def fclose(state):
# 4th Lifecycle: TA_InvokeCommandEntryPoint
# FCLOSE
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FCLOSE, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FCLOSE in InvokeCommand
param0_a = state.globals['current_object_handle_ptr'].append_annotation(
UserInput("param0_a_fclose")
) # needs to be set to the memory, where the file was opened with f_open
param0_b = claripy.BVV(0x0,
32).append_annotation(UserInput("param0_b_fclose"))
param0_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param0_type_fclose"))
param0 = TCParam(param0_type, param0_a, param0_b)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(TEECParamType.TEEC_NONE, None, None)
param3 = TCParam(TEECParamType.TEEC_NONE, None, None)
params = TCParams(param0, param1, param2, param3)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def open_session(state):
# 1st Lifecycle: TA_OpenSessionEntryPoint
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.OPEN_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for OpenSession
test = True
if test:
param2_buf = b"\x00\x00\x00\x00"
param3_buf = b"/system/bin/tee_test_store\x00"
else:
signature = "" \
+ "E02C5AB97A2B3A8A5996223CDE06B82B2D4FF5B15CAF65B860D5C7A3D68995AB08620BB75A22FE7673A8A1ABA03E17B651D1FC4D5CBDBAE9E7" \
+ "3EEEAF5A1D4D2FB73E7000231E0DB2166D0FC5DD97E705FD66546C9DA38ED4EFA2CCCDD238AD32E39821242B0195DF01D9B97242DBF209EDA8" \
+ "E446E043244B84E6BFCA79D7BB3C1924CDD248EDBD600EFF8F73001A89A4C663DB8970E3288B9431524C361E853B8FA29E04E61EBE6FBDBD87" \
+ "CDBD3EEB47B027B5851BDEAA13A23F43967A030E747EA432652CBB34FDDE61049BF5060C813FB0E93F6BAD9D36F4D4551195EA3BB49E9201AA" \
+ "6DF975AE169E214905DE2579D7CC3C3EAC4594B14AC19D7E39C5C267"
signature_bytes = bytes.fromhex(signature)
exponent = struct.pack("<I", 0x0) + b"\x03"
param2_buf = struct.pack(
"<I", len(signature_bytes)) + signature_bytes + exponent
param3_buf = b"com.huawei.hidisk\x00"
param2_len = claripy.BVV(len(param2_buf), 32).append_annotation(
UserInput("param2_len_open_session"))
param3_len = claripy.BVV(len(param3_buf) - 1, 32).append_annotation(
UserInput("param3_len_open_session")) # -1 because of nullbyte
param2_buf = claripy.BVV(param2_buf,
len(param2_buf) * 8).append_annotation(
UserInput("param2_buf_open_session"))
param3_buf = claripy.BVV(param3_buf,
len(param3_buf) * 8).append_annotation(
UserInput("param3_buf_open_session"))
param2_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param2_type_open_session"))
param3_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param3_type_open_session"))
param0 = TCParam(TEECParamType.TEEC_NONE, None, None)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(param2_type, param2_buf, param2_len)
param3 = TCParam(param3_type, param3_buf, param3_len)
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def close_session(state):
# 5th Lifecylce: TA_CloseSessionEntryPoint
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.CLOSE_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for CloseSession
param0 = TCParam(TEECParamType.TEEC_NONE, None, None)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(TEECParamType.TEEC_NONE, None, None)
param3 = TCParam(TEECParamType.TEEC_NONE, None, None)
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def fopen(state):
# 2nd Lifecycle: TA_InvokeCommandEntryPoint
# FOPEN
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FOPEN, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FOPEN in InvokeCommand
param0_buf = b"sec_storage_data/test\x00"
param0_len = claripy.BVV(len(param0_buf) - 1, 32).append_annotation(
UserInput(src="param0_len_fopen")) # -1 because of nullbyte
param0_buf = claripy.BVV(param0_buf,
len(param0_buf) * 8).append_annotation(
UserInput("param0_buf_fopen"))
param0_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param0_type_fopen"))
param1_a = claripy.BVV(
DataFlags.TEE_DATA_FLAG_ACCESS_READ
| DataFlags.TEE_DATA_FLAG_ACCESS_WRITE
| DataFlags.TEE_DATA_FLAG_CREATE,
32).append_annotation(UserInput("param1_a_fopen_flags"))
param1_b = claripy.BVV(0,
32).append_annotation(UserInput("param1_b_fopen"))
param1_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param1_type_fopen"))
param0 = TCParam(param0_type, param0_buf, param0_len)
param1 = TCParam(param1_type, param1_a, param1_b)
param0 = create_empty_param("fopen_0", True)
param1 = create_empty_param("fopen_1", True)
param2 = create_empty_param("fopen_2", True)
param3 = create_empty_param("fopen_3", True)
params = TCParams(param0, param1, param2, param3)
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def create_empty_param(name_appendix="empty", watch=False):
param_a = claripy.BVS("param_a_" + name_appendix, 32).append_annotation(
UserInput("param_a_" + name_appendix))
param_b = claripy.BVS("param_b_" + name_appendix, 32).append_annotation(
UserInput("param_b_" + name_appendix))
param_type = claripy.BVS("param_type_" + name_appendix,
16).append_annotation(
UserInput("param_type_" + name_appendix))
return TCParam(param_type, param_a, param_b, watch)
def open_session(state):
# 1st Lifecycle: TA_OpenSessionEntryPoint
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.OPEN_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for OpenSession
param2_len = claripy.BVS("param2_len", 32).append_annotation(
UserInput("param2_len_open_session"))
param3_len = claripy.BVS("param3_len", 32).append_annotation(
UserInput("param3_len_open_session")) # -1 because of nullbyte
state.solver.add(claripy.And(param2_len >= 0, param2_len <= MAX_STRLEN))
state.solver.add(claripy.And(param3_len >= 0, param3_len <= MAX_STRLEN))
param2_buf = claripy.BVS("param2_buf", MAX_STRLEN * 8).append_annotation(
UserInput("param2_buf_open_session"))
param3_buf = claripy.BVS("param3_buf", MAX_STRLEN * 8).append_annotation(
UserInput("param3_buf_open_session"))
param2_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param2_type_open_session"))
param3_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param3_type_open_session"))
"""
param2_type = claripy.BVS("param2_type", 16).append_annotation(UserInput("param2_type_open_session"))
param3_type = claripy.BVS("param3_type", 16).append_annotation(UserInput("param3_type_open_session"))
"""
param0 = TCParam(TEECParamType.TEEC_NONE, None, None)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(param2_type, param2_buf, param2_len, True)
param3 = TCParam(param3_type, param3_buf, param3_len, True)
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type(
)) # param_types has 16 bit, but needs to be extended to architecture size
# TODO: store param_types to symbolics here
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def fwrite(state):
# 3rd Lifecycle: TA_InvokeCommandEntryPoint
# FREAD
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FWRITE, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FREAD in InvokeCommand
# TODO: dynamically pass fopen-memory-address via msg_snd/msg_rcv (if possible)
param0_a = state.globals['current_object_handle_ptr'].append_annotation(
UserInput("param0_a_fwrite")
) # needs to be set to the memory, where the file was opened with f_open
param0_b = claripy.BVV(0x0,
32).append_annotation(UserInput("param0_b_fwrite"))
param0_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param0_type_fwrite"))
param1_a = claripy.BVV(
b'Ich schreib was ich will!', 0x19 * 8
).append_annotation(
UserInput("param1_a_fwrite_inbuf")
) # needs to be set to the memory, where the file was opened with f_open
param1_b = claripy.BVV(0x19, 32).append_annotation(
UserInput("param1_b_fwrite_insize"))
param1_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param1_type_fwrite"))
param0 = TCParam(param0_type, param0_a, param0_b)
param1 = TCParam(param1_type, param1_a, param1_b, True)
param2 = create_empty_param("fwrite_2")
param3 = create_empty_param("fwrite_3")
params = TCParams(param0, param1, param2, param3)
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def fseek(state):
# 3rd Lifecycle: TA_InvokeCommandEntryPoint
# FREAD
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FSEEK, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FREAD in InvokeCommand
# TODO: dynamically pass fopen-memory-address via msg_snd/msg_rcv (if possible)
param0_a = state.globals['current_object_handle_ptr'].append_annotation(
UserInput("param0_a_fseek_obj_handle")
) # needs to be set to the memory, where the file was opened with f_open
param0_b = claripy.BVV(0x0, 32).append_annotation(
UserInput("param0_b_fseek_offset"))
param0_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param0_type_fseek"))
param1_a = claripy.BVV(TeeWhence.TEE_DATA_SEEK_SET, 32).append_annotation(
UserInput("param1_a_fseek_whence")
) # needs to be set to the memory, where the file was opened with f_open
param1_b = claripy.BVV(0x0,
32).append_annotation(UserInput("param1_b_fseek"))
param1_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param1_type_fseek"))
param0 = TCParam(param0_type, param0_a, param0_b)
param1 = TCParam(param1_type, param1_a, param1_b)
param2 = create_empty_param("fseek_2", True)
param3 = create_empty_param("fseek_3", True)
params = TCParams(param0, param1, param2, param3)
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def fwrite(state):
# 3rd Lifecycle: TA_InvokeCommandEntryPoint
# FREAD
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FWRITE, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FREAD in InvokeCommand
param0_a = state.globals['current_object_handle_ptr'].append_annotation(
UserInput("param0_a_fwrite_object_handle")
) # needs to be set to the memory, where the file was opened with f_open
param0_b = claripy.BVV(0x0,
32).append_annotation(UserInput("param0_b_fwrite"))
param0_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param0_type_fwrite"))
param1_a = claripy.BVV(
b'Ich schreib was ich will!', 0x19 * 8
).append_annotation(
UserInput("param1_a_fwrite_inbuf")
) # needs to be set to the memory, where the file was opened with f_open
param1_b = claripy.BVV(0x19, 32).append_annotation(
UserInput("param1_b_fwrite_insize"))
param1_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param1_type_fwrite"))
param0 = TCParam(param0_type, param0_a, param0_b)
param1 = TCParam(param1_type, param1_a, param1_b)
param2 = TCParam(TEECParamType.TEEC_NONE, None, None)
param3 = TCParam(TEECParamType.TEEC_NONE, None, None)
params = TCParams(param0, param1, param2, param3)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)