hardsploit_gui 2.0

data/lib/HardsploitAPI/README.md

@@ -0,0 +1,22 @@
+# Hardsploit
+
+    The essential security auditing tool for Internet of Things devices you'll need in your toolbox
+
+### [GO TO HARDSPLOIT](http://www.hardsploit.io)
+
+    TO LEARN ABOUT IT
+
+### [GO TO SHOP](https://www.shop-hardsploit.com)
+    TO BUY
+
+### [GO TO WIKI](https://github.com/OPALESECURITY/hardsploit-api/wiki)
+
+    TO UNDERSTAND HOW USE IT
+
+### [GO TO FORUM](http://forum.hardsploit.io)
+
+    FOR SUPPORT / HELP
+
+### [GO TO BUG TRACKER](https://github.com/OPALESECURITY/hardsploit-api/issues)
+
+    FOR BUGS OR IMPROVEMENTS

data/lib/HardsploitAPI/SWD/HardsploitAPI_SWD.rb

@@ -0,0 +1,249 @@
+#!/usr/bin/ruby
+#===================================================
+#  Hardsploit API - By Opale Security
+#  www.opale-security.com || www.hardsploit.io
+#  License: GNU General Public License v3
+#  License URI: http://www.gnu.org/licenses/gpl.txt
+#===================================================
+require_relative 'HardsploitAPI_SWD_DEBUG'
+require_relative 'HardsploitAPI_SWD_STM32'
+
+class HardsploitAPI
+attr_accessor :debugPort
+attr_accessor :stm32
+
+	def runSWD
+		@debugPort = SWD_DEBUG_PORT.new(self)
+		@stm32     = SWD_STM32.new(debugPort)
+
+		resetSWD()
+		#  Cortex M4 0x410FC241
+		#  Cortex M3 411FC231
+	end
+
+	def obtainCodes
+		resetSWD()
+		code = {
+		  :DebugPortId => debugPort.idcode(),
+		  :AccessPortId => stm32.ahb.idcode(),
+		  :CpuId => stm32.ahb.readWord(0xE000ED00),
+			:DeviceId => stm32.ahb.readWord(0x1FFFF7E8)
+		}
+		return code
+	end
+
+
+	def writeFlash(path)
+		resetSWD()
+		dataWrite = IO.binread(path)
+	  dataWrite = dataWrite.unpack("C*")
+		puts "Halting Processor"
+		stm32.halt()
+		puts "Erasing Flash"
+		stm32.flashUnlock()
+		stm32.flashErase()
+		puts "Programming Flash"
+		stm32.flashProgram()
+		time = Time.new
+		stm32.flashWrite(0x08000000, dataWrite)
+		time = Time.new - time
+		puts "Write #{((dataWrite.size/time)).round(2)}Bytes/s #{(dataWrite.size)}Bytes in  #{time.round(4)} s"
+		stm32.flashProgramEnd()
+		puts "Resetting"
+		stm32.sysReset()
+		puts "Start"
+		stm32.unhalt
+	end
+
+	def eraseFlash
+		puts 'Erase'
+		stm32.flashErase()
+	end
+
+	def dumpFlash(path)
+		resetSWD()
+		#DUMP FLASH MEMORY TO A FILE
+		@stm32.halt
+	  flash_size = (stm32.ahb.readWord(0x1ffff7e0) & 0xFFFF)
+		puts "Flash size : #{(flash_size) } KB"
+		puts "Dump flash"
+	  time = Time.new
+		data = @stm32.flashRead(0x08000000,(flash_size*1024))
+		time = Time.new - time
+		puts "DUMP #{((data.size/time)).round(2)}Bytes/s #{(data.size)}Bytes in  #{time.round(4)} s"
+		IO.binwrite(path, data.pack('C*'))
+		puts "Finish dump"
+	end
+
+	def writeSWD(ap,register,data)
+		packet = Array.new
+		packet.push 0  #low byte of lenght of trame refresh automaticly before send by usb
+		packet.push 0  #high byte of lenght of trame refresh automaticly before send by usb
+		packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+		packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+
+		packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
+
+		packet.push 0x10 #Write mode
+
+		packet.push (calcOpcode(ap, register, false)) #Send Request
+
+		packet.push  ((data & 0xFF) >> 0)
+		packet.push  ((data & 0xFF00) >> 8 )
+		packet.push  ((data & 0xFF0000) >> 16 )
+		packet.push  ((data & 0xFF000000) >> 24 )
+
+		result = sendAndReceiveDATA(packet,1000)
+
+		if result.class == Array then
+				if result.size == 1 + 4 then #receive ACK
+					if result[4] == 1 then
+							return true
+					elsif result[4] == 2 then
+							raise "WAIT response"
+					elsif result[4] == 4 then
+						  raise "FAULT response"
+					else
+							raise "WRITE ERROR #{result[4]}"
+					end
+				else
+					raise "Error during writing}"
+				end
+		else # Receive and error
+			raise "Error during writing, timeout "
+		end
+
+		return false
+	end
+
+	def writeBlockAP(data)
+		if data.size > 8000 then
+			raise "data is too big > 8000"
+		end
+
+		packet = Array.new
+		packet.push 0  #low byte of lenght of trame refresh automaticly before send by usb
+		packet.push 0  #high byte of lenght of trame refresh automaticly before send by usb
