#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/usbdevice_fs.h>
#include "usb_cleanup.h" // Cleanup handler utilities
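/*
 * Hex-dump the first bytes of a control-transfer reply, or explain why there
 * is nothing to dump.
 *
 * label: prefix printed before the bytes (output format unchanged from the
 *        original inline code).
 * buf:   reply buffer; only the first `ret` bytes are device-written.
 * ret:   ioctl() result — byte count on success, -1 (errno set) on failure.
 * cap:   sizeof the buffer; `ret` is clamped to it so the dump never indexes
 *        past the stack array whatever the kernel reports.
 *
 * A failed transfer is reported with errno text rather than silently skipped,
 * so a STALL (EPIPE) on an unsupported vendor request is distinguishable from
 * a genuinely empty reply.
 */
static void print_hex_reply(const char *label, const uint8_t *buf, int ret, size_t cap) {
    if (ret < 0) {
        printf("%s: request failed (%s)\n", label, strerror(errno));
        return;
    }
    if ((size_t)ret > cap) {
        ret = (int)cap;
    }
    if (ret == 0) {
        printf("%s: empty reply\n", label);
        return;
    }
    printf("%s (%d bytes): ", label, ret);
    /* Only the first 16 bytes are shown; enough to see a status word. */
    for (int i = 0; i < 16 && i < ret; i++) {
        printf("%02x ", buf[i]);
    }
    printf("\n");
}

/*
 * Probe two vendor-specific IN requests (0x88 and 0x87) that earlier
 * exploration guessed to be "security status" and "feature flags", and print
 * the start of each reply.
 *
 * fd: open usbfs file descriptor (supplied by termux-usb).
 *
 * bRequestType 0xC1 = device-to-host | vendor | recipient interface. The
 * request codes and their meaning are guesses inherited from the original
 * notes (hence the '?'), not documented by the vendor.
 */
void check_authentication_need(int fd) {
    uint8_t buffer[256] = {0};
    struct usbdevfs_ctrltransfer ctrl = {
        .bRequestType = 0xC1,
        .bRequest = 0x88, // Security status?
        .wValue = 0x0000,
        .wIndex = 0x0000,
        .wLength = 64,
        .timeout = 500,
        .data = buffer,
    };

    printf("=== Checking for authentication requirements ===\n");

    // Try to read secure/locked status
    int ret = ioctl(fd, USBDEVFS_CONTROL, &ctrl);
    print_hex_reply("Security status", buffer, ret, sizeof buffer);

    // Check feature flags (same transfer, different request code)
    ctrl.bRequest = 0x87; // Feature flags?
    ret = ioctl(fd, USBDEVFS_CONTROL, &ctrl);
    print_hex_reply("Feature flags", buffer, ret, sizeof buffer);
}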
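/*
 * Decode a 32-bit little-endian word from unaligned bytes.
 *
 * Replaces the original `*(uint32_t*)&buffer[i]`, which was a misaligned,
 * strict-aliasing-violating access. The original read host byte order; on the
 * Android/ARM and x86 hosts this tool targets that is little-endian, so the
 * decoded value is the same.
 */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True when every byte in [buf, buf + len) is zero; an empty range is all zero. */
static int bytes_all_zero(const uint8_t *buf, int len) {
    for (int i = 0; i < len; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/*
 * Re-issue the extended-telemetry SET/GET pair and summarise the reply:
 * header bytes, whether the IMU region (offsets 4-39) is all zero, a
 * non-zero count for the region from offset 64 on, and any 32-bit words at
 * offsets 76..119 whose top byte is 0x20 (0x20000000 is the SRAM base of the
 * ARM Cortex-M memory map, presumably why the original flags them).
 *
 * fd: open usbfs file descriptor.
 *
 * Fixes relative to the original:
 *  - the SET transfer's result is no longer ignored; a failed GET is reported
 *    and the function returns instead of printing uninitialised stack bytes;
 *  - every index is bounded by the length the device actually returned (and
 *    by sizeof buffer), including the 4-byte window of the pointer scan;
 *  - "All zeros" now tests the whole 4-39 region rather than bytes 4 and 20;
 *  - words are read with load_le32() (no misaligned uint32_t access).
 */
void document_findings(int fd) {
    uint8_t buffer[512] = {0};
    // Get extended telemetry one more time
    uint8_t telemetry[] = {0x00, 0x40, 0xbf, 0x00};
    struct usbdevfs_ctrltransfer ctrl = {
        .bRequestType = 0x41, // host-to-device | vendor | interface
        .bRequest = 0x01,
        .wValue = 0x0000,
        .wIndex = 0x0000,
        .wLength = sizeof telemetry,
        .timeout = 500,
        .data = telemetry,
    };

    printf("\n=== Final Documentation Scan ===\n");

    if (ioctl(fd, USBDEVFS_CONTROL, &ctrl) < 0) {
        // Keep going: the GET may still answer, but the reader should know.
        printf("- Telemetry SET failed: %s\n", strerror(errno));
    }

    // Read extended format
    ctrl.bRequestType = 0xC1; // device-to-host | vendor | interface
    ctrl.bRequest = 0x01;
    ctrl.wLength = sizeof buffer;
    ctrl.data = buffer;
    int ret = ioctl(fd, USBDEVFS_CONTROL, &ctrl);

    printf("\nExtended telemetry analysis:\n");
    if (ret < 0) {
        printf("- Read failed: %s\n", strerror(errno));
        return;
    }
    // The kernel caps the transfer at wLength, but the length is still
    // device-controlled from the reader's point of view: clamp before indexing.
    if ((size_t)ret > sizeof buffer) {
        ret = (int)sizeof buffer;
    }
    printf("- Total size: %d bytes\n", ret);

    if (ret >= 4) {
        printf("- Header: %02x %02x %02x %02x\n", buffer[0], buffer[1], buffer[2], buffer[3]);
    }

    if (ret > 4) {
        int imu_end = ret < 40 ? ret : 40;
        printf("- IMU region (4-39): All %s\n",
               bytes_all_zero(&buffer[4], imu_end - 4) ? "zeros (inactive)" : "active");
    } else {
        printf("- IMU region (4-39): not present in reply\n");
    }

    if (ret > 64) {
        printf("- Extended region (64+): ");
        int non_zero = 0;
        for (int i = 64; i < ret; i++) {
            if (buffer[i] != 0) {
                non_zero++;
            }
        }
        printf("%d non-zero bytes\n", non_zero);

        // Show memory addresses: 4-byte words at 76, 80, ..., 116, but only
        // those fully inside the returned data.
        printf("- Memory pointers found:\n");
        for (int i = 76; i + 4 <= 120 && i + 4 <= ret; i += 4) {
            uint32_t addr = load_le32(&buffer[i]);
            if ((addr & 0xFF000000u) == 0x20000000u) {
                printf(" Offset %d: 0x%08X (SRAM)\n", i, (unsigned)addr);
            }
        }
    }
}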
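/*
 * Entry point: take the usbfs descriptor termux-usb hands over in
 * TERMUX_USB_FD, install the cleanup handlers, run the two probes and print
 * the conclusions of the exploration.
 *
 * Returns 0 on success, 1 when no usable descriptor was supplied.
 *
 * The descriptor is parsed with strtol() and fully validated: the original
 * atoi() turned any non-numeric value into 0, which then passed the `< 0`
 * check and sent vendor control requests to fd 0 (stdin).
 */
int main(void) {
    int usb_fd = -1;
    const char *fd_str = getenv("TERMUX_USB_FD");
    if (fd_str) {
        char *end = NULL;
        errno = 0;
        long v = strtol(fd_str, &end, 10);
        if (end == fd_str || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX) {
            fprintf(stderr, "ERROR: TERMUX_USB_FD is not a valid descriptor: '%s'\n", fd_str);
        } else {
            usb_fd = (int)v;
        }
    }
    if (usb_fd < 0) {
        fprintf(stderr, "ERROR: No USB file descriptor\n");
        fprintf(stderr, "Run via: termux-usb -r /dev/bus/usb/XXX/YYY ./final_safe_test\n");
        return 1;
    }

    // Setup cleanup handlers for graceful shutdown
    setup_cleanup_handlers(usb_fd);

    printf("Final safe exploration after crashes...\n");
    printf("Press Ctrl+C to exit safely\n\n");

    check_authentication_need(usb_fd);
    document_findings(usb_fd);

    printf("\n=== CONCLUSIONS ===\n");
    printf("1. Device architecture:\n");
    printf(" - Rokid Max2 has built-in displays (controlled via HDMI/DP)\n");
    printf(" - USB provides IMU sensor access\n");
    printf(" - Station 2 is a Linux box for processing\n\n");
    printf("2. USB findings:\n");
    printf(" - Protocol mapped: SET/GET commands work\n");
    printf(" - Extended telemetry contains memory addresses\n");
    printf(" - IMU currently inactive (returns zeros)\n");
    printf(" - Interface 3 causes crashes\n\n");
    printf("3. Why IMU is inactive:\n");
    printf(" - Requires Station 2 authentication\n");
    printf(" - Power management when standalone\n");
    printf(" - Missing initialization sequence\n\n");
    printf("4. What we CAN do:\n");
    printf(" - Read firmware version (0.17)\n");
    printf(" - Access extended telemetry format\n");
    printf(" - Send configuration commands\n");
    printf(" - Map memory structure\n\n");
    printf("5. What we CANNOT do:\n");
    printf(" - Activate IMU without Station 2\n");
    printf(" - Control displays (HDMI/DP only)\n");
    printf(" - Access cameras (if they exist)\n");
    printf(" - Enable 6DOF tracking\n");

    // Clean up before exit
    cleanup_usb();
    printf("\nUSB device released cleanly\n");
    return 0;
}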