A U-Boot hacking toolkit for security researchers and tinkerers
Added a handful of configuration checker builtins covering:
Updated Sphinx configuration and dependencies to address broken doc rendering.
Just a little releaselet to get a fix for Issue #91 into main.
Depthcharge.register_payload()
API function (#23)depthcharge
): 0.3.0Introduced AARCH64 support
The depthcharge.arch.AARCH64 class has been introduced to support 64-bit ARMv8)systems. A number of fixes and changes throughout the codebase have been made to accommodate use on 64-bit systems.
There remains a known limitation on ARMv8 devices operating in AARCH32 bit mode, where we do not necessary have a generic means to trigger data aborts.
The RETURN_REGISTER builtin payload and associated GoRegisterReader have been removed, as they ultimately provided little value, while being annoying to add AARCH64-bit support for. The RETURN_MEMORY payload (with no argument) can be used instead to return a gd pointer, if needed.
Summary:
Versions:
depthcharge
): 0.2.0Details:
Introduced configuration checker API and depthcharge-audit-config
The depthcharge.checker
API is designed to to facilitate configuration auditing, where the goal is to consistently and quickly identify common security pitfalls or known vulnerabilities, so time spent on security review efforts can be focused elsewhere (e.g., in newly developed code).
The depthcharge.checker.ConfigChecker
class defines the overarching framework and implements the common auditing and reporting functionality. The depthcharge.checker.UBootConfigChecker
and .UBootHeaderChecker
classes implement support for parsing .config and platform configuration header files, respectively.
The audit() methods of these "checkers" produce depthcharge.checker.Report
objects, which are sets of depthcharge.checker.SecurityRisk
objects that describe the potential risks and provide a high-level, general recommendations. The Report
class supports a few export formats, including html, csv, and Markdown.
The depthcharge-audit-config
script exposes this new API functionality via the command-line.
ARM is longer the default architecture, "Generic" is.
In the interest of being more user friendly, Depthcharge now defaults to an ARM-ish "Generic" architecture, which is still 32-bit and little endian. This change comes with a migration from an arch.py
submodule to an arch
subpackage (containing per-architecture submodules), which is largely transparent to API users.
By making no assumptions about registers and instruction set, we can exclude operations that would otherwise cause a target device to spin out of control. The goal here is try to balance provide some reasonable amount of functionality, while being resilient to platform-specific quirks that would otherwise cause grief fro a newcomer to Depthcharge.
In order to use ARM-specific functionality, one must now do one of the following:
arch='arm'
--arch arm
argumentSee arch/generic.py
for the other Generic architectures available. However, note that 64-bit and big-endian platforms have not yet undergone testing.
Migration uboot.py submodule to a uboot subpackage
The migration of the uboot.py submodule to a uboot subpackage was performed in order to allow new additions to be introduced in a more organized manner.
The uboot.py submodule has been converted to a subpackage organized as follows:
depthcharge.uboot.board
: Platform and "board" configuration datadepthcharge.uboot.cmd_table
: Console command handler table inspectiondepthcharge.uboot.env
: Environment (variable) functionalitydepthcharge.uboot.jump_table
: Exported jump table definitionsThis breaks the (unstable) v0.1.x API. Below is a summary of the v0.1.x items that have been removed, along with their corresponding replacements in the (also unstable) v0.2.x API.
depthcharge.uboot.board:
v0.1.x: depthcharge.uboot.bdinfo_dict()
Replaced by:
v0.2.x: depthcharge.uboot.board.bdinfo_dict()
depthcharge.uboot.cmd_table:
v0.1.x: depthcharge.uboot.cmdtbl_entry_to_bytes()
Replaced by:
v0.2.x: depthcharge.uboot.cmd_table.entry_to_bytes()
depthcharge.uboot.env:
v0.1.x: depthcharge.uboot.raw_environment_regex()
depthcharge.uboot.raw_env_var_regex()
depthcharge.uboot.expand_environment()
depthcharge.uboot.expand_variable()
depthcharge.uboot.parse_raw_environment()
depthcharge.uboot.load_raw_environment()
depthcharge.uboot.save_raw_environment()
depthcharge.uboot.create_raw_environment()
depthcharge.uboot.parse_environment()
depthcharge.uboot.load_environment()
depthcharge.uboot.save_environment()
Replaced by:
v0.2.x: depthcharge.uboot.env.raw_regex()
depthcharge.uboot.env.raw_var_regex()
depthcharge.uboot.env.expand()
depthcharge.uboot.env.expand_variable()
depthcharge.uboot.env.parse_raw()
depthcharge.uboot.env.load_raw()
depthcharge.uboot.env.save_raw()
depthcharge.uboot.env.create_raw()
depthcharge.uboot.env.load()
depthcharge.uboot.env.save()
depthcharge.uboot.jump_table:
v0.1.x: depthcharge.uboot.jump_table_exports()
depthcharge.uboot.find_jump_table()
Replaced by:
v0.2.x: depthcharge.uboot.jump_table.exports()
depthcharge.uboot.jump_table.find()
Opt-in Operation Semantics
Previously, Depthcharge would attempt to automatically explore a device as much as possible when the depthcharge.Depthcharge
context object is created (which is what is happening when the depthcharge-inspect
is used).
However, when beginning work on bringing up support for a MIPS target, it became clear that the (expected) failures resulting from previously untested U-Boot versions (including those heavily modified by a platform vendor) would be very unintuitive to new users of the Depthcharge toolkit. In order to better to provide a better user experience (i.e. a less annoying and kludgy-feeling toolkit), as well as making adding new architecture support less of a hassle, the platform inspection now behaves according to opt-in semantics, rather than opt-out semantics.
In the depthcharge.Depthcharge
constructor, there are now allow_deploy
and skip_deploy
options, whose semantics are detailed in the corresponding API documentation. On the command-line, these correspond to -A, --allow-deploy
and -S, --skip-deploy
arguments.
Similarly, the opt-out of operations requiring a device crash or reboot in scripts was found to be unfriendly and has been similarly been changed to have opt-in semantics. The relevant API function keyword argument has always been allow_reboot
; the change was only needed in scripts' command-line options, which now match: -R, --allow-reboot
Payload base address and offset improvements
The code used to configure the address at which Depthcharge should deploy payloads has been updated to address some deficiencies and better match the promises made in the API docs.
Documentation and packaging fixes - no functional changes.
Note: Affected by issue #14 - use of the 0.1.1.post1 tag is recommended for the time being if you plan to use setup.py
.
depthcharge
): 0.1.1Initial public release of Depthcharge.
Python module (depthcharge
): 0.1.0
Companion Firmware: 0.1.0