+		packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+		packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+
+		packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
+		packet.push 0xBB #Write ap
+		packet.push *data
+
+		result = sendAndReceiveDATA(packet,1000)
+		if result.class == Array then
+				if result.size == 1 + 4 then #receive ACK
+					if result[4] == 1 then
+							return true
+					elsif result[4] == 2 then
+							raise "WAIT response"
+					elsif result[4] == 4 then
+						  raise "FAULT response"
+					else
+							raise "WRITE ERROR #{result[4]}"
+					end
+				else
+					raise "Error during writing"
+				end
+		else # Receive and error
+			raise "Error during writing, timeout "
+		end
+			return false
+	end
+
+
+	def readBlockAP(size)
+		packet = Array.new
+		packet.push 0  #low byte of lenght of trame refresh automaticly before send by usb
+		packet.push 0  #high byte of lenght of trame refresh automaticly before send by usb
+		packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+		packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+
+		packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
+
+		packet.push 0xAA #Read mode
+		packet.push HardsploitAPI.lowByte(size)
+		packet.push HardsploitAPI.highByte(size)
+
+		result = sendAndReceiveDATA(packet,1000)
+		 if result.class == Array then
+		 		if result.size >= 4   then #Receive read + 4bytes for header
+		 			return result.drop(4)
+				else
+					raise "Receive just Header where is the data ? "
+		 		end
+		 else # Receive and error
+		 		raise "Error during reading  timeout or ACK issue "
+		 end
+	end
+
+	def readSWD(ap,register)
+		packet = Array.new
+		packet.push 0  #low byte of lenght of trame refresh automaticly before send by usb
+		packet.push 0  #high byte of lenght of trame refresh automaticly before send by usb
+		packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+		packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+
+		packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
+
+		packet.push 0x11 #Read mode
+		packet.push(calcOpcode(ap,register, true)) #Send Request
+
+		result = sendAndReceiveDATA(packet,1000)
+		 if result.class == Array then
+		 		if result.size == 4 + 4  then #Receive read + 4bytes for header
+		 			convert = (result[7]  << 24)  + (result[6]  << 16) + (result[5]  << 8 ) + result[4]
+		 			return convert
+		 		elsif result.size == 4+1 then #receive ACK
+					raise "Read error  ACK : #{result[4]}"
+		 		else
+		 			raise "Error during reading"
+		 		end
+		 else # Receive and error
+		 	raise "Error during reading  timeout "
+		 end
+	end
+
+
+	#Return array with 1 byte for ACK
+	#Return 32bits integer for data read here is Core ID
+	#Raise if error
+	def resetSWD
+		packet = Array.new
+		packet.push 0  #low byte of lenght of trame refresh automaticly before send by usb
+		packet.push 0  #high byte of lenght of trame refresh automaticly before send by usb
+		packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+		packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+
+		packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
+
+		packet.push 0x00 #Reset mode
+
+		result = sendAndReceiveDATA(packet,1000)
+		if result.class == Array then
+				if result.size == 4 + 4  then #Receive read + 4bytes for header
+					convert = (result[7]  << 24)  + (result[6]  << 16) + (result[5]  << 8 ) + result[4]
+					return convert
+				elsif result.size == 4 +1 then #reveice ACK
+					raise "ERROR ACK #{result[4]}"
+				else
+					raise "Error during reading ICCODE result != 4"
+				end
+		else # Receive and error
+			raise "Error during reading ICCODE timeout "
+		end
+	end
+
+
+	def calcOpcode (ap, register, read)
+			opcode = 0x00
+			(ap ? opcode |= 0x40 : opcode |= 0x00)
+			(read ? opcode |= 0x20 : opcode |= 0x00)
+			opcode = opcode | ((register & 0x01) << 4) | ((register & 0x02) << 2) #Addr AP DP  bit 2..3
+			opcode = opcode | (((opcode & 0x78).to_s(2).count('1').odd? ? 1 : 0) << 2)  #0x78 mask to take only read ap and register to process parity bit
+			opcode = opcode | 0x81 #Start and Park Bit
+			#puts "OpCode #{opcode.to_s(16)}"
+			return opcode
+	end
+end

