four0four / seal_installer.scad
Created May 26, 2023 06:07
janky seal press
inner_dia = 47.5;
outer_dia = 57.5;
clearance = 1.0;
height = 10;
four0four /
Created April 14, 2023 02:12
GetProcAddressEx "in Rust"
use windows::core::*;
use windows::Win32::Foundation::HMODULE;
use windows::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};
//use windows::Win32::UI::Input::XboxController::XINPUT_STATE;
// ref:
four0four / ring_thing.scad
Last active March 24, 2023 03:16
Simple piston-ring-pusher tool to help with measuring gaps repeatably. Requires BOSL2 for the chamfer.
include <BOSL2/std.scad>
difference() {
union() {
difference() {
cylinder(h=25, r = 50, center = false);
up(25) #chamfer_cylinder_mask(r=50, chamfer=2);
four0four /
Last active January 8, 2023 03:21 — forked from joshwatson/
Microcorruption Memory Dump BinaryView for Binary Ninja
import struct
import traceback
from binaryninja import (
BinaryView, Architecture, log
from binaryninja.enums import (
class MicrocorruptionView(BinaryView):
four0four / safety_wire_jig.scad
Last active July 28, 2022 06:52
openscad safety wire jig
/*[ Bolt properties (Machinery's pp. 1446, 25th ed) ]*/
//Width across flats (S)
bolt_head_width=16; // [13:M8,16:M10,18:M12,21:M14]
//shank nominal diameter
bolt_body_diam=10; //[8:M8,10:M10,12:M12,14:M14]
//bolt head depth
bolt_head_depth=6.6; //[5.5:M8, 6.6:M10, 7.8:M12, 9:M14]
// clearance for fitment around bolt parts
four0four /
Last active February 12, 2022 09:27
Unicorn Engine - based Zynq bootrom emulation harness
#!/usr/bin/env python
import sys
from colors import *
from unicorn import *
from unicorn.arm_const import *
from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM, CsError
four0four / binaryninja-svd.patch
diff --git a/ b/
index 5d325b4..b99f313 100644
--- a/
+++ b/
@@ -3,17 +3,17 @@ import requests
import shutil
from zipfile import ZipFile
from tempfile import TemporaryDirectory
-from PySide2.QtWidgets import (QPushButton, QWidget, QVBoxLayout,
+from PySide6.QtWidgets import (QPushButton, QWidget, QVBoxLayout,
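Review bot: the hunk header (-3,17 +3,17) and the single changed line show a one-for-one package rename from PySide2 to PySide6, but the import statement continues past the visible line, so every remaining name in that parenthesised list, and any other `from PySide2...` import in the file (QtCore, QtGui), has to move in the same change or the plugin will fail to import at load time. Also worth stating in the gist description which Binary Ninja release this targets, since the PySide2 build and the PySide6 build cannot both load the plugin.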
four0four /
Last active May 2, 2022 22:06
Zynq SDIO DMA overflow PoC
#!/bin/env python3
from struct import pack as p
from struct import unpack as up
import time
import sys
inits = [\
four0four / 0_PoC.png
Last active February 12, 2022 09:31
zynq exploit loader shellcode
four0four /
Last active November 6, 2022 02:25
Zynq BootROM Secrets: BootROM dump exploit

Zynq BootROM Secrets: Exposing the bootROM with the UART loader

Last time I wrote about this, I lied a little: there is an interesting bug in the UART loader, and it may be exactly why Xilinx didn't document it. In short: the UART loader writes the entire UART payload to a fixed location in memory (nominally 0x4_0000). The ROM is architected such that when the boot mode is selected, it registers a callback that is called whenever the ROM wants more data from the boot device. For the UART loader this is pretty simple; here's the whole thing:

; void uart_callback(u32 r0_offset, void* r1_dest, i32 r2_nbytes)
ROM:0000A578 PUSH            {R3,LR}
ROM:0000A57C MOV             R3, #uart_buff
ROM:0000A584 MOV             R12, #1
ROM:0000A588 LDR             R3, [R3]
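As an added example (my own model, not the Xilinx ROM's code and not from this post), here is the callback-based boot-source design the paragraph above describes, written out in C: selecting a boot mode installs a read callback with the signature shown in the listing comment (offset, destination, signed byte count), the generic image loader only ever talks to the device through that callback, and the UART backend serves reads out of a staging buffer that the receive path has already filled. The staging-area size, the `select_boot_mode`/`rom_load_image` names and the 8-byte "ZYNQ" header are all assumptions made up for the example. The backend includes the checks a reviewer would look for in a callback with this signature (negative count, offset past the end, overflow-safe offset-plus-length); whether the real ROM performs them is not something this page states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the ROM's boot-source abstraction; the signature
 * follows the comment in the disassembly: (u32 offset, void *dest, i32 nbytes). */
typedef int (*boot_read_cb)(uint32_t offset, void *dest, int32_t nbytes);

#define UART_STAGING_SIZE 0x1000          /* assumed size; stands in for the 0x4_0000 area */
static uint8_t  uart_staging[UART_STAGING_SIZE];
static uint32_t uart_received;            /* bytes actually delivered over UART */

/* UART backend: the whole payload is already in the staging area, so a
 * "read" is a bounded copy out of it at the requested offset. */
int uart_callback(uint32_t offset, void *dest, int32_t nbytes)
{
    if (nbytes < 0)                              return -1;  /* signed count: refuse negatives   */
    if (offset > uart_received)                  return -1;  /* offset past delivered data       */
    if ((uint32_t)nbytes > uart_received - offset) return -1; /* end check without u32 overflow  */
    memcpy(dest, uart_staging + offset, (size_t)nbytes);
    return nbytes;
}

/* Boot-mode selection installs the callback; nothing else knows the device. */
enum boot_mode { BOOT_UART = 0, BOOT_OTHER = 1 };
static boot_read_cb active_read;

int select_boot_mode(enum boot_mode mode)
{
    switch (mode) {
    case BOOT_UART: active_read = uart_callback; return 0;
    default:        active_read = NULL;          return -1;   /* other modes not modelled */
    }
}

/* Stand-in for the UART receive path filling the staging area. */
void uart_deliver(const uint8_t *payload, uint32_t len)
{
    if (len > UART_STAGING_SIZE) len = UART_STAGING_SIZE;
    memcpy(uart_staging, payload, len);
    uart_received = len;
}

/* Generic loader: fetches a constructed 8-byte header ("ZYNQ" + u32 LE body
 * length) through the callback, then the body. Returns body length or <0. */
int rom_load_image(uint8_t *out, int32_t out_cap)
{
    uint8_t hdr[8];
    if (!active_read)                                     return -1;
    if (active_read(0, hdr, (int32_t)sizeof hdr) != 8)    return -2;
    if (memcmp(hdr, "ZYNQ", 4) != 0)                      return -3;
    uint32_t len = hdr[4] | (hdr[5] << 8) | (hdr[6] << 16) | ((uint32_t)hdr[7] << 24);
    if (len > (uint32_t)out_cap)                          return -4;  /* declared length vs dest */
    return active_read(8, out, (int32_t)len);             /* backend re-checks against received */
}

int main(void)
{
    /* Constructed sample payload: header + 4-byte body. */
    const uint8_t payload[] = { 'Z','Y','N','Q', 4,0,0,0, 0xde,0xad,0xbe,0xef };
    uint8_t out[16];
    select_boot_mode(BOOT_UART);
    uart_deliver(payload, sizeof payload);
    int n = rom_load_image(out, sizeof out);
    printf("loaded %d body bytes\n", n);
    return n == 4 ? 0 : 1;
}
```

The point of the split is that the length a header declares is checked twice: once by the loader against its destination, and once by the backend against what was actually received, so a header that promises more than the UART delivered is refused by the callback rather than copied out of stale staging memory.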