├── scripts
    ├── loaders
    │   ├── Ghidra
    │   │   ├── mclfloader
    │   │   │   ├── Module.manifest
    │   │   │   ├── ghidra_scripts
    │   │   │   │   └── README.txt
    │   │   │   ├── .gitignore
    │   │   │   ├── src
    │   │   │   │   ├── main
    │   │   │   │   │   ├── resources
    │   │   │   │   │   │   └── images
    │   │   │   │   │   │   │   └── README.txt
    │   │   │   │   │   ├── help
    │   │   │   │   │   │   └── help
    │   │   │   │   │   │   │   ├── topics
    │   │   │   │   │   │   │       └── mclfloader
    │   │   │   │   │   │   │       │   └── help.html
    │   │   │   │   │   │   │   ├── TOC_Source.xml
    │   │   │   │   │   │   │   └── shared
    │   │   │   │   │   │   │       └── Frontpage.css
    │   │   │   │   │   └── java
    │   │   │   │   │   │   └── mclfloader
    │   │   │   │   │   │       ├── MCLFHeader.java
    │   │   │   │   │   │       └── MCLFLoader.java
    │   │   │   │   └── test
    │   │   │   │   │   └── java
    │   │   │   │   │       └── README.test.txt
    │   │   │   ├── extension.properties
    │   │   │   ├── dist
    │   │   │   │   └── ghidra_9.1-BETA_DEV_20190926_mclfloader.zip
    │   │   │   ├── lib
    │   │   │   │   └── README.txt
    │   │   │   ├── os
    │   │   │   │   ├── linux64
    │   │   │   │   │   └── README.txt
    │   │   │   │   ├── osx64
    │   │   │   │   │   └── README.txt
    │   │   │   │   └── win64
    │   │   │   │   │   └── README.txt
    │   │   │   ├── data
    │   │   │   │   └── README.txt
    │   │   │   └── build.gradle
    │   │   └── tbaseloader
    │   │   │   ├── Module.manifest
    │   │   │   ├── ghidra_scripts
    │   │   │       └── README.txt
    │   │   │   ├── .gitignore
    │   │   │   ├── src
    │   │   │       ├── main
    │   │   │       │   ├── resources
    │   │   │       │   │   └── images
    │   │   │       │   │   │   └── README.txt
    │   │   │       │   ├── help
    │   │   │       │   │   └── help
    │   │   │       │   │   │   ├── topics
    │   │   │       │   │   │       └── tbaseloader
    │   │   │       │   │   │       │   └── help.html
    │   │   │       │   │   │   ├── TOC_Source.xml
    │   │   │       │   │   │   └── shared
    │   │   │       │   │   │       └── Frontpage.css
    │   │   │       │   └── java
    │   │   │       │   │   └── tbaseloader
    │   │   │       │   │       └── TBaseLoader.java
    │   │   │       └── test
    │   │   │       │   └── java
    │   │   │       │       └── README.test.txt
    │   │   │   ├── extension.properties
    │   │   │   ├── dist
    │   │   │       └── ghidra_9.1-BETA_DEV_20190926_tbaseloader.zip
    │   │   │   ├── lib
    │   │   │       └── README.txt
    │   │   │   ├── os
    │   │   │       ├── linux64
    │   │   │       │   └── README.txt
    │   │   │       ├── osx64
    │   │   │       │   └── README.txt
    │   │   │       └── win64
    │   │   │       │   └── README.txt
    │   │   │   ├── data
    │   │   │       └── README.txt
    │   │   │   └── build.gradle
    │   └── IDAPro
    │   │   ├── mclf_loader.py
    │   │   └── tbase_loader.py
    ├── README.md
    └── scripts
    │   ├── Ghidra
    │       ├── tl_apis.json
    │       ├── FindSymbols.py
    │       ├── dr_apis.json
    │       └── FindSymbolsMcLib.py
    │   └── IDAPro
    │       ├── tl_apis.json
    │       ├── dr_apis.json
    │       ├── find_symbols.py
    │       └── find_symbols_mclib.py
├── tainting
    ├── .gitignore
    ├── README.md
    ├── mclf2elf
    │   ├── mclf.py
    │   └── mclf2elf.py
    └── tainter.py
├── bindings
    ├── .gitignore
    ├── bin
    │   └── pymcclient
    ├── mcclient
    │   ├── __init__.py
    │   ├── __main__.py
    │   ├── mcclient_const.py
    │   ├── mcclient_types.py
    │   └── mcclient.py
    ├── docs
    │   ├── Makefile
    │   ├── make.bat
    │   ├── index.rst
    │   └── conf.py
    ├── test
    │   └── test.py
    ├── setup.py
    ├── COMPILING.md
    └── README.md
├── emulator
    ├── README.md
    └── emulator.py
├── fuzzer
    ├── README.md
    └── fuzzer.py
├── README.md
└── LICENSE.md


/scripts/loaders/Ghidra/mclfloader/Module.manifest:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/Module.manifest:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/tainting/.gitignore:
--------------------------------------------------------------------------------
1 | **/mcore_*/
2 | **/coverage*
3 | 


--------------------------------------------------------------------------------
/bindings/.gitignore:
--------------------------------------------------------------------------------
1 | build/
2 | dist/
3 | pymcclient.egg-info/
4 | docs/_build/
5 | 


--------------------------------------------------------------------------------
/bindings/bin/pymcclient:
--------------------------------------------------------------------------------
1 | from mcclient import __main__
2 | 
3 | __main__.main()
4 | 


--------------------------------------------------------------------------------
/bindings/mcclient/__init__.py:
--------------------------------------------------------------------------------
1 | from .mcclient import Error, Device, Trustlet, Buffer
2 | from .mcclient_const import *
3 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/ghidra_scripts/README.txt:
--------------------------------------------------------------------------------
1 | Java source directory to hold module-specific Ghidra scripts.
2 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/ghidra_scripts/README.txt:
--------------------------------------------------------------------------------
1 | Java source directory to hold module-specific Ghidra scripts.
2 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/.gitignore:
--------------------------------------------------------------------------------
1 | .*
2 | *.zip
3 | !dist/*.zip
4 | *.jar
5 | *.log
6 | *.class
7 | bin/*
8 | build/*
9 | !/.gitignore


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/.gitignore:
--------------------------------------------------------------------------------
1 | .*
2 | *.zip
3 | !dist/*.zip
4 | *.jar
5 | *.log
6 | *.class
7 | bin/*
8 | build/*
9 | !/.gitignore


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/main/resources/images/README.txt:
--------------------------------------------------------------------------------
1 | The "src/resources/images" directory is intended to hold all image/icon files used by
2 | this module.
3 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/src/main/resources/images/README.txt:
--------------------------------------------------------------------------------
1 | The "src/resources/images" directory is intended to hold all image/icon files used by
2 | this module.
3 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/extension.properties:
--------------------------------------------------------------------------------
1 | name=@extname@
2 | description=The extension description can be customized by editing the extension.properties file.
3 | author=
4 | createdOn=
5 | version=@extversion@
6 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/test/java/README.test.txt:
--------------------------------------------------------------------------------
1 | The "test" directory is intended to hold unit test cases.  The package structure within
2 | this folder should correspond to that found in the "src" folder.
3 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/extension.properties:
--------------------------------------------------------------------------------
1 | name=@extname@
2 | description=The extension description can be customized by editing the extension.properties file.
3 | author=
4 | createdOn=
5 | version=@extversion@
6 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/src/test/java/README.test.txt:
--------------------------------------------------------------------------------
1 | The "test" directory is intended to hold unit test cases.  The package structure within
2 | this folder should correspond to that found in the "src" folder.
3 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/dist/ghidra_9.1-BETA_DEV_20190926_mclfloader.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quarkslab/samsung-trustzone-research/HEAD/scripts/loaders/Ghidra/mclfloader/dist/ghidra_9.1-BETA_DEV_20190926_mclfloader.zip


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/lib/README.txt:
--------------------------------------------------------------------------------
1 | The "lib" directory is intended to hold Jar files which this module
2 | is dependent upon.  This directory may be eliminated from a specific
3 | module if no other Jar files are needed.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/dist/ghidra_9.1-BETA_DEV_20190926_tbaseloader.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quarkslab/samsung-trustzone-research/HEAD/scripts/loaders/Ghidra/tbaseloader/dist/ghidra_9.1-BETA_DEV_20190926_tbaseloader.zip


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/lib/README.txt:
--------------------------------------------------------------------------------
1 | The "lib" directory is intended to hold Jar files which this module
2 | is dependent upon.  This directory may be eliminated from a specific
3 | module if no other Jar files are needed.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/os/linux64/README.txt:
--------------------------------------------------------------------------------
1 | The "os/linux64" directory is intended to hold Linux native binaries
2 | which this module is dependent upon.   This directory may be eliminated for a specific 
3 | module if native binaries are not provided for the corresponding platform.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/os/osx64/README.txt:
--------------------------------------------------------------------------------
1 | The "os/osx64" directory is intended to hold macOS (OS X) native binaries
2 | which this module is dependent upon.   This directory may be eliminated for a specific 
3 | module if native binaries are not provided for the corresponding platform.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/os/linux64/README.txt:
--------------------------------------------------------------------------------
1 | The "os/linux64" directory is intended to hold Linux native binaries
2 | which this module is dependent upon.   This directory may be eliminated for a specific 
3 | module if native binaries are not provided for the corresponding platform.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/os/osx64/README.txt:
--------------------------------------------------------------------------------
1 | The "os/osx64" directory is intended to hold macOS (OS X) native binaries
2 | which this module is dependent upon.   This directory may be eliminated for a specific 
3 | module if native binaries are not provided for the corresponding platform.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/os/win64/README.txt:
--------------------------------------------------------------------------------
1 | The "os/win64" directory is intended to hold MS Windows native binaries (.exe)
2 | which this module is dependent upon.   This directory may be eliminated for a specific 
3 | module if native binaries are not provided for the corresponding platform.
4 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/os/win64/README.txt:
--------------------------------------------------------------------------------
1 | The "os/win64" directory is intended to hold MS Windows native binaries (.exe)
2 | which this module is dependent upon.   This directory may be eliminated for a specific 
3 | module if native binaries are not provided for the corresponding platform.
4 | 


--------------------------------------------------------------------------------
/emulator/README.md:
--------------------------------------------------------------------------------
1 | # Emulator
2 | 
3 | This emulator is based on the [Unicorn](https://www.unicorn-engine.org/) engine. It allows executing trustlets and hooking the tlApis/drApis. It can also print the instructions executed, the register values and the content of the stack. It is especially useful to debug exploits for trustlets/drivers.
4 | 
5 | ## Installation
6 | 
7 | Simply install Unicorn and its Python bindings, are you're all good to go!
8 | 


--------------------------------------------------------------------------------
/bindings/mcclient/__main__.py:
--------------------------------------------------------------------------------
 1 | from IPython.terminal.embed import InteractiveShellEmbed
 2 | 
 3 | from . import mcclient
 4 | 
 5 | 
 6 | def main():
 7 |     banner = "Welcome to the Python mcClient API shell!\n\n"
 8 |     banner += "(check out the documentation to get started)\n"
 9 | 
10 |     imcsh = InteractiveShellEmbed(banner1=banner, exit_msg="Bye o/\n")
11 |     imcsh(local_ns={name: getattr(mcclient, name) for name in dir(mcclient)})
12 | 
13 | 
14 | if __name__ == "__main__":
15 |     main()
16 | 


--------------------------------------------------------------------------------
/fuzzer/README.md:
--------------------------------------------------------------------------------
 1 | # Fuzzer
 2 | 
 3 | This fuzzer is based on the [`afl-unicorn`](https://github.com/Battelle/afl-unicorn) project. We have only made some slight changes to the emulator code: executing one instruction to start the forkserver, loading the input file and forcing a crash on errors.
 4 | 
 5 | You will need to implement more tlApis/drApis if you intend to do some serious fuzzing, as we couldn't release ours.
 6 | 
 7 | ## Installation
 8 | 
 9 | Follow the instructions in [this blog-post](https://medium.com/hackernoon/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf) to get afl-unicorn up and running.
10 | 


--------------------------------------------------------------------------------
/bindings/docs/Makefile:
--------------------------------------------------------------------------------
 1 | # Minimal makefile for Sphinx documentation
 2 | #
 3 | 
 4 | # You can set these variables from the command line.
 5 | SPHINXOPTS    =
 6 | SPHINXBUILD   = sphinx-build
 7 | SOURCEDIR     = .
 8 | BUILDDIR      = _build
 9 | 
10 | # Put it first so that "make" without argument is like "make help".
11 | help:
12 | 	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
13 | 
14 | .PHONY: help Makefile
15 | 
16 | # Catch-all target: route all unknown targets to Sphinx using the new
17 | # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
18 | %: Makefile
19 | 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/data/README.txt:
--------------------------------------------------------------------------------
 1 | The "data" directory is intended to hold data files that will be used by this module and will
 2 | not end up in the .jar file, but will be present in the zip or tar file.  Typically, data
 3 | files are placed here rather than in the resources directory if the user may need to edit them.
 4 | 
 5 | An optional data/languages directory can exist for the purpose of containing various Sleigh language
 6 | specification files and importer opinion files.  
 7 | 
 8 | The data/buildLanguage.xml is used for building the contents of the data/languages directory.
 9 | 
10 | The skel language definition has been commented-out within the skel.ldefs file so that the 
11 | skeleton language does not show-up within Ghidra.
12 | 
13 | See the Sleigh language documentation (docs/languages/index.html) for details Sleigh language 
14 | specification syntax.
15 |  


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/data/README.txt:
--------------------------------------------------------------------------------
 1 | The "data" directory is intended to hold data files that will be used by this module and will
 2 | not end up in the .jar file, but will be present in the zip or tar file.  Typically, data
 3 | files are placed here rather than in the resources directory if the user may need to edit them.
 4 | 
 5 | An optional data/languages directory can exist for the purpose of containing various Sleigh language
 6 | specification files and importer opinion files.  
 7 | 
 8 | The data/buildLanguage.xml is used for building the contents of the data/languages directory.
 9 | 
10 | The skel language definition has been commented-out within the skel.ldefs file so that the 
11 | skeleton language does not show-up within Ghidra.
12 | 
13 | See the Sleigh language documentation (docs/languages/index.html) for details Sleigh language 
14 | specification syntax.
15 |  


--------------------------------------------------------------------------------
/bindings/docs/make.bat:
--------------------------------------------------------------------------------
 1 | @ECHO OFF
 2 | 
 3 | pushd %~dp0
 4 | 
 5 | REM Command file for Sphinx documentation
 6 | 
 7 | if "%SPHINXBUILD%" == "" (
 8 | 	set SPHINXBUILD=sphinx-build
 9 | )
10 | set SOURCEDIR=.
11 | set BUILDDIR=_build
12 | 
13 | if "%1" == "" goto help
14 | 
15 | %SPHINXBUILD% >NUL 2>NUL
16 | if errorlevel 9009 (
17 | 	echo.
18 | 	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
19 | 	echo.installed, then set the SPHINXBUILD environment variable to point
20 | 	echo.to the full path of the 'sphinx-build' executable. Alternatively you
21 | 	echo.may add the Sphinx directory to PATH.
22 | 	echo.
23 | 	echo.If you don't have Sphinx installed, grab it from
24 | 	echo.http://sphinx-doc.org/
25 | 	exit /b 1
26 | )
27 | 
28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS%
29 | goto end
30 | 
31 | :help
32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS%
33 | 
34 | :end
35 | popd
36 | 


--------------------------------------------------------------------------------
/bindings/test/test.py:
--------------------------------------------------------------------------------
 1 | from mcclient import *
 2 | 
 3 | DEVICE_ID = DEVICE_ID_DEFAULT
 4 | TCI_BUFFER_SIZE = 0x1000
 5 | 
 6 | TRUSTLET_UUID = "ffffffff00000000000000000000000e"
 7 | TRUSTLET_FILE = "/system/app/mcRegistry/%s.tlbin" % TRUSTLET_UUID
 8 | 
 9 | 
10 | def main():
11 |     with Device(DEVICE_ID) as dev:
12 |         print(dev.id)
13 |         print(dev.version())
14 | 
15 |         with dev.buffer(TCI_BUFFER_SIZE) as tci:
16 |             with open(TRUSTLET_FILE, "rb") as fd:
17 |                 buf = fd.read()
18 | 
19 |             with Trustlet(dev, tci, buf) as app:
20 |                 print(app.id)
21 |                 print(app.error())
22 | 
23 |                 buf = dev.alloc(0x42)
24 |                 with app.share(buf) as info:
25 |                     print(info)
26 |                 dev.free(buf)
27 | 
28 |                 tci.seek(0)
29 |                 tci.write_dword(1)
30 | 
31 |                 app.notify()
32 |                 app.wait_notification()
33 | 
34 |                 tci.seek(0)
35 |                 print(tci.read_dword())
36 | 
37 | 
38 | if __name__ == "__main__":
39 |     main()
40 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/main/help/help/topics/mclfloader/help.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 2 | 
 3 | <HTML>
 4 |   <HEAD>
 5 |     <META name="generator" content=
 6 |     "HTML Tidy for Java (vers. 2009-12-01), see jtidy.sourceforge.net">
 7 |     <META http-equiv="Content-Language" content="en-us">
 8 |     <META http-equiv="Content-Type" content="text/html; charset=windows-1252">
 9 |     <META name="GENERATOR" content="Microsoft FrontPage 4.0">
10 |     <META name="ProgId" content="FrontPage.Editor.Document">
11 | 
12 |     <TITLE>Skeleton Help File for a Module</TITLE>
13 |     <LINK rel="stylesheet" type="text/css" href="../../shared/Frontpage.css">
14 |   </HEAD>
15 | 
16 |   <BODY>
17 |     <H1><a name="HelpAnchor"></a>Skeleton Help File for a Module</H1>
18 | 
19 |     <P>This is a simple skeleton help topic. For a better description of what should and should not
20 |     go in here, see the "sample" Ghidra extension in the Extensions/Ghidra directory, or see your 
21 |     favorite help topic. In general, language modules do not have their own help topics.</P>
22 |   </BODY>
23 | </HTML>
24 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/src/main/help/help/topics/tbaseloader/help.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 2 | 
 3 | <HTML>
 4 |   <HEAD>
 5 |     <META name="generator" content=
 6 |     "HTML Tidy for Java (vers. 2009-12-01), see jtidy.sourceforge.net">
 7 |     <META http-equiv="Content-Language" content="en-us">
 8 |     <META http-equiv="Content-Type" content="text/html; charset=windows-1252">
 9 |     <META name="GENERATOR" content="Microsoft FrontPage 4.0">
10 |     <META name="ProgId" content="FrontPage.Editor.Document">
11 | 
12 |     <TITLE>Skeleton Help File for a Module</TITLE>
13 |     <LINK rel="stylesheet" type="text/css" href="../../shared/Frontpage.css">
14 |   </HEAD>
15 | 
16 |   <BODY>
17 |     <H1><a name="HelpAnchor"></a>Skeleton Help File for a Module</H1>
18 | 
19 |     <P>This is a simple skeleton help topic. For a better description of what should and should not
20 |     go in here, see the "sample" Ghidra extension in the Extensions/Ghidra directory, or see your 
21 |     favorite help topic. In general, language modules do not have their own help topics.</P>
22 |   </BODY>
23 | </HTML>
24 | 


--------------------------------------------------------------------------------
/scripts/README.md:
--------------------------------------------------------------------------------
 1 | # Scripts
 2 | 
 3 | Here are the various IDA Pro/Ghidra extensions that we have developed.
 4 | 
 5 | ## Loaders
 6 | 
 7 | ## MCLF loader
 8 | 
 9 | The MCLF loader allows loading trustlet/driver binaries in the MCLF file format.
10 | 
11 | It parses the header, maps the segments, sets the entry point and renames the mcLib handler.
12 | 
13 | - IDA Pro version is at `loaders/IDAPro/mclf_loader.py`
14 | - Ghidra version is in `loaders/Ghidra/mclfloader`
15 | 
16 | ## <t-base loader
17 | 
18 | The <t-base loader allows loading the various components contained in the SBOOT binary.
19 | 
20 | The embedded trustlets and driver can be extracted to disk via the built-in dialogs.
21 | 
22 | - IDA Pro version is at `loaders/IDAPro/tbase_loader.py`
23 | - Ghidra version is in `loaders/Ghidra/tbaseloader`
24 | 
25 | ## Scripts
26 | 
27 | ## Find Symbols
28 | 
29 | This scripts will find the stubs in the trustlet and driver binaries, extract the tlApi/drApi number, and rename and set the prototype of the corresponding function.
30 | 
31 | - IDA Pro version is at `scripts/IDAPro/find_symbols.py`
32 | - Ghidra version is at `scripts/Ghidra/FindSymbols.py`
33 | 


--------------------------------------------------------------------------------
/tainting/README.md:
--------------------------------------------------------------------------------
 1 | # Tainting
 2 | 
 3 | This is a little experiment using [Manticore](https://github.com/trailofbits/manticore) to perform symbolic execution of trustlets. On memory accesses, by asking the solver if it is possible to obtain an invalid address, we can detect potential vulnerabilities.
 4 | 
 5 | ## Installation
 6 | 
 7 | ### Installing Manticore
 8 | 
 9 | You'll need to install the development version of Manticore.
10 | 
11 | ```
12 | git clone https://github.com/trailofbits/manticore
13 | cd manticore
14 | python -m pip install -e .
15 | ```
16 | 
17 | ## Usage
18 | 
19 | ### Converting a trustlet
20 | 
21 | Manticore supports ELF files out of the box, so we will first convert our trustlets from MCLF to ELF.
22 | 
23 | ```
24 | python mclf2elf/mclf2elf.py <trustlet>
25 | ```
26 | 
27 | ### Tainting a trustlet
28 | 
29 | Then we can use the script to perform the symbolic execution of the trustlet binary.
30 | 
31 | ```
32 | python tainter.py -s <buffer_size> <trustlet>.elf
33 | ```
34 | 
35 | Note: use `-v` to display Manticore debug messages.
36 | 
37 | ### Exporting coverage
38 | 
39 | Use the `-c` flag to write coverage to a file on the disk.
40 | 
41 | Use [Lighthouse](https://github.com/gaasedelen/lighthouse) to display coverage into IDA Pro.
42 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/build.gradle:
--------------------------------------------------------------------------------
 1 | // Builds a Ghidra Extension for a given Ghidra installation.
 2 | //
 3 | // An absolute path to the Ghidra installation directory must be supplied either by setting the 
 4 | // GHIDRA_INSTALL_DIR environment variable or Gradle project property:
 5 | //
 6 | //     > export GHIDRA_INSTALL_DIR=<Absolute path to Ghidra> 
 7 | //     > gradle
 8 | //
 9 | //         or
10 | //
11 | //     > gradle -PGHIDRA_INSTALL_DIR=<Absolute path to Ghidra>
12 | //
13 | // Gradle should be invoked from the directory of the project to build.  Please see the
14 | // application.gradle.version property in <GHIDRA_INSTALL_DIR>/Ghidra/application.properties
15 | // for the correction version of Gradle to use for the Ghidra installation you specify.
16 | 
17 | //----------------------START "DO NOT MODIFY" SECTION------------------------------
18 | def ghidraInstallDir
19 | 
20 | if (System.env.GHIDRA_INSTALL_DIR) {
21 | 	ghidraInstallDir = System.env.GHIDRA_INSTALL_DIR
22 | }
23 | else if (project.hasProperty("GHIDRA_INSTALL_DIR")) {
24 | 	ghidraInstallDir = project.getProperty("GHIDRA_INSTALL_DIR")
25 | }
26 | 
27 | if (ghidraInstallDir) {
28 | 	apply from: new File(ghidraInstallDir).getCanonicalPath() + "/support/buildExtension.gradle"
29 | }
30 | else {
31 | 	throw new GradleException("GHIDRA_INSTALL_DIR is not defined!")
32 | }
33 | //----------------------END "DO NOT MODIFY" SECTION-------------------------------
34 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/build.gradle:
--------------------------------------------------------------------------------
 1 | // Builds a Ghidra Extension for a given Ghidra installation.
 2 | //
 3 | // An absolute path to the Ghidra installation directory must be supplied either by setting the 
 4 | // GHIDRA_INSTALL_DIR environment variable or Gradle project property:
 5 | //
 6 | //     > export GHIDRA_INSTALL_DIR=<Absolute path to Ghidra> 
 7 | //     > gradle
 8 | //
 9 | //         or
10 | //
11 | //     > gradle -PGHIDRA_INSTALL_DIR=<Absolute path to Ghidra>
12 | //
13 | // Gradle should be invoked from the directory of the project to build.  Please see the
14 | // application.gradle.version property in <GHIDRA_INSTALL_DIR>/Ghidra/application.properties
15 | // for the correction version of Gradle to use for the Ghidra installation you specify.
16 | 
17 | //----------------------START "DO NOT MODIFY" SECTION------------------------------
18 | def ghidraInstallDir
19 | 
20 | if (System.env.GHIDRA_INSTALL_DIR) {
21 | 	ghidraInstallDir = System.env.GHIDRA_INSTALL_DIR
22 | }
23 | else if (project.hasProperty("GHIDRA_INSTALL_DIR")) {
24 | 	ghidraInstallDir = project.getProperty("GHIDRA_INSTALL_DIR")
25 | }
26 | 
27 | if (ghidraInstallDir) {
28 | 	apply from: new File(ghidraInstallDir).getCanonicalPath() + "/support/buildExtension.gradle"
29 | }
30 | else {
31 | 	throw new GradleException("GHIDRA_INSTALL_DIR is not defined!")
32 | }
33 | //----------------------END "DO NOT MODIFY" SECTION-------------------------------
34 | 


--------------------------------------------------------------------------------
/bindings/setup.py:
--------------------------------------------------------------------------------
 1 | # Always prefer setuptools over distutils
 2 | from setuptools import setup
 3 | 
 4 | # To use a consistent encoding
 5 | from codecs import open
 6 | import os
 7 | 
 8 | here = os.path.abspath(os.path.dirname(__file__))
 9 | 
10 | # Get the long description from the README file
11 | with open(os.path.join(here, "README.md"), encoding="utf-8") as f:
12 |     long_description = f.read()
13 | 
14 | 
15 | def get_packages(package):
16 |     """
17 |     Return root package and all sub-packages.
18 |     """
19 |     return [
20 |         dirpath
21 |         for dirpath, dirnames, filenames in os.walk(package)
22 |         if os.path.exists(os.path.join(dirpath, "__init__.py"))
23 |     ]
24 | 
25 | 
26 | setup(
27 |     name="pymcclient",
28 |     version="0.2.3",
29 |     description="Python bindings for libMcClient",
30 |     long_description=long_description,
31 |     author="Alexandre Adamski",
32 |     author_email="aadamski@quarkslab.com",
33 |     license="BSD2",
34 |     classifiers=[
35 |         "Development Status :: 4 - Beta",
36 |         "Intended Audience :: Black rats",
37 |         "Topic :: Security :: Hack Tools",
38 |         "License :: Theo Approved :: BSD2",
39 |         "Programming Language :: Python :: 3",
40 |         "Programming Language :: Python :: 3.7",
41 |     ],
42 |     keywords="android trustzone mobicore libmcclient bindings",
43 |     packages=get_packages("mcclient"),
44 |     install_requires=["ipython"],
45 |     scripts=["bin/pymcclient"],
46 | )
47 | 


--------------------------------------------------------------------------------
/bindings/COMPILING.md:
--------------------------------------------------------------------------------
 1 | # Capstone/Keystone for Android
 2 | 
 3 | Here are the commands we have used to compile Capstone/Keystone.
 4 | 
 5 | ## Compiling
 6 | 
 7 | ### Capstone
 8 | 
 9 | ```
10 | git clone https://github.com/aquynh/capstone capstone && cd capstone
11 | mkdir build64 && cd build64
12 | cmake -DCMAKE_SYSTEM_NAME=Android -DCMAKE_ANDROID_NDK=/path/to/android-ndk -DCMAKE_ANDROID_ARCH_ABI=arm64-v8a -DCMAKE_BUILD_TYPE=Release -G"Unix Makefiles" ..
13 | make -j8
14 | ```
15 | 
16 | ### Keystone
17 | 
18 | ```
19 | git clone https://github.com/keystone-engine keystone && cd keystone
20 | mkdir build64 && cd build64
21 | cmake -DCMAKE_SYSTEM_NAME=Android -DCMAKE_ANDROID_NDK=/path/to/android-ndk -DCMAKE_ANDROID_ARCH_ABI=arm64-v8a -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=ON -G"Unix Makefiles" ..
22 | make -j8
23 | ```
24 | 
25 | ## Installing
26 | 
27 | Here are the commands we have used to install Capstone/Keystone.
28 | 
29 | ### Capstone
30 | 
31 | ```
32 | adb push capstone /data/local/tmp
33 | adb shell
34 | $ . /data/local/tmp/python3/tools/env.sh
35 | $ cd /data/local/tmp/capstone/bindings/python
36 | $ cp ../../build64/libcapstone.* prebuilt
37 | $ python3.7 setup.py install
38 | $ cd /data/local/tmp && rm -rf capstone
39 | ```
40 | 
41 | ### Keystone
42 | 
43 | ```
44 | adb push keystone /data/local/tmp
45 | adb shell
46 | $ . /data/local/tmppython3/tools/env.sh
47 | $ cd /data/local/tmp/keystone/bindings/python
48 | $ cp ../../build64/llvm/lib/libkeystone.so /data/local/tmp/python3/usr/lib
49 | $ python3.7 setup.py install
50 | $ cd /data/local/tmp && rm -rf keystone
51 | ```
52 | 


