Cold Lake complete!

21-Cold Lake/coldlake.c

@@ -0,0 +1,99 @@
+// yes it compiles. It'll segfault instantly, of course.
+//#include <stdlib.h>
+//#include <string.h>
+//#include <stdio.h>
+
+//#include <io.c>
+//#include <lib.c>
+
+#include <stddef.h>
+
+int verify_ed25519 (char * ed25519_pubkey, void * buf, int size, char * signature);
+
+void getsn (char* buf, int length);
+int  puts(const char *);
+
+void INT (int arg, ...);
+
+int main (void) {
+   int (*loadaddr)();    // >=> sp       0080
+   char signature[0x41]; // >=> sp+2     8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f
+   char payload[0x101];  // >=> sp+0x43  3540088000450545054505450545054505450f433041
+
+   puts ("Welcome to the secure program loader.");
+   while (1) {
+
+      puts ("Please enter second stage load address.");
+      getsn ((char *) &loadaddr, 2);
+
+      puts ("Please enter the second stage program.");
+      memset (&payload /*sp+0x43*/, 0, 0x101);
+      getsn ((char *) &payload /*sp+0x43*/, 0x100); // get 100 bytes into sp+0x43
+
+      puts ("Please enter program signature.");
+      memset((char *) &signature /* sp+2 */, 0, 0x41);
+      getsn ((char *) &signature /* sp+2 */, 0x40);
+
+      if ((int)loadaddr & 0x8000 && (int)loadaddr < 0xf001) {
+         // Here, it copies the payload
+         memcpy ((void *)loadaddr, &payload, 0x100);
+         // Then, it verifies the signature
+         if (verify_ed25519 ((char *)0x2400, loadaddr, 0x100, signature) == 1) {
+            puts ("Signature valid, executing payload");
+            if (loadaddr()) {
+               puts ("ACCESS GRANTED");
+               INT (0x7f, 0, 0);
+               exit (0);
+            } else {
+               puts ("ACCESS DENIED");
+            }
+         } else {
+            // ??? memory not cleared? For shame.S
+            puts ("Incorrect signature, continuing");
+         }
+      }
+      else {
+         puts ("Load address outside allowed range of 0x8000-0xF000");
+      }
+   }
+}
+
+int sample_payload (void) {
+   short a = 0x8008;
+   //goto a;
+   a = a;
+   a = a;
+   a = a;
+   a = a;
+   a = a;
+   a = 0;
+   return a;
+}
+
+void INT (int arg, ...) {
+
+}
+
+int verify_ed25519 (char * ed25519_pubkey, void * buf, int size, char * signature) {
+   int result = 0; // >=> sp+4
+   INT (0x33, ed25519_pubkey, buf, size, signature, &result);
+   return result;
+}
+
+void getsn (char* buf, int length) {
+   INT (2, buf, length);
+}
+
+int putchar (int c) {
+   INT (0, c);
+}
+
+int puts (const char * str) {
+   char c;
+   while (c = *str) {
+      str++;
+      putchar(c);
+   }
+   putchar('\n');
+   return 0;
+}

21-Cold Lake/coldlake.disasm

@@ -0,0 +1,245 @@
+0010 <__trap_interrupt>
+0010:  3041           ret
+4400 <__watchdog_support>
+4400:  5542 5c01      mov.b	&0x015c, r5
+4404:  35d0 085a      bis	#0x5a08, r5
+4408:  8245 2024      mov	r5, &0x2420
+440c <__init_stack>
+440c:  3140 0044      mov	#0x4400, sp
+4410 <__do_copy_data>
+4410:  3f40 2000      mov	#0x20, r15
+4414:  0f93           tst	r15
+4416:  0824           jz	$+0x12 <__do_clear_bss+0x0>
+4418:  9242 2024 5c01 mov	&0x2420, &0x015c
+441e:  2f83           decd	r15
+4420:  9f4f 8047 0024 mov	0x4780(r15), 0x2400(r15)
+4426:  f823           jnz	$-0xe <__do_copy_data+0x8>
+4428 <__do_clear_bss>
+4428:  3f40 0000      clr	r15
+442c:  0f93           tst	r15
+442e:  0724           jz	$+0x10 <main+0x0>
+4430:  9242 2024 5c01 mov	&0x2420, &0x015c
+4436:  1f83           dec	r15
+4438:  cf43 2024      mov.b	#0x0, 0x2420(r15)
+443c:  f923           jnz	$-0xc <__do_clear_bss+0x8>
+443e <main>
+443e:  3150 bcfe      add	#0xfebc, sp
+4442:  3f40 5646      mov	#0x4656 "Welcome to the secure program loader.", r15
+4446:  b012 ba45      call	#0x45ba <puts>
+444a:  8143 0000      clr	0x0(sp)
+444e:  3f40 7c46      mov	#0x467c "Please enter second stage load address.", r15
+4452:  b012 ba45      call	#0x45ba <puts>
+4456:  2e43           mov	#0x2, r14
+4458:  0f41           mov	sp, r15
+445a:  b012 9c45      call	#0x459c <getsn>
+445e:  3f40 a446      mov	#0x46a4 "Please enter the second stage program.", r15
+4462:  b012 ba45      call	#0x45ba <puts>
+4466:  3d40 0101      mov	#0x101, r13
+446a:  0e43           clr	r14
+446c:  0f41           mov	sp, r15
+446e:  3f50 4300      add	#0x43, r15
+4472:  b012 ea45      call	#0x45ea <memset>
+4476:  3e40 0001      mov	#0x100, r14
+447a:  0f41           mov	sp, r15
+447c:  3f50 4300      add	#0x43, r15
+4480:  b012 9c45      call	#0x459c <getsn>
+4484:  3f40 cb46      mov	#0x46cb "Please enter program signature.", r15
