grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

heavily restructured libpayload, more integrated with c8_remote now

Browse Source
This commit is contained in:
Gregor Haas
2020-02-11 09:56:37 -05:00
parent 983ad0ad29
commit bd4c9b8196
28 changed files with 317 additions and 332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
c8_remote/include/bootrom_addr.h Normal file
View File

@@ -0,0 +1,48 @@
#ifndef CHECKM8_TOOL_BOOTROM_ADDR_H
#define CHECKM8_TOOL_BOOTROM_ADDR_H
#include "checkm8_config.h"
#if CHECKM8_PLATFORM == 8010
/* Crypto */
#define ADDR_HARDWARE_AES 0x100000f0c
/* Timing */
#define ADDR_CLOCK_GATE 0x100009d4c
#define ADDR_GET_TIME 0x10000b0e0
#define ADDR_TIMER_REGISTER_INT 0x10000b874
#define ADDR_WFI 0x1000004fc
/* Tasking */
#define ADDR_TASK_NEW 0x10000a9ac
#define ADDR_TASK_RUN 0x10000ac18
#define ADDR_TASK_PAUSE 0x10000adf0
#define ADDR_TASK_RESCHED 0x10000aaa8
#define ADDR_TASK_FREE 0x10000aa20
#define ADDR_EVENT_NEW 0x10000aed4
#define ADDR_EVENT_NOTIFY 0x10000aee8
#define ADDR_EVENT_WAIT 0x10000af3c
/* Heap */
#define ADDR_CALC_CHKSUM 0x10000ee20
#define ADDR_CHECK_BLOCK_CKSUM 0x10000f138
#define ADDR_CHECK_ALL_CHKSUMS 0x10000f8b4
#define ADDR_DEV_MALLOC 0x10000efe0
#define ADDR_DEV_MEMALIGN 0x10000f380
#define ADDR_DEV_FREE 0x10000f1b0
/* Misc */
#define ADDR_RANDOM_RET 0x10000b924
#define ADDR_DFU_RETVAL (int *) 0x180088ac8
#define ADDR_DFU_STATUS (unsigned char *) 0x180088ac0
#define ADDR_DFU_EVENT (unsigned long long *) 0x180088af0
#else
#error "Unsupported checkm8 platform"
#endif
#endif //CHECKM8_TOOL_BOOTROM_ADDR_H

3
c8_remote/include/payload.h
View File

@@ -5,14 +5,11 @@
typedef enum
{
PAYLOAD_AES,
PAYLOAD_AES_BUSY,
PAYLOAD_AES_SW,
PAYLOAD_EXIT_USB_TASK,
PAYLOAD_FLOPPYSLEEP,
PAYLOAD_SYNC,
PAYLOAD_SYSREG,
PAYLOAD_TASK_SLEEP_TEST
} PAYLOAD_T;
typedef enum

38
c8_remote/lib/CMakeLists.txt Normal file
View File

@@ -0,0 +1,38 @@
project(checkm8_libpayload)
set(PL_NAMES
aes_busy
aes_sw
exit_usb_task
floppysleep
sync)
foreach(NAME ${PL_NAMES})
list(APPEND PL_TARGETS "payload_${NAME}")
list(APPEND PL_SRC_BIN "${CMAKE_CURRENT_LIST_DIR}/payload/src/${NAME}.c")
endforeach(NAME)
foreach(TARGET ${PL_TARGETS})
list(APPEND PL_SRC_LIB "${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles/${TARGET}.c")
list(APPEND PL_BIN "${CMAKE_CURRENT_BINARY_DIR}/payload/bin/${TARGET}.bin")
endforeach(TARGET)
add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/payload)
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles)
add_custom_target(payload_sources
BYPRODUCTS ${PL_SRC_LIB}
DEPENDS ${PL_TARGETS}
COMMENT "Refreshing payload library"
COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/librarize.py
${CMAKE_CURRENT_BINARY_DIR}/payload/bin
${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles)
add_library(payload ${PL_SRC_LIB})
add_dependencies(payload payload_sources)
add_custom_command(TARGET payload POST_BUILD
BYPRODUCTS ${CMAKE_SOURCE_DIR}/c8_remote/include/libpayload.h
COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/headerize.py
${CMAKE_CURRENT_BINARY_DIR}/lib
${CMAKE_SOURCE_DIR}/c8_remote/include)

