Hex: :10 4400 00 55425C0135D0085A8245202431400044 91 :10 4410 00 3F4020000F930824924220245C012F83 08 :10 4420 00 9F4F80470024F8233F4000000F930724 4C :10 4430 00 924220245C011F83CF432024F9233150 72 :10 4440 00 BCFE3F405646B012BA45814300003F40 93 :10 4450 00 7C46B012BA452E430F41B0129C453F40 F6 :10 4460 00 A446B012BA453D4001010E430F413F50 F2 :10 4470 00 4300B012EA453E4000010F413F504300 67 :10 4480 00 B0129C453F40CB46B012BA453D404100 7A :10 4490 00 0E430F412F53B012EA453E4040000F41 FA :10 44A0 00 2F53B0129C452F410F9303343F9001F0 DE :10 44B0 00 05283F40EB46B012BA45C73F3D400001 DA :10 44C0 00 0E413E504300B012D8450C412C533D40 A4 :10 44D0 00 00012E413F400024B01268451F930524 7F :10 44E0 00 3F401F47B012BA45B03F3F403F47B012 70 :10 44F0 00 BA45911202000F930F243F406247B012 59 :10 4500 00 BA450312031230127F00B0122C450F43 3C :10 4510 00 31504A01304022453F407147B012BA45 00 :10 4520 00 943F32D0F000FD3F304054461F410200 1E :10 4530 00 02124F4F8F103FD00080024FB0121000 78 :10 4540 00 324130410D120E120F1230123000B012 F3 :10 4550 00 2C45315230410D120E120F1230123100 23 :10 4560 00 B0122C45315230410B12041204412452 36 :10 4570 00 21838443FAFF3B40FAFF0B540B120C12 C9 :10 4580 00 0D120E120F1230123300B0122C451F44 C0 :10 4590 00 FAFF31500E0034413B4130410E120F12 F0 :10 45A0 00 2312B0122C453150060030418F110F12 EA :10 45B0 00 0312B0122C45215230410B120B4F033C 19 :10 45C0 00 1B53B012AC456F4B4F93FA237F400A00 48 :10 45D0 00 B012AC453B4130410C4F043CFC4E0000 56 :10 45E0 00 1C533D530D93FA2330410B120A120912 4A :10 45F0 00 08123D900600092C0C4F043CCC4E0000 E4 :10 4600 00 1C533D530D93FA23203C4E4E4B4E0B93 BF :10 4610 00 03240C4B8C100BDC1FB306243D53CF4E F0 :10 4620 00 0000094F1953013C094F0C4D12C30C10 E7 :10 4630 00 0A49084C8A4B00002A533853FB230C5C 70 :10 4640 00 0C591DF30224CC4E0000384139413A41 47 :06 4650 00 3B4130410013 64 :10 4656 00 57656C636F6D6520746F207468652073 91 :10 4666 00 65637572652070726F6772616D206C6F 1D :10 4676 00 616465722E00506C6561736520656E74 A9 :10 4686 00 6572207365636F6E6420737461676520 
5D :10 4696 00 6C6F616420616464726573732E00506C 84 :10 46A6 00 6561736520656E746572207468652073 34 :10 46B6 00 65636F6E642073746167652070726F67 DF :10 46C6 00 72616D2E00506C6561736520656E7465 50 :10 46D6 00 722070726F6772616D207369676E6174 A4 :10 46E6 00 7572652E004C6F616420616464726573 37 :10 46F6 00 73206F75747369646520616C6C6F7765 80 :10 4706 00 642072616E6765206F66203078383030 BD :10 4716 00 302D30784630303000496E636F727265 E6 :10 4726 00 6374207369676E61747572652C20636F 9C :10 4736 00 6E74696E75696E67005369676E617475 2C :10 4746 00 72652076616C69642C20657865637574 82 :10 4756 00 696E67207061796C6F61640041434345 FF :10 4766 00 5353204752414E544544004143434553 19 :0A 4776 00 532044454E4945440000 1D :10 4780 00 B6458AAE646E18722450B46348F3A09B 99 :10 4790 00 4BE01A9E69EDC9516A0752CC17D27D6F 62 :10 FF80 00 28452845284528452845284528452845 09 :10 FF90 00 28452845284528452845284528450044 22 :04 0000 03 00004400 B5 :00 0000 01 FF
Obj:
; Annotated MSP430 disassembly of the image above (address: opcode words, mnemonic).
; Start-up code runs from 0x4400 and falls through into the loader's main at 0x443e.

