def test_send(self, tap):
dev = self.dev
tap._link_detect()
dev.rxcpu.halt()
dev.sbds.block_disable()
dev.sdi.block_disable()
dev.sdc.block_disable()
dev.sbds.reset()
dev.sdi.reset()
dev.sdc.reset()
self.clear_txmbufs()
self.clear_txbds()
print "[+] saving initial state"
state = reutils.state_save(dev)
print "[+] submitting test packet to tap driver"
tap.send('\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x88\xb5' +
('\xaa\x55' * 25),
flags=("cpu_post_dma"))
usleep(10)
state = reutils.state_diff(dev, state)
dev.sdc.block_enable()
dev.sdi.block_enable()
dev.sbds.block_enable()
usleep(10)
state = reutils.state_diff(dev, state)
def test_send(self, tap):
dev = self.dev
tap._link_detect()
dev.rxcpu.halt()
dev.sbds.block_disable()
dev.sdi.block_disable()
dev.sdi.mode.pre_dma_debug = 1
print "[+] saving initial state"
state = reutils.state_save(dev)
print "[+] submitting test packet to tap driver"
tap.send('\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x88\xb5' + ('\xaa\x55' * 25), flags=("cpu_post_dma"))
usleep(10)
state = reutils.state_diff(dev, state)
dev.rdma.block_disable()
usleep(10)
state = reutils.state_diff(dev, state)
dev.sbds.block_enable()
usleep(10)
state = reutils.state_diff(dev, state)
dev.sdi.block_enable()
usleep(10)
state = reutils.state_diff(dev, state)
dev.rdma.block_enable()
usleep(10)
state = reutils.state_diff(dev, state)
def test_dmaw(self):
dev = self.dev
dev.rxcpu.halt()
dev.bufman.block_enable()
dev.grc.mode.pcie_tl_sel = 1
dev.grc.mode.pcie_pl_sel = 0
dev.grc.mode.pcie_hi1k_en = 0
buf_v = dev.interface.mm.alloc(0x80)
buf_p = dev.interface.mm.get_paddr(buf_v)
sbuf = cast(buf_v, POINTER(c_char * 0x80))
dev.wdma.block_disable()
dev.wdma.reset()
dev.hc.block_disable()
dev.hc.reset()
state = reutils.state_save(dev)
dev.hc.nic_diag_sbd_ci[0] = 4
dev.hc.status_block_host_addr_hi = buf_p >> 32
dev.hc.status_block_host_addr_low = buf_p & 0xffffffff
dev.hc.mode.no_int_on_force_update = 1
for i in range(0x3d00, 0x3e00, 4):
dev.reg[i >> 2] = 0xffffffff
dev.reg[0x3f04 >> 2] = 0xffffffff
state = reutils.state_diff(dev, state)
print "[*] coalescing"
dev.hc.mode.coalesce_now = 1
state = reutils.state_diff(dev, state)
print "[*] status block is now"
print " %s" % repr(sbuf.contents.raw)
print
dev.wdma.block_enable()
state = reutils.state_diff(dev, state)
print "[*] status block is now"
print " %s" % repr(sbuf.contents.raw)
print
print "[*] coalescing"
dev.hc.mode.coalesce_now = 1
state = reutils.state_diff(dev, state)
print "[*] status block is now"
print " %s" % repr(sbuf.contents.raw)
print
def spy_read(self, tap):
dev = self.dev
dev.sbdi.block_disable()
dev.sbdc.block_disable()
dev.sbds.block_disable()
dev.sdi.block_disable()
dev.sdc.block_disable()
dev.rxcpu.halt()
state = reutils.state_save(dev)
test_buf_v = dev.interface.mm.alloc(128)
test_buf_p = dev.interface.mm.get_paddr(test_buf_v)