38
c8_remote/lib/payload/CMakeLists.txt Normal file
View File

@@ -0,0 +1,38 @@
project(checkm8_libpayload_sources C ASM)
include_directories(${CMAKE_CURRENT_LIST_DIR}/include)
set(CMAKE_SYSTEM_PROCESSOR arm)
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
# regular desktop
set(CMAKE_C_COMPILER /usr/bin/aarch64-linux-gnu-gcc)
set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
elseif(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "armv7l")
# raspberry pi
set(CMAKE_C_COMPILER /opt/cross/bin/aarch64-linux-gcc)
set(CMAKE_ASM_COMPILER /opt/cross/bin/aarch64-linux-as)
set(CMAKE_OBJCOPY /opt/cross/bin/aarch64-linux-objcopy)
endif()
set(CMAKE_C_FLAGS "-nostdlib -O -Wl,--gc-sections")
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
add_library(bootrom_dev bootrom_dev.c)
foreach(NAME ${PL_NAMES})
if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
else()
add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
endif()
target_link_libraries(payload_${NAME} bootrom_dev)
add_custom_command(TARGET payload_${NAME} POST_BUILD
BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin
COMMAND ${CMAKE_OBJCOPY}
ARGS -O binary -j .text -j .payload_text -j .bootrom_lib.*
${CMAKE_CURRENT_BINARY_DIR}/payload_${NAME}
${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin)
endforeach(NAME)

123
c8_remote/lib/payload/bootrom_dev.c Normal file
View File

@@ -0,0 +1,123 @@
#include "bootrom_addr.h"
#include "dev_util.h"
/* Crypto */
BRLIB_SECTION("crypto")
int hardware_aes(unsigned long long cmd,
unsigned char *src, unsigned char *dst,
int len, unsigned long long opts,
unsigned char *key, unsigned char *iv)
{
return ((BOOTROM_FUNC_I) ADDR_HARDWARE_AES)(cmd, src, dst, len, opts, key, iv);
}
/* Timing */
BRLIB_SECTION("timing.power")
int clock_gate(int device, int power)
{
return ((BOOTROM_FUNC_I) ADDR_CLOCK_GATE)(device, power);
}
BRLIB_SECTION("timing.time")
unsigned long long get_time()
{
return ((BOOTROM_FUNC_ULL) ADDR_GET_TIME)();
}
BRLIB_SECTION("timing.sleep")
void timer_register_int(unsigned long long dl)
{
((BOOTROM_FUNC_V) ADDR_TIMER_REGISTER_INT)(dl, ADDR_RANDOM_RET);
}
BRLIB_SECTION("timing.sleep")
void wfi()
{
((BOOTROM_FUNC_V) ADDR_WFI)();
}
/* Tasking */
BRLIB_SECTION("tasking.task")
void *task_new(char *name, BOOTROM_FUNC_I func, void *args, int ssize)
{
return ((BOOTROM_FUNC_PTR) ADDR_TASK_NEW)(name, func, args, ssize);
}
void task_run(void *task)
{
((BOOTROM_FUNC_V) ADDR_TASK_RUN)(task);
}
BRLIB_SECTION("tasking.task")
void task_pause(int usec)
{
((BOOTROM_FUNC_V) ADDR_TASK_PAUSE)(usec);
}
BRLIB_SECTION("tasking.task")
void task_resched()
{
((BOOTROM_FUNC_V) ADDR_TASK_RESCHED)();
}
BRLIB_SECTION("tasking.task")
void task_free(void *task)
{
((BOOTROM_FUNC_V) ADDR_TASK_FREE)(task);
}
BRLIB_SECTION("tasking.event")
void event_new(void *dst, int flags, int state)
{
((BOOTROM_FUNC_V) ADDR_EVENT_NEW)(dst, flags, state);
}
BRLIB_SECTION("tasking.event")
void event_notify(void *ev)
{
((BOOTROM_FUNC_V) ADDR_EVENT_NOTIFY)(ev);
}
BRLIB_SECTION("tasking.event")
void event_wait(void *ev)
{
((BOOTROM_FUNC_V) ADDR_EVENT_WAIT)(ev);
}
/* Heap */
BRLIB_SECTION("heap.mgmt")
void calc_chksum(unsigned long long *dst, unsigned long long *src,
int len, unsigned long long *cookie)
{
((BOOTROM_FUNC_V) ADDR_CALC_CHKSUM)(dst, src, len, cookie);
}
BRLIB_SECTION("heap.mgmt")
void check_block_chksum(void *ptr)
{
((BOOTROM_FUNC_V) ADDR_CHECK_BLOCK_CKSUM)(ptr);
}
BRLIB_SECTION("heap.mgmt")
void check_all_chksums()
{
((BOOTROM_FUNC_V) ADDR_CHECK_ALL_CHKSUMS)();
}
BRLIB_SECTION("heap.alloc")
void *dev_malloc(int size)
{
return ((BOOTROM_FUNC_PTR) ADDR_DEV_MALLOC)(size);
}
BRLIB_SECTION("heap.alloc")
void *dev_memalign(int size, int constr)
{
return ((BOOTROM_FUNC_PTR) ADDR_DEV_MEMALIGN)(size, constr);
}
BRLIB_SECTION("heap.alloc")
void dev_free(void *ptr)
{
((BOOTROM_FUNC_PTR) ADDR_DEV_FREE)(ptr);
}

