configfs: support mouse gadget

- check interruption signal in more places

Author: Netdex

app/src/main/assets/scripts/downloadrun.lua

@@ -24,16 +24,16 @@ while true do
     if runAs then
         -- when running elevated prompt sometimes it pops in background, so we need
         -- to go to the desktop
-        kb.press_keys(kb.LSUPER, kb.D)
+        kb.press_keys(MOD_LSUPER, KEY_D)
         usb.delay(500)
-        kb.press_keys(kb.LSUPER, kb.R)
+        kb.press_keys(MOD_LSUPER, KEY_R)
         usb.delay(2000)
         kb.send_string("powershell Start-Process powershell -Verb runAs\n")
         usb.delay(3000)
-        kb.press_keys(kb.LALT, kb.Y)
+        kb.press_keys(MOD_LALT, KEY_Y)
         usb.delay(2000)
     else
-        kb.press_keys(kb.LSUPER, kb.R)
+        kb.press_keys(MOD_LSUPER, KEY_R)
         usb.delay(2000)
         kb.send_string("powershell\n")
         usb.delay(2000)

app/src/main/assets/scripts/test.lua renamed to app/src/main/assets/scripts/massstorage.lua

@@ -0,0 +1,10 @@
+usb = luausb.create({ type = "mouse", id = 0 })
+
+ms1 = usb.dev[1]
+
+while true do
+    ms1.click(BTN_LEFT)
+    ms1.move(30, 0)
+    ms1.scroll(128)
+    usb.delay(1000)
+end

app/src/main/assets/scripts/mouse.lua

@@ -5,7 +5,7 @@
 usb = luausb.create({ id = 0, type = "keyboard" })
 kb = usb.dev[1]
 
-local file = usb.ask("Wallpaper to download?", "https://i.redd.it/ur1mqcbpxou51.png")
+local file = usb.ask("Wallpaper to download?", "https://i.imgur.com/46wWHZ3.png")
 
 while true do
     usb.log("idle")
@@ -18,7 +18,7 @@ while true do
     usb.log("running")
     usb.delay(1000)
 
-    kb.press_keys(kb.LSUPER, kb.R)
+    kb.press_keys(MOD_LSUPER, KEY_R)
     usb.delay(2000)
     kb.send_string("powershell\n")
     usb.delay(2000)

app/src/main/assets/scripts/wallpaper.lua

@@ -30,52 +30,46 @@ public Parameters(String manufacturer, String serial,
         }
     }
 
-    public static final String CONFIG_DIR = "c.1";
+    private static final String CONFIG_DIR = "c.1";
+    // https://android.googlesource.com/platform/system/core/+/master/rootdir/init.usb.configfs.rc
+    private static final String SYSTEM_GADGET = "g1";
 
-    private final Parameters params_;
-    private final String name_;
+    private final String gadget_name_;
     private final String configFsPath_;
 
     private final ArrayList<UsbGadgetFunction> functions_;
 
-    private String oldGadgetUsingUDC_ = null;
-    private String oldGadgetUDCDriver_ = null;
-
-    public UsbGadget(Parameters parameters, String name, String configFsPath) {
-        this.params_ = parameters;
-        this.name_ = name;
+    public UsbGadget(String name, String configFsPath) {
+        this.gadget_name_ = name;
         this.configFsPath_ = configFsPath;
 
         this.functions_ = new ArrayList<>();
     }
 
-    public void addFunction(UsbGadgetFunction function) {
-        functions_.add(function);
-    }
-
-    public void create(Shell.Threaded su) throws Shell.ShellDiedException {
-        String gadgetPath = getGadgetPath();
-        if (Command.pathExists(su, gadgetPath)) {
+    public void create(Shell.Threaded su, Parameters params) throws Shell.ShellDiedException {
+        String gadgetPath = getGadgetPath(gadget_name_);
+        if (!Command.getSystemProp(su, "sys.usb.configfs").equals("1"))
+            throw new IllegalStateException("Device does not support ConfigFS");
+        if (isCreated(su))
             throw new IllegalStateException("USB gadget already exists");
-        }
 
         su.run(new String[]{
                 "mkdir " + gadgetPath,
                 "cd " + gadgetPath,
-                Command.echoToFile(params_.idProduct, "idProduct"),
-                Command.echoToFile(params_.idVendor, "idVendor"),
+                Command.echoToFile(params.idProduct, "idProduct"),
+                Command.echoToFile(params.idVendor, "idVendor"),
                 Command.echoToFile("239", "bDeviceClass"),
                 Command.echoToFile("0x02", "bDeviceSubClass"),
                 Command.echoToFile("0x01", "bDeviceProtocol"),
 
