如何破解Syscan360会议胸牌 Secer's Blog - 记录互联网安全历程与个人成长经历

<div style="text-align: center; box-sizing: border-box; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);="" text-align:="" center;"=""><span style="font-size:24px;"><span style="box-sizing: border-box; font-weight: 700;">揭密破解Syscan360</span><span style="box-sizing: border-box; font-weight: 700;">会议胸牌</span></span><div style="text-align: center; box-sizing: border-box; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);="" text-align:="" center;"=""><span style="font-size:16px;"><span style="box-sizing: border-box; font-weight: 700;">作者：阿里安全IoT</span><span style="box-sizing: border-box; font-weight: 700;">安全研究 </span><span style="font-weight: 700;">谢君</span></span><div style="text-align: center; box-sizing: border-box; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);="" text-align:="" center;"=""><span style="box-sizing: border-box; font-weight: 700;"><br /></span><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><span style="box-sizing: border-box; font-weight: 700;"><span style="font-size:19px;">背景：</span></span><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">有幸参加今年11月份的上海Syscan360安全会议，会议期间有一个亮点就是360的独角兽团队设计了一款电子badge(胸牌)供参加人员进行破解尝试，类似于美国Defcon上面的那种解密puzzle的比赛，在参会现场的人都可以参加这种破解，总共9道题，规则是现场会给每道题谜面，在这块胸牌上面输入正确的谜底才能进入下一题，解题需要开脑洞，有好些人参与破解，而且有好些人都解出来了，今天笔者从这块胸牌的硬件和软件层面去揭密这个胸牌的一些有意思的功能和如何在不需要知道谜面的情况下，快速解密答案，算是硬件破解方面抛砖引玉。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><span style="box-sizing: border-box; font-weight: 700;"><span style="font-size:19px;">初识篇：</span></span><p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">我这边看到有两块板，一块黑色一块红色，其中黑色如下</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/05b920148680788517e73e8d0a28753d.png" alt="" width="283" height="396" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /> <img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/a7e674df162b171e3f423a05f9bd667f.png" alt="" width="307" height="395" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">硬件配置如下：<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">MCU: 德州仪器TI CC1310 型号（CC1310F64RGZ）VQFN (48) 7.00 mm × 7.00 mm<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">ARM Cortex-M3处理器,时钟速度高达48Mhz<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">64KB片上可编程flash，20KB静态内存SRAM，30个GPIO口<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">RF Core支持收发1Ghz以下的无线信号<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">外置存储器: Winbond 25Q32bvsig<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">32Mbits存储空间<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">一个LCD液晶屏<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">四个led灯，若干电阻和电容，6个按键和开关，所有的这些构成一个小型的嵌入式系统<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">使用方法：<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">6个按键，分别负责切换不同的可打印的ASCII码，删除，进入和返回等功能<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">只有所有的关卡通过后才能出现控制闪灯和产生红外信号去关闭遥控电视的功能，这是后话，后面细讲。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><span style="box-sizing: border-box; font-weight: 700;"><span style="font-size:19px;">硬件篇：</span></span><p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">要想了解里面的原理和功能，必须得拿到里面的代码逻辑。通过查阅MCU CC1310芯片的数据手册，我们发现它支持jtag仿真调试，我们只需要外挂支持ARM的仿真器，就可以进行整个内存空间的访问和片上动态调试，这一点对于我们逆向来讲非常有帮助，CC1310芯片布局如下。</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/1dfb49ddde9a55a1e7696eeee4bf9ee4.png" alt="" width="634" height="387" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">DIO_16 26 Digital I/O GPIO, JTAG_TDO, high-drive capability<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">DIO_17 27 Digital I/O GPIO, JTAG_TDI, high-drive capability<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">我们知道要进行jtag调试需要至少4根信号线分别是TMS,TCK,TDI,TDO，(RST可选)最后是GND(接地), 具体JTAG的定义和各个信号线的定义大家可以网上搜索，我就不赘述了，找到这几个信号线接到相应的仿真器上就可以进行调试了。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">从该MCU的电子手册我们得知这四个信号线的Pin脚位置如下。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> TMS 24<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> TCK 25<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> TDO 26<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> TDI 27<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">然后我们可以通过万电表量出这几个引脚引出来的位置，刚好这板子已经把这几个信号脚引出来了，也省去我们不少麻烦。</div><div style="text-align: left;"> <img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/76774d6b1d76d4a0482e93810f0d5374.png" alt="" width="575" height="383" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">好了，焊好线后，需要我们的仿真器出场了，笔者使用的ft2232h mini module，当然大家也可以选用别的仿真器，像jlink之类的，简单说一下这个mini module，它是一个多硬件协议(MPSSE)集一身的小模块，比如SPI/JTAG/I2C等，共用GPIO口，非常方便，接下来就是连线了，连接图如下。</div><div style="text-align: left;"> <img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/edcb9bc34a49236799b0ab82ebdd81eb.png" alt="" width="609" height="427" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">右边是mini module CN-2接口Pin脚，左边是CC1310的引脚，GND随便找一个板子接地的地方接上就好了。<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">下面就是ft2232h mini module</div><div style="text-align: left;"> <img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/5e1e3a925c14975f6a94c1b5ca1cf890.png" alt="" width="595" height="434" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">好了，接下来就是激动人心的时刻了。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><span style="box-sizing: border-box; font-weight: 700;"><span style="font-size:19px;">软件篇：</span></span><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">硬件连接准备就绪后，我们开始驱动仿真器来进行片上调试。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">调试工具准备如下：<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">OpenOCD (开源的硬件调试软件)<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">Arm-none-eabi-gdb (arm版的gdb)<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">在使用openocd之前需要准备好cc1310的调试配置文件cc1310.cfg，在<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><a href="http://openocd.zylin.com/gitweb?p=openocd.git;a=blob;f=tcl/target/cc1310.cfg;h=8f86bd4b965a02922ae1abc98f53c8a4c65f9711;hb=27c749394270555698e3f5413082d5c6898d8151%BF%C9%D2%D4%D5%D2%B5%BD" style="box-sizing: border-box; background: 0px 0px; color: rgb(66, 139, 202); text-decoration: none;">http://openocd.zylin.com/gitweb?p=openocd.git;a=blob;f=tcl/target/cc1310.cfg;h=8f86bd4b965a02922ae1abc98f53c8a4c65f9711;hb=27c749394270555698e3f5413082d5c6898d8151可以找到</a>。