

Norm CreateRemoteThread

four0four /
Last active Feb 24, 2021
Zynq BootROM Secrets - UART loader

Recently I acquired the Zynq bootrom (md5: ADF639AFE9855EE86C8FAAD216C970D9), and during the reversing process uncovered some interesting secrets, one of which is an as-yet undocumented UART loader. As documented, the Zynq bootrom will load from NOR/NAND/SPI flashes or eMMC/SDIO-based storage, (unfortunately) not USB or anything else more complex.

Not sure why Xilinx didn't document this. In my brief testing it is super unreliable if you just spit everything at once - they reset the RX/TX paths during the process, so timing is critical, but that might be the janky meter-long FTDI cable. You can change the baudrate during the process, but I was too lazy to do the math.

Here's the disassembly that made me look twice (that, and checks for the MIO boot_mode[2:0] that weren't specified in the docs :)):

ROM:0000A220 BL              uart_init
ErikAugust / spectre.c
Last active Jul 9, 2021
Spectre example code
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
staaldraad /
Last active Sep 6, 2021
Fuzz Verifone PoS terminals through exposed port
Script for fuzzing Verifone terminal/PoS devices. This is a rough reverse-engineering and implementation of the official protocol.
Should work fine. Official docs were only found after the initial implementation. Not fully tested with the CRC-16 checksum correctly implemented.
Version: 1.0
Tatsh / screenshot-win32.c
Created May 10, 2012
Make a screen shot (Win32)
#include <windows.h>
#include <stdio.h>

/* Print an error message to stdout. */
void errhandler(char *msg) {
    printf("%s\n", msg);
}

/* Build a BITMAPINFO header describing the captured bitmap hBmp. */
PBITMAPINFO CreateBitmapInfoStruct(HWND hwnd, HBITMAP hBmp);
ayosec /
Created Jan 29, 2012
GDB commands to trace calls to malloc/free

Attach to a running process with

  gdb -x trace-dyn-mem -p $PID

After every malloc, the returned value (the allocated address) will be read from the RAX (64-bit) register.

After every free, the last item in the backtrace (the free itself) will be shown. With the libc6-dbg package installed you can see the address passed as the first argument of free.