+4488:  b012 ba45      call	#0x45ba <puts>
+448c:  3d40 4100      mov	#0x41, r13
+4490:  0e43           clr	r14
+4492:  0f41           mov	sp, r15
+4494:  2f53           incd	r15
+4496:  b012 ea45      call	#0x45ea <memset>
+449a:  3e40 4000      mov	#0x40, r14
+449e:  0f41           mov	sp, r15
+44a0:  2f53           incd	r15
+44a2:  b012 9c45      call	#0x459c <getsn>
+44a6:  2f41           mov	@sp, r15
+44a8:  0f93           tst	r15
+44aa:  0334           jge	$+0x8 <main+0x74>
+44ac:  3f90 01f0      cmp	#0xf001, r15
+44b0:  0528           jnc	$+0xc <main+0x7e>
+44b2:  3f40 eb46      mov	#0x46eb "Load address outside allowed range of 0x8000-0xF000", r15
+44b6:  b012 ba45      call	#0x45ba <puts>
+44ba:  c73f           jmp	$-0x70 <main+0xc>
+44bc:  3d40 0001      mov	#0x100, r13
+44c0:  0e41           mov	sp, r14
+44c2:  3e50 4300      add	#0x43, r14
+44c6:  b012 d845      call	#0x45d8 <memcpy>
+44ca:  0c41           mov	sp, r12
+44cc:  2c53           incd	r12
+44ce:  3d40 0001      mov	#0x100, r13
+44d2:  2e41           mov	@sp, r14
+44d4:  3f40 0024      mov	#0x2400, r15
+44d8:  b012 6845      call	#0x4568 <verify_ed25519>
+44dc:  1f93           cmp	#0x1, r15
+44de:  0524           jz	$+0xc <main+0xac>
+44e0:  3f40 1f47      mov	#0x471f "Incorrect signature, continuing", r15
+44e4:  b012 ba45      call	#0x45ba <puts>
+44e8:  b03f           jmp	$-0x9e <main+0xc>
+44ea:  3f40 3f47      mov	#0x473f "Signature valid, executing payload", r15
+44ee:  b012 ba45      call	#0x45ba <puts>
+44f2:  9112 0200      call	0x2(sp)
+44f6:  0f93           tst	r15
+44f8:  0f24           jz	$+0x20 <main+0xda>
+44fa:  3f40 6247      mov	#0x4762 "ACCESS GRANTED", r15
+44fe:  b012 ba45      call	#0x45ba <puts>
+4502:  0312           push	#0x0
+4504:  0312           push	#0x0
+4506:  3012 7f00      push	#0x7f
+450a:  b012 2c45      call	#0x452c <INT>
+450e:  0f43           clr	r15
+4510:  3150 4a01      add	#0x14a, sp
+4514:  3040 2245      br	#0x4522 <__stop_progExec__>
+4518:  3f40 7147      mov	#0x4771 "ACCESS DENIED", r15
+451c:  b012 ba45      call	#0x45ba <puts>
+4520:  943f           jmp	$-0xd6 <main+0xc>
+4522 <__stop_progExec__>
+4522:  32d0 f000      bis	#0xf0, sr
+4526:  fd3f           jmp	$-0x4 <__stop_progExec__+0x0>
+4528 <__ctors_end>
+4528:  3040 5446      br	#0x4654 <_unexpected_>
+452c <INT>
+452c:  1f41 0200      mov	0x2(sp), r15
+4530:  0212           push	sr
+4532:  4f4f           mov.b	r15, r15
+4534:  8f10           swpb	r15
+4536:  3fd0 0080      bis	#0x8000, r15
+453a:  024f           mov	r15, sr
+453c:  b012 1000      call	#0x10
+4540:  3241           pop	sr
+4542:  3041           ret
+4544 <sha1>
+4544:  0d12           push	r13
+4546:  0e12           push	r14
+4548:  0f12           push	r15
+454a:  3012 3000      push	#0x30
+454e:  b012 2c45      call	#0x452c <INT>
+4552:  3152           add	#0x8, sp
+4554:  3041           ret
+4556 <sha256>
+4556:  0d12           push	r13
+4558:  0e12           push	r14
+455a:  0f12           push	r15
+455c:  3012 3100      push	#0x31
+4560:  b012 2c45      call	#0x452c <INT>
+4564:  3152           add	#0x8, sp
+4566:  3041           ret
+4568 <verify_ed25519>
+4568:  0b12           push	r11
+456a:  0412           push	r4
+456c:  0441           mov	sp, r4
+456e:  2452           add	#0x4, r4
+4570:  2183           decd	sp
+4572:  8443 faff      clr	-0x6(r4)
+4576:  3b40 faff      mov	#0xfffa, r11
+457a:  0b54           add	r4, r11
+457c:  0b12           push	r11
+457e:  0c12           push	r12
+4580:  0d12           push	r13
+4582:  0e12           push	r14
+4584:  0f12           push	r15
+4586:  3012 3300      push	#0x33
+458a:  b012 2c45      call	#0x452c <INT>
+458e:  1f44 faff      mov	-0x6(r4), r15
+4592:  3150 0e00      add	#0xe, sp
+4596:  3441           pop	r4
+4598:  3b41           pop	r11
+459a:  3041           ret
+459c <getsn>
+459c:  0e12           push	r14
+459e:  0f12           push	r15
+45a0:  2312           push	#0x2
+45a2:  b012 2c45      call	#0x452c <INT>
+45a6:  3150 0600      add	#0x6, sp
+45aa:  3041           ret
+45ac <putchar>
+45ac:  8f11           sxt	r15
+45ae:  0f12           push	r15
+45b0:  0312           push	#0x0
+45b2:  b012 2c45      call	#0x452c <INT>
+45b6:  2152           add	#0x4, sp
+45b8:  3041           ret
+45ba <puts>
+45ba:  0b12           push	r11
+45bc:  0b4f           mov	r15, r11
+45be:  033c           jmp	$+0x8 <puts+0xc>
+45c0:  1b53           inc	r11
+45c2:  b012 ac45      call	#0x45ac <putchar>
+45c6:  6f4b           mov.b	@r11, r15
+45c8:  4f93           tst.b	r15
