MicroCorruption/23-St. John's/stjohns.txt

Hex:
:10 4400 00 55425C0135D0085A8245602831400044 4D
:10 4410 00 3F4060000F930824924260285C012F83 84
:10 4420 00 9F4F28470024F8233F4000040F930724 A0
:10 4430 00 924260285C011F83CF436024F9233150 EE
:10 4440 00 C0FF3F404046B012A4453F406646B012 10
:10 4450 00 A4453D4000040E433F406024B012D445 C3
:10 4460 00 3E40FF033F406024B01286455B426024 1B
:10 4470 00 8B105F4261240BDF5A4263240B930334 99
:10 4480 00 3B9001F005283F408246B012A445DD3F 35
:10 4490 00 1BB305243F40B646B012A445D63F0F4A 91
:10 44A0 00 3F50FAFF3F90BB0305283F40CD46B012 76
:10 44B0 00 A445CB3F3D4040000E4A3E5060240F41 92
:10 44C0 00 B012C2450C410D4A3E4060243F404024 9A
:10 44D0 00 B01252451F9305243F40E446B012A445 54
:10 44E0 00 B43F3F400447B012A4450D4A3E406424 07
:10 44F0 00 0F4BB012C2458B12A83F32D0F000FD3F E7
:10 4500 00 30403E461F41020002124F4F8F103FD0 F5
:10 4510 00 0080024FB0121000324130410D120E12 D5
:10 4520 00 0F1230123000B0120445315230410D12 DA
:10 4530 00 0E120F1230123100B012044531523041 C8
:10 4540 00 0D120E120F1230123200B01204453152 09
:10 4550 00 30410B1204120441245221838443FAFF 98
:10 4560 00 3B40FAFF0B540B120C120D120E120F12 DD
:10 4570 00 30123300B01204451F44FAFF31500E00 D0
:10 4580 00 34413B4130410E120F122312B0120445 48
:10 4590 00 3150060030418F110F120312B0120445 42
:10 45A0 00 215230410B120B4F033C1B53B0129645 66
:10 45B0 00 6F4B4F93FA237F400A00B01296453B41 60
:10 45C0 00 30410C4F043CFC4E00001C533D530D93 F6
:10 45D0 00 FA2330410B120A12091208123D900600 0C
:10 45E0 00 092C0C4F043CCC4E00001C533D530D93 42
:10 45F0 00 FA23203C4E4E4B4E0B9303240C4B8C10 55
:10 4600 00 0BDC1FB306243D53CF4E0000094F1953 56
:10 4610 00 013C094F0C4D12C30C100A49084C8A4B 3F
:10 4620 00 00002A533853FB230C5C0C591DF30224 61
:10 4630 00 CC4E0000384139413A413B4130410013 F2
:10 4640 00 57656C636F6D6520746F207468652073 A7
:10 4650 00 65637572652070726F6772616D206C6F 33
:10 4660 00 616465722E00506C6561736520656E74 BF
:10 4670 00 6572206465627567207061796C6F6164 32
:10 4680 00 2E004C6F61642061646472657373206F E7
:10 4690 00 75747369646520616C6C6F7765642072 F2
:10 46A0 00 616E6765206F66203078383030302D30 8D
:10 46B0 00 7846303030004C6F6164206164647265 0C
:10 46C0 00 737320756E616C69676E656400496E76 00
:10 46D0 00 616C6964207061796C6F6164206C656E D7
:10 46E0 00 67746800496E636F7272656374207369 E2
:10 46F0 00 676E61747572652C20636F6E74696E75 78
:10 4700 00 696E67005369676E6174757265207661 C2
:10 4710 00 6C69642C20657865637574696E672070 B8
:08 4720 00 61796C6F61640000 17
Strings:
:10 4728 00 70C3679B43365CA01131991CC462135B 4C
:10 4738 00 ECAE7DF973D62B163C05C679746CE52F 63
:10 4748 00 08218D19996D174F147F157B9F2C8011 A7
:10 4758 00 4AB3D2D12532D2EAB925616146A815BE 3D
:10 4768 00 08218D19996D174F147F157B9F2C8011 87
:10 4778 00 4AB3D2D12532D2EAB925616146A815BE 1D
Exception_Vectors:
:10 FF80 00 00450045004500450045004500450045 49
:10 FF90 00 00450045004500450045004500450044 3A
Start:
:04 0000 03 00004400 B5
What: ; does this do?
