shoulda wrapped it up  ¯\_(ツ)_/¯

day in the life…

Character Inspiration - Hannah Kim

Okay, I really liked making one for Lila so I figured I'd keep going and make one for Hannah too! :) Maybe I'll even do Zeki!

So, let's get into the characters!

Beauty (The Wolf Among Us) Hannah stayed long past when she should’ve, believing love could fix what loyalty couldn’t. Like Beauty, she wanted to protect her family, her image, her normalcy—until the truth finally shattered it all.

Joyce Byers (Stranger Things) The moms who won’t stop fighting, even if it breaks them. Just like Joyce, Hannah’s love is feral in its strength, even when she’s worn down.

Yoon Jin Ah (Something in the Rain) She wants love, but is terrified of looking foolish again. Zeki catches her off guard, just like Joon Hee's love does Jin Ah —something new and risky after something that left scars. She’s hesitant, yet aching to believe in love again.

Charlotte Branwell (The Infernal Devices) Although their situations are wildly different, Charlotte, like Hannah, manages a household of chaos with more strength than she’s given credit for. Both carry wounds beneath composed exteriors.

Pamela Last (Our Life - Beginnings and Always) Hannah poured herself into motherhood. Her identity is so wrapped around being a mom and wife that she has to relearn herself after Gédéons betrayal. Pamela reflects her nurturing side—the part that’s always creating warmth, even while breaking.

Nerissa (The Wolf Among Us) Okay this one warrant's a little thought, because Nerissa is more Hannah's past self. The one that just got married, just had a baby. Hannah’s anger at Clara was deep, cold, and rooted in unhealed generational trauma. Like Nerissa, she’s learned to hold pain in silence, weaponize grace, and protect herself by pushing others away. (Something she actually passed on to her daughter Lila!)

Templates:

STRUCK BY LOVE LEGACY CHALLENGE - GENERATION 1: Age Gap

You got lucky; your accidental pregnancy turned into true love! …Until you catch your spouse cheating nearing your 20th anniversary. Unsure what to do, you take your children and move into the only apartment you can afford, determined to finish the book you've been trying to write for three years. You vow to never fall in love again… That is until your next-door neighbour (who is much younger than you) sweeps you off your feet.

Meet Shannon Lovett (she/her), founder of the Stuck by Love Legacy Challenge by @fruitysimsy and @hellohopesims.

Her traits are Gloomy, Bookworm and Loyal. She has the Bestselling Author aspiration, which also gives her the Muser trait. Her main colours are Brown and Red and she will be entering the Writer career.

instead of carrying on with my current legacies, i just start new ones xD. i'm really excited to start this legacy as it's based on romance tropes in books, and i'm an avid reader. it probably won't be posted for a little while as there's some setup i want to do. i also want to try a different way of posting with this legacy; not sure if i want to do big, long posts with a bunch of screenies and storytelling or short, minimal posts with next to no writing just yet.

also i'm in love with shannon, she's literally so cute qwq.

Tying It All Together - Pwning To Own on LG phones

Last year I detailed a secure EL3 vulnerability which affected (and still affects, for devices with discontinued updates) LG Android devices. However, this vulnerability alone isn't actually all that useful for a number of reasons, the more immediate being that many phones simply do not allow writing to eMMC without root or a custom recovery. Additionally, gaining full control over all privilege levels requires draining the battery to below 0%, which while it would be possible to create a modchip that facilitated this, is impractical. To finish off my exploit chain, I would like to detail two additional vulnerabilities that I have found and utilized in my coldboot process. It's worth noting though that these vulnerabilities were reported to LG and may be patched on updated units.

Live, LAF, Love

The first exploit is an obvious necessity: In order to write the rle888 payload into the eMMC's boot graphics, I need to be able to achieve an arbitrary partition write. While exploiting Android *is* an option for this (as are hardware methods), I instead opted to attack LAF, LG's recovery/flashing component. While many Android phones in the past have used fastboot in order to flash radios and other system components to eMMC, fastboot has been completely removed on the Q710/Q720. Some phones such as the Nexus 5 actually maintain both fastboot methods and LAF, but for maximum spread, LAF is the clear target.

LAF is designed to work with LGUP, a frequently-leaked LG-internal flashing tool that allows flashing KDZ update files. While LAF in the past was able to read and write eMMC partitions without any restriction, in recent years LG has opted to sign all of their KDZ files in order to make it more difficult for things like cross-carrier flashing, version mixing/matching between partitions and other modifications to occur. Flashing is done via USB, and most of the protocol has been documented at https://github.com/Lekensteyn/lglaf.

The LAF update process largely consists of an ioctl-over-USB shim: The OPEN command is able to open a partition block device, and READ/WRTE will seek into the file and write contents. However, reading and writing are explicitly blocked until a list of partitions, their eMMC offsets, their KDZ content offsets, and their content hashes is sent via the SIGN command, all of which is hashed and signed by LG. If the contents of the partitions in the KDZ are modified, the partition list hashes will fail to verify, and modifying the hashes in the partition list will make the SIGN check fail. The private key is not stored in LGUP; KDZs are downloaded from LG's servers, signed presumably by their build servers.

So, how can we manage to activate WRTE commands, with valid partition content hashes of our arbitrary contents, if we cannot sign our own? To start, I investigated how the WRTE commands actually handled hash checking--if the partition list is sent with SIGN, then at some point the WRTE command must be able to figure out which partition the current write is for, and the current partition's contents must be buffered in RAM somewhere along with an updating SHA context, because if the SHA check fails, then it shouldn't write at all. As it turns out, most of the checks in this area were fairly solid (the write must be in the range of a partition in the list, the entire transaction is one bulk packet of the hashed size, etc). However, this led me to realize: The partition list signature is only checked once, and there is nothing stopping me from, say, sending another SIGN command.

The SIGN verification process works as follows:

The partition information is sent along with a signature in one bulk transaction.

The partition information is copied into a global .bss array from the USB buffer with a fixed size.

The partition information hash buffer is prepared: An allocation is made for N partitions and an optional string, the string being the device model (to prevent cross-flashing). The number of partitions is determined by a signed portion of the header. If the allocation fails, an error is returned.

