Added some more functionality to payload installation
@@ -10,20 +10,14 @@
|
||||
#define IS_CHECKM8_FAIL(code) code < 0
|
||||
|
||||
#if CHECKM8_PLATFORM == 8010
|
||||
#define DEV_IDVENDOR 0x05AC
|
||||
#define DEV_IDPRODUCT 0x1227
|
||||
|
||||
#define DEV_IDVENDOR 0x05AC
|
||||
#define DEV_IDPRODUCT 0x1227
|
||||
|
||||
#else
|
||||
#error "Unspported checkm8 platform"
|
||||
#endif
|
||||
|
||||
struct libusb_device_bundle
|
||||
{
|
||||
struct libusb_context *ctx;
|
||||
struct libusb_device *device;
|
||||
struct libusb_device_handle *handle;
|
||||
struct libusb_device_descriptor *descriptor;
|
||||
};
|
||||
|
||||
struct pwned_device
|
||||
{
|
||||
enum
|
||||
@@ -34,7 +28,9 @@ struct pwned_device
|
||||
|
||||
unsigned int idVendor;
|
||||
unsigned int idProduct;
|
||||
|
||||
struct libusb_device_bundle *bundle;
|
||||
struct payload *installed;
|
||||
};
|
||||
|
||||
struct pwned_device *exploit_device();
|
||||
|
||||
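Review bot: The new `struct payload *installed;` member at the end of struct pwned_device is the head of the list that payload.c walks, and nothing in this section says who sets it to NULL; if exploit_device() (declared just below, body not visible here) leaves the field uninitialised, dev_insert_payload's `dev->installed == NULL` test reads garbage. Suggest `struct payload *installed; /* head of installed-payload list, must start NULL; list nodes owned by dev */` and zeroing it wherever the struct is allocated. In the first hunk, `#define IS_CHECKM8_FAIL(code) code < 0` should be `#define IS_CHECKM8_FAIL(code) ((code) < 0)` so it still works under `!` or inside a larger expression, and `struct pwned_device *exploit_device();` should be `exploit_device(void)` to declare a real prototype.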
@@ -5,6 +5,14 @@
|
||||
|
||||
#define LIBUSB_MAX_PACKET_SIZE 0x800
|
||||
|
||||
struct libusb_device_bundle
|
||||
{
|
||||
struct libusb_context *ctx;
|
||||
struct libusb_device *device;
|
||||
struct libusb_device_handle *handle;
|
||||
struct libusb_device_descriptor *descriptor;
|
||||
};
|
||||
|
||||
int get_device_bundle(struct pwned_device *dev);
|
||||
int release_device_bundle(struct pwned_device *dev);
|
||||
|
||||
|
||||
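Review bot: `int get_device_bundle(struct pwned_device *dev);` and `int release_device_bundle(struct pwned_device *dev);` now take the device, but the header gives no contract for what they do with `dev->bundle`: whether get allocates it, whether release frees it and resets it to NULL, and whether two get calls without a release are allowed. command() in dfu.c calls them as a pair around every transfer, so that pairing rule belongs here. Suggest a comment on the prototypes along the lines of `/* Populates dev->bundle (ctx, device, handle, descriptor); returns a negative CHECKM8 code on failure. Pair each successful call with release_device_bundle(). */`, adjusted to what the implementation actually does. If checkm8.h is not included above this hunk, the `struct pwned_device` named in the prototypes needs a forward declaration `struct pwned_device;` first.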
@@ -1,11 +1,29 @@
|
||||
#ifndef IPWNDFU_REWRITE_C_PAYLOAD_H
|
||||
#define IPWNDFU_REWRITE_C_PAYLOAD_H
|
||||
|
||||
#include "checkm8.h"
|
||||
|
||||
#define PAYLOAD_SUCCESS 0
|
||||
#define PAYLOAD_FAIL_DUP -1
|
||||
|
||||
#define PAYLOAD_FOUND 0
|
||||
#define PAYLOAD_NOT_FOUND -1
|
||||
|
||||
typedef enum
|
||||
{
|
||||
PAYLOAD_AES
|
||||
PAYLOAD_AES,
|
||||
PAYLOAD_SYSREG
|
||||
} PAYLOAD_T;
|
||||
|
||||
struct payload *get_payload(PAYLOAD_T p);
|
||||
typedef enum
|
||||
{
|
||||
SRAM,
|
||||
DRAM
|
||||
} LOCATION_T;
|
||||
|
||||
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
|
||||
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
|
||||
|
||||
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...);
|
||||
|
||||
#endif //IPWNDFU_REWRITE_C_PAYLOAD_H
|
||||
|
||||
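Review bot: `int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...);` gives the variadic arguments no count and no terminator, so the implementation has no way to know how many to read; either document a fixed argument convention per PAYLOAD_T next to the prototype or add an explicit count, e.g. `int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...);`. `SRAM` and `DRAM` are unprefixed enumerators exported from a public header; `LOC_SRAM`/`LOC_DRAM` would match the PAYLOAD_ prefix the other enum uses. The header should also state that the `struct payload *` returned by get_payload is heap-allocated and who is responsible for freeing it.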
@@ -1,5 +1,6 @@
|
||||
#include <stdio.h>
|
||||
#include "checkm8.h"
|
||||
#include "payload.h"
|
||||
|
||||
int main()
|
||||
{
|
||||
@@ -10,4 +11,5 @@ int main()
|
||||
return -1;
|
||||
}
|
||||
|
||||
install_payload(dev, PAYLOAD_AES, DRAM);
|
||||
}
|
||||
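Review bot: The return value of `install_payload(dev, PAYLOAD_AES, DRAM);` is discarded, so a failed install (including PAYLOAD_FAIL_DUP) goes unnoticed and main still exits 0; the block just above already returns -1 on failure, so do the same here: `if(install_payload(dev, PAYLOAD_AES, DRAM) != PAYLOAD_SUCCESS) return -1;`. As the payload.c hunk in this commit shows, install_payload currently has no return statement, so the check only becomes meaningful once that function returns a code. main's body starts outside this hunk.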
@@ -3,7 +3,7 @@
|
||||
|
||||
#include "libusb.h"
|
||||
|
||||
void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, long data_len)
|
||||
void dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
|
||||
{
|
||||
long index = 0, amount;
|
||||
while(index < data_len)
|
||||
@@ -11,7 +11,7 @@ void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, lon
|
||||
if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE;
|
||||
else amount = data_len - index;
|
||||
|
||||
libusb_control_transfer(bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
|
||||
libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
|
||||
index += amount;
|
||||
}
|
||||
}
|
||||
@@ -20,27 +20,27 @@ static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
||||
|
||||
int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len)
|
||||
{
|
||||
struct libusb_device_bundle bundle;
|
||||
int ret = get_device_bundle(&bundle);
|
||||
|
||||
int ret = get_device_bundle(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
return ret;
|
||||
}
|
||||
|
||||
dfu_send_data(&bundle, nullbuf, 16);
|
||||
libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, NULL, 0, 100);
|
||||
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 0, 100);
|
||||
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 6, 100);
|
||||
dfu_send_data(&bundle, (unsigned char *) data, data_len);
|
||||
dfu_send_data(dev, nullbuf, 16);
|
||||
libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, NULL, 0, 100);
|
||||
libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 0, 100);
|
||||
libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 6, 100);
|
||||
dfu_send_data(dev, (unsigned char *) data, data_len);
|
||||
|
||||
if(response_len == 0)
|
||||
{
|
||||
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
|
||||
libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
|
||||
}
|
||||
else
|
||||
{
|
||||
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
|
||||
libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
|
||||
}
|
||||
|
||||
release_device_bundle(dev);
|
||||
return CHECKM8_SUCCESS;
|
||||
}
|
||||
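Review bot: In command(), every `libusb_control_transfer(dev->bundle->handle, ...)` return value is discarded, so a stalled or failed transfer still falls through to `return CHECKM8_SUCCESS;` and the caller cannot tell that the data was never sent. libusb returns the byte count or a negative LIBUSB_ERROR_* code, which IS_CHECKM8_FAIL already treats as failure, so capturing it into `ret` and releasing the bundle on the first negative result is enough. The third transfer, `libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 6, 100);`, is device-to-host with wLength 6 and a NULL buffer, so the 6-byte reply has nowhere to land; give it a local `unsigned char status[6]`. dfu_send_data (first two hunks of this section) is void and drops the same return value, and it assumes `dev->bundle` is already populated by get_device_bundle, which is worth a comment on its definition.
```c
int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len)
{
    unsigned char status[6];
    /* … unchanged: get_device_bundle() call and IS_CHECKM8_FAIL early return … */

    dfu_send_data(dev, nullbuf, 16);
    /* libusb returns bytes transferred or a negative LIBUSB_ERROR_*; stop at the first failure. */
    ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, NULL, 0, 100);
    if(ret < 0) goto out;
    ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 0, 100);
    if(ret < 0) goto out;
    ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, status, sizeof status, 100);
    if(ret < 0) goto out;
    /* … unchanged: dfu_send_data(data) and the response transfer, its result captured into ret the same way … */

    ret = CHECKM8_SUCCESS;
out:
    release_device_bundle(dev);
    return ret;
}
```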
@@ -5,7 +5,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "../../checkm8_libusb/src/libusbi.h"
|
||||
#include "libusbi.h"
|
||||
|
||||
int get_device_bundle(struct pwned_device *dev)
|
||||
{
|
||||
|
||||
@@ -5,9 +5,13 @@
|
||||
|
||||
struct payload
|
||||
{
|
||||
char *path;
|
||||
PAYLOAD_T type;
|
||||
unsigned char *data;
|
||||
long len;
|
||||
|
||||
long install_base;
|
||||
struct payload *next;
|
||||
struct payload *prev;
|
||||
};
|
||||
|
||||
struct payload *get_payload(PAYLOAD_T p)
|
||||
@@ -36,13 +40,100 @@ struct payload *get_payload(PAYLOAD_T p)
|
||||
}
|
||||
|
||||
fseek(payload_file, 0, SEEK_END);
|
||||
res->path = path;
|
||||
res->type = p;
|
||||
res->len = ftell(payload_file);
|
||||
res->data = malloc(res->len);
|
||||
res->install_base = -1;
|
||||
res->next = NULL;
|
||||
res->prev = NULL;
|
||||
|
||||
rewind(payload_file);
|
||||
fread(res->data, 1, res->len, payload_file);
|
||||
fclose(payload_file);
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
void free_payload(struct payload *p)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
long get_address(struct pwned_device *dev, LOCATION_T l)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
|
||||
int dev_contains_payload(struct pwned_device *dev, PAYLOAD_T p)
|
||||
{
|
||||
struct payload *curr;
|
||||
for(curr = dev->installed; curr != NULL; curr = curr->next)
|
||||
{
|
||||
if(curr->type == p) return PAYLOAD_FOUND;
|
||||
}
|
||||
|
||||
return PAYLOAD_NOT_FOUND;
|
||||
}
|
||||
|
||||
int dev_insert_payload(struct pwned_device *dev, struct payload *pl)
|
||||
{
|
||||
struct payload *curr;
|
||||
if(dev->installed == NULL)
|
||||
{
|
||||
dev->installed = pl;
|
||||
return PAYLOAD_SUCCESS;
|
||||
}
|
||||
else if(dev_contains_payload(dev, pl->type) == PAYLOAD_FOUND)
|
||||
{
|
||||
return PAYLOAD_FAIL_DUP;
|
||||
}
|
||||
else
|
||||
{
|
||||
for(curr = dev->installed; curr->next != NULL; curr = curr->next);
|
||||
|
||||
curr->next = pl;
|
||||
pl->prev = curr;
|
||||
return PAYLOAD_SUCCESS;
|
||||
}
|
||||
}
|
||||
|
||||
struct payload *dev_remove_payload(struct pwned_device *dev, PAYLOAD_T p)
|
||||
{
|
||||
struct payload *curr;
|
||||
if(dev->installed == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
else
|
||||
{
|
||||
for(curr = dev->installed; curr != NULL; curr = curr->next)
|
||||
{
|
||||
if(curr->type == p)
|
||||
{
|
||||
curr->prev->next = curr->next;
|
||||
curr->next->prev = curr->prev;
|
||||
return curr;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
|
||||
{
|
||||
struct payload *payload = get_payload(p);
|
||||
long addr = get_address(dev, loc);
|
||||
}
|
||||
|
||||
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...)
|
||||
{
|
||||
|
||||
}
|
||||
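Review bot: dev_remove_payload dereferences `curr->prev->next` and `curr->next->prev` unconditionally, so removing the head (prev is NULL, as get_payload and dev_insert_payload leave it) or the tail (next is NULL) crashes, and removing the head never updates `dev->installed`, leaving it pointing at the unlinked node. Both neighbours need a NULL check, the head case must reseat `dev->installed`, and the returned node's links should be cleared because dev_insert_payload only sets `pl->prev`. Separately, `long addr = get_address(dev, loc);` in install_payload uses the value of a function whose body is empty, and install_payload itself reaches its closing brace without a return while main calls it; using the value of a non-void function that falls off the end is undefined behaviour, so both stubs should return an explicit error sentinel (e.g. `return -1;`) until implemented, and install_payload should check `payload` for NULL and free it on failure. In get_payload, `res->data = malloc(res->len);` and the following `fread` are unchecked and `res->len` comes straight from ftell, which returns -1 on error and would turn the malloc size into SIZE_MAX, so those checks are worth adding while this function is being extended.
```c
struct payload *dev_remove_payload(struct pwned_device *dev, PAYLOAD_T p)
{
    struct payload *curr;
    for(curr = dev->installed; curr != NULL; curr = curr->next)
    {
        if(curr->type != p) continue;

        /* Relink neighbours; the head has no prev and the tail has no next. */
        if(curr->prev != NULL) curr->prev->next = curr->next;
        else dev->installed = curr->next;
        if(curr->next != NULL) curr->next->prev = curr->prev;

        curr->next = NULL;
        curr->prev = NULL;
        return curr;
    }

    return NULL;
}
```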