Instructions: Size | Addr | CT | Data | Checksum? -- -:|------|----|----------------------------------|---------- 10 | 4400 | 00 | 55425C0135D0085A8245202831400044 | 8D 10 | 4410 | 00 | 3F4020000F930824924220285C012F83 | 04 10 | 4420 | 00 | 9F4F6E470024F8233F4000040F930724 | 5A 10 | 4430 | 00 | 924220285C011F83CF432024F9233150 | 6E 10 | 4440 | 00 | C0FF3F408646B012CA453F40AC46B012 | 5E 10 | 4450 | 00 | CA453D4000040E433F402024B0121A46 | 96 10 | 4460 | 00 | 3E40FF033F402024B012AC455B422024 | 75 10 | 4470 | 00 | 8B105F4221240BDF594222245A422324 | 0D 10 | 4480 | 00 | 0B9303343B9001F005283F40C846B012 | 1F 10 | 4490 | 00 | CA45DB3F0F4A3F50FAFF3F90BB030528 | 58 10 | 44A0 | 00 | 3F40FC46B012CA45D03F084A38502024 | 4D 10 | 44B0 | 00 | 3D4040000E480F41B012E84519930D20 | D1 10 | 44C0 | 00 | 0D410E4A3F402024B01266453D404000 | 59 10 | 44D0 | 00 | 0E480F41B012FA45103C099309200C41 | D7 10 | 44E0 | 00 | 0D4A3E4020243F400024B0127845053C | 50 10 | 44F0 | 00 | 3F401347B012CA45A83F1F9305243F40 | D1 10 | 4500 | 00 | 2A47B012CA45A13F3F404A47B012CA45 | A8 10 | 4510 | 00 | 0D4A3E4024240F4BB012E8458B12953F | C4 10 | 4520 | 00 | 32D0F000FD3F304084461F4102000212 | AD 10 | 4530 | 00 | 4F4F8F103FD00080024FB01210003241 | 19 10 | 4540 | 00 | 30410D120E120F1230123000B0122A45 | F7 10 | 4550 | 00 | 315230410D120E120F1230123100B012 | D2 10 | 4560 | 00 | 2A45315230410D120E120F1230123200 | 14 10 | 4570 | 00 | B0122A45315230410B12041204412452 | 28 10 | 4580 | 00 | 21838443FAFF3B40FAFF0B540B120C12 | B9 10 | 4590 | 00 | 0D120E120F1230123300B0122A451F44 | B2 10 | 45A0 | 00 | FAFF31500E0034413B4130410E120F12 | E0 10 | 45B0 | 00 | 2312B0122A453150060030418F110F12 | DC 10 | 45C0 | 00 | 0312B0122A45215230410B120B4F033C | 0B 10 | 45D0 | 00 | 1B53B012BC456F4B4F93FA237F400A00 | 28 10 | 45E0 | 00 | B012BC453B4130410C4F043CFC4E0000 | 36 10 | 45F0 | 00 | 1C533D530D93FA2330410B120D930A24 | A3 10 | 4600 | 00 | 7B4F7C4E4B9C04244F4B4E4C0F8E033C | F7 10 | 4610 | 00 | 3D53F43F0F433B4130410B120A120912 | 44 10 | 4620 | 00 | 08123D900600092C0C4F043CCC4E0000 | B3 10 | 4630 | 00 | 1C533D530D93FA23203C4E4E4B4E0B93 | 8F 10 | 4640 | 00 | 03240C4B8C100BDC1FB306243D53CF4E | C0 10 | 4650 | 00 | 0000094F1953013C094F0C4D12C30C10 | B7 10 | 4660 | 00 | 0A49084C8A4B00002A533853FB230C5C | 40 10 | 4670 | 00 | 0C591DF30224CC4E0000384139413A41 | 17 06 | 4680 | 00 | 3B4130410013 | 34 Strings: Size | Addr | CT | Data | Checksum? -- -:|------|----|----------------------------------|---------- 10 | 4686 | 00 | 57656C636F6D6520746F207468652073 | 61 10 | 4696 | 00 | 65637572652070726F6772616D206C6F | ED 10 | 46A6 | 00 | 616465722E00506C6561736520656E74 | 79 10 | 46B6 | 00 | 6572206465627567207061796C6F6164 | EC 10 | 46C6 | 00 | 2E004C6F61642061646472657373206F | A1 10 | 46D6 | 00 | 75747369646520616C6C6F7765642072 | AC 10 | 46E6 | 00 | 616E6765206F66203078383030302D30 | 47 10 | 46F6 | 00 | 784630303000496E76616C6964207061 | AE 10 | 4706 | 00 | 796C6F6164206C656E67746800496E76 | BB 10 | 4716 | 00 | 616C6964207369676E61747572652074 | 73 10 | 4726 | 00 | 79706500496E636F7272656374207369 | 90 10 | 4736 | 00 | 676E61747572652C20636F6E74696E75 | 31 10 | 4746 | 00 | 696E67005369676E6174757265207661 | 7C 10 | 4756 | 00 | 