From 0e094be537109333068bac5c3edb0eec980746cc Mon Sep 17 00:00:00 2001
From: Gregor Haas
Date: Mon, 10 Feb 2020 19:02:30 -0500
Subject: [PATCH] some changes, preparing for async
---
 c8_libpayload/CMakeLists.txt | 1 -
 c8_libpayload/pl/CMakeLists.txt | 1 +
 c8_libpayload/pl/src/bootstrap.c | 26 -------
 c8_libpayload/pl/src/exit_usb_task.c | 6 +-
 c8_libpayload/pl/src/floppysleep.c | 25 +++----
 c8_remote/include/payload.h | 2 +-
 c8_remote/main.c | 106 ++++++++++++++++-----------
 c8_remote/src/payload.c | 19 +++--
 8 files changed, 89 insertions(+), 97 deletions(-)
 delete mode 100644 c8_libpayload/pl/src/bootstrap.c
diff --git a/c8_libpayload/CMakeLists.txt b/c8_libpayload/CMakeLists.txt
index c3b96a0..66eb416 100644
--- a/c8_libpayload/CMakeLists.txt
+++ b/c8_libpayload/CMakeLists.txt
@@ -4,7 +4,6 @@ set(PL_NAMES
 aes
 aes_busy
 aes_sw
- bootstrap
 exit_usb_task
 floppysleep
 sync
diff --git a/c8_libpayload/pl/CMakeLists.txt b/c8_libpayload/pl/CMakeLists.txt
index 89e5cab..b469316 100644
--- a/c8_libpayload/pl/CMakeLists.txt
+++ b/c8_libpayload/pl/CMakeLists.txt
@@ -1,5 +1,6 @@
 project(checkm8_libpayload_sources C ASM)
 include_directories(include)
+include_directories(include/openssl)
 set(CMAKE_SYSTEM_PROCESSOR arm)
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
diff --git a/c8_libpayload/pl/src/bootstrap.c b/c8_libpayload/pl/src/bootstrap.c
deleted file mode 100644
index 6a299eb..0000000
--- a/c8_libpayload/pl/src/bootstrap.c
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "util.h"
-
-TEXT_SECTION
-unsigned long long _start()
-{
-// unsigned long long platform_quiesce_hardware = 0x100007dd0;
-// unsigned long long enter_critical_section = 0x10000a4b8;
-// unsigned long long halt = 0x1000004fc;
-// unsigned long long timer_deadline_enter = 0x10000b874;
-// unsigned long long now, later;
-//
-// ((BOOTROM_FUNC) platform_quiesce_hardware)();
-// //((BOOTROM_FUNC) enter_critical_section)();
-//
-// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
-// ((BOOTROM_FUNC) timer_deadline_enter)(now + (24000000) - 64, ((BOOTROM_FUNC) 0x10000b924));
-// ((BOOTROM_FUNC) halt)();
-// __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (later));
-
- volatile unsigned long long regval = 0xffff;
- __asm__ volatile ("mrs %0, fpcr" : "=r" (regval));
- regval = (1u << 24u);
- __asm__ volatile ("msr fpcr, %0" : "=r" (regval));
-
- return regval;
-}
\ No newline at end of file
diff --git a/c8_libpayload/pl/src/exit_usb_task.c b/c8_libpayload/pl/src/exit_usb_task.c
index 821849d..b97d57c 100644
--- a/c8_libpayload/pl/src/exit_usb_task.c
+++ b/c8_libpayload/pl/src/exit_usb_task.c
@@ -43,14 +43,14 @@ void fix_heap()
 }
 TEXT_SECTION
-void _start()
+void _start(unsigned long long ptr_self)
 {
 unsigned int *completion = (unsigned int *) 0x180088ac8;
 unsigned char *dfu_done = (unsigned char *) 0x180088ac0;
 unsigned long long *dfu_event = (unsigned long long *) 0x180088af0;
 BOOTROM_FUNC event_signal = ((BOOTROM_FUNC) 0x10000aee8);
- BOOTROM_FUNC enter_critical_section = ((BOOTROM_FUNC) 0x10000a4b8);
+ BOOTROM_FUNC free = ((BOOTROM_FUNC) 0x10000f1b0);
 fix_heap();
@@ -58,5 +58,5 @@ void _start()
 *dfu_done = 1;
 event_signal(dfu_event);
- // enter_critical_section();
+ free(ptr_self);
 }
\ No newline at end of file
diff --git a/c8_libpayload/pl/src/floppysleep.c b/c8_libpayload/pl/src/floppysleep.c
index f946078..9793fae 100644
--- a/c8_libpayload/pl/src/floppysleep.c
+++ b/c8_libpayload/pl/src/floppysleep.c
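Review bot: Naming the bootrom function pointer `free` shadows the standard-library identifier, so a reader of `free(ptr_self)` further down cannot tell at a glance that it is a bootrom call rather than libc; `BOOTROM_FUNC bootrom_free = ((BOOTROM_FUNC) 0x10000f1b0);` keeps the convention already used by `event_signal`. The `_start` signature now takes `ptr_self` but nothing states what the caller must pass; a one-line comment such as `/* ptr_self: base of this payload's own allocation, handed back to the bootrom allocator before returning */` would pin the contract that usb_task_exit in main.c depends on. The rest of _start's body lies between this hunk and the next one.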
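Review bot: `free(ptr_self);` releases the block this function is executing from, and the function's epilogue then still runs out of that memory; whether that is safe depends on what the bootrom allocator does with a freed block, which is not visible in this diff, so the line needs a comment stating the assumption, e.g. `/* releases our own image; assumes the allocator does not touch the block before we return */`. The host side never records PAYLOAD_EXIT_USB_TASK as uninstalled after this (usb_task_exit in main.c calls uninstall_payload only for PAYLOAD_SYNC), so the host's installed list keeps an entry for memory the device has already given back; that bookkeeping mismatch is worth either fixing on the host or documenting here.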
@@ -29,22 +29,19 @@ unsigned long long _start(float *init_a)
 unsigned long long timer_deadline_enter = 0x10000b874;
 unsigned long long halt = 0x1000004fc;
- while(1)
+ __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
+ fs_load(init_a, 1);
+ for(i = 0; i < 8; i++) fs_routine();
+ __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
+
+ if(2 * end - start - 64 > 0)
 {
- __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (start));
- fs_load(init_a, 1);
- for(i = 0; i < 8; i++) fs_routine();
- __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (end));
-
- if(2 * end - start - 64 > 0)
- {
- ((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924));
- ((BOOTROM_FUNC) halt)();
- }
-
- __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
- j++;
+ ((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924));
+ ((BOOTROM_FUNC) halt)();
 }
+ __asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));
+ j++;
+
+ return end - start;
 }
\ No newline at end of file
diff --git a/c8_remote/include/payload.h b/c8_remote/include/payload.h
index cc958a8..afe5e5c 100644
--- a/c8_remote/include/payload.h
+++ b/c8_remote/include/payload.h
@@ -8,7 +8,6 @@ typedef enum
 PAYLOAD_AES,
 PAYLOAD_AES_BUSY,
 PAYLOAD_AES_SW,
- PAYLOAD_BOOTSTRAP,
 PAYLOAD_EXIT_USB_TASK,
 PAYLOAD_FLOPPYSLEEP,
 PAYLOAD_SYNC,
@@ -25,6 +24,7 @@ typedef enum
 int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
 int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
 struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
+unsigned long long get_payload_address(struct pwned_device *dev, PAYLOAD_T p);
 unsigned long long install_data(struct pwned_device *dev, LOCATION_T loc, unsigned char *data, int len);
 int uninstall_data(struct pwned_device *dev, unsigned long long ptr);
diff --git a/c8_remote/main.c b/c8_remote/main.c
index 12b8a95..1e8cc00 100644
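Review bot: With the `while(1)` gone, `report` and `j` are still written on the new side (`__asm__ volatile ("isb\n\rmrs %0, cntpct_el0" : "=r" (report));` and `j++;`) but never read before `return end - start;`, so both are dead stores and the extra counter read has no visible purpose; either drop those two lines or add a comment saying what they are kept for. The guard `if(2 * end - start - 64 > 0)` rejects only the exact value 0 when `start` and `end` are unsigned (their declarations sit above the hunk), because an unsigned difference cannot go negative; if a signed check is intended, compute the deadline into a signed variable first or state in a comment that wrap-around is accepted. The constant 64 also deserves a name. The function's signature and its first lines are outside this hunk.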
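Review bot: The new declaration `unsigned long long get_payload_address(struct pwned_device *dev, PAYLOAD_T p);` says nothing about what the function returns when `p` is not installed, while its neighbour install_data already has callers comparing the result against -1 in main.c; a header comment such as `/* Device address at which payload p is currently installed; only valid between install_payload and uninstall_payload for p. */` is needed, naming the not-installed result once the implementation in payload.c defines one. The enum removal in the first hunk needs no comment.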
--- a/c8_remote/main.c
+++ b/c8_remote/main.c
@@ -67,8 +67,12 @@ int floppysleep(struct pwned_device *dev)
 }
 float init_a = -7.504355E-39f;
- resp = write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float));
- free_dev_cmd_resp(resp);
+ unsigned long long init_a_ptr = install_data(dev, SRAM, (unsigned char *) &init_a, sizeof(float));
+ if(init_a_ptr == -1)
+ {
+ printf("failed to write initial data\n");
+ return -1;
+ }
 resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
 if(IS_CHECKM8_FAIL(resp->ret))
@@ -81,7 +85,7 @@ int floppysleep(struct pwned_device *dev)
 while(1)
 {
- resp = execute_payload(dev, PAYLOAD_FLOPPYSLEEP, 0, 1, 0x180154000);
+ resp = execute_payload(dev, PAYLOAD_FLOPPYSLEEP, 0, 1, init_a_ptr);
 if(IS_CHECKM8_FAIL(resp->ret))
 {
 printf("failed to execute flopsleep payload\n");
@@ -242,7 +246,7 @@ void aes_sw(struct pwned_device *dev)
 return;
 }
- printf("%i) op took %llu\n", i++, resp->retval);
+ printf("%i) op took %llu\n", i, resp->retval);
 free_dev_cmd_resp(resp);
 resp = read_gadget(dev, addr_data, 16);
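Review bot: The new failure branch `if(init_a_ptr == -1)` returns -1 without undoing the install_payload calls made earlier in floppysleep (above this hunk) or closing the device session, so a data-write failure leaves payloads installed on the device; the function's existing early returns look the same, but this one is new. The comparison also relies on -1 being implicitly converted to unsigned long long; `if(init_a_ptr == (unsigned long long) -1)` makes the sentinel explicit, or better, give it a name in payload.h next to install_data. The block written by install_data is never handed back with uninstall_data either; if the `while(1)` loop in the second hunk is meant never to exit, a comment saying so would stop a reader reporting it as a leak. floppysleep's start and end are both outside these hunks.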
@@ -275,6 +279,57 @@ void aes_sw(struct pwned_device *dev)
 close_device_session(dev);
 }
+void usb_task_exit(struct pwned_device *dev)
+{
+ struct dev_cmd_resp *resp;
+
+ if(IS_CHECKM8_FAIL(open_device_session(dev)))
+ {
+ printf("failed to open device session\n");
+ return;
+ }
+
+ if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_SYNC, SRAM)))
+ {
+ printf("failed to install sync payload\n");
+ return;
+ }
+
+ if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_EXIT_USB_TASK, SRAM)))
+ {
+ printf("failed to install sync payload\n");
+ return;
+ }
+
+ resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
+ if(IS_CHECKM8_FAIL(resp->ret))
+ {
+ printf("failed to execute bootstrap\n");
+ return;
+ }
+ free_dev_cmd_resp(resp);
+
+ if(IS_CHECKM8_FAIL(uninstall_payload(dev, PAYLOAD_SYNC)))
+ {
+ printf("failed to uninstall sync payload\n");
+ return;
+ }
+
+ resp = execute_payload(dev, PAYLOAD_EXIT_USB_TASK, 0,
+ 1, get_payload_address(dev, PAYLOAD_EXIT_USB_TASK));
+ if(IS_CHECKM8_FAIL(resp->ret))
+ {
+ printf("failed to exit usb task\n");
+ return;
+ }
+
+ if(IS_CHECKM8_FAIL(close_device_session(dev)))
+ {
+ printf("failed to close device session\n");
+ return;
+ }
+}
+
 int main()
 {
 struct dev_cmd_resp *resp;
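Review bot: In usb_task_exit the EXIT_USB_TASK install failure prints a copy-pasted message, `printf("failed to install sync payload\n");` should be `printf("failed to install exit usb task payload\n");`, and the response from the second execute_payload call is never released (the sync response gets `free_dev_cmd_resp(resp);`, the exit-task one does not, on either the failure or the success path). Every `return;` after open_device_session also skips uninstall_payload and close_device_session, so a mid-sequence failure leaves payloads installed and the session open; one cleanup label at the bottom that uninstalls whatever was installed and closes the session, reached by `goto` from each failure branch, would fix that without duplicating the calls. Neither execute_payload result is checked for NULL before `resp->ret`; if execute_payload can return NULL (its body is in payload.c, outside this diff) that is a crash path. PAYLOAD_EXIT_USB_TASK is never uninstalled on the host side at all, although the device-side payload frees its own block, so the host's installed list ends up stale.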
@@ -286,47 +341,10 @@ int main()
 }
 demote_device(dev);
- aes_sw(dev);
-// if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_SYNC, SRAM)))
-// {
-// printf("failed to install sync payload\n");
-// return -1;
-// }
-//
-// if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_TASK_SLEEP_TEST, SRAM)))
-// {
-// printf("failed to install exit usb task payload\n");
-// return -1;
-// }
-//
-// if(IS_CHECKM8_FAIL(install_payload(dev, PAYLOAD_FLOPPYSLEEP, SRAM)))
-// {
-// printf("failed to install floppysleep\n");
-// return -1;
-// }
-//
-// float init_a = -7.504355E-39f;
-// resp = write_gadget(dev, 0x180154000, (unsigned char *) &init_a, sizeof(float));
-// free_dev_cmd_resp(resp);
-//
-// resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
-// if(IS_CHECKM8_FAIL(resp->ret))
-// {
-// printf("failed to execute bootstrap\n");
-// return -1;
-// }
-// free_dev_cmd_resp(resp);
-//
-// resp = execute_payload(dev, PAYLOAD_TASK_SLEEP_TEST, 0, 2, 0x180152000, 0x180154000);
-// if(IS_CHECKM8_FAIL(resp->ret))
-// {
-// printf("failed to exit usb task\n");
-// return -1;
-// }
-// free_dev_cmd_resp(resp);
-//
-// close_device_session(dev);
+ // usb_task_exit(dev);
+
+ floppysleep(dev);
 free_device(dev);
 }
diff --git a/c8_remote/src/payload.c b/c8_remote/src/payload.c
index cad0589..b7c7011 100644
--- a/c8_remote/src/payload.c
+++ b/c8_remote/src/payload.c
@@ -43,11 +43,6 @@ struct payload *get_payload(PAYLOAD_T p)
 len = PAYLOAD_AES_SW_SZ;
 break;
- case PAYLOAD_BOOTSTRAP:
- pl = payload_bootstrap;
- len = PAYLOAD_BOOTSTRAP_SZ;
- break;
-
 case PAYLOAD_EXIT_USB_TASK:
 pl = payload_exit_usb_task;
 len = PAYLOAD_EXIT_USB_TASK_SZ;
@@ -151,13 +146,15 @@ int *dev_unlink_payload(struct pwned_device *dev, struct payload *pl)
 {
 if(dev->installed == pl)
 {
- dev->installed = NULL;
+ dev->installed = pl->next;
 return CHECKM8_SUCCESS;
 }
 else
 {
 pl->prev->next = pl->next;
- pl->next->prev = pl->prev;
+ if(pl->next != NULL)
+ pl->next->prev = pl->prev;
+
 return CHECKM8_SUCCESS;
 }
 }
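Review bot: `floppysleep(dev);` discards the int status that floppysleep returns (its signature `int floppysleep(struct pwned_device *dev)` is visible in the earlier main.c hunk), so main still exits 0 after a failed run; `int rc = floppysleep(dev);` before `free_device(dev);` followed by `return rc < 0 ? 1 : 0;` would surface the failure without skipping the free. The removed commented-out block is replaced by another commented-out call, `// usb_task_exit(dev);`; selecting the experiment with a command-line argument, or deleting the line, avoids accumulating dead code again. With aes_sw(dev) gone, the `struct dev_cmd_resp *resp;` declared at the top of main (previous hunk) may now be unused; the lines between the two hunks are not visible here, so a -Wunused build should confirm.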
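Review bot: When `pl` is the head of the list, `dev->installed = pl->next;` promotes the next entry but leaves that entry's `prev` still pointing at `pl`, which the caller presumably frees afterwards, so the new head carries a dangling back-pointer; add `if(pl->next != NULL) pl->next->prev = NULL;` before the `return CHECKM8_SUCCESS;` in that branch, mirroring the NULL check the else branch gained. The else branch still dereferences `pl->prev` unconditionally, which is correct only if every non-head entry has a predecessor; a one-line comment stating that invariant would help the next reader. The hunk header shows the function declared as returning `int *` while both branches return CHECKM8_SUCCESS, which predates this commit but looks like a typo for `int`.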
@@ -222,6 +219,12 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
 return CHECKM8_SUCCESS;
 }
+unsigned long long get_payload_address(struct pwned_device *dev, PAYLOAD_T p)
+{
+ return dev_retrieve_payload(dev, p)->install_base;
+}
+
+
 unsigned long long install_data(struct pwned_device *dev, LOCATION_T loc, unsigned char *data, int len)
 {
 checkm8_debug_indent("install_data(dev = %p, loc = %i, data = %p, len = %i)\n", dev, loc, data, len);
@@ -265,7 +268,7 @@ int uninstall_data(struct pwned_device *dev, unsigned long long addr)
 struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...)
 {
- checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
+ checkm8_debug_indent("execute_payload(dev = %p, p = %i, response_len = %i, nargs = %i, ...)\n", dev, p, response_len, nargs);
 int i;
 struct dev_cmd_resp *resp;
 struct payload *pl;
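Review bot: `return dev_retrieve_payload(dev, p)->install_base;` dereferences the lookup result unchecked, so asking for a payload that is not installed crashes the host tool if dev_retrieve_payload can return NULL (its body is outside this diff); `struct payload *pl = dev_retrieve_payload(dev, p);` followed by `return pl != NULL ? pl->install_base : (unsigned long long) -1;` would report the miss the same way main.c already tests install_data's result against -1. The function also needs a short comment stating that the returned address is only meaningful while the payload stays installed, and the two blank lines after it should be one to match the rest of the file.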