Depthcharge Versions Save

A U-Boot hacking toolkit for security researchers and tinkerers

0.5.0

1 year ago

Depthcharge Release 0.5.0 ("Food for Thought")

  • Added checker for CVE-2022-2347
  • Added more helpful warning message resulting from a lack of a loadaddr

0.4.0

1 year ago

2022-08-05: Depthcharge Release 0.4.0 ("Entertainment!")

Added a handful of configuration checker builtins covering:

  • CVE-2022-30552 and CVE-2022-30790 (#97)
  • CVE-2021-27138 and CVE-2021-27097 (#99)
  • No CVE: part_test_dos() stack overflow (#98)
  • CVE-2020-8432
  • CVE-2017-3225 and CVE-2017-3226
  • CONFIG_ENV_IS_IN_* items (#90)
  • CONFIG_FIT_SIGNATURE=y without CONFIG_FIT_FULL_CHECK=y

0.3.2

2 years ago

Updated Sphinx configuration and dependencies to address broken doc rendering.

0.3.1

2 years ago

Just a little releaselet to get a fix for Issue #91 into main.

0.3.0

2 years ago

2021-08-01: Depthcharge Release 0.3.0 ("Danny Nadelko")

Summary

  • Introduced AARCH64 support (#3)
  • Added Depthcharge.register_payload() API function (#23)
  • Added icache/dcache flush upon payload deployment (#24)
  • Fixed ARM DataAbort parsing issue when in Thumb mode (#79)
  • Fixed issue displaying multiple DRAM bank info (#81)
  • Documentation updates and fixes
  • Removal of RETURN_REGISTER payload.

Versions

  • Python module (depthcharge): 0.3.0
  • Companion Firmware: 0.1.0

Details

Introduced AARCH64 support

The depthcharge.arch.AARCH64 class has been introduced to support 64-bit ARMv8)systems. A number of fixes and changes throughout the codebase have been made to accommodate use on 64-bit systems.

There remains a known limitation on ARMv8 devices operating in AARCH32 bit mode, where we do not necessary have a generic means to trigger data aborts.

The RETURN_REGISTER builtin payload and associated GoRegisterReader have been removed, as they ultimately provided little value, while being annoying to add AARCH64-bit support for. The RETURN_MEMORY payload (with no argument) can be used instead to return a gd pointer, if needed.

0.2.0

3 years ago

2020-12-01: Depthcharge Release 0.2.0 ("Clatter and Hiss")

Summary:

  • Introduced configuration checker API and depthcharge-audit-config
  • Command-line argument and API "breaking" changes:
    • ARM is longer the default architecture, "Generic" is
    • Migrated uboot.py submodule to a uboot subpackage
    • Change to opt-in semantics for payload deploy+execute, device crash/reboot
    • Payload base and offset improvements

Versions:

  • Python module (depthcharge): 0.2.0
  • Companion Firmware: 0.1.0

Details:

Introduced configuration checker API and depthcharge-audit-config

The depthcharge.checker API is designed to to facilitate configuration auditing, where the goal is to consistently and quickly identify common security pitfalls or known vulnerabilities, so time spent on security review efforts can be focused elsewhere (e.g., in newly developed code).

The depthcharge.checker.ConfigChecker class defines the overarching framework and implements the common auditing and reporting functionality. The depthcharge.checker.UBootConfigChecker and .UBootHeaderChecker classes implement support for parsing .config and platform configuration header files, respectively.

The audit() methods of these "checkers" produce depthcharge.checker.Report objects, which are sets of depthcharge.checker.SecurityRisk objects that describe the potential risks and provide a high-level, general recommendations. The Report class supports a few export formats, including html, csv, and Markdown.

The depthcharge-audit-config script exposes this new API functionality via the command-line.

ARM is longer the default architecture, "Generic" is.

In the interest of being more user friendly, Depthcharge now defaults to an ARM-ish "Generic" architecture, which is still 32-bit and little endian. This change comes with a migration from an arch.py submodule to an arch subpackage (containing per-architecture submodules), which is largely transparent to API users.

By making no assumptions about registers and instruction set, we can exclude operations that would otherwise cause a target device to spin out of control. The goal here is try to balance provide some reasonable amount of functionality, while being resilient to platform-specific quirks that would otherwise cause grief fro a newcomer to Depthcharge.

In order to use ARM-specific functionality, one must now do one of the following:

  • API: Create a Depthcharge context using arch='arm'
  • Scripts: pass an --arch arm argument

See arch/generic.py for the other Generic architectures available. However, note that 64-bit and big-endian platforms have not yet undergone testing.

Migration uboot.py submodule to a uboot subpackage

The migration of the uboot.py submodule to a uboot subpackage was performed in order to allow new additions to be introduced in a more organized manner.

