bcm43451b1: Extended rom_extraction patch. Now it is also possible to…

… read the console buffer using an ioctl.
seemoo-lab · Sep 29, 2017 · c61a62f · c61a62f
1 parent ebcfba1
commit c61a62f
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 13 deletions.
diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/Makefile b/patches/bcm43451b1/7_63_43_0/rom_extraction/Makefile
@@ -160,15 +160,15 @@ endif
 
 dump-rom: FORCE
 	@printf "\033[0;31m  DUMPING ROM TO\033[0m /var/root/romdump.bin\n"
-	$(Q)ssh -p 2222 root@localhost 'nexutil -g0x602 -l1024 -i -v0x0 -r > /var/root/romdump.bin && for n in {1..447}; do nexutil -g0x602 -l1024 -i -v$$(($$n*1024)) -r >> /var/root/romdump.bin; done'
-	@printf "\033[0;31m  DOWNLOADING ROM DUMP\033[0m /var/root/rumdump.bin => romdump.bin\n"
-	$(Q)scp -P 2222 root@localhost:/var/root/romdump.bin rom.bin
+	$(Q)ssh local 'nexutil -g0x602 -l1024 -i -v0x0 -r > /var/root/romdump.bin && for n in {1..447}; do nexutil -g0x602 -l1024 -i -v$$(($$n*1024)) -r >> /var/root/romdump.bin; done'
+	@printf "\033[0;31m  DOWNLOADING ROM DUMP\033[0m /var/root/romdump.bin => rom.bin\n"
+	$(Q)scp local:/var/root/romdump.bin rom.bin
 
 install-firmware: tempranillo.trx
 	@printf "\033[0;31m  COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
-	$(Q)scp -P 2222 tempranillo.trx root@localhost:/usr/share/firmware/wifi/C-4345__s-B1/
+	$(Q)scp tempranillo.trx local:/usr/share/firmware/wifi/C-4345__s-B1/
 	@printf "\033[0;31m  RELOADING FIRMWARE\033[0m\n"
-	$(Q)ssh -p 2222 root@localhost '/usr/libexec/wifiFirmwareLoader -F /usr/share/firmware/wifi/C-4345__s-B1/tempranillo.trx'
+	$(Q)ssh local '/usr/libexec/wifiFirmwareLoader -F /usr/share/firmware/wifi/C-4345__s-B1/tempranillo.trx'
 
 install-original: $(FW_PATH)/$(RAM_FILE)
 	@printf "\033[0;31m  REMOUNTING /vendor\033[0m\n"

diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/include/local_wrapper.h b/patches/bcm43451b1/7_63_43_0/rom_extraction/include/local_wrapper.h
@@ -0,0 +1,40 @@
+/***************************************************************************
+ *                                                                         *
+ *          ###########   ###########   ##########    ##########           *
+ *         ############  ############  ############  ############          *
+ *         ##            ##            ##   ##   ##  ##        ##          *
+ *         ##            ##            ##   ##   ##  ##        ##          *
+ *         ###########   ####  ######  ##   ##   ##  ##    ######          *
+ *          ###########  ####  #       ##   ##   ##  ##    #    #          *
+ *                   ##  ##    ######  ##   ##   ##  ##    #    #          *
+ *                   ##  ##    #       ##   ##   ##  ##    #    #          *
+ *         ############  ##### ######  ##   ##   ##  ##### ######          *
+ *         ###########    ###########  ##   ##   ##   ##########           *
+ *                                                                         *
+ *            S E C U R E   M O B I L E   N E T W O R K I N G              *
+ *                                                                         *
+ * This file is part of NexMon.                                            *
+ *                                                                         *
+ * Copyright (c) 2016 NexMon Team                                          *
+ *                                                                         *
+ * NexMon is free software: you can redistribute it and/or modify          *
+ * it under the terms of the GNU General Public License as published by    *
+ * the Free Software Foundation, either version 3 of the License, or       *
+ * (at your option) any later version.                                     *
+ *                                                                         *
+ * NexMon is distributed in the hope that it will be useful,               *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of          *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           *
+ * GNU General Public License for more details.                            *
+ *                                                                         *
+ * You should have received a copy of the GNU General Public License       *
+ * along with NexMon. If not, see <http://www.gnu.org/licenses/>.          *
+ *                                                                         *
+ **************************************************************************/
+
+#ifndef LOCAL_WRAPPER_H
+#define LOCAL_WRAPPER_H
+
+#include "../src/local_wrapper.c"        // wrapper definitions for functions that already exist in the firmware
+
+#endif /*LOCAL_WRAPPER_H*/
diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/before_flash_patching.c b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/before_flash_patching.c
@@ -41,8 +41,8 @@
 #include <helper.h>             // useful helper functions
 #include <patcher.h>            // macros used to craete patches such as BLPatch, BPatch, ...
 #include <rates.h>              // rates used to build the ratespec for frame injection
+#include <local_wrapper.h>
 