The partition information is copied again into this allocation along with the string, and the contents are hashed. The signature is crypted with the public key and the signature hash is verified against the partition info hash. If the check fails, the global .bss array is cleared and an error is returned. If the check passes, some write threads and structs are initialized and a success value is returned.

The .bss buffer storing partition info (used by other functions) is copied to before the packet is verified

The .bss buffer is cleared when the signature mismatches, but not with this malloc fail...?

The flaw here is subtle, but not terribly difficult to notice: The number of partitions is user-controlled even though it is signed, and the partition info was copied into a global variable before verification. In all other error conditions, LAF will memset the partition information before returning an error code, however if the hashing allocation fails (ie by setting the number of partitions to -1), then the allocation will fail and an error is returned without clearing the partition information. Thus, we can fakesign our own update KDZs by

Sending a valid SIGN command, which will start the write threads

Sending a fakesigned SIGN command with the number of partitions set to -1, and all partition information set however we want. The partition information in .bss is now set without a signature being checked.

While this fakesign has the potential to hang WRTE commands while due to the number of partitions being set much larger than the global partition array, all loops when WRTE checks the partition list hashes will break once a valid partition is found. So, as long as the hash contents of the WRTE command are existent in the first few entries, it will not hang, however any writes sent that do not match will hang lafd.

Another S-EL3 vuln to wrap it all up

This might seem a bit pointless given that the former vulnerability paired with 🔋 📱❄️🥾🔓 at aboot is more than enough to unlock bootloaders, since aboot is usually the code that handles bootloader unlocking/wiping/boot image signature verification, but the downside to unlocking your bootloader is that you lose SafetyNet. To most effectively mitigate SafetyNet issues you basically need an S-EL3 exploit in order to patch Qualcomm's TrustZone to spoof a locked bootloader. While 🔋 📱❄️🥾🔓 has a vector for S-EL3 code execution via SBL1 and its charging graphic, it only triggers at extremely low battery voltages and it would be more convenient to find an alternative means to gaining S-EL3 code execution via aboot, which runs at EL2/EL1.

One of the first things I noticed when I began to look for SBL vulnerabilities, and actually the reason I looked at SBL in the first place is its crash handler. Since at least the Nexus 5, LG has shipped its "Demigod Crash Handler" which can print registers and stack information and RAM console logs from EL1 kernel, S-EL3 SBL, TrustZone, etc. I first discovered it while trying to exploit a kernel stack overflow. It also allows the user to dump memory contents over USB via its Sahara protocol which also gets used in PBL for Firehose bootstrapping.

Naturally, SBL cannot know the exact details of every execution environment it displays stack dumps for, it requires the faulting environment to store that information before warm-resetting into SBL. Consequently, this means there are portions of RAM writable by EL1 which will be later parsed at an S-EL3 execution level, and of course to make matters worse it also expects EL1 to handle the memory allocation for both the RAM console as well as for the framebuffer. These structures are also plainly visible in LG's kernel sources available in their Android OSS zips.

Above roughly shows the arbitrary write which is possible with this ramconsole parsing. The ramconsole offset is not bounds checked, so we are able to achieve an arbitrary write to a limited set of addresses based on ramconsole_offs, the limit being that the offset factors both into what you write and where you write it. However, I found that since DRAM takes up such a significant portion of the address space, it was more than enough to specifically write a function pointer to the stack. To keep the exploit as simple as possible, I chose to force console_init_maybe to return to the missing battery graphic draw routine, which then triggered 🔋 📱❄️🥾🔓 without the need to drain the battery below 1% and made loading additional payloads significantly easier.

As an interesting sidenote, this vulnerability is extremely similar to hexkyz's Wii U boot1 exploit, which also abuses warmboot behavior to take over the secondary bootloader of the Wii U's ARM boot processor. In that case, however, the Wii U encrypted its PRSH/PRST structure in RAM, and rather than displaying syslogs, it uses the structure to store boot timings and other info between IOS reboots.

For most practical usecases, this vulnerability is a bit difficult to exploit, due to SBL's text and stack differing between devices. However, S-EL3 vulnerabilities aren't all that frequently documented on Android, so I hope that it will at least be useful for anyone interested in examining Qualcomm's TrustZone components or avoiding weird SafetyNet junk.

Code for both of these exploits can be seen at https://github.com/shinyquagsire23/Q710-SIGNhax-EL3-Warmboot

SGT BLUFF ROLLS OUT THE WELCOME MAT FOR RAGBRAI RIDERS

SGT BLUFF ROLLS OUT THE WELCOME MAT FOR RAGBRAI RIDERS

SERGEANT BLUFF IS QUICKLY FILLING UP WITH THOUSANDS OF VISITORS PREPARING FOR THE START OF THE ANNUAL RAGBRAI BICYCLE TREK ACROSS IOWA. RON HANSON, CO-CHAIRMAN OF THE CITY’S RAGBRAI COMMITTEE, SAYS THE WHOLE TOWN IS HELPING TO MAKE THE RIDERS AND VISITORS FEEL WELCOME: https://kscj.com/wp-content/uploads/2022/07/SBL1.mp3 SBL1 OC………. HOUSE A BUNCH. :24 COMMITTEE MEMBER ANDREA JOHNSON SAYS THERE’S…

View On WordPress

فول دامپ XML هارد هواوی Tablet Huawei MediaPad T3 - KOB-L09 - تست شده

فول دامپ XML هارد هواوی Tablet Huawei MediaPad T3 - KOB-L09 - تست شده

  Tablet Huawei MediaPad T3 - KOB-L09 Full XML Dump __________________________________________ در این مطلب برای شما فول دامپ هواوی MediaPad T3  مدل KOB-L09 آماده کرده ایم که پس از رایت به راحتی گوشی کامل بالا می آید  . _________________________________________________ هارد های مورد استفاده و تست شده گوشی KOB-L09  eMMC: H9TQ17ABJTCC 16G   _________________________________________________  