The uboot.py submodule has been converted to a subpackage organized as follows:

  • depthcharge.uboot.board: Platform and "board" configuration data
  • depthcharge.uboot.cmd_table: Console command handler table inspection
  • depthcharge.uboot.env: Environment (variable) functionality
  • depthcharge.uboot.jump_table: Exported jump table definitions

This breaks the (unstable) v0.1.x API. Below is a summary of the v0.1.x items that have been removed, along with their corresponding replacements in the (also unstable) v0.2.x API.

   depthcharge.uboot.board:
    v0.1.x: depthcharge.uboot.bdinfo_dict()

                        Replaced by:

    v0.2.x: depthcharge.uboot.board.bdinfo_dict()


   depthcharge.uboot.cmd_table:
    v0.1.x: depthcharge.uboot.cmdtbl_entry_to_bytes()

                        Replaced by:

    v0.2.x: depthcharge.uboot.cmd_table.entry_to_bytes()


   depthcharge.uboot.env:
    v0.1.x: depthcharge.uboot.raw_environment_regex()
            depthcharge.uboot.raw_env_var_regex()
            depthcharge.uboot.expand_environment()
            depthcharge.uboot.expand_variable()
            depthcharge.uboot.parse_raw_environment()
            depthcharge.uboot.load_raw_environment()
            depthcharge.uboot.save_raw_environment()
            depthcharge.uboot.create_raw_environment()
            depthcharge.uboot.parse_environment()
            depthcharge.uboot.load_environment()
            depthcharge.uboot.save_environment()

                        Replaced by:

    v0.2.x: depthcharge.uboot.env.raw_regex()
            depthcharge.uboot.env.raw_var_regex()
            depthcharge.uboot.env.expand()
            depthcharge.uboot.env.expand_variable()
            depthcharge.uboot.env.parse_raw()
            depthcharge.uboot.env.load_raw()
            depthcharge.uboot.env.save_raw()
            depthcharge.uboot.env.create_raw()
            depthcharge.uboot.env.load()
            depthcharge.uboot.env.save()


   depthcharge.uboot.jump_table:
    v0.1.x: depthcharge.uboot.jump_table_exports()  
            depthcharge.uboot.find_jump_table()

                        Replaced by:

    v0.2.x: depthcharge.uboot.jump_table.exports()
            depthcharge.uboot.jump_table.find()

Opt-in Operation Semantics

Previously, Depthcharge would attempt to automatically explore a device as much as possible when the depthcharge.Depthcharge context object is created (which is what is happening when the depthcharge-inspect is used).

However, when beginning work on bringing up support for a MIPS target, it became clear that the (expected) failures resulting from previously untested U-Boot versions (including those heavily modified by a platform vendor) would be very unintuitive to new users of the Depthcharge toolkit. In order to better to provide a better user experience (i.e. a less annoying and kludgy-feeling toolkit), as well as making adding new architecture support less of a hassle, the platform inspection now behaves according to opt-in semantics, rather than opt-out semantics.

In the depthcharge.Depthcharge constructor, there are now allow_deploy and skip_deploy options, whose semantics are detailed in the corresponding API documentation. On the command-line, these correspond to -A, --allow-deploy and -S, --skip-deploy arguments.

Similarly, the opt-out of operations requiring a device crash or reboot in scripts was found to be unfriendly and has been similarly been changed to have opt-in semantics. The relevant API function keyword argument has always been allow_reboot; the change was only needed in scripts' command-line options, which now match: -R, --allow-reboot

Payload base address and offset improvements

The code used to configure the address at which Depthcharge should deploy payloads has been updated to address some deficiencies and better match the promises made in the API docs.

0.1.1

3 years ago

Release 0.1.1 (Burn No Bridges)

Documentation and packaging fixes - no functional changes.

Note: Affected by issue #14 - use of the 0.1.1.post1 tag is recommended for the time being if you plan to use setup.py.

Versions

  • Python module (depthcharge): 0.1.1
  • Companion Firmware: 0.1.0

0.1.0

3 years ago

Release 0.1.0 (Against the Grain)

Initial public release of Depthcharge.

Versions

Python module (depthcharge): 0.1.0 Companion Firmware: 0.1.0

Current limitations

  • Supports ARM (32-bit) only. Additional architecture support can be introduced via python/depthcharge/arch.py.
  • The Companion Firmware currently acts only as an I2C peripheral. This can certainly be expanded upon to also act as a SPI peripheral.
  • GoExecutor is the only Executor implementation. Boot commands could also be leveraged as such, provided that payloads are wrapped in appropriate image formats, preferably automatically by Depthcharge.