--------------------------------------------------------------------------------
/bindings/README.md:
--------------------------------------------------------------------------------
 1 | # Bindings
 2 | 
 3 | ## Introduction
 4 | 
 5 | Python bindings for `libMcClient.so`, the library that is used to communicate with Trusted Applications and Secure Drivers. The bindings can be used as a library, or we also offer a very practical REPL which is based on IPython.
 6 | 
 7 | ## Installation
 8 | 
 9 | First you will need to install Python 3 on your device. To do that we suggest you use the [`python3-android`](https://github.com/yan12125/python3-android) project by @[yan12125](https://github.com/yan12125). Then you can install `pip` on it using [`get-pip.py`](https://bootstrap.pypa.io/get-pip.py) and finally install IPython itself.
10 | 
11 | If you're interested in compiling Keystone/Capstone for Android, check out [this guide](COMPILING.md).
12 | 
13 | Installation of the project can be done from the sources
14 | 
15 | ```
16 | $ python setup.py install
17 | ```
18 | 
19 | ## Usage
20 | 
21 | To start the REPL, simply enter
22 | 
23 | ```
24 | $ pymcclient
25 | ```
26 | 
27 | ## Example
28 | 
29 | ```python
30 | from mcclient import *
31 | 
32 | # Create a device session
33 | with Device() as dev:
34 | 
35 |     # Allocate a TCI buffer
36 |     with dev.buffer(tci_size) as tci:
37 | 
38 |         # Create a trustlet session
39 |         with Trustlet.uuid(dev, tci, uuid) as app:
40 | 
41 |             # Write the command ID
42 |             tci.seek(0)
43 |             tci.write_dword(42)
44 | 
45 |             # Notify the trustlet
46 |             app.notify()
47 |             # Wait for a notification
48 |             app.wait_notification()
49 | 
50 |             # Display the TCI buffer
51 |             tci.seek(0)
52 |             tci.hexdump(0x100)
53 | ```
54 | 
55 | Thanks to Python's context managers, the sessions are automatically closed and the buffers automatically freed when the "with statements" are exited.
56 | 
57 | But you can still go the old fashioned way and call the `open` and `close` methods yourself.
58 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Security Research on Kinibi
 2 | 
 3 | In this repository, you will find the tools that we have developed during our research to help us reverse engineer and also exploit Samsung's implementation of TrustZone, which is based on a Trusted OS called Kinibi.
 4 | 
 5 | ## Bindings
 6 | 
 7 | In the `bindings/` folder, you will find Python bindings for the `libMcClient.so` library that is used to communicate with Trusted Applications and Secure Drivers. They were developed because we found it easier to write our exploits in Python, and they proved especially useful for the exercises given during our training sessions.
 8 | 
 9 | ## Emulator
10 | 
11 | In the `emulator/` folder, you will find a Python script that makes use of the [Unicorn](https://www.unicorn-engine.org/) engine to emulate a trustlet. This tool was mainly used to test our exploits as it can print the instructions executed, register values and stack content.
12 | 
13 | ## Fuzzer
14 | 
15 | In the `fuzzer/` folder, you will find a Python script that makes use of the [`afl-unicorn`](https://github.com/Battelle/afl-unicorn) project to fuzz trustlets. It is heavily based on the emulator. You will need to implement more tlApis/drApis if you intend to do some serious fuzzing.
16 | 
17 | ## Scripts
18 | 
19 | In the `scripts/` folder, you will find various things:
20 | - `mclf_loader`, a loader for trustlet binaries using the MCLF file format
21 | - `tbase_loader`, a loader that extracts the various components of a SBOOT image
22 | - `find_symbols`, a script that finds and renames the various tlApis/drApis stubs within trustlets
23 | - `find_symbols_mclib`, a script that finds and renames the various tlApis/drApis functions within the McLib
24 | 
25 | The scripts are available both for IDA Pro and Ghidra, as we wanted our trainees to be able to use a free SRE.
26 | 
27 | ## Tainting
28 | 
29 | In the `tainting/` folder, you will find a Python script that makes use of [Manticore](https://github.com/trailofbits/manticore) to find vulnerabilities in trustlets using symbolic execution. This was just an experiment, so the script is really basic.
30 | 
31 | ## Contact
32 | 
33 | - Alexandre Adamski <<aadamski@quarkslab.com>>
34 | - Joffrey Guilbon <<jguilbon@quarkslab.com>>
35 | - Maxime Peterlin <<mpeterlin@quarslab.com>>
36 | 


--------------------------------------------------------------------------------
/tainting/mclf2elf/mclf.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | """
 3 | Loader for TLBIN files (MCLF format)
 4 | 
 5 | Layout:
 6 |    [HDR + textsz] - text, mapped at txt addr
 7 |    [datasz]       - data, mapped at data addr
 8 |    [0 bytes]      - bss, mapped at data addr + datasz ?
 9 |    [521 bytes]    - sig, not mapped
10 | """
11 | import struct
12 | 
13 | class Error(Exception) :
14 |     pass
15 | 
16 | class Readable(object) :
17 |     def get(self, fmt, pos=None) :
18 |         if pos is not None :
19 |             self.f.seek(pos)
20 |         sz = struct.calcsize(fmt)
21 |         dat = self.f.read(sz)
22 |         if len(dat) != sz :
23 |             raise Error("short read")
24 |         return struct.unpack('<' + fmt, dat)
25 |     def __str__(self) :
26 |         def fmt(x) :
27 |             if isinstance(x, int) :
28 |                 return '0x%x' % x
29 |             else :
30 |                 return repr(x)
31 |         nms = self.__fields__.split(',')
32 |         fs = ','.join('%s=%s' % (nm, fmt(getattr(self, nm))) for nm in nms)
33 |         return '[%s %s]' % (self.__class__.__name__, fs)
34 |     __repr__ = __str__
35 | 
36 | class Segment(Readable) :
37 |     __fields__ = 'start,len'
38 |     def __init__(self, f) :
39 |         self.f = f
40 |         self.load()
41 |     def load(self) :
42 |         self.start, self.len = self.get('II')
43 | 
44 | class MCLF(Readable) :
45 |     __fields__ = 'mag,vmag,vmin,flags,memType,serviceType,ninstances,uuid,driverId,numThreads,text,data,bssLen,entry,serviceVersion'
46 |     MAG = 'MCLF'
47 | 
48 |     def __init__(self, fn) :
49 |         self.f = file(fn, 'rb')
50 |         self.load()
51 | 
52 |     def getSegment(self) :
53 |         return Segment(self.f)
54 | 
55 |     def loadV1(self) :
56 |         self.flags,self.memType,self.serviceType,self.ninstances = self.get('IIII')
57 |         self.uuid = self.get('16s')[0].encode('hex')
58 |         self.driverId,self.numThreads = self.get('II')
59 |         self.text = self.getSegment()
60 |         self.data = self.getSegment()
61 |         self.bssLen,self.entry = self.get('II')
62 |         self.serviceVersion = None
63 | 
64 |     def loadV2(self) :
65 |         self.serviceVersion = self.get('I')[0]
66 | 
67 |     def load(self) :
68 |         self.mag,self.vmin,self.vmag = self.get("4sHH")
69 |         if self.mag != self.MAG :
70 |             raise Error("bad magic")
71 |         if self.vmag < 1 :
72 |             raise Error("unsupported version")
73 |         if self.vmag >= 1 :
74 |             self.loadV1()
75 |         if self.vmag >= 2 :
76 |             self.loadV2()
77 | 
78 | def test() :
79 |     import sys
80 |     def sz(f) :
81 |         f.seek(0, 2)
82 |         return f.tell()
83 |     for fn in sys.argv[1:] :
84 |         print fn
85 |         m = MCLF(fn) 
86 |         print m
87 |         #print 'sz=%x xtra=%x' % (sz(m.f), sz(m.f) - (m.text.len + m.data.len))
88 |         print
89 | 
90 | if __name__ == '__main__' :
91 |     test()


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/main/java/mclfloader/MCLFHeader.java:
--------------------------------------------------------------------------------
 1 | package mclfloader;
 2 | 
 3 | import java.io.IOException;
 4 | 
 5 | import ghidra.app.util.bin.BinaryReader;
 6 | import ghidra.app.util.bin.StructConverter;
 7 | import ghidra.program.flatapi.FlatProgramAPI;
 8 | import ghidra.program.model.address.Address;
 9 | import ghidra.program.model.data.ArrayDataType;
10 | import ghidra.program.model.data.DataType;
11 | import ghidra.program.model.data.Structure;
12 | import ghidra.program.model.data.StructureDataType;
13 | 
14 | public class MCLFHeader implements StructConverter {
15 |     public String intro;
16 |     public long version;
17 |     public long flags;
18 |     public long memType;
19 |     public long serviceType;
20 |     public long numInstances;
21 |     public byte[] uuid;
22 |     public long driverId;
23 |     public long numThreads;
24 |     public Address textVa;
25 |     public long textLen;
26 |     public Address dataVa;
27 |     public long dataLen;
28 |     public long bssLen;
29 |     public Address entry;
30 |     public long serviceVersion;
31 | 
32 |     public MCLFHeader(FlatProgramAPI api, BinaryReader reader) throws IOException {
33 |         reader.setPointerIndex(0);
34 |         intro = reader.readNextAsciiString(4);
35 |         version = reader.readNextUnsignedInt();
36 |         flags = reader.readNextUnsignedInt();
37 |         memType = reader.readNextUnsignedInt();
38 |         serviceType = reader.readNextUnsignedInt();
39 |         numInstances = reader.readNextUnsignedInt();
40 |         uuid = reader.readNextByteArray(16);
41 |         driverId = reader.readNextUnsignedInt();
42 |         numThreads = reader.readNextUnsignedInt();
43 |         textVa = api.toAddr(reader.readNextUnsignedInt());
44 |         textLen = reader.readNextUnsignedInt();
45 |         dataVa = api.toAddr(reader.readNextUnsignedInt());
46 |         dataLen = reader.readNextUnsignedInt();
47 |         bssLen = reader.readNextUnsignedInt();
48 |         entry = api.toAddr(reader.readNextUnsignedInt());
49 |         serviceVersion = reader.readNextUnsignedInt();
50 |     }
51 | 
52 |     @Override
53 |     public DataType toDataType() {
54 |         Structure struct = new StructureDataType("mclfHeader_t", 0);
55 |         struct.add(ASCII, 4, "intro", null);
56 |         struct.add(DWORD, 4, "version", null);
57 |         struct.add(DWORD, 4, "flags", null);
58 |         struct.add(DWORD, 4, "memType", null);
59 |         struct.add(DWORD, 4, "serviceType", null);
60 |         struct.add(DWORD, 4, "numInstances", null);
61 |         struct.add(new ArrayDataType(BYTE, 16, 1), "uuid", null);
62 |         struct.add(DWORD, 4, "driverId", null);
63 |         struct.add(DWORD, 4, "numThreads", null);
64 |         struct.add(POINTER, 4, "textVa", null);
65 |         struct.add(DWORD, 4, "textLen", null);
66 |         struct.add(POINTER, 4, "dataVa", null);
67 |         struct.add(DWORD, 4, "dataLen", null);
68 |         struct.add(DWORD, 4, "bssLen", null);
69 |         struct.add(POINTER, 4, "entry", null);
70 |         struct.add(DWORD, 4, "serviceVersion", null);
71 |         return struct;
72 |     }
73 | }
74 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/main/help/help/TOC_Source.xml:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='ISO-8859-1' ?>
 2 | <!-- 
 3 | 
 4 | 	This is an XML file intended to be parsed by the Ghidra help system.  It is loosely based 
 5 | 	upon the JavaHelp table of contents document format.  The Ghidra help system uses a 
 6 | 	TOC_Source.xml file to allow a module with help to define how its contents appear in the 
 7 | 	Ghidra help viewer's table of contents.  The main document (in the Base module) 
 8 | 	defines a basic structure for the 
 9 | 	Ghidra table of contents system.  Other TOC_Source.xml files may use this structure to insert
10 | 	their files directly into this structure (and optionally define a substructure).
11 | 	
12 | 	
13 | 	In this document, a tag can be either a <tocdef> or a <tocref>.  The former is a definition
14 | 	of an XML item that may have a link and may contain other <tocdef> and <tocref> children.  
15 | 	<tocdef> items may be referred to in other documents by using a <tocref> tag with the 
16 | 	appropriate id attribute value.  Using these two tags allows any module to define a place 
17 | 	in the table of contents system (<tocdef>), which also provides a place for 
18 | 	other TOC_Source.xml files to insert content (<tocref>).  
19 | 	
20 | 	During the help build time, all TOC_Source.xml files will be parsed and	validated to ensure
21 | 	that all <tocref> tags point to valid <tocdef> tags.  From these files will be generated
22 | 	<module name>_TOC.xml files, which are table of contents files written in the format 
23 | 	desired by the JavaHelp system.   Additionally, the genated files will be merged together
24 | 	as they are loaded by the JavaHelp system.  In the end, when displaying help in the Ghidra
25 | 	help GUI, there will be on table of contents that has been created from the definitions in 
26 | 	all of the modules' TOC_Source.xml files.
27 | 
28 | 	
29 | 	Tags and Attributes
30 | 	
31 | 	<tocdef>
32 | 	-id          - the name of the definition (this must be unique across all TOC_Source.xml files)	
33 | 	-text        - the display text of the node, as seen in the help GUI
34 | 	-target**    - the file to display when the node is clicked in the GUI
35 | 	-sortgroup   - this is a string that defines where a given node should appear under a given
36 | 	               parent.  The string values will be sorted by the JavaHelp system using
37 | 	               a javax.text.RulesBasedCollator.  If this attribute is not specified, then
38 | 	               the text of attribute will be used.
39 | 
40 | 	<tocref>
41 | 	-id			 - The id of the <tocdef> that this reference points to 
42 | 	
43 | 	**The URL for the target is relative and should start with 'help/topics'.  This text is 
44 | 	used by the Ghidra help system to provide a universal starting point for all links so that
45 | 	they can be resolved at runtime, across modules.
46 | 	
47 | 	
48 | -->
49 | 
50 | 
51 | <tocroot>
52 | 	<!-- Uncomment and adjust fields to add help topic to help system's Table of Contents
53 | 	<tocref id="Ghidra Functionality">
54 | 		<tocdef id="HelpAnchor" text="My Feature" target="help/topics/my_topic/help.html" />
55 | 	</tocref>
56 | 	-->
57 | </tocroot>
58 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/src/main/help/help/TOC_Source.xml:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='ISO-8859-1' ?>
 2 | <!-- 
 3 | 
 4 | 	This is an XML file intended to be parsed by the Ghidra help system.  It is loosely based 
 5 | 	upon the JavaHelp table of contents document format.  The Ghidra help system uses a 
 6 | 	TOC_Source.xml file to allow a module with help to define how its contents appear in the 
 7 | 	Ghidra help viewer's table of contents.  The main document (in the Base module) 
 8 | 	defines a basic structure for the 
 9 | 	Ghidra table of contents system.  Other TOC_Source.xml files may use this structure to insert
10 | 	their files directly into this structure (and optionally define a substructure).
11 | 	
12 | 	
13 | 	In this document, a tag can be either a <tocdef> or a <tocref>.  The former is a definition
14 | 	of an XML item that may have a link and may contain other <tocdef> and <tocref> children.  
15 | 	<tocdef> items may be referred to in other documents by using a <tocref> tag with the 
16 | 	appropriate id attribute value.  Using these two tags allows any module to define a place 
17 | 	in the table of contents system (<tocdef>), which also provides a place for 
18 | 	other TOC_Source.xml files to insert content (<tocref>).  
19 | 	
20 | 	During the help build time, all TOC_Source.xml files will be parsed and	validated to ensure
21 | 	that all <tocref> tags point to valid <tocdef> tags.  From these files will be generated
22 | 	<module name>_TOC.xml files, which are table of contents files written in the format 
23 | 	desired by the JavaHelp system.   Additionally, the genated files will be merged together
24 | 	as they are loaded by the JavaHelp system.  In the end, when displaying help in the Ghidra
25 | 	help GUI, there will be on table of contents that has been created from the definitions in 
26 | 	all of the modules' TOC_Source.xml files.
27 | 
28 | 	
29 | 	Tags and Attributes
30 | 	
31 | 	<tocdef>
32 | 	-id          - the name of the definition (this must be unique across all TOC_Source.xml files)	
33 | 	-text        - the display text of the node, as seen in the help GUI
34 | 	-target**    - the file to display when the node is clicked in the GUI
35 | 	-sortgroup   - this is a string that defines where a given node should appear under a given
36 | 	               parent.  The string values will be sorted by the JavaHelp system using
37 | 	               a javax.text.RulesBasedCollator.  If this attribute is not specified, then
38 | 	               the text of attribute will be used.
39 | 
40 | 	<tocref>
41 | 	-id			 - The id of the <tocdef> that this reference points to 
42 | 	
43 | 	**The URL for the target is relative and should start with 'help/topics'.  This text is 
44 | 	used by the Ghidra help system to provide a universal starting point for all links so that
45 | 	they can be resolved at runtime, across modules.
46 | 	
47 | 	
48 | -->
49 | 
50 | 
51 | <tocroot>
52 | 	<!-- Uncomment and adjust fields to add help topic to help system's Table of Contents
53 | 	<tocref id="Ghidra Functionality">
54 | 		<tocdef id="HelpAnchor" text="My Feature" target="help/topics/my_topic/help.html" />
55 | 	</tocref>
56 | 	-->
57 | </tocroot>
58 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/main/help/help/shared/Frontpage.css:
--------------------------------------------------------------------------------
 1 | /* ###
 2 |  * IP: GHIDRA
 3 |  *
 4 |  * Licensed under the Apache License, Version 2.0 (the "License");
 5 |  * you may not use this file except in compliance with the License.
 6 |  * You may obtain a copy of the License at
 7 |  * 
 8 |  *      http://www.apache.org/licenses/LICENSE-2.0
 9 |  * 
10 |  * Unless required by applicable law or agreed to in writing, software
11 |  * distributed under the License is distributed on an "AS IS" BASIS,
12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 |  * See the License for the specific language governing permissions and
14 |  * limitations under the License.
15 |  */
16 | /*
17 | 									WARNING!
18 |     This file is copied to all help directories.  If you change this file, you must copy it 
19 |     to each src/main/help/help/shared directory.									
20 | 									
21 | 	
22 | 	Java Help Note:  JavaHelp does not accept sizes (like in 'margin-top') in anything but 
23 | 	px (pixel) or with no type marking. 
24 | 
25 | */ 
26 | 
27 | body { margin-bottom: 50px; margin-left: 10px; margin-right: 10px; margin-top: 10px; } /* some padding to improve readability */ 
28 | li { font-family:times new roman; font-size:14pt; }
29 | h1 { color:#000080; font-family:times new roman; font-size:36pt; font-style:italic; font-weight:bold; text-align:center; }
30 | h2 { margin: 10px; margin-top: 20px; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; }
31 | h3 { margin-left: 10px; margin-top: 20px; color:#0000ff; font-family:times new roman; font-size:14pt; font-weight:bold;  }
32 | h4 { margin-left: 10px; margin-top: 20px; font-family:times new roman; font-size:14pt; font-style:italic; }
33 |  
34 | /*
35 | 	 P tag code.  Most of the help files nest P tags inside of blockquote tags (the was the 
36 | 	 way it had been done in the beginning).  The net effect is that the text is indented.  In 
37 | 	 modern HTML we would use CSS to do this.  We need to support the Ghidra P tags, nested in
38 | 	 blockquote tags, as well as naked P tags.  The following two lines accomplish this.  Note
39 | 	 that the 'blockquote p' definition will inherit from the first 'p' definition.
40 | */
41 | p { margin-left: 40px; font-family:times new roman; font-size:14pt; }
42 | blockquote p { margin-left: 10px; }
43 | 
44 | p.providedbyplugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px  }
45 | p.ProvidedByPlugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px }
46 | p.relatedtopic { color:#800080; margin-left: 10px; font-size:14pt; }
47 | p.RelatedTopic { color:#800080; margin-left: 10px; font-size:14pt; }
48 | 
49 | /* 
50 | 	We wish for a tables to have space between it and the preceding element, so that text
51 | 	is not too close to the top of the table.  Also, nest the table a bit so that it is clear
52 | 	the table relates to the preceding text.
53 | */
54 | table { margin-left: 20px; margin-top: 10px; width: 80%;}
55 | td { font-family:times new roman; font-size:14pt; vertical-align: top; }
56 | th { font-family:times new roman; font-size:14pt; font-weight:bold; background-color: #EDF3FE; }
57 | 
58 | code { color: black; font-family: courier new; font-size: 14pt; }
59 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/src/main/help/help/shared/Frontpage.css:
--------------------------------------------------------------------------------
 1 | /* ###
 2 |  * IP: GHIDRA
 3 |  *
 4 |  * Licensed under the Apache License, Version 2.0 (the "License");
 5 |  * you may not use this file except in compliance with the License.
 6 |  * You may obtain a copy of the License at
 7 |  * 
 8 |  *      http://www.apache.org/licenses/LICENSE-2.0
 9 |  * 
10 |  * Unless required by applicable law or agreed to in writing, software
11 |  * distributed under the License is distributed on an "AS IS" BASIS,
12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 |  * See the License for the specific language governing permissions and
14 |  * limitations under the License.
15 |  */
16 | /*
17 | 									WARNING!
18 |     This file is copied to all help directories.  If you change this file, you must copy it 
19 |     to each src/main/help/help/shared directory.									
20 | 									
21 | 	
22 | 	Java Help Note:  JavaHelp does not accept sizes (like in 'margin-top') in anything but 
23 | 	px (pixel) or with no type marking. 
24 | 
25 | */ 
26 | 
27 | body { margin-bottom: 50px; margin-left: 10px; margin-right: 10px; margin-top: 10px; } /* some padding to improve readability */ 
28 | li { font-family:times new roman; font-size:14pt; }
29 | h1 { color:#000080; font-family:times new roman; font-size:36pt; font-style:italic; font-weight:bold; text-align:center; }
30 | h2 { margin: 10px; margin-top: 20px; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; }
31 | h3 { margin-left: 10px; margin-top: 20px; color:#0000ff; font-family:times new roman; font-size:14pt; font-weight:bold;  }
32 | h4 { margin-left: 10px; margin-top: 20px; font-family:times new roman; font-size:14pt; font-style:italic; }
33 |  
34 | /*
35 | 	 P tag code.  Most of the help files nest P tags inside of blockquote tags (the was the 
36 | 	 way it had been done in the beginning).  The net effect is that the text is indented.  In 
37 | 	 modern HTML we would use CSS to do this.  We need to support the Ghidra P tags, nested in
38 | 	 blockquote tags, as well as naked P tags.  The following two lines accomplish this.  Note
39 | 	 that the 'blockquote p' definition will inherit from the first 'p' definition.
40 | */
41 | p { margin-left: 40px; font-family:times new roman; font-size:14pt; }
42 | blockquote p { margin-left: 10px; }
43 | 
44 | p.providedbyplugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px  }
45 | p.ProvidedByPlugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px }
46 | p.relatedtopic { color:#800080; margin-left: 10px; font-size:14pt; }
47 | p.RelatedTopic { color:#800080; margin-left: 10px; font-size:14pt; }
48 | 
49 | /* 
50 | 	We wish for a tables to have space between it and the preceding element, so that text
51 | 	is not too close to the top of the table.  Also, nest the table a bit so that it is clear
52 | 	the table relates to the preceding text.
53 | */
54 | table { margin-left: 20px; margin-top: 10px; width: 80%;}
55 | td { font-family:times new roman; font-size:14pt; vertical-align: top; }
56 | th { font-family:times new roman; font-size:14pt; font-weight:bold; background-color: #EDF3FE; }
57 | 
58 | code { color: black; font-family: courier new; font-size: 14pt; }
59 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/mclfloader/src/main/java/mclfloader/MCLFLoader.java:
--------------------------------------------------------------------------------
 1 | package mclfloader;
 2 | 
 3 | import java.io.IOException;
 4 | import java.io.InputStream;
 5 | import java.util.ArrayList;
 6 | import java.util.Collection;
 7 | import java.util.List;
 8 | 
 9 | import ghidra.app.util.Option;
10 | import ghidra.app.util.bin.BinaryReader;
11 | import ghidra.app.util.bin.ByteProvider;
12 | import ghidra.app.util.importer.MessageLog;
13 | import ghidra.app.util.opinion.AbstractLibrarySupportLoader;
14 | import ghidra.app.util.opinion.LoadSpec;
15 | import ghidra.program.flatapi.FlatProgramAPI;
16 | import ghidra.program.model.address.Address;
17 | import ghidra.program.model.data.DataUtilities;
18 | import ghidra.program.model.data.DataUtilities.ClearDataMode;
19 | import ghidra.program.model.lang.LanguageCompilerSpecPair;
20 | import ghidra.program.model.listing.Program;
21 | import ghidra.program.model.mem.MemoryBlock;
22 | import ghidra.program.model.util.CodeUnitInsertionException;
23 | import ghidra.util.Msg;
24 | import ghidra.util.exception.CancelledException;
25 | import ghidra.util.task.TaskMonitor;
26 | 
27 | public class MCLFLoader extends AbstractLibrarySupportLoader {
28 |     public MCLFHeader header;
29 | 
30 |     @Override
31 |     public String getName() {
32 |         return "MobiCore Loadable Format (MCLF)";
33 |     }
34 | 
35 |     @Override
36 |     public Collection<LoadSpec> findSupportedLoadSpecs(ByteProvider provider) throws IOException {
37 |         BinaryReader reader = new BinaryReader(provider, true);
38 |         if (reader.readNextAsciiString(4).equals("MCLF"))
39 |             return List.of(new LoadSpec(this, 0, new LanguageCompilerSpecPair("ARM:LE:32:v7", "default"), true));
40 |         return new ArrayList<>();
41 |     }
42 | 
43 |     @Override
44 |     protected void load(ByteProvider provider, LoadSpec loadSpec, List<Option> options, Program program,
45 |             TaskMonitor monitor, MessageLog log) throws CancelledException, IOException {
46 |         BinaryReader reader = new BinaryReader(provider, true);
47 |         FlatProgramAPI api = new FlatProgramAPI(program, monitor);
48 | 
49 |         header = new MCLFHeader(api, reader);
50 | 
51 |         InputStream input = provider.getInputStream(0);
52 |         createSegment(api, input, ".text", header.textVa, header.textLen, true, false, true);
53 |         createSegment(api, input, ".data", header.dataVa, header.dataLen, true, true, false);
54 |         createSegment(api, null, ".bss", header.dataVa.add(header.dataLen), header.bssLen, true, true, false);
55 | 
56 |         api.addEntryPoint(header.entry);
57 |         api.createFunction(header.entry, "_entry");
58 | 
59 |         try {
60 |             api.createLabel(header.textVa.add(0x8c), "tlApiLibEntry", true);
61 |         } catch (Exception e) {
62 |             Msg.error(this, e.getMessage());
63 |         }
64 | 
65 |         try {
66 |             DataUtilities.createData(program, header.textVa, header.toDataType(), -1, false,
67 |                     ClearDataMode.CLEAR_ALL_UNDEFINED_CONFLICT_DATA);
68 |         } catch (CodeUnitInsertionException e) {
69 |             Msg.error(this, e.getMessage());
70 |         }
71 |     }
72 | 
73 |     private void createSegment(FlatProgramAPI api, InputStream input, String name, Address start, long length,
74 |             boolean read, boolean write, boolean exec) {
75 |         try {
76 |             MemoryBlock text = api.createMemoryBlock(name, start, input, length, false);
77 |             text.setRead(read);
78 |             text.setWrite(write);
79 |             text.setExecute(exec);
80 |         } catch (Exception e) {
81 |             Msg.error(this, e.getMessage());
82 |         }
83 |     }
84 | }
85 | 


--------------------------------------------------------------------------------
/tainting/mclf2elf/mclf2elf.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | """
  3 | Convert an MCLF file to a fake elf file so we can use normal tools with it.
  4 | """
  5 | 
  6 | import sys, struct
  7 | from mclf import *
  8 | 
  9 | def writefmt(f, fmt, *args) :
 10 |     f.write(struct.pack(fmt, *args))
 11 | 
 12 | class EHdr(object) :
 13 |     def __init__(self, entry, phnum) :
 14 |         self.e_ident = '\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'
 15 |         self.e_type = 0x2
 16 |         self.e_machine = 0x28
 17 |         self.e_version = 0x1
 18 |         self.e_entry = entry
 19 |         self.e_phoff = 0x34
 20 |         self.e_shoff = 0
 21 |         self.e_flags = 0x4000002
 22 |         self.e_ehsize = 0x34
 23 |         self.e_phentsize = 0x20
 24 |         self.e_phnum = phnum
 25 |         self.e_shentsize = 0x28
 26 |         self.e_shnum = 0
 27 |         self.e_shstrndx = 0
 28 | 
 29 |     def write(self, f) :
 30 |         f.write(self.e_ident) 
 31 |         writefmt(f, '<HHIIIIIHHHHHH', self.e_type, 
 32 |                 self.e_machine, 
 33 |                 self.e_version, 
 34 |                 self.e_entry, 
 35 |                 self.e_phoff, 
 36 |                 self.e_shoff, 
 37 |                 self.e_flags, 
 38 |                 self.e_ehsize, 
 39 |                 self.e_phentsize, 
 40 |                 self.e_phnum, 
 41 |                 self.e_shentsize, 
 42 |                 self.e_shnum, 
 43 |                 self.e_shstrndx)
 44 | 
 45 | class PHdr(object) :
 46 |     def __init__(self, typ, off, vaddr, paddr, sz, vsz, flags, align) :
 47 |         self.p_type = typ
 48 |         self.p_offset = off
 49 |         self.p_vaddr = vaddr
 50 |         self.p_paddr = paddr
 51 |         self.p_filesz = sz
 52 |         self.p_memsz = vsz
 53 |         self.p_flags = flags
 54 |         self.p_align = align
 55 |     def write(self, f) :
 56 |         return writefmt(f, '<IIIIIIII',
 57 |             self.p_type,
 58 |             self.p_offset,
 59 |             self.p_vaddr,
 60 |             self.p_paddr,
 61 |             self.p_filesz,
 62 |             self.p_memsz,
 63 |             self.p_flags,
 64 |             self.p_align)
 65 | 
 66 | class Elf(object) :
 67 |     def __init__(self, entry) :
 68 |         self.entry = entry
 69 |         self.phdrs = []
 70 |         self.data = []
 71 |         self.dOff = 0
 72 | 
 73 |     def addPhdr(self, typ, vaddr, vsz, dat, flags) :
 74 |         p = PHdr(typ, self.dOff, vaddr, vaddr, len(dat), vsz, flags, 1<<12)
 75 |         self.phdrs.append(p)
 76 |         self.data.append(dat)
 77 |         self.dOff += len(dat)
 78 | 
 79 |     def write(self, f) :
 80 |         e = EHdr(self.entry, len(self.phdrs))
 81 |         e.e_phoff = self.e_ehsize = 0x34
 82 |         e.write(f)
 83 | 
 84 |         off = e.e_ehsize + e.e_phentsize * len(self.phdrs)
 85 |         for p in self.phdrs :
 86 |             p.p_offset += off
 87 |             p.write(f)
 88 | 
 89 |         for d in self.data :
 90 |             f.write(d)
 91 |     
 92 | def proc(fn) :
 93 |     m = MCLF(fn)
 94 |     m.f.seek(0)
 95 |     e = Elf(m.entry)
 96 |     if m.text.len :
 97 |         d = m.f.read(m.text.len)
 98 |         e.addPhdr(1, m.text.start, m.text.len, d, 5)
 99 |     if m.data.len or m.bssLen :
100 |         d = m.f.read(m.data.len)
101 |         e.addPhdr(1, m.data.start, m.data.len + m.bssLen, d, 6)
102 |     d = m.f.read(521)
103 |     e.addPhdr(0, 0xffff0000, 521, d, 4)
104 | 
105 |     outFn = fn + '.elf'
106 |     with file(outFn, 'wb') as f :
107 |         e.write(f)
108 | 
109 |     pos = m.f.tell()
110 |     m.f.seek(0, 2)
111 |     delta = m.f.tell() - pos
112 |     assert delta == 0  # no data left in original file!
113 | 
114 | for arg in sys.argv[1:] :
115 |     proc(arg)


