Home Explore Help
Register Sign In
danielinux
/
rdp1-bypass
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
rdp1-bypass
/
protocol.txt

protocol.txt 2.8 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. Communication protocol documentation
    2. 

  2. 

  3. UART interface, 3.3V signal levels
    4. 

  4. Pin PA2: TX (microcontroller -> PC)
    5. 

  5. Pin PA3: RX (microcontroller <- PC)
    6. 

  6. 115200 Baud (115k2 Baud)
    7. 

  7. 8 Bit
    8. 

  8. No Parity
    9. 

  9. 1 Stop Bit
    10. 

  10. 

  11. Each command consists of 1 up to several characters followed by a newline (\n). \r and \r\n is also accepted as command ending.
    12. 

  12. 

  13. - Set the start address for firmware extraction (default: 0 = 0x00000000 = "A00000000"):
    14. 

  14. 	AXXXXXXXX\n (where XXXXXXXX is the address HEX. E.g., send A08000000\n to start firmware extraction from address 0x08000000)
    15. 

  15. 

  16. - Set the length of data extraction (default: 65535 = 0x10000 = "L00010000"):
    17. 

  17. 	LXXXXXXXX\n (where XXXXXXXX is the length in HEX. E.g., send L00001000\n to extract 0x1000 = 4096 bytes of data.)
    18. 

  18. 

  19. - Set BIN output mode (default):
    20. 

  20. 	B\n
    21. 

  21. 

  22. - Set HEX output mode:
    23. 

  23. 	H\n
    24. 

  24. 

  25. - Select Little Endian output (default):
    26. 

  26. 	e\n
    27. 

  27. 

  28. - Select Big Endian output:
    29. 

  29. 	E\n
    30. 

  30. 

  31. - Start Firmware extraction:
    32. 

  32. 	S\n
    33. 

  33. 

  34. - Print statistics:
    35. 

  35. 	P\n
    36. 

  36. 

  37. 

  38. The microcontroller will acknowledge every valid command with a human-readible reply containing the current setting. An invalid command will be rejected with "ERROR: unknown command". Each reply microcontroller->PC is ended by \r\n.
    39. 

  39. The address as well as the length (A and L commands) will be automatically adjusted to 32-bit alignment.
    40. 

  40. 

  41. Example for HEX output mode, the firmware dump is also ended by \r\n:
    42. 

  42. AF77D29D 1526DB04 8316DC73 120B63E3 843B6494 \r\n
    43. 

  43. 

  44. In BIN mode, the firmware is sent directly in binary form without any modification (\r\n at the end is also omitted).
    45. 

  45. 

  46. Little Endian mode is recommended for firmware extraction. Disassemblers like radare2 expect the firmware binary to be in little endian. Strings will be directly readible when using little endian.
    47. 

  47. 

  48. The success ratio depends on bus load and other parameters. If a read access fails, it will be retried automatically.
    49. 

  49. When reading an address failes for more than 100 times, the extraction will be aborted, since there is a major issue. The system will print
    50. 

  50. \r\n!ExtractionFailureXXXXXXXX\r\n
    51. 

  51. where XXXXXXXX is the SWD status in hex. (see swd.h swdStatus_t).
    52. 

  52. Reasons can be:
    53. 

  53. - Incorrect connection (SWD, Reset and Power connected correctly? Have you removed any (additional) debugger form the SWD?)
    54. 

  54. - The chip is not affected by the exploit (may apply to future revisions, if ST decides to update their IC masks...) 
    55. 

  55. - You are trying to read into non-existant memory (e.g. Trying to read 128KBytes out of a 64KByte device)
    56. 

  56. 

  57. 

  58. The statistics function prints the following data in Hex:
    59. 

  59. Statistics: \r\n
    60. 

  60. Attempts: 0x00001234\r\n
    61. 

  61. Success: 0x00001200\r\n
    62. 

  62. Failure: 0x00000034\r\n
    63. 

  63. 

  64. Statistics are reset each time the system start extraction (= when the "S" command is received).
    65. 

  65. Attempts: Number of total read attempts (Sum of Success and Failure)
    66. 

  66. Success: Number of successful reads
    67. 

  67. Failure: Nummer of unsuccessful reads
    68.