我的jlink破解失败经历
邮购了一个d版的jlink,尝试在升级的.dll中加入一段代码,用于读出0x00100000 flash的内容,失败了。求助卖方,需要收费才给我重写,算了,不玩了,可惜我的1k多大洋。
希望下面的内容对想破解的人有帮助,哪位要是搞定了,帮我烧一下flash中内容,我出邮费,不甚感激。联系wh.chxh#gmail.com
这个jlink的版本是v5.2,硬件是一片AT91SAM7S64 加一片LVC16245。S64片内Flash加密过,不可以直接读出。
下面是我对该设备的了解,有些错误,不然的话,我的破解就应该成功。
基本思路就是所谓的“特洛伊木马”,升级部分加入一下段串口打印代码,将flash内容打印出来。
当jlink连上pc时,执行Jlink.exe,会自动检查jinkarm.dll中部分firmware和硬件中的firmware版本,如果dll中的版本新,就会升级硬件中的部分。
比较的依据是字符串“J-Link compiled Jun 14 2007 14:36:33 ARM Rev.5”中的年月日,如果dll中的该串年月日大于硬件中的,就会自动升级。如将”Jun 14”改为”Jun 15”, 也会在次升级写入。
下面看dll中的固件程序究竟是什么样的,dll是用upx压缩了的,解压就可以了。下面是提取出来的升级部分内容,长度为0x5400。
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 2E 00 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5 ...?馃?馃?馃?
00000010 14 F0 9F E5 FF FF FF FF 10 F0 9F E5 10 F0 9F E5 .馃????.馃?馃?
00000020 04 54 10 00 08 54 10 00 0C 54 10 00 10 54 10 00 .T...T...T...T..
00000030 F8 38 20 00 1C 54 10 00 FF FF FF FF FF FF FF FF ? ..T..????????
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 4A 2D 4C 69 6E 6B 20 63 6F 6D 70 69 6C 65 64 20 J-Link compiled
00000060 4A 75 6E 20 31 34 20 32 30 30 37 20 31 34 3A 33 Jun 14 2007 14:3
00000070 36 3A 33 33 20 41 52 4D 20 52 65 76 2E 35 00 00 6:33 ARM Rev.5..
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 0F E1 1F 00 C0 E3 12 00 80 E3 00 F0 21 E1 ...?.楞..????
000000D0 14 D0 9F E5 1F 00 C0 E3 1F 00 80 E3 00 F0 21 E1 .袩?.楞..????
000000E0 08 D0 9F E5 08 00 9F E5 10 FF 2F E1 98 3E 20 00 .袩?.熷.?/針> .
000000F0 58 3E 20 00 00 50 10 00 70 B5 0C 4C 0C 4E 82 B0 X> ..P..p?L.N偘
用ida反汇编:
ROM:00100000 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:00100000 ; ORG 0x100000
ROM:00100000 CODE32
ROM:00100000
ROM:00100000 loc_100000 ; DATA XREF: ROM:001050FC o
ROM:00100000 B loc_1000C0
ROM:00100004 ; ---------------------------------------------------------------------------
ROM:00100004 LDR PC, =0x105404
ROM:00100008 ; ---------------------------------------------------------------------------
ROM:00100008 LDR PC, =0x105408
ROM:0010000C ; ---------------------------------------------------------------------------
ROM:0010000C LDR PC, =0x10540C
ROM:00100010 ; ---------------------------------------------------------------------------
ROM:00100010 LDR PC, =0x105410
ROM:00100010 ; ---------------------------------------------------------------------------
ROM:00100014 DCD 0xFFFFFFFF
ROM:00100018 ; ---------------------------------------------------------------------------
ROM:00100018 LDR PC, =0x2038F8
ROM:0010001C ; ---------------------------------------------------------------------------
ROM:0010001C LDR PC, =0x10541C
ROM:0010001C ; ---------------------------------------------------------------------------
ROM:00100020 dword_100020 DCD 0x105404 ; DATA XREF: ROM:00100004 r
ROM:00100024 dword_100024 DCD 0x105408 ; DATA XREF: ROM:00100008 r
ROM:00100028 dword_100028 DCD 0x10540C ; DATA XREF: ROM:0010000C r
