internal byte[] Rebuild() { if (GPTBuffer == null) { TableSize = 0x4200; TableOffset = 0; GPTBuffer = new byte[TableSize]; } else { Array.Clear(GPTBuffer, (int)TableOffset, (int)TableSize); } UInt32 PartitionOffset = TableOffset; foreach (Partition CurrentPartition in Partitions) { ByteOperations.WriteGuid(GPTBuffer, PartitionOffset + 0x00, CurrentPartition.PartitionTypeGuid); ByteOperations.WriteGuid(GPTBuffer, PartitionOffset + 0x10, CurrentPartition.PartitionGuid); ByteOperations.WriteUInt64(GPTBuffer, PartitionOffset + 0x20, CurrentPartition.FirstSector); ByteOperations.WriteUInt64(GPTBuffer, PartitionOffset + 0x28, CurrentPartition.LastSector); ByteOperations.WriteUInt64(GPTBuffer, PartitionOffset + 0x30, CurrentPartition.Attributes); ByteOperations.WriteUnicodeString(GPTBuffer, PartitionOffset + 0x38, CurrentPartition.Name, 0x48); PartitionOffset += PartitionEntrySize; } ByteOperations.WriteUInt32(GPTBuffer, HeaderOffset + 0x58, ByteOperations.CRC32(GPTBuffer, TableOffset, TableSize)); ByteOperations.WriteUInt32(GPTBuffer, HeaderOffset + 0x10, 0); ByteOperations.WriteUInt32(GPTBuffer, HeaderOffset + 0x10, ByteOperations.CRC32(GPTBuffer, HeaderOffset, HeaderSize)); return(GPTBuffer); }
internal static void PatchImg(string dump) { using (var fil = File.Open(dump, FileMode.Open)) { byte[] gptbuffer = new byte[0x4200]; fil.Seek(0x200, SeekOrigin.Begin); fil.Read(gptbuffer, 0, 0x4200); uint BackupLBA = ByteOperations.ReadUInt32(gptbuffer, 0x20); uint LastUsableLBA = ByteOperations.ReadUInt32(gptbuffer, 0x30); LogFile.Log("Previous BackupLBA: " + BackupLBA, LogType.ConsoleOnly); LogFile.Log("Previous LastUsableLBA: " + LastUsableLBA, LogType.ConsoleOnly); uint NewBackupLBA = 62078975u; uint NewLastUsableLBA = 62078942u; ByteOperations.WriteUInt32(gptbuffer, 0x20, NewBackupLBA); ByteOperations.WriteUInt32(gptbuffer, 0x30, NewLastUsableLBA); uint HeaderSize = ByteOperations.ReadUInt32(gptbuffer, 0x0C); uint PrevCRC = ByteOperations.ReadUInt32(gptbuffer, 0x10); LogFile.Log("Previous CRC: " + PrevCRC, LogType.ConsoleOnly); ByteOperations.WriteUInt32(gptbuffer, 0x10, 0); uint NewCRC = ByteOperations.CRC32(gptbuffer, 0, HeaderSize); LogFile.Log("New CRC: " + NewCRC, LogType.ConsoleOnly); ByteOperations.WriteUInt32(gptbuffer, 0x10, NewCRC); LogFile.Log("Writing", LogType.ConsoleOnly); fil.Seek(0x200, SeekOrigin.Begin); fil.Write(gptbuffer, 0, 0x4200); LogFile.Log("Done!", LogType.ConsoleOnly); } }
public void SwitchMode(SaharaMode Mode) { byte[] SwitchModeCommand = new byte[] { 0x0C, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; ByteOperations.WriteUInt32(SwitchModeCommand, 8, (UInt32)Mode); byte[] ResponsePattern = null; switch (Mode) { case SaharaMode.ImageTransferPending: ResponsePattern = new byte[] { 0x04, 0x00, 0x00, 0x00 }; break; case SaharaMode.MemoryDebug: ResponsePattern = new byte[] { 0x09, 0x00, 0x00, 0x00 }; break; case SaharaMode.Command: ResponsePattern = new byte[] { 0x0B, 0x00, 0x00, 0x00 }; break; } Serial.SendCommand(SwitchModeCommand, ResponsePattern); }
public bool ConnectToProgrammerInTestMode() { byte[] HelloPacketFromPcToProgrammer = new byte[0x20C]; ByteOperations.WriteUInt32(HelloPacketFromPcToProgrammer, 0, 0x57503730); ByteOperations.WriteUInt32(HelloPacketFromPcToProgrammer, 0x28, 0x57503730); ByteOperations.WriteUInt32(HelloPacketFromPcToProgrammer, 0x208, 0x57503730); ByteOperations.WriteUInt16(HelloPacketFromPcToProgrammer, 0x48, 0x4445); bool HandshakeCompleted = ConnectToProgrammer(HelloPacketFromPcToProgrammer); if (HandshakeCompleted) { LogFile.Log("Handshake completed with programmer in testmode", LogType.FileOnly); } else { LogFile.Log("Handshake with programmer failed", LogType.FileOnly); } return(HandshakeCompleted); }
