grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Working trigger (basic) and user key AES - good for experiments tomorrow!

Browse Source
This commit is contained in:
Gregor Haas
2020-01-05 22:25:27 -05:00
parent afae03eb78
commit d8f5e48598
8 changed files with 32 additions and 2248 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
c8_remote/include/usb_helpers.h
View File

@@ -41,7 +41,7 @@ int ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout);
unsigned int timeout, unsigned int trigger);
int reset(struct pwned_device *dev);
int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int len);

18
c8_remote/main.c
View File

@@ -52,6 +52,7 @@ int main()
return -1;
}
unsigned char key[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
unsigned char data0[8] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef};
unsigned char data1[8] = {0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef};
@@ -62,7 +63,15 @@ int main()
return -1;
}
for(int i = 0; i < 100000; i++)
resp = write_gadget(dev, 0x180150000, key, 8);
if(IS_CHECKM8_FAIL(resp->ret))
{
printf("failed to write key to device\n");
return -1;
}
free_dev_cmd_resp(resp);
for(int i = 0; i < 257; i++)
{
printf("encrypting ");
for(int j = 0; j < 8; j++)
@@ -81,8 +90,9 @@ int main()
16, // action (AES_ENCRYPT)
0x1800b0048, 0x1800b0010, // dest and src addresses
16, // data size
0x20000201, // AES_UID_KEY
0, 0, // no
0x00000000, // AES_USER_KEY
0x180150000, // key address
0, // no IV
*((unsigned long long *) data0),
*((unsigned long long *) data1));
@@ -107,7 +117,7 @@ int main()
printf("%02X", ((unsigned char *) &data1)[j]);
}
printf("\n");
usleep(333333);
usleep(1000000);
}
close_device_session(dev);

18
c8_remote/src/command.c
View File

@@ -12,7 +12,7 @@ void free_dev_cmd_resp(struct dev_cmd_resp *resp)
free(resp);
}
int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len, unsigned int trigger)
{
checkm8_debug_indent("dfu_send_data(dev = %p, data = %p, data_len = %li)\n", dev, data, data_len);
long long index = 0, amount;
@@ -25,7 +25,7 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
checkm8_debug_indent("\tsending chunk of size %li at index %li\n", amount, index);
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, &data[index], amount, 5000);
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, &data[index], amount, 5000, trigger);
if(ret > 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -64,14 +64,14 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
}
}
ret = dfu_send_data(dev, nullbuf, 16);
ret = dfu_send_data(dev, nullbuf, 16, 0);
if(IS_CHECKM8_FAIL(ret))
{
cmd_resp->ret = ret;
return cmd_resp;
}
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, nullbuf, 0, 100);
ret = ctrl_transfer(dev, 0x21, 1, 0, 0, nullbuf, 0, 100, 0);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -80,7 +80,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
return cmd_resp;
}
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 100);
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 100, 0);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -89,7 +89,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
return cmd_resp;
}
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 100);
ret = ctrl_transfer(dev, 0xA1, 3, 0, 0, nullbuf, 6, 100, 0);
if(ret >= 0) checkm8_debug_indent("\ttransferred %i bytes\n", ret);
else
{
@@ -98,7 +98,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
return cmd_resp;
}
ret = dfu_send_data(dev, args, arg_len);
ret = dfu_send_data(dev, args, arg_len, 1);
if(IS_CHECKM8_FAIL(ret))
{
cmd_resp->ret = ret;
@@ -110,7 +110,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
ret = ctrl_transfer(dev,
0xA1, 2, 0xFFFF, 0,
resp_buf, response_len + 1,
100);
100, 0);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else
{
@@ -124,7 +124,7 @@ struct dev_cmd_resp *command(struct pwned_device *dev,
ret = ctrl_transfer(dev,
0xA1, 2, 0xFFFF, 0,
resp_buf, response_len,
100);
100, 0);
if(ret >= 0) checkm8_debug_indent("\tfinal request transferred %i bytes\n", ret);
else
{

3
c8_remote/src/usb_helpers.c
View File

@@ -480,7 +480,7 @@ int ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
unsigned int timeout, unsigned int trigger)
{
checkm8_debug_indent(
"ctrl_transfer(dev = %p, bmRequestType = %X, bRequest = %X, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
@@ -495,6 +495,7 @@ int ctrl_transfer(struct pwned_device *dev,
args.wValue = wValue;
args.wIndex = wIndex;
args.data_len = data_len;
args.trigger = trigger;
checkm8_debug_indent("\tsending data to arduino\n");
write(dev->ard_fd, &PROT_CTRL_XFER, 1);