def getKeybag(der, k): if der[:4] == "3gmI": if verbose: print("Reading IMG3 for " + k) kbag = image3.Image3(der).getKeybag() if kbag == None: return (None, None) ivenc = kbag[:16] keyenc = kbag[16:] keys = None if 'PWND:[checkm8]' in serial_number: pwned = usbexec.PwnedUSBDevice() keys = pwned.aes((ivenc + keyenc), usbexec.AES_DECRYPT, usbexec.AES_GID_KEY).encode('hex') else: device = dfuexec.PwnedDFUDevice() keys = device.aes((ivenc + keyenc), dfuexec.AES_DECRYPT, dfuexec.AES_GID_KEY).encode("hex") return (keys[:32], keys[32:]) else: if verbose: print("Reading IMG4 for " + k) dec = asn1_node_next( der, asn1_node_next( der, asn1_node_next(der, asn1_node_first_child(der, asn1_node_root(der))))) if dec[2] >= len(der) - 4: return (None, None) if verbose: print("Reading kbag") kbag = asn1_get_value_of_type(der, asn1_node_next(der, dec), 'OCTET STRING') if verbose: print("Extracting kbag") dec = asn1_node_next( kbag, asn1_node_first_child( kbag, asn1_node_first_child(kbag, asn1_node_root(kbag)))) if verbose: print("Reading values from kbag") ivenc = asn1_get_value_of_type(kbag, dec, 'OCTET STRING') keyenc = asn1_get_value_of_type(kbag, asn1_node_next(kbag, dec), 'OCTET STRING') keys = None if "SEP" in k: return ("KBAG", str(ivenc + keyenc).encode('hex')) else: if verbose: print("Decrypting key with device GID") if 'PWND:[checkm8]' in serial_number: pwned = usbexec.PwnedUSBDevice() keys = pwned.aes((ivenc + keyenc), usbexec.AES_DECRYPT, usbexec.AES_GID_KEY).encode('hex') else: device = dfuexec.PwnedDFUDevice() keys = device.aes_hex((ivenc + keyenc), dfuexec.AES_DECRYPT, dfuexec.AES_GID_KEY) return (keys[:32], keys[32:])
def main(): print "*** SecureROM Signature check remover by Linus Henze ***" device = dfu.acquire_device() print "Found:", device.serial_number if not "PWND:[" in device.serial_number: print "Please enable pwned DFU Mode first." sys.exit(1) if not "PWND:[checkm8]" in device.serial_number: print "Only devices pwned using checkm8 are supported." sys.exit(1) config = exploit_config(device.serial_number) print "Applying patches..." try: pdev = usbexec.PwnedUSBDevice() except usb.core.USBError: print "Patches have already been applied. Exiting." sys.exit(0) for k in config.patches.keys(): pdev.write_memory(k, config.patches[k]) print "Successfully applied patches" print "Resetting device state" print "* This will effectiveley disable pwned DFU Mode" print "* Only the signature patches will remain" # Send abort device.ctrl_transfer(HOST2DEVICE, DFU_ABORT, 0, 0, 0, 0) # Perform USB reset dfu.usb_reset(device) dfu.release_device(device) print "Device is now ready to accept unsigned images"
def fix_heap(): d = usbexec.PwnedUSBDevice() calculate_block_checksum = 0x10000D4E8 block_1 = 0x1801edb40 block_2 = 0x1801fffc0 block_2_size = 0x40 block_2_move_to = 0x1801fff80 if block_1 + d.read_memory_uint32(block_1 + 0x20) * 64 != block_2: raise Exception("bad block_1") for i in range(0, block_2_size, 4): m = d.read_memory_uint32(block_2 + i) d.write_memory_uint32(block_2_move_to + i, m) d.write_memory_uint32(block_1 + 0x20, d.read_memory_uint32(block_1 + 0x20) - 1) d.execute(0, calculate_block_checksum, block_1)