xml-boot-repair-dr-emmc.org       __________________________________________   Operation: Connect to Qualcomm HS-USB QDLoader 9008 Search Qualcomm HS-USB QDLoader 9008 devices ... Qualcomm HS-USB QDLoader 9008 (COM27) is found Connect to Sahara ... Connection with Sahara was successful Serial: 0x0000000049FD061D HW_ID: 0x000560E10015003A HASH: 0x6BC369511DA9CADB3A7AF61574F89DB385003D6241BDD1FF573DBA61BF6AE119 SBL_SW: 0x0000000000000000 CPU: Qualcomm Snapdragon 425 (MSM8917) Internal loader found Firehose Info: Filename: 7f362c7745a4065a31e0be34ae9554d7 Filesize: 382048, CheckSum: 0xC4E27505 HW_ID: 0x000560E10015003A HASH: 0x6BC369511DA9CADB3A7AF61574F89DB385003D6241BDD1FF573DBA61BF6AE119 SBL_SW: 0x0000000000000003 Publisher: QUALCOMM MSM: MSM8917 Sending FlashLoader. Please, wait ... FlashLoader was successfully uploaded to the device Connect to FlashLoader ... EMMC NAME: HAG4A2 Vendor: SKHYNIX Serial: 1EC40C0D EMMC ROM 1 (Main User Data) Capacity: 15028 MB (0x0003AB400000) EMMC ROM 2/3 (Boot Partition 1/2) Capacity: 4096 KB (0x000000400000) Connected successfully Operation: Scan PartitionTable from Source (Vendor: Binary Read/Write) Scanning soft partitions from ROM2 GPT header is not found Scanning soft partitions from ROM3 GPT header is found Partition: PrimaryGPT, , Size: 000000004400 (17.00 KB), Type: GPT Partition: CDT, , Size: 000000000800 (2.00 KB), Type: Raw Partition: last_grow, , Size: 0000003F7200 (3.97 MB), Type: Blank Partition: BackupGPT, , Size: 000000004200 (16.50 KB), Type: BackupGPT GPT header successfully parsed Scanning soft partitions from ROM1 GPT header is found Partition: PrimaryGPT, , Size: 000000004400 (17.00 KB), Type: GPT Partition: sbl1, , Size: 000000080000 (512.00 KB), Type: Raw Partition: rpm, , Size: 000000080000 (512.00 KB), Type: Raw Partition: tz, , Size: 000000200000 (2.00 MB), Type: Raw Partition: devcfg, , Size: 000000040000 (256.00 KB), Type: Raw Partition: sbl1bak, , Size: 000000080000 (512.00 KB), Type: Raw Partition: rpmbak, , Size: 000000080000 (512.00 KB), Type: Raw Partition: tzbak, , Size: 000000200000 (2.00 MB), Type: Raw Partition: devcfgbak, , Size: 000000040000 (256.00 KB), Type: Raw Partition: dsp, , Size: 000001000000 (16.00 MB), Type: Linux Partition: pad0, , Size: 00000097BC00 (9.48 MB), Type: Blank Partition: aboot, , Size: 000000800000 (8.00 MB), Type: Raw Partition: cmnlib, , Size: 000000040000 (256.00 KB), Type: Raw Partition: cmnlib64, , Size: 000000040000 (256.00 KB), Type: Raw Partition: keymaster, , Size: 000000040000 (256.00 KB), Type: Raw Partition: abootbak, , Size: 000000800000 (8.00 MB), Type: Raw Partition: cmnlibbak, , Size: 000000040000 (256.00 KB), Type: Raw Partition: cmnlib64bak, , Size: 000000040000 (256.00 KB), Type: Raw Partition: keymasterbak, , Size: 000000040000 (256.00 KB), Type: Raw Partition: fsg, , Size: 000000400000 (4.00 MB), Type: Raw Partition: DDR, , Size: 000000008000 (32.00 KB), Type: Raw Partition: sec, , Size: 000000004000 (16.00 KB), Type: Raw Partition: devinfo, , Size: 000000100000 (1.00 MB), Type: Raw Partition: limits, , Size: 000000008000 (32.00 KB), Type: Blank Partition: oeminfo, , Size: 000004000000 (64.00 MB), Type: Raw Partition: misc, , Size: 000000400000 (4.00 MB), Type: Raw Partition: modemst1, , Size: 000000400000 (4.00 MB), Type: Raw Partition: modemst2, , Size: 000000400000 (4.00 MB), Type: Raw Partition: fsc, , Size: 000000000400 (1.00 KB), Type: Blank Partition: ssd, , Size: 000000002000 (8.00 KB), Type: Blank Partition: nff, , Size: 000000800000 (8.00 MB), Type: Blank Partition: splash2, , Size: 000000800000 (8.00 MB), Type: Linux Partition: pad1, , Size: 0000003FDC00 (3.99 MB), Type: Blank Partition: modem, , Size: 00000A000000 (160.00 MB), Type: Fat16 Partition: erecovery, , Size: 000005000000 (80.00 MB), Type: Boot Partition: boot, , Size: 000005000000 (80.00 MB), Type: Boot Partition: recovery, , Size: 000005000000 (80.00 MB), Type: Boot Partition: cache, , Size: 000010000000 (256.00 MB), Type: Linux (/cache) Partition: persist, , Size: 000004000000 (64.00 MB), Type: Linux (/persist) Partition: log, , Size: 000004000000 (64.00 MB), Type: Fat32 Partition: keystore, , Size: 000000080000 (512.00 KB), Type: Blank Partition: config, , Size: 000000080000 (512.00 KB), Type: FRP Partition: mota, , Size: 000000080000 (512.00 KB), Type: Blank Partition: dip, , Size: 000000100000 (1.00 MB), Type: Blank Partition: mdtp, , Size: 000002000000 (32.00 MB), Type: Raw Partition: syscfg, , Size: 000000080000 (512.00 KB), Type: Blank Partition: mcfg, , Size: 000000400000 (4.00 MB), Type: Blank Partition: lksecapp, , Size: 000000020000 (128.00 KB), Type: Raw Partition: lksecappbak, , Size: 000000020000 (128.00 KB), Type: Raw Partition: apdp, , Size: 000000040000 (256.00 KB), Type: Raw Partition: msadp, , Size: 000000040000 (256.00 KB), Type: Raw Partition: dpo, , Size: 000000002000 (8.00 KB), Type: Blank Partition: rrecord, , Size: 000001000000 (16.00 MB), Type: Blank Partition: patch, , Size: 000006000000 (96.00 MB), Type: Blank Partition: bootfail_info, , Size: 000000200000 (2.00 MB), Type: Raw Partition: pad2, , Size: 00000063E000 (6.24 MB), Type: Raw Partition: logdump, , Size: 000004000000 (64.00 MB), Type: Linux Partition: version, , Size: 000002000000 (32.00 MB), Type: Linux Partition: vendor, , Size: 00002E000000 (736.00 MB), Type: Linux Partition: product, , Size: 00000C000000 (192.00 MB), Type: Linux Partition: cust, , Size: 00000C000000 (192.00 MB), Type: Linux Partition: system, , Size: 0000B8000000 (2.88 GB), Type: Linux Partition: userdata, , Size: 0002613FBE00 (9.52 GB), Type: Raw Partition: BackupGPT, , Size: 000000004200 (16.50 KB), Type: BackupGPT GPT header successfully parsed   _________________________________________________ فایل قابل رایت با کلیه باکس های پروگرم هارد فول دامپ XML هارد هواوی Tablet Huawei MediaPad T3 - KOB-L09 - تست شده _________________________________________________ اطلاع از جدیدترین محصولات و برخورداری از محصولات رایگان و کدهای تخفیف در : ->>کانال تلگرام فروش فایل ماکانال تلگرام فروش ابزار ، ایسی و باکس Read the full article

How to manually upgrade or revert a Samsung Galaxy Tab A (SM-T355Y) to stock ROM on Mac OS X, Windows or Linux

This MAY work on other Samsung Galaxy Tablets and will help if you want to force an Android update or have a custom ROM installed but need to revert to stock for warranty. Read the warning at the bottom FIRST though if you have a device other than the SM-T355Y!

Get Heimdall

Get the ROM for your phone from SamFW or SAMFREW.com (make sure you get the latest ROM for your phone, if the Baseband version/PDA/CSC matches the one in your phones Settings > About you’ve got the right one ;) For the SM-T355Y in Australia, the latest ROM is T355YDOS1CTJ2)

Open the ZIP containing the ROM.

Extract the TAR files/s that are within the ZIP to the same directory that Heimdall is installed (or anywhere on Linux if installed from your package manager)

Boot your tablet into Download Mode by turning it off, then holding down the Volume Down, Home and Power Buttons.

Navigate to the directory that Heimdall/ROM files are in.

Open a command prompt in that location and type:

heimdall flash --APNHLOS NON-HLOS.bin --MODEM modem.bin --SBL1 sbl1.mbn --ABOOT aboot.mbn --RPM rpm.mbn --QSEE tz.mbn --QHEE hyp.mbn --sec sec.dat --BOOT boot.img --RECOVERY recovery.img --PERSIST persist.img.ext4 --SYSTEM system.img.ext4 --CACHE cache.img.ext4 --HIDDEN hidden.img.ext4 --USERDATA userdata.img.ext4 --PIT GT58LTE_SEA_XSA.pit

Your tablet will reboot and voilà! Your tablet is upgraded.

You could also install Nova Launcher and SwiftKey Keyboard to get some customisation on the stock ROM to get a more AOSP feel. (As there are no custom ROMs for the SM-T355Y) ;)

WARNING! NOT ALL GALAXY DEVICES ARE THE SAME!

Each Samsung Galaxy device (by model number) will have slight variations and could have different partition allocations or partition names which could cause the above Heimdall flash code to not work on your device as the partition names may not match your device. The only way to overcome this is to get the decoded PIT (Partition Information Table) file from your device before flashing using the following command and matching the partition names from your device with the partition files from the firmware archive you downloaded.

heimdall print-pit > phone.pit

An example of the PIT file from the SM-T355Y can be found here: https://gist.github.com/duyfken/9704ff5d6be192c453c2653098340db8

Banner Engineering – Scanner Block (SB)L1- Multi-Beam

Banner Engineering – Scanner Block (SB)L1- Multi-Beam

For More Information Visit: www.KJContractingDigital.com

from KJContracting Digital | Electrical Supplier | Surplus Electronic Equipment http://kjcontractingdigital.com/banner-engineering-scanner-block-sbl1-multi-beam/

فایل بکاپ xml هواوی Huawei G630-U20 دانگل CM2 با چیپست MSM8610

فایل بکاپ xml هواوی Huawei G630-U20 دانگل CM2 با چیپست MSM8610

  در این پست برای شما فایل فلش بکاپ گوشی هواوی مدل هواوی Huawei G630-U20 با دانگل CM2  برای ترمیم بوت، تعویض هارد، رفع مشکلات سیاهی بعد از فلش ، خاموشی  و ویروسی بودن و دیگر مشکلات استفاده می شود .

مزیت های " فایل بکاپ xml هواوی Huawei G630-U20 دانگل CM2 با چیپست MSM8610"  :   1- امکان ترمیم بوت از طریق پورت یو اس بی بدون نیاز به باز کردن گوشی در کمتر از ده دقیقه 2- ترمیم بوت از طریق پورت یو اس بی و درایور Qhsusb 3- امکان نصب هارد خام و فلش با این روش بدون نیاز به دامپ   توجه داشته باشید این اموزش زمانی کاربرد خواهد داشت که هارد گوشی سالم باشد و در گوشی هایی که خودبخود خاموش شده کاربرد نخواهد داشت. فایل کاملا تست شده وبدون مشکل می باشد.