-int fp_apply_patches(void);
 unsigned int fp_orig_data[183][2] = { 0 };
 unsigned int fp_orig_data_len = 183;
 

diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/ioctl.c b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/ioctl.c
@@ -86,6 +86,32 @@ wlc_ioctl_hook(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
             break;
         }
 
+        case 0x603: // read from memory
+        {
+            memcpy(arg, *(char **) arg, len);
+            ret = IOCTL_SUCCESS;
+            break;
+        }
+
+        case 0x604: // write to console
+        {
+            arg[len-1] = 0;
+            printf("%s\n", arg);
+            ret = IOCTL_SUCCESS;
+            break;
+        }
+
+        case 0x605: // dump console
+        {
+            unsigned int *config = *(unsigned int **) 0x208e38;
+            if (len >= config[3]) {
+                memcpy(arg, (char *) (config[2] + config[4]), config[3] - config[4]);
+                memcpy(arg + config[3] - config[4], (char *) config[2], config[4]);
+                ret = IOCTL_SUCCESS;
+            }
+            break;
+        }
+
         default:
             ret = wlc_ioctl(wlc, cmd, arg, len, wlc_if);
     }

diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/local_wrapper.c b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/local_wrapper.c
@@ -32,14 +32,33 @@
  *                                                                         *
  **************************************************************************/
 
-#pragma NEXMON targetregion "patch"
+#ifndef LOCAL_WRAPPER_C
+#define LOCAL_WRAPPER_C
 
-#include <firmware_version.h>   // definition of firmware version macros
-#include <patcher.h>            // macros used to craete patches such as BLPatch, BPatch, ...
+#include <firmware_version.h>
+#include <structs.h>
+#include <stdarg.h>
 
-__attribute__((weak, at(0x20a584, "dummy", CHIP_VER_BCM43451b1, FW_VER_7_63_43_0)))
+#ifndef WRAPPER_H
+    // if this file is not included in the wrapper.h file, create dummy functions
+    #define VOID_DUMMY { ; }
+    #define RETURN_DUMMY { ; return 0; }
+
+    #define AT(CHIPVER, FWVER, ADDR) __attribute__((weak, at(ADDR, "dummy", CHIPVER, FWVER)))
+#else
+    // if this file is included in the wrapper.h file, create prototypes
+    #define VOID_DUMMY ;
+    #define RETURN_DUMMY ;
+    #define AT(CHIPVER, FWVER, ADDR)
+#endif
+
+AT(CHIP_VER_BCM43451b1, FW_VER_7_63_43_0, 0x20a584)
 int
 fp_apply_patches(void)
-{
-	return 0;
-}
+RETURN_DUMMY
+
+#undef VOID_DUMMY
+#undef RETURN_DUMMY
+#undef AT
+
+#endif /*LOCAL_WRAPPER_C*/