Samsung_S7/source/exploit/test_dwc3.c


#include <stdint.h>
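/*
 * Test payload for the S7 bootloader's DWC3 USB stack. Nothing below is
 * implemented here: every extern is resolved against the ROM (the first one at
 * 0x00006f88 per the original author's note), and the two addresses are raw
 * RAM locations, so this file only makes sense linked into that environment.
 */
// Create external function at 0x00006f88
extern void maybe_usb_setup_read(char endpoint, void *fun, uint32_t target_buffer);
extern void dwc3_ep0_start_trans(char endpoint, uint32_t target_buf, uint32_t len);
extern int usb_event_handler(void);
extern uint32_t get_endpoint_recv_buffer(char endpoint);
/* Not the libc sleep(): different signature, resolved against the ROM. Would
 * clash if this were ever linked against a C library. */
extern void sleep(int endpoint, uint32_t timeout);
extern void usb_send(uint32_t address, uint32_t size);
extern void rom_send();

/*
 * Scratch region shared between the USB completion callbacks and the main
 * loop. 0x02021800 is presumably RAM the bootloader leaves untouched — confirm
 * against the S7 memory map before relying on it. Both expansions are
 * parenthesized: the unparenthesized form `0x02021800 + 0x3000` only worked
 * behind a `(char *)` cast by accident of pointer arithmetic, and produced
 * `void *` arithmetic (a GNU extension) for the flag.
 */
#define recv_buffer   (0x02021800 + 0x3000)   /* 0x200-byte receive/echo buffer */
#define data_received (0x02021800 + 0x2004)   /* 1-byte "transfer complete" flag */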
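/*
 * Completion callback for the receive transfer armed by recv_data().
 *
 * Copies the bytes the ROM placed in the endpoint's receive buffer into
 * recv_buffer and then raises the data_received flag that recv_data() polls.
 *
 * endpoint: endpoint the transfer completed on (passed through to the ROM).
 * len:      byte count reported by the ROM for the completed transfer —
 *           presumably what the host actually sent; treated as untrusted.
 *
 * Fixes over the original:
 *  - len is clamped to the 0x200 bytes recv_data() asked for. The original
 *    copied whatever the ROM reported, so a larger completion would have
 *    written past recv_buffer into whatever follows it.
 *  - the source pointer is no longer built with `(int)rbuf + i`, which
 *    truncates a 64-bit pointer to 32 bits on AArch64 (works only because
 *    the buffers happen to live below 4 GiB).
 *  - the flag is accessed through a `volatile uint8_t *` instead of casting
 *    the volatile away at the store.
 */
void recv_data_cb(uint32_t endpoint, uint32_t len){
    /* Longest transfer recv_data() requests; nothing beyond it may be copied. */
    enum { RECV_BUF_LEN = 0x200 };
    uint8_t *dst = (uint8_t *)(recv_buffer);
    volatile uint8_t *ready = (volatile uint8_t *)(data_received);
    const uint8_t *src = (const uint8_t *)(uintptr_t)get_endpoint_recv_buffer(endpoint);

    if (len > RECV_BUF_LEN) {
        len = RECV_BUF_LEN;   /* truncate rather than overrun the scratch buffer */
    }
    for (uint32_t i = 0; i < len; i++) {
        dst[i] = src[i];
    }
    *ready = 1;   /* Mark as ready: recv_data() is spinning on this */
}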
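/*
 * Receive one 0x200-byte transfer from the host on endpoint 2 into recv_buffer.
 *
 * Clears the data_received flag, registers recv_data_cb as the completion
 * callback, starts the transfer into the endpoint's own receive buffer and
 * then pumps usb_event_handler() until the callback raises the flag.
 *
 * There is no timeout: if the host never completes the transfer this spins
 * forever. Acceptable for a test payload, but it is why an apparent hang here
 * usually means the host side stopped talking.
 *
 * The flag is read through a `volatile uint8_t *`; the original cast the
 * volatile qualifier away on every access.
 */
void recv_data(void){
    enum { XFER_LEN = 0x200 };
    volatile uint8_t *ready = (volatile uint8_t *)(data_received);

    *ready = 0;   /* recv_data_cb sets it back to 1 */
    maybe_usb_setup_read(2, recv_data_cb, XFER_LEN);
    uint32_t ep_buf = get_endpoint_recv_buffer(2);
    dwc3_ep0_start_trans(2, ep_buf, XFER_LEN);

    /* Each iteration re-reads the flag; it is written by the callback, not here. */
    do {
        usb_event_handler();
    } while (*ready != 1);
}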
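/*
 * Completion callback for the transfer started by send_data().
 *
 * Nothing is copied on the send path; the callback only raises the
 * data_received flag so that send_data() stops polling. Both parameters are
 * supplied by the ROM and ignored here.
 *
 * The flag is written through a `volatile uint8_t *` rather than through a
 * cast that discards the qualifier, as the original did.
 */
void send_data_cb(uint32_t endpoint, uint32_t len){
    (void)endpoint;
    (void)len;
    volatile uint8_t *ready = (volatile uint8_t *)(data_received);
    *ready = 1;   /* Mark as ready: send_data() is spinning on this */
}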
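/*
 * Send `size` bytes starting at `address` to the host on endpoint 1.
 *
 * address: source address handed to dwc3_ep0_start_trans() as the transfer
 *          buffer.
 * size:    transfer length. The original ignored this parameter and always
 *          passed 0x200; it is now forwarded as the `len` argument. The only
 *          caller in this file passes 0x200, so behavior there is unchanged.
 *
 * Like recv_data() this polls without a timeout and will spin forever if the
 * host never drains the transfer.
 */
void send_data(uint32_t address, uint32_t size){
    volatile uint8_t *ready = (volatile uint8_t *)(data_received);

    *ready = 0;   /* send_data_cb sets it back to 1 */
    /* The third argument mirrors recv_data(), where it matches the transfer
     * length; whether it is really a length is not visible from here — the
     * extern names it target_buffer — so it is left at the original 0x200. */
    maybe_usb_setup_read(0x1, send_data_cb, 0x200);
    /* Result was never used by the original; the call is kept in case it has
     * a side effect on the endpoint — confirm against the ROM and drop if not. */
    (void)get_endpoint_recv_buffer(1);
    dwc3_ep0_start_trans(1, address, size);

    do {
        usb_event_handler();
    } while (*ready != 1);
}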
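/*
 * Entry point: an echo loop. Each pass receives one 0x200-byte transfer from
 * the host into recv_buffer and sends the same 0x200 bytes straight back,
 * which is enough to confirm that both directions of the DWC3 stack are
 * reachable from this payload.
 *
 * The loop never exits, so the trailing inline assembly is unreachable; it is
 * kept from the original as the intended exit (a jump to address 0, presumably
 * the ROM reset vector — unverified) should the loop ever be given a break.
 * `__asm__` is used instead of `asm` because `asm` is not a keyword under
 * -std=c11 and the file fails to compile in that mode.
 */
int main(void) {
    for (;;) {
        recv_data();
        send_data(recv_buffer, 0x200);
    }
    /* Not reached. */
    __asm__("mov x0, #0x0");
    __asm__("br x0");
}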