MicroCorruption/25-Halifax/Halifax.asm

374 lines
13 KiB
NASM
Raw Permalink Normal View History

2023-01-09 09:54:47 +00:00
Hex:
:10 4400 00 55425C0135D0085A8245002831400044 AD
:10 4410 00 3F4000000F930824924200285C012F83 44
:10 4420 00 9F4F6E470024F8233F4000040F930724 5A
:10 4430 00 924200285C011F83CF430024F9233150 AE
:10 4440 00 E0FF3F403446B01286453F405846B012 28
:10 4450 00 86450312031230124000B01250453150 0D
:10 4460 00 06003F406F46B0128645031203123012 19
:10 4470 00 7F00B0125045315006003F409146B012 C7
:10 4480 00 86453F40C646B01286453D4020000E43 5B
:10 4490 00 0F41B012C8453F40FC46B01286450D41 61
:10 44A0 00 3E4000100F43B012B6450B430F410F5B 67
:10 44B0 00 6E4F0F4E3FF00F005A4F104712C34E10 71
:10 44C0 00 12C34E1012C34E1012C34E103EF00F00 16
:10 44D0 00 5F4E1047B01278454F4AB01278451B53 D3
:10 44E0 00 3B902000E3233F402147B01286453F40 E8
:10 44F0 00 2247B01286453D4000040E433F400024 51
:10 4500 00 B012C8453E40FF033F400024B0126845 4A
:10 4510 00 5B4200248B105F4201240BDF5A420224 CD
:10 4520 00 2A93052C3F403E47B0128645E03F3F40 6E
:10 4530 00 5547B01286450D4A3E4003240F4BB012 3A
:10 4540 00 A4458B12D43F32D0F000FD3F30403246 BC
:10 4550 00 1F41020002124F4F8F103FD00080024F C8
:10 4560 00 B0121000324130410E120F122312B012 5D
:10 4570 00 50453150060030418F110F120312B012 16
:10 4580 00 5045215230410B120B4F033C1B53B012 CC
:10 4590 00 78456F4B4F93FA237F400A00B0127845 5D
:10 45A0 00 3B4130410C4F043CFC4E00001C533D53 3A
:10 45B0 00 0D93FA2330410D120E120F1230124100 EA
:10 45C0 00 B0125045315230410B120A1209120812 32
:10 45D0 00 3D900600092C0C4F043CCC4E00001C53 AF
:10 45E0 00 3D530D93FA23203C4E4E4B4E0B930324 28
:10 45F0 00 0C4B8C100BDC1FB306243D53CF4E0000 38
:10 4600 00 094F1953013C094F0C4D12C30C100A49 B4
:10 4610 00 084C8A4B00002A533853FB230C5C0C59 7E
:10 4620 00 1DF30224CC4E0000384139413A413B41 50
:04 4630 00 30410013 02
Strings:
:10 4634 00 57656C636F6D6520746F207468652074 B2
:10 4644 00 6573742070726F6772616D206C6F6164 42
:10 4654 00 65722E00456E61626C696E6720686172 D6
:10 4664 00 64656E6564206D6F6465005665726966 85
:10 4674 00 79696E67203078376620696E74657272 66
:10 4684 00 7570742064697361626C656400307837 96
:10 4694 00 6620696E746572727570742064697361 E2
:10 46A4 00 626C65642C206B65792073746F726564 29
:10 46B4 00 20696E20696E7465726E616C20535241 7C
:10 46C4 00 4D00756E6C6F636B2062792070726F76 2B
:10 46D4 00 6964696E672074686520313620627974 74
:10 46E4 00 65206B657920746F203078343120696E D1
:10 46F4 00 7465727275707400496E7465726E616C 63
:10 4704 00 205352414D20486173683A0030313233 AE
:10 4714 00 3435363738394142434445460000506C FD
:10 4724 00 6561736520656E746572206465627567 82
:10 4734 00 207061796C6F61642E00496E76616C69 DA
:10 4744 00 64207061796C6F6164206C656E677468 55
:10 4754 00 00457865637574696E67206465627567 82
:0A 4764 00 207061796C6F61640000 41
Vector_Table:
:10 FF80 00 4C454C454C454C454C454C454C454C45 E9
