// Numeric block id registered for the cabinet. Kept as a script-level `var`
// so any other script that reads `cabinet` sees the same global.
var cabinet = 3333;

(function () {
  // One texture entry per face (six faces), all "stone" at texture index 0.
  var faces = [];
  for (var i = 0; i < 6; i++) {
    faces.push(["stone", 0]);
  }
  // The trailing 5 and false are passed straight through; their meaning is
  // not shown in this file — presumably material / opacity, confirm against
  // the Block API before changing them.
  Block.defineBlock(cabinet, "Cabinet stone", faces, 5, false);
  // Shape bounds as passed: x/z inset by 0.2 on each side, full height
  // (presumably min x,y,z then max x,y,z — confirm against the Block API).
  Block.setShape(cabinet, 0.2, 0, 0.2, 0.8, 1, 0.8);
})();
rem Feeds an empty JSON request body ({}) on stdin to polyglot.jar and asks it to
rem --command=call the method google.internal.geo.personalsafety.v1.PersonalSafetyService/GetUserIncident
rem on --endpoint personalsafety-pa.googleapis.com:443.
rem --proto_discovery_root=emer is where the .proto definitions are looked up and
rem --config_set_path=emer/config.json supplies polyglot's configuration (contents not shown here).
rem NOTE: cmd's echo appends a line ending after {} — presumably harmless to the
rem JSON reader, but worth knowing if the payload is ever parsed strictly.
echo {}|java -jar polyglot.jar --proto_discovery_root=emer --command=call --endpoint=personalsafety-pa.googleapis.com:443 --full_method=google.internal.geo.personalsafety.v1.PersonalSafetyService/GetUserIncident --config_set_path=emer/config.json
From 57beb8c9d0e68d30e02eadf705eaa1c6e6e7a8bb Mon Sep 17 00:00:00 2001
From: Zhuowei Zhang <_@_>
Date: Sat, 24 Sep 2016 11:17:20 -0700
Subject: [PATCH] kernel: add harambe backdoor syscall
This patch adds a new syscall for elevating any program to root and for
switching SELinux to permissive mode. There are no security checks,
so this should never be used in production.
Example program:
F/libc ( 4941): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 4959 (Thread-237)
I/DEBUG ( 139): request->uid:10057 > property debug.db.uid:0; NOT waiting for gdb.
I/DEBUG ( 139): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 139): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
I/DEBUG ( 139): Revision: '0'
I/DEBUG ( 139): ABI: 'arm'
I/DEBUG ( 139): pid: 4941, tid: 4959, name: Thread-237 >>> com.mojang.minecraftpe <<<
I/DEBUG ( 139): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG ( 139): r0 00000000 r1 00004000 r2 00000000 r3 00000000
I/DEBUG ( 139): r4 5f43dc60 r5 00000000 r6 5f441a2c r7 6c237d34
// One-byte block id wrapper that converts implicitly to and from
// unsigned char, so it can stand in for the raw id wherever one is expected.
// Note there is no default constructor: the two user-declared constructors
// below suppress the implicit one.
struct BlockID {
    unsigned char id;

    // Implicit conversion back to the raw id (non-explicit on purpose).
    operator unsigned char() const { return id; }

    // Copy constructor; equivalent to the compiler-generated one.
    BlockID(BlockID const& rhs) : id(rhs.id) {}

    // Converting constructor from a raw id. Not `explicit`, so plain
    // unsigned char values become BlockIDs silently — presumably callers
    // rely on that, so do not add `explicit` without checking them.
    BlockID(unsigned char raw) : id(raw) {}
};
"contentValues: alert.actions.title]contentValues_
"contentValues: alert.actions.title_
$contentObjects: alert.actions.action^contentObjects_
$contentObjects: alert.actions.action_
%@/%@/addAppId.action
%@/%@/addApplicationGroup.action
%@/%@/addDevice.action
%@/%@/addOMC.action
%@/%@/addOMCsForAppId.action
%@/%@/assignApplicationGroupToAppId.action
P14:
OS Lock Status Register: read
- c1, 0, c1, 4
Debug Status and Control Register: read
- c0, 0, c2, 2
P15: read c0, 0, c1, 2-debug feature register 0 &0xf = 4 jump
#!/bin/sh
# You need QEMU_EFI.fd from http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstream/latest/QEMU-ARM/DEBUG_GCC49/
# and dragon.img from a DragonBoard 410 or by converting the 410 wim image
# NOTE: that download link is plain http; check the firmware image's integrity
# before booting it.
#
# Boots dragon.img on QEMU's generic "virt" ARM machine using the Tianocore
# UEFI image as firmware. The disk is attached read-only, so a run never
# modifies dragon.img.
qemu-system-arm \
  -m 512 \
  -cpu cortex-a15 \
  -M virt \
  -bios fromdragon/arm/QEMU_EFI.fd \
  -serial stdio \
  -drive file=dragon.img,id=hd0,if=none,readonly=on \
  -device virtio-blk-device,drive=hd0 \
  -device VGA
.class Lcom/google/android/gms/common/GoogleCertificates;
.super Ljava/lang/Object;
.source "GoogleCertificates.java"
# annotations
.annotation system Ldalvik/annotation/MemberClasses;
value = {
Lcom/google/android/gms/common/GoogleCertificates$VALID_AUTH_TEST_SUPPORT_SIGNATURES;,
Lcom/google/android/gms/common/GoogleCertificates$VALID_SOCIETY_SIGNATURES;,
# Cross-compile c.c for android-9/arm as a position-independent executable
# against the NDK r9 sysroot.
# The linker build-id is forced to 4096 bytes of 0x41: perl prints the hex
# pair "41" 4096 times, so the note payload is 8192 hex digits long.
# Why such a large build-id is wanted is not stated here — confirm with the author.
arm-linux-androideabi-gcc \
  -pie \
  "-Wl,--build-id=0x$(perl -e 'print "41"x4096')" \
  --sysroot /home/zhuowei/android/prebuilts/ndk/9/platforms/android-9/arch-arm \
  c.c