Complete St. John's

Val 2022-12-11 23:15:23 -06:00
parent 3f09e719e3
commit 7ca5957c6d
5 changed files with 484 additions and 1 deletions

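--- a/23-St. John's/notes.md
+++ b/23-St. John's/notes.md
@@ -0,0 +1,40 @@
+# St. John's
+## Sample payload
+```
+800000063041f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0de53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff35ce9708
+```
+Loadaddr | N/A | Length | Bin | Signature
+---------|-----|--------|-----------|----------
+8000 | 00 | 06 | 3041 | f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0de53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff35ce9708
+## BSS
+### ed25519 public key
+#### ?!?!?!? WHY IS THIS HERE
+70c3 679b 4336 5ca0 1131 991c c462 135b
+ecae 7df9 73d6 2b16 3c05 c679 746c e52f
+### ed25519 private key
+0821 8d19 996d 174f 147f 157b 9f2c 8011
+4ab3 d2d1 2532 d2ea b925 6161 46a8 15be
+0821 8d19 996d 174f 147f 157b 9f2c 8011
+4ab3 d2d1 2532 d2ea b925 6161 46a8 15be
+## Second verse, same as the first.
+Thanks to [cyphr.me](https://cyphr.me/ed25519_applet/ed.html) for already implementing ed25519.
+Loadaddr | N/A | Length | Bin | Signature
+---------|-----|--------|------------------|----------
+8000 | 00 | 0c | 324000ffb0121000 | 483249ADDE744F491DAED26FFC723E08257D2B210A20177B1556C8F04D0D80B861453D737ED08AE10165CDF40B37DA23967A266F605ECFA9490B9C664682EC0B
+8000 00 0c 324000ffb0121000 483249ADDE744F491DAED26FFC723E08257D2B210A20177B1556C8F04D0D80B861453D737ED08AE10165CDF40B37DA23967A266F605ECFA9490B9C664682EC0B
+# SOLVED
+The CPU completed in 21663 cycles.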


@ -0,0 +1 @@
import nacl.public

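--- a/23-St. John's/stjohns.c
+++ b/23-St. John's/stjohns.c
@@ -0,0 +1,53 @@
+// uC includes
+#include "../common/io.c"
+#include "../common/lib.c"
+typedef unsigned char u8;
+typedef unsigned short u16;
+int main () {
+u8 *ed25519_pubkey = (mem + 0x2440);
+u8 *buf = (mem + 0x2460); // >=> 0x2460
+u8 sig_buf[64]; // >=> sp
+puts ("Welcome to the secure program loader.");
+while (1) {
+u16 loadaddr; // >=> r11
+u8 len; // >=> r10
+puts ("Please enter debug payload.");
+memset (buf, 0, 0x400);
+getsn (buf, 0x3ff);
+loadaddr = (buf[0] << 8) + (buf[1]);
+len = buf[3];
+if (0x8000 > loadaddr || loadaddr >= 0xf001) {
+puts ("Load address outside allowed range of 0x8000-0xF000");
+continue;
+}
+if (loadaddr & 1) {
+puts ("Load address unaligned");
+continue;
+}
+if (len - 6 > 0x3bb) {
+puts ("Invalid payload length");
+continue;
+}
+u8 *signature = buf + len;
+memcpy (sig_buf, buf + len, 0x40);
+if (verify_ed25519 (ed25519_pubkey, buf, len, sig_buf) != 0x1) {
+puts ("Incorrect signature, continuing");
+continue;
+}
+puts ("Signature valid, executing payload");
+printf ("LA:%p, BF:%p, LEN:%x\n", mem + loadaddr, buf, len);
+memcpy (mem + loadaddr, buf + 0x4, len);
+}
+}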
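Review bot: The length check `if (len - 6 > 0x3bb)` does not reproduce the firmware it reconstructs: `len` is `u8`, so `len - 6` is promoted to a signed int and any length below 6 yields a negative value that passes, whereas the disassembly at 44a0–44a8 (16-bit `add #0xfffa` followed by `cmp #0x3bb` / `jnc`) compares unsigned, so such values wrap and are rejected. `if ((u16)(len - 6) > 0x3bb)` matches the firmware; since `len` is at most 255 the upper bound can never fire, so in practice this check only rejects `len < 6`. The loop body also ends after the final memcpy, but the disassembly performs `call r11` at 44f6 before looping back, so a line such as `// firmware: call r11 — control transfers to loadaddr here` (or an explicit indirect call) after the memcpy would keep the reconstruction faithful. `u8 *signature = buf + len;` is unused, as `sig_buf` is what is passed to verify_ed25519.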

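--- a/23-St. John's/stjohns.txt
+++ b/23-St. John's/stjohns.txt
@@ -0,0 +1,386 @@
+Hex:
+:10 4400 00 55425C0135D0085A8245602831400044 4D
+:10 4410 00 3F4060000F930824924260285C012F83 84
+:10 4420 00 9F4F28470024F8233F4000040F930724 A0
+:10 4430 00 924260285C011F83CF436024F9233150 EE
+:10 4440 00 C0FF3F404046B012A4453F406646B012 10
+:10 4450 00 A4453D4000040E433F406024B012D445 C3
+:10 4460 00 3E40FF033F406024B01286455B426024 1B
+:10 4470 00 8B105F4261240BDF5A4263240B930334 99
+:10 4480 00 3B9001F005283F408246B012A445DD3F 35
+:10 4490 00 1BB305243F40B646B012A445D63F0F4A 91
+:10 44A0 00 3F50FAFF3F90BB0305283F40CD46B012 76
+:10 44B0 00 A445CB3F3D4040000E4A3E5060240F41 92
+:10 44C0 00 B012C2450C410D4A3E4060243F404024 9A
+:10 44D0 00 B01252451F9305243F40E446B012A445 54
+:10 44E0 00 B43F3F400447B012A4450D4A3E406424 07
+:10 44F0 00 0F4BB012C2458B12A83F32D0F000FD3F E7
+:10 4500 00 30403E461F41020002124F4F8F103FD0 F5
+:10 4510 00 0080024FB0121000324130410D120E12 D5
+:10 4520 00 0F1230123000B0120445315230410D12 DA
+:10 4530 00 0E120F1230123100B012044531523041 C8
+:10 4540 00 0D120E120F1230123200B01204453152 09
+:10 4550 00 30410B1204120441245221838443FAFF 98
+:10 4560 00 3B40FAFF0B540B120C120D120E120F12 DD
+:10 4570 00 30123300B01204451F44FAFF31500E00 D0
+:10 4580 00 34413B4130410E120F122312B0120445 48
+:10 4590 00 3150060030418F110F120312B0120445 42
+:10 45A0 00 215230410B120B4F033C1B53B0129645 66
+:10 45B0 00 6F4B4F93FA237F400A00B01296453B41 60
+:10 45C0 00 30410C4F043CFC4E00001C533D530D93 F6
+:10 45D0 00 FA2330410B120A12091208123D900600 0C
+:10 45E0 00 092C0C4F043CCC4E00001C533D530D93 42
+:10 45F0 00 FA23203C4E4E4B4E0B9303240C4B8C10 55
+:10 4600 00 0BDC1FB306243D53CF4E0000094F1953 56
+:10 4610 00 013C094F0C4D12C30C100A49084C8A4B 3F
+:10 4620 00 00002A533853FB230C5C0C591DF30224 61
+:10 4630 00 CC4E0000384139413A413B4130410013 F2
+:10 4640 00 57656C636F6D6520746F207468652073 A7
+:10 4650 00 65637572652070726F6772616D206C6F 33
+:10 4660 00 616465722E00506C6561736520656E74 BF
+:10 4670 00 6572206465627567207061796C6F6164 32
+:10 4680 00 2E004C6F61642061646472657373206F E7
+:10 4690 00 75747369646520616C6C6F7765642072 F2
+:10 46A0 00 616E6765206F66203078383030302D30 8D
+:10 46B0 00 7846303030004C6F6164206164647265 0C
+:10 46C0 00 737320756E616C69676E656400496E76 00
+:10 46D0 00 616C6964207061796C6F6164206C656E D7
+:10 46E0 00 67746800496E636F7272656374207369 E2
+:10 46F0 00 676E61747572652C20636F6E74696E75 78
+:10 4700 00 696E67005369676E6174757265207661 C2
+:10 4710 00 6C69642C20657865637574696E672070 B8
+:08 4720 00 61796C6F61640000 17
+Strings:
+:10 4728 00 70C3679B43365CA01131991CC462135B 4C
+:10 4738 00 ECAE7DF973D62B163C05C679746CE52F 63
+:10 4748 00 08218D19996D174F147F157B9F2C8011 A7
+:10 4758 00 4AB3D2D12532D2EAB925616146A815BE 3D
+:10 4768 00 08218D19996D174F147F157B9F2C8011 87
+:10 4778 00 4AB3D2D12532D2EAB925616146A815BE 1D
+Exception_Vectors:
+:10 FF80 00 00450045004500450045004500450045 49
+:10 FF90 00 00450045004500450045004500450044 3A
+Start:
+:04 0000 03 00004400 B5
+What: ; does this do?
+:00 0000 01 FF
+Obj:
+0010 <__trap_interrupt>
+0010: 3041 ret
+4400 <__watchdog_support>
+4400: 5542 5c01 mov.b &0x015c, r5
+4404: 35d0 085a bis #0x5a08, r5
+4408: 8245 6028 mov r5, &0x2860
+440c <__init_stack>
+440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
+4410 <__do_copy_data>
+4410: 3f40 6000 mov #0x60, r15
+4414: 0f93 tst r15
+4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
+4418: 9242 6028 5c01 mov &0x2860, &0x015c
+441e: 2f83 decd r15
+4420: 9f4f 2847 0024 mov 0x4728(r15), 0x2400(r15)
+4426: f823 jnz #0x4418 <__do_copy_data+0x8>
+4428 <__do_clear_bss>
+4428: 3f40 0004 mov #0x400, r15
+442c: 0f93 tst r15
+442e: 0724 jz #0x443e <main+0x0>
+4430: 9242 6028 5c01 mov &0x2860, &0x015c
+4436: 1f83 dec r15
+4438: cf43 6024 mov.b #0x0, 0x2460(r15)
+443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
+443e <main>
+;? char sig_buf[64]; // >=> sp
+443e: 3150 c0ff add #0xffc0, sp
+;* puts ("Welcome to the secure program loader.");
+4442: 3f40 4046 mov #0x4640 "Welcome to the secure program loader." r15
+4446: b012 a445 call #0x45a4 <puts>
+;* while (1)
+continue:
+;* puts ("Please enter debug payload.");
+444a: 3f40 6646 mov #0x4666 "Please enter debug payload." r15
+444e: b012 a445 call #0x45a4 <puts>
+;? u8 buf[0x400]; // >=> 0x2460
+;* memset (buf, 0, 0x400);
+4452: 3d40 0004 mov #0x400, r13
+4456: 0e43 clr r14
+4458: 3f40 6024 mov #0x2460, r15
+445c: b012 d445 call #0x45d4 <memset>
+;* getsn(buf, 0x3ff);
+4460: 3e40 ff03 mov #0x3ff, r14
+4464: 3f40 6024 mov #0x2460, r15
+4468: b012 8645 call #0x4586 <getsn>
+;* void * loadaddr /* r11 */ = (buf[0] << 8) + (buf[1]);
+446c: 5b42 6024 mov.b &0x2460, r11
+4470: 8b10 swpb r11
+4472: 5f42 6124 mov.b &0x2461, r15
+4476: 0bdf bis r15, r11
+;! byte index 0x2 goes unused!
+;*size_t len = buf[3];
+4478: 5a42 6324 mov.b &0x2463, r10
+;*if (0x8000 > loadaddr || loadaddr >= 0xf001)
+447c: 0b93 tst r11
+447e: 0334 jge #0x4486 <main+0x48>
+4480: 3b90 01f0 cmp #0xf001, r11
+4484: 0528 jnc #0x4490 <main+0x52>
+;* puts ("Load address outside allowed range of 0x8000-0xF000");
+4486: 3f40 8246 mov #0x4682 "Load address outside allowed range of 0x8000-0xF000" r15
+448a: b012 a445 call #0x45a4 <puts>
+;* continue;
+448e: dd3f jmp #0x444a <main+0xc>
+;* if (loadaddr & 1)
+4490: 1bb3 bit #0x1, r11
+4492: 0524 jz #0x449e <main+0x60>
+;* puts ("Load address unaligned");
+4494: 3f40 b646 mov #0x46b6 "Load address unaligned" r15
+4498: b012 a445 call #0x45a4 <puts>
+;* continue;
+449c: d63f jmp #0x444a <main+0xc>
+;* if (len - 6 > 0x3bb)
+449e: 0f4a mov r10, r15
+44a0: 3f50 faff add #0xfffa, r15
+44a4: 3f90 bb03 cmp #0x3bb, r15
+44a8: 0528 jnc #0x44b4 <main+0x76>
+;* puts ("Invalid payload length");
+44aa: 3f40 cd46 mov #0x46cd "Invalid payload length" r15
+44ae: b012 a445 call #0x45a4 <puts>
+;* continue;
+44b2: cb3f jmp #0x444a <main+0xc>
+;* memcpy (sig_buf, buf+len, 0x40)
+44b4: 3d40 4000 mov #0x40, r13
+44b8: 0e4a mov r10, r14
+44ba: 3e50 6024 add #0x2460, r14
+44be: 0f41 mov sp, r15
+44c0: b012 c245 call #0x45c2 <memcpy>
+;* verify_ed25519 (ed25519_pubkey /*0x2440*/, buf /*0x2460*/, size /*r10*/, sig_buf /*sp*/);
+44c4: 0c41 mov sp, r12
+44c6: 0d4a mov r10, r13
+44c8: 3e40 6024 mov #0x2460, r14
+44cc: 3f40 4024 mov #0x2440, r15
+44d0: b012 5245 call #0x4552 <verify_ed25519>
+;* if (result != 0x1)
+44d4: 1f93 cmp #0x1, r15
+44d6: 0524 jeq #0x44e2 <main+0xa4>
+;* puts ("Incorrect signature, continuing");
+44d8: 3f40 e446 mov #0x46e4 "Incorrect signature, continuing" r15
+44dc: b012 a445 call #0x45a4 <puts>
+;* continue;
+44e0: b43f jmp #0x444a <main+0xc>
+;* puts ("Signature valid, executing payload");
+44e2: 3f40 0447 mov #0x4704 "Signature valid, executing payload" r15
+44e6: b012 a445 call #0x45a4 <puts>
+;* memcpy ( loadaddr /*dest*/, buf + 0x4 /*src*/, len /*size*/);
+44ea: 0d4a mov r10, r13
+44ec: 3e40 6424 mov #0x2464, r14
+44f0: 0f4b mov r11, r15
+44f2: b012 c245 call #0x45c2 <memcpy>
+;* payload ();
+44f6: 8b12 call r11
+;* continue;
+44f8: a83f jmp #0x444a <main+0xc>
+44fa <__stop_progExec__>
+44fa: 32d0 f000 bis #0xf0, sr
+44fe: fd3f jmp #0x44fa <__stop_progExec__+0x0>
+4500 <__ctors_end>
+4500: 3040 3e46 br #0x463e <_unexpected_>
+4504 <INT>
+4504: 1f41 0200 mov 0x2(sp), r15
+4508: 0212 push sr
+450a: 4f4f mov.b r15, r15
+450c: 8f10 swpb r15
+450e: 3fd0 0080 bis #0x8000, r15
+4512: 024f mov r15, sr
+4514: b012 1000 call #0x10
+4518: 3241 pop sr
+451a: 3041 ret
+451c <sha1>
+451c: 0d12 push r13
+451e: 0e12 push r14
+4520: 0f12 push r15
+4522: 3012 3000 push #0x30
+4526: b012 0445 call #0x4504 <INT>
+452a: 3152 add #0x8, sp
+452c: 3041 ret
+452e <sha256>
+452e: 0d12 push r13
+4530: 0e12 push r14
+4532: 0f12 push r15
+4534: 3012 3100 push #0x31
+4538: b012 0445 call #0x4504 <INT>
+453c: 3152 add #0x8, sp
+453e: 3041 ret
+4540 <sha512>
+4540: 0d12 push r13
+4542: 0e12 push r14
+4544: 0f12 push r15
+4546: 3012 3200 push #0x32
+454a: b012 0445 call #0x4504 <INT>
+454e: 3152 add #0x8, sp
+4550: 3041 ret
+4552 <verify_ed25519>
+4552: 0b12 push r11
+4554: 0412 push r4
+4556: 0441 mov sp, r4
+4558: 2452 add #0x4, r4
+455a: 2183 decd sp
+455c: 8443 faff clr -0x6(r4)
+4560: 3b40 faff mov #0xfffa, r11
+4564: 0b54 add r4, r11
+4566: 0b12 push r11
+4568: 0c12 push r12
+456a: 0d12 push r13
+456c: 0e12 push r14
+456e: 0f12 push r15
+4570: 3012 3300 push #0x33
+4574: b012 0445 call #0x4504 <INT>
+4578: 1f44 faff mov -0x6(r4), r15
+457c: 3150 0e00 add #0xe, sp
+4580: 3441 pop r4
+4582: 3b41 pop r11
+4584: 3041 ret
+4586 <getsn>
+4586: 0e12 push r14
+4588: 0f12 push r15
+458a: 2312 push #0x2
+458c: b012 0445 call #0x4504 <INT>
+4590: 3150 0600 add #0x6, sp
+4594: 3041 ret
+4596 <putchar>
+4596: 8f11 sxt r15
+4598: 0f12 push r15
+459a: 0312 push #0x0
+459c: b012 0445 call #0x4504 <INT>
+45a0: 2152 add #0x4, sp
+45a2: 3041 ret
+45a4 <puts>
+45a4: 0b12 push r11
+45a6: 0b4f mov r15, r11
+45a8: 033c jmp #0x45b0 <puts+0xc>
+45aa: 1b53 inc r11
+45ac: b012 9645 call #0x4596 <putchar>
+45b0: 6f4b mov.b @r11, r15
+45b2: 4f93 tst.b r15
+45b4: fa23 jnz #0x45aa <puts+0x6>
+45b6: 7f40 0a00 mov.b #0xa, r15
+45ba: b012 9645 call #0x4596 <putchar>
+45be: 3b41 pop r11
+45c0: 3041 ret
+45c2 <memcpy>
+45c2: 0c4f mov r15, r12
+45c4: 043c jmp #0x45ce <memcpy+0xc>
+45c6: fc4e 0000 mov.b @r14+, 0x0(r12)
+45ca: 1c53 inc r12
+45cc: 3d53 add #-0x1, r13
+45ce: 0d93 tst r13
+45d0: fa23 jnz #0x45c6 <memcpy+0x4>
+45d2: 3041 ret
+45d4 <memset>
+45d4: 0b12 push r11
+45d6: 0a12 push r10
+45d8: 0912 push r9
+45da: 0812 push r8
+45dc: 3d90 0600 cmp #0x6, r13
+45e0: 092c jc #0x45f4 <memset+0x20>
+45e2: 0c4f mov r15, r12
+45e4: 043c jmp #0x45ee <memset+0x1a>
+45e6: cc4e 0000 mov.b r14, 0x0(r12)
+45ea: 1c53 inc r12
+45ec: 3d53 add #-0x1, r13
+45ee: 0d93 tst r13
+45f0: fa23 jnz #0x45e6 <memset+0x12>
+45f2: 203c jmp #0x4634 <memset+0x60>
+45f4: 4e4e mov.b r14, r14
+45f6: 4b4e mov.b r14, r11
+45f8: 0b93 tst r11
+45fa: 0324 jz #0x4602 <memset+0x2e>
+45fc: 0c4b mov r11, r12
+45fe: 8c10 swpb r12
+4600: 0bdc bis r12, r11
+4602: 1fb3 bit #0x1, r15
+4604: 0624 jz #0x4612 <memset+0x3e>
+4606: 3d53 add #-0x1, r13
+4608: cf4e 0000 mov.b r14, 0x0(r15)
+460c: 094f mov r15, r9
+460e: 1953 inc r9
+4610: 013c jmp #0x4614 <memset+0x40>
+4612: 094f mov r15, r9
+4614: 0c4d mov r13, r12
+4616: 12c3 clrc
+4618: 0c10 rrc r12
+461a: 0a49 mov r9, r10
+461c: 084c mov r12, r8
+461e: 8a4b 0000 mov r11, 0x0(r10)
+4622: 2a53 incd r10
+4624: 3853 add #-0x1, r8
+4626: fb23 jnz #0x461e <memset+0x4a>
+4628: 0c5c add r12, r12
+462a: 0c59 add r9, r12
+462c: 1df3 and #0x1, r13
+462e: 0224 jz #0x4634 <memset+0x60>
+4630: cc4e 0000 mov.b r14, 0x0(r12)
+4634: 3841 pop r8
+4636: 3941 pop r9
+4638: 3a41 pop r10
+463a: 3b41 pop r11
+463c: 3041 ret
+463e <_unexpected_>
+463e: 0013 reti pc
+4640 .strings:
+4640: "Welcome to the secure program loader."
+4666: "Please enter debug payload."
+4682: "Load address outside allowed range of 0x8000-0xF000"
+46b6: "Load address unaligned"
+46cd: "Invalid payload length"
+46e4: "Incorrect signature, continuing"
+4704: "Signature valid, executing payload"
+Prereqs:"Churchill"
+Name:"St. John's"
+Text: """
+Lockitall LOCKIT 2 r A.01
+______________________________________________________________________
+User Manual: Lockitall LockIT 2, rev a.01
+______________________________________________________________________
+OVERVIEW
+- The firmware has been updated to resolve a vulnerability.
+DETAILS
+The LockIT 2 A.01 is the second of a new series of locks. It is
+controlled by a MSP430 microcontroller. The MSP430 is a very low-
+power device, chosen because we found several crates of old stock.
+This lock only accepts biometric and NFC inputs, and does not have
+a traditional password prompt.
+To support rapid development cycles this lock accepts a program
+from the old password input prompt.
+800000063041f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0d
+e53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff
+35ce9708
+This is Hardware Version Beta.
+This is Software Revision 04.
+(c) 2021 LOCKITALL Page 1/1
+"""
+X:170
+Y:325
+Rating:20
+Patch:""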
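Review bot: The record annotated `What: ; does this do?` above `:00 0000 01 FF` is the standard Intel HEX end-of-file record — byte count 00, address 0000, record type 01, checksum FF — and the preceding `:04 0000 03 00004400 B5` appears to be a type-03 start-segment-address record (CS:IP 0000:4400), which agrees with the `__watchdog_support` entry point at 4400 in the Obj section. Replacing the question with `EOF: ; Intel HEX end-of-file record (type 01)` would document both. The two `;?` annotations in main (`char sig_buf[64]` against `add #0xffc0, sp`, i.e. -64, at 443e, and `u8 buf[0x400]` against the 0x400-byte memset at 4452) are consistent with the code they annotate, so they could be promoted from `;?` to `;*`.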


@ -38,5 +38,8 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som
### 2022 Dec 4 PM - 2022 Dec 11 PM: ### 2022 Dec 4 PM - 2022 Dec 11 PM:
Cold Lake Cold Lake
### 2022 Dec 11 PM ### 2022 Dec 11 PM:
Churchill Churchill
### 2022 Dec 11 PM:
St. John's