493 lines
17 KiB
Python
493 lines
17 KiB
Python
|
from ghidra_assistant.utils.utils import *
|
||
|
from ghidra_assistant.utils.archs.asm_utils import *
|
||
|
from ghidra_assistant.concrete_device import *
|
||
|
from qiling.const import QL_ARCH
|
||
|
from ghidra_assistant.utils.debugger.debugger_archs.ga_arm_thumb import GA_arm_thumb_debugger
|
||
|
from exploit import *
|
||
|
from keystone import *
|
||
|
from t210 import *
|
||
|
from hw_in_the_loop import *
|
||
|
from partial_emulation import *
|
||
|
|
||
|
ks_arm = Ks(KS_ARCH_ARM, KS_MODE_ARM)
|
||
|
ks_thumb = Ks(KS_ARCH_ARM, KS_MODE_THUMB)
|
||
|
|
||
|
logger = setup_logger("") # get root logger
|
||
|
logger.setLevel(logging.DEBUG)
|
||
|
|
||
|
def device_setup(concrete_device : "ConcreteDevice"):
|
||
|
'''
|
||
|
This function has to return a device object that handles the communication between the host and the device.
|
||
|
Must implement at least the following:
|
||
|
|
||
|
* read
|
||
|
* write
|
||
|
|
||
|
In this function you can also setup known values that the concrete debugger will use, like the target architecture and locations of the debugger and the vbar
|
||
|
'''
|
||
|
|
||
|
#Setup architecture
|
||
|
concrete_device.arch = QL_ARCH.ARM
|
||
|
concrete_device.ga_debugger_location = 0x4000E000
|
||
|
concrete_device.ga_vbar_location = 0x40011000
|
||
|
concrete_device.ga_storage_location = 0x40013000
|
||
|
concrete_device.ga_stack_location = 0x40014000
|
||
|
|
||
|
rcm = TegraRCM()
|
||
|
rcm.dev.read_chip_id()
|
||
|
# file = "/home/eljakim/Source/gupje/source/bin/nvidia_shield/debugger.bin"
|
||
|
file = "/home/eljakim/Source/gupje/source/bin/nvidia_shield_t/debugger.bin"
|
||
|
# file = "/tmp/gardenia/build/bootloader"
|
||
|
rcm.send_payload(file, thumb=1)
|
||
|
concrete_device.arch_dbg = GA_arm_thumb_debugger(concrete_device.ga_vbar_location, concrete_device.ga_debugger_location, concrete_device.ga_storage_location)
|
||
|
|
||
|
assert(rcm.dev.read(0x100) == b"GiAs")
|
||
|
|
||
|
concrete_device.arch_dbg.read = rcm.dev.read
|
||
|
concrete_device.arch_dbg.write = rcm.dev.write
|
||
|
|
||
|
#Overwrite all calls to make the concrete target function properly
|
||
|
concrete_device.copy_functions()
|
||
|
|
||
|
# And add custom functions
|
||
|
def read_u32(address):
|
||
|
return u32(concrete_device.memdump_region(address, 4))
|
||
|
|
||
|
def write_u32(address, value):
|
||
|
concrete_device.memwrite_region(address, p32(value))
|
||
|
|
||
|
def read_str(address):
|
||
|
d = b""
|
||
|
while True:
|
||
|
c = concrete_device.memdump_region(address, 1)
|
||
|
if c == b"\x00":
|
||
|
break
|
||
|
d += c
|
||
|
address += 1
|
||
|
return d
|
||
|
|
||
|
concrete_device.read_u32 = read_u32
|
||
|
concrete_device.write_u32 = write_u32
|
||
|
concrete_device.read_str = read_str
|
||
|
|
||
|
concrete_device.debugger_main = concrete_device.get_debugger_location()
|
||
|
return rcm
|
||
|
|
||
|
def test_arm_asm(cd : "ConcreteDevice"):
|
||
|
cd.arch_dbg.state.auto_sync = False
|
||
|
|
||
|
shellcode = f"""
|
||
|
.align 1
|
||
|
start:
|
||
|
|
||
|
ldr r0, =addr_some_addr
|
||
|
ldr r1, =0x1000
|
||
|
ldr r2, =addr_debugger_storage
|
||
|
ldr r4, =addr_usb_write
|
||
|
bx r4
|
||
|
|
||
|
bx lr
|
||
|
ldr r0, =addr_debugger_main
|
||
|
bx r0
|
||
|
b flush
|
||
|
ldr r0, =addr_debugger_storage
|
||
|
ldr r1, =0x77
|
||
|
ldr r2, =0x77
|
||
|
str r0, [r0]
|
||
|
str r1, [r0, #4]
|
||
|
str r2, [r0, #8]
|
||
|
bx lr
|
||
|
|
||
|
flush:
|
||
|
@ Flush the instruction cache
|
||
|
@ mov r0, #0 @ Select the instruction cache
|
||
|
@ mcr p15, 0, r0, c7, c5 @ Invalidate the entire instruction cache
|
||
|
|
||
|
@ Flush the data cache
|
||
|
@ mov r0, #0 @ Select the data cache
|
||
|
@ mcr p15, 0, r0, c7, c6 @ Invalidate the entire data cache
|
||
|
bx lr
|
||
|
ldr r0, =addr_debugger_main
|
||
|
bx r0
|
||
|
|
||
|
|
||
|
.align 3
|
||
|
addr_debugger_storage: .word 0x40013000
|
||
|
addr_usb_write: .word 0x001065C0
|
||
|
addr_rom_start: .word 0x00100000
|
||
|
addr_debugger_main : .word 0x4000E000
|
||
|
addr_some_addr: .word 0x40020000
|
||
|
.align 1
|
||
|
addr_debugger_main_t: .word 0x4000E001
|
||
|
"""
|
||
|
|
||
|
asm = ks_arm.asm(shellcode, as_bytes=True)[0]
|
||
|
cd.memwrite_region(0x40013000 + 0x2000, asm)
|
||
|
cd.jump_to(0x40013000 + 0x2000) #branch arm
|
||
|
try:
|
||
|
r = cd.read(0x200)
|
||
|
pass
|
||
|
except Exception as e:
|
||
|
print(str(e))
|
||
|
pass
|
||
|
pass
|
||
|
|
||
|
def dump_full_dram_context(cd : "ConcreteDevice"):
|
||
|
# BootROM
|
||
|
rom = cd.memdump_region(0x100000, 0x17000)
|
||
|
imem = cd.memdump_region(0x40000000, 0xfc00)
|
||
|
|
||
|
SETUP_SDRAM = 0x00101a14
|
||
|
def attempt_boot_bct(cd : "ConcreteDevice"):
|
||
|
dat = open("bin/imem_good.bin", 'rb').read()
|
||
|
cd.memwrite_region(0x40000000, dat[:0xe000])
|
||
|
cd.write(b"MAIN")
|
||
|
cd.arch_dbg.state.auto_sync = False
|
||
|
|
||
|
cd.arch_dbg.state.print_ctx(print)
|
||
|
dump_full_dram_context(cd)
|
||
|
|
||
|
jump_stub = f"""
|
||
|
.align 1
|
||
|
ldr r0, addr_debugger_main_t
|
||
|
bx r0
|
||
|
.align 4
|
||
|
addr_debugger_main_t: .word 0x4000E001
|
||
|
"""
|
||
|
jump_stub = ks_thumb.asm(jump_stub, as_bytes=True)[0]
|
||
|
|
||
|
cd.memwrite_region(SETUP_SDRAM, jump_stub)
|
||
|
|
||
|
# Test dumb restore_and_jump
|
||
|
# cd.arch_dbg.state.R0 = 0x00101c18
|
||
|
# cd.arch_dbg.state.R3 = 0x4000E001
|
||
|
def test_restore_and_jump():
|
||
|
cd.arch_dbg.state.LR = 0x4000E001
|
||
|
cd.restore_stack_and_jump(0x00101c28 + 1) # Some dumb function that sets r0
|
||
|
assert cd.read(100) == b"GiAs"
|
||
|
|
||
|
cd.arch_dbg.state.LR = 0x4000E001
|
||
|
cd.arch_dbg.state.R0 = 0x00101c18
|
||
|
cd.restore_stack_and_jump(SETUP_SDRAM + 1)
|
||
|
|
||
|
cd.jump_to(0x00101c28 + 1)
|
||
|
|
||
|
|
||
|
pass
|
||
|
|
||
|
|
||
|
CLK_RST_CONTROLLER_MISC_CLK_ENB = 0x48
|
||
|
IROM_LEN = 0x00010000
|
||
|
def hw_init(cd : "ConcreteDevice"):
|
||
|
# Get chip id
|
||
|
# 0x14017
|
||
|
cd.arch_dbg.state.print_ctx(print)
|
||
|
def NvBootUtilGetTimeUS():
|
||
|
cd.arch_dbg.state.LR = cd.arch_dbg.debugger_addr | 1
|
||
|
cd.arch_dbg.restore_stack_and_jump(0x00100c7e | 1)
|
||
|
assert cd.read(4) == b'GiAs', "Debugger crashed?"