print "[+] allocated test buffer at vaddr %x, paddr %x" % (test_buf_v, test_buf_p)
for i in range(128):
cast(test_buf_v, POINTER(c_char))[i] = '\xb4'
dev.mem.txbd[0].addr_hi = test_buf_p >> 32
dev.mem.txbd[0].addr_low = test_buf_p & 0xffffffff
dev.mem.txbd[0].flags.l4_cksum_offload = 0
dev.mem.txbd[0].flags.ip_cksum_offload = 0
dev.mem.txbd[0].flags.jumbo_frame = 0
dev.mem.txbd[0].flags.hdrlen_2 = 0
dev.mem.txbd[0].flags.snap = 0
dev.mem.txbd[0].flags.vlan_tag = 0
dev.mem.txbd[0].flags.coalesce_now = 0
dev.mem.txbd[0].flags.cpu_pre_dma = 0
dev.mem.txbd[0].flags.cpu_post_dma = 0
dev.mem.txbd[0].flags.hdrlen_3 = 0
dev.mem.txbd[0].flags.hdrlen_4 = 0
dev.mem.txbd[0].flags.hdrlen_5 = 0
dev.mem.txbd[0].flags.hdrlen_6 = 0
dev.mem.txbd[0].flags.hdrlen_7 = 0
dev.mem.txbd[0].flags.no_crc = 0
dev.mem.txbd[0].flags.packet_end = 1
dev.mem.txbd[0].length = 64
dev.mem.txbd[0].vlan_tag = 0
dev.mem.txbd[0].reserved = 0
print "[+] txbd[0] forged"
state = reutils.state_diff(dev, state)
dev.sbdi.ofs_48 = 0x210
print "[+] sbdi mailbox msg delivered"
state = reutils.state_diff(dev, state)
self.block_pump(dev.sdi)
state = reutils.state_diff(dev, state)
def pxediff(self):
dev = self.dev
cpu = dev.rxcpu
dev.nvram.init(wr=1)
if dev.nvram.getpxe():
was_enabled = True
dev.nvram.setpxe(1)
else:
was_enabled = False
dev.reset()
sleep(5)
initial = reutils.state_save(dev)
dev.reset()
usleep(1000)
dev.nvram.init(wr=1)
dev.nvram.setpxe()
dev.reset()
print "[+] press any key to continue..."
raw_input()
dev.interface.reattach()
dev.init()
self.read_oprom()
wpxe = reutils.state_diff(dev, initial)
dev.reset(quick=True)
cpu.mode.halt = 1
wpxei = reutils.state_diff(dev, wpxe)
if not was_enabled:
dev.reset()
dev.nvram.init(wr=1)
dev.nvram.setpxe(1)
dev.reset()
def asfdiff(self): dev = self.dev cpu = dev.rxcpu dev.nvram.init(wr=1) if dev.nvram.getasf(): was_enabled = True dev.nvram.setasf(1) else: was_enabled = False self.clear_txmbufs() self.clear_txbds() dev.reset() sleep(5) cpu.halt() initial = reutils.state_save(dev) dev.reset() usleep(1000) dev.reset(cold = False) usleep(1000) dev.nvram.init(wr=1) dev.nvram.setasf() self.clear_txmbufs() self.clear_txbds() dev.reset() sleep(5) cpu.halt() wasf = reutils.state_diff(dev, initial) if not was_enabled: dev.nvram.init(wr=1) dev.nvram.setasf(1) dev.reset()
def gate_send(self):
dev = self.dev
print "[+] constructing buffer:",
buf_vaddr = dev.interface.mm.alloc(1024)
buf = cast(buf_vaddr, POINTER(c_char))
for b in range(0, 1024, 4):
buf[b] = '\xde'
buf[b+1] = '\xad'
buf[b+2] = '\xbe'
buf[b+3] = '\xef'
buf_paddr = dev.interface.mm.get_paddr(buf_vaddr)
print "vaddr %x, paddr %x" % (buf_vaddr, buf_paddr)
print "[+] resetting device"
dev.mem.write_dword(0xe00, 0)
self.clear_txmbufs()
self.clear_txbds()
dev.reset()
if dev.mem.gencomm.dword[0xac] >> 16 != 0x88b5:
raise Exception("thundergate firmware does not appear to be runing.")
