cleaned up, documented some
This commit is contained in:
@@ -1,73 +0,0 @@
|
||||
module exploit
|
||||
(
|
||||
// exploit
|
||||
input clk_in,
|
||||
output bang_tx,
|
||||
output power_tx,
|
||||
output [5:0] led
|
||||
);
|
||||
|
||||
////////// EXPLOIT
|
||||
localparam INSTRUCTION_OFFSET = 100;
|
||||
|
||||
// da official exploit code
|
||||
localparam EXPLOIT_BYTES = {16'hFA,16'hEB,16'h11,16'hDD};
|
||||
|
||||
localparam EXPLOIT_BYTES_LEN = $bits(EXPLOIT_BYTES)-1; // $bits() seems to work // https://www.linkedin.com/pulse/bits-clog2-size-uses-differences-muhammed-kawser-ahmed
|
||||
|
||||
localparam LEDS_ON = 0;
|
||||
localparam LEDS_OFF = 6'b111111;
|
||||
|
||||
reg [1:0] bang_tx_reg = 0;
|
||||
reg [1:0] power_tx_reg = 1;
|
||||
reg [1:0] led_run = 1;
|
||||
reg [1:0] rst = 0;
|
||||
reg [1:0] running = 1;
|
||||
reg [5:0] ledCounter = 0;
|
||||
reg [23:0] instruction_counter = 0;
|
||||
reg [23:0] exploit_tx_count = 0;
|
||||
reg [EXPLOIT_BYTES_LEN:0] exploit_bytes_reg = EXPLOIT_BYTES;
|
||||
|
||||
always @(posedge clk_in) begin
|
||||
if(rst == 1) begin
|
||||
running = 1;
|
||||
power_tx_reg = 1;
|
||||
rst = 0;
|
||||
end
|
||||
|
||||
if(instruction_counter == INSTRUCTION_OFFSET) begin
|
||||
power_tx_reg = 0;
|
||||
rst = 1;
|
||||
end
|
||||
|
||||
if(running == 1) begin
|
||||
if(instruction_counter >= INSTRUCTION_OFFSET && instruction_counter <= INSTRUCTION_OFFSET+EXPLOIT_BYTES_LEN) begin
|
||||
bang_tx_reg <= exploit_bytes_reg[exploit_tx_count];
|
||||
exploit_tx_count <= exploit_tx_count + 1;
|
||||
led_run <= 1;
|
||||
end else begin
|
||||
led_run <= 0;
|
||||
end
|
||||
|
||||
if(led_run == 1) begin
|
||||
ledCounter <= ledCounter + 1;
|
||||
if(ledCounter == LEDS_OFF) begin
|
||||
ledCounter <= LEDS_ON;
|
||||
end
|
||||
end
|
||||
|
||||
if(instruction_counter == INSTRUCTION_OFFSET+EXPLOIT_BYTES_LEN) begin
|
||||
ledCounter <= LEDS_ON;
|
||||
rst = 1;
|
||||
running = 0;
|
||||
end
|
||||
|
||||
instruction_counter <= instruction_counter + 1;
|
||||
end
|
||||
end
|
||||
|
||||
assign led = ledCounter;
|
||||
assign bang_tx = bang_tx_reg;
|
||||
assign power_tx = power_tx_reg;
|
||||
|
||||
endmodule
|
||||
@@ -1,2 +1,6 @@
|
||||
Made for the [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner)
|
||||
Build using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code/*
|
||||
Build using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
|
||||
|
||||
Testing using the two versions
|
||||
[Bit-bang version](ESP32-S3_Exploit_BitBang/)
|
||||
[UART version](ESP32-S3_Exploit_UART/)
|
||||
@@ -2,5 +2,15 @@
|
||||
Working on an exploit to break the security on the ESP32-S3
|
||||
Highly a work in progress
|
||||
|
||||
[entropy](entropy/) - entropy images of the bootroms
|
||||
[esp-rom-elfs-20230320](esp-rom-elfs-20230320/) - all of the ESP32-X bootloader elfs from [here](https://github.com/espressif/esp-rom-elfs/releases/tag/20230320)
|
||||
[ESP32-S3_Exploit_FPGA](ESP32-S3_Exploit_FPGA/) - runs the exploit, based on a cheap [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner) using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
|
||||
[existing_files](existing_files/) - assorted existing roms I found
|
||||
[Ghidra](Ghidra/) - Ghidra project for reverse engineering and exploit dev
|
||||
[libs](libs/) - extra libraries that Espressif disclosed was used in the roms, excepting those found natively in esp-idf (useful for reverse engineering and debugging)
|
||||
[sillyfillyespdumper](sillyfillyespdumper/) - tool I made to dump arbitrary data from ESP32-Xs
|
||||
[silltfillyespdumper/live-roms](sillyfillyespdumper/live-roms/) - full, redundant rom dumps from two production ESP32-S3s
|
||||
|
||||
|
||||
Based much on [Coruk's attack on the ESP32-C3](https://courk.cc/esp32-c3-c6-fault-injection)
|
||||
|
||||
|
||||
|
Before Width: | Height: | Size: 21 KiB After Width: | Height: | Size: 21 KiB |
@@ -1,9 +0,0 @@
|
||||
#Ghidra Lock File
|
||||
#Sun Aug 18 08:19:25 MDT 2024
|
||||
<META>\ Supports\ File\ Channel\ Locking=Channel Lock
|
||||
Hostname=princesspi2
|
||||
OS\ Architecture=amd64
|
||||
OS\ Name=Windows 11
|
||||
OS\ Version=10.0
|
||||
Timestamp=8/18/24, 8\:19\u202FAM
|
||||
Username=human
|
||||
Reference in New Issue
Block a user