a1exdandy / checkm8-a5 Goto Github PK

View Code? Open in Web Editor NEW

159.0 15.0 126.0 7 KB

checkm8 port for S5L8940X/S5L8942X/S5L8945X

License: MIT License

C++ 32.13% C 67.87%

checkm8-a5's Introduction

A5/A5X checkm8

checkm8 port for S5L8940X/S5L8942X/S5L8945X based on Arduino and MAX3421E-based USB Host Shield

Building

Follow the instructions here. Note that the patch for USB Host Library Rev. 2.0 is different.

USB Host Library Rev. 2.0 installation and patching

cd path/to/Arduino/libraries
git clone https://github.com/felis/USB_Host_Shield_2.0
cd USB_Host_Shield_2.0
git checkout cd87628af4a693eeafe1bf04486cf86ba01d29b8
git apply path/to/usb_host_library.patch

SoC selection

Before using the exploit change this line in the beginning of checkm8-a5.ino with target SoC CPID:

#define A5_8942

S5L8940X/S5L8942X/S5L8945X-specific exploitation notes

This article may be helpful for better understanding.

1. `HOST2DEVICE` control request without data phase processing

In newer SoCs this request is processed as follows. Note that there are different cases for request_handler_ret == 0 and request_handler_ret > 0:

void __fastcall usb_core_handle_usb_control_receive(void *ep0_rx_buffer, __int64 is_setup, __int64 data_rcvd, bool *data_phase)
{
  ...
  // get interface control request handler
  request_handler = ep.registered_interfaces[(unsigned __int16)setup_request.wIndex]->request_handler;
  if ( !request_handler )
    goto error_handling;
  // call to interface control request handler
  // set global buffer pointer
  request_handler_ret = request_handler(&g_setup_request, &ep0_data_phase_buffer);
  if ( !(g_setup_request.bmRequestType & 0x80000000) )
  {
    // HOST2DEVICE
    if ( request_handler_ret >= 1 )
    {
      // set global data phase length and ifnum
      ep0_data_phase_length = request_handler_ret; 
      ep0_data_phase_if_num = intf_num;
      goto continue;
    }
    if ( !request_handler_ret )
    {
      // acknowledge transaction with zlp, do not touch global state
      usb_core_send_zlp();
      goto continue;
    }
  ...
}

But in our target SoCs this request is processed slightly different:

unsigned int __fastcall usb_core_handle_usb_control_receive(unsigned int rx_buffer, int is_setup, unsigned int data_received, int *data_phase)
{
  ...
  if ( is_setup )
  {
    v11 = memmove((unsigned int)&g_setup_packet, rx_buffer, 8);
    if ( g_setup_packet.bmRequestType & 0x60 )
    {
      if ( (g_setup_packet.bmRequestType & 0x60) != 0x20
        || (g_setup_packet.bmRequestType & 0x1F) != 1
        || (v29 = LOBYTE(g_setup_packet.wIndex) | (HIBYTE(g_setup_packet.wIndex) << 8), v29 >= ep_size)
        || (request_handler = *(int (__fastcall **)(setup_req *, _DWORD *))(ep_array[LOBYTE(g_setup_packet.wIndex) | (HIBYTE(g_setup_packet.wIndex) << 8)]
                                                                          + 32)) == 0
        || (request_handler_ret = request_handler(&g_setup_packet, &ep0_data_phase_buffer), request_handler_ret < 0) )
      {
        // error handling
        rx_buffer = sub_2E7C(0x80, 1);
        v10 = 0;
        goto LABEL_103;
      }
      // if request_handler_ret >= 0, then data phase length will be touched anyway
      ep0_data_phase_length = request_handler_ret;
      ep0_data_phase_if_num = v29;
      *data_phase = 1;
      goto continue;
    }
  ...
}

So, if we send any HOST2DEVICE control request without data phase, then ep0_data_phase_length will be reset to zero. Because of this we can't use ctrlReq(0x21,4,0) to reenter DFU. But there is another way to reenter DFU:

ctrlReq(bmRequestType = 0x21,bRequest = 1,wLength = 0x40) with any data
ctrlReq(0x21,1,0)
ctrlReq(0xa1,3,1)
ctrlReq(0xa1,3,1)
USB bus reset

So, to be able to write to the freed io_buffer, we do steps 1-4, then send an incomplete HOST2DEVICE control transaction to set global state, then trigger bus reset. This algorithm is fully described here by littlelailo.

