From 1ea372da1035580acb4f6d806ad76aa76a30f127 Mon Sep 17 00:00:00 2001
From: Gregor Haas
Date: Tue, 10 Dec 2019 19:01:02 -0500
Subject: [PATCH] Added some more functionality to payload installation
---
 checkm8_remote/include/checkm8.h | 16 ++---
 checkm8_remote/include/libusb_helpers.h | 8 +++
 checkm8_remote/include/payload.h | 22 +++++-
 checkm8_remote/main.c | 2 +
 checkm8_remote/src/command.c | 24 +++----
 checkm8_remote/src/libusb_helpers.c | 2 +-
 checkm8_remote/src/payload.c | 95 ++++++++++++++++++++++++-
 7 files changed, 142 insertions(+), 27 deletions(-)
diff --git a/checkm8_remote/include/checkm8.h b/checkm8_remote/include/checkm8.h
index 03bbf0e..feafdbb 100644
--- a/checkm8_remote/include/checkm8.h
+++ b/checkm8_remote/include/checkm8.h
@@ -10,20 +10,14 @@
 #define IS_CHECKM8_FAIL(code) code < 0
 #if CHECKM8_PLATFORM == 8010
-#define DEV_IDVENDOR 0x05AC
-#define DEV_IDPRODUCT 0x1227
+
+#define DEV_IDVENDOR 0x05AC
+#define DEV_IDPRODUCT 0x1227
+
 #else
 #error "Unspported checkm8 platform"
 #endif
-struct libusb_device_bundle
-{
- struct libusb_context *ctx;
- struct libusb_device *device;
- struct libusb_device_handle *handle;
- struct libusb_device_descriptor *descriptor;
-};
-
 struct pwned_device
 {
 enum
@@ -34,7 +28,9 @@ struct pwned_device
 unsigned int idVendor;
 unsigned int idProduct;
+ struct libusb_device_bundle *bundle;
+ struct payload *installed;
 };
 struct pwned_device *exploit_device();
diff --git a/checkm8_remote/include/libusb_helpers.h b/checkm8_remote/include/libusb_helpers.h
index 24a89e1..deec1bb 100644
--- a/checkm8_remote/include/libusb_helpers.h
+++ b/checkm8_remote/include/libusb_helpers.h
@@ -5,6 +5,14 @@
 #define LIBUSB_MAX_PACKET_SIZE 0x800
+struct libusb_device_bundle
+{
+ struct libusb_context *ctx;
+ struct libusb_device *device;
+ struct libusb_device_handle *handle;
+ struct libusb_device_descriptor *descriptor;
+};
+
 int get_device_bundle(struct pwned_device *dev);
 int release_device_bundle(struct pwned_device *dev);
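Review bot: The two new members `bundle` and `installed` in `struct pwned_device` are added without stating who owns them: from `command` in this patch `bundle` is acquired and released again inside every call, while `installed` is a linked list that `dev_insert_payload` and `dev_remove_payload` manipulate and nothing in this patch frees (`free_payload` and `uninstall_payload` are empty stubs). A comment on each member would pin this down, e.g. `/* transient libusb state; valid only between get_device_bundle() and release_device_bundle() */` and `/* head of the installed-payload list; nodes are to be released by free_payload() */`. The header references `struct libusb_device_bundle` and `struct payload` without a prior declaration; that is legal C for a pointer member, but a forward declaration `struct libusb_device_bundle; struct payload;` above `struct pwned_device` makes the dependency explicit and avoids surprises if the header is ever consumed from C++.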
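Review bot: `get_device_bundle` and `release_device_bundle` take `struct pwned_device *`, but nothing in this hunk declares that struct; unless libusb_helpers.h includes checkm8.h outside the visible lines, a forward declaration `struct pwned_device;` above the prototypes keeps the header self-contained regardless of include order. The relocated `struct libusb_device_bundle` also lacks a comment on its lifecycle; judging from its use in `command`, `/* presumably populated by get_device_bundle() and torn down by release_device_bundle() */` is the contract, which the two prototypes should state explicitly along with their return codes.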
diff --git a/checkm8_remote/include/payload.h b/checkm8_remote/include/payload.h
index 238e407..c326c18 100644
--- a/checkm8_remote/include/payload.h
+++ b/checkm8_remote/include/payload.h
@@ -1,11 +1,29 @@
 #ifndef IPWNDFU_REWRITE_C_PAYLOAD_H
 #define IPWNDFU_REWRITE_C_PAYLOAD_H
+#include "checkm8.h"
+
+#define PAYLOAD_SUCCESS 0
+#define PAYLOAD_FAIL_DUP -1
+
+#define PAYLOAD_FOUND 0
+#define PAYLOAD_NOT_FOUND -1
+
 typedef enum
 {
- PAYLOAD_AES
+ PAYLOAD_AES,
+ PAYLOAD_SYSREG
 } PAYLOAD_T;
-struct payload *get_payload(PAYLOAD_T p);
+typedef enum
+{
+ SRAM,
+ DRAM
+} LOCATION_T;
+
+int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
+int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
+
+int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...);
 #endif //IPWNDFU_REWRITE_C_PAYLOAD_H
diff --git a/checkm8_remote/main.c b/checkm8_remote/main.c
index 6299e73..fb48ac1 100644
--- a/checkm8_remote/main.c
+++ b/checkm8_remote/main.c
@@ -1,5 +1,6 @@
 #include
 #include "checkm8.h"
+#include "payload.h"
 int main()
 {
@@ -10,4 +11,5 @@ int main()
 return -1;
 }
+ install_payload(dev, PAYLOAD_AES, DRAM);
 }
\ No newline at end of file
diff --git a/checkm8_remote/src/command.c b/checkm8_remote/src/command.c
index a256c3f..fbdb0bf 100644
--- a/checkm8_remote/src/command.c
+++ b/checkm8_remote/src/command.c
@@ -3,7 +3,7 @@
 #include "libusb.h"
-void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, long data_len)
+void dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
 {
 long index = 0, amount;
 while(index < data_len)
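Review bot: `execute_payload` is declared variadic (`PAYLOAD_T p, ...`) with no count or format parameter, so the implementation has no way to learn how many arguments were passed or their types, and reading a `va_arg` of the wrong type is undefined behaviour. Either pass an explicit count, e.g. `int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...);`, or take a fixed per-payload argument struct. The header also introduces two return-code families (`PAYLOAD_SUCCESS`/`PAYLOAD_FAIL_DUP` and `PAYLOAD_FOUND`/`PAYLOAD_NOT_FOUND`) without saying which prototype returns which; a one-line comment per prototype naming its return values would settle it. `SRAM` and `DRAM` are unprefixed global enumerators and may collide with other headers; `LOC_SRAM`/`LOC_DRAM` would match the `PAYLOAD_` convention used beside them.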
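Review bot: The result of `install_payload(dev, PAYLOAD_AES, DRAM)` is discarded, so a failed install is indistinguishable from success even though the preceding `return -1;` context shows the program already bails out when the device step fails. Check it the same way, e.g. `if(install_payload(dev, PAYLOAD_AES, DRAM) < 0) return -1;`, assuming a negative code means failure, which payload.h does not yet document. The body of `main` begins outside the hunk.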
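Review bot: `dfu_send_data` now reaches the handle through `dev->bundle` (the dereference is in the following hunk), and from `command` that pointer is only populated between `get_device_bundle` and `release_device_bundle`, yet nothing at the definition states that precondition. A header comment above the signature, `/* Caller must hold the device bundle (get_device_bundle) for the duration of the call; dev->bundle is dereferenced without a NULL check. */`, would make the contract explicit for other callers. The function body continues in the next hunk.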
@@ -11,7 +11,7 @@ void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, lon
 if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE;
 else amount = data_len - index;
-libusb_control_transfer(bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
+libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
 index += amount;
 }
 }
@@ -20,27 +20,27 @@ static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len)
 {
- struct libusb_device_bundle bundle;
- int ret = get_device_bundle(&bundle);
-
+ int ret = get_device_bundle(dev);
 if(IS_CHECKM8_FAIL(ret))
 {
 return ret;
 }
- dfu_send_data(&bundle, nullbuf, 16);
- libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, NULL, 0, 100);
- libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 0, 100);
- libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 6, 100);
- dfu_send_data(&bundle, (unsigned char *) data, data_len);
+ dfu_send_data(dev, nullbuf, 16);
+ libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, NULL, 0, 100);
+ libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 0, 100);
+ libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 6, 100);
+ dfu_send_data(dev, (unsigned char *) data, data_len);
 if(response_len == 0)
 {
- libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
+ libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
 }
 else
 {
- libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
+ libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
 }
+ release_device_bundle(dev);
+
 return CHECKM8_SUCCESS;
 }
\ No newline at end of file
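Review bot: None of the `libusb_control_transfer` calls rewritten in `command` (nor the one in `dfu_send_data` in the hunk above) check their return value, so a stalled or timed-out transfer is treated exactly like success and `CHECKM8_SUCCESS` is returned with `response` possibly never written. libusb reports a negative error code or the byte count on these calls; at minimum the final response transfer should be captured, e.g. `int n = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);` followed by `if(n < 0) { release_device_bundle(dev); return n; }`, so that the bundle is still released on the error path. The return value of `release_device_bundle(dev)` is likewise dropped; if it can fail, its status should be propagated or at least logged rather than masked by the unconditional `CHECKM8_SUCCESS`.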
diff --git a/checkm8_remote/src/libusb_helpers.c b/checkm8_remote/src/libusb_helpers.c
index da70867..d0e8719 100644
--- a/checkm8_remote/src/libusb_helpers.c
+++ b/checkm8_remote/src/libusb_helpers.c
@@ -5,7 +5,7 @@
 #include
 #include
-#include "../../checkm8_libusb/src/libusbi.h"
+#include "libusbi.h"
 int get_device_bundle(struct pwned_device *dev)
 {
diff --git a/checkm8_remote/src/payload.c b/checkm8_remote/src/payload.c
index 111aa4b..69d55bc 100644
--- a/checkm8_remote/src/payload.c
+++ b/checkm8_remote/src/payload.c
@@ -5,9 +5,13 @@
 struct payload
 {
- char *path;
+ PAYLOAD_T type;
 unsigned char *data;
 long len;
+
+ long install_base;
+ struct payload *next;
+ struct payload *prev;
 };
 struct payload *get_payload(PAYLOAD_T p)
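Review bot: The four new `struct payload` members are undocumented; from the rest of the patch `install_base` is set to `-1` in `get_payload` and never written elsewhere, and `next`/`prev` are the links of the `dev->installed` list, so comments such as `long install_base; /* presumably the device address once installed; -1 while not installed */` and `struct payload *next; struct payload *prev; /* links in pwned_device::installed, owned by that list */` belong on these lines. Replacing `path` with `type` also removes the only place the struct kept the path pointer; if `path` in `get_payload` is heap-allocated, it is now lost once `res->path = path;` goes away, which is worth confirming since that code starts outside this hunk.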
@@ -36,13 +40,100 @@ struct payload *get_payload(PAYLOAD_T p)
 }
 fseek(payload_file, 0, SEEK_END);
- res->path = path;
+ res->type = p;
 res->len = ftell(payload_file);
 res->data = malloc(res->len);
+ res->install_base = -1;
+ res->next = NULL;
+ res->prev = NULL;
 rewind(payload_file);
 fread(res->data, 1, res->len, payload_file);
 fclose(payload_file);
 return res;
+}
+
+void free_payload(struct payload *p)
+{
+
+}
+
+long get_address(struct pwned_device *dev, LOCATION_T l)
+{
+
+}
+
+
+int dev_contains_payload(struct pwned_device *dev, PAYLOAD_T p)
+{
+ struct payload *curr;
+ for(curr = dev->installed; curr != NULL; curr = curr->next)
+ {
+ if(curr->type == p) return PAYLOAD_FOUND;
+ }
+
+ return PAYLOAD_NOT_FOUND;
+}
+
+int dev_insert_payload(struct pwned_device *dev, struct payload *pl)
+{
+ struct payload *curr;
+ if(dev->installed == NULL)
+ {
+ dev->installed = pl;
+ return PAYLOAD_SUCCESS;
+ }
+ else if(dev_contains_payload(dev, pl->type) == PAYLOAD_FOUND)
+ {
+ return PAYLOAD_FAIL_DUP;
+ }
+ else
+ {
+ for(curr = dev->installed; curr->next != NULL; curr = curr->next);
+
+ curr->next = pl;
+ pl->prev = curr;
+ return PAYLOAD_SUCCESS;
+ }
+}
+
+struct payload *dev_remove_payload(struct pwned_device *dev, PAYLOAD_T p)
+{
+ struct payload *curr;
+ if(dev->installed == NULL)
+ {
+ return NULL;
+ }
+ else
+ {
+ for(curr = dev->installed; curr != NULL; curr = curr->next)
+ {
+ if(curr->type == p)
+ {
+ curr->prev->next = curr->next;
+ curr->next->prev = curr->prev;
+ return curr;
+ }
+ }
+ }
+
+ return NULL;
+}
+
+
+int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
+{
+ struct payload *payload = get_payload(p);
+ long addr = get_address(dev, loc);
+}
+
+int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
+{
+
+}
+
+int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...)
+{
+
 }
\ No newline at end of file
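Review bot: `dev_remove_payload` dereferences `curr->prev` and `curr->next` unconditionally once it finds a match, so removing the head (whose `prev` is NULL, as `get_payload` initialises it and `dev_insert_payload` leaves it) or the tail (whose `next` is NULL) crashes, and removing the head also never updates `dev->installed`, leaving it pointing at a node that has been handed back to the caller. The unlink needs to handle both ends and clear the removed node's links; the rewritten function is below. Separately, `get_address`, `install_payload`, `uninstall_payload` and `execute_payload` are non-void but contain no `return`, and `install_payload` reads `get_address`'s result into `addr`, which is undefined behaviour as it stands; `install_payload` also neither checks `get_payload` for NULL (the `}` context at the top of the hunk suggests an early-return path exists) nor inserts `payload` into `dev->installed`, so the allocation is simply lost. While in `get_payload`, `ftell`, `malloc` and `fread` are all unchecked, so a short or failed read leaves `res->data` partially uninitialised; `get_payload`'s body begins outside the hunk.

```c
struct payload *dev_remove_payload(struct pwned_device *dev, PAYLOAD_T p)
{
    struct payload *curr;
    for(curr = dev->installed; curr != NULL; curr = curr->next)
    {
        if(curr->type != p) continue;

        /* unlink: the head has no prev, the tail has no next */
        if(curr->prev != NULL) curr->prev->next = curr->next;
        else dev->installed = curr->next;
        if(curr->next != NULL) curr->next->prev = curr->prev;

        curr->next = NULL;
        curr->prev = NULL;
        return curr;
    }

    return NULL;
}
```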