cleaned up, documented some

This commit is contained in:
2024-08-24 18:55:09 -06:00
parent dddcf5d092
commit 890dee360d
30 changed files with 15 additions and 83 deletions
-73
View File
@@ -1,73 +0,0 @@
module exploit
(
// exploit
input clk_in,
output bang_tx,
output power_tx,
output [5:0] led
);
////////// EXPLOIT
localparam INSTRUCTION_OFFSET = 100;
// da official exploit code
localparam EXPLOIT_BYTES = {16'hFA,16'hEB,16'h11,16'hDD};
localparam EXPLOIT_BYTES_LEN = $bits(EXPLOIT_BYTES)-1; // $bits() seems to work // https://www.linkedin.com/pulse/bits-clog2-size-uses-differences-muhammed-kawser-ahmed
localparam LEDS_ON = 0;
localparam LEDS_OFF = 6'b111111;
reg [1:0] bang_tx_reg = 0;
reg [1:0] power_tx_reg = 1;
reg [1:0] led_run = 1;
reg [1:0] rst = 0;
reg [1:0] running = 1;
reg [5:0] ledCounter = 0;
reg [23:0] instruction_counter = 0;
reg [23:0] exploit_tx_count = 0;
reg [EXPLOIT_BYTES_LEN:0] exploit_bytes_reg = EXPLOIT_BYTES;
always @(posedge clk_in) begin
if(rst == 1) begin
running = 1;
power_tx_reg = 1;
rst = 0;
end
if(instruction_counter == INSTRUCTION_OFFSET) begin
power_tx_reg = 0;
rst = 1;
end
if(running == 1) begin
if(instruction_counter >= INSTRUCTION_OFFSET && instruction_counter <= INSTRUCTION_OFFSET+EXPLOIT_BYTES_LEN) begin
bang_tx_reg <= exploit_bytes_reg[exploit_tx_count];
exploit_tx_count <= exploit_tx_count + 1;
led_run <= 1;
end else begin
led_run <= 0;
end
if(led_run == 1) begin
ledCounter <= ledCounter + 1;
if(ledCounter == LEDS_OFF) begin
ledCounter <= LEDS_ON;
end
end
if(instruction_counter == INSTRUCTION_OFFSET+EXPLOIT_BYTES_LEN) begin
ledCounter <= LEDS_ON;
rst = 1;
running = 0;
end
instruction_counter <= instruction_counter + 1;
end
end
assign led = ledCounter;
assign bang_tx = bang_tx_reg;
assign power_tx = power_tx_reg;
endmodule
@@ -1,2 +1,6 @@
Made for the [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner) Made for the [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner)
Build using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code/* Build using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
Testing using the two versions
[Bit-bang version](ESP32-S3_Exploit_BitBang/)
[UART version](ESP32-S3_Exploit_UART/)
+10
View File
@@ -2,5 +2,15 @@
Working on an exploit to break the security on the ESP32-S3 Working on an exploit to break the security on the ESP32-S3
Highly a work in progress Highly a work in progress
[entropy](entropy/) - entropy images of the bootroms
[esp-rom-elfs-20230320](esp-rom-elfs-20230320/) - all of the ESP32-X bootloader elfs from [here](https://github.com/espressif/esp-rom-elfs/releases/tag/20230320)
[ESP32-S3_Exploit_FPGA](ESP32-S3_Exploit_FPGA/) - runs the exploit, based on a cheap [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner) using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
[existing_files](existing_files/) - assorted existing roms I found
[Ghidra](Ghidra/) - Ghidra project for reverse engineering and exploit dev
[libs](libs/) - extra libraries that Espressif disclosed was used in the roms, excepting those found natively in esp-idf (useful for reverse engineering and debugging)
[sillyfillyespdumper](sillyfillyespdumper/) - tool I made to dump arbitrary data from ESP32-Xs
[silltfillyespdumper/live-roms](sillyfillyespdumper/live-roms/) - full, redundant rom dumps from two production ESP32-S3s
Based much on [Coruk's attack on the ESP32-C3](https://courk.cc/esp32-c3-c6-fault-injection) Based much on [Coruk's attack on the ESP32-C3](https://courk.cc/esp32-c3-c6-fault-injection)

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 21 KiB

@@ -1,9 +0,0 @@
#Ghidra Lock File
#Sun Aug 18 08:19:25 MDT 2024
<META>\ Supports\ File\ Channel\ Locking=Channel Lock
Hostname=princesspi2
OS\ Architecture=amd64
OS\ Name=Windows 11
OS\ Version=10.0
Timestamp=8/18/24, 8\:19\u202FAM
Username=human