Skip to content

Instantly share code, notes, and snippets.

four0four /
Last active Jan 8, 2023 — forked from joshwatson/
Microcorruption Memory Dump BinaryView for Binary Ninja
import struct
import traceback
from binaryninja import (
BinaryView, Architecture, log
from binaryninja.enums import (
class MicrocorruptionView(BinaryView):
four0four / safety_wire_jig.scad
Last active Jul 28, 2022
openscad safety wire jig
View safety_wire_jig.scad
/*[ Bolt properties (Machinery's pp. 1446, 25th ed) ]*/
//Width across flats (S)
bolt_head_width=16; // [13:M8,16:M10,18:M12,21:M14]
//shank nominal diameter
bolt_body_diam=10; //[8:M8,10:M10,12:M12,14:M14]
//bolt head depth
bolt_head_depth=6.6; //[5.5:M8, 6.6:M10, 7.8:M12, 9:M14]
// clearance for fitment around bolt parts
four0four /
Last active Feb 12, 2022
Unicorn Engine - based Zynq bootrom emulation harness
#!/usr/bin/env python
import sys
from colors import *
from unicorn import *
from unicorn.arm_const import *
from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM, CsError
View binaryninja-svd.patch
diff --git a/ b/
index 5d325b4..b99f313 100644
--- a/
+++ b/
@@ -3,17 +3,17 @@ import requests
import shutil
from zipfile import ZipFile
from tempfile import TemporaryDirectory
-from PySide2.QtWidgets import (QPushButton, QWidget, QVBoxLayout,
+from PySide6.QtWidgets import (QPushButton, QWidget, QVBoxLayout,
four0four /
Last active May 2, 2022
Zynq SDIO DMA overflow PoC
#!/bin/env python3
from struct import pack as p
from struct import unpack as up
import time
import sys
inits = [\
four0four / 0_PoC.png
Last active Feb 12, 2022
zynq exploit loader shellcode
four0four /
Last active Nov 6, 2022
Zynq BootROM Secrets: BootROM dump exploit

Zynq BootROM Secrets: Exposing the bootROM with the UART loader

Last time I wrote about this, I lied a little - There is an interesting bug in the UART loader, and it may have been exactly why Xilinx didn't document it. In short: The UART loader writes the entire UART payload to a location in memory (nominally 0x4_0000). The ROM is architected such that when the boot mode is selected, it registers a callback that is called when the ROM wants more data from the boot device. For the UART loader, this is pretty simple - here's the whole thing:

; void uart_callback(u32 r0_offset, void* r1_dest, i32 r2_nbytes)
ROM:0000A578 PUSH            {R3,LR}
ROM:0000A57C MOV             R3, #uart_buff
ROM:0000A584 MOV             R12, #1
ROM:0000A588 LDR             R3, [R3]
four0four /
Last active Oct 27, 2022
Zynq BootROM Secrets - UART loader

Zynq BootROM Secrets: UART loader

Recently I acquired (md5: ADF639AFE9855EE86C8FAAD216C970D9) the Zynq bootrom, and during the reversing process uncovered some interesting secrets, one of which is an as-of-yet undocumented UART loader. As documented the Zynq bootrom will load from NOR/NAND/SPI flashes, eMMC/SDIO-based storage (unfortunately) not USB, or anything else more complex.

Not sure why Xilinx didn't document this. In my brief testing it is super unreliable if you just spit everything at once - they reset the RX/TX paths during the process, so timing is critical, but that might be the janky meter-long ftdi cable. You can change the baudrate during the process, but I was too lazy to do the math.

Here's the disassembly that made me look twice (that, and checks for the MIO boot_mode[2:0] that weren't specified in the docs :)):

ROM:0000A220 BL              uart_init
four0four / main.c
Last active Sep 18, 2020
NA202MD08BC driver
View main.c
#include <stdint.h>
#include <string.h>
#include <avr/io.h>
#include <avr/interrupt.h>
* NA202MD08BC pinout:
* 1 2
* [-----|-----]
* [ vcc | vcc ]
four0four / urjtag-python3fix.patch
Created Dec 15, 2019
Patch to fix up urjtag python3 support
View urjtag-python3fix.patch
diff -Naur urjtag-2018.09.orig/bindings/python/chain.c urjtag-2018.09/bindings/python/chain.c
--- urjtag-2018.09.orig/bindings/python/chain.c 2018-09-25 14:32:40.583308869 -0700
+++ urjtag-2018.09/bindings/python/chain.c 2018-09-25 14:33:31.924518776 -0700
@@ -243,7 +243,7 @@
urj_pyc_partid (urj_pychain_t *self, PyObject *args)
urj_chain_t *urc = self->urchain;
- int partno;
+ unsigned int partno;
if (!PyArg_ParseTuple (args, "i", &partno))