grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Added some more functionality to payload installation

Browse Source
This commit is contained in:
Gregor Haas
2019-12-10 19:01:02 -05:00
parent 16cf301e80
commit 1ea372da10
7 changed files with 142 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
checkm8_remote/include/checkm8.h
View File

@@ -10,20 +10,14 @@
#define IS_CHECKM8_FAIL(code) code < 0 #define IS_CHECKM8_FAIL(code) code < 0
#if CHECKM8_PLATFORM == 8010 #if CHECKM8_PLATFORM == 8010
#define DEV_IDVENDOR 0x05AC
#define DEV_IDPRODUCT 0x1227 #define DEV_IDVENDOR 0x05AC
#define DEV_IDPRODUCT 0x1227
#else #else
#error "Unspported checkm8 platform" #error "Unspported checkm8 platform"
#endif #endif
struct libusb_device_bundle
{
struct libusb_context *ctx;
struct libusb_device *device;
struct libusb_device_handle *handle;
struct libusb_device_descriptor *descriptor;
};
struct pwned_device struct pwned_device
{ {
enum enum
@@ -34,7 +28,9 @@ struct pwned_device
unsigned int idVendor; unsigned int idVendor;
unsigned int idProduct; unsigned int idProduct;
struct libusb_device_bundle *bundle; struct libusb_device_bundle *bundle;
struct payload *installed;
}; };
struct pwned_device *exploit_device(); struct pwned_device *exploit_device();

8
checkm8_remote/include/libusb_helpers.h
View File

@@ -5,6 +5,14 @@
#define LIBUSB_MAX_PACKET_SIZE 0x800 #define LIBUSB_MAX_PACKET_SIZE 0x800
struct libusb_device_bundle
{
struct libusb_context *ctx;
struct libusb_device *device;
struct libusb_device_handle *handle;
struct libusb_device_descriptor *descriptor;
};
int get_device_bundle(struct pwned_device *dev); int get_device_bundle(struct pwned_device *dev);
int release_device_bundle(struct pwned_device *dev); int release_device_bundle(struct pwned_device *dev);

22
checkm8_remote/include/payload.h
View File

@@ -1,11 +1,29 @@
#ifndef IPWNDFU_REWRITE_C_PAYLOAD_H #ifndef IPWNDFU_REWRITE_C_PAYLOAD_H
#define IPWNDFU_REWRITE_C_PAYLOAD_H #define IPWNDFU_REWRITE_C_PAYLOAD_H
#include "checkm8.h"
#define PAYLOAD_SUCCESS 0
#define PAYLOAD_FAIL_DUP -1
#define PAYLOAD_FOUND 0
#define PAYLOAD_NOT_FOUND -1
typedef enum typedef enum
{ {
PAYLOAD_AES PAYLOAD_AES,
PAYLOAD_SYSREG
} PAYLOAD_T; } PAYLOAD_T;
struct payload *get_payload(PAYLOAD_T p); typedef enum
{
SRAM,
DRAM
} LOCATION_T;
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...);
#endif //IPWNDFU_REWRITE_C_PAYLOAD_H #endif //IPWNDFU_REWRITE_C_PAYLOAD_H

2
checkm8_remote/main.c
View File

@@ -1,5 +1,6 @@
#include <stdio.h> #include <stdio.h>
#include "checkm8.h" #include "checkm8.h"
#include "payload.h"
int main() int main()
{ {
@@ -10,4 +11,5 @@ int main()
return -1; return -1;
} }
install_payload(dev, PAYLOAD_AES, DRAM);
} }

