1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-15 20:19:23 +00:00
trezor-firmware/python/src/trezorlib/debuglink.py

574 lines
19 KiB
Python
Raw Normal View History

# This file is part of the Trezor project.
2016-11-25 21:53:55 +00:00
#
2019-05-29 16:44:09 +00:00
# Copyright (C) 2012-2019 SatoshiLabs and contributors
2016-11-25 21:53:55 +00:00
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License version 3
# as published by the Free Software Foundation.
2016-11-25 21:53:55 +00:00
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the License along with this library.
# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
2019-10-18 11:31:57 +00:00
from collections import namedtuple
from copy import deepcopy
from mnemonic import Mnemonic
2016-05-20 20:27:20 +00:00
2019-10-17 11:25:47 +00:00
from . import messages as proto, protobuf
from .client import TrezorClient
2018-10-02 15:37:03 +00:00
from .tools import expect
2017-06-23 19:31:42 +00:00
EXPECTED_RESPONSES_CONTEXT_LINES = 3
2012-12-13 19:05:04 +00:00
2019-10-18 11:31:57 +00:00
LayoutLines = namedtuple("LayoutLines", "lines text")
def layout_lines(lines):
return LayoutLines(lines, " ".join(lines))
class DebugLink:
def __init__(self, transport, auto_interact=True):
self.transport = transport
self.allow_interactions = auto_interact
def open(self):
trezorlib: transport/protocol reshuffle This commit breaks session handling (which matters with Bridge) and regresses Bridge to an older code state. Both of these issues will be rectified in subsequent commits. Explanation of this big API reshuffle follows: * protocols are moved to trezorlib.transport, and to a single common file. * there is a cleaner definition of Transport and Protocol API (see below) * fully valid mypy type hinting * session handle counters and open handle counters mostly went away. Transports and Protocols are meant to be "raw" APIs; TrezorClient will implement context-handler-based sessions, session tracking, etc. I'm calling this a "reshuffle" because it involved very small number of code changes. Most of it is moving things around where they sit better. The API changes are as follows. Transport is now a thing that can: * open and close sessions * read and write protobuf messages * enumerate and find devices Some transports (all except bridge) are technically bytes-based and need a separate protocol implementation (because we have two existing protocols, although only the first one is actually used). Hence a protocol superclass. Protocol is a thing that *also* can: * open and close sessions * read and write protobuf messages For that, it requires a `handle`. Handle is a physical layer for a protocol. It can: * open and close some sort of device connection (this is distinct from session! Connection is a channel over which you can send data. Session is a logical arrangement on top of that; you can have multiple sessions on a single connection.) * read and write 64-byte chunks of data With that, we introduce ProtocolBasedTransport, which simply delegates the appropriate Transport functionality to respective Protocol methods. hid and webusb transports are ProtocolBasedTransport-s that provide separate device handles. HidHandle and WebUsbHandle existed before, but the distinction of functionality between a Transport and its Handle was unclear. Some methods were moved and now the handles implement the Handle API, while the transports provide the enumeration parts of the Transport API, as well as glue between the respective Protocols and Handles. udp transport is also a ProtocolBasedTransport, but it acts as its own handle. (That might be changed. For now, I went with the pre-existing structure.) In addition, session_begin/end is renamed to begin/end_session to keep consistent verb_noun naming.
2018-11-08 14:24:28 +00:00
self.transport.begin_session()
2012-12-13 19:05:04 +00:00
2014-02-13 15:46:21 +00:00
def close(self):
trezorlib: transport/protocol reshuffle This commit breaks session handling (which matters with Bridge) and regresses Bridge to an older code state. Both of these issues will be rectified in subsequent commits. Explanation of this big API reshuffle follows: * protocols are moved to trezorlib.transport, and to a single common file. * there is a cleaner definition of Transport and Protocol API (see below) * fully valid mypy type hinting * session handle counters and open handle counters mostly went away. Transports and Protocols are meant to be "raw" APIs; TrezorClient will implement context-handler-based sessions, session tracking, etc. I'm calling this a "reshuffle" because it involved very small number of code changes. Most of it is moving things around where they sit better. The API changes are as follows. Transport is now a thing that can: * open and close sessions * read and write protobuf messages * enumerate and find devices Some transports (all except bridge) are technically bytes-based and need a separate protocol implementation (because we have two existing protocols, although only the first one is actually used). Hence a protocol superclass. Protocol is a thing that *also* can: * open and close sessions * read and write protobuf messages For that, it requires a `handle`. Handle is a physical layer for a protocol. It can: * open and close some sort of device connection (this is distinct from session! Connection is a channel over which you can send data. Session is a logical arrangement on top of that; you can have multiple sessions on a single connection.) * read and write 64-byte chunks of data With that, we introduce ProtocolBasedTransport, which simply delegates the appropriate Transport functionality to respective Protocol methods. hid and webusb transports are ProtocolBasedTransport-s that provide separate device handles. HidHandle and WebUsbHandle existed before, but the distinction of functionality between a Transport and its Handle was unclear. Some methods were moved and now the handles implement the Handle API, while the transports provide the enumeration parts of the Transport API, as well as glue between the respective Protocols and Handles. udp transport is also a ProtocolBasedTransport, but it acts as its own handle. (That might be changed. For now, I went with the pre-existing structure.) In addition, session_begin/end is renamed to begin/end_session to keep consistent verb_noun naming.