                 "mkdir strings/0x409",
-                Command.echoToFile(params_.serial, "strings/0x409/serialnumber"),
-                Command.echoToFile(params_.manufacturer, "strings/0x409/manufacturer"),
-                Command.echoToFile(params_.product, "strings/0x409/product"),
+                Command.echoToFile(params.serial, "strings/0x409/serialnumber"),
+                Command.echoToFile(params.manufacturer, "strings/0x409/manufacturer"),
+                Command.echoToFile(params.product, "strings/0x409/product"),
 
                 String.format("mkdir \"configs/%s\"", CONFIG_DIR),
                 String.format("mkdir \"configs/%s/strings/0x409\"", CONFIG_DIR),
-                Command.echoToFile(params_.configName, String.format("configs/%s/strings/0x409/configuration", CONFIG_DIR)),
+                Command.echoToFile(params.configName, String.format("configs/%s/strings/0x409/configuration", CONFIG_DIR)),
         });
 
         for (UsbGadgetFunction function : this.functions_) {
@@ -84,62 +78,42 @@ public void create(Shell.Threaded su) throws Shell.ShellDiedException {
     }
 
     public void bind(Shell.Threaded su) throws Shell.ShellDiedException {
-        String gadgetPath = getGadgetPath();
-        if (isBound(su)) {
+        String gadgetPath = getGadgetPath(gadget_name_);
+        if (!isCreated(su))
+            throw new IllegalStateException("USB gadget does not exist");
+        if (isBound(su))
             throw new IllegalStateException("USB gadget is already bound to UDC");
-        }
 
         for (UsbGadgetFunction function : this.functions_) {
             function.bind(su, gadgetPath, CONFIG_DIR);
         }
 
-        ArrayList<String> drivers = Command.ls(su, "/sys/class/udc");
-        if (drivers.size() != 1) {
-            // TODO allow multiple USB drivers
-            throw new IllegalStateException("There must be exactly one USB driver");
-        }
-        String udc = drivers.get(0);
-        this.oldGadgetUDCDriver_ = udc;
-
-        // Look for other gadgets using the same usb driver
-        ArrayList<String> otherUsbGadgets = Command.ls(su, Paths.get(gadgetPath, "..").toString());
-        for (String otherUsbGadgetPath : otherUsbGadgets) {
-            String udcPath = Paths.get(gadgetPath, "..", otherUsbGadgetPath, "UDC").toString();
-            String driver = Command.readFile(su, udcPath);
-            if (driver.equals(udc)) {
-                // Backup the driver so we can restore it later
-                this.oldGadgetUsingUDC_ = udcPath;
-                su.run(Command.echoToFile("", udcPath));
-                break;
-            }
-        }
+        String udc = getSystemUDC(su);
+        if (udc.isEmpty()) throw new IllegalStateException("Could not determine system UDC");
 
-        su.run(Command.echoToFile(udc, Paths.get(gadgetPath, "UDC").toString()));
+        su.run(Command.echoToFile("", getUDCPath(SYSTEM_GADGET)));
+        su.run(Command.echoToFile(udc, getUDCPath(gadget_name_)));
     }
 
     public void unbind(Shell.Threaded su) throws Shell.ShellDiedException {
-        if (!isBound(su)) {
+        if (!isCreated(su))
+            throw new IllegalStateException("USB gadget does not exist");
+        if (!isBound(su))
             throw new IllegalStateException("USB gadget is not bound to UDC");
-        }
 