38
c8_remote/lib/payload/include/bootrom_func.h Normal file
View File

@@ -0,0 +1,38 @@
#ifndef CHECKM8_TOOL_BOOTROM_FUNC_H
#define CHECKM8_TOOL_BOOTROM_FUNC_H
#include "dev_util.h"
/* Crypto */
int hardware_aes(unsigned long long cmd,
unsigned char *src, unsigned char *dst,
int len, unsigned long long opts,
unsigned char *key, unsigned char *iv);
/* Timing */
int clock_gate(int device, int power);
unsigned long long get_time();
void timer_register_int(unsigned long long dl);
void wfi();
/* Tasking */
void *task_new(char *name, BOOTROM_FUNC_I func, void *args, int ssize);
void task_run(void *task);
void task_pause(int usec);
void task_resched();
void task_free(void *task);
void event_new(void *dst, int flags, int state);
void event_notify(void *ev);
void event_wait(void *ev);
/* Heap */
void calc_chksum(unsigned long long *dst, unsigned long long *src, int len, unsigned long long *cookie);
void check_block_chksum(void *ptr);
void check_all_chksums();
void *dev_malloc(int size);
void *dev_memalign(int size, int constr);
void dev_free(void *ptr);
#endif //CHECKM8_TOOL_BOOTROM_FUNC_H

13
c8_remote/lib/payload/include/dev_util.h Normal file
View File

@@ -0,0 +1,13 @@
#ifndef CHECKM8_TOOL_DEV_UTIL_H
#define CHECKM8_TOOL_DEV_UTIL_H
typedef void (*BOOTROM_FUNC_V)();
typedef int (*BOOTROM_FUNC_I)();
typedef unsigned long long (*BOOTROM_FUNC_ULL)();
typedef void (*(*BOOTROM_FUNC_PTR)());
#define PAYLOAD_SECTION __attribute__ ((section (".payload_text")))
#define TEXT_SECTION __attribute__ ((section (".text")))
#define BRLIB_SECTION(s) __attribute__ ((section (".bootrom_lib."s)))
#endif //CHECKM8_TOOL_DEV_UTIL_H

22
c8_remote/lib/payload/src/aes_busy.c Normal file
View File

@@ -0,0 +1,22 @@
#include "bootrom_func.h"
TEXT_SECTION
int _start(void *src, void *dst, void *key, int rep)
{
int i, j;
unsigned char src_data[16];
for(j = 0; j < 16; j++)
{
src_data[j] = ((unsigned char *) src)[j];
}
// task_sleep(100);
for(i = 0; i < rep; i++)
{
if(i % 2 == 0) hardware_aes(16, src_data, dst, 16, 0, key, 0);
else hardware_aes(16, dst, src_data, 16, 0, key, 0);
// task_sleep(15);
}
return 0;
}

