diff --git a/23-St. John's/notes.md b/23-St. John's/notes.md
new file mode 100644
index 0000000..142c9d4
--- /dev/null
+++ b/23-St. John's/notes.md
@@ -0,0 +1,40 @@
+# St. John's
+
+## Sample payload
+
+ ```
+800000063041f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0de53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff35ce9708
+ ```
+Loadaddr | N/A | Length | Bin | Signature
+---------|-----|--------|-----------|----------
+8000 | 00 | 06 | 3041 | f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0de53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff35ce9708
+
+
+
+
+## BSS
+### ed25519 public key
+#### ?!?!?!? WHY IS THIS HERE
+70c3 679b 4336 5ca0 1131 991c c462 135b
+ecae 7df9 73d6 2b16 3c05 c679 746c e52f
+
+### ed25519 private key
+0821 8d19 996d 174f 147f 157b 9f2c 8011
+4ab3 d2d1 2532 d2ea b925 6161 46a8 15be
+
+0821 8d19 996d 174f 147f 157b 9f2c 8011
+4ab3 d2d1 2532 d2ea b925 6161 46a8 15be
+
+
+## Second verse, same as the first.
+Thanks to [cyphr.me](https://cyphr.me/ed25519_applet/ed.html) for already implementing ed25519.
+
+Loadaddr | N/A | Length | Bin | Signature
+---------|-----|--------|------------------|----------
+8000 | 00 | 0c | 324000ffb0121000 | 483249ADDE744F491DAED26FFC723E08257D2B210A20177B1556C8F04D0D80B861453D737ED08AE10165CDF40B37DA23967A266F605ECFA9490B9C664682EC0B
+
+
+8000 00 0c 324000ffb0121000 483249ADDE744F491DAED26FFC723E08257D2B210A20177B1556C8F04D0D80B861453D737ED08AE10165CDF40B37DA23967A266F605ECFA9490B9C664682EC0B
+
+# SOLVED
+The CPU completed in 21663 cycles.
diff --git a/23-St. John's/stjohns-crack.py b/23-St. John's/stjohns-crack.py
new file mode 100644
index 0000000..620bc59
--- /dev/null
+++ b/23-St. John's/stjohns-crack.py
@@ -0,0 +1 @@
+import nacl.public
diff --git a/23-St. John's/stjohns.c b/23-St. John's/stjohns.c
new file mode 100644
index 0000000..ce8effb
--- /dev/null
+++ b/23-St. John's/stjohns.c
@@ -0,0 +1,53 @@
+
+// uC includes
+#include "../common/io.c"
+#include "../common/lib.c"
+
+typedef unsigned char u8;
+typedef unsigned short u16;
+
+int main () {
+ u8 *ed25519_pubkey = (mem + 0x2440);
+ u8 *buf = (mem + 0x2460); // >=> 0x2460
+
+ u8 sig_buf[64]; // >=> sp
+
+ puts ("Welcome to the secure program loader.");
+
+ while (1) {
+ u16 loadaddr; // >=> r11
+ u8 len; // >=> r10
+ puts ("Please enter debug payload.");
+
+ memset (buf, 0, 0x400);
+ getsn (buf, 0x3ff);
+
+ loadaddr = (buf[0] << 8) + (buf[1]);
+ len = buf[3];
+
+ if (0x8000 > loadaddr || loadaddr >= 0xf001) {
+ puts ("Load address outside allowed range of 0x8000-0xF000");
+ continue;
+ }
+ if (loadaddr & 1) {
+ puts ("Load address unaligned");
+ continue;
+ }
+ if (len - 6 > 0x3bb) {
+ puts ("Invalid payload length");
+ continue;
+ }
+
+ u8 *signature = buf + len;
+ memcpy (sig_buf, buf + len, 0x40);
+
+ if (verify_ed25519 (ed25519_pubkey, buf, len, sig_buf) != 0x1) {
+ puts ("Incorrect signature, continuing");
+ continue;
+ }
+
+ puts ("Signature valid, executing payload");
+ printf ("LA:%p, BF:%p, LEN:%x\n", mem + loadaddr, buf, len);
+ memcpy (mem + loadaddr, buf + 0x4, len);
+ }
+}
diff --git a/23-St. John's/stjohns.txt b/23-St. John's/stjohns.txt
new file mode 100644
index 0000000..f573833
--- /dev/null
+++ b/23-St. John's/stjohns.txt
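Review bot: The length check `if (len - 6 > 0x3bb)` does not reproduce the firmware it reconstructs: with `len` declared `u8`, `len - 6` is evaluated as a signed `int`, so values below 6 go negative and pass, and the condition is never true for any byte value, whereas the disassembly at 449e–44a8 does the subtraction in 16-bit unsigned arithmetic (`add #0xfffa, r15` / `cmp #0x3bb, r15` / `jnc`), which rejects `len < 6` and makes the upper bound inclusive. A faithful rewrite is `if ((u16)(len - 6) >= 0x3bb) {`. The loop body also ends at the `memcpy` into `mem + loadaddr`, while the disassembly continues with `call r11` at 44f6 (annotated `;* payload ();`), so a comment such as `// firmware follows this copy with call r11 (0x44f6): the verified payload is executed at loadaddr` would keep the reconstruction honest about what the copy leads to. `u8 *signature = buf + len;` is assigned but never read and can be dropped.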
@@ -0,0 +1,386 @@ +Hex: +:10 4400 00 55425C0135D0085A8245602831400044 4D +:10 4410 00 3F4060000F930824924260285C012F83 84 +:10 4420 00 9F4F28470024F8233F4000040F930724 A0 +:10 4430 00 924260285C011F83CF436024F9233150 EE +:10 4440 00 C0FF3F404046B012A4453F406646B012 10 +:10 4450 00 A4453D4000040E433F406024B012D445 C3 +:10 4460 00 3E40FF033F406024B01286455B426024 1B +:10 4470 00 8B105F4261240BDF5A4263240B930334 99 +:10 4480 00 3B9001F005283F408246B012A445DD3F 35 +:10 4490 00 1BB305243F40B646B012A445D63F0F4A 91 +:10 44A0 00 3F50FAFF3F90BB0305283F40CD46B012 76 +:10 44B0 00 A445CB3F3D4040000E4A3E5060240F41 92 +:10 44C0 00 B012C2450C410D4A3E4060243F404024 9A +:10 44D0 00 B01252451F9305243F40E446B012A445 54 +:10 44E0 00 B43F3F400447B012A4450D4A3E406424 07 +:10 44F0 00 0F4BB012C2458B12A83F32D0F000FD3F E7 +:10 4500 00 30403E461F41020002124F4F8F103FD0 F5 +:10 4510 00 0080024FB0121000324130410D120E12 D5 +:10 4520 00 0F1230123000B0120445315230410D12 DA +:10 4530 00 0E120F1230123100B012044531523041 C8 +:10 4540 00 0D120E120F1230123200B01204453152 09 +:10 4550 00 30410B1204120441245221838443FAFF 98 +:10 4560 00 3B40FAFF0B540B120C120D120E120F12 DD +:10 4570 00 30123300B01204451F44FAFF31500E00 D0 +:10 4580 00 34413B4130410E120F122312B0120445 48 +:10 4590 00 3150060030418F110F120312B0120445 42 +:10 45A0 00 215230410B120B4F033C1B53B0129645 66 +:10 45B0 00 6F4B4F93FA237F400A00B01296453B41 60 +:10 45C0 00 30410C4F043CFC4E00001C533D530D93 F6 +:10 45D0 00 FA2330410B120A12091208123D900600 0C +:10 45E0 00 092C0C4F043CCC4E00001C533D530D93 42 +:10 45F0 00 FA23203C4E4E4B4E0B9303240C4B8C10 55 +:10 4600 00 0BDC1FB306243D53CF4E0000094F1953 56 +:10 4610 00 013C094F0C4D12C30C100A49084C8A4B 3F +:10 4620 00 00002A533853FB230C5C0C591DF30224 61 +:10 4630 00 CC4E0000384139413A413B4130410013 F2 +:10 4640 00 57656C636F6D6520746F207468652073 A7 +:10 4650 00 65637572652070726F6772616D206C6F 33 +:10 4660 00 616465722E00506C6561736520656E74 BF +:10 4670 00 6572206465627567207061796C6F6164 32 +:10 4680 00 
2E004C6F61642061646472657373206F E7 +:10 4690 00 75747369646520616C6C6F7765642072 F2 +:10 46A0 00 616E6765206F66203078383030302D30 8D +:10 46B0 00 7846303030004C6F6164206164647265 0C +:10 46C0 00 737320756E616C69676E656400496E76 00 +:10 46D0 00 616C6964207061796C6F6164206C656E D7 +:10 46E0 00 67746800496E636F7272656374207369 E2 +:10 46F0 00 676E61747572652C20636F6E74696E75 78 +:10 4700 00 696E67005369676E6174757265207661 C2 +:10 4710 00 6C69642C20657865637574696E672070 B8 +:08 4720 00 61796C6F61640000 17 +Strings: +:10 4728 00 70C3679B43365CA01131991CC462135B 4C +:10 4738 00 ECAE7DF973D62B163C05C679746CE52F 63 +:10 4748 00 08218D19996D174F147F157B9F2C8011 A7 +:10 4758 00 4AB3D2D12532D2EAB925616146A815BE 3D +:10 4768 00 08218D19996D174F147F157B9F2C8011 87 +:10 4778 00 4AB3D2D12532D2EAB925616146A815BE 1D +Exception_Vectors: +:10 FF80 00 00450045004500450045004500450045 49 +:10 FF90 00 00450045004500450045004500450044 3A +Start: +:04 0000 03 00004400 B5 +What: ; does this do? +:00 0000 01 FF + +Obj: +0010 <__trap_interrupt> +0010: 3041 ret +4400 <__watchdog_support> +4400: 5542 5c01 mov.b &0x015c, r5 +4404: 35d0 085a bis #0x5a08, r5 +4408: 8245 6028 mov r5, &0x2860 +440c <__init_stack> +440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp +4410 <__do_copy_data> +4410: 3f40 6000 mov #0x60, r15 +4414: 0f93 tst r15 +4416: 0824 jz #0x4428 <__do_clear_bss+0x0> +4418: 9242 6028 5c01 mov &0x2860, &0x015c +441e: 2f83 decd r15 +4420: 9f4f 2847 0024 mov 0x4728(r15), 0x2400(r15) +4426: f823 jnz #0x4418 <__do_copy_data+0x8> +4428 <__do_clear_bss> +4428: 3f40 0004 mov #0x400, r15 +442c: 0f93 tst r15 +442e: 0724 jz #0x443e +4430: 9242 6028 5c01 mov &0x2860, &0x015c +4436: 1f83 dec r15 +4438: cf43 6024 mov.b #0x0, 0x2460(r15) +443c: f923 jnz #0x4430 <__do_clear_bss+0x8> + + +443e
+;? char sig_buf[64]; // >=> sp +443e: 3150 c0ff add #0xffc0, sp +;* puts ("Welcome to the secure program loader."); +4442: 3f40 4046 mov #0x4640 "Welcome to the secure program loader." r15 +4446: b012 a445 call #0x45a4 +;* while (1) +continue: +;* puts ("Please enter debug payload."); +444a: 3f40 6646 mov #0x4666 "Please enter debug payload." r15 +444e: b012 a445 call #0x45a4 +;? u8 buf[0x400]; // >=> 0x2460 +;* memset (buf, 0, 0x400); +4452: 3d40 0004 mov #0x400, r13 +4456: 0e43 clr r14 +4458: 3f40 6024 mov #0x2460, r15 +445c: b012 d445 call #0x45d4 +;* getsn(buf, 0x3ff); +4460: 3e40 ff03 mov #0x3ff, r14 +4464: 3f40 6024 mov #0x2460, r15 +4468: b012 8645 call #0x4586 +;* void * loadaddr /* r11 */ = (buf[0] << 8) + (buf[1]); +446c: 5b42 6024 mov.b &0x2460, r11 +4470: 8b10 swpb r11 +4472: 5f42 6124 mov.b &0x2461, r15 +4476: 0bdf bis r15, r11 +;! byte index 0x2 goes unused! +;*size_t len = buf[3]; +4478: 5a42 6324 mov.b &0x2463, r10 +;*if (0x8000 > loadaddr || loadaddr >= 0xf001) +447c: 0b93 tst r11 +447e: 0334 jge #0x4486 +4480: 3b90 01f0 cmp #0xf001, r11 +4484: 0528 jnc #0x4490 +;* puts ("Load address outside allowed range of 0x8000-0xF000"); +4486: 3f40 8246 mov #0x4682 "Load address outside allowed range of 0x8000-0xF000" r15 +448a: b012 a445 call #0x45a4 +;* continue; +448e: dd3f jmp #0x444a +;* if (loadaddr & 1) +4490: 1bb3 bit #0x1, r11 +4492: 0524 jz #0x449e +;* puts ("Load address unaligned"); +4494: 3f40 b646 mov #0x46b6 "Load address unaligned" r15 +4498: b012 a445 call #0x45a4 +;* continue; +449c: d63f jmp #0x444a +;* if (len - 6 > 0x3bb) +449e: 0f4a mov r10, r15 +44a0: 3f50 faff add #0xfffa, r15 +44a4: 3f90 bb03 cmp #0x3bb, r15 +44a8: 0528 jnc #0x44b4 +;* puts ("Invalid payload length"); +44aa: 3f40 cd46 mov #0x46cd "Invalid payload length" r15 +44ae: b012 a445 call #0x45a4 +;* continue; +44b2: cb3f jmp #0x444a +;* memcpy (sig_buf, buf+len, 0x40) +44b4: 3d40 4000 mov #0x40, r13 +44b8: 0e4a mov r10, r14 +44ba: 3e50 6024 add #0x2460, r14 +44be: 0f41 mov 
sp, r15 +44c0: b012 c245 call #0x45c2 +;* verify_ed25519 (ed25519_pubkey /*0x2440*/, buf /*0x2460*/, size /*r10*/, sig_buf /*sp*/); +44c4: 0c41 mov sp, r12 +44c6: 0d4a mov r10, r13 +44c8: 3e40 6024 mov #0x2460, r14 +44cc: 3f40 4024 mov #0x2440, r15 +44d0: b012 5245 call #0x4552 +;* if (result != 0x1) +44d4: 1f93 cmp #0x1, r15 +44d6: 0524 jeq #0x44e2 +;* puts ("Incorrect signature, continuing"); +44d8: 3f40 e446 mov #0x46e4 "Incorrect signature, continuing" r15 +44dc: b012 a445 call #0x45a4 +;* continue; +44e0: b43f jmp #0x444a +;* puts ("Signature valid, executing payload"); +44e2: 3f40 0447 mov #0x4704 "Signature valid, executing payload" r15 +44e6: b012 a445 call #0x45a4 +;* memcpy ( loadaddr /*dest*/, buf + 0x4 /*src*/, len /*size*/); +44ea: 0d4a mov r10, r13 +44ec: 3e40 6424 mov #0x2464, r14 +44f0: 0f4b mov r11, r15 +44f2: b012 c245 call #0x45c2 +;* payload (); +44f6: 8b12 call r11 +;* continue; +44f8: a83f jmp #0x444a + + +44fa <__stop_progExec__> +44fa: 32d0 f000 bis #0xf0, sr +44fe: fd3f jmp #0x44fa <__stop_progExec__+0x0> +4500 <__ctors_end> +4500: 3040 3e46 br #0x463e <_unexpected_> +4504 +4504: 1f41 0200 mov 0x2(sp), r15 +4508: 0212 push sr +450a: 4f4f mov.b r15, r15 +450c: 8f10 swpb r15 +450e: 3fd0 0080 bis #0x8000, r15 +4512: 024f mov r15, sr +4514: b012 1000 call #0x10 +4518: 3241 pop sr +451a: 3041 ret +451c +451c: 0d12 push r13 +451e: 0e12 push r14 +4520: 0f12 push r15 +4522: 3012 3000 push #0x30 +4526: b012 0445 call #0x4504 +452a: 3152 add #0x8, sp +452c: 3041 ret +452e +452e: 0d12 push r13 +4530: 0e12 push r14 +4532: 0f12 push r15 +4534: 3012 3100 push #0x31 +4538: b012 0445 call #0x4504 +453c: 3152 add #0x8, sp +453e: 3041 ret +4540 +4540: 0d12 push r13 +4542: 0e12 push r14 +4544: 0f12 push r15 +4546: 3012 3200 push #0x32 +454a: b012 0445 call #0x4504 +454e: 3152 add #0x8, sp +4550: 3041 ret +4552 +4552: 0b12 push r11 +4554: 0412 push r4 +4556: 0441 mov sp, r4 +4558: 2452 add #0x4, r4 +455a: 2183 decd sp +455c: 8443 faff clr -0x6(r4) +4560: 3b40 
faff mov #0xfffa, r11 +4564: 0b54 add r4, r11 +4566: 0b12 push r11 +4568: 0c12 push r12 +456a: 0d12 push r13 +456c: 0e12 push r14 +456e: 0f12 push r15 +4570: 3012 3300 push #0x33 +4574: b012 0445 call #0x4504 +4578: 1f44 faff mov -0x6(r4), r15 +457c: 3150 0e00 add #0xe, sp +4580: 3441 pop r4 +4582: 3b41 pop r11 +4584: 3041 ret +4586 +4586: 0e12 push r14 +4588: 0f12 push r15 +458a: 2312 push #0x2 +458c: b012 0445 call #0x4504 +4590: 3150 0600 add #0x6, sp +4594: 3041 ret +4596 +4596: 8f11 sxt r15 +4598: 0f12 push r15 +459a: 0312 push #0x0 +459c: b012 0445 call #0x4504 +45a0: 2152 add #0x4, sp +45a2: 3041 ret +45a4 +45a4: 0b12 push r11 +45a6: 0b4f mov r15, r11 +45a8: 033c jmp #0x45b0 +45aa: 1b53 inc r11 +45ac: b012 9645 call #0x4596 +45b0: 6f4b mov.b @r11, r15 +45b2: 4f93 tst.b r15 +45b4: fa23 jnz #0x45aa +45b6: 7f40 0a00 mov.b #0xa, r15 +45ba: b012 9645 call #0x4596 +45be: 3b41 pop r11 +45c0: 3041 ret +45c2 +45c2: 0c4f mov r15, r12 +45c4: 043c jmp #0x45ce +45c6: fc4e 0000 mov.b @r14+, 0x0(r12) +45ca: 1c53 inc r12 +45cc: 3d53 add #-0x1, r13 +45ce: 0d93 tst r13 +45d0: fa23 jnz #0x45c6 +45d2: 3041 ret +45d4 +45d4: 0b12 push r11 +45d6: 0a12 push r10 +45d8: 0912 push r9 +45da: 0812 push r8 +45dc: 3d90 0600 cmp #0x6, r13 +45e0: 092c jc #0x45f4 +45e2: 0c4f mov r15, r12 +45e4: 043c jmp #0x45ee +45e6: cc4e 0000 mov.b r14, 0x0(r12) +45ea: 1c53 inc r12 +45ec: 3d53 add #-0x1, r13 +45ee: 0d93 tst r13 +45f0: fa23 jnz #0x45e6 +45f2: 203c jmp #0x4634 +45f4: 4e4e mov.b r14, r14 +45f6: 4b4e mov.b r14, r11 +45f8: 0b93 tst r11 +45fa: 0324 jz #0x4602 +45fc: 0c4b mov r11, r12 +45fe: 8c10 swpb r12 +4600: 0bdc bis r12, r11 +4602: 1fb3 bit #0x1, r15 +4604: 0624 jz #0x4612 +4606: 3d53 add #-0x1, r13 +4608: cf4e 0000 mov.b r14, 0x0(r15) +460c: 094f mov r15, r9 +460e: 1953 inc r9 +4610: 013c jmp #0x4614 +4612: 094f mov r15, r9 +4614: 0c4d mov r13, r12 +4616: 12c3 clrc +4618: 0c10 rrc r12 +461a: 0a49 mov r9, r10 +461c: 084c mov r12, r8 +461e: 8a4b 0000 mov r11, 0x0(r10) +4622: 2a53 incd r10 
+4624: 3853 add #-0x1, r8 +4626: fb23 jnz #0x461e +4628: 0c5c add r12, r12 +462a: 0c59 add r9, r12 +462c: 1df3 and #0x1, r13 +462e: 0224 jz #0x4634 +4630: cc4e 0000 mov.b r14, 0x0(r12) +4634: 3841 pop r8 +4636: 3941 pop r9 +4638: 3a41 pop r10 +463a: 3b41 pop r11 +463c: 3041 ret +463e <_unexpected_> +463e: 0013 reti pc +4640 .strings: +4640: "Welcome to the secure program loader." +4666: "Please enter debug payload." +4682: "Load address outside allowed range of 0x8000-0xF000" +46b6: "Load address unaligned" +46cd: "Invalid payload length" +46e4: "Incorrect signature, continuing" +4704: "Signature valid, executing payload" + + +Prereqs:"Churchill" +Name:"St. John's" +Text: """ +Lockitall LOCKIT 2 r A.01 +______________________________________________________________________ + +User Manual: Lockitall LockIT 2, rev a.01 +______________________________________________________________________ + + +OVERVIEW + +- The firmware has been updated to resolve a vulnerability. + + +DETAILS + +The LockIT 2 A.01 is the second of a new series of locks. It is +controlled by a MSP430 microcontroller. The MSP430 is a very low- +power device, chosen because we found several crates of old stock. + +This lock only accepts biometric and NFC inputs, and does not have +a traditional password prompt. + +To support rapid development cycles this lock accepts a program +from the old password input prompt. + +800000063041f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0d +e53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff +35ce9708 + +This is Hardware Version Beta. + +This is Software Revision 04. + + + +(c) 2021 LOCKITALL Page 1/1 +""" + +X:170 +Y:325 +Rating:20 +Patch:"" diff --git a/readme.md b/readme.md index 98a712a..5dade64 100644 --- a/readme.md +++ b/readme.md 
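Review bot: The `What: ; does this do?` note left above the record `:00 0000 01 FF` can be answered in the file rather than left open: in Intel HEX a record with zero data bytes and record type 01 is the end-of-file marker, and FF is its checksum (two's complement of 00+00+00+01). The preceding `:04 0000 03 00004400 B5` is likewise a type-03 start-segment-address record whose payload 0000:4400 matches the `__watchdog_support` entry the `Start:` label already points at. Suggested replacement for the comment: `What: ; Intel HEX end-of-file record (type 01, no data, checksum FF)`.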
@@ -38,5 +38,8 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som ### 2022 Dec 4 PM - 2022 Dec 11 PM: Cold Lake -### 2022 Dec 11 PM +### 2022 Dec 11 PM: Churchill + +### 2022 Dec 11 PM: + St. John's