initial commit
chr1syy committed Oct 12, 2021
0 parents commit 4a7d2fa
Showing 26 changed files with 721 additions and 0 deletions.
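--- a/README.md
+++ b/README.md
@@ -0,0 +1 @@
+# amonet-NixOS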
Binary file added bin/lk.bin
Binary file not shown.
Binary file added bin/microloader.bin
Binary file not shown.
Binary file added bin/preloader_prod.img
Binary file not shown.
Binary file added bin/recovery.img
Binary file not shown.
Binary file added bin/twrp.img
Binary file not shown.
Binary file added bin/tz.img
Binary file not shown.
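--- a/boot-fastboot.sh
+++ b/boot-fastboot.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+cd modules
+python3 handshake2.py FACTFACT
+cd ..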
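Review bot: `cd modules` resolves against the caller's working directory, so this script only works when it is started from the repository root; boot-recovery.sh and bootrom-step.sh use the same pattern. Anchoring on the script's own location, `cd "$(dirname "$0")/modules"`, removes that dependency. The trailing `cd ..` has no effect on the invoking shell when the script is executed rather than sourced, so it can be dropped.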
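--- a/boot-recovery.sh
+++ b/boot-recovery.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+cd modules
+python3 handshake2.py FACTORYM
+cd ..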
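--- a/bootrom-step.sh
+++ b/bootrom-step.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+cd modules
+python3 main.py
+cd ..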
Binary file added brom-payload/build/payload.bin
Binary file not shown.
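--- a/fastboot-step.sh
+++ b/fastboot-step.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+
+fastboot flash recovery bin/twrp.img
+fastboot flash TEE2 bin/tz.img
+fastboot oem reboot-recovery
+
+echo ""
+echo ""
+echo "Your device should now reboot into TWRP"
+echo ""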
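Review bot: The two `fastboot flash` lines write `bin/twrp.img` and `bin/tz.img` to the recovery and TEE2 partitions with no integrity check, and the images are committed as opaque binaries with no stated origin. Verifying them before the first flash, for example with `sha256sum -c` against a checksum manifest (this commit does not include one), would catch a corrupted or swapped image before it reaches the device. The image paths are also relative to the caller's working directory, so the script has to be run from the repository root.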
Binary file added lk-payload/build/payload.bin
Binary file not shown.
Binary file added modules/__pycache__/common.cpython-39.pyc
Binary file not shown.
Binary file added modules/__pycache__/handshake.cpython-39.pyc
Binary file not shown.
Binary file added modules/__pycache__/load_payload.cpython-39.pyc
Binary file not shown.
Binary file added modules/__pycache__/logger.cpython-39.pyc
Binary file not shown.
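--- a/modules/amonet.log
+++ b/modules/amonet.log
@@ -0,0 +1,74 @@
+[2021-10-11 10:32:17.960962] Waiting for bootrom
+[2021-10-11 10:44:43.633117] Waiting for bootrom
+[2021-10-11 10:48:58.124419] Waiting for bootrom
+[2021-10-11 10:52:55.294544] Found port = /dev/ttyACM1
+[2021-10-11 10:52:55.326578] Handshake
+[2021-10-11 10:52:55.347104] Disable watchdog
+[2021-10-11 10:55:12.385989] Waiting for bootrom
+[2021-10-11 10:56:07.876520] Found port = /dev/ttyACM1
+[2021-10-11 10:56:07.877138] Handshake
+[2021-10-11 11:01:13.370034] Waiting for bootrom
+[2021-10-11 11:01:18.031427] Found port = /dev/ttyACM1
+[2021-10-11 11:01:18.031993] Handshake
+[2021-10-11 11:01:45.961266] Waiting for bootrom
+[2021-10-11 11:02:05.857090] Found port = /dev/ttyACM1
+[2021-10-11 11:02:05.857642] Handshake
+[2021-10-11 11:02:27.053773] Waiting for bootrom
+[2021-10-11 11:02:47.209365] Found port = /dev/ttyACM1
+[2021-10-11 11:02:47.209909] Handshake
+[2021-10-11 11:04:28.315684] Waiting for bootrom
+[2021-10-11 11:04:35.557281] Found port = /dev/ttyACM1
+[2021-10-11 11:04:35.557936] Handshake
+[2021-10-11 11:05:09.319387] Waiting for bootrom
+[2021-10-11 11:05:16.302489] Found port = /dev/ttyACM1
+[2021-10-11 11:05:16.303407] Handshake
+[2021-10-11 11:07:28.447052] Waiting for bootrom
+[2021-10-11 11:07:31.559691] Found port = /dev/ttyACM1
+[2021-10-11 11:07:31.560349] Handshake
+[2021-10-11 11:19:03.861670] Waiting for bootrom
+[2021-10-11 11:19:17.295299] Found port = /dev/ttyACM1
+[2021-10-11 11:19:17.295979] Handshake
+[2021-10-11 11:19:38.045398] Waiting for bootrom
+[2021-10-11 11:19:40.900507] Found port = /dev/ttyACM1
+[2021-10-11 11:19:40.901148] Handshake
+[2021-10-11 11:20:37.418572] Waiting for bootrom
+[2021-10-11 11:20:43.885720] Found port = /dev/ttyACM1
+[2021-10-11 11:20:43.886431] Handshake
+[2021-10-11 11:22:28.880958] Waiting for bootrom
+[2021-10-11 11:24:24.785974] Found port = /dev/ttyACM1
+[2021-10-11 11:24:24.817879] Handshake
+[2021-10-11 11:24:24.838410] Disable watchdog
+[2021-10-11 11:25:04.965338] Waiting for bootrom
+[2021-10-11 11:25:07.304167] Found port = /dev/ttyACM1
+[2021-10-11 11:25:07.304820] Handshake
+[2021-10-11 11:25:37.893841] Waiting for bootrom
+[2021-10-11 11:25:43.626979] Found port = /dev/ttyACM1
+[2021-10-11 11:25:43.658987] Handshake
+[2021-10-11 11:25:43.679533] Disable watchdog
+[2021-10-11 11:28:04.683510] Waiting for bootrom
+[2021-10-11 11:32:48.261321] Found port = /dev/ttyACM1
+[2021-10-11 11:32:48.262270] Handshake
+[2021-10-11 11:32:48.266242] Disable watchdog
+[2021-10-11 11:32:53.567022] Init crypto engine
+[2021-10-11 11:32:53.731423] Disable caches
+[2021-10-11 11:32:53.734407] Disable bootrom range checks
+[2021-10-11 11:32:53.871450] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
+[2021-10-11 11:32:53.874025] Send payload
+[2021-10-11 11:33:01.287658] Let's rock
+[2021-10-11 11:33:01.293631] Wait for the payload to come online...
+[2021-10-11 11:33:01.903658] all good
+[2021-10-11 11:33:01.903743] Check GPT
+[2021-10-11 11:33:02.230100] gpt_parsed = {'KB': (2048, 2048), 'DKB': (4096, 2048), 'EXPDB': (6144, 35584), 'UBOOT': (41728, 2048), 'boot': (43776, 32768), 'recovery': (76544, 32768), 'MISC': (109312, 1024), 'LOGO': (110336, 7168), 'TEE1': (117504, 10240), 'TEE2': (127744, 10240), 'system': (137984, 2457600), 'cache': (2595584, 512000), 'userdata': (3107584, 12162271), '': (0, 1)}
+[2021-10-11 11:33:02.230178] Check boot0
+[2021-10-11 11:33:02.439716] Check rpmb
+[2021-10-11 11:33:02.651701] Clear preloader header
+[2021-10-11 11:33:03.068859] Downgrade rpmb
+[2021-10-11 11:33:03.071049] Recheck rpmb
+[2021-10-11 11:33:03.967774] rpmb downgrade ok
+[2021-10-11 11:33:03.967860] Flash lk-payload
+[2021-10-11 11:33:04.292737] Flash tz
+[2021-10-11 11:33:58.223469] Flash lk
+[2021-10-11 11:34:20.823995] Inject microloader
+[2021-10-11 11:34:21.243165] Force fastboot
+[2021-10-11 11:34:21.534014] Flash preloader
+[2021-10-11 11:34:27.495383] Reboot to unlocked fastboot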
249 changes: 249 additions & 0 deletions modules/common.py
@@ -0,0 +1,249 @@
import struct
import sys
import glob
import time

import serial

from logger import log

BAUD = 115200
TIMEOUT = 5


CRYPTO_BASE = 0x11010000


def serial_ports ():
""" Lists available serial ports
:raises EnvironmentError:
On unsupported or unknown platforms
:returns:
A set containing the serial ports available on the system
"""

if sys.platform.startswith("win"):
ports = [ "COM{0:d}".format(i + 1) for i in range(256) ]
elif sys.platform.startswith("linux"):
ports = glob.glob("/dev/ttyACM*")
elif sys.platform.startswith("darwin"):
ports = glob.glob("/dev/cu.usbmodem*")
else:
raise EnvironmentError("Unsupported platform")

result = set()
for port in ports:
try:
s = serial.Serial(port, timeout=TIMEOUT)
s.close()
result.add(port)
except (OSError, serial.SerialException):
pass

return result


def p32_be(x):
return struct.pack(">I", x)


class Device:

def __init__(self, port=None):
self.dev = None
if port:
self.dev = serial.Serial(port, BAUD, timeout=TIMEOUT)

def find_device(self,preloader=False):
if self.dev:
raise RuntimeError("Device already found")

if preloader:
log("Waiting for preloader")
else:
log("Waiting for bootrom")

old = serial_ports()
while True:
new = serial_ports()

# port added
if new > old:
port = (new - old).pop()
break
# port removed
elif old > new:
old = new

time.sleep(0.25)

log("Found port = {}".format(port))

self.dev = serial.Serial(port, BAUD, timeout=TIMEOUT)

def check(self, test, gold):
if test != gold:
raise RuntimeError("ERROR: Serial protocol mismatch")

def check_int(self, test, gold):
test = struct.unpack('>I', test)[0]
self.check(test, gold)

def _writeb(self, out_str):
self.dev.write(out_str)
return self.dev.read()

def handshake(self):
# look for start byte
while True:
c = self._writeb(b'\xa0')
if c == b'\x5f':
break
self.dev.flushInput()

# complete sequence
self.check(self._writeb(b'\x0a'), b'\xf5')
self.check(self._writeb(b'\x50'), b'\xaf')
self.check(self._writeb(b'\x05'), b'\xfa')

def handshake2(self, cmd='FACTFACT'):
# look for start byte
c = 0
while c != b'Y':
c = self.dev.read()
log("Preloader ready, sending " + cmd)
command = str.encode(cmd)
self.dev.write(command)
self.dev.flushInput()

def read32(self, addr, size=1):
result = []

self.dev.write(b'\xd1')
self.check(self.dev.read(1), b'\xd1') # echo cmd

self.dev.write(struct.pack('>I', addr))
self.check_int(self.dev.read(4), addr) # echo addr

self.dev.write(struct.pack('>I', size))
self.check_int(self.dev.read(4), size) # echo size

self.check(self.dev.read(2), b'\x00\x00') # arg check

for _ in range(size):
data = struct.unpack('>I', self.dev.read(4))[0]
result.append(data)

self.check(self.dev.read(2), b'\x00\x00') # status

# support scalar
if len(result) == 1:
return result[0]
else:
return result

def write32(self, addr, words, status_check=True):
# support scalar
if not isinstance(words, list):
words = [ words ]

self.dev.write(b'\xd4')
self.check(self.dev.read(1), b'\xd4') # echo cmd

self.dev.write(struct.pack('>I', addr))
self.check_int(self.dev.read(4), addr) # echo addr

self.dev.write(struct.pack('>I', len(words)))
self.check_int(self.dev.read(4), len(words)) # echo size

self.check(self.dev.read(2), b'\x00\x01') # arg check

for word in words:
self.dev.write(struct.pack('>I', word))
self.check_int(self.dev.read(4), word) # echo word

if status_check:
self.check(self.dev.read(2), b'\x00\x01') # status

def run_ext_cmd(self, cmd):
self.dev.write(b'\xC8')
self.check(self.dev.read(1), b'\xC8') # echo cmd
cmd = bytes([cmd])
self.dev.write(cmd)
self.check(self.dev.read(1), cmd)
self.dev.read(1)
self.dev.read(2)

def wait_payload(self):
data = self.dev.read(4)
if data != b"\xB1\xB2\xB3\xB4":
raise RuntimeError("received {} instead of expected pattern".format(data))

def emmc_read(self, idx):
# magic
self.dev.write(p32_be(0xf00dd00d))
# cmd
self.dev.write(p32_be(0x1000))
# block to read
self.dev.write(p32_be(idx))

data = self.dev.read(0x200)
if len(data) != 0x200:
raise RuntimeError("read fail")

return data

def emmc_write(self, idx, data):
if len(data) != 0x200:
raise RuntimeError("data must be 0x200 bytes")

# magic
self.dev.write(p32_be(0xf00dd00d))
# cmd
self.dev.write(p32_be(0x1001))
# block to write
self.dev.write(p32_be(idx))
# data
self.dev.write(data)

code = self.dev.read(4)
if code != b"\xd0\xd0\xd0\xd0":
raise RuntimeError("device failure")

def emmc_switch(self, part):
# magic
self.dev.write(p32_be(0xf00dd00d))
# cmd
self.dev.write(p32_be(0x1002))
# partition
self.dev.write(p32_be(part))

def reboot(self):
# magic
self.dev.write(p32_be(0xf00dd00d))
# cmd
self.dev.write(p32_be(0x3000))

def rpmb_read(self):
# magic
self.dev.write(p32_be(0xf00dd00d))
# cmd
self.dev.write(p32_be(0x2000))

data = self.dev.read(0x100)
if len(data) != 0x100:
raise RuntimeError("read fail")

return data

def rpmb_write(self, data):
if len(data) != 0x100:
raise RuntimeError("data must be 0x100 bytes")

# magic
self.dev.write(p32_be(0xf00dd00d))
# cmd
self.dev.write(p32_be(0x2001))
# data
self.dev.write(data)
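Review bot: `check_int` passes whatever `self.dev.read(4)` returned straight to `struct.unpack('>I', test)`, so a serial timeout that yields fewer than 4 bytes surfaces as `struct.error` instead of the `RuntimeError` the rest of the class raises; `read32` has the same unguarded unpack in its data loop. A length guard at the top of `check_int`, `if len(test) != 4: raise RuntimeError("ERROR: short read from device")`, would keep the failure mode uniform. Separately, `rpmb_write` and `emmc_switch` send their command and return without reading any reply, whereas `emmc_write` checks for `b"\xd0\xd0\xd0\xd0"`; whether the device acknowledges those commands is not visible here, so either check the reply or add a comment stating that none is sent. None of the `Device` methods has a docstring, which matters for calls that write to eMMC and RPMB.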
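--- a/modules/handshake.py
+++ b/modules/handshake.py
@@ -0,0 +1,20 @@
+import sys
+
+from common import Device
+from logger import log
+
+
+def handshake(dev):
+log("Handshake")
+dev.handshake()
+log("Disable watchdog")
+dev.write32(0x10007000, 0x22000000)
+
+
+if __name__ == "__main__":
+if len(sys.argv) > 1:
+dev = Device(sys.argv[1])
+else:
+dev = Device()
+dev.find_device()
+handshake(dev)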
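Review bot: `dev.write32(0x10007000, 0x22000000)` in `handshake()` uses two bare literals whose meaning is only hinted at by the log message before it. Module-level named constants, as common.py does with `CRYPTO_BASE`, plus a one-line comment on what the written value sets, would make the register write reviewable. `handshake()` also has no docstring; one sentence saying that it runs the serial handshake and then issues the watchdog write would be enough.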