163
c8_remote/lib/payload/src/aes_sw.c Normal file
View File

@@ -0,0 +1,163 @@
#include "bootrom_func.h"
PAYLOAD_SECTION
void sub_bytes(unsigned char block[16], unsigned char sbox[16][16])
{
int i;
unsigned char val;
for(i = 0; i < 16; i++)
{
val = block[i];
block[i] = sbox[val >> 4u][val & 0xfu];
}
}
PAYLOAD_SECTION
void shift_rows(unsigned char block[16])
{
unsigned char temp1, temp2;
temp1 = block[0x1];
block[0x1] = block[0x5];
block[0x5] = block[0x9];
block[0x9] = block[0xd];
block[0xd] = temp1;
temp1 = block[0x2];
temp2 = block[0xe];
block[0x2] = block[0xa];
block[0xe] = block[0x6];
block[0xa] = temp1;
block[0x6] = temp2;
temp1 = block[0x3];
block[0x3] = block[0xf];
block[0xf] = block[0xb];
block[0xb] = block[0x7];
block[0x7] = temp1;
}
PAYLOAD_SECTION
void mix_cols(unsigned char block[16],
unsigned char mul2_lookup[256], unsigned char mul3_lookup[256])
{
unsigned char r0, r1, r2, r3;
int i;
for(i = 0; i < 4; i++)
{
r0 = block[4 * i];
r1 = block[4 * i + 1];
r2 = block[4 * i + 2];
r3 = block[4 * i + 3];
// no reason for the "+ 0" here but it makes the code look more lined up :)
block[4 * i + 0] = mul2_lookup[r0] ^ mul3_lookup[r1] ^ r2 ^ r3;
block[4 * i + 1] = r0 ^ mul2_lookup[r1] ^ mul3_lookup[r2] ^ r3;
block[4 * i + 2] = r0 ^ r1 ^ mul2_lookup[r2] ^ mul3_lookup[r3];
block[4 * i + 3] = mul3_lookup[r0] ^ r1 ^ r2 ^ mul2_lookup[r3];
}
}
PAYLOAD_SECTION
void add_key(unsigned char block[16], unsigned char key[16])
{
int i;
for(i = 0; i < 16; i++)
{
block[i] = block[i] ^ key[i];
}
}
PAYLOAD_SECTION
void expand_key(unsigned char key[16], unsigned char key_sched[176], int n,
unsigned char sbox[16][16], unsigned char rc_lookup[11])
{
int i, j, prev_key_base, key_base = 0;
unsigned char val;
for(i = 0; i < 16; i++)
{
key_sched[i] = key[i];
}
for(i = 1; i < n; i++)
{
prev_key_base = key_base;
key_base = 16 * i;
for(j = 0; j < 3; j++)
{
val = key_sched[prev_key_base + 13 + j];
key_sched[key_base + j] = sbox[val >> 4u][val & 0xfu];
}
val = key_sched[prev_key_base + 12];
key_sched[key_base + 3] = sbox[val >> 4u][val & 0xfu];
key_sched[key_base] ^= rc_lookup[i - 1];
for(j = 0; j < 4; j++)
{
key_sched[key_base + j] = key_sched[key_base + j] ^ key_sched[prev_key_base + j];
}
for(j = 4; j < 16; j++)
{
key_sched[key_base + j] = key_sched[key_base + j - 4] ^ key_sched[prev_key_base + j];
}
}
}
PAYLOAD_SECTION
void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16],
unsigned char sbox[16][16], unsigned char rc_lookup[11],
unsigned char mul2[256], unsigned char mul3[256])
{
unsigned char key_sched[176];
expand_key(key, key_sched, 11, sbox, rc_lookup);
unsigned int num_blocks = msg_len / 16;
unsigned char *block;
unsigned int i, j;
for(i = 0; i < num_blocks; i++)
{
block = &msg[16 * i];
add_key(block, key_sched);
for(j = 0; j < 9; j++)
{
sub_bytes(block, sbox);
shift_rows(block);
mix_cols(block, mul2, mul3);
add_key(block, &key_sched[16 * (j + 1)]);
}
sub_bytes(block, sbox);
shift_rows(block);
add_key(block, &key_sched[16 * (j + 1)]);
}
}
TEXT_SECTION
unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
unsigned char sbox[16][16], unsigned char rc_lookup[11],
unsigned char mul2[256], unsigned char mul3[256])
{
unsigned long long start = 0, end = 0;
unsigned long long timer_deadline_enter = 0x10000b874;
unsigned long long halt = 0x1000004fc;
__asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
__asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
if(2 * end - start - 64 > 0)
{
timer_register_int(2 * end - start - 64);
wfi();
}
return end - start;
}

