from ghidra_assistant.utils.utils import * from ghidra_assistant.utils.archs.asm_utils import * from ghidra_assistant.concrete_device import * from qiling.const import QL_ARCH from ghidra_assistant.utils.debugger.debugger_archs.ga_arm_thumb import GA_arm_thumb_debugger from exploit import * from keystone import * from t210 import * from hw_in_the_loop import * from partial_emulation import * ks_arm = Ks(KS_ARCH_ARM, KS_MODE_ARM) ks_thumb = Ks(KS_ARCH_ARM, KS_MODE_THUMB) logger = setup_logger("") # get root logger logger.setLevel(logging.DEBUG) def device_setup(concrete_device : "ConcreteDevice"): ''' This function has to return a device object that handles the communication between the host and the device. Must implement at least the following: * read * write In this function you can also setup known values that the concrete debugger will use, like the target architecture and locations of the debugger and the vbar ''' #Setup architecture concrete_device.arch = QL_ARCH.ARM concrete_device.ga_debugger_location = 0x4000E000 concrete_device.ga_vbar_location = 0x40011000 concrete_device.ga_storage_location = 0x40013000 concrete_device.ga_stack_location = 0x40014000 rcm = TegraRCM() rcm.dev.read_chip_id() # file = "/home/eljakim/Source/gupje/source/bin/nvidia_shield/debugger.bin" file = "/home/eljakim/Source/gupje/source/bin/nvidia_shield_t/debugger.bin" # file = "/tmp/gardenia/build/bootloader" rcm.send_payload(file, thumb=1) concrete_device.arch_dbg = GA_arm_thumb_debugger(concrete_device.ga_vbar_location, concrete_device.ga_debugger_location, concrete_device.ga_storage_location) assert(rcm.dev.read(0x100) == b"GiAs") concrete_device.arch_dbg.read = rcm.dev.read concrete_device.arch_dbg.write = rcm.dev.write #Overwrite all calls to make the concrete target function properly concrete_device.copy_functions() # And add custom functions def read_u32(address): return u32(concrete_device.memdump_region(address, 4)) def write_u32(address, value): concrete_device.memwrite_region(address, p32(value)) def read_str(address): d = b"" while True: c = concrete_device.memdump_region(address, 1) if c == b"\x00": break d += c address += 1 return d concrete_device.read_u32 = read_u32 concrete_device.write_u32 = write_u32 concrete_device.read_str = read_str concrete_device.debugger_main = concrete_device.get_debugger_location() return rcm def test_arm_asm(cd : "ConcreteDevice"): cd.arch_dbg.state.auto_sync = False shellcode = f""" .align 1 start: ldr r0, =addr_some_addr ldr r1, =0x1000 ldr r2, =addr_debugger_storage ldr r4, =addr_usb_write bx r4 bx lr ldr r0, =addr_debugger_main bx r0 b flush ldr r0, =addr_debugger_storage ldr r1, =0x77 ldr r2, =0x77 str r0, [r0] str r1, [r0, #4] str r2, [r0, #8] bx lr flush: @ Flush the instruction cache @ mov r0, #0 @ Select the instruction cache @ mcr p15, 0, r0, c7, c5 @ Invalidate the entire instruction cache @ Flush the data cache @ mov r0, #0 @ Select the data cache @ mcr p15, 0, r0, c7, c6 @ Invalidate the entire data cache bx lr ldr r0, =addr_debugger_main bx r0 .align 3 addr_debugger_storage: .word 0x40013000 addr_usb_write: .word 0x001065C0 addr_rom_start: .word 0x00100000 addr_debugger_main : .word 0x4000E000 