Instructions:
|
|
Size | Addr | CT | Data | Checksum?
|
|
-- -:|------|----|----------------------------------|----------
|
|
10 | 4400 | 00 | 55425C0135D0085A8245202831400044 | 8D
|
|
10 | 4410 | 00 | 3F4020000F930824924220285C012F83 | 04
|
|
10 | 4420 | 00 | 9F4F6E470024F8233F4000040F930724 | 5A
|
|
10 | 4430 | 00 | 924220285C011F83CF432024F9233150 | 6E
|
|
10 | 4440 | 00 | C0FF3F408646B012CA453F40AC46B012 | 5E
|
|
10 | 4450 | 00 | CA453D4000040E433F402024B0121A46 | 96
|
|
10 | 4460 | 00 | 3E40FF033F402024B012AC455B422024 | 75
|
|
10 | 4470 | 00 | 8B105F4221240BDF594222245A422324 | 0D
|
|
10 | 4480 | 00 | 0B9303343B9001F005283F40C846B012 | 1F
|
|
10 | 4490 | 00 | CA45DB3F0F4A3F50FAFF3F90BB030528 | 58
|
|
10 | 44A0 | 00 | 3F40FC46B012CA45D03F084A38502024 | 4D
|
|
10 | 44B0 | 00 | 3D4040000E480F41B012E84519930D20 | D1
|
|
10 | 44C0 | 00 | 0D410E4A3F402024B01266453D404000 | 59
|
|
10 | 44D0 | 00 | 0E480F41B012FA45103C099309200C41 | D7
|
|
10 | 44E0 | 00 | 0D4A3E4020243F400024B0127845053C | 50
|
|
10 | 44F0 | 00 | 3F401347B012CA45A83F1F9305243F40 | D1
|
|
10 | 4500 | 00 | 2A47B012CA45A13F3F404A47B012CA45 | A8
|
|
10 | 4510 | 00 | 0D4A3E4024240F4BB012E8458B12953F | C4
|
|
10 | 4520 | 00 | 32D0F000FD3F304084461F4102000212 | AD
|
|
10 | 4530 | 00 | 4F4F8F103FD00080024FB01210003241 | 19
|
|
10 | 4540 | 00 | 30410D120E120F1230123000B0122A45 | F7
|
|
10 | 4550 | 00 | 315230410D120E120F1230123100B012 | D2
|
|
10 | 4560 | 00 | 2A45315230410D120E120F1230123200 | 14
|
|
10 | 4570 | 00 | B0122A45315230410B12041204412452 | 28
|
|
10 | 4580 | 00 | 21838443FAFF3B40FAFF0B540B120C12 | B9
|
|
10 | 4590 | 00 | 0D120E120F1230123300B0122A451F44 | B2
|
|
10 | 45A0 | 00 | FAFF31500E0034413B4130410E120F12 | E0
|
|
10 | 45B0 | 00 | 2312B0122A453150060030418F110F12 | DC
|
|
10 | 45C0 | 00 | 0312B0122A45215230410B120B4F033C | 0B
|
|
10 | 45D0 | 00 | 1B53B012BC456F4B4F93FA237F400A00 | 28
|
|
10 | 45E0 | 00 | B012BC453B4130410C4F043CFC4E0000 | 36
|
|
10 | 45F0 | 00 | 1C533D530D93FA2330410B120D930A24 | A3
|
|
10 | 4600 | 00 | 7B4F7C4E4B9C04244F4B4E4C0F8E033C | F7
|
|
10 | 4610 | 00 | 3D53F43F0F433B4130410B120A120912 | 44
|
|
10 | 4620 | 00 | 08123D900600092C0C4F043CCC4E0000 | B3
|
|
10 | 4630 | 00 | 1C533D530D93FA23203C4E4E4B4E0B93 | 8F
|
|
10 | 4640 | 00 | 03240C4B8C100BDC1FB306243D53CF4E | C0
|
|
10 | 4650 | 00 | 0000094F1953013C094F0C4D12C30C10 | B7
|
|
10 | 4660 | 00 | 0A49084C8A4B00002A533853FB230C5C | 40
|
|
10 | 4670 | 00 | 0C591DF30224CC4E0000384139413A41 | 17
|
|
06 | 4680 | 00 | 3B4130410013 | 34
|
|
|
|
Strings:
|
|
Size | Addr | CT | Data | Checksum?