52
c8_remote/lib/payload/src/exit_usb_task.c Normal file
View File

@@ -0,0 +1,52 @@
#include "bootrom_addr.h"
#include "bootrom_func.h"
PAYLOAD_SECTION
void fix_heap()
{
*((unsigned long long *) 0x1801b91a0) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b91a8) = ((0x840u / 0x40) << 2u);
*((unsigned long long *) 0x1801b91b0) = 0x80;
*((unsigned long long *) 0x1801b91b8) = 0;
*((unsigned long long *) 0x1801b9220) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b9228) = ((0x80u / 0x40) << 2u);
*((unsigned long long *) 0x1801b9230) = 0x80;
*((unsigned long long *) 0x1801b9238) = 0;
*((unsigned long long *) 0x1801b92a0) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b92a8) = ((0x80u / 0x40) << 2u);
*((unsigned long long *) 0x1801b92b0) = 0x80;
*((unsigned long long *) 0x1801b92b8) = 0;
__asm__ volatile ("dmb sy");
calc_chksum((unsigned long long *) 0x1801b9180,
(unsigned long long *) 0x1801b91a0,
32,
(unsigned long long *) 0x180080640);
calc_chksum((unsigned long long *) 0x1801b9200,
(unsigned long long *) 0x1801b9220,
32,
(unsigned long long *) 0x180080640);
calc_chksum((unsigned long long *) 0x1801b9280,
(unsigned long long *) 0x1801b92a0,
32,
(unsigned long long *) 0x180080640);
__asm__ volatile ("dmb sy");
check_all_chksums();
}
TEXT_SECTION
void _start(unsigned long long *ptr_self)
{
fix_heap();
*(ADDR_DFU_RETVAL) = -1;
*(ADDR_DFU_STATUS) = 1;
event_notify(ADDR_DFU_EVENT);
dev_free(ptr_self);
}

