def getKeybag(der, k):
if der[:4] == "3gmI":
if verbose: print("Reading IMG3 for " + k)
kbag = image3.Image3(der).getKeybag()
if kbag == None: return (None, None)
ivenc = kbag[:16]
keyenc = kbag[16:]
keys = None
if 'PWND:[checkm8]' in serial_number:
pwned = usbexec.PwnedUSBDevice()
keys = pwned.aes((ivenc + keyenc), usbexec.AES_DECRYPT,
usbexec.AES_GID_KEY).encode('hex')
else:
device = dfuexec.PwnedDFUDevice()
keys = device.aes((ivenc + keyenc), dfuexec.AES_DECRYPT,
dfuexec.AES_GID_KEY).encode("hex")
return (keys[:32], keys[32:])
else:
if verbose: print("Reading IMG4 for " + k)
dec = asn1_node_next(
der,
asn1_node_next(
der,
asn1_node_next(der,
asn1_node_first_child(der,
asn1_node_root(der)))))
if dec[2] >= len(der) - 4:
return (None, None)
if verbose: print("Reading kbag")
kbag = asn1_get_value_of_type(der, asn1_node_next(der, dec),
'OCTET STRING')
if verbose: print("Extracting kbag")
dec = asn1_node_next(
kbag,
asn1_node_first_child(
kbag, asn1_node_first_child(kbag, asn1_node_root(kbag))))
if verbose: print("Reading values from kbag")
ivenc = asn1_get_value_of_type(kbag, dec, 'OCTET STRING')
keyenc = asn1_get_value_of_type(kbag, asn1_node_next(kbag, dec),
'OCTET STRING')
keys = None
if "SEP" in k:
return ("KBAG", str(ivenc + keyenc).encode('hex'))
else:
if verbose: print("Decrypting key with device GID")
if 'PWND:[checkm8]' in serial_number:
pwned = usbexec.PwnedUSBDevice()
keys = pwned.aes((ivenc + keyenc), usbexec.AES_DECRYPT,
usbexec.AES_GID_KEY).encode('hex')
else:
device = dfuexec.PwnedDFUDevice()
keys = device.aes_hex((ivenc + keyenc), dfuexec.AES_DECRYPT,
dfuexec.AES_GID_KEY)
return (keys[:32], keys[32:])
def main():
print "*** SecureROM Signature check remover by Linus Henze ***"
device = dfu.acquire_device()
print "Found:", device.serial_number
if not "PWND:[" in device.serial_number:
print "Please enable pwned DFU Mode first."
sys.exit(1)
if not "PWND:[checkm8]" in device.serial_number:
print "Only devices pwned using checkm8 are supported."
sys.exit(1)
config = exploit_config(device.serial_number)
print "Applying patches..."
try:
pdev = usbexec.PwnedUSBDevice()
except usb.core.USBError:
print "Patches have already been applied. Exiting."
sys.exit(0)
for k in config.patches.keys():
pdev.write_memory(k, config.patches[k])
print "Successfully applied patches"
print "Resetting device state"
print "* This will effectiveley disable pwned DFU Mode"
print "* Only the signature patches will remain"
# Send abort
device.ctrl_transfer(HOST2DEVICE, DFU_ABORT, 0, 0, 0, 0)
# Perform USB reset
dfu.usb_reset(device)
dfu.release_device(device)
print "Device is now ready to accept unsigned images"
def fix_heap():
d = usbexec.PwnedUSBDevice()
calculate_block_checksum = 0x10000D4E8
block_1 = 0x1801edb40
block_2 = 0x1801fffc0
block_2_size = 0x40
block_2_move_to = 0x1801fff80
if block_1 + d.read_memory_uint32(block_1 + 0x20) * 64 != block_2:
raise Exception("bad block_1")
for i in range(0, block_2_size, 4):
m = d.read_memory_uint32(block_2 + i)
d.write_memory_uint32(block_2_move_to + i, m)
d.write_memory_uint32(block_1 + 0x20,
d.read_memory_uint32(block_1 + 0x20) - 1)
d.execute(0, calculate_block_checksum, block_1)
#!/usr/bin/python import dfu import usbexec DFU_ABORT = 4 HOST2DEVICE = 0x21 SIG_CHECKS_1 = 0x1000078B4 SIG_CHECKS_2 = 0x1000078C0 SIG_CHECKS_3 = 0x1000078E4 SIG_CHECKS_4 = 0x100007BAC SIG_CHECKS_5 = 0x1800888C4 pwnd_device = usbexec.PwnedUSBDevice() device = dfu.acquire_device() # Remove sigchecks pwnd_device.write_memory(SIG_CHECKS_1, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_2, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_3, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_4, "\x1F\x20\x03\xD5") pwnd_device.write_memory(SIG_CHECKS_5, "\x00\x00\x00\x00") # Reset USB connection device.ctrl_transfer(HOST2DEVICE, DFU_ABORT, 0, 0, 0, 0) dfu.usb_reset(device) dfu.release_device(device)
def main():
print "*** SecureROM t8015 sigcheckpath by tihmstar ***"
device = dfu.acquire_device()
print "Found:", device.serial_number
if not "PWND:[" in device.serial_number:
print "Please enable pwned DFU Mode first."