addr_some_addr: .word 0x40020000 .align 1 addr_debugger_main_t: .word 0x4000E001 """ asm = ks_arm.asm(shellcode, as_bytes=True)[0] cd.memwrite_region(0x40013000 + 0x2000, asm) cd.jump_to(0x40013000 + 0x2000) #branch arm try: r = cd.read(0x200) pass except Exception as e: print(str(e)) pass pass def dump_full_dram_context(cd : "ConcreteDevice"): # BootROM rom = cd.memdump_region(0x100000, 0x17000) imem = cd.memdump_region(0x40000000, 0xfc00) SETUP_SDRAM = 0x00101a14 def attempt_boot_bct(cd : "ConcreteDevice"): dat = open("bin/imem_good.bin", 'rb').read() cd.memwrite_region(0x40000000, dat[:0xe000]) cd.write(b"MAIN") cd.arch_dbg.state.auto_sync = False cd.arch_dbg.state.print_ctx(print) dump_full_dram_context(cd) jump_stub = f""" .align 1 ldr r0, addr_debugger_main_t bx r0 .align 4 addr_debugger_main_t: .word 0x4000E001 """ jump_stub = ks_thumb.asm(jump_stub, as_bytes=True)[0] cd.memwrite_region(SETUP_SDRAM, jump_stub) # Test dumb restore_and_jump # cd.arch_dbg.state.R0 = 0x00101c18 # cd.arch_dbg.state.R3 = 0x4000E001 def test_restore_and_jump(): cd.arch_dbg.state.LR = 0x4000E001 cd.restore_stack_and_jump(0x00101c28 + 1) # Some dumb function that sets r0 assert cd.read(100) == b"GiAs" cd.arch_dbg.state.LR = 0x4000E001 cd.arch_dbg.state.R0 = 0x00101c18 cd.restore_stack_and_jump(SETUP_SDRAM + 1) cd.jump_to(0x00101c28 + 1) pass CLK_RST_CONTROLLER_MISC_CLK_ENB = 0x48 IROM_LEN = 0x00010000 def hw_init(cd : "ConcreteDevice"): # Get chip id # 0x14017 cd.arch_dbg.state.print_ctx(print) def NvBootUtilGetTimeUS(): cd.arch_dbg.state.LR = cd.arch_dbg.debugger_addr | 1 cd.arch_dbg.restore_stack_and_jump(0x00100c7e | 1) assert cd.read(4) == b'GiAs', "Debugger crashed?" return cd.arch_dbg.state.R0 chip_id = u32(cd.memdump_region(mmio_reg32(BASE_ADDRESSES['APB_MISC_BASE'], APB_MISC_GP_HIDREV), 4)) chip_version = (chip_id >> 4) & 0xF def clock_enable_fuse(): addr = mmio_reg32(BASE_ADDRESSES['CLOCK_BASE'], CLK_RST_CONTROLLER_MISC_CLK_ENB) val = cd.read_u32(addr) enable = 1 cd.write_u32(addr, val & 0xEFFFFFFF | ((enable & 1) << 28)) # clock_enable_fuse() # Clear tz ram, # cd.memwrite_region(BASE_ADDRESSES['TZRAM_BASE'], b"\x00" * BASE_ADDRESSES['TZRAM_SIZE']) # TODO # clock_enable_se # clock_enable_fuse # fuse_disable_program # mc_enable # _config_oscillators # _config_gpios # init_sdram def setup_sdram(): nvbootcontext = 0x40002404 cd.arch_dbg.state.R0 = nvbootcontext cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(0x00101a14 | 1) pass # setup_sdram() def relocate_debugger(): ''' Works, relocates the debugger to the end of IRAM ''' reloc = open('/home/eljakim/Source/gupje/source/bin/nvidia_shield_t/debugger_reloc.bin', 'rb').read() cd.memwrite_region(0x4003c000, reloc) cd.restore_stack_and_jump(0x4003c000 | 1) assert cd.read(0x100) == b"GiAs" # And relocate the debugger cd.relocate_debugger(0x40011000, 0x4003c000, 0x4003e000) relocate_debugger() cd.memdump_region(0x40020000, 0x100) # setup_sdram() def nvbootmain(): # cd.arch_dbg.state.R1 = 0x40000000 cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(0x00101318 | 1) pass # nvbootmain() NVCOLDBOOT = 0x00101ad2 def nvbootcoldboot(): ''' Works, attempts to load the BCT from the EMMC ''' nvbootinfo = 0x40000000 cd.write_u32(nvbootinfo, 0x400001) cd.write_u32(nvbootinfo + 4, 0x400001) cd.write_u32(nvbootinfo + 8, 0x400001) # cd.write_u32(nvbootinfo + 0xc, 0x00000001) # Boot type, set later also cd.write_u32(nvbootinfo + 0x10, 5) #Irom # cd.write_u32(nvbootinfo + 0x10, 9) def NvBootClocksGetOscFreq(): return cd.read_u32(cd.read_u32(0x00100214) + 0x10) >> 0x1c cd.write_u32(nvbootinfo + 0x28, NvBootClocksGetOscFreq()) #Irom cd.write_u32(nvbootinfo + 0xf0, nvbootinfo + 256) # End of boot info # Move debugger in r0, to jump to that on failure cd.arch_dbg.state.R0 = 0x40020000 # cd.ga_debugger_location | 1 cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(NVCOLDBOOT | 1) assert cd.read(4) == b"GiAs", "Failed to jump to debugger" # BCT should be loaded at 0x40020000 nvbootcoldboot() # dump_emmc() boot_to = 0x0 if cd.arch_dbg.state.R0 == 0: # 0x40020000 should point to 0x4000e000 boot_to = cd.read_u32(0x40020000) assert boot_to == 0x4000e000, "BCT not loaded correctly?" else: # BCT not loaded, fix this boot_to = 0x4000e000 imem = open("bin/imem_bct", 'rb').read() cd.memwrite_region(0x40000000, imem) # Setup sdram? # cd.arch_dbg.state.R0 = 0x40002404 # cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 # cd.restore_stack_and_jump(0x00101a14 | 1) # pass # NvBootSdramQueryTotalSize # cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 # cd.restore_stack_and_jump(0x00105dcc | 1) # pass #nvloadbootloader # cd.arch_dbg.state.R0 = 0x40002404 # cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 # cd.restore_stack_and_jump(0x00104822 | 1) # pass # Apply patches # patch validation of secure os stub = f""" mov r0, 0x0 bx lr """ cd.memwrite_region(0x4001a2c0, ks_thumb.asm(stub, as_bytes=True)[0]) jump_stub = f""" ldr r12, addr_debugger_main_t bx r12 .align 4 addr_debugger_main_t: .word {hex(cd.ga_debugger_location | 1)} """ jump_stub = ks_arm.asm(jump_stub, as_bytes=True)[0] NVBOOTSDMMCREADPAGE = 0x4001d1dc emmc_dump_patch = cd.memdump_region(NVBOOTSDMMCREADPAGE, 0x20) def dump_emmc_patches(): cd.memwrite_region(NVBOOTSDMMCREADPAGE, jump_stub) # Add this to enable emmc hooks # dump_emmc_patches() # Setup code for log hook cd.memwrite_region(0x4001cadc, jump_stub) cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(boot_to) while True: try: r = cd.read(0x100) if cd.arch_dbg.state.LR == NVBOOTSDMMCREADPAGE: # Try dumping the emmc cd.memwrite_region(NVBOOTSDMMCREADPAGE, emmc_dump_patch) print(f"block={cd.arch_dbg.state.R0} page={cd.arch_dbg.state.R1} buffer={hex(cd.arch_dbg.state.R2)}") def dirty_emmc_read(block, page, target_buffer): cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.arch_dbg.state.R0 = block cd.arch_dbg.state.R1 = page cd.arch_dbg.state.R2 = target_buffer cd.arch_dbg.state.R3 = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(NVBOOTSDMMCREADPAGE | 1) resp = cd.read(0x200) pass def dump_emmc(): out_buf = 0x40020000 dirty_emmc_read(0, 0, out_buf) dat = cd.memdump_region(out_buf, 512) pass dump_emmc() pass elif cd.arch_dbg.state.R0 == 0x77: # In nvtloadbinary dat = open("bin/bootloader.bin", 'rb').read() cd.memwrite_region(0x83d88000, dat[:0x90000]) cd.arch_dbg.state.R0 = 0 