def main():
parser = argparse.ArgumentParser()
parser.add_argument("-c", "--config", help="Device config", required=True)
parser.add_argument("-p", "--payload", help="Payload file", required=True)
arguments = parser.parse_args()
if not os.path.exists(arguments.config):
log("Config file {} doesn't exist".format(arguments.config))
return
if not os.path.exists(arguments.payload):
log("Payload file {} doesn't exist".format(arguments.payload))
return
with open(arguments.config) as config:
config = json5.load(config)
hw_code = config["hw_code"]
watchdog_address = config["watchdog_address"]
var_0 = config["var_0"]
var_1 = config["var_1"]
device = Device().find()
device.handshake()
device_hw_code = device.get_hw_code()
hw_sub_code, hw_ver, sw_ver = device.get_hw_dict()
secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config(
)
if hw_code != device_hw_code:
log("Incorrect hw code, expected {}, found {}".format(
hex(hw_code), hex(device_hw_code)))
return
print()
log("Device hw code: {}".format(hex(device_hw_code)))
log("Device hw sub code: {}".format(hex(hw_sub_code)))
log("Device hw version: {}".format(hex(hw_ver)))
log("Device sw version: {}".format(hex(sw_ver)))
log("Device secure boot: {}".format(secure_boot))
log("Device serial link authorization: {}".format(
serial_link_authorization))
log("Device download agent authorization: {}".format(
download_agent_authorization))
print()
log("Disabling watchdog timer")
device.write32(watchdog_address, 0x22000064)
if serial_link_authorization or download_agent_authorization:
log("Disabling protection")
exploit(device, watchdog_address, var_0, var_1, arguments.payload)
log("Protection disabled")
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-c", "--config", help="Device config")
arguments = parser.parse_args()
if arguments.config:
if not os.path.exists(arguments.config):
raise RuntimeError("Config file {} doesn't exist".format(arguments.config))
elif not os.path.exists(DEFAULT_CONFIG):
raise RuntimeError("Default config is missing")
device = Device().find()
device.handshake()
hw_code = device.get_hw_code()
hw_sub_code, hw_ver, sw_ver = device.get_hw_dict()
secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config()
if arguments.config:
config_file = open(arguments.config)
config = Config().from_file(config_file, hw_code)
config_file.close()
else:
config = Config().default(hw_code)
if not os.path.exists(PAYLOAD_DIR + config.payload):
raise RuntimeError("Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload))
print()
log("Device hw code: {}".format(hex(hw_code)))
log("Device hw sub code: {}".format(hex(hw_sub_code)))
log("Device hw version: {}".format(hex(hw_ver)))
log("Device sw version: {}".format(hex(sw_ver)))
log("Device secure boot: {}".format(secure_boot))
log("Device serial link authorization: {}".format(serial_link_authorization))
log("Device download agent authorization: {}".format(download_agent_authorization))
print()
log("Disabling watchdog timer")
device.write32(config.watchdog_address, 0x22000064)
if serial_link_authorization or download_agent_authorization:
log("Disabling protection")
payload = open(PAYLOAD_DIR + config.payload, "rb")
exploit(device, config.watchdog_address, config.var_0, config.var_1, payload)
payload.close()
log("Protection disabled")
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-c", "--config", help="Device config")
parser.add_argument("-t", "--test", help="Testmode", action="store_true")
parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex) for testmode")
parser.add_argument("-v", "--var_1", help="var_1 value(in hex) for testmode")
parser.add_argument("-p", "--payload_address", help="payload_address value(in hex) for testmode")
arguments = parser.parse_args()
if arguments.config:
if not os.path.exists(arguments.config):
raise RuntimeError("Config file {} doesn't exist".format(arguments.config))
elif not os.path.exists(DEFAULT_CONFIG):
raise RuntimeError("Default config is missing")
device = Device().find()
device.handshake()
hw_code = device.get_hw_code()
hw_sub_code, hw_ver, sw_ver = device.get_hw_dict()
secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config()
if arguments.config:
config_file = open(arguments.config)
config = Config().from_file(config_file, hw_code)
config_file.close()
else:
try:
config = Config().default(hw_code)
except NotImplementedError as e:
if arguments.test:
config = Config()
if arguments.var_1:
config.var_1 = int(arguments.var_1, 16)
if arguments.watchdog:
config.watchdog_address = int(arguments.watchdog, 16)
if arguments.payload_address:
config.payload_address = int(arguments.payload_address, 16)
config.payload = "generic_dump_payload.bin"
log(e)
else:
raise e
if not os.path.exists(PAYLOAD_DIR + config.payload):
raise RuntimeError("Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload))
print()
log("Device hw code: {}".format(hex(hw_code)))
log("Device hw sub code: {}".format(hex(hw_sub_code)))
log("Device hw version: {}".format(hex(hw_ver)))
log("Device sw version: {}".format(hex(sw_ver)))
log("Device secure boot: {}".format(secure_boot))
log("Device serial link authorization: {}".format(serial_link_authorization))
log("Device download agent authorization: {}".format(download_agent_authorization))
print()
log("Disabling watchdog timer")
device.write32(config.watchdog_address, 0x22000064)
if serial_link_authorization or download_agent_authorization:
log("Disabling protection")
with open(PAYLOAD_DIR + config.payload, "rb") as payload:
payload = payload.read()
result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
if arguments.test:
while not result:
config.var_1 += 1
log("Test mode, testing " + hex(config.var_1) + "...")
