finish KVG, start KVS stuff

Makefile

@@ -2,8 +2,9 @@ CC ?= gcc
 SHELL ?= /bin/sh
 KVSFLIST := \
 	src/KVS/main.c \
-	src/KVS/ui.c \
+	src/KVS/tpm.c \
-	src/KVS/kernver-utils.c
+	src/KVS/rmasmoke.c \
+	src/KVS/ui.c 
 
 CFLAGS := \
 	-Iinclude \

include/arg_checks.h

@@ -19,4 +19,14 @@ bool fbool(const char *arg)
 	}
 
 	return false;
+}
+
+char *fequals(const char *arg)
+{
+	for (int i = 0; i < gargc; i++) {
+		if (!memcmp(gargv[i], arg, strlen(arg) - 1)) 
+			return gargv[i] + strlen(arg) + 1;
+	}
+
+	return "";
 }

include/ui.h

@@ -0,0 +1,7 @@
+#ifndef KVS2_UI_H
+#define KVS2_UI_H
+
+void ui_flash(char* flashtype);
+void ui_header(char* fwver, char* kernver, char* tpmver, char* fwmp, char* gscver, char* gsctype);
+
+#endif

src/KVG/main.c

@@ -9,19 +9,36 @@
 #include "arg_checks.h"
 #include "hex_utils.h"
 
+uint32_t kvarg;
 
 // basically almost all of this code was pieced together
 // using vboot_reference code, credits to Google
 // for writing most of this code in a sense :3
 
+#define VB2_SHA256_DIGEST_SIZE 32
+
 struct vb2_secdata_kernel_v0 {
     uint8_t struct_version;  
     uint32_t uid;
-    uint32_t kernel_versions;
+    uint32_t kernver;
     uint8_t reserved[3];
     uint8_t crc8;
 } __attribute__((packed));
 
+struct vb2_secdata_kernel_v1 {
+	uint8_t struct_version;  /* 1.0 (or 0x10 in v0 format) */
+	uint8_t struct_size;
+	uint8_t crc8;
+	uint8_t flags;
+	uint32_t kernver;
+	uint8_t ec_hash[VB2_SHA256_DIGEST_SIZE];
+};
+
+
+struct vb2_secdata_kernel_v0 secdata0;
+struct vb2_secdata_kernel_v1 secdata1;
+
+
 struct vb2_context {
     void *secdata_kernel;
 };
@@ -44,17 +61,37 @@ uint8_t vb2_crc8(const void *vptr, uint32_t size)
     return (uint8_t)(crc >> 8);
 }
 
+#define MAJOR_VER(x) (((x) & 0xf0) >> 4)
+#define MINOR_VER(x) ((x) & 0x0f)
+
+static inline int is_v0(struct vb2_context *ctx)
+{
+	struct vb2_secdata_kernel_v1 *sec = (void *)ctx->secdata_kernel;
+	return MAJOR_VER(sec->struct_version) == 0;
+}
+
 static uint8_t secdata_kernel_crc(struct vb2_context *ctx)
 {
-    size_t offset, size;
+	size_t offset, size;
-    offset = 0;
+
-    size = offsetof(struct vb2_secdata_kernel_v0, crc8);
+	if (is_v0(ctx)) {
-    return vb2_crc8(ctx->secdata_kernel + offset, size);
+		offset = 0;
+		size = offsetof(struct vb2_secdata_kernel_v0, crc8);
+	} else {
+		struct vb2_secdata_kernel_v1 *sec
+			= (void *)ctx->secdata_kernel;
+		offset = offsetof(struct vb2_secdata_kernel_v1, flags);
+		size = sec->struct_size - offset;
+	}
+
+	return vb2_crc8(ctx->secdata_kernel + offset, size);
 }
 
+
 int main(int argc, char *argv[]) {
     gargc = argc;
 	gargv = argv;
+    char *version = fequals("--ver");
 
     // if --help or no args are passsed
     // print the usage and an example command
@@ -63,38 +100,69 @@ int main(int argc, char *argv[]) {
         printf("e.g: %s 0x00010001 --raw\n", argv[0]);
         printf("-=-=-=-=-=-=-\n");
         printf("--raw - prints the output as raw hex bytes\n");
+        printf("--ver=<0/1> - specifies the kernver struct version to use, oldui boards use ver0 while newui boards use ver1\n");
         printf("--help - shows this message :3\n");
         printf("-=-=-=-=-=-=-\n");
         printf("KVG was created by kxtzownsu\n");
+        printf("Credits go to Hannah for making the arg parsing system\n");
         exit(0);
     }
 
-    struct vb2_secdata_kernel_v0 secdata;
-
-    secdata.struct_version = 0x02;
-    secdata.uid = 0x4752574c;
-    secdata.reserved[0] = 0x00;
-    secdata.reserved[1] = 0x00;
-    secdata.reserved[2] = 0x00;
-
     // make sure the user sends us a correct hex value, 
     // we dont want to just blindly trust that its correct
     if (is_valid_hex(argv[1])) {
-        uint32_t kvarg = convert_to_uint32(argv[1]);
+        kvarg = convert_to_uint32(argv[1]);
-        secdata.kernel_versions = kvarg;
     } else {
         printf("The entered kernver: %s, wasn't detected as valid hexadecimal, please try again.\n", argv[1]);
         exit(1);
     }
 
-    struct vb2_context ctx;
+    if (strcmp(version, "0") != 0 && strcmp(version, "1") != 0) {
-    ctx.secdata_kernel = (void *)&secdata;
+        printf("The entered struct version: %s, wasn't a valid option (see --help). Please try again.\n", version);
-
+        exit(1);
-    secdata.crc8 = secdata_kernel_crc(&ctx);
-    if (fbool("--raw")) {
-        fwrite(&secdata, sizeof(secdata), 1, stdout);
-    } else {
-        print_hex((uint8_t *)&secdata, sizeof(struct vb2_secdata_kernel_v0));
     }
+
+    if (!strcmp(version, "0")){
+        secdata0.struct_version = 0x02;
+        secdata0.uid = 0x4752574c;
+        secdata0.reserved[0] = 0x00;
+        secdata0.reserved[1] = 0x00;
+        secdata0.reserved[2] = 0x00;
+        secdata0.kernver = kvarg;
+
+        struct vb2_context ctx;
+        ctx.secdata_kernel = (void *)&secdata0;
+
+        secdata0.crc8 = secdata_kernel_crc(&ctx);
+    }
+
+    if (!strcmp(version, "1")) {
+        secdata1.struct_version = 0x10;
+        secdata1.struct_size = sizeof(struct vb2_secdata_kernel_v1);
+	    secdata1.flags = 0x0;
+	    secdata1.kernver = kvarg;
+
+        struct vb2_context ctx;
+        ctx.secdata_kernel = (void *)&secdata1;
+        secdata1.crc8 = secdata_kernel_crc(&ctx);
+    }
+    
+    // god i hate this nesting, TODO: find a better way to detect if we're specifying ver0 or ver1
+    if (fbool("--raw")) {
+        if (!strcmp(version, "0")) {
+            fwrite(&secdata0, sizeof(secdata0), 1, stdout);
+        }
+	    if (!strcmp(version, "1")) {
+	        fwrite(&secdata1, sizeof(secdata1), 1, stdout);
+	    }
+    } else {
+        if (!strcmp(version, "0")) {
+            print_hex((uint8_t *)&secdata0, sizeof(struct vb2_secdata_kernel_v0));          
+        }
+	    if (!strcmp(version, "1")) {
+	        print_hex((uint8_t *)&secdata1, sizeof(struct vb2_secdata_kernel_v1));
+	    }
+    }
+
     return 0;
-}
+}

src/KVS/main.c

@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "ui.h"
+
+int main(int argc, char **argv) {
+	// example values for testing
+	char* fwver = "Google_Grunt.11031.149.0";
+	char* kernver = "0x00010001";
+	char* tpmver = "2.0";
+	char* fwmp = "0x1";
+	char* gscver = "0.5.229";
+	char* gsctype = "Cr50";
+
+	// only allow 2 characters (option & newline)
+	char choice[2];
+
+	ui_header(fwver, kernver, tpmver, fwmp, gscver, gsctype);
+	printf("1) Flash new kernver via /dev/tpm0 (REQ. UNENROLLED)\n");
+	printf("2) Flash new kernver via RMASmoke (REQ. CR50 VER 0.5.229 OR LOWER)\n");
+	printf("3) Make kernver index unwritable\n");
+	printf("4) Shell\n");
+	printf("5) Reboot\n");
+	printf("> ");
+	fgets(choice, sizeof(choice), stdin);
+	if (choice[strlen(choice) - 1] == '\n') {
+		choice[strlen(choice) - 1] = '\0';
+	}
+	printf("You entered: %s\n", choice);
+
+	if (strcmp(choice, "1") == 0) {
+		ui_flash("tpm0");
+	}
+
+	return 0;
+}

src/KVS/ui.c

@@ -0,0 +1,22 @@
+#include <stdio.h>
+
+void ui_flash(char* flashtype) {
+	printf("wip\n");
+}
+
+void ui_header(char* fwver, char* kernver, char* tpmver, char* fwmp, char* gscver, char* gsctype){
+	printf("KVS: Kernel Version Switcher (codename Maglev, bid: 2.0.0))\n");
+	printf("FW Version: %s\n", fwver);
+	printf("Kernel Version: %s\n", kernver);
+	printf("TPM: %s\n", tpmver);
+	printf("FWMP: %s\n", fwmp);
+	printf("GSC RW Version: %s\n", gscver);
+	printf("GSC Type: %s\n", gsctype);
+	printf("-=-=-=-=-=-=-=-=-=-=-=-=-\n");
+}
+
+void ui_credits(){
+	printf("kxtzownsu - Writing KVS 1 and 2\n");
+	printf("Hannah/ZegLol - Helping with /dev/tpm0 flashing, rewriting RMASmoke.\n");
+	printf("Writable - Writing the RMASmoke vulnerability\n");
+}