<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">一切准备妥当，接下来就可以开始见证奇迹的时刻了。</div><div style="text-align: left;"> <img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/1c3c91790a6430e7ffaa265e5bd2c356.png" alt="" width="623" height="323" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">运行telnet localhost 4444进行命令行来控制操作cpu或者内存空间，在这里我们可把cpu halt暂停下来，cpu重置，设置断点等操作。<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">在这里我们执行halt命令，cpu就断下来了，效果如下</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/a5ac1cbaef30c3f27cde7c690d77e98c.png" alt="" width="630" height="211" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">这个时侯我的gdb就可以远程attach上去进行动态调试与内存空间访问了。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">运行arm-none-eabi-gdb，gdb里面执行target remote localhost:3333<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">进行远程调试连接，可以内存空间访问与动态调试。</div><div style="text-align: left;"> <img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/84311b10b166e362aec5ea7d152c1122.png" alt="" width="619" height="189" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">好了，我们可以内存空间访问了，先把固件，flash，和内存数据dump出来，静态分析一下吧。<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">如下是cc13xx芯片的内存空间地址映射表，它可以让我们知道dump哪些有用的数据</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/b476ea8d2f0afaa77da42a55cd4b4b6d.png" alt="" width="623" height="263" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">0地址开始到0x10000是我们CC1310F64型号的flash的地址空间<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">BootROM是从0x10000000到0x10020000<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">SRAM地址从0x20000000到0x20005000<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">好了，我们就dump这三块位置。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">在gdb里面运行如下命令<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">dump binary memory cc1310_flash.bin 0 0x10000<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">dump binary memory cc1310_brom.bin 0x10000000 0x10020000<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">dump binary memory cc1310_sram.bin 0x20000000 0x20005000<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">好了，合并这三个文件用IDA进行反汇编，不同的段进行地址重定位，可以做到地址精确引用，如下。</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/125f8ae2b28911b36917985cb08a7413.png" alt="" width="567" height="147" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">好了，接下来就是逆向篇了，如何找到答案和分析其代码逻辑等等。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">逆向篇：<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">我们通过IDA里面的一些字符串获得一些线索。</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/1ac4b2533187ae89d512c1a52047fb43.png" alt="" width="611" height="563" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">然后我们很快找到每一道题的答案了</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/5b542a9b32ea69d6b44f9323d9451762.png" alt="" width="622" height="822" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">解释一下这里面的一些逻辑。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">这里面每一道题的提示和答案，还有用户自定义ID存储在flash 0xe000开始的区域里面，总共长度0xe2个字节，运行时会把这块区域数据读到SRAM里面，在SRAM里面进行操作，然后把SRAM结果写回到0xe000这块区域里，以保证下次设备重启数据和进度不会丢失，其结构如下。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">0xe000 ---0xe010 存储用户设置的ID<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">0xe014 --- 0xe015 存储用户过了多少关了（直接改成9就通关了：），修改SRAM里面相应的存储的数据，然后通过ID设置来触发写回到0xe014，这样就生效了）<p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">如下是不同关卡的提示和答案</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/fb57ec19a454a0d8eb344902e4c849d3.png" alt="" width="316" height="790" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/e00fb9680944815fbdbe15ee78c53a87.png" alt="" width="318" height="594" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">比较每一个关卡的用户输入答案，并进行更新</div><div style="text-align: left;"><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/4a576eaee402c969111bad29c57feade.png" alt="" width="625" height="403" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /></div><p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">0x20001060存储着flash地址0xe000里面的数据<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">偏移0x14就是用户当前所在关卡数，如果答案比较相等，这个关卡数加1并写回到flash里面，并在屏幕上显示『right!』。<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">总共9道题的答案分别是<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">UR1NMYW0RLD!<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">42<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">ORDREDUTEMPLE<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">FQJPVDPOK<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">VYTX<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">LOYAL<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">GNILCS<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">FIBONACHI<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">WORLD<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"="">通关最后的结果如下<p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><img src="http://ata2-img.cn-hangzhou.img-pub.aliyun-inc.com/084ab3f65b238deedf81d78630d4252f.png" alt="" width="649" height="470" style="box-sizing: border-box; vertical-align: middle; max-width: 100%;" /> <p style="text-align: left; box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51);" helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""> <p style="box-sizing: border-box; margin-top: 20px; margin-bottom: 20px; color: rgb(51, 51, 51); font-family: " helvetica="" neue",="" helvetica,="" arial,="" "hiragino="" sans="" gb",="" "microsoft="" yahei",="" sans-serif;="" font-size:="" 16px;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div style="text-align: left;">如果你只想知道答案，看到这里就可以了，接下来会讲讲里面的一些其它功能。</div><br /><br />

如何破解Syscan360会议胸牌

Hacking more