+45ca:  fa23           jnz	$-0xa <puts+0x6>
+45cc:  7f40 0a00      mov.b	#0xa, r15
+45d0:  b012 ac45      call	#0x45ac <putchar>
+45d4:  3b41           pop	r11
+45d6:  3041           ret
+45d8 <memcpy>
+45d8:  0c4f           mov	r15, r12
+45da:  043c           jmp	$+0xa <memcpy+0xc>
+45dc:  fc4e 0000      mov.b	@r14+, 0x0(r12)
+45e0:  1c53           inc	r12
+45e2:  3d53           add	#-0x1, r13
+45e4:  0d93           tst	r13
+45e6:  fa23           jnz	$-0xa <memcpy+0x4>
+45e8:  3041           ret
+45ea <memset>
+45ea:  0b12           push	r11
+45ec:  0a12           push	r10
+45ee:  0912           push	r9
+45f0:  0812           push	r8
+45f2:  3d90 0600      cmp	#0x6, r13
+45f6:  092c           jc	$+0x14 <memset+0x20>
+45f8:  0c4f           mov	r15, r12
+45fa:  043c           jmp	$+0xa <memset+0x1a>
+45fc:  cc4e 0000      mov.b	r14, 0x0(r12)
+4600:  1c53           inc	r12
+4602:  3d53           add	#-0x1, r13
+4604:  0d93           tst	r13
+4606:  fa23           jnz	$-0xa <memset+0x12>
+4608:  203c           jmp	$+0x42 <memset+0x60>
+460a:  4e4e           mov.b	r14, r14
+460c:  4b4e           mov.b	r14, r11
+460e:  0b93           tst	r11
+4610:  0324           jz	$+0x8 <memset+0x2e>
+4612:  0c4b           mov	r11, r12
+4614:  8c10           swpb	r12
+4616:  0bdc           bis	r12, r11
+4618:  1fb3           bit	#0x1, r15
+461a:  0624           jz	$+0xe <memset+0x3e>
+461c:  3d53           add	#-0x1, r13
+461e:  cf4e 0000      mov.b	r14, 0x0(r15)
+4622:  094f           mov	r15, r9
+4624:  1953           inc	r9
+4626:  013c           jmp	$+0x4 <memset+0x40>
+4628:  094f           mov	r15, r9
+462a:  0c4d           mov	r13, r12
+462c:  12c3           clrc
+462e:  0c10           rrc	r12
+4630:  0a49           mov	r9, r10
+4632:  084c           mov	r12, r8
+4634:  8a4b 0000      mov	r11, 0x0(r10)
+4638:  2a53           incd	r10
+463a:  3853           add	#-0x1, r8
+463c:  fb23           jnz	$-0x8 <memset+0x4a>
+463e:  0c5c           add	r12, r12
+4640:  0c59           add	r9, r12
+4642:  1df3           and	#0x1, r13
+4644:  0224           jz	$+0x6 <memset+0x60>
+4646:  cc4e 0000      mov.b	r14, 0x0(r12)
+464a:  3841           pop	r8
+464c:  3941           pop	r9
+464e:  3a41           pop	r10
+4650:  3b41           pop	r11
+4652:  3041           ret
+4654 <_unexpected_>
+4654:  0013           reti	pc
+4656 .strings:
+4656: "Welcome to the secure program loader."
+467c: "Please enter second stage load address."
+46a4: "Please enter the second stage program."
+46cb: "Please enter program signature."
+46eb: "Load address outside allowed range of 0x8000-0xF000"
+471f: "Incorrect signature, continuing"
+473f: "Signature valid, executing payload"
+4762: "ACCESS GRANTED"
+4771: "ACCESS DENIED"

21-Cold Lake/coldlake.s

@@ -0,0 +1,277 @@
+	.file	"coldlake.c"
+	.cpu 430
+	.mpy none
+
+ ;  GNU C (mspgcc_20120406) version 4.6.3 20120301 (mspgcc LTS 20120406 unpatched) (msp430)
+ ; 	compiled by GNU C version 12.2.0, GMP version 6.2.1, MPFR version 4.1.0-p13, MPC version 1.2.1
+ ;  GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
+ ;  options passed:  coldlake.c -O0 -fverbose-asm
+ ;  options enabled:  -fauto-inc-dec -fbranch-count-reg -fcommon
+ ;  -fdelete-null-pointer-checks -fearly-inlining
+ ;  -feliminate-unused-debug-types -ffunction-cse -fgcse-lm -fident
+ ;  -finline-functions-called-once -fira-share-save-slots
+ ;  -fira-share-spill-slots -fivopts -fkeep-static-consts
+ ;  -fleading-underscore -fmath-errno -fmerge-debug-strings
+ ;  -fmove-loop-invariants -fpeephole -fprefetch-loop-arrays
+ ;  -freg-struct-return -fsched-critical-path-heuristic
+ ;  -fsched-dep-count-heuristic -fsched-group-heuristic -fsched-interblock
+ ;  -fsched-last-insn-heuristic -fsched-rank-heuristic -fsched-spec
+ ;  -fsched-spec-insn-heuristic -fsched-stalled-insns-dep -fshow-column
+ ;  -fsigned-zeros -fsplit-ivs-in-unroller -fstrict-volatile-bitfields
+ ;  -ftrapping-math -ftree-forwprop -ftree-loop-if-convert -ftree-loop-im
+ ;  -ftree-loop-ivcanon -ftree-loop-optimize -ftree-parallelize-loops=
+ ;  -ftree-phiprop -ftree-pta -ftree-reassoc -ftree-scev-cprop
+ ;  -ftree-slp-vectorize -ftree-vect-loop-version -funit-at-a-time
+ ;  -fverbose-asm -fzero-initialized-in-bss
+
+ ;  Compiler executable checksum: e798769d5090625420b1df34770b8edb
+
+	.section	.rodata
+.LC0:
+	.string	"Welcome to the secure program loader."
+.LC1:
+	.string	"Please enter second stage load address."
+.LC2:
+	.string	"Please enter the second stage program."
+.LC3:
+	.string	"Please enter program signature."
