bb33bb

/*
 *
 * Author: @javierprtd
 * Date  : 01-08-2024
 * Kernel: 5.10.177
 * Samsung A25 NPU: CVE-2022-22265 (bug patched - reintroduced)
 *
 */

// echo 1 > /sys/module/memlogger/holders/npu/drivers/platform:exynos-npu/npu_exynos/npu_err_in_dmesg

soez

/*
 *
 * Author: @javierprtd
 * Date  : 01-08-2024
 * Kernel: 5.10.177
 * Samsung A25 NPU: CVE-2022-22265 (bug patched - reintroduced)
 *
 */

// echo 1 > /sys/module/memlogger/holders/npu/drivers/platform:exynos-npu/npu_exynos/npu_err_in_dmesg

soez

#define MEMSTART		0x80000000UL
#define VIRTUAL_KERNEL_START	0xffffffc008000000UL
#define LINEAR_MAP_START	0xffffff8000000000UL

bool is_lm_addr(uint64_t kaddr) 
{
	return (kaddr & (VIRTUAL_KERNEL_START - (0x8 << (6 * 4)))) == LINEAR_MAP_START;
}

uint64_t virt_to_phys(uint64_t kaddr) 

singleghost2

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>
#include <string.h>

/* ASLR disabling magic constant from Apple LLDB source code
   https://opensource.apple.com/source/lldb/lldb-76/tools/darwin-debug/darwin-debug.cpp
*/

RistBS

#include <Windows.h>
#include <stdio.h>


#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define WORKER_FACTORY_FULL_ACCESS 0xf00ff 

typedef struct _UNICODE_STRING {

alfarom256

#include <Windows.h>
#include <winternl.h>
#include <stdio.h>

#define WORKER_FACTORY_FULL_ACCESS 0xf00ff 

// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
	WorkerFactoryTimeout, // LARGE_INTEGER

surfaceflinger

1. First, download latest stock firmware from lolinet. You probably want those which names begin with RET but tbh I don't know what the difference is between them. Personally, I used RETEU because that's what I had from factory.
2. Download latest "Light" variant of LineageOS 20 GSI. You can find everything here. "Light" variant has limited compatibility with legacy devices, but it works PERFECTLY on hanoip.
3. Unpack stock firmware into stock directory.
4. Unpack GSI into gsi directory and rename it to system.img.
5. Make sure that you have files structure like this:

nat@blahaj [~/Downloads] ✨ tree
.
├── gsi-update.sh
├── gsi

exploit3dguy

.text

.pool

.set ARM_TTE_BLOCK_PNX, 0x0020000000000000
.set ARM_TTE_BLOCK_NX, 0x0040000000000000
.set SDRAM_PAGE1, 0x180082000
.set SRAM_PAGE1, 0x1800841F0

.global _main

bb33bb

-- Simple network hook script
addressOfSend = getAddress("WS2_32.send")
addressOfGetStatus1 = getAddress("Kernel32.GetQueuedCompletionStatus")
addressOfGetStatus2 = getAddress("Kernel32.GetQueuedCompletionStatusEx")
addressOfCreateIoCompletionPort = getAddress("Kernel32.CreateIoCompletionPort")
print(string.format("WS2_32.send = %x, Kernel32.GetQueuedCompletionStatus = %x, Kernel32.GetQueuedCompletionStatusEx = %x, Kernel32.CreateIoCompletionPort = %x", addressOfSend, addressOfGetStatus1, addressOfGetStatus2, addressOfCreateIoCompletionPort))

debug_removeBreakpoint(addressOfSend)
debug_removeBreakpoint(addressOfGetStatus1)
debug_removeBreakpoint(addressOfGetStatus2)

exploit3dguy

iPad6,3
iOS 9.3 (13E234)
sep-firmware.j127.RELEASE.im4p
IV: 0F91420AA134E6D8D6807EFA7FFAB446
KEY: 42F908A3012E9E2DC22EDD818621C4BECFB41AED43D78671AB28BB8126268DB4


iPad6,8 
iPadOS 13.2 (17B84)
sep-firmware.j99a.RELEASE.im4p