def test_mcu_patch_stm32f411(self):
    """Emulate the STM32F411 ``patch_test.hex`` image with one instruction patched out.

    A single halfword at 0x80005CA is replaced by the Thumb NOP encoding
    before the emulator runs for at most 4000 instructions.

    NOTE(review): nothing is asserted here; the test only fails if building
    the emulator, patching or running raises. What the patched instruction
    did originally is not visible from this file -- confirm against a
    disassembly of the image.
    """
    # 0xBF00 stored little-endian: the 16-bit Thumb NOP instruction.
    thumb_nop = b'\x00\xBF'

    ql = Qiling(
        ["../examples/rootfs/mcu/stm32f411/patch_test.hex"],
        archtype="cortex_m",
        env=stm32f411,
        verbose=QL_VERBOSE.DEFAULT,
    )

    # Peripherals are instantiated in the same order as before.
    for peripheral in ('usart2', 'rcc', 'gpioa'):
        ql.hw.create(peripheral)

    # The patch is applied to emulated memory, before any instruction runs.
    ql.patch(0x80005CA, thumb_nop)
    ql.run(count=4000)

    del ql
def crack(passwd):
    """Emulate ``backdoorlock.hex`` with one candidate password and report the outcome.

    The firmware image is loaded into a Cortex-M emulator, four instruction
    ranges are overwritten with Thumb NOPs, and the candidate followed by a
    carriage return is sent to the emulated USART1. Emulation then runs
    until 400000 instructions have executed or 0x8003225 is reached.

    Args:
        passwd: Candidate password as text; it is encoded with ``str.encode()``.

    Returns:
        True when the program counter equals 0x8003225 after the run,
        otherwise False.
    """
    # 0xBF00 stored little-endian: the 16-bit Thumb NOP instruction.
    thumb_nop = b'\x00\xBF'
    # Presumably the address reached only once the firmware accepts the
    # password -- confirm against a disassembly of the image.
    stop_addr = 0x8003225
    # (start address, number of halfwords replaced by NOPs). What these
    # ranges contain is not visible here -- presumably waits on hardware
    # the emulator does not model; TODO confirm.
    nop_runs = (
        (0x8000238, 4),
        (0x80031e4, 11),
        (0x80032f8, 13),
        (0x80013b8, 10),
    )

    ql = Qiling(
        ["../examples/rootfs/mcu/stm32f407/backdoorlock.hex"],
        archtype="cortex_m",
        profile="stm32f407",
        verbose=QL_VERBOSE.OFF,
    )

    for peripheral in ('spi2', 'gpioe', 'gpiof', 'usart1', 'rcc'):
        ql.hw.create(peripheral)

    print('Testing passwd', passwd)

    for address, halfwords in nop_runs:
        ql.patch(address, thumb_nop * halfwords)

    # The candidate is terminated with a carriage return before it is sent.
    ql.hw.usart1.send(passwd.encode() + b'\r')
    # NOTE(review): presumably scales how fast the emulated SysTick advances;
    # confirm against the SysTick peripheral implementation.
    ql.hw.systick.set_ratio(400)

    ql.run(count=400000, end=stop_addr)

    # NOTE(review): stop_addr is odd (Thumb bit set); confirm get_pc()
    # reports the program counter in the same form.
    return ql.arch.get_pc() == stop_addr
def crack(passwd):
    """Emulate ``backdoorlock.hex`` with one candidate password and print the outcome.

    The firmware image is loaded into a Cortex-M emulator, four instruction
    ranges are overwritten with Thumb NOPs, and the candidate followed by a
    carriage return is sent to the emulated USART1. Emulation then runs
    until 1000000 instructions have executed or 0x8003225 is reached.

    Args:
        passwd: Candidate password as text; it is encoded with ``str.encode()``.

    Returns:
        None. A success or failure line, including the candidate itself, is
        written to stdout.
    """
    # 0xBF00 stored little-endian: the 16-bit Thumb NOP instruction.
    thumb_nop = b'\x00\xBF'
    # Presumably the address reached only once the firmware accepts the
    # password -- confirm against a disassembly of the image.
    stop_addr = 0x8003225
    # (start address, number of halfwords replaced by NOPs). What these
    # ranges contain is not visible here -- presumably waits on hardware
    # the emulator does not model; TODO confirm.
    nop_runs = (
        (0x8000238, 4),
        (0x80031e4, 11),
        (0x80032f8, 13),
        (0x80013b8, 10),
    )

    ql = Qiling(
        ["../../examples/rootfs/mcu/stm32f407/backdoorlock.hex"],
        archtype="cortex_m",
        env=stm32f407,
        verbose=QL_VERBOSE.OFF,
    )

    for peripheral in ('spi2', 'gpioe', 'gpiof', 'usart1', 'rcc'):
        ql.hw.create(peripheral)

    ql.hw.show_info()

    print('Testing passwd', passwd)

    for address, halfwords in nop_runs:
        ql.patch(address, thumb_nop * halfwords)

    # The candidate is terminated with a carriage return before it is sent.
    ql.hw.usart1.send(passwd.encode() + b'\r')
    # NOTE(review): presumably scales how fast the emulated SysTick advances;
    # confirm against the SysTick peripheral implementation.
    ql.hw.systick.set_ratio(100)

    ql.run(count=1000000, end=stop_addr)

    # Ending exactly on stop_addr is treated as an accepted password; any
    # other final PC (including running out of the instruction budget)
    # counts as a rejection.
    reached_stop = ql.arch.effective_pc == stop_addr
    verdict = 'Success, the passwd is' if reached_stop else 'Fail, the passwd is not'
    print(verdict, passwd)

    del ql