Initial Commit

wh1te4ever · Jul 15, 2023 · b0e6156 · b0e6156
1 parent 4595a53
commit b0e6156
Show file tree

Hide file tree

Showing 9 changed files with 109 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,18 @@
 # openra1n
-custom pongoOS booter for checkra1n 1337
+palera1n booter for windows / s8003
+
+## Dumped image from palera1n v2.0.0 beta 7 
+- pongoOS_shellcode(already compressed).bin 
+- checkra1n-kpf-ploosh.bin
+- ramdisk.bin
+- overlay.bin
+
+## Usage
+1. openra1n.exe
+2. python3 boot.py
 
 ## Attributions
+- [openra1n](https://github.com/mineek/openra1n) - Origin of the project
 - [gaster](https://github.com/0x7ff/gaster) - base of the project
 - [checkra1n](https://checkra.in/) - yeah, do i really need to explain this one?
 - [ra1npoc15](https://github.com/kok3shidoll/ra1npoc) - payloads
diff --git a/boot.py b/boot.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+#
+#  Copyright (C) 2019-2023 checkra1n team
+#  This file is part of pongoOS.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# 
+import sys
+import time
+import usb.core
+import struct
+
+kpf = open("payloads/checkra1n-kpf-ploosh.bin", "rb").read()
+rdsk = open("payloads/ramdisk.bin", "rb").read()
+overlay = open("payloads/overlay.bin", "rb").read()
+dev = usb.core.find(idVendor=0x05ac, idProduct=0x4141)
+if dev is None:
+    raise ValueError('Device not found')
+dev.set_configuration()
+
+#fuse lock / sep auto
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "fuse lock\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "sep auto\n")
+
+#Send kpf / modload
+dev.ctrl_transfer(0x21, 2, 0, 0, 0)
+dev.ctrl_transfer(0x21, 1, 0, 0, struct.pack('I', len(kpf)))
+dev.write(2,kpf,1000000)
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "modload\n")
+
+#kpf_flags 0x1 / checkra1n_flags 0x0 / palera1n_flags 0x0
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "kpf_flags 0x1\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "checkra1n_flags 0x0\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "palera1n_flags 0x0\n")
+
+#Send ramdisk / ramdisk
+dev.ctrl_transfer(0x21, 2, 0, 0, 0)
+dev.ctrl_transfer(0x21, 1, 0, 0, struct.pack('I', len(rdsk)))
+dev.write(2,rdsk,1000000)
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "ramdisk\n")
+
+#Send overlay / overlay
+dev.ctrl_transfer(0x21, 2, 0, 0, 0)
+dev.ctrl_transfer(0x21, 1, 0, 0, struct.pack('I', len(overlay)))
+dev.write(2,overlay,1000000)
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "overlay\n")
+
+#xargs  rootdev=md0 / bootx
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "xargs  rootdev=md0\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "bootx\n")
diff --git a/lz4/lz4.c b/lz4/lz4.c
@@ -115,7 +115,7 @@
 #endif
 
 #define LZ4_STATIC_LINKING_ONLY  /* LZ4_DISTANCE_MAX */
-#include <lz4/lz4.h>
+#include "../include/lz4/lz4.h"
 /* see also "memory routines" below */
 
 

diff --git a/lz4/lz4hc.c b/lz4/lz4hc.c
@@ -51,7 +51,7 @@
 
 /*===    Dependency    ===*/
 #define LZ4_HC_STATIC_LINKING_ONLY
-#include <lz4/lz4hc.h>
+#include "../include/lz4/lz4hc.h"
 
 
 /*===   Common definitions   ===*/

diff --git a/openra1n.c b/openra1n.c
@@ -36,6 +36,7 @@
 #define DFU_CLR_STATUS (4)
 #define MAX_BLOCK_SZ (0x50)
 #define DFU_MODE_PID (0x1227)
+#define PONGO_MODE_PID (0x4141)
 #define DFU_STATE_MANIFEST (7)
 #define EP0_MAX_PACKET_SZ (0x40)
 #define DFU_FILE_SUFFIX_LEN (16)
@@ -90,6 +91,15 @@ extern unsigned payloads_yolo_s8000_bin_len, payloads_yolo_s8001_bin_len, payloa
 extern uint8_t payloads_Pongo_bin[], payloads_shellcode_bin[];
 extern unsigned payloads_Pongo_bin_len, payloads_shellcode_bin_len;
 
