From 97f367de2f7e39a5e6f66a90c76c0b01af80dbff Mon Sep 17 00:00:00 2001
From: JayPiKay <jpk@goatpr0n.de>
Date: Wed, 11 Aug 2021 10:58:02 +0200
Subject: [PATCH] PoC: Set SSID 77777777 and Pass 88888888

---
 main.c | 332 +++++++++++++++++++++++++++++++--------------------------
 1 file changed, 182 insertions(+), 150 deletions(-)

diff --git a/main.c b/main.c
index 7d70574..cb4703b 100644
--- a/main.c
+++ b/main.c
@@ -9,6 +9,12 @@
 
 #include "config.h"
 
+#define ERR_EXIT(errcode) do { perr("   %s\n", libusb_strerror((enum libusb_error)errcode)); return -1; } while (0)
+#define CALL_CHECK(fcall) do { int _r=fcall; if (_r < 0) ERR_EXIT(_r); } while (0)
+#define CALL_CHECK_CLOSE(fcall, hdl) do { int _r=fcall; if (_r < 0) { libusb_close(hdl); ERR_EXIT(_r); } } while (0)
+
+#define REQUEST_SENSE_LENGTH 0x12
+
 // Section 5.1: Command Block Wrapper (CBW)
 struct command_block_wrapper {
     uint8_t dCBWSignature[4];
@@ -45,14 +51,10 @@ static const uint8_t cdb_length[256] = {
     00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,  //  C
     00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,  //  D
     00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,  //  E
-    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,  //  F
+    00,00,00,00,00,00,00,00,00,00,00,00,00,16,16,16,  //  F
 };
 
-
-#define REQUEST_SENSE_LENGTH 0x12
-
-
-static struct libusb_device_handle *devh = NULL;
+// static struct libusb_device_handle *devh = NULL;
 
 static void perr(char const *format, ...)
 {
@@ -63,6 +65,34 @@ static void perr(char const *format, ...)
 	va_end(args);
 }
 
+static void display_buffer_hex(unsigned char *buffer, unsigned size)
+{
+	unsigned i, j, k;
+
+	for (i=0; i<size; i+=16) {
+		printf("\n  %08x  ", i);
+		for(j=0,k=0; k<16; j++,k++) {
+			if (i+j < size) {
+				printf("%02x", buffer[i+j]);
+			} else {
+				printf("  ");
+			}
+			printf(" ");
+		}
+		printf(" ");
+		for(j=0,k=0; k<16; j++,k++) {
+			if (i+j < size) {
+				if ((buffer[i+j] < 32) || (buffer[i+j] > 126)) {
+					printf(".");
+				} else {
+					printf("%c", buffer[i+j]);
+				}
+			}
+		}
+	}
+	printf("\n" );
+}
+
 static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpoint, uint8_t lun,
         uint8_t *cdb, uint8_t direction, int data_length, uint32_t *ret_tag)
 {
@@ -80,6 +110,8 @@ static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpo
         return -1;
     }
 
+    display_buffer_hex(cdb, cdb_length[cdb[0]]);
+
     cdb_len = cdb_length[cdb[0]];
     if ((cdb_len == 0) || (cdb_len > sizeof(cbw.CBWCB))) {
         perr("send_mass_storage_command: don't know how to handle this command (%02X, length %d)\n",
@@ -111,178 +143,178 @@ static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpo
         i++;
     } while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
     if (r != LIBUSB_SUCCESS) {
-        perr("   send_mass_storage_command: %s\n", libusb_strerror((enum libusb_error)r));
+        perr("send_mass_storage_command: %s\n", libusb_strerror((enum libusb_error)r));
         return -1;
     }
 
-    printf("   sent %d CDB bytes\n", cdb_len);
+    printf("sent %d CDB bytes\n", cdb_len);
     return 0;
 }
 