+.LC4:
+	.string	"Signature valid, executing payload"
+.LC5:
+	.string	"ACCESS GRANTED"
+.LC6:
+	.string	"ACCESS DENIED"
+.LC7:
+	.string	"Incorrect signature, continuing"
+.LC8:
+	.string	"Load address outside allowed range of 0x8000-0xF000"
+	.section	.init9,"ax",@progbits
+	.p2align 1,0
+.global	main
+	.type	main,@function
+/***********************
+ * Function `main'
+ ***********************/
+main:
+	mov	sp, r4	 ; ,
+	add	#2, r4	 ; ,
+	add	#llo(-324), sp	 ; ,
+	mov	#.LC0, r15	 ; ,
+	call	#puts	 ;
+.L7:
+	mov	#.LC1, r15	 ; ,
+	call	#puts	 ;
+	mov	#2, r14	 ; ,
+	mov	r4, r15	 ; ,
+	add	#llo(-326), r15	 ; ,
+	call	#getsn	 ;
+	mov	#.LC2, r15	 ; ,
+	call	#puts	 ;
+	mov	r4, r15	 ; , tmp34
+	add	#llo(-259), r15	 ; , tmp34
+	mov	#257, r14	 ; , tmp36
+	mov	r14, r13	 ;  tmp36,
+	mov	#0, r14	 ; ,
+	call	#memset	 ;
+	mov	r4, r15	 ; , tmp38
+	add	#llo(-259), r15	 ; , tmp38
+	mov	#256, r14	 ; ,
+	call	#getsn	 ;
+	mov	#.LC3, r15	 ; ,
+	call	#puts	 ;
+	mov	r4, r15	 ; , tmp39
+	add	#llo(-324), r15	 ; , tmp39
+	mov	#65, r14	 ; , tmp41
+	mov	r14, r13	 ;  tmp41,
+	mov	#0, r14	 ; ,
+	call	#memset	 ;
+	mov	r4, r15	 ; , tmp43
+	add	#llo(-324), r15	 ; , tmp43
+	mov	#64, r14	 ; ,
+	call	#getsn	 ;
+	mov	-326(r4), r15	 ;  loadaddr, loadaddr.0
+	cmp	#0, r15	 ; , loadaddr.1
+	jge	.L2	 ;
+	mov	-326(r4), r15	 ;  loadaddr, loadaddr.2
+	cmp	#llo(-4095), r15	 ; , loadaddr.3
+	jhs	.L2	 ;
+	mov	-326(r4), r15	 ;  loadaddr, loadaddr.4
+	mov	r4, r14	 ; , tmp44
+	add	#llo(-259), r14	 ; , tmp44
+	mov	#256, r13	 ; , tmp47
+	call	#memcpy	 ;
+	mov	-326(r4), r15	 ;  loadaddr, loadaddr.5
+	mov	r4, r14	 ; , tmp49
+	add	#llo(-324), r14	 ; , tmp49
+	mov	r14, r12	 ;  tmp49,
+	mov	#256, r13	 ; ,
+	mov	r15, r14	 ;  loadaddr.5,
+	mov	#9216, r15	 ; ,
+	call	#verify_ed25519	 ;
+	cmp	#1, r15	 ; , D.1328
+	jne	.L3	 ;
+	mov	#.LC4, r15	 ; ,
+	call	#puts	 ;
+	mov	-326(r4), r15	 ;  loadaddr, loadaddr.6
+	call	r15	 ;  loadaddr.6
+	cmp	#0, r15	 ; , D.1332
+	jeq	.L4	 ;
+	mov	#.LC5, r15	 ; ,
+	call	#puts	 ;
+	push	#0	 ;
+	push	#0	 ;
+	push	#127	 ;
+	call	#INT	 ;
+	add	#6, sp	 ; ,
+	mov	#0, r15	 ; ,
+	call	#exit	 ;
+.L4:
+	mov	#.LC6, r15	 ; ,
+	call	#puts	 ;
+	jmp	.L6	 ;
+.L3:
+	mov	#.LC7, r15	 ; ,
+	call	#puts	 ;
+	jmp	.L6	 ;
+.L2:
+	mov	#.LC8, r15	 ; ,
+	call	#puts	 ;
+	jmp	.L7	 ;
+.L6:
+	jmp	.L7	 ;
+.LIRD0:
+.Lfe1:
+	.size	main,.Lfe1-main
+;; End of function
+
+	.text
+	.p2align 1,0
+.global	INT
+	.type	INT,@function
+/***********************
+ * Function `INT'
+ ***********************/
+INT:
+	push	r4	 ;
+	mov	sp, r4	 ; ,
+	add	#2, r4	 ; ,
+	pop	r4	 ;
+	ret
+.Lfe2:
+	.size	INT,.Lfe2-INT
+;; End of function
+
+	.p2align 1,0
+.global	verify_ed25519
+	.type	verify_ed25519,@function
+/***********************
+ * Function `verify_ed25519'
+ ***********************/
+verify_ed25519:
+	push	r4	 ;
+	mov	sp, r4	 ; ,
+	add	#2, r4	 ; ,
+	add	#llo(-10), sp	 ; ,
+	mov	r15, -10(r4)	 ;  ed25519_pubkey, ed25519_pubkey
+	mov	r14, -8(r4)	 ;  buf, buf
+	mov	r13, -6(r4)	 ;  size, size
+	mov	r12, -4(r4)	 ;  signature, signature
+	mov	#0, -12(r4)	 ; , result
+	mov	#llo(-12), r15	 ; ,
+	add	r4, r15	 ; ,
+	push	r15	 ;
+	push	-4(r4)	 ;  signature
+	push	-6(r4)	 ;  size
+	push	-8(r4)	 ;  buf
+	push	-10(r4)	 ;  ed25519_pubkey
+	push	#51	 ;
+	call	#INT	 ;
+	add	#12, sp	 ; ,
+	mov	-12(r4), r15	 ;  result, D.1316
+	add	#10, sp	 ; ,
+	pop	r4	 ;
+	ret
+.Lfe3:
+	.size	verify_ed25519,.Lfe3-verify_ed25519
+;; End of function
+
+	.p2align 1,0
+.global	getsn
+	.type	getsn,@function
+/***********************
+ * Function `getsn'
+ ***********************/
+getsn:
+	push	r4	 ;
+	mov	sp, r4	 ; ,
+	add	#2, r4	 ; ,
+	sub	#4, sp	 ; ,
+	mov	r15, -6(r4)	 ;  buf, buf
+	mov	r14, -4(r4)	 ;  length, length
+	push	-4(r4)	 ;  length
+	push	-6(r4)	 ;  buf
+	push	#2	 ;
+	call	#INT	 ;
+	add	#6, sp	 ; ,
+	add	#4, sp	 ; ,
+	pop	r4	 ;
+	ret
+.Lfe4:
+	.size	getsn,.Lfe4-getsn
+;; End of function
+
+	.p2align 1,0
+.global	putchar
+	.type	putchar,@function
+/***********************
+ * Function `putchar'
+ ***********************/
+putchar:
+	push	r4	 ;
+	mov	sp, r4	 ; ,
+	add	#2, r4	 ; ,
+	sub	#2, sp	 ; ,
+	mov	r15, -4(r4)	 ;  c, c
+	push	-4(r4)	 ;  c
+	push	#0	 ;
+	call	#INT	 ;
+	add	#4, sp	 ; ,
+	add	#2, sp	 ; ,
+	pop	r4	 ;
+	ret
+.Lfe5:
+	.size	putchar,.Lfe5-putchar
+;; End of function
+
+	.p2align 1,0
+.global	puts
+	.type	puts,@function
+/***********************
+ * Function `puts'
+ ***********************/
+puts:
+	push	r4	 ;
+	mov	sp, r4	 ; ,
+	add	#2, r4	 ; ,
+	sub	#4, sp	 ; ,
+	mov	r15, -4(r4)	 ;  str, str
+	jmp	.L13	 ;
+.L14:
+	add	#1, -4(r4)	 ; , str
+	mov.b	-6(r4), r15	 ;  c, D.1313
+	sxt	r15	 ;  D.1313
+	call	#putchar	 ;
+.L13:
+	mov	-4(r4), r15	 ;  str, tmp27
+	mov.b	@r15, -6(r4)	 ;  *str_1, c
+	cmp.b	#0, -6(r4)	 ; , c