2018-11-08 14:24:28 +00:00
self.transport.end_session()
2016-01-12 23:17:38 +00:00
def _call(self, msg, nowait=False):
self.transport.write(msg)
if nowait:
return None
ret = self.transport.read()
return ret
def state(self):
return self._call(proto.DebugLinkGetState())
2014-02-06 22:34:13 +00:00
2019-10-18 11:31:57 +00:00
def read_layout(self):
return layout_lines(self.state().layout_lines)
def wait_layout(self):
obj = self._call(proto.DebugLinkGetState(wait_layout=True))
2019-10-18 11:31:57 +00:00
return layout_lines(obj.layout_lines)
def read_pin(self):
state = self.state()
return state.pin, state.matrix
2014-02-06 22:34:13 +00:00
2013-09-01 01:34:36 +00:00
def read_pin_encoded(self):
return self.encode_pin(*self.read_pin())
2014-02-20 18:15:43 +00:00
def encode_pin(self, pin, matrix=None):
"""Transform correct PIN according to the displayed matrix."""
if matrix is None:
_, matrix = self.read_pin()
return "".join([str(matrix.index(p) + 1) for p in pin])
2016-01-12 23:17:38 +00:00
2019-03-07 15:28:24 +00:00
def read_mnemonic_secret(self):
obj = self._call(proto.DebugLinkGetState())
2019-03-07 15:28:24 +00:00
return obj.mnemonic_secret
2014-02-06 22:34:13 +00:00
def read_recovery_word(self):
obj = self._call(proto.DebugLinkGetState())
return (obj.recovery_fake_word, obj.recovery_word_pos)
2014-02-20 18:15:43 +00:00
def read_reset_word(self):
obj = self._call(proto.DebugLinkGetState(wait_word_list=True))
return obj.reset_word
2018-03-20 15:46:53 +00:00
def read_reset_word_pos(self):
obj = self._call(proto.DebugLinkGetState(wait_word_pos=True))
2018-03-20 15:46:53 +00:00
return obj.reset_word_pos
def read_reset_entropy(self):
obj = self._call(proto.DebugLinkGetState())
return obj.reset_entropy
2014-02-20 18:15:43 +00:00
def read_passphrase_protection(self):
obj = self._call(proto.DebugLinkGetState())
return obj.passphrase_protection
2019-09-27 13:38:15 +00:00
def input(self, word=None, button=None, swipe=None, x=None, y=None, wait=False):
if not self.allow_interactions:
return
2019-09-27 13:38:15 +00:00
args = sum(a is not None for a in (word, button, swipe, x))
if args != 1:
raise ValueError("Invalid input - must use one of word, button, swipe")
2019-09-27 13:38:15 +00:00
decision = proto.DebugLinkDecision(
yes_no=button, swipe=swipe, input=word, x=x, y=y, wait=wait
)
ret = self._call(decision, nowait=not wait)
if ret is not None:
2019-10-18 11:31:57 +00:00
return layout_lines(ret.lines)
2019-09-27 13:38:15 +00:00
def click(self, click, wait=False):
x, y = click
return self.input(x=x, y=y, wait=wait)
2012-12-13 19:05:04 +00:00
def press_yes(self):
self.input(button=True)
2014-02-06 22:34:13 +00:00
def press_no(self):
self.input(button=False)
2018-03-20 15:46:53 +00:00
def swipe_up(self):
self.input(swipe=proto.DebugSwipeDirection.UP)
2018-03-20 15:46:53 +00:00
def swipe_down(self):
self.input(swipe=proto.DebugSwipeDirection.DOWN)
def swipe_right(self):
self.input(swipe=proto.DebugSwipeDirection.RIGHT)
def swipe_left(self):
self.input(swipe=proto.DebugSwipeDirection.LEFT)
2018-03-20 15:46:53 +00:00
def stop(self):
self._call(proto.DebugLinkStop(), nowait=True)
2016-05-26 18:46:40 +00:00
2019-12-09 16:01:04 +00:00
def reseed(self, value):
self._call(proto.DebugLinkReseedRandom(value=value))
def start_recording(self, directory):
self._call(proto.DebugLinkRecordScreen(target_directory=directory))
def stop_recording(self):
self._call(proto.DebugLinkRecordScreen(target_directory=None))
@expect(proto.DebugLinkMemory, field="memory")
2016-05-26 18:46:40 +00:00
def memory_read(self, address, length):
return self._call(proto.DebugLinkMemoryRead(address=address, length=length))
2016-05-26 18:46:40 +00:00