#!/usr/bin/python import dfu import usbexec DFU_ABORT = 4 HOST2DEVICE = 0x21 SIG_CHECKS_1 = 0x1000078B4 SIG_CHECKS_2 = 0x1000078C0 SIG_CHECKS_3 = 0x1000078E4 SIG_CHECKS_4 = 0x100007BAC SIG_CHECKS_5 = 0x1800888C4 pwnd_device = usbexec.PwnedUSBDevice() device = dfu.acquire_device() # Remove sigchecks pwnd_device.write_memory(SIG_CHECKS_1, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_2, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_3, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_4, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_5, "\x00\x00\x00\x00") # Reset USB connection device.ctrl_transfer(HOST2DEVICE, DFU_ABORT, 0, 0, 0, 0) dfu.usb_reset(device) dfu.release_device(device)
def main(): print "*** SecureROM t8015 sigcheckpath by tihmstar ***" device = dfu.acquire_device() print "Found:", device.serial_number if not "PWND:[" in device.serial_number: print "Please enable pwned DFU Mode first." sys.exit(1) if not "PWND:[checkm8]" in device.serial_number: print "Only devices pwned using checkm8 are supported." sys.exit(1) dfu.release_device(device) device = usbexec.PwnedUSBDevice() #make Level3 Table l3table = "" for addr in range(0x0000000100000000, 0x0000000100100000, PAGE_SIZE): entry = struct.pack("<Q", makePTE_Page_16K(addr)) if addr == REMAP_PAGE: #we are remapping heapcheck page entry = struct.pack("<Q", makePTE_Page_16K(SRAM_REMAP_PAGE)) elif addr == REMAP_PAGE2: #we are remapping sigcheck page entry = struct.pack("<Q", makePTE_Page_16K(SRAM_REMAP_PAGE2)) l3table += entry #we write L3 Table here device.write_memory(SRAM_PAGETABLE_PAGE, l3table) #remap heapcheck page to sram device.memcpy(SRAM_REMAP_PAGE, REMAP_PAGE, PAGE_SIZE) #remap sigcheck page to sram device.memcpy(SRAM_REMAP_PAGE2, REMAP_PAGE2, PAGE_SIZE) # patch heap corruption check device.write_memory(0x000000010000db98 - REMAP_PAGE + SRAM_REMAP_PAGE, "\xC0\x03\x5F\xD6") #patch codesigs device.write_memory(0x000000010000624c - REMAP_PAGE2 + SRAM_REMAP_PAGE2, "\x00\x00\x80\xD2") #L2 Table point to L3 device.write_memory( 0x000000018000c400, struct.pack("<Q", makePTE_Table_16K(SRAM_PAGETABLE_PAGE))) #memory barrier device.execute(0, 0x1000004F0) #flush tlb device.execute(0, 0x1000004AC) print("done remapping and patching page") device = dfu.acquire_device() device.ctrl_transfer(HOST2DEVICE, DFU_ABORT, 0, 0, 0, 0) # Perform USB reset try: dfu.usb_reset(device) dfu.release_device(device) except: pass print "Device is now ready to accept unsigned images"
#!/usr/bin/python import dfu import usbexec dev = usbexec.PwnedUSBDevice() dev.write_memory_ptr(0x1800C2F58, 0x10000078C) dev.write_memory(0x180087870, '\x01') device = dfu.acquire_device() device.ctrl_transfer(0x21, 4, 0, 0, 0, 0) dfu.usb_reset(device) dfu.release_device(device) print 'You can now load unpacked iBSS'
print 'ERROR: Could not read file:', arg sys.exit(1) device = dfu.acquire_device() dfu.reset_counters(device) dfu.send_data(device, data) dfu.request_image_validation(device) dfu.release_device(device) if opt == '--demote': device = dfu.acquire_device() serial_number = device.serial_number dfu.release_device(device) if 'PWND:[checkm8]' in serial_number: pwned = usbexec.PwnedUSBDevice() old_value = pwned.read_memory_uint32( pwned.platform.demotion_reg) print 'Demotion register: 0x%x' % old_value if old_value & 1: print 'Attempting to demote device.' pwned.write_memory_uint32(pwned.platform.demotion_reg, old_value & 0xFFFFFFFE) new_value = pwned.read_memory_uint32( pwned.platform.demotion_reg) print 'Demotion register: 0x%x' % new_value if old_value != new_value: print 'Success!' else: print 'Failed.' else: