Shofel payloader source & prebuild for jib with some old payloads i had made

these payloads may not work , i have no clue honestly i attached them ,
also there are 2 helper py scripts that might work with some of these
payloads

depricated payloads/source/LICENSE

@@ -0,0 +1,27 @@
+// Copyright (c) 2020 lordrafa. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//    * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//    * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//    * Neither my name nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

depricated payloads/source/LICENSE.chromiumos

@@ -0,0 +1,27 @@
+// Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//    * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//    * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//    * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

depricated payloads/source/hello.c

@@ -0,0 +1,20 @@
+#define GPIO_BASE 0x6000d000
+#define CLK_RST_BASE 0x60006000
+
+void _start() {
+  *(volatile unsigned int *)(CLK_RST_BASE + 0x10) |= (1 << 8);
+
+  *(volatile unsigned int *)(0x7000e400 + 0x0) |=
+      (1 << 16); // Force CPU Power On
+
+  for (int i = 0; i < 100; i++) {
+    *(volatile unsigned int *)(GPIO_BASE + 0x418) = 0xFF; // Pulse High
+    for (volatile int j = 0; j < 1000; j++)
+      ;
+    *(volatile unsigned int *)(GPIO_BASE + 0x418) = 0x00; // Pulse Low
+    for (volatile int j = 0; j < 1000; j++)
+      ;
+  }
+
+  *(volatile unsigned int *)(0x7000e400 + 0x30) = 0x10;
+}

depricated payloads/source/jibo_blink.c

@@ -0,0 +1,18 @@
+#define GPIO_BASE 0x6000d000
+
+void _start() {
+  *(volatile unsigned int *)(0x60006010) |= (1 << 8);
+
+  *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x14) = 0xFF; // Port U OE
+  *(volatile unsigned int *)(GPIO_BASE + 0x600 + 0x14) = 0xFF; // Port V OE
+  *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x10) = 0xFF; // Port U CNF
+  *(volatile unsigned int *)(GPIO_BASE + 0x600 + 0x10) = 0xFF; // Port V CNF
+
+  while (1) {
+    *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x18) ^= 0xFF;
+    *(volatile unsigned int *)(GPIO_BASE + 0x600 + 0x18) ^= 0xFF;
+
+    for (volatile int i = 0; i < 200000; i++)
+      ; // Visible delay
+  }
+}

depricated payloads/source/jibo_exit.c

@@ -0,0 +1,4 @@
+void _start() {
+  *(volatile unsigned int *)0x40001000 = 0xDEADC0DE;
+
+}

depricated payloads/source/jibo_intercept.c

@@ -0,0 +1,18 @@
+#define SRC_ADDR 0xFFF00000  // The BootROM Mirror
+#define DEST_ADDR 0x40009000 // A different safe spot
+#define COPY_SIZE 0x100      // Just a tiny 256-byte sniff
+#define PMC_SCRATCH0 0x7000e450
+
+void _start() {
+  unsigned int *src = (unsigned int *)SRC_ADDR;
+  unsigned int *dest = (unsigned int *)DEST_ADDR;
+
+  for (int i = 0; i < (COPY_SIZE / 4); i++) {
+    dest[i] = src[i];
+  }
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = 0x90909090;
+
+  while (1)
+    ;
+}

depricated payloads/source/jibo_leak.c

@@ -0,0 +1,12 @@
+#define PMC_SCRATCH0 0x7000e450
+#define PMC_CNTRL 0x7000e400
+#define EMMC_BASE 0x70000000 // Just a test address for mapping
+
+void _start() {
+  unsigned int val = *(volatile unsigned int *)0x40000000;
+
+  *(volatile unsigned int *)(PMC_SCRATCH0) = val;
+  *(volatile unsigned int *)(PMC_CNTRL) |= (1 << 4);
+  while (1)
+    ;
+}