--------------------------------------------------------------------------------
/bindings/docs/index.rst:
--------------------------------------------------------------------------------
  1 | .. include:: ../README.rst
  2 | 
  3 | Reference
  4 | =========
  5 | 
  6 | Error
  7 | -----
  8 | 
  9 | .. autoclass:: mcclient.Error
 10 |     :members:
 11 |     :undoc-members:
 12 |     :show-inheritance:
 13 | 
 14 | Device
 15 | ------
 16 | 
 17 | .. autoclass:: mcclient.Device
 18 |     :members:
 19 |     :undoc-members:
 20 |     :show-inheritance:
 21 | 
 22 | Trustlet
 23 | -----------
 24 | 
 25 | .. autoclass:: mcclient.Trustlet
 26 |     :members:
 27 |     :undoc-members:
 28 |     :show-inheritance:
 29 | 
 30 | Buffer
 31 | ------
 32 | 
 33 | .. autoclass:: mcclient.Buffer
 34 |     :members:
 35 |     :undoc-members:
 36 |     :show-inheritance:
 37 | 
 38 | Constants
 39 | ---------
 40 | 
 41 | .. data:: mcclient.DEVICE_ID_DEFAULT = 0
 42 | 
 43 |     The default device ID
 44 | 
 45 | .. data:: mcclient.INFINITE_TIMEOUT = -1
 46 | 
 47 |     Wait infinite for a response of the MC
 48 | 
 49 | .. data:: mcclient.INFINITE_TIMEOUT_INTERRUPTIBLE = -2
 50 | 
 51 |     Wait infinite for a response of the MC, exit on signal
 52 | 
 53 | .. data:: mcclient.NO_TIMEOUT = 0
 54 | 
 55 |     Do not wait for a response of the MC
 56 | 
 57 | .. data:: mcclient.MAX_TCI_LEN = 0x100000
 58 | 
 59 |     TCI/DCI must not exceed 1MiB
 60 | 
 61 | Return values of MobiCore driver functions
 62 | 
 63 | .. data:: mcclient.OK = 0x00000000
 64 | .. data:: mcclient.NO_NOTIFICATION = 0x00000001
 65 | .. data:: mcclient.ERR_NOTIFICATION = 0x00000002
 66 | .. data:: mcclient.ERR_NOT_IMPLEMENTED = 0x00000003
 67 | .. data:: mcclient.ERR_OUT_OF_RESOURCES = 0x00000004
 68 | .. data:: mcclient.ERR_INIT = 0x00000005
 69 | .. data:: mcclient.ERR_UNKNOWN = 0x00000006
 70 | .. data:: mcclient.ERR_UNKNOWN_DEVICE = 0x00000007
 71 | .. data:: mcclient.ERR_UNKNOWN_SESSION = 0x00000008
 72 | .. data:: mcclient.ERR_INVALID_OPERATION = 0x00000009
 73 | .. data:: mcclient.ERR_INVALID_RESPONSE = 0x0000000a
 74 | .. data:: mcclient.ERR_TIMEOUT = 0x0000000b
 75 | .. data:: mcclient.ERR_NO_FREE_MEMORY = 0x0000000c
 76 | .. data:: mcclient.ERR_FREE_MEMORY_FAILED = 0x0000000d
 77 | .. data:: mcclient.ERR_SESSION_PENDING = 0x0000000e
 78 | .. data:: mcclient.ERR_DAEMON_UNREACHABLE = 0x0000000f
 79 | .. data:: mcclient.ERR_INVALID_DEVICE_FILE = 0x00000010
 80 | .. data:: mcclient.ERR_INVALID_PARAMETER = 0x00000011
 81 | .. data:: mcclient.ERR_KERNEL_MODULE = 0x00000012
 82 | .. data:: mcclient.ERR_BULK_MAPPING = 0x00000013
 83 | .. data:: mcclient.ERR_BULK_UNMAPPING = 0x00000014
 84 | .. data:: mcclient.INFO_NOTIFICATION = 0x00000015
 85 | .. data:: mcclient.ERR_NQ_FAILED = 0x00000016
 86 | .. data:: mcclient.ERR_DAEMON_VERSION = 0x00000017
 87 | .. data:: mcclient.ERR_CONTAINER_VERSION = 0x00000018
 88 | .. data:: mcclient.ERR_WRONG_PUBLIC_KEY = 0x00000019
 89 | .. data:: mcclient.ERR_CONTAINER_TYPE_MISMATCH = 0x0000001a
 90 | .. data:: mcclient.ERR_CONTAINER_LOCKED = 0x0000001b
 91 | .. data:: mcclient.ERR_SP_NO_CHILD = 0x0000001c
 92 | .. data:: mcclient.ERR_TL_NO_CHILD = 0x0000001d
 93 | .. data:: mcclient.ERR_UNWRAP_ROOT_FAILED = 0x0000001e
 94 | .. data:: mcclient.ERR_UNWRAP_SP_FAILED = 0x0000001f
 95 | .. data:: mcclient.ERR_UNWRAP_TRUSTLET_FAILED = 0x00000020
 96 | .. data:: mcclient.ERR_DAEMON_DEVICE_NOT_OPEN = 0x00000021
 97 | .. data:: mcclient.ERR_TA_HEADER_ERROR = 0x00000021
 98 | .. data:: mcclient.ERR_TA_ATTESTATION_ERROR = 0x00000022
 99 | .. data:: mcclient.ERR_INTERRUPTED_BY_SIGNAL = 0x00000023
100 | .. data:: mcclient.ERR_SERVICE_BLOCKED = 0x00000024
101 | .. data:: mcclient.ERR_SERVICE_LOCKED = 0x00000025
102 | .. data:: mcclient.ERR_SERVICE_KILLED = 0x00000026
103 | .. data:: mcclient.ERR_NO_FREE_INSTANCES = 0x00000027
104 | 
105 | Indices and tables
106 | ==================
107 | 
108 | * :ref:`genindex`
109 | * :ref:`modindex`
110 | * :ref:`search`
111 | 


--------------------------------------------------------------------------------
/scripts/loaders/IDAPro/mclf_loader.py:
--------------------------------------------------------------------------------
  1 | '''
  2 | * This program is free software ; you can redistribute it and/or modify
  3 | * it under the terms of the GNU General Public License as published by
  4 | * the Free Software Foundation ; either version 2 of the License, or
  5 | * (at your option) any later version.
  6 | *
  7 | * This program is distributed in the hope that it will be useful,
  8 | * but WITHOUT ANY WARRANTY ; without even the implied warranty of
  9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 10 | * GNU General Public License for more details.
 11 | *
 12 | * You should have received a copy of the GNU General Public License
 13 | * along with the program ; if not, write to the Free Software
 14 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 15 | *
 16 | * @file mclf_loader.py
 17 | * @brief Mobicore trustlet and drive binary loader for IDA
 18 | * @author Gassan Idriss <ghassani@gmail.com>
 19 | '''
 20 | import struct
 21 | import sys
 22 | import idaapi
 23 | import idc
 24 | import ida_bytes
 25 | import ida_idp
 26 | import ida_name
 27 | import ida_segregs
 28 | 
 29 | MCLF_HEADER_MAGIC 		= b"MCLF"
 30 | MCLF_HEADER_SIZE_V1 	= 72
 31 | MCLF_HEADER_SIZE_V2 	= 76
 32 | MCLF_HEADER_SIZE_V23 	= 96
 33 | MCLF_TEXT_INFO_OFFSET 	= 128
 34 | MCLF_TEXT_INFO_SIZE 	= 36
 35 | MCLF_HEADER_SIZE 		= MCLF_TEXT_INFO_OFFSET + MCLF_TEXT_INFO_SIZE
 36 | tlApiLibEntry           = 0x108C
 37 | 
 38 | def decode(s):
 39 |     """Decodes UTF-8 bytes into a unicode string."""
 40 |     if isinstance(s, str):
 41 |         return s
 42 |     return s.decode("utf-8")
 43 | 
 44 | def accept_file(f, filename):
 45 | 	retval = 0
 46 | 	if filename == 0 or type(filename) == str:
 47 | 		f.seek(0)
 48 | 		magic = f.read(4)
 49 | 		versionMinor = struct.unpack("<h", f.read(2))[0]
 50 | 		versionMajor = struct.unpack("<h", f.read(2))[0]
 51 | 		if magic == MCLF_HEADER_MAGIC and versionMajor > 1 and versionMajor < 3:
 52 | 			retval = "%s v%d.%d executable for ARM" % (decode(magic), versionMajor, versionMinor)
 53 | 	return retval
 54 | 
 55 | def load_file(f, neflags, format):
 56 | 	f.seek(0)
 57 | 	
 58 | 	magic 		 	= f.read(4)
 59 | 	version 	 	= struct.unpack("<I", f.read(4))[0]
 60 | 	flags 		 	= struct.unpack("<I", f.read(4))[0]
 61 | 	memType 	 	= struct.unpack("<I", f.read(4))[0]
 62 | 	serviceType  	= struct.unpack("<I", f.read(4))[0]
 63 | 	numInstances 	= struct.unpack("<I", f.read(4))[0]
 64 | 	uuid 		 	= struct.unpack("<IIII", f.read(16))
 65 | 	driverId 	 	= struct.unpack("<I", f.read(4))[0]
 66 | 	numThreads 	 	= struct.unpack("<I", f.read(4))[0]
 67 | 	textVA  	 	= struct.unpack("<I", f.read(4))[0]
 68 | 	textLen 	 	= struct.unpack("<I", f.read(4))[0]
 69 | 	dataVA  	 	= struct.unpack("<I", f.read(4))[0]
 70 | 	dataLen 	 	= struct.unpack("<I", f.read(4))[0]
 71 | 	bssLen 	 	 	= struct.unpack("<I", f.read(4))[0]
 72 | 	entry 	 	 	= struct.unpack("<I", f.read(4))[0]
 73 | 
 74 | 	f.seek(MCLF_TEXT_INFO_OFFSET)
 75 | 	
 76 | 	idaapi.set_processor_type("arm", ida_idp.SETPROC_LOADER_NON_FATAL)
 77 | 
 78 | 	# Set VA for .text and add the segment
 79 | 	f.file2base(0, textVA, textVA + textLen, True)
 80 | 	idaapi.add_segm(0, textVA, textVA + textLen, ".text", "CODE")
 81 | 
 82 | 	# Set VA for .data and add the segment
 83 | 	f.file2base(textLen, dataVA, dataVA + dataLen, True)
 84 | 	idaapi.add_segm(0, dataVA, dataVA + dataLen, ".data", "DATA")
 85 | 	
 86 | 	# Add BSS segment after .text and .data
 87 | 	idaapi.add_segm(0, dataVA + dataLen, dataVA + dataLen + bssLen, ".bss", "BSS")
 88 | 
 89 | 	if entry % 4 == 1: 
 90 | 		#Thumb address is always +1 to set the T bit
 91 | 		idaapi.add_entry(entry-1, entry-1, "_entry", 1)
 92 | 		idc.split_sreg_range(entry-1, "T", 0x1, ida_segregs.SR_user)
 93 | 	else:
 94 | 		idaapi.add_entry(entry, entry, "_entry", 1)
 95 | 		idc.split_sreg_range(entry, "T", 0x0, ida_segregs.SR_user)
 96 | 
 97 | 	ida_bytes.create_data(tlApiLibEntry, idaapi.FF_DWORD, 4, idaapi.BADADDR)
 98 | 	idc.set_name(tlApiLibEntry, "tlApiLibEntry", ida_name.SN_CHECK)
 99 | 	return 1
100 | 


--------------------------------------------------------------------------------
/bindings/mcclient/mcclient_const.py:
--------------------------------------------------------------------------------
  1 | DEVICE_ID_DEFAULT = 0                # The default device ID
  2 | INFINITE_TIMEOUT = -1                # Wait infinite for a response of the MC
  3 | INFINITE_TIMEOUT_INTERRUPTIBLE = -2  # Wait infinite for a response of the MC,
  4 |                                      # exit on signal
  5 | NO_TIMEOUT = 0                       # Do not wait for a response of the MC
  6 | MAX_TCI_LEN = 0x100000               # TCI/DCI must not exceed 1MiB
  7 | 
  8 | #
  9 | # MobiCore driver API error codes
 10 | # MAJOR part of error code is stable
 11 | # MCP part contains MCP result code
 12 | # DETAIL part may be used in testing for specific error code
 13 | #
 14 | ERROR_MAJOR = lambda ecode: ecode & 0xff
 15 | ERROR_MCP = lambda ecode: (ecode >> 8) & 0xff
 16 | ERROR_DETAIL = lambda ecode: (ecode >> 16) & 0xfff
 17 | 
 18 | #
 19 | # Return values of MobiCore driver functions
 20 | #
 21 | OK = 0x00000000
 22 | NO_NOTIFICATION = 0x00000001
 23 | ERR_NOTIFICATION = 0x00000002
 24 | ERR_NOT_IMPLEMENTED = 0x00000003
 25 | ERR_OUT_OF_RESOURCES = 0x00000004
 26 | ERR_INIT = 0x00000005
 27 | ERR_UNKNOWN = 0x00000006
 28 | ERR_UNKNOWN_DEVICE = 0x00000007
 29 | ERR_UNKNOWN_SESSION = 0x00000008
 30 | ERR_INVALID_OPERATION = 0x00000009
 31 | ERR_INVALID_RESPONSE = 0x0000000a
 32 | ERR_TIMEOUT = 0x0000000b
 33 | ERR_NO_FREE_MEMORY = 0x0000000c
 34 | ERR_FREE_MEMORY_FAILED = 0x0000000d
 35 | ERR_SESSION_PENDING = 0x0000000e
 36 | ERR_DAEMON_UNREACHABLE = 0x0000000f
 37 | ERR_INVALID_DEVICE_FILE = 0x00000010
 38 | ERR_INVALID_PARAMETER = 0x00000011
 39 | ERR_KERNEL_MODULE = 0x00000012
 40 | ERR_BULK_MAPPING = 0x00000013
 41 | ERR_BULK_UNMAPPING = 0x00000014
 42 | INFO_NOTIFICATION = 0x00000015
 43 | ERR_NQ_FAILED = 0x00000016
 44 | 
 45 | ERR_DAEMON_VERSION = 0x00000017
 46 | ERR_CONTAINER_VERSION = 0x00000018
 47 | 
 48 | #
 49 | # Those should become MCP or even detail codes on top of MC_DRV_ERR_MCP_ERROR
 50 | #
 51 | ERR_WRONG_PUBLIC_KEY = 0x00000019
 52 | ERR_CONTAINER_TYPE_MISMATCH = 0x0000001a
 53 | ERR_CONTAINER_LOCKED = 0x0000001b
 54 | ERR_SP_NO_CHILD = 0x0000001c
 55 | ERR_TL_NO_CHILD = 0x0000001d
 56 | ERR_UNWRAP_ROOT_FAILED = 0x0000001e
 57 | ERR_UNWRAP_SP_FAILED = 0x0000001f
 58 | ERR_UNWRAP_TRUSTLET_FAILED = 0x00000020
 59 | 
 60 | #
 61 | # Use separate numbers for those in the future
 62 | #
 63 | # ERR_DEVICE_ALREADY_OPEN = ERR_INVALID_OPERATION
 64 | # ERR_SOCKET_CONNECT = ERR_DAEMON_UNREACHABLE
 65 | # ERR_SOCKET_WRITE = ERR_DAEMON_UNREACHABLE
 66 | # ERR_SOCKET_READ = ERR_DAEMON_UNREACHABLE
 67 | # ERR_SOCKET_LENGTH = ERR_DAEMON_UNREACHABLE
 68 | # ERR_DAEMON_SOCKET = ERR_DAEMON_UNREACHABLE
 69 | # ERR_DEVICE_FILE_OPEN = ERR_INVALID_DEVICE_FILE
 70 | # ERR_NULL_POINTER = ERR_INVALID_PARAMETER
 71 | # ERR_TCI_TOO_BIG = ERR_INVALID_PARAMETER
 72 | # ERR_WSM_NOT_FOUND = ERR_INVALID_PARAMETER
 73 | # ERR_TCI_GREATER_THAN_WSM = ERR_INVALID_PARAMETER
 74 | # ERR_TRUSTLET_NOT_FOUND = ERR_INVALID_DEVICE_FILE
 75 | # ERR_TRUSTED_APPLICATION_NOT_FOUND = ERR_TRUSTLET_NOT_FOUND
 76 | # ERR_DAEMON_KMOD_ERROR = ERR_DAEMON_UNREACHABLE
 77 | # ERR_DAEMON_MCI_ERROR = ERR_DAEMON_UNREACHABLE
 78 | # ERR_MCP_ERROR = ERR_DAEMON_UNREACHABLE
 79 | # ERR_INVALID_LENGTH = ERR_NO_FREE_MEMORY
 80 | # ERR_KMOD_NOT_OPEN = ERR_NO_FREE_MEMORY
 81 | # ERR_BUFFER_ALREADY_MAPPED = ERR_BULK_MAPPING
 82 | # ERR_BLK_BUFF_NOT_FOUND = ERR_BULK_UNMAPPING
 83 | 
 84 | ERR_DAEMON_DEVICE_NOT_OPEN = 0x00000021
 85 | # ERR_DAEMON_WSM_HANDLE_NOT_FOUND = ERR_WSM_NOT_FOUND
 86 | # ERR_DAEMON_UNKNOWN_SESSION = ERR_UNKNOWN_SESSION
 87 | 
 88 | #
 89 | # Installation errors
 90 | #
 91 | ERR_TA_HEADER_ERROR = 0x00000021
 92 | ERR_TA_ATTESTATION_ERROR = 0x00000022
 93 | 
 94 | ERR_INTERRUPTED_BY_SIGNAL = 0x00000023
 95 | 
 96 | ERR_SERVICE_BLOCKED = 0x00000024
 97 | ERR_SERVICE_LOCKED = 0x00000025
 98 | ERR_SERVICE_KILLED = 0x00000026
 99 | ERR_NO_FREE_INSTANCES = 0x00000027
100 | 
101 | # MAKE_MCP_ERROR = lambda mcp_code: ERR_MCP_ERROR | ((mcp_code & 0xfffff) << 8)
102 | # MAKE_KMOD_WITH_ERRNO = lambda err: ERR_KERNEL_MODULE | ((err & 0xffff) << 16)
103 | 


--------------------------------------------------------------------------------
/scripts/scripts/Ghidra/tl_apis.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     [1, "tlApiGetVersion", "_DWORD tlApiGetVersion(_DWORD tlApiVersion);"],
 3 |     [2, "tlApiGetMobicoreVersion", "_DWORD tlApiGetMobicoreVersion(_DWORD mcVersionInfo);"],
 4 |     [3, "tlApiGetPlatformInfo", "_DWORD tlApiGetPlatformInfo(_DWORD platformInfo);"],
 5 |     [4, "tlApiExit", "void tlApiExit(_DWORD exitCode);"],
 6 |     [5, "tlApiLogvPrintf", "void tlApiLogvPrintf(_DWORD fmt, _DWORD args);"],
 7 |     [6, "tlApiWaitNotification", "_DWORD tlApiWaitNotification(_DWORD timeout);"],
 8 |     [7, "tlApiNotify", "_DWORD tlApiNotify(void);"],
 9 |     [8, "tlApi_callDriver", "_DWORD tlApi_callDriver(_DWORD driver_ID, _DWORD pMarParam);"],
10 |     [9, "tlApiWrapObjectExt", "_DWORD tlApiWrapObjectExt(_DWORD src, _DWORD plainLen, _DWORD encryptedLen, _DWORD dest, _DWORD destLen, _DWORD context, _DWORD lifetime, _DWORD consumer, _DWORD flags);"],
11 |     [10, "tlApiUnwrapObjectExt", "_DWORD tlApiUnwrapObjectExt(_DWORD src, _DWORD srcLen, _DWORD dest, _DWORD destLen, _DWORD flags);"],
12 |     [11, "tlApiGetSuid", "_DWORD tlApiGetSuid(_DWORD suid);"],
13 |     [12, "tlApi_callDriverEx", "_DWORD tlApi_callDriverEx(_DWORD driver_ID, _DWORD payload, _DWORD payloadSize); "],
14 |     [13, "tlApiCrAbort", "_DWORD tlApiCrAbort(_DWORD sessionHandle);"],
15 |     [14, "tlApiRandomGenerateData", "_DWORD tlApiRandomGenerateData(_DWORD alg, _DWORD randomBuffer, _DWORD randomLen);"],
16 |     [15, "tlApiGenerateKeyPair", "_DWORD tlApiGenerateKeyPair(_DWORD keyPair, _DWORD type, _DWORD len);"],
17 |     [16, "tlApiCipherInitWithData", "_DWORD tlApiCipherInitWithData(_DWORD pSessionHandle, _DWORD alg, _DWORD mode, _DWORD key, _DWORD buffer, _DWORD bufferLen);"],
18 |     [17, "tlApiCipherUpdate", "_DWORD tlApiCipherUpdate(_DWORD sessionHandle, _DWORD srcData, _DWORD srcLen, _DWORD destData, _DWORD destLen);"],
19 |     [18, "tlApiCipherDoFinal", "_DWORD tlApiCipherDoFinal(_DWORD sessionHandle, _DWORD srcData, _DWORD srcLen, _DWORD destData, _DWORD destLen);"],
20 |     [19, "tlApiSignatureInitWithData", "_DWORD tlApiSignatureInitWithData(_DWORD pSessionHandle, _DWORD key, _DWORD mode, _DWORD alg, _DWORD buffer, _DWORD bufferLen);"],
21 |     [20, "tlApiSignatureUpdate", "_DWORD tlApiSignatureUpdate(_DWORD sessionHandle, _DWORD message, _DWORD messageLen);"],
22 |     [21, "tlApiSignatureSign", "_DWORD tlApiSignatureSign(_DWORD sessionHandle, _DWORD message, _DWORD messageLen, _DWORD signature, _DWORD signatureLen);"],
23 |     [22, "tlApiSignatureVerify", "_DWORD tlApiSignatureVerify(_DWORD sessionHandle, _DWORD message, _DWORD messageLen, _DWORD signature, _DWORD signatureLen, bool validity);"],
24 |     [23, "tlApiMessageDigestInitWithData", "_DWORD tlApiMessageDigestInitWithData(_DWORD pSessionHandle, _DWORD alg, _DWORD buffer, _DWORD lengthOfDataHashedPreviously);"],
25 |     [24, "tlApiMessageDigestUpdate", "_DWORD tlApiMessageDigestUpdate(_DWORD sessionHandle, _DWORD message, _DWORD messageLen);"],
26 |     [25, "tlApiMessageDigestDoFinal", "_DWORD tlApiMessageDigestDoFinal(_DWORD sessionHandle, _DWORD message, _DWORD messageLen, _DWORD hash, _DWORD hashLen);"],
27 |     [26, "tlApiGetVirtMemType", "_DWORD tlApiGetVirtMemType(_DWORD type, _DWORD addr, _DWORD size);"],
28 |     [27, "tlApiDeriveKey", "_DWORD tlApiDeriveKey(_DWORD salt, _DWORD saltLen, _DWORD dest, _DWORD destLen, _DWORD context, _DWORD lifetime);"],
29 |     [28, "tlApiMalloc", "void* tlApiMalloc(_DWORD size, _DWORD hint);"],
30 |     [29, "tlApiRealloc", "void* tlApiRealloc(_DWORD buffer, _DWORD newSize);"],
31 |     [30, "tlApiFree", "void tlApiFree(_DWORD buffer);"],
32 |     [85, "tlApiEndorse", "_DWORD tlApiEndorse(_DWORD msg, _DWORD msgLen, _DWORD dst, _DWORD dstLen, _DWORD scope);"],
33 |     [86, "tlApiTuiGetScreenInfo", "_DWORD tlApiTuiGetScreenInfo(_DWORD screenInfo);"],
34 |     [87, "tlApiTuiOpenSession", "_DWORD tlApiTuiOpenSession(void);"],
35 |     [88, "tlApiTuiCloseSession", "_DWORD tlApiTuiCloseSession(void);"],
36 |     [89, "tlApiTuiSetImage", "_DWORD tlApiTuiSetImage(_DWORD image, _DWORD coordinates);"],
37 |     [90, "tlApiTuiGetTouchEvent", "_DWORD tlApiTuiGetTouchEvent(_DWORD touchEvent);"],
38 |     [92, "tlApiDrmProcessContent", "_DWORD tlApiDrmProcessContent(_DWORD sHandle, _DWORD decryptCtx, _DWORD input, _DWORD inputDesc, _DWORD processMode, _DWORD output);"],
39 |     [93, "tlApiDrmOpenSession", "_DWORD tlApiDrmOpenSession(_DWORD sHandle);"],
40 |     [94, "tlApiDrmCloseSession", "_DWORD tlApiDrmCloseSession(_DWORD sHandle);"],
41 |     [95, "tlApiDrmCheckLink", "_DWORD tlApiDrmCheckLink(_DWORD sHandle, _DWORD link);"],
42 |     [98, "tlApiGetSecureTimestamp", "_DWORD tlApiGetSecureTimestamp(_DWORD pTimestamp);"],
43 |     [100, "tlApiAddEntropy", "_DWORD tlApiAddEntropy(_DWORD buf, _DWORD buflen);"],
44 |     [101, "tlApiCreateHeap", "_DWORD tlApiCreateHeap(_DWORD heapStartSize, _DWORD heapMaxSize, _DWORD flags, _DWORD hint);"]
45 | ]


--------------------------------------------------------------------------------
/scripts/scripts/IDAPro/tl_apis.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     [1, "tlApiGetVersion", "_DWORD tlApiGetVersion(_DWORD tlApiVersion);"],
 3 |     [2, "tlApiGetMobicoreVersion", "_DWORD tlApiGetMobicoreVersion(_DWORD mcVersionInfo);"],
 4 |     [3, "tlApiGetPlatformInfo", "_DWORD tlApiGetPlatformInfo(_DWORD platformInfo);"],
 5 |     [4, "tlApiExit", "void tlApiExit(_DWORD exitCode);"],
 6 |     [5, "tlApiLogvPrintf", "void tlApiLogvPrintf(_DWORD fmt, _DWORD args);"],
 7 |     [6, "tlApiWaitNotification", "_DWORD tlApiWaitNotification(_DWORD timeout);"],
 8 |     [7, "tlApiNotify", "_DWORD tlApiNotify(void);"],
 9 |     [8, "tlApi_callDriver", "_DWORD tlApi_callDriver(_DWORD driver_ID, _DWORD pMarParam);"],
10 |     [9, "tlApiWrapObjectExt", "_DWORD tlApiWrapObjectExt(_DWORD src, _DWORD plainLen, _DWORD encryptedLen, _DWORD dest, _DWORD destLen, _DWORD context, _DWORD lifetime, _DWORD consumer, _DWORD flags);"],
11 |     [10, "tlApiUnwrapObjectExt", "_DWORD tlApiUnwrapObjectExt(_DWORD src, _DWORD srcLen, _DWORD dest, _DWORD destLen, _DWORD flags);"],
12 |     [11, "tlApiGetSuid", "_DWORD tlApiGetSuid(_DWORD suid);"],
13 |     [12, "tlApi_callDriverEx", "_DWORD tlApi_callDriverEx(_DWORD driver_ID, _DWORD payload, _DWORD payloadSize); "],
14 |     [13, "tlApiCrAbort", "_DWORD tlApiCrAbort(_DWORD sessionHandle);"],
15 |     [14, "tlApiRandomGenerateData", "_DWORD tlApiRandomGenerateData(_DWORD alg, _DWORD randomBuffer, _DWORD randomLen);"],
16 |     [15, "tlApiGenerateKeyPair", "_DWORD tlApiGenerateKeyPair(_DWORD keyPair, _DWORD type, _DWORD len);"],
17 |     [16, "tlApiCipherInitWithData", "_DWORD tlApiCipherInitWithData(_DWORD pSessionHandle, _DWORD alg, _DWORD mode, _DWORD key, _DWORD buffer, _DWORD bufferLen);"],
18 |     [17, "tlApiCipherUpdate", "_DWORD tlApiCipherUpdate(_DWORD sessionHandle, _DWORD srcData, _DWORD srcLen, _DWORD destData, _DWORD destLen);"],
19 |     [18, "tlApiCipherDoFinal", "_DWORD tlApiCipherDoFinal(_DWORD sessionHandle, _DWORD srcData, _DWORD srcLen, _DWORD destData, _DWORD destLen);"],
20 |     [19, "tlApiSignatureInitWithData", "_DWORD tlApiSignatureInitWithData(_DWORD pSessionHandle, _DWORD key, _DWORD mode, _DWORD alg, _DWORD buffer, _DWORD bufferLen);"],
21 |     [20, "tlApiSignatureUpdate", "_DWORD tlApiSignatureUpdate(_DWORD sessionHandle, _DWORD message, _DWORD messageLen);"],
22 |     [21, "tlApiSignatureSign", "_DWORD tlApiSignatureSign(_DWORD sessionHandle, _DWORD message, _DWORD messageLen, _DWORD signature, _DWORD signatureLen);"],
23 |     [22, "tlApiSignatureVerify", "_DWORD tlApiSignatureVerify(_DWORD sessionHandle, _DWORD message, _DWORD messageLen, _DWORD signature, _DWORD signatureLen, bool validity);"],
24 |     [23, "tlApiMessageDigestInitWithData", "_DWORD tlApiMessageDigestInitWithData(_DWORD pSessionHandle, _DWORD alg, _DWORD buffer, _DWORD lengthOfDataHashedPreviously);"],
25 |     [24, "tlApiMessageDigestUpdate", "_DWORD tlApiMessageDigestUpdate(_DWORD sessionHandle, _DWORD message, _DWORD messageLen);"],
26 |     [25, "tlApiMessageDigestDoFinal", "_DWORD tlApiMessageDigestDoFinal(_DWORD sessionHandle, _DWORD message, _DWORD messageLen, _DWORD hash, _DWORD hashLen);"],
27 |     [26, "tlApiGetVirtMemType", "_DWORD tlApiGetVirtMemType(_DWORD type, _DWORD addr, _DWORD size);"],
28 |     [27, "tlApiDeriveKey", "_DWORD tlApiDeriveKey(_DWORD salt, _DWORD saltLen, _DWORD dest, _DWORD destLen, _DWORD context, _DWORD lifetime);"],
29 |     [28, "tlApiMalloc", "void* tlApiMalloc(_DWORD size, _DWORD hint);"],
30 |     [29, "tlApiRealloc", "void* tlApiRealloc(_DWORD buffer, _DWORD newSize);"],
31 |     [30, "tlApiFree", "void tlApiFree(_DWORD buffer);"],
32 |     [85, "tlApiEndorse", "_DWORD tlApiEndorse(_DWORD msg, _DWORD msgLen, _DWORD dst, _DWORD dstLen, _DWORD scope);"],
33 |     [86, "tlApiTuiGetScreenInfo", "_DWORD tlApiTuiGetScreenInfo(_DWORD screenInfo);"],
34 |     [87, "tlApiTuiOpenSession", "_DWORD tlApiTuiOpenSession(void);"],
35 |     [88, "tlApiTuiCloseSession", "_DWORD tlApiTuiCloseSession(void);"],
36 |     [89, "tlApiTuiSetImage", "_DWORD tlApiTuiSetImage(_DWORD image, _DWORD coordinates);"],
37 |     [90, "tlApiTuiGetTouchEvent", "_DWORD tlApiTuiGetTouchEvent(_DWORD touchEvent);"],
38 |     [92, "tlApiDrmProcessContent", "_DWORD tlApiDrmProcessContent(_DWORD sHandle, _DWORD decryptCtx, _DWORD input, _DWORD inputDesc, _DWORD processMode, _DWORD output);"],
39 |     [93, "tlApiDrmOpenSession", "_DWORD tlApiDrmOpenSession(_DWORD sHandle);"],
40 |     [94, "tlApiDrmCloseSession", "_DWORD tlApiDrmCloseSession(_DWORD sHandle);"],
41 |     [95, "tlApiDrmCheckLink", "_DWORD tlApiDrmCheckLink(_DWORD sHandle, _DWORD link);"],
42 |     [98, "tlApiGetSecureTimestamp", "_DWORD tlApiGetSecureTimestamp(_DWORD pTimestamp);"],
43 |     [100, "tlApiAddEntropy", "_DWORD tlApiAddEntropy(_DWORD buf, _DWORD buflen);"],
44 |     [101, "tlApiCreateHeap", "_DWORD tlApiCreateHeap(_DWORD heapStartSize, _DWORD heapMaxSize, _DWORD flags, _DWORD hint);"]
45 | ]