187
c8_remote/lib/payload/src/floppysleep.S Normal file
View File

@@ -0,0 +1,187 @@
.global fs_routine
.global fs_load
# .global check_subnormal
.section .payload_text, "ax"
fs_load:
# load from memory
ldr s0, [x0]
mov v0.s[1], v0.s[0]
mov v0.s[2], v0.s[0]
mov v0.s[3], v0.s[0]
fmov s31, 1.0
ucvtf s30, w1
mov v1.s[3], v30.s[0]
fadd s30, s30, s31
mov v1.s[2], v30.s[0]
fadd s30, s30, s31
mov v1.s[1], v30.s[0]
fadd s30, s30, s31
mov v1.s[0], v30.s[0]
fadd s30, s30, s31
mov v2.s[3], v30.s[0]
fadd s30, s30, s31
mov v2.s[2], v30.s[0]
fadd s30, s30, s31
mov v2.s[1], v30.s[0]
fadd s30, s30, s31
mov v2.s[0], v30.s[0]
fadd s30, s30, s31
mov v3.s[3], v30.s[0]
fadd s30, s30, s31
mov v3.s[2], v30.s[0]
fadd s30, s30, s31
mov v3.s[1], v30.s[0]
fadd s30, s30, s31
mov v3.s[0], v30.s[0]
fadd s30, s30, s31
mov v4.s[3], v30.s[0]
fadd s30, s30, s31
mov v4.s[2], v30.s[0]
fadd s30, s30, s31
mov v4.s[1], v30.s[0]
fadd s30, s30, s31
mov v4.s[0], v30.s[0]
fadd s30, s30, s31
mov v5.s[3], v30.s[0]
fadd s30, s30, s31
mov v5.s[2], v30.s[0]
fadd s30, s30, s31
mov v5.s[1], v30.s[0]
fadd s30, s30, s31
mov v5.s[0], v30.s[0]
fadd s30, s30, s31
mov v6.s[3], v30.s[0]
fadd s30, s30, s31
mov v6.s[2], v30.s[0]
fadd s30, s30, s31
mov v6.s[1], v30.s[0]
fadd s30, s30, s31
mov v6.s[0], v30.s[0]
fadd s30, s30, s31
mov v7.s[3], v30.s[0]
fadd s30, s30, s31
mov v7.s[2], v30.s[0]
fadd s30, s30, s31
mov v7.s[1], v30.s[0]
fadd s30, s30, s31
mov v7.s[0], v30.s[0]
fadd s30, s30, s31
mov v8.s[3], v30.s[0]
fadd s30, s30, s31
mov v8.s[2], v30.s[0]
fadd s30, s30, s31
mov v8.s[1], v30.s[0]
fadd s30, s30, s31
mov v8.s[0], v30.s[0]
fadd s30, s30, s31
mov v9.s[3], v30.s[0]
fadd s30, s30, s31
mov v9.s[2], v30.s[0]
fadd s30, s30, s31
mov v9.s[1], v30.s[0]
fadd s30, s30, s31
mov v9.s[0], v30.s[0]
fadd s30, s30, s31
mov v10.s[3], v10.s[0]
fadd s30, s30, s31
mov v10.s[2], v10.s[0]
fadd s30, s30, s31
mov v10.s[1], v10.s[0]
fadd s30, s30, s31
mov v10.s[0], v30.s[0]
fadd s30, s30, s31
mov v11.s[3], v30.s[0]
fadd s30, s30, s31
mov v11.s[2], v30.s[0]
fadd s30, s30, s31
mov v11.s[1], v30.s[0]
fadd s30, s30, s31
mov v11.s[0], v30.s[0]
fadd s30, s30, s31
mov v12.s[3], v30.s[0]
fadd s30, s30, s31
mov v12.s[2], v30.s[0]
fadd s30, s30, s31
mov v12.s[1], v30.s[0]
fadd s30, s30, s31
mov v12.s[0], v30.s[0]
fadd s30, s30, s31
mov v13.s[3], v30.s[0]
fadd s30, s30, s31
mov v13.s[2], v30.s[0]
fadd s30, s30, s31
mov v13.s[1], v30.s[0]
fadd s30, s30, s31
mov v13.s[0], v30.s[0]
fadd s30, s30, s31
mov v14.s[3], v30.s[0]
fadd s30, s30, s31
mov v14.s[2], v30.s[0]
fadd s30, s30, s31
mov v14.s[1], v30.s[0]
fadd s30, s30, s31
mov v14.s[0], v30.s[0]
fadd s30, s30, s31
mov v15.s[3], v30.s[0]
fadd s30, s30, s31
mov v15.s[2], v30.s[0]
fadd s30, s30, s31
mov v15.s[1], v30.s[0]
fadd s30, s30, s31
mov v15.s[0], v30.s[0]
#mov s30, wzr
#mov s31, wzr
ret
fs_routine:
fdiv v16.4s, v0.4s, v1.4s
fdiv v17.4s, v0.4s, v2.4s
fdiv v18.4s, v0.4s, v3.4s
fdiv v19.4s, v0.4s, v4.4s
fdiv v20.4s, v0.4s, v5.4s
fdiv v21.4s, v0.4s, v6.4s
fdiv v22.4s, v0.4s, v7.4s
fdiv v23.4s, v0.4s, v8.4s
fdiv v24.4s, v0.4s, v9.4s
fdiv v25.4s, v0.4s, v10.4s
fdiv v26.4s, v0.4s, v11.4s
fdiv v27.4s, v0.4s, v12.4s
fdiv v28.4s, v0.4s, v13.4s
fdiv v29.4s, v0.4s, v14.4s
fdiv v30.4s, v0.4s, v15.4s
fdiv v16.4s, v16.4s, v15.4s
fdiv v17.4s, v17.4s, v14.4s
fdiv v18.4s, v18.4s, v13.4s
fdiv v19.4s, v19.4s, v12.4s
fdiv v20.4s, v20.4s, v11.4s
fdiv v21.4s, v21.4s, v10.4s
fdiv v22.4s, v22.4s, v9.4s
fdiv v23.4s, v23.4s, v8.4s
fdiv v24.4s, v24.4s, v7.4s
fdiv v25.4s, v25.4s, v6.4s
fdiv v26.4s, v26.4s, v5.4s
fdiv v27.4s, v27.4s, v4.4s
fdiv v28.4s, v28.4s, v3.4s
fdiv v29.4s, v29.4s, v2.4s
fdiv v30.4s, v30.4s, v1.4s
ret

