def findCriticalGadgets(p):
    """Fail if the ROM holds a byte pair that could write a critical register.

    Try to defend against ROP attacks which could write to OTP memory: for
    every opcode in FirmwareLib.IRAM_WRITE_OPCODES and every address in
    CRITICAL_ADDRS, search the ROM image for the two-byte sequence
    "opcode, address" and print each occurrence.

    The search runs over raw bytes at every offset, not over decoded
    instruction boundaries. A hit may therefore be data or the middle of
    another instruction; that is the conservative choice for this check,
    since a return-oriented jump is not bound to instruction starts.

    p -- object whose `rom` attribute is an iterable of byte values.

    Raises ValueError if at least one occurrence was found.
    """
    print("\nCritical gadgets:\n")

    image = ''.join(map(chr, p.rom))
    mnemonics = FirmwareLib.opcodeTable()

    # Critical addresses
    CRITICAL_ADDRS = [
        0xA7,   # MEMCON (allows executing code from RAM)
        0x87,   # PCON (allows read/write of program memory)
    ]

    # NOTE(review): the pattern assumes the written address is the byte
    # directly after the opcode. If this is an 8051-family core, as the
    # register names suggest, `MOV direct, direct` (0x85) encodes the source
    # first and the destination second -- confirm how IRAM_WRITE_OPCODES
    # accounts for that form.
    hits = 0
    for op in FirmwareLib.IRAM_WRITE_OPCODES:
        for ramaddr in CRITICAL_ADDRS:
            needle = chr(op) + chr(ramaddr)
            addr = image.find(needle)
            while addr >= 0:
                print("\t@%04x: %02x %02x %s"
                      % (addr, op, ramaddr, mnemonics[op]))
                hits += 1
                # Resume one byte later so overlapping matches are reported too
                addr = image.find(needle, addr + 1)

    if hits:
        # Any hit aborts the run; every hit has already been printed above
        raise ValueError("Found potential security holes")
    print("\tNone found")
def __init__(self, parser):
    """Store the parser and fetch the opcode table once.

    parser -- kept as self.p for the other methods of this class.
    """
    self.p = parser
    table = FirmwareLib.opcodeTable()
    self.opTable = table
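# NOTE(review): the statements down to the closing f.write("};\n") are the tail
# of a method whose beginning is not part of this listing. Their nesting is
# reconstructed from the logic (assumed: a per-instruction loop inside a method
# that receives the output file as `f`) -- confirm against the full file.
            endsBlock = self.endsBlock(bytes)
            if endsBlock and inBlock:
                self.endBlock(f)
                inBlock = False

        # Presumably closes a block still open after the last instruction
        if inBlock:
            self.endBlock(f)

        # Write a table of translated block functions.
        # The table gets exactly one entry per ROM address, so there are no
        # gaps: an address that is not a known block start (not in blockMap)
        # is given the sbt_exception entry instead of a translated block.
        f.write("const sbt_block_t sbt_rom_code[] = {\n")
        for addr in range(FirmwareLib.ROM_SIZE):
            if addr in blockMap:
                f.write("\t&sbt_block_%04x,\n" % addr)
            else:
                f.write("\t&sbt_exception,\n")
        f.write("};\n")


if __name__ == '__main__':
    # Feed every file named on the command line into a single parser
    p = FirmwareLib.RSTParser()
    for f in sys.argv[1:]:
        p.parseFile(f)

    # fixupImage is defined outside this listing; it runs on the parsed image
    # before any code is generated.
    fixupImage(p)

    gen = CodeGenerator(p)
    # Use a context manager so the generated source is flushed and closed
    # deterministically, also when gen.write raises part-way through.
    with open('resources/firmware-sbt.cpp', 'w') as out:
        gen.write(out)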