:10 FF90 00 4C454C454C454C454C454C454C450044 26
Entry:
:04 0000 03 00004400 B5
:00 0000 01 FF
Obj:
0010 <__trap_interrupt>
0010: 3041 ret
4400 <__watchdog_support>
4400: 5542 5c01 mov.b &0x015c, r5
4404: 35d0 085a bis #0x5a08, r5
4408: 8245 0028 mov r5, &0x2800
440c <__init_stack>
440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
4410 <__do_copy_data>
4410: 3f40 0000 clr r15
4414: 0f93 tst r15
4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
4418: 9242 0028 5c01 mov &0x2800, &0x015c
441e: 2f83 decd r15
4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15)
4426: f823 jnz #0x4418 <__do_copy_data+0x8>
4428 <__do_clear_bss>
4428: 3f40 0004 mov #0x400, r15
442c: 0f93 tst r15
442e: 0724 jz #0x443e <main+0x0>
4430: 9242 0028 5c01 mov &0x2800, &0x015c
4436: 1f83 dec r15
4438: cf43 0024 mov.b #0x0, 0x2400(r15)
443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
443e <main>
; char sha_buf[0x20];
443e: 3150 e0ff add #0xffe0, sp
; puts ("Welcome to the test program loader.");
4442: 3f40 3446 mov #0x4634 "Welcome to the test program loader." <__data_start+0x2234>, r15
4446: b012 8645 call #0x4586 <puts>
; puts ("Enabling hardened mode");
444a: 3f40 5846 mov #0x4658 "Enabling hardened mode" r15
444e: b012 8645 call #0x4586 <puts>
; INT (0x40);
4452: 0312 push #0x0
4454: 0312 push #0x0
4456: 3012 4000 push #0x40
445a: b012 5045 call #0x4550 <INT>
445e: 3150 0600 add #0x6, sp
; puts ("Verifying 0x7f interrupt disabled");
4462: 3f40 6f46 mov #0x466f "Verifying 0x7f interrupt disabled" r15
4466: b012 8645 call #0x4586 <puts>
; INT (0x7f);
446a: 0312 push #0x0
446c: 0312 push #0x0
446e: 3012 7f00 push #0x7f
4472: b012 5045 call #0x4550 <INT>
4476: 3150 0600 add #0x6, sp
; puts ("0x7f interrupt disabled, key stored in internal SRAM");
447a: 3f40 9146 mov #0x4691 "0x7f interrupt disabled, key stored in internal SRAM" r15
447e: b012 8645 call #0x4586 <puts>
; puts ("unlock by providing the 16 byte key to 0x41 interrupt");
4482: 3f40 c646 mov #0x46c6 "unlock by providing the 16 byte key to 0x41 interrupt" r15
4486: b012 8645 call #0x4586 <puts>
; memset (&sha_buf, 0, 0x20);
448a: 3d40 2000 mov #0x20, r13
448e: 0e43 clr r14
4490: 0f41 mov sp, r15
4492: b012 c845 call #0x45c8 <memset>
; puts ("Internal SRAM Hash:");
4496: 3f40 fc46 mov #0x46fc "Internal SRAM Hash:" r15
449a: b012 8645 call #0x4586 <puts>
; sha256_internal (0, 0x1000, &sha_buf);
449e: 0d41 mov sp, r13
44a0: 3e40 0010 mov #0x1000, r14
44a4: 0f43 clr r15
44a6: b012 b645 call #0x45b6 <sha256_internal>
print_hash_inline:
; for (i /* r11 */ = 0; i != 0x20; i++)
44aa: 0b43 clr r11
pha_loop:
; byte /* r14 */ = hash[i];
44ac: 0f41 mov sp, r15
44ae: 0f5b add r11, r15
44b0: 6e4f mov.b @r15, r14
; lower_nibble /* r15 */ = byte & 0xf;
44b2: 0f4e mov r14, r15
44b4: 3ff0 0f00 and #0xf, r15
; lower_char /* r11 */ = "0123456789ABCDEF"[lower_nibble];