; Stub that only returns; the interrupt helper at 0x452c calls it after loading sr.
0010 <__trap_interrupt>
    0010: 3041 ret

; Reads the byte at 0x015c, ORs in 0x5a08 and keeps the result in 0x2420.
; NOTE(review): 0x015c is presumably the watchdog control register and 0x5a its
; write password - the label suggests it, the listing does not show it; confirm.
4400 <__watchdog_support>
    4400: 5542 5c01 mov.b &0x015c, r5
    4404: 35d0 085a bis #0x5a08, r5
    4408: 8245 2024 mov r5, &0x2420

; Stack starts at 0x4400 and grows down, i.e. directly below the code.
440c <__init_stack>
    440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp

; Copies 0x20 bytes, one word per pass and from the top down, from 0x4780.. to
; 0x2400... These are the 32 bytes of the :10 4780 / :10 4790 hex records; main
; later passes 0x2400 to verify_ed25519 as the public key.
4410 <__do_copy_data>
    4410: 3f40 2000 mov #0x20, r15                      ; r15 = bytes left to copy
    4414: 0f93 tst r15
    4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
    4418: 9242 2024 5c01 mov &0x2420, &0x015c           ; rewrite the value saved by __watchdog_support
    441e: 2f83 decd r15
    4420: 9f4f 8047 0024 mov 0x4780(r15), 0x2400(r15)
    4426: f823 jnz #0x4418 <__do_copy_data+0x8>

; The byte count loaded here is 0, so the jz at 442e is always taken and the
; clear loop (which would zero bytes from 0x2420 upward) never runs.
4428 <__do_clear_bss>
    4428: 3f40 0000 clr r15
    442c: 0f93 tst r15
    442e: 0724 jz #0x443e
    4430: 9242 2024 5c01 mov &0x2420, &0x015c
    4436: 1f83 dec r15
    4438: cf43 2024 mov.b #0x0, 0x2420(r15)
    443c: f923 jnz #0x4430 <__do_clear_bss+0x8>