:00 0000 01 FF
Obj:
0010 <__trap_interrupt>
; Target of the `call #0x10` in INT (0x4514). Only a ret is visible here;
; whatever the emulator does when this address is reached is not part of
; the dumped code.
0010: 3041 ret
4400 <__watchdog_support>
; Reset entry (the Start: record points at 0x4400). Reads the byte at
; 0x015c (per the label, a watchdog control register), ORs in 0x5a08 and
; keeps the resulting word at 0x2860; the runtime loops below write it
; back to 0x015c on every iteration.
4400: 5542 5c01 mov.b &0x015c, r5
4404: 35d0 085a bis #0x5a08, r5
4408: 8245 6028 mov r5, &0x2860
440c <__init_stack>
; Initial stack pointer is 0x4400 (the disassembler resolved the constant
; to the symbol at that address); the stack grows downward from there.
440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
4410 <__do_copy_data>
;* for (i = 0x60; i != 0; ) { i -= 2; *(u16 *)(0x2400 + i) = *(u16 *)(0x4728 + i); }
; Word copy of the 0x60-byte "Strings:" record block (0x4728..0x4787) into
; RAM at 0x2400..0x245f. The ed25519 public key that main passes at 0x2440
; is the slice of this copy that originates at 0x4768. The saved watchdog
; word is rewritten to 0x015c on each iteration.
4410: 3f40 6000 mov #0x60, r15
4414: 0f93 tst r15
4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
4418: 9242 6028 5c01 mov &0x2860, &0x015c
441e: 2f83 decd r15
4420: 9f4f 2847 0024 mov 0x4728(r15), 0x2400(r15)
4426: f823 jnz #0x4418 <__do_copy_data+0x8>
4428 <__do_clear_bss>
;* for (i = 0x400; i != 0; ) { i -= 1; *(u8 *)(0x2460 + i) = 0; }
; Byte-wise zeroing of 0x2460..0x285f, the 0x400-byte buffer main later
; reads the payload record into (main also memsets it on every loop).
4428: 3f40 0004 mov #0x400, r15
442c: 0f93 tst r15
442e: 0724 jz #0x443e <main+0x0>
4430: 9242 6028 5c01 mov &0x2860, &0x015c
4436: 1f83 dec r15
4438: cf43 6024 mov.b #0x0, 0x2460(r15)
443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
443e <main>
; Reads a "debug payload" record into a fixed RAM buffer, validates its
; load address and length byte, verifies an ed25519 signature over the
; record, copies the body to the load address and calls it. Never
; returns: every error path jumps back to the prompt at 0x444a.
;? char sig_buf[64]; // >=> sp
443e: 3150 c0ff add #0xffc0, sp
;* puts ("Welcome to the secure program loader.");
4442: 3f40 4046 mov #0x4640 "Welcome to the secure program loader." r15
4446: b012 a445 call #0x45a4 <puts>
;* while (1)
continue:
;* puts ("Please enter debug payload.");
444a: 3f40 6646 mov #0x4666 "Please enter debug payload." r15
444e: b012 a445 call #0x45a4 <puts>
;? u8 buf[0x400]; // >=> 0x2460
;* memset (buf, 0, 0x400);
4452: 3d40 0004 mov #0x400, r13
4456: 0e43 clr r14
4458: 3f40 6024 mov #0x2460, r15
445c: b012 d445 call #0x45d4 <memset>
;* getsn(buf, 0x3ff);
;! At most 0x3ff bytes go into the 0x400-byte buffer, so the read itself
;! cannot overrun buf; the last byte keeps the zero from memset.
