
6 Commits

10 changed files with 309 additions and 169 deletions


@@ -4,6 +4,8 @@ set(PL_NAMES
aes
aes_busy
aes_sw
bootstrap
floppysleep
sync
sysreg
task_sleep_test)


@@ -18,7 +18,12 @@ set(CMAKE_C_FLAGS "-nostdlib -O")
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
foreach(NAME ${PL_NAMES})
add_executable(payload_${NAME} src/${NAME}.c)
if(EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c
${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S)
else()
add_executable(payload_${NAME} ${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.c)
endif()
add_custom_command(TARGET payload_${NAME} POST_BUILD
BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${NAME}.bin
COMMAND ${CMAKE_OBJCOPY}
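Review bot: The new `if(EXISTS …)`/`else()` pair repeats the whole `add_executable` call in both branches. Declaring the target once and adding the optional file with `if(EXISTS "${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S") target_sources(payload_${NAME} PRIVATE "${CMAKE_CURRENT_LIST_DIR}/src/${NAME}.S") endif()` keeps the two cases from drifting apart, and quoting the path guards against spaces in it. The `.S` file is only assembled if the ASM language is enabled for the project; no `project(... LANGUAGES C ASM)` or `enable_language(ASM)` is visible in this hunk, so that should be confirmed, because CMake otherwise drops the file from the build without an error. The `foreach` body continues past the end of the hunk.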


@@ -4,6 +4,7 @@
#include "checkm8_config.h"
typedef int (*BOOTROM_FUNC)();
typedef unsigned char (*(*BOOTROM_FUNC_PTR)());
#if CHECKM8_PLATFORM == 8010
@@ -29,6 +30,9 @@ typedef int (*BOOTROM_FUNC)();
#define ADDR_TIME_HAS_ELAPSED 0x10000B04F
#define ADDR_TASK_SLEEP 0x10000ADF0
/* Boot */
#define ADDR_NVME_INIT 0x1000080B4
#else
#error "Unsupported checkm8 platform"
#endif


@@ -116,6 +116,18 @@ void expand_key(unsigned char key[16], unsigned char key_sched[176], int n,
}
}
PAYLOAD_SECTION
void busy_sleep(int usec)
{
unsigned long long halt = 0x1000004fc;
unsigned long long timer_deadline_enter = 0x10000b874;
unsigned long long now;
__asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
((BOOTROM_FUNC) timer_deadline_enter)(now + 24 * usec, ((BOOTROM_FUNC) 0x10000b924));
((BOOTROM_FUNC) halt)();
}
PAYLOAD_SECTION
void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16],
unsigned char sbox[16][16], unsigned char rc_lookup[11],
@@ -123,6 +135,7 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
{
unsigned char key_sched[176];
expand_key(key, key_sched, 11, sbox, rc_lookup);
busy_sleep(10);
unsigned int num_blocks = msg_len / 16;
unsigned char *block;
@@ -139,7 +152,6 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
shift_rows(block);
mix_cols(block, mul2, mul3);
add_key(block, &key_sched[16 * (j + 1)]);
task_sleep(20);
}
sub_bytes(block, sbox);
@@ -149,34 +161,14 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
}
TEXT_SECTION
unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
void _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
unsigned char sbox[16][16], unsigned char rc_lookup[11],
unsigned char mul2[256], unsigned char mul3[256])
{
unsigned long long start, end;
unsigned long long platform_quiesce_hardware = 0x100007dd0;
__asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
__asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
// for(i = 0; i < 256; i++)
// {
// __asm__ volatile ("dc civac, %0" : : "r" (&sbox[i % 16][i / 16]) : "memory");
// __asm__ volatile ("dc civac, %0" : : "r" (&mul2[i]) : "memory");
// __asm__ volatile ("dc civac, %0" : : "r" (&mul3[i]) : "memory");
// }
//
// for(i = 0; i < 16; i++)
// {
// __asm__ volatile ("dc civac, %0" : : "r" (&msg[i]) : "memory");
// __asm__ volatile ("dc civac, %0" : : "r" (&key[i]) : "memory");
// }
//
// for(i = 0; i < 12; i++)
// {
// __asm__ volatile ("dc civac, %0" : : "r" (&rc_lookup[i]) : "memory");
// }
//
// __asm__ volatile ("dsb sy");
return end - start;
}
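Review bot: `busy_sleep` hard-codes three ROM addresses (`0x1000004fc`, `0x10000b874`, `0x10000b924`) in the function body instead of taking them from the header that defines `ADDR_TASK_SLEEP` and friends under `#if CHECKM8_PLATFORM == 8010`. A build for any other platform would therefore compile cleanly and jump to addresses that are only meaningful on this one, bypassing the header's `#error "Unsupported checkm8 platform"` guard; these values belong next to the other `ADDR_*` defines as named constants. The deadline is also computed as `24 * usec` in `int` before widening, which overflows for large arguments; `now + 24ULL * usec` avoids that, and the tick rate of 24 deserves a named constant or a comment. The large commented-out `dc civac` block in `_start` should be deleted rather than kept in the tree.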


@@ -0,0 +1,26 @@
#include "util.h"
TEXT_SECTION
unsigned long long _start()
{
// unsigned long long platform_quiesce_hardware = 0x100007dd0;
// unsigned long long enter_critical_section = 0x10000a4b8;
// unsigned long long halt = 0x1000004fc;
// unsigned long long timer_deadline_enter = 0x10000b874;
// unsigned long long now, later;
//
// ((BOOTROM_FUNC) platform_quiesce_hardware)();
// //((BOOTROM_FUNC) enter_critical_section)();
//
// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
// ((BOOTROM_FUNC) timer_deadline_enter)(now + (24000000) - 64, ((BOOTROM_FUNC) 0x10000b924));
// ((BOOTROM_FUNC) halt)();
// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (later));
volatile unsigned long long regval = 0xffff;
__asm__ volatile ("mrs %0, fpcr" : "=r" (regval));
regval = (1u << 24u);
__asm__ volatile ("msr fpcr, %0" : "=r" (regval));
return regval;
}
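Review bot: The `msr fpcr, %0` statement lists `regval` as an output operand (`"=r"`), but `msr` reads the general-purpose register. The compiler is therefore not required to load `1u << 24u` into that register and will treat `regval` as overwritten by the asm, so both the value written to FPCR and the value returned are unspecified. It should be an input operand: `__asm__ volatile ("msr fpcr, %0" : : "r" (regval));`. The preceding `mrs` result is thrown away by `regval = (1u << 24u);`, so if the intent is to set that bit while preserving the rest of the register, `regval |= (1u << 24u);` is needed (inferred from the read-then-write sequence). The commented-out block at the top of `_start` is dead code and would be better removed.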


@@ -0,0 +1,187 @@
.global fs_routine
.global fs_load
# .global check_subnormal
.section .payload_text, "ax"
fs_load:
# load from memory
ldr s0, [x0]
mov v0.s[1], v0.s[0]
mov v0.s[2], v0.s[0]
mov v0.s[3], v0.s[0]
fmov s31, 1.0
ucvtf s30, w1
mov v1.s[3], v30.s[0]
fadd s30, s30, s31
mov v1.s[2], v30.s[0]
fadd s30, s30, s31
mov v1.s[1], v30.s[0]
fadd s30, s30, s31
mov v1.s[0], v30.s[0]
fadd s30, s30, s31
mov v2.s[3], v30.s[0]
fadd s30, s30, s31
mov v2.s[2], v30.s[0]
fadd s30, s30, s31
mov v2.s[1], v30.s[0]
fadd s30, s30, s31
mov v2.s[0], v30.s[0]
fadd s30, s30, s31
mov v3.s[3], v30.s[0]
fadd s30, s30, s31
mov v3.s[2], v30.s[0]
fadd s30, s30, s31
mov v3.s[1], v30.s[0]
fadd s30, s30, s31
mov v3.s[0], v30.s[0]
fadd s30, s30, s31
mov v4.s[3], v30.s[0]
fadd s30, s30, s31
mov v4.s[2], v30.s[0]
fadd s30, s30, s31
mov v4.s[1], v30.s[0]
fadd s30, s30, s31
mov v4.s[0], v30.s[0]
fadd s30, s30, s31
mov v5.s[3], v30.s[0]
fadd s30, s30, s31
mov v5.s[2], v30.s[0]
fadd s30, s30, s31
mov v5.s[1], v30.s[0]
fadd s30, s30, s31
mov v5.s[0], v30.s[0]
fadd s30, s30, s31
mov v6.s[3], v30.s[0]
fadd s30, s30, s31
mov v6.s[2], v30.s[0]
fadd s30, s30, s31
mov v6.s[1], v30.s[0]
fadd s30, s30, s31
mov v6.s[0], v30.s[0]
fadd s30, s30, s31
mov v7.s[3], v30.s[0]
fadd s30, s30, s31
mov v7.s[2], v30.s[0]
fadd s30, s30, s31
mov v7.s[1], v30.s[0]
fadd s30, s30, s31
mov v7.s[0], v30.s[0]
fadd s30, s30, s31
mov v8.s[3], v30.s[0]
fadd s30, s30, s31
mov v8.s[2], v30.s[0]
fadd s30, s30, s31
mov v8.s[1], v30.s[0]
fadd s30, s30, s31
mov v8.s[0], v30.s[0]
fadd s30, s30, s31
mov v9.s[3], v30.s[0]
fadd s30, s30, s31
mov v9.s[2], v30.s[0]
fadd s30, s30, s31
mov v9.s[1], v30.s[0]
fadd s30, s30, s31
mov v9.s[0], v30.s[0]
fadd s30, s30, s31
mov v10.s[3], v10.s[0]
fadd s30, s30, s31
mov v10.s[2], v10.s[0]
fadd s30, s30, s31
mov v10.s[1], v10.s[0]
fadd s30, s30, s31
mov v10.s[0], v30.s[0]
fadd s30, s30, s31
mov v11.s[3], v30.s[0]
fadd s30, s30, s31
mov v11.s[2], v30.s[0]
fadd s30, s30, s31
mov v11.s[1], v30.s[0]
fadd s30, s30, s31
mov v11.s[0], v30.s[0]
fadd s30, s30, s31
mov v12.s[3], v30.s[0]
fadd s30, s30, s31
mov v12.s[2], v30.s[0]
fadd s30, s30, s31
mov v12.s[1], v30.s[0]
fadd s30, s30, s31
mov v12.s[0], v30.s[0]
fadd s30, s30, s31
mov v13.s[3], v30.s[0]
fadd s30, s30, s31
mov v13.s[2], v30.s[0]
fadd s30, s30, s31
mov v13.s[1], v30.s[0]
fadd s30, s30, s31
mov v13.s[0], v30.s[0]
fadd s30, s30, s31
mov v14.s[3], v30.s[0]
fadd s30, s30, s31
mov v14.s[2], v30.s[0]
fadd s30, s30, s31
mov v14.s[1], v30.s[0]
fadd s30, s30, s31
mov v14.s[0], v30.s[0]
fadd s30, s30, s31
mov v15.s[3], v30.s[0]
fadd s30, s30, s31
mov v15.s[2], v30.s[0]
fadd s30, s30, s31
mov v15.s[1], v30.s[0]
fadd s30, s30, s31
mov v15.s[0], v30.s[0]
#mov s30, wzr
#mov s31, wzr
ret
fs_routine:
fdiv v16.4s, v0.4s, v1.4s
fdiv v17.4s, v0.4s, v2.4s
fdiv v18.4s, v0.4s, v3.4s
fdiv v19.4s, v0.4s, v4.4s
fdiv v20.4s, v0.4s, v5.4s
fdiv v21.4s, v0.4s, v6.4s
fdiv v22.4s, v0.4s, v7.4s
fdiv v23.4s, v0.4s, v8.4s
fdiv v24.4s, v0.4s, v9.4s
fdiv v25.4s, v0.4s, v10.4s
fdiv v26.4s, v0.4s, v11.4s
fdiv v27.4s, v0.4s, v12.4s
fdiv v28.4s, v0.4s, v13.4s
fdiv v29.4s, v0.4s, v14.4s
fdiv v30.4s, v0.4s, v15.4s
fdiv v16.4s, v16.4s, v15.4s
fdiv v17.4s, v17.4s, v14.4s
fdiv v18.4s, v18.4s, v13.4s
fdiv v19.4s, v19.4s, v12.4s
fdiv v20.4s, v20.4s, v11.4s
fdiv v21.4s, v21.4s, v10.4s
fdiv v22.4s, v22.4s, v9.4s
fdiv v23.4s, v23.4s, v8.4s
fdiv v24.4s, v24.4s, v7.4s
fdiv v25.4s, v25.4s, v6.4s
fdiv v26.4s, v26.4s, v5.4s
fdiv v27.4s, v27.4s, v4.4s
fdiv v28.4s, v28.4s, v3.4s
fdiv v29.4s, v29.4s, v2.4s
fdiv v30.4s, v30.4s, v1.4s
ret
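Review bot: The three lane moves for v10 in `fs_load` (`mov v10.s[3], v10.s[0]`, `mov v10.s[2], v10.s[0]`, `mov v10.s[1], v10.s[0]`) copy from v10 itself, whereas every other group copies from v30. Lanes 1–3 of v10 therefore receive whatever v10.s[0] held on entry rather than the incrementing divisor, and they should read `mov v10.s[3], v30.s[0]` and so on. Both routines also overwrite v8–v15, whose low 64 bits are callee-saved under AAPCS64, without saving or restoring them, although they are called from C. Neither routine writes x0, yet the C prototypes declare an `unsigned long long` return value. Generating the repeated `mov`/`fadd` pairs with a `.macro` or `.rept` would remove the hand-copied lines where this kind of slip hides.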


@@ -0,0 +1,47 @@
#include "brfunc_common.h"
#include "util.h"
extern unsigned long long fs_routine(void);
extern unsigned long long fs_load(float *dividend, int divisor_base);
// extern unsigned long long check_subnormal();
PAYLOAD_SECTION
unsigned int is_subnormal(float val)
{
unsigned int bytes = *((unsigned int *) &val);
bytes = bytes >> 23u;
if(bytes & 0x7u)
{
return 0;
}
else return 1;
}
TEXT_SECTION
unsigned long long _start(float *init_a)
{
int i;
unsigned long long start, end, report;
unsigned long long timer_deadline_enter = 0x10000b874;
unsigned long long halt = 0x1000004fc;
while(1)
{
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
fs_load(init_a, 1);
for(i = 0; i < 8; i++) fs_routine();
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
if(2 * end - start - 64 > 0)
{
((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924));
((BOOTROM_FUNC) halt)();
}
}
__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
return report - end;
}
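Review bot: `is_subnormal` masks the shifted word with `0x7u`, which tests only the low three of the eight exponent bits, so any float whose exponent field is a multiple of 8 is reported as subnormal; the mask should be `0xffu`. The function also returns 1 for ±0, so it needs a non-zero-mantissa test if zero must be told apart, and the `*((unsigned int *) &val)` cast breaks strict aliasing where a `memcpy` or union would not. In `_start`, `2 * end - start - 64 > 0` is an unsigned comparison that is true for every value except exactly zero, so it does not guard against wrap-around. Because the `while(1)` loop has no `break`, the final `mrs` and `return report - end;` are unreachable.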


@@ -8,6 +8,8 @@ typedef enum
PAYLOAD_AES,
PAYLOAD_AES_BUSY,
PAYLOAD_AES_SW,
PAYLOAD_BOOTSTRAP,
PAYLOAD_FLOPPYSLEEP,
PAYLOAD_SYNC,
PAYLOAD_SYSREG,
PAYLOAD_TASK_SLEEP_TEST


@@ -3,6 +3,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <float.h>
#include "command.h"
#include "payload.h"
@@ -43,104 +44,6 @@ void checkm8_debug_block(const char *format, ...)
#endif
}
void write_aes_utils(struct pwned_device *dev)
{
unsigned char sbox[256] =
{
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
};
unsigned char rc_lookup[11] = {0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c};
unsigned char mul2_lookup[256] =
{
0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e,
0x20, 0x22, 0x24, 0x26, 0x28, 0x2a, 0x2c, 0x2e, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3a, 0x3c, 0x3e,
0x40, 0x42, 0x44, 0x46, 0x48, 0x4a, 0x4c, 0x4e, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5a, 0x5c, 0x5e,
0x60, 0x62, 0x64, 0x66, 0x68, 0x6a, 0x6c, 0x6e, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7a, 0x7c, 0x7e,
0x80, 0x82, 0x84, 0x86, 0x88, 0x8a, 0x8c, 0x8e, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9a, 0x9c, 0x9e,
0xa0, 0xa2, 0xa4, 0xa6, 0xa8, 0xaa, 0xac, 0xae, 0xb0, 0xb2, 0xb4, 0xb6, 0xb8, 0xba, 0xbc, 0xbe,
0xc0, 0xc2, 0xc4, 0xc6, 0xc8, 0xca, 0xcc, 0xce, 0xd0, 0xd2, 0xd4, 0xd6, 0xd8, 0xda, 0xdc, 0xde,
0xe0, 0xe2, 0xe4, 0xe6, 0xe8, 0xea, 0xec, 0xee, 0xf0, 0xf2, 0xf4, 0xf6, 0xf8, 0xfa, 0xfc, 0xfe,
0x1b, 0x19, 0x1f, 0x1d, 0x13, 0x11, 0x17, 0x15, 0x0b, 0x09, 0x0f, 0x0d, 0x03, 0x01, 0x07, 0x05,
0x3b, 0x39, 0x3f, 0x3d, 0x33, 0x31, 0x37, 0x35, 0x2b, 0x29, 0x2f, 0x2d, 0x23, 0x21, 0x27, 0x25,
0x5b, 0x59, 0x5f, 0x5d, 0x53, 0x51, 0x57, 0x55, 0x4b, 0x49, 0x4f, 0x4d, 0x43, 0x41, 0x47, 0x45,
0x7b, 0x79, 0x7f, 0x7d, 0x73, 0x71, 0x77, 0x75, 0x6b, 0x69, 0x6f, 0x6d, 0x63, 0x61, 0x67, 0x65,
0x9b, 0x99, 0x9f, 0x9d, 0x93, 0x91, 0x97, 0x95, 0x8b, 0x89, 0x8f, 0x8d, 0x83, 0x81, 0x87, 0x85,
0xbb, 0xb9, 0xbf, 0xbd, 0xb3, 0xb1, 0xb7, 0xb5, 0xab, 0xa9, 0xaf, 0xad, 0xa3, 0xa1, 0xa7, 0xa5,
0xdb, 0xd9, 0xdf, 0xdd, 0xd3, 0xd1, 0xd7, 0xd5, 0xcb, 0xc9, 0xcf, 0xcd, 0xc3, 0xc1, 0xc7, 0xc5,
0xfb, 0xf9, 0xff, 0xfd, 0xf3, 0xf1, 0xf7, 0xf5, 0xeb, 0xe9, 0xef, 0xed, 0xe3, 0xe1, 0xe7, 0xe5
};
unsigned char mul3_lookup[256] =
{
0x00, 0x03, 0x06, 0x05, 0x0c, 0x0f, 0x0a, 0x09, 0x18, 0x1b, 0x1e, 0x1d, 0x14, 0x17, 0x12, 0x11,
0x30, 0x33, 0x36, 0x35, 0x3c, 0x3f, 0x3a, 0x39, 0x28, 0x2b, 0x2e, 0x2d, 0x24, 0x27, 0x22, 0x21,
0x60, 0x63, 0x66, 0x65, 0x6c, 0x6f, 0x6a, 0x69, 0x78, 0x7b, 0x7e, 0x7d, 0x74, 0x77, 0x72, 0x71,
0x50, 0x53, 0x56, 0x55, 0x5c, 0x5f, 0x5a, 0x59, 0x48, 0x4b, 0x4e, 0x4d, 0x44, 0x47, 0x42, 0x41,
0xc0, 0xc3, 0xc6, 0xc5, 0xcc, 0xcf, 0xca, 0xc9, 0xd8, 0xdb, 0xde, 0xdd, 0xd4, 0xd7, 0xd2, 0xd1,
0xf0, 0xf3, 0xf6, 0xf5, 0xfc, 0xff, 0xfa, 0xf9, 0xe8, 0xeb, 0xee, 0xed, 0xe4, 0xe7, 0xe2, 0xe1,
0xa0, 0xa3, 0xa6, 0xa5, 0xac, 0xaf, 0xaa, 0xa9, 0xb8, 0xbb, 0xbe, 0xbd, 0xb4, 0xb7, 0xb2, 0xb1,
0x90, 0x93, 0x96, 0x95, 0x9c, 0x9f, 0x9a, 0x99, 0x88, 0x8b, 0x8e, 0x8d, 0x84, 0x87, 0x82, 0x81,
0x9b, 0x98, 0x9d, 0x9e, 0x97, 0x94, 0x91, 0x92, 0x83, 0x80, 0x85, 0x86, 0x8f, 0x8c, 0x89, 0x8a,
0xab, 0xa8, 0xad, 0xae, 0xa7, 0xa4, 0xa1, 0xa2, 0xb3, 0xb0, 0xb5, 0xb6, 0xbf, 0xbc, 0xb9, 0xba,
0xfb, 0xf8, 0xfd, 0xfe, 0xf7, 0xf4, 0xf1, 0xf2, 0xe3, 0xe0, 0xe5, 0xe6, 0xef, 0xec, 0xe9, 0xea,
0xcb, 0xc8, 0xcd, 0xce, 0xc7, 0xc4, 0xc1, 0xc2, 0xd3, 0xd0, 0xd5, 0xd6, 0xdf, 0xdc, 0xd9, 0xda,
0x5b, 0x58, 0x5d, 0x5e, 0x57, 0x54, 0x51, 0x52, 0x43, 0x40, 0x45, 0x46, 0x4f, 0x4c, 0x49, 0x4a,
0x6b, 0x68, 0x6d, 0x6e, 0x67, 0x64, 0x61, 0x62, 0x73, 0x70, 0x75, 0x76, 0x7f, 0x7c, 0x79, 0x7a,
0x3b, 0x38, 0x3d, 0x3e, 0x37, 0x34, 0x31, 0x32, 0x23, 0x20, 0x25, 0x26, 0x2f, 0x2c, 0x29, 0x2a,
0x0b, 0x08, 0x0d, 0x0e, 0x07, 0x04, 0x01, 0x02, 0x13, 0x10, 0x15, 0x16, 0x1f, 0x1c, 0x19, 0x1a
};
struct dev_cmd_resp *resp;
resp = write_gadget(dev, 0x180154000, sbox, 256);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write sbox\n");
return;
}
free_dev_cmd_resp(resp);
resp = write_gadget(dev, 0x180154000 + 256, rc_lookup, 11);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write rc lookup\n");
return;
}
free_dev_cmd_resp(resp);
resp = write_gadget(dev, 0x180154000 + 256 + 16, mul2_lookup, 256);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write mul2 lookup\n");
return;
}
free_dev_cmd_resp(resp);
resp = write_gadget(dev, 0x180154000 + 512 + 16, mul3_lookup, 256);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write mul3 lookup\n");
return;
}
}
int main()
{
struct dev_cmd_resp *resp;
@@ -151,12 +54,6 @@ int main()
return -1;
}
unsigned char key[16] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd,
0xef};
unsigned char data[16] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe,
0xef};
if(IS_CHECKM8_FAIL(open_device_session(dev)))
{
printf("failed to open device session\n");
@@ -169,70 +66,38 @@ int main()
return -1;
}
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_AES_SW, SRAM)))
if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_FLOPPYSLEEP, SRAM)))
{
printf("failed to install task sleep payload\n");
return -1;
}
resp = write_gadget(dev, 0x180152000, key, 16);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write key to device\n");
return -1;
}
float init_a = -7.504355E-39f;
resp = write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float));
free_dev_cmd_resp(resp);
resp = write_gadget(dev, 0x180153000, data, 16);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write aes data\n");
return -1;
}
free_dev_cmd_resp(resp);
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to execute sync payload\n");
printf("failed to execute bootstrap\n");
return -1;
}
write_aes_utils(dev);
free_dev_cmd_resp(resp);
int i = 0;
while(1)
{
resp = execute_payload(dev, PAYLOAD_AES_SW, 0, 7,
0x180153000, 16, 0x180152000,
0x180154000, 0x180154000 + 256,
0x180154000 + 256 + 16, 0x180154000 + 512 + 16);
resp = execute_payload(dev, PAYLOAD_FLOPPYSLEEP, 0, 1, 0x180154000);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to execute sw AES payload\n");
printf("failed to execute flopsleep payload\n");
return -1;
}
printf("%i) op took %llu", i++, resp->retval);
printf("retval is %08lli\n", resp->retval);
free_dev_cmd_resp(resp);
resp = read_gadget(dev, 0x180153000, 16);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to read encrypted data from memory\n");
}
printf(" -> ");
for(int j = 0; j < 16; j++)
{
printf("%02x", resp->data[j]);
}
printf("\n");
free_dev_cmd_resp(resp);
usleep(1000000);
usleep(2000000);
}
close_device_session(dev);
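Review bot: The `write_gadget` call that stores `init_a` at `0x180154000` appears to be followed directly by `free_dev_cmd_resp(resp)` with no `IS_CHECKM8_FAIL(resp->ret)` check. This is read from the hunk's line counts, since the rendered page has lost the +/- column, but every other device call in `main` is checked. A failed write would go unnoticed and the payload would run on whatever was already at that address, so the call needs `if(IS_CHECKM8_FAIL(resp->ret)) { printf("failed to write init_a\n"); return -1; }` before the free. Two messages are now stale: `"failed to install task sleep payload\n"` guards the `PAYLOAD_FLOPPYSLEEP` install, and `"failed to execute bootstrap\n"` is printed for `PAYLOAD_SYNC`. The early `return -1` paths also leave `resp` unfreed and the device session open; `main` starts and ends outside this hunk.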


@@ -43,6 +43,16 @@ struct payload *get_payload(PAYLOAD_T p)
len = PAYLOAD_AES_SW_SZ;
break;
case PAYLOAD_BOOTSTRAP:
pl = payload_bootstrap;
len = PAYLOAD_BOOTSTRAP_SZ;
break;
case PAYLOAD_FLOPPYSLEEP:
pl = payload_floppysleep;
len = PAYLOAD_FLOPPYSLEEP_SZ;
break;
case PAYLOAD_SYNC:
pl = payload_sync;
len = PAYLOAD_SYNC_SZ;