; main (the secure program loader) starts here
443e
; main: prompts for a load address, a 0x100-byte second-stage program and a
; 0x40-byte signature; copies the program to the load address, verifies it and,
; if the signature is accepted, calls it.
;
; Stack frame (0x144 bytes, reserved by the add at 443e):
; [loadaddr: 2 B][signature: 0x40 B][payload: 0x100 B]
; void * loadaddr = 0   // >=> sp
; char signature[0x41]  // >=> sp+2     (0x40 bytes of input + 1 spare zeroed byte)
; char payload[0x101]   // >=> sp+0x43  (0x100 bytes of input + 1 spare zeroed byte)
; 2 + 0x41 + 0x101 = 0x144. payload is a byte array: the memset below clears
; 0x101 bytes, not 0x101 words.
    443e: 3150 bcfe add #0xfebc, sp                     ; sp -= 0x144
; puts ("Welcome to the secure program loader.")
    4442: 3f40 5646 mov #0x4656 "Welcome to the secure program loader.", r15
    4446: b012 ba45 call #0x45ba
loop:
; loadaddr = 0  // >=> sp
    444a: 8143 0000 clr 0x0(sp)
; puts ("Please enter second stage load address.")
    444e: 3f40 7c46 mov #0x467c "Please enter second stage load address.", r15
    4452: b012 ba45 call #0x45ba
; getsn (&loadaddr, 2)
    4456: 2e43 mov #0x2, r14
    4458: 0f41 mov sp, r15
    445a: b012 9c45 call #0x459c
; puts ("Please enter the second stage program.")
    445e: 3f40 a446 mov #0x46a4 "Please enter the second stage program.", r15
    4462: b012 ba45 call #0x45ba
; memset (&payload /*sp+0x43*/, 0, 0x101)
    4466: 3d40 0101 mov #0x101, r13
    446a: 0e43 clr r14
    446c: 0f41 mov sp, r15
    446e: 3f50 4300 add #0x43, r15
    4472: b012 ea45 call #0x45ea
; getsn (&payload /*sp+0x43*/, 0x100)  // read up to 0x100 bytes into sp+0x43
    4476: 3e40 0001 mov #0x100, r14
    447a: 0f41 mov sp, r15
    447c: 3f50 4300 add #0x43, r15
    4480: b012 9c45 call #0x459c
; puts ("Please enter program signature.")
    4484: 3f40 cb46 mov #0x46cb "Please enter program signature.", r15
    4488: b012 ba45 call #0x45ba
; memset (&signature /* sp+2 */, 0, 0x41)
    448c: 3d40 4100 mov #0x41, r13
    4490: 0e43 clr r14
    4492: 0f41 mov sp, r15
    4494: 2f53 incd r15
    4496: b012 ea45 call #0x45ea
; getsn (signature /* sp+2 */, 0x40)
    449a: 3e40 4000 mov #0x40, r14
    449e: 0f41 mov sp, r15
    44a0: 2f53 incd r15
    44a2: b012 9c45 call #0x459c
; if (loadaddr & 0x8000 && loadaddr < 0xf001)  -> copy and verify
; Only the start address is range-checked; the 0x100-byte copy below extends to
; loadaddr + 0xff.
    44a6: 2f41 mov @sp, r15                             ; r15 = loadaddr
    44a8: 0f93 tst r15
    44aa: 0334 jge #0x44b2                              ; bit 15 clear (< 0x8000) -> reject
    44ac: 3f90 01f0 cmp #0xf001, r15
    44b0: 0528 jnc #0x44bc                              ; unsigned r15 < 0xf001 -> accept
else_44b2:
; puts ("Load address outside allowed range of 0x8000-0xF000")
    44b2: 3f40 eb46 mov #0x46eb "Load address outside allowed range of 0x8000-0xF000", r15
    44b6: b012 ba45 call #0x45ba
; goto loop
    44ba: c73f jmp #0x444a
; (the label below is named after 44ba, but the jnc at 44b0 targets 44bc)
if_44ba:
; memcpy (loadaddr, &payload, 0x100)   // r15 still holds loadaddr from 44a6
; NOTE(review): the program is copied to loadaddr before it is verified, and the
; reject path at 44e0 leaves the copy in place. Verifying the staging buffer
; first, or clearing the destination on failure, is the more conservative order.
    44bc: 3d40 0001 mov #0x100, r13
    44c0: 0e41 mov sp, r14
    44c2: 3e50 4300 add #0x43, r14
    44c6: b012 d845 call #0x45d8
; verify_ed25519 (0x2400 /* key copied there by __do_copy_data */, loadaddr, 0x100, signature)
    44ca: 0c41 mov sp, r12
    44cc: 2c53 incd r12                                 ; r12 = &signature (sp+2)
    44ce: 3d40 0001 mov #0x100, r13
    44d2: 2e41 mov @sp, r14                             ; r14 = loadaddr: the copy is verified, not the staging buffer
    44d4: 3f40 0024 mov #0x2400, r15
    44d8: b012 6845 call #0x4568
; if (result == 1) goto if@44ea   // only the exact value 1 counts as valid
    44dc: 1f93 cmp #0x1, r15
    44de: 0524 jeq #0x44ea
else@44e0:
; puts ("Incorrect signature, continuing")
    44e0: 3f40 1f47 mov #0x471f "Incorrect signature, continuing", r15
    44e4: b012 ba45 call #0x45ba
; end of loop
    44e8: b03f jmp #0x444a
if@44ea:
; puts ("Signature valid, executing payload")
    44ea: 3f40 3f47 mov #0x473f "Signature valid, executing payload", r15
    44ee: b012 ba45 call #0x45ba
; loadaddr()
; NOTE(review): the operand is 0x2(sp), while the frame layout above puts
; loadaddr at 0x0(sp) and signature at sp+2. The annotation holds only if sp has
; already been decremented for the return address when the operand is read -
; confirm against the CPU/emulator documentation.
    44f2: 9112 0200 call 0x2(sp)
; if (r15 == 0) goto ACCESS_DENIED   // r15 is whatever the called program returned
    44f6: 0f93 tst r15
    44f8: 0f24 jz #0x4518
; puts ("ACCESS GRANTED")
    44fa: 3f40 6247 mov #0x4762 "ACCESS GRANTED", r15
    44fe: b012 ba45 call #0x45ba
; INT(7f, 0, 0)
    4502: 0312 push #0x0
    4504: 0312 push #0x0
    4506: 3012 7f00 push #0x7f
    450a: b012 2c45 call #0x452c
; exit (0)
    450e: 0f43 clr r15
    4510: 3150 4a01 add #0x14a, sp                      ; 0x144 frame + 6 bytes pushed for INT
    4514: 3040 2245 br #0x4522 <__stop_progExec__>
ACCESS_DENIED:
; puts ("ACCESS DENIED")
    4518: 3f40 7147 mov #0x4771 "ACCESS DENIED", r15
    451c: b012 ba45 call #0x45ba
; goto loop
    4520: 943f jmp #0x444a
;; end main