-static libusb_device_handle *open_actionpro()
-{
-    ssize_t devc;
-    libusb_device **dev_list;
-    static libusb_device *dev = NULL;
-    struct libusb_device_descriptor dev_desc;
-    struct libusb_config_descriptor *dev_conf = NULL;
-    const struct libusb_interface *iface = NULL;
-    const struct libusb_interface_descriptor *iface_desc = NULL;
-
-    int res = 0;
-
-    devc = libusb_get_device_list(NULL, &dev_list);
-    if (devc < 1) {
-        return NULL;
-    }
-
-    for (int i = 0; i < devc; i++) {
-        dev = dev_list[i];
-        if (libusb_get_device_descriptor(dev, &dev_desc)) {
-            continue;
-        }
-
-        if ((dev_desc.idVendor != VENDOR_ID || dev_desc.idProduct != PRODUCT_ID)) {
-            continue;
-        }
-
-        res = libusb_open(dev, &devh);
-        if (res < 0) {
-            perror("libusb_open");
-            return(NULL);
-        }
-
-        for (int j = 0; j < dev_desc.bNumConfigurations; j++) {
-            if (libusb_get_config_descriptor(dev, j, &dev_conf)) {
-                continue;
-            }
-
-            for (int k = 0; k < dev_conf->bNumInterfaces; k++) {
-                iface = &dev_conf->interface[k];
-                for (int l = 0; l < iface->num_altsetting; l++) {
-                    iface_desc = &iface->altsetting[l];
-                    if (libusb_kernel_driver_active(devh, iface_desc->bInterfaceNumber)) {
-                        libusb_detach_kernel_driver(devh, iface_desc->bInterfaceNumber);
-                    }
-
-                    libusb_set_configuration(devh, dev_conf->bConfigurationValue);
-                    libusb_claim_interface(devh, iface_desc->bInterfaceNumber);
-
-                    int e = 0;
-                    while (libusb_claim_interface(devh, iface_desc->bInterfaceNumber) && (e < 10)) {
-                        sleep(1);
-                        e++;
-                    }
-                }
-            }
-
-            libusb_free_config_descriptor(dev_conf);
-        }
-
-        return devh;
-    }
-
-    devh = NULL;
-    return NULL;
-}
-
 static int get_mass_storage_status(libusb_device_handle *handle, uint8_t endpoint, uint32_t expected_tag)
 {
-	int i, r, size;
-	struct command_status_wrapper csw;
+    int i, r, size;
+    struct command_status_wrapper csw;
 
-	// The device is allowed to STALL this transfer. If it does, you have to
-	// clear the stall and try again.
-	i = 0;
-	do {
-		r = libusb_bulk_transfer(handle, endpoint, (unsigned char*)&csw, 13, &size, 1000);
-		if (r == LIBUSB_ERROR_PIPE) {
-			libusb_clear_halt(handle, endpoint);
-		}
-		i++;
-	} while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
-	if (r != LIBUSB_SUCCESS) {
-		perr("   get_mass_storage_status: %s\n", libusb_strerror((enum libusb_error)r));
-		return -1;
-	}
-	if (size != 13) {
-		perr("   get_mass_storage_status: received %d bytes (expected 13)\n", size);
-		return -1;
-	}
-	if (csw.dCSWTag != expected_tag) {
-		perr("   get_mass_storage_status: mismatched tags (expected %08X, received %08X)\n",
-			expected_tag, csw.dCSWTag);
-		return -1;
-	}
-	// For this test, we ignore the dCSWSignature check for validity...
-	printf("   Mass Storage Status: %02X (%s)\n", csw.bCSWStatus, csw.bCSWStatus?"FAILED":"Success");
-	if (csw.dCSWTag != expected_tag)
-		return -1;
-	if (csw.bCSWStatus) {
-		// REQUEST SENSE is appropriate only if bCSWStatus is 1, meaning that the
-		// command failed somehow.  Larger values (2 in particular) mean that
-		// the command couldn't be understood.
-		if (csw.bCSWStatus == 1)
-			return -2;	// request Get Sense
-		else
-			return -1;
-	}
+    // The device is allowed to STALL this transfer. If it does, you have to
+    // clear the stall and try again.
+    i = 0;
+    do {
+        r = libusb_bulk_transfer(handle, endpoint, (unsigned char*)&csw, 13, &size, 1000);
+        if (r == LIBUSB_ERROR_PIPE) {
+            libusb_clear_halt(handle, endpoint);
+        }
+        i++;
+    } while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
+    if (r != LIBUSB_SUCCESS) {
+        perr("get_mass_storage_status: %s\n", libusb_strerror((enum libusb_error)r));
+        return -1;
+    }
+    if (size != 13) {
+        perr("get_mass_storage_status: received %d bytes (expected 13)\n", size);
+        return -1;
+    }
+    if (csw.dCSWTag != expected_tag) {
+        perr("get_mass_storage_status: mismatched tags (expected %08X, received %08X)\n",
+                expected_tag, csw.dCSWTag);
+        return -1;
+    }
+    // For this test, we ignore the dCSWSignature check for validity...
+    printf("Mass Storage Status: %02X (%s)\n", csw.bCSWStatus, csw.bCSWStatus?"FAILED":"Success");
+    if (csw.dCSWTag != expected_tag)
+        return -1;
+    if (csw.bCSWStatus) {
+        // REQUEST SENSE is appropriate only if bCSWStatus is 1, meaning that the
+        // command failed somehow.  Larger values (2 in particular) mean that
+        // the command couldn't be understood.
+        if (csw.bCSWStatus == 1)
+            return -2;	// request Get Sense
+        else
+            return -1;
+    }
 
-	// In theory we also should check dCSWDataResidue.  But lots of devices
-	// set it wrongly.
-	return 0;
+    // In theory we also should check dCSWDataResidue.  But lots of devices
+    // set it wrongly.
+    return 0;
 }
 