cd.restore_stack_and_jump(cd.arch_dbg.state.LR) continue elif cd.arch_dbg.state.R0 == 0x76: cd.arch_dbg.state.R0 = 0 cd.restore_stack_and_jump(0x4000e188) continue else: # In log msg = cd.read_str(cd.arch_dbg.state.R0) # Parse arguments, TODO args = msg.count(b"%") if b"Bootloader downloaded" in msg: # Lets try dump the correct bootloader pass elif b"corrupted" in msg or b"GPT failed" in msg: # Restore bootloader print(msg) dat = open("bin/bootloader.bin", 'rb').read() cd.memwrite_region(0x83d88000, dat[:0x90000]) cd.memwrite_region(0x83d90260, ks_thumb.asm("mov r0, r0", as_bytes=True)[0] * 2) # cd.memwrite_region(0x83e130e6, b"\x00") # Fastboot unlock? # Remove fastboot lock shellcode = f""" mov r0, 0x1 bx lr """ cd.memwrite_region(0x83dd0eb0, ks_arm.asm(shellcode, as_bytes=True)[0]) # Jump to bootloader loaded cd.arch_dbg.state.R0 = 0 cd.arch_dbg.state.LR = 0x40018ea0 cd.restore_stack_and_jump(cd.arch_dbg.state.LR) continue elif b"WB0" in msg: cd.arch_dbg.state.print_ctx(print) cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(0x4000e188) continue elif b"Sdram initialization" in msg: pass print(f"{hex(cd.arch_dbg.state.LR)}:{msg}") cd.restore_stack_and_jump(cd.arch_dbg.state.LR) except Exception as e: pass # Jump in bootloader cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(boot_to) # ARM code pass # Continue next of init fase cd.arch_dbg.state.print_ctx(print) cd.arch_dbg.state.R0 = 0 # Set as success cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(0x00101b76 | 1) pass def NvBootMainSecureRomExit(): cd.arch_dbg.state.R0 = 0 #warmboot cd.arch_dbg.state.R1 = boot_to cd.arch_dbg.state.R2 = 0x0 # Security bitfield cd.arch_dbg.state.R3 = 0x0 # debug bitfield cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(0x0010121e | 1) NvBootMainSecureRomExit() def NvBootArcDisable(): cd.arch_dbg.state.R0 = boot_to cd.arch_dbg.state.LR = cd.ga_debugger_location | 1 cd.restore_stack_and_jump(0x0010166e | 1) cd.read(4) NvBootArcDisable() pass # cd.memwrite_region(BASE_ADDRESSES['IROM_BASE'], b"\x00" * 0xc000)#)open("imem_good.bin", 'rb').read()[:IROM_LEN] def resetfullchip(): cd.R0 = BASE_ADDRESSES['IROM_BASE'] cd.R1 = BASE_ADDRESSES['IROM_BASE'] cd.R2 = BASE_ADDRESSES['IROM_BASE'] # cd.restore_stack_and_jump(0x00100624 | 1) cd.restore_stack_and_jump(0x0010122c | 1) pass # coldboot() pass def relocate_debugger(cd : ConcreteDevice): ''' Works, relocates the debugger to the end of IRAM ''' reloc = open('/home/eljakim/Source/gupje/source/bin/nvidia_shield_t/debugger_reloc.bin', 'rb').read() cd.memwrite_region(0x4003c000, reloc) cd.restore_stack_and_jump(0x4003c000 | 1) assert cd.read(0x100) == b"GiAs" # And relocate the debugger cd.relocate_debugger(0x40011000, 0x4003c000, 0x4003e000) def device_main(cd : "ConcreteDevice", args): ''' Main function that will do execution for the device. ''' cd.test_connection() partial_emu = False if partial_emu: relocate_debugger(cd) do_partial_emu(cd) else: hw_init(cd) attempt_boot_bct(cd) test_arm_asm(cd) pass if __name__ == "__main__": logger = setup_logger("DEBUGGER") logger.setLevel(logging.INFO) cd = ConcreteDevice(None, False) cd.dev = device_setup(cd) cd.device_main = device_main cd.device_main(cd, [])