forked from xairy/lights-out
-
Notifications
You must be signed in to change notification settings - Fork 0
/
srom.py
executable file
·110 lines (92 loc) · 2.71 KB
/
srom.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/usr/bin/env python3
#
# https://github.com/xairy/lights-out
#
# Author: Andrey Konovalov <[email protected]>
import array
import binascii
import sys
import time
import usb.core
import usb.util
command = sys.argv[1]
filename = sys.argv[2]
VENDOR_ID = 0x5986
PRODUCT_ID = 0x02d2
dev = usb.core.find(idVendor=VENDOR_ID, idProduct=PRODUCT_ID)
if dev is None:
raise ValueError('Device not found')
def log(write, bRequest, wValue, wIndex, msg, e):
print('%s, request = 0x%02x, value = 0x%02x, index = 0x%02x' % \
('write' if write else 'read', bRequest, wValue, wIndex))
if not(e):
if write:
print(' => success: %d' % (msg,))
else:
print(' => success: %d' % (len(msg),))
print(' ', binascii.hexlify(msg))
if e:
print(' => %s' % (str(e),))
def request_read(bRequest, wValue, wIndex, wLength):
bmRequestType = usb.util.CTRL_TYPE_VENDOR | \
usb.util.CTRL_RECIPIENT_DEVICE | \
usb.util.CTRL_IN
try:
msg = dev.ctrl_transfer(bmRequestType=bmRequestType, bRequest=bRequest,
wValue=wValue, wIndex=wIndex,
data_or_wLength=wLength)
log(False, bRequest, wValue, wIndex, msg, None)
return msg
except usb.core.USBError as e:
log(False, bRequest, wValue, wIndex, None, e)
raise
def request_write(bRequest, wValue, wIndex, data):
bmRequestType = usb.util.CTRL_TYPE_VENDOR | \
usb.util.CTRL_RECIPIENT_DEVICE | \
usb.util.CTRL_OUT
try:
msg = dev.ctrl_transfer(bmRequestType=bmRequestType, bRequest=bRequest,
wValue=wValue, wIndex=wIndex,
data_or_wLength=data)
log(True, bRequest, wValue, wIndex, msg, None)
except usb.core.USBError as e:
log(True, bRequest, wValue, wIndex, None, e)
raise
# 0x01: Unlock SROM.
def unlock_srom():
request_write(0x01, 0, 0, '')
time.sleep(0.1)
# 0x03: Lock SROM.
def lock_srom():
request_write(0x03, 0, 0, '')
time.sleep(0.1)
# 0x02: Write SROM at offset.
# Overwrites a whole 4 KB block.
# Can be done in chunks of 64 bytes at most (buffer overflow?).
def write_srom_once(offset, data):
request_write(0x02, 0, offset, data)
time.sleep(0.1)
# 0x07: Read SROM.
# Can be done in chunks of 64 bytes at most (buffer overflow?).
def read_srom_once(offset, length):
return request_read(0x07, 0, offset, length)
def read_srom(filename, length):
with open(filename, 'wb') as f:
for i in range(length // 64):
part = read_srom_once(i * 64, 64)
f.write(part)
def write_srom(filename, length):
data = None
with open(filename, 'rb') as f:
data = f.read()
assert(len(data) == length)
unlock_srom()
for i in range(0, len(data) // 64):
write_srom_once(i * 64, data[i * 64 : (i + 1) * 64])
lock_srom()
if command == 'read':
read_srom(filename, 0x10000)
elif command == 'write':
write_srom(filename, 0x10000)
else:
raise ValueError('Unknown command')