Skip to content

Instantly share code, notes, and snippets.

View puppykitten's full-sized avatar

puppykitten

14 followers · 0 following
View GitHub Profile
@puppykitten
puppykitten / example.c
Created November 16, 2017 14:31
void __fastcall __noreturn config_tbase_start_s0cb()
{
process_struct_1 *new_proc;
unsigned int max_processes;
unsigned int v2;
int v3;
void *process_structs_area_addr;
int process_structs_area_length;
memset_to_0_0(&tbase_conf_t, 60);
@puppykitten
puppykitten / fastcall2.c
Created January 25, 2018 14:35
int mc_fc_nsiq(void)
{
union mc_fc_generic fc;
int ret;
memset(&fc, 0, sizeof(fc));
fc.as_in.cmd = MC_SMC_N_SIQ;
mc_fastcall(&fc);
ret = convert_fc_ret(fc.as_out.ret);
if (ret)
@puppykitten
puppykitten / mcimcp.h
Created January 25, 2018 16:11
/** Possible MCP Command IDs
* Command ID must be between 0 and 0x7FFFFFFF.
*/
enum cmd_id {
/** Invalid command ID */
MC_MCP_CMD_ID_INVALID = 0x00,
/** Open a session */
MC_MCP_CMD_OPEN_SESSION = 0x01,
/** Close an existing session */
MC_MCP_CMD_CLOSE_SESSION = 0x03,
@puppykitten
puppykitten / tlc_server_main.c
Created January 28, 2018 01:21
v3 = argc;
v4 = argv;
__android_log_print(4LL, "TLC_SERVER", "tlc_cerver main starts");
if ( v3 == 1 )
{
__android_log_print(4LL, "TLC_SERVER", "service name was not provided: defaulting to CCM");
strncpy(&service_name, aCCM, 31LL);
}
else
{
@puppykitten
puppykitten / extreme_hacking.sh
Created January 28, 2018 01:58
shell@herolte:/ $ service list | grep com.sec
shell@herolte:/system/lib64 $ strings -f * | grep mcNotify
shell@herolte:/system/bin$ strings -f * | grep onTransact
root@herolte:/proc # strings -f /proc/*/maps | grep libtlc
@puppykitten
puppykitten / extreme_hacking.sh
Created January 28, 2018 01:58
shell@herolte:/ $ service list | grep com.sec
shell@herolte:/system/lib64 $ strings -f * | grep mcNotify
shell@herolte:/system/bin$ strings -f * | grep onTransact
root@herolte:/proc# strings -f /proc/*/maps | grep libtlc
@puppykitten
puppykitten / binder_handler.c
Created January 28, 2018 02:30
__int64 __fastcall binder_handler(android::IPCThreadState *IPCThreadState, unsigned int cmd_, const android::Parcel *data, android::Parcel *reply_, unsigned int flags_)
{
// (...)
switch ( cmd )
{
case 0u:
__android_log_print(4LL, "TLC_SERVER", "OPENSWCONN");
if ( !(unsigned __int8)android::Parcel::checkInterface(parcel_data, (char *)IPCThreadState_ + 16) )
goto LABEL_93;
if ( !reply )
@puppykitten
puppykitten / parse_tlvs_from_APDU.c
Created January 28, 2018 03:11
int __fastcall parse_tlvs_from_APDU(parsed_tlvs_t *out_apdus, char *in_buf, int start_offset, int total_length)
{
parsed_tlvs_t *parsed_tlvs_t; // r4
char *in_buf_; // r8
int total_length_; // r7
int offset; // r5
int i; // r6
tlv_t *tlv_obj; // r0
int ret; // r0
@puppykitten
puppykitten / parse_tlvs_from_APDU.c
Created January 28, 2018 03:11
int __fastcall parse_tlvs_from_APDU(parsed_tlvs_t *out_apdus, char *in_buf, int start_offset, int total_length)
{
parsed_tlvs_t *parsed_tlvs_t; // r4
char *in_buf_; // r8
int total_length_; // r7
int offset; // r5
int i; // r6
tlv_t *tlv_obj; // r0
int ret; // r0
@puppykitten
puppykitten / tlv structs
Created January 28, 2018 03:15
00000000 tlv_t struc ; (sizeof=0x413, mappedto_34)
00000000 filled DCB ?
00000001 multiple_tlvs_for_tag DCB ?
00000002 fill_1 DCB ?
00000003 fill_2 DCB ?
00000004 tag_obj_ptr DCD ? ; offset
00000008 len_field_len DCB ?
00000009 fill_3 DCB ?
0000000A fill_4 DCB ?
0000000B fill_5 DCB ?