diff --git a/main.js b/main.js
index 7b82ef6..02fd37c 100644
--- a/main.js
+++ b/main.js
@@ -1,21 +1,21 @@
function logOutput(...message) {
- document.getElementById("output").innerHTML = document.getElementById("output").innerHTML + message.join(" ") + "
";
+ document.getElementById("output").innerHTML =
+ document.getElementById("output").innerHTML + message.join(" ") + "
";
}
function clearLog() {
document.getElementById("output").innerHTML = "";
}
-async function getPayloadList(){
+async function getPayloadList() {
return fetch("payloads/payloads.json")
- .then((response) => {
- if(!response.ok)
- throw new Error(response.status);
- return response.json();
- })
- .then((data) => {
- return data.payloads;
- });
+ .then((response) => {
+ if (!response.ok) throw new Error(response.status);
+ return response.json();
+ })
+ .then((data) => {
+ return data.payloads;
+ });
}
(async () => {
@@ -23,9 +23,10 @@ async function getPayloadList(){
let payloadList;
try {
payloadList = await getPayloadList();
-
} catch (error) {
- logOutput("There was a problem retreiving the payload list. Error: " + error);
+ logOutput(
+ "There was a problem retreiving the payload list. Error: " + error,
+ );
return;
}
payloadList.forEach((payload) => {
@@ -36,55 +37,60 @@ async function getPayloadList(){
payloadSelect.appendChild(payloadOption);
});
+})();
-})()
-
-async function getPayload(payloadSrc){
- return fetch(payloadSrc)
- .then((response) => {
- if(!response.ok)
- throw new Error(response.status);
- return response.arrayBuffer();
- });
+async function getPayload(payloadSrc) {
+ return fetch(payloadSrc).then((response) => {
+ if (!response.ok) throw new Error(response.status);
+ return response.arrayBuffer();
+ });
}
const intermezzo = new Uint8Array([
- 0x44, 0x00, 0x9F, 0xE5, 0x01, 0x11, 0xA0, 0xE3, 0x40, 0x20, 0x9F, 0xE5, 0x00, 0x20, 0x42, 0xE0,
- 0x08, 0x00, 0x00, 0xEB, 0x01, 0x01, 0xA0, 0xE3, 0x10, 0xFF, 0x2F, 0xE1, 0x00, 0x00, 0xA0, 0xE1,
- 0x2C, 0x00, 0x9F, 0xE5, 0x2C, 0x10, 0x9F, 0xE5, 0x02, 0x28, 0xA0, 0xE3, 0x01, 0x00, 0x00, 0xEB,
- 0x20, 0x00, 0x9F, 0xE5, 0x10, 0xFF, 0x2F, 0xE1, 0x04, 0x30, 0x90, 0xE4, 0x04, 0x30, 0x81, 0xE4,
- 0x04, 0x20, 0x52, 0xE2, 0xFB, 0xFF, 0xFF, 0x1A, 0x1E, 0xFF, 0x2F, 0xE1, 0x20, 0xF0, 0x01, 0x40,
- 0x5C, 0xF0, 0x01, 0x40, 0x00, 0x00, 0x02, 0x40, 0x00, 0x00, 0x01, 0x40
+ 0x44, 0x00, 0x9f, 0xe5, 0x01, 0x11, 0xa0, 0xe3, 0x40, 0x20, 0x9f, 0xe5, 0x00,
+ 0x20, 0x42, 0xe0, 0x08, 0x00, 0x00, 0xeb, 0x01, 0x01, 0xa0, 0xe3, 0x10, 0xff,
+ 0x2f, 0xe1, 0x00, 0x00, 0xa0, 0xe1, 0x2c, 0x00, 0x9f, 0xe5, 0x2c, 0x10, 0x9f,
+ 0xe5, 0x02, 0x28, 0xa0, 0xe3, 0x01, 0x00, 0x00, 0xeb, 0x20, 0x00, 0x9f, 0xe5,
+ 0x10, 0xff, 0x2f, 0xe1, 0x04, 0x30, 0x90, 0xe4, 0x04, 0x30, 0x81, 0xe4, 0x04,
+ 0x20, 0x52, 0xe2, 0xfb, 0xff, 0xff, 0x1a, 0x1e, 0xff, 0x2f, 0xe1, 0x20, 0xf0,
+ 0x01, 0x40, 0x5c, 0xf0, 0x01, 0x40, 0x00, 0x00, 0x02, 0x40, 0x00, 0x00, 0x01,
+ 0x40,
]);
const RCM_PAYLOAD_ADDRESS = 0x40010000;
-const INTERMEZZO_LOCATION = 0x4001F000;
+const INTERMEZZO_LOCATION = 0x4001f000;
const PAYLOAD_LOAD_BLOCK = 0x40020000;
function createRCMPayload(intermezzo, payload) {
const rcmLength = 0x30298;
- const intermezzoAddressRepeatCount = (INTERMEZZO_LOCATION - RCM_PAYLOAD_ADDRESS) / 4;
+ const intermezzoAddressRepeatCount =
+ (INTERMEZZO_LOCATION - RCM_PAYLOAD_ADDRESS) / 4;
- const rcmPayloadSize = Math.ceil((0x2A8 + (0x4 * intermezzoAddressRepeatCount) + 0x1000 + payload.byteLength) / 0x1000) * 0x1000;
+ const rcmPayloadSize =
+ Math.ceil(
+ (0x2a8 +
+ 0x4 * intermezzoAddressRepeatCount +
+ 0x1000 +
+ payload.byteLength) /
+ 0x1000,
+ ) * 0x1000;
- const rcmPayload = new Uint8Array(new ArrayBuffer(rcmPayloadSize))
+ const rcmPayload = new Uint8Array(new ArrayBuffer(rcmPayloadSize));
const rcmPayloadView = new DataView(rcmPayload.buffer);
rcmPayloadView.setUint32(0x0, rcmLength, true);
for (let i = 0; i < intermezzoAddressRepeatCount; i++) {
- rcmPayloadView.setUint32(0x2A8 + i * 4, INTERMEZZO_LOCATION, true);
+ rcmPayloadView.setUint32(0x2a8 + i * 4, INTERMEZZO_LOCATION, true);
}
