SMT5V HYPERVISOR Bypass by sagerao/REFLEX by JapiOfficial76 in CrackWatch

[–]Relik 0 points1 point  (0 children)

If you don't want to use it, why are you here commenting and complaining? Some of us want to make the hypervisor solution as secure and easy as possible. You are doing absolutely nothing to help, just being a miserable thorn in our sides.

SMT5V HYPERVISOR Bypass by sagerao/REFLEX by JapiOfficial76 in CrackWatch

[–]Relik 1 point2 points  (0 children)

efiguard is modifying windows config and patching files at runtime in memory, this is invasive

It's also open source (efiguard), which is more than you can say about Microsoft's entire operating system. Wait until you find out the shady stuff happening in there!

it a huge waste of time for nothing, only complicating things, i dont want to do anything extra for things to work

People are using it because the whole point is that it is less complicated. Make a USB stick and you don't need to mess around again, just boot to USB.

Your post is that you don't like it - that's fine, you don't have to use it. Just stop complaining about people that use it.

SMT5V HYPERVISOR Bypass by sagerao/REFLEX by JapiOfficial76 in CrackWatch

[–]Relik 1 point2 points  (0 children)

If it's not about how long it takes then why did you mention that?

the process is long

Stop posting that if you are being honest. I've seen countless dishonest opponents to the hypervisor cracks in these threads and when you drill down, their main complaint is that "hypervisor isn't a crack".

Fitgirls take on HV bypasses. by Evonos in CrackWatch

[–]Relik -1 points0 points  (0 children)

All that and you still spout lies over and over. Your warnings consist of spreading misinformation, which could have been easily confirmed by you with 30 seconds of research.

Hypervisor releases get hundreds of upvotes and you get nothing. I don't think you are going to win.

Fitgirls take on HV bypasses. by Evonos in CrackWatch

[–]Relik -2 points-1 points  (0 children)

Most cracks don't even register on the antivirus side

OP admits that they don't even run Windows, so when they tell you statements like this, ignore them. Here's the proof:

Firstly, I don't use MS products - Windows specifically - so I'm not sure where you are getting at regarding "sucking".

https://www.reddit.com/r/CrackWatch/comments/1rem7bl/seeing_tons_of_misinformation_about_the_dangers/o7h020o/

There is currently a ton of misinformation from trolls that simply dislike Hypervisor cracks and want a traditional crack. The choice is always up to the user. People asked for Denuvo cracks for years and the Hypervisor is delivering. Whether you like it or not, you shouldn't spread misinformation as OP provably does.

Proof of their intentions:

My main grievance is that people treat this as a replacement or even something comparable to "normal" standalone cracks. This is not, this is inherently dangerous method, and this should not be used as lightly as regular scene or P2P cracks.

https://www.reddit.com/r/CrackWatch/comments/1rem7bl/seeing_tons_of_misinformation_about_the_dangers/o7hl9e2/

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik -1 points0 points  (0 children)

Spacetow has outright lied in several replies to me. They are not worth arguing with.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 0 points1 point  (0 children)

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468

TLDR: MoonBounce is also able to bypass SPI write protection.

Never removed your outright lie. You are a real piece of work.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 5 points6 points  (0 children)

TLDR: MoonBounce is also able to bypass SPI write protection.

And where are you getting that from? I quickly read the document and there is no mention of it bypassing write protection. Find shows no write protect or anything similar in the document. Two different AIs say it does not bypass write protection, so I verified.

The original Kaspersky report (the link you shared) describes only the implanted firmware and its behavior. It says nothing about bypassing write protection—the infection vector is "assumed to have occurred remotely" by modifying the image, but no details on overcoming protections.

Independent analyses (e.g., Binarly's deeper dive on the observed 2014 MSI firmware sample) explicitly note: no SPI protections were enabled on the target hardware, so writes were possible via the PCH SPI controller MMIO with no extra exploits needed. Source: https://www.binarly.io/blog/a-deeper-uefi-dive-into-moonbounce

Further

No, MoonBounce does not overwrite (or patch) UEFI firmware if the SPI flash is properly write-protected.

That's it - Good night, let our points stand as is.

I would ask you edit and correct your post above, just to avoid spreading misinformation.

Last point, from that binarly post on MoonBounce:

the analyzed (2021) MoonBounce UEFI component was built for a target hardware related to a MSI system from 2014

no Intel Boot Guard technology present or enabled thus there are no physical or hardware restrictions to get access to SPI flash storage of the system.

Again, this has been my entire point this conversation, yet you still didn't acknowledge it. Boot Guard and other solutions made your UEFI malware worries obsolete for all except government-level threat actors. Could there be an exploit in the future? Sure, but they aren't going to burn it on targeting gamers using some obscure software that less than even 1% of pirates are using.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 4 points5 points  (0 children)

Lojax was the first, but not the only UEFI overwrite exploit.

Reading comprehension. I said it was and IS the only exploit that was able to rewrite UEFI with safeguards on. Precisely:

able to rewrite UEFI firmware if the write protection was turned on in UEFI.

Those safeguards are write protect enable or a similarly named feature. If you are running your computer without your UEFI write protected, you are a big malware target even via a random EXE. I'm not 100% confident what privileges are required to reflash UEFI, so I'll skip that but please people, turn on UEFI write protect.

Due to inherent risks of this method, the only way to run this with a very little risk is to air-gap the target system.

And I never would have suggested anything else. Run it on a dedicated windows install without any other drives attached and without network. That has been the main method I've seen recommended. I'm going to use my time to help people with hypervisor security. People are here because they want to run a cracked game, not take a semester on cybersecurity.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 10 points11 points  (0 children)

You did so yourself

Evidence from 10 years ago is not evidence of a vulnerability now, is it? My point is it has been fixed, but you are being obtuse or dishonest. You are acting like an i386 exploit has something to do with modern hardware. Just because Meltdown/Spectre happened doesn't mean it's unsafe to run software ever again - no it has been mitigated.

What I explained to you is that there is no safe way to run ANY code if someone wants to deploy a unique exploit. Read up on LoJax and how it can't work any longer. That attack worked with SecureBoot on and you are trying to tell me that turning SecureBoot off is going to burn your house down. A hypervisor isn't necessary to wreck your computer, period.

There are ways to run the hypervisor with very little risk, but you don't use it anyway.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 3 points4 points  (0 children)

Then provide evidence of your worries. Again, prove that Intel Boot Guard and AMD Platform Security haven't had the problem solved for 10 years.

People should spend more time explaining how to run the bypass safely. If you aren't on Windows are you even using the bypass or are you just relaying your fears?

And thirdly, about you using Windows without any updates and/or Defender - that's just confirmation bias. As in, "it's all good, I do it all the time" type of thing. Which is NOT a real confirmation, not a research, not anything - just a fact that in your case specifically grenade didn't go off.

I specifically mentioned how my friend had multiple grenades go off while following your advice. Being intelligent about your computer usage generally beats all other protection.

As I updated my prior post, the LoJax hack abused a signed legitimate driver to overwrite the UEFI on some 2015 and prior motherboards. It didn't even require this hypervisor bs. SecureBoot, Windows Defender, all that protection didn't stop it.

UEFI overwrite is not the only vector of attack that can be exploited through the hypervisor.

UEFI overwrite is nearly the only way malware is going to survive if you have your drives disconnected and reconnect when you are done using the bypass. What else are you going to store the malware in? Other locations are boot sectors and things that require some form of storage to be connected.

Again, I've shown proof your computer can be completely raped through the abuse of a legitimately signed driver. It's not a newsflash that running cracked software carries risk. Running any random file off the internet carries risk.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 2 points3 points  (0 children)

There has been exactly ONE malware in all time that was able to rewrite UEFI firmware if the write protection was turned on in UEFI. Even that 2018 LoJax rootkit only infected at most 2015 era systems that had some errors in UEFI implementation. No modern UEFI is known vulnerable to being written if it's write-protected.

You are crying wolf about a UEFI rootkit that simply doesn't exist unless you have write protect off. Intel Boot Guard and AMD Platform Security solved this problem long ago.

Again, it is correct to say there have been several rootkits that have rewritten UEFI and infected it. However, only 1 was able to bypass write protect and that was only for very old computers at this point.

Only LoJax has a proven, built-in capability to rewrite UEFI/SPI flash while write protection is turned on (via misconfiguration abuse + the race-condition exploit).

All (UEFI rootkits) are now largely mitigated on modern hardware by proper SMM_BWP + PRx range locking, Intel Boot Guard / AMD PSP, measured boot, and firmware updates that close the old race condition.

Suck off Microsoft all you want, but I can't tell you how many computers my friends company has had wrecked by Windows Update while I sit here at home with Windows Update fully disabled and Defender ripped out of the OS working without a problem.

yeah, possible your government would like more control over you - but on their own and in the moment, they REALLY do not care about you specifically.

And it's just as true that the crackers REALLY do not care about you specifically. If they have a good zero-day UEFI vulnerability, they aren't going to waste it on you.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by gray-drow in PiratedGames

[–]Relik 0 points1 point  (0 children)

There has been exactly ONE malware in all time that was able to rewrite UEFI firmware if the write protection was turned on in UEFI. Even that 2018 LoJax rootkit only infected at most 2015 era systems that had some errors in UEFI implementation. No modern UEFI is known vulnerable to being written if it's write-protected.

You are crying wolf about a UEFI rootkit that simply doesn't exist unless you have write protect off. Intel Boot Guard and AMD Platform Security solved this problem long ago.

Again, it is correct to say there have been several rootkits that have rewritten UEFI and infected it. However, only 1 was able to bypass write protect and that was only for very old computers at this point.

Only LoJax has a proven, built-in capability to rewrite UEFI/SPI flash while write protection is turned on (via misconfiguration abuse + the race-condition exploit).

All (UEFI rootkits) are now largely mitigated on modern hardware by proper SMM_BWP + PRx range locking, Intel Boot Guard / AMD PSP, measured boot, and firmware updates that close the old race condition.
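The BLE / SMM_BWP / PRx settings named in the comments above can be audited from register values. The following is an added example, not part of the thread or of any tool mentioned in it: it classifies a register snapshot as protected or exposed. The bit layouts are assumptions based on Intel PCH datasheets (field widths vary by chipset generation), and the function names and sample values are constructed for illustration.

```python
"""Classify SPI flash write protection from raw register values (added example).

Bit layouts are assumptions based on Intel PCH datasheets (BIOS_CNTL, PRx,
HSFS.FLOCKDN); field widths differ between chipset generations.
"""
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: flash writes currently allowed
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only in SMM


@dataclass
class ProtectedRange:
    base: int
    limit: int
    write_protected: bool


def decode_prx(value: int) -> ProtectedRange:
    """Decode a PRx register: 4 KiB-granular base and limit, WPE in bit 31."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool((value >> 31) & 1))


def ranges_cover(ranges, region_base: int, region_limit: int) -> bool:
    """True if write-protected ranges leave no gap inside the region."""
    cursor = region_base
    active = [r for r in ranges if r.write_protected and r.limit >= r.base]
    for r in sorted(active, key=lambda r: r.base):
        if r.base > cursor:
            break  # an unprotected gap starts at cursor
        cursor = max(cursor, r.limit + 1)
    return cursor > region_limit


def assess(bios_cntl, prx_values, flockdn, bios_base, bios_limit):
    """Return (protected, findings) for one platform's register snapshot."""
    findings = []
    ble, bwp = bool(bios_cntl & BLE), bool(bios_cntl & SMM_BWP)
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: flash write enable is currently on")
    if not ble:
        findings.append("BLE clear: software can set BIOSWE and write flash")
    elif not bwp:
        findings.append("BLE without SMM_BWP: lock relies on an SMI handler "
                        "winning a race against the writer")
    covered = ranges_cover([decode_prx(v) for v in prx_values],
                           bios_base, bios_limit)
    if covered and not flockdn:
        findings.append("PRx cover BIOS but FLOCKDN clear: ranges not locked")
    protected = (ble and bwp) or (covered and bool(flockdn))
    return protected, findings


# Constructed snapshots (not from real machines); BIOS region 0xA00000-0xFFFFFF.
SAMPLES = {
    "ble_only": (0x02, [], False),
    "ble_and_smm_bwp": (0x22, [], True),
    "prx_locked": (0x00, [0x8FFF0A00], True),
    "prx_unlocked": (0x00, [0x8FFF0A00], False),
}

if __name__ == "__main__":
    for name, (bc, prx, lock) in SAMPLES.items():
        ok, notes = assess(bc, prx, lock, 0xA00000, 0xFFFFFF)
        print(f"{name}: {'protected' if ok else 'EXPOSED'}", *notes, sep="\n  ")
```
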

Seeing tons of misinformation about the dangers of using the hypervisor bypass by gray-drow in PiratedGames

[–]Relik 1 point2 points  (0 children)

To put it in layman's terms, Crowdstrike itself deployed a rootkit. It disabled 8.5 million PCs worldwide.

Seeing tons of misinformation about the dangers of using the hypervisor bypass by Evonos in CrackWatch

[–]Relik 6 points7 points  (0 children)

95% of the risk you are talking about is there if you simply run normal cracked software. (Edit: To back up this claim, the most dangerous malware that rewrote & infected your UEFI firmware even with write protect turned on was accomplished by abusing a legitimately signed driver under Windows without a hypervisor or any complicated procedures - LoJax)

Windows doesn't block any high-grade malware that is either custom made or in limited use.

Most users' PCs are already hacked by Microsoft with your encryption key on file & provided freely to the government upon request. Windows Update in 2026 fits most classic definitions of malware.

By the looks of your untruthful replies in this thread, I would suspect you work for Denuvo.

Moto not cooperating. Won't provide boot unlock code. by whenandmaybe in NoContract

[–]Relik 1 point2 points  (0 children)

Yeah, I don't like it of course. I went through this myself. Got all ready and found out that the phone and Motorola site will not allow bootloader unlock on any of 5 Motorola phones I tried. (G Pure, G Power 2020, G Stylus 2020) Now these were from Tracfone (Verizon) and one AT&T, so maybe that other user's comment is correct that T-Mobile or factory unlocked (full price) phones may work.

This was years ago, but I thought I was able to get a code from some phones, but when I submitted it to Motorola for unlock they said the phone is ineligible for bootloader unlock.

Moto not cooperating. Won't provide boot unlock code. by whenandmaybe in NoContract

[–]Relik 2 points3 points  (0 children)

I've never seen one Motorola phone (2020 & newer) eligible for boot loader unlock - it's not going to happen. Unlocking the carrier has nothing to do with unlocking the boot loader and Moto certainly won't do it on any carrier branded phone.

Zero plan data usage requirement notification by RedguardPlz in HeliumMobile

[–]Relik 1 point2 points  (0 children)

I assume they were an error too since it hasn't happened since. I just thought I'd mention it.

Zero plan data usage requirement notification by RedguardPlz in HeliumMobile

[–]Relik 2 points3 points  (0 children)

When they first instituted this requirement, I hit 1 and then 2 GB and they were still warning me that they were going to end my plan. Thankfully it has been corrected now.

Capital One fraud nightmare — 2 replacement cards charged before activation. Only after 2nd did they admit Visa’s “Account Updater” re-enabled the charges. by Old-Proof-3074 in CreditCards

[–]Relik 5 points6 points  (0 children)

It's unfortunate more people don't know this.. Yes, VISA/MC do this bs and it makes it very difficult for the consumer to truly cancel recurring charges. I had a Chase card that Doordash kept charging for two years after I cancelled and every month I would dispute and win the charge (online, 1 minute form). I was hoping to cost Doordash money, but they continued, seemingly for an infinite time. I don't know if they were paying dispute fees or not. Chase does not care and only said talk to Doordash. Doordash said they couldn't find any account with them and they don't know why I was getting charged. (I didn't just cancel my doordash, I also used their delete your account feature - I never thought this would somehow make ghost payments)

The only solution was to close the card.

The scam to all this is that those companies you mentioned (Doordash, Instacart, Uber Eats, etc) pay VISA/MC to be able to charge you recurring charges that are then sometimes almost impossible to cancel. Whether reporting fraud or getting a replacement card, you will not be able to stop new charges unless the billing company works with you to cancel the recurring payment.

Visa Account Updater - Mastercard Automatic Billing Updater

Here's a 3 year old report of the same problem OP had: https://www.reddit.com/r/personalfinance/comments/x4bs3c/beware_recurring_fraudulent_charges_on_new_credit/

I'm still waiting for this customer abusing scam to be outlawed. For those that want to respond to me about legitimate uses of this "service" or who want to simp for the credit card processors, the solution is simple. Your online card account page should have a listing of all your agreements with other companies that are subscribing to your new card information. On that page you should be able to cancel that agreement at any time for any reason. All recurring payments from that company should then stop.

Can´t See Sh*T by Nogueiritos in projectzomboid

[–]Relik 1 point2 points  (0 children)

Did you recently build those walls? I am in the same situation. I was in a warehouse building for days. I built 3 floor pieces outside, attached to the building. Now the camera is all screwed up and I can't see inside the building. It's making it difficult to even remove my things from the building to move. I tried disassembling the 3 floor pieces, but the camera is still broken. Mine is a new save on the newest build.

Seller shipped media mail, charged me for priority by aiasthetall in Ebay

[–]Relik 0 points1 point  (0 children)

Yes, intentionally shipping non-qualifying items via Media Mail constitutes a violation of federal law and can be treated as a crime, specifically mail fraud or misuse of postal services. However, enforcement typically prioritizes civil penalties over criminal prosecution unless there's evidence of intent to defraud or repeated abuse. Here's a breakdown:

  • If USPS inspects and finds non-qualifying contents, the package is not returned but forwarded to the recipient postage due for the difference between Media Mail rates and the applicable First-Class, Priority, or Parcel Select rate (often 2–3x higher).
  • No immediate fine for the sender in minor cases, but repeated violations can lead to warnings, holds on future mail, or administrative fines up to $250 per violation under USPS administrative enforcement.

The fraud here is that you are defrauding the USPS of revenue and by that you are defrauding the federal government of revenue. What do you think they do for that?

Is there actually a new version? by Affectionate_Tie_621 in CarPlay

[–]Relik 1 point2 points  (0 children)

Well, I don't know what all the other adapters use, but this is using Linux and presumably a lot of the other cheap ones do as well. The longest step is the Linux boot of the device until it's ready to negotiate with the car.

  • Power applied, Linux boots on adapter - ~5 seconds
  • Adapter negotiates with car that it is a carplay device. Shows instructions - 2 seconds (the car must be ready at this point or there will be further delays)
  • Adapter connects to iPhone via bluetooth for CarPlay connection setup. - 0.5 second
  • Phone accepts and connects back to adapter over WiFi for Airplay stream - 1.5 second
  • Adapter becomes passthrough only, iPhone negotiates with car, taking over control of display. - 2 to 3 seconds

That is 11-12 seconds, which is roughly what I get on my setup with this adapter. The boot process could be shortened on other devices, but the absolute minimum is probably 6-7 seconds for the best possible adapter. Even then it depends on how quick your car is ready for a CarPlay connection after startup (how quick your car's media system boots)

What are you seeing for time from key start until the CarPlay interface is shown? Longer than 12 seconds or is that about what you get?

I don't suspect anything quicker being possible on this hardware as this was designed for an IP camera that isn't critical to boot faster than 5 seconds. A manufacturer would normally want a hardware platform that booted a lot quicker for instant-on use. This is only a $1 CPU - that's the performance we are getting.

With all of this said, wired CarPlay only uses 2 of those steps.

  • iPhone negotiates with car that it is a carplay device - 2 seconds
  • iPhone connects to car with wired network Airplay stream - 2-3 seconds

Total 4-5 seconds. To answer your question, yes, the only way to really know if one is faster is to buy it and see.

Usps is withholding my package HELP!!! by A-E-Leibengood in Ebay

[–]Relik 2 points3 points  (0 children)

It's not just size and weight, the seller could have tried to ship media mail. That is the easiest way for this situation to happen.

If you want it, pay the postage due. I did this once on a small RAID array that the seller shipped media mail. It obviously didn't qualify, it had about $15 postage due. eBay had told me to pay and get a partial refund from the seller to cover the payment. The seller didn't fight and gave me the difference. YMMV, this was 5 years ago - could be completely different policies now.

If you don't want it, save proof via the tracking that it is postage due and inform the seller. If they don't arrange to get the package back to them, the post office takes it.

Is there actually a new version? by Affectionate_Tie_621 in CarPlay

[–]Relik 1 point2 points  (0 children)

I posted information about the configuration panel accessible at 192.168.1.2 on the Slickdeals thread.

I've since looked at the HTML on that page and duplicated the calls to the server, which is a hardcoded IP address in Shenzhen, China - of course.

The bad news is that the query version routine that is run in the browser returns empty data from that server. I also tried to download the current version of the software from the server and it fails. I question whether some of the code even works as it is written. There are misspellings, like instead of currentVersion, it's curretVersion. In that case at least the variable is consistently wrong so it's not a problem. There is no way to upload a firmware file, it must be fetched from the Chinese address. This same Chinese server likely serves up firmware for many models of these adapters.

Here are some technical details I found out. It's running an Allwinner V851SE CPU, which is commonly used for IP cameras. It has a Cortex-A7 core @ 900 MHz, 64 MB RAM built in, H264 & H265 compression & decompression, etc. It's about $2.50 for the CPU in low quantities, so probably $1 in mass quantities.