مشخصات فایل مورد بحث : Device Brand : Huawei Device Manufact.: HUAWEI Device Model : hwG630-U20 Device CPU : MSM8610 Device IntName : G630-U20 Device Version : 4.3 CU_SWVer : HUAWEI Device Compile : 25.04.2015 9:10:27 Device ExtInfo : G630-U20 Operation : Read Flash 1. Power Off Phone , Remove battery , Insert back 2. PRESS and HOLD BOTH VOLUME KEYS! 3. Insert USB cable. In some cases require use EDL cable or TP to force EDL mode! Wait for phone... Device Found! Initialize ... Handshake passed! BB_IDC_CPU : SnapDragon 2x/4x|00 ID_BLOCK_S : 06C43964 ID_BLOCK_I : 008140E1 ID_BLOCK_L : 6183F905B03E2B2601769E87401B9BB3 ID_BLOCK_L : 9FF658F3E46FDF54694409C6CC233D1E Use CM2 Internal Loader Loader Sent! Initializing ... Running FireHose on BBID : MSM8x10 , FLASH : eMMC , mVER : 1 ExtInfo : 0x0000C000/0000C000/00001000/00001000 Boot Ok! Brand : Huawei ProdName : G630-U20 ProdModel : G630-U20 Device : hwG630-U20 AndroidVer: 4.3 Manufact. : HUAWEI QLMxCPU : MSM8610 Reading Flash Content ... : gpt_main0.bin : sbl1.mbn : deploy.mbn : rpm.mbn : tz.mbn : emmc_appsboot.mbn : oemdata.bin : NON-HLOS.bin : fs_gc.img : persist.img : boot.img : recovery.img : cust.img : cache.img : misc.img : system.img : userdata.img : gpt_backup0.bin Android Info saved! Read finished! Configuration : MSM8x10 / eMMC Firmware Size : 1427 MiB Done! Elapsed: 00:02:44 Reconnect Power/Cable!

ویژگی های دانگل قدرتمند Infinity-Box Dongle) CM2) :  پشتیبانی از چیپست های spd، MTK ، Rokchip ، پشتیبانی ازجدید از گوشی های سامسونگ و Qualcomm حل مشکلات ویروسی بودن گوشی به 2 روش - یک روش استفاده از پایگاه داده هایی که از قبل تنظیم شده یا روش دستی که شما خودتان با توجه به تاریخ و اسم نرم افزار ویروس را پاک کرده و می توانید به پایگاه داده روش اول ویروس ها را اضافه نمایید. بکاپ کامل و مطمئن از گوشی که می توانید با آن مشکلات خاموشی گوشی را بر اثر فایل اشتباه یا مشکلات تصویر و .... را حل نمایید. باز کردن قفل گوشی بدون پاک شدن اطلاعات در اکثر چیپست ها ترمیم سریال IMEI در گوشی ها و همچنین پریدن بیس باند در گوشی های MTK که به راحتی آن را تعمیر می نمایید . و کلی ویژگی مفید و خوب که تعمیر کاران حرفه ای را وادار می نمایید به فکرخریداری آن باشند.  

آیدی تلگرام درصورت وجود هرگونه مشکل در فایل دانلود شده: moh3n7249@

اطلاع از جدیدترین محصولات و برخورداری از محصولات رایگان و کدهای تخفیف در: ->>کانال تلگرام ما Read the full article

struck by love legacy challenge - gen one

meet bobbie maier, our gen one heir!! she's a loyal bookworm who loves the outdoors. bobbie loves collecting things, especially frogs. she has a goal to collect every breed of frog out there. she dreams of completing the curator aspiration while also making time to write books on her research out in the field. as a writer by trade, she's been able to travel and work on the road- which works out great for her because she loves the van life. that's actually where she met her best friend sadie. the two of them are currently residing in their RVs in the mountains of chestnut ridge. they've made a good little home for themselves there and really settled into the area as of late. even though she might seem settled, bobbie isn't someone who can sit still for long...

i've been craving some gameplay so here i am. i'm using the struck by love legacy rules as a loose guide but i'm making lots of changes along the way. i like the challenge of limitations but i also don't wanna be so limited in what i can do that it boxes me in 🙃 happy middle ground. excited to play some more with our granola girls.

the finished parts of sunny’s new house

Wait, what do we have here...??? It's the Meet My Couple-Challenge by @misspepeshi that's been going around. I really love things like that - might even keep it up going forward, who knows - so I figured I'd join in! I don't have anyone to tag since I'm currently pretty much flying solo on here, so I'll just do it like this: Wanna do it? Feel tagged and go ahead! You can find the templates here!

2018 genuine leather women sandals handmade round head elegant summer shoes high heels cutout D238-2 Actmdall

2018 genuine leather women sandals handmade round head elegant summer shoes high heels cutout D238-2 Actmdall

2018 genuine leather women sandals handmade round head elegant summer shoes high heels cutout D238-2 Actmdall

How to Get The Right Hat for Your Face Shape & Body Type - Fedora, Panama Hats, & Felt Hats For Men 2018 genuine leather women sandals handmade round head elegant summer shoes high heels cutout D238-2 Actmdall 2018 Fashion Vintage Summer Women Sandals Genuine leather women sandals handmade round head handmade casual women shoes genuine leather ,2018 …. . РекламаБлог про Информационные Технологии, Инфо-Безопасность и Защиту Персональных Данных! · пн 11:00-20:00, вт 12:00-21:00, ср 11:00-20:00, чт 12:00-21:00, пт 11:00-20:00. . HSN | Italian Shoemakers 05.17.2018 - 09 AM. HSN | Slinky Brand Fashions 06.10.2018 - 06 PM. new mules genuine leather embroidered round toe thick Handmade Genuine leather sandals women sandals summer 2018 new fashion elegant pointed toe. . Full Post 2016 Holiday Critmas gifts & hangout w Marisha, Matt, Taliesin & Brian [SPOILERS E81]. DIY 10 Easy Phone Projects. DIY Phone (Case, Pouch & More). 5 Men's Necklace Styles | Masculine Male Necklaces Every Man Should Consider | Jewelry For Men. Krieghoff: Classic Ejektor live. Олег Шаров - Умови прийому на навчання на молодшого спеціаліста. WXWSWZ 2018 new shoes Women Sandals Summer shoes Sandals WXWSWZ 2018 spring and summer Soft bottom handmade genuine leather women single shoes round head with. . HSN | The List with Colleen Lopez 03.15.2018 - 10 PM. HSN | The Sneaker Guide 04.26.2017 - 02 PM. HSN | Silver Designs By Nicky Butler Jewelry 06.18.2018 - 10 AM. sandals for,summer sandals,ladies sandals,women leather 2018 genuine leather high heels shoes round 2018 summer vintage handmade women sandals. . HSN | Patricia Nash Handbags 08.15.2017 - 05 PM. Freddie Gets A Bedroom Makeover • Ladylike. Black Ladies Shoes High Heel Pumps Genuine Leather Women Shoes Elegant Retro Handmade women flat summer sandals Genuine leather women shoes round head. . How to Crochet in the Round | Crocheting. HSN | Rarities Fine Jewelry with Carol Brodie 03.23.2018 - 02 PM. 2018 autumn winter women leather shoes round head female ankle boots Handmade Women Pumps Genuine Leather Shoes 2018 summer leather women sandals …. . HSN | Designer Gallery Jewelry Clearance up to 60% Off 03.28.2018 - 10 PM. HSN | Shoe Lover's Closet 04.30.2018 - 04 PM. Parenting by Sasha. How to make a powerful Fume Extractor for less than $30. HSN | The Birthday List with Colleen Lopez 07.19.2018 - 09 PM. РекламаДарим 40 банок краски при первом оптовом заказе Бесплатная доставка! Акция!. . For the First Time in Forever Reprise - in Real Life | Disney Frozen | #frozen. How to Become More Disciplined (animated short story). HSN | Sam Edelman Shoes 03.26.2018 - 11 AM.