24
checkm8_remote/src/command.c
View File

@@ -3,7 +3,7 @@
#include "libusb.h" #include "libusb.h"
void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, long data_len) void dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
{ {
long index = 0, amount; long index = 0, amount;
while(index < data_len) while(index < data_len)
@@ -11,7 +11,7 @@ void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, lon
if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE; if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE;
else amount = data_len - index; else amount = data_len - index;
libusb_control_transfer(bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000); libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
index += amount; index += amount;
} }
} }
@@ -20,27 +20,27 @@ static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len) int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len)
{ {
struct libusb_device_bundle bundle; int ret = get_device_bundle(dev);
int ret = get_device_bundle(&bundle);
if(IS_CHECKM8_FAIL(ret)) if(IS_CHECKM8_FAIL(ret))
{ {
return ret; return ret;
} }
dfu_send_data(&bundle, nullbuf, 16); dfu_send_data(dev, nullbuf, 16);
libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, NULL, 0, 100); libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, NULL, 0, 100);
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 0, 100); libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 0, 100);
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 6, 100); libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 6, 100);
dfu_send_data(&bundle, (unsigned char *) data, data_len); dfu_send_data(dev, (unsigned char *) data, data_len);
if(response_len == 0) if(response_len == 0)
{ {
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100); libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
} }
else else
{ {
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100); libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
} }
release_device_bundle(dev);
return CHECKM8_SUCCESS;
} }

2
checkm8_remote/src/libusb_helpers.c
View File

@@ -5,7 +5,7 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include "../../checkm8_libusb/src/libusbi.h" #include "libusbi.h"
int get_device_bundle(struct pwned_device *dev) int get_device_bundle(struct pwned_device *dev)
{ {

95
checkm8_remote/src/payload.c
View File

@@ -5,9 +5,13 @@
struct payload struct payload
{ {
char *path; PAYLOAD_T type;
unsigned char *data; unsigned char *data;
long len; long len;
long install_base;
struct payload *next;
struct payload *prev;
}; };
struct payload *get_payload(PAYLOAD_T p) struct payload *get_payload(PAYLOAD_T p)
@@ -36,13 +40,100 @@ struct payload *get_payload(PAYLOAD_T p)
} }
fseek(payload_file, 0, SEEK_END); fseek(payload_file, 0, SEEK_END);
res->path = path; res->type = p;
res->len = ftell(payload_file); res->len = ftell(payload_file);
res->data = malloc(res->len); res->data = malloc(res->len);
res->install_base = -1;
res->next = NULL;
res->prev = NULL;
rewind(payload_file); rewind(payload_file);
fread(res->data, 1, res->len, payload_file); fread(res->data, 1, res->len, payload_file);
fclose(payload_file); fclose(payload_file);
return res; return res;
}
void free_payload(struct payload *p)
{
}
long get_address(struct pwned_device *dev, LOCATION_T l)
{
}
int dev_contains_payload(struct pwned_device *dev, PAYLOAD_T p)
{
struct payload *curr;
for(curr = dev->installed; curr != NULL; curr = curr->next)
{
if(curr->type == p) return PAYLOAD_FOUND;
}
return PAYLOAD_NOT_FOUND;
}
int dev_insert_payload(struct pwned_device *dev, struct payload *pl)
{
struct payload *curr;
if(dev->installed == NULL)
{
dev->installed = pl;
return PAYLOAD_SUCCESS;
}
else if(dev_contains_payload(dev, pl->type) == PAYLOAD_FOUND)
{
return PAYLOAD_FAIL_DUP;
}
else
{
for(curr = dev->installed; curr->next != NULL; curr = curr->next);
curr->next = pl;
pl->prev = curr;
return PAYLOAD_SUCCESS;
}
}
struct payload *dev_remove_payload(struct pwned_device *dev, PAYLOAD_T p)
{
struct payload *curr;
if(dev->installed == NULL)
{
return NULL;
}
else
{
for(curr = dev->installed; curr != NULL; curr = curr->next)
{
if(curr->type == p)
{
curr->prev->next = curr->next;
curr->next->prev = curr->prev;
return curr;
}
}
}
return NULL;
}
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
{
struct payload *payload = get_payload(p);
long addr = get_address(dev, loc);
}
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
{
}
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, ...)
{
} }