--------------------------------------------------------------------------------
/bindings/mcclient/mcclient_types.py:
--------------------------------------------------------------------------------
  1 | import ctypes
  2 | import os
  3 | 
  4 | 
  5 | mcResult = ctypes.c_uint32
  6 | 
  7 | 
  8 | class mcStructure(ctypes.Structure):
  9 | 
 10 |     def __init__(self, values=None):
 11 |         super(mcStructure, self).__init__()
 12 |         if values:
 13 |             for field, value in values.items():
 14 |                 setattr(self, field, value)
 15 | 
 16 |     def __iter__(self):
 17 |         for field, _ in self._fields_:
 18 |             value = getattr(self, field)
 19 |             yield field, value
 20 | 
 21 | 
 22 | class mcSessionHandle(mcStructure):
 23 |     _fields_ = [("sessionId", ctypes.c_uint32), ("deviceId", ctypes.c_uint32)]
 24 | 
 25 | 
 26 | class mcUuid(mcStructure):
 27 |     _fields_ = [("value", ctypes.c_uint8 * 16)]
 28 | 
 29 | 
 30 | mcSpid = ctypes.c_uint32
 31 | 
 32 | 
 33 | class mcBulkMap(mcStructure):
 34 |     _fields_ = [
 35 |         ("sVirtualAddr", ctypes.c_uint32),
 36 |         ("sVirtualLen", ctypes.c_uint32),
 37 |     ]
 38 | 
 39 | 
 40 | class mcVersionInfo(mcStructure):
 41 |     _fields_ = [
 42 |         ("productId", ctypes.c_char * 64),
 43 |         ("versionMci", ctypes.c_uint32),
 44 |         ("versionSo", ctypes.c_uint32),
 45 |         ("versionMclf", ctypes.c_uint32),
 46 |         ("versionContainer", ctypes.c_uint32),
 47 |         ("versionMcConfig", ctypes.c_uint32),
 48 |         ("versionTlApi", ctypes.c_uint32),
 49 |         ("versionDrApi", ctypes.c_uint32),
 50 |         ("versionCmp", ctypes.c_uint32),
 51 |     ]
 52 | 
 53 | 
 54 | def load_library():
 55 |     mc_client = None
 56 |     for path in ["/system/lib64", "/system/lib",
 57 |                  "/vendor/lib64", "/vendor/lib"]:
 58 |         file_path = os.path.join(path, "libMcClient.so")
 59 |         if os.path.isfile(file_path):
 60 |             mc_client = ctypes.CDLL(file_path)
 61 |             break
 62 |     else:
 63 |         return None
 64 | 
 65 |     def setup_prototype(library, function, restype, *argtypes):
 66 |         getattr(library, function).restype = restype
 67 |         getattr(library, function).argtypes = argtypes
 68 | 
 69 |     setup_prototype(
 70 |         mc_client,
 71 |         "mcOpenDevice",
 72 |         mcResult,
 73 |         ctypes.c_uint32)
 74 |     setup_prototype(
 75 |         mc_client,
 76 |         "mcCloseDevice",
 77 |         mcResult,
 78 |         ctypes.c_uint32)
 79 | 
 80 |     setup_prototype(
 81 |         mc_client,
 82 |         "mcOpenSession",
 83 |         mcResult,
 84 |         ctypes.POINTER(mcSessionHandle),
 85 |         ctypes.POINTER(mcUuid),
 86 |         ctypes.POINTER(ctypes.c_uint8),
 87 |         ctypes.c_uint32,
 88 |     )
 89 |     setup_prototype(
 90 |         mc_client,
 91 |         "mcOpenTrustlet",
 92 |         mcResult,
 93 |         ctypes.POINTER(mcSessionHandle),
 94 |         mcSpid,
 95 |         ctypes.POINTER(ctypes.c_uint8),
 96 |         ctypes.c_uint32,
 97 |         ctypes.POINTER(ctypes.c_uint8),
 98 |         ctypes.c_uint32,
 99 |     )
100 |     setup_prototype(
101 |         mc_client,
102 |         "mcCloseSession",
103 |         mcResult,
104 |         ctypes.POINTER(mcSessionHandle)
105 |     )
106 | 
107 |     setup_prototype(
108 |         mc_client,
109 |         "mcNotify",
110 |         mcResult,
111 |         ctypes.POINTER(mcSessionHandle)
112 |     )
113 |     setup_prototype(
114 |         mc_client,
115 |         "mcWaitNotification",
116 |         mcResult,
117 |         ctypes.POINTER(mcSessionHandle),
118 |         ctypes.c_uint32,
119 |     )
120 | 
121 |     setup_prototype(
122 |         mc_client,
123 |         "mcMallocWsm",
124 |         mcResult,
125 |         ctypes.c_uint32,
126 |         ctypes.c_uint32,
127 |         ctypes.c_uint32,
128 |         ctypes.POINTER(ctypes.POINTER(ctypes.c_uint8)),
129 |         ctypes.c_uint32,
130 |     )
131 |     setup_prototype(
132 |         mc_client,
133 |         "mcFreeWsm",
134 |         mcResult,
135 |         ctypes.c_uint32,
136 |         ctypes.POINTER(ctypes.c_uint8),
137 |     )
138 | 
139 |     setup_prototype(
140 |         mc_client,
141 |         "mcMap",
142 |         mcResult,
143 |         ctypes.POINTER(mcSessionHandle),
144 |         ctypes.c_void_p,
145 |         ctypes.c_uint32,
146 |         ctypes.POINTER(mcBulkMap),
147 |     )
148 |     setup_prototype(
149 |         mc_client,
150 |         "mcUnmap",
151 |         mcResult,
152 |         ctypes.POINTER(mcSessionHandle),
153 |         ctypes.c_void_p,
154 |         ctypes.POINTER(mcBulkMap),
155 |     )
156 | 
157 |     setup_prototype(
158 |         mc_client,
159 |         "mcGetSessionErrorCode",
160 |         mcResult,
161 |         ctypes.POINTER(mcSessionHandle),
162 |         ctypes.POINTER(ctypes.c_int32),
163 |     )
164 |     setup_prototype(
165 |         mc_client,
166 |         "mcGetMobiCoreVersion",
167 |         mcResult,
168 |         ctypes.c_uint32,
169 |         ctypes.POINTER(mcVersionInfo),
170 |     )
171 | 
172 |     return mc_client
173 | 


--------------------------------------------------------------------------------
/scripts/loaders/IDAPro/tbase_loader.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | import struct
  3 | 
  4 | import ida_idp
  5 | import ida_segment
  6 | import ida_kernwin
  7 | 
  8 | TABLE_MAGIC = b"tee     "
  9 | TABLE_MAGIC2 = b"t-base "
 10 | 
 11 | BASE_ADDR = 0x7F00000
 12 | VERSION = b"t-base-EXYNOS64-Android-(\w+)-[A-Za-z0-9-_]+"
 13 | 
 14 | S0CB_ADDR = 0x7FFF000
 15 | TRUSTLETS = [b"drcrypt", b"drcrypto", b"tlproxy", b"sth2", b"rpmb"]
 16 | 
 17 | 
 18 | def decode(s):
 19 |     """Decodes UTF-8 bytes into a unicode string."""
 20 |     if isinstance(s, str):
 21 |         return s
 22 |     return s.decode("utf-8")
 23 | 
 24 | def find_pattern(data, pattern, align=0):
 25 |     location = 0
 26 |     while True:
 27 |         location = data.find(pattern, location + 1)
 28 |         if location == -1:
 29 |             return None
 30 |         if align == 0 or location & (align - 1) == 0:
 31 |             return location
 32 | 
 33 | 
 34 | def find_table(d):
 35 |     addr = find_pattern(d, b"t-base ")
 36 |     if not addr:
 37 |         addr = find_pattern(d, b"tee    ")
 38 |     return addr
 39 | 
 40 | 
 41 | def find_version(d):
 42 |     offset = 0
 43 |     version = re.search(VERSION, d).group(1)
 44 |     if version in [b"200A", b"200B"]:
 45 |         offset = 1
 46 |     elif version in [b"302A", b"310B"]:
 47 |         offset = 4
 48 |     elif version in [b"400A"]:
 49 |         offset = 5
 50 |     return offset
 51 | 
 52 | 
 53 | def accept_file(li, filename):
 54 |     li.seek(0)
 55 |     d = li.read(li.size())
 56 | 
 57 |     addr = find_table(d)
 58 |     if addr:
 59 |         return "<t-base image (sboot.bin)"
 60 |     return 0
 61 | 
 62 | 
 63 | def parse_table(li, table_addr):
 64 |     li.seek(table_addr)
 65 |     bs = li.read(0x20)
 66 | 
 67 |     table = []
 68 |     while True:
 69 |         bs = li.read(0x20)
 70 |         if not struct.unpack("<Q", bs[0:8])[0]:
 71 |             break
 72 | 
 73 |         name = bs[0:8].strip(b"\x00").strip()
 74 |         addr = struct.unpack("<I", bs[8:12])[0]
 75 |         size = struct.unpack("<I", bs[12:16])[0]
 76 |         table.append((name, addr, size))
 77 |     return table
 78 | 
 79 | 
 80 | def ask_save_binaries(li):
 81 |     message = "Would you like to save the extracted binaries to disk?"
 82 |     choice = ida_kernwin.ask_yn(ida_kernwin.ASKBTN_YES, message)
 83 |     return choice == ida_kernwin.ASKBTN_YES
 84 | 
 85 | 
 86 | def extract_binary(li, name, offset, size):
 87 |     name = ida_kernwin.ask_file(True, decode(name), decode(b"Please enter a file name"))
 88 |     if name:
 89 |         with open(name, "wb") as f:
 90 |             li.seek(offset)
 91 |             f.write(li.read(size))
 92 | 
 93 | 
 94 | def map_segments(li, table, file_offset, mclib_addr, no_save):
 95 |     for name, addr, size in table:
 96 |         seg = ida_segment.segment_t()
 97 |         seg.start_ea = BASE_ADDR + addr
 98 |         sclass = "CODE"
 99 | 
100 |         if name in [b"image_h", b"img-hdr"]:
101 |             sclass = "DATA"
102 |         elif name == b"mclib":
103 |             seg.start_ea = mclib_addr - 8
104 |         elif name == b"rtm":
105 |             seg.start_ea = S0CB_ADDR
106 |         elif name in TRUSTLETS:
107 |             if not no_save:
108 |                 extract_binary(li, name + b".tlbin", file_offset + addr, size)
109 |             continue
110 |         elif name != b"mtk":
111 |             ida_kernwin.info("Unknown table entry '%s'" % decode(name))
112 |             continue
113 | 
114 |         seg.end_ea = seg.start_ea + size
115 |         seg.bitness = 1
116 |         ida_segment.add_segm_ex(seg, decode(name), sclass, 0)
117 |         li.file2base(file_offset + addr, seg.start_ea, seg.end_ea - 1, 0)
118 | 
119 |         if not no_save:
120 |             filename = b"%s_%08x.bin" % (name, seg.start_ea)
121 |             extract_binary(li, filename, file_offset + addr, size)
122 | 
123 | 
124 | def load_file(li, neflags, format):
125 |     flags = ida_idp.SETPROC_LOADER_NON_FATAL | ida_idp.SETPROC_LOADER
126 |     ida_idp.set_processor_type("arm", flags)
127 | 
128 |     li.seek(0)
129 |     d = li.read(li.size())
130 | 
131 |     mclf_addr = find_pattern(d, b"MCLF", 0x1000)
132 |     if not mclf_addr:
133 |         ida_kernwin.warning("MCLF header not found")
134 |         return 0
135 | 
136 |     rtm_addr = find_pattern(d, b"S0CB", 0x1000)
137 |     if not rtm_addr:
138 |         ida_kernwin.warning("S0CB header not found")
139 |         return 0
140 | 
141 |     mclib_addr = struct.unpack("<I", d[rtm_addr + 0x8C:rtm_addr + 0x8C + 4])[0]
142 | 
143 |     table_addr = find_table(d)
144 |     if not table_addr:
145 |         ida_kernwin.warning("Table header not found")
146 |         return 0
147 | 
148 |     offset = find_version(d)
149 |     if not offset:
150 |         ida_kernwin.warning("Unknown version string")
151 |         return 0
152 | 
153 |     elem = d[table_addr + 0x20 * offset:table_addr + 0x20 * (offset + 1)]
154 |     file_offset = mclf_addr - struct.unpack("<I", elem[8:12])[0]
155 | 
156 |     table = parse_table(li, table_addr)
157 |     no_save = not ask_save_binaries(li)
158 |     map_segments(li, table, file_offset, mclib_addr, no_save)
159 |     return 1
160 | 


--------------------------------------------------------------------------------
/scripts/scripts/Ghidra/FindSymbols.py:
--------------------------------------------------------------------------------
  1 | import json
  2 | import os
  3 | import inspect
  4 | 
  5 | from java.util import ArrayList
  6 | from ghidra.program.model.symbol import RefType
  7 | from ghidra.program.model.block import BasicBlockModel
  8 | from ghidra.program.model.address import AddressSetView
  9 | from ghidra.app.decompiler import DecompInterface
 10 | from ghidra.program.model.pcode import PcodeOp
 11 | from ghidra.program.model.symbol import SourceType
 12 | from ghidra.program.model.listing.Function import FunctionUpdateType
 13 | from ghidra.app.util.cparser.C import CParserUtils
 14 | from ghidra.program.model.listing import ReturnParameterImpl
 15 | from ghidra.program.model.listing import ParameterImpl
 16 | 
 17 | 
 18 | TL_APIS = {}
 19 | MAX_TL_API = 0xC2
 20 | 
 21 | DR_APIS = {}
 22 | MAX_DR_API = 0x3D
 23 | 
 24 | 
 25 | blockModel = BasicBlockModel(currentProgram)
 26 | functionManager = currentProgram.getFunctionManager()
 27 | decompInterface = DecompInterface()
 28 | decompInterface.openProgram(currentProgram)
 29 | 
 30 | 
 31 | def load_api_names_types():
 32 |     curdir = os.path.dirname(os.path.abspath(inspect.getsourcefile(lambda: 0)))
 33 | 
 34 |     with open(os.path.join(curdir, 'tl_apis.json'), 'r') as f:
 35 |         TL_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 36 |     print("[*] Loaded %s trustlets APIs names" % len(TL_APIS))
 37 | 
 38 |     global DR_APIS
 39 |     with open(os.path.join(curdir, 'dr_apis.json'), 'r') as f:
 40 |         DR_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 41 |     print("[*] Loaded %s drivers APIs names" % len(DR_APIS))
 42 | 
 43 | 
 44 | def get_api_name_type(api_number):
 45 |     if api_number in TL_APIS:
 46 |         return TL_APIS[api_number]
 47 | 
 48 |     if api_number - 0x1000 in DR_APIS:
 49 |         return DR_APIS[api_number - 0x1000]
 50 | 
 51 |     if 0 <= api_number < MAX_TL_API:
 52 |         return 'tlApi_%04x' % api_number, None
 53 | 
 54 |     if 0 <= api_number - 0x1000 < MAX_DR_API:
 55 |         return 'drApi_%04x' % api_number, None
 56 | 
 57 |     return None, None
 58 | 
 59 | 
 60 | def xrefs_to_lib_entry():
 61 |     symbolTable = currentProgram.getSymbolTable()
 62 |     entry = symbolTable.getSymbol("tlApiLibEntry")
 63 |     xrefs = entry.getReferences()
 64 |     for xref in xrefs:
 65 |         if xref.getReferenceType() == RefType.READ:
 66 |             yield xref.getFromAddress()
 67 | 
 68 | 
 69 | def find_chunk_boundaries(address):
 70 |     blocks = blockModel.getCodeBlocksContaining(address, monitor)
 71 |     block = blocks[0]
 72 |     for i in range(1, len(blocks)):
 73 |         block = block.union(blocks[i])
 74 |     return block
 75 | 
 76 | 
 77 | def determine_api_number(function, block):
 78 |     decompileResults = decompInterface.decompileFunction(function, 30, monitor)
 79 |     hfunction = decompileResults.getHighFunction()
 80 |     ops = hfunction.getPcodeOps()
 81 |     while ops.hasNext() and not monitor.isCancelled():
 82 |         pcodeOpAST = ops.next()
 83 |         if pcodeOpAST.getOpcode() != PcodeOp.CALLIND:
 84 |             continue
 85 |         pcodeBlock = pcodeOpAST.getParent()
 86 |         if pcodeBlock.getStart() < block.getMinAddress() \
 87 |                 or pcodeBlock.getStop() > block.getMaxAddress():
 88 |             continue
 89 |         argument = pcodeOpAST.getInput(1)
 90 |         if argument.isConstant():
 91 |             return argument.getOffset()
 92 |     return None
 93 | 
 94 | 
 95 | def has_only_one_basic_block(function):
 96 |     blockModel = BasicBlockModel(currentProgram)
 97 |     blocks = blockModel.getCodeBlocksContaining(function.getBody(), monitor)
 98 | 
 99 |     count = 0
100 |     while blocks.hasNext():
101 |         blocks.next()
102 |         count += 1
103 |     return count == 1
104 | 
105 | 
106 | load_api_names_types()
107 | for address in xrefs_to_lib_entry():
108 |     block = find_chunk_boundaries(address)
109 |     if not block:
110 |         print("[!] 0x%s - Couldn't find chunk boudaries" % address)
111 |         continue
112 |     function = functionManager.getFunctionContaining(address)
113 |     api_number = determine_api_number(function, block)
114 |     if not api_number:
115 |         print("[!] 0x%s - Couldn't determine the api number" % address)
116 |         continue
117 |     api_name, api_type = get_api_name_type(api_number)
118 |     if api_name is None:
119 |         print("[!] 0x%s - Couldn't get the api name" % address)
120 |         continue
121 |     if not has_only_one_basic_block(function):
122 |         print("[!] 0x%s - Function has more than one basic block" % address)
123 |         continue
124 | 
125 |     func_name = function.getName()
126 |     print("[*] Renaming function %s to %s" % (func_name, api_name))
127 |     function.setName(api_name, SourceType.USER_DEFINED)
128 |     if not api_type:
129 |         continue
130 | 
131 |     api_type = api_type.replace('_DWORD', 'int')
132 |     print("[*] Changing function type of %s to '%s'" % (api_name, api_type))
133 |     funcDef = CParserUtils.parseSignature(None, currentProgram, api_type)
134 |     returnValue = ReturnParameterImpl(funcDef.getReturnType(), currentProgram)
135 |     newParams = ArrayList()
136 |     for param in funcDef.getArguments():
137 |         newParams.add(ParameterImpl(param.getName(), param.getDataType(), currentProgram))
138 |     function.updateFunction(None, returnValue, newParams,
139 |         FunctionUpdateType.DYNAMIC_STORAGE_ALL_PARAMS, True, SourceType.USER_DEFINED)
140 | 


--------------------------------------------------------------------------------
/scripts/scripts/Ghidra/dr_apis.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     [1, "drApiExit", "void drApiExit(_DWORD exitCode);"],
 3 |     [2, "drApiMapPhys", "_DWORD drApiMapPhys(_DWORD startVirt, _DWORD len, _DWORD startPhys, _DWORD attr);"],
 4 |     [3, "drApiUnmap", "_DWORD drApiUnmap(_DWORD startVirt, _DWORD len);"],
 5 |     [4, "drApiMapPhysPage4KBWithHardware", "_DWORD drApiMapPhysPage4KBWithHardware(_DWORD virtPage, _DWORD physPage);"],
 6 |     [5, "drApiMapClient", "_DWORD drApiMapClientAndParams(_DWORD ipcReqClient);"],
 7 |     [6, "drApiMapClientAndParams", "_DWORD drApiMapClientAndParams(_DWORD ipcReqClient, _DWORD params);"],
 8 |     [7, "drApiAddrTranslateAndCheck", "_DWORD drApiAddrTranslateAndCheck(_DWORD addr);"],
 9 |     [8, "drApiGetTaskid", "_DWORD drApiGetTaskid(void);"],
10 |     [9, "drApiTaskidGetThreadid", "_DWORD drApiTaskidGetThreadid(_DWORD taskid, _DWORD threadNo);"],
11 |     [10, "drApiGetLocalThreadid", "_DWORD drApiGetLocalThreadid(_DWORD threadNo);"],
12 |     [11, "drApiStartThread", "_DWORD drApiStartThread(_DWORD threadNo, _DWORD threadEntry, _DWORD stackPointer, _DWORD priority, _DWORD localExceptionHandlerThreadNo);"],
13 |     [12, "drApiStopThread", "_DWORD drApiStopThread(_DWORD threadNo);"],
14 |     [13, "drApiResumeThread", "_DWORD drApiResumeThread(_DWORD threadNo);"],
15 |     [14, "drApiThreadSleep", "_DWORD drApiThreadSleep(_DWORD timeout);"],
16 |     [15, "drApiSetThreadPriority", "_DWORD drApiSetThreadPriority(_DWORD threadNo, _DWORD priority);"],
17 |     [16, "drApiIntrAttach", "_DWORD drApiIntrAttach(_DWORD intrNo, _DWORD intrMode);"],
18 |     [17, "drApiIntrDetach", "_DWORD drApiIntrDetach(_DWORD intrNo);"],
19 |     [18, "drApiWaitForIntr", "_DWORD drApiWaitForIntr(_DWORD intrNo, _DWORD timeout, _DWORD pIntrRet);"],
20 |     [19, "drApiTriggerIntr", "_DWORD drApiTriggerIntr(_DWORD intrNo);"],
21 |     [20, "drApiIpcWaitForMessage", "_DWORD drApiIpcWaitForMessage(_DWORD pIpcPartner, _DWORD pMr0, _DWORD pMr1, _DWORD pMr2);"],
22 |     [21, "drApiIpcCallToIPCH", "_DWORD drApiIpcCallToIPCH(_DWORD pIpcPeer, _DWORD pIpcMsg, _DWORD pIpcData);"],
23 |     [22, "drApiIpcSignal", "_DWORD drApiIpcSignal(_DWORD receiver);"],
24 |     [23, "drApiIpcSigWait", "_DWORD drApiIpcSigWait(void);"],
25 |     [24, "drApiNotify", "_DWORD drApiNotify(void);"],
26 |     [25, "drApiSyscallControl", "_DWORD drApiSyscallControl(_DWORD controlid, _DWORD param1, _DWORD param2, _DWORD param3, _DWORD param4, _DWORD data);"],
27 |     [26, "drApiReadOemData", "_DWORD drApiReadOemData(_DWORD offset, _DWORD data);"],
28 |     [27, "drApiVirt2Phys", "_DWORD drApiVirt2Phys(_DWORD taskid, _DWORD virtAddr, _DWORD physAddr);"],
29 |     [28, "drApiCacheDataCleanAll", "_DWORD drApiCacheDataCleanAll(void);"],
30 |     [29, "drApiCacheDataCleanInvalidateAll", "_DWORD drApiCacheDataCleanInvalidateAll(void);"],
31 |     [30, "drApiNotifyClient", "_DWORD drApiNotifyClient(_DWORD client);"],
32 |     [31, "drApiThreadExRegs", "_DWORD drApiThreadExRegs(_DWORD threadNo, _DWORD ctrl, _DWORD ip, _DWORD sp);"],
33 |     [33, "drApiIpcUnknownMessage", "_DWORD drApiIpcUnknownMessage(_DWORD pIpcPeer, _DWORD pIpcMsg, _DWORD pIpcData);"],
34 |     [34, "drApiIpcUnknownException", null],
35 |     [35, "drApiGetPhysMemType", "_DWORD drApiGetPhysMemType(_DWORD type, _DWORD addr, _DWORD size);"],
36 |     [36, "drApiGetClientRootAndSpId", "_DWORD drApiGetClientRootAndSpId(_DWORD rootId, _DWORD spId, _DWORD client);"],
37 |     [37, "drApiCacheDataCleanRange", "_DWORD drApiCacheDataCleanRange(_DWORD virtAddrStart, _DWORD len, _DWORD flags);"],
38 |     [38, "drApiCacheDataCleanInvalidateRange", "_DWORD drApiCacheDataCleanInvalidateRange(_DWORD virtAddrStart, _DWORD len, _DWORD flags);"],
39 |     [39, "drApiMapPhys64", "_DWORD drApiMapPhys64(_DWORD startVirt, _DWORD len, _DWORD startPhys, _DWORD attr);"],
40 |     [40, "drApiMapPhysPage4KBWithHardware64", "_DWORD drApiMapPhysPage4KBWithHardware64(_DWORD virtPage, _DWORD physPage);"],
41 |     [41, "drApiVirt2Phys64", "_DWORD drApiVirt2Phys64(_DWORD taskid, _DWORD virtAddr, _DWORD physAddr);"],
42 |     [42, "drApiGetPhysMemType64", "_DWORD drApiGetPhysMemType64(_DWORD type, _DWORD addr, _DWORD size);"],
43 |     [43, "drApiUpdateNotificationThread", "_DWORD drApiUpdateNotificationThread(_DWORD threadno);"],
44 |     [44, "drApiRestartThread", "_DWORD drApiRestartThread(_DWORD threadno, _DWORD ip, _DWORD sp);"],
45 |     [45, "drApiGetSecureTimestamp", "_DWORD drApiGetSecureTimestamp(_DWORD pTimestamp);"],
46 |     [46, "drApiFastCall", "_DWORD drApiFastCall(_DWORD fastcall_registers, _DWORD size);"],
47 |     [47, "drApiGetClientProperty", "_DWORD drApiGetClientProperty(_DWORD client, _DWORD property, _DWORD buffer, _DWORD bufferLen);"],
48 |     [48, "drApiPlatformControl", "_DWORD drApiPlatformControl(_DWORD controlid, _DWORD param1, _DWORD param2, _DWORD param3, _DWORD param4, _DWORD data);"],
49 |     [49, "drApiMapTaskBuffer", "_DWORD drApiMapTaskBuffer(_DWORD taskId, _DWORD startVirtClient, _DWORD length, _DWORD attr, _DWORD startVirtServer);"],
50 |     [50, "drApiUnmapBuffer", "_DWORD drApiUnmapBuffer(_DWORD startVirtServer);"],
51 |     [51, "drApiMapPhysicalBuffer", "_DWORD drApiMapPhysicalBuffer(_DWORD startPhys, _DWORD length, _DWORD attr, _DWORD startVirtServer);"],
52 |     [52, "drApiUnmapTaskBuffers", "_DWORD drApiUnmapTaskBuffers(_DWORD clientTaskId);"],
53 |     [53, "drApiCreateHeap", "_DWORD drApiCreateHeap(_DWORD heapStartSize, _DWORD heapMaxSize, _DWORD flags, _DWORD hint);"],
54 |     [54, "drApiClientHasCapability", null],
55 |     [55, "drApiTakeIdentity", null],
56 |     [56, "drApiRevertIdentity", null]
57 | ]