44b8: 5a4f 1047 mov.b 0x4710(r15), r10
; upper_nibble /* r14 */ = (byte >> 0x4) & 0xf;
44bc: 12c3 clrc
44be: 4e10 rrc.b r14
44c0: 12c3 clrc
44c2: 4e10 rrc.b r14
44c4: 12c3 clrc
44c6: 4e10 rrc.b r14
44c8: 12c3 clrc
44ca: 4e10 rrc.b r14
44cc: 3ef0 0f00 and #0xf, r14
; putchar("0123456789ABCDEF"[upper_nibble]);
44d0: 5f4e 1047 mov.b 0x4710(r14), r15
44d4: b012 7845 call #0x4578 <putchar>
; putchar(lower_char)
44d8: 4f4a mov.b r10, r15
44da: b012 7845 call #0x4578 <putchar>
; ... i != 0x20; i++)
44de: 1b53 inc r11
44e0: 3b90 2000 cmp #0x20, r11
44e4: e323 jne #0x44ac <main+0x6e> <pha_loop>
; puts (""); // prints newline
44e6: 3f40 2147 mov #0x4721, r15
44ea: b012 8645 call #0x4586 <puts>
; while(true) {
; puts ("Please enter debug payload.");
44ee: 3f40 2247 mov #0x4722 "Please enter debug payload." r15
44f2: b012 8645 call #0x4586 <puts>
; memset (0x2400, 0, 0x400);
44f6: 3d40 0004 mov #0x400, r13
44fa: 0e43 clr r14
44fc: 3f40 0024 mov #0x2400, r15
4500: b012 c845 call #0x45c8 <memset>
; getsn (0x2400, 0x3ff);
4504: 3e40 ff03 mov #0x3ff, r14
4508: 3f40 0024 mov #0x2400, r15
450c: b012 6845 call #0x4568 <getsn>
; loadaddr = (buf[0] << 8) + (buf[1]);
4510: 5b42 0024 mov.b &0x2400, r11
4514: 8b10 swpb r11
4516: 5f42 0124 mov.b &0x2401, r15
451a: 0bdf bis r15, r11
;
451c: 5a42 0224 mov.b &0x2402, r10
4520: 2a93 cmp #0x2, r10
4522: 052c jc #0x452e <main+0xf0>
4524: 3f40 3e47 mov #0x473e "Invalid payload length" r15
4528: b012 8645 call #0x4586 <puts>
; continue;
452c: e03f jmp #0x44ee <main+0xb0>
execute_debug_payload:
452e: 3f40 5547 mov #0x4755 "Executing debug payload" r15
4532: b012 8645 call #0x4586 <puts>
; memcpy (loadaddr, 0x2403, len);
4536: 0d4a mov r10, r13
4538: 3e40 0324 mov #0x2403, r14
453c: 0f4b mov r11, r15
453e: b012 a445 call #0x45a4 <memcpy>
; loadaddr();
4542: 8b12 call r11
; continue;
4544: d43f jmp #0x44ee <main+0xb0>
4546 <__stop_progExec__>
4546: 32d0 f000 bis #0xf0, sr
454a: fd3f jmp #0x4546 <__stop_progExec__+0x0>
454c <__ctors_end>
454c: 3040 3246 br #0x4632 <_unexpected_>
4550 <INT>
4550: 1f41 0200 mov 0x2(sp), r15
4554: 0212 push sr
4556: 4f4f mov.b r15, r15
4558: 8f10 swpb r15
455a: 3fd0 0080 bis #0x8000, r15
455e: 024f mov r15, sr
4560: b012 1000 call #0x10
4564: 3241 pop sr
4566: 3041 ret
4568 <getsn>
4568: 0e12 push r14
456a: 0f12 push r15
456c: 2312 push #0x2
456e: b012 5045 call #0x4550 <INT>
4572: 3150 0600 add #0x6, sp
4576: 3041 ret
4578 <putchar>
4578: 8f11 sxt r15
457a: 0f12 push r15
457c: 0312 push #0x0
457e: b012 5045 call #0x4550 <INT>
4582: 2152 add #0x4, sp
4584: 3041 ret
4586 <puts>
4586: 0b12 push r11
4588: 0b4f mov r15, r11
458a: 033c jmp #0x4592 <puts+0xc>
458c: 1b53 inc r11
458e: b012 7845 call #0x4578 <putchar>
4592: 6f4b mov.b @r11, r15
4594: 4f93 tst.b r15
4596: fa23 jnz #0x458c <puts+0x6>
4598: 7f40 0a00 mov.b #0xa, r15
