Fix issue 0x7ff#11

gaster.c

@@ -56,6 +56,7 @@
 #define DFU_STATE_MANIFEST_WAIT_RESET (8)
 #define DONE_MAGIC (0x646F6E65646F6E65ULL)
 #define EXEC_MAGIC (0x6578656365786563ULL)
+#define MEMC_MAGIC (0x6D656D636D656D63ULL)
 #define USB_MAX_STRING_DESCRIPTOR_IDX (10)
 
 #define LZSS_F (18)
@@ -1239,10 +1240,10 @@ checkm8_stage_patch(const usb_handle_t *handle) {
 		uint32_t pwnd[4], payload_dest, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor;
 	} notA9_armv7;
 	struct {
-		uint64_t handle_interface_request, insecure_memory_base, exec_magic, done_magic, usb_core_do_transfer;
+		uint64_t handle_interface_request, insecure_memory_base, exec_magic, done_magic, memc_magic, memcpy_addr, usb_core_do_transfer;
 	} handle_checkm8_request;
 	struct {
-		uint32_t handle_interface_request, insecure_memory_base, exec_magic, done_magic, usb_core_do_transfer;
+		uint32_t handle_interface_request, insecure_memory_base, exec_magic, done_magic, memc_magic, memcpy_addr, usb_core_do_transfer;
 	} handle_checkm8_request_armv7;
 	callback_t callbacks[] = {
 		{ write_ttbr0, insecure_memory_base },
@@ -1349,6 +1350,8 @@ checkm8_stage_patch(const usb_handle_t *handle) {
 				handle_checkm8_request.insecure_memory_base = insecure_memory_base;
 				handle_checkm8_request.exec_magic = EXEC_MAGIC;
 				handle_checkm8_request.done_magic = DONE_MAGIC;
+				handle_checkm8_request.memc_magic = MEMC_MAGIC;
+				handle_checkm8_request.memcpy_addr = memcpy_addr;
 				handle_checkm8_request.usb_core_do_transfer = usb_core_do_transfer;
 				memcpy(data + data_sz, &handle_checkm8_request, sizeof(handle_checkm8_request));
 				data_sz += sizeof(handle_checkm8_request);
@@ -1375,6 +1378,8 @@ checkm8_stage_patch(const usb_handle_t *handle) {
 				handle_checkm8_request.insecure_memory_base = insecure_memory_base;
 				handle_checkm8_request.exec_magic = EXEC_MAGIC;
 				handle_checkm8_request.done_magic = DONE_MAGIC;
+				handle_checkm8_request.memc_magic = MEMC_MAGIC;
+				handle_checkm8_request.memcpy_addr = memcpy_addr;
 				handle_checkm8_request.usb_core_do_transfer = usb_core_do_transfer;
 				memcpy(data + data_sz, &handle_checkm8_request, sizeof(handle_checkm8_request));
 				data_sz += sizeof(handle_checkm8_request);
@@ -1397,6 +1402,8 @@ checkm8_stage_patch(const usb_handle_t *handle) {
 				handle_checkm8_request_armv7.insecure_memory_base = (uint32_t)insecure_memory_base;
 				handle_checkm8_request_armv7.exec_magic = (uint32_t)EXEC_MAGIC;
 				handle_checkm8_request_armv7.done_magic = (uint32_t)DONE_MAGIC;
+				handle_checkm8_request_armv7.memc_magic = (uint32_t)MEMC_MAGIC;
+				handle_checkm8_request_armv7.memcpy_addr = (uint32_t)memcpy_addr;
 				handle_checkm8_request_armv7.usb_core_do_transfer = (uint32_t)usb_core_do_transfer;
 				memcpy(data + data_sz, &handle_checkm8_request_armv7, sizeof(handle_checkm8_request_armv7));
 				data_sz += sizeof(handle_checkm8_request_armv7);
@@ -1738,12 +1745,12 @@ gaster_command(usb_handle_t *handle, void *request_data, size_t request_len, uin
 static bool
 gaster_aes(usb_handle_t *handle, uint32_t cmd, const uint8_t *src, uint8_t *dst, size_t len, uint32_t options) {
 	uint8_t data[DFU_MAX_TRANSFER_SZ], *response;
+	struct {
+		uint32_t magic_0, magic_1, func, pad, r[8];
+	} exec_cmd_armv7;
 	struct {
 		uint64_t magic, func, x[8];
 	} exec_cmd;
-	struct {
-		uint32_t magic, func, r[8];
-	} exec_cmd_armv7;
 	uint32_t r_armv7;
 	size_t data_sz;
 	uint64_t r;
@@ -1778,11 +1785,13 @@ gaster_aes(usb_handle_t *handle, uint32_t cmd, const uint8_t *src, uint8_t *dst,
 			return true;
 		}
 	} else {
-		exec_cmd_armv7.magic = (uint32_t)EXEC_MAGIC;
+		exec_cmd_armv7.magic_0 = (uint32_t)EXEC_MAGIC;
+		exec_cmd_armv7.magic_1 = (uint32_t)EXEC_MAGIC;
 		exec_cmd_armv7.func = (uint32_t)aes_crypto_cmd;
+		exec_cmd_armv7.pad = 0;
 		exec_cmd_armv7.r[0] = cmd;
-		exec_cmd_armv7.r[1] = (uint32_t)(insecure_memory_base + 9 * sizeof(r_armv7));
-		exec_cmd_armv7.r[2] = (uint32_t)(insecure_memory_base + 2 * sizeof(r_armv7));
+		exec_cmd_armv7.r[1] = (uint32_t)(insecure_memory_base + 11 * sizeof(r_armv7));
+		exec_cmd_armv7.r[2] = (uint32_t)(insecure_memory_base + 4 * sizeof(r_armv7));
 		exec_cmd_armv7.r[3] = (uint32_t)len;
 		exec_cmd_armv7.r[4] = options;
 		exec_cmd_armv7.r[5] = 0;
@@ -1791,18 +1800,28 @@ gaster_aes(usb_handle_t *handle, uint32_t cmd, const uint8_t *src, uint8_t *dst,
 		data_sz = sizeof(exec_cmd_armv7) - sizeof(r_armv7);
 		memcpy(data + data_sz, src, len);
 		data_sz += len;
-		if(gaster_command(handle, data, data_sz, &response, len + 2 * sizeof(r_armv7))) {
+		if(gaster_command(handle, data, data_sz, &response, len + 4 * sizeof(r_armv7))) {
 			memcpy(&r_armv7, response, sizeof(r_armv7));
 			if(r_armv7 != (uint32_t)DONE_MAGIC) {
 				free(response);
 				return false;
 			}
 			memcpy(&r_armv7, response + sizeof(r_armv7), sizeof(r_armv7));
+			if(r_armv7 != (uint32_t)DONE_MAGIC) {
+				free(response);
+				return false;
+			}
+			memcpy(&r_armv7, response + 2 * sizeof(r_armv7), sizeof(r_armv7));
+			if(r_armv7 != 0) {
+				free(response);
+				return false;
+			}
+			memcpy(&r_armv7, response + 3 * sizeof(r_armv7), sizeof(r_armv7));
 			if(r_armv7 != 0) {
 				free(response);
 				return false;
 			}
-			memcpy(dst, response + 2 * sizeof(r_armv7), len);
+			memcpy(dst, response + 4 * sizeof(r_armv7), len);
 			free(response);
 			return true;
 		}