// V3 exploit // Magic // internal async static Task LumiaV3CustomFlash(PhoneNotifierViewModel Notifier, List <FlashPart> FlashParts, bool CheckSectorAlignment = true, SetWorkingStatus SetWorkingStatus = null, UpdateWorkingStatus UpdateWorkingStatus = null, ExitSuccess ExitSuccess = null, ExitFailure ExitFailure = null) { if (SetWorkingStatus == null) { SetWorkingStatus = (m, s, v, a, st) => { } } ; if (UpdateWorkingStatus == null) { UpdateWorkingStatus = (m, s, v, st) => { } } ; if (ExitSuccess == null) { ExitSuccess = (m, s) => { } } ; if (ExitFailure == null) { ExitFailure = (m, s) => { } } ; uint chunkSize = 131072u; int chunkSizes = 131072; if (FlashParts != null) { foreach (FlashPart Part in FlashParts) { if (Part.Stream == null) { throw new ArgumentException("Stream is null"); } if (!Part.Stream.CanSeek) { throw new ArgumentException("Streams must be seekable"); } if (((Part.StartSector * 0x200) % chunkSize) != 0) { throw new ArgumentException("Invalid StartSector alignment"); } if (CheckSectorAlignment) { if ((Part.Stream.Length % chunkSize) != 0) { throw new ArgumentException("Invalid Data length"); } } } } try { NokiaFlashModel Model = (NokiaFlashModel)Notifier.CurrentModel; PhoneInfo Info = Model.ReadPhoneInfo(); if ((Info.SecureFfuSupportedProtocolMask & ((ushort)FfuProtocol.ProtocolSyncV2)) == 0) // Exploit needs protocol v2 -> This check is not conclusive, because old phones also report support for this protocol, although it is really not supported. { throw new WPinternalsException("Flash failed!", "Protocols not supported. The phone reports that it does not support the Protocol Sync V2."); } if (Info.FlashAppProtocolVersionMajor < 2) // Old phones do not support the hack. These phones have Flash protocol 1.x. { throw new WPinternalsException("Flash failed!", "Protocols not supported. The phone reports that Flash App communication protocol is lower than 2. Reported version by the phone: " + Info.FlashAppProtocolVersionMajor + "."); } if (Info.UefiSecureBootEnabled) { throw new WPinternalsException("Flash failed!", "UEFI Secureboot must be disabled for the Flash V3 exploit to work."); } // The payloads must be ordered by the number of locations // // FlashApp processes payloads like this: // - First payloads which are with one location, those can be sent in bulk // - Then payloads with more than one location, those should not be sent in bulk // // If you do not order payloads like this, you will get an error, most likely hash mismatch // LumiaV2UnlockBootViewModel.FlashingPayload[] payloads = new LumiaV2UnlockBootViewModel.FlashingPayload[0]; if (FlashParts != null) { payloads = LumiaV2UnlockBootViewModel.GetNonOptimizedPayloads(FlashParts, chunkSizes, (uint)(Info.WriteBufferSize / chunkSize), SetWorkingStatus, UpdateWorkingStatus).OrderBy(x => x.TargetLocations.Count()).ToArray(); } MemoryStream Headerstream1 = new MemoryStream(); // ============================== // Header 1 start ImageHeader image = new ImageHeader(); FullFlash ffimage = new FullFlash(); Store simage = new Store(); // Todo make this read the image itself ffimage.OSVersion = "10.0.11111.0"; ffimage.DevicePlatformId0 = Info.PlatformID; ffimage.AntiTheftVersion = "1.1"; simage.SectorSize = 512; simage.MinSectorCount = Info.EmmcSizeInSectors; //Logging.Log("Generating image manifest..."); string manifest = ManifestIni.BuildUpManifest(ffimage, simage);//, partitions); byte[] TextBytes = System.Text.Encoding.ASCII.GetBytes(manifest); image.ManifestLength = (UInt32)TextBytes.Length; byte[] ImageHeaderBuffer = new byte[0x18]; ByteOperations.WriteUInt32(ImageHeaderBuffer, 0, image.Size); ByteOperations.WriteAsciiString(ImageHeaderBuffer, 0x04, image.Signature); ByteOperations.WriteUInt32(ImageHeaderBuffer, 0x10, image.ManifestLength); ByteOperations.WriteUInt32(ImageHeaderBuffer, 0x14, image.ChunkSize); Headerstream1.Write(ImageHeaderBuffer, 0, 0x18); Headerstream1.Write(TextBytes, 0, TextBytes.Length); RoundUpToChunks(Headerstream1, chunkSize); // Header 1 stop + round // ============================== MemoryStream Headerstream2 = new MemoryStream(); // ============================== // Header 2 start StoreHeader store = new StoreHeader(); store.WriteDescriptorCount = (UInt32)payloads.Count(); store.FinalTableIndex = (UInt32)payloads.Count() - store.FinalTableCount; store.PlatformId = Info.PlatformID; foreach (LumiaV2UnlockBootViewModel.FlashingPayload payload in payloads) { store.WriteDescriptorLength += payload.GetStoreHeaderSize(); } foreach (LumiaV2UnlockBootViewModel.FlashingPayload payload in payloads) { /*if (payload.TargetLocations.First() > PlatEnd) * break;*/ store.FlashOnlyTableIndex += 1; } byte[] StoreHeaderBuffer = new byte[0xF8]; ByteOperations.WriteUInt32(StoreHeaderBuffer, 0, store.UpdateType); ByteOperations.WriteUInt16(StoreHeaderBuffer, 0x04, store.MajorVersion); ByteOperations.WriteUInt16(StoreHeaderBuffer, 0x06, store.MinorVersion); ByteOperations.WriteUInt16(StoreHeaderBuffer, 0x08, store.FullFlashMajorVersion); ByteOperations.WriteUInt16(StoreHeaderBuffer, 0x0A, store.FullFlashMinorVersion); ByteOperations.WriteAsciiString(StoreHeaderBuffer, 0x0C, store.PlatformId); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xCC, store.BlockSizeInBytes); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xD0, store.WriteDescriptorCount); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xD4, store.WriteDescriptorLength); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xD8, store.ValidateDescriptorCount); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xDC, store.ValidateDescriptorLength); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xE0, store.InitialTableIndex); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xE4, store.InitialTableCount); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xE8, store.FlashOnlyTableIndex); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xEC, store.FlashOnlyTableCount); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xF0, store.FinalTableIndex); ByteOperations.WriteUInt32(StoreHeaderBuffer, 0xF4, store.FinalTableCount); Headerstream2.Write(StoreHeaderBuffer, 0, 0xF8); byte[] descriptorsBuffer = new byte[store.WriteDescriptorLength]; UInt32 NewWriteDescriptorOffset = 0; foreach (LumiaV2UnlockBootViewModel.FlashingPayload payload in payloads) { ByteOperations.WriteUInt32(descriptorsBuffer, NewWriteDescriptorOffset + 0x00, (UInt32)payload.TargetLocations.Count()); // Location count ByteOperations.WriteUInt32(descriptorsBuffer, NewWriteDescriptorOffset + 0x04, payload.ChunkCount); // Chunk count NewWriteDescriptorOffset += 0x08; foreach (UInt32 location in payload.TargetLocations) { ByteOperations.WriteUInt32(descriptorsBuffer, NewWriteDescriptorOffset + 0x00, 0x00000000); // Disk access method (0 = Begin, 2 = End) ByteOperations.WriteUInt32(descriptorsBuffer, NewWriteDescriptorOffset + 0x04, location); // Chunk index NewWriteDescriptorOffset += 0x08; } } Headerstream2.Write(descriptorsBuffer, 0, (Int32)store.WriteDescriptorLength); RoundUpToChunks(Headerstream2, chunkSize); // Header 