4460: 3e40 ff03 mov #0x3ff, r14
4464: 3f40 6024 mov #0x2460, r15
4468: b012 8645 call #0x4586 <getsn>
;* void * loadaddr /* r11 */ = (buf[0] << 8) + (buf[1]);
446c: 5b42 6024 mov.b &0x2460, r11
4470: 8b10 swpb r11
4472: 5f42 6124 mov.b &0x2461, r15
4476: 0bdf bis r15, r11
;! byte index 0x2 goes unused!
;*size_t len = buf[3];
;! Loaded with mov.b, so len is a zero-extended byte: 0..0xff.
4478: 5a42 6324 mov.b &0x2463, r10
;*if (0x8000 > loadaddr || loadaddr >= 0xf001)
;! tst/jge rejects any address whose sign bit is clear (< 0x8000);
;! cmp/jnc is an unsigned compare rejecting anything >= 0xf001.
447c: 0b93 tst r11
447e: 0334 jge #0x4486 <main+0x48>
4480: 3b90 01f0 cmp #0xf001, r11
4484: 0528 jnc #0x4490 <main+0x52>
;* puts ("Load address outside allowed range of 0x8000-0xF000");
4486: 3f40 8246 mov #0x4682 "Load address outside allowed range of 0x8000-0xF000" r15
448a: b012 a445 call #0x45a4 <puts>
;* continue;
448e: dd3f jmp #0x444a <main+0xc>
;* if (loadaddr & 1)
4490: 1bb3 bit #0x1, r11
4492: 0524 jz #0x449e <main+0x60>
;* puts ("Load address unaligned");
4494: 3f40 b646 mov #0x46b6 "Load address unaligned" r15
4498: b012 a445 call #0x45a4 <puts>
;* continue;
449c: d63f jmp #0x444a <main+0xc>
;* if ((u16)(len - 6) >= 0x3bb)
;! Unsigned compare on a 16-bit register (jnc takes the valid path only
;! when r15 < 0x3bb). For len < 6 the subtraction wraps to >= 0xfffa and
;! the record is rejected; for len >= 6 the value is at most 0xf9, which
;! is always below 0x3bb. The effective rule is therefore just len >= 6,
;! i.e. at least 2 bytes past the 4-byte header.
449e: 0f4a mov r10, r15
44a0: 3f50 faff add #0xfffa, r15
44a4: 3f90 bb03 cmp #0x3bb, r15
44a8: 0528 jnc #0x44b4 <main+0x76>
;* puts ("Invalid payload length");
44aa: 3f40 cd46 mov #0x46cd "Invalid payload length" r15
44ae: b012 a445 call #0x45a4 <puts>
;* continue;
44b2: cb3f jmp #0x444a <main+0xc>
;* memcpy (sig_buf, buf+len, 0x40)
;! Fixed 0x40-byte copy into the 0x40-byte stack buffer, so this copy
;! cannot overflow sig_buf; the source buf[len..len+0x40) ends at most at
;! buf+0x13f, inside the 0x400-byte buffer.
44b4: 3d40 4000 mov #0x40, r13
44b8: 0e4a mov r10, r14
44ba: 3e50 6024 add #0x2460, r14
44be: 0f41 mov sp, r15
44c0: b012 c245 call #0x45c2 <memcpy>
;* verify_ed25519 (ed25519_pubkey /*0x2440*/, buf /*0x2460*/, size /*r10*/, sig_buf /*sp*/);
;! The signed message is buf[0..len), which includes the 4-byte header
;! (load address, unused byte, length). 0x2440 is RAM that __do_copy_data
;! filled from the ROM records at 0x4768.
