diff --git a/c8_arduino/src/checkm8_arduino.ino b/c8_arduino/src/checkm8_arduino.ino
index 5997d27..86b602c 100644
--- a/c8_arduino/src/checkm8_arduino.ino
+++ b/c8_arduino/src/checkm8_arduino.ino
@@ -236,8 +236,8 @@ void loop()
 if(usb_args.data_len - chunk_i > ARD_BUF_SIZE) chunk_size = ARD_BUF_SIZE;
 else chunk_size = usb_args.data_len - chunk_i;
+ Serial.write(chunk_size);
 recv_serial(usb_data_buf, chunk_size);
- Serial.write(PROT_ACK);
 i = 0;
 while(i < chunk_size)
diff --git a/c8_remote/include/payload.h b/c8_remote/include/payload.h
index e5d0321..1021e6c 100644
--- a/c8_remote/include/payload.h
+++ b/c8_remote/include/payload.h
@@ -24,9 +24,10 @@ typedef enum
 int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
 int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
+struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
-struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...);
-struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len);
-struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len);
+struct dev_cmd_resp *read_gadget(struct pwned_device *dev, long long addr, int len);
+struct dev_cmd_resp *write_gadget(struct pwned_device *dev, long long addr, unsigned char *data, int len);
+struct dev_cmd_resp *execute_gadget(struct pwned_device *dev, long long addr, int response_len, int nargs, ...);
 #endif //CHECKM8_TOOL_PAYLOAD_H
diff --git a/c8_remote/main.c b/c8_remote/main.c
index 80005ae..87b94f6 100644
--- a/c8_remote/main.c
+++ b/c8_remote/main.c
@@ -1,11 +1,17 @@
 #include "checkm8.h"
-#include "payload.h"
 #include
+#include
+#include
+
+#include "usb_helpers.h"
+#include "command.h"
+#include "payload.h"
+
+#ifdef CHECKM8_LOGGING
 #include
 #include
-#include
-#include "command.h"
+#endif
 void checkm8_debug_indent(const char *format, ...)
 {
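Review bot: `Serial.write(chunk_size)` transmits only the low byte of chunk_size (Print::write(int) casts to uint8_t), so the single-byte read the host now does only agrees with the device when ARD_BUF_SIZE is at most 255; ARD_BUF_SIZE is not visible in this diff, so it is worth confirming or pinning with a static_assert next to its definition. Removing the PROT_ACK reply also removes the only signal that recv_serial consumed the whole chunk, so a short or garbled transfer is now silent on both ends; if the ack is meant to go, a comment on the `Serial.write(chunk_size);` line explaining that the length byte is the new handshake would help the next reader. loop() starts and ends outside the hunk.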
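Review bot: The header does not say who owns the device session for the new prototypes: execute_payload still opens and closes its own session in payload.c, while read_gadget, write_gadget and execute_gadget run on whatever session is current (command() appears to open a temporary one when none is open, judging by the command.c hunk). A short comment above the three gadget prototypes, such as `/* Run on the caller's open device session (see open_device_session); variadic args are read as unsigned long long, so pass 64-bit values (ULL suffix or cast). */`, would make both the session contract and the argument-type contract visible to callers. The type note matters because execute_gadget retrieves each variadic argument with va_arg(arg_list, unsigned long long), which cannot portably read an int or long literal.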
@@ -47,7 +53,63 @@ int main()
 return -1;
 }
+ unsigned long long data0 = 0xdeadbeefdeadbeef;
+ unsigned long long data1 = 0xdeadbeefdeadbeef;
- free_dev_cmd_resp(resp);
+ ret = open_device_session(dev);
+ if(IS_CHECKM8_FAIL(ret))
+ {
+ printf("failed to open device session\n");
+ return -1;
+ }
+
+ for(int i = 0; i < 100000; i++)
+ {
+ printf("encrypting ");
+ for(int j = 0; j < 8; j++)
+ {
+ printf("%02X", ((unsigned char *) &data0)[j]);
+ }
+
+ for(int j = 0; j < 8; j++)
+ {
+ printf("%02X", ((unsigned char *) &data1)[j]);
+ }
+
+ printf("\n");
+ resp = execute_gadget(dev,
+ 0x100000f0c, 16, 9,
+ 16, // action (AES_ENCRYPT)
+ 0x1800b0048, 0x1800b0010, // dest and src addresses
+ 16, // data size
+ 0x20000201, // AES_UID_KEY
+ 0, 0, // no
+ data0, data1);
+
+ if(IS_CHECKM8_FAIL(resp->ret))
+ {
+ printf("failed\n");
+ return -1;
+ }
+
+ memcpy(&data0, &resp->data[0], 8);
+ memcpy(&data1, &resp->data[8], 8);
+ free_dev_cmd_resp(resp);
+
+ printf("\t-> ");
+ for(int j = 0; j < 8; j++)
+ {
+ printf("%02X", ((unsigned char *) &data0)[j]);
+ }
+
+ for(int j = 0; j < 8; j++)
+ {
+ printf("%02X", ((unsigned char *) &data1)[j]);
+ }
+ printf("\n");
+ usleep(250000);
+ }
+
+ close_device_session(dev);
 free_device(dev);
 }
diff --git a/c8_remote/src/command.c b/c8_remote/src/command.c
index 00ef58f..2356c81 100644
--- a/c8_remote/src/command.c
+++ b/c8_remote/src/command.c
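Review bot: The integer literals handed to the `...` of execute_gadget after the nargs value 9 have type int or long, but execute_gadget reads every variadic argument with va_arg(arg_list, unsigned long long); that is undefined behaviour for a mismatched type, and for the arguments that spill to the stack the upper 32 bits are not guaranteed to be zero, so each of them needs a ULL suffix or an explicit `(unsigned long long)` cast. The `return -1` inside the loop exits with the session still open and dev never freed; add `close_device_session(dev); free_device(dev);` before it (the open-failure return above the loop at least has nothing to close). `resp` is dereferenced without a NULL check, and if dev_exec forwards response_len=16 unchanged to command(), command() only allocates resp->data when response_len - 16 > 0, so both memcpy calls would read through a NULL pointer — confirm how dev_exec sizes the reply, or check `resp->len >= 16` before copying. The comment `// no` on the two zero arguments is truncated and should say what they are.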
@@ -46,16 +46,24 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
 checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i, response_len = %i)\n", dev, args, arg_len, response_len);
+ int close, ret;
 struct dev_cmd_resp *cmd_resp = calloc(1, sizeof(struct dev_cmd_resp));
 unsigned char resp_buf[response_len];
- if(!is_device_session_open(dev))
+ if(is_device_session_open(dev)) close = 0;
+ else
 {
- cmd_resp->ret = CHECKM8_FAIL_NODEV;
- return cmd_resp;
+ ret = open_device_session(dev);
+ close = 1;
+
+ if(IS_CHECKM8_FAIL(ret))
+ {
+ checkm8_debug_indent("\tfailed to open device session\n");
+ cmd_resp->ret = CHECKM8_FAIL_NODEV;
+ return cmd_resp;
+ }
 }
- int ret;
 ret = dfu_send_data(dev, nullbuf, 16);
 if(IS_CHECKM8_FAIL(ret))
 {
@@ -128,14 +136,16 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
 cmd_resp->ret = CHECKM8_SUCCESS;
 memcpy(&cmd_resp->magic, resp_buf, 8);
- if(response_len - 8 > 0)
+ if(response_len - 16 > 0)
 {
- checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 8);
- cmd_resp->data = calloc(1, response_len - 8);
- memcpy(cmd_resp->data, &resp_buf[8], response_len - 8);
+ checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 16);
+ cmd_resp->data = calloc(1, response_len - 16);
+ memcpy(cmd_resp->data, &resp_buf[16], response_len - 16);
 }
- cmd_resp->len = response_len - 8;
+ cmd_resp->len = response_len - 16;
+
+ if(close) close_device_session(dev);
 return cmd_resp;
 }
diff --git a/c8_remote/src/payload.c b/c8_remote/src/payload.c
index 81401d0..80716ce 100644
--- a/c8_remote/src/payload.c
+++ b/c8_remote/src/payload.c
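Review bot: When `close` is set because command() opened the session itself, only the success path at the very end of the function closes it; the `if(IS_CHECKM8_FAIL(ret))` after dfu_send_data at the bottom of this hunk and every later failure check between the two hunks (outside the view, but presumably returning cmd_resp as the old NODEV path did) will now leak an open session. Routing those returns through one exit that runs `if(close) close_device_session(dev);` before `return cmd_resp;` would fix it. The local name `close` also shadows close(2) wherever <unistd.h> is in scope, which -Wshadow flags; `opened_here` would read better. The open-failure branch reports CHECKM8_FAIL_NODEV instead of propagating `ret`, so the caller loses the real reason.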
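Review bot: With the data offset moved from 8 to 16, the bytes at resp_buf[8..15] are neither kept in `magic` (still copied as 8 bytes) nor in `data`, and a response_len below 16 now yields a negative cmd_resp->len while the magic memcpy still reads 8 bytes from a VLA that may be shorter than that. Either document that a reply carries a 16-byte header and reject smaller sizes up front, before `resp_buf` is declared in the first hunk, or at least clamp with `cmd_resp->len = response_len > 16 ? response_len - 16 : 0;`. The calloc for cmd_resp->data is also unchecked before the memcpy that fills it.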
@@ -169,7 +169,7 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
 return CHECKM8_SUCCESS;
 }
-struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...)
+struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...)
 {
 checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
 int ret, i;
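Review bot: The trace at the top of execute_payload still omits the new response_len parameter, so a log cannot show what reply size was requested; `checkm8_debug_indent("execute_payload(dev = %p, p = %i, response_len = %i, nargs = %i, ...)\n", dev, p, response_len, nargs);` keeps it in step with the signature. Nothing in the visible part validates response_len before it reaches dev_exec, so a negative value would be handed on unchanged. execute_payload's body continues past the hunk.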
@@ -205,47 +205,39 @@ struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int
 }
 va_end(arg_list);
- resp = dev_exec(dev, 16, nargs + 1, args);
+ resp = dev_exec(dev, response_len, nargs + 1, args);
 close_device_session(dev);
 return resp;
 }
-struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len)
+struct dev_cmd_resp *read_gadget(struct pwned_device *dev, long long addr, int len)
 {
- checkm8_debug_indent("read_payload(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
- int ret;
- struct dev_cmd_resp *resp;
-
- ret = open_device_session(dev);
- if(IS_CHECKM8_FAIL(ret))
- {
- checkm8_debug_indent("\tfailed to get device bundle\n");
- resp = calloc(1, sizeof(struct dev_cmd_resp));
- resp->ret = ret;
- return resp;
- }
-
- resp = dev_read_memory(dev, addr, len);
- close_device_session(dev);
- return resp;
+ checkm8_debug_indent("read_gadget(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
+ return dev_read_memory(dev, addr, len);
 }
-struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len)
+struct dev_cmd_resp *write_gadget(struct pwned_device *dev, long long addr, unsigned char *data, int len)
 {
- checkm8_debug_indent("write_payload(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
- int ret;
- struct dev_cmd_resp *resp;
-
- ret = open_device_session(dev);
- if(IS_CHECKM8_FAIL(ret))
- {
- checkm8_debug_indent("\tfailed to get device bundle\n");
- resp = calloc(1, sizeof(struct dev_cmd_resp));
- resp->ret = ret;
- return resp;
- }
-
- resp = dev_write_memory(dev, addr, data, len);
- close_device_session(dev);
- return resp;
+ checkm8_debug_indent("write_gadget(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
+ return dev_write_memory(dev, addr, data, len);
 }
+
+struct dev_cmd_resp *execute_gadget(struct pwned_device *dev, long long addr, int response_len, int nargs, ...)
+{
+ checkm8_debug_indent("execute_gadget(dev = %p, addr = %lx, nargs = %i)\n", dev, addr, nargs);
+ int i;
+
+ unsigned long long args[nargs + 1];
+ args[0] = addr;
+
+ va_list arg_list;
+ va_start(arg_list, nargs);
+ for(i = 0; i < nargs; i++)
+ {
+ args[i + 1] = va_arg(arg_list, unsigned long long);
+ checkm8_debug_indent("\textracted arg %lx\n", args[i + 1]);
+ }
+ va_end(arg_list);
+
+ return dev_exec(dev, response_len, nargs + 1, args);
+}
\ No newline at end of file
diff --git a/c8_remote/src/usb_helpers.c b/c8_remote/src/usb_helpers.c
index 1fe0bc7..9f07775 100644
--- a/c8_remote/src/usb_helpers.c
+++ b/c8_remote/src/usb_helpers.c
@@ -528,23 +528,12 @@ int ctrl_transfer(struct pwned_device *dev,
 index = 0;
 while(index < data_len)
 {
- if(data_len - index > ARD_BUF_SIZE) amount = ARD_BUF_SIZE;
- else amount = data_len - index;
-
+ amount = 0;
+ while(read(dev->ard_fd, &amount, 1) == 0);
 checkm8_debug_indent("\twriting data chunk of size %i\n", amount);
 write(dev->ard_fd, &data[index], amount);
- while(read(dev->ard_fd, &buf, 1) == 0);
- if(buf == PROT_ACK)
- {
- checkm8_debug_indent("\treceived data ack\n");
- index += amount;
- }
- else
- {
- checkm8_debug_indent("\treceived unexpected response %x\n", buf);
- return CHECKM8_FAIL_PROT;
- }
+ index += amount;
 }
 }
diff --git a/include/checkm8_config.h b/include/checkm8_config.h
index 69b261e..5132351 100644
--- a/include/checkm8_config.h
+++ b/include/checkm8_config.h
@@ -2,7 +2,7 @@
 #define CHECKM8_TOOL_CHECKM8_CONFIG_H
 //#define LIBUSB_LOGGING
-#define CHECKM8_LOGGING
+//#define CHECKM8_LOGGING
 #define WITH_ARDUINO
 #define ARDUINO_DEV "/dev/ttyACM0"
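Review bot: The `%lx` conversions in the new read_gadget, write_gadget and execute_gadget traces are given `long long addr` and `unsigned long long args[i + 1]`, which only line up on LP64 targets and trip -Wformat; `%llx` is the matching conversion. execute_gadget declares `unsigned long long args[nargs + 1]` without first checking `nargs >= 0`, so a negative nargs is undefined behaviour before va_start is even reached; a guard that returns a calloc'd response carrying a failure code, the way the deleted read_payload did on open failure, would keep the error convention intact. Unlike execute_payload, which still pairs open_device_session with close_device_session, execute_gadget and the two memory helpers run on whatever session the caller holds (or one command() opens on the fly), and a comment saying so would tell callers like main.c to bracket a run of calls with the session functions. The file also lost its trailing newline.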
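Review bot: The new `while(read(dev->ard_fd, &amount, 1) == 0);` exits on a read error (-1) with amount still 0, after which `write` sends nothing and `index += amount` never advances, so the outer loop spins forever; the removed PROT_ACK branch was the only error exit this loop had. The chunk size is now dictated by the peer and is never bounded by `data_len - index`, so a value larger than the remaining payload makes `write` read past the end of `data`, and reading one byte into `&amount` assumes `amount` is wider than a byte and that the host is little-endian (its declaration is outside the hunk). The `write` return value is still unchecked. ctrl_transfer continues outside the hunk; the loop below reuses CHECKM8_FAIL_PROT for the new failures, substitute a more specific code if one exists.
```c
    while(index < data_len)
    {
        unsigned char chunk = 0;
        ssize_t got = read(dev->ard_fd, &chunk, 1);
        if(got < 0)
        {
            checkm8_debug_indent("\tfailed to read chunk size\n");
            return CHECKM8_FAIL_PROT;
        }
        if(got == 0) continue;               /* nothing yet: keep polling, as before */

        amount = chunk;                      /* explicit widening, no endianness assumption */
        if(amount == 0 || amount > data_len - index)
        {
            checkm8_debug_indent("\treceived bad chunk size %i\n", amount);
            return CHECKM8_FAIL_PROT;
        }

        checkm8_debug_indent("\twriting data chunk of size %i\n", amount);
        if(write(dev->ard_fd, &data[index], amount) != amount)
        {
            checkm8_debug_indent("\tshort write of data chunk\n");
            return CHECKM8_FAIL_PROT;
        }
        index += amount;
    }
```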