def install():
    """Load the prdbg kernel module on an adb-attached Android device.

    Every step shells out through adb and its raw output is logged with
    output.Info; apart from the two re.search probes below no step's
    success is verified, so a failing step is only visible in the log.
    """
    def shell(command):
        # Run one adb command and log whatever it printed.
        result = utils.runGetOutput([command], 1)
        output.Info(result)
        return result

    # Unload a previously loaded instance so the insmod below starts clean.
    if re.search('prdbg', shell('adb shell lsmod')):
        shell('adb shell su -c "rmmod prdbg"')

    # Unhide kernel addresses in /proc/kallsyms.  NOTE(review): this
    # lowers the device-wide kptr_restrict hardening for every process and
    # nothing in this module's uninstall path restores the previous value.
    shell('adb shell su -c "echo 0 > /proc/sys/kernel/kptr_restrict"')

    # Push the user-space gofer helper and the kernel driver.
    shell('adb push ./gofer/gofer /data/local/tmp')
    shell('adb push ./driver/prdbg.ko /data/local/tmp')

    # Load the driver.
    shell('adb shell su -c "insmod /data/local/tmp/prdbg.ko"')

    # Create the character device only when it is missing.  NOTE(review):
    # the probe has no 2>&1, so whether the "No such file" message from ls
    # is seen depends on runGetOutput capturing stderr — confirm.
    if re.search('No such file or directory', shell('adb shell ls /dev/prdbg')):
        shell('adb shell su -c "/data/local/tmp/busybox mknod /dev/prdbg c 500 1"')
        # NOTE(review): mode 666 makes a node that reads and writes kernel
        # memory writable by every local process; if the gofer is always
        # invoked through su, an owner-only mode would limit that exposure.
        shell('adb shell su -c "chmod 666 /dev/prdbg"')
def install():
    """Load the prdbg kernel module on the local Linux host.

    Each step runs through utils.runGetOutput (with sudo where root is
    needed) and its raw output is logged via output.Info; apart from the
    two re.search probes below no step's success is verified.
    """
    def run(command):
        # Run one host command and log whatever it printed.
        result = utils.runGetOutput([command], 1)
        output.Info(result)
        return result

    # Unload a previously loaded instance so the insmod below starts clean.
    if re.search('prdbg', run('lsmod')):
        run('sudo rmmod prdbg')

    # Unhide kernel addresses in /proc/kallsyms (tee is used because the
    # redirect itself needs root).  NOTE(review): this lowers kptr_restrict
    # system-wide and nothing here restores the previous value afterwards.
    run('echo 0 | sudo tee /proc/sys/kernel/kptr_restrict')

    # Stage the user-space gofer helper where the other commands expect it.
    run('cp ./gofer/gofer /tmp')

    # Load the driver.
    run('sudo insmod ./driver/prdbg.ko')

    # Create the character device only when it is missing (2>&1 so the
    # "No such file" message from ls is captured together with stdout).
    if re.search('No such file or directory', run('ls /dev/prdbg 2>&1')):
        run('sudo mknod /dev/prdbg c 500 1')
        # NOTE(review): mode 666 lets every local user talk to a device
        # that reads and writes kernel memory; the unprivileged
        # /tmp/gofer invocations appear to rely on it, so tightening the
        # mode means running the gofer with matching privileges instead.
        run('sudo chmod 666 /dev/prdbg')
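def writeCode(addr, data):
    """Write the byte string *data* into kernel code at *addr* via the gofer.

    The bytes travel on the command line as space-separated two-digit hex
    values, so the argument grows with len(data) (unchanged from the
    original design).  The gofer's reply is only logged; returns None.
    """
    # One pass over the payload: the original re-sliced the string for
    # every byte, which is O(n**2) in the payload length.  bytearray
    # iteration yields ints for both str (Python 2) and bytes (Python 3).
    hexbytes = ''.join(' %02X' % b for b in bytearray(data))
    cmd = [('/tmp/gofer MEMWRITECODE %X' % addr) + hexbytes]
    text = utils.runGetOutput(cmd, 1)
    Info(text)
    return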
def read(addr, amt):
    """Read *amt* bytes of kernel memory starting at *addr* via the gofer.

    When the module-level ``prefer_kmem`` flag is set the gofer's RMDK
    command is used, otherwise MEMREAD; both take the address and an
    ``L``-prefixed length in hex.  The raw reply is logged and then
    decoded by parsing.parseBytesFromHexDump.
    """
    verb = 'RMDK' if prefer_kmem else 'MEMREAD'
    command = ['/tmp/gofer %s %X L%X' % (verb, addr, amt)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
    return parsing.parseBytesFromHexDump(reply)
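def write(addr, data):
    """Write the byte string *data* to kernel memory at *addr* via the gofer.

    Uses the gofer's WMDK command when the module-level ``prefer_kmem``
    flag is set, MEMWRITE otherwise.  Each byte is appended to the command
    line as a two-digit hex value, so the argument grows with len(data).
    The gofer's reply is only logged; returns None.
    """
    verb = 'WMDK' if prefer_kmem else 'MEMWRITE'
    # One pass over the payload: the original re-sliced the string for
    # every byte, which is O(n**2) in the payload length.  bytearray
    # iteration yields ints for both str (Python 2) and bytes (Python 3).
    hexbytes = ''.join(' %02X' % b for b in bytearray(data))
    cmd = ['/tmp/gofer %s %X%s' % (verb, addr, hexbytes)]
    text = utils.runGetOutput(cmd, 1)
    Info(text)
    return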
def vmalloc(amt):
    """Allocate *amt* bytes of kernel memory through the gofer.

    Runs the gofer's VMALLOC command with the size in hex, logs the reply
    and returns the address parsed from it by parsing.parseHexValue.
    """
    command = ['/tmp/gofer VMALLOC %X' % (amt,)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
    return parsing.parseHexValue(reply)
def call(addr, arg):
    """Ask the gofer on the device to call the kernel function at *addr*.

    Only *addr* is sent (in hex, via adb/su); *arg* is accepted but not
    forwarded to the gofer by this code.  The reply is logged and nothing
    is returned.
    """
    command = ['adb shell su -c "/data/local/tmp/gofer CALL %X"' % (addr,)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
def vfree(addr):
    """Release kernel memory previously obtained from vmalloc().

    Runs the gofer's VFREE command on the device through adb/su with
    *addr* in hex and logs the reply.  Returns None.
    """
    command = ['adb shell su -c "/data/local/tmp/gofer VFREE %X"' % (addr,)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
def getKAllSyms():
    """Return the raw text of /proc/kallsyms from the local host.

    kptr_restrict is cleared first so symbol addresses are not masked to
    zero; that write's output is logged with output.Info, while the
    kallsyms dump itself is returned unlogged.
    NOTE(review): the write here is a plain shell redirect with no sudo
    (the install routine uses ``sudo tee``), so it only succeeds when the
    caller already runs as root — confirm the intended privilege level.
    It also lowers a system-wide hardening setting that is not restored.
    """
    reply = utils.runGetOutput(['echo 0 > /proc/sys/kernel/kptr_restrict'], 1)
    output.Info(reply)
    return utils.runGetOutput(['cat /proc/kallsyms'], 1)
def uninstall():
    """Unload the prdbg kernel module if lsmod reports it as loaded.

    Both command outputs are logged via output.Info.  NOTE(review): the
    kptr_restrict value cleared at install time is not restored here and
    the /dev/prdbg node is left in place.
    """
    listing = utils.runGetOutput(['lsmod'], 1)
    output.Info(listing)
    if not re.search('prdbg', listing):
        return
    result = utils.runGetOutput(['sudo rmmod prdbg'], 1)
    output.Info(result)
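def disassemble(addr, data, toolchainSettings, **kwargs):
	"""Disassemble the byte string *data* as if it were loaded at *addr*.

	The bytes are wrapped in a ``.byte`` directive, assembled, relocated to
	*addr* with a generated linker script and fed to objdump -d; each line
	of that output is then parsed with parseObjdumpDisasmLine.

	toolchainSettings keys read here: 'as', 'as_flags', 'ld', 'objdump',
	'objdump_flags' (all inserted unquoted into shell command lines, so
	they must come from trusted configuration) and the optional
	'DONT_ALIGN' flag that disables the 4-byte padding.

	kwargs: littleEnd (default True) is forwarded to the line parser;
	verbose (default False) echoes the commands, keeps the temp files and
	prints their paths instead of deleting them.

	Returns a pair of lists (instrBytes, instrStrings) with one entry per
	parsed instruction line.
	"""
	littleEnd = kwargs.get('littleEnd', True)
	verbose = kwargs.get('verbose', False)

	# objdump doesn't like unaligned sections: pull addr down to a 4-byte
	# boundary, prefixing zero bytes so every original byte keeps its
	# address, then zero-pad the tail to a multiple of 4.
	if 'DONT_ALIGN' not in toolchainSettings:
		prepad = addr % 4
		data = '\x00' * prepad + data
		addr -= prepad
		data += '\x00' * (-len(data) % 4)

	(asm_handle, asm_name) = tempfile.mkstemp(suffix='.s')
	(obj0_handle, obj0_name) = tempfile.mkstemp(suffix='.o')
	(obj1_handle, obj1_name) = tempfile.mkstemp(suffix='.o')
	(ld_handle, ld_name) = tempfile.mkstemp(suffix='.ld')
	# The toolchain writes the object files itself, so the descriptors
	# mkstemp opened for them are released now (the original never closed
	# obj1_handle).
	os.close(obj0_handle)
	os.close(obj1_handle)

	try:
		# asm input: one .byte directive listing the payload in hex, built
		# in a single pass (bytearray yields ints for both Python 2 str and
		# Python 3 bytes payloads).
		hexbytes = ', '.join('0x%02X' % b for b in bytearray(data))
		with os.fdopen(asm_handle, 'w') as asm_obj:
			asm_obj.write(('.byte ' + hexbytes).rstrip() + "\n")

		# assemble to object file
		cmd = '%s %s %s -o %s' % \
				(toolchainSettings['as'], toolchainSettings['as_flags'], asm_name, obj0_name)
		utils.runGetOutput(cmd, verbose)

		# linker script placing .text at the requested address
		with os.fdopen(ld_handle, 'w') as ld_obj:
			ld_obj.write("SECTIONS\n")
			ld_obj.write("{\n")
			ld_obj.write("  . = 0x%X;\n" % addr)
			ld_obj.write("  .text . : { %s(.text) }\n" % obj0_name)
			ld_obj.write("}\n")

		# link object file to new object file with the relocation of .text
		cmd = '%s %s --script %s -o %s' % (toolchainSettings['ld'], obj0_name, ld_name, obj1_name)
		utils.runGetOutput(cmd, verbose)

		# Replace all '$d' mapping symbols with '$a' so objdump won't
		# distinguish between code and data within .text (see "mapping
		# symbols" in the ARM EABI).  Best effort: some ELFs have no string
		# table (eg: HC12), so a failure here is deliberately ignored.
		try:
			elf.replaceStrtabString(obj1_name, '$d', '$a')
		except Exception:
			pass

		# disassemble output file
		cmd = '%s -d %s %s' % (toolchainSettings['objdump'], toolchainSettings['objdump_flags'], obj1_name)
		disasm = utils.runGetOutput(cmd, verbose)
	finally:
		# Temp files are kept (and their paths shown) in verbose mode for
		# inspection; otherwise they are removed even when a step raised.
		if verbose:
			print("file input: " + asm_name)
			print("file obj0: " + obj0_name)
			print("file obj1: " + obj1_name)
			print("file linker: " + ld_name)
		else:
			for name in (asm_name, obj0_name, obj1_name, ld_name):
				os.unlink(name)

	# disasm looks like:
	# /tmp/tmpiCaOBI.o:	 file format elf64-x86-64
	#
	# Disassembly of section .text:
	#
	# 000000000040349d <.text>:
	#  40349d:	5b				   	pop	rbx
	#  40349e:	6a 01					push   0x1
	# ...
	# parseObjdumpDisasmLine returns a falsy value for anything that is
	# not an instruction line, so only those contribute to the result.
	instrBytes = []
	instrStrings = []
	for line in disasm.split("\n"):
		parsed = parseObjdumpDisasmLine(line, littleEnd=littleEnd)
		if not parsed:
			continue
		instrBytes.append(parsed[0])
		instrStrings.append(parsed[1])

	return (instrBytes, instrStrings)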
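# A disassembly line as printed by objdump -d, for example
# (arm)    192c: f8d8 300c 	ldr.w	r3, [r8, #12]
# (x86_64) 400520:	bf d4 05 40 00		  	mov	$0x4005d4,%edi
# Group 1 is the raw byte column between the address and the first tab.
_DISASM_LINE_RE = re.compile(r'^\s*(?:0x)?[a-f0-9]{1,16}:\s+' +
		r'(.*?)\t' +
		r'.*')

# A symbol table row as printed by objdump -t, for example
# 00000000 l	d  .text	00000000 .text
# deadbef0 l	   *ABS*	00000000 MARKER_ORIG_BYTES0
# 00000060 l	   .text	00000000 context
# Note the address and size columns are fixed at 8 hex digits, so only
# 32-bit style output is recognized.
_SYMTAB_LINE_RE = re.compile(r'^' +
		r'(?P<val_addr>[a-f0-9]{8})\s+' +
		r'(?P<flags>[lgu\!wCWIidDFfo ]+)\s+' +
		r'(?P<section>\S+)\s+' +
		r'(?P<align_size>[a-f0-9]{8})\s+' +
		r'(?P<name>\S+)\s*' +
		r'$')


def _parseAssembledBytes(disasm):
	# Concatenate the decoded byte columns of every instruction line in
	# objdump -d output; non-matching lines contribute nothing.
	return ''.join(parsing.parseDwordsWordsBytes(m.group(1))
			for m in (_SYMTAB_LINE_RE.match(line) if False else _DISASM_LINE_RE.match(line)
				for line in disasm.split("\n"))
			if m)


def _parseSymbolTable(symtab):
	# Map symbol name -> value/address from objdump -t output.  Rows that
	# do not match the pattern are skipped; a repeated name keeps the
	# last value seen, as the original dict assignment did.
	syms = {}
	for line in symtab.split("\n"):
		m = _SYMTAB_LINE_RE.match(line)
		if m:
			syms[m.group('name')] = int(m.group('val_addr'), 16)
	return syms


def assemble(source, toolchainSettings, **kwargs):
	"""Assemble the text *source* and return ``[blob, syms]``.

	*source* is written to a temp .s file and assembled with
	toolchainSettings['as'] / ['as_flags']; the object is then read back
	with toolchainSettings['objdump'] / ['objdump_flags'] (``-d`` for the
	bytes, ``-t`` for the symbol table).  All of these values are inserted
	unquoted into shell command lines and must come from trusted
	configuration.

	kwargs: verbose (default False) echoes the commands, prints the temp
	file names and keeps the files for inspection instead of deleting them.

	Returns a two-element list: the assembled bytes as a string (decoded
	by parsing.parseDwordsWordsBytes) and a dict mapping symbol name to
	its value/address.  Only 32-bit (8-hex-digit) symbol table rows are
	recognized; others are silently skipped.
	"""
	verbose = kwargs.get('verbose', False)

	(asm_handle, asm_name) = tempfile.mkstemp(suffix='.s')
	(obj0_handle, obj0_name) = tempfile.mkstemp(suffix='.o')
	# The assembler writes the object file itself; release the descriptor
	# mkstemp opened for it (the original leaked it).
	os.close(obj0_handle)

	if verbose:
		print("asm_name: %s" % asm_name)
		print("obj0_name: %s" % obj0_name)

	try:
		# create asm input file
		with os.fdopen(asm_handle, 'w') as asm_obj:
			asm_obj.write(source + "\n")

		# assemble to object file
		cmd = '%s %s %s -o %s' % \
				(toolchainSettings['as'], toolchainSettings['as_flags'], asm_name, obj0_name)
		utils.runGetOutput(cmd, verbose)

		# read the assembled bytes back out of the disassembly
		cmd = '%s -d %s %s' % (toolchainSettings['objdump'], toolchainSettings['objdump_flags'], obj0_name)
		blob = _parseAssembledBytes(utils.runGetOutput(cmd, verbose))

		# read the symbol table
		cmd = '%s -t %s %s' % (toolchainSettings['objdump'], toolchainSettings['objdump_flags'], obj0_name)
		syms = _parseSymbolTable(utils.runGetOutput(cmd, verbose))
	finally:
		# Temp files are kept for inspection in verbose mode; otherwise
		# they are removed even if a step above raised.
		if not verbose:
			os.unlink(asm_name)
			os.unlink(obj0_name)

	return [blob, syms]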
def getKAllSyms():
    """Return the raw /proc/kallsyms text from the adb-attached device.

    kptr_restrict is cleared first (via su) so symbol addresses are not
    masked to zero; that write's output is logged with output.Info, while
    the kallsyms dump itself is returned unlogged.
    NOTE(review): this lowers a device-wide hardening setting and nothing
    in this function puts it back afterwards.
    """
    reply = utils.runGetOutput(['adb shell su -c "echo 0 > /proc/sys/kernel/kptr_restrict"'], 1)
    output.Info(reply)
    return utils.runGetOutput(['adb shell su -c "cat /proc/kallsyms"'], 1)
def uninstall():
    """Unload the prdbg module from the device if lsmod reports it loaded.

    Both command outputs are logged via output.Info.  NOTE(review): the
    kptr_restrict value cleared at install time is not restored here and
    the /dev/prdbg node is left in place.
    """
    listing = utils.runGetOutput(['adb shell lsmod'], 1)
    output.Info(listing)
    if not re.search('prdbg', listing):
        return
    result = utils.runGetOutput(['adb shell su -c "rmmod prdbg"'], 1)
    output.Info(result)
def vfree(addr):
    """Release kernel memory previously obtained from vmalloc().

    Runs the gofer's VFREE command with *addr* in hex and logs the reply.
    Returns None.
    """
    command = ['/tmp/gofer VFREE %X' % (addr,)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
def vmalloc(amt):
    """Allocate *amt* bytes of kernel memory through the gofer on the device.

    Runs the gofer's VMALLOC command via adb/su with the size in hex, logs
    the reply and returns the address parsed from it by
    parsing.parseHexValue.
    """
    command = ['adb shell su -c "/data/local/tmp/gofer VMALLOC %X"' % (amt,)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
    return parsing.parseHexValue(reply)
def call(addr, arg):
    """Ask the gofer to call the kernel function at *addr*.

    Only *addr* is sent (in hex); *arg* is accepted but not forwarded to
    the gofer by this code.  The reply is logged and nothing is returned.
    """
    command = ['/tmp/gofer CALL %X' % (addr,)]
    reply = utils.runGetOutput(command, 1)
    Info(reply)
import utils

def _remove_matching(pattern):
    # Delete every file matching *pattern*, announcing each one.
    print("deleting %s" % pattern)
    matches = glob.glob(pattern)
    for idx, path in enumerate(matches):
        print('deleting %s (%d/%d)' % (path, idx, len(matches)))
        os.remove(path)


# Clear leftovers from a previous run.  NOTE(review): tempjpgs, picsjpgs
# and tempdir are not defined in this snippet; presumably they are set
# earlier in the file — verify before running.
_remove_matching(tempjpgs)

print("copying while resizing files to ~/Downloads/tmp")
sources = sorted(glob.glob(picsjpgs))
for idx, srcPath in enumerate(sources):
    dstPath = os.path.join(tempdir, '%06d.JPG' % idx)
    # NOTE(review): srcPath is interpolated into a shell command line
    # unquoted, so a filename containing spaces or shell metacharacters
    # breaks (or alters) the command; quote it, or pass argv as a list if
    # utils.runGetOutput supports that.
    cmd = 'convert %s -resize 640x480 %s' % (srcPath, dstPath)
    print('calling `%s` (%d/%d)' % (cmd, idx, len(sources)))
    utils.runGetOutput(cmd)

print("encoding files")
cmd = 'ffmpeg -framerate 4 -i %s/%%06d.JPG -c:v libx264 -r 30 -pix_fmt yuv420p derp.mp4' % tempdir
print("calling `%s`" % cmd)
utils.runGetOutput(cmd)

# Destructive step: wait for the user to confirm before touching the camera.
print("about to delete files from camera! press ctrl+c to quit!")
raw_input()

_remove_matching(picsjpgs)