--------------------------------------------------------------------------------
/scripts/scripts/IDAPro/dr_apis.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     [1, "drApiExit", "void drApiExit(_DWORD exitCode);"],
 3 |     [2, "drApiMapPhys", "_DWORD drApiMapPhys(_DWORD startVirt, _DWORD len, _DWORD startPhys, _DWORD attr);"],
 4 |     [3, "drApiUnmap", "_DWORD drApiUnmap(_DWORD startVirt, _DWORD len);"],
 5 |     [4, "drApiMapPhysPage4KBWithHardware", "_DWORD drApiMapPhysPage4KBWithHardware(_DWORD virtPage, _DWORD physPage);"],
 6 |     [5, "drApiMapClient", "_DWORD drApiMapClientAndParams(_DWORD ipcReqClient);"],
 7 |     [6, "drApiMapClientAndParams", "_DWORD drApiMapClientAndParams(_DWORD ipcReqClient, _DWORD params);"],
 8 |     [7, "drApiAddrTranslateAndCheck", "_DWORD drApiAddrTranslateAndCheck(_DWORD addr);"],
 9 |     [8, "drApiGetTaskid", "_DWORD drApiGetTaskid(void);"],
10 |     [9, "drApiTaskidGetThreadid", "_DWORD drApiTaskidGetThreadid(_DWORD taskid, _DWORD threadNo);"],
11 |     [10, "drApiGetLocalThreadid", "_DWORD drApiGetLocalThreadid(_DWORD threadNo);"],
12 |     [11, "drApiStartThread", "_DWORD drApiStartThread(_DWORD threadNo, _DWORD threadEntry, _DWORD stackPointer, _DWORD priority, _DWORD localExceptionHandlerThreadNo);"],
13 |     [12, "drApiStopThread", "_DWORD drApiStopThread(_DWORD threadNo);"],
14 |     [13, "drApiResumeThread", "_DWORD drApiResumeThread(_DWORD threadNo);"],
15 |     [14, "drApiThreadSleep", "_DWORD drApiThreadSleep(_DWORD timeout);"],
16 |     [15, "drApiSetThreadPriority", "_DWORD drApiSetThreadPriority(_DWORD threadNo, _DWORD priority);"],
17 |     [16, "drApiIntrAttach", "_DWORD drApiIntrAttach(_DWORD intrNo, _DWORD intrMode);"],
18 |     [17, "drApiIntrDetach", "_DWORD drApiIntrDetach(_DWORD intrNo);"],
19 |     [18, "drApiWaitForIntr", "_DWORD drApiWaitForIntr(_DWORD intrNo, _DWORD timeout, _DWORD pIntrRet);"],
20 |     [19, "drApiTriggerIntr", "_DWORD drApiTriggerIntr(_DWORD intrNo);"],
21 |     [20, "drApiIpcWaitForMessage", "_DWORD drApiIpcWaitForMessage(_DWORD pIpcPartner, _DWORD pMr0, _DWORD pMr1, _DWORD pMr2);"],
22 |     [21, "drApiIpcCallToIPCH", "_DWORD drApiIpcCallToIPCH(_DWORD pIpcPeer, _DWORD pIpcMsg, _DWORD pIpcData);"],
23 |     [22, "drApiIpcSignal", "_DWORD drApiIpcSignal(_DWORD receiver);"],
24 |     [23, "drApiIpcSigWait", "_DWORD drApiIpcSigWait(void);"],
25 |     [24, "drApiNotify", "_DWORD drApiNotify(void);"],
26 |     [25, "drApiSyscallControl", "_DWORD drApiSyscallControl(_DWORD controlid, _DWORD param1, _DWORD param2, _DWORD param3, _DWORD param4, _DWORD data);"],
27 |     [26, "drApiReadOemData", "_DWORD drApiReadOemData(_DWORD offset, _DWORD data);"],
28 |     [27, "drApiVirt2Phys", "_DWORD drApiVirt2Phys(_DWORD taskid, _DWORD virtAddr, _DWORD physAddr);"],
29 |     [28, "drApiCacheDataCleanAll", "_DWORD drApiCacheDataCleanAll(void);"],
30 |     [29, "drApiCacheDataCleanInvalidateAll", "_DWORD drApiCacheDataCleanInvalidateAll(void);"],
31 |     [30, "drApiNotifyClient", "_DWORD drApiNotifyClient(_DWORD client);"],
32 |     [31, "drApiThreadExRegs", "_DWORD drApiThreadExRegs(_DWORD threadNo, _DWORD ctrl, _DWORD ip, _DWORD sp);"],
33 |     [33, "drApiIpcUnknownMessage", "_DWORD drApiIpcUnknownMessage(_DWORD pIpcPeer, _DWORD pIpcMsg, _DWORD pIpcData);"],
34 |     [34, "drApiIpcUnknownException", null],
35 |     [35, "drApiGetPhysMemType", "_DWORD drApiGetPhysMemType(_DWORD type, _DWORD addr, _DWORD size);"],
36 |     [36, "drApiGetClientRootAndSpId", "_DWORD drApiGetClientRootAndSpId(_DWORD rootId, _DWORD spId, _DWORD client);"],
37 |     [37, "drApiCacheDataCleanRange", "_DWORD drApiCacheDataCleanRange(_DWORD virtAddrStart, _DWORD len, _DWORD flags);"],
38 |     [38, "drApiCacheDataCleanInvalidateRange", "_DWORD drApiCacheDataCleanInvalidateRange(_DWORD virtAddrStart, _DWORD len, _DWORD flags);"],
39 |     [39, "drApiMapPhys64", "_DWORD drApiMapPhys64(_DWORD startVirt, _DWORD len, _DWORD startPhys, _DWORD attr);"],
40 |     [40, "drApiMapPhysPage4KBWithHardware64", "_DWORD drApiMapPhysPage4KBWithHardware64(_DWORD virtPage, _DWORD physPage);"],
41 |     [41, "drApiVirt2Phys64", "_DWORD drApiVirt2Phys64(_DWORD taskid, _DWORD virtAddr, _DWORD physAddr);"],
42 |     [42, "drApiGetPhysMemType64", "_DWORD drApiGetPhysMemType64(_DWORD type, _DWORD addr, _DWORD size);"],
43 |     [43, "drApiUpdateNotificationThread", "_DWORD drApiUpdateNotificationThread(_DWORD threadno);"],
44 |     [44, "drApiRestartThread", "_DWORD drApiRestartThread(_DWORD threadno, _DWORD ip, _DWORD sp);"],
45 |     [45, "drApiGetSecureTimestamp", "_DWORD drApiGetSecureTimestamp(_DWORD pTimestamp);"],
46 |     [46, "drApiFastCall", "_DWORD drApiFastCall(_DWORD fastcall_registers, _DWORD size);"],
47 |     [47, "drApiGetClientProperty", "_DWORD drApiGetClientProperty(_DWORD client, _DWORD property, _DWORD buffer, _DWORD bufferLen);"],
48 |     [48, "drApiPlatformControl", "_DWORD drApiPlatformControl(_DWORD controlid, _DWORD param1, _DWORD param2, _DWORD param3, _DWORD param4, _DWORD data);"],
49 |     [49, "drApiMapTaskBuffer", "_DWORD drApiMapTaskBuffer(_DWORD taskId, _DWORD startVirtClient, _DWORD length, _DWORD attr, _DWORD startVirtServer);"],
50 |     [50, "drApiUnmapBuffer", "_DWORD drApiUnmapBuffer(_DWORD startVirtServer);"],
51 |     [51, "drApiMapPhysicalBuffer", "_DWORD drApiMapPhysicalBuffer(_DWORD startPhys, _DWORD length, _DWORD attr, _DWORD startVirtServer);"],
52 |     [52, "drApiUnmapTaskBuffers", "_DWORD drApiUnmapTaskBuffers(_DWORD clientTaskId);"],
53 |     [53, "drApiCreateHeap", "_DWORD drApiCreateHeap(_DWORD heapStartSize, _DWORD heapMaxSize, _DWORD flags, _DWORD hint);"],
54 |     [54, "drApiClientHasCapability", null],
55 |     [55, "drApiTakeIdentity", null],
56 |     [56, "drApiRevertIdentity", null]
57 | ]


--------------------------------------------------------------------------------
/scripts/scripts/IDAPro/find_symbols.py:
--------------------------------------------------------------------------------
  1 | import inspect
  2 | import json
  3 | import os
  4 | import sys
  5 | 
  6 | import ida_allins
  7 | import ida_bytes
  8 | import ida_funcs
  9 | import ida_gdl
 10 | import ida_idaapi
 11 | import ida_idp
 12 | import ida_name
 13 | import ida_segment
 14 | import ida_typeinf
 15 | import ida_ua
 16 | import ida_xref
 17 | 
 18 | TL_APIS = {}
 19 | MAX_TL_API = 0xC2
 20 | 
 21 | DR_APIS = {}
 22 | MAX_DR_API = 0x3D
 23 | 
 24 | 
 25 | if sys.version_info[0] < 3:
 26 |     def encode(s):
 27 |         return s.encode("utf-8")
 28 | else:
 29 |     def encode(s):
 30 |         return s
 31 | 
 32 | def define_missed_functions():
 33 |     def match(F):
 34 |         return ida_bytes.is_code(F) and not ida_bytes.is_flow(F)
 35 | 
 36 |     for n in range(ida_segment.get_segm_qty()):
 37 |         seg = ida_segment.getnseg(n)
 38 |         if seg.type != ida_segment.SEG_CODE:
 39 |             continue
 40 |         print("[*] Browsing segment from %#x for %#x" % (seg.start_ea, seg.end_ea))
 41 | 
 42 |         ea = seg.start_ea
 43 |         while ea < seg.end_ea:
 44 |             ea = ida_bytes.next_that(ea, seg.end_ea, match)
 45 |             if ea == ida_idaapi.BADADDR:
 46 |                 break
 47 |             if ida_funcs.get_func(ea):
 48 |                 continue
 49 |             s = "[*] Trying to define function at %#x... " % ea
 50 |             if not ida_funcs.add_func(ea):
 51 |                 print(s + " Failed!")
 52 |             else:
 53 |                 print(s + " Success!")
 54 | 
 55 | 
 56 | def load_api_names_types():
 57 |     curdir = os.path.dirname(os.path.abspath(inspect.getsourcefile(lambda: 0)))
 58 | 
 59 |     with open(os.path.join(curdir, 'tl_apis.json'), 'r') as f:
 60 |         TL_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 61 |     print("[*] Loaded %s trustlets APIs names" % len(TL_APIS))
 62 | 
 63 |     global DR_APIS
 64 |     with open(os.path.join(curdir, 'dr_apis.json'), 'r') as f:
 65 |         DR_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 66 |     print("[*] Loaded %s drivers APIs names" % len(DR_APIS))
 67 | 
 68 | 
 69 | def get_api_name_type(api_number):
 70 |     if api_number in TL_APIS:
 71 |         return TL_APIS[api_number]
 72 | 
 73 |     if api_number - 0x1000 in DR_APIS:
 74 |         return DR_APIS[api_number - 0x1000]
 75 | 
 76 |     if 0 <= api_number < MAX_TL_API:
 77 |         return 'tlApi_%04x' % api_number, None
 78 | 
 79 |     if 0 <= api_number - 0x1000 < MAX_DR_API:
 80 |         return 'drApi_%04x' % api_number, None
 81 | 
 82 |     return None, None
 83 | 
 84 | 
 85 | def xrefs_to_lib_entry():
 86 |     tl_api_lib_entry = ida_name.get_name_ea(ida_idaapi.BADADDR,
 87 |                                             'tlApiLibEntry')
 88 |     if tl_api_lib_entry == ida_idaapi.BADADDR:
 89 |         return
 90 | 
 91 |     xref = ida_xref.xrefblk_t()
 92 |     xref.first_to(tl_api_lib_entry, ida_xref.XREF_DATA)
 93 |     while True:
 94 |         yield xref.frm
 95 |         if not xref.next_to():
 96 |             break
 97 | 
 98 | 
 99 | def find_chunk_boundaries(ea):
100 |     def match(F):
101 |         return ida_bytes.is_code(F) and not ida_bytes.is_flow(F)
102 | 
103 |     chunk_end = ida_bytes.next_that(ea + 1, ida_idaapi.BADADDR, match)
104 |     return ida_bytes.prev_that(ea, 0, match), chunk_end
105 | 
106 | 
107 | def determine_api_number(ea, chunk_start, chunk_end):
108 |     def get_reg_num(reg_name):
109 |         reg_inf = ida_idp.reg_info_t()
110 |         ida_idp.parse_reg_name(reg_inf, reg_name)
111 |         return reg_inf.reg
112 | 
113 |     insn = ida_ua.insn_t()
114 |     ida_ua.decode_insn(insn, ea)
115 |     if insn.itype != ida_allins.ARM_ldr \
116 |             or insn.ops[0].type != ida_ua.o_reg:
117 |         reg = -1
118 |     else:
119 |         reg = insn.ops[0].reg
120 | 
121 |     reg_val = -1
122 |     ins_ea = chunk_start
123 |     while ins_ea < chunk_end:
124 |         insn = ida_ua.insn_t()
125 |         ins_len = max(1, ida_ua.decode_insn(insn, ins_ea))
126 | 
127 |         if insn.itype == ida_allins.ARM_mov \
128 |                 and insn.ops[0].type == ida_ua.o_reg \
129 |                 and insn.ops[0].reg == get_reg_num('R0') \
130 |                 and insn.ops[1].type == ida_ua.o_imm:
131 |             reg_val = insn.ops[1].value
132 | 
133 |         if insn.itype == ida_allins.ARM_bx \
134 |                 and insn.ops[0].type == ida_ua.o_reg \
135 |                 and (insn.ops[0].reg == reg or reg == -1):
136 |             break
137 |         ins_ea += ins_len
138 |     return reg_val
139 | 
140 | 
141 | def has_only_one_basic_block(func):
142 |     if func is None:
143 |         return False
144 |     return ida_gdl.FlowChart(func).size == 1
145 | 
146 | 
147 | def set_function_prototype(func, proto):
148 |     t = ida_typeinf.idc_parse_decl(None, proto, 0)
149 |     ida_typeinf.apply_type(None, t[1], t[2], func.start_ea,
150 |                            ida_typeinf.TINFO_DEFINITE)
151 | 
152 | 
153 | load_api_names_types()
154 | define_missed_functions()
155 | 
156 | for ea in xrefs_to_lib_entry():
157 |     chunk_start, chunk_end = find_chunk_boundaries(ea)
158 |     if chunk_start == ida_idaapi.BADADDR or chunk_end == ida_idaapi.BADADDR:
159 |         print("[!] %#x - Couldn't find chunk boudaries" % ea)
160 |         continue
161 | 
162 |     api_number = determine_api_number(ea, chunk_start, chunk_end)
163 |     if api_number == -1:
164 |         print("[!] %#x - Couldn't determine the api number" % ea)
165 |         continue
166 | 
167 |     api_name, api_type = get_api_name_type(api_number)
168 |     if api_name is None:
169 |         print("[!] %#x - Couldn't get the api name" % ea)
170 |         continue
171 | 
172 |     func = ida_funcs.get_func(ea)
173 |     if not has_only_one_basic_block(func):
174 |         print("[!] %#x - Function has more than one basic block" % ea)
175 |         continue
176 | 
177 |     func_name = ida_name.get_name(func.start_ea)
178 |     print("[*] Renaming function %s to %s" % (func_name, api_name))
179 |     ida_name.set_name(func.start_ea, encode(api_name),
180 |                       ida_name.SN_FORCE)
181 | 
182 |     if not api_type:
183 |         continue
184 |     print("[*] Changing function type of %s to '%s'" % (api_name, api_type))
185 |     set_function_prototype(func, encode(api_type))
186 | 


--------------------------------------------------------------------------------
/bindings/docs/conf.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | #
  3 | # Configuration file for the Sphinx documentation builder.
  4 | #
  5 | # This file does only contain a selection of the most common options. For a
  6 | # full list see the documentation:
  7 | # http://www.sphinx-doc.org/en/master/config
  8 | 
  9 | # -- Path setup --------------------------------------------------------------
 10 | 
 11 | # If extensions (or modules to document with autodoc) are in another directory,
 12 | # add these directories to sys.path here. If the directory is relative to the
 13 | # documentation root, use os.path.abspath to make it absolute, like shown here.
 14 | #
 15 | import os
 16 | import sys
 17 | sys.path.insert(0, os.path.abspath('..'))
 18 | 
 19 | 
 20 | # -- Project information -----------------------------------------------------
 21 | 
 22 | project = 'pymcclient'
 23 | copyright = '2019, Quarkslab'
 24 | author = 'Alexandre Adamski'
 25 | 
 26 | # The short X.Y version
 27 | version = '0.2.3'
 28 | # The full version, including alpha/beta/rc tags
 29 | release = ''
 30 | 
 31 | 
 32 | # -- General configuration ---------------------------------------------------
 33 | 
 34 | # If your documentation needs a minimal Sphinx version, state it here.
 35 | #
 36 | # needs_sphinx = '1.0'
 37 | 
 38 | # Add any Sphinx extension module names here, as strings. They can be
 39 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 40 | # ones.
 41 | extensions = [
 42 |     'sphinx.ext.autodoc',
 43 |     'sphinx.ext.viewcode',
 44 |     'sphinx.ext.napoleon',
 45 | ]
 46 | 
 47 | autodoc_member_order = 'bysource'
 48 | 
 49 | napoleon_numpy_docstring = False
 50 | napoleon_use_param = False
 51 | napoleon_use_rtype = False
 52 | 
 53 | # Add any paths that contain templates here, relative to this directory.
 54 | templates_path = ['_templates']
 55 | 
 56 | # The suffix(es) of source filenames.
 57 | # You can specify multiple suffix as a list of string:
 58 | #
 59 | # source_suffix = ['.rst', '.md']
 60 | source_suffix = '.rst'
 61 | 
 62 | # The master toctree document.
 63 | master_doc = 'index'
 64 | 
 65 | # The language for content autogenerated by Sphinx. Refer to documentation
 66 | # for a list of supported languages.
 67 | #
 68 | # This is also used if you do content translation via gettext catalogs.
 69 | # Usually you set "language" from the command line for these cases.
 70 | language = None
 71 | 
 72 | # List of patterns, relative to source directory, that match files and
 73 | # directories to ignore when looking for source files.
 74 | # This pattern also affects html_static_path and html_extra_path.
 75 | exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
 76 | 
 77 | # The name of the Pygments (syntax highlighting) style to use.
 78 | pygments_style = None
 79 | 
 80 | 
 81 | # -- Options for HTML output -------------------------------------------------
 82 | 
 83 | # The theme to use for HTML and HTML Help pages.  See the documentation for
 84 | # a list of builtin themes.
 85 | #
 86 | html_theme = 'sphinx_rtd_theme'
 87 | 
 88 | # Theme options are theme-specific and customize the look and feel of a theme
 89 | # further.  For a list of options available for each theme, see the
 90 | # documentation.
 91 | #
 92 | # html_theme_options = {}
 93 | 
 94 | # Add any paths that contain custom static files (such as style sheets) here,
 95 | # relative to this directory. They are copied after the builtin static files,
 96 | # so a file named "default.css" will overwrite the builtin "default.css".
 97 | html_static_path = ['_static']
 98 | 
 99 | # Custom sidebar templates, must be a dictionary that maps document names
100 | # to template names.
101 | #
102 | # The default sidebars (for documents that don't match any pattern) are
103 | # defined by theme itself.  Builtin themes are using these templates by
104 | # default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
105 | # 'searchbox.html']``.
106 | #
107 | # html_sidebars = {}
108 | 
109 | 
110 | # -- Options for HTMLHelp output ---------------------------------------------
111 | 
112 | # Output file base name for HTML help builder.
113 | htmlhelp_basename = 'pymcclientdoc'
114 | 
115 | 
116 | # -- Options for LaTeX output ------------------------------------------------
117 | 
118 | latex_elements = {
119 |     # The paper size ('letterpaper' or 'a4paper').
120 |     #
121 |     # 'papersize': 'letterpaper',
122 | 
123 |     # The font size ('10pt', '11pt' or '12pt').
124 |     #
125 |     # 'pointsize': '10pt',
126 | 
127 |     # Additional stuff for the LaTeX preamble.
128 |     #
129 |     # 'preamble': '',
130 | 
131 |     # Latex figure (float) alignment
132 |     #
133 |     # 'figure_align': 'htbp',
134 | }
135 | 
136 | # Grouping the document tree into LaTeX files. List of tuples
137 | # (source start file, target name, title,
138 | #  author, documentclass [howto, manual, or own class]).
139 | latex_documents = [
140 |     (master_doc, 'pymcclient.tex', 'pymcclient Documentation',
141 |      'Alexandre Adamski', 'manual'),
142 | ]
143 | 
144 | 
145 | # -- Options for manual page output ------------------------------------------
146 | 
147 | # One entry per manual page. List of tuples
148 | # (source start file, name, description, authors, manual section).
149 | man_pages = [
150 |     (master_doc, 'pymcclient', 'pymcclient Documentation',
151 |      [author], 1)
152 | ]
153 | 
154 | 
155 | # -- Options for Texinfo output ----------------------------------------------
156 | 
157 | # Grouping the document tree into Texinfo files. List of tuples
158 | # (source start file, target name, title, author,
159 | #  dir menu entry, description, category)
160 | texinfo_documents = [
161 |     (master_doc, 'pymcclient', 'pymcclient Documentation',
162 |      author, 'pymcclient', 'One line description of project.',
163 |      'Miscellaneous'),
164 | ]
165 | 
166 | 
167 | # -- Options for Epub output -------------------------------------------------
168 | 
169 | # Bibliographic Dublin Core info.
170 | epub_title = project
171 | 
172 | # The unique identifier of the text. This can be a ISBN number
173 | # or the project homepage.
174 | #
175 | # epub_identifier = ''
176 | 
177 | # A unique identification for the text.
178 | #
179 | # epub_uid = ''
180 | 
181 | # A list of files that should not be packed into the epub file.
182 | epub_exclude_files = ['search.html']
183 | 
184 | 
185 | # -- Extension configuration -------------------------------------------------
186 | 


--------------------------------------------------------------------------------
/tainting/tainter.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | import argparse
  3 | import os
  4 | import struct
  5 | 
  6 | from manticore import Manticore, issymbolic
  7 | from manticore.core.state import TerminateState
  8 | 
  9 | import capstone as cs
 10 | 
 11 | 
 12 | def main(args):
 13 |     m = Manticore(args.binary, ['anything'])
 14 |     m.verbosity(args.verbosity)
 15 | 
 16 |     taint_id = 'user_ctrl'
 17 |     modules = []
 18 |     blocks = set()
 19 | 
 20 |     tl_api_lib_entry = 0x7d00000
 21 |     tl_api_lib_entry_ptr = 0x108c
 22 | 
 23 |     tci_buffer_addr = 0x100000
 24 |     tci_buffer_size = args.size
 25 | 
 26 |     @m.init
 27 |     def setup(state):
 28 |         elf = state.platform.elf
 29 | 
 30 |         text = elf.get_segment(0)
 31 |         text_addr = text['p_vaddr']
 32 |         text_size = text['p_memsz']
 33 |         name = os.path.basename(args.binary)
 34 |         modules.append((0, text_addr + text_size, name))
 35 | 
 36 |         data = elf.get_segment(1)
 37 |         data_addr = data['p_vaddr']
 38 |         data_size = data['p_memsz']
 39 | 
 40 |         shrmem_ptr_addr = data_addr + data_size - 8
 41 |         shrmem_ptr_size = data_addr + data_size - 4
 42 | 
 43 |         for start, end, _, _, _ in state.cpu.memory.mappings():
 44 |             if start > data_addr + data_size:
 45 |                 state.cpu.memory.munmap(start, end - start)
 46 | 
 47 |         state.cpu.memory.mmap(tci_buffer_addr, tci_buffer_size, 'rw')
 48 |         state.cpu.write_bytes(tci_buffer_addr, '\x00' * tci_buffer_size)
 49 | 
 50 |         state.cpu.write_bytes(shrmem_ptr_addr,
 51 |                               struct.pack('<I', tci_buffer_addr))
 52 |         state.cpu.write_bytes(shrmem_ptr_size,
 53 |                               struct.pack('<I', tci_buffer_size))
 54 | 
 55 |         tl_api_code = b'\x4f\xf0\x00\x00'   # mov.w r0, #0
 56 |         tl_api_code += b'\x70\x47'          # bx lr
 57 |         state.cpu.memory.mmap(tl_api_lib_entry, len(tl_api_code), 'rw')
 58 |         state.cpu.write_bytes(tl_api_lib_entry, tl_api_code)
 59 |         state.cpu.memory.mprotect(tl_api_lib_entry, len(tl_api_code), 'rx')
 60 | 
 61 |         state.cpu.write_bytes(tl_api_lib_entry_ptr,
 62 |                               struct.pack('<I', tl_api_lib_entry | 1),
 63 |                               force=True)
 64 | 
 65 |     @m.hook(tl_api_lib_entry)
 66 |     def tl_api(state):
 67 |         tl_api_func_id = state.cpu.read_register('R0')
 68 | 
 69 |         if tl_api_func_id == 0x6:
 70 |             print("Calling tlApiWaitNotification")
 71 |             tci_buffer = state.new_symbolic_buffer(tci_buffer_size,
 72 |                                                    taint=(taint_id,))
 73 |             state.cpu.write_bytes(tci_buffer_addr, tci_buffer)
 74 | 
 75 |         elif tl_api_func_id == 0x7:
 76 |             print("Calling tlApiNotify")
 77 |             raise TerminateState('tlApiNotify', testcase=False)
 78 | 
 79 |         elif tl_api_func_id == 0x4:
 80 |             print("Calling tlApiExit")
 81 |             raise TerminateState('tlApiExit', testcase=False)
 82 | 
 83 |         else:
 84 |             print("Calling unknown tlApi %#x" % tl_api_func_id)
 85 | 
 86 |     def has_tainted_operands(operands):
 87 |         for operand in operands:
 88 |             op = operand.read()
 89 |             if issymbolic(op) and taint_id in op.taint:
 90 |                 return True
 91 |         return False
 92 | 
 93 |     def has_tainted_flags(state, cc):
 94 |         if cc == cs.arm.ARM_CC_AL:
 95 |             ret = []
 96 |         elif cc == cs.arm.ARM_CC_EQ:
 97 |             ret = ['Z']
 98 |         elif cc == cs.arm.ARM_CC_NE:
 99 |             ret = ['Z']
100 |         elif cc == cs.arm.ARM_CC_HS:
101 |             ret = ['C']
102 |         elif cc == cs.arm.ARM_CC_LO:
103 |             ret = ['C']
104 |         elif cc == cs.arm.ARM_CC_MI:
105 |             ret = ['N']
106 |         elif cc == cs.arm.ARM_CC_PL:
107 |             ret = ['N']
108 |         elif cc == cs.arm.ARM_CC_VS:
109 |             ret = ['V']
110 |         elif cc == cs.arm.ARM_CC_VC:
111 |             ret = ['V']
112 |         elif cc == cs.arm.ARM_CC_HI:
113 |             ret = ['C', 'Z']
114 |         elif cc == cs.arm.ARM_CC_LS:
115 |             ret = ['C', 'Z']
116 |         elif cc == cs.arm.ARM_CC_GE:
117 |             ret = ['N', 'V']
118 |         elif cc == cs.arm.ARM_CC_LT:
119 |             ret = ['N', 'V']
120 |         elif cc == cs.arm.ARM_CC_GT:
121 |             ret = ['Z', 'N', 'V']
122 |         elif cc == cs.arm.ARM_CC_LE:
123 |             ret = ['Z', 'N', 'V']
124 | 
125 |         for flag in ret:
126 |             flag_name = 'APSR_{}'.format(flag)
127 |             flag_val = state.cpu.regfile.read(flag_name)
128 |             if issymbolic(flag_val) and taint_id in flag_val.taint:
129 |                 return True
130 |         return False
131 | 
132 |     @m.hook(None)
133 |     def tainting_and_coverage(state):
134 |         insn = state.cpu.instruction
135 |         if args.tainting:
136 |             if has_tainted_operands(insn.operands) \
137 |                     or has_tainted_flags(state, insn.cc):
138 |                 print('Found tainted instruction:')
139 |                 print('    %#x: %s %s'
140 |                       % (insn.address, insn.mnemonic, insn.op_str))
141 |         if args.coverage:
142 |             blocks.add((insn.address, insn.size))
143 | 
144 |     m.run()
145 | 
146 |     def write_coverage(f):
147 |         f.write(b"DRCOV VERSION: 2\n")
148 |         f.write(b"DRCOV FLAVOR: drcov\n")
149 |         f.write(b"Module Table: version 2, count %u\n" % len(modules))
150 |         f.write(b"Columns: id, base, end, entry, checksum, timestamp, path\n")
151 | 
152 |         fmt = b"%2u, 0x%x, 0x%x, 0x0000000000000000, "
153 |         fmt += b"0x00000000, 0x00000000, %s\n"
154 |         for mid, (base, end, path) in enumerate(modules):
155 |             f.write(fmt % (mid, base, end, str.encode(path)))
156 | 
157 |         f.write(b"BB Table: %u bbs\n" % len(blocks))
158 |         for addr, size in blocks:
159 |             for mid, module in enumerate(modules):
160 |                 if addr >= module[0] and addr < module[1]:
161 |                     bb = struct.pack("<IHH", addr - module[0], size, mid)
162 |                     f.write(bb)
163 |                     break
164 | 
165 |     if args.coverage:
166 |         with open(args.coverage, 'wb') as f:
167 |             write_coverage(f)
168 | 
169 |     print('See {} for results.'.format(m.workspace))
170 | 
171 | 
172 | if __name__ == '__main__':
173 |     parser = argparse.ArgumentParser(description='Trustlets fuzzer')
174 |     parser.add_argument('binary', metavar='BINARY', type=str,
175 |                         help='binary path')
176 |     parser.add_argument('--size', '-s', type=int, required=True,
177 |                         help="tci buffer size")
178 |     parser.add_argument('--tainting', '-t', action='store_true',
179 |                         help='enable tainting')
180 |     parser.add_argument('--coverage', '-c', type=str,
181 |                         help='create coverage file')
182 |     parser.add_argument('-v', '--verbosity', type=int, default=0,
183 |                         choices=[0, 1, 2, 3, 4, 5],
184 |                         help="increase output verbosity")
185 |     main(parser.parse_args())
186 | 