data/lib/HardsploitAPI/SWD/HardsploitAPI_SWD_DEBUG.rb

@@ -0,0 +1,102 @@
+#!/usr/bin/ruby
+#===================================================
+#  Hardsploit API - By Opale Security
+#  www.opale-security.com || www.hardsploit.io
+#  License: GNU General Public License v3
+#  License URI: http://www.gnu.org/licenses/gpl.txt
+#===================================================
+class SWD_DEBUG_PORT
+
+	def initialize(hardAPI)
+		@HardAPI = hardAPI
+		@HardAPI.startFPGA
+		sleep(0.5)
+		@HardAPI.resetSWD
+		# read the IDCODE
+		# if HardAPI.resetSWD() != 0x1ba01477 then
+		#  		raise "warning: unexpected idcode"
+		# else
+		#  		puts "MCU DETECTED"
+		# end
+		abort(1,1,1,1,1)
+		select(0,0)
+		# power shit up
+		puts "Power shit up"
+		@HardAPI.writeSWD(FALSE, 1, 0x54000000)
+		if (status() >> 24) != 0xF4 then
+		 		raise "error powering up system"
+				exit(0)
+		else
+			puts "POWERING UP SYTEM OK"
+		end
+		#get the SELECT register to a known state
+		select(0,0)
+		@curAP = 0
+		@curBank = 0
+	end
+
+	def getAPI
+		return @HardAPI
+	end
+
+	def idcode
+			return @HardAPI.readSWD(FALSE, 0)
+	end
+
+	def abort (orunerr, wdataerr, stickyerr, stickycmp, dap)
+			value = 0x00000000
+			(orunerr ? value |= 0x10 : value |= 0x00)
+			(wdataerr ? value |= 0x08 : value |= 0x00)
+			(stickyerr ? value |= 0x04 : value |= 0x00)
+			(stickycmp ? value |= 0x02 : value |= 0x00)
+			(dap ? value |= 0x01 : value |= 0x00)
+			@HardAPI.writeSWD(FALSE, 0, value)
+	end
+
+	def status
+			val= @HardAPI.readSWD(FALSE,1)
+			return val
+	end
+
+	def control (trnCount = 0, trnMode = 0, maskLane = 0, orunDetect = 0)
+			value = 0x54000000
+			value = value | ((trnCount & 0xFFF) << 12)
+			value = value | ((maskLane & 0x00F) << 8)
+			value = value | ((trnMode  & 0x003) << 2)
+			(orunDetect ? value |= 0x01 : value |= 0x00)
+			@HardAPI.writeSWD(False, 1, value)
+	end
+
+	def select (apsel, apbank)
+			value = 0x00000000
+			value = value | ((apsel  & 0xFF) << 24)
+			value = value | ((apbank & 0x0F) <<  4)
+			@HardAPI.writeSWD(FALSE, 2, value)
+	end
+
+
+	def readRB
+			return @HardAPI.readSWD(FALSE, 3)
+	end
+	def readAP ( apsel, address)
+			adrBank = (address >> 4) & 0xF
+			adrReg  = (address >> 2) & 0x3
+			if apsel != @curAP or adrBank != @curBank then
+					select(apsel, adrBank)
+					@curAP = apsel
+					@curBank = adrBank
+			end
+			return @HardAPI.readSWD(TRUE, adrReg)
+	end
+
+	def writeAP (apsel, address, data)
+			adrBank = (address >> 4) & 0xF
+			adrReg  = (address >> 2) & 0x3
+			if apsel != @curAP or adrBank != @curBank then
+					select(apsel, adrBank)
+					@curAP = apsel
+					@curBank = adrBank
+			end
+		@HardAPI.writeSWD(TRUE, adrReg, data)
+	 end
+end

