Started working on payloads... still need to integrate

checkm8_payloads/CMakeLists.txt

@@ -1,4 +1,5 @@
 enable_language(ASM)
+include_directories(include)
 
 set(CMAKE_SYSTEM_PROCESSOR arm)
 set(CMAKE_C_COMPILER /usr/bin/aarch64-linux-gnu-gcc)
@@ -6,5 +7,4 @@ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
 set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
 set(CMAKE_C_FLAGS "-nostdlib")
 
-add_executable(payload_test test.c)
+add_executable(payload aes.c)
-add_custom_command(OUTPUT payload.)

checkm8_payloads/aes.c

@@ -0,0 +1,56 @@
+#include "brfunc_aes.h"
+#include "brfunc_timing.h"
+#include "brfunc_sep.h"
+
+int aes_hw_crypto_command(unsigned int cmd,
+                          void *src,
+                          void *dst,
+                          int len,
+                          unsigned int opts,
+                          void *key,
+                          void *iv)
+{
+    int seeded;
+    long start = 0, timeout = 0;
+    CLOCK_GATE(0x3C, 1);
+
+    seeded = DPA_SEEDED();
+    if(!seeded)
+    {
+        SEP_CREATE_SEND_DPA_MESSAGE();
+        start = SYSTEM_TIME();
+
+        while(!seeded && !timeout)
+        {
+            seeded = DPA_SEEDED();
+            timeout = TIME_HAS_ELAPSED(start, 1000);
+        }
+    }
+
+    if(timeout) return -1;
+
+    unsigned int key_command = CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0);
+    *rAES_INT_STATUS = 0x20;
+    *rAES_CONTROL = 1;
+
+    PUSH_COMMAND_KEY(key_command, key);
+    PUSH_COMMAND_IV(0, 0, 0, iv);
+    PUSH_COMMAND_DATA(0, 0, src, dst, len);
+    PUSH_COMMAND_FLAG(0, 1, 1);
+    WAIT_FOR_COMMAND_FLAG();
+
+    *rAES_CONTROL = 2;
+    CLOCK_GATE(0x3C, 0);
+    return 0;
+}
+
+int _start(unsigned int cmd,
+           void *src,
+           void *dst,
+           int len,
+           unsigned int opts,
+           void *key,
+           void *iv)
+{
+    return aes_hw_crypto_command(cmd, src, dst, len, opts, key, iv);
+}

checkm8_payloads/include/brfunc_aes.h

@@ -0,0 +1,16 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_AES_H
+#define IPWNDFU_REWRITE_C_BRFUNC_AES_H
+
+#include "brfunc_common.h"
+
+#define CREATE_KEY_COMMAND          ((BOOTROM_FUNC) ADDR_CREATE_KEY_COMMAND)
+#define PUSH_COMMAND_KEY            ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_KEY)
+#define PUSH_COMMAND_IV             ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_IV)
+#define PUSH_COMMAND_DATA           ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_DATA)
+#define PUSH_COMMAND_FLAG           ((BOOTROM_FUNC) ADDR_PUSH_COMMAND_FLAG)
+#define WAIT_FOR_COMMAND_FLAG       ((BOOTROM_FUNC) ADDR_WAIT_FOR_COMMAND_FLAG)
+
+#define rAES_INT_STATUS             (long *) ADDR_rAES_INT_STATUS
+#define rAES_CONTROL                (long *) ADDR_rAES_CONTROL
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_AES_H

checkm8_payloads/include/brfunc_common.h

@@ -0,0 +1,34 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_COMMON_H
+#define IPWNDFU_REWRITE_C_BRFUNC_COMMON_H
+
+#include "include/checkm8_config.h"
+
+typedef int (*BOOTROM_FUNC)();
+
+#if CHECKM8_PLATFORM == 8010
+
+/* AES */
+#define ADDR_CREATE_KEY_COMMAND             0x100000e90
+#define ADDR_PUSH_COMMAND_KEY               0x100000c64
+#define ADDR_PUSH_COMMAND_IV                0x100000d18
+#define ADDR_PUSH_COMMAND_DATA              0x100000d98
+#define ADDR_PUSH_COMMAND_FLAG              0x100000e20
+#define ADDR_WAIT_FOR_COMMAND_FLAG          0x100000ec4
+
+#define ADDR_rAES_CONTROL                   0x20A108008
+#define ADDR_rAES_INT_STATUS                0x20A108018
+
+/* SEP */
+#define ADDR_DPA_SEEDED                     0x100001140
+#define ADDR_SEP_CREATE_SEND_DPA_MESSAGE    0x100002338
+
+/* Timing */
+#define ADDR_CLOCK_GATE                     0x100009d4c
+#define ADDR_SYSTEM_TIME                    0x10000B0E0
+#define ADDR_TIME_HAS_ELAPSED               0x10000B04F
+
+#else
+#error "Unsupported checkm8 platform"
+#endif
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_COMMON_H

checkm8_payloads/include/brfunc_sep.h

@@ -0,0 +1,7 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_SEP_H
+#define IPWNDFU_REWRITE_C_BRFUNC_SEP_H
+
+#define DPA_SEEDED                  ((BOOTROM_FUNC) ADDR_DPA_SEEDED)
+#define SEP_CREATE_SEND_DPA_MESSAGE ((BOOTROM_FUNC) ADDR_SEP_CREATE_SEND_DPA_MESSAGE)
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_SEP_H

checkm8_payloads/include/brfunc_timing.h

@@ -0,0 +1,8 @@
+#ifndef IPWNDFU_REWRITE_C_BRFUNC_TIMING_H
+#define IPWNDFU_REWRITE_C_BRFUNC_TIMING_H
+
+#define CLOCK_GATE                  ((BOOTROM_FUNC) ADDR_CLOCK_GATE)
+#define SYSTEM_TIME                 ((BOOTROM_FUNC) ADDR_SYSTEM_TIME)
+#define TIME_HAS_ELAPSED            ((BOOTROM_FUNC) ADDR_TIME_HAS_ELAPSED)
+
+#endif //IPWNDFU_REWRITE_C_BRFUNC_TIMING_H