44c4: 0c41 mov sp, r12
44c6: 0d4a mov r10, r13
44c8: 3e40 6024 mov #0x2460, r14
44cc: 3f40 4024 mov #0x2440, r15
44d0: b012 5245 call #0x4552 <verify_ed25519>
;* if (result != 0x1)
;! Only the exact value 1 is accepted; verify_ed25519 pre-zeroes its
;! result word, so a handler that writes nothing fails closed.
44d4: 1f93 cmp #0x1, r15
44d6: 0524 jeq #0x44e2 <main+0xa4>
;* puts ("Incorrect signature, continuing");
44d8: 3f40 e446 mov #0x46e4 "Incorrect signature, continuing" r15
44dc: b012 a445 call #0x45a4 <puts>
;* continue;
44e0: b43f jmp #0x444a <main+0xc>
;* puts ("Signature valid, executing payload");
44e2: 3f40 0447 mov #0x4704 "Signature valid, executing payload" r15
44e6: b012 a445 call #0x45a4 <puts>
;* memcpy ( loadaddr /*dest*/, buf + 0x4 /*src*/, len /*size*/);
;! The copied span buf[4..len+4) is offset 4 bytes from the verified span
;! buf[0..len): the header is verified but not copied, and the last 4
;! copied bytes, buf[len..len+4) (the start of the signature), lie outside
;! the signed message. With loadaddr <= 0xf000 and len <= 0xff the copy
;! ends below 0xf100.
44ea: 0d4a mov r10, r13
44ec: 3e40 6424 mov #0x2464, r14
44f0: 0f4b mov r11, r15
44f2: b012 c245 call #0x45c2 <memcpy>
;* payload ();
;! Indirect call into the memory just written; the loop resumes only if
;! the payload returns.
44f6: 8b12 call r11
;* continue;
44f8: a83f jmp #0x444a <main+0xc>
44fa <__stop_progExec__>
; Halt: sets the 0xf0 bits of the status register (the low-power /
; CPU-off bits) and spins on itself.
44fa: 32d0 f000 bis #0xf0, sr
44fe: fd3f jmp #0x44fa <__stop_progExec__+0x0>
4500 <__ctors_end>
; Falls into the unexpected-interrupt handler (a bare reti).
4500: 3040 3e46 br #0x463e <_unexpected_>
4504 <INT>
; Common software-interrupt trampoline. 0x2(sp) is the word the caller
; pushed last, i.e. the interrupt number; its low byte is placed in the
; high byte of sr together with bit 0x8000, then the trap at 0x10 is
; called. sr is saved and restored around the call.
4504: 1f41 0200 mov 0x2(sp), r15
4508: 0212 push sr
450a: 4f4f mov.b r15, r15
450c: 8f10 swpb r15
450e: 3fd0 0080 bis #0x8000, r15
4512: 024f mov r15, sr
4514: b012 1000 call #0x10
4518: 3241 pop sr
451a: 3041 ret
451c <sha1>
; Software interrupt 0x30 with r13, r14, r15 pushed as arguments;
; the four pushed words are dropped afterwards. Not called by main.
451c: 0d12 push r13
451e: 0e12 push r14
4520: 0f12 push r15
4522: 3012 3000 push #0x30
4526: b012 0445 call #0x4504 <INT>
452a: 3152 add #0x8, sp
452c: 3041 ret
452e <sha256>
; Software interrupt 0x31 with r13, r14, r15 pushed as arguments;
; same shape as sha1. Not called by main.
452e: 0d12 push r13
4530: 0e12 push r14
4532: 0f12 push r15
4534: 3012 3100 push #0x31
4538: b012 0445 call #0x4504 <INT>
453c: 3152 add #0x8, sp
453e: 3041 ret
4540 <sha512>
; Software interrupt 0x32 with r13, r14, r15 pushed as arguments;
; same shape as sha1. Not called by main.