2 stop + round // ============================== SecurityHeader security = new SecurityHeader(); Headerstream1.Seek(0, SeekOrigin.Begin); Headerstream2.Seek(0, SeekOrigin.Begin); security.HashTableSize = 0x20 * (UInt32)((Headerstream1.Length + Headerstream2.Length) / chunkSize); foreach (LumiaV2UnlockBootViewModel.FlashingPayload payload in payloads) { security.HashTableSize += payload.GetSecurityHeaderSize(); } byte[] HashTable = new byte[security.HashTableSize]; BinaryWriter bw = new BinaryWriter(new MemoryStream(HashTable)); SHA256 crypto = SHA256.Create(); for (int i = 0; i < Headerstream1.Length / chunkSize; i++) { byte[] buffer = new byte[chunkSize]; Headerstream1.Read(buffer, 0, (Int32)chunkSize); byte[] hash = crypto.ComputeHash(buffer); bw.Write(hash, 0, hash.Length); } for (int i = 0; i < Headerstream2.Length / chunkSize; i++) { byte[] buffer = new byte[chunkSize]; Headerstream2.Read(buffer, 0, (Int32)chunkSize); byte[] hash = crypto.ComputeHash(buffer); bw.Write(hash, 0, hash.Length); } foreach (LumiaV2UnlockBootViewModel.FlashingPayload payload in payloads) { bw.Write(payload.ChunkHashes[0], 0, payload.ChunkHashes[0].Length); } bw.Close(); //Logging.Log("Generating image catalog..."); byte[] catalog = GenerateCatalogFile(HashTable); security.CatalogSize = (UInt32)catalog.Length; byte[] SecurityHeaderBuffer = new byte[0x20]; ByteOperations.WriteUInt32(SecurityHeaderBuffer, 0, security.Size); ByteOperations.WriteAsciiString(SecurityHeaderBuffer, 0x04, security.Signature); ByteOperations.WriteUInt32(SecurityHeaderBuffer, 0x10, security.ChunkSizeInKb); ByteOperations.WriteUInt32(SecurityHeaderBuffer, 0x14, security.HashAlgorithm); ByteOperations.WriteUInt32(SecurityHeaderBuffer, 0x18, security.CatalogSize); ByteOperations.WriteUInt32(SecurityHeaderBuffer, 0x1C, security.HashTableSize); MemoryStream retstream = new MemoryStream(); retstream.Write(SecurityHeaderBuffer, 0, 0x20); retstream.Write(catalog, 0, (Int32)security.CatalogSize); retstream.Write(HashTable, 0, (Int32)security.HashTableSize); RoundUpToChunks(retstream, chunkSize); Headerstream1.Seek(0, SeekOrigin.Begin); Headerstream2.Seek(0, SeekOrigin.Begin); byte[] buff = new byte[Headerstream1.Length]; Headerstream1.Read(buff, 0, (Int32)Headerstream1.Length); Headerstream1.Close(); retstream.Write(buff, 0, buff.Length); buff = new byte[Headerstream2.Length]; Headerstream2.Read(buff, 0, (Int32)Headerstream2.Length); Headerstream2.Close(); retstream.Write(buff, 0, buff.Length); // -------- // Go back to the beginning retstream.Seek(0, SeekOrigin.Begin); byte[] FfuHeader = new byte[retstream.Length]; await retstream.ReadAsync(FfuHeader, 0, (int)retstream.Length); retstream.Close(); byte Options = 0; if (!Info.IsBootloaderSecure) { Options = (byte)((FlashOptions)Options | FlashOptions.SkipSignatureCheck); } LogFile.Log("Flash in progress...", LogType.ConsoleOnly); SetWorkingStatus("Flashing...", null, (UInt64?)payloads.Count(), Status: WPinternalsStatus.Flashing); Model.SendFfuHeaderV1(FfuHeader, Options); UInt64 counter = 0; int numberOfPayloadsToSendAtOnce = (int)Math.Round((double)Info.WriteBufferSize / chunkSize); byte[] payloadBuffer; for (int i = 0; i < payloads.Count(); i += numberOfPayloadsToSendAtOnce) { if (i + numberOfPayloadsToSendAtOnce - 1 >= payloads.Count()) { numberOfPayloadsToSendAtOnce = payloads.Count() - i; } payloadBuffer = new byte[numberOfPayloadsToSendAtOnce * chunkSizes]; string ProgressText = "Flashing resources"; for (int j = 0; j < numberOfPayloadsToSendAtOnce; j++) { LumiaV2UnlockBootViewModel.FlashingPayload payload = payloads[i + j]; UInt32 