Hex:
|
|
:10 4400 00 55425C0135D0085A8245202431400044 91
|
|
:10 4410 00 3F4020000F930824924220245C012F83 08
|
|
:10 4420 00 9F4F80470024F8233F4000000F930724 4C
|
|
:10 4430 00 924220245C011F83CF432024F9233150 72
|
|
:10 4440 00 BCFE3F405646B012BA45814300003F40 93
|
|
:10 4450 00 7C46B012BA452E430F41B0129C453F40 F6
|
|
:10 4460 00 A446B012BA453D4001010E430F413F50 F2
|
|
:10 4470 00 4300B012EA453E4000010F413F504300 67
|
|
:10 4480 00 B0129C453F40CB46B012BA453D404100 7A
|
|
:10 4490 00 0E430F412F53B012EA453E4040000F41 FA
|
|
:10 44A0 00 2F53B0129C452F410F9303343F9001F0 DE
|
|
:10 44B0 00 05283F40EB46B012BA45C73F3D400001 DA
|
|
:10 44C0 00 0E413E504300B012D8450C412C533D40 A4
|
|
:10 44D0 00 00012E413F400024B01268451F930524 7F
|
|
:10 44E0 00 3F401F47B012BA45B03F3F403F47B012 70
|
|
:10 44F0 00 BA45911202000F930F243F406247B012 59
|
|
:10 4500 00 BA450312031230127F00B0122C450F43 3C
|
|
:10 4510 00 31504A01304022453F407147B012BA45 00
|
|
:10 4520 00 943F32D0F000FD3F304054461F410200 1E
|
|
:10 4530 00 02124F4F8F103FD00080024FB0121000 78
|
|
:10 4540 00 324130410D120E120F1230123000B012 F3
|
|
:10 4550 00 2C45315230410D120E120F1230123100 23
|
|
:10 4560 00 B0122C45315230410B12041204412452 36
|
|
:10 4570 00 21838443FAFF3B40FAFF0B540B120C12 C9
|
|
:10 4580 00 0D120E120F1230123300B0122C451F44 C0
|
|
:10 4590 00 FAFF31500E0034413B4130410E120F12 F0
|
|
:10 45A0 00 2312B0122C453150060030418F110F12 EA
|
|
:10 45B0 00 0312B0122C45215230410B120B4F033C 19
|
|
:10 45C0 00 1B53B012AC456F4B4F93FA237F400A00 48
|
|
:10 45D0 00 B012AC453B4130410C4F043CFC4E0000 56
|
|
:10 45E0 00 1C533D530D93FA2330410B120A120912 4A
|
|
:10 45F0 00 08123D900600092C0C4F043CCC4E0000 E4
|
|
:10 4600 00 1C533D530D93FA23203C4E4E4B4E0B93 BF
|
|
:10 4610 00 03240C4B8C100BDC1FB306243D53CF4E F0
|
|
:10 4620 00 0000094F1953013C094F0C4D12C30C10 E7
|
|
:10 4630 00 0A49084C8A4B00002A533853FB230C5C 70
|
|
:10 4640 00 0C591DF30224CC4E0000384139413A41 47
|
|
:06 4650 00 3B4130410013 64
|
|
:10 4656 00 57656C636F6D6520746F207468652073 91
|
|
:10 4666 00 65637572652070726F6772616D206C6F 1D
|
|
:10 4676 00 616465722E00506C6561736520656E74 A9
|
|
:10 4686 00 6572207365636F6E6420737461676520 5D
|
|
:10 4696 00 6C6F616420616464726573732E00506C 84
|
|
:10 46A6 00 6561736520656E746572207468652073 34
|
|
:10 46B6 00 65636F6E642073746167652070726F67 DF
|
|
:10 46C6 00 72616D2E00506C6561736520656E7465 50
|
|
:10 46D6 00 722070726F6772616D207369676E6174 A4
|
|
:10 46E6 00 7572652E004C6F616420616464726573 37
|
|
:10 46F6 00 73206F75747369646520616C6C6F7765 80
|
|
:10 4706 00 642072616E6765206F66203078383030 BD
|
|
:10 4716 00 302D30784630303000496E636F727265 E6
|
|
:10 4726 00 6374207369676E61747572652C20636F 9C
|
|
:10 4736 00 6E74696E75696E67005369676E617475 2C
|
|
:10 4746 00 72652076616C69642C20657865637574 82
|
|
:10 4756 00 696E67207061796C6F61640041434345 FF
|
|
:10 4766 00 5353204752414E544544004143434553 19
|
|
:0A 4776 00 532044454E4945440000 1D
|
|
:10 4780 00 B6458AAE646E18722450B46348F3A09B 99
|
|
:10 4790 00 4BE01A9E69EDC9516A0752CC17D27D6F 62
|
|
:10 FF80 00 28452845284528452845284528452845 09
|
|
:10 FF90 00 28452845284528452845284528450044 22
|
|
:04 0000 03 00004400 B5
|
|
:00 0000 01 FF
|
|
|
|
Obj:
|
|
0010 <__trap_interrupt>
|
|
0010: 3041 ret
|
|
4400 <__watchdog_support>
|
|
4400: 5542 5c01 mov.b &0x015c, r5
|
|
4404: 35d0 085a bis #0x5a08, r5
|
|
4408: 8245 2024 mov r5, &0x2420
|
|
440c <__init_stack>
|
|
440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
|
|
4410 <__do_copy_data>
|
|
4410: 3f40 2000 mov #0x20, r15
|
|
4414: 0f93 tst r15
|
|
4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
|
|
4418: 9242 2024 5c01 mov &0x2420, &0x015c
|
|
441e: 2f83 decd r15
|
|
4420: 9f4f 8047 0024 mov 0x4780(r15), 0x2400(r15)
|
|
4426: f823 jnz #0x4418 <__do_copy_data+0x8>
|
|
4428 <__do_clear_bss>
|
|
4428: 3f40 0000 clr r15
|
|
442c: 0f93 tst r15
|
|
442e: 0724 jz #0x443e <main+0x0>
|
|
4430: 9242 2024 5c01 mov &0x2420, &0x015c
|
|
4436: 1f83 dec r15
|
|
4438: cf43 2024 mov.b #0x0, 0x2420(r15)
|
|
443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
|
|
|
|
443e <main>
|
|
; stack frame, 0x144 bytes: [loadaddr: 2 B][signature: 0x40 B + 1 B terminator][payload: 0x100 B + 1 B terminator]
|
|
; void * loadaddr = 0 // >=> sp
|
|
; char signature[0x41] // >=> sp+2
|
|
; char payload[0x101] // >=> sp+0x43
|
|
443e: 3150 bcfe add #0xfebc, sp
|
|
|
|
; puts ("Welcome to the secure program loader.")
|
|
4442: 3f40 5646 mov #0x4656 "Welcome to the secure program loader.", r15
|
|
4446: b012 ba45 call #0x45ba <puts>
|
|
loop:
|
|
; void * loadaddr = 0 // >=> sp
|
|
444a: 8143 0000 clr 0x0(sp)
|
|
|
|
; puts ("Please enter second stage load address.")
|
|
444e: 3f40 7c46 mov #0x467c "Please enter second stage load address.", r15
|
|
4452: b012 ba45 call #0x45ba <puts>
|
|
|
|
; getsn (&loadaddr, 2)
|
|
4456: 2e43 mov #0x2, r14
|
|
4458: 0f41 mov sp, r15
|
|
445a: b012 9c45 call #0x459c <getsn>
|
|
|
|
; puts ("Please enter the second stage program.")
|
|
445e: 3f40 a446 mov #0x46a4 "Please enter the second stage program.", r15
|
|
4462: b012 ba45 call #0x45ba <puts>
|
|
|
|
; char payload[0x101] // >=> sp+0x43
|
|
; memset (&payload /*sp+0x43*/, 0, 0x101)
|
|
4466: 3d40 0101 mov #0x101, r13
|
|
446a: 0e43 clr r14
|
|
446c: 0f41 mov sp, r15
|
|
446e: 3f50 4300 add #0x43, r15
|
|
4472: b012 ea45 call #0x45ea <memset>
|
|
|
|
; getsn (&payload /*sp+0x43*/, 0x100) // read 0x100 (256) bytes into sp+0x43
|
|
4476: 3e40 0001 mov #0x100, r14
|
|
447a: 0f41 mov sp, r15
|
|
447c: 3f50 4300 add #0x43, r15
|
|
4480: b012 9c45 call #0x459c <getsn>
|
|
|
|
; puts ("Please enter program signature.")
|
|
4484: 3f40 cb46 mov #0x46cb "Please enter program signature.", r15
|
|
4488: b012 ba45 call #0x45ba <puts>
|
|
|
|
; char signature[0x41] = sp+2
|
|
; memset(&signature /* sp+2 */, 0, 0x41)
|
|
448c: 3d40 4100 mov #0x41, r13
|
|
4490: 0e43 clr r14
|
|
4492: 0f41 mov sp, r15
|
|
4494: 2f53 incd r15
|
|
4496: b012 ea45 call #0x45ea <memset>
|
|
|
|
; getsn (signature /* sp+2 */, 0x40)
|
|
449a: 3e40 4000 mov #0x40, r14
|
|
449e: 0f41 mov sp, r15
|
|
44a0: 2f53 incd r15
|
|
44a2: b012 9c45 call #0x459c <getsn>
|
|
|
|
; if (loadaddr & 0x8000 && loadaddr < 0xf001)
|
|
44a6: 2f41 mov @sp, r15
|
|
44a8: 0f93 tst r15
|
|
44aa: 0334 jge #0x44b2 <main+0x74> <else_44b2>
|
|
44ac: 3f90 01f0 cmp #0xf001, r15
|
|
44b0: 0528 jnc #0x44bc <main+0x7e> <if_44ba>
|
|
else_44b2:
|
|
; puts ("Load address outside allowed range of 0x8000-0xF000")
|
|
44b2: 3f40 eb46 mov #0x46eb "Load address outside allowed range of 0x8000-0xF000", r15
|
|
44b6: b012 ba45 call #0x45ba <puts>
|
|
; goto loop
|
|
44ba: c73f jmp #0x444a <main+0xc>
|
|
if_44ba:
|
|
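; memcpy (loadaddr, &payload, 0x100) // r15 still holds loadaddr from 44a6
; NOTE: the payload is written to loadaddr before verify_ed25519 runs, and the
; reject path at 44e0 loops back without clearing it. A loader should verify the
; staged buffer first and copy to the load region only on success.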
|
|
44bc: 3d40 0001 mov #0x100, r13
|
|
44c0: 0e41 mov sp, r14
|
|
44c2: 3e50 4300 add #0x43, r14
|
|
44c6: b012 d845 call #0x45d8 <memcpy>
|
|
|
|
; verify_ed25519 (0x2400 /* pubkey */, loadaddr, 0x100, signature /* sp+2 */)
|
|
44ca: 0c41 mov sp, r12
|
|
44cc: 2c53 incd r12
|
|
44ce: 3d40 0001 mov #0x100, r13
|
|
44d2: 2e41 mov @sp, r14
|
|
44d4: 3f40 0024 mov #0x2400, r15
|
|
44d8: b012 6845 call #0x4568 <verify_ed25519>
|
|
; if (verify_ed25519 (...) == 1) goto if@44ea
|
|
44dc: 1f93 cmp #0x1, r15
|
|
44de: 0524 jeq #0x44ea <main+0xac>
|
|
else@44e0:
|
|
; puts ("Incorrect signature, continuing")
|
|
44e0: 3f40 1f47 mov #0x471f "Incorrect signature, continuing", r15
|
|
44e4: b012 ba45 call #0x45ba <puts>
|
|
; end of loop
|
|
44e8: b03f jmp #0x444a <main+0xc>
|
|
if@44ea:
|
|
; puts ("Signature valid, executing payload")
|
|
44ea: 3f40 3f47 mov #0x473f "Signature valid, executing payload", r15
|
|
44ee: b012 ba45 call #0x45ba <puts>
|
|
; loadaddr()
|
|
44f2: 9112 0200 call 0x2(sp)
|
|
; if (r15 == 0) goto ACCESS_DENIED
|
|
44f6: 0f93 tst r15
|
|
44f8: 0f24 jz #0x4518 <main+0xda>
|
|
; puts ("ACCESS GRANTED")
|
|
44fa: 3f40 6247 mov #0x4762 "ACCESS GRANTED", r15
|
|
44fe: b012 ba45 call #0x45ba <puts>
|
|
; INT(7f, 0, 0)
|
|
4502: 0312 push #0x0
|
|
4504: 0312 push #0x0
|
|
4506: 3012 7f00 push #0x7f
|
|
450a: b012 2c45 call #0x452c <INT>
|
|
; exit (0)
|
|
450e: 0f43 clr r15
|
|
4510: 3150 4a01 add #0x14a, sp
|
|
4514: 3040 2245 br #0x4522 <__stop_progExec__>
|
|
ACCESS_DENIED:
|
|
; puts ("ACCESS DENIED")
|
|
4518: 3f40 7147 mov #0x4771 "ACCESS DENIED", r15
|
|
451c: b012 ba45 call #0x45ba <puts>
|
|
; goto loop
|
|
4520: 943f jmp #0x444a <main+0xc> <loop>
|
|
;; end main
|
|
|
|
4522 <__stop_progExec__>
|
|
4522: 32d0 f000 bis #0xf0, sr
|
|
4526: fd3f jmp #0x4522 <__stop_progExec__+0x0>
|
|
4528 <__ctors_end>
|
|
4528: 3040 5446 br #0x4654 <_unexpected_>
|
|
452c <INT>
; void INT (int number, ...) -- common gate used by main, sha1, sha256,
; verify_ed25519, getsn and putchar. Callers push their arguments and then the
; interrupt number; this routine encodes the number into sr and calls
; 0x0010 <__trap_interrupt>.
|
|
; r15 = interrupt number: the first stack argument (0x0(sp) holds the return address)
452c: 1f41 0200 mov 0x2(sp), r15
|
|
; save the caller's status register so it can be restored at 4540
4530: 0212 push sr
|
|
; keep only the low byte of the number
4532: 4f4f mov.b r15, r15
|
|
; move that byte into the high half of r15
4534: 8f10 swpb r15
|
|
; set bit 15, giving r15 = 0x8000 | (number << 8)
4536: 3fd0 0080 bis #0x8000, r15
|
|
; publish the encoded request in sr
453a: 024f mov r15, sr
|
|
; 0x0010 contains only a ret on this page; presumably the platform services the
; request when execution reaches it -- not shown here, confirm against the platform docs
453c: b012 1000 call #0x10
|
|
; restore the caller's status register
4540: 3241 pop sr
|
|
; arguments are left on the stack; each caller pops them after the call returns
4542: 3041 ret
|
|
|
|
4544 <sha1>
|
|
4544: 0d12 push r13
|
|
4546: 0e12 push r14
|
|
4548: 0f12 push r15
|
|
454a: 3012 3000 push #0x30
|
|
454e: b012 2c45 call #0x452c <INT>
|
|
4552: 3152 add #0x8, sp
|
|
4554: 3041 ret
|
|
4556 <sha256>
|
|
4556: 0d12 push r13
|
|
4558: 0e12 push r14
|
|
455a: 0f12 push r15
|
|
455c: 3012 3100 push #0x31
|
|
4560: b012 2c45 call #0x452c <INT>
|
|
4564: 3152 add #0x8, sp
|
|
4566: 3041 ret
|
|
|
|
4568 <verify_ed25519>
|
|
; int verify_ed25519(char * pubkey, void * load_address, size_t size, char * signature) { ...
|
|
4568: 0b12 push r11
|
|
456a: 0412 push r4
|
|
; size_t result = 0; // stored at -0x6(r4), the word reserved by "decd sp" (r4 = sp+4 before the decd)
|
|
456c: 0441 mov sp, r4
|
|
456e: 2452 add #0x4, r4
|
|
4570: 2183 decd sp
|
|
4572: 8443 faff clr -0x6(r4)
|
|
4576: 3b40 faff mov #0xfffa, r11
|
|
457a: 0b54 add r4, r11
|
|
; INT (0x33, pubkey, load_address, size, signature, &result); // r11 = r4-6 = &result
|
|
4576: 3b40 faff mov #0xfffa, r11
|
|
457a: 0b54 add r4, r11
|
|
457c: 0b12 push r11
|
|
457e: 0c12 push r12
|
|
4580: 0d12 push r13
|
|
4582: 0e12 push r14
|
|
4584: 0f12 push r15
|
|
4586: 3012 3300 push #0x33
|
|
458a: b012 2c45 call #0x452c <INT>
|
|
; return result;
|
|
458e: 1f44 faff mov -0x6(r4), r15
|
|
4592: 3150 0e00 add #0xe, sp
|
|
4596: 3441 pop r4
|
|
4598: 3b41 pop r11
|
|
459a: 3041 ret
|
|
|
|
459c <getsn>
|
|
459c: 0e12 push r14
|
|
459e: 0f12 push r15
|
|
45a0: 2312 push #0x2
|
|
45a2: b012 2c45 call #0x452c <INT>
|
|
45a6: 3150 0600 add #0x6, sp
|
|
45aa: 3041 ret
|
|
|
|
45ac <putchar> ; int putchar (int char);
|
|
45ac: 8f11 sxt r15
|
|
45ae: 0f12 push r15
|
|
45b0: 0312 push #0x0
|
|
45b2: b012 2c45 call #0x452c <INT>
|
|
45b6: 2152 add #0x4, sp
|
|
45b8: 3041 ret
|
|
|
|
45ba <puts> ; void puts (char *str);
|
|
45ba: 0b12 push r11
|
|
; char c;
|
|
45bc: 0b4f mov r15, r11
|
|
45be: 033c jmp #0x45c6 <puts+0xc>
|
|
; str++ v
|
|
45c0: 1b53 inc r11
|
|
; putchar()
|
|
45c2: b012 ac45 call #0x45ac <putchar>
|
|
; while (c = *str) ^
|
|
45c6: 6f4b mov.b @r11, r15
|
|
45c8: 4f93 tst.b r15
|
|
45ca: fa23 jnz #0x45c0 <puts+0x6>
|
|
; putchar ('\n');
|
|
45cc: 7f40 0a00 mov.b #0xa, r15
|
|
45d0: b012 ac45 call #0x45ac <putchar>
|
|
; return (implicit)
|
|
45d4: 3b41 pop r11
|
|
45d6: 3041 ret
|
|
|
|
45d8 <memcpy>
|
|
45d8: 0c4f mov r15, r12
|
|
45da: 043c jmp #0x45e4 <memcpy+0xc>
|
|
45dc: fc4e 0000 mov.b @r14+, 0x0(r12)
|
|
45e0: 1c53 inc r12
|
|
45e2: 3d53 add #-0x1, r13
|
|
45e4: 0d93 tst r13
|
|
45e6: fa23 jnz #0x45dc <memcpy+0x4>
|
|
45e8: 3041 ret
|
|
45ea <memset>
|
|
45ea: 0b12 push r11
|
|
45ec: 0a12 push r10
|
|
45ee: 0912 push r9
|
|
45f0: 0812 push r8
|
|
45f2: 3d90 0600 cmp #0x6, r13
|
|
45f6: 092c jc #0x460a <memset+0x20>
|
|
45f8: 0c4f mov r15, r12
|
|
45fa: 043c jmp #0x4604 <memset+0x1a>
|
|
45fc: cc4e 0000 mov.b r14, 0x0(r12)
|
|
4600: 1c53 inc r12
|
|
4602: 3d53 add #-0x1, r13
|
|
4604: 0d93 tst r13
|
|
4606: fa23 jnz #0x45fc <memset+0x12>
|
|
4608: 203c jmp #0x464a <memset+0x60>
|
|
460a: 4e4e mov.b r14, r14
|
|
460c: 4b4e mov.b r14, r11
|
|
460e: 0b93 tst r11
|
|
4610: 0324 jz #0x4618 <memset+0x2e>
|
|
4612: 0c4b mov r11, r12
|
|
4614: 8c10 swpb r12
|
|
4616: 0bdc bis r12, r11
|
|
4618: 1fb3 bit #0x1, r15
|
|
461a: 0624 jz #0x4628 <memset+0x3e>
|
|
461c: 3d53 add #-0x1, r13
|
|
461e: cf4e 0000 mov.b r14, 0x0(r15)
|
|
4622: 094f mov r15, r9
|
|
4624: 1953 inc r9
|
|
4626: 013c jmp #0x462a <memset+0x40>
|
|
4628: 094f mov r15, r9
|
|
462a: 0c4d mov r13, r12
|
|
462c: 12c3 clrc
|
|
462e: 0c10 rrc r12
|
|
4630: 0a49 mov r9, r10
|
|
4632: 084c mov r12, r8
|
|
4634: 8a4b 0000 mov r11, 0x0(r10)
|
|
4638: 2a53 incd r10
|
|
463a: 3853 add #-0x1, r8
|
|
463c: fb23 jnz #0x4634 <memset+0x4a>
|
|
463e: 0c5c add r12, r12
|
|
4640: 0c59 add r9, r12
|
|
4642: 1df3 and #0x1, r13
|
|
4644: 0224 jz #0x464a <memset+0x60>
|
|
4646: cc4e 0000 mov.b r14, 0x0(r12)
|
|
464a: 3841 pop r8
|
|
464c: 3941 pop r9
|
|
464e: 3a41 pop r10
|
|
4650: 3b41 pop r11
|
|
4652: 3041 ret
|
|
4654 <_unexpected_>
|
|
4654: 0013 reti pc
|
|
4656 .strings:
|
|
4656: "Welcome to the secure program loader."
|
|
467c: "Please enter second stage load address."
|
|
46a4: "Please enter the second stage program."
|
|
46cb: "Please enter program signature."
|
|
46eb: "Load address outside allowed range of 0x8000-0xF000"
|
|
471f: "Incorrect signature, continuing"
|
|
473f: "Signature valid, executing payload"
|
|
4762: "ACCESS GRANTED"
|
|
4771: "ACCESS DENIED"
|
|
|
|
Text:
|
|
Lockitall LOCKIT 2 r A.01
|
|
______________________________________________________________________
|
|
|
|
User Manual: Lockitall LockIT 2, rev a.01
|
|
______________________________________________________________________
|
|
|
|
|
|
OVERVIEW
|
|
|
|
- Lockitall is under new management.
|
|
- The lock has been put together from bits of leftover scrap from
|
|
the old factory.
|
|
|
|
|
|
DETAILS
|
|
|
|
The LockIT 2 A.02 is the second of a new series of locks. It is
|
|
controlled by a MSP430 microcontroller. The MSP430 is a very low-
|
|
power device, chosen because we found several crates of old stock.
|
|
|
|
This lock only accepts biometric and NFC inputs, and does not have
|
|
a traditional password prompt.
|
|
|
|
To support rapid development cycles this lock accepts a program
|
|
from the old password input prompt. The program must be signed by
|
|
Lockitall, so engineering aren't concerned it will be used
|
|
maliciously. There are two programs, one of which is below in hex
|
|
format and is used in the factory to test proper lock operation.
|
|
The other program, not reproduced here, is restricted and only
|
|
available internally at Lockitall.
|
|
|
|
Load address:
|
|
8000
|
|
|
|
Program text:
|
|
3540088000450545054505450545054505450f433041
|
|
|
|
Signature:
|
|
8605e027f42368ea6bba9de66409f6a8ddedcd49614a4648281c47a7b4ad252f5
|
|
639069b17ba8ff104d371e2d8a625b038f0750667364087e7987e40ea81510f
|
|
|
|
This is Hardware Version Beta.
|
|
|
|
This is Software Revision 02.
|
|
|
|
|
|
|
|
(c) 2021 LOCKITALL Page 1/1
|
|
|
|
|
|
Prereqs: "Vancouver",
|
|
Name: "Cold Lake",
|
|
X: 135,
|
|
Y: 140,
|
|
Rating: 20,
|
|
Patch: ""
|