depricated payloads/source/jibo_leak_ram.c

@@ -0,0 +1,15 @@
+#define PMC_BASE 0x7000e400
+#define PMC_SCRATCH0 (PMC_BASE + 0x50)
+#define PMC_CNTRL (PMC_BASE + 0x0)
+#define BOOTROM_START 0xFFF00000
+
+void _start() {
+  unsigned int rom_data = *(volatile unsigned int *)(BOOTROM_START);
+
+  *(volatile unsigned int *)(PMC_SCRATCH0) = rom_data;
+
+  *(volatile unsigned int *)(PMC_CNTRL) |= (1 << 4);
+
+  while (1)
+    ;
+}

depricated payloads/source/jibo_leaker.c

@@ -0,0 +1,24 @@
+#include "target_config.h"
+#define START_ADDR 0x00000000
+#define WDT_EN 0x60005000
+#define WDT_SEL 0x60005008
+#define TMR_WDT_RESTART 0x6000501c
+
+typedef int (*usb_send_ptr)(void *buffer, unsigned int length,
+                            unsigned int *transferred);
+usb_send_ptr usb_send_raw = (usb_send_ptr)0x000035e5;
+
+void _start() {
+
+  unsigned char *source = (unsigned char *)0x40000000;
+  unsigned int transferred = 0;
+
+  for (int i = 0; i < 100; i++) {
+    *(volatile unsigned int *)0x6000501c = 0xcafe;
+
+    usb_send_raw(source + (i * 64), 64, &transferred);
+
+    for (volatile int d = 0; d < 200000; d++)
+      ;
+  }
+}

depricated payloads/source/jibo_leakerv1.c

@@ -0,0 +1,19 @@
+#define PMC_SCRATCH0 0x7000e450 // Data storage
+#define PMC_SCRATCH1 0x7000e454 // Address storage
+#define PMC_CNTRL 0x7000e400
+
+void _start() {
+  unsigned int *target =
+      (unsigned int *)(*(volatile unsigned int *)PMC_SCRATCH1);
+
+  if ((unsigned int)target == 0)
+    target = (unsigned int *)0xFFF00000;
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = *target;
+
+  *(volatile unsigned int *)PMC_SCRATCH1 = (unsigned int)target + 4;
+
+  *(volatile unsigned int *)PMC_CNTRL |= (1 << 4);
+  while (1)
+    ;
+}

depricated payloads/source/jibo_leakerv2.c

@@ -0,0 +1,35 @@
+#define PMC_BASE 0x7000e400
+#define PMC_SCRATCH0 (PMC_BASE + 0x50)
+#define PMC_SCRATCH1 (PMC_BASE + 0x54)
+#define PMC_CNTRL (PMC_BASE + 0x0)
+
+void _start() {
+  __asm__ volatile("mrs r0, cpsr\n"
+                   "orr r0, r0, #0xc0\n" // Disable IRQ/FIQ
+                   "bic r0, r0, #0x1f\n" // Clear mode bits
+                   "orr r0, r0, #0x13\n" // Set Supervisor (SVC) mode
+                   "msr cpsr, r0\n"
+
+                   "mrc p15, 0, r0, c1, c0, 0\n"
+                   "bic r0, r0, #0x0001\n" // MMU Off
+                   "bic r0, r0, #0x0004\n" // D-Cache Off
+                   "mcr p15, 0, r0, c1, c0, 0\n");
+
+  unsigned int *target =
+      (unsigned int *)(*(volatile unsigned int *)PMC_SCRATCH1);
+
+  if ((unsigned int)target < 0x40000000 || (unsigned int)target > 0xFFF10000) {
+    target = (unsigned int *)0x40000000;
+  }
+
+  unsigned int val = *target;
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = val;
+
+  *(volatile unsigned int *)PMC_SCRATCH1 = (unsigned int)target + 4;
+
+  *(volatile unsigned int *)PMC_CNTRL |= (1 << 4);
+
+  while (1)
+    ;
+}