4540: 0d12 push r13
4542: 0e12 push r14
4544: 0f12 push r15
4546: 3012 3200 push #0x32
454a: b012 0445 call #0x4504 <INT>
454e: 3152 add #0x8, sp
4550: 3041 ret
4552 <verify_ed25519>
;* int verify_ed25519 (pubkey /*r15*/, msg /*r14*/, len /*r13*/, sig /*r12*/)
; Wrapper around software interrupt 0x33. r4 is set to sp+4 (the slot of
; the return address); one word is reserved at -0x6(r4), zeroed, and its
; address is pushed as a fifth argument ahead of r12..r15 -- presumably the
; interrupt writes its verdict there. That word is returned in r15; main
; accepts only the exact value 1.
4552: 0b12 push r11
4554: 0412 push r4
4556: 0441 mov sp, r4
4558: 2452 add #0x4, r4
455a: 2183 decd sp
;! result word pre-set to 0, so an interrupt that writes nothing reads
;! back as "not verified".
455c: 8443 faff clr -0x6(r4)
4560: 3b40 faff mov #0xfffa, r11
4564: 0b54 add r4, r11
4566: 0b12 push r11
4568: 0c12 push r12
456a: 0d12 push r13
456c: 0e12 push r14
456e: 0f12 push r15
4570: 3012 3300 push #0x33
4574: b012 0445 call #0x4504 <INT>
4578: 1f44 faff mov -0x6(r4), r15
; drop the 6 pushed argument words plus the 1-word local (7 * 2 = 0xe)
457c: 3150 0e00 add #0xe, sp
4580: 3441 pop r4
4582: 3b41 pop r11
4584: 3041 ret
4586 <getsn>
;* getsn (buf /*r15*/, max /*r14*/)
; Software interrupt 0x2 with the two register arguments pushed; the
; handler that fills the buffer is not visible in this listing.
4586: 0e12 push r14
4588: 0f12 push r15
458a: 2312 push #0x2
458c: b012 0445 call #0x4504 <INT>
4590: 3150 0600 add #0x6, sp
4594: 3041 ret
4596 <putchar>
;* putchar (c /*r15*/)
; Sign-extends the byte in r15 and issues software interrupt 0x0 with it.
4596: 8f11 sxt r15
4598: 0f12 push r15
459a: 0312 push #0x0
459c: b012 0445 call #0x4504 <INT>
45a0: 2152 add #0x4, sp
45a2: 3041 ret
45a4 <puts>
;* puts (s /*r15*/): putchar each byte up to the NUL, then putchar('\n')
; r11 is the cursor (saved and restored); the loop is entered at the
; byte test at 0x45b0.
45a4: 0b12 push r11
45a6: 0b4f mov r15, r11
45a8: 033c jmp #0x45b0 <puts+0xc>
45aa: 1b53 inc r11
45ac: b012 9645 call #0x4596 <putchar>
45b0: 6f4b mov.b @r11, r15
45b2: 4f93 tst.b r15
45b4: fa23 jnz #0x45aa <puts+0x6>
45b6: 7f40 0a00 mov.b #0xa, r15
45ba: b012 9645 call #0x4596 <putchar>
45be: 3b41 pop r11
45c0: 3041 ret
45c2 <memcpy>
;* memcpy (dst /*r15*/, src /*r14*/, n /*r13*/)
; Plain byte loop; n == 0 copies nothing. There is no bound other than n,
; so each caller must guarantee dst has n bytes (main passes the length
; byte taken from the input record here).
45c2: 0c4f mov r15, r12
45c4: 043c jmp #0x45ce <memcpy+0xc>
45c6: fc4e 0000 mov.b @r14+, 0x0(r12)
45ca: 1c53 inc r12
45cc: 3d53 add #-0x1, r13
45ce: 0d93 tst r13
45d0: fa23 jnz #0x45c6 <memcpy+0x4>
45d2: 3041 ret
45d4 <memset>
;* memset (dst /*r15*/, c /*r14*/, n /*r13*/)
; n < 6: simple byte loop (0x45e2..0x45f0). Otherwise: widen c to a word
; (c | c << 8), write one byte if dst is odd, fill n/2 words, then write
; the last byte if n is odd.