But, if we use any normal OS with default USB stack for exploitation, then we can't avoid standard device requests (e.g. SET_ADDRESS, see this for more info) sent by OS before we can work with device. Because of it in our PoC we use Arduino and MAX3421E to control early initialization of USB.

2. Zero length packet processing

In newer SoCs data packets are processed as follows. Note that in case of zero length packet processing is not performed.

void __fastcall usb_core_handle_usb_control_receive(void *ep0_rx_buffer, __int64 is_setup, __int64 data_rcvd, bool *data_phase)
{
  ...
  if ( !(is_setup & 1) )
  {
    if ( !(_DWORD)data_rcvd ) // check for zero length packet
      return;
    if ( ep0_data_phase_rcvd + (unsigned int)data_rcvd <= ep0_data_phase_length )
    {
      if ( ep0_data_phase_length - ep0_data_phase_rcvd >= (unsigned int)data_rcvd )
        to_copy = (unsigned int)data_rcvd;
      else
        to_copy = ep0_data_phase_length - ep0_data_phase_rcvd;
      memmove(ep0_data_phase_buffer, ep0_rx_buffer, to_copy);// copy received data to IO-buffer
      ep0_data_phase_buffer += (unsigned int)to_copy;// update global buffer pointer
      ep0_data_phase_rcvd += to_copy;           // update received counter
      *data_phase = 1;
      // stop transfer if received expected number of bytes
      // or received less then 0x40 bytes packet
      if ( (_DWORD)data_rcvd == 0x40 )
        end_of_transfer = ep0_data_phase_rcvd == ep0_data_phase_length;
      else
        end_of_transfer = 1;
  ...
}

But in our target SoCs zero length packets are processed in the same way as non-zero length packets.

unsigned int __fastcall usb_core_handle_usb_control_receive(unsigned int rx_buffer, int is_setup, unsigned int data_received, int *data_phase)
{
  ...
  // data packet processing starts here
  rx_buffer = ep0_data_phase_buffer;
  if ( !ep0_data_phase_buffer )
    return rx_buffer;
  if ( data_received + ep0_data_phase_rcvd > ep0_data_phase_length )
  {
    rx_buffer = sub_2E7C(128, 1);
reset_global_state:
    v10 = 0;
    ep0_data_phase_rcvd = 0;
    ep0_data_phase_length = 0;
    ep0_data_phase_buffer = 0;
    ep0_data_phase_if_num = -2;
LABEL_103:
    *v6 = v10;
    return rx_buffer;
  }
  if ( data_received >= ep0_data_phase_length - ep0_data_phase_rcvd )
    v7 = ep0_data_phase_length - ep0_data_phase_rcvd;
  else
    v7 = data_received;
  memmove(ep0_data_phase_buffer, rx_buffer_1, v7);
  end_of_transfer = data_received_1 != 0x40;  // in case of zero length packet `end_of_transfer` will be `true`
                                              // and global state will be reseted
  ep0_data_phase_buffer += v7;
  ep0_data_phase_rcvd += v7;
  rx_buffer = ep0_data_phase_rcvd;
  *v6 = 1;
  if ( rx_buffer == ep0_data_phase_length )
    end_of_transfer = 1;
  if ( end_of_transfer )
  {
    if ( (int)ep0_data_phase_if_num >= 0 && ep0_data_phase_if_num < ep_size )
    {
      v9 = *(void (**)(void))(ep_array[ep0_data_phase_if_num] + 36);
      if ( v9 )
      {
        v9();
        rx_buffer = usb_core_send_zlp();
      }
    }
    goto reset_global_state;
  }
  return rx_buffer;
}

As in the previous case, if we use normal OS with default USB stack, we can't avoid sending of zero length packets in status phase of standard device USB controll requests.

Important notes

Do not use any cables with embedded USB hubs (DCSD/Kong/Kanzi/etc.), as it might prevent a device from being recognized by the program. Normal USB-cables will do the trick just fine
This exploit demotes your device by default, so SWD-debugging will be available. But that also makes your device use development KBAG when decrypting Image3s. Keep that in mind if you're going to use this to decrypt firmware components

Authors

License

This project is licensed under the MIT License - see the LICENSE file for details

checkm8-a5's People

Contributors

Stargazers

Watchers

checkm8-a5's Issues

Will you consider adding a few lines to the Arduino sketch?

logs.txt

I added a line in setup(), just before the return:
Serial.println("usb init");

...by the way, if Usb.Init() fails, you print an error and then proceed with no USB...

