コード例 #1
def findCriticalGadgets(p):
    """Fail the build if the ROM contains bytes that could write a critical SFR.

    Hardening check against ROP attacks which could write to OTP memory.
    Every opcode in FirmwareLib.IRAM_WRITE_OPCODES is paired with every
    address in CRITICAL_ADDRS, and the ROM image is searched for that
    two-byte sequence at every byte offset. Each hit is printed with its
    ROM address, the two bytes and the opcode's entry in the opcode table.

    p -- parser object; p.rom is read as a sequence of byte values
         (it is passed through chr(), so presumably ints 0..255).

    Raises ValueError if at least one match was found.

    NOTE(review): the search works on raw bytes, not on decoded
    instructions, so it also reports sequences that straddle or sit inside
    other instructions. That looks deliberate, since a hijacked return
    address does not have to land on an instruction boundary.

    NOTE(review): only encodings where the target address byte directly
    follows the opcode byte are detected. Confirm that holds for every
    entry in IRAM_WRITE_OPCODES; an opcode whose destination operand is
    not its second byte would be missed or misreported by this scan.
    """
    print("\nCritical gadgets:\n")
    image = ''.join(chr(b) for b in p.rom)
    mnemonics = FirmwareLib.opcodeTable()

    # Critical addresses
    CRITICAL_ADDRS = [
        0xA7,   # MEMCON (allows executing code from RAM)
        0x87,   # PCON (allows read/write of program memory)
    ]

    hits = 0

    for op in FirmwareLib.IRAM_WRITE_OPCODES:
        for ramaddr in CRITICAL_ADDRS:
            needle = chr(op) + chr(ramaddr)
            # Resume one byte past each hit so overlapping matches are kept.
            addr = image.find(needle)
            while addr >= 0:
                print("\t@%04x: %02x %02x   %s" % (addr, op, ramaddr, mnemonics[op]))
                hits += 1
                addr = image.find(needle, addr + 1)

    # Any hit is treated as fatal rather than as a warning.
    if not hits:
        print("\tNone found")
    else:
        raise ValueError("Found potential security holes")
コード例 #2
 def __init__(self, parser):
     """Keep a reference to the parser and fetch the opcode table.

     parser -- stored as self.p.
     """
     self.p = parser
     # Looked up once here and kept on the instance as self.opTable.
     table = FirmwareLib.opcodeTable()
     self.opTable = table
コード例 #3
                endsBlock = self.endsBlock(bytes)

            if endsBlock and inBlock:
                self.endBlock(f)
                inBlock = False

        if inBlock:
            self.endBlock(f)

        # Write a table of translated block functions

        f.write("const sbt_block_t sbt_rom_code[] = {\n")

        for addr in range(FirmwareLib.ROM_SIZE):
            if addr in blockMap:
                f.write("\t&sbt_block_%04x,\n" % addr)
            else:
                f.write("\t&sbt_exception,\n")

        f.write("};\n")


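if __name__ == '__main__':
    # Parse every listing file named on the command line into one image.
    p = FirmwareLib.RSTParser()
    for f in sys.argv[1:]:
        p.parseFile(f)

    fixupImage(p)
    gen = CodeGenerator(p)

    # Close the output deterministically so the generated source is fully
    # flushed before anything else reads it, and the handle is released
    # even if code generation raises part-way through.
    with open('resources/firmware-sbt.cpp', 'w') as out:
        gen.write(out)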