--------------------------------------------------------------------------------
/scripts/loaders/Ghidra/tbaseloader/src/main/java/tbaseloader/TBaseLoader.java:
--------------------------------------------------------------------------------
  1 | package tbaseloader;
  2 | 
  3 | import java.io.File;
  4 | import java.io.IOException;
  5 | import java.io.InputStream;
  6 | import java.util.ArrayList;
  7 | import java.util.Arrays;
  8 | import java.util.Collection;
  9 | import java.util.List;
 10 | 
 11 | import docking.widgets.OptionDialog;
 12 | import docking.widgets.filechooser.GhidraFileChooser;
 13 | import ghidra.app.util.Option;
 14 | import ghidra.app.util.bin.BinaryReader;
 15 | import ghidra.app.util.bin.ByteProvider;
 16 | import ghidra.app.util.importer.MessageLog;
 17 | import ghidra.app.util.opinion.AbstractLibrarySupportLoader;
 18 | import ghidra.app.util.opinion.LoadSpec;
 19 | import ghidra.program.flatapi.FlatProgramAPI;
 20 | import ghidra.program.model.address.Address;
 21 | import ghidra.program.model.lang.LanguageCompilerSpecPair;
 22 | import ghidra.program.model.listing.Program;
 23 | import ghidra.program.model.mem.MemoryBlock;
 24 | import ghidra.util.Msg;
 25 | import ghidra.util.exception.CancelledException;
 26 | import ghidra.util.task.TaskMonitor;
 27 | import utilities.util.FileUtilities;
 28 | 
 29 | public class TBaseLoader extends AbstractLibrarySupportLoader {
 30 |     private static long BASE_ADDR = 0x7F00000;
 31 |     private static String VERSION = "t-base-EXYNOS64-Android-";
 32 | 
 33 |     private static long S0CB_ADDR = 0x7FFF000;
 34 |     private static List<String> TRUSTLETS = Arrays.asList("drcrypt", "drcrypto", "tlproxy", "sth2", "rpmb");
 35 | 
 36 |     private static class TableEntry {
 37 |         public String name;
 38 |         public long addr;
 39 |         public long size;
 40 |     }
 41 | 
 42 |     private long mclibAddr;
 43 |     private long tableAddr;
 44 |     private long fileOffset;
 45 | 
 46 |     private static long find(BinaryReader reader, byte[] pattern, long offset) throws IOException {
 47 |         for (long i = offset; i <= reader.length() - pattern.length; ++i) {
 48 |             for (int j = 0; j < pattern.length; ++j) {
 49 |                 if (reader.readByte(i + j) != pattern[j])
 50 |                     break;
 51 |                 if (j == pattern.length - 1)
 52 |                     return i;
 53 |             }
 54 |         }
 55 |         return -1;
 56 |     }
 57 | 
 58 |     private static long findPattern(BinaryReader reader, byte[] pattern, long align) throws IOException {
 59 |         long location = find(reader, pattern, 0);
 60 |         while (location != -1) {
 61 |             if (align == 0 || (location & (align - 1)) == 0)
 62 |                 return location;
 63 |             location = find(reader, pattern, location + 1);
 64 |         }
 65 |         return location;
 66 |     }
 67 | 
 68 |     private static long findTable(BinaryReader reader) throws IOException {
 69 |         long addr = findPattern(reader, "t-base ".getBytes(), 0);
 70 |         if (addr < 0)
 71 |             addr = findPattern(reader, "tee ".getBytes(), 0);
 72 |         return addr;
 73 |     }
 74 | 
 75 |     private static long findVersion(BinaryReader reader) throws IOException {
 76 |         long candidate = findPattern(reader, VERSION.getBytes(), 0);
 77 |         candidate += VERSION.length();
 78 | 
 79 |         String version = reader.readAsciiString(candidate, 4);
 80 |         if (version.equals("200A") || version.equals("200B"))
 81 |             return 1;
 82 |         else if (version.equals("302A") || version.equals("310B"))
 83 |             return 4;
 84 |         else if (version.equals("400A"))
 85 |             return 5;
 86 |         return 0;
 87 |     }
 88 | 
 89 |     private List<TableEntry> parseTable(BinaryReader reader) throws IOException {
 90 |         List<TableEntry> table = new ArrayList<>();
 91 |         reader.setPointerIndex(tableAddr + 0x20);
 92 |         while (reader.peekNextByte() != (byte) 0) {
 93 |             TableEntry entry = new TableEntry();
 94 |             entry.name = reader.readNextAsciiString(8);
 95 |             entry.addr = reader.readNextUnsignedInt();
 96 |             entry.size = reader.readNextUnsignedInt();
 97 |             reader.readNextByteArray(16);
 98 |             table.add(entry);
 99 |         }
100 |         return table;
101 |     }
102 | 
103 |     private boolean askSaveBinaries() {
104 |         String message = "Would you like to save the extracted binaries to disk?";
105 |         int choice = OptionDialog.showYesNoDialog(null, "", message);
106 |         return choice == OptionDialog.YES_OPTION;
107 |     }
108 | 
109 |     private void extractBinary(BinaryReader reader, String name, long offset, long size) throws IOException {
110 |         GhidraFileChooser chooser = new GhidraFileChooser(null);
111 |         File directory = reader.getByteProvider().getFile().getParentFile();
112 |         chooser.setSelectedFile(new File(directory, name));
113 |         chooser.setTitle("Please enter a file name");
114 |         File file = chooser.getSelectedFile(true);
115 |         if (file != null)
116 |             FileUtilities.writeBytes(file, reader.readByteArray(offset, (int) size));
117 |     }
118 | 
119 |     private void mapSegments(BinaryReader reader, FlatProgramAPI api, List<TableEntry> table, boolean noSave)
120 |             throws IOException {
121 |         for (TableEntry entry : table) {
122 |             Address start = api.toAddr(BASE_ADDR + entry.addr);
123 |             boolean data = false, code = true;
124 | 
125 |             if (entry.name.equals("image_h") || entry.name.equals("img-hdr"))
126 |                 code = !(data = true);
127 |             else if (entry.name.equals("mclib"))
128 |                 start = api.toAddr(mclibAddr - 8);
129 |             else if (entry.name.equals("rtm"))
130 |                 start = api.toAddr(S0CB_ADDR);
131 |             else if (TRUSTLETS.contains(entry.name)) {
132 |                 if (!noSave)
133 |                     extractBinary(reader, entry.name + ".tlbin", fileOffset + entry.addr, entry.size);
134 |                 continue;
135 |             } else if (!entry.name.equals("mtk")) {
136 |                 Msg.info(this, String.format("Unknown table entry '%s'", entry.name));
137 |                 continue;
138 |             }
139 | 
140 |             InputStream input = reader.getByteProvider().getInputStream(fileOffset + entry.addr);
141 |             try {
142 |                 MemoryBlock block = api.createMemoryBlock(entry.name, start, input, entry.size, false);
143 |                 block.setRead(code || data);
144 |                 block.setWrite(data);
145 |                 block.setExecute(code);
146 |             } catch (Exception e) {
147 |                 Msg.error(this, e);
148 |             }
149 |             input.close();
150 | 
151 |             if (!noSave) {
152 |                 String filename = String.format("%s_%08x.bin", entry.name, start.getOffset());
153 |                 extractBinary(reader, filename, fileOffset + entry.addr, entry.size);
154 |             }
155 |         }
156 |     }
157 | 
158 |     @Override
159 |     public String getName() {
160 |         return "<t-base image (sboot.bin)";
161 |     }
162 | 
163 |     @Override
164 |     public Collection<LoadSpec> findSupportedLoadSpecs(ByteProvider provider) throws IOException {
165 |         BinaryReader reader = new BinaryReader(provider, true);
166 | 
167 |         long table = findTable(reader);
168 |         if (table == -1)
169 |             return new ArrayList<LoadSpec>();
170 |         return List.of(new LoadSpec(this, 0, new LanguageCompilerSpecPair("ARM:LE:32:v7", "default"), true));
171 |     }
172 | 
173 |     @Override
174 |     protected void load(ByteProvider provider, LoadSpec loadSpec, List<Option> options, Program program,
175 |             TaskMonitor monitor, MessageLog log) throws CancelledException, IOException {
176 |         BinaryReader reader = new BinaryReader(provider, true);
177 |         FlatProgramAPI api = new FlatProgramAPI(program, monitor);
178 | 
179 |         long mclfAddr = findPattern(reader, "MCLF".getBytes(), 0x1000);
180 |         if (mclfAddr == -1) {
181 |             Msg.error(this, "MCLF header not found");
182 |             return;
183 |         }
184 | 
185 |         long rtmAddr = findPattern(reader, "S0CB".getBytes(), 0x1000);
186 |         if (rtmAddr == -1) {
187 |             Msg.error(this, "S0CB header not found");
188 |             return;
189 |         }
190 | 
191 |         mclibAddr = reader.readUnsignedInt(rtmAddr + 0x8c);
192 | 
193 |         tableAddr = findTable(reader);
194 |         if (tableAddr == -1) {
195 |             Msg.error(this, "Table header not found");
196 |             return;
197 |         }
198 | 
199 |         long offset = findVersion(reader);
200 |         if (offset == -1) {
201 |             Msg.error(this, "Table header not found");
202 |             return;
203 |         }
204 | 
205 |         fileOffset = mclfAddr - reader.readUnsignedInt(tableAddr + 0x20 * offset + 8);
206 | 
207 |         List<TableEntry> table = parseTable(reader);
208 |         boolean noSave = !askSaveBinaries();
209 |         mapSegments(reader, api, table, noSave);
210 |     }
211 | }
212 | 


--------------------------------------------------------------------------------
/emulator/emulator.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import collections
  3 | import signal
  4 | import struct
  5 | import sys
  6 | 
  7 | from unicorn import *
  8 | from unicorn.arm_const import *
  9 | 
 10 | 
 11 | MCLF_STRUCT = struct.Struct("IIIIII16sIIIIIIII")
 12 | MCLF_TUPLE = collections.namedtuple('MCLF',
 13 |     ['magic', 'version', 'flags', 'mem_type', 'service_type',
 14 |      'num_instances', 'uuid', 'driver_id', 'num_threads', 'text_va',
 15 |      'text_len', 'data_va', 'data_len', 'bss_len', 'entry'])
 16 | 
 17 | 
 18 | class Emulator(object):
 19 |     ALIGN_PAGE = staticmethod(lambda x: x & ~(Emulator.page_size - 1))
 20 |     ROUND_PAGE = staticmethod(lambda x: Emulator.ALIGN_PAGE(x + Emulator.page_size))
 21 | 
 22 |     page_size = 0x1000
 23 |     memory_pages = []
 24 | 
 25 |     tl_api_lib_entry = 0x108c
 26 |     tl_api_lib_addr = 0x07d00000
 27 |     tci_buffer_addr = 0x100000
 28 | 
 29 |     def __init__(self, args):
 30 |         self.args = args
 31 |         self.parse_binary()
 32 |         self.check_binary()
 33 | 
 34 |         # Initialize the engine
 35 |         mode = UC_MODE_THUMB if self.mclf.entry & 1 else UC_MODE_ARM
 36 |         self.uc = Uc(UC_ARCH_ARM, mode)
 37 | 
 38 |         self.map_sections()
 39 |         self.map_shared_memory()
 40 |         self.map_tlapi_handler()
 41 | 
 42 |         # Add the debug hook if needed
 43 |         if args.debug:
 44 |             from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM, CS_MODE_THUMB
 45 |             self.cs_arm = Cs(CS_ARCH_ARM, CS_MODE_ARM)
 46 |             self.cs_thumb = Cs(CS_ARCH_ARM, CS_MODE_THUMB)
 47 |             self.uc.hook_add(UC_HOOK_CODE, self.DEBUG)
 48 | 
 49 |         self.LOG("[+] Starting emulation")
 50 |         self.uc.emu_start(self.mclf.entry | 1,
 51 |                           self.mclf.text_va +
 52 |                           self.mclf.text_len,
 53 |                           count=0,
 54 |                           timeout=0)
 55 | 
 56 |     def parse_binary(self):
 57 |         # Read the trustlet binary
 58 |         with open(self.args.binary, "rb") as f:
 59 |             self.mclf = MCLF_TUPLE(*MCLF_STRUCT.unpack(f.read(72)))
 60 |             f.seek(0)
 61 |             self.code = f.read(self.mclf.text_len)
 62 |             f.seek(self.mclf.text_len)
 63 |             self.data = f.read(self.mclf.data_len)
 64 | 
 65 |     def check_binary(self):
 66 |         # Check the service type
 67 |         if self.mclf.service_type in [2, 3]:
 68 |             self.LOG("[+] Binary is a trustlet")
 69 |         else:
 70 |             raise Exception("[!] Unsupported binary")
 71 | 
 72 |         # Print basic information
 73 |         self.LOG("[+] Trustlet size = 0x{:x}"
 74 |                  .format(self.mclf.text_len +
 75 |                          self.mclf.data_len +
 76 |                          self.mclf.bss_len))
 77 | 
 78 |     def map_sections(self):
 79 |         # Map the text section
 80 |         self.LOG("[+] Mapping text section at 0x{:08x} with a size of 0x{:x}"
 81 |                  .format(self.mclf.text_va, self.mclf.text_len))
 82 |         self.map_mem(self.mclf.text_va, self.mclf.text_len)
 83 |         self.write_mem(self.mclf.text_va, self.code)
 84 | 
 85 |         # Map the data section
 86 |         self.LOG("[+] Mapping data section at 0x{:08x} with a size of 0x{:x}"
 87 |                  .format(self.mclf.data_va, self.mclf.data_len))
 88 |         self.map_mem(self.mclf.data_va, self.mclf.data_len)
 89 |         self.write_mem(self.mclf.data_va, self.data)
 90 | 
 91 |         # Map the BSS section
 92 |         bss_va = self.mclf.data_va + self.mclf.data_len
 93 |         self.LOG("[+] Mapping BSS section at 0x{:08x} with a size of 0x{:x}"
 94 |                  .format(bss_va, self.mclf.bss_len))
 95 |         self.map_mem(bss_va, self.mclf.bss_len)
 96 |         self.write_mem(bss_va, b'\x00' * self.mclf.bss_len)
 97 | 
 98 |     def map_shared_memory(self):
 99 |         # Map the TCI buffer
100 |         self.LOG("[+] Mapping TCI buffer at 0x{:08x} with a size of 0x{:x}"
101 |                  .format(self.tci_buffer_addr, self.args.tci))
102 |         self.map_mem(self.tci_buffer_addr, self.args.tci)
103 | 
104 |         # Write the TCI buffer address and length
105 |         end_of_bss = self.mclf.data_va + self.mclf.data_len + self.mclf.bss_len
106 |         self.write_dword(end_of_bss - 8, self.tci_buffer_addr)
107 |         self.write_dword(end_of_bss - 4, self.args.tci)
108 | 
109 |     def map_tlapi_handler(self):
110 |         # Map the tlApi handler
111 |         self.map_mem(self.tl_api_lib_addr, 1)
112 |         self.write_dword(self.tl_api_lib_entry, self.tl_api_lib_addr)
113 | 
114 |         # Hook the tlApi handler
115 |         self.uc.hook_add(UC_HOOK_CODE, self.handle_tl_api,
116 |                          begin=self.tl_api_lib_addr,
117 |                          end=self.tl_api_lib_addr + 1)
118 | 
119 |     def handle_tl_api(self, uc, address, size, user_data):
120 |         tl_api_func_id = self.read_reg(UC_ARM_REG_R0)
121 |         self.LOG("[+] Calling tlApi with ID 0x{:x}".format(tl_api_func_id))
122 | 
123 |         if tl_api_func_id == 0x4:
124 |             self.handle_tl_api_exit("tlApiExit")
125 |         elif tl_api_func_id == 0x6:
126 |             pass  # tlApiWaitNotification
127 |         elif tl_api_func_id == 0x7:
128 |             self.handle_tl_api_exit("tlApiNotify")
129 |         else:
130 |             self.set_ret(0)
131 |         self.force_ret()
132 | 
133 |     def handle_tl_api_exit(self, caller):
134 |         self.LOG("[+] {}: Quitting!".format(caller))
135 |         self.uc.emu_stop()
136 |         sys.exit(0)
137 | 
138 |     def LOG(self, msg):
139 |         print(msg)
140 | 
141 |     def DEBUG(self, uc, address, size, user_data):
142 |         pc = self.read_reg(UC_ARM_REG_PC)
143 |         try:
144 |             ins = bytes(self.uc.mem_read(pc, 4))
145 |             if self.uc.query(UC_QUERY_MODE) == UC_MODE_ARM:
146 |                 cs = self.cs_arm
147 |             elif self.uc.query(UC_QUERY_MODE) == UC_MODE_THUMB:
148 |                 cs = self.cs_thumb
149 |             _, __, mnem, op_str = next(cs.disasm_lite(ins, 4))
150 |             ins_disas = '{} {}'.format(mnem, op_str)
151 |         except:
152 |             ins_disas = 'ERROR'
153 |         self.LOG('[+] {:08x}:\t{}'.format(pc, ins_disas.upper()))
154 | 
155 |     def read_reg(self, reg):
156 |         return self.uc.reg_read(reg)
157 | 
158 |     def write_reg(self, reg, value):
159 |         return self.uc.reg_write(reg, value)
160 | 
161 |     def set_ret(self, val):
162 |         self.write_reg(UC_ARM_REG_R0, val)
163 | 
164 |     def force_ret(self):
165 |         self.write_reg(UC_ARM_REG_PC, self.read_reg(UC_ARM_REG_LR))
166 | 
167 |     def read_mem(self, addr, sz):
168 |         return self.uc.mem_read(addr, sz)
169 | 
170 |     def read_byte(self, addr):
171 |         return struct.unpack("<B", self.read_mem(addr, 1))[0]
172 | 
173 |     def read_word(self, addr):
174 |         return struct.unpack("<H", self.read_mem(addr, 2))[0]
175 | 
176 |     def read_dword(self, addr):
177 |         return struct.unpack("<I", self.read_mem(addr, 4))[0]
178 | 
179 |     def read_qword(self, addr):
180 |         return struct.unpack("<Q", self.read_mem(addr, 8))[0]
181 | 
182 |     def write_mem(self, addr, data):
183 |         return self.uc.mem_write(addr, data)
184 | 
185 |     def write_byte(self, addr, val):
186 |         return self.write_mem(addr, struct.pack("<B", val))
187 | 
188 |     def write_word(self, addr, val):
189 |         return self.write_mem(addr, struct.pack("<H", val))
190 | 
191 |     def write_dword(self, addr, val):
192 |         return self.write_mem(addr, struct.pack("<I", val))
193 | 
194 |     def write_qword(self, addr, val):
195 |         return self.write_mem(addr, struct.pack("<Q", val))
196 | 
197 |     def map_mem(self, addr, size):
198 |         self.LOG("[+] Mapping region at 0x{:08x} (0x{:x} bytes)"
199 |                  .format(addr, size))
200 |         maddr = self.ALIGN_PAGE(addr)
201 |         msize = self.ROUND_PAGE(addr - maddr + size)
202 |         pages = []
203 | 
204 |         for page_addr in range(maddr, maddr + msize, self.page_size):
205 |             if page_addr not in self.memory_pages:
206 |                 if pages and pages[-1][0] + pages[-1][1] == page_addr:
207 |                     pages[-1] = pages[-1][0], pages[-1][1] + self.page_size
208 |                 else:
209 |                     pages.append((page_addr, self.page_size))
210 |                 self.memory_pages.append(page_addr)
211 | 
212 |         for page_addr, page_size in pages:
213 |             self.uc.mem_map(page_addr, page_size)
214 | 
215 | 
216 | if __name__ == "__main__":
217 |     def sigint_handler(_, __):
218 |         exit()
219 |     signal.signal(signal.SIGINT, sigint_handler)
220 | 
221 |     parser = argparse.ArgumentParser(description='Trustlets emulator')
222 |     parser.add_argument('binary', type=str, help='binary path')
223 |     parser.add_argument('--tci', '-t', type=int, metavar='buffer_size',
224 |                         default=Emulator.page_size, help="tci buffer size")
225 |     parser.add_argument('--debug', '-d', action='store_true',
226 |                         help='enable debug logs')
227 |     Emulator(parser.parse_args())
228 | 


--------------------------------------------------------------------------------
/fuzzer/fuzzer.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import collections
  3 | import os
  4 | import signal
  5 | import struct
  6 | import sys
  7 | 
  8 | from unicorn import *
  9 | from unicorn.arm_const import *
 10 | 
 11 | 
 12 | MCLF_STRUCT = struct.Struct("IIIIII16sIIIIIIII")
 13 | MCLF_TUPLE = collections.namedtuple('MCLF',
 14 |     ['magic', 'version', 'flags', 'mem_type', 'service_type',
 15 |      'num_instances', 'uuid', 'driver_id', 'num_threads', 'text_va',
 16 |      'text_len', 'data_va', 'data_len', 'bss_len', 'entry'])
 17 | 
 18 | 
 19 | class Emulator(object):
 20 |     ALIGN_PAGE = staticmethod(lambda x: x & ~(Emulator.page_size - 1))
 21 |     ROUND_PAGE = staticmethod(lambda x: Emulator.ALIGN_PAGE(x + Emulator.page_size))
 22 | 
 23 |     page_size = 0x1000
 24 |     memory_pages = []
 25 | 
 26 |     tl_api_lib_entry = 0x108c
 27 |     tl_api_lib_addr = 0x07d00000
 28 |     tci_buffer_addr = 0x100000
 29 | 
 30 |     def __init__(self, args):
 31 |         self.args = args
 32 |         self.parse_binary()
 33 |         self.check_binary()
 34 | 
 35 |         # Initialize the engine
 36 |         mode = UC_MODE_THUMB if self.mclf.entry & 1 else UC_MODE_ARM
 37 |         self.uc = Uc(UC_ARCH_ARM, mode)
 38 | 
 39 |         self.map_sections()
 40 |         self.map_shared_memory()
 41 |         self.map_tlapi_handler()
 42 | 
 43 |         # Add the debug hook if needed
 44 |         if args.debug:
 45 |             from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM, CS_MODE_THUMB
 46 |             self.cs_arm = Cs(CS_ARCH_ARM, CS_MODE_ARM)
 47 |             self.cs_thumb = Cs(CS_ARCH_ARM, CS_MODE_THUMB)
 48 |             self.uc.hook_add(UC_HOOK_CODE, self.DEBUG)
 49 | 
 50 |         self.start_forkserver()
 51 |         self.load_input()
 52 | 
 53 |         try:
 54 |             self.LOG("[+] Starting fuzzing")
 55 |             self.uc.emu_start(self.mclf.entry | 1,
 56 |                               self.mclf.text_va +
 57 |                               self.mclf.text_len,
 58 |                               count=0,
 59 |                               timeout=0)
 60 |         except UcError as e:
 61 |             self.force_crash(e)
 62 | 
 63 |     def start_forkserver(self):
 64 |         self.LOG("Starting the AFL forkserver by executing 1 instruction")
 65 |         try:
 66 |             self.uc.emu_start(self.mclf.entry | 1, 0, 0, count=1)
 67 |         except UcError as e:
 68 |             self.LOG("Failed to execute a single instruction: %s" % e)
 69 | 
 70 |     def load_input(self):
 71 |         self.LOG("Loading data input from %s" % self.args.input)
 72 |         with open(self.args.input, 'rb') as f:
 73 |             input = f.read()
 74 |             if len(input) > self.args.tci:
 75 |                 self.LOG("Test input is too long")
 76 |             else:
 77 |                 self.write_mem(self.tci_buffer_addr, input)
 78 | 
 79 |     def force_crash(self, uc_error):
 80 |         mem_errors = [
 81 |             UC_ERR_READ_UNMAPPED, UC_ERR_READ_PROT, UC_ERR_READ_UNALIGNED,
 82 |             UC_ERR_WRITE_UNMAPPED, UC_ERR_WRITE_PROT, UC_ERR_WRITE_UNALIGNED,
 83 |             UC_ERR_FETCH_UNMAPPED, UC_ERR_FETCH_PROT, UC_ERR_FETCH_UNALIGNED,
 84 |         ]
 85 |         if uc_error.errno in mem_errors:
 86 |             os.kill(os.getpid(), signal.SIGSEGV)
 87 |         elif uc_error.errno == UC_ERR_INSN_INVALID:
 88 |             os.kill(os.getpid(), signal.SIGILL)
 89 |         else:
 90 |             os.kill(os.getpid(), signal.SIGABRT)
 91 | 
 92 |     def parse_binary(self):
 93 |         # Read the trustlet binary
 94 |         with open(self.args.binary, "rb") as f:
 95 |             self.mclf = MCLF_TUPLE(*MCLF_STRUCT.unpack(f.read(72)))
 96 |             f.seek(0)
 97 |             self.code = f.read(self.mclf.text_len)
 98 |             f.seek(self.mclf.text_len)
 99 |             self.data = f.read(self.mclf.data_len)
100 | 
101 |     def check_binary(self):
102 |         # Check the service type
103 |         if self.mclf.service_type in [2, 3]:
104 |             self.LOG("[+] Binary is a trustlet")
105 |         else:
106 |             raise Exception("[!] Unsupported binary")
107 | 
108 |         # Print basic information
109 |         self.LOG("[+] Trustlet size = 0x{:x}"
110 |                  .format(self.mclf.text_len +
111 |                          self.mclf.data_len +
112 |                          self.mclf.bss_len))
113 | 
114 |     def map_sections(self):
115 |         # Map the text section
116 |         self.LOG("[+] Mapping text section at 0x{:08x} with a size of 0x{:x}"
117 |                  .format(self.mclf.text_va, self.mclf.text_len))
118 |         self.map_mem(self.mclf.text_va, self.mclf.text_len)
119 |         self.write_mem(self.mclf.text_va, self.code)
120 | 
121 |         # Map the data section
122 |         self.LOG("[+] Mapping data section at 0x{:08x} with a size of 0x{:x}"
123 |                  .format(self.mclf.data_va, self.mclf.data_len))
124 |         self.map_mem(self.mclf.data_va, self.mclf.data_len)
125 |         self.write_mem(self.mclf.data_va, self.data)
126 | 
127 |         # Map the BSS section
128 |         bss_va = self.mclf.data_va + self.mclf.data_len
129 |         self.LOG("[+] Mapping BSS section at 0x{:08x} with a size of 0x{:x}"
130 |                  .format(bss_va, self.mclf.bss_len))
131 |         self.map_mem(bss_va, self.mclf.bss_len)
132 |         self.write_mem(bss_va, b'\x00' * self.mclf.bss_len)
133 | 
134 |     def map_shared_memory(self):
135 |         # Map the TCI buffer
136 |         self.LOG("[+] Mapping TCI buffer at 0x{:08x} with a size of 0x{:x}"
137 |                  .format(self.tci_buffer_addr, self.args.tci))
138 |         self.map_mem(self.tci_buffer_addr, self.args.tci)
139 | 
140 |         # Write the TCI buffer address and length
141 |         end_of_bss = self.mclf.data_va + self.mclf.data_len + self.mclf.bss_len
142 |         self.write_dword(end_of_bss - 8, self.tci_buffer_addr)
143 |         self.write_dword(end_of_bss - 4, self.args.tci)
144 | 
145 |     def map_tlapi_handler(self):
146 |         # Map the tlApi handler
147 |         self.map_mem(self.tl_api_lib_addr, 1)
148 |         self.write_dword(self.tl_api_lib_entry, self.tl_api_lib_addr)
149 | 
150 |         # Hook the tlApi handler
151 |         self.uc.hook_add(UC_HOOK_CODE, self.handle_tl_api,
152 |                          begin=self.tl_api_lib_addr,
153 |                          end=self.tl_api_lib_addr + 1)
154 | 
155 |     def handle_tl_api(self, uc, address, size, user_data):
156 |         tl_api_func_id = self.read_reg(UC_ARM_REG_R0)
157 |         self.LOG("[+] Calling tlApi with ID 0x{:x}".format(tl_api_func_id))
158 | 
159 |         if tl_api_func_id == 0x4:
160 |             self.handle_tl_api_exit("tlApiExit")
161 |         elif tl_api_func_id == 0x6:
162 |             pass  # tlApiWaitNotification
163 |         elif tl_api_func_id == 0x7:
164 |             self.handle_tl_api_exit("tlApiNotify")
165 |         else:
166 |             self.set_ret(0)
167 |         self.force_ret()
168 | 
169 |     def handle_tl_api_exit(self, caller):
170 |         self.LOG("[+] {}: Quitting!".format(caller))
171 |         self.uc.emu_stop()
172 |         sys.exit(0)
173 | 
174 |     def LOG(self, msg):
175 |         print(msg)
176 | 
177 |     def DEBUG(self, uc, address, size, user_data):
178 |         pc = self.read_reg(UC_ARM_REG_PC)
179 |         try:
180 |             ins = bytes(self.uc.mem_read(pc, 4))
181 |             if self.uc.query(UC_QUERY_MODE) == UC_MODE_ARM:
182 |                 cs = self.cs_arm
183 |             elif self.uc.query(UC_QUERY_MODE) == UC_MODE_THUMB:
184 |                 cs = self.cs_thumb
185 |             _, __, mnem, op_str = next(cs.disasm_lite(ins, 4))
186 |             ins_disas = '{} {}'.format(mnem, op_str)
187 |         except:
188 |             ins_disas = 'ERROR'
189 |         self.LOG('[+] {:08x}:\t{}'.format(pc, ins_disas.upper()))
190 | 
191 |     def read_reg(self, reg):
192 |         return self.uc.reg_read(reg)
193 | 
194 |     def write_reg(self, reg, value):
195 |         return self.uc.reg_write(reg, value)
196 | 
197 |     def set_ret(self, val):
198 |         self.write_reg(UC_ARM_REG_R0, val)
199 | 
200 |     def force_ret(self):
201 |         self.write_reg(UC_ARM_REG_PC, self.read_reg(UC_ARM_REG_LR))
202 | 
203 |     def read_mem(self, addr, sz):
204 |         return self.uc.mem_read(addr, sz)
205 | 
206 |     def read_byte(self, addr):
207 |         return struct.unpack("<B", self.read_mem(addr, 1))[0]
208 | 
209 |     def read_word(self, addr):
210 |         return struct.unpack("<H", self.read_mem(addr, 2))[0]
211 | 
212 |     def read_dword(self, addr):
213 |         return struct.unpack("<I", self.read_mem(addr, 4))[0]
214 | 
215 |     def read_qword(self, addr):
216 |         return struct.unpack("<Q", self.read_mem(addr, 8))[0]
217 | 
218 |     def write_mem(self, addr, data):
219 |         return self.uc.mem_write(addr, data)
220 | 
221 |     def write_byte(self, addr, val):
222 |         return self.write_mem(addr, struct.pack("<B", val))
223 | 
224 |     def write_word(self, addr, val):
225 |         return self.write_mem(addr, struct.pack("<H", val))
226 | 
227 |     def write_dword(self, addr, val):
228 |         return self.write_mem(addr, struct.pack("<I", val))
229 | 
230 |     def write_qword(self, addr, val):
231 |         return self.write_mem(addr, struct.pack("<Q", val))
232 | 
233 |     def map_mem(self, addr, size):
234 |         self.LOG("[+] Mapping region at 0x{:08x} (0x{:x} bytes)"
235 |                  .format(addr, size))
236 |         maddr = self.ALIGN_PAGE(addr)
237 |         msize = self.ROUND_PAGE(addr - maddr + size)
238 |         pages = []
239 | 
240 |         for page_addr in range(maddr, maddr + msize, self.page_size):
241 |             if page_addr not in self.memory_pages:
242 |                 if pages and pages[-1][0] + pages[-1][1] == page_addr:
243 |                     pages[-1] = pages[-1][0], pages[-1][1] + self.page_size
244 |                 else:
245 |                     pages.append((page_addr, self.page_size))
246 |                 self.memory_pages.append(page_addr)
247 | 
248 |         for page_addr, page_size in pages:
249 |             self.uc.mem_map(page_addr, page_size)
250 | 
251 | 
252 | if __name__ == "__main__":
253 |     def sigint_handler(_, __):
254 |         exit()
255 |     signal.signal(signal.SIGINT, sigint_handler)
256 | 
257 |     parser = argparse.ArgumentParser(description='Trustlets emulator')
258 |     parser.add_argument('binary', type=str, help='binary path')
259 |     parser.add_argument('input', type=str, help='input file')
260 |     parser.add_argument('--tci', '-t', type=int, metavar='buffer_size',
261 |                         default=Emulator.page_size, help="tci buffer size")
262 |     parser.add_argument('--debug', '-d', action='store_true',
263 |                         help='enable debug logs')
264 |     Emulator(parser.parse_args())
265 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
  1 | Apache License
  2 | ==============
  3 | 
  4 | _Version 2.0, January 2004_  
  5 | _&lt;<http://www.apache.org/licenses/>&gt;_
  6 | 
  7 | ### Terms and Conditions for use, reproduction, and distribution
  8 | 
  9 | #### 1. Definitions
 10 | 
 11 | “License” shall mean the terms and conditions for use, reproduction, and
 12 | distribution as defined by Sections 1 through 9 of this document.
 13 | 
 14 | “Licensor” shall mean the copyright owner or entity authorized by the copyright
 15 | owner that is granting the License.
 16 | 
 17 | “Legal Entity” shall mean the union of the acting entity and all other entities
 18 | that control, are controlled by, or are under common control with that entity.
 19 | For the purposes of this definition, “control” means **(i)** the power, direct or
 20 | indirect, to cause the direction or management of such entity, whether by
 21 | contract or otherwise, or **(ii)** ownership of fifty percent (50%) or more of the
 22 | outstanding shares, or **(iii)** beneficial ownership of such entity.
 23 | 
 24 | “You” (or “Your”) shall mean an individual or Legal Entity exercising
 25 | permissions granted by this License.
 26 | 
 27 | “Source” form shall mean the preferred form for making modifications, including
 28 | but not limited to software source code, documentation source, and configuration
 29 | files.
 30 | 
 31 | “Object” form shall mean any form resulting from mechanical transformation or
 32 | translation of a Source form, including but not limited to compiled object code,
 33 | generated documentation, and conversions to other media types.
 34 | 
 35 | “Work” shall mean the work of authorship, whether in Source or Object form, made
 36 | available under the License, as indicated by a copyright notice that is included
 37 | in or attached to the work (an example is provided in the Appendix below).
 38 | 
 39 | “Derivative Works” shall mean any work, whether in Source or Object form, that
 40 | is based on (or derived from) the Work and for which the editorial revisions,
 41 | annotations, elaborations, or other modifications represent, as a whole, an
 42 | original work of authorship. For the purposes of this License, Derivative Works
 43 | shall not include works that remain separable from, or merely link (or bind by
 44 | name) to the interfaces of, the Work and Derivative Works thereof.
 45 | 
 46 | “Contribution” shall mean any work of authorship, including the original version
 47 | of the Work and any modifications or additions to that Work or Derivative Works
 48 | thereof, that is intentionally submitted to Licensor for inclusion in the Work
 49 | by the copyright owner or by an individual or Legal Entity authorized to submit
 50 | on behalf of the copyright owner. For the purposes of this definition,
 51 | “submitted” means any form of electronic, verbal, or written communication sent
 52 | to the Licensor or its representatives, including but not limited to
 53 | communication on electronic mailing lists, source code control systems, and
 54 | issue tracking systems that are managed by, or on behalf of, the Licensor for
 55 | the purpose of discussing and improving the Work, but excluding communication
 56 | that is conspicuously marked or otherwise designated in writing by the copyright
 57 | owner as “Not a Contribution.”
 58 | 
 59 | “Contributor” shall mean Licensor and any individual or Legal Entity on behalf
 60 | of whom a Contribution has been received by Licensor and subsequently
 61 | incorporated within the Work.
 62 | 
 63 | #### 2. Grant of Copyright License
 64 | 
 65 | Subject to the terms and conditions of this License, each Contributor hereby
 66 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
 67 | irrevocable copyright license to reproduce, prepare Derivative Works of,
 68 | publicly display, publicly perform, sublicense, and distribute the Work and such
 69 | Derivative Works in Source or Object form.
 70 | 
 71 | #### 3. Grant of Patent License
 72 | 
 73 | Subject to the terms and conditions of this License, each Contributor hereby
 74 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
 75 | irrevocable (except as stated in this section) patent license to make, have
 76 | made, use, offer to sell, sell, import, and otherwise transfer the Work, where
 77 | such license applies only to those patent claims licensable by such Contributor
 78 | that are necessarily infringed by their Contribution(s) alone or by combination
 79 | of their Contribution(s) with the Work to which such Contribution(s) was
 80 | submitted. If You institute patent litigation against any entity (including a
 81 | cross-claim or counterclaim in a lawsuit) alleging that the Work or a
 82 | Contribution incorporated within the Work constitutes direct or contributory
 83 | patent infringement, then any patent licenses granted to You under this License
 84 | for that Work shall terminate as of the date such litigation is filed.
 85 | 
 86 | #### 4. Redistribution
 87 | 
 88 | You may reproduce and distribute copies of the Work or Derivative Works thereof
 89 | in any medium, with or without modifications, and in Source or Object form,
 90 | provided that You meet the following conditions:
 91 | 
 92 | * **(a)** You must give any other recipients of the Work or Derivative Works a copy of
 93 | this License; and
 94 | * **(b)** You must cause any modified files to carry prominent notices stating that You
 95 | changed the files; and
 96 | * **(c)** You must retain, in the Source form of any Derivative Works that You distribute,
 97 | all copyright, patent, trademark, and attribution notices from the Source form
 98 | of the Work, excluding those notices that do not pertain to any part of the
 99 | Derivative Works; and
100 | * **(d)** If the Work includes a “NOTICE” text file as part of its distribution, then any
101 | Derivative Works that You distribute must include a readable copy of the
102 | attribution notices contained within such NOTICE file, excluding those notices
103 | that do not pertain to any part of the Derivative Works, in at least one of the
104 | following places: within a NOTICE text file distributed as part of the
105 | Derivative Works; within the Source form or documentation, if provided along
106 | with the Derivative Works; or, within a display generated by the Derivative
107 | Works, if and wherever such third-party notices normally appear. The contents of
108 | the NOTICE file are for informational purposes only and do not modify the
109 | License. You may add Your own attribution notices within Derivative Works that
110 | You distribute, alongside or as an addendum to the NOTICE text from the Work,
111 | provided that such additional attribution notices cannot be construed as
112 | modifying the License.
113 | 
114 | You may add Your own copyright statement to Your modifications and may provide
115 | additional or different license terms and conditions for use, reproduction, or
116 | distribution of Your modifications, or for any such Derivative Works as a whole,
117 | provided Your use, reproduction, and distribution of the Work otherwise complies
118 | with the conditions stated in this License.
119 | 
120 | #### 5. Submission of Contributions
121 | 
122 | Unless You explicitly state otherwise, any Contribution intentionally submitted
123 | for inclusion in the Work by You to the Licensor shall be under the terms and
124 | conditions of this License, without any additional terms or conditions.
125 | Notwithstanding the above, nothing herein shall supersede or modify the terms of
126 | any separate license agreement you may have executed with Licensor regarding
127 | such Contributions.
128 | 
129 | #### 6. Trademarks
130 | 
131 | This License does not grant permission to use the trade names, trademarks,
132 | service marks, or product names of the Licensor, except as required for
133 | reasonable and customary use in describing the origin of the Work and
134 | reproducing the content of the NOTICE file.
135 | 
136 | #### 7. Disclaimer of Warranty
137 | 
138 | Unless required by applicable law or agreed to in writing, Licensor provides the
139 | Work (and each Contributor provides its Contributions) on an “AS IS” BASIS,
140 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
141 | including, without limitation, any warranties or conditions of TITLE,
142 | NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
143 | solely responsible for determining the appropriateness of using or
144 | redistributing the Work and assume any risks associated with Your exercise of
145 | permissions under this License.
146 | 
147 | #### 8. Limitation of Liability
148 | 
149 | In no event and under no legal theory, whether in tort (including negligence),
150 | contract, or otherwise, unless required by applicable law (such as deliberate
151 | and grossly negligent acts) or agreed to in writing, shall any Contributor be
152 | liable to You for damages, including any direct, indirect, special, incidental,
153 | or consequential damages of any character arising as a result of this License or
154 | out of the use or inability to use the Work (including but not limited to
155 | damages for loss of goodwill, work stoppage, computer failure or malfunction, or
156 | any and all other commercial damages or losses), even if such Contributor has
157 | been advised of the possibility of such damages.
158 | 
159 | #### 9. Accepting Warranty or Additional Liability
160 | 
161 | While redistributing the Work or Derivative Works thereof, You may choose to
162 | offer, and charge a fee for, acceptance of support, warranty, indemnity, or
163 | other liability obligations and/or rights consistent with this License. However,
164 | in accepting such obligations, You may act only on Your own behalf and on Your
165 | sole responsibility, not on behalf of any other Contributor, and only if You
166 | agree to indemnify, defend, and hold each Contributor harmless for any liability
167 | incurred by, or claims asserted against, such Contributor by reason of your
168 | accepting any such warranty or additional liability.
169 | 
170 | _END OF TERMS AND CONDITIONS_
171 | 
172 | ### APPENDIX: How to apply the Apache License to your work
173 | 
174 | To apply the Apache License to your work, attach the following boilerplate
175 | notice, with the fields enclosed by brackets `[]` replaced with your own
176 | identifying information. (Don't include the brackets!) The text should be
177 | enclosed in the appropriate comment syntax for the file format. We also
178 | recommend that a file or class name and description of purpose be included on
179 | the same “printed page” as the copyright notice for easier identification within
180 | third-party archives.
181 | 
182 |     Copyright 2019 Alexandre Adamski
183 |     Copyright 2019 Joffrey Guilbon
184 |     Copyright 2019 Maxime Peterlin
185 |     Copyright 2019 Quarkslab
186 |     
187 |     Licensed under the Apache License, Version 2.0 (the "License");
188 |     you may not use this file except in compliance with the License.
189 |     You may obtain a copy of the License at
190 |     
191 |       http://www.apache.org/licenses/LICENSE-2.0
192 |     
193 |     Unless required by applicable law or agreed to in writing, software
194 |     distributed under the License is distributed on an "AS IS" BASIS,
195 |     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
196 |     See the License for the specific language governing permissions and
197 |     limitations under the License.
198 | 
199 | 