I also added a line in loop(), after the test for vendorId and productId:
Serial.print("Apple DFU found (vendorId: "); Serial.print(0x5ac); Serial.print(", productId: "); Serial.print(0x1227); Serial.println(")");

I noticed that I got different product IDs, based on how the device booted. If the iPad was running, I got one number, if it was in 'restore mode', I got a different number. If i reset into DFU, the code proceeded correctly!

running:
Non Apple DFU found (vendorId: 1452, productId: 4737)
...then, in 'restore':
Non Apple DFU found (vendorId: 1452, productId: 4779)
...then in DFU:
Apple DFU found (vendorId: 1452, productId: 4647)

Would it be possible to switch the Arduino out for a Raspberry Pi or NodeMCU?

I've ordered an Arduino Uno but I'm in a bit of a time crunch, would it be possible to run this code from a NodeMCU or Raspberry Pi?

Checkm8

avrdude: skt500_recv():programmer is not responding

when I try to upload the sketch he give me a error Arduino: 1.8.13 (Mac OS X), Board: "Arduino Uno"

In file included from /Users/salahsimac/Desktop/checkm8-a5/checkm8-a5.ino:4:0:
sketch/constants.h:2:17: note: #pragma message: Building for A5 S5L8942X
#pragma message "Building for A5 S5L8942X"
^~~~~~~~~~~~~~~~~~~~~~~~~~
Sketch uses 7956 bytes (24%) of program storage space. Maximum is 32256 bytes.
Global variables use 807 bytes (39%) of dynamic memory, leaving 1241 bytes for local variables. Maximum is 2048 bytes.
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 1 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 2 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 3 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 4 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 5 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 6 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 7 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 8 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 9 of 10: not in sync: resp=0x00
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 10 of 10: not in sync: resp=0x00
Problem uploading to board. See http://www.arduino.cc/en/Guide/Troubleshooting#upload for suggestions.

This report would have more information with
"Show verbose output during compilation"
option enabled in File -> Preferences.

without USB Host shield upload successful ? how to fix that

No LED status - trying jailbreak ATV3,1 (A1427)

I have patched the USB Host library as per instructions.
I do not get any response from the external LED (Pin 6 + Gnd) when plugging in the ATV3 that is already in DFU Mode in to the USB Host Shield?

Can anyone provide any suggestions please?

having some issues trying to crack open an iPod five with Arduino and sliver

I have tried nearly everything I could imagine and I'm kinda new to this. I've tried running different versions of the Arduino software, tried installing all the different files for the Arduino board, and still just can't seem to get it to work I keep getting this error message for something called "usb.ctrlReq_SETUP" if anyone has any ideas let me know please

In file included from /Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:4:0:
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/constants.h:2:17: note: #pragma message: Building for A5 S5L8942X
#pragma message "Building for A5 S5L8942X"
^~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function 'uint8_t heap_feng_shui_req(uint8_t, bool)':
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:113:21: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
setup_rcode = Usb.ctrlReq_SETUP(0, 0, 0x80, 6, serial_idx, 3, 0x40a, sz);
^~~~~~~~~~~~~
ctrlReq
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function 'void set_global_state()':
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:159:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, 0x40);
^~~~~~~~~~~~~
ctrlReq
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:178:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, padding + 0x40);
^~~~~~~~~~~~~
ctrlReq
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function 'void heap_occupation()':
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:206:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
rcode = Usb.ctrlReq_SETUP(0, 0, 0, 0, 0, 0, 0, 0x40);
^~~~~~~~~~~~~
ctrlReq
/Users/prestongriffin/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:218:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, sizeof(payload));
^~~~~~~~~~~~~
ctrlReq
Multiple libraries were found for "Usb.h"
Used: /Users/prestongriffin/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0
Not used: /Users/prestongriffin/Documents/Arduino/libraries/USBHost
exit status 1

Compilation error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?

Question: Why only the Arduino Uno?

Just a question, not a pressing issue, what stops you from writing this port of CheckM8 for a mac, or Linux. Why can it not be edited slightly to run on a desktop or laptop computer?

Thanks in advance.

sketch error upload (Avro

Please post offsets and details.