+	jne	.L14	 ;
+	mov	#10, r15	 ; ,
+	call	#putchar	 ;
+	mov	#0, r15	 ; , D.1314
+	add	#4, sp	 ; ,
+	pop	r4	 ;
+	ret
+.Lfe6:
+	.size	puts,.Lfe6-puts
+;; End of function

21-Cold Lake/coldlake.txt

@@ -0,0 +1,439 @@
+Hex:
+   :10 4400 00 55425C0135D0085A8245202431400044 91
+   :10 4410 00 3F4020000F930824924220245C012F83 08
+   :10 4420 00 9F4F80470024F8233F4000000F930724 4C
+   :10 4430 00 924220245C011F83CF432024F9233150 72
+   :10 4440 00 BCFE3F405646B012BA45814300003F40 93
+   :10 4450 00 7C46B012BA452E430F41B0129C453F40 F6
+   :10 4460 00 A446B012BA453D4001010E430F413F50 F2
+   :10 4470 00 4300B012EA453E4000010F413F504300 67
+   :10 4480 00 B0129C453F40CB46B012BA453D404100 7A
+   :10 4490 00 0E430F412F53B012EA453E4040000F41 FA
+   :10 44A0 00 2F53B0129C452F410F9303343F9001F0 DE
+   :10 44B0 00 05283F40EB46B012BA45C73F3D400001 DA
+   :10 44C0 00 0E413E504300B012D8450C412C533D40 A4
+   :10 44D0 00 00012E413F400024B01268451F930524 7F
+   :10 44E0 00 3F401F47B012BA45B03F3F403F47B012 70
+   :10 44F0 00 BA45911202000F930F243F406247B012 59
+   :10 4500 00 BA450312031230127F00B0122C450F43 3C
+   :10 4510 00 31504A01304022453F407147B012BA45 00
+   :10 4520 00 943F32D0F000FD3F304054461F410200 1E
+   :10 4530 00 02124F4F8F103FD00080024FB0121000 78
+   :10 4540 00 324130410D120E120F1230123000B012 F3
+   :10 4550 00 2C45315230410D120E120F1230123100 23
+   :10 4560 00 B0122C45315230410B12041204412452 36
+   :10 4570 00 21838443FAFF3B40FAFF0B540B120C12 C9
+   :10 4580 00 0D120E120F1230123300B0122C451F44 C0
+   :10 4590 00 FAFF31500E0034413B4130410E120F12 F0
+   :10 45A0 00 2312B0122C453150060030418F110F12 EA
+   :10 45B0 00 0312B0122C45215230410B120B4F033C 19
+   :10 45C0 00 1B53B012AC456F4B4F93FA237F400A00 48
+   :10 45D0 00 B012AC453B4130410C4F043CFC4E0000 56
+   :10 45E0 00 1C533D530D93FA2330410B120A120912 4A
+   :10 45F0 00 08123D900600092C0C4F043CCC4E0000 E4
+   :10 4600 00 1C533D530D93FA23203C4E4E4B4E0B93 BF
+   :10 4610 00 03240C4B8C100BDC1FB306243D53CF4E F0
+   :10 4620 00 0000094F1953013C094F0C4D12C30C10 E7
+   :10 4630 00 0A49084C8A4B00002A533853FB230C5C 70
+   :10 4640 00 0C591DF30224CC4E0000384139413A41 47
+   :06 4650 00 3B4130410013                     64
+   :10 4656 00 57656C636F6D6520746F207468652073 91
+   :10 4666 00 65637572652070726F6772616D206C6F 1D
+   :10 4676 00 616465722E00506C6561736520656E74 A9
+   :10 4686 00 6572207365636F6E6420737461676520 5D
+   :10 4696 00 6C6F616420616464726573732E00506C 84
+   :10 46A6 00 6561736520656E746572207468652073 34
+   :10 46B6 00 65636F6E642073746167652070726F67 DF
+   :10 46C6 00 72616D2E00506C6561736520656E7465 50
+   :10 46D6 00 722070726F6772616D207369676E6174 A4
+   :10 46E6 00 7572652E004C6F616420616464726573 37
+   :10 46F6 00 73206F75747369646520616C6C6F7765 80
+   :10 4706 00 642072616E6765206F66203078383030 BD
+   :10 4716 00 302D30784630303000496E636F727265 E6
+   :10 4726 00 6374207369676E61747572652C20636F 9C
+   :10 4736 00 6E74696E75696E67005369676E617475 2C
+   :10 4746 00 72652076616C69642C20657865637574 82
+   :10 4756 00 696E67207061796C6F61640041434345 FF
+   :10 4766 00 5353204752414E544544004143434553 19
+   :0A 4776 00 532044454E4945440000             1D
+   :10 4780 00 B6458AAE646E18722450B46348F3A09B 99
+   :10 4790 00 4BE01A9E69EDC9516A0752CC17D27D6F 62
+   :10 FF80 00 28452845284528452845284528452845 09
+   :10 FF90 00 28452845284528452845284528450044 22
+   :04 0000 03 00004400                         B5
+   :00 0000 01                                  FF
+
+Obj:
+0010 <__trap_interrupt>
+0010:  3041           ret
+4400 <__watchdog_support>
+4400:  5542 5c01      mov.b	&0x015c, r5
+4404:  35d0 085a      bis	#0x5a08, r5
+4408:  8245 2024      mov	r5, &0x2420
+440c <__init_stack>
+440c:  3140 0044      mov	#0x4400 <__watchdog_support>, sp
+4410 <__do_copy_data>
+4410:  3f40 2000      mov	#0x20, r15
+4414:  0f93           tst	r15
+4416:  0824           jz	#0x4428 <__do_clear_bss+0x0>
+4418:  9242 2024 5c01 mov	&0x2420, &0x015c
+441e:  2f83           decd	r15
+4420:  9f4f 8047 0024 mov	0x4780(r15), 0x2400(r15)
+4426:  f823           jnz	#0x4418 <__do_copy_data+0x8>
+4428 <__do_clear_bss>
+4428:  3f40 0000      clr	r15
+442c:  0f93           tst	r15
+442e:  0724           jz	#0x443e <main+0x0>
+4430:  9242 2024 5c01 mov	&0x2420, &0x015c
+4436:  1f83           dec	r15
+4438:  cf43 2024      mov.b	#0x0, 0x2420(r15)
+443c:  f923           jnz	#0x4430 <__do_clear_bss+0x8>
+
+443e <main>
+; [loadaddr: 2 B][signature: 0x40 B][payload: 0x100 B]
+; void * loadaddr = 0    // >=> sp
+; char   signature[0x41] // >=> sp+2
+; short  payload[0x101]  // >=> sp+0x43
+443e:  3150 bcfe      add	#0xfebc, sp
+
+; puts ("Welcome to the secure program loader.")