--------------------------------------------------------------------------------
/scripts/scripts/Ghidra/FindSymbolsMcLib.py:
--------------------------------------------------------------------------------
  1 | import inspect
  2 | import json
  3 | import os
  4 | import struct
  5 | 
  6 | from ghidra.app.decompiler import DecompInterface
  7 | from ghidra.app.decompiler.component import DecompilerUtils
  8 | from ghidra.app.util.cparser.C import CParserUtils
  9 | from ghidra.program.flatapi import FlatProgramAPI
 10 | from ghidra.program.model.block import BasicBlockModel
 11 | from ghidra.program.model.listing import ParameterImpl
 12 | from ghidra.program.model.listing import ReturnParameterImpl
 13 | from ghidra.program.model.listing.Function import FunctionUpdateType
 14 | from ghidra.program.model.pcode import PcodeOp
 15 | from ghidra.program.model.symbol import SourceType
 16 | from java.util import ArrayList
 17 | 
 18 | 
 19 | TL_APIS = {}
 20 | MAX_TL_API = 0xC2
 21 | 
 22 | DR_APIS = {}
 23 | MAX_DR_API = 0x3D
 24 | 
 25 | 
 26 | blockModel = BasicBlockModel(currentProgram)
 27 | functionManager = currentProgram.getFunctionManager()
 28 | decompInterface = DecompInterface()
 29 | decompInterface.openProgram(currentProgram)
 30 | api = FlatProgramAPI(currentProgram, monitor)
 31 | 
 32 | 
 33 | def read_dword(address):
 34 |     dword = api.getBytes(address, 4)
 35 |     return struct.unpack('<I', dword)[0]
 36 | 
 37 | 
 38 | def load_api_names_types():
 39 |     """
 40 |     Loads api function names and api function types from external json files and fills globals dict variables with these informations
 41 |     """
 42 |     curdir = os.path.dirname(os.path.abspath(inspect.getsourcefile(lambda: 0)))
 43 | 
 44 |     with open(os.path.join(curdir, 'tl_apis.json'), 'r') as f:
 45 |         TL_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 46 |     print("[*] Loaded %s trustlets APIs names" % len(TL_APIS))
 47 | 
 48 |     global DR_APIS
 49 |     with open(os.path.join(curdir, 'dr_apis.json'), 'r') as f:
 50 |         DR_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 51 |     print("[*] Loaded %s drivers APIs names" % len(DR_APIS))
 52 | 
 53 | 
 54 | def get_apis_name_type(api_number):
 55 |     """Retrieves API names and types from global
 56 | 
 57 |     :param api_number: API number
 58 |     :type api_number: int
 59 |     :return: TL API name, TL API type (possibly None), DR API name, DR API type (possibly None)
 60 |     :rtype: (str, str, str, str)
 61 |     """
 62 |     tl_api_name = None
 63 |     tl_api_type = None
 64 |     dr_api_name = None
 65 |     dr_api_type = None
 66 | 
 67 |     if api_number in TL_APIS:
 68 |         tl_api_name, tl_api_type = TL_APIS[api_number]
 69 | 
 70 |     if api_number in DR_APIS:
 71 |         dr_api_name, dr_api_type = DR_APIS[api_number]
 72 | 
 73 |     if tl_api_name is None:
 74 |         if 0 <= api_number < MAX_TL_API:
 75 |             tl_api_name = "tlApi_%x" % api_number
 76 | 
 77 |     if dr_api_name is None:
 78 |         if 0 <= api_number < MAX_DR_API:
 79 |             dr_api_name = "drApi_%x" % api_number
 80 | 
 81 |     return tl_api_name, tl_api_type, dr_api_name, dr_api_type
 82 | 
 83 | 
 84 | def find_mclib_jumper():
 85 |     """Retrieves the address of the McLib jumper fills by the loader during the trustlet loading process
 86 | 
 87 |     :return: Address of the McLib jumper
 88 |     :rtype: Optional[ghidra.program.model.address.GenericAddress]
 89 |     """
 90 |     mclib_jumper = None
 91 |     mem_block = currentProgram.getMemory().getBlock("rtm")
 92 | 
 93 |     mclib_jumper = read_dword(mem_block.getStart().add(0x8C))
 94 |     mclib_jumper = api.toAddr(mclib_jumper) if mclib_jumper else None
 95 |     return mclib_jumper
 96 | 
 97 | 
 98 | def get_dispatcher(mclib_jumper):
 99 |     """Retrieves the dispatcher of the TL/DR API calls
100 |     
101 |     :param mclib_jumper: Handler of the TL/DR API calls
102 |     :type mclib_jumper: ghidra.program.model.address.GenericAddress
103 |     :return: Address of the dispatcher for the TL/DR API calls
104 |     :rtype: Optional[ghidra.program.model.address.GenericAddress]
105 | 
106 |     """
107 | 
108 |     handler = None
109 |     function = functionManager.getFunctionAt(mclib_jumper)
110 |     if function is None:
111 |         function = createFunction(mclib_jumper, None)
112 | 
113 |     decompileResults = decompInterface.decompileFunction(function, 30, monitor)
114 |     hfunction = decompileResults.getHighFunction()
115 |     ops = hfunction.getPcodeOps()
116 |     while ops.hasNext() and not monitor.isCancelled():
117 |         pcodeOpAST = ops.next()
118 |         if pcodeOpAST.getOpcode() != PcodeOp.CALL:
119 |             continue
120 |         argument = pcodeOpAST.getInput(0)
121 |         if argument.isAddress():
122 |             handler = api.toAddr(argument.getAddress().getUnsignedOffset())
123 |             return handler
124 |     return handler
125 | 
126 | 
127 | def get_tl_dr_api_table(dispatcher):
128 |     """Retrieves function tables for TL/DR API calls
129 | 
130 |     :param dispatcher: Dispatcher of the TL/DR calls
131 |     :type dispatcher: int
132 |     :return: Driver API function table and Trustlet API function table
133 |     :rtype: (int, int)
134 |     """
135 | 
136 |     def get_table_addr_and_type(table_pcode_op_ast):
137 |         """Retrives address and type of a given table
138 | 
139 |         :param table_pcode_op_ast: pcodeOpAST associated with the given table load instruction
140 |         :type pcode_op_ast: ghidra.program.model.pcode.PcodeOpAST
141 |         :return: Address and type of the given table
142 |         :rtype: (int, Optional[bool])
143 |         """
144 |         memory_varnode = table_pcode_op_ast.getInput(0)
145 |         if memory_varnode.isAddress():
146 |             table = read_dword(memory_varnode.getAddress())
147 |             basicBlock = table_pcode_op_ast.getParent()
148 |             for pcodeop in basicBlock.getIterator():
149 |                 opcode = pcodeop.getOpcode()
150 |                 if opcode == PcodeOp.INT_SUB and \
151 |                         pcodeop.getInput(1).isConstant and \
152 |                         pcodeop.getInput(1).getOffset() == 0x1000:
153 |                     return table, True
154 |  
155 |                 elif opcode == PcodeOp.INT_AND and \
156 |                         pcodeop.getInput(1).isConstant() and \
157 |                         pcodeop.getInput(1).getOffset() == 0x7FFFFFFF:
158 |                     return table, None
159 |             return table, False
160 | 
161 |     dr_table, tl_table = None, None
162 | 
163 |     function = functionManager.getFunctionAt(dispatcher)
164 |     if function is None:
165 |         function = createFunction(mclib_jumper, None)
166 | 
167 |     # First forward slice the first argument of the function until we find the
168 |     # address where the API number is used to get the function pointer and retrieve
169 |     # the base varnode (register) where is stored the table pointer
170 |     decompileResults = decompInterface.decompileFunction(function, 30, monitor)
171 |     hfunction = decompileResults.getHighFunction()
172 |     varnode = hfunction.getFunctionPrototype().getParam(0).getRepresentative()
173 | 
174 |     forward_slices = DecompilerUtils.getForwardSlice(varnode)
175 |     for forward_slice in forward_slices:
176 |         pcode_op_ast = forward_slice.getDef()
177 |         if not pcode_op_ast:
178 |             continue
179 |         if pcode_op_ast.getOpcode() == PcodeOp.PTRADD:
180 |             array_varnode = pcode_op_ast.getInput(0)
181 |             break
182 | 
183 |     # Second, backward slice the varnode used to store the base of the function pointer
184 |     # table to get the values
185 |     backward_slices = DecompilerUtils.getBackwardSlice(array_varnode)
186 |     for backward_slice in backward_slices:
187 |         pcode_op_ast = backward_slice.getDef()
188 |         if not pcode_op_ast:
189 |             continue
190 |         if pcode_op_ast.getOpcode() == PcodeOp.COPY:
191 |             table, table_type = get_table_addr_and_type(pcode_op_ast)
192 |             if table_type is not None and table_type:
193 |                 dr_table = table
194 |             elif table_type is not None and not table_type:
195 |                 tl_table = table
196 | 
197 |     return dr_table, tl_table
198 | 
199 | 
200 | def set_name_prototype_tl_dr_function(api_number):
201 |     """Set the name and the prototype of the TL/DR API function associated with the given function number
202 | 
203 |     :param api_number: API function number
204 |     :type api_number: int
205 |     """
206 |     global MAX_TL_API
207 |     global MAX_DR_API
208 | 
209 |     tl_api_name, tl_api_type, dr_api_name, dr_api_type = get_apis_name_type(api_number)
210 |     index = api_number * 4
211 | 
212 |     if api_number < MAX_TL_API:
213 |         if not tl_api_name:
214 |             pass
215 |         else:
216 |             dword = read_dword(api.toAddr(tl_table + index))
217 |             if dword < 0x1000:
218 |                 MAX_TL_API = dword
219 |             else:
220 |                 if (dword & 1) == 1:
221 |                     dword -= 1
222 |                 func_addr = api.toAddr(dword)
223 |                 function = functionManager.getFunctionContaining(func_addr)
224 |                 if function is None:
225 |                     function = createFunction(func_addr, None)
226 |                 if function is None:
227 |                     print("[!] Unable to get the function at the address 0x%x" % dword)
228 |                 print("[*] Renaming function %s to %s" % (function.getName(), tl_api_name))
229 |                 function.setName(tl_api_name, SourceType.USER_DEFINED)
230 |                 if tl_api_type:
231 |                     tl_api_type = tl_api_type.replace('_DWORD', 'int')
232 |                     print("[*] Changing function type of %s to '%s'" % (tl_api_name, tl_api_type))
233 |                     funcDef = CParserUtils.parseSignature(None, currentProgram, tl_api_type)
234 |                     returnValue = ReturnParameterImpl(funcDef.getReturnType(), currentProgram)
235 |                     newParams = ArrayList()
236 |                     for param in funcDef.getArguments():
237 |                         newParams.add(ParameterImpl(param.getName(), param.getDataType(), currentProgram))
238 |                     function.updateFunction(None, returnValue, newParams,
239 |                         FunctionUpdateType.DYNAMIC_STORAGE_ALL_PARAMS, True, SourceType.USER_DEFINED)
240 | 
241 |     if api_number < MAX_DR_API:
242 |         if not dr_api_name:
243 |             pass
244 |         else:
245 |             dword = read_dword(api.toAddr(dr_table + index))
246 |             if dword < 0x1000:
247 |                 MAX_DR_API = dword
248 |             else:
249 |                 if (dword & 1) == 1:
250 |                     dword -= 1
251 |                 func_addr = api.toAddr(dword)
252 |                 function = functionManager.getFunctionContaining(func_addr)
253 |                 if function is None:
254 |                     function = createFunction(func_addr, None)
255 |                 if function is None:
256 |                     print("[!] Unable to get the function at the address 0x%x" % dword)
257 |                 print("[*] Renaming function %s to %s" % (function.getName(), dr_api_name))
258 |                 function.setName(dr_api_name, SourceType.USER_DEFINED)
259 |                 if dr_api_type:
260 |                     dr_api_type = dr_api_type.replace('_DWORD', 'int')
261 |                     print("[*] Changing function type of %s to '%s'" % (dr_api_name, dr_api_type))
262 |                     funcDef = CParserUtils.parseSignature(None, currentProgram, dr_api_type)
263 |                     returnValue = ReturnParameterImpl(funcDef.getReturnType(), currentProgram)
264 |                     newParams = ArrayList()
265 |                     for param in funcDef.getArguments():
266 |                         newParams.add(ParameterImpl(param.getName(), param.getDataType(), currentProgram))
267 |                     function.updateFunction(
268 |                         None,
269 |                         returnValue,
270 |                         newParams,
271 |                         FunctionUpdateType.DYNAMIC_STORAGE_ALL_PARAMS,
272 |                         True,
273 |                         SourceType.USER_DEFINED
274 |                     )
275 | 
276 | 
277 | load_api_names_types()
278 | mclib_jumper = find_mclib_jumper()
279 | 
280 | dispatcher = get_dispatcher(mclib_jumper)
281 | if not dispatcher:
282 |     print("[!] %#x - Couldn't get address of the tlApi/drApi dispatcher" % dispatcher)
283 | 
284 | dr_table, tl_table = get_tl_dr_api_table(dispatcher)
285 | 
286 | for api_number in range(max(MAX_TL_API, MAX_DR_API)):
287 |     set_name_prototype_tl_dr_function(api_number)
288 | 


--------------------------------------------------------------------------------
/scripts/scripts/IDAPro/find_symbols_mclib.py:
--------------------------------------------------------------------------------
  1 | import ida_allins
  2 | import ida_bytes
  3 | import ida_funcs
  4 | import ida_gdl
  5 | import ida_idp
  6 | import ida_name
  7 | import ida_segment
  8 | import ida_typeinf
  9 | import ida_ua
 10 | 
 11 | import inspect
 12 | import json
 13 | import os
 14 | import sys
 15 | 
 16 | TL_APIS = {}
 17 | MAX_TL_API = 0xC2
 18 | 
 19 | DR_APIS = {}
 20 | MAX_DR_API = 0x3D
 21 | 
 22 | if sys.version_info[0] < 3:
 23 |     def encode(s):
 24 |         return s.encode("utf-8")
 25 | else:
 26 |     def encode(s):
 27 |         return s
 28 | 
 29 | 
 30 | def load_api_names_types():
 31 |     """
 32 |     Loads api function names and api function types from external json files
 33 |     and fills globals dict variables with these informations
 34 |     """
 35 |     curdir = os.path.dirname(os.path.abspath(inspect.getsourcefile(lambda: 0)))
 36 | 
 37 |     with open(os.path.join(curdir, "tl_apis.json"), "r") as f:
 38 |         TL_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 39 |     print("[*] Loaded %s trustlets APIs names" % len(TL_APIS))
 40 | 
 41 |     global DR_APIS
 42 |     with open(os.path.join(curdir, "dr_apis.json"), "r") as f:
 43 |         DR_APIS.update({i: (n, t) for i, n, t in json.loads(f.read())})
 44 |     print("[*] Loaded %s drivers APIs names" % len(DR_APIS))
 45 | 
 46 | 
 47 | def get_apis_name_type(api_number):
 48 |     """Retrieves API names and types from global
 49 | 
 50 |     :param api_number: API number
 51 |     :type api_number: int
 52 |     :return: TL API name, TL API type (possibly None), DR API name,
 53 |              DR API type (possibly None)
 54 |     :rtype: (str, str, str, str)
 55 |     """
 56 |     tl_api_name = None
 57 |     tl_api_type = None
 58 |     dr_api_name = None
 59 |     dr_api_type = None
 60 | 
 61 |     if api_number in TL_APIS:
 62 |         tl_api_name, tl_api_type = TL_APIS[api_number]
 63 | 
 64 |     if api_number in DR_APIS:
 65 |         dr_api_name, dr_api_type = DR_APIS[api_number]
 66 | 
 67 |     if tl_api_name is None:
 68 |         if 0 <= api_number < MAX_TL_API:
 69 |             tl_api_name = "tlApi_%x" % api_number
 70 | 
 71 |     if dr_api_name is None:
 72 |         if 0 <= api_number < MAX_DR_API:
 73 |             dr_api_name = "drApi_%x" % api_number
 74 | 
 75 |     return tl_api_name, tl_api_type, dr_api_name, dr_api_type
 76 | 
 77 | 
 78 | def get_reg_num(reg_name):
 79 |     """Retrieves the reg_inf.reg (register number) of a given register name
 80 | 
 81 |     :param reg_name: Register name
 82 |     :type reg_name: str
 83 |     :return: Register number
 84 |     :rtype: int
 85 |     """
 86 |     reg_inf = ida_idp.reg_info_t
 87 |     reg_inf = ida_idp.reg_info_t()
 88 |     ida_idp.parse_reg_name(reg_inf, reg_name)
 89 |     return reg_inf.reg
 90 | 
 91 | 
 92 | def find_mclib_jumper():
 93 |     """Retrieves the address of the McLib jumper fills by the loader during
 94 |     the trustlet loading process
 95 | 
 96 |     :return: McLib jumper address
 97 |     :rtype: int
 98 |     """
 99 |     segm = ida_segment.get_segm_by_name("rtm")
100 |     mclib_jumper = ida_bytes.get_dword(segm.start_ea + 0x8C)
101 | 
102 |     return mclib_jumper
103 | 
104 | 
105 | def get_handler(mclib_jumper):
106 |     """Retrieves the handler of the TL/DR API calls
107 | 
108 |     :param mclib_jumper: Address of the McLib jumper
109 |     :type mclib_jumper: int
110 |     :return: Handler of the TL/DR API calls
111 |     :rtype: int
112 |     """
113 |     handler = -1
114 |     insn = ida_ua.insn_t()
115 | 
116 |     ida_ua.decode_insn(insn, mclib_jumper)
117 |     if insn.itype == ida_allins.ARM_adr and \
118 |             insn.ops[0].type == ida_ua.o_reg and \
119 |             insn.ops[0].reg == get_reg_num("PC") and \
120 |             insn.ops[1].type == ida_ua.o_imm:
121 |         handler = insn.ops[1].value
122 |     return handler
123 | 
124 | 
125 | def get_dispatcher(handler):
126 |     """Retrieves the dispatcher of the TL/DR API calls
127 | 
128 |     :param handler: Handler of the TL/DR API calls
129 |     :type handler: int
130 |     :return: Dispatcher for the TL/DR API calls
131 |     :rtype: int
132 |     """
133 | 
134 |     func = ida_funcs.get_func(handler)
135 |     insn = ida_ua.insn_t()
136 |     ea = 0
137 |     branch_addr = -1
138 | 
139 |     ea = func.start_ea
140 | 
141 |     while ea < func.end_ea:
142 |         insn = ida_ua.insn_t()
143 |         insn_len = max(1, ida_ua.decode_insn(insn, ea))
144 |         if insn.itype == ida_allins.ARM_bl and \
145 |                 insn.ops[0].type == ida_ua.o_near:
146 |             branch_addr = insn.ops[0].addr
147 |             break
148 |         ea += insn_len
149 | 
150 |     return branch_addr
151 | 
152 | 
153 | def get_tl_dr_api_table(dispatcher):
154 |     """Retrieves function tables for TL/DR API calls
155 | 
156 |     :param dispatcher: Dispatcher of the TL/DR calls
157 |     :type dispatcher: int
158 |     :return: Driver API function table and Trustlet API function table
159 |     :rtype: (int, int)
160 |     """
161 | 
162 |     def get_cmp(func_start, func_end):
163 |         """Retrives the address of the CMP within the dispatching function
164 | 
165 |         :param func_start: Beginning of the dispatching function
166 |         :type func_start: int
167 |         :param func_end: Ending of the dispatching function
168 |         :type func_end: int
169 |         :return: Address of the CMP within the dispatching function
170 |         :rtype: int
171 |         """
172 | 
173 |         cmp_addr = -1
174 |         insn_ea = func_start
175 |         insn = ida_ua.insn_t()
176 |         insn_len = 0
177 | 
178 |         while insn_ea < func_end:
179 |             insn_len = max(1, ida_ua.decode_insn(insn, insn_ea))
180 |             if insn.itype == ida_allins.ARM_cmp and \
181 |                     insn.ops[1].type == ida_ua.o_imm and \
182 |                     insn.ops[1].value == 0x1000:
183 |                 cmp_addr = insn_ea
184 |                 break
185 |             insn_ea += insn_len
186 |         return cmp_addr
187 | 
188 |     def find_dr_tl_addr(blocks_info):
189 |         """Retrieves the address of the tables defining the DR/TL API calls
190 | 
191 |         :param blocks_info: List of tuples defining the current blocks to process. Each tuple is defined with the form (BasicBlock, bool), where bool defines if the Basic Block belongs to a branch dealing with the driver case.
192 |         :type blocks_info: list(tuple(ida_gdl.BasicBlock, bool))
193 |         :return: The address of the DrApi and TlApi tables
194 |         :rtype: (int, int)
195 |         """
196 | 
197 |         tl_table = -1
198 |         dr_table = -1
199 |         new_blocks = []
200 |         is_dr_branch = False
201 |         is_dr_block = False
202 | 
203 |         def analyze_block(block):
204 |             """Analyze a basic bloc and return its successors, if it's correspond to a basic bloc treating the Driver case and the address for the DR/TL API table if one is loaded
205 | 
206 |             :param block: Basic block to analyze
207 |             :type block: ida_gdl.BasicBlock
208 |             :return: Successors Basic Blocks, if it deals with Secure Driver case, and the address of the table loaded if loaded
209 |             :rtype: (Generator, bool, int)
210 |             """
211 | 
212 |             loaded_value = -1
213 |             is_dr_table = False
214 |             insn = ida_ua.insn_t()
215 |             insn_ea = block.start_ea
216 |             insn_len = 0
217 | 
218 |             while insn_ea < block.end_ea:
219 |                 insn_len = max(1, ida_ua.decode_insn(insn, insn_ea))
220 |                 if insn.itype == ida_allins.ARM_sub and \
221 |                         insn.ops[2].type == ida_ua.o_imm and \
222 |                         insn.ops[2].value == 0x1000:
223 |                     is_dr_table = True
224 |                 if insn.itype == ida_allins.ARM_ldr and \
225 |                         insn.ops[1].type == ida_ua.o_mem:
226 |                     pool_value = ida_bytes.get_dword(insn.ops[1].addr)
227 |                     value = ida_bytes.get_dword(pool_value)
228 |                     if value > 0x1000:
229 |                         loaded_value = pool_value
230 |                 insn_ea += insn_len
231 |             return block.succs(), is_dr_table, loaded_value
232 | 
233 |         # Walk through every Basic Block of the function using the previously defined function until we find the value of the DR/TL API tables
234 |         while True:
235 |             new_blocks = []
236 | 
237 |             for block, is_dr_branch in blocks_info:
238 |                 successors, is_dr_block, loaded_value = analyze_block(block)
239 |                 new_blocks += [(successor, is_dr_block) for successor in successors]
240 |                 if loaded_value != -1 and not is_dr_branch:
241 |                     tl_table = loaded_value
242 |                 if loaded_value != -1 and is_dr_branch:
243 |                     dr_table = loaded_value
244 | 
245 |             blocks_info = new_blocks
246 |             if dr_table != -1 and tl_table != -1:
247 |                 return dr_table, tl_table
248 | 
249 |     func = ida_funcs.get_func(dispatcher)
250 |     func_start, func_end = func.start_ea, func.end_ea
251 | 
252 |     # First, locate the CMP.W R1, 0x1000
253 |     cmp_addr = -1
254 |     cmp_addr = get_cmp(func_start, func_end)
255 |     if cmp_addr == -1:
256 |         print("[!] %#x - Couldn't find tl/dr api check" % dispatcher)
257 | 
258 |     # Second, get the basic blocks containing the table for drapi and tlapi
259 |     fc = ida_gdl.FlowChart(func)
260 |     for block in fc:
261 |         if block.start_ea <= cmp_addr and block.end_ea >= cmp_addr:
262 |             bb = block
263 |             break
264 | 
265 |     # Third, locate the drApi and tlApi function tables
266 |     dr_table, tl_table = find_dr_tl_addr([(bb, False)])
267 |     return dr_table, tl_table
268 | 
269 | 
270 | def set_function_prototype(func, proto):
271 |     """Set the prototype of a given function with the given type
272 | 
273 |     :param func: Function where we will apply the prototype
274 |     :type func: ida_funcs.func_t
275 |     :param proto: prototype we will apply to the given function
276 |     :type api_type: str
277 |     """
278 |     t = ida_typeinf.idc_parse_decl(None, proto, 0)
279 |     ida_typeinf.apply_type(None, t[1], t[2], func.start_ea,
280 |                            ida_typeinf.TINFO_DEFINITE)
281 | 
282 | 
283 | def set_name_prototype_tl_dr_function(api_number):
284 |     """Set the name and the prototype of the TL/DR API function associated with the given function number
285 | 
286 |     :param api_number: API function number
287 |     :type api_number: int
288 |     """
289 |     global MAX_TL_API
290 |     global MAX_DR_API
291 | 
292 |     tl_api_name, tl_api_type, dr_api_name, dr_api_type = get_apis_name_type(api_number)
293 |     index = api_number * 4
294 | 
295 |     if api_number < MAX_TL_API:
296 |         if not tl_api_name:
297 |             pass
298 |         else:
299 |             dword = ida_bytes.get_dword(tl_table + index)
300 |             func = ida_funcs.get_func(dword)
301 |             if func is None:
302 |                 MAX_TL_API = dword
303 |             else:
304 |                 func_name = ida_name.get_name(func.start_ea)
305 |                 print("[*] Renaming function %s to %s" % (func_name, tl_api_name))
306 |                 ida_name.set_name(func.start_ea, encode(tl_api_name), ida_name.SN_FORCE)
307 |                 if tl_api_type:
308 |                     set_function_prototype(func, encode(tl_api_type))
309 | 
310 |     if api_number < MAX_DR_API:
311 |         if not dr_api_name:
312 |             pass
313 |         else:
314 |             dword = ida_bytes.get_dword(dr_table + index)
315 |             func = ida_funcs.get_func(dword)
316 |             if func is None:
317 |                 MAX_DR_API = dword
318 |             else:
319 |                 func_name = ida_name.get_name(func.start_ea)
320 |                 print("[*] Renaming function %s to %s" % (func_name, tl_api_name))
321 |                 ida_name.set_name(func.start_ea, encode(dr_api_name), ida_name.SN_FORCE)
322 |                 if dr_api_type:
323 |                     set_function_prototype(func, encode(dr_api_type))
324 | 
325 | 
326 | load_api_names_types()
327 | mclib_jumper = find_mclib_jumper()
328 | 
329 | handler = get_handler(mclib_jumper)
330 | if handler == -1:
331 |     print("[!] %#x - Couldn't get address of the tlApi/drApi handler" % mclib_jumper)
332 | 
333 | dispatcher = get_dispatcher(handler)
334 | if dispatcher == -1:
335 |     print("[!] %#x - Couldn't get address of the tlApi/drApi dispatcher" % handler)
336 | 
337 | dr_table, tl_table = get_tl_dr_api_table(dispatcher)
338 | if not dr_table:
339 |     print("[!] %#x - Couldn't find drApi table" % dispatcher)
340 | if not tl_table:
341 |     print("[!] %#x - Couldn't find tlApi table" % dispatcher)
342 | 
343 | for api_number in range(max(MAX_TL_API, MAX_DR_API)):
344 |     set_name_prototype_tl_dr_function(api_number)
345 | 


