Example #1
    def test_mcu_patch_stm32f411(self):
        """Run the stm32f411 `patch_test` firmware with one instruction patched.

        The image path is relative to the test's working directory; only the
        three peripherals listed below are instantiated, so any other MMIO the
        firmware touches falls outside the modelled hardware.
        """
        image = "../examples/rootfs/mcu/stm32f411/patch_test.hex"
        ql = Qiling([image], archtype="cortex_m", env=stm32f411,
                    verbose=QL_VERBOSE.DEFAULT)

        # Peripherals required for the emulated window, created in this order.
        for peripheral in ('usart2', 'rcc', 'gpioa'):
            ql.hw.create(peripheral)

        # Two-byte overwrite at a firmware-specific flash address before the
        # run starts: 0xBF00 (little-endian here) is the Thumb `nop` encoding,
        # so the instruction originally at 0x80005CA is neutralised.
        ql.patch(0x80005CA, b'\x00\xBF')

        # Bounded run: an instruction budget, not an end address, stops it.
        ql.run(count=4000)

        del ql
Example #2
        def crack(passwd):
            """Emulate the backdoorlock firmware with *passwd* queued on USART1.

            Returns True when the core stops with its PC at 0x8003225 (the
            `end` address given to `run`) within the instruction budget, and
            False when the budget ran out before that address was reached.
            """
            image = "../examples/rootfs/mcu/stm32f407/backdoorlock.hex"
            ql = Qiling([image],
                        archtype="cortex_m",
                        profile="stm32f407",
                        verbose=QL_VERBOSE.OFF)

            # Peripherals the firmware needs, created in this order.
            for name in ('spi2', 'gpioe', 'gpiof', 'usart1', 'rcc'):
                ql.hw.create(name)

            print('Testing passwd', passwd)

            # Each entry overwrites `n` Thumb instructions with `nop`
            # (0xBF00, little-endian bytes below) at a firmware-specific
            # address; the offsets are tied to this exact image.
            nop = b'\x00\xBF'
            for addr, n in ((0x8000238, 4), (0x80031e4, 11),
                            (0x80032f8, 13), (0x80013b8, 10)):
                ql.patch(addr, nop * n)

            # Candidate is queued on the UART before the run; the trailing CR
            # is presumably the line terminator the firmware waits for — confirm.
            ql.hw.usart1.send(passwd.encode() + b'\r')

            # NOTE(review): systick ratio scales the timer relative to executed
            # instructions — verify exact meaning against the hw model.
            ql.hw.systick.set_ratio(400)

            # Stop at the end address or after 400000 instructions, whichever
            # comes first.
            ql.run(count=400000, end=0x8003225)

            return ql.arch.get_pc() == 0x8003225
Example #3
def crack(passwd):
    """Emulate the backdoorlock firmware with *passwd* queued on USART1.

    Prints a success line when the core stops with its effective PC at
    0x8003225 (the `end` address passed to `run`) within the instruction
    budget, and a failure line otherwise. Nothing is returned.
    """
    image = "../../examples/rootfs/mcu/stm32f407/backdoorlock.hex"
    ql = Qiling([image],
                archtype="cortex_m",
                env=stm32f407,
                verbose=QL_VERBOSE.OFF)

    # Peripherals the firmware needs, created in this order.
    for name in ('spi2', 'gpioe', 'gpiof', 'usart1', 'rcc'):
        ql.hw.create(name)

    # Dump the instantiated hardware layout before running.
    ql.hw.show_info()

    print('Testing passwd', passwd)

    # Each entry overwrites `n` Thumb instructions with `nop` (0xBF00,
    # little-endian bytes below) at a firmware-specific address; the
    # offsets are tied to this exact image.
    nop = b'\x00\xBF'
    for addr, n in ((0x8000238, 4), (0x80031e4, 11),
                    (0x80032f8, 13), (0x80013b8, 10)):
        ql.patch(addr, nop * n)

    # Candidate is queued on the UART before the run; the trailing CR is
    # presumably the line terminator the firmware waits for — confirm.
    ql.hw.usart1.send(passwd.encode() + b'\r')

    # NOTE(review): systick ratio scales the timer relative to executed
    # instructions — verify exact meaning against the hw model.
    ql.hw.systick.set_ratio(100)

    # Stop at the end address or after 1000000 instructions, whichever
    # comes first.
    ql.run(count=1000000, end=0x8003225)

    reached_end = ql.arch.effective_pc == 0x8003225
    if reached_end:
        print('Success, the passwd is', passwd)
    else:
        print('Fail, the passwd is not', passwd)

    del ql