ROM:0010002C dword_10002C DCD 0x105410 ; DATA XREF: ROM:00100010 r
ROM:00100030 dword_100030 DCD 0x2038F8 ; DATA XREF: ROM:00100018 r
ROM:00100034 dword_100034 DCD 0x10541C ; DATA XREF: ROM:0010001C r
ROM:00100038 DCB 0xFF
ROM:00100039 DCB 0xFF
ROM:0010003A DCB 0xFF
ROM:0010003B DCB 0xFF
ROM:0010003C DCB 0xFF
ROM:0010003D DCB 0xFF
ROM:0010003E DCB 0xFF
ROM:0010003F DCB 0xFF
ROM:00100040 DCB 0
ROM:00100041 DCB 0
ROM:00100042 DCB 0
ROM:00100043 DCB 0
ROM:00100044 DCB 0
ROM:00100045 DCB 0
ROM:00100046 DCB 0
ROM:00100047 DCB 0
ROM:00100048 DCB 0
ROM:00100049 DCB 0
ROM:0010004A DCB 0
ROM:0010004B DCB 0
ROM:0010004C DCB 0
ROM:0010004D DCB 0
ROM:0010004E DCB 0
ROM:0010004F DCB 0
ROM:00100050 aJLinkCompiledJ DCB "J-Link compiled Jun 14 2007 14:36:33 ARM Rev.5",0
ROM:0010007F DCB 0
ROM:00100080 DCB 0
ROM:00100081 DCB 0
ROM:00100082 DCB 0
ROM:00100083 DCB 0
ROM:00100084 DCB 0
ROM:00100085 DCB 0
ROM:00100086 DCB 0
ROM:00100087 DCB 0
ROM:00100088 DCB 0
ROM:00100089 DCB 0
ROM:0010008A DCB 0
ROM:0010008B DCB 0
ROM:0010008C DCB 0
ROM:0010008D DCB 0
ROM:0010008E DCB 0
ROM:0010008F DCB 0
ROM:00100090 DCB 0
ROM:00100091 DCB 0
ROM:00100092 DCB 0
ROM:00100093 DCB 0
ROM:00100094 DCB 0
ROM:00100095 DCB 0
ROM:00100096 DCB 0
ROM:00100097 DCB 0
ROM:00100098 DCB 0
ROM:00100099 DCB 0
ROM:0010009A DCB 0
ROM:0010009B DCB 0
ROM:0010009C DCB 0
ROM:0010009D DCB 0
ROM:0010009E DCB 0
ROM:0010009F DCB 0
ROM:001000A0 DCB 0
ROM:001000A1 DCB 0
ROM:001000A2 DCB 0
ROM:001000A3 DCB 0
ROM:001000A4 DCB 0
ROM:001000A5 DCB 0
ROM:001000A6 DCB 0
ROM:001000A7 DCB 0
ROM:001000A8 DCB 0
ROM:001000A9 DCB 0
ROM:001000AA DCB 0
ROM:001000AB DCB 0
ROM:001000AC DCB 0
ROM:001000AD DCB 0
ROM:001000AE DCB 0
ROM:001000AF DCB 0
ROM:001000B0 DCB 0
ROM:001000B1 DCB 0
ROM:001000B2 DCB 0
ROM:001000B3 DCB 0
ROM:001000B4 DCB 0
ROM:001000B5 DCB 0
ROM:001000B6 DCB 0
ROM:001000B7 DCB 0
ROM:001000B8 DCB 0
ROM:001000B9 DCB 0
ROM:001000BA DCB 0
ROM:001000BB DCB 0
ROM:001000BC DCB 0
ROM:001000BD DCB 0
ROM:001000BE DCB 0
ROM:001000BF DCB 0
ROM:001000C0 ; ---------------------------------------------------------------------------
ROM:001000C0
ROM:001000C0 loc_1000C0 ; CODE XREF: ROM:loc_100000 j
ROM:001000C0 MRS R0, CPSR
ROM:001000C4 BIC R0, R0, #0x1F
ROM:001000C8 ORR R0, R0, #0x12
ROM:001000CC MSR CPSR_c, R0
ROM:001000D0 LDR SP, =0x203E98
ROM:001000D4 BIC R0, R0, #0x1F
ROM:001000D8 ORR R0, R0, #0x1F
ROM:001000DC MSR CPSR_c, R0
ROM:001000E0 LDR SP, =0x203E58
ROM:001000E4 LDR R0, =loc_105534
ROM:001000E8 BX R0
ROM:001000E8 ; ---------------------------------------------------------------------------
ROM:001000EC dword_1000EC DCD 0x203E98 ; DATA XREF: ROM:001000D0 r
ROM:001000F0 dword_1000F0 DCD 0x203E58 ; DATA XREF: ROM:001000E0 r
ROM:001000F4 off_1000F4 DCD loc_105534 ; DATA XREF: ROM:001000E4 r
ROM:001000F8 DCB 0x70 ; p
ROM:001000F9 DCB 0xB5 ; ?