459c: b012 7845 call #0x4578 <putchar>
45a0: 3b41 pop r11
45a2: 3041 ret
45a4 <memcpy>
45a4: 0c4f mov r15, r12
45a6: 043c jmp #0x45b0 <memcpy+0xc>
45a8: fc4e 0000 mov.b @r14+, 0x0(r12)
45ac: 1c53 inc r12
45ae: 3d53 add #-0x1, r13
45b0: 0d93 tst r13
45b2: fa23 jnz #0x45a8 <memcpy+0x4>
45b4: 3041 ret
45b6 <sha256_internal>
45b6: 0d12 push r13
45b8: 0e12 push r14
45ba: 0f12 push r15
45bc: 3012 4100 push #0x41
45c0: b012 5045 call #0x4550 <INT>
45c4: 3152 add #0x8, sp
45c6: 3041 ret
45c8 <memset>
45c8: 0b12 push r11
45ca: 0a12 push r10
45cc: 0912 push r9
45ce: 0812 push r8
45d0: 3d90 0600 cmp #0x6, r13
45d4: 092c jc #0x45e8 <memset+0x20>
45d6: 0c4f mov r15, r12
45d8: 043c jmp #0x45e2 <memset+0x1a>
45da: cc4e 0000 mov.b r14, 0x0(r12)
45de: 1c53 inc r12
45e0: 3d53 add #-0x1, r13
45e2: 0d93 tst r13
45e4: fa23 jnz #0x45da <memset+0x12>
45e6: 203c jmp #0x4628 <memset+0x60>
45e8: 4e4e mov.b r14, r14
45ea: 4b4e mov.b r14, r11
45ec: 0b93 tst r11
45ee: 0324 jz #0x45f6 <memset+0x2e>
45f0: 0c4b mov r11, r12
45f2: 8c10 swpb r12
45f4: 0bdc bis r12, r11
45f6: 1fb3 bit #0x1, r15
45f8: 0624 jz #0x4606 <memset+0x3e>
45fa: 3d53 add #-0x1, r13
45fc: cf4e 0000 mov.b r14, 0x0(r15)
4600: 094f mov r15, r9
4602: 1953 inc r9
4604: 013c jmp #0x4608 <memset+0x40>
4606: 094f mov r15, r9
4608: 0c4d mov r13, r12
460a: 12c3 clrc
460c: 0c10 rrc r12
460e: 0a49 mov r9, r10
4610: 084c mov r12, r8
4612: 8a4b 0000 mov r11, 0x0(r10)
4616: 2a53 incd r10
4618: 3853 add #-0x1, r8
461a: fb23 jnz #0x4612 <memset+0x4a>
461c: 0c5c add r12, r12
461e: 0c59 add r9, r12
4620: 1df3 and #0x1, r13
4622: 0224 jz #0x4628 <memset+0x60>
4624: cc4e 0000 mov.b r14, 0x0(r12)
4628: 3841 pop r8
462a: 3941 pop r9
462c: 3a41 pop r10
462e: 3b41 pop r11
4630: 3041 ret
4632 <_unexpected_>
4632: 0013 reti pc
4634 <__data_start+0x2234>
4634 .strings:
4634: "Welcome to the test program loader."
4658: "Enabling hardened mode"
466f: "Verifying 0x7f interrupt disabled"
4691: "0x7f interrupt disabled, key stored in internal SRAM"
46c6: "unlock by providing the 16 byte key to 0x41 interrupt"
46fc: "Internal SRAM Hash:"
4710: "0123456789ABCDEF"
4722: "Please enter debug payload."
473e: "Invalid payload length"
4755: "Executing debug payload"
Prereqs: "Vancouver"
Name: "Halifax"
Text:
Lockitall LOCKIT 2 r A.01
______________________________________________________________________
User Manual: Lockitall LockIT 2, rev a.01
______________________________________________________________________
OVERVIEW
- This new lock adds a hardened mode and disables the 0x7f
interrupt.
DETAILS
An example in-field debug payload follows. Any payload is
allowed, because the unlock key must be passed to the new
interrupt with code 0x41, and this key is only stored in
secure memory.
8000023041
This is Hardware Version 4.
This is Software Revision 2.
(c) 2022 LOCKITALL Page 1/1
X:181
Y:288
Rating:20
Patch:""