+4442:  3f40 5646      mov	#0x4656 "Welcome to the secure program loader.", r15
+4446:  b012 ba45      call	#0x45ba <puts>
+                  loop:
+; void * loadaddr = 0 // >=> sp
+444a:  8143 0000      clr	0x0(sp)
+
+; puts ("Please enter second stage load address.")
+444e:  3f40 7c46      mov	#0x467c "Please enter second stage load address.", r15
+4452:  b012 ba45      call	#0x45ba <puts>
+
+; getsn (&loadaddr, 2)
+4456:  2e43           mov	#0x2, r14
+4458:  0f41           mov	sp, r15
+445a:  b012 9c45      call	#0x459c <getsn>
+
+; puts ("Please enter the second stage program.")
+445e:  3f40 a446      mov	#0x46a4 "Please enter the second stage program.", r15
+4462:  b012 ba45      call	#0x45ba <puts>
+
+; short payload[0x101] // >=> sp+0x43
+; memset (&payload /*sp+0x43*/, 0, 0x101)
+4466:  3d40 0101      mov	#0x101, r13
+446a:  0e43           clr	r14
+446c:  0f41           mov	sp, r15
+446e:  3f50 4300      add	#0x43, r15
+4472:  b012 ea45      call	#0x45ea <memset>
+
+; getsn (&payload /*sp+0x43*/, 0x100) // get 100 bytes into sp+0x43
+4476:  3e40 0001      mov	#0x100, r14
+447a:  0f41           mov	sp, r15
+447c:  3f50 4300      add	#0x43, r15
+4480:  b012 9c45      call	#0x459c <getsn>
+
+; puts ("Please enter program signature.")
+4484:  3f40 cb46      mov	#0x46cb "Please enter program signature.", r15
+4488:  b012 ba45      call	#0x45ba <puts>
+
+; char signature[0x41] = sp+2
+; memset(&signature /* sp+2 */, 0, 0x41)
+448c:  3d40 4100      mov	#0x41, r13
+4490:  0e43           clr	r14
+4492:  0f41           mov	sp, r15
+4494:  2f53           incd	r15
+4496:  b012 ea45      call	#0x45ea <memset>
+
+; getsn (signature /* sp+2 */, 0x40)
+449a:  3e40 4000      mov	#0x40, r14
+449e:  0f41           mov	sp, r15
+44a0:  2f53           incd	r15
+44a2:  b012 9c45      call	#0x459c <getsn>
+
+; if (loadaddr & 0x8000 && loadaddr < 0xf001)
+44a6:  2f41           mov	@sp, r15
+44a8:  0f93           tst	r15
+44aa:  0334           jge	#0x44b2 <main+0x74> <else_44b2>
+44ac:  3f90 01f0      cmp	#0xf001, r15
+44b0:  0528           jnc	#0x44bc <main+0x7e> <if_44ba>
+                  else_44b2:
+; puts ("Load address outside allowed range of 0x8000-0xF000")
+44b2:  3f40 eb46      mov	#0x46eb "Load address outside allowed range of 0x8000-0xF000", r15
+44b6:  b012 ba45      call	#0x45ba <puts>
+; goto loop
+44ba:  c73f           jmp	#0x444a <main+0xc>
+                  if_44ba:
+; memcpy (loadaddr, &payload, 0x100)
+44bc:  3d40 0001      mov	#0x100, r13
+44c0:  0e41           mov	sp, r14
+44c2:  3e50 4300      add	#0x43, r14
+44c6:  b012 d845      call	#0x45d8 <memcpy>
+
+; verify_ed25519 (0x2400, &*load_address, 0x100, signature)
+44ca:  0c41           mov	sp, r12
+44cc:  2c53           incd	r12
+44ce:  3d40 0001      mov	#0x100, r13
+44d2:  2e41           mov	@sp, r14
+44d4:  3f40 0024      mov	#0x2400, r15
+44d8:  b012 6845      call	#0x4568 <verify_ed25519>
+; if ( ^^ ) goto if@44ea
+44dc:  1f93           cmp	#0x1, r15
+44de:  0524           jeq	#0x44ea <main+0xac>
+else@44e0:
+; puts ("Incorrect signature, continuing")
+44e0:  3f40 1f47      mov	#0x471f "Incorrect signature, continuing", r15
+44e4:  b012 ba45      call	#0x45ba <puts>
+; end of loop
+44e8:  b03f           jmp	#0x444a <main+0xc>
+if@44ea:
+; puts ("Signature valid, executing payload")
+44ea:  3f40 3f47      mov	#0x473f "Signature valid, executing payload", r15
+44ee:  b012 ba45      call	#0x45ba <puts>
+; loadaddr()
+44f2:  9112 0200      call	0x2(sp)
+; if (r15 == 0) goto ACCESS_DENIED
+44f6:  0f93           tst	r15
+44f8:  0f24           jz	#0x4518 <main+0xda>
+; puts ("ACCESS GRANTED")
+44fa:  3f40 6247      mov	#0x4762 "ACCESS GRANTED", r15
+44fe:  b012 ba45      call	#0x45ba <puts>
+; INT(7f, 0, 0)
+4502:  0312           push	#0x0
+4504:  0312           push	#0x0
+4506:  3012 7f00      push	#0x7f
+450a:  b012 2c45      call	#0x452c <INT>
+; exit (0)
+450e:  0f43           clr	r15
+4510:  3150 4a01      add	#0x14a, sp
+4514:  3040 2245      br	#0x4522 <__stop_progExec__>
+                  ACCESS_DENIED:
+; puts ("ACCESS DENIED")
+4518:  3f40 7147      mov	#0x4771 "ACCESS DENIED", r15
+451c:  b012 ba45      call	#0x45ba <puts>
+; goto loop
+4520:  943f           jmp	#0x444a <main+0xc> <loop>
+;; end main
+
+4522 <__stop_progExec__>
+4522:  32d0 f000      bis	#0xf0, sr
+4526:  fd3f           jmp	#0x4522 <__stop_progExec__+0x0>
+4528 <__ctors_end>
+4528:  3040 5446      br	#0x4654 <_unexpected_>
+452c <INT>
+452c:  1f41 0200      mov	0x2(sp), r15
+4530:  0212           push	sr
+4532:  4f4f           mov.b	r15, r15
+4534:  8f10           swpb	r15
+4536:  3fd0 0080      bis	#0x8000, r15
+453a:  024f           mov	r15, sr
+453c:  b012 1000      call	#0x10
+4540:  3241           pop	sr
+4542:  3041           ret
+
+4544 <sha1>
+4544:  0d12           push	r13
+4546:  0e12           push	r14
+4548:  0f12           push	r15
+454a:  3012 3000      push	#0x30
+454e:  b012 2c45      call	#0x452c <INT>
+4552:  3152           add	#0x8, sp
+4554:  3041           ret
+4556 <sha256>
+4556:  0d12           push	r13
+4558:  0e12           push	r14
+455a:  0f12           push	r15
+455c:  3012 3100      push	#0x31
+4560:  b012 2c45      call	#0x452c <INT>
+4564:  3152           add	#0x8, sp
+4566:  3041           ret
+
+4568 <verify_ed25519>
+; int verify_ed25519(char * pubkey, void * load_address, size_t size, char * signature) { ...