Hello
If possible please post offset details for A5x devices for ipwndfu so we can update main repo.
"version, cpid, large_leak, overwrite, hole, leak"
s7000_overwrite = b'\0' * 32 + struct.pack('<32xQ8x', 0x180380000) + b'\0' * 8
DeviceConfig('iBoot-1992.0.0.1.19', 0x7000, None, s7000_overwrite, 40, 3),
0x180380000, # 1 - LOAD_ADDRESS
0x6578656365786563, # 2 - EXEC_MAGIC
0x646F6E65646F6E65, # 3 - DONE_MAGIC
0x6D656D636D656D63, # 4 - MEMC_MAGIC
0x6D656D736D656D73, # 5 - MEMS_MAGIC
0x10000EBB4, # 6 - USB_CORE_DO_IO
0x180088760, # 1 - gUSBDescriptors
0x1800888C8, # 2 - gUSBSerialNumber
0x10000E074, # 3 - usb_create_string_descriptor
0x18008062A, # 4 - gUSBSRNMStringDescriptor
0x1800E0C00, # 5 - PAYLOAD_DEST
PAYLOAD_OFFSET_ARM64, # 6 - PAYLOAD_OFFSET
PAYLOAD_SIZE_ARM64, # 7 - PAYLOAD_SIZE
0x180088878, # 8 - PAYLOAD_PTR
This so far i can test but its keep failing i guess data is wrong.can you please help to test it ?

Not sure if this is the right output from the Arduino?

I get the following output in the serial monitor from Arduino, but can't get the bypass tool to work as it says the device is not in pwned mode:

_checkm8 started

heap feng-shui
Stall status: 5
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 1, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 1, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 1, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 1
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 1, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 1
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 1, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 1, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 1
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 1
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = D, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
heap_feng_shui_req: setup status = 0, data status = 4
set global state
OUT pre-packet: 0
Send random 0x40 bytes: 0
Send random 0x40 bytes HS: 0
Send zero length packet: 0
Send get status #1: 0
Send get status #2: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
data: 0
heap occupation
heap_feng_shui_req: setup status = 0, data status = 0
overwrite sending ...
SETUP: 0
OUT (pre packet): 0
OUT: 0
payload sending ...
SETUP: 0
OUT (pre packet): 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
OUT: 0
Done!_

Jailbreak

Usb.ctrlReq_SETUP

Hello, I do not fully understand such things, please help
When I try to record this sketch on Arduino, I write this error:
'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
I completely don’t know what to do now, maybe at least you can tell me please = (

Is it possible to run it on Arduino Mega 2560 clone?

I have only that model and don't want to buy an uno. Can I use it instead of the uno?

I can't enter PWNED DFU on 4s with Arduino UNO and USB Host Shield.

Greetings, a few weeks or months ago, I started researching icloud bypass methods for A5 devices. After trying all methods (which I read are compatible) I bought an arduino uno with Atmega16U2 usb chip and a host shield with MAX3421E chip. I got an error in Arduino IDE when I tried with Synackuk or A1exdandy checkm8. Then I learned that I had to solder 3 jumpers on the Host Shield and change the CPID number. In my attempts after soldering and changing the number, the .ino file was successfully written, but when I connected the iPhone 4S model device to the Host Shield, the LED did not flash (by the way, I connected the negative part of the LED to the first 2nd port and the positive part to the other 2nd port.). I also removed the LED and touched it to a battery and it was working. When I plugged it into the USB host shield with the iPhone turned on normally, I saw that it was not charging, but when I connected the LED to a USB cable and plugged it in, I saw that it was on. Just to make sure one more time, I plugged my Android phone into the host shield and it charged too. I then tried with a new 24 pin Lightning Cable but it didn't charge either. Ignoring the problems such as the LED not lit and the iPhone not charging, I started the process to enter the PWNED DFU, but none of the Alternate Ramdisk, Standard Ramdisk and ibss only methods were successful. (In other words, the screen of the device remained in DFU mode and did not switch to the verbose screen.) I used a hackintosh system installed in Monterey to perform these operations. If there is any information or system feature you want, feel free to ask. Google Translate was used to write this text, sorry for any errors. (I took this video as a guide https://www.youtube.com/watch?v=v_fWwCaGWU8)

unable to compile in windows

good day sir,

trying to compile in windows but it says,

class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?

any thoughts?

ctrlReq_SETUP did you mean ctrlReq. Cant get passed this error to upload to Arduino.