|
||
|
return cd.arch_dbg.state.R0
|
||
|
chip_id = u32(cd.memdump_region(mmio_reg32(BASE_ADDRESSES['APB_MISC_BASE'], APB_MISC_GP_HIDREV), 4))
|
||
|
chip_version = (chip_id >> 4) & 0xF
|
||
|
|
||
|
def clock_enable_fuse():
|
||
|
addr = mmio_reg32(BASE_ADDRESSES['CLOCK_BASE'], CLK_RST_CONTROLLER_MISC_CLK_ENB)
|
||
|
val = cd.read_u32(addr)
|
||
|
enable = 1
|
||
|
cd.write_u32(addr, val & 0xEFFFFFFF | ((enable & 1) << 28))
|
||
|
|
||
|
|
||
|
# clock_enable_fuse()
|
||
|
# Clear tz ram,
|
||
|
# cd.memwrite_region(BASE_ADDRESSES['TZRAM_BASE'], b"\x00" * BASE_ADDRESSES['TZRAM_SIZE'])
|
||
|
|
||
|
# TODO
|
||
|
# clock_enable_se
|
||
|
# clock_enable_fuse
|
||
|
# fuse_disable_program
|
||
|
# mc_enable
|
||
|
# _config_oscillators
|
||
|
# _config_gpios
|
||
|
# init_sdram
|
||
|
|
||
|
def setup_sdram():
|
||
|
nvbootcontext = 0x40002404
|
||
|
cd.arch_dbg.state.R0 = nvbootcontext
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(0x00101a14 | 1)
|
||
|
pass
|
||
|
# setup_sdram()
|
||
|
|
||
|
def relocate_debugger():
|
||
|
'''
|
||
|
Works, relocates the debugger to the end of IRAM
|
||
|
'''
|
||
|
reloc = open('/home/eljakim/Source/gupje/source/bin/nvidia_shield_t/debugger_reloc.bin', 'rb').read()
|
||
|
cd.memwrite_region(0x4003c000, reloc)
|
||
|
cd.restore_stack_and_jump(0x4003c000 | 1)
|
||
|
assert cd.read(0x100) == b"GiAs"
|
||
|
|
||
|
# And relocate the debugger
|
||
|
cd.relocate_debugger(0x40011000, 0x4003c000, 0x4003e000)
|
||
|
|
||
|
relocate_debugger()
|
||
|
cd.memdump_region(0x40020000, 0x100)
|
||
|
# setup_sdram()
|
||
|
|
||
|
def nvbootmain():
|
||
|
# cd.arch_dbg.state.R1 = 0x40000000
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(0x00101318 | 1)
|
||
|
pass
|
||
|
# nvbootmain()
|
||
|
|
||
|
NVCOLDBOOT = 0x00101ad2
|
||
|
def nvbootcoldboot():
|
||
|
'''
|
||
|
Works, attempts to load the BCT from the EMMC
|
||
|
'''
|
||
|
nvbootinfo = 0x40000000
|
||
|
cd.write_u32(nvbootinfo, 0x400001)
|
||
|
cd.write_u32(nvbootinfo + 4, 0x400001)
|
||
|
cd.write_u32(nvbootinfo + 8, 0x400001)
|
||
|
|
||
|
# cd.write_u32(nvbootinfo + 0xc, 0x00000001) # Boot type, set later also
|
||
|
|
||
|
cd.write_u32(nvbootinfo + 0x10, 5) #Irom