device = Device().find()
device.handshake()
result = exploit(device, config.watchdog_address, config.payload_address,
config.var_0, config.var_1, payload)
bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin"
if result == to_bytes(0xA1A2A3A4, 4):
log("Protection disabled")
elif result == to_bytes(0xC1C2C3C4, 4):
dump_brom(device, bootrom__name)
elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(0xC1C2C3C4, 4):
dump_brom(device, bootrom__name, True)
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-c", "--config", help="Device config")
parser.add_argument("-t", "--test", help="Testmode", action="store_true")
parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)")
parser.add_argument("-u", "--uart", help="UART base address(in hex)")
parser.add_argument("-v", "--var_1", help="var_1 value(in hex)")
parser.add_argument("-a",
"--payload_address",
help="payload_address value(in hex)")
parser.add_argument("-p", "--payload", help="Payload to use")
parser.add_argument("-s",
"--serial_port",
help="Connect to existing serial port")
parser.add_argument("-f",
"--force",
help="Force exploit on insecure device",
action="store_true")
parser.add_argument("-n",
"--no_handshake",
help="Skip handshake",
action="store_true")
parser.add_argument("-m",
"--crash_method",
help="Method to use for crashing preloader (0, 1, 2)",
type=int)
arguments = parser.parse_args()
if arguments.config:
if not os.path.exists(arguments.config):
raise RuntimeError("Config file {} doesn't exist".format(
arguments.config))
elif not os.path.exists(DEFAULT_CONFIG):
raise RuntimeError("Default config is missing")
if arguments.serial_port:
device = Device(arguments.serial_port)
else:
device = Device().find()
config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(
device, arguments)
while device.preloader:
device = crash_preloader(device, config)
config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(
device, arguments)
log("Disabling watchdog timer")
device.write32(config.watchdog_address, 0x22000064)
if serial_link_authorization or download_agent_authorization or arguments.force:
log("Disabling protection")
payload = prepare_payload(config)
result = exploit(device, config.watchdog_address,
config.payload_address, config.var_0, config.var_1,
payload)
if arguments.test:
while not result:
device.dev.close()
config.var_1 += 1
log("Test mode, testing " + hex(config.var_1) + "...")