data/lib/HardsploitAPI/SWD/HardsploitAPI_SWD_MEM_AP.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/ruby
+#===================================================
+#  Hardsploit API - By Opale Security
+#  www.opale-security.com || www.hardsploit.io
+#  License: GNU General Public License v3
+#  License URI: http://www.gnu.org/licenses/gpl.txt
+#===================================================
+
+class SWD_MEM_AP
+
+	def initialize( dp, apsel)
+		@dp = dp
+		@apsel = apsel
+		csw(1,2) # 32-bit auto-incrementing addressing
+	end
+
+  def csw ( addrInc, size)
+      @dp.readAP(@apsel, 0x00)
+      val = @dp.readRB() & 0xFFFFFF00
+			@dp.writeAP(@apsel, 0x00, val + (addrInc << 4) + size)
+	end
+  def idcode
+      @dp.readAP(@apsel, 0xFC)
+      return @dp.readRB()
+	end
+  def readWord (adr)
+      @dp.writeAP(@apsel, 0x04, adr)
+      @dp.readAP(@apsel, 0x0C)
+      return @dp.readRB()
+	end
+  def writeWord (adr, data)
+      @dp.writeAP(@apsel, 0x04, adr)
+      @dp.writeAP(@apsel, 0x0C, data)
+      return @dp.readRB()
+	end
+  def readBlock ( adr, count)#1K boundaries and return 4K of data word alignement
+			if count < 1 then
+				raise "readBlock error : count must be >= 1"
+			end
+			if count > 1024 then
+				raise "readBlock error : count must be <= 1024 "
+			end
+			csw(1, 2) # 32-bit single-incrementing addressing
+			@dp.writeAP(@apsel, 0x04, adr)
+			vals = Array.new
+			@dp.readAP(@apsel, 0x0C) #For the first byte
+			vals.push(*@dp.getAPI.readBlockAP(count-1))  #Hardcoded function to increase speed of read block
+      return vals
+	end
+
+	# def writeBlockNonInc (adr, data)
+	#  		self.csw(0, 2) # 32-bit non-incrementing addressing
+	#  		for val in data
+	# 			@dp.writeAP(@apsel, 0x04, adr)
+	# 			@dp.writeAP(@apsel, 0x0C, val)
+	# 		end
+	# 		self.csw(1, 2) # 32-bit auto-incrementing addressing
+	# end
+
+	def writeBlock (adr, data) #1K boundaries
+    @dp.writeAP(@apsel, 0x04, adr)
+		puts "writeBlock #{adr.to_s(16)}"
+
+		@dp.getAPI.writeBlockAP(data)
+		# for i in (0..data.size-1).step(4)
+		# 		@dp.writeAP(@apsel, 0x0C, data[i].to_i + (data[i+1].to_i << 8) + (data[i+2].to_i << 16)+ (data[i+3].to_i << 24))
+		# end
+	end
+
+  def writeHalfs (adr, data)
+      self.csw(2, 1) # 16-bit packed-incrementing addressing
+      @dp.writeAP(@apsel, 0x04, adr)
+      for val in data
+          sleep(0.001)
+          @dp.writeAP(@apsel, 0x0C, val)
+			end
+	end
+end