zhuowei’s gists

## extendedBlock.js
var cabinet = 3333;
Block.defineBlock(cabinet,"Cabinet stone",[["stone",0],["stone",0],["stone",0],["stone",0],["stone",0],["stone",0]],5,false);
Block.setShape(cabinet, 0.2, 0, 0.2, 0.8, 1, 0.8);

## cmdline.bat
echo {}|java -jar polyglot.jar --proto_discovery_root=emer --command=call --endpoint=personalsafety-pa.googleapis.com:443 --full_method=google.internal.geo.personalsafety.v1.PersonalSafetyService/GetUserIncident --config_set_path=emer/config.json

## gist:775f88f54b4dece3d39dc7f560151df1
From 57beb8c9d0e68d30e02eadf705eaa1c6e6e7a8bb Mon Sep 17 00:00:00 2001
From: Zhuowei Zhang <_@_>
Date: Sat, 24 Sep 2016 11:17:20 -0700
Subject: [PATCH] kernel: add harambe backdoor syscall

This patch adds a new syscall for elevating any program to root and for
switching SELinux to permissive mode. There are no security checks,
so this should never be used in production.

Example program:

## gist:d445d58a4b457e0306acbce239e244d9
F/libc    ( 4941): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 4959 (Thread-237)
I/DEBUG   (  139): request->uid:10057 > property debug.db.uid:0; NOT waiting for gdb.
I/DEBUG   (  139): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  139): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
I/DEBUG   (  139): Revision: '0'
I/DEBUG   (  139): ABI: 'arm'
I/DEBUG   (  139): pid: 4941, tid: 4959, name: Thread-237  >>> com.mojang.minecraftpe <<<
I/DEBUG   (  139): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   (  139):     r0 00000000  r1 00004000  r2 00000000  r3 00000000
I/DEBUG   (  139):     r4 5f43dc60  r5 00000000  r6 5f441a2c  r7 6c237d34

## blockid.h
struct BlockID {
	unsigned char id;
	operator unsigned char() const {
		return id;
	}
	BlockID(BlockID const& other): id(other.id) {
	}
	BlockID(unsigned char id_): id(id_) {
	}
};

## allactions.txt
"contentValues: alert.actions.title]contentValues_
"contentValues: alert.actions.title_
$contentObjects: alert.actions.action^contentObjects_
$contentObjects: alert.actions.action_
%@/%@/addAppId.action
%@/%@/addApplicationGroup.action
%@/%@/addDevice.action
%@/%@/addOMC.action
%@/%@/addOMCsForAppId.action
%@/%@/assignApplicationGroupToAppId.action

## gist:72e387f9225976162b9f
P14:

OS Lock Status Register: read
 - c1, 0, c1, 4
Debug Status and Control Register: read
 - c0, 0, c2, 2


P15: read c0, 0, c1, 2-debug feature register 0 &0xf = 4 jump

## startemu2.sh
#!/bin/sh
# You need QEMU_EFI.fd from http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstream/latest/QEMU-ARM/DEBUG_GCC49/
# and dragon.img from a DragonBoard 410 or by converting the 410 wim image
qemu-system-arm -m 512 -cpu cortex-a15 -M virt -bios fromdragon/arm/QEMU_EFI.fd -serial stdio -drive file=dragon.img,id=hd0,if=none,readonly=on -device virtio-blk-device,drive=hd0 -device VGA

## certificates.smali
.class Lcom/google/android/gms/common/GoogleCertificates;
.super Ljava/lang/Object;
.source "GoogleCertificates.java"


# annotations
.annotation system Ldalvik/annotation/MemberClasses;
    value = {
        Lcom/google/android/gms/common/GoogleCertificates$VALID_AUTH_TEST_SUPPORT_SIGNATURES;,
        Lcom/google/android/gms/common/GoogleCertificates$VALID_SOCIETY_SIGNATURES;,

## build.sh
arm-linux-androideabi-gcc -pie -Wl,--build-id=0x`perl -e 'print "41"x4096'` --sysroot /home/zhuowei/android/prebuilts/ndk/9/platforms/android-9/arch-arm c.c