--------------------------------------------------------------------------------
/bindings/mcclient/mcclient.py:
--------------------------------------------------------------------------------
  1 | import ctypes
  2 | import io
  3 | import os
  4 | import struct
  5 | import sys
  6 | 
  7 | from contextlib import contextmanager
  8 | 
  9 | from . import mcclient_const as const
 10 | from . import mcclient_types as types
 11 | 
 12 | 
 13 | if 'sphinx' in sys.modules:
 14 |     client = None
 15 | else:
 16 |     client = types.load_library()
 17 |     if client is None:
 18 |         raise ImportError("ERROR: fail to load the dynamic library.")
 19 | 
 20 | 
 21 | class Error(Exception):
 22 |     """
 23 |     This exception is raised when a function doesn't return successfully.
 24 |     """
 25 |     def __init__(self, code):
 26 |         self._code = code
 27 | 
 28 |     @property
 29 |     def code(self):
 30 |         """
 31 |         The error code returned by the function.
 32 |         """
 33 |         return self._code
 34 | 
 35 |     def __str__(self):
 36 |         special = ["NO_NOTIFICATION", "INFO_NOTIFICATION"]
 37 |         for name in dir(const):
 38 |             if getattr(const, name) == self._code \
 39 |                     and (name.startswith("ERR_") or name in special):
 40 |                 return name
 41 |         return "ERR_UNKNOWN"
 42 | 
 43 | 
 44 | class Device(object):
 45 |     """
 46 |     Initialize a session with a t-base device.
 47 | 
 48 |     Args:
 49 |         device_id (:obj:`int`): Identifier for the t-base device to be used.
 50 |                                 DEVICE_ID_DEFAULT refers to the default device.
 51 | 
 52 |     This class can be used with a Python "with statement", meaning that it will
 53 |     automatically call :func:`Device.open` on enter and :func:`Device.close` on
 54 |     exit. ::
 55 | 
 56 |         with Device() as dev:
 57 |             # do something with the device
 58 |     """
 59 | 
 60 |     def __init__(self, id=const.DEVICE_ID_DEFAULT):
 61 |         self._id = id
 62 | 
 63 |     @property
 64 |     def id(self):
 65 |         """
 66 |         The identifier for the t-base device used.
 67 |         """
 68 |         return self._id
 69 | 
 70 |     def __enter__(self):
 71 |         self.open()
 72 |         return self
 73 | 
 74 |     def __exit__(self, *_):
 75 |         self.close()
 76 |         return False
 77 | 
 78 |     def open(self):
 79 |         """
 80 |         Open a new connection to a t-base device.
 81 | 
 82 |         It initializes all device specific resources required to communicate
 83 |         with an t-base instance located on the specified device in the system.
 84 | 
 85 |         Raises:
 86 |             :class:`Error`: See below the possible error codes:
 87 | 
 88 |                 - ERR_INVALID_OPERATION if device already opened
 89 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon occur
 90 |                 - ERR_UNKNOWN_DEVICE when device_id is unknown
 91 |                 - ERR_INVALID_DEVICE_FILE if kernel module under /dev/mobicore
 92 |                   cannot be opened
 93 |         """
 94 |         res = client.mcOpenDevice(self._id)
 95 |         if res != const.OK:
 96 |             raise Error(res)
 97 | 
 98 |     def close(self):
 99 |         """
100 |         Close the connection to a t-base device.
101 | 
102 |         When closing a device, active sessions have to be closed beforehand.
103 |         Resources associated with the device will be released. The device may
104 |         be opened again after it has been closed.
105 | 
106 |         Raises:
107 |             :class:`Error`: See below the possible error codes:
108 | 
109 |                 - ERR_UNKNOWN_DEVICE when device id is invalid
110 |                 - ERR_SESSION_PENDING when a session is still open
111 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon occur
112 |         """
113 |         res = client.mcCloseDevice(self._id)
114 |         if res != const.OK:
115 |             raise Error(res)
116 | 
117 |     @contextmanager
118 |     def buffer(self, len):
119 |         """
120 |         Instantiate a new memory buffer.
121 | 
122 |         Args:
123 |             len (:obj:`int`): Length of the block in bytes
124 | 
125 |         Yields:
126 |             :class:`Buffer`: The allocated block of memory
127 | 
128 |         This method can be used with a Python "with statement", meaning that it
129 |         will automatically call :func:`Device.malloc` on enter and
130 |         :func:`Device.free` on exit. ::
131 | 
132 |             with dev.buffer(0x1000) as tci:
133 |                 # do something with the buffer
134 |         """
135 |         buf = self.malloc(len)
136 |         yield buf
137 |         self.free(buf)
138 | 
139 |     def malloc(self, len):
140 |         """
141 |         Allocate a block of memory.
142 | 
143 |         The driver allocates a contiguous block of memory which can be used as
144 |         WSM. This implicates that the allocated memory is always aligned to 4K.
145 | 
146 |         Args:
147 |             len (:obj:`int`): Length of the block in bytes
148 | 
149 |         Returns:
150 |             :class:`Buffer`: The allocated block of memory
151 | 
152 |         Raises:
153 |             :class:`Error`: See below the possible error codes:
154 | 
155 |                 - INVALID_PARAMETER if a parameter is invalid
156 |                 - ERR_UNKNOWN_DEVICE when device id is invalid
157 |                 - ERR_NO_FREE_MEMORY if no more contiguous memory is available
158 |                   in this size or for this process
159 |         """
160 |         buf = ctypes.POINTER(ctypes.c_uint8)()
161 |         res = client.mcMallocWsm(self._id, 0, len, ctypes.byref(buf), 0)
162 |         if res != const.OK:
163 |             raise Error(res)
164 |         ptr = ctypes.cast(buf, ctypes.c_void_p)
165 |         return Buffer(ptr, len)
166 | 
167 |     def free(self, buf):
168 |         """
169 |         Free a block of memory.
170 | 
171 |         The driver will free a block of memory previously allocated.
172 | 
173 |         Args:
174 |             buf (:class:`Buffer`): The memory block to be freed
175 | 
176 |         Raises:
177 |             :class:`Error`: See below the possible error codes:
178 | 
179 |                 - INVALID_PARAMETER if a parameter is invalid
180 |                 - ERR_UNKNOWN_DEVICE when device id is invalid
181 |                 - ERR_FREE_MEMORY_FAILED on failures
182 |         """
183 |         ptr = ctypes.cast(buf._ptr, ctypes.POINTER(ctypes.c_uint8))
184 |         res = client.mcFreeWsm(self._id, ptr)
185 |         if res != const.OK:
186 |             raise Error(res)
187 |         buf.close()
188 | 
189 |     def version(self):
190 |         """
191 |         Get t-base version information of a device.
192 | 
193 |         Returns:
194 |             :obj:`dict`: t-base version info
195 |             ::
196 | 
197 |                 {
198 |                     'productId': b't-base-EXYNOS64-Android-302A-V015-681_681',
199 |                     'versionMci': 65536,
200 |                     'versionSo': 131074,
201 |                     'versionMclf': 131077,
202 |                     'versionContainer': 131073,
203 |                     'versionMcConfig': 2,
204 |                     'versionTlApi': 65552,
205 |                     'versionDrApi': 65538,
206 |                     'versionCmp': 0
207 |                 }
208 | 
209 |         Raises:
210 |             :class:`Error`: See below the possible error codes:
211 | 
212 |                 - ERR_UNKNOWN_DEVICE when device is not open
213 |                 - INVALID_PARAMETER if a parameter is invalid
214 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon occur
215 |         """
216 |         info = types.mcVersionInfo()
217 |         res = client.mcGetMobiCoreVersion(self._id, ctypes.byref(info))
218 |         if res != const.OK:
219 |             raise Error(res)
220 |         return dict(info)
221 | 
222 | 
223 | class Trustlet(object):
224 |     """
225 |     Initialize a session to a Trusted Application.
226 | 
227 |     Args:
228 |         dev (:class:`Device`): The t-base device to use
229 |         tci (:class:`Buffer`): TCI buffer for communicating with the TA
230 |         buf (:obj:`bytes`): Buffer containing the TA binary
231 | 
232 |     This class can be used with a Python "with statement", meaning that it will
233 |     automatically call :func:`Trustlet.open` on enter and
234 |     :func:`Trustlet.close` on exit. ::
235 | 
236 |         with Trustlet(dev, tci, buf) as app:
237 |             # do something with the trustlet
238 |     """
239 | 
240 |     @staticmethod
241 |     def uuid(dev, tci, uuid):
242 |         """
243 |         Initialize a session to a TA using its UUID.
244 | 
245 |         Args:
246 |             dev (:class:`Device`): The t-base device to use
247 |             tci (:class:`Buffer`): TCI buffer for communicating with the TA
248 |             buf (:obj:`str`): The Trusted Application's UUID
249 | 
250 |         Returns:
251 |             :class:`Trustlet`: A Trusted Application session
252 |         """
253 |         path = "/vendor/app/mcRegistry/{}.tlbin".format(uuid)
254 |         if not os.path.exists(path):
255 |             path = "/system/app/mcRegistry/{}.tlbin".format(uuid)
256 |         if not os.path.exists(path):
257 |             raise IOError("Could not find the trustlet")
258 |         with open(path, "rb") as fd:
259 |             return Trustlet(dev, tci, fd.read())
260 | 
261 |     def __init__(self, dev, tci, buf):
262 |         self._ses = types.mcSessionHandle()
263 |         self._ses.device_id = dev.id
264 |         self._tci = tci
265 |         self._buf = buf
266 | 
267 |     @property
268 |     def id(self):
269 |         """
270 |         The identifier of the Trusted Application session.
271 |         """
272 |         return self._ses.sessionId
273 | 
274 |     def __enter__(self):
275 |         self.open()
276 |         return self
277 | 
278 |     def __exit__(self, *_):
279 |         self.close()
280 |         return False
281 | 
282 |     def open(self):
283 |         """
284 |         Open a new session to a Trusted Application (Trustlet). The trustlet
285 |         will be loaded from the memory buffer.
286 | 
287 |         Write MCP open message to buffer and notify t-base about the
288 |         availability of a new command. Waits till t-base responds with the new
289 |         session ID (stored in the MCP buffer).
290 | 
291 |         Raises:
292 |             :class:`Error`: See below the possible error codes:
293 | 
294 |                 - INVALID_PARAMETER if session parameter is invalid
295 |                 - ERR_UNKNOWN_DEVICE when device id is invalid
296 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon socket occur
297 |                 - ERR_UNKNOWN_DEVICE when daemon returns an error
298 |                 - ERR_TRUSTED_APPLICATION_NOT_FOUND when TA cannot be loaded
299 |         """
300 |         ta = (ctypes.c_uint8 * len(self._buf)).from_buffer_copy(self._buf)
301 |         ta_ptr = ctypes.cast(ta, ctypes.POINTER(ctypes.c_uint8))
302 |         tci_ptr = ctypes.cast(self._tci._ptr, ctypes.POINTER(ctypes.c_uint8))
303 |         res = client.mcOpenTrustlet(ctypes.byref(self._ses), 0, ta_ptr,
304 |                                     len(self._buf), tci_ptr, self._tci._len)
305 |         if res != const.OK:
306 |             raise Error(res)
307 | 
308 |     def close(self):
309 |         """
310 |         Close a Trusted Application session.
311 | 
312 |         Closes the specified t-base session. The call will block until the
313 |         session has been closed.
314 | 
315 |         Raises:
316 |             :class:`Error`: See below the possible error codes:
317 | 
318 |                 - INVALID_PARAMETER if session parameter is invalid
319 |                 - ERR_UNKNOWN_SESSION when session id is invalid
320 |                 - ERR_UNKNOWN_DEVICE when device id of session is invalid
321 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon occur
322 |                 - ERR_INVALID_DEVICE_FILE when daemon cannot open trustlet file
323 |         """
324 |         res = client.mcCloseSession(ctypes.byref(self._ses))
325 |         if res != const.OK:
326 |             raise Error(res)
327 | 
328 |     def notify(self):
329 |         """
330 |         Notify a session.
331 | 
332 |         Notifies the session end point about available message data.
333 |         Corresponding errors can only be received by
334 |         :func:`Trustlet.wait_notification`. A session has to be opened in
335 |         advance.
336 | 
337 |         Raises:
338 |             :class:`Error`: See below the possible error codes:
339 | 
340 |                 - DRV_INVALID_PARAMETER if session parameter is invalid
341 |                 - DRV_ERR_UNKNOWN_SESSION when session id is invalid
342 |                 - DRV_ERR_UNKNOWN_DEVICE when device id of session is invalid
343 |         """
344 |         res = client.mcNotify(self._ses)
345 |         if res != const.OK:
346 |             raise Error(res)
347 | 
348 |     def wait_notification(self, timeout=const.INFINITE_TIMEOUT):
349 |         """
350 |         Wait for a notification.
351 | 
352 |         Wait for a notification issued by t-base for a specific session. The
353 |         timeout parameter specifies the number of milliseconds the call will
354 |         wait for a notification. If the caller passes 0 as timeout value the
355 |         call will immediately return. If timeout value is below 0 the call will
356 |         block until a notification for the session has been received.
357 | 
358 |         Warning:
359 |             If timeout is below 0, the call will block. Caller has to trust the
360 |             other side to send a notification to wake him up again.
361 | 
362 |         Args:
363 |             timeout (:obj:`int`): Time in milliseconds to wait
364 | 
365 |         Raises:
366 |             :class:`Error`: See below the possible error codes:
367 | 
368 |                 - ERR_TIMEOUT if no notification arrived in time
369 |                 - INFO_NOTIFICATION if a problem with the session was
370 |                   encountered. Get more details with :func:`Trustlet.error()`.
371 |                 - ERR_NOTIFICATION if a problem with the socket occurred
372 |                 - INVALID_PARAMETER if a parameter is invalid
373 |                 - ERR_UNKNOWN_SESSION when session id is invalid
374 |                 - ERR_UNKNOWN_DEVICE when device id of session is invalid
375 |         """
376 |         res = client.mcWaitNotification(ctypes.byref(self._ses), timeout)
377 |         if res != const.OK:
378 |             raise Error(res)
379 | 
380 |     @contextmanager
381 |     def share(self, buf):
382 |         """
383 |         Share an additional buffer with the Trusted Application.
384 | 
385 |         Args:
386 |             buf (:class:`Buffer`): Memory buffer to be shared with the TA
387 | 
388 |         Yields:
389 |             :obj:`dict`: Information about the mapped bulk buffer
390 |             ::
391 | 
392 |                 {
393 |                     'sVirtualAddr': 9437184,
394 |                     'sVirtualLen': 4096
395 |                 }
396 | 
397 |         This method can be used with a Python "with statement", meaning that it
398 |         will automatically call :func:`Trustlet.map` on enter and
399 |         :func:`Trustlet.unmap` on exit. ::
400 | 
401 |             with app.share(buf):
402 |                 # do something with the additional buffer
403 |         """
404 |         map = self.map(buf)
405 |         yield map
406 |         self.unmap(buf, map)
407 | 
408 |     def map(self, buf):
409 |         """
410 |         Map additional bulk buffer between a Client Application (CA) and the
411 |         Trusted Application (TA) for a session.
412 | 
413 |         Memory allocated in user space of the CA can be mapped as additional
414 |         communication channel (besides TCI) to the Trusted Application.
415 |         Limitation of the Trusted Application memory structure apply: only 6
416 |         chunks can be mapped with a maximum chunk size of 1 MiB each.
417 | 
418 |         Warning:
419 |             It is up to the application layer (CA) to inform the Trusted
420 |             Application about the additional mapped bulk memory.
421 | 
422 |         Args:
423 |             buf (:class:`Buffer`): Memory buffer to be shared with the TA
424 | 
425 |         Returns:
426 |             :obj:`dict`: Information about the mapped bulk buffer
427 |             ::
428 | 
429 |                 {
430 |                     'sVirtualAddr': 9437184,
431 |                     'sVirtualLen': 4096
432 |                 }
433 | 
434 |         Raises:
435 |             :class:`Error`: See below the possible error codes:
436 | 
437 |                 - INVALID_PARAMETER if a parameter is invalid
438 |                 - ERR_UNKNOWN_SESSION when session id is invalid
439 |                 - ERR_UNKNOWN_DEVICE when device id of session is invalid
440 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon occur
441 |                 - ERR_BULK_MAPPING when buf is already uses as bulk buffer or
442 |                   when registering the buffer failed
443 |         """
444 |         info = types.mcBulkMap()
445 |         res = client.mcMap(ctypes.byref(self._ses), buf._ptr, buf._len,
446 |                            ctypes.byref(info))
447 |         if res != const.OK:
448 |             raise Error(res)
449 |         return dict(info)
450 | 
451 |     def unmap(self, buf, info):
452 |         """
453 |         Remove additional mapped bulk buffer between Client Application (CA)
454 |         and the Trusted Application (TA) for a session.
455 | 
456 |         Warning:
457 |             The bulk buffer will immediately be unmapped from the session
458 |             context. The application layer (CA) must inform the TA about
459 |             unmapping of the additional bulk memory before making this call.
460 | 
461 |         Args:
462 |             buf (:class:`Buffer`): Memory buffer shared with the TA
463 |             info (:obj:`dict`): Information about the mapped bulk buffer
464 | 
465 |         Raises:
466 |             :class:`Error`: See below the possible error codes:
467 | 
468 |                 - INVALID_PARAMETER if a parameter is invalid
469 |                 - ERR_UNKNOWN_SESSION when session id is invalid
470 |                 - ERR_UNKNOWN_DEVICE when device id of session is invalid
471 |                 - ERR_DAEMON_UNREACHABLE when problems with daemon occur
472 |                 - ERR_BULK_MAPPING when buf was not registered earlier or when
473 |                   unregistering failed
474 |         """
475 |         info = types.mcBulkMap(info)
476 |         res = client.mcUnmap(ctypes.byref(self._ses), buf._ptr,
477 |                              ctypes.byref(info))
478 |         if res != const.OK:
479 |             raise Error(res)
480 | 
481 |     def error(self):
482 |         """
483 |         Get additional error information of the last error that occurred on a
484 |         session.
485 | 
486 |         After the request the stored error code will be deleted.
487 | 
488 |         Returns:
489 |             :obj:`int`: >0 Trusted Application has terminated itself with
490 |             this value, <0 Trusted Application is dead because of an error
491 |             within t-base (e.g. Kernel exception)
492 |         """
493 |         err = ctypes.c_int32()
494 |         res = client.mcGetSessionErrorCode(ctypes.byref(self._ses),
495 |                                            ctypes.byref(err))
496 |         if res != const.OK:
497 |             raise Error(res)
498 |         return err.value
499 | 
500 | 
501 | class Buffer(io.RawIOBase):
502 |     """
503 |     This class exposes a memory memory buffer as a raw I/O stream object. It
504 |     use provide convenience functions to read/write common data types.
505 | 
506 |     Warning:
507 |         The constructor of this class should never be called directly. If you
508 |         need to allocate a new buffer, use :func:`Device.malloc` instead.
509 |     """
510 | 
511 |     def __init__(self, ptr, len):
512 |         self._ptr = ptr
513 |         self._len = len
514 |         self._pos = 0
515 | 
516 |     def seek(self, offset, whence=0):
517 |         self._checkClosed()
518 |         if whence == io.SEEK_SET:
519 |             self._pos = offset
520 |         elif whence == io.SEEK_CUR:
521 |             self._pos += offset
522 |         elif whence == io.SEEK_END:
523 |             self._pos = self._len + offset
524 |         self._pos = max(0, min(self._len, self._pos))
525 |         return self._pos
526 | 
527 |     def truncate(self, size=None):
528 |         self._checkClosed()
529 |         if size is None:
530 |             size = self._pos
531 |         self._len = max(0, size)
532 |         self.seek(self._pos)
533 |         return self._len
534 | 
535 |     def seekable(self):
536 |         return True
537 | 
538 |     def readinto(self, b):
539 |         self._checkClosed()
540 |         addr = self._ptr.value + self._pos
541 |         size = min(self._len, self._pos + len(b)) - self._pos
542 |         b[:size] = (ctypes.c_char * size).from_address(addr).raw
543 |         self._pos += size
544 |         return size
545 | 
546 |     def readable(self):
547 |         return True
548 | 
549 |     def write(self, b):
550 |         self._checkClosed()
551 |         addr = self._ptr.value + self._pos
552 |         size = min(self._len, self._pos + len(b)) - self._pos
553 |         (ctypes.c_char * size).from_address(addr).raw = b[:size]
554 |         self._pos += size
555 |         return size
556 | 
557 |     def writable(self):
558 |         return True
559 | 
560 |     def skip(self, size):
561 |         """
562 |         Move stream position forward of size bytes.
563 | 
564 |         Args:
565 |             size (:obj:`int`): Number of bytes to skip
566 |         """
567 |         self.seek(size, io.SEEK_CUR)
568 | 
569 |     def read_byte(self, signed=False):
570 |         """
571 |         Read the byte at the current position.
572 | 
573 |         Args:
574 |             signed (:obj:`bool`): Interpret as signed
575 | 
576 |         Returns:
577 |             :obj:`int`: The value read
578 |         """
579 |         fmt = "<b" if signed else "<B"
580 |         return struct.unpack(fmt, self.read(1))[0]
581 | 
582 |     def read_word(self, signed=False):
583 |         """
584 |         Read the word (2-byte long) value at the current position.
585 | 
586 |         Args:
587 |             signed (:obj:`bool`): Interpret as signed
588 | 
589 |         Returns:
590 |             :obj:`int`: The value read
591 |         """
592 |         fmt = "<h" if signed else "<H"
593 |         return struct.unpack(fmt, self.read(2))[0]
594 | 
595 |     def read_dword(self, signed=False):
596 |         """
597 |         Read the double word (4-byte long) value at the current position.
598 | 
599 |         Args:
600 |             signed (:obj:`bool`): Interpret as signed
601 | 
602 |         Returns:
603 |             :obj:`int`: The value read
604 |         """
605 |         fmt = "<i" if signed else "<I"
606 |         return struct.unpack(fmt, self.read(4))[0]
607 | 
608 |     def read_qword(self, signed=False):
609 |         """
610 |         Read the quadro word (8-byte long) value at the current position.
611 | 
612 |         Args:
613 |             signed (:obj:`bool`): Interpret as signed
614 | 
615 |         Returns:
616 |             :obj:`int`: The value read
617 |         """
618 |         fmt = "<q" if signed else "<Q"
619 |         return struct.unpack(fmt, self.read(8))[0]
620 | 
621 |     def read_float(self):
622 |         """
623 |         Read the float (4-byte long) value at the current position.
624 | 
625 |         Returns:
626 |             :obj:`float`: The value read
627 |         """
628 |         return struct.unpack("<f", self.read(4))[0]
629 | 
630 |     def read_double(self):
631 |         """
632 |         Read the double (8-byte long) value at the current position.
633 | 
634 |         Returns:
635 |             :obj:`float`: The value read
636 |         """
637 |         return struct.unpack("<d", self.read(8))[0]
638 | 
639 |     def read_string(self):
640 |         """
641 |         Read the NULL-terminated string at the current position.
642 | 
643 | 
644 |         Returns:
645 |             :obj:`str`: The string read
646 |         """
647 |         val = b""
648 |         c = self.read(1)
649 |         while c != b"\x00":
650 |             val += c
651 |             c = self.read(1)
652 |         return val
653 | 
654 |     def write_byte(self, val, signed=False):
655 |         """
656 |         Write a byte at the current position.
657 | 
658 |         Args:
659 |             val (:class:`int`): The value to write
660 |             signed (:obj:`bool`): Interpret as signed
661 |         """
662 |         fmt = "<b" if signed else "<B"
663 |         self.write(struct.pack(fmt, val))
664 | 
665 |     def write_word(self, val, signed=False):
666 |         """
667 |         Write a word (2-byte long) at the current position.
668 | 
669 |         Args:
670 |             val (:class:`int`): The value to write
671 |             signed (:obj:`bool`): Interpret as signed
672 |         """
673 |         fmt = "<h" if signed else "<H"
674 |         self.write(struct.pack(fmt, val))
675 | 
676 |     def write_dword(self, val, signed=False):
677 |         """
678 |         Write a double word (4-byte long) at the current position.
679 | 
680 |         Args:
681 |             val (:class:`int`): The value to write
682 |             signed (:obj:`bool`): Interpret as signed
683 |         """
684 |         fmt = "<i" if signed else "<I"
685 |         self.write(struct.pack(fmt, val))
686 | 
687 |     def write_qword(self, val, signed=False):
688 |         """
689 |         Write a quadro word (8-byte long) at the current position.
690 | 
691 |         Args:
692 |             val (:class:`int`): The value to write
693 |             signed (:obj:`bool`): Interpret as signed
694 |         """
695 |         fmt = "<q" if signed else "<Q"
696 |         self.write(struct.pack(fmt, val))
697 | 
698 |     def write_float(self, val):
699 |         """
700 |         Write a float (4-byte long) value at the current position.
701 | 
702 |         Args:
703 |             val (:class:`float`): The value to write
704 |         """
705 |         self.write(struct.pack("<f", val))
706 | 
707 |     def write_double(self, val):
708 |         """
709 |         Write a double (8-byte long) value at the current position.
710 | 
711 |         Args:
712 |             val (:class:`float`): The value to write
713 |         """
714 |         self.write(struct.pack("<d", val))
715 | 
716 |     def write_string(self, val):
717 |         """
718 |         Write a NULL-terminated string at the current position.
719 | 
720 |         Args:
721 |             val (:obj:`str`): The string to write
722 |         """
723 |         self.write(val)
724 |         self.write(b"\x00")
725 | 
726 |     def hexdump(self, size=-1):
727 |         """
728 |         Display an hex dump of the size bytes at the current position.
729 | 
730 |         Args:
731 |             size (:obj:`int`): The number of bytes to dump (-1 = all)
732 |         """
733 |         if size == -1:
734 |             size = self._len - self._pos
735 |         for i in range(0, size, 0x10):
736 |             hex_dmp = "0x{:08x}:".format(i)
737 |             chr_dmp = " | "
738 |             for j in range(min(0x10, size - i)):
739 |                 hex_chr = self.read(1)[0]
740 |                 hex_dmp += " {:02x}".format(hex_chr)
741 |                 if 0x20 <= hex_chr <= 0x7E:
742 |                     chr_dmp += chr(hex_chr)
743 |                 else:
744 |                     chr_dmp += "."
745 |             hex_dmp = hex_dmp.ljust(60, " ")
746 |             print(hex_dmp + chr_dmp)
747 | 
748 |     def assemble(self, code, thumb=True):
749 |         """
750 |         Assemble code using Keystone and write it at the current position.
751 | 
752 |         Args:
753 |             code (:obj:`str`): the code to assemble
754 |             thumb (:obj:`bool`): True if Thumb, False otherwise
755 | 
756 |         Returns:
757 |             :obj:`int`: the number of bytes written
758 |         """
759 |         from keystone import Ks, KS_ARCH_ARM, KS_MODE_ARM, KS_MODE_THUMB
760 | 
761 |         ks = Ks(KS_ARCH_ARM, KS_MODE_THUMB if thumb else KS_MODE_ARM)
762 | 
763 |         addr = self._ptr.value
764 |         bs, size = ks.asm(code, addr)
765 |         self.write(bytes(bytearray(bs)))
766 |         return len(bs)
767 | 
768 |     def disassemble(self, size, thumb=True):
769 |         """
770 |         Display the bytes disassembled using Capstone at the current position.
771 | 
772 |         Args:
773 |             size (:obj:`int`): the number of bytes to disassemble
774 |             thumb (:obj:`bool`): True if Thumb, False otherwise
775 |         """
776 |         from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM, CS_MODE_THUMB
777 | 
778 |         cs = Cs(CS_ARCH_ARM, CS_MODE_THUMB if thumb else CS_MODE_ARM)
779 | 
780 |         addr = self._ptr.value
781 |         for insn in cs.disasm(self.read(size), addr):
782 |             insn_info = insn.address, insn.mnemonic, insn.op_str
783 |             print("{:08x}:\t{} {}".format(insn_info))
784 | 


--------------------------------------------------------------------------------