ROM:001000FA DCB 0xC
ROM:001000FB DCB 0x4C ; L
ROM:001000FC DCB 0xC
看ROM:001000E4 LDR R0, =loc_105534,BX R0这里就跳转到AT91Sam7s64 bootloader部分了。后面的代码不具有可读性,应该是加密了的。
我就修改LDR R0, =loc_105534 为LDR R0, =loc_105000,
在loc_105000加入一小段设置串口的代码并将0x1000000,64k内容用串口传出。结果就挂了!!!
我想可能是bootloader程序将升级部分读入后,将后面的不可读部分还原,我增加的部分代码也变了,所以没有将64k flash内容通过串口传出来。
如果再尝试的话,我觉得应该将串口传送的代码部分增加到ROM:0010007F处,或再上面一点,这里可能不会被bootloader改写。
嵌入的代码,加入到dll中时,要适度修改。如果要放到dll中的代码前面,还要精简一下。
#include <AT91SAM7S64.H> /* AT91SAM7S64 definitions */
#define EXT_OC 18432000 // Exetrnal ocilator MAINCK
#define MCK 48054857 // MCK (PLLRC div by 2)
#define BR 115200 /* Baud Rate */
#define BRD (MCK/16/BR) /* Baud Rate Divisor */
int sendchar (int ch);
void AT91F_LowLevelInit(void);
void init_serial (void);
int main(void)
{
int i;
char *p;
AT91F_LowLevelInit();
*AT91C_PMC_PCER = (1 << AT91C_ID_PIOA) | /* Enable Clock for PIO */
(1 << AT91C_ID_US1); /* Enable Clock for USART0 */
init_serial();
p = (char*)0x100000;
for(i = 0; i < 65536; i++)
{
sendchar(*p);
p++;
}
while(1);
}
void AT91F_LowLevelInit( void)
{
AT91PS_PMC pPMC = AT91C_BASE_PMC;
//* Set Flash Waite sate
// Single Cycle Access at Up to 30 MHz, or 40
AT91C_BASE_MC->MC_FMR = AT91C_MC_FWS_1FWS ;
//* Watchdog Disable
AT91C_BASE_WDTC->WDTC_WDMR= AT91C_WDTC_WDDIS;
//* Set MCK at 48 054 850
// 1 Enabling the Main Oscillator:
// SCK = 1/32768 = 30.51 uSecond
// Start up time = 8 * 6 / SCK = 56 * 30.51 = 1,46484375 ms
pPMC->PMC_MOR = (( AT91C_CKGR_OSCOUNT & (0x06 <<8) | AT91C_CKGR_MOSCEN ));
// Wait the startup time
while(!(pPMC->PMC_SR & AT91C_PMC_MOSCS));
// 2 Checking the Main Oscillator Frequency (Optional)
// 3 Setting PLL and divider:
// - div by 14 Fin = 1.3165 =(18,432 / 14)
// - Mul 72+1: Fout = 96.1097 =(3,6864 *73)
// for 96 MHz the erroe is 0.11%
// Field out NOT USED = 0
// PLLCOUNT pll startup time estimate at : 0.844 ms
// PLLCOUNT 28 = 0.000844 /(1/32768)
pPMC->PMC_PLLR = ((AT91C_CKGR_DIV & 14 ) |
(AT91C_CKGR_PLLCOUNT & (28<<8)) |
(AT91C_CKGR_MUL & (72<<16)));
// Wait the startup time
while(!(pPMC->PMC_SR & AT91C_PMC_LOCK));
while(!(pPMC->PMC_SR & AT91C_PMC_MCKRDY));
// 4. Selection of Master Clock and Processor Clock
// select the PLL clock divided by 2
pPMC->PMC_MCKR = AT91C_PMC_PRES_CLK_2 ;
while(!(pPMC->PMC_SR & AT91C_PMC_MCKRDY));
pPMC->PMC_MCKR |= AT91C_PMC_CSS_PLL_CLK ;
while(!(pPMC->PMC_SR & AT91C_PMC_MCKRDY));
}
void init_serial (void) { /* Initialize Serial Interface */
AT91S_USART * pUSART = AT91C_BASE_US1; /* Global Pointer to USART1 */
*AT91C_PIOA_PDR = //AT91C_PA5_RXD0 | AT91C_PA6_TXD0; /* Enalbe TxD0 Pin */
AT91C_PA21_RXD1 | AT91C_PA22_TXD1;
pUSART->US_CR = AT91C_US_RSTRX | /* Reset Receiver */