|
||
|
# cd.write_u32(nvbootinfo + 0x10, 9)
|
||
|
|
||
|
def NvBootClocksGetOscFreq():
|
||
|
return cd.read_u32(cd.read_u32(0x00100214) + 0x10) >> 0x1c
|
||
|
cd.write_u32(nvbootinfo + 0x28, NvBootClocksGetOscFreq()) #Irom
|
||
|
cd.write_u32(nvbootinfo + 0xf0, nvbootinfo + 256) # End of boot info
|
||
|
|
||
|
# Move debugger in r0, to jump to that on failure
|
||
|
cd.arch_dbg.state.R0 = 0x40020000 # cd.ga_debugger_location | 1
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(NVCOLDBOOT | 1)
|
||
|
|
||
|
assert cd.read(4) == b"GiAs", "Failed to jump to debugger"
|
||
|
# BCT should be loaded at 0x40020000
|
||
|
|
||
|
|
||
|
nvbootcoldboot()
|
||
|
# dump_emmc()
|
||
|
boot_to = 0x0
|
||
|
if cd.arch_dbg.state.R0 == 0:
|
||
|
# 0x40020000 should point to 0x4000e000
|
||
|
boot_to = cd.read_u32(0x40020000)
|
||
|
assert boot_to == 0x4000e000, "BCT not loaded correctly?"
|
||
|
else:
|
||
|
# BCT not loaded, fix this
|
||
|
boot_to = 0x4000e000
|
||
|
imem = open("bin/imem_bct", 'rb').read()
|
||
|
cd.memwrite_region(0x40000000, imem)
|
||
|
|
||
|
# Setup sdram?
|
||
|
# cd.arch_dbg.state.R0 = 0x40002404
|
||
|
# cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
# cd.restore_stack_and_jump(0x00101a14 | 1)
|
||
|
# pass
|
||
|
|
||
|
# NvBootSdramQueryTotalSize
|
||
|
# cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
# cd.restore_stack_and_jump(0x00105dcc | 1)
|
||
|
# pass
|
||
|
|
||
|
#nvloadbootloader
|
||
|
# cd.arch_dbg.state.R0 = 0x40002404
|
||
|
# cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
# cd.restore_stack_and_jump(0x00104822 | 1)
|
||
|
# pass
|
||
|
|
||
|
|
||
|
|
||
|
# Apply patches
|
||
|
# patch validation of secure os
|
||
|
stub = f"""
|
||
|
mov r0, 0x0
|
||
|
bx lr
|
||
|
"""
|
||
|
cd.memwrite_region(0x4001a2c0, ks_thumb.asm(stub, as_bytes=True)[0])
|
||
|
|
||
|
jump_stub = f"""
|
||
|
ldr r12, addr_debugger_main_t
|
||
|
bx r12
|
||
|
.align 4
|
||
|
addr_debugger_main_t: .word {hex(cd.ga_debugger_location | 1)}
|
||
|
"""
|
||
|
jump_stub = ks_arm.asm(jump_stub, as_bytes=True)[0]
|
||
|
|
||
|
NVBOOTSDMMCREADPAGE = 0x4001d1dc
|
||
|
emmc_dump_patch = cd.memdump_region(NVBOOTSDMMCREADPAGE, 0x20)