-
 int main(int argc, char *argv[])
 {
-    int res = 0;
-    uint8_t cdb[16];
-    uint8_t sense[18];
-    int transferred = 0;
+    int r = 0, e = 0;
+    struct libusb_device_handle *handle = NULL;
+    struct libusb_device **devs;
+    struct libusb_device *dev;
+    struct libusb_device_descriptor desc;
+    
+    /* Init libusb */
+    r = libusb_init(NULL);
+    if (r < 0)
+    {
+        printf("\nfailed to initialise libusb\n");
+        return 1;
+    }
+
+    handle = libusb_open_device_with_vid_pid(NULL, VENDOR_ID, PRODUCT_ID);
+    if(handle == NULL) {
+        printf("\nError in device opening!");
+    } else {
+        printf("\nDevice Opened");
+    }
+
+    libusb_set_configuration(handle, 1);
+    if(libusb_kernel_driver_active(handle, 0) == 1) {
+        printf("\nKernel Driver Active");
+        if(libusb_detach_kernel_driver(handle, 0) == 0) {
+            printf("\nKernel Driver Detached!");
+        }
+    }
+
+    e = libusb_claim_interface(handle, 0);
+    if(e < 0) {
+        printf("\nCannot Claim Interface"); 
+    } else {
+        printf("\nClaimed Interface");
+    }
 
     uint32_t expected_tag = 0;
+    uint8_t cdb[16];
+    uint8_t sense[18];
+    int size;
+    int rc;
 
-    res = libusb_init(NULL);
-    if (res < 0) {
-        perror("libusb_init");
-        fprintf(stderr, "Error: %s\n", libusb_strerror(res));
-        exit(EXIT_FAILURE);
+    memset(cdb, 0, sizeof(cdb));
+    cdb[0] = 0x03;
+    cdb[4] = REQUEST_SENSE_LENGTH;
+    send_mass_storage_command(handle, 0x01, 0, cdb, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
+    rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
+    if (rc < 0)
+    {
+        printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
+        return 1;
     }
+    printf("received %d bytes\n", size);
 
-    if (!open_actionpro()) {
-        fprintf(stderr, "Error opening device, no ACTIONPRO X7 found!\n");
-        libusb_exit(NULL);
-        exit(EXIT_FAILURE);
+    rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
+    if (rc < 0)
+    {
+        printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
+        return 1;
     }
+    printf("received %d bytes\n", size);
 
-    unsigned char cmd[] = "\xfe\x00\x58\x37\x41\x50\x50\x41\x53\x00\x00\x00\x00\x00\x00\x00";
-
-    memset(sense, 0, sizeof(sense));
     memset(cdb, 0, sizeof(cdb));
     cdb[0] = 0x03;
     cdb[4] = REQUEST_SENSE_LENGTH;
 
-    send_mass_storage_command(devh, 0x01, 0, cdb, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
-    res = libusb_bulk_transfer(devh, 0x81, (unsigned char *)&sense, REQUEST_SENSE_LENGTH, &transferred, 1000);
-    if (res < 0) {
-        perror("libusb_bulk_transfer");
-        fprintf(stderr, "Error: %s\n", libusb_strerror(res));
-
-        libusb_release_interface(devh, 0);
-        libusb_reset_device(devh);
-        libusb_close(devh);
-        
-        libusb_exit(NULL);
-
-        exit(EXIT_FAILURE);
+    unsigned char cmd[] = "\xfe\x00\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x00\x00\x00\x00";
+    send_mass_storage_command(handle, 0x01, 0, cmd, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
+    rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
+    if (rc < 0)
+    {
+        printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
+        return 1;
     }
+    printf("received %d bytes\n", size);
 
-    get_mass_storage_status(devh, 0x1, expected_tag);
+    memset(cdb, 0, sizeof(cdb));
+    cdb[0] = 0x03;
+    cdb[4] = REQUEST_SENSE_LENGTH;
+    send_mass_storage_command(handle, 0x01, 0, cdb, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
+    rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
+    if (rc < 0)
+    {
+        printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
+        return 1;
+    }
+    printf("received %d bytes\n", size);
 
-    libusb_release_interface(devh, 0);
-    libusb_reset_device(devh);
-    libusb_close(devh);
+    rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
+    if (rc < 0)
+    {
+        printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
+        return 1;
+    }
+    printf("received %d bytes\n", size);
+
+    memset(cdb, 0, sizeof(cdb));
+    cdb[0] = 0x03;
+    cdb[4] = REQUEST_SENSE_LENGTH;
+
+    unsigned char cmd2[] = "\xfd\x00\x38\x38\x38\x38\x38\x38\x38\x38\x38\x38\x00\x00\x00\x00";
+    send_mass_storage_command(handle, 0x01, 0, cmd2, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
+    rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
+    if (rc < 0)
+    {
+        printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
+        return 1;
+    }
+    printf("received %d bytes\n", size);
+
+    //get_mass_storage_status(handle, 0x01, expected_tag);
+
+    libusb_release_interface(handle, 0);
+    libusb_reset_device(handle);
+    libusb_close(handle);
 
     libusb_exit(NULL);