payload_handle_checkm8_request.S

@@ -20,7 +20,9 @@
 .set insecure_memory_base,     0x7FFFFFF1
 .set exec_magic,               0x7FFFFFF2
 .set done_magic,               0x7FFFFFF3
-.set usb_core_do_transfer,     0x7FFFFFF4
+.set memc_magic,               0x7FFFFFF4
+.set memcpy_addr,              0x7FFFFFF5
+.set usb_core_do_transfer,     0x7FFFFFF6
 
 .global _main
 _main:
@@ -41,17 +43,28 @@ _main:
 	ldr x0, [x20]
 	ldr x1, =exec_magic
 	cmp x0, x1
-	bne _request_done
+	bne _not_exec
 	str xzr, [x20]
 	ldp x0, x1, [x20, #0x10]
 	ldp x2, x3, [x20, #0x20]
 	ldp x4, x5, [x20, #0x30]
-	ldr x6, [x20, #0x40]
-	ldr x7, [x20, #0x48]
+	ldp x6, x7, [x20, #0x40]
 	ldr x8, [x20, #0x8]
 	blr x8
 	ldr x8, =done_magic
 	stp x8, x0, [x20]
+	b _request_done
+_not_exec:
+	ldr x1, =memc_magic
+	cmp x0, x1
+	bne _request_done
+	str xzr, [x20]
+	ldp x0, x1, [x20, #0x10]
+	ldr x2, [x20, #0x20]
+	ldr x3, =memcpy_addr
+	blr x3
+	ldr x8, =done_magic
+	stp x8, x0, [x20]
 _request_done:
 	mov w0, #0x80
 	mov x1, x20

payload_handle_checkm8_request_armv7.S

@@ -20,7 +20,9 @@
 .set insecure_memory_base,     0x7FFFFF1
 .set exec_magic,               0x7FFFFF2
 .set done_magic,               0x7FFFFF3
-.set usb_core_do_transfer,     0x7FFFFF4
+.set memc_magic,               0x7FFFFF4
+.set memcpy_addr,              0x7FFFFF5
+.set usb_core_do_transfer,     0x7FFFFF6
 
 .thumb
 .global _main
@@ -42,20 +44,38 @@ _main:
 	ldrd r0, r1, [r5]
 	ldr r2, =exec_magic
 	cmp r0, r2
-	bne _request_done
+	bne _not_exec
+	cmp r1, r2
+	bne _not_exec
 	mov r1, #0
 	str r1, [r5]
-	ldrd r0, r1, [r5, #0x18]
-	strd r0, r1, [sp]
 	ldrd r0, r1, [r5, #0x20]
+	strd r0, r1, [sp]
+	ldrd r0, r1, [r5, #0x28]
 	strd r0, r1, [sp, #0x8]
-	ldrd r0, r1, [r5, #0x8]
-	ldrd r2, r3, [r5, #0x10]
-	ldr r6, [r5, #0x4]
+	ldrd r0, r1, [r5, #0x10]
+	ldrd r2, r3, [r5, #0x18]
+	ldr r6, [r5, #0x8]
 	blx r6
 	ldr r2, =done_magic
-	str r0, [r5, #0x4]
-	str r2, [r5]
+	str r0, [r5, #0x8]
+	strd r2, r2, [r5]
+	b _request_done
+_not_exec:
+	ldr r2, =memc_magic
+	cmp r0, r2
+	bne _request_done
+	cmp r1, r2
+	bne _request_done
+	mov r1, #0
+	strd r1, r1, [r5]
+	ldrd r0, r1, [r5, #0x10]
+	ldr r2, [r5, #0x18]
+	ldr r3, =memcpy_addr
+	blx r3
+	ldr r2, =done_magic
+	str r0, [r5, #0x8]
+	strd r2, r2, [r5]
 _request_done:
 	mov r0, #0x80
 	mov r1, r5