diff mot931c/hack-payload.disasm @ 157:9082f3991fe5

mot931c break-in procedure cracked
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Wed, 14 May 2014 05:34:37 +0000
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mot931c/hack-payload.disasm	Wed May 14 05:34:37 2014 +0000
@@ -0,0 +1,64 @@
+; This hack payload must be receiving control in the ARM state,
+; as the instruction at 0 makes sense as ARM, but not as Thumb.
+
+; SVC mode, IRQ & FIQ disabled
+       0:	e321f0d3	msr	CPSR_c, #211	; 0xd3
+; disable the watchdog
+       4:	e59f10b4	ldr	r1, =0xfffff802	; via 0xc0
+       8:	e3a000f5	mov	r0, #245	; 0xf5
+       c:	e1c100b2	strh	r0, [r1, #2]
+      10:	e3a000a0	mov	r0, #160	; 0xa0
+      14:	e1c100b2	strh	r0, [r1, #2]
+; MODEM UART
+      18:	e59f60a4	ldr	r6, =0xffff5800	; via 0xc4
+; wait for "INT" input
+      1c:	e5d60005	ldrb	r0, [r6, #5]
+      20:	e3100001	tst	r0, #1
+      24:	0afffffc	beq	0x1c
+      28:	e5d65000	ldrb	r5, [r6]
+      2c:	e3550049	cmp	r5, #73	; 0x49
+      30:	1afffff9	bne	0x1c
+      34:	e5d60005	ldrb	r0, [r6, #5]
+      38:	e3100001	tst	r0, #1
+      3c:	0afffffc	beq	0x34
+      40:	e5d65000	ldrb	r5, [r6]
+      44:	e355004e	cmp	r5, #78	; 0x4e
+      48:	1afffff3	bne	0x1c
+      4c:	e5d60005	ldrb	r0, [r6, #5]
+      50:	e3100001	tst	r0, #1
+      54:	0afffffc	beq	0x4c
+      58:	e5d65000	ldrb	r5, [r6]
+      5c:	e3550054	cmp	r5, #84	; 0x54
+      60:	1affffed	bne	0x1c
+; send 'X'
+      64:	e3a00058	mov	r0, #88	; 0x58
+      68:	e5c60000	strb	r0, [r6]
+; receive 2 bytes of length (LSB first)
+      6c:	e1a00000	mov	r0, r0
+      70:	e5d60005	ldrb	r0, [r6, #5]
+      74:	e3100001	tst	r0, #1
+      78:	0afffffc	beq	0x70
+      7c:	e5d65000	ldrb	r5, [r6]
+      80:	e5d60005	ldrb	r0, [r6, #5]
+      84:	e3100001	tst	r0, #1
+      88:	0afffffc	beq	0x80
+      8c:	e5d60000	ldrb	r0, [r6]
+      90:	e1855400	orr	r5, r5, r0, lsl #8
+; receive next stage payload
+      94:	e59f402c	ldr	r4, =0x800100	; via 0xc8
+      98:	e1a03004	mov	r3, r4
+      9c:	e5d60005	ldrb	r0, [r6, #5]
+      a0:	e3100001	tst	r0, #1
+      a4:	0afffffc	beq	0x9c
+      a8:	e5d60000	ldrb	r0, [r6]
+      ac:	e5c40000	strb	r0, [r4]
+      b0:	e2844001	add	r4, r4, #1
+      b4:	e2555001	subs	r5, r5, #1
+      b8:	1afffff7	bne	0x9c
+; jump to it
+      bc:	e12fff13	bx	r3
+
+; literal pool
+      c0:	fffff802
+      c4:	ffff5800
+      c8:	00800100
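Review bot: The instruction at 0x6c, `mov r0, r0`, sits right under the "receive 2 bytes of length" annotation but has no architectural effect, so a reader may mistake it for part of the receive sequence; a comment such as `; 6c: mov r0, r0 is a nop (no effect on the length read below)` would avoid that. The register roles are also left for the reader to reconstruct, and a short header above 0x1c would help: r6 = MODEM UART base (0xffff5800, offset 5 polled for bit 0 before each byte read at offset 0), r5 = last received byte and later the 16-bit length, r4 = destination write pointer starting at 0x800100, r3 = saved entry address. It is worth stating at 0xbc that `bx r3` with r3 = 0x800100 (bit 0 clear) enters the next stage in ARM state, consistent with the opening remark that this payload itself runs as ARM. The literal pool entries at 0xc0–0xc8 could carry the same `; via` cross-references in reverse (e.g. `; used by ldr at 0x4`) so the listing reads both ways.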