|
|
-- -:|------|----|----------------------------------|----------
|
|
10 | 4686 | 00 | 57656C636F6D6520746F207468652073 | 61
|
|
10 | 4696 | 00 | 65637572652070726F6772616D206C6F | ED
|
|
10 | 46A6 | 00 | 616465722E00506C6561736520656E74 | 79
|
|
10 | 46B6 | 00 | 6572206465627567207061796C6F6164 | EC
|
|
10 | 46C6 | 00 | 2E004C6F61642061646472657373206F | A1
|
|
10 | 46D6 | 00 | 75747369646520616C6C6F7765642072 | AC
|
|
10 | 46E6 | 00 | 616E6765206F66203078383030302D30 | 47
|
|
10 | 46F6 | 00 | 784630303000496E76616C6964207061 | AE
|
|
10 | 4706 | 00 | 796C6F6164206C656E67746800496E76 | BB
|
|
10 | 4716 | 00 | 616C6964207369676E61747572652074 | 73
|
|
10 | 4726 | 00 | 79706500496E636F7272656374207369 | 90
|
|
10 | 4736 | 00 | 676E61747572652C20636F6E74696E75 | 31
|
|
10 | 4746 | 00 | 696E67005369676E6174757265207661 | 7C
|
|
10 | 4756 | 00 | 6C69642C20657865637574696E672070 | 72
|
|
08 | 4766 | 00 | 61796C6F61640000 | D1
|
|
|
|
10 | 476E | 00 | A09AE3E830085A0169641E1E22118B45 | 97
|
|
10 | 477E | 00 | 7F9A95E7A133643CB578FB0C25940C4F | DA
|
|
10 | FF80 | 00 | 26452645264526452645264526452645 | 19
|
|
10 | FF90 | 00 | 26452645264526452645264526450044 | 30
|
|
04 | 0000 | 03 | 00004400 | B5
|
|
00 | 0000 | 01 | | FF
|
|
|
|
|
|
Obj:
|
|
; __trap_interrupt: stub at 0x0010 that INT (0x452a) calls after it has
; encoded the request number into sr. The body is a bare `ret`.
; NOTE(review): the request is presumably serviced by the platform when
; execution reaches this address -- nothing in this listing shows how.
0010 <__trap_interrupt>
|
|
0010: 3041 ret
|
|
; __watchdog_support: first start-up fragment; falls through to __init_stack.
; Reads the byte at 0x015c, ORs in 0x5a08 and caches the word at 0x2820.
; The copy and clear loops that follow write the cached word back to 0x015c
; on every pass.
; NOTE(review): 0x015c looks like the MSP430 watchdog control register and
; 0x5a its write password -- confirm against the device documentation.
4400 <__watchdog_support>
|
|
4400: 5542 5c01 mov.b &0x015c, r5
|
|
4404: 35d0 085a bis #0x5a08, r5
|
|
4408: 8245 2028 mov r5, &0x2820 ; cached value reused at 0x4418 and 0x4430
|
|
; __init_stack: loads sp with 0x4400, the address at which the code image starts.
; Pushes decrement sp, so the stack occupies the memory just below the code.
440c <__init_stack>
|
|
440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
|
|
; __do_copy_data: copies 0x20 bytes from 0x476e in the image to 0x2400 in RAM,
; one word per pass, highest word first (r15 counts down 0x1e, 0x1c, ... 0).
; The source bytes are the two 0x476e/0x477e records in the hex dump.
; NOTE(review): main later passes 0x2400 as the first argument of
; verify_ed25519, so this is presumably the 32-byte public key -- confirm.
4410 <__do_copy_data>
|
|
4410: 3f40 2000 mov #0x20, r15 ; byte count
|
|
4414: 0f93 tst r15
|
|
4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
|
|
4418: 9242 2028 5c01 mov &0x2820, &0x015c ; rewrite the cached word from __watchdog_support
|
|
441e: 2f83 decd r15 ; r15 -= 2; sets the flags tested by jnz below
|
|
4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15)
|
|
4426: f823 jnz #0x4418 <__do_copy_data+0x8>
|
|
; __do_clear_bss: zeroes the 0x400 bytes at 0x2420..0x281f, one byte per pass
; from the top down, then falls through into main at 0x443e.
; 0x2420 is the same region main uses as its input buffer.
4428 <__do_clear_bss>
|
|
4428: 3f40 0004 mov #0x400, r15 ; byte count
|
|
442c: 0f93 tst r15
|
|
442e: 0724 jz #0x443e <main+0x0>
|
|
4430: 9242 2028 5c01 mov &0x2820, &0x015c ; rewrite the cached word from __watchdog_support
|
|
4436: 1f83 dec r15 ; sets the flags tested by jnz below
|
|
4438: cf43 2024 mov.b #0x0, 0x2420(r15)
|
|
443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
|
|
|
|
; main: the "secure program loader" loop.
; Reads up to 0x3ff bytes into the static buffer at 0x2420 and parses a 4-byte header:
;   [0..1] load address (big-endian)   [2] signature type   [3] length
; A 64-byte signature is read from 0x2420 + length. Type 0 is checked by
; verify_ed25519, type 1 by sha512 + memcmp. If r15 == 1 afterwards, `length`
; bytes starting at 0x2424 are copied to the load address and called.
; Registers: r11 = load address, r9 = signature type, r10 = length,
;            r8 = pointer to the signature inside the static buffer.
; Every failure path jumps back to the prompt at 0x444a; the loop has no exit.
443e <main>
|
|
; char signature_buffer[64];   (sp -= 0x40; the buffer starts at sp)
|
|
443e: 3150 c0ff add #0xffc0, sp
|
|
|
|
; puts ("Welcome to the secure program loader.");
|
|
4442: 3f40 8646 mov #0x4686 "Welcome to the secure program loader.", r15
|
|
4446: b012 ca45 call #0x45ca <puts>
|
|
; puts ("Please enter debug payload.");   <- 0x444a is the target of every `continue`
|
|
444a: 3f40 ac46 mov #0x46ac "Please enter debug payload.", r15
|
|
444e: b012 ca45 call #0x45ca <puts>
|
|
|
|
; char * static_buffer = (char *) 0x2420;
|
|
; memset (0x2420, 0, 0x400);   the buffer is wiped before every read
|
|
4452: 3d40 0004 mov #0x400, r13
|
|
4456: 0e43 clr r14
|
|
4458: 3f40 2024 mov #0x2420, r15
|
|
445c: b012 1a46 call #0x461a <memset>
|
|
|
|
; getsn (0x2420 /* static_buffer */, 0x3ff);   limit is one less than the buffer size
|
|
4460: 3e40 ff03 mov #0x3ff, r14
|
|
4464: 3f40 2024 mov #0x2420, r15
|
|
4468: b012 ac45 call #0x45ac <getsn>
|
|
|
|
; unsigned short loadaddr = (static_buffer[0] << 8) | static_buffer[1];   big-endian, kept in r11
|
|
446c: 5b42 2024 mov.b &0x2420, r11
|
|
4470: 8b10 swpb r11
|
|
4472: 5f42 2124 mov.b &0x2421, r15
|
|
4476: 0bdf bis r15, r11
|
|
; char signature_type = static_buffer[2];   kept in r9
|
|
4478: 5942 2224 mov.b &0x2422, r9
|
|
; unsigned char payload_length = static_buffer[3];   kept in r10; the byte load leaves r10 in 0..0xff
|
|
447c: 5a42 2324 mov.b &0x2423, r10
|
|
|
|
; if (0x8000 <= loadaddr && loadaddr < 0xf001) {/* goto load_range_succeed */}
; Only the start address is range-checked; the later copy extends up to 0xff bytes past it.
|
|
4480: 0b93 tst r11
|
|
4482: 0334 jge #0x448a <main+0x4c> <load_range_fail>
|
|
4484: 3b90 01f0 cmp #0xf001, r11
|
|
4488: 0528 jnc #0x4494 <main+0x56> <load_range_succeed>
|
|
; else
|
|
load_range_fail:
|
|
; puts ("Load address outside allowed range of 0x8000-0xF000");
|
|
448a: 3f40 c846 mov #0x46c8 "Load address outside allowed range of 0x8000-0xF000", r15
|
|
448e: b012 ca45 call #0x45ca <puts>
|
|
; continue;
|
|
4492: db3f jmp #0x444a <main+0xc>
|
|
|
|
load_range_succeed:
|
|
; if ((unsigned)(payload_length - 6) >= 0x3bb)   -- jnc skips the error when the value is below 0x3bb
; Lengths under 6 wrap around and are rejected; because payload_length is a single byte,
; the upper bound can never trigger.
|
|
4494: 0f4a mov r10, r15
|
|
4496: 3f50 faff add #0xfffa, r15
|
|
449a: 3f90 bb03 cmp #0x3bb, r15
|
|
449e: 0528 jnc #0x44aa <main+0x6c>
|
|
; puts ("Invalid payload length");
|
|
44a0: 3f40 fc46 mov #0x46fc "Invalid payload length", r15
|
|
44a4: b012 ca45 call #0x45ca <puts>
|
|
; continue;
|
|
44a8: d03f jmp #0x444a <main+0xc>
|
|
|
|
; char * payload_signature = static_buffer+payload_length   (r8; at most 0x2420 + 0xff)
|
|
44aa: 084a mov r10, r8
|
|
44ac: 3850 2024 add #0x2420, r8
|
|
; memcpy (signature_buffer, payload_signature, 0x40)
; The 64-byte read ends inside the 0x400-byte buffer; bytes past the received input are the zeros left by memset.
|
|
44b0: 3d40 4000 mov #0x40, r13
|
|
44b4: 0e48 mov r8, r14
|
|
44b6: 0f41 mov sp, r15
|
|
44b8: b012 e845 call #0x45e8 <memcpy>
|
|
; if (signature_type == 0x1)
|
|
44bc: 1993 cmp #0x1, r9
|
|
44be: 0d20 jne #0x44da <main+0x9c>
|
|
; sha512 (static_buffer, payload_length, signature_buffer);
; Presumably writes the 64-byte digest into signature_buffer, replacing the copy made at 0x44b8 -- confirm.
; NOTE(review): SHA-512 is an unkeyed digest; at most this path checks integrity, not that the vendor signed the input.
|
|
44c0: 0d41 mov sp, r13
|
|
44c2: 0e4a mov r10, r14
|
|
44c4: 3f40 2024 mov #0x2420, r15
|
|
44c8: b012 6645 call #0x4566 <sha512>
|
|
; r15 = memcmp (signature_buffer, payload_signature, 0x40)   -- 0 on a match, a byte difference otherwise (see 0x45fa)
|
|
44cc: 3d40 4000 mov #0x40, r13
|
|
44d0: 0e48 mov r8, r14
|
|
44d2: 0f41 mov sp, r15
|
|
44d4: b012 fa45 call #0x45fa <memcmp>
|
|
44d8: 103c jmp #0x44fa <main+0xbc>
|
|
; if (signature_type != 0)
|
|
44da: 0993 tst r9
|
|
44dc: 0920 jnz #0x44f0 <main+0xb2> <signature_type_invalid>
|
|
; r15 = verify_ed25519 (0x2400, static_buffer, payload_length, signature_buffer)
; 0x2400 holds the 0x20 bytes that __do_copy_data copied from 0x476e (presumably the public key).
|
|
44de: 0c41 mov sp, r12
|
|
44e0: 0d4a mov r10, r13
|
|
44e2: 3e40 2024 mov #0x2420, r14
|
|
44e6: 3f40 0024 mov #0x2400, r15
|
|
44ea: b012 7845 call #0x4578 <verify_ed25519>
|
|
44ee: 053c jmp #0x44fa <main+0xbc> <uncond_jump_target_44fa>
|
|
signature_type_invalid:
|
|
; puts ("Invalid signature type");
|
|
44f0: 3f40 1347 mov #0x4713 "Invalid signature type", r15
|
|
44f4: b012 ca45 call #0x45ca <puts>
|
|
44f8: a83f jmp #0x444a <main+0xc>
|
|
uncond_jump_target_44fa:
|
|
; if (r15 != 0x1)
; NOTE(review): both verification paths share this test, but they use different result
; conventions: verify_ed25519 returns the handler's result word, while memcmp returns 0 when
; the buffers are equal. Comparing memcmp's result with 1 is therefore not an equality test.
; Each path should reduce its result to a boolean before reaching this check, and the
; digest-only mode should not be able to reach the execute branch at all.
|
|
44fa: 1f93 cmp #0x1, r15
|
|
44fc: 0524 jeq #0x4508 <main+0xca> ; else_4508
|
|
; puts ("Incorrect signature, continuing");
|
|
44fe: 3f40 2a47 mov #0x472a "Incorrect signature, continuing", r15
|
|
4502: b012 ca45 call #0x45ca <puts>
|
|
; continue;
|
|
4506: a13f jmp #0x444a <main+0xc>
|
|
|
|
else_4508:
|
|
; puts ("Signature valid, executing payload");
|
|
4508: 3f40 4a47 mov #0x474a "Signature valid, executing payload", r15
|
|
450c: b012 ca45 call #0x45ca <puts>
|
|
; memcpy (loadaddr, static_buffer + 4, payload_length)
; NOTE(review): the verifiers were given payload_length bytes starting at 0x2420 (header included),
; but this copy takes payload_length bytes starting at 0x2424, so its last 4 bytes lie outside the
; verified span (they are the start of the signature field). Copy payload_length - 4 bytes instead.
|
|
4510: 0d4a mov r10, r13
|
|
4512: 3e40 2424 mov #0x2424, r14
|
|
4516: 0f4b mov r11, r15
|
|
4518: b012 e845 call #0x45e8 <memcpy>
|
|
; payload();   indirect call to the freshly copied bytes at loadaddr
|
|
451c: 8b12 call r11
|
|
; continue;
|
|
451e: 953f jmp #0x444a <main+0xc>
|
|
|
|
; __stop_progExec__: sets bits 0xf0 in sr, then spins on itself.
; NOTE(review): on MSP430 those bits look like CPUOFF/OSCOFF/SCG0/SCG1
; (the deepest low-power mode) -- confirm.
; main ends with an unconditional jump back to 0x444a, so nothing in this
; listing falls through or branches to this address.
4520 <__stop_progExec__>
|
|
4520: 32d0 f000 bis #0xf0, sr
|
|
4524: fd3f jmp #0x4520 <__stop_progExec__+0x0>
|
|
; __ctors_end: a single branch to _unexpected_ (0x4684), which is a bare reti.
; The FF80/FF90 records in the hex dump hold the word 0x4526 in every slot but
; the last (0x4400), so this is presumably the default handler for every
; interrupt vector other than reset -- confirm against the vector layout.
4526 <__ctors_end>
|
|
4526: 3040 8446 br #0x4684 <_unexpected_>
|
|
; INT: software-interrupt gate used by every I/O and crypto wrapper in this listing.
; In:  the word at 2(sp), i.e. the last value the caller pushed, is the request number.
; Does: sr = 0x8000 | (number << 8); call 0x0010; restore sr.
; Clobbers r15. The remaining arguments stay on the caller's stack; how the
; handler reads them is not visible here.
452a <INT>
|
|
452a: 1f41 0200 mov 0x2(sp), r15 ; request number (0(sp) is the return address)
|
|
452e: 0212 push sr ; save the caller's status register
|
|
4530: 4f4f mov.b r15, r15 ; keep only the low byte
|
|
4532: 8f10 swpb r15 ; move it into the high byte
|
|
4534: 3fd0 0080 bis #0x8000, r15 ; set bit 15
|
|
4538: 024f mov r15, sr
|
|
453a: b012 1000 call #0x10 ; __trap_interrupt stub
|
|
453e: 3241 pop sr ; restore the saved status register
|
|
4540: 3041 ret
|
|
; sha1: wrapper for interrupt request 0x30.
; Pushes r13, r14, r15 and the request number, calls INT, then drops the
; 8 bytes it pushed. Nothing in this listing calls it.
; NOTE(review): the arguments are presumably (r15 = data, r14 = length,
; r13 = output buffer), as main's annotation for sha512 assumes -- confirm.
4542 <sha1>
|
|
4542: 0d12 push r13
|
|
4544: 0e12 push r14
|
|
4546: 0f12 push r15
|
|
4548: 3012 3000 push #0x30 ; request number, read by INT from 2(sp)
|
|
454c: b012 2a45 call #0x452a <INT>
|
|
4550: 3152 add #0x8, sp ; pop the four pushed words
|
|
4552: 3041 ret
|
|
; sha256: wrapper for interrupt request 0x31.
; Pushes r13, r14, r15 and the request number, calls INT, then drops the
; 8 bytes it pushed. Nothing in this listing calls it.
; NOTE(review): the arguments are presumably (r15 = data, r14 = length,
; r13 = output buffer), as main's annotation for sha512 assumes -- confirm.
4554 <sha256>
|
|
4554: 0d12 push r13
|
|
4556: 0e12 push r14
|
|
4558: 0f12 push r15
|
|
455a: 3012 3100 push #0x31 ; request number, read by INT from 2(sp)
|
|
455e: b012 2a45 call #0x452a <INT>
|
|
4562: 3152 add #0x8, sp ; pop the four pushed words
|
|
4564: 3041 ret
|
|
; sha512: wrapper for interrupt request 0x32.
; Pushes r13, r14, r15 and the request number, calls INT, then drops the
; 8 bytes it pushed. main calls it with r15 = 0x2420 (input buffer),
; r14 = the length byte and r13 = sp (its 64-byte stack buffer).
; NOTE(review): the digest is presumably written to the buffer in r13 -- confirm.
; A plain hash has no key, so it cannot show who produced the data.
4566 <sha512>
|
|
4566: 0d12 push r13
|
|
4568: 0e12 push r14
|
|
456a: 0f12 push r15
|
|
456c: 3012 3200 push #0x32 ; request number, read by INT from 2(sp)
|
|
4570: b012 2a45 call #0x452a <INT>
|
|
4574: 3152 add #0x8, sp ; pop the four pushed words
|
|
4576: 3041 ret
|
|
; verify_ed25519: wrapper for interrupt request 0x33.
; In:  r15, r14, r13, r12 -- main passes 0x2400, the input buffer at 0x2420,
;      the length byte and its stack copy of the signature, in that order.
; Out: r15 = a 16-bit result word. The handler receives a pointer to it; the
;      word is cleared before the call, so it stays 0 unless the handler writes it.
; Uses r4 as a frame pointer; r4 and r11 are saved and restored.
; NOTE(review): main treats a result of exactly 1 as "valid" -- presumably the
; handler stores 1 on success; confirm.
4578 <verify_ed25519>
|
|
4578: 0b12 push r11
|
|
457a: 0412 push r4
|
|
457c: 0441 mov sp, r4
|
|
457e: 2452 add #0x4, r4 ; r4 = address of the return-address slot
|
|
4580: 2183 decd sp ; reserve the 2-byte result local at -6(r4)
|
|
4582: 8443 faff clr -0x6(r4) ; result = 0 (fails closed)
|
|
4586: 3b40 faff mov #0xfffa, r11
|
|
458a: 0b54 add r4, r11 ; r11 = r4 - 6 = &result
|
|
458c: 0b12 push r11 ; pointer the handler writes the result through
|
|
458e: 0c12 push r12
|
|
4590: 0d12 push r13
|
|
4592: 0e12 push r14
|
|
4594: 0f12 push r15
|
|
4596: 3012 3300 push #0x33 ; request number, read by INT from 2(sp)
|
|
459a: b012 2a45 call #0x452a <INT>
|
|
459e: 1f44 faff mov -0x6(r4), r15 ; return the result word
|
|
45a2: 3150 0e00 add #0xe, sp ; drop six pushed words plus the 2-byte local
|
|
45a6: 3441 pop r4
|
|
45a8: 3b41 pop r11
|
|
45aa: 3041 ret
|
|
; getsn: wrapper for interrupt request 0x2.
; In:  r15 = destination buffer, r14 = limit (main passes 0x2420 and 0x3ff).
; Pushes both and the request number, calls INT, then drops the 6 bytes.
; NOTE(review): the bound is enforced, if at all, by the handler; this wrapper
; only forwards it. Presumably at most r14 bytes are stored -- confirm.
45ac <getsn>
|
|
45ac: 0e12 push r14
|
|
45ae: 0f12 push r15
|
|
45b0: 2312 push #0x2 ; request number, read by INT from 2(sp)
|
|
45b2: b012 2a45 call #0x452a <INT>
|
|
45b6: 3150 0600 add #0x6, sp ; pop the three pushed words
|
|
45ba: 3041 ret
|
|
; putchar: wrapper for interrupt request 0x0.
; In:  r15 = character; it is sign-extended from its low byte before being pushed.
; Pushes the character and the request number, calls INT, then drops the 4 bytes.
45bc <putchar>
|
|
45bc: 8f11 sxt r15
|
|
45be: 0f12 push r15
|
|
45c0: 0312 push #0x0 ; request number, read by INT from 2(sp)
|
|
45c2: b012 2a45 call #0x452a <INT>
|
|
45c6: 2152 add #0x4, sp ; pop the two pushed words
|
|
45c8: 3041 ret
|
|
; puts: writes the NUL-terminated string at r15 one byte at a time through
; putchar, then writes a newline (0x0a).
; In:  r15 = string pointer. r11 is used as the cursor and is saved/restored.
; There is no length limit: the loop ends only at the first zero byte.
45ca <puts>
|
|
45ca: 0b12 push r11
|
|
45cc: 0b4f mov r15, r11 ; r11 = cursor
|
|
45ce: 033c jmp #0x45d6 <puts+0xc> ; enter the loop at its test
|
|
45d0: 1b53 inc r11 ; advance past the byte already loaded into r15
|
|
45d2: b012 bc45 call #0x45bc <putchar>
|
|
45d6: 6f4b mov.b @r11, r15 ; load the next byte
|
|
45d8: 4f93 tst.b r15
|
|
45da: fa23 jnz #0x45d0 <puts+0x6> ; print it unless it is the terminator
|
|
45dc: 7f40 0a00 mov.b #0xa, r15 ; trailing newline
|
|
45e0: b012 bc45 call #0x45bc <putchar>
|
|
45e4: 3b41 pop r11
|
|
45e6: 3041 ret
|
|
; memcpy: forward byte-by-byte copy.
; In:  r15 = destination, r14 = source, r13 = byte count.
; Out: r15 is left unchanged (still the destination). Clobbers r12, r13, r14.
; No bounds are checked here; callers must validate the destination and count.
45e8 <memcpy>
|
|
45e8: 0c4f mov r15, r12 ; r12 = destination cursor
|
|
45ea: 043c jmp #0x45f4 <memcpy+0xc> ; test the count first, so a count of 0 copies nothing
|
|
45ec: fc4e 0000 mov.b @r14+, 0x0(r12) ; copy one byte, post-incrementing the source
|
|
45f0: 1c53 inc r12
|
|
45f2: 3d53 add #-0x1, r13
|
|
45f4: 0d93 tst r13
|
|
45f6: fa23 jnz #0x45ec <memcpy+0x4>
|
|
45f8: 3041 ret
|
|
; memcmp: compares r13 bytes at r15 with r13 bytes at r14.
; Out: r15 = 0 when every byte matches (or r13 is 0); otherwise the difference
;      between the first pair of differing bytes (byte from r15 minus byte from
;      r14, each zero-extended), so a non-zero value between -255 and 255.
; r11 is saved/restored; r12, r13, r14 are clobbered.
; NOTE(review): the loop stops at the first mismatch, so its run time depends on
; how many leading bytes agree. Callers must test the result against 0 for
; equality; any other constant selects one particular byte difference.
45fa <memcmp>
|
|
45fa: 0b12 push r11
|
|
45fc: 0d93 tst r13
|
|
45fe: 0a24 jz #0x4614 <memcmp+0x1a> ; nothing left to compare -> equal
|
|
4600: 7b4f mov.b @r15+, r11 ; next byte of the first buffer
|
|
4602: 7c4e mov.b @r14+, r12 ; next byte of the second buffer
|
|
4604: 4b9c cmp.b r12, r11
|
|
4606: 0424 jeq #0x4610 <memcmp+0x16>
|
|
4608: 4f4b mov.b r11, r15 ; mismatch: return first byte minus second byte
|
|
460a: 4e4c mov.b r12, r14
|
|
460c: 0f8e sub r14, r15
|
|
460e: 033c jmp #0x4616 <memcmp+0x1c>
|
|
4610: 3d53 add #-0x1, r13
|
|
4612: f43f jmp #0x45fc <memcmp+0x2>
|
|
4614: 0f43 clr r15 ; all bytes matched
|
|
4616: 3b41 pop r11
|
|
4618: 3041 ret
|
|
; memset: fills r13 bytes at r15 with the low byte of r14.
; In:  r15 = destination, r14 = fill value, r13 = byte count.
; Out: r15 is left unchanged. r8-r11 are saved/restored; r12, r13, r14 are clobbered.
; Counts below 6 use a plain byte loop. Larger counts store one leading byte if
; the destination is odd, then whole words, then one trailing byte if a byte
; is left over.