+4568:  0b12           push	r11
+456a:  0412           push	r4
+; size_t result = 0; >=> sp+4
+456c:  0441           mov	sp, r4
+456e:  2452           add	#0x4, r4
+4570:  2183           decd	sp
+4572:  8443 faff      clr	-0x6(r4)
+4576:  3b40 faff      mov	#0xfffa, r11
+457a:  0b54           add	r4, r11
+; INT (pubkey, load_address, size, signature, stack_pointer);
+4576:  3b40 faff      mov	#0xfffa, r11
+457a:  0b54           add	r4, r11
+457c:  0b12           push	r11
+457e:  0c12           push	r12
+4580:  0d12           push	r13
+4582:  0e12           push	r14
+4584:  0f12           push	r15
+4586:  3012 3300      push	#0x33
+458a:  b012 2c45      call	#0x452c <INT>
+; return result;
+458e:  1f44 faff      mov	-0x6(r4), r15
+4592:  3150 0e00      add	#0xe, sp
+4596:  3441           pop	r4
+4598:  3b41           pop	r11
+459a:  3041           ret
+
+459c <getsn>
+459c:  0e12           push	r14
+459e:  0f12           push	r15
+45a0:  2312           push	#0x2
+45a2:  b012 2c45      call	#0x452c <INT>
+45a6:  3150 0600      add	#0x6, sp
+45aa:  3041           ret
+
+45ac <putchar> ; int putchar (int char);
+45ac:  8f11           sxt	r15
+45ae:  0f12           push	r15
+45b0:  0312           push	#0x0
+45b2:  b012 2c45      call	#0x452c <INT>
+45b6:  2152           add	#0x4, sp
+45b8:  3041           ret
+
+45ba <puts> ; void puts (char *str);
+45ba:  0b12           push	r11
+; char c;
+45bc:  0b4f           mov	r15, r11
+45be:  033c           jmp	#0x45c6 <puts+0xc>
+; str++            v
+45c0:  1b53           inc	r11
+; putchar()
+45c2:  b012 ac45      call	#0x45ac <putchar>
+; while (c = *str) ^
+45c6:  6f4b           mov.b	@r11, r15
+45c8:  4f93           tst.b	r15
+45ca:  fa23           jnz	#0x45c0 <puts+0x6>
+; putchar ('\n');
+45cc:  7f40 0a00      mov.b	#0xa, r15
+45d0:  b012 ac45      call	#0x45ac <putchar>
+; return (implicit)
+45d4:  3b41           pop	r11
+45d6:  3041           ret
+
+45d8 <memcpy>
+45d8:  0c4f           mov	r15, r12
+45da:  043c           jmp	#0x45e4 <memcpy+0xc>
+45dc:  fc4e 0000      mov.b	@r14+, 0x0(r12)
+45e0:  1c53           inc	r12
+45e2:  3d53           add	#-0x1, r13
+45e4:  0d93           tst	r13
+45e6:  fa23           jnz	#0x45dc <memcpy+0x4>
+45e8:  3041           ret
+45ea <memset>
+45ea:  0b12           push	r11
+45ec:  0a12           push	r10
+45ee:  0912           push	r9
+45f0:  0812           push	r8
+45f2:  3d90 0600      cmp	#0x6, r13
+45f6:  092c           jc	#0x460a <memset+0x20>
+45f8:  0c4f           mov	r15, r12
+45fa:  043c           jmp	#0x4604 <memset+0x1a>
+45fc:  cc4e 0000      mov.b	r14, 0x0(r12)
+4600:  1c53           inc	r12
+4602:  3d53           add	#-0x1, r13
+4604:  0d93           tst	r13
+4606:  fa23           jnz	#0x45fc <memset+0x12>
+4608:  203c           jmp	#0x464a <memset+0x60>
+460a:  4e4e           mov.b	r14, r14
+460c:  4b4e           mov.b	r14, r11
+460e:  0b93           tst	r11
+4610:  0324           jz	#0x4618 <memset+0x2e>
+4612:  0c4b           mov	r11, r12
+4614:  8c10           swpb	r12
+4616:  0bdc           bis	r12, r11
+4618:  1fb3           bit	#0x1, r15
+461a:  0624           jz	#0x4628 <memset+0x3e>
+461c:  3d53           add	#-0x1, r13
+461e:  cf4e 0000      mov.b	r14, 0x0(r15)
+4622:  094f           mov	r15, r9
+4624:  1953           inc	r9
+4626:  013c           jmp	#0x462a <memset+0x40>
+4628:  094f           mov	r15, r9
+462a:  0c4d           mov	r13, r12
+462c:  12c3           clrc
+462e:  0c10           rrc	r12
+4630:  0a49           mov	r9, r10
+4632:  084c           mov	r12, r8
+4634:  8a4b 0000      mov	r11, 0x0(r10)
+4638:  2a53           incd	r10
+463a:  3853           add	#-0x1, r8
+463c:  fb23           jnz	#0x4634 <memset+0x4a>
+463e:  0c5c           add	r12, r12
+4640:  0c59           add	r9, r12
+4642:  1df3           and	#0x1, r13
+4644:  0224           jz	#0x464a <memset+0x60>
+4646:  cc4e 0000      mov.b	r14, 0x0(r12)
+464a:  3841           pop	r8
+464c:  3941           pop	r9
+464e:  3a41           pop	r10
+4650:  3b41           pop	r11
+4652:  3041           ret
+4654 <_unexpected_>
+4654:  0013           reti	pc
+4656 .strings:
+4656: "Welcome to the secure program loader."