|
||
|
def dump_emmc_patches():
|
||
|
cd.memwrite_region(NVBOOTSDMMCREADPAGE, jump_stub)
|
||
|
|
||
|
# Add this to enable emmc hooks
|
||
|
# dump_emmc_patches()
|
||
|
|
||
|
# Setup code for log hook
|
||
|
cd.memwrite_region(0x4001cadc, jump_stub)
|
||
|
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(boot_to)
|
||
|
|
||
|
while True:
|
||
|
try:
|
||
|
r = cd.read(0x100)
|
||
|
if cd.arch_dbg.state.LR == NVBOOTSDMMCREADPAGE:
|
||
|
# Try dumping the emmc
|
||
|
cd.memwrite_region(NVBOOTSDMMCREADPAGE, emmc_dump_patch)
|
||
|
print(f"block={cd.arch_dbg.state.R0} page={cd.arch_dbg.state.R1} buffer={hex(cd.arch_dbg.state.R2)}")
|
||
|
|
||
|
def dirty_emmc_read(block, page, target_buffer):
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.arch_dbg.state.R0 = block
|
||
|
cd.arch_dbg.state.R1 = page
|
||
|
cd.arch_dbg.state.R2 = target_buffer
|
||
|
cd.arch_dbg.state.R3 = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(NVBOOTSDMMCREADPAGE | 1)
|
||
|
resp = cd.read(0x200)
|
||
|
pass
|
||
|
|
||
|
def dump_emmc():
|
||
|
out_buf = 0x40020000
|
||
|
dirty_emmc_read(0, 0, out_buf)
|
||
|
dat = cd.memdump_region(out_buf, 512)
|
||
|
pass
|
||
|
dump_emmc()
|
||
|
pass
|
||
|
elif cd.arch_dbg.state.R0 == 0x77:
|
||
|
# In nvtloadbinary
|
||
|
dat = open("bin/bootloader.bin", 'rb').read()
|
||
|
cd.memwrite_region(0x83d88000, dat[:0x90000])
|
||
|
cd.arch_dbg.state.R0 = 0
|
||
|
cd.restore_stack_and_jump(cd.arch_dbg.state.LR)
|
||
|
continue
|
||
|
elif cd.arch_dbg.state.R0 == 0x76:
|
||
|
cd.arch_dbg.state.R0 = 0
|
||
|
cd.restore_stack_and_jump(0x4000e188)
|
||
|
continue
|
||
|
else:
|
||
|
# In log
|
||
|
msg = cd.read_str(cd.arch_dbg.state.R0)
|
||
|
# Parse arguments, TODO
|
||
|
args = msg.count(b"%")
|
||
|
|
||
|
if b"Bootloader downloaded" in msg:
|
||
|
# Lets try dump the correct bootloader
|
||
|
pass
|
||
|
elif b"corrupted" in msg or b"GPT failed" in msg:
|
||
|
# Restore bootloader
|
||
|
print(msg)
|
||
|
dat = open("bin/bootloader.bin", 'rb').read()
|
||
|
cd.memwrite_region(0x83d88000, dat[:0x90000])
|
||
|
cd.memwrite_region(0x83d90260, ks_thumb.asm("mov r0, r0", as_bytes=True)[0] * 2)
