From 87c5ce75c90ab5cbe0afe6de513ffacf364fe35b Mon Sep 17 00:00:00 2001 From: Eljakim Herrewijnen Date: Fri, 2 Aug 2024 21:18:08 +0200 Subject: [PATCH] full send/recv working but need to clean up code --- source/exploit/dwc3.elf | Bin 7912 -> 7928 bytes source/exploit/dwc3.o | Bin 1848 -> 1864 bytes source/exploit/exploit.py | 4 +++- source/exploit/test_dwc3.c | 21 +++++++++++---------- 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/source/exploit/dwc3.elf b/source/exploit/dwc3.elf index ddd1232814a19e61f8e9840899c459426efe3b26..9fb9c66f7e594c9bedd634a3337d026a89029e2e 100755 GIT binary patch delta 360 zcmaE1`@?pE24lrUO>@p0k_=#QV`JuYamM_~j1tp5rZBVz{jFwP`PZ3Y;%8N1gM}t5!$)sX28)IN|A%NWGz4`pF@o@k_=#QVq@lXamL)qj1tqWL>StG{#G-t{Oimx@iQ}{R*1ub zqLLZ)(?2sXm~hlMOn%8Mti>hjV4=y%@Ue@D!E)jM{~;O-4M813ldnmb$u5{$KivVy zjRtCY$jqPxVlz231pS|0KYh_;O-cR9Pb36Q7*r=JKqX*y)dS6H25JV0+W|GhLb zBFV%A@|(zHP8oa75GXHUbD&H+Bjbt5H)YL%q@bKVqwVBCAlWc^B9N?@d{Isv05h#+ AHvj+t diff --git a/source/exploit/dwc3.o b/source/exploit/dwc3.o index 83c6d7fc9070bc685266d51a39f87d69c81b3111..6ecab744ba84c2bd8c1cdb66e26ca362ca4fe865 100644 GIT binary patch delta 439 zcmdnNcY<$%24lxWO=-I+4DCUGs~K1Rb!M3OnVC^5#9=`Z0|UbpVMYcMjv9x_FPVk4 zx<1)YR>dJLqpI*pm`uZ2zM|!Sjw|96oSnATkW{=i~pe&2bklp{jJ`=@-H*P z#1sGjPiJ803~~Uv=@F3qXLBKAI3uS9&?XR&nS7B+oiSkYPbPWI0EiI7ejqKxz{GF_ z%1?pPGoa!dCOb0QGe%5qWEPi9fXayi&Etf!K~%-$jm+Y_4Nwtjpe*a;x6I;`-!St? zg4_)PAW=|1oPXv;dlP>~EhslEM>Hu?pXq^B6 delta 392 zcmX@Xw}Wqj24lrUO=&9;hW4Pp)r>3uIx|fC%*?12;;^8Ifq`MlX9flnjv9x_FPVk4 zxI`T+G+7xwb}=znF8u#LM1!Frs6%LCQ`5u=B7zD)4wFLz+>rXox{Q)c@>&xwCa3dH|5H!_AZaw;$aZ2$t1$q$*-8GR;mGRtfFK!h0f18E@!CWZr0 zegc%90i;3VYbFOW+cSntp2#dN83UCQ1)9eRWrL`a$p?Y5HBb?0pe!qrY|rG6K-mdM zvOGw#CnhVhh)Z68ihxY!Mv{F2Hu(dRUSyLQCO5K(GqP-+$>Pq)xM1=_R(D2|$(n5D aj2V*?+3XohCNBh%nv)*_NrTCX?CJn~fm0^{ diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index e37507f..d6cbd79 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py 
@@ -277,9 +277,10 @@ def usb_debug(): transferred = ctypes.c_int() # Send some data + count = 0 def send_data(): transferred.value = 0 - p = b"\xaa" * 0x200 + p = p32(count) + b"\xaa" * (0x200 - 4) res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100) assert res == 0, "Error sending data" @@ -295,6 +296,7 @@ def usb_debug(): while True: send_data() recv_data() + count += 1 pass pass diff --git a/source/exploit/test_dwc3.c b/source/exploit/test_dwc3.c index 9488bb4..24acf4c 100644 --- a/source/exploit/test_dwc3.c +++ b/source/exploit/test_dwc3.c @@ -9,17 +9,18 @@ extern void sleep(int endpoint,uint32_t timeout); extern void usb_send(uint32_t address,uint32_t size); extern void rom_send(); -#define recv_buffer 0x02021800 + 0x2000 +#define recv_buffer 0x02021800 + 0x3000 #define data_received 0x02021800 + 0x2004 void recv_data_cb(uint32_t endpoint, uint32_t len){ - void *rbuf; - void *dest_buf = (void *)recv_buffer; + // void *rbuf; + char *dest_buf = (char *)recv_buffer; volatile void *dref = (void *)data_received; - rbuf = get_endpoint_recv_buffer(endpoint); + void *rbuf = get_endpoint_recv_buffer(endpoint); for(int i= 0; i < len; i++){ - *(char *)dest_buf = *(char *)(void *)((int)rbuf + i); + // *(char *)dest_buf = *(char *)(void *)((int)rbuf + i); + dest_buf[i] = *(char *)(void *)((int)rbuf + i); } *(uint8_t *)dref = 1; // Mark as ready } @@ -43,8 +44,8 @@ void recv_data(){ } void send_data_cb(uint32_t endpoint, uint32_t len){ - void *rbuf; - void *dest_buf = (void *)recv_buffer; + // void *rbuf; + // void *dest_buf = (void *)recv_buffer; volatile void *dref = (void *)data_received; // rbuf = get_endpoint_buffer(endpoint); 
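Review bot: The rewritten `send_data` still only checks `res == 0`, but `libusb_bulk_transfer` can return 0 with `transferred.value < len(p)` on a short write, so a partial 0x200-byte packet passes silently and the device side has no way to notice the truncated frame. Add `assert transferred.value == len(p), f"short write: {transferred.value}/{len(p)}"` after the existing assert — or, since `assert` is stripped under `-O`, `if res != 0 or transferred.value != len(p): raise RuntimeError("bulk OUT failed")` for a tool that drives hardware. `send_data` is a closure inside `usb_debug`, whose body continues outside the hunk.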
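Review bot: `recv_data_cb` copies `len` bytes from the endpoint buffer to the fixed address `recv_buffer` with no upper bound, so any transfer larger than what the host currently sends (0x200 in exploit.py) runs past the buffer into whatever the payload keeps above `0x02021800 + 0x3000` — in code that lives in the same small region as its own flags, that is self-corruption rather than a theoretical issue. Clamp at the top of the function, e.g. `if (len > 0x200) len = 0x200;` with the limit as a named constant, and consider recording `len` somewhere the host can read instead of only the 1-byte ready flag. The new `#define recv_buffer 0x02021800 + 0x3000` also lacks parentheses — `(char *)recv_buffer` only works because `char` arithmetic happens to give the intended address — so write it as `#define recv_buffer (0x02021800 + 0x3000)`. The cast chain `*(char *)(void *)((int)rbuf + i)` can simply be `((char *)rbuf)[i]`.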
@@ -54,13 +55,13 @@ void send_data_cb(uint32_t endpoint, uint32_t len){ *(uint8_t *)dref = 1; // Mark as ready } -void send_data(void *address, uint32_t size){ +void send_data(uint32_t address, uint32_t size){ volatile void *dref = (void *)data_received; *(uint8_t *)dref = 0; uint32_t val = 0x0; maybe_usb_setup_read(0x1, send_data_cb, 0x200); uint32_t rbuf = get_endpoint_recv_buffer(1); - dwc3_ep0_start_trans(1, (uint32_t)0x0, 0x200); + dwc3_ep0_start_trans(1, address, 0x200); while(1){ usb_event_handler(); if(*(uint8_t *)dref == 1){ @@ -76,7 +77,7 @@ int main() { while(1){ recv_data(); // rom_send(); - send_data(0x0, 0x200); + send_data(recv_buffer, 0x200); }
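Review bot: `send_data` now takes `address` and forwards it to `dwc3_ep0_start_trans`, but its `size` parameter is still ignored — both `maybe_usb_setup_read(0x1, send_data_cb, 0x200)` and `dwc3_ep0_start_trans(1, address, 0x200)` hard-code 0x200, so a caller passing a different size silently gets 0x200 bytes read from `address`. Either pass `size` in both calls or drop the parameter; `uint32_t val` and `uint32_t rbuf` are unused and can go. Also, `dref` is declared `volatile void *` but every access casts it to plain `uint8_t *`, which discards the qualifier; use `*(volatile uint8_t *)dref` for the flag store and for the poll inside the `while(1)` loop. The loop body of `send_data` continues outside the hunk.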