2018 genuine leather women sandals handmade round head elegant summer shoes high heels cutout D238-2 Actmdall

New Arrival Ankle Boots Women 2018 Autumn Natural Leather Women Shoes Low Heel Elastic Band Handmade Women' s Short Shoes

New Arrival Ankle Boots Women 2018 Autumn Natural Leather Women Shoes Low Heel Elastic Band Handmade Women' s Short Shoes

Girl Knitted Fly weaving cloth Tenis Flats shoes Sneakers Women Gray Black RED Breathable Casual Flats shoes LF-45

Girl Knitted Fly weaving cloth Tenis Flats shoes Sneakers Women Gray Black RED Breathable Casual Flats shoes LF-45

Genuine leather woman size 9 designer yinzo vintage flat shoes round toe handmade brown black blue oxford shoes for women 2017

Genuine leather woman size 9 designer yinzo vintage flat shoes round toe handmade brown black blue oxford shoes for women 2017

2017 winter men's cotton shoes casual high-help plus cashmere warm boots Genuine leather ankle motorcycle boots cowhide

2017 winter men's cotton shoes casual high-help plus cashmere warm boots Genuine leather ankle motorcycle boots cowhide

MORAZORA Hot sale 2018 ankle boots for women genuine leather boots fashion punk motorcycle boots lace-up black

MORAZORA Hot sale 2018 ankle boots for women genuine leather boots fashion punk motorcycle boots lace-up black

Ekoak Women Winter Boots New 2018 Fashion Shoes Woman Autumn Ankle Boots Classic High Heels Platform Boots Casual Cowboy Boots

Ekoak Women Winter Boots New 2018 Fashion Shoes Woman Autumn Ankle Boots Classic High Heels Platform Boots Casual Cowboy Boots

Krazing pot 2018 cow leather brand summer shoes thick heels women sandals British school ankle buckle straps dating shoes L63

Krazing pot 2018 cow leather brand summer shoes thick heels women sandals British school ankle buckle straps dating shoes L63

Summer Gladiator Sandals Flip Flops Fisherman Shoes Woman Genuine Leather Flats Women Shoes Size 35-40 XW517031101

Summer Gladiator Sandals Flip Flops Fisherman Shoes Woman Genuine Leather Flats Women Shoes Size 35-40 XW517031101

LIN KING Leisure Big Size Thin Heel Women Pumps Slim Shallow Pointed Toe High Heel Shoes Sweet Bowtie Ladies Lolita Office Shoes

LIN KING Leisure Big Size Thin Heel Women Pumps Slim Shallow Pointed Toe High Heel Shoes Sweet Bowtie Ladies Lolita Office Shoes

Phenkang Genuine Leather summer tassel brogues shoes for Women lace up Sheepskin brown Flats Lady Shoes Handmade woman sneakers

Phenkang Genuine Leather summer tassel brogues shoes for Women lace up Sheepskin brown Flats Lady Shoes Handmade woman sneakers

doershow 2018 yellow colorNewest Italian Shoes With Matching Bag Set African Women Party Shoes And Bag Set Women Sandals SBL1-25

doershow 2018 yellow colorNewest Italian Shoes With Matching Bag Set African Women Party Shoes And Bag Set Women Sandals SBL1-25

Men Summer Hollow casual shoess Flat Loafer Beach Rubber Sandal Slipper Shoes

Men Summer Hollow casual shoess Flat Loafer Beach Rubber Sandal Slipper Shoes

http://ragicuspeo1979.blogspot.com/2018/09/new-pet-genuine-original-lps-1921.html

🔋 📱❄️🥾🔓, an EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices

I should probably preface all of this by saying that I'm not really a security professional in the sense that I don't actually do security stuff for a living; I reported this vulnerability in March and gave a 90 day delay on releasing specific details mostly just because that's A Thing That Security Researchers Do. Also the vulnerability doesn't require user interaction from coldboot so it's a bit nasty in that regard. But also this vulnerability sat around for 7 years so it could be argued that, if anything, 90 days is too long.

Anyhow jumping into things, this is a writeup documenting CVE-2020-12753, a bootloader vulnerability affecting most Qualcomm-based LG phones since the Nexus 5, all the way up to the my test device, the LG Stylo 4 Q710 (and 5 Q720), and probably others. While working on the implementation of this vulnerability I thought it was odd how few bootloader vulnerabilities for Android actually get properly documented, and given the sheer spread of affected devices of this particular vuln I thought it'd be interesting to document it in detail.

A Quick Primer on the (Qualcomm) Android Boot Process

The device I'm working with, the Stylo 4, operates on 2013-2016 variant of Qualcomm's boot sequence described at https://lineageos.org/engineering/Qualcomm-Firmware/:

- On power-on, the Primary Bootloader (PBL) initializes DRAM, eMMC, etc and then loads and verifies SBL1 (Secondary Bootloader 1) from eMMC. - SBL1 then loads and verifies the Trusted Execution Environment (TEE), aboot, and a few other bits and pieces and then jumps to the TEE, in this case Qualcomm's Secure Execution Environment (QSEE) - QSEE sets up secure EL3/EL1 (TrustZone) and jumps down to aboot (non-secure EL1) - aboot loads and verifies the Linux kernel and jumps to it

Some Android devices allow "bootloader unlocking", which allows unsigned kernels to be loaded and run. Generally this unlocking occurs via aboot, and the implementation varies from vendor to vendor, however in most cases what happens is that a fastboot command gets sent to the phone to unlock/lock the phone, and as part of Android's Verified Boot, the phone's storage is wiped on this transition. There's also some requirements on user verification so that, in theory, this unlock cannot occur without user interaction.

