 -> 0 bytes 28 files changed, 317 insertions(+), 332 deletions(-) delete mode 100644 c8_libpayload/pl/include/brfunc_aes.h delete mode 100644 c8_libpayload/pl/include/brfunc_common.h delete mode 100644 c8_libpayload/pl/include/brfunc_sep.h delete mode 100644 c8_libpayload/pl/include/brfunc_timing.h delete mode 100644 c8_libpayload/pl/include/util.h delete mode 100644 c8_libpayload/pl/src/aes.c delete mode 100644 c8_libpayload/pl/src/exit_usb_task.c delete mode 100644 c8_libpayload/pl/src/sysreg.c delete mode 100644 c8_libpayload/pl/src/task_sleep_test.c create mode 100644 c8_remote/include/bootrom_addr.h rename {c8_libpayload => 
c8_remote/lib}/CMakeLists.txt (77%) rename {c8_libpayload/pl => c8_remote/lib/payload}/CMakeLists.txt (86%) create mode 100644 c8_remote/lib/payload/bootrom_dev.c create mode 100644 c8_remote/lib/payload/include/bootrom_func.h create mode 100644 c8_remote/lib/payload/include/dev_util.h rename {c8_libpayload/pl => c8_remote/lib/payload}/src/aes_busy.c (54%) rename {c8_libpayload/pl => c8_remote/lib/payload}/src/aes_sw.c (86%) create mode 100644 c8_remote/lib/payload/src/exit_usb_task.c rename {c8_libpayload/pl => c8_remote/lib/payload}/src/floppysleep.S (100%) rename {c8_libpayload/pl => c8_remote/lib/payload}/src/floppysleep.c (75%) rename {c8_libpayload/pl => c8_remote/lib/payload}/src/sync.c (84%) rename {c8_libpayload => c8_remote/lib}/scripts/headerize.py (100%) rename {c8_libpayload => c8_remote/lib}/scripts/librarize.py (100%) delete mode 100755 pongo/demote_mod delete mode 100755 pongo/test_module diff --git a/CMakeLists.txt b/CMakeLists.txt index 5bebfe5..faf8138 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,8 +2,8 @@ cmake_minimum_required(VERSION 3.10) project(checkm8_tool) enable_language(C) +include_directories(c8_remote/include) include_directories(include) -#add_subdirectory(c8_arduino) +add_subdirectory(c8_remote/lib) add_subdirectory(c8_remote) -add_subdirectory(c8_libpayload) diff --git a/c8_libpayload/pl/include/brfunc_aes.h b/c8_libpayload/pl/include/brfunc_aes.h deleted file mode 100644 index f66f682..0000000 --- a/c8_libpayload/pl/include/brfunc_aes.h +++ /dev/null 
@@ -1,24 +0,0 @@ -#ifndef CHECKM8_TOOL_BRFUNC_AES_H -#define CHECKM8_TOOL_BRFUNC_AES_H - -#include "brfunc_common.h" - -int aes_hw_crypto_cmd(unsigned long long cmd, - unsigned char *src, unsigned char *dst, - int len, unsigned long long opts, - unsigned char *key, unsigned char *iv) -{ - return ((BOOTROM_FUNC) ADDR_AES_HW_CRYPTO_CMD)(cmd, src, dst, len, opts, key, iv); -} - -#define CREATE_KEY_COMMAND ((BOOTROM_FUNC) ADDR_CREATE_KEY_COMMAND) -#define PUSH_COMMAND_KEY ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_KEY) -#define PUSH_COMMAND_IV ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_IV) -#define PUSH_COMMAND_DATA ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_DATA) -#define PUSH_COMMAND_FLAG ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_FLAG) -#define WAIT_FOR_COMMAND_FLAG ((BOOTROM_FUNC) ADDR_WAIT_FOR_COMMAND) - -#define rAES_INT_STATUS (long *) ADDR_AES_CONTROL -#define rAES_CONTROL (long *) ADDR_AES_STATUS - -#endif //CHECKM8_TOOL_BRFUNC_AES_H diff --git a/c8_libpayload/pl/include/brfunc_common.h b/c8_libpayload/pl/include/brfunc_common.h deleted file mode 100644 index dc55ffc..0000000 --- a/c8_libpayload/pl/include/brfunc_common.h +++ /dev/null 
@@ -1,40 +0,0 @@ -#ifndef CHECKM8_TOOL_BRFUNC_COMMON_H -#define CHECKM8_TOOL_BRFUNC_COMMON_H - -#include "checkm8_config.h" - -typedef int (*BOOTROM_FUNC)(); -typedef unsigned char (*(*BOOTROM_FUNC_PTR)()); - -#if CHECKM8_PLATFORM == 8010 - -/* AES */ -#define ADDR_AES_HW_CRYPTO_CMD 0x100000f0c -#define ADDR_CREATE_KEY_COMMAND 0x100000e90 -#define ADDR_PUSH_COMMAND_KEY 0x100000c64 -#define ADDR_PUSH_COMMAND_IV 0x100000d18 -#define ADDR_PUSH_COMMAND_DATA 0x100000d98 -#define ADDR_PUSH_COMMAND_FLAG 0x100000e20 -#define ADDR_WAIT_FOR_COMMAND 0x100000ec4 - -#define ADDR_AES_CONTROL 0x20A108008 -#define ADDR_AES_STATUS 0x20A108018 - -/* SEP */ -#define ADDR_DPA_SEEDED 0x100001140 -#define ADDR_SEND_DPA_MESSAGE 0x100002338 - -/* Timing */ -#define ADDR_CLOCK_GATE 0x100009d4c -#define ADDR_SYSTEM_TIME 0x10000B0E0 -#define ADDR_TIME_HAS_ELAPSED 0x10000B04F -#define ADDR_TASK_SLEEP 0x10000ADF0 - -/* Boot */ -#define ADDR_NVME_INIT 0x1000080B4 - -#else -#error "Unsupported checkm8 platform" -#endif - -#endif //CHECKM8_TOOL_BRFUNC_COMMON_H diff --git a/c8_libpayload/pl/include/brfunc_sep.h b/c8_libpayload/pl/include/brfunc_sep.h deleted file mode 100644 index 1b80138..0000000 --- a/c8_libpayload/pl/include/brfunc_sep.h +++ /dev/null @@ -1,9 +0,0 @@ -#ifndef CHECKM8_TOOL_BRFUNC_SEP_H -#define CHECKM8_TOOL_BRFUNC_SEP_H - -#include "brfunc_common.h" - -#define DPA_SEEDED ((BOOTROM_FUNC) ADDR_DPA_SEEDED) -#define SEP_CREATE_SEND_DPA_MESSAGE ((BOOTROM_FUNC) ADDR_SEND_DPA_MESSAGE) - -#endif //CHECKM8_TOOL_BRFUNC_SEP_H diff --git a/c8_libpayload/pl/include/brfunc_timing.h b/c8_libpayload/pl/include/brfunc_timing.h deleted file mode 100644 index a75ace3..0000000 --- a/c8_libpayload/pl/include/brfunc_timing.h +++ /dev/null 
@@ -1,12 +0,0 @@ -#ifndef CHECKM8_TOOL_BRFUNC_TIMING_H -#define CHECKM8_TOOL_BRFUNC_TIMING_H - -#include "brfunc_common.h" - -#define CLOCK_GATE ((BOOTROM_FUNC) ADDR_CLOCK_GATE) -#define SYSTEM_TIME ((BOOTROM_FUNC) ADDR_SYSTEM_TIME) -#define TIME_HAS_ELAPSED ((BOOTROM_FUNC) ADDR_TIME_HAS_ELAPSED) - -#define GET_PLL ((BOOTROM_FUNC) ADDR_GET_PLL) - -#endif //CHECKM8_TOOL_BRFUNC_TIMING_H diff --git a/c8_libpayload/pl/include/util.h b/c8_libpayload/pl/include/util.h deleted file mode 100644 index 8c2c084..0000000 --- a/c8_libpayload/pl/include/util.h +++ /dev/null @@ -1,7 +0,0 @@ -#ifndef CHECKM8_TOOL_UTIL_H -#define CHECKM8_TOOL_UTIL_H - -#define PAYLOAD_SECTION __attribute__ ((section (".payload_text"))) -#define TEXT_SECTION __attribute__((section (".text"))) - -#endif //CHECKM8_TOOL_UTIL_H diff --git a/c8_libpayload/pl/src/aes.c b/c8_libpayload/pl/src/aes.c deleted file mode 100644 index 4ecb75b..0000000 --- a/c8_libpayload/pl/src/aes.c +++ /dev/null 
@@ -1,60 +0,0 @@ -#include "brfunc_aes.h" -#include "brfunc_timing.h" -#include "brfunc_sep.h" - -#include "util.h" - -PAYLOAD_SECTION -int aes_hw_crypto_command(unsigned int cmd, - void *src, - void *dst, - int len, - unsigned int opts, - void *key, - void *iv) -{ - int seeded; - long cgvar; - long start = 0, timeout = 0; - - __asm__("orr %0, xzr, #0x3c" : "=r" (cgvar)); - CLOCK_GATE(cgvar, 0); - -// seeded = DPA_SEEDED(); -// if(!(seeded & 1)) -// { -// SEP_CREATE_SEND_DPA_MESSAGE(); -// start = SYSTEM_TIME(); -// -// while(!(seeded & 1) && !(timeout & 1)) -// { -// seeded = DPA_SEEDED(); -// timeout = TIME_HAS_ELAPSED(start, 1000); -// } -// } -// -// if(timeout) return -1; - - unsigned int key_command = CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0); - *rAES_INT_STATUS = 0x20; - *rAES_CONTROL = 1; - - PUSH_COMMAND_KEY(key_command, key); - PUSH_COMMAND_IV(0, 0, 0, iv); - PUSH_COMMAND_DATA(0, 0, src, dst, len); - PUSH_COMMAND_FLAG(0, 1, 1); - WAIT_FOR_COMMAND_FLAG(); - - *rAES_CONTROL = 2; - CLOCK_GATE(cgvar, 0); - return 0; -} - -TEXT_SECTION -int _start(void *src, - void *dst, - void *key) -{ - return ((BOOTROM_FUNC) ADDR_AES_HW_CRYPTO_CMD)(0, src, dst, 128, 0, key, 0); - // return aes_hw_crypto_command(0, src, dst, 128, 0, key, 0); -} \ No newline at end of file diff --git a/c8_libpayload/pl/src/exit_usb_task.c b/c8_libpayload/pl/src/exit_usb_task.c deleted file mode 100644 index b97d57c..0000000 --- a/c8_libpayload/pl/src/exit_usb_task.c +++ /dev/null 
@@ -1,62 +0,0 @@ -#include "brfunc_common.h" -#include "util.h" - -PAYLOAD_SECTION -void fix_heap() -{ - BOOTROM_FUNC calculate_checksum = ((BOOTROM_FUNC) 0x10000ee20); - BOOTROM_FUNC heap_verify = ((BOOTROM_FUNC) 0x10000f8b4); - - *((unsigned long long *) 0x1801b91a0) = 0x80 / 0x40; - *((unsigned long long *) 0x1801b91a8) = ((0x840u / 0x40) << 2u); - *((unsigned long long *) 0x1801b91b0) = 0x80; - *((unsigned long long *) 0x1801b91b8) = 0; - - *((unsigned long long *) 0x1801b9220) = 0x80 / 0x40; - *((unsigned long long *) 0x1801b9228) = ((0x80u / 0x40) << 2u); - *((unsigned long long *) 0x1801b9230) = 0x80; - *((unsigned long long *) 0x1801b9238) = 0; - - *((unsigned long long *) 0x1801b92a0) = 0x80 / 0x40; - *((unsigned long long *) 0x1801b92a8) = ((0x80u / 0x40) << 2u); - *((unsigned long long *) 0x1801b92b0) = 0x80; - *((unsigned long long *) 0x1801b92b8) = 0; - - __asm__ volatile ("dmb sy"); - calculate_checksum((unsigned long long *) 0x1801b9180, - (unsigned long long *) 0x1801b91a0, - 32, - (unsigned long long *) 0x180080640); - - calculate_checksum((unsigned long long *) 0x1801b9200, - (unsigned long long *) 0x1801b9220, - 32, - (unsigned long long *) 0x180080640); - - calculate_checksum((unsigned long long *) 0x1801b9280, - (unsigned long long *) 0x1801b92a0, - 32, - (unsigned long long *) 0x180080640); - - __asm__ volatile ("dmb sy"); - heap_verify(); -} - -TEXT_SECTION -void _start(unsigned long long ptr_self) -{ - unsigned int *completion = (unsigned int *) 0x180088ac8; - unsigned char *dfu_done = (unsigned char *) 0x180088ac0; - - unsigned long long *dfu_event = (unsigned long long *) 0x180088af0; - BOOTROM_FUNC event_signal = ((BOOTROM_FUNC) 0x10000aee8); - BOOTROM_FUNC free = ((BOOTROM_FUNC) 0x10000f1b0); - - fix_heap(); - - *completion = -1; - *dfu_done = 1; - - event_signal(dfu_event); - free(ptr_self); -} \ No newline at end of file 
diff --git a/c8_libpayload/pl/src/sysreg.c b/c8_libpayload/pl/src/sysreg.c deleted file mode 100644 index d2e0165..0000000 --- a/c8_libpayload/pl/src/sysreg.c +++ /dev/null @@ -1,17 +0,0 @@ -#include "util.h" - -struct sysregs -{ - long pt_base; - long evt_base; -}; - -TEXT_SECTION -long long _start() -{ - struct sysregs res; - __asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base)); - __asm__("mrs %0, vbar_el1" : "=r" (res.evt_base)); - - return res.pt_base; -} \ No newline at end of file diff --git a/c8_libpayload/pl/src/task_sleep_test.c b/c8_libpayload/pl/src/task_sleep_test.c deleted file mode 100644 index 9f806fc..0000000 --- a/c8_libpayload/pl/src/task_sleep_test.c +++ /dev/null @@ -1,21 +0,0 @@ -#include "util.h" -#include "brfunc_common.h" - -TEXT_SECTION -void _start(unsigned long long next, - unsigned long long arg0, unsigned long long arg1, - unsigned long long arg2, unsigned long long arg3) -{ - int i; - BOOTROM_FUNC clock_gate = ((BOOTROM_FUNC) 0x100009d4cull); - for(i = 0x54 + 6; i > 6; i--) - { - if(i == 0x4b || i == 0x4a || i == 0x49 || i == 0x3e || - i == 0x1b || i == 0x17 || i == 0x11 || i == 0x10) - continue; - - clock_gate(i, 0); - } - - ((BOOTROM_FUNC) next)(arg0, arg1, arg2, arg3); -} \ No newline at end of file diff --git a/c8_remote/include/bootrom_addr.h b/c8_remote/include/bootrom_addr.h new file mode 100644 index 0000000..678e6ce --- /dev/null +++ b/c8_remote/include/bootrom_addr.h 
@@ -0,0 +1,48 @@ +#ifndef CHECKM8_TOOL_BOOTROM_ADDR_H +#define CHECKM8_TOOL_BOOTROM_ADDR_H + +#include "checkm8_config.h" + +#if CHECKM8_PLATFORM == 8010 + +/* Crypto */ +#define ADDR_HARDWARE_AES 0x100000f0c + +/* Timing */ +#define ADDR_CLOCK_GATE 0x100009d4c +#define ADDR_GET_TIME 0x10000b0e0 +#define ADDR_TIMER_REGISTER_INT 0x10000b874 +#define ADDR_WFI 0x1000004fc + +/* Tasking */ +#define ADDR_TASK_NEW 0x10000a9ac +#define ADDR_TASK_RUN 0x10000ac18 +#define ADDR_TASK_PAUSE 0x10000adf0 +#define ADDR_TASK_RESCHED 0x10000aaa8 +#define ADDR_TASK_FREE 0x10000aa20 + +#define ADDR_EVENT_NEW 0x10000aed4 +#define ADDR_EVENT_NOTIFY 0x10000aee8 +#define ADDR_EVENT_WAIT 0x10000af3c + +/* Heap */ +#define ADDR_CALC_CHKSUM 0x10000ee20 +#define ADDR_CHECK_BLOCK_CKSUM 0x10000f138 +#define ADDR_CHECK_ALL_CHKSUMS 0x10000f8b4 + +#define ADDR_DEV_MALLOC 0x10000efe0 +#define ADDR_DEV_MEMALIGN 0x10000f380 +#define ADDR_DEV_FREE 0x10000f1b0 + +/* Misc */ +#define ADDR_RANDOM_RET 0x10000b924 + +#define ADDR_DFU_RETVAL (int *) 0x180088ac8 +#define ADDR_DFU_STATUS (unsigned char *) 0x180088ac0 +#define ADDR_DFU_EVENT (unsigned long long *) 0x180088af0 + +#else +#error "Unsupported checkm8 platform" +#endif + +#endif //CHECKM8_TOOL_BOOTROM_ADDR_H diff --git a/c8_remote/include/payload.h b/c8_remote/include/payload.h index c21840d..c07d74c 100644 --- a/c8_remote/include/payload.h +++ b/c8_remote/include/payload.h @@ -5,14 +5,11 @@ typedef enum { - PAYLOAD_AES, PAYLOAD_AES_BUSY, PAYLOAD_AES_SW, PAYLOAD_EXIT_USB_TASK, PAYLOAD_FLOPPYSLEEP, PAYLOAD_SYNC, - PAYLOAD_SYSREG, - PAYLOAD_TASK_SLEEP_TEST } PAYLOAD_T; typedef enum diff --git a/c8_libpayload/CMakeLists.txt b/c8_remote/lib/CMakeLists.txt similarity index 77% rename from c8_libpayload/CMakeLists.txt rename to c8_remote/lib/CMakeLists.txt index 66eb416..b65cf0a 100644 --- a/c8_libpayload/CMakeLists.txt +++ b/c8_remote/lib/CMakeLists.txt 
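Review bot: The three `ADDR_DFU_*` macros at the bottom of the `#if CHECKM8_PLATFORM == 8010` block expand to an unparenthesised cast (`(int *) 0x180088ac8`), so only the `*(ADDR_DFU_RETVAL)` spelling used in exit_usb_task.c works and any other use (`ADDR_DFU_RETVAL[1]`, `sizeof ADDR_DFU_RETVAL`) does not parse as the name suggests; wrap each expansion, e.g. `#define ADDR_DFU_RETVAL ((int *) 0x180088ac8)`. Every value in this header is a blind jump or store into the ROM and a single wrong one is an arbitrary-address call, so the file should state which ROM build the addresses were recovered from (presumably a t8010 SecureROM dump) and that a new platform needs every entry re-verified, not just a new `#if` branch. `ADDR_RANDOM_RET` is only referenced as the callback handed to the timer in bootrom_dev.c's `timer_register_int`; a comment such as `/* presumably a bare ret in ROM, used as a no-op timer callback — confirm against the dump */` would stop it being "cleaned up" as unused.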
@@ -1,35 +1,32 @@ project(checkm8_libpayload) set(PL_NAMES - aes aes_busy aes_sw exit_usb_task floppysleep - sync - sysreg - task_sleep_test) + sync) foreach(NAME ${PL_NAMES}) list(APPEND PL_TARGETS "payload_${NAME}") - list(APPEND PL_SRC_BIN "${CMAKE_CURRENT_LIST_DIR}/pl/src/${NAME}.c") + list(APPEND PL_SRC_BIN "${CMAKE_CURRENT_LIST_DIR}/payload/src/${NAME}.c") endforeach(NAME) foreach(TARGET ${PL_TARGETS}) - list(APPEND PL_SRC_LIB "${CMAKE_CURRENT_BINARY_DIR}/lib/${TARGET}.c") - list(APPEND PL_BIN "${CMAKE_CURRENT_BINARY_DIR}/pl/bin/${TARGET}.bin") + list(APPEND PL_SRC_LIB "${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles/${TARGET}.c") + list(APPEND PL_BIN "${CMAKE_CURRENT_BINARY_DIR}/payload/bin/${TARGET}.bin") endforeach(TARGET) -add_subdirectory(pl) +add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/payload) -file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib) +file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles) add_custom_target(payload_sources BYPRODUCTS ${PL_SRC_LIB} DEPENDS ${PL_TARGETS} COMMENT "Refreshing payload library" COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/librarize.py - ${CMAKE_CURRENT_BINARY_DIR}/pl/bin - ${CMAKE_CURRENT_BINARY_DIR}/lib) + ${CMAKE_CURRENT_BINARY_DIR}/payload/bin + ${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles) add_library(payload ${PL_SRC_LIB}) add_dependencies(payload payload_sources) diff --git a/c8_libpayload/pl/CMakeLists.txt b/c8_remote/lib/payload/CMakeLists.txt similarity index 86% rename from c8_libpayload/pl/CMakeLists.txt rename to c8_remote/lib/payload/CMakeLists.txt index b469316..86b3b53 100644 --- a/c8_libpayload/pl/CMakeLists.txt +++ b/c8_remote/lib/payload/CMakeLists.txt @@ -1,6 +1,6 @@ project(checkm8_libpayload_sources C ASM) -include_directories(include) -include_directories(include/openssl) +include_directories(${CMAKE_CURRENT_LIST_DIR}/include) + set(CMAKE_SYSTEM_PROCESSOR arm) if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") 
@@ -15,9 +15,11 @@ elseif(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "armv7l") set(CMAKE_OBJCOPY /opt/cross/bin/aarch64-linux-objcopy) endif() -set(CMAKE_C_FLAGS "-nostdlib -O") - +set(CMAKE_C_FLAGS "-nostdlib -O -Wl,--gc-sections") file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin) + +add_library(bootrom_dev bootrom_dev.c) + foreach(NAME ${PL_NAMES}) if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S) add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c @@ -25,10 +27,12 @@ foreach(NAME ${PL_NAMES}) else() add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c) endif() + + target_link_libraries(payload_${NAME} bootrom_dev) add_custom_command(TARGET payload_${NAME} POST_BUILD BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin COMMAND ${CMAKE_OBJCOPY} - ARGS -O binary -j .text -j .payload_text -j .payload_data + ARGS -O binary -j .text -j .payload_text -j .bootrom_lib.* ${CMAKE_CURRENT_BINARY_DIR}/payload_${NAME} ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin) endforeach(NAME) \ No newline at end of file diff --git a/c8_remote/lib/payload/bootrom_dev.c b/c8_remote/lib/payload/bootrom_dev.c new file mode 100644 index 0000000..c407b60 --- /dev/null +++ b/c8_remote/lib/payload/bootrom_dev.c 
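Review bot: The objcopy `ARGS` line now copies `.text`, `.payload_text` and `.bootrom_lib.*` and drops `.payload_data`, but as before no `.rodata*`/`.data*`/`.bss*` section is ever copied, so a payload or wrapper that uses a string literal (for example the `name` argument of `task_new`), a static table or a global ends up with a PC-relative reference to memory that is not in the .bin; aes_sw.c passes `sbox` and `rc_lookup` in as parameters apparently to sidestep this, but nothing enforces it. Either add `-j .rodata* -j .data*` to the `ARGS` line (after checking they land in the same output region, or `-O binary` pads the gap) or fail the build when the linked ELF has data sections. `-Wl,--gc-sections` is set in `CMAKE_C_FLAGS`, which is also passed to every compile-only step where it is meaningless; `set(CMAKE_EXE_LINKER_FLAGS "-Wl,--gc-sections")` is the right home. Whether a linker script keeps `_start`'s `.text` at offset 0 ahead of the `.bootrom_lib.*` orphan sections is not visible in this diff, and the whole install/execute path appears to rely on it.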
@@ -0,0 +1,123 @@ +#include "bootrom_addr.h" +#include "dev_util.h" + +/* Crypto */ +BRLIB_SECTION("crypto") +int hardware_aes(unsigned long long cmd, + unsigned char *src, unsigned char *dst, + int len, unsigned long long opts, + unsigned char *key, unsigned char *iv) +{ + return ((BOOTROM_FUNC_I) ADDR_HARDWARE_AES)(cmd, src, dst, len, opts, key, iv); +} + +/* Timing */ +BRLIB_SECTION("timing.power") +int clock_gate(int device, int power) +{ + return ((BOOTROM_FUNC_I) ADDR_CLOCK_GATE)(device, power); +} + +BRLIB_SECTION("timing.time") +unsigned long long get_time() +{ + return ((BOOTROM_FUNC_ULL) ADDR_GET_TIME)(); +} + +BRLIB_SECTION("timing.sleep") +void timer_register_int(unsigned long long dl) +{ + ((BOOTROM_FUNC_V) ADDR_TIMER_REGISTER_INT)(dl, ADDR_RANDOM_RET); +} + +BRLIB_SECTION("timing.sleep") +void wfi() +{ + ((BOOTROM_FUNC_V) ADDR_WFI)(); +} + +/* Tasking */ +BRLIB_SECTION("tasking.task") +void *task_new(char *name, BOOTROM_FUNC_I func, void *args, int ssize) +{ + return ((BOOTROM_FUNC_PTR) ADDR_TASK_NEW)(name, func, args, ssize); +} + +void task_run(void *task) +{ + ((BOOTROM_FUNC_V) ADDR_TASK_RUN)(task); +} + +BRLIB_SECTION("tasking.task") +void task_pause(int usec) +{ + ((BOOTROM_FUNC_V) ADDR_TASK_PAUSE)(usec); +} + +BRLIB_SECTION("tasking.task") +void task_resched() +{ + ((BOOTROM_FUNC_V) ADDR_TASK_RESCHED)(); +} + +BRLIB_SECTION("tasking.task") +void task_free(void *task) +{ + ((BOOTROM_FUNC_V) ADDR_TASK_FREE)(task); +} + +BRLIB_SECTION("tasking.event") +void event_new(void *dst, int flags, int state) +{ + ((BOOTROM_FUNC_V) ADDR_EVENT_NEW)(dst, flags, state); +} + +BRLIB_SECTION("tasking.event") +void event_notify(void *ev) +{ + ((BOOTROM_FUNC_V) ADDR_EVENT_NOTIFY)(ev); +} + +BRLIB_SECTION("tasking.event") +void event_wait(void *ev) +{ + ((BOOTROM_FUNC_V) ADDR_EVENT_WAIT)(ev); +} + +/* Heap */ +BRLIB_SECTION("heap.mgmt") +void calc_chksum(unsigned long long *dst, unsigned long long *src, + int len, unsigned long long *cookie) +{ + ((BOOTROM_FUNC_V) 
ADDR_CALC_CHKSUM)(dst, src, len, cookie); +} + +BRLIB_SECTION("heap.mgmt") +void check_block_chksum(void *ptr) +{ + ((BOOTROM_FUNC_V) ADDR_CHECK_BLOCK_CKSUM)(ptr); +} + +BRLIB_SECTION("heap.mgmt") +void check_all_chksums() +{ + ((BOOTROM_FUNC_V) ADDR_CHECK_ALL_CHKSUMS)(); +} + +BRLIB_SECTION("heap.alloc") +void *dev_malloc(int size) +{ + return ((BOOTROM_FUNC_PTR) ADDR_DEV_MALLOC)(size); +} + +BRLIB_SECTION("heap.alloc") +void *dev_memalign(int size, int constr) +{ + return ((BOOTROM_FUNC_PTR) ADDR_DEV_MEMALIGN)(size, constr); +} + +BRLIB_SECTION("heap.alloc") +void dev_free(void *ptr) +{ + ((BOOTROM_FUNC_PTR) ADDR_DEV_FREE)(ptr); +} \ No newline at end of file diff --git a/c8_remote/lib/payload/include/bootrom_func.h b/c8_remote/lib/payload/include/bootrom_func.h new file mode 100644 index 0000000..9587c5e --- /dev/null +++ b/c8_remote/lib/payload/include/bootrom_func.h @@ -0,0 +1,38 @@ +#ifndef CHECKM8_TOOL_BOOTROM_FUNC_H +#define CHECKM8_TOOL_BOOTROM_FUNC_H + +#include "dev_util.h" + +/* Crypto */ +int hardware_aes(unsigned long long cmd, + unsigned char *src, unsigned char *dst, + int len, unsigned long long opts, + unsigned char *key, unsigned char *iv); + +/* Timing */ +int clock_gate(int device, int power); +unsigned long long get_time(); +void timer_register_int(unsigned long long dl); +void wfi(); + +/* Tasking */ +void *task_new(char *name, BOOTROM_FUNC_I func, void *args, int ssize); +void task_run(void *task); +void task_pause(int usec); +void task_resched(); +void task_free(void *task); + +void event_new(void *dst, int flags, int state); +void event_notify(void *ev); +void event_wait(void *ev); + +/* Heap */ +void calc_chksum(unsigned long long *dst, unsigned long long *src, int len, unsigned long long *cookie); +void check_block_chksum(void *ptr); +void check_all_chksums(); + +void *dev_malloc(int size); +void *dev_memalign(int size, int constr); +void dev_free(void *ptr); + +#endif //CHECKM8_TOOL_BOOTROM_FUNC_H 
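Review bot: `task_run` is the only wrapper in bootrom_dev.c without a `BRLIB_SECTION` attribute, so it is emitted into plain `.text` instead of `.bootrom_lib.tasking.task`; that defeats the per-section `--gc-sections` grouping the rest of the file is built around and puts library code into the section that each payload's `_start` presumably relies on being first in the .bin. Add `BRLIB_SECTION("tasking.task")` above `void task_run(void *task)`. `dev_free` is also called through `BOOTROM_FUNC_PTR` although the wrapper is `void`, unlike every other void wrapper which uses `BOOTROM_FUNC_V`; `((BOOTROM_FUNC_V) ADDR_DEV_FREE)(ptr);` matches the rest. A short file header saying that every function here is an unchecked jump into the t8010 ROM at a fixed address and that none of them validate their arguments would help the next reader.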
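Review bot: The prototypes `unsigned long long get_time();`, `void wfi();`, `void task_resched();` and `void check_all_chksums();` declare functions with unspecified parameters rather than none, which disables argument checking at call sites under C11 and changes meaning under C23; write them as `unsigned long long get_time(void);` and so on. Separately, `dev_malloc(int size)`, `dev_memalign(int size, int constr)` and `task_pause(int usec)` narrow arguments that the ROM routines may well take as 64-bit values; because the call goes through an unprototyped pointer, an `int` argument leaves bits 32–63 of the argument register unspecified under AAPCS64 unless the compiler happens to write the `w` register, so if any of these ROM routines reads the full register the size is garbage. Use `unsigned long long` parameters where the ROM signature is 64-bit and add a comment that argument widths must match the ROM's signature.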
diff --git a/c8_remote/lib/payload/include/dev_util.h b/c8_remote/lib/payload/include/dev_util.h new file mode 100644 index 0000000..ba582da --- /dev/null +++ b/c8_remote/lib/payload/include/dev_util.h @@ -0,0 +1,13 @@ +#ifndef CHECKM8_TOOL_DEV_UTIL_H +#define CHECKM8_TOOL_DEV_UTIL_H + +typedef void (*BOOTROM_FUNC_V)(); +typedef int (*BOOTROM_FUNC_I)(); +typedef unsigned long long (*BOOTROM_FUNC_ULL)(); +typedef void (*(*BOOTROM_FUNC_PTR)()); + +#define PAYLOAD_SECTION __attribute__ ((section (".payload_text"))) +#define TEXT_SECTION __attribute__ ((section (".text"))) +#define BRLIB_SECTION(s) __attribute__ ((section (".bootrom_lib."s))) + +#endif //CHECKM8_TOOL_DEV_UTIL_H diff --git a/c8_libpayload/pl/src/aes_busy.c b/c8_remote/lib/payload/src/aes_busy.c similarity index 54% rename from c8_libpayload/pl/src/aes_busy.c rename to c8_remote/lib/payload/src/aes_busy.c index 4a860fd..2d60ded 100644 --- a/c8_libpayload/pl/src/aes_busy.c +++ b/c8_remote/lib/payload/src/aes_busy.c @@ -1,7 +1,4 @@ -#include "util.h" -#include "brfunc_aes.h" -#include "brfunc_timing.h" - +#include "bootrom_func.h" TEXT_SECTION int _start(void *src, void *dst, void *key, int rep) @@ -16,9 +13,9 @@ int _start(void *src, void *dst, void *key, int rep) // task_sleep(100); for(i = 0; i < rep; i++) { - if(i % 2 == 0) aes_hw_crypto_cmd(16, src_data, dst, 16, 0, key, 0); - else aes_hw_crypto_cmd(16, dst, src_data, 16, 0, key, 0); - // task_sleep(15); + if(i % 2 == 0) hardware_aes(16, src_data, dst, 16, 0, key, 0); + else hardware_aes(16, dst, src_data, 16, 0, key, 0); + // task_sleep(15); } return 0; diff --git a/c8_libpayload/pl/src/aes_sw.c b/c8_remote/lib/payload/src/aes_sw.c similarity index 86% rename from c8_libpayload/pl/src/aes_sw.c rename to c8_remote/lib/payload/src/aes_sw.c index d6dd1fb..ed0ace9 100644 --- a/c8_libpayload/pl/src/aes_sw.c +++ b/c8_remote/lib/payload/src/aes_sw.c 
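Review bot: The four `BOOTROM_FUNC_*` typedefs use an empty parameter list `()`, so every ROM call in bootrom_dev.c is an unprototyped call: the compiler applies default argument promotions only, checks neither count nor width, and under C23 (where `()` means `(void)`) every call with arguments becomes a compile error. A comment on the typedefs should say this is deliberate and that callers must pass register-width values (pointers or 64-bit integers), or the typedefs should be replaced by per-function pointer types where the ROM signature is known. `typedef void (*(*BOOTROM_FUNC_PTR)());` is the same type as `typedef void *(*BOOTROM_FUNC_PTR)();`, which reads as what it is: a pointer to a function returning `void *`.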
@@ -1,11 +1,4 @@ -#include "util.h" -#include "brfunc_timing.h" - -PAYLOAD_SECTION -void task_sleep(unsigned int usec) -{ - ((BOOTROM_FUNC) ADDR_TASK_SLEEP)(usec); -} +#include "bootrom_func.h" PAYLOAD_SECTION void sub_bytes(unsigned char block[16], unsigned char sbox[16][16]) @@ -116,18 +109,6 @@ void expand_key(unsigned char key[16], unsigned char key_sched[176], int n, } } -PAYLOAD_SECTION -void busy_sleep(int usec) -{ - unsigned long long halt = 0x1000004fc; - unsigned long long timer_deadline_enter = 0x10000b874; - unsigned long long now; - - __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now)); - ((BOOTROM_FUNC) timer_deadline_enter)(now + 24 * usec, ((BOOTROM_FUNC) 0x10000b924)); - ((BOOTROM_FUNC) halt)(); -} - PAYLOAD_SECTION void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16], unsigned char sbox[16][16], unsigned char rc_lookup[11], @@ -135,7 +116,6 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char { unsigned char key_sched[176]; expand_key(key, key_sched, 11, sbox, rc_lookup); - busy_sleep(10); unsigned int num_blocks = msg_len / 16; unsigned char *block; @@ -175,8 +155,8 @@ unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned cha if(2 * end - start - 64 > 0) { - ((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924)); - ((BOOTROM_FUNC) halt)(); + timer_register_int(2 * end - start - 64); + wfi(); } return end - start; diff --git a/c8_remote/lib/payload/src/exit_usb_task.c b/c8_remote/lib/payload/src/exit_usb_task.c new file mode 100644 index 0000000..ddb6281 --- /dev/null +++ b/c8_remote/lib/payload/src/exit_usb_task.c 
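Review bot: Nothing records why the deliberate pause after `expand_key` in `aes128_encrypt_ecb` went away, and removing it changes the timing of every software-AES run this payload measures; a one-line comment where the call used to be, such as `/* no deliberate pause after key expansion: the measured time is the cipher alone */`, would keep results comparable across revisions. The guard `if(2 * end - start - 64 > 0)` that survives in `_start` is presumably on unsigned operands (the same variables are `unsigned long long` in floppysleep.c); if so it is true for every value except exactly zero, and a deadline already in the past is handed to `timer_register_int` before `wfi`. The condition it appears to intend is `if (end - start > 64)`. Both `aes128_encrypt_ecb` and `_start` begin outside this hunk.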
@@ -0,0 +1,52 @@ +#include "bootrom_addr.h" +#include "bootrom_func.h" + +PAYLOAD_SECTION +void fix_heap() +{ + *((unsigned long long *) 0x1801b91a0) = 0x80 / 0x40; + *((unsigned long long *) 0x1801b91a8) = ((0x840u / 0x40) << 2u); + *((unsigned long long *) 0x1801b91b0) = 0x80; + *((unsigned long long *) 0x1801b91b8) = 0; + + *((unsigned long long *) 0x1801b9220) = 0x80 / 0x40; + *((unsigned long long *) 0x1801b9228) = ((0x80u / 0x40) << 2u); + *((unsigned long long *) 0x1801b9230) = 0x80; + *((unsigned long long *) 0x1801b9238) = 0; + + *((unsigned long long *) 0x1801b92a0) = 0x80 / 0x40; + *((unsigned long long *) 0x1801b92a8) = ((0x80u / 0x40) << 2u); + *((unsigned long long *) 0x1801b92b0) = 0x80; + *((unsigned long long *) 0x1801b92b8) = 0; + + __asm__ volatile ("dmb sy"); + calc_chksum((unsigned long long *) 0x1801b9180, + (unsigned long long *) 0x1801b91a0, + 32, + (unsigned long long *) 0x180080640); + + calc_chksum((unsigned long long *) 0x1801b9200, + (unsigned long long *) 0x1801b9220, + 32, + (unsigned long long *) 0x180080640); + + calc_chksum((unsigned long long *) 0x1801b9280, + (unsigned long long *) 0x1801b92a0, + 32, + (unsigned long long *) 0x180080640); + + __asm__ volatile ("dmb sy"); + check_all_chksums(); +} + +TEXT_SECTION +void _start(unsigned long long *ptr_self) +{ + fix_heap(); + + *(ADDR_DFU_RETVAL) = -1; + *(ADDR_DFU_STATUS) = 1; + + event_notify(ADDR_DFU_EVENT); + dev_free(ptr_self); +} \ No newline at end of file diff --git a/c8_libpayload/pl/src/floppysleep.S b/c8_remote/lib/payload/src/floppysleep.S similarity index 100% rename from c8_libpayload/pl/src/floppysleep.S rename to c8_remote/lib/payload/src/floppysleep.S diff --git a/c8_libpayload/pl/src/floppysleep.c b/c8_remote/lib/payload/src/floppysleep.c similarity index 75% rename from c8_libpayload/pl/src/floppysleep.c rename to c8_remote/lib/payload/src/floppysleep.c index 9793fae..3575e2b 100644 --- a/c8_libpayload/pl/src/floppysleep.c 
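Review bot: `fix_heap` still hard-codes the three heap-block descriptors (`0x1801b91a0`…`0x1801b92b8`), their headers (`0x1801b9180`, `0x1801b9200`, `0x1801b9280`) and the cookie `0x180080640`, even though this commit introduces bootrom_addr.h so that platform addresses live under `#if CHECKM8_PLATFORM == 8010`; when a second platform is added there, these literals will silently keep rewriting t8010 heap metadata. Move them into bootrom_addr.h (e.g. `#define ADDR_HEAP_COOKIE ((unsigned long long *) 0x180080640)`) and use the names here. The values `0x80 / 0x40` and `(0x840u / 0x40) << 2u` are size and flag encodings of the ROM allocator whose field layout is not visible here; a comment naming each descriptor field (hedged as "believed to be") is needed for anyone to re-derive them. In `_start`, `dev_free(ptr_self)` releases the block the payload is executing from and the function then returns from that memory, which is only safe if the ROM's free neither poisons nor reuses the block before the `ret`; that assumption should be stated in a comment.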
+++ b/c8_remote/lib/payload/src/floppysleep.c @@ -1,5 +1,4 @@ -#include "brfunc_common.h" -#include "util.h" +#include "bootrom_func.h" extern unsigned long long fs_routine(void); @@ -24,10 +23,7 @@ unsigned long long _start(float *init_a) { int i; volatile int j = 0; - unsigned long long start, end, report; - unsigned long long timer_deadline_enter = 0x10000b874; - unsigned long long halt = 0x1000004fc; __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start)); fs_load(init_a, 1); @@ -36,8 +32,8 @@ unsigned long long _start(float *init_a) if(2 * end - start - 64 > 0) { - ((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924)); - ((BOOTROM_FUNC) halt)(); + timer_register_int(2 * end - start - 64); + wfi(); } __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report)); diff --git a/c8_libpayload/pl/src/sync.c b/c8_remote/lib/payload/src/sync.c similarity index 84% rename from c8_libpayload/pl/src/sync.c rename to c8_remote/lib/payload/src/sync.c index 25140bf..5063a98 100644 --- a/c8_libpayload/pl/src/sync.c +++ b/c8_remote/lib/payload/src/sync.c @@ -1,4 +1,4 @@ -#include "util.h" +#include "dev_util.h" TEXT_SECTION void _start() diff --git a/c8_libpayload/scripts/headerize.py b/c8_remote/lib/scripts/headerize.py similarity index 100% rename from c8_libpayload/scripts/headerize.py rename to c8_remote/lib/scripts/headerize.py diff --git a/c8_libpayload/scripts/librarize.py b/c8_remote/lib/scripts/librarize.py similarity index 100% rename from c8_libpayload/scripts/librarize.py rename to c8_remote/lib/scripts/librarize.py diff --git a/c8_remote/src/payload.c b/c8_remote/src/payload.c index 4fd8f6d..ee7c526 100644 --- a/c8_remote/src/payload.c +++ b/c8_remote/src/payload.c @@ -7,6 +7,7 @@ #include "command.h" #include "usb_helpers.h" +#include "bootrom_addr.h" #include "libpayload.h" struct payload 
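Review bot: The guard `if(2 * end - start - 64 > 0)` around the new `timer_register_int`/`wfi` pair cannot fail: `start` and `end` are `unsigned long long` (declared a few lines above), so the expression is unsigned and `> 0` is false only when it is exactly zero, meaning that whenever `end - start <= 64` a deadline at or before the already-read `end` is handed to the ROM timer and the payload may sit in `wfi` on a deadline that is never raised. The condition the code appears to intend is `if (end - start > 64)`, which is exactly when `2 * end - start - 64` lies after `end`. The same pattern exists in aes_sw.c. `_start` begins and ends outside this hunk.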
@@ -28,11 +29,6 @@ struct payload *get_payload(PAYLOAD_T p) switch(p) { - case PAYLOAD_AES: - pl = payload_aes; - len = PAYLOAD_AES_SZ; - break; - case PAYLOAD_AES_BUSY: pl = payload_aes_busy; len = PAYLOAD_AES_BUSY_SZ; @@ -58,16 +54,6 @@ struct payload *get_payload(PAYLOAD_T p) len = PAYLOAD_SYNC_SZ; break; - case PAYLOAD_SYSREG: - pl = payload_sysreg; - len = PAYLOAD_SYSREG_SZ; - break; - - case PAYLOAD_TASK_SLEEP_TEST: - pl = payload_task_sleep_test; - len = PAYLOAD_TASK_SLEEP_TEST_SZ; - break; - default: return NULL; } @@ -94,8 +80,8 @@ void free_payload(struct payload *p) DEV_PTR_T get_address(struct pwned_device *dev, LOCATION_T l, int len) { checkm8_debug_indent("get_address(dev = %p, loc = %i, len = %i)\n", dev, l, len); - DEV_PTR_T addr_malloc = 0x10000efe0, retval; - unsigned long long malloc_args[2] = {addr_malloc, (unsigned long long) len}; + DEV_PTR_T retval; + unsigned long long malloc_args[2] = {ADDR_DEV_MALLOC, (unsigned long long) len}; struct dev_cmd_resp *resp = dev_exec(dev, 0, 2, malloc_args); if(IS_CHECKM8_FAIL(resp->ret)) @@ -192,7 +178,6 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc) int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p) { checkm8_debug_indent("uninstall payload(dev = %p, p = %i)\n", dev, p); - DEV_PTR_T addr_free = 0x10000f1b0; unsigned long long free_args[2]; struct dev_cmd_resp *resp; struct payload *pl = dev_retrieve_payload(dev, p); @@ -203,7 +188,7 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p) return CHECKM8_FAIL_INVARGS; } - free_args[0] = addr_free; + free_args[0] = ADDR_DEV_FREE; free_args[1] = pl->install_base; resp = dev_exec(dev, 0, 2, free_args); 
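Review bot: `get_address` forwards `(unsigned long long) len` to the ROM's malloc without checking the sign, so a negative `int len` from a caller becomes a request for roughly 2^64 bytes on the device; unless callers are known to validate it, add `if (len <= 0) return DEV_PTR_NULL;` before building `malloc_args`. The result of `dev_exec` is dereferenced on the next line (`resp->ret`) without a NULL check; whether `dev_exec` can return NULL is not visible here. `get_address` continues past this hunk.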
@@ -261,8 +246,7 @@ int uninstall_data(struct pwned_device *dev, DEV_PTR_T addr) { checkm8_debug_indent("uninstall_data(dev = %p, addr = %X)\n", dev, addr); struct dev_cmd_resp *resp; - DEV_PTR_T addr_free = 0x10000f1b0; - unsigned long long free_args[2] = {addr_free, addr}; + unsigned long long free_args[2] = {ADDR_DEV_FREE, addr}; resp = dev_exec(dev, 0, 2, free_args); if(IS_CHECKM8_FAIL(resp->ret)) @@ -319,6 +303,14 @@ unsigned long long execute_payload_async(struct pwned_device *dev, PAYLOAD_T p, checkm8_debug_indent("\tpayload is not installed\n"); return DEV_PTR_NULL; } + + if(bufsize < nargs * sizeof(unsigned long long)) + { + checkm8_debug_indent("\texpanding buffer to fit (at least) provided arguments\n"); + bufsize = nargs * sizeof(unsigned long long); + } + + } struct dev_cmd_resp *read_gadget(struct pwned_device *dev, DEV_PTR_T addr, int len) diff --git a/pongo/demote_mod b/pongo/demote_mod deleted file mode 100755 index 54deeb954656228770cff0f2d2254ba8841991c7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 66024 zcmeI(J!~9B6u|K}YkPAs7P**1as(n53J9PSAS6e)ofPYA9Rb^875WRLJ(z?<8q^&pA3gIh++; zXl3Idi(R>Xh2na?x3$$uT*=mIu=dgW74jvm^!hyQj{1E@^?J0B*Sq&C==HAU&*{eQ zJb81!js0!!cjnGzN6w$Skp9{>vQnDPzuj}`e*4em?vk6i zu{+mk?be<>bMAw&(KEaMf$WZfP9`nQx3aPe*)W-Pd%AnBYW1MTsxfj+qx;WIXy4y_ zO@kk?Uzdpt!HVu5zc5OYRrc^^KoTP_wSckx8=V!mN;z2wjNcNYT*+O$P@wy zAbn^w`b2=f7RsSutxnBhq<6Zv4{h`~1!Y*|?MJaktnxp?l1F!S;_v-YYF% z{VeumJDL0DaObsb?x-pKSurx1)Mc=*(H7N zx?R+Big$D~8TY5-XW(n)5fDHC0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY** z5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**o-%-H4(n*vH?={HEv;NL1s$#G=*wjEtB!6P zUu%EpXv=s#o|psXo*6I){Nm`#&Ekw3vcQ24b$U$?%v{?UR`4b zd{gW-X2p1Vw6u8|4)uu)wbJ}ZmKU=8Etl(}cLN=0dq=y=CD5+zly;Zj3S1^Kq5V*= zezde}`%t^y>_L*~N7R*H>B?n8(L|mvXgr{?sIj0?Yc9GuS5L-evEk*pW<0krV;39Y zbQHyQHj3t5c`<6lVbwO5>(f!KDRwrj)grO=u7&lex>O5oxDYp%bvDfwD)mt8#i(Ad VEL3eHoY8xP4e7dcaVc(!`~&`IKB52s 
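Review bot: The new `bufsize` adjustment at the end of `execute_payload_async` is followed directly by the function's closing `}`: the function returns `unsigned long long` and, as far as this hunk shows, falls off the end after computing the new `bufsize`, which is undefined behaviour when the caller uses the result and also means the adjusted size is never used. If the remainder is still to be written it should say so (`/* TODO: allocate bufsize bytes, marshal args, dev_exec, return result */`); otherwise the call path needs finishing before this lands. The comparison `bufsize < nargs * sizeof(unsigned long long)` mixes a presumably signed `bufsize` with `size_t`, so a negative `bufsize` or `nargs` converts to a huge unsigned value; guard with `if (nargs < 0 || bufsize < 0) return DEV_PTR_NULL;` first. `execute_payload_async` begins outside this hunk.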
diff --git a/pongo/test_module b/pongo/test_module deleted file mode 100755 index bf061ec8fe3c70b097e1c37890f2bfa82c795a7c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 66040 zcmeI*&ubiI7{Kx8oy|@*F*F;9n4;LNC`3g;=|%7`X&Okh#DEcVP+m9LAqm~xiMz8j zrAil6@VE;(^ypD<9t6dU@g`p4sYlU^6pA+wMo8=P&W~hW+x!FhzVPfb&--g;K9e~P zIr!(#`x7EYv^}OVu5q^@@|o+_u#t`DbykX(A7t5G*IkWtAG@%&FrSVDX_80eq7J*r_p>$*cjIi0rbq4P43ZX{ ztWD|>=_Wb*v9=v|*4xKj!~5M1(xGRw8LrN+#dVdk{q&h6?c_eM%&pF4oi25=;~>jJ zwLU^|k?(D7tr}Oextgqf_%X&Zm$JiT)IA4h@wxW8cdTZN>}huI+=|9v^R;l1y%K{% z$H$AhepIVj&FMUoobO5PbLTmFZSmWCKfiMD-7^Q@|9bC_?hD#i*2vq_df@7kuIlEU zr{wu+y&l#oJFW1g^(cxfTTygP7Q=cys$7p+_1eYCT(eebM%ODFQ8V6dcJx)R#8G8! z`JI==t=JuxEjRr?izE))v28@PPCY#388THDS^w+HFVA(5r(<{C=v*P)tq#bL%d9UCX+{WUY5gj)ZzA3w*8Q(lL zV$8e7)ANg`F`s4=ONE(NXRrrl|U>roWjtth(Yx_6>h9M)|6Mq@pyx5aLS^?D?>F*LCe)jIXihRwKjLr2r9 pS#5-3H=;(P+N{}DxT)s|TQanCrxWYGA9lh{Xj{9s9k=v4