- rcmPayload.set(intermezzo, 0x2A8 + (0x4 * intermezzoAddressRepeatCount));
- rcmPayload.set(payload, 0x2A8 + (0x4 * intermezzoAddressRepeatCount) + 0x1000);
+ rcmPayload.set(intermezzo, 0x2a8 + 0x4 * intermezzoAddressRepeatCount);
+ rcmPayload.set(payload, 0x2a8 + 0x4 * intermezzoAddressRepeatCount + 0x1000);
return rcmPayload;
}
-
-
function bufferToHex(data) {
let result = "";
for (let i = 0; i < data.byteLength; i++)
@@ -92,8 +98,6 @@ function bufferToHex(data) {
return result;
}
-
-
async function write(device, data) {
let length = data.length;
let writeCount = 0;
@@ -112,14 +116,12 @@ async function write(device, data) {
return writeCount;
}
-
-
function readFileAsArrayBuffer(file) {
return new Promise((res, rej) => {
const reader = new FileReader();
- reader.onload = e => {
+ reader.onload = (e) => {
res(e.target.result);
- }
+ };
reader.readAsArrayBuffer(file);
});
}
@@ -151,32 +153,41 @@ async function launchPayload(payload) {
logOutput("Trigging vulnerability...");
const vulnerabilityLength = 0x7000;
- const smash = await device.controlTransferIn({
- requestType: 'standard',
- recipient: 'interface',
- request: 0x00,
- value: 0x00,
- index: 0x00
- }, vulnerabilityLength);
+ const smash = await device.controlTransferIn(
+ {
+ requestType: "standard",
+ recipient: "interface",
+ request: 0x00,
+ value: 0x00,
+ index: 0x00,
+ },
+ vulnerabilityLength,
+ );
}
-
-
document.getElementById("goButton").addEventListener("click", async () => {
clearLog();
var debugCheckbox = document.getElementById("shouldDebug");
const payloadPath = document.getElementById("payloadSelect").value;
- if(!debugCheckbox.checked) {
+ if (!debugCheckbox.checked) {
+ if (!navigator.usb) {
+ logOutput(
+ "Your browser doesn't support Web USB, Web CFW Loader will not work!",
+ );
+ return;
+ }
- logOutput("Requesting access to device...");
- try {
- device = await navigator.usb.requestDevice({ filters: [{ vendorId: 0x0955 }] });
- } catch (error) {
- console.log(error);
- logOutput("Failed to get a device. Did you chose one?");
- return;
- }
+ logOutput("Requesting access to device...");
+ try {
+ device = await navigator.usb.requestDevice({
+ filters: [{ vendorId: 0x0955 }],
+ });
+ } catch (error) {
+ console.log(error);
+ logOutput("Failed to get a device. Did you chose one?");
+ return;
+ }
}
let payload;
@@ -186,19 +197,18 @@ document.getElementById("goButton").addEventListener("click", async () => {
alert("You need to upload a file, to use an uploaded file.");
return;
}
- logOutput("Using uploaded payload \"" + file.name + "\"");
+ logOutput('Using uploaded payload "' + file.name + '"');
payload = new Uint8Array(await readFileAsArrayBuffer(file));
-
} else {
try {
payload = new Uint8Array(await getPayload(payloadPath));
} catch (error) {
- logOutput("There was a problem retreiving the payload. Error: " + error)
+ logOutput("There was a problem retreiving the payload. Error: " + error);
return;
}
}
- if(debugCheckbox.checked) {
+ if (debugCheckbox.checked) {
logOutput("Logging payload bytes...");
var payloadToLog = "";
@@ -210,31 +220,26 @@ document.getElementById("goButton").addEventListener("click", async () => {
return;
}
- logOutput(`Preparing to launch ${payloadPath}...`);
+ logOutput(
+ `Preparing to launch ${payloadPath}...`,
+ );
launchPayload(payload);
});
-
-
function onSelectChange() {
if (document.getElementById("payloadSelect").value === "uploaded")
- document.getElementById("uploadContainer").style.display = "block"
- else
- document.getElementById("uploadContainer").style.display = "none"
+ document.getElementById("uploadContainer").style.display = "block";
+ else document.getElementById("uploadContainer").style.display = "none";
}
-
-
function openInfo() {
- if(document.getElementById("infodiv").innerHTML != "") {
+ if (document.getElementById("infodiv").innerHTML != "") {
document.getElementById("infodiv").innerHTML = "";
}
}
-
-
function openInstructions() {
- if(document.getElementById("infodiv").innerHTML != "") {
+ if (document.getElementById("infodiv").innerHTML != "") {
document.getElementById("infodiv").innerHTML = "";
}
}