boy1337 bb33bb
@bb33bb
bb33bb / exp.c
Created August 19, 2024 03:20 — forked from soez/exp.c
CVE-2022-22265 Samsung A25 npu driver
/*
*
* Author: @javierprtd
* Date : 01-08-2024
* Kernel: 5.10.177
* Samsung A25 NPU: CVE-2022-22265 (bug patched - reintroduced)
*
*/
// echo 1 > /sys/module/memlogger/holders/npu/drivers/platform:exynos-npu/npu_exynos/npu_err_in_dmesg
@bb33bb
bb33bb / 1_Snippet_Instructions.txt
Created August 7, 2024 04:46 — forked from psifertex/1_Snippet_Instructions.txt
my current collection of snippets
Welcome to Jordan's grab-bag of common Binary Ninja Snippets.
These snippets are meant to run with the Binary Ninja Snippets Plugin
(http://github.com/Vector35/snippets), though they can all also be pasted
directly into the python console or turned into stand-alone plugins if needed.
To install the entire collection at once, just install the Snippets plugin via
the plugin manager (CMD/CTL-SHIFT-M), confirm the Snippet Editor works
(Tool/Snippets/Snippet Editor), and unzip this bundle (Download ZIP above) into
your Snippets folder.
@bb33bb
bb33bb / moto-g60-gsi-update.md
Created December 20, 2023 04:13 — forked from surfaceflinger/moto-g60-gsi-update.md
Update firmware and install/update GSI on motorola moto g60 (hanoip)
  1. First, download the latest stock firmware from lolinet. You probably want those whose names begin with RET, but tbh I don't know what the difference is between them. Personally, I used RETEU because that's what I had from factory.
  2. Download the latest "Light" variant of the LineageOS 20 GSI. You can find everything here. The "Light" variant has limited compatibility with legacy devices, but it works PERFECTLY on hanoip.
  3. Unpack the stock firmware into the stock directory.
  4. Unpack the GSI into the gsi directory and rename it to system.img.
  5. Make sure that you have a file structure like this:
nat@blahaj [~/Downloads] ✨ tree
.
├── gsi-update.sh
├── gsi
@bb33bb
bb33bb / ios-downgrade-dualboot.md
Created December 3, 2023 10:43 — forked from LukeZGD/ios-downgrade-dualboot.md
Downgrade and dualboot status of almost all iOS devices

UPDATED: 2023-12-02

@bb33bb
bb33bb / load_wrapper.cc
Created November 22, 2023 07:08 — forked from singleghost2/load_wrapper.cc
Disable ASLR on macOS for dylib include those loaded with `dlopen`
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>
#include <string.h>
/* ASLR disabling magic constant from Apple LLDB source code
https://opensource.apple.com/source/lldb/lldb-76/tools/darwin-debug/darwin-debug.cpp
*/
@bb33bb
bb33bb / deboot.sh
Created October 2, 2023 03:53 — forked from knotdevel/deboot.sh
script to build Ubuntu rootfs (for arm64, armhf, powerpc, ppc64el)
#!/bin/bash
#
# deboot.sh
# script to build Ubuntu rootfs (for arm64, armhf, powerpc, ppc64el)
#
# Copyright 2017 knotdevel
# Released under the MIT license
# http://opensource.org/licenses/mit-license.php
#
#
// https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <mqueue.h>
@bb33bb
bb33bb / internationalhackingsolutionsfbi.s
Created July 18, 2023 06:45 — forked from exploit3dguy/internationalhackingsolutionsfbi.s
PTE patch code (RWX map) for new iBoot
.text
.pool
.set ARM_TTE_BLOCK_PNX, 0x0020000000000000
.set ARM_TTE_BLOCK_NX, 0x0040000000000000
.set SDRAM_PAGE1, 0x180082000
.set SRAM_PAGE1, 0x1800841F0
.global _main
iPad6,3
iOS 9.3 (13E234)
sep-firmware.j127.RELEASE.im4p
IV: 0F91420AA134E6D8D6807EFA7FFAB446
KEY: 42F908A3012E9E2DC22EDD818621C4BECFB41AED43D78671AB28BB8126268DB4
iPad6,8
iPadOS 13.2 (17B84)
sep-firmware.j99a.RELEASE.im4p
@bb33bb
bb33bb / blackbird_a8_a9.txt
Created July 18, 2023 03:11
A8/A9 blackbird exploitation
On Aug 6 2020 @windknown posted about SEPROM bug called "blackbird" with attached presentation: https://twitter.com/windknown/status/1291308058493116416?s=20
@littlailo also posted that he had the bug, and their own gist/explanation: https://twitter.com/littlelailo/status/1296774861344432131?s=20
Short recap of the bug: In the function where SEPROM prepares its external TZ0 memory, it reads the TZ0/TZ1 base/end regs and shifts them out of bounds (<< 12), making any bit above 20 invisible to SEPROM, whereas AMCC (Apple’s Memory Cache Controller) casts the 32-bit register into 64-bit, which can therefore result in arbitrary TZ0 r/w from the AP side.
NOTE: there will not be much explanation of how some things work here, just pure exploitation from my perspective. To learn more about SEPROM/the bug itself you should read windknown's presentation first.
How to get the bug working:
1. read the TZ0/TZ1 base/end reg values from iBoot (platform_bootprep)