-        // Disable gadget
-        su.run(Command.echoToFile("", getUDCPath()));
-        // Restore old driver if we need to
-        if (oldGadgetUsingUDC_ != null) {
-            su.run(Command.echoToFile(oldGadgetUDCDriver_, oldGadgetUsingUDC_));
-        }
+        su.run(Command.echoToFile("", getUDCPath(gadget_name_)));
+        su.run(Command.echoToFile(getSystemUDC(su), SYSTEM_GADGET));
 
-        String gadgetPath = getGadgetPath();
+        String gadgetPath = getGadgetPath(gadget_name_);
         for (UsbGadgetFunction function : this.functions_) {
             function.unbind(su, gadgetPath, CONFIG_DIR);
         }
     }
 
     public void remove(Shell.Threaded su) throws Shell.ShellDiedException {
-        String gadgetPath = getGadgetPath();
-        if (!Command.pathExists(su, gadgetPath)) {
+        String gadgetPath = getGadgetPath(gadget_name_);
+        if (!isCreated(su))
             throw new IllegalStateException("USB gadget does not exist");
-        }
 
         for (UsbGadgetFunction function : this.functions_) {
             function.remove(su, gadgetPath);
@@ -150,28 +124,52 @@ public void remove(Shell.Threaded su) throws Shell.ShellDiedException {
                 String.format("rmdir \"configs/%s\"", CONFIG_DIR),
                 "rmdir strings/0x409",
                 "cd ..",
-                String.format("rmdir \"%s\"", this.name_)
+                String.format("rmdir \"%s\"", this.gadget_name_)
         });
     }
 
-    public String getGadgetPath() {
-        return String.format("%s/usb_gadget/%s", configFsPath_, name_);
+    public String getGadgetPath(String gadgetName) {
+        return String.format("%s/usb_gadget/%s", configFsPath_, gadgetName);
     }
 
-    public String getUDCPath() {
-        return Paths.get(getGadgetPath(), "UDC").toString();
+    public String getUDCPath(String gadgetName) {
+        return Paths.get(getGadgetPath(gadgetName), "UDC").toString();
     }
 
-    public String getUDC(Shell.Threaded su) {
-        return Command.readFile(su, getUDCPath());
+    public String getActiveUDC(Shell.Threaded su, String gadgetName) throws Shell.ShellDiedException {
+        return Command.readFile(su, getUDCPath(gadgetName));
     }
 
-    public String getUDCState(Shell.Threaded su, String udc) {
-        return Command.readFile(su, String.format("/sys/class/udc/%s/state", udc));
+    public boolean isCreated(Shell.Threaded su) throws Shell.ShellDiedException {
+        return Command.pathExists(su, getGadgetPath(gadget_name_));
     }
 
-    public boolean isBound(Shell.Threaded su) {
-        return !getUDC(su).isEmpty();
+    public boolean isBound(Shell.Threaded su) throws Shell.ShellDiedException {
+        return !getActiveUDC(su, gadget_name_).isEmpty();
+    }
+
+    public void addFunction(UsbGadgetFunction function) {
+        functions_.add(function);
+    }
+
+    public ArrayList<UsbGadgetFunction> getFunctions() {
+        return functions_;
+    }
+
+    public String serial() {
+        ArrayList<String> functionDir = new ArrayList<>();
+        for (UsbGadgetFunction function : getFunctions()) {
+            functionDir.add(function.getFunctionDir());
+        }
+        return String.format("%x", functionDir.hashCode());
+    }
+
+    public static String getSystemUDC(Shell.Threaded su) throws Shell.ShellDiedException {
+        return Command.getSystemProp(su, "sys.usb.controller");
+    }
+
+    public static String getUDCState(Shell.Threaded su, String udc) throws Shell.ShellDiedException {
+        return Command.readFile(su, String.format("/sys/class/udc/%s/state", udc));
     }
 
 }

app/src/main/java/org/netdex/hidfuzzer/configfs/UsbGadget.java

@@ -15,46 +15,6 @@ public static class Parameters extends UsbGadgetFunction.Parameters {
         public int reportLength;
         public byte[] descriptor;
 
