@frederic
Created February 12, 2020 08:09
good bug on 7
Data downloaded over USB is stored in 'dl_buf' at 0x02021800. It contains a uint32_t size field, 'dl_size', at offset 0x4.
There's a check to ensure 'dl_size' is smaller than 0x4E800.
However, an integer overflow can bypass the check if the size is higher than 0xFDFDE7FF.
'dl_buf' can be overflowed that way, but not sure if it is exploitable, because the buffer is probably located at the end of memory.
However, there's another interesting detail when 'dl_size' is larger than 0xfffe00:
for every bulk transfer packet received, 'dl_size' is decreased by 0xfffe00 and 'dl_buf' is increased by 0xfffe00.
By sending empty bulk packets, 'dl_buf' can be moved past its end without writing any data into 'dl_buf'.
Finally, when 'dl_size' becomes smaller than 0xfffe00, the last bulk transfer is written to the arbitrary address now held in 'dl_buf'.
To achieve finer granularity on the 'dl_buf' pointer, the first bulk transfer can be used to increase 'dl_buf' by up to 64kb.
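Added example (not code from the gist or the firmware it describes): a reconstruction of the size check in the shape that produces exactly the 0xFDFDE7FF threshold above (end address formed as a wrapping 32-bit sum), next to a hardened check that compares the length alone, plus a per-packet guard for the chunked receive path so that advancing the write pointer can never leave the buffer. The check form and the dl_state struct are assumptions; the constants are the gist's.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values from the gist. */
#define DL_BUF_BASE   0x02021800u  /* address of dl_buf */
#define DL_SIZE_LIMIT 0x4E800u     /* dl_size must be below this */
#define DL_STEP       0xFFFE00u    /* dl_size/dl_buf move by this per bulk packet */

/* Assumed reconstruction of the vulnerable check: the end address is a
 * 32-bit sum, which wraps to a small value once size >= 0x100000000 - base.
 * With base 0x02021800 that happens for size >= 0xFDFDE800. */
bool dl_size_ok_vulnerable(uint32_t base, uint32_t size)
{
    uint32_t end = base + size;               /* may wrap */
    return end < base + DL_SIZE_LIMIT;
}

/* Hardened check: compare the length itself, no address arithmetic. */
bool dl_size_ok_hardened(uint32_t size)
{
    return size < DL_SIZE_LIMIT;
}

/* Hypothetical receive state: the destination is tracked as an offset into
 * dl_buf rather than as a raw pointer, so it can be range-checked. */
struct dl_state {
    uint32_t offset;     /* bytes already consumed in dl_buf (<= DL_SIZE_LIMIT) */
    uint32_t remaining;  /* bytes still expected */
};

/* Per-packet guard for the chunked path. Each packet occupies a slot of at
 * most DL_STEP bytes; the slot must fit inside dl_buf and the packet must
 * fit inside its slot. Empty packets still consume a slot, but the slot is
 * validated before the offset advances, so the pointer can't escape. */
bool dl_accept_packet(struct dl_state *st, uint32_t pkt_len)
{
    uint32_t step = st->remaining > DL_STEP ? DL_STEP : st->remaining;
    if (pkt_len > step)
        return false;                         /* packet larger than its slot */
    if (step > DL_SIZE_LIMIT - st->offset)    /* offset <= limit, so no underflow */
        return false;                         /* slot would extend past dl_buf */
    st->offset += step;
    st->remaining -= step;
    return true;
}
```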