A working AES experiment!
@@ -46,16 +46,24 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
|
||||
checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i, response_len = %i)\n",
|
||||
dev, args, arg_len, response_len);
|
||||
|
||||
int close, ret;
|
||||
struct dev_cmd_resp *cmd_resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
unsigned char resp_buf[response_len];
|
||||
|
||||
if(!is_device_session_open(dev))
|
||||
if(is_device_session_open(dev)) close = 0;
|
||||
else
|
||||
{
|
||||
cmd_resp->ret = CHECKM8_FAIL_NODEV;
|
||||
return cmd_resp;
|
||||
ret = open_device_session(dev);
|
||||
close = 1;
|
||||
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to open device session\n");
|
||||
cmd_resp->ret = CHECKM8_FAIL_NODEV;
|
||||
return cmd_resp;
|
||||
}
|
||||
}
|
||||
|
||||
int ret;
|
||||
ret = dfu_send_data(dev, nullbuf, 16);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
@@ -128,14 +136,16 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
|
||||
|
||||
cmd_resp->ret = CHECKM8_SUCCESS;
|
||||
memcpy(&cmd_resp->magic, resp_buf, 8);
|
||||
if(response_len - 8 > 0)
|
||||
if(response_len - 16 > 0)
|
||||
{
|
||||
checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 8);
|
||||
cmd_resp->data = calloc(1, response_len - 8);
|
||||
memcpy(cmd_resp->data, &resp_buf[8], response_len - 8);
|
||||
checkm8_debug_indent("\tcopying %i bytes of output to response data section\n", response_len - 16);
|
||||
cmd_resp->data = calloc(1, response_len - 16);
|
||||
memcpy(cmd_resp->data, &resp_buf[16], response_len - 16);
|
||||
}
|
||||
|
||||
cmd_resp->len = response_len - 8;
|
||||
cmd_resp->len = response_len - 16;
|
||||
|
||||
if(close) close_device_session(dev);
|
||||
return cmd_resp;
|
||||
}
|
||||
|
||||
|
||||
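Review bot: In the second hunk of `command()`, `cmd_resp->len = response_len - 16;` sits outside the `if(response_len - 16 > 0)` guard, so any `response_len` below 16 hands callers a negative length next to a NULL `data` pointer, and the unchanged `memcpy(&cmd_resp->magic, resp_buf, 8);` reads past `resp_buf[response_len]` when `response_len` is under 8. Nothing visible in either hunk bounds `response_len` before it sizes the stack array `resp_buf`, and the `calloc` results for `cmd_resp` and `cmd_resp->data` are used without a NULL check. Consider rejecting `response_len < 16` (and anything above a fixed maximum) at the top of the function and checking the allocation before the `memcpy` into `cmd_resp->data`. The failure branch that begins after `dfu_send_data` in the first hunk continues outside the visible lines; if it returns early, it needs the same `if(close) close_device_session(dev);` so that a session opened here is not left open.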
@@ -169,7 +169,7 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
|
||||
return CHECKM8_SUCCESS;
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...)
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...)
|
||||
{
|
||||
checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
|
||||
int ret, i;
|
||||
@@ -205,47 +205,39 @@ struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int
|
||||
}
|
||||
va_end(arg_list);
|
||||
|
||||
resp = dev_exec(dev, 16, nargs + 1, args);
|
||||
resp = dev_exec(dev, response_len, nargs + 1, args);
|
||||
close_device_session(dev);
|
||||
return resp;
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *read_payload(struct pwned_device *dev, long long addr, int len)
|
||||
struct dev_cmd_resp *read_gadget(struct pwned_device *dev, long long addr, int len)
|
||||
{
|
||||
checkm8_debug_indent("read_payload(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
|
||||
int ret;
|
||||
struct dev_cmd_resp *resp;
|
||||
|
||||
ret = open_device_session(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to get device bundle\n");
|
||||
resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
resp->ret = ret;
|
||||
return resp;
|
||||
}
|
||||
|
||||
resp = dev_read_memory(dev, addr, len);
|
||||
close_device_session(dev);
|
||||
return resp;
|
||||
checkm8_debug_indent("read_gadget(dev = %p, addr = %lx, len = %i)\n", dev, addr, len);
|
||||
return dev_read_memory(dev, addr, len);
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *write_payload(struct pwned_device *dev, long long addr, unsigned char *data, int len)
|
||||
struct dev_cmd_resp *write_gadget(struct pwned_device *dev, long long addr, unsigned char *data, int len)
|
||||
{
|
||||
checkm8_debug_indent("write_payload(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
|
||||
int ret;
|
||||
struct dev_cmd_resp *resp;
|
||||
|
||||
ret = open_device_session(dev);
|
||||
if(IS_CHECKM8_FAIL(ret))
|
||||
{
|
||||
checkm8_debug_indent("\tfailed to get device bundle\n");
|
||||
resp = calloc(1, sizeof(struct dev_cmd_resp));
|
||||
resp->ret = ret;
|
||||
return resp;
|
||||
}
|
||||
|
||||
resp = dev_write_memory(dev, addr, data, len);
|
||||
close_device_session(dev);
|
||||
return resp;
|
||||
checkm8_debug_indent("write_gadget(dev = %p, addr = %lx, data = %p, len = %i)\n", dev, addr, data, len);
|
||||
return dev_write_memory(dev, addr, data, len);
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *execute_gadget(struct pwned_device *dev, long long addr, int response_len, int nargs, ...)
|
||||
{
|
||||
checkm8_debug_indent("execute_gadget(dev = %p, addr = %lx, nargs = %i)\n", dev, addr, nargs);
|
||||
int i;
|
||||
|
||||
unsigned long long args[nargs + 1];
|
||||
args[0] = addr;
|
||||
|
||||
va_list arg_list;
|
||||
va_start(arg_list, nargs);
|
||||
for(i = 0; i < nargs; i++)
|
||||
{
|
||||
args[i + 1] = va_arg(arg_list, unsigned long long);
|
||||
checkm8_debug_indent("\textracted arg %lx\n", args[i + 1]);
|
||||
}
|
||||
va_end(arg_list);
|
||||
|
||||
return dev_exec(dev, response_len, nargs + 1, args);
|
||||
}
|
||||
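Review bot: `execute_gadget` declares `unsigned long long args[nargs + 1];` with no check on `nargs`, so a negative value is undefined behaviour and a large one overruns the stack before the `va_arg` loop starts. Both `execute_gadget` and `execute_payload` also forward the caller-supplied `response_len` to `dev_exec` with no visible range check. Reject `nargs < 0`, and cap `nargs` and `response_len` at small fixed bounds before the array is declared. The debug calls pass `long long` and `unsigned long long` values to `%lx` (`addr = %lx`, `extracted arg %lx`), which is a format mismatch wherever `long` is 32 bits; `%llx` matches the argument types. The new `response_len` parameter is also missing from the `execute_payload` and `execute_gadget` debug lines.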
@@ -528,23 +528,12 @@ int ctrl_transfer(struct pwned_device *dev,
|
||||
index = 0;
|
||||
while(index < data_len)
|
||||
{
|
||||
if(data_len - index > ARD_BUF_SIZE) amount = ARD_BUF_SIZE;
|
||||
else amount = data_len - index;
|
||||
|
||||
amount = 0;
|
||||
while(read(dev->ard_fd, &amount, 1) == 0);
|
||||
checkm8_debug_indent("\twriting data chunk of size %i\n", amount);
|
||||
write(dev->ard_fd, &data[index], amount);
|
||||
|
||||
while(read(dev->ard_fd, &buf, 1) == 0);
|
||||
if(buf == PROT_ACK)
|
||||
{
|
||||
checkm8_debug_indent("\treceived data ack\n");
|
||||
index += amount;
|
||||
}
|
||||
else
|
||||
{
|
||||
checkm8_debug_indent("\treceived unexpected response %x\n", buf);
|
||||
return CHECKM8_FAIL_PROT;
|
||||
}
|
||||
index += amount;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
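Review bot: The chunk length in the `ctrl_transfer` send loop now appears to come from the peer via `read(dev->ard_fd, &amount, 1)` and goes straight into `write(dev->ard_fd, &data[index], amount)` without being compared to `data_len - index`. A reported length larger than the remaining data therefore sends bytes from beyond the caller's buffer over the serial link, and a length of 0 never advances `index`. Adding `if(amount <= 0 || amount > data_len - index) return CHECKM8_FAIL_PROT;` before the write closes both cases. The spin `while(read(...) == 0);` also falls through when `read` returns -1, and the `write` return value is ignored, so an I/O error or short write still advances `index` by the full `amount`; both results should be checked. The old/new side of each line is inferred because the page lost its `+`/`-` markers, and the declaration of `amount` is outside the hunk.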