StreamIndex = payload.StreamIndexes.First(); FlashPart flashPart = FlashParts[(int)StreamIndex]; if (flashPart.ProgressText != null) { ProgressText = flashPart.ProgressText; } Stream Stream = flashPart.Stream; Stream.Seek(payload.StreamLocations.First(), SeekOrigin.Begin); Stream.Read(payloadBuffer, j * chunkSizes, chunkSizes); counter++; } Model.SendFfuPayloadV2(payloadBuffer, int.Parse((counter * 100 / (ulong)payloads.Count()).ToString())); UpdateWorkingStatus(ProgressText, null, counter, WPinternalsStatus.Flashing); } Model.ResetPhone(); await Notifier.WaitForRemoval(); ExitSuccess("Flash succeeded!", null); } catch { throw new WPinternalsException("Custom flash failed"); } } } }
private void ClearEfiChecksum(byte[] EfiFile) { UInt32 PEHeaderOffset = ByteOperations.ReadUInt32(EfiFile, 0x3C); ByteOperations.WriteUInt32(EfiFile, PEHeaderOffset + 0x58, 0); }
internal byte[] Rebuild() { // The new binary will include the Qualcomm header, but not the signature and certificates, because they won't match anyway. byte[] NewBinary = new byte[Binary.Length]; Buffer.BlockCopy(Binary, 0, NewBinary, 0, (int)CompressedSubImageOffset); ByteOperations.WriteUInt32(NewBinary, 0x10, ByteOperations.ReadUInt32(NewBinary, 0x14)); // Complete image size - does not include signature and certs anymore ByteOperations.WriteUInt32(NewBinary, 0x18, 0x00000000); // Address of signature ByteOperations.WriteUInt32(NewBinary, 0x1C, 0x00000000); // Signature length ByteOperations.WriteUInt32(NewBinary, 0x20, 0x00000000); // Address of certificate ByteOperations.WriteUInt32(NewBinary, 0x24, 0x00000000); // Certificate length // Compress volume byte[] NewCompressedImage = LZMA.Compress(DecompressedImage, 0, (UInt32)DecompressedImage.Length); // Replace compressed volume and add correct padding // First copy new image Buffer.BlockCopy(NewCompressedImage, 0, NewBinary, (int)CompressedSubImageOffset, NewCompressedImage.Length); // Determine padding UInt32 OldSectionPadding = ByteOperations.Align(0, CompressedSubImageSize, 4) - CompressedSubImageSize; UInt32 NewSectionPadding = ByteOperations.Align(0, (UInt32)NewCompressedImage.Length, 4) - (UInt32)NewCompressedImage.Length; UInt32 OldFileSize = ByteOperations.ReadUInt24(Binary, FileHeaderOffset + 0x14); // Filesize includes fileheader. But it does not include the padding-bytes. Not even the padding bytes of the last section. UInt32 NewFileSize; if ((CompressedSubImageOffset + CompressedSubImageSize + OldSectionPadding) >= (FileHeaderOffset + OldFileSize)) { // Compressed image is the last section of this file NewFileSize = CompressedSubImageOffset - FileHeaderOffset + (UInt32)NewCompressedImage.Length; } else { // Compressed image is NOT the last section of this file NewFileSize = OldFileSize - CompressedSubImageSize - OldSectionPadding + (UInt32)NewCompressedImage.Length + NewSectionPadding; } // Add section padding for (int i = 0; i < NewSectionPadding; i++) { NewBinary[CompressedSubImageOffset + NewCompressedImage.Length + i] = PaddingByteValue; } // If there are more bytes after the section padding of the compressed image, then copy the trailing sections if (((Int32)FileHeaderOffset + OldFileSize - CompressedSubImageOffset - CompressedSubImageSize - OldSectionPadding) > 0) { Buffer.BlockCopy(Binary, (int)(CompressedSubImageOffset + CompressedSubImageSize + OldSectionPadding), NewBinary, (int)(CompressedSubImageOffset + NewCompressedImage.Length + NewSectionPadding), (int)(FileHeaderOffset + OldFileSize - CompressedSubImageOffset - CompressedSubImageSize - OldSectionPadding)); } // Add file padding // Filesize