43
c8_remote/lib/payload/src/floppysleep.c Normal file
View File

@@ -0,0 +1,43 @@
#include "bootrom_func.h"
extern unsigned long long fs_routine(void);
extern unsigned long long fs_load(float *dividend, int divisor_base);
// extern unsigned long long check_subnormal();
PAYLOAD_SECTION
unsigned int is_subnormal(float val)
{
unsigned int bytes = *((unsigned int *) &val);
bytes = bytes >> 23u;
if(bytes & 0x7u)
{
return 0;
}
else return 1;
}
TEXT_SECTION
unsigned long long _start(float *init_a)
{
int i;
volatile int j = 0;
unsigned long long start, end, report;
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
fs_load(init_a, 1);
for(i = 0; i < 8; i++) fs_routine();
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
if(2 * end - start - 64 > 0)
{
timer_register_int(2 * end - start - 64);
wfi();
}
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
j++;
return end - start;
}

10
c8_remote/lib/payload/src/sync.c Normal file
View File

@@ -0,0 +1,10 @@
#include "dev_util.h"
TEXT_SECTION
void _start()
{
__asm__("dmb sy");
__asm__("ic iallu");
__asm__("dsb sy");
__asm__("isb");
}

44
c8_remote/lib/scripts/headerize.py Normal file
View File

@@ -0,0 +1,44 @@
import sys
import os
if __name__ == '__main__':
if len(sys.argv) < 3:
print('Usage: headerize.py [lib names ...] [header dir]')
exit(1)
lib_names = []
hdr_dir = os.path.abspath(sys.argv[-1])
for libarg in sys.argv[1:-1]:
if os.path.isdir(libarg):
lib_folder = os.path.abspath(libarg)
for lib_fname in os.listdir(lib_folder):
lib_names.append(lib_folder + '/' + lib_fname)
else:
lib_names.append(os.path.abspath(libarg))
header_lines = ['#ifndef CHECKM8_TOOL_LIBPAYLOAD_H\n',
'#define CHECKM8_TOOL_LIBPAYLOAD_H\n',
'\n']
name_lines = []
size_lines = []
for n in lib_names:
with open(n, 'r') as f:
line = f.readline() # looks like "const unsigned char PAYLOAD_NAME[PAYLOAD_SIZE] = "
name = line.split(' ')[3].split('[')[0]
size = line.split(' ')[3].split('[')[1][:-1]
name_lines.append('extern const unsigned char %s[%s_SZ];\n' % (name, name.upper()))
size_lines.append('#define %s_SZ %s\n' % (name.upper(), size))
header_lines.extend(size_lines)
header_lines.append('\n')
header_lines.extend(name_lines)
header_lines.append('\n')
header_lines.append('#endif //CHECKM8_TOOL_LIBPAYLOAD_H\n')
with open(hdr_dir + '/libpayload.h', 'w+') as f:
f.writelines(header_lines)

54
c8_remote/lib/scripts/librarize.py Normal file
View File

@@ -0,0 +1,54 @@
import sys
import os
from collections import defaultdict
from operator import eq
if __name__ == '__main__':
if len(sys.argv) < 3:
print('Usage: librarize.py [bin names ...] [lib dir]')
exit(1)
bin_names = []
lib_dir = os.path.abspath(sys.argv[-1])
for binarg in sys.argv[1:-1]:
if os.path.isdir(binarg):
bin_folder = os.path.abspath(binarg)
for bin_fname in os.listdir(bin_folder):
bin_names.append(bin_folder + '/' + bin_fname)
else:
bin_names.append(os.path.abspath(binarg))
source_lines = defaultdict(list)
for n in bin_names:
payload_name = os.path.basename(n).split('.')[0]
with open(n, 'rb') as fbin:
fbytes = fbin.read()
source_lines[payload_name].append('const unsigned char %s[%i] =\n' % (payload_name, len(fbytes)))
source_lines[payload_name].append('\t{')
for i, b in enumerate(fbytes):
if i % 16 == 0:
source_lines[payload_name][-1] += '\n'
source_lines[payload_name].append('\t\t')
source_lines[payload_name][-1] += '0x%02x, ' % b
if i == len(fbytes) - 1:
source_lines[payload_name][-1] += '\n'
source_lines[payload_name].append('\t};\n')
for sname, lines in source_lines.items():
sfname = lib_dir + '/' + sname + '.c'
if os.path.exists(sfname):
with open(sfname, 'r') as f:
old_lines = f.readlines()
if all(map(eq, lines, old_lines)):
continue
with open(sfname, 'w+') as f:
f.writelines(lines)