; Sets bits 0xf0 in sr and loops forever.
4522 <__stop_progExec__>
    4522: 32d0 f000 bis #0xf0, sr
    4526: fd3f jmp #0x4522 <__stop_progExec__+0x0>

4528 <__ctors_end>
    4528: 3040 5446 br #0x4654 <_unexpected_>

; INT (n, ...): interrupt helper used by every wrapper below. n is the word the
; caller pushed last; arguments stay on the caller's stack and the caller pops
; them. sr is saved, loaded with 0x8000 | (low byte of n) << 8, the ret-only
; stub at 0x0010 is called, and sr is restored.
; NOTE(review): presumably the platform services the request during that call;
; the listing does not show how.
452c
    452c: 1f41 0200 mov 0x2(sp), r15                    ; r15 = n (first word above the return address)
    4530: 0212 push sr
    4532: 4f4f mov.b r15, r15                           ; keep the low byte only
    4534: 8f10 swpb r15
    4536: 3fd0 0080 bis #0x8000, r15
    453a: 024f mov r15, sr
    453c: b012 1000 call #0x10
    4540: 3241 pop sr
    4542: 3041 ret

; INT (0x30, r15, r14, r13). No call to this address appears in the listing shown.
4544
    4544: 0d12 push r13
    4546: 0e12 push r14
    4548: 0f12 push r15
    454a: 3012 3000 push #0x30
    454e: b012 2c45 call #0x452c
    4552: 3152 add #0x8, sp
    4554: 3041 ret

; INT (0x31, r15, r14, r13). No call to this address appears in the listing shown.
4556
    4556: 0d12 push r13
    4558: 0e12 push r14
    455a: 0f12 push r15
    455c: 3012 3100 push #0x31
    4560: b012 2c45 call #0x452c
    4564: 3152 add #0x8, sp
    4566: 3041 ret