depricated payloads/source/jibo_leakerv3.c

@@ -0,0 +1,30 @@
+#define PMC_BASE 0x7000e400
+#define PMC_SCRATCH0 (PMC_BASE + 0x50)
+#define PMC_SCRATCH1 (PMC_BASE + 0x54)
+#define PMC_CNTRL (PMC_BASE + 0x0)
+
+void _start() {
+  __asm__ volatile("mrs r0, cpsr\n"
+                   "bic r0, r0, #0x1f\n"
+                   "orr r0, r0, #0x13\n"
+                   "msr cpsr, r0\n");
+
+  unsigned int *target =
+      (unsigned int *)(*(volatile unsigned int *)PMC_SCRATCH1);
+
+  if ((unsigned int)target < 0x40000000 || (unsigned int)target > 0xFFF10000) {
+    target = (unsigned int *)0x40000000;
+  }
+
+  unsigned int val = *target;
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = val;
+  *(volatile unsigned int *)PMC_SCRATCH1 = (unsigned int)target + 4;
+
+  __asm__ volatile("mcr p15, 0, r0, c7, c10, 4\n");
+
+  *(volatile unsigned int *)PMC_CNTRL |= (1 << 4);
+
+  while (1)
+    ;
+}

depricated payloads/source/jibo_leakerv4.c

@@ -0,0 +1,11 @@
+#define PMC_SCRATCH0 0x7000e450
+
+void _start() {
+  unsigned int val = *(volatile unsigned int *)0x40000000;
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = val;
+
+  while (1) {
+    __asm__("nop");
+  }
+}

depricated payloads/source/jibo_leakerv5SIG.c

@@ -0,0 +1,24 @@
+#define PMC_BASE 0x7000e400
+#define PMC_SCRATCH0 (PMC_BASE + 0x50)
+#define PMC_SCRATCH1 (PMC_BASE + 0x54)
+#define PMC_CNTRL (PMC_BASE + 0x0)
+
+void _start() {
+  unsigned int *target =
+      (unsigned int *)(*(volatile unsigned int *)PMC_SCRATCH1);
+
+  if ((unsigned int)target < 0x40000000 || (unsigned int)target > 0x40010000) {
+    target = (unsigned int *)0x40000000;
+  }
+
+  unsigned int val = *target;
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = val;
+
+  *(volatile unsigned int *)PMC_SCRATCH1 = (unsigned int)target + 4;
+
+  *(volatile unsigned int *)PMC_CNTRL |= (1 << 4);
+
+  while (1)
+    ;
+}

depricated payloads/source/jibo_mosfet_uart.c

@@ -0,0 +1,25 @@
+#define APB_MISC_BASE 0x70000000
+#define PIN_UART1_TX 0x70003114
+#define PAD_UART1_TX 0x700008BC
+
+void _start() {
+  *(volatile unsigned int *)(PIN_UART1_TX) = (1 << 6) | (1 << 4);
+
+  *(volatile unsigned int *)(PAD_UART1_TX) = 0x00000000;    // Reset to defaults
+  *(volatile unsigned int *)(PAD_UART1_TX) |= (0x1F << 12); // Max Drive Up
+  *(volatile unsigned int *)(PAD_UART1_TX) |= (0x1F << 20); // Max Drive Down
+
+  *(volatile unsigned int *)(0x60006010) |= (1 << 6);
+  *(volatile unsigned int *)(0x7000600C) = 0x83;
+  *(volatile unsigned int *)(0x70006000) = 0x71; // DLL for 1200 Baud @ 12MHz
+  *(volatile unsigned int *)(0x70006004) = 0x02; // DLM
+  *(volatile unsigned int *)(0x7000600C) = 0x03;
+
+  while (1) {
+    while (!(*(volatile unsigned int *)(0x70006014) & 0x20))
+      ;
+    *(volatile unsigned int *)(0x70006000) = 0x55; // Alternating bits
+    for (volatile int i = 0; i < 1000000; i++)
+      ;
+  }
+}

depricated payloads/source/jibo_mule.c

@@ -0,0 +1,19 @@
+#define SRC_ADDR                                                               \
+  0x00000000 // Let's try to grab the very beginning of the EMMC/ROM
+#define DEST_ADDR 0x40008000 // Safe staging area in IRAM
+#define COPY_SIZE 0x2000     // 8KB chunk
+#define PMC_SCRATCH0 0x7000e450
+
+void _start() {
+  unsigned int *src = (unsigned int *)SRC_ADDR;
+  unsigned int *dest = (unsigned int *)DEST_ADDR;
+
+  for (int i = 0; i < (COPY_SIZE / 4); i++) {
+    dest[i] = src[i];
+  }
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = 0x55AA55AA;
+
+  while (1)
+    ;
+}