does not include last section padding or file padding UInt32 OldFilePadding = ByteOperations.Align(0, OldFileSize, 8) - OldFileSize; UInt32 NewFilePadding = ByteOperations.Align(0, NewFileSize, 8) - NewFileSize; for (int i = 0; i < NewFilePadding; i++) { NewBinary[FileHeaderOffset + NewFileSize + i] = PaddingByteValue; } if (NewCompressedImage.Length > CompressedSubImageSize) { Buffer.BlockCopy(Binary, (int)(FileHeaderOffset + OldFileSize + OldFilePadding), NewBinary, (int)(FileHeaderOffset + NewFileSize + NewFilePadding), (int)(VolumeHeaderOffset + VolumeSize - FileHeaderOffset - NewFileSize - NewFilePadding)); } else { Buffer.BlockCopy(Binary, (int)(FileHeaderOffset + OldFileSize + OldFilePadding), NewBinary, (int)(FileHeaderOffset + NewFileSize + NewFilePadding), (int)(VolumeHeaderOffset + VolumeSize - FileHeaderOffset - OldFileSize - OldFilePadding)); for (int i = (int)(VolumeHeaderOffset + VolumeSize - OldFileSize - OldFilePadding + NewFileSize + NewFilePadding); i < VolumeHeaderOffset + VolumeSize; i++) { NewBinary[i] = PaddingByteValue; } } CompressedSubImageSize = (UInt32)NewCompressedImage.Length; // Fix section ByteOperations.WriteUInt24(NewBinary, SectionHeaderOffset, CompressedSubImageSize + ByteOperations.ReadUInt16(Binary, SectionHeaderOffset + 0x14)); // Fix file ByteOperations.WriteUInt24(NewBinary, FileHeaderOffset + 0x14, NewFileSize); CalculateFileChecksum(NewBinary, FileHeaderOffset); // Fix volume (volume size is fixed) CalculateVolumeChecksum(NewBinary, VolumeHeaderOffset); Binary = NewBinary; return(Binary); }
internal void ReplaceFile(string Name, byte[] Binary) { EFI File = EFIs.Where(f => (string.Compare(Name, f.Name, true) == 0) || (string.Compare(Name, f.Guid.ToString(), true) == 0)).FirstOrDefault(); if (File == null) { throw new ArgumentOutOfRangeException(); } UInt32 OldBinarySize = File.Size; UInt32 NewBinarySize = (UInt32)Binary.Length; UInt32 OldSectionPadding = ByteOperations.Align(0, OldBinarySize, 4) - OldBinarySize; UInt32 NewSectionPadding = ByteOperations.Align(0, NewBinarySize, 4) - NewBinarySize; UInt32 OldFileSize = ByteOperations.ReadUInt24(DecompressedImage, File.FileOffset + 0x14); UInt32 NewFileSize = OldFileSize - OldBinarySize - OldSectionPadding + NewBinarySize + NewSectionPadding; UInt32 OldFilePadding = ByteOperations.Align(0, OldFileSize, 8) - OldFileSize; UInt32 NewFilePadding = ByteOperations.Align(0, NewFileSize, 8) - NewFileSize; if ((OldBinarySize + OldSectionPadding) != (NewBinarySize + NewSectionPadding)) { byte[] NewImage = new byte[DecompressedImage.Length - OldFileSize - OldFilePadding + NewFileSize + NewFilePadding]; // Also preserve space for File-alignement here // Copy Volume-head and File-head Buffer.BlockCopy(DecompressedImage, 0, NewImage, 0, (int)File.BinaryOffset); // Copy new binary Buffer.BlockCopy(Binary, 0, NewImage, (int)File.BinaryOffset, Binary.Length); // Insert section-padding for (int i = 0; i < NewSectionPadding; i++) { NewImage[File.BinaryOffset + NewBinarySize + i] = PaddingByteValue; } // Copy file-tail Buffer.BlockCopy( DecompressedImage, (int)(File.BinaryOffset + OldBinarySize + OldSectionPadding), NewImage, (int)(File.BinaryOffset + NewBinarySize + NewSectionPadding), (int)(File.FileOffset + OldFileSize - File.BinaryOffset - OldBinarySize - OldSectionPadding)); // Insert file-padding for (int i = 0; i < NewFilePadding; i++) { NewImage[File.BinaryOffset + NewFileSize + i] = PaddingByteValue; } // Copy volume-tail Buffer.BlockCopy( DecompressedImage, (int)(File.FileOffset + OldFileSize + OldFilePadding), NewImage, (int)(File.FileOffset + NewFileSize + NewFilePadding), (int)(DecompressedImage.Length - File.FileOffset - OldFileSize - OldFilePadding)); Int32 NewOffset = (int)(NewFileSize + NewFilePadding) - (int)(OldFileSize - OldFilePadding); // Fix section-size ByteOperations.WriteUInt24(NewImage, File.SectionOffset, (UInt32)(ByteOperations.ReadUInt24(NewImage, File.SectionOffset) + NewOffset)); // Fix file-size ByteOperations.WriteUInt24(NewImage, File.FileOffset + 0x14, (UInt32)(ByteOperations.ReadUInt24(NewImage, File.FileOffset + 0x14) + NewOffset)); // Fix volume-size - TODO: This is actually a QWORD ByteOperations.WriteUInt32(NewImage, DecompressedVolumeHeaderOffset + 0x20, (UInt32)(ByteOperations.ReadUInt32(NewImage, DecompressedVolumeHeaderOffset + 0x20) + NewOffset)); // Fix section-size ByteOperations.WriteUInt24(NewImage, DecompressedVolumeSectionHeaderOffset, (UInt32)(ByteOperations.ReadUInt24(NewImage, DecompressedVolumeSectionHeaderOffset) + NewOffset)); DecompressedImage = NewImage; // Modify all sizes in EFI's foreach (EFI CurrentFile in EFIs) { if (CurrentFile.FileOffset > File.FileOffset) { CurrentFile.FileOffset = (UInt32)(CurrentFile.FileOffset + NewOffset); CurrentFile.SectionOffset = (UInt32)(CurrentFile.SectionOffset + NewOffset); CurrentFile.BinaryOffset = (UInt32)(CurrentFile.BinaryOffset + NewOffset); } } } else { Buffer.BlockCopy(Binary, 0, DecompressedImage, (int)File.BinaryOffset, Binary.Length); for (int i = 0; i < NewSectionPadding; i++) { DecompressedImage[File.BinaryOffset + Binary.Length + i] = PaddingByteValue; } } // Calculate File-checksum CalculateFileChecksum(DecompressedImage, File.FileOffset); // Calculate Volume-checksum CalculateVolumeChecksum(DecompressedImage, DecompressedVolumeHeaderOffset); }
internal byte[] GenerateExtraSector(byte[] PartitionHeader) { UInt32?Offset = ByteOperations.FindPattern(Binary, new byte[] { 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, null, null); if (Offset == null) { throw new BadImageFormatException(); } UInt32 PartitionLoaderTableOffset = (UInt32)Offset; byte[] FoundPattern = new byte[0x10]; Offset = ByteOperations.FindPattern(Binary, new byte[] { 0x04, 0x00, 0x9F, 0xE5, 0x28, 0x00, 0xD0, 0xE5, 0x1E, 0xFF, 0x2F, 0xE1, 0xFF, 0xFF, 0xFF, 0xFF }, new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF }, FoundPattern); if (Offset == null) { throw new BadImageFormatException(); } UInt32 SharedMemoryAddress = ByteOperations.ReadUInt32(FoundPattern, 0x0C); UInt32 GlobalIsSecurityEnabledAddress = SharedMemoryAddress + 0x28; Offset = ByteOperations.FindPattern(Binary, new byte[] { 0x01, 0xFF, 0xA0, 0xE3, 0xFF, 0xFF, 0xA0, 0xE1, 0x1C, 0xD0, 0x8D, 0xE2, 0xF0, 0x4F, 0xBD, 0xE8, 0x1E, 0xFF, 0x2F, 0xE1 }, new byte[] { 0x00, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, null); if (Offset == null) { throw new BadImageFormatException(); } UInt32 ReturnAddress = (UInt32)Offset - ImageOffset + ImageAddress; byte[] Sector = new byte[0x200]; Array.Clear(Sector, 0, 0x200); byte[] Content = new byte[] { 0x16, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x28, 0xBD, 0x02, 0x00, 0xD8, 0x01, 0x00, 0x00, 0xD8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0xE3, 0x3C, 0x10, 0x9F, 0xE5, 0x00, 0x00, 0xC1, 0xE5, 0x38, 0x00, 0x9F, 0xE5, 0x38, 0x10, 0x9F, 0xE5, 0x00, 0x00, 0x81, 0xE5, 0x34, 0x10, 0x9F, 0xE5, 0x00, 0x00, 0x81, 0xE5, 0x30, 0x00, 0x9F, 0xE5, 0x20, 0x10, 0x9F, 0xE5, 0x2C, 0x30, 0x9F, 0xE5, 0x00, 0x20, 0x90, 0xE5, 0x00, 0x20, 0x81, 0xE5, 0x04, 0x00, 0x80, 0xE2, 0x04, 0x10, 0x81, 0xE2, 0x03, 0x00, 0x50, 0xE1, 0xF9, 0xFF, 0xFF, 0xBA, 0x14, 0xF0, 0x9F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x02, 