Arduino: 1.8.13 (Mac OS X), Board: "Arduino Uno"

In file included from /Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:4:0:
sketch/constants.h:2:17: note: #pragma message: Building for A5 S5L8942X
#pragma message "Building for A5 S5L8942X"
^~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function 'uint8_t heap_feng_shui_req(uint8_t, bool)':
checkm8-a5:113:21: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
setup_rcode = Usb.ctrlReq_SETUP(0, 0, 0x80, 6, serial_idx, 3, 0x40a, sz);
^~~~~~~~~~~~~
ctrlReq
/Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function 'void set_global_state()':
checkm8-a5:159:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, 0x40);
^~~~~~~~~~~~~
ctrlReq
checkm8-a5:178:61: error: no matching function for call to 'USB::ctrlReq(int, int, int, int, int, int, int, int)'
rcode = Usb.ctrlReq(0, 0, 0x21, 1, 0, 0, 0, padding + 0x40);
^
In file included from /Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/Usb.h:44:0,
from /Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:1:
/Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/UsbCore.h:271:17: note: candidate: uint8_t USB::ctrlReq(uint8_t, uint8_t, uint8_t, uint8_t, uint8_t, uint8_t, uint16_t, uint16_t, uint16_t, uint8_t*, USBReadParser*)
uint8_t ctrlReq(uint8_t addr, uint8_t ep, uint8_t bmReqType, uint8_t bRequest, uint8_t wValLo, uint8_t wValHi,
^~~~~~~
/Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/UsbCore.h:271:17: note: candidate expects 11 arguments, 8 provided
/Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function 'void heap_occupation()':
checkm8-a5:206:48: error: no matching function for call to 'USB::ctrlReq(int, int, int, int, int, int, int, int)'
rcode = Usb.ctrlReq(0, 0, 0, 0, 0, 0, 0, 0x40);
^
In file included from /Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/Usb.h:44:0,
from /Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:1:
/Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/UsbCore.h:271:17: note: candidate: uint8_t USB::ctrlReq(uint8_t, uint8_t, uint8_t, uint8_t, uint8_t, uint8_t, uint16_t, uint16_t, uint16_t, uint8_t*, USBReadParser*)
uint8_t ctrlReq(uint8_t addr, uint8_t ep, uint8_t bmReqType, uint8_t bRequest, uint8_t wValLo, uint8_t wValHi,
^~~~~~~
/Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/UsbCore.h:271:17: note: candidate expects 11 arguments, 8 provided
checkm8-a5:218:62: error: no matching function for call to 'USB::ctrlReq(int, int, int, int, int, int, int, unsigned int)'
rcode = Usb.ctrlReq(0, 0, 0x21, 1, 0, 0, 0, sizeof(payload));
^
In file included from /Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/Usb.h:44:0,
from /Users/victorcopino/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:1:
/Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/UsbCore.h:271:17: note: candidate: uint8_t USB::ctrlReq(uint8_t, uint8_t, uint8_t, uint8_t, uint8_t, uint8_t, uint16_t, uint16_t, uint16_t, uint8_t*, USBReadParser*)
uint8_t ctrlReq(uint8_t addr, uint8_t ep, uint8_t bmReqType, uint8_t bRequest, uint8_t wValLo, uint8_t wValHi,
^~~~~~~
/Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0/UsbCore.h:271:17: note: candidate expects 11 arguments, 8 provided
Multiple libraries were found for "Usb.h"
Used: /Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_Library_2.0
Not used: /Users/victorcopino/Documents/Arduino/libraries/USB_Host_Shield_2.0
exit status 1
'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?

This report would have more information with
"Show verbose output during compilation"
option enabled in File -> Preferences.

checkm8-a5:1:1: error: stray '`' in program `#include "Usb.h"

Arduino: 1.8.19 (Mac OS X), Board: "Arduino Uno"

checkm8-a5:1:1: error: stray '' in program #include "Usb.h"
^
checkm8-a5:1:2: error: stray '#' in program
#include "Usb.h" ^ checkm8-a5:1:3: error: 'include' does not name a type #include "Usb.h"
^~~~~~~
In file included from /Users/gautamvandar/Desktop/checkm8-a5/checkm8-a5.ino:4:0:
constants.h:2:43: error: expected declaration before end of line
#pragma message "Building for A5 S5L8942X"
^
exit status 1
stray '`' in program

This report would have more information with
"Show verbose output during compilation"
option enabled in File -> Preferences.

wii support?

wii also has weird usb so could it connect to iphone 4s?

Led stay still but device is not in PWN DFU mode

Hello, I get the 3 lights and then the lights stay still but the log says this:

https://pastebin.com/RRzZvFD5

Sliver fail with every option after that.

Any idea why am I not getting in to PWND DFU?

"usb init error" when running

Hello, I have followed all the instructions and have the correct hardware (arduino uno and MAX3421E based USB host shield), I also correctly patched the usb host library files, but when I try to use this with my iPhone 4s (8940) in DFU mode and watch the serial monitor on my PC, it says "checkm8 started" and then instantly "usb init error", I have also tried this without it connected to my PC, but have no luck as the LED never lights up at the end. What could the issue be?