34
c8_remote/src/payload.c
View File

@@ -7,6 +7,7 @@
#include "command.h"
#include "usb_helpers.h"
#include "bootrom_addr.h"
#include "libpayload.h"
struct payload
@@ -28,11 +29,6 @@ struct payload *get_payload(PAYLOAD_T p)
switch(p)
{
case PAYLOAD_AES:
pl = payload_aes;
len = PAYLOAD_AES_SZ;
break;
case PAYLOAD_AES_BUSY:
pl = payload_aes_busy;
len = PAYLOAD_AES_BUSY_SZ;
@@ -58,16 +54,6 @@ struct payload *get_payload(PAYLOAD_T p)
len = PAYLOAD_SYNC_SZ;
break;
case PAYLOAD_SYSREG:
pl = payload_sysreg;
len = PAYLOAD_SYSREG_SZ;
break;
case PAYLOAD_TASK_SLEEP_TEST:
pl = payload_task_sleep_test;
len = PAYLOAD_TASK_SLEEP_TEST_SZ;
break;
default:
return NULL;
}
@@ -94,8 +80,8 @@ void free_payload(struct payload *p)
DEV_PTR_T get_address(struct pwned_device *dev, LOCATION_T l, int len)
{
checkm8_debug_indent("get_address(dev = %p, loc = %i, len = %i)\n", dev, l, len);
DEV_PTR_T addr_malloc = 0x10000efe0, retval;
unsigned long long malloc_args[2] = {addr_malloc, (unsigned long long) len};
DEV_PTR_T retval;
unsigned long long malloc_args[2] = {ADDR_DEV_MALLOC, (unsigned long long) len};
struct dev_cmd_resp *resp = dev_exec(dev, 0, 2, malloc_args);
if(IS_CHECKM8_FAIL(resp->ret))
@@ -192,7 +178,6 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
{
checkm8_debug_indent("uninstall payload(dev = %p, p = %i)\n", dev, p);
DEV_PTR_T addr_free = 0x10000f1b0;
unsigned long long free_args[2];
struct dev_cmd_resp *resp;
struct payload *pl = dev_retrieve_payload(dev, p);
@@ -203,7 +188,7 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
return CHECKM8_FAIL_INVARGS;
}
free_args[0] = addr_free;
free_args[0] = ADDR_DEV_FREE;
free_args[1] = pl->install_base;
resp = dev_exec(dev, 0, 2, free_args);
@@ -261,8 +246,7 @@ int uninstall_data(struct pwned_device *dev, DEV_PTR_T addr)
{
checkm8_debug_indent("uninstall_data(dev = %p, addr = %X)\n", dev, addr);
struct dev_cmd_resp *resp;
DEV_PTR_T addr_free = 0x10000f1b0;
unsigned long long free_args[2] = {addr_free, addr};
unsigned long long free_args[2] = {ADDR_DEV_FREE, addr};
resp = dev_exec(dev, 0, 2, free_args);
if(IS_CHECKM8_FAIL(resp->ret))
@@ -319,6 +303,14 @@ unsigned long long execute_payload_async(struct pwned_device *dev, PAYLOAD_T p,
checkm8_debug_indent("\tpayload is not installed\n");
return DEV_PTR_NULL;
}
if(bufsize < nargs * sizeof(unsigned long long))
{
checkm8_debug_indent("\texpanding buffer to fit (at least) provided arguments\n");
bufsize = nargs * sizeof(unsigned long long);
}
}
struct dev_cmd_resp *read_gadget(struct pwned_device *dev, DEV_PTR_T addr, int len)