def memory_write(self, address, memory, flash=False):
2018-08-13 16:21:24 +00:00
self._call(
proto.DebugLinkMemoryWrite(address=address, memory=memory, flash=flash),
nowait=True,
)
2016-05-26 18:46:40 +00:00
def flash_erase(self, sector):
2017-06-23 19:31:42 +00:00
self._call(proto.DebugLinkFlashErase(sector=sector), nowait=True)
class NullDebugLink(DebugLink):
def __init__(self):
super().__init__(None)
def open(self):
pass
def close(self):
pass
def _call(self, msg, nowait=False):
if not nowait:
if isinstance(msg, proto.DebugLinkGetState):
return proto.DebugLinkState()
else:
raise RuntimeError("unexpected call to a fake debuglink")
class DebugUI:
INPUT_FLOW_DONE = object()
def __init__(self, debuglink: DebugLink):
self.debuglink = debuglink
self.clear()
def clear(self):
self.pins = None
self.passphrase = ""
self.input_flow = None
def button_request(self, code):
if self.input_flow is None:
# XXX
# On Trezor T, in some rare cases, two layouts may be queuing for events at
# the same time. A new workflow will first send out a ButtonRequest, wait
# for a ButtonAck, and only then display a layout (closing the old one).
# That means that if a layout that accepts debuglink decisions is currently
# on screen, it has a good chance of accepting the following `press_yes`
# before it can be closed by the newly open layout from the new workflow.
#
# This happens in particular when the recovery homescreen is on, because
# it is a homescreen that accepts debuglink decisions.
#
# To prevent the issue, we insert a `wait_layout`, which on TT will only
# return after the screen is refreshed, so we are certain that the new
# layout is on. On T1 it is a no-op.
#
# This could run into trouble if some workflow asks for a ButtonRequest
# without refreshing the screen.
# This will also freeze on old bridges, where Read and Write are not
# separate operations, because it relies on ButtonAck being sent without
# waiting for a response.
self.debuglink.wait_layout()
self.debuglink.press_yes()
elif self.input_flow is self.INPUT_FLOW_DONE:
raise AssertionError("input flow ended prematurely")
else:
try:
self.input_flow.send(code)
except StopIteration:
self.input_flow = self.INPUT_FLOW_DONE
def get_pin(self, code=None):
if self.pins is None:
# respond with correct pin
return self.debuglink.read_pin_encoded()
if self.pins == []:
raise AssertionError("PIN sequence ended prematurely")
else:
return self.debuglink.encode_pin(self.pins.pop(0))
def get_passphrase(self, available_on_device):
return self.passphrase
class TrezorClientDebugLink(TrezorClient):
# This class implements automatic responses
# and other functionality for unit tests
# for various callbacks, created in order
# to automatically pass unit tests.
#
# This mixing should be used only for purposes
# of unit testing, because it will fail to work
# without special DebugLink interface provided
# by the device.
def __init__(self, transport, auto_interact=True):
try:
debug_transport = transport.find_debug()
self.debug = DebugLink(debug_transport, auto_interact)
# try to open debuglink, see if it works
self.debug.open()
self.debug.close()
except Exception:
if not auto_interact:
self.debug = NullDebugLink()
else:
raise
self.ui = DebugUI(self.debug)
self.in_with_statement = 0
self.screenshot_id = 0
self.filters = {}
# Do not expect any specific response from device
self.expected_responses = None
self.current_response = None
super().__init__(transport, ui=self.ui)
def open(self):
super().open()
self.debug.open()
def close(self):
self.debug.close()
super().close()
def set_filter(self, message_type, callback):
"""Configure a filter function for a specified message type.
