fixed an async payload bug and implemented an async floppysleep (works!)

2020-02-11 20:52:23 -05:00
parent 3e64bd8bab
commit 059461ccbd
2 changed files with 61 additions and 6 deletions
--- a/c8_remote/main.c
+++ b/c8_remote/main.c
@@ -95,6 +95,59 @@ void floppysleep(struct pwned_device *dev)
    close_device_session(dev);
 }

+void floppysleep_async(struct pwned_device *dev)
+{
+    float init_a = -7.504355E-39f;
+    DEV_PTR_T init_a_ptr, async_buf_ptr;
+    struct dev_cmd_resp *resp;
+
+    if(IS_CHECKM8_FAIL(open_device_session(dev)))
+    {
+        printf("failed to open device session\n");
+        return;
+    }
+
+    if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_SYNC, SRAM)))
+    {
+        printf("failed to install sync payload\n");
+        return;
+    }
+
+    if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_FLOPPYSLEEP, SRAM)))
+    {
+        printf("failed to install task sleep payload\n");
+        return;
+    }
+
+    init_a_ptr = install_data(dev, SRAM, (unsigned char *) &init_a, sizeof(float));
+    if(init_a_ptr == DEV_PTR_NULL)
+    {
+        printf("failed to write initial data\n");
+        return;
+    }
+
+    resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
+    if(IS_CHECKM8_FAIL(resp->ret))
+    {
+        printf("failed to execute bootstrap\n");
+        return;
+    }
+
+    free_dev_cmd_resp(resp);
+
+    async_buf_ptr = setup_payload_async(dev, PAYLOAD_FLOPPYSLEEP, 32, 1, init_a_ptr);
+    run_payload_async(dev, PAYLOAD_FLOPPYSLEEP);
+    close_device_session(dev);
+
+    printf("async buf pointer is %llX\n", async_buf_ptr);
+
+//    sleep(10);
+//
+//    open_device_session(dev);
+//    resp = read_gadget(dev, async_buf_ptr, 8);
+//    close_device_session(dev);
+}
+
 void aes_sw(struct pwned_device *dev)
 {
    int i = 0;
@@ -339,12 +392,14 @@ int main()
        return -1;
    }

+    fix_heap(dev);
    demote_device(dev);
-    floppysleep(dev);
+    floppysleep_async(dev);

-    uninstall_all_payloads(dev);
-    uninstall_all_data(dev);
-    free_device(dev);
+//    open_device_session(dev);
+//    uninstall_all_payloads(dev);
+//    uninstall_all_data(dev);
+//    free_device(dev);
 }


--- a/c8_remote/src/payload.c
+++ b/c8_remote/src/payload.c
@@ -399,12 +399,12 @@ unsigned long long setup_payload_async(struct pwned_device *dev, PAYLOAD_T p, in
    }

    task_args[0] = ADDR_TASK_NEW;
-    task_args[1] = 0; // todo: name pointer
+    task_args[1] = 0x10001943b; // todo: name pointer
    task_args[2] = pl->install_base;
    task_args[3] = buf_addr;
    task_args[4] = 0x4000;

-    resp = dev_exec(dev, 0, 4, task_args);
+    resp = dev_exec(dev, 0, 5, task_args);
    if(IS_CHECKM8_FAIL(resp->ret))
    {
        checkm8_debug_indent("\tfailed to create a new task\n");