A working AES experiment!
@@ -236,8 +236,8 @@ void loop()
|
||||
if(usb_args.data_len - chunk_i > ARD_BUF_SIZE) chunk_size = ARD_BUF_SIZE;
|
||||
else chunk_size = usb_args.data_len - chunk_i;
|
||||
|
||||
Serial.write(chunk_size);
|
||||
recv_serial(usb_data_buf, chunk_size);
|
||||
Serial.write(PROT_ACK);
|
||||
|
||||
i = 0;
|
||||
while(i < chunk_size)
|
||||
|
||||
@@ -24,9 +24,10 @@ typedef enum
|
||||
|
||||
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
|
||||
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
|
||||
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...);
|
||||
struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len);
|
||||
struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len);
|
||||
struct dev_cmd_resp *read_gadget(struct pwned_device *dev, long long addr, int len);
|
||||
struct dev_cmd_resp *write_gadget(struct pwned_device *dev, long long addr, unsigned char *data, int len);
|
||||
struct dev_cmd_resp *execute_gadget(struct pwned_device *dev, long long addr, int response_len, int nargs, ...);
|
||||
|
||||
#endif //CHECKM8_TOOL_PAYLOAD_H
|
||||
|
||||
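Review bot: The new read_gadget/write_gadget/execute_gadget declarations and the widened execute_payload prototype say nothing about who owns the returned `struct dev_cmd_resp *`, even though every call site on this page releases it with `free_dev_cmd_resp`; that contract belongs on the declarations, e.g. `/* Returns a heap-allocated response; the caller releases it with free_dev_cmd_resp(). */`. The later payload.c hunk also shows that read_gadget and write_gadget, unlike the read_payload/write_payload they replace, do not open a device session themselves, so each should carry `/* Requires an open device session (open_device_session). */`. Without these, a caller porting from the *_payload variants will get a session-less call and may not know to free the result.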
@@ -1,11 +1,17 @@
|
||||
#include "checkm8.h"
|
||||
#include "payload.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "usb_helpers.h"
|
||||
#include "command.h"
|
||||
#include "payload.h"
|
||||
|
||||
#ifdef CHECKM8_LOGGING
|
||||
#include <stdarg.h>
|
||||
#include <execinfo.h>
|
||||
#include <usb_helpers.h>
|
||||
#include "command.h"
|
||||
#endif
|
||||
|
||||
void checkm8_debug_indent(const char *format, ...)
|
||||
{
|
||||
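Review bot: `#include "payload.h"` appears twice in this hunk, once near the top and again after `"command.h"`; if both survive on the new side (the rendered page no longer shows which lines were added), one is redundant and should go — harmless because of the include guard shown in payload.h, but noise. The `#include <usb_helpers.h>` under `CHECKM8_LOGGING` uses angle brackets for a project header that the same file also includes as `"usb_helpers.h"`; use the quoted form consistently. `<execinfo.h>` is a glibc extension rather than POSIX, which is worth a comment on the `#ifdef CHECKM8_LOGGING` block since the rest of the file otherwise sticks to `<unistd.h>`-level portability.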
@@ -47,7 +53,63 @@ int main()
|
||||
return -1;
|
||||
}
|
||||
|
||||
unsigned long long data0 = 0xdeadbeefdeadbeef;
|
||||
unsigned long long data1 = 0xdeadbeefdeadbeef;
|
||||
|
||||
free_dev_cmd_resp(resp);
|
||||
ret = open_device_session(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
printf("failed to open device session\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
for(int i = 0; i < 100000; i++)
|
||||
{
|
||||
printf("encrypting ");
|
||||
for(int j = 0; j < 8; j++)
|
||||
{
|
||||
printf("%02X", ((unsigned char *) &data0)[j]);
|
||||
}
|
||||
|
||||
for(int j = 0; j < 8; j++)
|
||||
{
|
||||
printf("%02X", ((unsigned char *) &data1)[j]);
|
||||
}
|
||||
|
||||
printf("\n");
|
||||
resp = execute_gadget(dev,
|
||||
0x100000f0c, 16, 9,
|
||||
16, // action (AES_ENCRYPT)
|
||||
0x1800b0048, 0x1800b0010, // dest and src addresses
|
||||
16, // data size
|
||||
0x20000201, // AES_UID_KEY
|
||||
0, 0, // no
|
||||
data0, data1);
|
||||
|
||||
if(IS_CHECKM8_FAIL(resp->ret))
|
||||
{
|
||||
printf("failed\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
memcpy(&data0, &resp->data[0], 8);
|
||||
memcpy(&data1, &resp->data[8], 8);
|
||||
free_dev_cmd_resp(resp);
|
||||
|
||||
printf("\t-> ");
|
||||
for(int j = 0; j < 8; j++)
|
||||
{
|
||||
printf("%02X", ((unsigned char *) &data0)[j]);
|
||||
}
|
||||
|
||||
for(int j = 0; j < 8; j++)
|
||||
{
|
||||
printf("%02X", ((unsigned char *) &data1)[j]);
|
||||
}
|
||||
printf("\n");
|
||||
usleep(250000);
|
||||
}
|
||||
|
||||
close_device_session(dev);
|
||||
free_device(dev);
|
||||
}
|
||||
|
||||
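Review bot: The failure branch after execute_gadget returns -1 without releasing `resp`, without closing the device session opened just above the loop and without freeing `dev`, so a single failed iteration leaks the response and leaves the session open. The two memcpy calls below it also read 16 bytes from `resp->data` without checking `resp->len`; if dev_exec passes `response_len` straight through to command(), whose new code keeps only `response_len - 16` data bytes, a 16-byte response would leave `resp->data` NULL here. Change the guard to `if(IS_CHECKM8_FAIL(resp->ret) || resp->len < 16)` and add `free_dev_cmd_resp(resp); close_device_session(dev); free_device(dev);` before the `return -1;` inside it. The `main` this hunk patches begins before the hunk; the fixed iteration count and addresses read as experiment scaffolding, which the commit title confirms, so a one-line comment marking them as such would help the next reader.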
@@ -46,16 +46,24 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
|
||||
checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i, response_len = %i)\n",
|
||||
dev, args, arg_len, response_len);
|
||||
|
||||
int close, ret;
|
||||
struct dev_cmd_resp *cmd_resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
unsigned char resp_buf[response_len];
|
||||
|
||||
if(!is_device_session_open(dev))
|
||||
if(is_device_session_open(dev)) close = 0;
|
||||
else
|
||||
{
|
||||
cmd_resp->ret = CHECKM8_FAIL_NODEV;
|
||||
return cmd_resp;
|
||||
ret = open_device_session(dev);
|
||||
close = 1;
|
||||
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to open device session\n");
|
||||
cmd_resp->ret = CHECKM8_FAIL_NODEV;
|
||||
return cmd_resp;
|
||||
}
|
||||
}
|
||||
|
||||
int ret;
|
||||
ret = dfu_send_data(dev, nullbuf, 16);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
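Review bot: A session that command() now opens itself (`close = 1`) is closed only on the success path at the very end of the function (`if(close) close_device_session(dev);` in the next hunk); the failure returns between the dfu_send_data check that ends this hunk and that line are outside the hunk, and if they return directly — as the visible NODEV path does — an auto-opened session is left open on every transfer error. Route those exits through one cleanup, e.g. `if(close) close_device_session(dev); return cmd_resp;` behind a goto label. Two context lines the new path sits between also deserve attention: the `calloc` result is written through on the NODEV path without a NULL check, and `unsigned char resp_buf[response_len]` is a VLA sized by a caller-supplied int with no check that it is positive. The function's signature and the remainder of its body lie outside this hunk.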
@@ -128,14 +136,16 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
|
||||
|
||||
cmd_resp->ret = CHECKM8_SUCCESS;
|
||||
memcpy(&cmd_resp->magic, resp_buf, 8);
|
||||
if(response_len - 8 > 0)
|
||||
if(response_len - 16 > 0)
|
||||
{
|
||||
checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 8);
|
||||
cmd_resp->data = calloc(1, response_len - 8);
|
||||
memcpy(cmd_resp->data, &resp_buf[8], response_len - 8);
|
||||
checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 16);
|
||||
cmd_resp->data = calloc(1, response_len - 16);
|
||||
memcpy(cmd_resp->data, &resp_buf[16], response_len - 16);
|
||||
}
|
||||
|
||||
cmd_resp->len = response_len - 8;
|
||||
cmd_resp->len = response_len - 16;
|
||||
|
||||
if(close) close_device_session(dev);
|
||||
return cmd_resp;
|
||||
}
|
||||
|
||||
|
||||
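Review bot: `cmd_resp->len = response_len - 16;` goes negative for any response_len below 16; the `response_len - 16 > 0` guard above protects only the calloc/memcpy, not the length handed to callers, so clamp it: `cmd_resp->len = response_len > 16 ? response_len - 16 : 0;`. The data copy now starts at `resp_buf[16]` while `memcpy(&cmd_resp->magic, resp_buf, 8)` still takes only 8 header bytes, so bytes 8–15 of every response are silently dropped — if that is intentional, a one-line comment saying what occupies them would help; otherwise `magic` should grow with the offset. The body of command() begins before this hunk.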
@@ -169,7 +169,7 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
|
||||
return CHECKM8_SUCCESS;
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...)
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...)
|
||||
{
|
||||
checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
|
||||
int ret, i;
|
||||
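Review bot: The debug line under the new signature still logs only dev, p and nargs; since `response_len` now sizes the device read (see the `dev_exec(dev, response_len, ...)` change in the next hunk), log it too: `checkm8_debug_indent("execute_payload(dev = %p, p = %i, response_len = %i, nargs = %i, ...)\n", dev, p, response_len, nargs);`. The function body continues past the hunk.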
@@ -205,47 +205,39 @@ struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int
|
||||
}
|
||||
va_end(arg_list);
|
||||
|
||||
resp = dev_exec(dev, 16, nargs + 1, args);
|
||||
resp = dev_exec(dev, response_len, nargs + 1, args);
|
||||
close_device_session(dev);
|
||||
return resp;
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len)
|
||||
struct dev_cmd_resp *read_gadget(struct pwned_device *dev, long long addr, int len)
|
||||
{
|
||||
checkm8_debug_indent("read_payload(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
|
||||
int ret;
|
||||
struct dev_cmd_resp *resp;
|
||||
|
||||
ret = open_device_session(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to get device bundle\n");
|
||||
resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
resp->ret = ret;
|
||||
return resp;
|
||||
}
|
||||
|
||||
resp = dev_read_memory(dev, addr, len);
|
||||
close_device_session(dev);
|
||||
return resp;
|
||||
checkm8_debug_indent("read_gadget(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
|
||||
return dev_read_memory(dev, addr, len);
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len)
|
||||
struct dev_cmd_resp *write_gadget(struct pwned_device *dev, long long addr, unsigned char *data, int len)
|
||||
{
|
||||
checkm8_debug_indent("write_payload(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
|
||||
int ret;
|
||||
struct dev_cmd_resp *resp;
|
||||
|
||||
ret = open_device_session(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to get device bundle\n");
|
||||
resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
resp->ret = ret;
|
||||
return resp;
|
||||
}
|
||||
|
||||
resp = dev_write_memory(dev, addr, data, len);
|
||||
close_device_session(dev);
|
||||
return resp;
|
||||
checkm8_debug_indent("write_gadget(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
|
||||
return dev_write_memory(dev, addr, data, len);
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *execute_gadget(struct pwned_device *dev, long long addr, int response_len, int nargs, ...)
|
||||
{
|
||||
checkm8_debug_indent("execute_gadget(dev = %p, addr = %lx, nargs = %i)\n", dev, addr, nargs);
|
||||
int i;
|
||||
|
||||
unsigned long long args[nargs + 1];
|
||||
args[0] = addr;
|
||||
|
||||
va_list arg_list;
|
||||
va_start(arg_list, nargs);
|
||||
for(i = 0; i < nargs; i++)
|
||||
{
|
||||
args[i + 1] = va_arg(arg_list, unsigned long long);
|
||||
checkm8_debug_indent("\textracted arg %lx\n", args[i + 1]);
|
||||
}
|
||||
va_end(arg_list);
|
||||
|
||||
return dev_exec(dev, response_len, nargs + 1, args);
|
||||
}
|
||||
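Review bot: In execute_gadget the debug formats use `%lx` for `addr` (long long) and for `args[i + 1]` (unsigned long long); the matching conversion is `%llx`, `-Wformat` will flag the mismatch, and it is undefined behaviour on targets where long and long long differ. `unsigned long long args[nargs + 1];` is a VLA sized by a caller-supplied int with no check that nargs is non-negative; reject `nargs < 0` before the declaration (execute_payload's loop, only partly shown here, presumably builds args the same way). read_gadget and write_gadget, unlike the read_payload/write_payload they replace, no longer open and close the device session, so they require one to be open already; put that precondition on each, e.g. `/* Caller must hold an open device session (open_device_session). */`. The `dev_exec` return is handed back unchecked in all three new functions, which is fine only if dev_exec never returns NULL — worth a comment if that is guaranteed.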
@@ -528,23 +528,12 @@ int ctrl_transfer(struct pwned_device *dev,
|
||||
index = 0;
|
||||
while(index < data_len)
|
||||
{
|
||||
if(data_len - index > ARD_BUF_SIZE) amount = ARD_BUF_SIZE;
|
||||
else amount = data_len - index;
|
||||
|
||||
amount = 0;
|
||||
while(read(dev->ard_fd, &amount, 1) == 0);
|
||||
checkm8_debug_indent("\twriting data chunk of size %i\n", amount);
|
||||
write(dev->ard_fd, &data[index], amount);
|
||||
|
||||
while(read(dev->ard_fd, &buf, 1) == 0);
|
||||
if(buf == PROT_ACK)
|
||||
{
|
||||
checkm8_debug_indent("\treceived data ack\n");
|
||||
index += amount;
|
||||
}
|
||||
else
|
||||
{
|
||||
checkm8_debug_indent("\treceived unexpected response %x\n", buf);
|
||||
return CHECKM8_FAIL_PROT;
|
||||
}
|
||||
index += amount;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
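Review bot: `amount` is now taken from the serial link (one byte read into `&amount`) and used directly in `write(dev->ard_fd, &data[index], amount)` with no comparison against `data_len - index`, so a chunk size larger than the remaining data reads past the end of `data`; the `if(data_len - index > ARD_BUF_SIZE)` bound this hunk removes is exactly the check that is missing. Add `if(amount <= 0 || amount > data_len - index) return CHECKM8_FAIL_PROT;` before the write. The read loop also treats -1 from read() like success (it exits with amount still 0, index never advances and the outer while spins forever), and reading one byte into `&amount` only sets the low byte on little-endian hosts, assuming amount is an int as the `%i` format suggests — read into an `unsigned char` and assign it, and check the write() return. The one-byte length caps a chunk at 255, which the Arduino side's `Serial.write(chunk_size)` in the loop() hunk depends on; a comment on ARD_BUF_SIZE stating that bound would make the protocol assumption visible. The function begins before this hunk.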
@@ -2,7 +2,7 @@
|
||||
#define CHECKM8_TOOL_CHECKM8_CONFIG_H
|
||||
|
||||
//#define LIBUSB_LOGGING
|
||||
#define CHECKM8_LOGGING
|
||||
//#define CHECKM8_LOGGING
|
||||
|
||||
#define WITH_ARDUINO
|
||||
#define ARDUINO_DEV "/dev/ttyACM0"
|
||||
|
||||