0x00, 0x90, 0xBF, 0x02, 0x00, 0xD0, 0xBF, 0x02, 0x00, 0xA0, 0xBD, 0x02, 0x00, 0xA0, 0xBE, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00 }; byte[] PartitionTypeGuid = new byte[] { 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74 }; Buffer.BlockCopy(Content, 0, Sector, 0, Content.Length); // Overwrite first part of partition-header with model-specific header Buffer.BlockCopy(PartitionHeader, 0, Sector, 0, PartitionHeader.Length); ByteOperations.WriteUInt32(Sector, 0x70, GlobalIsSecurityEnabledAddress); ByteOperations.WriteUInt32(Sector, 0x88, ReturnAddress); Buffer.BlockCopy(Binary, (int)PartitionLoaderTableOffset, Sector, 0xA0, 0x50); ByteOperations.WriteUInt32(Sector, 0xA0 + 0x30, 0); Buffer.BlockCopy(Binary, (int)PartitionLoaderTableOffset, Sector, 0xF0, 0x50); ByteOperations.WriteUInt32(Sector, 0xF0 + 0x2C, 0); ByteOperations.WriteUInt32(Sector, 0xF0 + 0x38, 0x210F0); Buffer.BlockCopy(PartitionTypeGuid, 0, Sector, 0x190, 0x10); ByteOperations.WriteUInt32(Sector, 0x1FC, 0x0002BD28); return(Sector); }
public bool ConnectToProgrammerInTestMode() { // Behaviour of old firehose: // Takes about 20 ms to be started. // Then PC has to start talking to the phone. // Behaviour of new firehose: // After 2000 ms the firehose starts talking to the PC // // For the duration of 2.5 seconds we will send Hello packages // And also wait for incoming messages // An incoming message can be a response to our outgoing Hello packet (read incoming until "response value") // Or it can be an incoming Hello-packet from the programmer (always 2 packets, starting with "Chip serial num") // Sending the hello-packet can succeed immediately, or it can timeout. // When sending succeeds, an answer should be incoming immediately to complete the handshake. // When an incoming Hello was received, the phone still expects to receive another Hello. byte[] HelloPacketFromPcToProgrammer = new byte[0x20C]; ByteOperations.WriteUInt32(HelloPacketFromPcToProgrammer, 0, 0x57503730); ByteOperations.WriteUInt32(HelloPacketFromPcToProgrammer, 0x28, 0x57503730); ByteOperations.WriteUInt32(HelloPacketFromPcToProgrammer, 0x208, 0x57503730); ByteOperations.WriteUInt16(HelloPacketFromPcToProgrammer, 0x48, 0x4445); int HelloSendCount = 0; bool HandshakeCompleted = false; string Incoming; do { Serial.SetTimeOut(200); HelloSendCount++; try { LogFile.Log("Send Hello to programmer (" + HelloSendCount.ToString() + ")", LogType.FileOnly); Serial.SendData(HelloPacketFromPcToProgrammer); LogFile.Log("Hello packet accepted", LogType.FileOnly); } catch { LogFile.Log("Hello packet not accepted", LogType.FileOnly); } try { Serial.SetTimeOut(500); Incoming = System.Text.Encoding.ASCII.GetString(Serial.GetResponse(null)); LogFile.Log("In: " + Incoming, LogType.FileOnly); Serial.SetTimeOut(200); if (Incoming.Contains("Chip serial num")) { Incoming = System.Text.Encoding.ASCII.GetString(Serial.GetResponse(null)); LogFile.Log("In: " + Incoming, LogType.FileOnly); LogFile.Log("Incoming Hello-packets received", LogType.FileOnly); } while (Incoming.IndexOf("response value") < 0) { Incoming = System.Text.Encoding.ASCII.GetString(Serial.GetResponse(null)); LogFile.Log("In: " + Incoming, LogType.FileOnly); } ; LogFile.Log("Incoming Hello-response received", LogType.FileOnly); HandshakeCompleted = true; } catch { } }while (!HandshakeCompleted && (HelloSendCount < 6)); if (HandshakeCompleted) { LogFile.Log("Handshake completed with programmer in testmode", LogType.FileOnly); } else { LogFile.Log("Handshake with programmer failed", LogType.FileOnly); } return(HandshakeCompleted); }