@sleirsgoevy
sleirsgoevy / ps4.html
Created October 27, 2021 16:06
PS4 WebKit exploit on 9.00
<script>
var PAGE_SIZE = 16384;
var SIZEOF_CSS_FONT_FACE = 0xb8;
var HASHMAP_BUCKET = 208;
var STRING_OFFSET = 20;
var SPRAY_FONTS = 0x1000;
var GUESS_FONT = 0x200430000;
var NPAGES = 20;
var INVALID_POINTER = 0;
var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition
AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously. When used asynchronously,
it takes the registered mach port (via registerNotificationPort()) and puts it inside the jpegRequest data structure,
and no reference count was taken for this operation. Since registerNotificationPort() is not gated, it is
possible to release the port (if the port got substituted) during the processing of the jpeg request and end up
with a dangling pointer passed to _mach_msg_send_from_kernel_proper().
@TheRadziu
TheRadziu / ultimate-vita-comparison.md
Last active April 6, 2024 13:11
Ultimate Vita Comparison (Firmwares & Rips vs Dumps)

Due to so much misinformation, false claims and confusion going around the web, I've decided to make this quick comparison of all the most well-known backup-enabling tools and hackable Vita firmwares, and which one you should be using and why.
Date of last update: 13.01.2020

NoNpDRM Rips vs Dumps

NoNpDRM Rips Vitamin / MaiDumpTool Dumps
All original files untouched
Support Retail DLCs
Support Ripped (NoNpDRM) DLCs
Support Dumped (Vitamin/Mai) DLCs 1
cl_get_gt_device(): error, unknown device: 0

  Platform Name                                   Clover
Number of devices                                 1
  Device Name                                     AMD LIVERPOOL (DRM 2.50.0 / 4.14.4, LLVM 6.0.0)
  Device Vendor                                   AMD
  Device Vendor ID                                0x1002
  Device Version                                  OpenCL 1.1 Mesa 18.0.2
  Driver Version
@jason0597
jason0597 / Seedminer.md
Last active May 15, 2023 21:47
How seedminer works

DSiWare games are vulnerable to a specific set of exploits which allows you to install boot9strap with them. You can also export DSiWare games from the System Settings (System Settings --> Data Management --> Nintendo DSiWare); however, these DSiWare exports are encrypted with your console-unique movable.sed encryption key. Unless you can get that key somehow, you cannot decrypt them/modify them/re-encrypt them/re-import them.

The DSiWare games are encrypted with AES-128. 128 means 128 bits. A byte in computing means 8 bits together. Therefore, the encryption key is 128 bits, aka 16 bytes (128 / 8 == 16). The first 8 bytes are the LocalFriendCodeSeed (L.F.C.S.). You can dump this if you have access to userland homebrew (things like ninjhax, freakyhax, stickerhaxx etc.). However, it is also possible to dump this for your friends if your 3DS is hacked. Therefore, somebody with a hacked 3DS can dump your LFCS for you. Now, you have the first 8 bytes of your movable.sed. However, there are still 8 bytes left which

@yifanlu
yifanlu / E80558325.md
Last active October 13, 2023 14:04
Vita 3.65 activation investigation (E-80558325)

On 7/29/2017, all hacked Vitas on 3.60 spoofing the latest firmware (3.65) were blocked from console activation. This is particularly odd because the PSN passphrase did not change in 3.65. Additionally, the release of ensō added to the confusion about what happened. Here is the result of a preliminary investigation of the situation.

Upon game activation, the Vita displays a dialog that shows the error number E-80558325. This error number is used in SceNpKdc, which is found in vs0:external/np_kdc.suprx. The error code itself is created when the activation response is received:

v5 = v45 | 0x80558300;

Here, v5 is the return code and v45 is the string error code from the server converted to a number. The request made to Sony's server looks like the following

@SciresM
SciresM / Signatures.txt
Last active October 13, 2023 14:04
"Perfect" sighax signatures for every Boot9 modulus.
Retail NAND FIRM:
Perfect Signature:
Exponentiated Message:
0002B31331C710412333A587890F9CF0B6A86E71C8A78F96B76082903B3E54EA9AB935978BBF2493BB829E9A5A6060B0C7811881176BCF9FE8B1C5C5E0A95327DB8B52EC178A884AD9CF28DB8BBF2922C05FD034AC81BD231AEB0CBEF6F7DE6F3A30812B9F9A83BF33251891BFA18FA38A64C6FF5F77DBE11C3780C23EA9F6D00F9C01D6FC8A878591D36C4F64ACA6B8D11BBEB21476103C6E86FF2196D465BA4DB78F81F1D3BCCA186BDDD56739A12DD36122F3F5B3DD518DDAC4FA29395EA4CD9DFD80AF8A399990F4FDD3CD6B07EC2122437CCFC3B62B1D1493A7DBB442003
@marcan
marcan / linux.sh
Last active July 21, 2024 14:00
Linux kernel initialization, translated to bash
#!/boot/bzImage
# Linux kernel userspace initialization code, translated to bash
# (Minus floppy disk handling, because seriously, it's 2017.)
# Not 100% accurate, but gives you a good idea of how kernel init works
# GPLv2, Copyright 2017 Hector Martin <marcan@marcan.st>
# Based on Linux 4.10-rc2.
# Note: pretend chroot is a builtin and affects the current process
# Note: kernel actually uses major/minor device numbers instead of device name
@xvitaly
xvitaly / remove_crw.cmd
Last active July 21, 2024 21:01
Remove telemetry updates for Windows 7 and 8.1
@echo off
echo Uninstalling KB3075249 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3075249 /quiet /norestart
echo Uninstalling KB3080149 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3080149 /quiet /norestart
echo Uninstalling KB3021917 (telemetry for Win7)
start /w wusa.exe /uninstall /kb:3021917 /quiet /norestart
echo Uninstalling KB3022345 (telemetry)
start /w wusa.exe /uninstall /kb:3022345 /quiet /norestart
echo Uninstalling KB3068708 (telemetry)
@smealum
smealum / bin2wav.py
Last active July 12, 2024 18:59
bangai-o soundhax
import sys
import wave
import struct
# bit0 is a single period sine wave at 1024Hz with a given amplitude
# bit1 is the same but with ~2.7 times the amplitude
# (each is one period of 32 signed 8-bit samples)
bits = [[0x00, 0x09, 0x12, 0x1A, 0x21, 0x27, 0x2C, 0x2F, 0x30, 0x2F, 0x2C, 0x27, 0x21, 0x1A, 0x12, 0x09,
         0x00, 0xF6, 0xED, 0xE5, 0xDE, 0xD8, 0xD3, 0xD0, 0xD0, 0xD0, 0xD3, 0xD8, 0xDE, 0xE5, 0xED, 0xF6],
        [0x00, 0x18, 0x30, 0x46, 0x59, 0x69, 0x75, 0x7C, 0x7F, 0x7C, 0x75, 0x69, 0x59, 0x46, 0x30, 0x18,
         0x00, 0xE7, 0xCF, 0xB9, 0xA6, 0x96, 0x8A, 0x83, 0x81, 0x83, 0x8A, 0x96, 0xA6, 0xB9, 0xCF, 0xE7]]
# XOR with 0x80 turns the signed samples into the unsigned (offset-binary) form that 8-bit PCM WAV expects
bits[0] = [b^0x80 for b in bits[0]]
bits[1] = [b^0x80 for b in bits[1]]
bits[0] = struct.pack('%sB' % len(bits[0]), *bits[0])