Additionally, with verified boot enabled, Android will use dm-verity to verify all files on the root/system partition, and SELinux is run as Enforcing.

Variants on the Boot Process, added by LG

In practice, the boot process isn't quite so simple: Vendors are able to add modifications to the boot process as they see fit. In LG's case, these differences can be summarized as follows: - Hardware bringup in SBL for charging PMICs, LEDs, and other misc hardware - Misc logging/debugging modifications - Additional TEE processes for SIM unlocking, backed by RPMB - In aboot, vendor-specific fastboot commands (or no fastboot at all in the case of my device), restrictions on unlocking via certificates, verification modifications, additional boot args for Linux, etc - Vendor-specific recoveries/flashers, LAF in the case of LG

While I initially started in a privesc from within Linux (and got ~close to getting kernel execution), Google has done a lot of work to ensure that vendors can’t mess up Android security. However, bootloaders have a lot less oversight, so going after these vendor-specific bits of hardware bringup seemed extremely opportune for errors.

Introducing: raw_resources

At an undetermined point in time (likely prior to the Nexus 5 releasing), LG added an "imgdata" partition on eMMC to store boot graphics for Download Mode, fastboot graphics, charging graphics, the unlock graphic and so on. Image data is stored RLE compressed and for each image, metadata for the image width, height, x and y position are specified. The Nexus 5’s final bootloader image, as far as I can tell, only accesses this partition from aboot; SBL1 is not affected on this device. For the curious, I have a Python3 script which can extract these images at https://gist.github.com/shinyquagsire23/ba0f6209592d50fb8e4166620228aaa5.

A few examples of Nexus 5 imgdata resources

imgdata later became raw_resources, and at an undetermined point, the same RLE decompression and metadata interpreting was copied into SBL1 for use in boot paths where the battery has discharged significantly. If the battery is discharged too far, SBL1’s pm_sbl_chg_check_weak_battery_status will display LGE_PM_NO_CHARGER for boot attempts made without a charger connected, LGE_PM_WEAK_CHARGING_ON for boot attempts with a charger connected, and LGE_PM_NO_BATERY_ANI_* for boot attempts made without a battery. A script for extracting raw_resources can be found at https://gist.github.com/shinyquagsire23/b69ca343fd2f246aee882ecb5af702bd.

A few examples of Q710 resources

On normal boot paths, aboot reads raw_resources to display the boot logo, download mode graphic, and verified boot statuses for devices which allow unlocking. In my case, the Q710/Q720 does not allow for unlocking, so this boot path is never reached on these devices. However, the graphics still exist I guess on the off chance that they allowed it to happen.

For the C inclined, the format of raw_resources can be summarized in these structs: typedef struct boot_img_header {    char magic[0x10];    uint32_t num_imgs;    uint32_t version;    char device[0x10];    uint32_t signature_offs; } boot_img_header;

typedef struct img_info {    char name[0x28];    uint32_t data_offset;    uint32_t data_size;    uint32_t width;    uint32_t height;    uint32_t offs_x;    uint32_t offs_y; } img_info;

The following calculation is performed in order to determine the output pointer to be used during decompression: bpp = 24 screen_stride = fbinfo->screen_width; fbuf_offset = offs_x + (screen_stride * offs_y); fbuf_out = (fbuf_offset * (bpp / 8)) + fbinfo->buffer;

offs_x and offs_y are not bounds checked, and fbinfo->buffer is known in SBL1 and aboot, allowing for a controlled arbitrary write in both environments.

SBL1 load_res_888rle_image Arbitrary Write

This boot path requires discharging the battery to below 0%. While this is less feasible for any practical usage, performing the arbitrary write at this point allows patching SBL1 to disable signature verification before TEE and aboot are loaded. Any of the LGE_PM_* images can be hijacked selectively for arbitrary code execution, though for my PoC I used LGE_PM_NO_CHARGER specifically because I didn't want to accidentally brick myself (or well, I didn't want to have to beep out eMMC wires on the board to unbrick).

A 32-bit x offset can be calculated for any given address divisible by 3 using the following calculation: offset_x = (((0x100000000 + target_addr) - 0x90000000) / 3) & 0xFFFFFFFF

Data written to this arbitrary address can be kept contiguous by specifying the image width to be the same as the screen width. The height should then be rounded up from the payload size to ensure all data is written properly. So really by the end, this isn't an arbitrary write so much as it is an arbitrary memcpy at Secure EL3.

aboot Arbitrary Write

The aboot arbitrary write functions identically to SBL1: Any image can be selected to perform the arbitrary write. Most notably, this includes any lglogo_image_* graphic, which is displayed by default on every boot. The framebuffer is generally fixed to address 0x90001000, which means that by using the arbitrary write to gain code execution, the original graphic which was used to obtain the arbitrary write can be written to the screen following hijacking to, in effect, make it appear as if boot flow has not been modified at all, for better or for worse.

A good question that might be raised after looking briefly at the structs earlier would be, "wait, there's a signature offset, why does any of this work if raw_resources contains a signature?" And yes, raw_resources contains a signature! But it's a useless signature because this signature is only checked in aboot while displaying verifiedboot_* images. At some point, XDA users found out that you could swap the LG boot logos over the verifiedboot_* images so that when they unlocked their devices they wouldn't have to see the AVB boot nag messages. Naturally, this defeats the point of Google's Verified Boot spec since it would potentially allow a bootloader be unlocked without the user knowing, so LG added a signature. But it’s only checked for the verified boot images.

As a minor note, unlike SBL1, aboot will also select between raw_resources_a and raw_resources_b depending on the A/B boot slot.

Practical Exploitation

I started by exploiting SBL1, partially because Secure EL3 is just cooler than nonsecure EL1, but also because the framebuffer address was more obviously seen than in aboot (though I later found the aboot framebuffer address anyhow). At this point in execution all of the hardware is initialized and no other bootloaders have been loaded, so we're basically free to patch sigchecks and control the entire phone!

