Attempted to get AES to work
@@ -1,3 +1,5 @@
|
||||
project(checkm8_remote C)
|
||||
|
||||
set(CMAKE_C_STANDARD 99)
|
||||
set(CMAKE_C_FLAGS -g)
|
||||
|
||||
|
||||
@@ -1 +1 @@
|
||||
/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_payloads/bin
|
||||
/home/grg/Projects/School/NCSU/iphone_aes_sc/checkm8_tool/checkm8_payloads/bin
|
||||
@@ -4,7 +4,8 @@
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <execinfo.h>
|
||||
#include <command.h>
|
||||
#include <libusb_helpers.h>
|
||||
#include "command.h"
|
||||
|
||||
void checkm8_debug_indent(const char *format, ...)
|
||||
{
|
||||
@@ -46,23 +47,54 @@ int main()
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *resp;
|
||||
ret = install_payload(dev, PAYLOAD_SYNC, DRAM);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
printf("Failed to install sync payload\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
install_payload(dev, PAYLOAD_SYNC, DRAM);
|
||||
install_payload(dev, PAYLOAD_SYSREG, DRAM);
|
||||
ret = install_payload(dev, PAYLOAD_AES, DRAM);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
printf("Failed to install AES payload\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
resp = execute_payload(dev, PAYLOAD_SYNC, 0);
|
||||
printf("payload sync execution got ret %i\n", resp->ret);
|
||||
free_dev_cmd_resp(resp);
|
||||
|
||||
resp = execute_payload(dev, PAYLOAD_SYSREG, 0);
|
||||
if(resp->ret == CHECKM8_SUCCESS)
|
||||
if(IS_CHECKM8_FAIL(resp->ret))
|
||||
{
|
||||
long long evt_base = RESP_VALUE(resp->data, unsigned long long, 0);
|
||||
printf("got evt base %llx\n", evt_base);
|
||||
|
||||
resp = read_payload(dev, evt_base, 16);
|
||||
printf("%08llX %08llx %08llx",
|
||||
RESP_VALUE(resp->data, unsigned long long, 0),
|
||||
RESP_VALUE(resp->data, unsigned long long, 1));
|
||||
printf("Failed to execute sync payload\n");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
unsigned char data[16] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe,
|
||||
0xef};
|
||||
unsigned char key[16] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe,
|
||||
0xef};
|
||||
|
||||
free_dev_cmd_resp(resp);
|
||||
resp = write_payload(dev, 0x180152000, data, 16);
|
||||
if(IS_CHECKM8_FAIL(resp->ret))
|
||||
{
|
||||
printf("Failed to write AES data\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
free_dev_cmd_resp(resp);
|
||||
resp = write_payload(dev, 0x180152010, key, 16);
|
||||
if(IS_CHECKM8_FAIL(resp->ret))
|
||||
{
|
||||
printf("Failed to write AES key\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
free_dev_cmd_resp(resp);
|
||||
resp = execute_payload(dev, PAYLOAD_AES, 7, 16, 0x180152000, DFU_IMAGE_BASE + 56, 128, 0, 0x180152010, 0);
|
||||
|
||||
if(IS_CHECKM8_FAIL(resp->ret))
|
||||
{
|
||||
printf("Failed to execute AES\n");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
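Review bot: The `execute_payload(dev, PAYLOAD_AES, 7, 16, 0x180152000, ...)` call near the end of this hunk passes plain `int` literals (`16`, `128`, `0`) as variadic arguments, while the `execute_payload` hunk further down reads every argument with `va_arg(arg_list, unsigned long long)`; reading an `int` as `unsigned long long` is undefined behaviour and can leave garbage in the upper half of a value. Give each variadic argument the expected type, e.g. `resp = execute_payload(dev, PAYLOAD_AES, 7, 16ULL, 0x180152000ULL, (unsigned long long) (DFU_IMAGE_BASE + 56), 128ULL, 0ULL, 0x180152010ULL, 0ULL);` (the cast on `DFU_IMAGE_BASE + 56` is a precaution, since its type is not visible here). Separately, each `return -1` after a failed `resp->ret` check leaves `resp` unfreed, and `resp` is dereferenced without a NULL check. `main` starts before this hunk, so any device cleanup it owes on these paths cannot be judged from here.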
@@ -249,6 +249,4 @@ struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr,
|
||||
memcpy(&cmd_args[40], data, len);
|
||||
|
||||
return command(dev, (unsigned char *) &cmd_args, 40 + len, 1 * sizeof(unsigned long long));
|
||||
|
||||
return dev_memcpy(dev, addr, DFU_IMAGE_BASE + 40, len);
|
||||
}
|
||||
@@ -195,23 +195,25 @@ struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int
|
||||
for(i = 0; i < nargs; i++)
|
||||
{
|
||||
args[i + 1] = va_arg(arg_list, unsigned long long);
|
||||
checkm8_debug_indent("\textracted arg %li\n", args[i + 1]);
|
||||
checkm8_debug_indent("\textracted arg %lx\n", args[i + 1]);
|
||||
}
|
||||
va_end(arg_list);
|
||||
|
||||
resp = dev_exec(dev, 8, nargs + 1, args);
|
||||
resp = dev_exec(dev, 16, nargs + 1, args);
|
||||
release_device_bundle(dev);
|
||||
return resp;
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len)
|
||||
{
|
||||
checkm8_debug_indent("read_payload(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
|
||||
int ret;
|
||||
struct dev_cmd_resp *resp;
|
||||
|
||||
ret = get_device_bundle(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to get device bundle\n");
|
||||
resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
resp->ret = ret;
|
||||
return resp;
|
||||
@@ -224,12 +226,14 @@ struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int
|
||||
|
||||
struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len)
|
||||
{
|
||||
checkm8_debug_indent("write_payload(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
|
||||
int ret;
|
||||
struct dev_cmd_resp *resp;
|
||||
|
||||
ret = get_device_bundle(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to get device bundle\n");
|
||||
resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
resp->ret = ret;
|
||||
return resp;
|
||||
|
||||
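Review bot: The debug lines in this section pair `%lx` with 64-bit `long long` values: `addr` in the `read_payload` and `write_payload` traces is declared `long long`, and `args[i + 1]` in the "extracted arg" trace is filled from `va_arg(arg_list, unsigned long long)`. `%lx` expects `unsigned long`, so the specifier should be `%llx` in all three, e.g. `checkm8_debug_indent("read_payload(dev = %p, addr = %llx, len = %i)\n", dev, addr, len);`; `%p` also formally wants `(void *) dev`. Declaring `checkm8_debug_indent` with `__attribute__((format(printf, 1, 2)))` would let the compiler report this class of mismatch, assuming it forwards to a printf-family function. The context lines also write `resp->ret` straight after `calloc` without checking for NULL. Both function bodies continue beyond the hunks shown.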