
Unable to compile for arm_xscale #34

Open
stanleyws opened this issue May 18, 2024 · 9 comments

@stanleyws

I have a Linksys EA4500v2 router that has a Marvell 88F6282 CPU with the arm_xscale architecture. Compiling with the option '-mcpu=xscale' returns a lot of undefined symbol errors:
LLD Link... ld.lld: error: undefined symbol: __sync_lock_test_and_set_4
I looked it up and it seems like the arm_xscale architecture (armv5) does not have atomic instructions. So I guess there is no easy fix for this.

Also verified the mipsel binary works on my Linksys EA7500v2 router (with MT7621 CPU).

@xfangfang
Owner

This should be a zig problem; there was once a PR to fix it: ziglang/zig#10756

Maybe you can find a cross-compilation toolchain suitable for your device from OpenWrt; that should be able to compile it.

@xfangfang
Owner

xfangfang commented Jun 6, 2024

I used the docker image (muslcc/x86_64:armv5l-linux-musleabi) provided by https://musl.cc to compile the armv5 version of pppwn_cpp successfully, and it runs normally on QEMU. You can test it to see if it runs properly on your router. If everything is fine, I will update the CI code.

/src/armv5 # readelf -A pppwn
Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "5T"
  Tag_CPU_arch: v5T
  Tag_ARM_ISA_use: Yes
  Tag_THUMB_ISA_use: Thumb-2
  Tag_ABI_PCS_wchar_t: 4
  Tag_ABI_FP_rounding: Needed
  Tag_ABI_FP_denormal: Needed
  Tag_ABI_FP_exceptions: Needed
  Tag_ABI_FP_number_model: IEEE 754
  Tag_ABI_align_needed: 8-byte
  Tag_ABI_enum_size: int
  Tag_ABI_optimization_goals: Aggressive Size

pppwn_armv5_b1.tar.gz

@stanleyws
Author

Thanks for the update. I can confirm the binary runs on the Linksys EA4500, but it doesn't successfully jailbreak my PS4 on 11.00. It causes a kernel panic on the PS4 every time at stage 2, with this output:
[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...
[+] pppoe_softc_list: 0xff90836578000201
[+] kaslr_offset: 0xff908365f3b1dc89
[-] Error: Leak is invalid. Wrong firmware?
[*] Sending PADT...
[*] Retry after 5s...

And this is the command line I launched pppwn with:
root@OpenWrt:~# ./pppwn -i br-lan --fw 1100 -s1 stage1_1100.bin -s2 stage2_1100.bin -a

@xfangfang
Owner

Can you provide the whole logs?

@xfangfang
Owner

xfangfang commented Jun 6, 2024

And it would be better if you could provide a PCAP monitoring file using Wireshark (or tcpdump).

@stanleyws
Author

Here's the complete log:

root@OpenWrt:~# ./pppwn -i br-lan --fw 1100 -s1 stage1_1100.bin -s2 stage2_1100.bin -a
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=stage1_1100.bin stage2=stage2_1100.bin timeout=0 wait-after-pin=1 groom-delay=4 buffer-size= 0 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffa8d4784e9000
[+] Target MAC: bc:60:a7:bc:30:07
[+] Source MAC: 07:90:4e:78:d4:a8
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::be60:a7ff:febc:3007
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Sending PADT...
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffa8d207f42400
[+] Target MAC: bc:60:a7:bc:30:07
[+] Source MAC: 07:24:f4:07:d2:a8
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::be60:a7ff:febc:3007
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Sending PADT...
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffa8d478d89c00
[+] Target MAC: bc:60:a7:bc:30:07
[+] Source MAC: 07:9c:d8:78:d4:a8
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::be60:a7ff:febc:3007
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0558:4141:4141:4141

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...
[+] pppoe_softc_list: 0xff9b9ea578000201
[+] kaslr_offset: 0xff9b9ea5f3b1dc89
[-] Error: Leak is invalid. Wrong firmware?
[*] Sending PADT...
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
^C[*] Sending PADT...
root@OpenWrt:~# 

And here's the tcpdump capture file:
dump.zip

@xfangfang
Owner

pppwn_armv5_b2.tar.gz

I think this issue may be related to memory alignment. I don't have much experience working on embedded platforms and don't have the device to test, so I'm not sure whether there are any other memory alignment issues. Therefore, I will describe in detail how I compiled and what I modified. If this build still cannot run, you may need to make the necessary modifications yourself.

How to build

git clone git@github.com:xfangfang/PPPwn_cpp.git
cd PPPwn_cpp
docker run -it --rm -v `pwd`:/src muslcc/x86_64:armv5l-linux-musleabi sh

apk update
apk add cmake make git flex bison
cd /src && mkdir armv5 && cd armv5
cmake -DUSE_SYSTEM_PCAP=OFF -DCMAKE_CXX_FLAGS="-static" -DCMAKE_C_FLAGS="-static" ..
make -j8 pppwn

How to solve the memory alignment problem

PPPwn_cpp/src/exploit.cpp

Lines 926 to 937 in cbc09a3

            if (option[1] > 1) {
                auto *self = (Exploit *) cookie;
                self->pppoe_softc_list = htole64(*(uint64_t *) (option + 3));
                return true; // length > 1
            }
            return false;
        }, this);
    std::cout << "[+] pppoe_softc_list: 0x" << std::hex << pppoe_softc_list << std::endl;
    this->kaslr_offset = pppoe_softc_list - offs.PPPOE_SOFTC_LIST;
    std::cout << "[+] kaslr_offset: 0x" << std::hex << kaslr_offset << std::endl;

I think the problem lies in line 928: self->pppoe_softc_list = htole64(*(uint64_t *) (option + 3));

From the pcap dump, option is: 01,02,00,78,a5,9e,9b,ff,ff,ff,ff,00,00,00,00,00

pppoe_softc_list should be: 0xffffff9b9ea578, but the log shows: 0xff9b9ea578000201

So I changed line 928 to:

memcpy(&self->pppoe_softc_list, option + 3, sizeof(uint64_t));
self->pppoe_softc_list = htole64(self->pppoe_softc_list);

If there are other issues, you may need to find similar code (*(uint64_t *), *(uint32_t *) ...) and make similar adjustments.

P.S. You can use test3: https://github.com/xfangfang/PPPwn_cpp/tree/main/tests Execute it on the router and compare the output with that on the PC to make it easier to identify issues.

Possible problem locations

#define V64BE(list, index, data) (*(uint64_t *) &(list)[index]) = htobe64(data)
#define V64(list, index, data) (*(uint64_t *) &(list)[index]) = htole64(data)
#define V32(list, index, data) (*(uint32_t *) &(list)[index]) = htole32(data)
#define V16(list, index, data) (*(uint16_t *) &(list)[index]) = htole16(data)
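
The following is an added example for this thread, not code from PPPwn_cpp: alignment-safe little-endian load and store helpers that can stand in for the `*(uint64_t *)(p + n)` casts and the V64BE/V64/V32/V16 macros, applied to the option bytes quoted from the pcap. `parse_softc_list_option` mirrors the callback in the excerpt (length byte at option[1], pointer at option + 3) but takes an `avail` bounds parameter that the thread's callback does not have. `aligned_down_load_le64` is only a model of the value the ARMv5 log printed (the eight bytes at option + 0 instead of option + 3); the thread does not establish the exact hardware or compiler mechanism behind it.

```cpp
// Added example (not PPPwn_cpp code): portable, alignment-safe byte accessors.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Load a little-endian value from an arbitrarily aligned byte pointer.
// Assembling from bytes is valid on every target and endianness; the compiler
// folds it into one load where unaligned access is allowed (x86, ARMv7+) and
// into byte loads on ARMv5, where the pointer-cast version misreads.
// memcpy(&v, p, 8) followed by htole64(v), as in the fix above, is equivalent
// on a little-endian host.
static inline uint64_t load_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}
static inline uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static inline uint16_t load_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

// Store helpers that replace the V64BE/V64/V32/V16 macros.
static inline void store_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; ++i) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}
static inline void store_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; --i) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}
static inline void store_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; ++i) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}
static inline void store_le16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

// Mirrors the callback from the excerpt: an option whose length byte
// (option[1]) is greater than 1 carries the leaked pppoe_softc_list pointer in
// the eight bytes starting at option + 3. The `avail` check is an addition
// (assumption: the caller knows how many bytes remain in the packet).
static bool parse_softc_list_option(const uint8_t *option, size_t avail, uint64_t *out) {
    if (avail < 11) return false;      // need option[1] and bytes 3..10
    if (option[1] <= 1) return false;  // length <= 1: ordinary option, no leak
    *out = load_le64(option + 3);
    return true;
}

// Model of the value the ARMv5 log showed: the eight bytes at the address
// rounded down to an 8-byte boundary instead of at option + 3.
static uint64_t aligned_down_load_le64(const uint8_t *base, size_t off) {
    return load_le64(base + (off & ~(size_t)7));
}

// Option bytes exactly as quoted from the pcap in the thread. alignas(8) so the
// aligned-down model starts at byte 0, as the logged value implies.
alignas(8) static const uint8_t kOptionFromPcap[16] = {
    0x01, 0x02, 0x00, 0x78, 0xa5, 0x9e, 0x9b, 0xff,
    0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00};

// Returns the leak parsed from the sample option, or 0 if it is rejected.
static uint64_t leaked_softc_list_from_sample(void) {
    uint64_t leak = 0;
    return parse_softc_list_option(kOptionFromPcap, sizeof kOptionFromPcap, &leak) ? leak : 0;
}

// Round-trip check of the store helpers at unaligned offsets.
static bool store_roundtrip_ok(void) {
    uint8_t buf[32] = {0};
    store_le64(buf + 1, 0xffffffff9b9ea578ULL);
    store_be64(buf + 9, 0x0102030405060708ULL);
    store_le32(buf + 17, 0xdeadbeefU);
    store_le16(buf + 21, 0xbeefU);
    return load_le64(buf + 1) == 0xffffffff9b9ea578ULL
        && buf[9] == 0x01 && buf[16] == 0x08
        && load_le32(buf + 17) == 0xdeadbeefU
        && load_le16(buf + 21) == 0xbeefU;
}

int main(void) {
    std::printf("[+] pppoe_softc_list (portable load): 0x%llx\n",
                (unsigned long long)leaked_softc_list_from_sample());
    std::printf("[-] aligned-down misread, as in the ARMv5 log: 0x%llx\n",
                (unsigned long long)aligned_down_load_le64(kOptionFromPcap, 3));
    std::printf("[%c] store round-trip\n", store_roundtrip_ok() ? '+' : '-');
    return 0;
}
```

Read little-endian, the eight bytes after the three-byte option header give 0xffffffff9b9ea578, while the aligned-down model reproduces the 0xff9b9ea578000201 printed on the router. The same byte-assembly pattern works for the store macros, which otherwise write 8-, 4- and 2-byte values into packet buffers at offsets that are not naturally aligned.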

@stanleyws
Author

I think it's indeed a memory alignment problem. The updated binary won't crash the console at step 2, but it causes a kernel panic at stage 3 right after "[*] Triggering code execution...".

I'll take a look at the code. Thanks again.

@xfangfang
Owner

I forgot one step: in order to compile, one line of the cmake file needs to be modified, from

COMMAND ${ZIG} cc -o ${CMAKE_BINARY_DIR}/pack ${mongoose_SOURCE_DIR}/test/pack.c

to

COMMAND ${ZIG} cc ${CMAKE_C_FLAGS} -o ${CMAKE_BINARY_DIR}/pack ${mongoose_SOURCE_DIR}/test/pack.c