The `callback` must be a function that accepts a protobuf message, and returns
a (possibly modified) protobuf message of the same type. Whenever a message
is sent or received that matches `message_type`, `callback` is invoked on the
message and its result is substituted for the original.
Useful for test scenarios with an active malicious actor on the wire.
"""
self.filters[message_type] = callback
def _filter_message(self, msg):
message_type = msg.__class__
callback = self.filters.get(message_type)
if callable(callback):
return callback(deepcopy(msg))
else:
return msg
def set_input_flow(self, input_flow):
"""Configure a sequence of input events for the current with-block.
The `input_flow` must be a generator function. A `yield` statement in the
input flow function waits for a ButtonRequest from the device, and returns
its code.
Example usage:
>>> def input_flow():
>>> # wait for first button prompt
>>> code = yield
>>> assert code == ButtonRequestType.Other
>>> # press No
>>> client.debug.press_no()
>>>
>>> # wait for second button prompt
>>> yield
>>> # press Yes
>>> client.debug.press_yes()
>>>
>>> with client:
>>> client.set_input_flow(input_flow)
>>> some_call(client)
"""
if not self.in_with_statement:
raise RuntimeError("Must be called inside 'with' statement")
if callable(input_flow):
input_flow = input_flow()
if not hasattr(input_flow, "send"):
raise RuntimeError("input_flow should be a generator function")
self.ui.input_flow = input_flow
next(input_flow) # can't send before first yield
def __enter__(self):
# For usage in with/expected_responses
self.in_with_statement += 1
return self
def __exit__(self, _type, value, traceback):
self.in_with_statement -= 1
# Clear input flow.
try:
if _type is not None:
# Another exception raised
return False
if self.expected_responses is None:
# no need to check anything else
return False
# Evaluate missed responses in 'with' statement
if self.current_response < len(self.expected_responses):
self._raise_unexpected_response(None)
finally:
# Cleanup
self.expected_responses = None
self.current_response = None
self.ui.clear()
return False
def set_expected_responses(self, expected):
"""Set a sequence of expected responses to client calls.
Within a given with-block, the list of received responses from device must
match the list of expected responses, otherwise an AssertionError is raised.
If an expected response is given a field value other than None, that field value
must exactly match the received field value. If a given field is None
(or unspecified) in the expected response, the received field value is not
checked.
"""
if not self.in_with_statement:
raise RuntimeError("Must be called inside 'with' statement")
self.expected_responses = expected
self.current_response = 0
def use_pin_sequence(self, pins):
"""Respond to PIN prompts from device with the provided PINs.
The sequence must be at least as long as the expected number of PIN prompts.
"""
# XXX This currently only works on T1 as a response to PinMatrixRequest, but
# if we modify trezor-core to introduce PIN prompts predictably (i.e. by
# a new ButtonRequestType), it could also be used on TT via debug.input()
self.ui.pins = list(pins)
def use_passphrase(self, passphrase):
"""Respond to passphrase prompts from device with the provided passphrase."""
self.ui.passphrase = Mnemonic.normalize_string(passphrase)
def use_mnemonic(self, mnemonic):
"""Use the provided mnemonic to respond to device.
Only applies to T1, where device prompts the host for mnemonic words."""