device = Device().find()
device.handshake()
while device.preloader:
device = crash_preloader(device, config)
device.handshake()
result = exploit(device, config.watchdog_address,
config.payload_address, config.var_0,
config.var_1, payload)
else:
log("Insecure device, sending payload using send_da")
if not arguments.payload:
config.payload = DEFAULT_PAYLOAD
if not arguments.payload_address:
config.payload_address = DEFAULT_DA_ADDRESS
payload = prepare_payload(config)
payload += b'\x00' * 0x100
device.send_da(config.payload_address, len(payload), 0x100, payload)
device.jump_da(config.payload_address)
result = device.read(4)
bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin"
if result == to_bytes(0xA1A2A3A4, 4):
log("Protection disabled")
elif result == to_bytes(0xC1C2C3C4, 4):
dump_brom(device, bootrom__name)
elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(
0xC1C2C3C4, 4):
dump_brom(device, bootrom__name, True)
elif result != b'':
raise RuntimeError("Unexpected result {}".format(result.hex()))
else:
log("Payload did not reply")
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-c", "--config", help="Device config")
parser.add_argument("-t", "--test", help="Testmode", action="store_true")
parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)")
parser.add_argument("-u", "--uart", help="UART base address(in hex)")
parser.add_argument("-v", "--var_1", help="var_1 value(in hex)")
parser.add_argument("-a",
"--payload_address",
help="payload_address value(in hex)")
parser.add_argument("-p", "--payload", help="Payload to use")
parser.add_argument("-s",
"--serial_port",
help="Connect to existing serial port")
parser.add_argument("-f",
"--force",
help="Force exploit on insecure device",
action="store_true")
parser.add_argument("-n",
"--no_handshake",
help="Skip handshake",
action="store_true")
arguments = parser.parse_args()
if arguments.config:
if not os.path.exists(arguments.config):
raise RuntimeError("Config file {} doesn't exist".format(
arguments.config))
elif not os.path.exists(DEFAULT_CONFIG):
raise RuntimeError("Default config is missing")
if arguments.serial_port:
device = Device(arguments.serial_port)
else:
device = Device().find()
if not arguments.no_handshake:
device.handshake()
hw_code = device.get_hw_code()
hw_sub_code, hw_ver, sw_ver = device.get_hw_dict()
secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config(
)
if arguments.config:
config_file = open(arguments.config)
config = Config().from_file(config_file, hw_code)
config_file.close()
else:
try:
config = Config().default(hw_code)
except NotImplementedError as e:
if arguments.test:
config = Config()
log(e)
else:
raise e
if arguments.test:
config.payload = DEFAULT_PAYLOAD
if arguments.var_1:
config.var_1 = int(arguments.var_1, 16)
if arguments.watchdog:
config.watchdog_address = int(arguments.watchdog, 16)
if arguments.uart:
config.uart_base = int(arguments.uart, 16)
if arguments.payload_address:
config.payload_address = int(arguments.payload_address, 16)
if arguments.payload:
config.payload = arguments.payload
if not os.path.exists(PAYLOAD_DIR + config.payload):
raise RuntimeError(
"Payload file {} doesn't exist".format(PAYLOAD_DIR +
config.payload))
print()
log("Device hw code: {}".format(hex(hw_code)))
log("Device hw sub code: {}".format(hex(hw_sub_code)))
log("Device hw version: {}".format(hex(hw_ver)))
log("Device sw version: {}".format(hex(sw_ver)))
log("Device secure boot: {}".format(secure_boot))
log("Device serial link authorization: {}".format(
serial_link_authorization))
log("Device download agent authorization: {}".format(
download_agent_authorization))
print()
log("Disabling watchdog timer")
device.write32(config.watchdog_address, 0x22000064)
if serial_link_authorization or download_agent_authorization or arguments.force:
log("Disabling protection")
payload = prepare_payload(config)
result = exploit(device, config.watchdog_address,
config.payload_address, config.var_0, config.var_1,
payload)
if arguments.test:
while not result:
device.dev.close()
config.var_1 += 1
log("Test mode, testing " + hex(config.var_1) + "...")
device = Device().find()
device.handshake()
result = exploit(device, config.watchdog_address,
config.payload_address, config.var_0,
config.var_1, payload)
else:
log("Insecure device, sending payload using send_da")
if not arguments.payload:
config.payload = DEFAULT_PAYLOAD
if not arguments.payload_address:
config.payload_address = DEFAULT_DA_ADDRESS
payload = prepare_payload(config)
payload += b'\x00' * 0x100
device.send_da(config.payload_address, len(payload), 0x100, payload)
device.jump_da(config.payload_address)
result = device.read(4)
bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin"
if result == to_bytes(0xA1A2A3A4, 4):
log("Protection disabled")
elif result == to_bytes(0xC1C2C3C4, 4):
dump_brom(device, bootrom__name)
elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(
0xC1C2C3C4, 4):
dump_brom(device, bootrom__name, True)
elif result != b'':
raise RuntimeError("Unexpected result {}".format(result.hex()))
else:
log("Payload did not reply")