From f11bbf0370b719139747c9e3599e7e20ebfcb41f Mon Sep 17 00:00:00 2001
From: Gregor Haas
Date: Sun, 8 Dec 2019 22:54:29 -0500
Subject: [PATCH] Started working on payloads... still need to integrate
---
checkm8_payloads/CMakeLists.txt | 4 +-
checkm8_payloads/aes.c | 56 ++++++++++++++++++++++++
checkm8_payloads/include/brfunc_aes.h | 16 +++++++
checkm8_payloads/include/brfunc_common.h | 34 ++++++++++++++
checkm8_payloads/include/brfunc_sep.h | 7 +++
checkm8_payloads/include/brfunc_timing.h | 8 ++++
6 files changed, 123 insertions(+), 2 deletions(-)
create mode 100644 checkm8_payloads/aes.c
create mode 100644 checkm8_payloads/include/brfunc_aes.h
create mode 100644 checkm8_payloads/include/brfunc_common.h
create mode 100644 checkm8_payloads/include/brfunc_sep.h
create mode 100644 checkm8_payloads/include/brfunc_timing.h
diff --git a/checkm8_payloads/CMakeLists.txt b/checkm8_payloads/CMakeLists.txt
index 4d2b412..891dea4 100644
--- a/checkm8_payloads/CMakeLists.txt
+++ b/checkm8_payloads/CMakeLists.txt
@@ -1,4 +1,5 @@
 enable_language(ASM)
+include_directories(include)
 set(CMAKE_SYSTEM_PROCESSOR arm)
 set(CMAKE_C_COMPILER /usr/bin/aarch64-linux-gnu-gcc)
@@ -6,5 +7,4 @@ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
 set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
 set(CMAKE_C_FLAGS "-nostdlib")
-add_executable(payload_test test.c)
-add_custom_command(OUTPUT payload.)
\ No newline at end of file
+add_executable(payload aes.c)
\ No newline at end of file
diff --git a/checkm8_payloads/aes.c b/checkm8_payloads/aes.c
new file mode 100644
index 0000000..d9d4b17
--- /dev/null
+++ b/checkm8_payloads/aes.c
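Review bot: `set(CMAKE_C_FLAGS "-nostdlib")` in the second hunk drops libc from the link but does not tell the compiler the translation unit is freestanding; without `-ffreestanding` GCC may still emit calls to `memcpy`/`memset` for struct copies or loop idioms and assume libc semantics for builtins, which in a `-nostdlib` image either fail to link or resolve to nothing. aes.c as added contains no such constructs today, so this is a latent rather than a current failure, but it is cheap to close now: `set(CMAKE_C_FLAGS "-nostdlib -ffreestanding")`. The new `include_directories(include)` also interacts with the `#include "include/checkm8_config.h"` path in brfunc_common.h, which is raised on that file.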
@@ -0,0 +1,56 @@
+#include "brfunc_aes.h"
+#include "brfunc_timing.h"
+#include "brfunc_sep.h"
+
+int aes_hw_crypto_command(unsigned int cmd,
+ void *src,
+ void *dst,
+ int len,
+ unsigned int opts,
+ void *key,
+ void *iv)
+{
+ int seeded;
+ long start = 0, timeout = 0;
+ CLOCK_GATE(0x3C, 1);
+
+ seeded = DPA_SEEDED();
+ if(!seeded)
+ {
+ SEP_CREATE_SEND_DPA_MESSAGE();
+ start = SYSTEM_TIME();
+
+ while(!seeded && !timeout)
+ {
+ seeded = DPA_SEEDED();
+ timeout = TIME_HAS_ELAPSED(start, 1000);
+ }
+ }
+
+ if(timeout) return -1;
+
+ unsigned int key_command = CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0);
+ *rAES_INT_STATUS = 0x20;
+ *rAES_CONTROL = 1;
+
+ PUSH_COMMAND_KEY(key_command, key);
+ PUSH_COMMAND_IV(0, 0, 0, iv);
+ PUSH_COMMAND_DATA(0, 0, src, dst, len);
+ PUSH_COMMAND_FLAG(0, 1, 1);
+ WAIT_FOR_COMMAND_FLAG();
+
+ *rAES_CONTROL = 2;
+ CLOCK_GATE(0x3C, 0);
+ return 0;
+}
+
+int _start(unsigned int cmd,
+ void *src,
+ void *dst,
+ int len,
+ unsigned int opts,
+ void *key,
+ void *iv)
+{
+ return aes_hw_crypto_command(cmd, src, dst, len, opts, key, iv);
+}
\ No newline at end of file
diff --git a/checkm8_payloads/include/brfunc_aes.h b/checkm8_payloads/include/brfunc_aes.h
new file mode 100644
index 0000000..57dafd6
--- /dev/null
+++ b/checkm8_payloads/include/brfunc_aes.h
@@ -0,0 +1,16 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_AES_H
+#define IPWNDFU_REWRITE_C_BRFUNC_AES_H
+
+#include "brfunc_common.h"
+
+#define CREATE_KEY_COMMAND ((BOOTROM_FUNC) ADDR_CREATE_KEY_COMMAND)
+#define PUSH_COMMAND_KEY ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_KEY)
+#define PUSH_COMMAND_IV ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_IV)
+#define PUSH_COMMAND_DATA ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_DATA)
+#define PUSH_COMMAND_FLAG ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_FLAG)
+#define WAIT_FOR_COMMAND_FLAG ((BOOTROM_FUNC) ADDR_WAIT_FOR_COMMAND_FLAG)
+
+#define rAES_INT_STATUS (long *) ADDR_rAES_INT_STATUS
+#define rAES_CONTROL (long *) ADDR_rAES_CONTROL
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_AES_H
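Review bot: The early return `if(timeout) return -1;` in `aes_hw_crypto_command` leaves the clock gate enabled, because `CLOCK_GATE(0x3C, 1)` at the top of the function is only undone by `CLOCK_GATE(0x3C, 0)` on the success path; the error path should restore it, `if(timeout) { CLOCK_GATE(0x3C, 0); return -1; }`. The polling loop evaluates `TIME_HAS_ELAPSED` after `DPA_SEEDED` in the same iteration, so an iteration that observes both seeded and expired reports failure although seeding succeeded; `if(timeout && !seeded)` (or breaking as soon as `seeded` is set) avoids that. `cmd` and `opts` are accepted but never read — the calls use literal arguments such as `CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0)` and `PUSH_COMMAND_FLAG(0, 1, 1)` whose meaning is recorded nowhere in this commit; a comment naming what each literal selects, or `(void)cmd; (void)opts;` with a TODO if they are deliberately deferred, keeps the "still need to integrate" state visible in the code rather than only in the commit message. `SYSTEM_TIME()` is called through `BOOTROM_FUNC`, whose return type is `int`, and the result is stored in `long start`; if the bootrom routine returns a 64-bit tick count the upper half is already lost before `TIME_HAS_ELAPSED(start, 1000)` sees it, which would make the 1000-unit deadline unreliable.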
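Review bot: `rAES_INT_STATUS` and `rAES_CONTROL` expand to `(long *) ADDR_…` — a non-`volatile` pointer with no enclosing parentheses — so the register stores in aes.c are ordinary memory writes the compiler may reorder or merge, and any use other than a bare `*rAES_X` dereference (e.g. `rAES_X[1]`) will not parse as the author expects. Memory-mapped registers should be `volatile`, and `long` is 8 bytes on AArch64, so `*rAES_CONTROL = 1` is a 64-bit store; whether these registers are 32 or 64 bits wide cannot be told from this patch, and a wider-than-intended access would touch the neighbouring register. Suggested: `#define rAES_INT_STATUS ((volatile unsigned int *) ADDR_rAES_INT_STATUS)` and the same form for `rAES_CONTROL`, adjusting the width once the register size is confirmed.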
diff --git a/checkm8_payloads/include/brfunc_common.h b/checkm8_payloads/include/brfunc_common.h
new file mode 100644
index 0000000..91c9f0d
--- /dev/null
+++ b/checkm8_payloads/include/brfunc_common.h
@@ -0,0 +1,34 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_COMMON_H
+#define IPWNDFU_REWRITE_C_BRFUNC_COMMON_H
+
+#include "include/checkm8_config.h"
+
+typedef int (*BOOTROM_FUNC)();
+
+#if CHECKM8_PLATFORM == 8010
+
+/* AES */
+#define ADDR_CREATE_KEY_COMMAND 0x100000e90
+#define ADDR_PUSH_COMMAND_KEY 0x100000c64
+#define ADDR_PUSH_COMMAND_IV 0x100000d18
+#define ADDR_PUSH_COMMAND_DATA 0x100000d98
+#define ADDR_PUSH_COMMAND_FLAG 0x100000e20
+#define ADDR_WAIT_FOR_COMMAND_FLAG 0x100000ec4
+
+#define ADDR_rAES_CONTROL 0x20A108008
+#define ADDR_rAES_INT_STATUS 0x20A108018
+
+/* SEP */
+#define ADDR_DPA_SEEDED 0x100001140
+#define ADDR_SEP_CREATE_SEND_DPA_MESSAGE 0x100002338
+
+/* Timing */
+#define ADDR_CLOCK_GATE 0x100009d4c
+#define ADDR_SYSTEM_TIME 0x10000B0E0
+#define ADDR_TIME_HAS_ELAPSED 0x10000B04F
+
+#else
+#error "Unsupported checkm8 platform"
+#endif
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_COMMON_H
diff --git a/checkm8_payloads/include/brfunc_sep.h b/checkm8_payloads/include/brfunc_sep.h
new file mode 100644
index 0000000..3ef32da
--- /dev/null
+++ b/checkm8_payloads/include/brfunc_sep.h
@@ -0,0 +1,7 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_SEP_H
+#define IPWNDFU_REWRITE_C_BRFUNC_SEP_H
+
+#define DPA_SEEDED ((BOOTROM_FUNC) ADDR_DPA_SEEDED)
+#define SEP_CREATE_SEND_DPA_MESSAGE ((BOOTROM_FUNC) ADDR_SEP_CREATE_SEND_DPA_MESSAGE)
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_SEP_H
diff --git a/checkm8_payloads/include/brfunc_timing.h b/checkm8_payloads/include/brfunc_timing.h
new file mode 100644
index 0000000..536b377
--- /dev/null
+++ b/checkm8_payloads/include/brfunc_timing.h
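Review bot: `typedef int (*BOOTROM_FUNC)();` declares a function pointer with no prototype, so every call in aes.c (`PUSH_COMMAND_DATA(0, 0, src, dst, len)` and the rest) is unchecked and relies on default argument promotions; `()` is obsolescent in C11 and in C23 means `(void)`, under which each of those calls with arguments becomes a compile error. One typedef per call signature with explicit parameter and return types (for example a timing variant returning `long`) would make the call sites checkable and avoid silently truncating a wider `SYSTEM_TIME` result through `int`. `ADDR_TIME_HAS_ELAPSED 0x10000B04F` is not 4-byte aligned, which an AArch64 function entry must be, so that value looks mistyped and is worth re-checking against wherever it was transcribed from (this block also switches to uppercase hex where the sibling constants use lowercase, which hints at a separate transcription). `#include "include/checkm8_config.h"` is searched relative to this header's own directory first, i.e. `include/include/checkm8_config.h`, and CMakeLists adds only `include` to the search path, so unless the project root is also on the include path elsewhere this include will not resolve; `#include "checkm8_config.h"` with the file placed in `include/` would match the new `include_directories(include)`.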
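Review bot: brfunc_sep.h uses `BOOTROM_FUNC` and `ADDR_DPA_SEEDED` without including brfunc_common.h, so it only compiles when brfunc_aes.h (which does include it) happens to have been included first, as aes.c currently does; brfunc_timing.h has the same gap. Each header should include what it uses: add `#include "brfunc_common.h"` after the include guard in both files so that include order in a future translation unit cannot break the build.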
@@ -0,0 +1,8 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_TIMING_H
+#define IPWNDFU_REWRITE_C_BRFUNC_TIMING_H
+
+#define CLOCK_GATE ((BOOTROM_FUNC) ADDR_CLOCK_GATE)
+#define SYSTEM_TIME ((BOOTROM_FUNC) ADDR_SYSTEM_TIME)
+#define TIME_HAS_ELAPSED ((BOOTROM_FUNC) ADDR_TIME_HAS_ELAPSED)
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_TIMING_H