+extern uint8_t payloads_pongoOS_shellcode_bin[];
+extern unsigned payloads_pongoOS_shellcode_bin_len;
+extern uint8_t payloads_checkra1n_kpf_ploosh_bin[];
+extern unsigned payloads_checkra1n_kpf_ploosh_bin_len;
+extern uint8_t payloads_overlay_bin[];
+extern unsigned payloads_overlay_bin_len;
+extern uint8_t payloads_ramdisk_bin[];
+extern unsigned payloads_ramdisk_bin_len;
+
 #include <payloads/yolo_s8000.bin.h>
 #include <payloads/yolo_s8001.bin.h>
 #include <payloads/yolo_s8003.bin.h>
@@ -102,6 +112,11 @@ extern unsigned payloads_Pongo_bin_len, payloads_shellcode_bin_len;
 #include <payloads/Pongo.bin.h>
 #include <payloads/shellcode.bin.h>
 
+#include <payloads/pongoOS_shellcode.bin.h>
+#include <payloads/overlay.bin.h>
+#include <payloads/ramdisk.bin.h>
+#include <payloads/checkra1n-kpf-ploosh.bin.h>
+
 static uint16_t cpid;
 static uint32_t payload_dest_armv7;
 static const char *pwnd_str = " YOLO:checkra1n";
@@ -959,26 +974,9 @@ static void compress_pongo(void *out, size_t *out_len) {
 static void checkm8_boot_pongo(usb_handle_t *handle) {
 	transfer_ret_t transfer_ret;
 	LOG_INFO("Booting pongoOS");
-	LOG_DEBUG("Compressing pongoOS");
-	LOG_DEBUG("Appending shellcode to the top of pongoOS (512 bytes)");
-	void *shellcode = malloc(512);
-	memcpy(shellcode, payloads_shellcode_bin, payloads_shellcode_bin_len);
-	size_t out_len = payloads_Pongo_bin_len;
-	void *out = malloc(out_len);
-	compress_pongo(out, &out_len);
-	LOG_DEBUG("Compressed pongoOS from %u to %zu bytes", payloads_Pongo_bin_len, out_len);
-	void *tmp = malloc(out_len + 512);
-	memcpy(tmp, shellcode, 512);
-	memcpy(tmp + 512, out, out_len);
-	free(out);
-	out = tmp;
-	out_len += 512;
-	free(shellcode);
-	LOG_DEBUG("Setting the compressed size into the shellcode");
-	uint32_t* size = (uint32_t*)(out + 0x1fc);
-	LOG_DEBUG("size = 0x%" PRIX32 "", *size);
-	*size = out_len - 512;
-	LOG_DEBUG("size = 0x%" PRIX32 "", *size);
+    void *out = malloc(payloads_pongoOS_shellcode_bin_len);
+    memcpy(out, payloads_pongoOS_shellcode_bin, payloads_pongoOS_shellcode_bin_len);
+    size_t out_len = payloads_pongoOS_shellcode_bin_len;
 	LOG_DEBUG("Reconnecting to device");
 	init_usb_handle(handle, APPLE_VID, DFU_MODE_PID);
 	LOG_DEBUG("Waiting for device to be ready");
@@ -1059,5 +1057,6 @@ int main(int argc, char **argv) {
 	gaster_checkm8(&handle);
 	sleep_ms(3000);
 	checkm8_boot_pongo(&handle);
+
 	return ret;
 }
diff --git a/payloads/checkra1n-kpf-ploosh.bin b/payloads/checkra1n-kpf-ploosh.bin
diff --git a/payloads/overlay.bin b/payloads/overlay.bin
diff --git a/payloads/pongoOS_shellcode.bin b/payloads/pongoOS_shellcode.bin
diff --git a/payloads/ramdisk.bin b/payloads/ramdisk.bin