#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/ioctl.h>
#include <linux/usbdevice_fs.h>
// Send each candidate 4-byte payload as vendor request 0x90 and, after every
// accepted one, check whether the 64-byte telemetry read returns non-zero data.
//
// bRequestType 0x41 decodes as host-to-device / vendor / interface recipient;
// 0xC1 is the device-to-host counterpart. The opcode and payloads are guesses
// (the author marks the opcode with "?"); nothing in this file establishes
// what the device does with them, so "accepted" only means the control
// transfer completed without error.
//
// fd: usbdevfs descriptor for the device.
// Returns early on the first read with a non-zero byte in offsets 4..39,
// otherwise after every candidate has been tried.
void try_wakeup_sequences(int fd) {
    uint8_t candidates[][4] = {
        {0xFF, 0xFF, 0xFF, 0xFF},  // All bits high
        {0xAA, 0x55, 0xAA, 0x55},  // Alternating pattern
        {0x57, 0x41, 0x4B, 0x45},  // "WAKE"
        {0x01, 0x02, 0x04, 0x08},  // Bit sequence
        {0x80, 0x00, 0x00, 0x00},  // MSB set
        {0x00, 0x00, 0x00, 0x01},  // LSB set
    };
    const int candidate_count = (int)(sizeof candidates / sizeof candidates[0]);
    struct usbdevfs_ctrltransfer xfer = {0};
    uint8_t reply[64];

    printf("=== Trying wake-up sequences ===\n");

    for (int p = 0; p < candidate_count; p++) {
        printf("\nTrying pattern %d: ", p);
        for (int b = 0; b < 4; b++) {
            printf("%02x ", candidates[p][b]);
        }
        printf("\n");

        // Vendor OUT request carrying the candidate payload.
        xfer.bRequestType = 0x41;
        xfer.bRequest = 0x90;  // Power command? (unconfirmed guess)
        xfer.wValue = 0x0001;
        xfer.wIndex = 0x0000;
        xfer.wLength = 4;
        xfer.data = candidates[p];
        xfer.timeout = 500;  // milliseconds

        int activated = 0;
        if (ioctl(fd, USBDEVFS_CONTROL, &xfer) >= 0) {
            printf(" Power command accepted\n");

            // Switch back to telemetry. The result is not checked, so a
            // failure here goes unnoticed.
            // NOTE(review): wValue is still 0x0001 at this point, while main()
            // sends the same telemetry payload with wValue 0x0000 - confirm
            // which one is intended.
            uint8_t telemetry_cmd[] = {0x00, 0x40, 0xbf, 0x00};
            xfer.bRequest = 0x01;
            xfer.data = telemetry_cmd;
            ioctl(fd, USBDEVFS_CONTROL, &xfer);

            // Vendor IN read; USBDEVFS_CONTROL returns the byte count, so the
            // reply is inspected only when all 64 bytes arrived.
            xfer.bRequestType = 0xC1;
            xfer.bRequest = 0x01;
            xfer.wLength = 64;
            xfer.data = reply;
            if (ioctl(fd, USBDEVFS_CONTROL, &xfer) >= 64) {
                for (int k = 4; k < 40; k++) {
                    if (reply[k] != 0) {
                        activated = 1;
                        break;
                    }
                }
            }
        }

        if (activated) {
            printf(" ✅ IMU ACTIVATED! Data: ");
            for (int k = 4; k < 16; k++) {
                printf("%02x ", reply[k]);
            }
            printf("\n");
            return;
        }

        usleep(100000);  // 100 ms pause between candidates
    }
}
// For interface numbers 0..3, send the 4-byte "enable" payload as vendor
// request 0x01 addressed to that interface (wIndex), then issue a 64-byte
// vendor IN read on the same interface and print up to 16 bytes of the reply.
//
// A failed or empty transfer is skipped without any message, so an interface
// producing no output may either not exist or have rejected the request.
//
// fd: usbdevfs descriptor for the device.
void explore_interface_specific_commands(int fd) {
    struct usbdevfs_ctrltransfer xfer = {0};
    uint8_t reply[256];

    printf("\n=== Exploring interface-specific commands ===\n");

    for (int target = 0; target < 4; target++) {
        uint8_t enable_cmd[] = {0x01, 0x00, 0x00, 0x00};

        printf("\nInterface %d:\n", target);

        // Host-to-device / vendor / interface recipient.
        xfer.bRequestType = 0x41;
        xfer.bRequest = 0x01;
        xfer.wValue = 0x0001;
        xfer.wIndex = target;  // low byte selects the interface
        xfer.wLength = 4;
        xfer.data = enable_cmd;
        xfer.timeout = 500;  // milliseconds
        if (ioctl(fd, USBDEVFS_CONTROL, &xfer) < 0) {
            continue;
        }
        printf(" Enable sent to interface %d\n", target);

        // Device-to-host read on the same interface; wValue stays 0x0001.
        xfer.bRequestType = 0xC1;
        xfer.bRequest = 0x01;
        xfer.wIndex = target;
        xfer.wLength = 64;
        xfer.data = reply;
        const int got = ioctl(fd, USBDEVFS_CONTROL, &xfer);
        if (got <= 0) {
            continue;
        }

        // Never print past the bytes actually returned.
        const int shown = got < 16 ? got : 16;
        printf(" Response: ");
        for (int k = 0; k < shown; k++) {
            printf("%02x ", reply[k]);
        }
        printf("\n");
    }
}
// Fetch and hex-dump the HID report descriptor of interface 1, then send one
// 8-byte SET_REPORT to the same interface.
//
// Nothing is printed when the descriptor read fails or returns no data, and
// the SET_REPORT is attempted only after a successful descriptor read.
//
// fd: usbdevfs descriptor for the device.
void check_hid_reports(int fd) {
    struct usbdevfs_ctrltransfer xfer = {0};
    uint8_t descriptor[256];

    printf("\n=== Checking HID report descriptors ===\n");

    xfer.bRequestType = 0x81;  // device-to-host, standard, interface recipient
    xfer.bRequest = 0x06;      // GET_DESCRIPTOR
    xfer.wValue = 0x2200;      // descriptor type 0x22 (HID report), index 0
    xfer.wIndex = 0x0001;      // interface 1 (HID)
    xfer.wLength = 256;        // matches sizeof descriptor
    xfer.data = descriptor;
    xfer.timeout = 500;        // milliseconds

    const int desc_len = ioctl(fd, USBDEVFS_CONTROL, &xfer);
    if (desc_len <= 0) {
        return;
    }

    // desc_len is the transferred byte count, bounded by wLength above.
    printf("HID Report Descriptor (%d bytes):\n", desc_len);
    for (int off = 0; off < desc_len; off++) {
        if (off % 16 == 0) {
            printf("\n ");
        }
        printf("%02x ", descriptor[off]);
    }
    printf("\n");

    // Report payload: 0x01, 0xFF, then six zero bytes.
    uint8_t report[8] = {0x01, 0xFF};
    xfer.bRequestType = 0x21;  // host-to-device, class, interface recipient
    xfer.bRequest = 0x09;      // SET_REPORT
    // NOTE(review): the high byte of wValue is the HID report type, and 0x02
    // is Output, not Feature (Feature would be 0x0301). The original comment
    // said "Feature report, ID 1" - confirm which report type was intended.
    xfer.wValue = 0x0201;
    xfer.wIndex = 0x0001;
    xfer.wLength = 8;
    xfer.data = report;
    if (ioctl(fd, USBDEVFS_CONTROL, &xfer) >= 0) {
        printf("\nHID report sent successfully\n");
    }
}
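// Issue a guessed "register write" (vendor request 0xC0, zero-length, with the
// address and value packed into wValue) for each table entry, then read one
// byte back with the matching vendor IN request and report it.
//
// The register addresses, values and descriptions are the author's guesses at
// common sensor registers; the opcode itself is marked "?" in the original.
// "Write accepted" therefore only means the control transfer completed, which
// is why the read-back byte is compared against the value that was sent.
//
// fd: usbdevfs descriptor for the device.
void test_configuration_registers(int fd) {
    static const struct {
        uint8_t addr;
        uint8_t value;
        const char *desc;
    } configs[] = {
        {0x20, 0x0F, "Power control - all on"},
        {0x21, 0x17, "Output data rate - 200Hz"},
        {0x22, 0x00, "FIFO control"},
        {0x23, 0x08, "Interrupt enable"},
        {0x10, 0x80, "Control register 1"},
        {0x11, 0x00, "Control register 2"},
    };
    // Derived from the table so adding an entry cannot desynchronise the loop.
    const size_t config_count = sizeof configs / sizeof configs[0];

    struct usbdevfs_ctrltransfer ctrl = {0};
    uint8_t buffer[64];

    printf("\n=== Testing configuration registers ===\n");

    for (size_t i = 0; i < config_count; i++) {
        const uint8_t addr = configs[i].addr;
        const uint8_t value = configs[i].value;

        printf("\nWriting register 0x%02X = 0x%02X (%s)\n",
               addr, value, configs[i].desc);

        // Zero-length vendor OUT: address in the high byte of wValue, value in
        // the low byte. data is cleared so a pointer left over from the
        // previous iteration's read is not passed along with wLength == 0.
        ctrl.bRequestType = 0x41;
        ctrl.bRequest = 0xC0;  // Register write command? (unconfirmed guess)
        ctrl.wValue = (uint16_t)((addr << 8) | value);
        ctrl.wIndex = 0x0000;
        ctrl.wLength = 0;
        ctrl.data = NULL;
        ctrl.timeout = 500;  // milliseconds
        if (ioctl(fd, USBDEVFS_CONTROL, &ctrl) < 0) {
            continue;
        }
        printf(" Write accepted\n");

        // Read one byte back from the same address.
        ctrl.bRequestType = 0xC1;
        ctrl.bRequest = 0xC0;
        ctrl.wValue = (uint16_t)(addr << 8);
        ctrl.wLength = 1;
        ctrl.data = buffer;
        if (ioctl(fd, USBDEVFS_CONTROL, &ctrl) > 0) {
            printf(" Read back: 0x%02X\n", buffer[0]);
            if (buffer[0] != value) {
                // An accepted transfer that does not read back the same value
                // is not evidence that a register was written.
                printf(" Read back differs from written value 0x%02X\n", value);
            }
        }
    }
}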
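// Entry point: take the usbdevfs descriptor number from TERMUX_USB_FD, run the
// four probing routines in order, then send the telemetry command once more
// and report whether the 64-byte read contains non-zero data.
//
// Returns 1 when the environment variable is missing or is not a valid
// non-negative descriptor number, 0 otherwise.
int main(void) {
    const char *fd_str = getenv("TERMUX_USB_FD");
    if (fd_str == NULL || *fd_str == '\0') {
        printf("No USB file descriptor\n");
        return 1;
    }

    // The environment is external input. atoi() maps any non-numeric string to
    // 0, which passes a "< 0" check and would aim every ioctl below at stdin,
    // so parse strictly and reject trailing garbage and out-of-range values.
    errno = 0;
    char *end = NULL;
    const long parsed = strtol(fd_str, &end, 10);
    if (errno != 0 || end == fd_str || *end != '\0' || parsed > INT_MAX) {
        printf("Invalid TERMUX_USB_FD value\n");
        return 1;
    }
    if (parsed < 0) {
        printf("No USB file descriptor\n");
        return 1;
    }
    const int usb_fd = (int)parsed;

    printf("Exploring hidden features and activation methods...\n\n");

    // Try different wake-up sequences
    try_wakeup_sequences(usb_fd);
    // Explore interface-specific commands
    explore_interface_specific_commands(usb_fd);
    // Check HID interface
    check_hid_reports(usb_fd);
    // Test configuration registers
    test_configuration_registers(usb_fd);

    // Final check
    printf("\n=== Final IMU check ===\n");
    struct usbdevfs_ctrltransfer ctrl = {0};
    uint8_t buffer[64];
    uint8_t telemetry[] = {0x00, 0x40, 0xbf, 0x00};

    // Vendor OUT (host-to-device, interface recipient): telemetry command.
    ctrl.bRequestType = 0x41;
    ctrl.bRequest = 0x01;
    ctrl.wValue = 0x0000;
    ctrl.wIndex = 0x0000;
    ctrl.wLength = 4;
    ctrl.data = telemetry;
    ctrl.timeout = 500;  // milliseconds
    if (ioctl(usb_fd, USBDEVFS_CONTROL, &ctrl) < 0) {
        // Still attempt the read, but make the failure visible.
        printf("Telemetry command failed: %s\n", strerror(errno));
    }

    // Vendor IN read of the 64-byte telemetry block.
    ctrl.bRequestType = 0xC1;
    ctrl.bRequest = 0x01;
    ctrl.wLength = 64;
    ctrl.data = buffer;
    const int got = ioctl(usb_fd, USBDEVFS_CONTROL, &ctrl);
    if (got >= 64) {
        printf("IMU data: ");
        for (int i = 4; i < 16; i++) {
            printf("%02x ", buffer[i]);
        }

        // Any non-zero byte in offsets 4..39 counts as "active".
        int non_zero = 0;
        for (int i = 4; i < 40; i++) {
            if (buffer[i] != 0) {
                non_zero++;
            }
        }
        if (non_zero > 0) {
            printf("\n✅ SUCCESS! IMU is now active!\n");
        } else {
            printf("\n❌ IMU still inactive (all zeros)\n");
        }
    } else {
        // A failed or short read previously produced no output at all, which
        // was indistinguishable from the check never having run.
        printf("Final read returned %d, expected 64 bytes\n", got);
    }
    return 0;
}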