4568
; int verify_ed25519(char * pubkey, void * load_address, size_t size, char * signature) { ...
; In:  r15 = pubkey, r14 = load_address, r13 = size, r12 = signature
; Out: r15 = result word, cleared here before INT 0x33 and read back afterwards
; The check itself is delegated to INT 0x33; nothing in this listing implements it.
    4568: 0b12 push r11
    456a: 0412 push r4
; size_t result = 0;  // >=> -0x6(r4), the word reserved by decd sp (top of stack)
    456c: 0441 mov sp, r4
    456e: 2452 add #0x4, r4                             ; r4 = sp on entry
    4570: 2183 decd sp                                  ; reserve 2 bytes for result
    4572: 8443 faff clr -0x6(r4)
    4576: 3b40 faff mov #0xfffa, r11
    457a: 0b54 add r4, r11                              ; r11 = r4 - 6 = &result
; INT (0x33, pubkey, load_address, size, signature, &result);
; (the listing repeats addresses 4576/457a here: the same two instructions shown
; again, not a second copy in the binary)
    4576: 3b40 faff mov #0xfffa, r11
    457a: 0b54 add r4, r11
    457c: 0b12 push r11
    457e: 0c12 push r12
    4580: 0d12 push r13
    4582: 0e12 push r14
    4584: 0f12 push r15
    4586: 3012 3300 push #0x33
    458a: b012 2c45 call #0x452c
; return result;
    458e: 1f44 faff mov -0x6(r4), r15
    4592: 3150 0e00 add #0xe, sp                        ; 6 pushed words + the 2-byte local
    4596: 3441 pop r4
    4598: 3b41 pop r11
    459a: 3041 ret

; getsn (buf = r15, len = r14): INT (2, buf, len). Name taken from main's annotations.
459c
    459c: 0e12 push r14
    459e: 0f12 push r15
    45a0: 2312 push #0x2
    45a2: b012 2c45 call #0x452c
    45a6: 3150 0600 add #0x6, sp
    45aa: 3041 ret

45ac
; int putchar (int char);  // INT (0, sign-extended low byte of r15)
    45ac: 8f11 sxt r15
    45ae: 0f12 push r15
    45b0: 0312 push #0x0
    45b2: b012 2c45 call #0x452c
    45b6: 2152 add #0x4, sp
    45b8: 3041 ret

45ba
; void puts (char *str);  // prints str one byte at a time, then '\n'
    45ba: 0b12 push r11
; const char *p = str;  // kept in r11, which is saved and restored
    45bc: 0b4f mov r15, r11
    45be: 033c jmp #0x45c6
; p++ v
    45c0: 1b53 inc r11
; putchar (c)  // r15 still holds the byte loaded at 45c6
    45c2: b012 ac45 call #0x45ac
; while (c = *p) ^
    45c6: 6f4b mov.b @r11, r15
    45c8: 4f93 tst.b r15
    45ca: fa23 jnz #0x45c0
; putchar ('\n');
    45cc: 7f40 0a00 mov.b #0xa, r15
    45d0: b012 ac45 call #0x45ac
; return (implicit)
    45d4: 3b41 pop r11
    45d6: 3041 ret

; memcpy (dst = r15, src = r14, n = r13): forward byte copy; does nothing when
; n == 0. r15 is left untouched.
45d8
    45d8: 0c4f mov r15, r12                             ; r12 = write cursor
    45da: 043c jmp #0x45e4
    45dc: fc4e 0000 mov.b @r14+, 0x0(r12)
    45e0: 1c53 inc r12
    45e2: 3d53 add #-0x1, r13
    45e4: 0d93 tst r13
    45e6: fa23 jnz #0x45dc
    45e8: 3041 ret

