Hex:
|
|
:10 4400 00 55425C0135D0085A8245602831400044 4D
|
|
:10 4410 00 3F4060000F930824924260285C012F83 84
|
|
:10 4420 00 9F4F28470024F8233F4000040F930724 A0
|
|
:10 4430 00 924260285C011F83CF436024F9233150 EE
|
|
:10 4440 00 C0FF3F404046B012A4453F406646B012 10
|
|
:10 4450 00 A4453D4000040E433F406024B012D445 C3
|
|
:10 4460 00 3E40FF033F406024B01286455B426024 1B
|
|
:10 4470 00 8B105F4261240BDF5A4263240B930334 99
|
|
:10 4480 00 3B9001F005283F408246B012A445DD3F 35
|
|
:10 4490 00 1BB305243F40B646B012A445D63F0F4A 91
|
|
:10 44A0 00 3F50FAFF3F90BB0305283F40CD46B012 76
|
|
:10 44B0 00 A445CB3F3D4040000E4A3E5060240F41 92
|
|
:10 44C0 00 B012C2450C410D4A3E4060243F404024 9A
|
|
:10 44D0 00 B01252451F9305243F40E446B012A445 54
|
|
:10 44E0 00 B43F3F400447B012A4450D4A3E406424 07
|
|
:10 44F0 00 0F4BB012C2458B12A83F32D0F000FD3F E7
|
|
:10 4500 00 30403E461F41020002124F4F8F103FD0 F5
|
|
:10 4510 00 0080024FB0121000324130410D120E12 D5
|
|
:10 4520 00 0F1230123000B0120445315230410D12 DA
|
|
:10 4530 00 0E120F1230123100B012044531523041 C8
|
|
:10 4540 00 0D120E120F1230123200B01204453152 09
|
|
:10 4550 00 30410B1204120441245221838443FAFF 98
|
|
:10 4560 00 3B40FAFF0B540B120C120D120E120F12 DD
|
|
:10 4570 00 30123300B01204451F44FAFF31500E00 D0
|
|
:10 4580 00 34413B4130410E120F122312B0120445 48
|
|
:10 4590 00 3150060030418F110F120312B0120445 42
|
|
:10 45A0 00 215230410B120B4F033C1B53B0129645 66
|
|
:10 45B0 00 6F4B4F93FA237F400A00B01296453B41 60
|
|
:10 45C0 00 30410C4F043CFC4E00001C533D530D93 F6
|
|
:10 45D0 00 FA2330410B120A12091208123D900600 0C
|
|
:10 45E0 00 092C0C4F043CCC4E00001C533D530D93 42
|
|
:10 45F0 00 FA23203C4E4E4B4E0B9303240C4B8C10 55
|
|
:10 4600 00 0BDC1FB306243D53CF4E0000094F1953 56
|
|
:10 4610 00 013C094F0C4D12C30C100A49084C8A4B 3F
|
|
:10 4620 00 00002A533853FB230C5C0C591DF30224 61
|
|
:10 4630 00 CC4E0000384139413A413B4130410013 F2
|
|
:10 4640 00 57656C636F6D6520746F207468652073 A7
|
|
:10 4650 00 65637572652070726F6772616D206C6F 33
|
|
:10 4660 00 616465722E00506C6561736520656E74 BF
|
|
:10 4670 00 6572206465627567207061796C6F6164 32
|
|
:10 4680 00 2E004C6F61642061646472657373206F E7
|
|
:10 4690 00 75747369646520616C6C6F7765642072 F2
|
|
:10 46A0 00 616E6765206F66203078383030302D30 8D
|
|
:10 46B0 00 7846303030004C6F6164206164647265 0C
|
|
:10 46C0 00 737320756E616C69676E656400496E76 00
|
|
:10 46D0 00 616C6964207061796C6F6164206C656E D7
|
|
:10 46E0 00 67746800496E636F7272656374207369 E2
|
|
:10 46F0 00 676E61747572652C20636F6E74696E75 78
|
|
:10 4700 00 696E67005369676E6174757265207661 C2
|
|
:10 4710 00 6C69642C20657865637574696E672070 B8
|
|
:08 4720 00 61796C6F61640000 17
|
|
Strings:
|
|
:10 4728 00 70C3679B43365CA01131991CC462135B 4C
|
|
:10 4738 00 ECAE7DF973D62B163C05C679746CE52F 63
|
|
:10 4748 00 08218D19996D174F147F157B9F2C8011 A7
|
|
:10 4758 00 4AB3D2D12532D2EAB925616146A815BE 3D
|
|
:10 4768 00 08218D19996D174F147F157B9F2C8011 87
|
|
:10 4778 00 4AB3D2D12532D2EAB925616146A815BE 1D
|
|
Exception_Vectors:
|
|
:10 FF80 00 00450045004500450045004500450045 49
|
|
:10 FF90 00 00450045004500450045004500450044 3A
|
|
Start:
|
|
:04 0000 03 00004400 B5
|
|
What: ; does this do? -- Intel HEX end-of-file record (byte count 00, record type 01)
|
|
:00 0000 01 FF
|
|
|
|
Obj:
|
|
0010 <__trap_interrupt>
|
|
0010: 3041 ret
|
|
4400 <__watchdog_support>
|
|
4400: 5542 5c01 mov.b &0x015c, r5
|
|
4404: 35d0 085a bis #0x5a08, r5
|
|
4408: 8245 6028 mov r5, &0x2860
|
|
440c <__init_stack>
|
|
440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
|
|
4410 <__do_copy_data>
|
|
4410: 3f40 6000 mov #0x60, r15
|
|
4414: 0f93 tst r15
|
|
4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
|
|
4418: 9242 6028 5c01 mov &0x2860, &0x015c
|
|
441e: 2f83 decd r15
|
|
4420: 9f4f 2847 0024 mov 0x4728(r15), 0x2400(r15)
|
|
4426: f823 jnz #0x4418 <__do_copy_data+0x8>
|
|
4428 <__do_clear_bss>
|
|
4428: 3f40 0004 mov #0x400, r15
|
|
442c: 0f93 tst r15
|
|
442e: 0724 jz #0x443e <main+0x0>
|
|
4430: 9242 6028 5c01 mov &0x2860, &0x015c
|
|
4436: 1f83 dec r15
|
|
4438: cf43 6024 mov.b #0x0, 0x2460(r15)
|
|
443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
|
|
|
|
|
|
443e <main>
|
|
;? char sig_buf[64]; // >=> sp
|
|
443e: 3150 c0ff add #0xffc0, sp
|
|
;* puts ("Welcome to the secure program loader.");
|
|
4442: 3f40 4046 mov #0x4640 "Welcome to the secure program loader." r15
|
|
4446: b012 a445 call #0x45a4 <puts>
|
|
;* while (1)
|
|
continue:
|
|
;* puts ("Please enter debug payload.");
|
|
444a: 3f40 6646 mov #0x4666 "Please enter debug payload." r15
|
|
444e: b012 a445 call #0x45a4 <puts>
|
|
;? u8 buf[0x400]; // >=> 0x2460
|
|
;* memset (buf, 0, 0x400);
|
|
4452: 3d40 0004 mov #0x400, r13
|
|
4456: 0e43 clr r14
|
|
4458: 3f40 6024 mov #0x2460, r15
|
|
445c: b012 d445 call #0x45d4 <memset>
|
|
;* getsn(buf, 0x3ff);
|
|
4460: 3e40 ff03 mov #0x3ff, r14
|
|
4464: 3f40 6024 mov #0x2460, r15
|
|
4468: b012 8645 call #0x4586 <getsn>
|
|
;* void * loadaddr /* r11 */ = (buf[0] << 8) + (buf[1]);
|
|
446c: 5b42 6024 mov.b &0x2460, r11
|
|
4470: 8b10 swpb r11
|
|
4472: 5f42 6124 mov.b &0x2461, r15
|
|
4476: 0bdf bis r15, r11
|
|
;! byte index 0x2 goes unused!
|
|
;* size_t len = buf[3]; // mov.b: one byte, so 0..255
|
|
4478: 5a42 6324 mov.b &0x2463, r10
|
|
;*if (0x8000 > loadaddr || loadaddr >= 0xf001)
|
|
447c: 0b93 tst r11
|
|
447e: 0334 jge #0x4486 <main+0x48>
|
|
4480: 3b90 01f0 cmp #0xf001, r11
|
|
4484: 0528 jnc #0x4490 <main+0x52>
|
|
;* puts ("Load address outside allowed range of 0x8000-0xF000");
|
|
4486: 3f40 8246 mov #0x4682 "Load address outside allowed range of 0x8000-0xF000" r15
|
|
448a: b012 a445 call #0x45a4 <puts>
|
|
;* continue;
|
|
448e: dd3f jmp #0x444a <main+0xc>
|
|
;* if (loadaddr & 1)
|
|
4490: 1bb3 bit #0x1, r11
|
|
4492: 0524 jz #0x449e <main+0x60>
|
|
;* puts ("Load address unaligned");
|
|
4494: 3f40 b646 mov #0x46b6 "Load address unaligned" r15
|
|
4498: b012 a445 call #0x45a4 <puts>
|
|
;* continue;
|
|
449c: d63f jmp #0x444a <main+0xc>
|
|
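;* if ((u16)(len - 6) >= 0x3bb) // jnc skips the error only when len - 6 < 0x3bb unsigned, so len 0..5 wraps and is rejected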
|
|
449e: 0f4a mov r10, r15
|
|
44a0: 3f50 faff add #0xfffa, r15
|
|
44a4: 3f90 bb03 cmp #0x3bb, r15
|
|
44a8: 0528 jnc #0x44b4 <main+0x76>
|
|
;* puts ("Invalid payload length");
|
|
44aa: 3f40 cd46 mov #0x46cd "Invalid payload length" r15
|
|
44ae: b012 a445 call #0x45a4 <puts>
|
|
;* continue;
|
|
44b2: cb3f jmp #0x444a <main+0xc>
|
|
;* memcpy (sig_buf, buf+len, 0x40)
|
|
44b4: 3d40 4000 mov #0x40, r13
|
|
44b8: 0e4a mov r10, r14
|
|
44ba: 3e50 6024 add #0x2460, r14
|
|
44be: 0f41 mov sp, r15
|
|
44c0: b012 c245 call #0x45c2 <memcpy>
|
|
;* result = verify_ed25519 (ed25519_pubkey /*0x2440*/, buf /*0x2460*/, len /*r10*/, sig_buf /*sp*/); // result comes back in r15
|
|
44c4: 0c41 mov sp, r12
|
|
44c6: 0d4a mov r10, r13
|
|
44c8: 3e40 6024 mov #0x2460, r14
|
|
44cc: 3f40 4024 mov #0x2440, r15
|
|
44d0: b012 5245 call #0x4552 <verify_ed25519>
|
|
;* if (result != 0x1)
|
|
44d4: 1f93 cmp #0x1, r15
|
|
44d6: 0524 jeq #0x44e2 <main+0xa4>
|
|
;* puts ("Incorrect signature, continuing");
|
|
44d8: 3f40 e446 mov #0x46e4 "Incorrect signature, continuing" r15
|
|
44dc: b012 a445 call #0x45a4 <puts>
|
|
;* continue;
|
|
44e0: b43f jmp #0x444a <main+0xc>
|
|
;* puts ("Signature valid, executing payload");
|
|
44e2: 3f40 0447 mov #0x4704 "Signature valid, executing payload" r15
|
|
44e6: b012 a445 call #0x45a4 <puts>
|
|
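;* memcpy ( loadaddr /*dest*/, buf + 0x4 /*src*/, len /*size*/);
;! copies buf[4 .. len+4) although the signature was checked over buf[0 .. len); a loader should execute exactly the bytes it verified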
|
|
44ea: 0d4a mov r10, r13
|
|
44ec: 3e40 6424 mov #0x2464, r14
|
|
44f0: 0f4b mov r11, r15
|
|
44f2: b012 c245 call #0x45c2 <memcpy>
|
|
;* payload ();
|
|
44f6: 8b12 call r11
|
|
;* continue;
|
|
44f8: a83f jmp #0x444a <main+0xc>
|
|
|
|
|
|
44fa <__stop_progExec__>
|
|
44fa: 32d0 f000 bis #0xf0, sr
|
|
44fe: fd3f jmp #0x44fa <__stop_progExec__+0x0>
|
|
4500 <__ctors_end>
|
|
4500: 3040 3e46 br #0x463e <_unexpected_>
|
|
4504 <INT>
|
|
;* void INT (u16 service /* 0x2(sp): the last word the caller pushed */);
;! common gate for the wrappers in this listing: each pushes its arguments, then a service number, then calls here
4504: 1f41 0200 mov 0x2(sp), r15
|
|
;! caller's sr is saved here and restored by the pop below
4508: 0212 push sr
|
|
;* sr = 0x8000 | ((service & 0xff) << 8);
450a: 4f4f mov.b r15, r15
|
|
450c: 8f10 swpb r15
|
|
450e: 3fd0 0080 bis #0x8000, r15
|
|
4512: 024f mov r15, sr
|
|
;! 0x10 is __trap_interrupt, a bare ret in this listing; presumably the platform acts on sr at this call -- confirm
4514: b012 1000 call #0x10
|
|
4518: 3241 pop sr
|
|
451a: 3041 ret
|
|
451c <sha1>
|
|
451c: 0d12 push r13
|
|
451e: 0e12 push r14
|
|
4520: 0f12 push r15
|
|
4522: 3012 3000 push #0x30
|
|
4526: b012 0445 call #0x4504 <INT>
|
|
452a: 3152 add #0x8, sp
|
|
452c: 3041 ret
|
|
452e <sha256>
|
|
452e: 0d12 push r13
|
|
4530: 0e12 push r14
|
|
4532: 0f12 push r15
|
|
4534: 3012 3100 push #0x31
|
|
4538: b012 0445 call #0x4504 <INT>
|
|
453c: 3152 add #0x8, sp
|
|
453e: 3041 ret
|
|
4540 <sha512>
|
|
4540: 0d12 push r13
|
|
4542: 0e12 push r14
|
|
4544: 0f12 push r15
|
|
4546: 3012 3200 push #0x32
|
|
454a: b012 0445 call #0x4504 <INT>
|
|
454e: 3152 add #0x8, sp
|
|
4550: 3041 ret
|
|
4552 <verify_ed25519>
|
|
;* int verify_ed25519 (pubkey /*r15*/, msg /*r14*/, len /*r13*/, sig /*r12*/);
;! wrapper around INT service 0x33; no verification code appears in this listing
4552: 0b12 push r11
|
|
4554: 0412 push r4
|
|
;! r4 = sp on entry (current sp + 4, past the two saved registers)
4556: 0441 mov sp, r4
|
|
4558: 2452 add #0x4, r4
|
|
;? u16 result; // >=> -0x6(r4), the word just below the saved r4
455a: 2183 decd sp
|
|
;* result = 0; // read back below unless something writes through &result; main accepts only 0x1
455c: 8443 faff clr -0x6(r4)
|
|
;* INT (0x33, pubkey, msg, len, sig, &result); // pushed in reverse: &result first, service number last
4560: 3b40 faff mov #0xfffa, r11
|
|
4564: 0b54 add r4, r11
|
|
4566: 0b12 push r11
|
|
4568: 0c12 push r12
|
|
456a: 0d12 push r13
|
|
456c: 0e12 push r14
|
|
456e: 0f12 push r15
|
|
4570: 3012 3300 push #0x33
|
|
4574: b012 0445 call #0x4504 <INT>
|
|
;* return result;
4578: 1f44 faff mov -0x6(r4), r15
|
|
;! drops the six pushed words and the result local (12 + 2 bytes)
457c: 3150 0e00 add #0xe, sp
|
|
4580: 3441 pop r4
|
|
4582: 3b41 pop r11
|
|
4584: 3041 ret
|
|
4586 <getsn>
|
|
;* void getsn (buf /*r15*/, max /*r14*/);
;! wrapper around INT service 0x2; main calls it with buf = 0x2460 and max = 0x3ff
4586: 0e12 push r14
|
|
4588: 0f12 push r15
|
|
458a: 2312 push #0x2
|
|
458c: b012 0445 call #0x4504 <INT>
|
|
;! drops the three pushed words
4590: 3150 0600 add #0x6, sp
|
|
4594: 3041 ret
|
|
4596 <putchar>
|
|
4596: 8f11 sxt r15
|
|
4598: 0f12 push r15
|
|
459a: 0312 push #0x0
|
|
459c: b012 0445 call #0x4504 <INT>
|
|
45a0: 2152 add #0x4, sp
|
|
45a2: 3041 ret
|
|
45a4 <puts>
|
|
45a4: 0b12 push r11
|
|
45a6: 0b4f mov r15, r11
|
|
45a8: 033c jmp #0x45b0 <puts+0xc>
|
|
45aa: 1b53 inc r11
|
|
45ac: b012 9645 call #0x4596 <putchar>
|
|
45b0: 6f4b mov.b @r11, r15
|
|
45b2: 4f93 tst.b r15
|
|
45b4: fa23 jnz #0x45aa <puts+0x6>
|
|
45b6: 7f40 0a00 mov.b #0xa, r15
|
|
45ba: b012 9645 call #0x4596 <putchar>
|
|
45be: 3b41 pop r11
|
|
45c0: 3041 ret
|
|
45c2 <memcpy>
|
|
;* memcpy (dest /*r15*/, src /*r14*/, n /*r13*/);
;! byte-at-a-time forward copy; r15 is left untouched, n = 0 copies nothing, and there is no bounds check here -- callers own the range
;* u8 * d /*r12*/ = dest;
45c2: 0c4f mov r15, r12
|
|
45c4: 043c jmp #0x45ce <memcpy+0xc>
|
|
;* *d++ = *src++; n--;
45c6: fc4e 0000 mov.b @r14+, 0x0(r12)
|
|
45ca: 1c53 inc r12
|
|
45cc: 3d53 add #-0x1, r13
|
|
;* while (n != 0)
45ce: 0d93 tst r13
|
|
45d0: fa23 jnz #0x45c6 <memcpy+0x4>
|
|
45d2: 3041 ret
|
|
45d4 <memset>
|
|
45d4: 0b12 push r11
|
|
45d6: 0a12 push r10
|
|
45d8: 0912 push r9
|
|
45da: 0812 push r8
|
|
45dc: 3d90 0600 cmp #0x6, r13
|
|
45e0: 092c jc #0x45f4 <memset+0x20>
|
|
45e2: 0c4f mov r15, r12
|
|
45e4: 043c jmp #0x45ee <memset+0x1a>
|
|
45e6: cc4e 0000 mov.b r14, 0x0(r12)
|
|
45ea: 1c53 inc r12
|
|
45ec: 3d53 add #-0x1, r13
|
|
45ee: 0d93 tst r13
|
|
45f0: fa23 jnz #0x45e6 <memset+0x12>
|
|
45f2: 203c jmp #0x4634 <memset+0x60>
|
|
45f4: 4e4e mov.b r14, r14
|
|
45f6: 4b4e mov.b r14, r11
|
|
45f8: 0b93 tst r11
|
|
45fa: 0324 jz #0x4602 <memset+0x2e>
|
|
45fc: 0c4b mov r11, r12
|
|
45fe: 8c10 swpb r12
|
|
4600: 0bdc bis r12, r11
|
|
4602: 1fb3 bit #0x1, r15
|
|
4604: 0624 jz #0x4612 <memset+0x3e>
|
|
4606: 3d53 add #-0x1, r13
|
|
4608: cf4e 0000 mov.b r14, 0x0(r15)
|
|
460c: 094f mov r15, r9
|
|
460e: 1953 inc r9
|
|
4610: 013c jmp #0x4614 <memset+0x40>
|
|
4612: 094f mov r15, r9
|
|
4614: 0c4d mov r13, r12
|
|
4616: 12c3 clrc
|
|
4618: 0c10 rrc r12
|
|
461a: 0a49 mov r9, r10
|
|
461c: 084c mov r12, r8
|
|
461e: 8a4b 0000 mov r11, 0x0(r10)
|
|
4622: 2a53 incd r10
|
|
4624: 3853 add #-0x1, r8
|
|
4626: fb23 jnz #0x461e <memset+0x4a>
|
|
4628: 0c5c add r12, r12
|
|
462a: 0c59 add r9, r12
|
|
462c: 1df3 and #0x1, r13
|
|
462e: 0224 jz #0x4634 <memset+0x60>
|
|
4630: cc4e 0000 mov.b r14, 0x0(r12)
|
|
4634: 3841 pop r8
|
|
4636: 3941 pop r9
|
|
4638: 3a41 pop r10
|
|
463a: 3b41 pop r11
|
|
463c: 3041 ret
|
|
463e <_unexpected_>
|
|
463e: 0013 reti pc
|
|
4640 .strings:
|
|
4640: "Welcome to the secure program loader."
|
|
4666: "Please enter debug payload."
|
|
4682: "Load address outside allowed range of 0x8000-0xF000"
|
|
46b6: "Load address unaligned"
|
|
46cd: "Invalid payload length"
|
|
46e4: "Incorrect signature, continuing"
|
|
4704: "Signature valid, executing payload"
|
|
|
|
|
|
Prereqs:"Churchill"
|
|
Name:"St. John's"
|
|
Text: """
|
|
Lockitall LOCKIT 2 r A.01
|
|
______________________________________________________________________
|
|
|
|
User Manual: Lockitall LockIT 2, rev a.01
|
|
______________________________________________________________________
|
|
|
|
|
|
OVERVIEW
|
|
|
|
- The firmware has been updated to resolve a vulnerability.
|
|
|
|
|
|
DETAILS
|
|
|
|
The LockIT 2 A.01 is the second of a new series of locks. It is
|
|
controlled by a MSP430 microcontroller. The MSP430 is a very low-
|
|
power device, chosen because we found several crates of old stock.
|
|
|
|
This lock only accepts biometric and NFC inputs, and does not have
|
|
a traditional password prompt.
|
|
|
|
To support rapid development cycles this lock accepts a program
|
|
from the old password input prompt.
|
|
|
|
800000063041f23630084d78f18b0ef369693ebdb5eaf1290b3cb4a69815345a0d
|
|
e53b9bb6cc7de3c46159a7af7c91c28a3d3691309822290d9c6482fefc03cbbcff
|
|
35ce9708
|
|
|
|
This is Hardware Version Beta.
|
|
|
|
This is Software Revision 04.
|
|
|
|
|
|
|
|
(c) 2021 LOCKITALL Page 1/1
|
|
"""
|
|
|
|
X:170
|
|
Y:325
|
|
Rating:20
|
|
Patch:""
|