|
||
|
# cd.memwrite_region(0x83e130e6, b"\x00") # Fastboot unlock?
|
||
|
|
||
|
# Remove fastboot lock
|
||
|
shellcode = f"""
|
||
|
mov r0, 0x1
|
||
|
bx lr
|
||
|
"""
|
||
|
cd.memwrite_region(0x83dd0eb0, ks_arm.asm(shellcode, as_bytes=True)[0])
|
||
|
|
||
|
|
||
|
# Jump to bootloader loaded
|
||
|
cd.arch_dbg.state.R0 = 0
|
||
|
cd.arch_dbg.state.LR = 0x40018ea0
|
||
|
cd.restore_stack_and_jump(cd.arch_dbg.state.LR)
|
||
|
continue
|
||
|
elif b"WB0" in msg:
|
||
|
cd.arch_dbg.state.print_ctx(print)
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(0x4000e188)
|
||
|
continue
|
||
|
elif b"Sdram initialization" in msg:
|
||
|
pass
|
||
|
print(f"{hex(cd.arch_dbg.state.LR)}:{msg}")
|
||
|
cd.restore_stack_and_jump(cd.arch_dbg.state.LR)
|
||
|
except Exception as e:
|
||
|
pass
|
||
|
|
||
|
|
||
|
# Jump in bootloader
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(boot_to) # ARM code
|
||
|
pass
|
||
|
|
||
|
|
||
|
# Continue next of init fase
|
||
|
cd.arch_dbg.state.print_ctx(print)
|
||
|
cd.arch_dbg.state.R0 = 0 # Set as success
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(0x00101b76 | 1)
|
||
|
pass
|
||
|
|
||
|
def NvBootMainSecureRomExit():
|
||
|
cd.arch_dbg.state.R0 = 0 #warmboot
|
||
|
cd.arch_dbg.state.R1 = boot_to
|
||
|
cd.arch_dbg.state.R2 = 0x0 # Security bitfield
|
||
|
cd.arch_dbg.state.R3 = 0x0 # debug bitfield
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(0x0010121e | 1)
|
||
|
NvBootMainSecureRomExit()
|
||
|
|
||
|
def NvBootArcDisable():
|
||
|
cd.arch_dbg.state.R0 = boot_to
|
||
|
cd.arch_dbg.state.LR = cd.ga_debugger_location | 1
|
||
|
cd.restore_stack_and_jump(0x0010166e | 1)
|
||
|
cd.read(4)
|
||
|
NvBootArcDisable()
|
||
|
pass
|
||
|
|
||
|
|
||
|
# cd.memwrite_region(BASE_ADDRESSES['IROM_BASE'], b"\x00" * 0xc000)#)open("imem_good.bin", 'rb').read()[:IROM_LEN]
|
||
|
|
||
|
def resetfullchip():
|
||
|
cd.R0 = BASE_ADDRESSES['IROM_BASE']
|
||
|
cd.R1 = BASE_ADDRESSES['IROM_BASE']
|
||
|
cd.R2 = BASE_ADDRESSES['IROM_BASE']
|
||
|
# cd.restore_stack_and_jump(0x00100624 | 1)
|
||
|
cd.restore_stack_and_jump(0x0010122c | 1)
|
||
|
pass
|
||
|
|
||
|
# coldboot()
|
||
|
pass
|
||
|
|
||
|
def relocate_debugger(cd : ConcreteDevice):
|
||
|
'''
|
||
|
Works, relocates the debugger to the end of IRAM
|
||
|
'''
|
||
|
reloc = open('/home/eljakim/Source/gupje/source/bin/nvidia_shield_t/debugger_reloc.bin', 'rb').read()
|
||
|
cd.memwrite_region(0x4003c000, reloc)
|
||
|
cd.restore_stack_and_jump(0x4003c000 | 1)
|
||
|
assert cd.read(0x100) == b"GiAs"
|
||
|
|
||
|
# And relocate the debugger
|
||
|
cd.relocate_debugger(0x40011000, 0x4003c000, 0x4003e000)
|
||
|
|
||
|
|
||
|
|
||
|
def device_main(cd : "ConcreteDevice", args):
|
||
|
'''
|
||
|
Main function that will do execution for the device.
|
||
|
'''
|
||
|
cd.test_connection()
|
||
|
partial_emu = False
|
||
|
if partial_emu:
|
||
|
relocate_debugger(cd)
|
||
|
do_partial_emu(cd)
|
||
|
else:
|
||
|
hw_init(cd)
|
||
|
attempt_boot_bct(cd)
|
||
|
test_arm_asm(cd)
|
||
|
pass
|
||
|
|
||
|
if __name__ == "__main__":
|
||
|
logger = setup_logger("DEBUGGER")
|
||
|
logger.setLevel(logging.INFO)
|
||
|
cd = ConcreteDevice(None, False)
|
||
|
cd.dev = device_setup(cd)
|
||
|
cd.device_main = device_main
|
||
|
cd.device_main(cd, [])
|