Revolutionary decompiled :) - Android Q&A, Help & Troubleshooting

What do you think about this part of the code:
Code:
//----- (00405B8C) --------------------------------------------------------
void *__cdecl sub_405B8C(int a1, void *a2, size_t a3)
{
    char *v3;
    size_t v4;
    size_t v5;
    size_t v6;
    size_t v7;
    char v9;  // [sp+14h] [bp-34h]@1
    char v10; // [sp+15h] [bp-33h]@1
    char v11; // [sp+16h] [bp-32h]@1
    char v12; // [sp+17h] [bp-31h]@1
    char v13; // [sp+18h] [bp-30h]@1
    char v14; // [sp+19h] [bp-2Fh]@1
    char v15; // [sp+1Ah] [bp-2Eh]@1
    char v16; // [sp+1Bh] [bp-2Dh]@1
    char v17; // [sp+1Ch] [bp-2Ch]@1
    char v18; // [sp+1Dh] [bp-2Bh]@1
    char v19; // [sp+1Eh] [bp-2Ah]@1
    char v20; // [sp+1Fh] [bp-29h]@1
    int v21; // [sp+20h] [bp-28h]@1
    int v22; // [sp+24h] [bp-24h]@1
    int v23; // [sp+28h] [bp-20h]@1
    int v24; // [sp+2Ch] [bp-1Ch]@1
    const char *v25; // [sp+30h] [bp-18h]@4
    const char *j; // [sp+34h] [bp-14h]@4
    unsigned int i; // [sp+38h] [bp-10h]@1
    int v28; // [sp+3Ch] [bp-Ch]@1
    int v29; // [sp+50h] [bp+8h]@1

    // v21..v24 are four adjacent ints used as one 16-byte output buffer; zeroing
    // them is what makes the strlen() calls below work while characters are appended.
    v21 = 0;
    v22 = 0;
    v23 = 0;
    v24 = 0;
    // v9..v19 hold an 11-byte constant stored XOR 0x42; v20 is its NUL terminator.
    v9 = 102;
    v10 = 115;
    v11 = 102;
    v12 = 16;
    v13 = 7;
    v14 = 20;
    v15 = 21;
    v16 = 11;
    v17 = 12;
    v18 = 114;
    v19 = 118;
    v20 = 0;
    // Message left for whoever decompiles the binary; the function never uses v28.
    v28 = (int)"Hello reverse engineer :-),\n\n We see you've beaten our UPX 'obfuscation' to keep the script kiddies out, so now we'd like to appeal to your obvious intelligence.\n\n The purpose of the beta key is absolutely not to restrict Revolutionary from some users, it's to enable us to have a kill-switch as it were incase the beta turns into a brickfest.\n\n We'd very much like to have and retain the ability to 'effectively' kill off beta builds of Revolutionary that are causing bricks and real damage to end users' phones.\n\n By all means bypass the check, generate your own key and make use of Revolutionary, you've certainly earned it. All we ask/plead of you is to not distribute a hacked Revolutionary beta binary with our safety measure removed.\n\n Thanks,\n The Revolutionary team\n ";
    v29 = a1 + 4;
    // Decode the constant in place. XOR 0x42 over the 11 bytes gives "$1$REVWIN04",
    // which has the form of a crypt(3) MD5 ("$1$") salt.
    for ( i = 0; i <= 0xA; ++i )
        *(&v9 + i) ^= 0x42u;
    // Hash the caller's data (a1 + 4) with that salt. sub_406538 is presumably a
    // crypt()-style routine (inferred from the salt format, not confirmed in the dump).
    v3 = sub_406538(v29, (int)&v9);
    // Skip the 12-byte "$1$REVWIN04$" prefix so v25 points at the hash body.
    v25 = v3 + 12;
    // Four passes each append 4 characters to v21, skipping two excluded characters
    // (asc_119E535 and a__0; given the crypt alphabet "./0-9A-Za-z" these are presumably
    // '.' and '/', leaving only alphanumerics).
    // Pass 1: forward from the start of the hash body until 4 characters are collected.
    for ( j = v3 + 12; strlen((const char *)&v21) <= 3; ++j )
    {
        v4 = strlen(v25);
        if ( &v25[v4] <= j )
            break;
        if ( asc_119E535[0] != *j )
        {
            if ( a__0[0] != *j )
                strncat((char *)&v21, j, 1u);
        }
    }
    // Pass 2: backward from the end of the hash body until 8 characters.
    v5 = strlen(v25);
    for ( j = &v25[v5]; strlen((const char *)&v21) <= 7 && j >= v25; --j )
    {
        if ( asc_119E535[0] != *j )
        {
            if ( a__0[0] != *j )
                strncat((char *)&v21, j, 1u);
        }
    }
    // Pass 3: forward from offset 10 until 12 characters.
    for ( j = v25 + 10; strlen((const char *)&v21) <= 0xB; ++j )
    {
        v6 = strlen(v25);
        if ( &v25[v6] <= j )
            break;
        if ( asc_119E535[0] != *j )
        {
            if ( a__0[0] != *j )
                strncat((char *)&v21, j, 1u);
        }
    }
    // Pass 4: backward from 12 bytes before the end until 16 characters.
    v7 = strlen(v25);
    for ( j = &v25[v7 - 12]; strlen((const char *)&v21) <= 0xF && j >= v25; --j )
    {
        if ( asc_119E535[0] != *j )
        {
            if ( a__0[0] != *j )
                strncat((char *)&v21, j, 1u);
        }
    }
    // Copy a3 bytes of the assembled 16-character key to the caller's buffer.
    // (strncat's terminating NUL after the 16th character lands at v21 + 16,
    // i.e. on the low byte of v25, which by then is no longer needed.)
    return memcpy(a2, &v21, a3);
}

I think the Revolutionary guys have a very good sense of humor

Oh ahaha that's funny
Sent from my insertcoined sensation

Lol, that made me laugh, but can you tell me how you decompiled it, or maybe send me the code... thanks in advance

xmc wildchild22 said:
Lol, that made me laugh, but can you tell me how you decompiled it, or maybe send me the code... thanks in advance
Sorry mate, I have no plan to publish it, only maybe my own version compiled for the HTC Gratia

Hi, I want to reverse it... here is some interesting stuff!
EDIT:
boomsh is used to gain root access over adb shell
arx-helper is currently in the testing stage (it has something to do with the hboot check, maybe to check if hboot 1.02.0000 is installed?)
EDIT:
Guys, I want to say now: do not try to run these dumped binaries from Revolutionary! I'm not responsible if you brick your device!

Is this a generic UPX or some modified version?
Just asking.
EDIT: nevermind, unpacked it and decompiled it.

Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums & Read the Forum Rules
Moving to Q&A

Hboot version check and enter-serial patched... trying to install Revolutionary over hboot 1.03 but getting some errors... will play with it

Here I'm now:
Code:
=============================================
| Revolutionary S-OFF & Recovery Tool 0.4pre4 |
=============================================
Brought to you by AlphaRev & unrEVOked.
Waiting for device...
Found your device: Liberty (liberty-1.03.0000, Android: 2.3.7, ROM version: passion-user)
Beta key removed -- thank you munjeni for hack:)
Root acquired!
Sending in Caroline...
Retrieving Caroline from certain doom...
Retrying Caroline...
Caroline failed, but had this to say: Invalid parameters.
Errors (if any):-
Press (almost) any key to exit.
What's the use of Caroline?
EDIT:
It's something with arx-helper, but what is the usage of arx-helper?
Code:
=============================================
| Revolutionary S-OFF & Recovery Tool 0.4pre4 |
=============================================
Brought to you by AlphaRev & unrEVOked.
Waiting for device...
Found your device: Liberty (liberty-6.02.1002, Android: 2.3.7, ROM version: passion-user)
Your device is already S-OFF, but munjeni hacked it to get you to do it again :)
.
Your device: liberty, with HBOOT 6.02.1002 ...lets try to install new :).
Beta key removed -- thank you munjeni for hack:)
Root acquired!
Sending in Caroline...
Retrieving Caroline from certain doom...
Retrying Caroline...
Caroline failed, but had this to say: Invalid parameters.
Errors (if any):-
Cleaning up...
Rebooting to fastboot...
When life gives you lemons, don't make lemonade. Make life take the lemons back!
Waiting for fastboot...
Caroline is bypassed now, but Revolutionary crashes when the device reboots to the bootloader. Any other way to install hboot 1.02 over hboot 1.03??? Testing now with the Revolutionary hboot but without success in overwriting the already installed hboot.

Progress:
- arx-helper is for the misc partition... it modifies your misc partition
- caroline patched (patched getprop ro.bootloader to getprop ro.botloadee), so before I run Revolutionary I need to setprop ro.bootloadee 1.02.0000 in order for arx-helper to get the right command "arx-helper liberty 1.02.0000"... but at the last step (3rd reboot, when hboot needs to be replaced) I get the failure message "lemonade..."
Tomorrow I will sniff fastboot USB packets to get what the communication was between the phone and Revolutionary

munjeni said:
Progress:
- arx-helper is for the misc partition... it modifies your misc partition
- caroline patched (patched getprop ro.bootloader to getprop ro.botloadee), so before I run Revolutionary I need to setprop ro.bootloadee 1.02.0000 in order for arx-helper to get the right command "arx-helper liberty 1.02.0000"... but at the last step (3rd reboot, when hboot needs to be replaced) I get the failure message "lemonade..."
Tomorrow I will sniff fastboot USB packets to get what the communication was between the phone and Revolutionary
Please tell me someone has finished doing this, successfully, and where I can get the tool for my HTC DInc2. I've been looking for days now.

Related

[Q] Need help hijacking/hooking/wrapping kernel function

I've made some modifications to drivers/usb/otg/msm_otg.c in order to support usb host mode for the Nexus 4: http://forum.xda-developers.com/showthread.php?t=2181820
So far, I've been building off Franco's sources, since I was using his kernel anyway. But this has its problems. I'm not looking to have to constantly keep up with Franco's nightlies. A good amount of posts from people are asking if I could compile a different kernel with the otg modifications, or if they could flash a different kernel on top. Franco's been getting requests to implement the modifications, and I didn't mean to put any onus on him.
I've been trying to do some research on creating a kernel module that could somehow hijack/hook/wrap the static functions I've made changes to in msm_otg.c. This is all way, way over my head though, and I could really use some help here. I've done some reading so far, but it hasn't gotten me anywhere. I got some good help on IRC, but am stuck again.
To get things rolling, I've manually found the address from /proc/kallsyms of the static function msm_chg_detect_work to be 0xc03b4950. I'm trying to make a jump from here to my own function. I was provided make_jump_op for this purpose, although I have no understanding of how it works. Here is more or less what I've got so far (relevant bits):
Code:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/preempt.h>
#include <linux/workqueue.h>
// MODULE_NAME is defined elsewhere in the module source (not shown here).

// Build an ARM-mode unconditional branch ("B") placed at src that jumps to dst.
// The 24-bit immediate is a signed word offset relative to PC, which reads as
// src + 8 in ARM mode, so the reachable range is +/-32 MiB.
// max distance: 0x02000000
unsigned int make_jump_op(unsigned int src, unsigned int dst) {
    unsigned int o;
    int distance;
    distance = (int)( ((long long)dst) - (((long long)src) + 8) );
    if (distance > 32*1024*1024 || distance < -32*1024*1024) {
        printk(KERN_ERR "distance too big!\n");
        return 0; // crash, BOOOOM!
    }
    distance = distance / 4; // read: ">>2" (identical here because distance is a multiple of 4)
    o = (unsigned int)distance; // the two's-complement bit pattern; no pointer cast needed
    o = (o & 0x00ffffff) + 0xea000000; // cond=AL, opcode for B, low 24 bits = word offset
    return o;
}

// Replacement body: the original msm_chg_detect_work is skipped entirely once hooked.
static void msm_chg_detect_work_MOD(struct work_struct *w) {
    printk(KERN_INFO "TEST\n");
}

static int ziddey_otg_init(void) {
    unsigned int *origcall;
    printk(KERN_INFO "Loading kernel module '%s'\n", MODULE_NAME);
    // 0xc03b4950: msm_chg_detect_work (from /proc/kallsyms on this specific kernel build)
    origcall = (unsigned int *) 0xc03b4950;
    preempt_disable();
    // Overwrites the first instruction of the function. This assumes the kernel text
    // is writable and that the kernel is built in ARM (not Thumb-2) mode; the
    // rewritten instruction also needs an instruction-cache flush before it is
    // reliably fetched, which this code does not do.
    *origcall = make_jump_op(0xc03b4950, (unsigned int)(void*)msm_chg_detect_work_MOD);
    preempt_enable();
    printk(KERN_INFO "Loaded kernel module '%s'\n", MODULE_NAME);
    return 0;
}
Can anyone make sense of this? I get an Oops error and kernel panic.
Thank you
Code:
$ grep msm_chg_detect_work /proc/kallsyms
c03b4950 t msm_chg_detect_work
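The arithmetic behind make_jump_op, as an added example that is not code from the thread: it encodes and decodes the ARM-mode B instruction in plain user-space Python, so the encoding and the range check can be verified before anything is written to kernel memory. The source address is the msm_chg_detect_work address from the kallsyms output above; the destination 0xBF000000 is a constructed stand-in for a module address. It only covers ARM mode: a kernel built with CONFIG_THUMB2_KERNEL uses a different 32-bit B.W layout, and neither encoding helps if the text page is read-only or the instruction cache is not flushed afterwards.

```python
# Added example (not from the thread): the ARM-mode "B" encoding that make_jump_op
# builds, done as plain arithmetic so it can be checked without touching the kernel.
ARM_B_AL = 0xEA000000          # cond = AL (1110), bits 27..24 = 1010 (B, link bit clear)
IMM24_MASK = 0x00FFFFFF
RANGE = 32 << 20               # +/-32 MiB reach of the 24-bit signed word offset


def branch_in_range(src: int, dst: int) -> bool:
    """True if a B at src can reach dst. In ARM mode the PC reads as src + 8."""
    return -RANGE <= dst - (src + 8) < RANGE


def encode_arm_branch(src: int, dst: int) -> int:
    """Return the 32-bit ARM-mode B instruction to place at src so that it jumps to dst."""
    if src % 4 or dst % 4:
        raise ValueError("ARM-mode branch addresses must be 4-byte aligned")
    if not branch_in_range(src, dst):
        raise ValueError(f"{dst:#x} is out of range from {src:#x}")
    distance = dst - (src + 8)
    # Arithmetic shift keeps the sign; masking to 24 bits yields the two's-complement
    # field (what the pointer cast in the posted C code achieves).
    return ARM_B_AL | ((distance >> 2) & IMM24_MASK)


def decode_arm_branch(src: int, insn: int) -> int:
    """Inverse: recover the target of an unconditional B located at src."""
    if (insn & 0xFF000000) != ARM_B_AL:
        raise ValueError(f"{insn:#010x} is not an unconditional ARM-mode B")
    imm24 = insn & IMM24_MASK
    if imm24 & 0x00800000:     # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return (src + 8 + (imm24 << 2)) & 0xFFFFFFFF


if __name__ == "__main__":
    src = 0xC03B4950   # msm_chg_detect_work, from the kallsyms output in the post
    dst = 0xBF000000   # constructed stand-in for a module address
    insn = encode_arm_branch(src, dst)
    print(f"B at {src:#x} -> {dst:#x}: {insn:#010x}, decodes back to {decode_arm_branch(src, insn):#x}")
```

A branch to src + 8 encodes as 0xEA000000 (offset zero), and a branch back to src itself as 0xEAFFFFFE (offset -2 words), which is the familiar "branch to self" word; comparing the decoded target with the intended one is the check worth running before the module does its write.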

[Q] prevent android from storing plain text wifi passwords [solved]

Hey,
a few months ago I read somewhere that Android stores the wifi passwords in plain text (seems to be known since 2010: http://forum.xda-developers.com/showthread.php?t=794555 but no one cares?!)
Because I don't want my wifi password to be stored that way, I searched for a way to store the WPA passphrase. This wasn't difficult, because Android uses wpa_supplicant, meaning I just had to find out my passphrase and replace the plain key in /data/misc/wifi/wpa_supplicant.conf with it. Everything still works fine and my phone is able to connect to wifi.
Now my question is: is there a way to store every new wifi password this way? It's annoying to have to edit the wpa_supplicant.conf file manually...
One problem is that it seems like Android doesn't have the wpa_passphrase binary included, even though the source code seems to exist in the wpa_supplicant repository ( https://android.googlesource.com/platform/external/wpa_supplicant_6/ ).
If someone could tell me how to build the code (I'm not familiar with the NDK), I could try writing an app which replaces all plain-text passwords with the passphrases.
But it would be awesome if it were possible to integrate this feature in a custom ROM, so no more passwords are stored in plain text.
Best regards,
David
Finally, I was able to build CarbonRom from source and found a way to integrate this in the ROM! On my device, no wifi password is stored in plain text anymore. It took a long time to figure out what file I had to change, but finally I got it.
If you are interested, I could create a patch and post it here, but I don't know how to submit patches to GitHub.
The only thing that confuses me: I found out that the SSID I use to generate the password hash is quoted. Meaning, ThisIsASSID is stored as "ThisIsASSID". But actually the password hash should be wrong because it doesn't use ThisIsASSID. Anyway, it works, and the password in wpa_supplicant.conf is hashed.
Edit: Cheered too soon... The wpa_supplicant.conf is probably just read at boot time. After a reboot I couldn't connect to my wifi anymore... But if I change the hash in the wpa_supplicant.conf file manually to the right one, it works, so now I have to solve the quoting thing. But that shouldn't be difficult.
So, all problems solved now.
Here is a patch I created, if anyone is interested:
Code:
--- original/external/wpa_supplicant_8/wpa_supplicant/config_file.c 2013-08-15 00:12:50.000000000 +0200
+++ carbon/external/wpa_supplicant_8/wpa_supplicant/config_file.c 2013-08-15 01:09:21.876028461 +0200
@@ -19,6 +19,7 @@
#include "p2p/p2p.h"
#include "eap_peer/eap_methods.h"
#include "eap_peer/eap.h"
+#include "crypto/sha1.h"
static int newline_terminated(const char *buf, size_t buflen)
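Review bot: the header is the right one, since pbkdf2_sha1() is declared in src/crypto/sha1.h in wpa_supplicant_8, but nothing else in config_file.c touches key derivation, so a one-line comment on the include saying that write_psk() now derives the PSK would help the next reader.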
@@ -483,10 +484,36 @@
static void write_psk(FILE *f, struct wpa_ssid *ssid)
{
+ unsigned char psk[32];
char *value = wpa_config_get(ssid, "psk");
- if (value == NULL)
+ char *s = wpa_config_get(ssid, "ssid");
+ if(value == NULL || s == NULL)
return;
- fprintf(f, "\tpsk=%s\n", value);
+ int slen = os_strlen(s);
+ int plen = os_strlen(value);
+ int pskquoted = (value[0] == '"' && value[plen - 1] == '"') ? 1 : 0;
+ int i;
+ //if passphrase length is 64 it's already hashed as well as hashed passphrases aren't quoted
+ if( pskquoted == 1 || plen < 64){
+ //Check for quotes and remove if necessary
+ if(s[slen - 1] == '"' && s[0] == '"') {
+ s[slen - 1] = '\0';
+ s++;
+ }
+ if(pskquoted == 1) {
+ value[plen - 1] = '\0';
+ value++;
+ }
+ //Hash passphrase
+ pbkdf2_sha1(value, (u8 *) s, os_strlen(s), 4096, psk, 32);
+ fprintf(f, "\tpsk=");
+ for (i = 0; i < 32; i++)
+ fprintf(f, "%02x", psk[i]);
+ fprintf(f, "\n");
+ } else {
+ fprintf(f, "\tpsk=%s\n", value);
+ }
+ os_free(s);
os_free(value);
}
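Review bot: `s++` and `value++` advance the very pointers that are later handed to `os_free(s)` and `os_free(value)`, so whenever a quoted SSID or passphrase is unquoted the function frees an address inside a heap block (undefined behaviour, typically a heap-corruption abort in the allocator). Keep the original pointers and use a separate cursor, e.g. `const char *sbody = s; if (s[0] == '"' && s[slen - 1] == '"') { s[slen - 1] = '\0'; sbody = s + 1; }` and the same for `value`, then pass `sbody` to pbkdf2_sha1() and free `s`. Two smaller points: `if(value == NULL || s == NULL) return;` leaks whichever of the two allocations succeeded; and wpa_config_get(ssid, "ssid") returns the SSID in its textual form (quoted, or hex/P"..." for non-printable bytes), whereas the struct already carries the raw bytes in `ssid->ssid`/`ssid->ssid_len`, which is exactly what wpa_config_update_psk() uses when it fills `ssid->psk`, so writing that buffer as hex when `ssid->psk_set` is true would avoid both the quoting problem and a second PBKDF2 run. Worth stating in the commit message too: the hex written here is the PSK itself, so it stops the passphrase being reused against other accounts but anyone who reads the file can still join the network.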
I didn't find a place in the Java code, so I directly edited the C code of wpa_supplicant
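The derivation the patch above performs, and the quoting mistake the post ran into, as an added example that is not part of David's post or of wpa_supplicant: a WPA/WPA2-Personal PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the raw SSID bytes, 4096 iterations, 32 bytes, so deriving against `"ThisIsASSID"` (quotes included) yields a different key than deriving against `ThisIsASSID`. The function names are this example's own, and it assumes a printable SSID (wpa_supplicant writes non-printable SSIDs in hex or P"..." form, which it does not decode). The expected value used here is the published IEEE 802.11 test vector for passphrase "password" and SSID "IEEE".

```python
# Added example (not from the thread): WPA PSK derivation as done by pbkdf2_sha1() in
# the patch, plus the unquoting step the post needed for wpa_supplicant.conf fields.
import hashlib
import string


def wpa_psk(passphrase: str, ssid: bytes) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID bytes, 4096 rounds, 32 bytes), returned as
    the 64 hex digits that a psk= line in wpa_supplicant.conf accepts."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32).hex()


def unquote(value: str) -> str:
    """Remove one pair of surrounding double quotes, as wpa_supplicant.conf writes them."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def is_hex_psk(value: str) -> bool:
    """An unquoted 64-hex-digit psk= value is already a key, not a passphrase."""
    return len(value) == 64 and all(c in string.hexdigits for c in value)


def psk_line(ssid_field: str, psk_field: str) -> str:
    """Rewrite the psk= value of one network block. A hex key is kept as-is; a quoted
    passphrase is derived against the SSID *without* its quotes (deriving against the
    quoted text is the mistake described in the post). Assumes a printable SSID."""
    if is_hex_psk(psk_field):
        return f"psk={psk_field}"
    ssid = unquote(ssid_field).encode("utf-8")
    return f"psk={wpa_psk(unquote(psk_field), ssid)}"


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print("PSK for IEEE/password :", wpa_psk("password", b"IEEE"))
    print('PSK for "IEEE"/password:', wpa_psk("password", b'"IEEE"'), "(wrong: quoted SSID)")
    print(psk_line('"IEEE"', '"password"'))
```

Note what this does and does not buy: the derived hex is the network key, so a copy of wpa_supplicant.conf still lets its holder join the network; the gain is that a passphrase reused for other accounts is no longer recoverable from the file.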

[q] [help] compiling recovery

Hello guys. I have been trying to compile CWM recovery for my phone. It's using an msm7627a board. I am using the prebuilt kernel. I succeeded in compiling, but when I flash it, it's not displaying anything. I tried to see what's wrong; from the recovery log I found the frame buffer /dev/graphics is not available. Everything else works: I can do a backup from ROM Manager, even keystrokes work, adb shell works... just the display is not working. Any ideas????
I also realise some other devices are not loaded.
How can I make the fb0 graphics load, or any other fix???
For those who have access to the source code...
Code:
// ... part of the concerned UI code ...
int gr_init(void)
{
    gglInit(&gr_context);
    GGLContext *gl = gr_context;
    gr_init_font();
    gr_vt_fd = open("/dev/tty0", O_RDWR | O_SYNC);
    if (gr_vt_fd < 0) {
        // This is non-fatal; post-Cupcake kernels don't have tty0.
        perror("can't open /dev/tty0");
    }
    else
    {
        if (ioctl(gr_vt_fd, KDSETMODE, (void*) KD_GRAPHICS)) {
            // However, if we do open tty0, we expect the ioctl to work.
            perror("failed KDSETMODE to KD_GRAPHICS on tty0");
            gr_exit();
            return -1;
        }
    }
    // this is the call that fails because it tries opening /dev/graphics/fb0, which does not exist
    gr_fb_fd = get_framebuffer(gr_framebuffer);
    if (gr_fb_fd < 0) {
        gr_exit();
        perror("cant get framebuffer");
        return -1;
    }
    get_memory_surface(&gr_mem_surface);
    fprintf(stderr, "framebuffer: fd %d (%d x %d)\n",
            gr_fb_fd, gr_framebuffer[0].width, gr_framebuffer[0].height);
    /* start with 0 as front (displayed) and 1 as back (drawing) */
    gr_active_fb = 0;
    set_active_framebuffer(0);
    gl->colorBuffer(gl, &gr_mem_surface);
    gl->activeTexture(gl, 0);
    gl->enable(gl, GGL_BLEND);
    gl->blendFunc(gl, GGL_SRC_ALPHA, GGL_ONE_MINUS_SRC_ALPHA);
    gr_fb_blank(true);
    gr_fb_blank(false);
    return 0;
}
// ... end of code ...

ADB Tools with C#

Hello XDA,
I am writing ADB tools in C# but am having a problem with path recognition
Code:
private void button6_Click(object sender, EventArgs e)
{
    openFileDialog1.InitialDirectory = @"C:\";
    openFileDialog1.Title = "Select Kernel File";
    openFileDialog1.FileName = "Choose File";
    openFileDialog1.CheckFileExists = true;
    openFileDialog1.Filter = ".IMG|*.img";
    if (openFileDialog1.ShowDialog() == DialogResult.OK)
    {
        // The file the user picked is openFileDialog1.FileName; textBox2.Text must
        // hold the same path for the command below to flash it.
        label1.Text = openFileDialog1.FileName;
        // Start fastboot directly with the path as one double-quoted argument instead
        // of building a "cmd /c" string: a path containing spaces would otherwise be
        // split into several arguments, and one containing cmd metacharacters such as
        // '&' would be run as a second command.
        var psi = new ProcessStartInfo("fastboot", "flash boot \"" + textBox2.Text + "\"")
        {
            UseShellExecute = false
        };
        using (var process = Process.Start(psi))
        {
            process.WaitForExit();
        }
    }
}
The marked part (`+ textBox2.Text`) has a problem, I think: when I select a kernel image file located inside multiple directories to flash, the CMD opens and just closes in a second and nothing actually happens on the phone, but when I use a file from the desktop it flashes without any problem.
I tried using Path.Combine() but really don't know how to use it; I just started writing things in C#.
Thanks!
Bump!
Bump bump
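The failure in the post, as an added example (not the poster's code, and in Python rather than C# so the split can be shown without a GUI): a command built by string concatenation breaks at the first space in the path, and the same construction turns a path containing `&` into a second command when handed to `cmd /c`. The functions and the sample path are this example's own; shlex in non-POSIX mode is used only to show how the string gets tokenised, the fix being to pass an argument list to the process instead of a command string.

```python
# Added example (not from the thread): why "fastboot flash boot " + path breaks on
# paths with spaces, and the argument-list form that avoids the problem entirely.
import shlex
import subprocess

CMD_METACHARS = set('&|<>^"')   # characters cmd.exe interprets inside a "/c" command string


def fastboot_flash_argv(partition: str, image_path: str) -> list:
    """Argument vector for 'fastboot flash <partition> <image>': the path travels as one
    argv element whatever it contains, so no quoting and no shell are involved."""
    if not partition.isalnum():
        raise ValueError(f"unexpected partition name {partition!r}")
    if not image_path.lower().endswith(".img"):
        raise ValueError("expected a .img file")
    return ["fastboot", "flash", partition, image_path]


def naive_tokens(partition: str, image_path: str) -> list:
    """How the concatenated command from the post is split into arguments: every space
    in the path starts a new argument."""
    return shlex.split(f"fastboot flash {partition} {image_path}", posix=False)


def quoted_tokens(partition: str, image_path: str) -> list:
    """The same command with the path in double quotes: it survives as one argument."""
    return shlex.split(f'fastboot flash {partition} "{image_path}"', posix=False)


def risky_characters(image_path: str) -> set:
    """Characters in the path that cmd.exe /c treats as operators rather than text, so
    'flash boot x.img & <something>' would run <something> as a second command."""
    return set(image_path) & CMD_METACHARS


def flash(partition: str, image_path: str, dry_run: bool = True):
    """Run fastboot without going through cmd.exe. With dry_run the argv is returned."""
    argv = fastboot_flash_argv(partition, image_path)
    if dry_run:
        return argv
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    path = r"C:\Users\me\my kernels\boot.img"     # constructed example path
    print("naive split :", naive_tokens("boot", path))
    print("quoted split:", quoted_tokens("boot", path))
    print("argv        :", flash("boot", path))
    print("risky chars :", risky_characters(r"C:\tmp\boot.img & echo hi"))
```

With the sample path the naive form yields five tokens (the path is cut at "my kernels"), which is why fastboot exits at once with nothing flashed, while the desktop path without spaces works by accident.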

How to go about patching the kernel to get EHCI(USB 2.0) devices to behave like xHCI?

Basically, there has been an app ported to Android that allows even unrooted(stock) devices to deliver a bootrom exploit to the Nintendo Switch via USB-OTG and a USB cable (or C-to-C). USB 3.0 (xHCI) devices have no issues and deliver the exploit just fine. Apparently it is not even a USB 2.0 problem but rather how the EHCI performs, as certain USB 2.0 phones actually have the xHCI controller and can run the exploit just fine. What happens is that although it can detect the connected Switch in Tegra Recovery Mode, it just doesn't do anything and gives an error in the logs, "SUMBITURB failed".
On Linux desktop systems it is similar, but the exploit can still work with a kernel patch provided by a hacking group that discovered the exploit in the first place:
Code:
--- linux-4.14.27/drivers/usb/host/ehci-hcd.c.old 2018-04-17 18:00:00.000000000 +0000
+++ linux-4.14.27/drivers/usb/host/ehci-hcd.c 2018-04-17 18:00:00.000000000 +0000
@@ -873,14 +873,6 @@
INIT_LIST_HEAD (&qtd_list);
switch (usb_pipetype (urb->pipe)) {
- case PIPE_CONTROL:
- /* qh_completions() code doesn't handle all the fault cases
- * in multi-TD control transfers. Even 1KB is rare anyway.
- */
- if (urb->transfer_buffer_length > (16 * 1024))
- return -EMSGSIZE;
- /* FALLTHROUGH */
- /* case PIPE_BULK: */
default:
if (!qh_urb_transaction (ehci, urb, &qtd_list, mem_flags))
return -ENOMEM;
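Review bot: deleting the whole PIPE_CONTROL case removes the 16 KiB guard together with the reason the comment gives for it (qh_completions() does not handle every fault case of a multi-TD control transfer), so a failed large control transfer can now reach exactly that unhandled path. For a lab host that needs one large control transfer that is tolerable; for a kernel that stays booted, keep the case and raise the bound instead, which is the narrower change the hotpatch script later in this post makes by rewriting the 16*1024 constant to 0x1000000.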
The author of the Android port had also written a Python "hotpatch" script for desktop Linux systems:
Code:
#!/usr/bin/env python3
import os
"""
Cursed Code.
This code literally patches your kernel memory, proceed at your own risk.
Tested on Ubuntu 17.10 and Arch, x86_64. Should work on other distros, maybe even other architectures!
Run fusee-launcher.py with the "--override-checks" argument.
If you'd rather patch your drivers properly:
https://github.com/fail0verflow/shofel2/blob/master/linux-ehci-enable-large-ctl-xfers.patch
"""
# Map symbol name -> address from /proc/kallsyms ("<addr> <type> <name> [module]").
# A symbol this kernel does not have raises KeyError further down, and on a kernel
# with kptr_restrict set (the Android default) every address reads as 0 for an
# unprivileged reader.
ksyms = {
    line[2]: int(line[0], 16)
    for line in
    map(lambda l: l.strip().split(),
        open("/proc/kallsyms", "r").readlines())}
print(hex(ksyms["ehci_urb_enqueue"]))
patch_c = """
#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/pgtable.h>
static u32 ORIG_MAX = 16*1024;
static u32 NEW_MAX = 0x1000000;
/* borrowed from MUSL because I'm lazy AF */
static char *fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
{
    uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3];
    uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3];
    for (h+=3, k-=3; k; k--, hw = hw<<8 | *++h)
        if (hw == nw) return (char *)h-3;
    return 0;
}
/* lookup_address() is not exported to modules, so it is reached via its kallsyms address */
static pte_t* (*lookup_addr)(unsigned long, unsigned int*) = (void *) PLACE2;
static void set_addr_rw(unsigned long addr) {
    unsigned int level;
    pte_t *pte = lookup_addr(addr, &level);
    set_pte_atomic(pte, pte_mkwrite(*pte));
}
int init_module(void) {
    void * ehci_urb_enqueue_start = (void *) PLACEHOLDER;
    u32 * patch_addr;
    printk(KERN_INFO "Patch module loaded\\n");
    /* search the first 0x400 bytes of ehci_urb_enqueue for the 16*1024 immediate */
    patch_addr = (u32 *) fourbyte_memmem(ehci_urb_enqueue_start, 0x400, (void *)&ORIG_MAX);
    if (patch_addr == NULL) {
        printk(KERN_INFO "Failed to find patch site :(\\n");
        return -1;
    }
    printk(KERN_INFO "patch_addr: 0x%px\\n", patch_addr);
    set_addr_rw((unsigned long)patch_addr);
    *patch_addr = NEW_MAX;
    printk(KERN_INFO "Patching done!\\n");
    /* deliberately fail the load so the module is never left resident */
    return -1;
}
""".replace("PLACEHOLDER", hex(ksyms["ehci_urb_enqueue"])).replace("PLACE2", hex(ksyms["lookup_address"]))
# Note: the recipe line of a Makefile must be indented with a tab character.
makefile = """
obj-m += patch.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
"""
with open("patch.c", "w") as patchfile:
    patchfile.write(patch_c)
with open("Makefile", "w") as mf:
    mf.write(makefile)
os.system("make")
print("About to insert patch module, 'Operation not permitted' means it probably worked, check dmesg output.")
os.system("insmod patch.ko")
I tried to see if running it in Termux would do anything but I got the following error:
Code:
0x0
Traceback (most recent call last):
File "ehci_patch.py", line 70, in <module>
""".replace("PLACEHOLDER", hex(ksyms["ehci_urb_enqueue"])).replace("PLACE2", hex(ksyms["lookup_address"]))
KeyError: 'lookup_address'
I know that script isn't meant for use on Android anyway but maybe it can lead to a solution. The author of it does not know how to go about it at this time either, but believes an entire recompile of the kernel would be necessary. I am hoping that something like a systemless Magisk module would be the easiest solution for users but do not know if that is possible. I am only guessing it might be possible to create a Magisk module because of audio drivers like VIPER4Android. If indeed a custom kernel is needed, does anyone know how to go about it? It could be difficult to implement for everyone because not everyone has a device where the source to the kernel is available, etc. I am willing, however, to test anything on my tablet which is USB 2.0 and gives the error in the app. Any advice for how to go about this will be greatly appreciated.
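Both things visible in the Termux output above, the `0x0` printed for ehci_urb_enqueue and the KeyError for lookup_address, come from the script's kallsyms lookup, so here is an added example (not the script author's code, nor part of the post) of a kallsyms reader that reports those two conditions instead of crashing: a symbol the kernel does not export, and addresses that read as zero because kptr_restrict hides them from an unprivileged reader. The sample kallsyms text is constructed; only the msm_chg_detect_work address is taken from a post in this thread, and the function names are this example's own.

```python
# Added example (not from the thread): a /proc/kallsyms reader that distinguishes
# "symbol missing" from "addresses hidden" instead of failing with a KeyError.
import os

# Constructed sample in /proc/kallsyms format: "<addr> <type> <name>[\t[module]]".
# Only c03b4950 (msm_chg_detect_work) comes from the thread; the rest is made up.
SAMPLE_KALLSYMS = (
    "c0008000 T _text\n"
    "c03b4950 t msm_chg_detect_work\n"
    "c0410000 t ehci_urb_enqueue\n"
    "c0410000 t ehci_urb_enqueue\n"        # duplicates occur in real kallsyms output
    "bf000000 t patch_init\t[patch]\n"     # module symbols carry a fourth field
    "malformed line\n"
)
# What an unprivileged reader sees on a kernel with kptr_restrict set.
SAMPLE_RESTRICTED = "00000000 T _text\n00000000 t ehci_urb_enqueue\n"


def parse_kallsyms(text: str) -> dict:
    """Return {name: (address, type)}; lines with fewer than three fields are skipped
    and the first occurrence of a duplicated name wins."""
    syms = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        addr, kind, name = int(fields[0], 16), fields[1], fields[2]
        syms.setdefault(name, (addr, kind))
    return syms


def missing_symbols(syms: dict, wanted) -> list:
    """Names in wanted that this kernel does not list (e.g. lookup_address on arm)."""
    return [name for name in wanted if name not in syms]


def addresses_hidden(syms: dict) -> bool:
    """True when every listed address is zero, i.e. kptr_restrict is hiding them."""
    return bool(syms) and all(addr == 0 for addr, _ in syms.values())


def resolve(syms: dict, wanted) -> dict:
    """Return {name: address} for all wanted symbols, or raise one error that names
    every missing symbol, or one that explains the all-zero addresses."""
    missing = missing_symbols(syms, wanted)
    if missing:
        raise LookupError("not present in this kernel's kallsyms: " + ", ".join(missing))
    if addresses_hidden(syms):
        raise PermissionError("all addresses read as 0: kptr_restrict hides them from this user")
    return {name: syms[name][0] for name in wanted}


if __name__ == "__main__":
    text = open("/proc/kallsyms").read() if os.path.exists("/proc/kallsyms") else SAMPLE_KALLSYMS
    syms = parse_kallsyms(text)
    try:
        print(resolve(syms, ["ehci_urb_enqueue", "lookup_address"]))
    except (LookupError, PermissionError) as err:
        print("cannot proceed:", err)
```

Run against the restricted sample the reader reports the kptr_restrict case, and against the full sample it names lookup_address as the missing symbol, which is the diagnosis the traceback above left to the reader.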
I feel ya man, I need this stuff too. NXLoader doesn't work on my Galaxy Grand Prime (G530T) and I really need it to Dx
