2 files changed, 35 insertions, 3 deletions

diff --git a/src/irecovery.c b/src/irecovery.c
index 7150f90..98b1e90 100644
--- a/src/irecovery.c
+++ b/src/irecovery.c
@@ -27,7 +27,7 @@
 #define debug(...) if(verbose) fprintf(stderr, __VA_ARGS__)
 
 enum {
-	kResetDevice, kStartShell, kSendCommand, kSendFile
+	kResetDevice, kStartShell, kSendCommand, kSendFile, kSendExploit
 };
 
 static unsigned int quit = 0;
@@ -146,9 +146,9 @@ void print_usage() {
 	printf("iRecovery - iDevice Recovery Utility\n");
 	printf("Usage: ./irecovery [args]\n");
 	printf("\t-v\t\tStart irecovery in verbose mode.\n");
-	printf("\t-u <uuid>\ttarget specific client by its 40-digit client UUID\n");
 	printf("\t-c <cmd>\tSend command to client.\n");
 	printf("\t-f <file>\tSend file to client.\n");
+	printf("\t-k [exploit]\tSend usb exploit to client.\n");
 	printf("\t-h\t\tShow this help.\n");
 	printf("\t-r\t\tReset client.\n");
 	printf("\t-s\t\tStart interactive shell.\n");
@@ -162,7 +162,7 @@ int main(int argc, char** argv) {
 	char* argument = NULL;
 	irecv_error_t error = 0;
 	if(argc == 1) print_usage();
-	while ((opt = getopt(argc, argv, "vhrsc:f:")) > 0) {
+	while ((opt = getopt(argc, argv, "vhrsc:f:k::")) > 0) {
 		switch (opt) {
 		case 'v':
 			verbose += 1;
@@ -190,6 +190,11 @@ int main(int argc, char** argv) {
 			argument = optarg;
 			break;
 
+		case 'k':
+			action = kSendExploit;
+			argument = optarg;
+			break;
+
 		default:
 			fprintf(stderr, "Unknown argument\n");
 			return -1;
@@ -225,6 +230,18 @@ int main(int argc, char** argv) {
 		debug("%s\n", irecv_strerror(error));
 		break;
 
+	case kSendExploit:
+		if(argument != NULL) {
+			error = irecv_send_file(client, argument);
+			if(error != IRECV_E_SUCCESS) {
+				debug("%s\n", irecv_strerror(error));
+				break;
+			}
+		}
+		error = irecv_send_exploit(client);
+		debug("%s\n", irecv_strerror(error));
+		break;
+
 	case kStartShell:
 		init_shell(client);
 		break;
diff --git a/src/libirecovery.c b/src/libirecovery.c
index 78745b1..6587fe0 100644
--- a/src/libirecovery.c
+++ b/src/libirecovery.c
@@ -428,6 +428,21 @@ irecv_error_t irecv_get_ecid(irecv_client_t client, unsigned long long* ecid) {
 	return IRECV_E_SUCCESS;
 }
 
+
+irecv_error_t irecv_send_exploit(irecv_client_t client) {
+	if(client == NULL || client->handle == NULL) {
+		return IRECV_E_NO_DEVICE;
+	}
+
+	irecv_error_t error = irecv_set_interface(client, 1, 1);
+	if(error != IRECV_E_SUCCESS) {
+		return error;
+	}
+
+	libusb_control_transfer(client->handle, 0x21, 2, 0, 0, NULL, 0, 100);
+	return IRECV_E_SUCCESS;
+}
+
 const char* irecv_strerror(irecv_error_t error) {
 	switch(error) {
 	case IRECV_E_SUCCESS: