glitch-o-bolt / ConfigChall04.py
  1. ######
  2. # LEAVE THESE IMPORTS!
  3. ######
  4. import time
  5. import functions
  6.  
  7. from pyocd.core.helpers import ConnectHelper
  8. from pyocd.flash.file_programmer import FileProgrammer
  9.  
  ######
  # config values
  #
  # Module-level settings for this challenge configuration. Nothing in this
  # file reads them, so they are presumably consumed by the glitch-o-bolt
  # host tool that loads this config - confirm against the loader.
  ######

  # Serial device and line speed. step_1() below switches the host side to
  # 9600 and step_2() switches it back to 115200.
  SERIAL_PORT = '/dev/ttyUSB0'
  BAUD_RATE = 115200

  # NOTE(review): presumably the glitch pulse parameters used by the host
  # tool; their units are not visible in this file - confirm before tuning.
  LENGTH = 50
  REPEAT = 1
  DELAY = 1

  ###
  # name, enabled, string to match, function name
  #
  # Each row carries four fields. The fourth one matches the name of a
  # function defined further down in this file (start_chall_04, step_1,
  # step_2); presumably the host tool calls it when the condition fires or
  # its button is pressed - verify against the loader.
  # The match string is empty for every row here.
  ###
  conditions = [
      ['Start', False, '', 'start_chall_04'],
      ['Step1', False, '', 'step_1'],
      ['Step2', False, '', 'step_2'],
  ]
  29.  
  30. ######
  31. # Custom functions for conditions to trigger
  32. ######
  33.  
  def start_chall_04():
      """Show the operator the preparation steps for challenge 4.

      Each instruction is handed to ``functions.add_text`` in order; nothing
      is sent to the board from here.
      """
      prep_steps = (
          "[Chall 4] enable uart switch then hold chall 4 button to load the challenge into memory.",
          "[Chall 4] once loaded hold 'boot 1' button and press 'reset' button to put in bootloader mode",
          "[Chall 4] then press 'Step1'",
      )
      for instruction in prep_steps:
          functions.add_text(instruction)
  38.  
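  def step_1():
      """Load the challenge image into target SRAM over the debug probe and verify it.

      Sequence:
        1. Disable the UART switch and announce the upload.
        2. Read the image file from disk once, so a missing or unreadable
           file is reported before the probe is touched.
        3. Open a pyOCD session, halt the target, write the image at the
           SRAM base address, resume, and close the session.
        4. Open a second session, halt, read the same range back and compare
           it with the bytes read in step 2.
        5. Switch the host baud rate to 9600 and print the next instructions.

      Both sessions are used as context managers so the probe is released
      even when halt/program/read raises. A mismatch is reported but does not
      stop the flow, matching the original behaviour.
      """
      # NOTE(review): this path sits under /tmp, which is normally writable by
      # every local account. The read-back comparison below only shows that the
      # transfer matched the file; it says nothing about whether the file is
      # the image the operator intended. Prefer a directory owned by the
      # operator and, ideally, compare against a digest recorded when the
      # image was built.
      firmware_path = "/tmp/f103-analysis/h3/rootshell/shellcode-0xRoM.bin"
      sram_base = 0x20000000

      functions.set_uart_switch(False)

      functions.add_text("\n[Chall 4] uploading firmware to ram... please wait")

      # Snapshot the image before any hardware access: verification then
      # compares against exactly these bytes, and a bad path fails early.
      try:
          with open(firmware_path, "rb") as image_file:
              original_data = image_file.read()
      except OSError as err:
          functions.add_text(f"[!] Could not read firmware image: {err}")
          return

      # session_with_chosen_probe() can return None when no probe is selected.
      upload_session = ConnectHelper.session_with_chosen_probe()
      if upload_session is None:
          functions.add_text("[!] No debug probe available; firmware was not uploaded.")
          return
      with upload_session:
          target = upload_session.target
          target.halt()

          # Write the raw binary at the start of SRAM.
          programmer = FileProgrammer(upload_session)
          programmer.program(firmware_path, base_address=sram_base, file_format='bin')

          target.resume()

      # Reconnect for the read-back check, as the original flow does.
      verify_session = ConnectHelper.session_with_chosen_probe()
      if verify_session is None:
          functions.add_text("[!] No debug probe available; upload could not be verified.")
          return
      with verify_session:
          target = verify_session.target
          target.halt()
          read_data = target.read_memory_block8(sram_base, len(original_data))

      if bytes(read_data) == original_data:
          functions.add_text("[+] Shellcode loaded successfully.")
      else:
          functions.add_text("[!] Mismatch detected. Shellcode may not have loaded correctly.")

      functions.change_baudrate(9600)
      functions.add_text("[Chall 4] hold buttons 'boot0' and 'boot1' and press the 'glitch' button")
      functions.add_text("[Chall 4] this single glitch will boot from SRAM")
      functions.add_text("[Chall 4] enable UART to access 'Low-level Shell' (might need to press reset)")
      functions.add_text("[Chall 4] then press 'Step2'")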
  def step_2():
      """Send "p" over UART, wait one second, then set the host baud rate to 115200."""
      settle_seconds = 1

      functions.send_uart_message("p")
      # Pause before changing the line speed, as the original sequence does.
      time.sleep(settle_seconds)
      functions.change_baudrate(115200)