6C69642C20657865637574696E672070 | 72 08 | 4766 | 00 | 61796C6F61640000 | D1 10 | 476E | 00 | A09AE3E830085A0169641E1E22118B45 | 97 10 | 477E | 00 | 7F9A95E7A133643CB578FB0C25940C4F | DA 10 | FF80 | 00 | 26452645264526452645264526452645 | 19 10 | FF90 | 00 | 26452645264526452645264526450044 | 30 04 | 0000 | 03 | 00004400 | B5 00 | 0000 | 01 | | FF Obj: 0010 <__trap_interrupt> 0010: 3041 ret 4400 <__watchdog_support> 4400: 5542 5c01 mov.b &0x015c, r5 4404: 35d0 085a bis #0x5a08, r5 4408: 8245 2028 mov r5, &0x2820 440c <__init_stack> 440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp 4410 <__do_copy_data> 4410: 3f40 2000 mov #0x20, r15 4414: 0f93 tst r15 4416: 0824 jz #0x4428 <__do_clear_bss+0x0> 4418: 9242 2028 5c01 mov &0x2820, &0x015c 441e: 2f83 decd r15 4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15) 4426: f823 jnz #0x4418 <__do_copy_data+0x8> 4428 <__do_clear_bss> 4428: 3f40 0004 mov #0x400, r15 442c: 0f93 tst r15 442e: 0724 jz #0x443e 4430: 9242 2028 5c01 mov &0x2820, &0x015c 4436: 1f83 dec r15 4438: cf43 2024 mov.b #0x0, 0x2420(r15) 443c: f923 jnz #0x4430 <__do_clear_bss+0x8> 443e
; char signature_buffer[64]; 443e: 3150 c0ff add #0xffc0, sp ; puts ("Welcome to the secure program loader."); 4442: 3f40 8646 mov #0x4686 "Welcome to the secure program loader.", r15 4446: b012 ca45 call #0x45ca ; puts ("Please enter debug payload."); 444a: 3f40 ac46 mov #0x46ac "Please enter debug payload.", r15 444e: b012 ca45 call #0x45ca ; char * static_buffer = (char *) 0x2420; ; memset (0x2420, 0, 0x400); 4452: 3d40 0004 mov #0x400, r13 4456: 0e43 clr r14 4458: 3f40 2024 mov #0x2420, r15 445c: b012 1a46 call #0x461a ; getsn (0x2420 /* static_buffer */, 0x3ff); 4460: 3e40 ff03 mov #0x3ff, r14 4464: 3f40 2024 mov #0x2420, r15 4468: b012 ac45 call #0x45ac ; short loadaddr? = static_buffer[0]<<8+static_buffer[1]; 446c: 5b42 2024 mov.b &0x2420, r11 4470: 8b10 swpb r11 4472: 5f42 2124 mov.b &0x2421, r15 4476: 0bdf bis r15, r11 ; char signature_type = static_buffer[2]; 4478: 5942 2224 mov.b &0x2422, r9 ; char payload_length = static_buffer[3]; 447c: 5a42 2324 mov.b &0x2423, r10 ; if (0x8000 <= loadaddr && loadaddr < 0xf001) {/* goto load_range_succeed */} 4480: 0b93 tst r11 4482: 0334 jge #0x448a 4484: 3b90 01f0 cmp #0xf001, r11 4488: 0528 jnc #0x4494 ; else load_range_fail: ; puts ("Load address outside allowed range of 0x8000-0xF000"); 448a: 3f40 c846 mov #0x46c8 "Load address outside allowed range of 0x8000-0xF000", r15 448e: b012 ca45 call #0x45ca ; continue; 4492: db3f jmp #0x444a load_range_succeed: ; if (payload_length - 6 > 0x3bb) 4494: 0f4a mov r10, r15 4496: 3f50 faff add #0xfffa, r15 449a: 3f90 bb03 cmp #0x3bb, r15 449e: 0528 jnc #0x44aa ; puts ("Invalid payload length"); 44a0: 3f40 fc46 mov #0x46fc "Invalid payload length", r15 44a4: b012 ca45 call #0x45ca ; continue; 44a8: d03f jmp #0x444a ; char * payload_signature = static_buffer+payload_length 44aa: 084a mov r10, r8 44ac: 3850 2024 add #0x2420, r8 ; memcpy (signature_buffer, payload_signature, 0x40) 44b0: 3d40 4000 mov #0x40, r13 44b4: 0e48 mov r8, r14 44b6: 0f41 mov sp, r15 44b8: b012 e845 call #0x45e8 ; if (signature_type == 0x1) 44bc: 1993 cmp #0x1, r9 44be: 0d20 jne #0x44da ; sha512 (static_buffer, payload_length, signature_buffer); 44c0: 0d41 mov sp, r13 44c2: 0e4a mov r10, r14 44c4: 3f40 2024 mov #0x2420, r15 44c8: b012 6645 call #0x4566 ; memcmp (signature_buffer, payload_signature, 0x40) 44cc: 3d40 4000 mov #0x40, r13 44d0: 0e48 mov r8, r14 44d2: 0f41 mov sp, r15 44d4: b012 fa45 call #0x45fa 44d8: 103c jmp #0x44fa ; if (signature_type != 0) 44da: 0993 tst r9 44dc: 0920 jnz #0x44f0 ; verify_ed25519 (0x2400, static_buffer, ) 44de: 0c41 mov sp, r12 44e0: 0d4a mov r10, r13 44e2: 3e40 2024 mov #0x2420, r14 44e6: 3f40 0024 mov #0x2400, r15 44ea: b012 7845 call #0x4578 44ee: 053c jmp #0x44fa signature_type_invalid: ; puts ("Invalid signature type"); 44f0: 3f40 1347 mov #0x4713 "Invalid signature type", r15 44f4: b012 ca45 call #0x45ca 44f8: a83f jmp #0x444a uncond_jump_target_44fa: ; if (r15 != 0x1) 44fa: 1f93 cmp #0x1, r15 44fc: 0524 jeq #0x4508 ; else_4508 ; puts ("Incorrect signature, continuing"); 44fe: 3f40 2a47 mov #0x472a "Incorrect signature, continuing", r15 4502: b012 ca45 call #0x45ca ; continue; 4506: a13f jmp #0x444a else_4508: ; puts ("Signature valid, executing payload"); 4508: 3f40 4a47 mov #0x474a "Signature valid, executing payload", r15 450c: b012 ca45 call #0x45ca ; memcpy () 4510: 0d4a mov r10, r13 4512: 3e40 2424 mov #0x2424, r14 4516: 0f4b mov r11, r15 4518: b012 e845 call #0x45e8 ; payload(); 451c: 8b12 call r11 ; continue; 451e: 953f jmp #0x444a 4520 <__stop_progExec__> 4520: 32d0 f000 bis #0xf0, sr 4524: fd3f jmp #0x4520 <__stop_progExec__+0x0> 4526 <__ctors_end> 4526: 3040 8446 br #0x4684 <_unexpected_> 452a 452a: 1f41 0200 mov 0x2(sp), r15 452e: 0212 push sr 4530: 4f4f mov.b r15, r15 4532: 8f10 swpb r15 4534: 3fd0 0080 bis #0x8000, r15 4538: 024f mov r15, sr 453a: b012 1000 call #0x10 453e: 3241 pop sr 4540: 3041 ret 4542 4542: 0d12 push r13 4544: 0e12 push r14 4546: 0f12 push r15 4548: 3012 3000 push #0x30 454c: b012 2a45 call #0x452a 4550: 3152 add #0x8, sp 4552: 3041 ret 4554 4554: 0d12 push r13 4556: 0e12 push r14 4558: 0f12 push r15 455a: 3012 3100 push #0x31 455e: b012 2a45 call #0x452a 4562: 3152 add #0x8, sp 4564: 3041 ret 4566 4566: 0d12 push r13 4568: 0e12 push r14 456a: 0f12 push r15 456c: 3012 3200 push #0x32 4570: b012 2a45 call #0x452a 4574: 3152 add #0x8, sp 4576: 3041 ret 4578 4578: 0b12 push r11 457a: 0412 push r4 457c: 0441 mov sp, r4 457e: 2452 add #0x4, r4 4580: 2183 decd sp 4582: 8443 faff clr -0x6(r4) 4586: 3b40 faff mov #0xfffa, r11 458a: 0b54 add r4, r11 458c: 0b12 push r11 458e: 0c12 push r12 4590: 0d12 push r13 4592: 0e12 push r14 4594: 0f12 push r15 4596: 3012 3300 push #0x33 459a: b012 2a45 call #0x452a 459e: 1f44 faff mov -0x6(r4), r15 45a2: 3150 0e00 add #0xe, sp 45a6: 3441 pop r4 45a8: 3b41 pop r11 45aa: 3041 ret 45ac 45ac: 0e12 push r14 45ae: 0f12 push r15 45b0: 2312 push #0x2 45b2: b012 2a45 call #0x452a 45b6: 3150 0600 add #0x6, sp 45ba: 3041 ret 45bc 45bc: 8f11 sxt r15 45be: 0f12 push r15 45c0: 0312 push #0x0 45c2: b012 2a45 call #0x452a 45c6: 2152 add #0x4, sp 45c8: 3041 ret 45ca 45ca: 0b12 push r11 45cc: 0b4f mov r15, r11 45ce: 033c jmp #0x45d6 45d0: 1b53 inc r11 45d2: b012 bc45 call #0x45bc 45d6: 6f4b mov.b @r11, r15 45d8: 4f93 tst.b r15 45da: fa23 jnz #0x45d0 45dc: 7f40 0a00 mov.b #0xa, r15 45e0: b012 bc45 call #0x45bc 45e4: 3b41 pop r11 45e6: 3041 ret 45e8 45e8: 0c4f mov r15, r12 45ea: 043c jmp #0x45f4 45ec: fc4e 0000 mov.b @r14+, 0x0(r12) 45f0: 1c53 inc r12 45f2: 3d53 add #-0x1, r13 45f4: 0d93 tst r13 45f6: fa23 jnz #0x45ec 45f8: 3041 ret 45fa 45fa: 0b12 push r11 45fc: 0d93 tst r13 45fe: 0a24 jz #0x4614 4600: 7b4f mov.b @r15+, r11 4602: 7c4e mov.b @r14+, r12 4604: 4b9c cmp.b r12, r11 4606: 0424 jeq #0x4610 4608: 4f4b mov.b r11, r15 460a: 4e4c mov.b r12, r14 460c: 0f8e sub r14, r15 460e: 033c jmp #0x4616 4610: 3d53 add #-0x1, r13 4612: f43f jmp #0x45fc 4614: 0f43 clr r15 4616: 3b41 pop r11 4618: 3041 ret 461a 461a: 0b12 push r11 461c: 0a12 push r10 461e: 0912 push r9 4620: 0812 push r8 4622: 3d90 0600 cmp #0x6, r13 4626: 092c jc #0x463a 4628: 0c4f mov r15, r12 462a: 043c jmp #0x4634 462c: cc4e 0000 mov.b r14, 0x0(r12) 4630: 1c53 inc r12 4632: 3d53 add #-0x1, r13 4634: 0d93 tst r13 4636: fa23 jnz #0x462c 4638: 203c jmp #0x467a 463a: 4e4e mov.b r14, r14 463c: 4b4e mov.b r14, r11 463e: 0b93 tst r11 4640: 0324 jz #0x4648 4642: 0c4b mov r11, r12 4644: 8c10 swpb r12 4646: 0bdc bis r12, r11 4648: 1fb3 bit #0x1, r15 464a: 0624 jz #0x4658 464c: 3d53 add #-0x1, r13 464e: cf4e 0000 mov.b r14, 0x0(r15) 4652: 094f mov r15, r9 4654: 1953 inc r9 4656: 013c jmp #0x465a 4658: 094f mov r15, r9 465a: 0c4d mov r13, r12 465c: 12c3 clrc 465e: 0c10 rrc r12 4660: 0a49 mov r9, r10 4662: 084c mov r12, r8 4664: 8a4b 0000 mov r11, 0x0(r10) 4668: 2a53 incd r10 466a: 3853 add #-0x1, r8 466c: fb23 jnz #0x4664 466e: 0c5c add r12, r12 4670: 0c59 add r9, r12 4672: 1df3 and #0x1, r13 4674: 0224 jz #0x467a 4676: cc4e 0000 mov.b r14, 0x0(r12) 467a: 3841 pop r8 467c: 3941 pop r9 467e: 3a41 pop r10 4680: 3b41 pop r11 4682: 3041 ret 4684 <_unexpected_> 4684: 0013 reti pc 4686 .strings: 4686: "Welcome to the secure program loader." 46ac: "Please enter debug payload." 46c8: "Load address outside allowed range of 0x8000-0xF000" 46fc: "Invalid payload length" 4713: "Invalid signature type" 472a: "Incorrect signature, continuing" 474a: "Signature valid, executing payload" Prereqs: "Cold Lake" Name: "Churchill" Text: Lockitall LOCKIT 2 r A.01 ______________________________________________________________________ User Manual: Lockitall LockIT 2, rev a.01 ______________________________________________________________________ OVERVIEW - Lockitall is under new management. - All vulnerabilities in our old locks are now resolved. DETAILS The LockIT 2 A.03 is the second of a new series of locks. It is controlled by a MSP430 microcontroller. The MSP430 is a very low- power device, chosen because we found several crates of old stock. This lock only accepts biometric and NFC inputs, and does not have a traditional password prompt. To support rapid development cycles this lock accepts a program from the old password input prompt. Only programs signed by us are allowed. 800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32a df31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed16 05f2070e This is Hardware Version Beta. This is Software Revision 03. (c) 2021 LOCKITALL Page 1/1 "X": 122, "Y": 212, "Rating": 30, "Patch": "" },