My failed attempt at cracking a J-Link

http://fallenwind.spaces.eepw.com.cn/articles/article/item/59116

2009-07-12 01:16:56
Author: 苦丁茶

Try this with caution.
I mail-ordered a pirated (D-version) J-Link and tried adding a piece of code to the firmware-update portion of the .dll to read out the flash contents at 0x00100000. It failed.

I asked the seller for help; they would only reflash it for a fee. Forget it, I'm done with this. A pity about my 1000-plus yuan.

I hope the material below is useful to anyone who wants to crack it. If someone manages it, please reflash the flash contents on my unit for me; I'll pay the postage and would be very grateful. Contact: wh.chxh#gmail.com

This J-Link is version v5.2; the hardware is one AT91SAM7S64 plus one LVC16245.

The S64's on-chip flash is protected and cannot be read out directly.

Below is what I understand about this device. Some of it must be wrong; otherwise my crack should have succeeded.

The basic idea is the so-called "Trojan horse": add a short piece of serial-port output code to the update portion and have it print out the flash contents.

When the J-Link is connected to the PC and JLink.exe is run, it automatically compares the version of the firmware portion embedded in jlinkarm.dll with the firmware version in the hardware; if the DLL's version is newer, it updates that portion in the hardware.

The comparison is based on the year/month/day in the string "J-Link compiled Jun 14 2007 14:36:33 ARM Rev.5": if the date in the DLL's copy of the string is later than the one in the hardware, the update is performed automatically. So changing "Jun 14" to "Jun 15" makes it write the update again.

Now let's look at what the firmware program inside the DLL actually looks like. The DLL is UPX-packed; just unpack it.

Below is the extracted update portion, 0x5400 bytes long.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   2E 00 00 EA 14 F0 9F E5  14 F0 9F E5 14 F0 9F E5   ................
00000010   14 F0 9F E5 FF FF FF FF  10 F0 9F E5 10 F0 9F E5   ................
00000020   04 54 10 00 08 54 10 00  0C 54 10 00 10 54 10 00   .T...T...T...T..
00000030   F8 38 20 00 1C 54 10 00  FF FF FF FF FF FF FF FF   .8 ..T..........
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000050   4A 2D 4C 69 6E 6B 20 63  6F 6D 70 69 6C 65 64 20   J-Link compiled 
00000060   4A 75 6E 20 31 34 20 32  30 30 37 20 31 34 3A 33   Jun 14 2007 14:3
00000070   36 3A 33 33 20 41 52 4D  20 52 65 76 2E 35 00 00   6:33 ARM Rev.5..
00000080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000C0   00 00 0F E1 1F 00 C0 E3  12 00 80 E3 00 F0 21 E1   ..............!.
000000D0   14 D0 9F E5 1F 00 C0 E3  1F 00 80 E3 00 F0 21 E1   ..............!.
000000E0   08 D0 9F E5 08 00 9F E5  10 FF 2F E1 98 3E 20 00   ........../..> .
000000F0   58 3E 20 00 00 50 10 00  70 B5 0C 4C 0C 4E 82 B0   X> ..P..p..L.N..
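As an added example (not code from the original post), the following Python reads the dump above back into bytes, resolves the ARM exception vectors at the start of the image, and implements the date-only version comparison described earlier; it shows that the update decision rests on nothing but the compile-date string, with no integrity check on the image itself. The hex-dump excerpt is constructed from the listing above, and LOAD_ADDR = 0x100000 (start of on-chip flash) is an assumption.

```python
import re
import struct
from datetime import datetime
# Constructed excerpt of the dump above (first 0x80 of the 0x5400 bytes); not the original file.
HEXDUMP = """\
00000000   2E 00 00 EA 14 F0 9F E5  14 F0 9F E5 14 F0 9F E5
00000010   14 F0 9F E5 FF FF FF FF  10 F0 9F E5 10 F0 9F E5
00000020   04 54 10 00 08 54 10 00  0C 54 10 00 10 54 10 00
00000030   F8 38 20 00 1C 54 10 00  FF FF FF FF FF FF FF FF
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00000050   4A 2D 4C 69 6E 6B 20 63  6F 6D 70 69 6C 65 64 20
00000060   4A 75 6E 20 31 34 20 32  30 30 37 20 31 34 3A 33
00000070   36 3A 33 33 20 41 52 4D  20 52 65 76 2E 35 00 00
"""
LOAD_ADDR = 0x100000  # assumed link address: start of the SAM7S64 on-chip flash

def parse_hexdump(text):
    """Rebuild raw bytes from 'offset  xx xx ...' lines; any ASCII column is ignored."""
    image = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if fields and re.fullmatch(r"[0-9A-Fa-f]{8}", fields[0]):
            image.extend(int(h, 16) for h in fields[1:17])
    return bytes(image)

def build_date(image):
    """The only value the updater compares: the date in the 'J-Link compiled' string."""
    m = re.search(rb"J-Link compiled (\w{3} +\d{1,2} \d{4}) \d\d:\d\d:\d\d", image)
    if m is None:
        raise ValueError("no version string in image")
    return datetime.strptime(m.group(1).decode(), "%b %d %Y").date()

def update_triggered(dll_image, device_image):
    """True when JLink.exe would flash the DLL's image over the device firmware."""
    return build_date(dll_image) > build_date(device_image)

def vector_targets(image):
    """Resolve the ARM exception vectors at offset 0 ('B label' / 'LDR PC, [PC, #imm]')."""
    targets = {}
    for slot in range(0, 0x20, 4):
        (insn,) = struct.unpack_from("<I", image, slot)
        if insn >> 24 == 0xEA:                      # B: target = pc+8 + signed24*4
            off = (insn & 0xFFFFFF) - (0x1000000 if insn & 0x800000 else 0)
            targets[slot] = LOAD_ADDR + slot + 8 + off * 4
        elif insn & 0xFFFFF000 == 0xE59FF000:      # LDR PC, [PC, #imm]: read the literal
            targets[slot] = struct.unpack_from("<I", image, slot + 8 + (insn & 0xFFF))[0]
        else:
            targets[slot] = None                    # e.g. the 0xFFFFFFFF placeholder slot
    return targets
```

The resolved vectors match the IDA listing that follows (reset branches to 0x1000C0, the other handlers point at 0x1054xx just past the 0x5400-byte image, and the IRQ slot points into RAM at 0x2038F8).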

Disassembled with IDA:

ROM:00100000                 AREA ROM, CODE, READWRITE, ALIGN=0 
ROM:00100000                 ; ORG 0x100000 
ROM:00100000                 CODE32 
ROM:00100000 
ROM:00100000 loc_100000                          ; DATA XREF: ROM:001050FC o 
ROM:00100000                 B       loc_1000C0 
ROM:00100004 ; --------------------------------------------------------------------------- 
ROM:00100004                 LDR     PC, =0x105404 
ROM:00100008 ; --------------------------------------------------------------------------- 
ROM:00100008                 LDR     PC, =0x105408 
ROM:0010000C ; --------------------------------------------------------------------------- 
ROM:0010000C                 LDR     PC, =0x10540C 
ROM:00100010 ; --------------------------------------------------------------------------- 
ROM:00100010                 LDR     PC, =0x105410 
ROM:00100010 ; --------------------------------------------------------------------------- 
ROM:00100014                 DCD 0xFFFFFFFF 
ROM:00100018 ; --------------------------------------------------------------------------- 
ROM:00100018                 LDR     PC, =0x2038F8 
ROM:0010001C ; --------------------------------------------------------------------------- 
ROM:0010001C                 LDR     PC, =0x10541C 
ROM:0010001C ; --------------------------------------------------------------------------- 
ROM:00100020 dword_100020    DCD 0x105404       ; DATA XREF: ROM:00100004 r 
ROM:00100024 dword_100024    DCD 0x105408        ; DATA XREF: ROM:00100008 r 
ROM:00100028 dword_100028    DCD 0x10540C        ; DATA XREF: ROM:0010000C r 
ROM:0010002C dword_10002C    DCD 0x105410        ; DATA XREF: ROM:00100010 r 
ROM:00100030 dword_100030    DCD 0x2038F8        ; DATA XREF: ROM:00100018 r 
ROM:00100034 dword_100034    DCD 0x10541C        ; DATA XREF: ROM:0010001C r 
ROM:00100038                 DCB 0xFF 
ROM:00100039                 DCB 0xFF 
ROM:0010003A                 DCB 0xFF 
ROM:0010003B                 DCB 0xFF 
ROM:0010003C                 DCB 0xFF 
ROM:0010003D                 DCB 0xFF 
ROM:0010003E                 DCB 0xFF 
ROM:0010003F                 DCB 0xFF 
ROM:00100040                 DCB    0 
ROM:00100041                 DCB    0 
ROM:00100042                 DCB    0 
ROM:00100043                 DCB    0 
ROM:00100044                 DCB    0 
ROM:00100045                 DCB    0 
ROM:00100046                 DCB    0 
ROM:00100047                 DCB    0 
ROM:00100048                 DCB    0 
ROM:00100049                 DCB    0 
ROM:0010004A                 DCB    0 
ROM:0010004B                 DCB    0 
ROM:0010004C                 DCB    0 
ROM:0010004D                 DCB    0 
ROM:0010004E                 DCB    0 
ROM:0010004F                 DCB    0 
ROM:00100050 aJLinkCompiledJ DCB "J-Link compiled Jun 14 2007 14:36:33 ARM Rev.5",0 
ROM:0010007F                 DCB    0 
ROM:00100080                 DCB    0 
ROM:00100081                 DCB    0 
ROM:00100082                 DCB    0 
ROM:00100083                 DCB    0 
ROM:00100084                 DCB    0 
ROM:00100085                 DCB    0 
ROM:00100086                 DCB    0 
ROM:00100087                 DCB    0 
ROM:00100088                 DCB    0 
ROM:00100089                 DCB    0 
ROM:0010008A                 DCB    0 
ROM:0010008B                 DCB    0 
ROM:0010008C                 DCB    0 
ROM:0010008D                 DCB    0 
ROM:0010008E                 DCB    0 
ROM:0010008F                 DCB    0 
ROM:00100090                 DCB    0 
ROM:00100091                 DCB    0 
ROM:00100092                 DCB    0 
ROM:00100093                 DCB    0 
ROM:00100094                 DCB    0 
ROM:00100095                 DCB    0 
ROM:00100096                 DCB    0 
ROM:00100097                 DCB    0 
ROM:00100098                 DCB    0 
ROM:00100099                 DCB    0 
ROM:0010009A                 DCB    0 
ROM:0010009B                 DCB    0 
ROM:0010009C                 DCB    0 
ROM:0010009D                 DCB    0 
ROM:0010009E                 DCB    0 
ROM:0010009F                 DCB    0 
ROM:001000A0                 DCB    0 
ROM:001000A1                 DCB    0 
ROM:001000A2                 DCB    0 
ROM:001000A3                 DCB    0 
ROM:001000A4                 DCB    0 
ROM:001000A5                 DCB    0 
ROM:001000A6                 DCB    0 
ROM:001000A7                 DCB    0 
ROM:001000A8                 DCB    0 
ROM:001000A9                 DCB    0 
ROM:001000AA                 DCB    0 
ROM:001000AB                 DCB    0 
ROM:001000AC                 DCB    0 
ROM:001000AD                 DCB    0 
ROM:001000AE                 DCB    0 
ROM:001000AF                 DCB    0 
ROM:001000B0                 DCB    0 
ROM:001000B1                 DCB    0 
ROM:001000B2                 DCB    0 
ROM:001000B3                 DCB    0 
ROM:001000B4                 DCB    0 
ROM:001000B5                 DCB    0 
ROM:001000B6                 DCB    0 
ROM:001000B7                 DCB    0 
ROM:001000B8                 DCB    0 
ROM:001000B9                 DCB    0 
ROM:001000BA                 DCB    0 
ROM:001000BB                 DCB    0 
ROM:001000BC                 DCB    0 
ROM:001000BD                 DCB    0 
ROM:001000BE                 DCB    0 
ROM:001000BF                 DCB    0 
ROM:001000C0 ; --------------------------------------------------------------------------- 
ROM:001000C0 
ROM:001000C0 loc_1000C0                              ; CODE XREF: ROM:loc_100000 j 
ROM:001000C0                 MRS     R0, CPSR 
ROM:001000C4                 BIC     R0, R0, #0x1F 
ROM:001000C8                 ORR     R0, R0, #0x12 
ROM:001000CC                 MSR     CPSR_c, R0 
ROM:001000D0                 LDR     SP, =0x203E98 
ROM:001000D4                 BIC     R0, R0, #0x1F 
ROM:001000D8                 ORR     R0, R0, #0x1F 
ROM:001000DC                 MSR     CPSR_c, R0 
ROM:001000E0                 LDR     SP, =0x203E58 
ROM:001000E4                 LDR     R0, =loc_105534 
ROM:001000E8                 BX      R0 
ROM:001000E8 ; --------------------------------------------------------------------------- 
ROM:001000EC dword_1000EC    DCD 0x203E98       ; DATA XREF: ROM:001000D0 r 
ROM:001000F0 dword_1000F0    DCD 0x203E58       ; DATA XREF: ROM:001000E0 r 
ROM:001000F4 off_1000F4      DCD loc_105534       ; DATA XREF: ROM:001000E4 r 
ROM:001000F8                 DCB 0x70 ; p 
ROM:001000F9                 DCB 0xB5 ; ? 
ROM:001000FA                 DCB  0xC 
ROM:001000FB                 DCB 0x4C ; L 
ROM:001000FC                 DCB  0xC 

Look at ROM:001000E4 LDR R0, =loc_105534 followed by BX R0:

This is where it jumps into the AT91SAM7S64 bootloader portion. The code after that is not readable; it is presumably encrypted.
So I changed LDR R0, =loc_105534 to LDR R0, =loc_105000,
and at loc_105000 inserted a small piece of code that sets up the serial port and sends the 64 KB at 0x100000 out over it. The result: the device was bricked!!!
My guess is that after the bootloader reads in the update portion, it restores the unreadable part that follows, and the code I added got altered as well, so the 64 KB of flash never came out over the serial port.
If I were to try again, I think the serial-transmit code should be placed at ROM:0010007F, or a little above it; that area probably is not rewritten by the bootloader.
The embedded code needs some adjustment when it is added to the DLL. If it is to go in front of the code in the DLL, it also needs to be slimmed down.

#include <AT91SAM7S64.H>                    /* AT91SAM7S64 definitions */

#define EXT_OC          18432000            /* External oscillator, MAINCK (Hz) */
#define MCK             48054857            /* MCK = PLL clock divided by 2 (Hz) */

#define BR              115200              /* Baud rate */

#define BRD             (MCK/16/BR)         /* Baud rate divisor */

int  sendchar (int ch);
void AT91F_LowLevelInit(void);
void init_serial (void);

int main(void)
{
   int i;
   char *p;

   AT91F_LowLevelInit();

   *AT91C_PMC_PCER = (1 << AT91C_ID_PIOA) |  /* Enable clock for PIOA   */
                     (1 << AT91C_ID_US1);    /* Enable clock for USART1 */

   init_serial();

   p = (char*)0x100000;                      /* Start of on-chip flash */

   for(i = 0; i < 65536; i++)                /* Send all 64 KB, one byte at a time */
   {
      sendchar(*p);
      p++;
   }
   while(1);
}

void AT91F_LowLevelInit(void)
{
   AT91PS_PMC pPMC = AT91C_BASE_PMC;

   /* Set flash wait state:
      single-cycle access at up to 30 MHz, or 40 */
   AT91C_BASE_MC->MC_FMR = AT91C_MC_FWS_1FWS;

   /* Watchdog disable */
   AT91C_BASE_WDTC->WDTC_WDMR = AT91C_WDTC_WDDIS;

   /* Set MCK at 48 054 850 */
   /* 1. Enabling the main oscillator:
        SCK = 1/32768 = 30.51 us
        Start-up time = 8 * 6 / SCK = 48 * 30.51 us = 1.46484375 ms */
   pPMC->PMC_MOR = ((AT91C_CKGR_OSCOUNT & (0x06 << 8)) | AT91C_CKGR_MOSCEN);
   /* Wait the start-up time */
   while(!(pPMC->PMC_SR & AT91C_PMC_MOSCS));

   /* 2. Checking the main oscillator frequency (optional) */
   /* 3. Setting PLL and divider:
        - div by 14: Fin  = 1.3166 MHz (18.432 / 14)
        - mul 72+1:  Fout = 96.1097 MHz (1.3166 * 73)
        for 96 MHz the error is 0.11%
        field OUT not used = 0
        PLLCOUNT: PLL start-up time estimated at 0.844 ms
        PLLCOUNT 28 = 0.000844 / (1/32768) */
   pPMC->PMC_PLLR = ((AT91C_CKGR_DIV & 14) |
                     (AT91C_CKGR_PLLCOUNT & (28 << 8)) |
                     (AT91C_CKGR_MUL & (72 << 16)));

   /* Wait the start-up time */
   while(!(pPMC->PMC_SR & AT91C_PMC_LOCK));
   while(!(pPMC->PMC_SR & AT91C_PMC_MCKRDY));

   /* 4. Selection of master clock and processor clock:
        select the PLL clock divided by 2 */
   pPMC->PMC_MCKR = AT91C_PMC_PRES_CLK_2;
   while(!(pPMC->PMC_SR & AT91C_PMC_MCKRDY));

   pPMC->PMC_MCKR |= AT91C_PMC_CSS_PLL_CLK;
   while(!(pPMC->PMC_SR & AT91C_PMC_MCKRDY));
}

void init_serial (void)                     /* Initialize serial interface */
{
   AT91S_USART * pUSART = AT91C_BASE_US1;   /* Pointer to USART1 */

   /* Hand PA21/PA22 to the peripheral (RXD1/TXD1). USART0 on PA5/PA6
      (AT91C_PA5_RXD0 | AT91C_PA6_TXD0) is not used here. */
   *AT91C_PIOA_PDR = AT91C_PA21_RXD1 | AT91C_PA22_TXD1;

   pUSART->US_CR = AT91C_US_RSTRX |          /* Reset receiver      */
                   AT91C_US_RSTTX |          /* Reset transmitter   */
                   AT91C_US_RXDIS |          /* Receiver disable    */
                   AT91C_US_TXDIS;           /* Transmitter disable */

   pUSART->US_MR = AT91C_US_USMODE_NORMAL |  /* Normal mode */
                   AT91C_US_CLKS_CLOCK    |  /* Clock = MCK */
                   AT91C_US_CHRL_8_BITS   |  /* 8-bit data  */
                   AT91C_US_PAR_NONE      |  /* No parity   */
                   AT91C_US_NBSTOP_1_BIT;    /* 1 stop bit  */

   pUSART->US_BRGR = BRD;                    /* Baud rate divisor */

   pUSART->US_CR = AT91C_US_RXEN  |          /* Receiver enable     */
                   AT91C_US_TXEN;            /* Transmitter enable  */
}

int sendchar (int ch)
{
   /* Write character to serial port */
   AT91S_USART * pUSART = AT91C_BASE_US1;     /* Pointer to USART1 */
   while (!(pUSART->US_CSR & AT91C_US_TXRDY)); /* Wait for empty Tx buffer */
   return (pUSART->US_THR = ch);               /* Transmit character */
}

As for the PC license part, just look at the following; it's very simple.

.text:00413DF0 sub_413DF0      proc near           ; CODE XREF: sub_4144F0+6C p 
.text:00413DF0                                    ; sub_4146A0+105 p 
.text:00413DF0 
.text:00413DF0 arg_0           = dword ptr  14h 
.text:00413DF0 arg_4           = dword ptr  18h 
.text:00413DF0 arg_8           = dword ptr  1Ch 
.text:00413DF0 arg_C           = dword ptr  20h 
.text:00413DF0 
;    License_RDI_V11_S12345678_Eyymmdd _Kabcdabcd 
;    arg_0 = "RDI",  arg_4 = 11, arg_8 = 12345678, arg_c = yymmdd 
.text:00413DF0                 push    ebx             ;  
.text:00413DF1                 push    ebp             ;  
.text:00413DF2                 push    esi 
.text:00413DF3                 push    edi 
.text:00413DF4                 mov     edi, [esp+arg_0] 
.text:00413DF8                 or      ecx, 0FFFFFFFFh 
.text:00413DFB                 xor     eax, eax 
.text:00413DFD                 mov     edx, [esp+arg_8] 
.text:00413E01                 repne scasb 
.text:00413E03                 mov     edi, [esp+arg_4] 
.text:00413E07                 xor     ebp, ebp 
.text:00413E09                 not     ecx 
.text:00413E0B                 dec     ecx 
.text:00413E0C                 xor     edi, edx 
.text:00413E0E                 mov     ebx, ecx 
.text:00413E10                 mov     ecx, [esp+arg_C] 
.text:00413E14                 xor     edi, ecx 
.text:00413E16                 xor     esi, esi 
.text:00413E18                 test    ebx, ebx 
.text:00413E1A                 jle     short loc_413E42 
.text:00413E1C 
.text:00413E1C loc_413E1C:                        ; CODE XREF: sub_413DF0+50 j 
.text:00413E1C                 mov     eax, [esp+arg_0] 
.text:00413E20                 mov     ecx, esi 
.text:00413E22                 and     ecx, 80000003h 
.text:00413E28                 movsx   eax, byte ptr [esi+eax] 
.text:00413E2C                 jns     short loc_413E33 
.text:00413E2E                 dec     ecx 
.text:00413E2F                 or      ecx, 0FFFFFFFCh 
.text:00413E32                 inc     ecx 
.text:00413E33 
.text:00413E33 loc_413E33:                        ; CODE XREF: sub_413DF0+3C j 
.text:00413E33                 shl     ecx, 3 
.text:00413E36                 shl     eax, cl 
.text:00413E38                 cdq 
.text:00413E39                 xor     edi, eax 
.text:00413E3B                 xor     ebp, edx 
.text:00413E3D                 inc     esi 
.text:00413E3E                 cmp     esi, ebx 
.text:00413E40                 jl      short loc_413E1C 
.text:00413E42 
.text:00413E42 loc_413E42:                       ; CODE XREF: sub_413DF0+2A j 
.text:00413E42                 mov     eax, edi 
.text:00413E44                 pop     edi 
.text:00413E45                 imul    eax, 36DF45Dh 
.text:00413E4B                 pop     esi 
.text:00413E4C                 pop     ebp 
.text:00413E4D                 add     eax, 14718ABh      ; eax is the actual check value 
.text:00413E52                 pop     ebx 
.text:00413E53                 retn 
.text:00413E53 sub_413DF0      endp

 

Posted @ 2014-10-30 23:22 by IAmAProgrammer