print "[+] posting command to local thundergate command window"
dev.mem.write_dword(0xe04, buf_paddr >> 32)
dev.mem.write_dword(0xe08, buf_paddr & 0xffffffff)
dev.mem.write_dword(0xe0c, 0x400)
dev.mem.write_dword(0xe00, 0x88b5000e)
print "[+] saving state"
initial = reutils.state_save(dev)
print "[+] setting sw event 0"
dev.grc.rxcpu_event.sw_event_0 = 1
cntr = 0
while (dev.grc.rxcpu_event.sw_event_0):
cntr += 1
if cntr > 100:
print "[!] timed out waiting for command completion"
break
usleep(100)
if cntr <= 100:
print "[+] command completed after usleeping for %d" % (cntr * 100)
if dev.mem.gencomm.dword[0xac] != 0x88b5000e:
print "[!] unexpected response: %08x" % dev.mem.gencomm.dword[0xac]
intermediate = reutils.state_diff(dev, initial)
for b in range(0, 1024, 4):
buf[b] = '\xba'
buf[b+1] = '\xad'
buf[b+2] = '\xd0'
buf[b+3] = '\x0d'
print "[+] setting sw event 0 again"
dev.grc.rxcpu_event.sw_event_0 = 1
cntr = 0
while (dev.grc.rxcpu_event.sw_event_0):
cntr += 1
if cntr > 100:
print "[!] timed out waiting for command completion"
break
usleep(100)
if cntr <= 100:
print "[+] command completed after usleeping for %d" % (cntr * 100)
if dev.mem.gencomm.dword[0xac] != 0x88b5000e:
print "[!] unexpected response: %08x" % dev.mem.gencomm.dword[0xac]
inter2 = reutils.state_diff(dev, intermediate)
print "[+] constructing new buffer:",
buf_vaddr = dev.interface.mm.alloc(1024)
buf = cast(buf_vaddr, POINTER(c_char))
for b in range(0, 1024, 4):
buf[b] = '\xab'
buf[b+1] = '\xcd'
buf[b+2] = '\xdc'
buf[b+3] = '\xba'
buf_paddr = dev.interface.mm.get_paddr(buf_vaddr)
print "vaddr %x, paddr %x" % (buf_vaddr, buf_paddr)
dev.mem.write_dword(0xe04, buf_paddr >> 32)
dev.mem.write_dword(0xe08, buf_paddr & 0xffffffff)
print "[+] setting sw event 0 again"
dev.grc.rxcpu_event.sw_event_0 = 1
cntr = 0
while (dev.grc.rxcpu_event.sw_event_0):
cntr += 1
if cntr > 100:
print "[!] timed out waiting for command completion"
break
usleep(100)
if cntr <= 100:
print "[+] command completed after usleeping for %d" % (cntr * 100)
if dev.mem.gencomm.dword[0xac] != 0x88b5000e:
print "[!] unexpected response: %08x" % dev.mem.gencomm.dword[0xac]
final = reutils.state_diff(dev, inter2)
def test_dmar(self, size=0x80, init=1, reset=0):
dev = self.dev
dev.rxcpu.halt()
dev.bufman.block_enable()
dev.grc.mode.pcie_tl_sel = 0
dev.grc.mode.pcie_pl_sel = 1
dev.grc.mode.pcie_hi1k_en = 1
dev.hpmb.box[tg.mb_rbd_standard_producer].low = 0
end = 0x6000 + (size * 4)
print "[+] clearing device memory from 0x6000 to 0x%04x" % end
for i in range(0x6000, end, 4):
dev.mem.write_dword(i, 0)
for i in range(0x6000, end, 4):
if dev.mem.read_dword(i) != 0:
raise Exception("buffer not clear")
print "[+] zapping rdi std rcb"
dev.rdi.std_rcb.host_addr_hi = 0
dev.rdi.std_rcb.host_addr_low = 0
dev.rdi.std_rcb.ring_size = 0
dev.rdi.std_rcb.max_frame_len = 0
dev.rdi.std_rcb.disable_ring = 0
dev.rdi.std_rcb.nic_addr = 0
vaddr = dev.interface.mm.alloc(4 * size)
paddr = dev.interface.mm.get_paddr(vaddr)
buf = ctypes.cast(vaddr, ctypes.POINTER(ctypes.c_uint32))
for i in range(size):
buf[i] = 0xaabbccdd;
state = reutils.state_save(dev)
print "[+] setting up standard rcb"
dev.rdi.std_rcb.host_addr_hi = (paddr >> 32)
dev.rdi.std_rcb.host_addr_low = (paddr & 0xffffffff)
dev.rdi.std_rcb.ring_size = 0x200
dev.rdi.std_rcb.max_frame_len = 0
dev.rdi.std_rcb.disable_ring = 0
dev.rdi.std_rcb.nic_addr = 0x6000
state = reutils.state_diff(dev, state)
print "[+] initiating dma read of sz %x to buffer at vaddr %x, paddr %x" % (size, vaddr, paddr)
dev.hpmb.box[tg.mb_rbd_standard_producer].low = size >> 3
blocks = ["rbdi", "rdma"]
for b in blocks:
o = getattr(dev, b)
o.block_enable(reset=reset)
state = reutils.state_diff(dev, state)
for i in range(0x6000, end, 4):
if dev.mem.read_dword(i) != buf[(i - 0x6000) >> 2]:
raise Exception("dma read test failed")
print "[+] dma read test complete"
dev.interface.mm.free(vaddr)