+467c: "Please enter second stage load address."
+46a4: "Please enter the second stage program."
+46cb: "Please enter program signature."
+46eb: "Load address outside allowed range of 0x8000-0xF000"
+471f: "Incorrect signature, continuing"
+473f: "Signature valid, executing payload"
+4762: "ACCESS GRANTED"
+4771: "ACCESS DENIED"
+
+Text:
+   Lockitall                                              LOCKIT 2 r A.01
+   ______________________________________________________________________
+
+                 User Manual: Lockitall LockIT 2, rev a.01
+   ______________________________________________________________________
+
+
+   OVERVIEW
+
+       - Lockitall is under new management.
+       - The lock has been put together from bits of leftover scrap from
+         the old factory.
+
+
+   DETAILS
+
+       The LockIT 2 A.02  is the second of a new series  of locks.  It is
+       controlled by a  MSP430 microcontroller. The MSP430 is a very low-
+       power device, chosen because we found several crates of old stock.
+
+       This lock only accepts biometric and NFC inputs, and does not have
+       a traditional password prompt.
+
+       To support rapid  development cycles  this lock  accepts a program
+       from the old password input prompt. The program must be signed  by
+       Lockitall,  so  engineering  aren't  concerned  it  will  be  used
+       maliciously. There are two programs, one of which is below  in hex
+       format  and  is used in the factory to test proper lock operation.
+       The  other  program,  not  reproduced here, is restricted and only
+       available internally at Lockitall.
+
+       Load address:
+       8000
+
+       Program text:
+       3540088000450545054505450545054505450f433041
+
+       Signature:
+       8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5
+       639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f
+
+       This is Hardware Version Beta.
+
+       This is Software Revision 02.
+
+
+
+   (c) 2021 LOCKITALL                                            Page 1/1
+
+
+Prereqs: "Vancouver",
+Name: "Cold Lake",
+X: 135,
+Y: 140,
+Rating: 20,
+Patch: ""

21-Cold Lake/initial-notes.md

@@ -0,0 +1,65 @@
+
+## load_address:
+
+    8000: BE
+     vv
+    0080: LE
+
+
+## program_text:
+
+text:
+
+    35400880 0045 0545 0545 0545 0545 0545 0545 0f43 3041
+
+disassembly:
+```c
+asm (msp430) : 8000
+3540 0880      mov	#0x8008, r5
+0045           br	r5          ; uncond branch to #8008
+0545           nop
+0545           nop
+0545           nop
+0545           nop
+0545           nop
+0545           nop
+0f43           clr	r15
+3041           ret
+
+```
+## Signature:
+8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f
+
+## public key?
+
+`b6458aae646e18722450b46348f3a09b4be01a9e69edc9516a0752cc17d27d6f`: Nope
+
+b645 8aae 646e 1872 2450 b463 48f3 a09b 4be0 1a9e 69ed c951 6a07 52cc 17d2 7d6f ?
+
+45b6 ae8a 6e64 7218 5024 63b4 48f3 9ba0 e04b 9e1a ed69 51c9 076a cc52 d217 6fd7 ?
+
+`45b6ae8a6e647218502463b448f39ba0e04b9e1aed6951c9076acc52d2176fd7`: Nope
+
+
+# Solution:
+
+```c
+if ((int)loadaddr & 0x8000 && (int)loadaddr < 0xf001) {
+   // Here, it copies the payload
+   memcpy ((void *)loadaddr, &payload, 0x100);
+   // Then, it verifies the signature
+   if (verify_ed25519 ((char *)0x2400, loadaddr, 0x100, signature) == 1) {
+      puts ("Signature valid, executing payload");
+```
+| Cycle | Loadaddr | Payload  | Signature |
+|-------|----------|----------|-----------|
+| 1     | 0880     | 30400245 | 00        |
+| 2     | 0090     | 35400880 0045 0545 0545 0545 0545 0545 0545 0f43 3041 | 8605 e027 f423 68ea 6bba 9de6 6409 f6a8 dded cd49 614a 4648 281c 47a7 b4ad 252f 5639 069b 17ba 8ff1 04d3 71e2 d8a6 25b0 38f0 7506 6736 4087 e798 7e40 ea81 510f |
+
+    0880
+    30400245
+    00
+
+    0090
+    3540088000450545054505450545054505450f433041
+    8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f

21-Cold Lake/manual.txt

@@ -0,0 +1,47 @@
+Lockitall                                              LOCKIT 2 r A.01
+______________________________________________________________________
+
+              User Manual: Lockitall LockIT 2, rev a.01
+______________________________________________________________________
+
+
+OVERVIEW
+
+    - Lockitall is under new management.
+    - The lock has been put together from bits of leftover scrap from
+      the old factory.
+
+
+DETAILS
+
+    The LockIT 2 A.02  is the second of a new series  of locks.  It is
+    controlled by a  MSP430 microcontroller. The MSP430 is a very low-
+    power device, chosen because we found several crates of old stock.
+
+    This lock only accepts biometric and NFC inputs, and does not have
+    a traditional password prompt.
+
+    To support rapid  development cycles  this lock  accepts a program
+    from the old password input prompt. The program must be signed  by
+    Lockitall,  so  engineering  aren't  concerned  it  will  be  used
+    maliciously. There are two programs, one of which is below  in hex
+    format  and  is used in the factory to test proper lock operation.
+    The  other  program,  not  reproduced here, is restricted and only
+    available internally at Lockitall.
+
+    Load address:
+    8000
+
+    Program text:
+    3540088000450545054505450545054505450f433041
+
+    Signature:
+    8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f
+
+    This is Hardware Version Beta.
+
+    This is Software Revision 02.
+
+
+
+(c) 2021 LOCKITALL                                            Page 1/1

readme.md

@@ -31,3 +31,12 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som
     Lagos
 ### 2022 Jul 31 PM - 2022 Sep 2 AM:
     Chernobyl
+
+### 2022 Dec 4  PM:
+    Vancouver
+
+### 2022 Dec 4  PM - 2022 Dec 11 PM:
+    Cold Lake
+
+### 2022 Dec 11 PM - Ongoing:
+    Churchill