45d4: 0b12 push r11
45d6: 0a12 push r10
45d8: 0912 push r9
45da: 0812 push r8
; jc = unsigned n >= 6 takes the word-fill path
45dc: 3d90 0600 cmp #0x6, r13
45e0: 092c jc #0x45f4 <memset+0x20>
45e2: 0c4f mov r15, r12
45e4: 043c jmp #0x45ee <memset+0x1a>
45e6: cc4e 0000 mov.b r14, 0x0(r12)
45ea: 1c53 inc r12
45ec: 3d53 add #-0x1, r13
45ee: 0d93 tst r13
45f0: fa23 jnz #0x45e6 <memset+0x12>
45f2: 203c jmp #0x4634 <memset+0x60>
; r11 = (c & 0xff) replicated into both bytes (skipped when c == 0)
45f4: 4e4e mov.b r14, r14
45f6: 4b4e mov.b r14, r11
45f8: 0b93 tst r11
45fa: 0324 jz #0x4602 <memset+0x2e>
45fc: 0c4b mov r11, r12
45fe: 8c10 swpb r12
4600: 0bdc bis r12, r11
; align: odd dst gets one byte first, r9 = aligned start
4602: 1fb3 bit #0x1, r15
4604: 0624 jz #0x4612 <memset+0x3e>
4606: 3d53 add #-0x1, r13
4608: cf4e 0000 mov.b r14, 0x0(r15)
460c: 094f mov r15, r9
460e: 1953 inc r9
4610: 013c jmp #0x4614 <memset+0x40>
4612: 094f mov r15, r9
; r12 = n / 2 word count (clrc + rrc), r8 counts down, r10 walks
4614: 0c4d mov r13, r12
4616: 12c3 clrc
4618: 0c10 rrc r12
461a: 0a49 mov r9, r10
461c: 084c mov r12, r8
461e: 8a4b 0000 mov r11, 0x0(r10)
4622: 2a53 incd r10
4624: 3853 add #-0x1, r8
4626: fb23 jnz #0x461e <memset+0x4a>
; trailing byte when n is odd: r12 = start + 2 * (n / 2)
4628: 0c5c add r12, r12
462a: 0c59 add r9, r12
462c: 1df3 and #0x1, r13
462e: 0224 jz #0x4634 <memset+0x60>
4630: cc4e 0000 mov.b r14, 0x0(r12)
4634: 3841 pop r8
4636: 3941 pop r9
4638: 3a41 pop r10
463a: 3b41 pop r11
463c: 3041 ret
463e <_unexpected_>
; Handler for unexpected interrupts: return from interrupt immediately.
463e: 0013 reti pc
4640 .strings:
4640: "Welcome to the secure program loader."
4666: "Please enter debug payload."
4682: "Load address outside allowed range of 0x8000-0xF000"
46b6: "Load address unaligned"
46cd: "Invalid payload length"
46e4: "Incorrect signature, continuing"
4704: "Signature valid, executing payload"
Prereqs:"Churchill"
Name:"St. John's"
Text: """
Lockitall LOCKIT 2 r A.01
______________________________________________________________________
User Manual: Lockitall LockIT 2, rev a.01
______________________________________________________________________
OVERVIEW
- The firmware has been updated to resolve a vulnerability.
DETAILS
The LockIT 2 A.01 is the second of a new series of locks. It is
controlled by a MSP430 microcontroller. The MSP430 is a very low-
power device, chosen because we found several crates of old stock.
This lock only accepts biometric and NFC inputs, and does not have
a traditional password prompt.
To support rapid development cycles this lock accepts a program
from the old password input prompt.
800000063041f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0d
e53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff
35ce9708
This is Hardware Version Beta.
This is Software Revision 04.
(c) 2021 LOCKITALL Page 1/1
"""
X:170
Y:325
Rating:20
Patch:""