-        public static final Parameters DEFAULT = new Parameters(
-                1,
-                1,
-                8,
-                new byte[]{
-                        (byte) 0x05, (byte) 0x01,    /* USAGE_PAGE (Generic Desktop)	       */
-                        (byte) 0x09, (byte) 0x06,    /* USAGE (Keyboard)                       */
-                        (byte) 0xa1, (byte) 0x01,    /* COLLECTION (Application)               */
-                        (byte) 0x05, (byte) 0x07,    /*   USAGE_PAGE (Keyboard)                */
-                        (byte) 0x19, (byte) 0xe0,    /*   USAGE_MINIMUM (Keyboard LeftControl) */
-                        (byte) 0x29, (byte) 0xe7,    /*   USAGE_MAXIMUM (Keyboard Right GUI)   */
-                        (byte) 0x15, (byte) 0x00,    /*   LOGICAL_MINIMUM (0)                  */
-                        (byte) 0x25, (byte) 0x01,    /*   LOGICAL_MAXIMUM (1)                  */
-                        (byte) 0x75, (byte) 0x01,    /*   REPORT_SIZE (1)                      */
-                        (byte) 0x95, (byte) 0x08,    /*   REPORT_COUNT (8)                     */
-                        (byte) 0x81, (byte) 0x02,    /*   INPUT (Data,Var,Abs)                 */
-                        (byte) 0x95, (byte) 0x01,    /*   REPORT_COUNT (1)                     */
-                        (byte) 0x75, (byte) 0x08,    /*   REPORT_SIZE (8)                      */
-                        (byte) 0x81, (byte) 0x03,    /*   INPUT (Cnst,Var,Abs)                 */
-                        (byte) 0x95, (byte) 0x05,    /*   REPORT_COUNT (5)                     */
-                        (byte) 0x75, (byte) 0x01,    /*   REPORT_SIZE (1)                      */
-                        (byte) 0x05, (byte) 0x08,    /*   USAGE_PAGE (LEDs)                    */
-                        (byte) 0x19, (byte) 0x01,    /*   USAGE_MINIMUM (Num Lock)             */
-                        (byte) 0x29, (byte) 0x05,    /*   USAGE_MAXIMUM (Kana)                 */
-                        (byte) 0x91, (byte) 0x02,    /*   OUTPUT (Data,Var,Abs)                */
-                        (byte) 0x95, (byte) 0x01,    /*   REPORT_COUNT (1)                     */
-                        (byte) 0x75, (byte) 0x03,    /*   REPORT_SIZE (3)                      */
-                        (byte) 0x91, (byte) 0x03,    /*   OUTPUT (Cnst,Var,Abs)                */
-                        (byte) 0x95, (byte) 0x06,    /*   REPORT_COUNT (6)                     */
-                        (byte) 0x75, (byte) 0x08,    /*   REPORT_SIZE (8)                      */
-                        (byte) 0x15, (byte) 0x00,    /*   LOGICAL_MINIMUM (0)                  */
-                        (byte) 0x25, (byte) 0x65,    /*   LOGICAL_MAXIMUM (101)                */
-                        (byte) 0x05, (byte) 0x07,    /*   USAGE_PAGE (Keyboard)                */
-                        (byte) 0x19, (byte) 0x00,    /*   USAGE_MINIMUM (Reserved)             */
-                        (byte) 0x29, (byte) 0x65,    /*   USAGE_MAXIMUM (Keyboard Application) */
-                        (byte) 0x81, (byte) 0x00,    /*   INPUT (Data,Ary,Abs)                 */
-                        (byte) 0xc0                  /* END_COLLECTION                         */
-                }
-        );
-
         public Parameters(int protocol, int subclass, int reportLength, byte[] descriptor) {
             this.protocol = protocol;
             this.subclass = subclass;

app/src/main/java/org/netdex/hidfuzzer/configfs/function/UsbGadgetFunctionHid.java

@@ -23,9 +23,6 @@ public static class Parameters extends UsbGadgetFunction.Parameters {
 
         public long size = 256;   // in MB, ignored if the file already exists
 
-        public static final Parameters DEFAULT = new Parameters(
-                "/data/local/tmp/mass_storage-lun0.img", 256);
-
         public Parameters(String file, boolean ro, boolean removable,
                           boolean cdrom, boolean nofua, boolean stall, long size) {
             this.file = file;