depricated payloads/source/jibo_mulev2.c

@@ -0,0 +1,22 @@
+#define SRC_ADDR 0x40030000 // Higher IRAM, usually less guarded
+#define DEST_ADDR 0x40008000
+#define COPY_SIZE 0x1000 // Just 4KB for now
+#define PMC_SCRATCH0 0x7000e450
+#define PMC_CNTRL 0x7000e400
+
+void _start() {
+  unsigned int *src = (unsigned int *)SRC_ADDR;
+  unsigned int *dest = (unsigned int *)DEST_ADDR;
+
+  unsigned int test_val = src[0];
+
+  for (int i = 0; i < (COPY_SIZE / 4); i++) {
+    dest[i] = src[i];
+  }
+
+  *(volatile unsigned int *)PMC_SCRATCH0 = 0x11223344;
+
+  *(volatile unsigned int *)PMC_CNTRL |= (1 << 4);
+  while (1)
+    ;
+}

depricated payloads/source/jibo_signal.c

@@ -0,0 +1,11 @@
+void _start() {
+  volatile unsigned int *signal = (unsigned int *)0x40001000;
+
+  unsigned int counter = 0;
+  while (1) {
+    *signal = 0xABC00000 | (counter & 0xFFFFF);
+    counter++;
+    for (volatile int i = 0; i < 10000; i++)
+      ;
+  }
+}

depricated payloads/source/ping.c

@@ -0,0 +1,4 @@
+void _start() {
+  *(volatile unsigned int *)0x40000800 = 0xDEADBEEF;
+  *(volatile unsigned int *)0x40000804 = 0xCAFEBABE;
+}

depricated payloads/source/pmic_wake.c

@@ -0,0 +1,41 @@
+#define GPIO_BASE 0x6000d000
+#define SCL_BIT (1 << 3)
+#define SDA_BIT (1 << 2)
+#define GPIO_P_OFFSET 0x400
+
+void delay() {
+  for (volatile int i = 0; i < 500; i++)
+    ;
+}
+
+void i2c_start() {
+  *(volatile unsigned int *)(GPIO_BASE + GPIO_P_OFFSET + 0x18) =
+      SDA_BIT; // SDA High
+  *(volatile unsigned int *)(GPIO_BASE + GPIO_P_OFFSET + 0x18) =
+      SCL_BIT; // SCL High
+  delay();
+  *(volatile unsigned int *)(GPIO_BASE + GPIO_P_OFFSET + 0x18) &=
+      ~SDA_BIT; // SDA Low
+  delay();
+  *(volatile unsigned int *)(GPIO_BASE + GPIO_P_OFFSET + 0x18) &=
+      ~SCL_BIT; // SCL Low
+}
+
+void _start() {
+  *(volatile unsigned int *)(0x60006010) |= (1 << 8);
+
+  *(volatile unsigned int *)(GPIO_BASE + GPIO_P_OFFSET + 0x10) =
+      (SCL_BIT | SDA_BIT);
+  *(volatile unsigned int *)(GPIO_BASE + GPIO_P_OFFSET + 0x14) =
+      (SCL_BIT | SDA_BIT);
+
+  i2c_start();
+
+  *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x14) = 0x01;
+
+  while (1) {
+    *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x18) ^= 0x01; // Toggle TX
+    for (volatile int i = 0; i < 10000; i++)
+      ;
+  }
+}