sys.exit(1)
if not "PWND:[checkm8]" in device.serial_number:
print "Only devices pwned using checkm8 are supported."
sys.exit(1)
dfu.release_device(device)
device = usbexec.PwnedUSBDevice()
#make Level3 Table
l3table = ""
for addr in range(0x0000000100000000, 0x0000000100100000, PAGE_SIZE):
entry = struct.pack("<Q", makePTE_Page_16K(addr))
if addr == REMAP_PAGE: #we are remapping heapcheck page
entry = struct.pack("<Q", makePTE_Page_16K(SRAM_REMAP_PAGE))
elif addr == REMAP_PAGE2: #we are remapping sigcheck page
entry = struct.pack("<Q", makePTE_Page_16K(SRAM_REMAP_PAGE2))
l3table += entry
#we write L3 Table here
device.write_memory(SRAM_PAGETABLE_PAGE, l3table)
#remap heapcheck page to sram
device.memcpy(SRAM_REMAP_PAGE, REMAP_PAGE, PAGE_SIZE)
#remap sigcheck page to sram
device.memcpy(SRAM_REMAP_PAGE2, REMAP_PAGE2, PAGE_SIZE)
# patch heap corruption check
device.write_memory(0x000000010000db98 - REMAP_PAGE + SRAM_REMAP_PAGE,
"\xC0\x03\x5F\xD6")
#patch codesigs
device.write_memory(0x000000010000624c - REMAP_PAGE2 + SRAM_REMAP_PAGE2,
"\x00\x00\x80\xD2")
#L2 Table point to L3
device.write_memory(
0x000000018000c400,
struct.pack("<Q", makePTE_Table_16K(SRAM_PAGETABLE_PAGE)))
#memory barrier
device.execute(0, 0x1000004F0)
#flush tlb
device.execute(0, 0x1000004AC)
print("done remapping and patching page")
device = dfu.acquire_device()
device.ctrl_transfer(HOST2DEVICE, DFU_ABORT, 0, 0, 0, 0)
# Perform USB reset
try:
dfu.usb_reset(device)
dfu.release_device(device)
except:
pass
print "Device is now ready to accept unsigned images"
#!/usr/bin/python import dfu import usbexec dev = usbexec.PwnedUSBDevice() dev.write_memory_ptr(0x1800C2F58, 0x10000078C) dev.write_memory(0x180087870, '\x01') device = dfu.acquire_device() device.ctrl_transfer(0x21, 4, 0, 0, 0, 0) dfu.usb_reset(device) dfu.release_device(device) print 'You can now load unpacked iBSS'
print 'ERROR: Could not read file:', arg
sys.exit(1)
device = dfu.acquire_device()
dfu.reset_counters(device)
dfu.send_data(device, data)
dfu.request_image_validation(device)
dfu.release_device(device)
if opt == '--demote':
device = dfu.acquire_device()
serial_number = device.serial_number
dfu.release_device(device)
if 'PWND:[checkm8]' in serial_number:
pwned = usbexec.PwnedUSBDevice()
old_value = pwned.read_memory_uint32(
pwned.platform.demotion_reg)
print 'Demotion register: 0x%x' % old_value
if old_value & 1:
print 'Attempting to demote device.'
pwned.write_memory_uint32(pwned.platform.demotion_reg,
old_value & 0xFFFFFFFE)
new_value = pwned.read_memory_uint32(
pwned.platform.demotion_reg)
print 'Demotion register: 0x%x' % new_value
if old_value != new_value:
print 'Success!'
else:
print 'Failed.'
else: