<smaeul>
bauen1: sure, send me something to run, as long as it doesn't do anything sneaky like try to program more fuses
<bauen1>
smaeul: thanks, i will try to keep side effects to the absolute minimum, do you have access to your h5s uart0 ?
<bauen1>
smaeul: without any sdcard the h5 should enter FEL, with uart0-h5.toc0 it should print a hello world to uart0, with uart0-h5-evil.toc0 it should enter an infinite loop without enabling uart0
<bauen1>
then you can use e.g. 'vimdiff <(xxd uart0-h5.toc0) <(xxd uart0-h5-evil.toc0)' to verify that only the load address and header checksum is different between the images, but not the rsa signature
<bauen1>
i hope the uart0 actually works, i've modified the linker script so it can run directly from toc0
<bauen1>
now, even if this attack succeeds not all hope is lost, but then a lot depends on if you can lock the SID to prevent erasing the ROTPK
<bauen1>
if the SRAM just after the TOC0 memory location can be used as SRAM-PUF
<bauen1>
then an attacker couldn't increase the size of toc0 by much without erasing the private key material
<bauen1>
and would be limited to work calling whatever is in the sbrom, or copying the bootloader to any memory address
<bauen1>
there's approximately 64 bytes on the stack that are accessed by the code after the bootloader is copied to the attacker controlled destination
<bauen1>
the sbrom also doesn't seem to set register that makes unaligned access an error, so you can actually copy the bootloader anywhere you want without restrictions
<bauen1>
the contents of the stack at the time of copying is also pretty public information
<bauen1>
so you can try to do ROP programming using the known contents
<bauen1>
you can also copy the bootloader into the stack at an arbitrary point
<bauen1>
it is probably possible to code the bootloader in a way that makes it hard, or even impossible to abuse its content
<bauen1>
but you can't really defend against making the sbrom jump to an arbitrary address in the sbrom itself
<bauen1>
the only good news is, that if you copy the bootloader into the stack you also need to modify the contents of the stack that are modified when memcpy2 returns, otherwise the actual bootloader code is executed and it can prevent attacks
<bauen1>
when the bootloader actually runs, it can verify the contents of all registers and known memory and abort if they don't match (good) known values; that way an attacker would only have the option of changing the load address to point into the sbrom or the stack top
<bauen1>
pointing the load address into the stack can maybe be prevented by clever coding of the bootloader so that any possible byte sequence that is written over the stack top results in code execution jumping to 0x00 (reset), 0x20 (hand), the bootloader or other (friendly) nop locations
<bauen1>
an attacker could point the load address into an mmio region, but that would hopefully not be enough to achieve code execution since the sbrom will then also jump to that location
<bauen1>
if you don't really care about physical access you could also just put toc0 in the spi nor and then mark that as secure to prevent non-secure code from accessing it
<bauen1>
i'm definitely overdoing this
<bauen1>
there are really only fewer than 8318 (fewer if you cull duplicates and remove illegal instructions) that could be used as ROP entry points by just changing the load_address
<SdtElectronics>
In the last section of script.bin Wiki page (https://linux-sunxi.org/Script.bin#Modern_script.bin_usage) a special version of the linux dtc compiler was mentioned. Has someone been still working on it?
<SdtElectronics>
I managed to compile a standalone version of that dtc compiler and played a little bit with it. It seems that it relies on a special kind of device tree file, namely, .sun8iw15p1-soc.dtb.dts.tmp for H6. I've successfully converted a fex file to dts with that, but the equivalent dtb.dts is required for converting fex files on other platforms.
<bauen1>
the h5 sbrom also doesn't appear to validate the item data_offset or data_length, so instead of signing the sha256 of the boot code you could point it anywhere in memory and sign the sha256 of that
<MoeIcenowy>
bauen1: smells the fell of sighax ;-)
<MoeIcenowy>
feel *
<bauen1>
lol
<bauen1>
but i think that can be used as a solution to 1 of the 2 vulnerabilities
<bauen1>
you can modify the bootcode item to not just cover the bootcode, but also the TOC0_ITEMn_STATUS and TOC0_ITEMn_RUN_ADDRESS field
<bauen1>
then turn the memcpy into a NOP by specifying the (known) address where TOC0_ITEMn_STATUS will be, and put a branch to the actual bootcode in there
<bauen1>
this could also be modified to include more of the toc0 header, e.g. TOC0_LENGTH, just TOC0_BOOT_MEDIA might be problematic
<bauen1>
the other vulnerability: a really big (unsigned) toc0 that overwrites the stack, could be solved by SRAM PUF and an unwritable SID
<bauen1>
and i haven't found any hint that the SID can be locked, e.g. that by burning a specific fuse it becomes unwritable
<bauen1>
smaeul: i've also added a test for the 2nd exploit, 'make evil-uart0.toc0'; this one is more "unsafe", it should overwrite the stack and cause a jump into (unsigned) code, then activate uart0 and print a message that the exploit succeeded
<bauen1>
i think the math is a bit off
<asdf28>
:->
<bauen1>
asdf28: well it's roughly 60kb too big, not that it exactly matters
<Pinchiukas>
Can anyone by chance tell me how to reset a Ditter U20? I booted it up after some time in the shed but if I click on anything using the mouse it just goes black.
<smaeul>
bauen1: CHIP_CONFIG (READ_PROTECT/WRITE_PROTECT) are the eFuses controlling eFuse access. the other way to write-protect is to disconnect the eFuse supply voltage
<bauen1>
smaeul: thanks, but as far as i've found they are only enforced in software ?
<bauen1>
and a read protect efuse wouldn't really make much sense anyway (sid access already requires secure or EL3)
<tllim>
@bauen1, check your PM
<smaeul>
bauen1: uart0-h5.toc0 and uart0-h5-evil.toc0 behave as expected. uart0-h5-evil.toc0 gives no UART output and no FEL USB device.
<smaeul>
evil-uart0.toc0 always goes into FEL
<smaeul>
I had to adjust the linker script to get all of the code/data to go before the fill: replace "*(.text)" with "*(.text* .rodata.str1.1)"
<smaeul>
and I tried dropping the .text start from 0x15000 to 0x5000, since there was a 0x15000 byte gap in the file, but I'm assuming it gets loaded starting at 0x10000
<bauen1>
smaeul: i just remembered that 0x15000 is probably the start of a sram gap
<bauen1>
smaeul: you also need to adjust the 0x15000 in the evil_head.S
<bauen1>
there should probably be a few null bytes before, just in case sboot writes something there
<bauen1>
smaeul: you're booting via sd card i presume ?
<smaeul>
bauen1: SRAM gap is at 0x18000. yes, I'm using an SD card