; memset (dst = r15, value = r14, n = r13).
; n < 6: plain byte loop. n >= 6: one leading byte if dst is odd, then n/2 word
; stores of the value duplicated into both bytes, then one trailing byte if a
; byte is left over.
45ea
    45ea: 0b12 push r11
    45ec: 0a12 push r10
    45ee: 0912 push r9
    45f0: 0812 push r8
    45f2: 3d90 0600 cmp #0x6, r13
    45f6: 092c jc #0x460a                               ; n >= 6 (unsigned) -> word path
; byte path
    45f8: 0c4f mov r15, r12
    45fa: 043c jmp #0x4604
    45fc: cc4e 0000 mov.b r14, 0x0(r12)
    4600: 1c53 inc r12
    4602: 3d53 add #-0x1, r13
    4604: 0d93 tst r13
    4606: fa23 jnz #0x45fc
    4608: 203c jmp #0x464a
; word path: r11 = value byte duplicated into both halves (skipped when the byte is 0)
    460a: 4e4e mov.b r14, r14
    460c: 4b4e mov.b r14, r11
    460e: 0b93 tst r11
    4610: 0324 jz #0x4618
    4612: 0c4b mov r11, r12
    4614: 8c10 swpb r12
    4616: 0bdc bis r12, r11
; odd dst: store one byte first so the word stores start on an even address
    4618: 1fb3 bit #0x1, r15
    461a: 0624 jz #0x4628
    461c: 3d53 add #-0x1, r13
    461e: cf4e 0000 mov.b r14, 0x0(r15)
    4622: 094f mov r15, r9
    4624: 1953 inc r9
    4626: 013c jmp #0x462a
    4628: 094f mov r15, r9
; r12 = remaining n / 2 = number of word stores; r9 = first even address
    462a: 0c4d mov r13, r12
    462c: 12c3 clrc
    462e: 0c10 rrc r12
    4630: 0a49 mov r9, r10
    4632: 084c mov r12, r8
    4634: 8a4b 0000 mov r11, 0x0(r10)
    4638: 2a53 incd r10
    463a: 3853 add #-0x1, r8
    463c: fb23 jnz #0x4634
; r12 = address just past the words; store a final byte if one is left over
    463e: 0c5c add r12, r12
    4640: 0c59 add r9, r12
    4642: 1df3 and #0x1, r13
    4644: 0224 jz #0x464a
    4646: cc4e 0000 mov.b r14, 0x0(r12)
    464a: 3841 pop r8
    464c: 3941 pop r9
    464e: 3a41 pop r10
    4650: 3b41 pop r11
    4652: 3041 ret

; Reached from __ctors_end at 4528.
4654 <_unexpected_>
    4654: 0013 reti pc

4656 .strings:
    4656: "Welcome to the secure program loader."
    467c: "Please enter second stage load address."
    46a4: "Please enter the second stage program."
    46cb: "Please enter program signature."
    46eb: "Load address outside allowed range of 0x8000-0xF000"
    471f: "Incorrect signature, continuing"
    473f: "Signature valid, executing payload"
    4762: "ACCESS GRANTED"
    4771: "ACCESS DENIED"
Text: Lockitall LOCKIT 2 r A.01 ______________________________________________________________________ User Manual: Lockitall LockIT 2, rev a.01 ______________________________________________________________________ OVERVIEW - Lockitall is under new management. - The lock has been put together from bits of leftover scrap from the old factory. DETAILS The LockIT 2 A.02 is the second of a new series of locks. It is controlled by a MSP430 microcontroller. The MSP430 is a very low- power device, chosen because we found several crates of old stock. This lock only accepts biometric and NFC inputs, and does not have a traditional password prompt. 
To support rapid development cycles this lock accepts a program from the old password input prompt. The program must be signed by Lockitall, so engineering aren't concerned it will be used maliciously. There are two programs, one of which is below in hex format and is used in the factory to test proper lock operation. The other program, not reproduced here, is restricted and only available internally at Lockitall. Load address: 8000 Program text: 3540088000450545054505450545054505450f433041 Signature: 8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5 639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f This is Hardware Version Beta. This is Software Revision 02. (c) 2021 LOCKITALL Page 1/1 Prereqs: "Vancouver", Name: "Cold Lake", X: 135, Y: 140, Rating: 20, Patch: ""