As it turns out though, SBL1 takes a bit more work to actually exploit, because unlike aboot, its segments aren't set RWX. I'm not really sure why aboot has all of its segments RWX, like at that point it's more of a 'boot' than a 'secure boot' if they can't even bother to use the easiest security option available.

In any case, ROP is required briefly to bypass the MMU's NX bit. This isn't too terrible, since SBL1 actually has a routine we can jump to to disable the MMU, though it requires a bit of finnagling to get correct.

So in summary, the exploitation process goes as follows: - Flash raw_resources_a.img to eMMC (ie via kernel execution, LG LAF, soldered wires and a hardware flasher, etc). - For SBL1 hax, drain the battery to below 0%. For my Q710, I drained most of the battery by leaving the screen at max brightness with sleep disabled until the phone powered off on its own after several hours. To drain the remaining battery, I charged enough to enter LAF download mode and left it to drain with the screen on for 2-3 hours. - Hold Power and Volume Down until the phone restarts. If the phone discharged enough, the phone should restart into the payload. - The phone can be plugged in to boot into aboot and Android normally, but the payload will now execute every time the payload-injected graphic is displayed.

To exploit SBL1: - raw_resources_a is modified such that the x offset is set to 0x2801CF5C, the width to 1080, and the height to 5. This will decompress LGE_PM_NO_CHARGER (now containing the contents of payload.bin) to 0x08056E14, slightly higher than the stack pointer during decompression. - The image is decompressed and load_res_888rle_image exits. The previous LR has now been overwritten by a pointer to a Thumb-mode pop {pc} ROP slide, to account for possible offsetting error. - At the end of the ROP slide, the following ROP instruction sequence is executed:

pop {r4-r12, pc}    ; r8 is now set to SBL1_ARM_MMU_DISABLE, and r12 is now set to SBL1_THUMB_BX_R8

pop {r4-r6, lr}     ; LR is set to the payload pointer orr r12, r12, #0x1 bx r12 ; jump to SBL1_THUMB_BX_R8

bx r8 ; jump to SBL1_ARM_MMU_DISABLE with lr now set to our payload

Proof-of-Concept, and Future Plans

For those interested in experimenting, a PoC can be found here. Note that this is specifically for the LG Q710, and contains offset specific to the AMZ LG Stylo 4 (Q710ULM, 20c_00_AMZ_US_OP_1121). I'm planning on polishing things up further, however my current boot takeover involves two other vulnerabilities that I'd like to give a bit more time to make sure they're actually fixed/close to being fixed before releasing.

In the meantime I'd be interested in seeing if anyone else is interested in porting this to other LG devices, since I only own a Nexus 5, a Q710 and a Q720. As it is, these vulns will allow bootloader unlocking at a minimum on most older Qualcomm LG devices, and secure EL3 on newer ones, which should be very interesting for anyone interested in finding vulnerabilities in QSEE/similar on LG devices.

台銀「快樂籃球」，7勝3敗穩住第一

SBL超籃打完三分之一賽季，台銀7勝3敗，已經連續兩周站上第一，成為本季最大驚奇，將奪冠兩大熱門球隊富邦(5勝5敗)、璞園(6勝5敗)拋在後頭。

台銀本季最大改變除了戰績更好，勝率高達七成之外，最重要的是「快樂」。

台銀教練團職員透露，台銀現在上下一心，球隊氣氛好極了，球員享受訓練，快樂比賽，這成為一股形勢，當球員都能快樂打球，願意拚命，無私做出所有奉獻，攻防兩端都能營造出快樂氛圍。

台銀本季由韋陳明回鍋執掌兵符，韋陳明台銀球員出身，曾經在SBL1-4季和第10-11季兩度執掌兵符。台銀SBL隊史最高勝率是SBL第3季(2005-06)15勝15敗，勝率五成，季後賽5戰3勝制對決裕隆，雙方糾纏到第5戰台銀才失手輸球，台銀SBL隊史最好績和季後賽表現，都是韋陳明帶出來的成績。

韋陳明用耐心和溝通，讓台銀球員在一種「成熟」的氛圍中打球，創造「快樂」比賽氣氛，加上台銀幾名核心主力都在成熟或顛峰期，包括陳順詳、李維哲、張博勝、龍弘元都能發揮老將作用。

陳順詳自律嚴謹，認真努力，發揮領袖作用，老將張博勝、李維哲、龍弘元都能打出關鍵作用。另外最重要的洋將帶來的意外之喜。

台銀洋將賈西亞24.1分、13.7籃板是SBL高水準洋將，態度積極、配合度高、攻防均衡，208公分賈西亞身高並不出色，但他能裡能外，速度快、打球態度積極，他能用速度對抗 226公分布拉和220公分拉莫斯，也能用穩定外線、投籃拉開空間，禁區二波籃板和跟進又有侵略性。

韋陳明讓台銀球員重新找到快樂打球的動力和團隊，洋將又意外融入，效率甚高，一切水到渠成。

除了球隊氛圍更好，球員能夠快樂打球，享受比賽和一起贏球，台銀本季有幾個數據非常關鍵。

#三分球命中率3成61，每場可以命中8.3個三分球，排名七隊第一。

#每場攻下83.6分，得分排名第一。

#每場失誤10.5次，是七隊中失誤率最低的球隊。

#每場製造17.5次罰球，每場罰進12.5個球，都排名七隊第二，僅次於擁有226公分MVP印度巨塔布拉的達欣。

#台銀10人輪換，每場至少有9人平均上場時間至少11分鐘，更好的陣容深度和板凳，幫助台銀打出更有韌性團隊戰力。

#本土球員有5人場均得分在8分以上，給合洋將賈西亞，台銀在進攻端武器更豐富。

只要不受主力球員傷病困擾，今年快樂打球的台銀，下半季還會讓所有球迷更震撼。

看過此篇新聞的人也看了… 騎士3日戰拓荒者 Thomas將首度出賽 火箭Harden腿筋拉傷 至少休2週 進入二十年奪冠週期的洋基！？大聯盟2018年最熱門話題 從風城到山城的女孩。陳映慈