diff --git a/README.md b/README.md
index 021f717..a284a93 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,18 @@
 # openra1n
-custom pongoOS booter for checkra1n 1337
+palera1n booter for windows / s8003
+
+## Dumped image from palera1n v2.0.0 beta 7
+- pongoOS_shellcode(already compressed).bin
+- checkra1n-kpf-ploosh.bin
+- ramdisk.bin
+- overlay.bin
+
+## Usage
+1. openra1n.exe
+2. python3 boot.py
 
 ## Attributions
+- [openra1n](https://github.com/mineek/openra1n) - Origin of the project
 - [gaster](https://github.com/0x7ff/gaster) - base of the project
 - [checkra1n](https://checkra.in/) - yeah, do i really need to explain this one?
 - [ra1npoc15](https://github.com/kok3shidoll/ra1npoc) - payloads
diff --git a/boot.py b/boot.py
new file mode 100644
index 0000000..a316225
--- /dev/null
+++ b/boot.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019-2023 checkra1n team
+# This file is part of pongoOS.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+import sys
+import time
+import usb.core
+import struct
+
+kpf = open("payloads/checkra1n-kpf-ploosh.bin", "rb").read()
+rdsk = open("payloads/ramdisk.bin", "rb").read()
+overlay = open("payloads/overlay.bin", "rb").read()
+dev = usb.core.find(idVendor=0x05ac, idProduct=0x4141)
+if dev is None:
+ raise ValueError('Device not found')
+dev.set_configuration()
+
+#fuse lock / sep auto
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "fuse lock\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "sep auto\n")
+
+#Send kpf / modload
+dev.ctrl_transfer(0x21, 2, 0, 0, 0)
+dev.ctrl_transfer(0x21, 1, 0, 0, struct.pack('I', len(kpf)))
+dev.write(2,kpf,1000000)
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "modload\n")
+
+#kpf_flags 0x1 / checkra1n_flags 0x0 / palera1n_flags 0x0
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "kpf_flags 0x1\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "checkra1n_flags 0x0\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "palera1n_flags 0x0\n")
+
+#Send ramdisk / ramdisk
+dev.ctrl_transfer(0x21, 2, 0, 0, 0)
+dev.ctrl_transfer(0x21, 1, 0, 0, struct.pack('I', len(rdsk)))
+dev.write(2,rdsk,1000000)
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "ramdisk\n")
+
+#Send overlay / overlay
+dev.ctrl_transfer(0x21, 2, 0, 0, 0)
+dev.ctrl_transfer(0x21, 1, 0, 0, struct.pack('I', len(overlay)))
+dev.write(2,overlay,1000000)
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "overlay\n")
+
+#xargs rootdev=md0 / bootx
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "xargs rootdev=md0\n")
+dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+dev.ctrl_transfer(0x21, 3, 0, 0, "bootx\n")
diff --git a/lz4/lz4.c b/lz4/lz4.c
index 81dfe2d..27495f2 100644
--- a/lz4/lz4.c
+++ b/lz4/lz4.c
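Review bot: None of the three bulk uploads checks what `dev.write` returns, so a short write of `kpf`, `rdsk` or `overlay` is still followed by the `modload`, `ramdisk` or `overlay` command acting on a truncated buffer; capture and compare the count, e.g. `sent = dev.write(2, kpf, 1000000)` / `assert sent == len(kpf), f"short write: {sent}/{len(kpf)}"`, and likewise for the other two transfers. `struct.pack('I', ...)` encodes the length header in the host's native byte order and alignment; if the device expects a fixed little-endian 32-bit field (it looks that way, but this hunk does not show the receiving side) write it as `struct.pack('<I', len(kpf))` so the script behaves the same on every host. The payload files are read through bare `open(...).read()` calls that never close their handles and are uploaded with no integrity check; `with open(...) as f:` plus a comparison of each blob against a pinned digest (`hashlib.sha256(kpf).hexdigest() == "<expected-sha256>"`) would reject a corrupted or swapped image before anything is sent to the device. `sys` and `time` are imported but never used.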
@@ -115,7 +115,7 @@
 #endif
 #define LZ4_STATIC_LINKING_ONLY /* LZ4_DISTANCE_MAX */
-#include
+#include "../include/lz4/lz4.h"
 /* see also "memory routines" below */
diff --git a/lz4/lz4hc.c b/lz4/lz4hc.c
index 77a35a0..46af56c 100644
--- a/lz4/lz4hc.c
+++ b/lz4/lz4hc.c
@@ -51,7 +51,7 @@
 /*=== Dependency ===*/
 #define LZ4_HC_STATIC_LINKING_ONLY
-#include
+#include "../include/lz4/lz4hc.h"
 /*=== Common definitions ===*/
diff --git a/openra1n.c b/openra1n.c
index 813f958..e7edf67 100644
--- a/openra1n.c
+++ b/openra1n.c
@@ -36,6 +36,7 @@
 #define DFU_CLR_STATUS (4)
 #define MAX_BLOCK_SZ (0x50)
 #define DFU_MODE_PID (0x1227)
+#define PONGO_MODE_PID (0x4141)
 #define DFU_STATE_MANIFEST (7)
 #define EP0_MAX_PACKET_SZ (0x40)
 #define DFU_FILE_SUFFIX_LEN (16)
@@ -90,6 +91,15 @@ extern unsigned payloads_yolo_s8000_bin_len, payloads_yolo_s8001_bin_len, payloa
 extern uint8_t payloads_Pongo_bin[], payloads_shellcode_bin[];
 extern unsigned payloads_Pongo_bin_len, payloads_shellcode_bin_len;
+extern uint8_t payloads_pongoOS_shellcode_bin[];
+extern unsigned payloads_pongoOS_shellcode_bin_len;
+extern uint8_t payloads_checkra1n_kpf_ploosh_bin[];
+extern unsigned payloads_checkra1n_kpf_ploosh_bin_len;
+extern uint8_t payloads_overlay_bin[];
+extern unsigned payloads_overlay_bin_len;
+extern uint8_t payloads_ramdisk_bin[];
+extern unsigned payloads_ramdisk_bin_len;
+
 #include
 #include
 #include
@@ -102,6 +112,11 @@ extern unsigned payloads_Pongo_bin_len, payloads_shellcode_bin_len;
 #include
 #include
+#include
+#include
+#include
+#include
+
 static uint16_t cpid;
 static uint32_t payload_dest_armv7;
 static const char *pwnd_str = " YOLO:checkra1n";
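Review bot: `PONGO_MODE_PID` is defined here but no hunk in this commit references it; `checkm8_boot_pongo` still reconnects with `DFU_MODE_PID` (the @@ -959 hunk) and `boot.py` carries the same value as a bare literal `idProduct=0x4141`. It may be consumed by code outside these hunks, but if not, either wire it into the reconnect path or add a one-line comment such as `/* pongoOS USB product id; must match idProduct in boot.py */` so the two copies are tied together.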
@@ -959,26 +974,9 @@ static void compress_pongo(void *out, size_t *out_len) {
 static void checkm8_boot_pongo(usb_handle_t *handle) {
 transfer_ret_t transfer_ret;
 LOG_INFO("Booting pongoOS");
- LOG_DEBUG("Compressing pongoOS");
- LOG_DEBUG("Appending shellcode to the top of pongoOS (512 bytes)");
- void *shellcode = malloc(512);
- memcpy(shellcode, payloads_shellcode_bin, payloads_shellcode_bin_len);
- size_t out_len = payloads_Pongo_bin_len;
- void *out = malloc(out_len);
- compress_pongo(out, &out_len);
- LOG_DEBUG("Compressed pongoOS from %u to %zu bytes", payloads_Pongo_bin_len, out_len);
- void *tmp = malloc(out_len + 512);
- memcpy(tmp, shellcode, 512);
- memcpy(tmp + 512, out, out_len);
- free(out);
- out = tmp;
- out_len += 512;
- free(shellcode);
- LOG_DEBUG("Setting the compressed size into the shellcode");
- uint32_t* size = (uint32_t*)(out + 0x1fc);
- LOG_DEBUG("size = 0x%" PRIX32 "", *size);
- *size = out_len - 512;
- LOG_DEBUG("size = 0x%" PRIX32 "", *size);
+ void *out = malloc(payloads_pongoOS_shellcode_bin_len);
+ memcpy(out, payloads_pongoOS_shellcode_bin, payloads_pongoOS_shellcode_bin_len);
+ size_t out_len = payloads_pongoOS_shellcode_bin_len;
 LOG_DEBUG("Reconnecting to device");
 init_usb_handle(handle, APPLE_VID, DFU_MODE_PID);
 LOG_DEBUG("Waiting for device to be ready");
@@ -1059,5 +1057,6 @@ int main(int argc, char **argv) {
 gaster_checkm8(&handle);
 sleep_ms(3000);
 checkm8_boot_pongo(&handle);
+ return ret;
 }
diff --git a/payloads/checkra1n-kpf-ploosh.bin b/payloads/checkra1n-kpf-ploosh.bin
new file mode 100644
index 0000000..67540d6
Binary files /dev/null and b/payloads/checkra1n-kpf-ploosh.bin differ
diff --git a/payloads/overlay.bin b/payloads/overlay.bin
new file mode 100644
index 0000000..54c0ba6
Binary files /dev/null and b/payloads/overlay.bin differ
diff --git a/payloads/pongoOS_shellcode.bin b/payloads/pongoOS_shellcode.bin
new file mode 100644
index 0000000..d54aeb9
Binary files /dev/null and b/payloads/pongoOS_shellcode.bin differ
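Review bot: The result of `malloc(payloads_pongoOS_shellcode_bin_len)` goes straight into `memcpy` without a NULL check, so an allocation failure is a NULL dereference instead of a reported error; add `if (out == NULL) { return; }` (with whatever error logging this file uses) before the copy. The rest of checkm8_boot_pongo is outside the hunk, so I cannot tell whether `out` is later modified or freed; if it is neither, the allocation and copy can go and `out` can simply alias `payloads_pongoOS_shellcode_bin`. The removed code patched the compressed size into the shellcode at `out + 0x1fc`; the new pre-built blob must already carry that value, which is an invariant worth stating in a comment, e.g. `/* pre-built blob: 512-byte shellcode followed by the compressed pongoOS image, with the compressed size already stored at offset 0x1fc */`. With its only visible caller removed, the static `compress_pongo` named in the hunk header will now draw an unused-function warning unless it is called elsewhere in the file.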
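Review bot: `return ret;` makes main's exit status depend on the last assignment to `ret`, which is not in this hunk, while the three calls directly above it (`gaster_checkm8`, `sleep_ms`, `checkm8_boot_pongo`) do not update it, so a boot that fails after the exploit step can still exit with whatever `ret` held earlier. If `gaster_checkm8` reports a status (its signature is not visible here), capturing it with `ret = gaster_checkm8(&handle);` and skipping `checkm8_boot_pongo` when it is non-zero would give the exit code a meaning a caller can act on. main's body begins outside the hunk.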
diff --git a/payloads/ramdisk.bin b/payloads/ramdisk.bin
new file mode 100644
index 0000000..5a30430
Binary files /dev/null and b/payloads/ramdisk.bin differ