Addresses question

Hallo. Can you help me with addresses? Padding for point from uaf until usb_device_io_request firt object? And owervrite usb_device_io_request value?

Compilation Error

113: Compilation error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?

/home/scott/Desktop/checkm8-a5/constants.h:2:17: note: #pragma message: Building for A5 S5L8942X
 #pragma message "Building for A5 S5L8942X"
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino: In function 'uint8_t heap_feng_shui_req(uint8_t, bool)':
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino:113:21: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
   setup_rcode = Usb.ctrlReq_SETUP(0, 0, 0x80, 6, serial_idx, 3, 0x40a, sz);
                     ^~~~~~~~~~~~~
                     ctrlReq
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino: In function 'void set_global_state()':
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino:159:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
   rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, 0x40);
               ^~~~~~~~~~~~~
               ctrlReq
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino:178:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
   rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, padding + 0x40);
               ^~~~~~~~~~~~~
               ctrlReq
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino: In function 'void heap_occupation()':
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino:206:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
   rcode = Usb.ctrlReq_SETUP(0, 0, 0, 0, 0, 0, 0, 0x40);
               ^~~~~~~~~~~~~
               ctrlReq
/home/scott/Desktop/checkm8-a5/checkm8-a5.ino:218:15: error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?
   rcode = Usb.ctrlReq_SETUP(0, 0, 0x21, 1, 0, 0, 0, sizeof(payload));
               ^~~~~~~~~~~~~
               ctrlReq
Multiple libraries were found for "Usb.h"
  Used: /home/scott/Arduino/libraries/USB_Host_Shield_Library_2.0
  Not used: /home/scott/Arduino/libraries/USBHost
exit status 1

Compilation error: 'class USB' has no member named 'ctrlReq_SETUP'; did you mean 'ctrlReq'?```

Is it possible to port this to the Raspberry Pi Pico?

It seems the Raspberry Pi Pico has a built-in USB host feature. And there are other commercial software already utilized it: https://blog.elcomsoft.com/2022/05/checkm8-unlocking-and-imaging-the-iphone-4s/

nintendo wii support?

i know it sounds weird, but it has been done before iirc.

Errors when compiling for Intel Arduino/Genuino 101

I understand that this project is for Arduino Uno but I do not currently have one on hand and only have a Arduino/Genuino 101 board. From what I know the Genuino 101 is suppost to be compatable with Arduino Code but obviously there will be imcompatabilities with hardware differences.

Despite the erros the compiler still uploads the code to the board and the board executes it.

Here is the error I get when Verifying / Uploading the code:

In file included from /Users/USERNAME/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:4:0:
/Users/USERNAME/Downloads/checkm8-a5-master/checkm8-a5/constants.h:2:17: note: #pragma message: Building for A5 S5L8942X
#pragma message "Building for A5 S5L8942X"
^
/Users/USERNAME/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function ‘void heap_occupation()’:
/Users/USERNAME/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:224:36: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for(int i = 0; i < sizeof(payload); i += 0x40)
^
/Users/USERNAME/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino: In function ‘uint8_t heap_feng_shui_req(uint8_t, bool)’:
/Users/USERNAME/Downloads/checkm8-a5-master/checkm8-a5/checkm8-a5.ino:124:67: warning: ‘data_rcode’ may be used uninitialized in this function [-Wmaybe-uninitialized]
Serial.print(", data status = "); Serial.println(data_rcode, HEX);
^
Sketch uses 23764 bytes (15%) of program storage space. Maximum is 155648 bytes.

When plugging an iPad in the LED added to the usb host doesnt show any signs and when checking serial monitor there are no outputs accept from when I press RESET with the iPad plugged in I get "usb init error".

Verfying for the Uno grants no errors

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

a1exdandy / checkm8-a5 Goto Github PK

checkm8-a5's Introduction

A5/A5X checkm8

Building

USB Host Library Rev. 2.0 installation and patching

SoC selection

S5L8940X/S5L8942X/S5L8945X-specific exploitation notes

1. HOST2DEVICE control request without data phase processing

2. Zero length packet processing

Important notes

Authors

License

checkm8-a5's People

Contributors

Stargazers

Watchers

Forkers

checkm8-a5's Issues

Recommend Projects

Recommend Topics

Recommend Org

1. `HOST2DEVICE` control request without data phase processing