461a <memset>
|
|
461a: 0b12 push r11
|
|
461c: 0a12 push r10
|
|
461e: 0912 push r9
|
|
4620: 0812 push r8
|
|
4622: 3d90 0600 cmp #0x6, r13
|
|
4626: 092c jc #0x463a <memset+0x20> ; count >= 6 (unsigned): take the word path
|
|
4628: 0c4f mov r15, r12 ; short path: r12 = cursor
|
|
462a: 043c jmp #0x4634 <memset+0x1a>
|
|
462c: cc4e 0000 mov.b r14, 0x0(r12)
|
|
4630: 1c53 inc r12
|
|
4632: 3d53 add #-0x1, r13
|
|
4634: 0d93 tst r13
|
|
4636: fa23 jnz #0x462c <memset+0x12>
|
|
4638: 203c jmp #0x467a <memset+0x60>
|
|
463a: 4e4e mov.b r14, r14 ; word path: truncate the fill value to one byte
|
|
463c: 4b4e mov.b r14, r11
|
|
463e: 0b93 tst r11
|
|
4640: 0324 jz #0x4648 <memset+0x2e> ; a zero fill byte needs no replication
|
|
4642: 0c4b mov r11, r12
|
|
4644: 8c10 swpb r12
|
|
4646: 0bdc bis r12, r11 ; r11 = fill byte in both halves of the word
|
|
4648: 1fb3 bit #0x1, r15
|
|
464a: 0624 jz #0x4658 <memset+0x3e> ; destination already even
|
|
464c: 3d53 add #-0x1, r13 ; odd destination: store one byte first
|
|
464e: cf4e 0000 mov.b r14, 0x0(r15)
|
|
4652: 094f mov r15, r9
|
|
4654: 1953 inc r9 ; r9 = first even address
|
|
4656: 013c jmp #0x465a <memset+0x40>
|
|
4658: 094f mov r15, r9
|
|
465a: 0c4d mov r13, r12
|
|
465c: 12c3 clrc
|
|
465e: 0c10 rrc r12 ; r12 = remaining count / 2 = number of words
|
|
4660: 0a49 mov r9, r10 ; r10 = word cursor
|
|
4662: 084c mov r12, r8 ; r8 = word counter
|
|
4664: 8a4b 0000 mov r11, 0x0(r10)
|
|
4668: 2a53 incd r10
|
|
466a: 3853 add #-0x1, r8
|
|
466c: fb23 jnz #0x4664 <memset+0x4a>
|
|
466e: 0c5c add r12, r12
|
|
4670: 0c59 add r9, r12 ; r12 = address just past the last word stored
|
|
4672: 1df3 and #0x1, r13
|
|
4674: 0224 jz #0x467a <memset+0x60> ; no byte left over
|
|
4676: cc4e 0000 mov.b r14, 0x0(r12) ; trailing byte
|
|
467a: 3841 pop r8
|
|
467c: 3941 pop r9
|
|
467e: 3a41 pop r10
|
|
4680: 3b41 pop r11
|
|
4682: 3041 ret
|
|
; _unexpected_: a bare return-from-interrupt, reached through the branch at
; 0x4526 (__ctors_end). It is the last instruction before the string table at 0x4686.
4684 <_unexpected_>
|
|
4684: 0013 reti pc
|
|
4686 .strings:
|
|
4686: "Welcome to the secure program loader."
|
|
46ac: "Please enter debug payload."
|
|
46c8: "Load address outside allowed range of 0x8000-0xF000"
|
|
46fc: "Invalid payload length"
|
|
4713: "Invalid signature type"
|
|
472a: "Incorrect signature, continuing"
|
|
474a: "Signature valid, executing payload"
|
|
|
|
Prereqs: "Cold Lake"
|
|
Name: "Churchill"
|
|
Text:
|
|
Lockitall LOCKIT 2 r A.01
|
|
______________________________________________________________________
|
|
|
|
User Manual: Lockitall LockIT 2, rev a.01
|
|
______________________________________________________________________
|
|
|
|
|
|
OVERVIEW
|
|
|
|
- Lockitall is under new management.
|
|
- All vulnerabilities in our old locks are now resolved.
|
|
|
|
DETAILS
|
|
|
|
The LockIT 2 A.03 is the second of a new series of locks. It is
|
|
controlled by a MSP430 microcontroller. The MSP430 is a very low-
|
|
power device, chosen because we found several crates of old stock.
|
|
|
|
This lock only accepts biometric and NFC inputs, and does not have
|
|
a traditional password prompt.
|
|
|
|
To support rapid development cycles this lock accepts a program
|
|
from the old password input prompt. Only programs signed by us are
|
|
allowed.
|
|
|
|
800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32a
|
|
df31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed16
|
|
05f2070e
|
|
|
|
This is Hardware Version Beta.
|
|
|
|
This is Software Revision 03.
|
|
|
|
|
|
|
|
(c) 2021 LOCKITALL Page 1/1
|
|
|
|
"X": 122,
|
|
"Y": 212,
|
|
"Rating": 30,
|
|
"Patch": ""
|
|
},
|