cleaned up, documented some
This commit is contained in:
@@ -1,73 +0,0 @@
|
|||||||
module exploit
|
|
||||||
(
|
|
||||||
// exploit
|
|
||||||
input clk_in,
|
|
||||||
output bang_tx,
|
|
||||||
output power_tx,
|
|
||||||
output [5:0] led
|
|
||||||
);
|
|
||||||
|
|
||||||
////////// EXPLOIT
|
|
||||||
localparam INSTRUCTION_OFFSET = 100;
|
|
||||||
|
|
||||||
// da official exploit code
|
|
||||||
localparam EXPLOIT_BYTES = {16'hFA,16'hEB,16'h11,16'hDD};
|
|
||||||
|
|
||||||
localparam EXPLOIT_BYTES_LEN = $bits(EXPLOIT_BYTES)-1; // $bits() seems to work // https://www.linkedin.com/pulse/bits-clog2-size-uses-differences-muhammed-kawser-ahmed
|
|
||||||
|
|
||||||
localparam LEDS_ON = 0;
|
|
||||||
localparam LEDS_OFF = 6'b111111;
|
|
||||||
|
|
||||||
reg [1:0] bang_tx_reg = 0;
|
|
||||||
reg [1:0] power_tx_reg = 1;
|
|
||||||
reg [1:0] led_run = 1;
|
|
||||||
reg [1:0] rst = 0;
|
|
||||||
reg [1:0] running = 1;
|
|
||||||
reg [5:0] ledCounter = 0;
|
|
||||||
reg [23:0] instruction_counter = 0;
|
|
||||||
reg [23:0] exploit_tx_count = 0;
|
|
||||||
reg [EXPLOIT_BYTES_LEN:0] exploit_bytes_reg = EXPLOIT_BYTES;
|
|
||||||
|
|
||||||
always @(posedge clk_in) begin
|
|
||||||
if(rst == 1) begin
|
|
||||||
running = 1;
|
|
||||||
power_tx_reg = 1;
|
|
||||||
rst = 0;
|
|
||||||
end
|
|
||||||
|
|
||||||
if(instruction_counter == INSTRUCTION_OFFSET) begin
|
|
||||||
power_tx_reg = 0;
|
|
||||||
rst = 1;
|
|
||||||
end
|
|
||||||
|
|
||||||
if(running == 1) begin
|
|
||||||
if(instruction_counter >= INSTRUCTION_OFFSET && instruction_counter <= INSTRUCTION_OFFSET+EXPLOIT_BYTES_LEN) begin
|
|
||||||
bang_tx_reg <= exploit_bytes_reg[exploit_tx_count];
|
|
||||||
exploit_tx_count <= exploit_tx_count + 1;
|
|
||||||
led_run <= 1;
|
|
||||||
end else begin
|
|
||||||
led_run <= 0;
|
|
||||||
end
|
|
||||||
|
|
||||||
if(led_run == 1) begin
|
|
||||||
ledCounter <= ledCounter + 1;
|
|
||||||
if(ledCounter == LEDS_OFF) begin
|
|
||||||
ledCounter <= LEDS_ON;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
if(instruction_counter == INSTRUCTION_OFFSET+EXPLOIT_BYTES_LEN) begin
|
|
||||||
ledCounter <= LEDS_ON;
|
|
||||||
rst = 1;
|
|
||||||
running = 0;
|
|
||||||
end
|
|
||||||
|
|
||||||
instruction_counter <= instruction_counter + 1;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
assign led = ledCounter;
|
|
||||||
assign bang_tx = bang_tx_reg;
|
|
||||||
assign power_tx = power_tx_reg;
|
|
||||||
|
|
||||||
endmodule
|
|
||||||
@@ -1,2 +1,6 @@
|
|||||||
Made for the [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner)
|
Made for the [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner)
|
||||||
Build using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code/*
|
Build using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
|
||||||
|
|
||||||
|
Testing using the two versions
|
||||||
|
[Bit-bang version](ESP32-S3_Exploit_BitBang/)
|
||||||
|
[UART version](ESP32-S3_Exploit_UART/)
|
||||||
@@ -2,5 +2,15 @@
|
|||||||
Working on an exploit to break the security on the ESP32-S3
|
Working on an exploit to break the security on the ESP32-S3
|
||||||
Highly a work in progress
|
Highly a work in progress
|
||||||
|
|
||||||
|
[entropy](entropy/) - entropy images of the bootroms
|
||||||
|
[esp-rom-elfs-20230320](esp-rom-elfs-20230320/) - all of the ESP32-X bootloader elfs from [here](https://github.com/espressif/esp-rom-elfs/releases/tag/20230320)
|
||||||
|
[ESP32-S3_Exploit_FPGA](ESP32-S3_Exploit_FPGA/) - runs the exploit, based on a cheap [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner) using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
|
||||||
|
[existing_files](existing_files/) - assorted existing roms I found
|
||||||
|
[Ghidra](Ghidra/) - Ghidra project for reverse engineering and exploit dev
|
||||||
|
[libs](libs/) - extra libraries that Espressif disclosed was used in the roms, excepting those found natively in esp-idf (useful for reverse engineering and debugging)
|
||||||
|
[sillyfillyespdumper](sillyfillyespdumper/) - tool I made to dump arbitrary data from ESP32-Xs
|
||||||
|
[silltfillyespdumper/live-roms](sillyfillyespdumper/live-roms/) - full, redundant rom dumps from two production ESP32-S3s
|
||||||
|
|
||||||
|
|
||||||
Based much on [Coruk's attack on the ESP32-C3](https://courk.cc/esp32-c3-c6-fault-injection)
|
Based much on [Coruk's attack on the ESP32-C3](https://courk.cc/esp32-c3-c6-fault-injection)
|
||||||
|
|
||||||
|
|||||||
|
Before Width: | Height: | Size: 21 KiB After Width: | Height: | Size: 21 KiB |
@@ -1,9 +0,0 @@
|
|||||||
#Ghidra Lock File
|
|
||||||
#Sun Aug 18 08:19:25 MDT 2024
|
|
||||||
<META>\ Supports\ File\ Channel\ Locking=Channel Lock
|
|
||||||
Hostname=princesspi2
|
|
||||||
OS\ Architecture=amd64
|
|
||||||
OS\ Name=Windows 11
|
|
||||||
OS\ Version=10.0
|
|
||||||
Timestamp=8/18/24, 8\:19\u202FAM
|
|
||||||
Username=human
|
|
||||||
Reference in New Issue
Block a user