depricated payloads/source/ports.c

@@ -0,0 +1,16 @@
+void _start() {
+  *(volatile unsigned int *)(0x60006010) |=
+      (1 << 6) | (1 << 7); // UARTA & UARTB
+  *(volatile unsigned int *)(0x60006014) |=
+      (1 << 23) | (1 << 16); // UARTC & UARTD
+
+  unsigned int uarts[] = {0x70006000, 0x70006040, 0x70006200, 0x70006300};
+
+  while (1) {
+    for (int j = 0; j < 4; j++) {
+      *(volatile unsigned int *)(uarts[j] + 0x00) = 0x55;
+    }
+    for (volatile int i = 0; i < 50000; i++)
+      ;
+  }
+}

depricated payloads/source/power.c

@@ -0,0 +1,20 @@
+#define PMC_BASE 0x7000e400
+#define APB_MISC_BASE 0x70000000
+
+void _start() {
+  *(volatile unsigned int *)(PMC_BASE + 0x1b4) = 0x0; // Clear PWR_DET_LATCH
+  *(volatile unsigned int *)(PMC_BASE + 0x1b8) =
+      0xFFFFFFFF; // Force High Voltage Mode
+
+  *(volatile unsigned int *)(APB_MISC_BASE + 0x8BC) =
+      0x00000000; // UART1_TX Pad Control
+
+  *(volatile unsigned int *)(PMC_BASE + 0x50) = 0x50575221; // "PWR!"
+
+  volatile unsigned int *uart = (unsigned int *)0x70006000;
+  while (1) {
+    *uart = 0x55; // 01010101 pattern
+    for (volatile int i = 0; i < 1000; i++)
+      ;
+  }
+}

depricated payloads/source/stay_alive.c

@@ -0,0 +1,10 @@
+#define PMC_SCRATCH0 0x7000e450
+
+void _start() {
+  *(volatile unsigned int *)(PMC_SCRATCH0) = 0xDEADBEEF;
+
+  while (1) {
+    for (volatile int i = 0; i < 1000; i++)
+      ;
+  }
+}

depricated payloads/source/toggle.c

@@ -0,0 +1,17 @@
+#define GPIO_BASE 0x6000d000
+
+void _start() {
+  *(volatile unsigned int *)(0x60006010) |= (1 << 8);
+
+  *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x10) = 0x01; // CNF: GPIO
+  *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x14) = 0x01; // OE: Output
+
+  while (1) {
+    *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x18) = 0x01; // HIGH
+    for (volatile int i = 0; i < 5000; i++)
+      ;
+    *(volatile unsigned int *)(GPIO_BASE + 0x500 + 0x18) = 0x00; // LOW
+    for (volatile int i = 0; i < 5000; i++)
+      ;
+  }
+}

depricated payloads/source/usb_echo.c

@@ -0,0 +1,25 @@
+#include <stdint.h>
+
+#define WDT_RESTART 0x6000501c
+#define PMC_SCRATCH0 0x7000e450
+#define BOOTROM_USB_SEND 0x000035e5 // Low-level raw send function
+
+typedef void (*usb_send_raw_fn)(void *buffer, uint32_t length);
+
+void _start() {
+  *(volatile uint32_t *)WDT_RESTART = 0xcafe;
+
+  *(volatile uint32_t *)PMC_SCRATCH0 = 0xdeadbeef;
+
+  char msg[] = "JIBOWORKS";
+
+  usb_send_raw_fn send_to_pc = (usb_send_raw_fn)BOOTROM_USB_SEND;
+
+  send_to_pc(msg, 10);
+
+  while (1) {
+    *(volatile uint32_t *)WDT_RESTART = 0xcafe;
+    for (volatile int i = 0; i < 10000; i++)
+      ;
+  }
+}

depricated payloads/source/verify.c

@@ -0,0 +1,14 @@
+#define PMC_BASE 0x7000e400
+#define PMC_SCRATCH0 (PMC_BASE + 0x50)
+#define PMC_CNTRL (PMC_BASE + 0x0)
+
+void _start() {
+  *(volatile unsigned int *)(PMC_SCRATCH0) = 0xCAFEBABE;
+
+  *(volatile unsigned int *)(PMC_SCRATCH0) |= (1 << 2);
+
+  *(volatile unsigned int *)(PMC_CNTRL) |= (1 << 4);
+
+  while (1)
+    ;
+}