Changes

exploit/commands.c

@@ -1,4 +1,5 @@
 #include <string.h>
+#include <stdio.h>
 
 #include "libusb_helpers.h"
 #include "checkm8.h"
@@ -40,11 +41,12 @@ int command(unsigned char *request_data, int request_len, unsigned char *respons
 
 int execute(unsigned long *args, int nargs, unsigned char *response_buf, int response_len)
 {
-    unsigned long cmd_buf[nargs + 1];
-    cmd_buf[0] = EXEC_MAGIC;
-    memcpy(&cmd_buf[1], args, 8 * nargs);
+    unsigned char cmd_buf[8 * (nargs + 1)];
+    unsigned long exec = EXEC_MAGIC;
 
-    return command((unsigned char *) cmd_buf, 8 * (nargs + 1), response_buf, response_len);
+    memcpy(cmd_buf, &exec, 8);
+    memcpy(&cmd_buf[8], args, 8 * nargs);
+    return command(cmd_buf, 8 * (nargs + 1), response_buf, response_len);
 }
 
 
@@ -65,5 +67,9 @@ int aes(unsigned char *source, unsigned char *target, int encrypt, int key)
     int ret = execute(args, 10, response, 32);
 
     memcpy(target, &response[16], 16);
+    for(int i = 0; i < 16; i++)
+    {
+        printf("%02x", target[i]);
+    }
     return ret;
 }

exploit/exploit.c

@@ -5,34 +5,14 @@
 #include "checkm8.h"
 #include "libusb_helpers.h"
 
-int complete_stage(int stage_function(struct libusb_device_bundle *bundle))
+int complete_stage(struct libusb_device_bundle *bundle, int stage_function(struct libusb_device_bundle *bundle))
 {
-    int ret;
+    libusb_open(bundle->device, &bundle->handle);
+    libusb_set_auto_detach_kernel_driver(bundle->handle, 1);
 
-    libusb_context *usb_ctx = NULL;
-    struct libusb_device_bundle usb_bundle;
+    int ret = stage_function(bundle);
+    libusb_close(bundle->handle);
 
-    libusb_init(&usb_ctx);
-    get_test_device(usb_ctx, &usb_bundle);
-
-    if(usb_bundle.handle == NULL)
-    {
-        libusb_exit(usb_ctx);
-        printf("Could not find device\n");
-        return 1;
-    }
-
-    ret = libusb_set_auto_detach_kernel_driver(usb_bundle.handle, 1);
-    if(ret > 0)
-    {
-        printf("%s\n", libusb_error_name(ret));
-        return ret;
-    }
-
-    ret = stage_function(&usb_bundle);
-
-    libusb_close(usb_bundle.handle);
-    libusb_exit(usb_ctx);
     return ret;
 }
 
@@ -115,22 +95,30 @@ int check_function(struct libusb_device_bundle *bundle)
 
 int exploit_device()
 {
-    int ret = complete_stage(stage1_function);
+    libusb_context *usb_ctx = NULL;
+    struct libusb_device_bundle usb_bundle;
+
+    libusb_init(&usb_ctx);
+    get_test_device(usb_ctx, &usb_bundle);
+
+    int ret = complete_stage(&usb_bundle, stage1_function);
     if(ret == 0)
     {
-        ret = complete_stage(stage2_function);
+        ret = complete_stage(&usb_bundle, stage2_function);
         usleep(500000);
     }
 
     if(ret == 0)
     {
-        ret = complete_stage(stage3_function);
+        ret = complete_stage(&usb_bundle, stage3_function);
         usleep(500000);
     }
 
     if(ret == 0)
     {
-        ret = complete_stage(check_function);
+        ret = complete_stage(&usb_bundle, check_function);
     }
+
+    libusb_exit(usb_ctx);
     return ret;
 }

exploit/libusb_helpers.c

@@ -1,4 +1,5 @@
 #include "libusb_helpers.h"
+#include "../libusb/libusb/libusb.h"
 
 #include <string.h>
 #include <stdio.h>
@@ -22,16 +23,25 @@ void get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundl
 
         if(usb_desc.idVendor == 0x05AC && usb_desc.idProduct == 0x1227)
         {
-            libusb_open(usb_device, &usb_handle);
             break;
         }
     }
 
     libusb_free_device_list(usb_device_list, usb_dev_count);
+    bundle->ctx = usb_ctx;
+    bundle->device = usb_device;
     bundle->handle = usb_handle;
     bundle->descriptor = usb_desc;
 }
 
+void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
+{
+    printf("transfer status: %s (%i / %i)\n",
+            libusb_error_name(transfer->status),
+            transfer->actual_length,
+            transfer->length);
+}
+
 void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
                                  unsigned char bmRequestType, unsigned char bRequest,
                                  unsigned short wValue, unsigned short wIndex,
@@ -47,7 +57,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
     struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0);
     libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len);
     memcpy(&usb_transfer_buf[8], data, data_len);
-    libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, NULL, NULL, 1);
+    libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
 
     ret = libusb_submit_transfer(usb_transfer);
     if(ret != 0)
@@ -70,6 +80,8 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
             }
             return;
         }
+
+        printf("%i / %i\n", usb_transfer->actual_length, usb_transfer->length);
     }
 }
 
@@ -94,10 +106,7 @@ void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle,
     }
 
     ret = libusb_control_transfer(handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
-    if(ret > 0)
-    {
-        printf("%s\n", libusb_error_name(ret));
-    }
+    printf("%s\n", libusb_error_name(ret));
 }
 
 void stall(libusb_device_handle *handle)

exploit/libusb_helpers.h

@@ -1,10 +1,12 @@
 #ifndef IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
 #define IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
 
-#include <libusb-1.0/libusb.h>
+#include "libusb-1.0/libusb.h"
 
 struct libusb_device_bundle
 {
+    struct libusb_context *ctx;
+    struct libusb_device *device;
     struct libusb_device_handle *handle;
     struct libusb_device_descriptor descriptor;
 };