self.mnemonic = Mnemonic.normalize_string(mnemonic).split(" ")
def _raw_read(self):
__tracebackhide__ = True # for pytest # pylint: disable=W0612
# if SCREENSHOT and self.debug:
# from PIL import Image
# layout = self.debug.state().layout
# im = Image.new("RGB", (128, 64))
# pix = im.load()
# for x in range(128):
# for y in range(64):
# rx, ry = 127 - x, 63 - y
# if (ord(layout[rx + (ry / 8) * 128]) & (1 << (ry % 8))) > 0:
# pix[x, y] = (255, 255, 255)
# im.save("scr%05d.png" % self.screenshot_id)
# self.screenshot_id += 1
resp = super()._raw_read()
resp = self._filter_message(resp)
self._check_request(resp)
return resp
def _raw_write(self, msg):
return super()._raw_write(self._filter_message(msg))
def _raise_unexpected_response(self, msg):
__tracebackhide__ = True # for pytest # pylint: disable=W0612
start_at = max(self.current_response - EXPECTED_RESPONSES_CONTEXT_LINES, 0)
stop_at = min(
self.current_response + EXPECTED_RESPONSES_CONTEXT_LINES + 1,
len(self.expected_responses),
)
output = []
output.append("Expected responses:")
if start_at > 0:
output.append(" (...{} previous responses omitted)".format(start_at))
for i in range(start_at, stop_at):
exp = self.expected_responses[i]
prefix = " " if i != self.current_response else ">>> "
set_fields = {
key: value
for key, value in exp.__dict__.items()
if value is not None and value != []
}
oneline_str = ", ".join("{}={!r}".format(*i) for i in set_fields.items())
if len(oneline_str) < 60:
output.append(
"{}{}({})".format(prefix, exp.__class__.__name__, oneline_str)
)
else:
item = []
item.append("{}{}(".format(prefix, exp.__class__.__name__))
for key, value in set_fields.items():
item.append("{} {}={!r}".format(prefix, key, value))
item.append("{})".format(prefix))
output.append("\n".join(item))
if stop_at < len(self.expected_responses):
omitted = len(self.expected_responses) - stop_at
output.append(" (...{} following responses omitted)".format(omitted))
output.append("")
if msg is not None:
output.append("Actually received:")
output.append(protobuf.format_message(msg))
else:
output.append("This message was never received.")
raise AssertionError("\n".join(output))
def _check_request(self, msg):
__tracebackhide__ = True # for pytest # pylint: disable=W0612
if self.expected_responses is None:
return
if self.current_response >= len(self.expected_responses):
raise AssertionError(
"No more messages were expected, but we got:\n"
+ protobuf.format_message(msg)
)
expected = self.expected_responses[self.current_response]
if msg.__class__ != expected.__class__:
self._raise_unexpected_response(msg)
for field, value in expected.__dict__.items():
if value is None or value == []:
continue
if getattr(msg, field) != value:
self._raise_unexpected_response(msg)
self.current_response += 1
def mnemonic_callback(self, _):
word, pos = self.debug.read_recovery_word()
if word != "":
return word
if pos != 0:
return self.mnemonic[pos - 1]
raise RuntimeError("Unexpected call")
@expect(proto.Success, field="message")
def load_device(
2018-08-13 16:21:24 +00:00
client,
mnemonic,
pin,
passphrase_protection,
label,
language="en-US",
2018-08-13 16:21:24 +00:00
skip_checksum=False,
needs_backup=False,
no_backup=False,
2018-08-13 16:21:24 +00:00
):
if not isinstance(mnemonic, (list, tuple)):
mnemonic = [mnemonic]
mnemonics = [Mnemonic.normalize_string(m) for m in mnemonic]
if client.features.initialized:
2018-08-13 16:21:24 +00:00
raise RuntimeError(
"Device is initialized already. Call device.wipe() and try again."
2018-08-13 16:21:24 +00:00
)
resp = client.call(
proto.LoadDevice(
mnemonics=mnemonics,
2018-08-13 16:21:24 +00:00
pin=pin,
passphrase_protection=passphrase_protection,
language=language,
label=label,
skip_checksum=skip_checksum,
needs_backup=needs_backup,
no_backup=no_backup,
2018-08-13 16:21:24 +00:00
)
)
client.init_device()
return resp
# keep the old name for compatibility
load_device_by_mnemonic = load_device
@expect(proto.Success, field="message")
def self_test(client):
if client.features.bootloader_mode is not True:
raise RuntimeError("Device must be in bootloader mode")
2018-08-13 16:21:24 +00:00
return client.call(
proto.SelfTest(
payload=b"\x00\xFF\x55\xAA\x66\x99\x33\xCCABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\x00\xFF\x55\xAA\x66\x99\x33\xCC"
)
)
@expect(proto.Success, field="message")
def show_text(client, header_text, body_text, icon=None, icon_color=None):
body_text = [
proto.DebugLinkShowTextItem(style=style, content=content)
for style, content in body_text
]
msg = proto.DebugLinkShowText(
header_text=header_text,
body_text=body_text,
header_icon=icon,
icon_color=icon_color,
)
return client.call(msg)