AT91C_US_RSTTX | /* Reset Transmitter */
AT91C_US_RXDIS | /* Receiver Disable */
AT91C_US_TXDIS ; /* Transmitter Disable */
pUSART->US_MR = AT91C_US_USMODE_NORMAL | /* Normal Mode */
AT91C_US_CLKS_CLOCK | /* Clock = MCK */
AT91C_US_CHRL_8_BITS | /* 8-bit Data */
AT91C_US_PAR_NONE | /* No Parity */
AT91C_US_NBSTOP_1_BIT; /* 1 Stop Bit */
pUSART->US_BRGR = BRD; /* Baud Rate Divisor */
pUSART->US_CR = AT91C_US_RXEN | /* Receiver Enable */
AT91C_US_TXEN; /* Transmitter Enable */
}
int sendchar (int ch)
{
/* Write character to Serial Port */
AT91S_USART * pUSART = AT91C_BASE_US1; /* Global Pointer to USART1 */
while (!(pUSART->US_CSR & AT91C_US_TXRDY)); /* Wait for Empty Tx Buffer */
return (pUSART->US_THR = ch); /* Transmit Character */
}
Pc License部分,看下面就可以了,很简单的
.text:00413DF0 sub_413DF0 proc near ; CODE XREF: sub_4144F0+6C p
.text:00413DF0 ; sub_4146A0+105 p
.text:00413DF0
.text:00413DF0 arg_0 = dword ptr 14h
.text:00413DF0 arg_4 = dword ptr 18h
.text:00413DF0 arg_8 = dword ptr 1Ch
.text:00413DF0 arg_C = dword ptr 20h
.text:00413DF0
; License_RDI_V11_S12345678_Eyymmdd _Kabcdabcd
; arg_0 = "RDI", arg_4 = 11, arg_8 = 12345678, arg_c = yymmdd
.text:00413DF0 push ebx ;
.text:00413DF1 push ebp ;
.text:00413DF2 push esi
.text:00413DF3 push edi
.text:00413DF4 mov edi, [esp+arg_0]
.text:00413DF8 or ecx, 0FFFFFFFFh
.text:00413DFB xor eax, eax
.text:00413DFD mov edx, [esp+arg_8]
.text:00413E01 repne scasb
.text:00413E03 mov edi, [esp+arg_4]
.text:00413E07 xor ebp, ebp
.text:00413E09 not ecx
.text:00413E0B dec ecx
.text:00413E0C xor edi, edx
.text:00413E0E mov ebx, ecx
.text:00413E10 mov ecx, [esp+arg_C]
.text:00413E14 xor edi, ecx
.text:00413E16 xor esi, esi
.text:00413E18 test ebx, ebx
.text:00413E1A jle short loc_413E42
.text:00413E1C
.text:00413E1C loc_413E1C: ; CODE XREF: sub_413DF0+50 j
.text:00413E1C mov eax, [esp+arg_0]
.text:00413E20 mov ecx, esi
.text:00413E22 and ecx, 80000003h
.text:00413E28 movsx eax, byte ptr [esi+eax]
.text:00413E2C jns short loc_413E33
.text:00413E2E dec ecx
.text:00413E2F or ecx, 0FFFFFFFCh
.text:00413E32 inc ecx
.text:00413E33
.text:00413E33 loc_413E33: ; CODE XREF: sub_413DF0+3C j
.text:00413E33 shl ecx, 3
.text:00413E36 shl eax, cl
.text:00413E38 cdq
.text:00413E39 xor edi, eax
.text:00413E3B xor ebp, edx
.text:00413E3D inc esi
.text:00413E3E cmp esi, ebx
.text:00413E40 jl short loc_413E1C
.text:00413E42
.text:00413E42 loc_413E42: ; CODE XREF: sub_413DF0+2A j
.text:00413E42 mov eax, edi
.text:00413E44 pop edi
.text:00413E45 imul eax, 36DF45Dh
.text:00413E4B pop esi
.text:00413E4C pop ebp
.text:00413E4D add eax, 14718ABh ;eax就是实际校验
.text:00413E52 pop ebx
.text:00413E53 retn
.text:00413E53 sub_413DF0 endp
|
|
楼主
标题置顶
标题高亮
