iovyroot
How can I get absolute kernel addresses
I tried your code, but when I execute it via adb on a Huawei G630, I get:
CANNOT LINK EXECUTABLE: cannot locate symbol "sendmmsg" referenced by "./iovyroot"...
How can I solve this?
Which android version are you using?
You can try replacing
sendmmsg(sockfd, &msg, 1, 0);
with
syscall(374, sockfd, &msg, 1, 0);
Now it gives me this:
iovyroot by zxz0O0 poc by idler1984
Error: Device not supported
I suppose that I must insert kernel absolute addresses in offset.c, but I don't know how I can find them. Can you give me some info?
You can find them using IDA and kallsymsprint
Thank you very much. I'll use them.
I used the tools that you told me about. But now I have this error:
reloc_library[1306]: 31258 cannot locate 'getline'... CANNOT LINK EXECUTABLE
My device is a Samsung S6310N with Android 4.1.2.
Thank you in advance
The tool was made for Android Lollipop. If you want to try it on Android 4.1 you have to edit the APP_PLATFORM
version in https://github.com/dosomder/iovyroot/blob/master/jni/Application.mk and possibly fix the code
@dosomder Your code works when I run it on 32-bit devices. I can find the addresses from the zImage with IDA. But I can't find 'joploc' and 'jopret' on my 64-bit devices. Could you tell me how to find them? Thanks a lot.
You can find joploc through signature, see here: https://github.com/dosomder/iovyroot/blob/master/jni/getroot.c#L180
Just search for example for ADD X0, X29, #0x78 (copy it from getroot.c because of the spaces) in IDA until you find the right one.
jopret is the return of the check_flags function; it's in setfl() from fcntl.c. Most of the time it's inlined in sys_fcntl, so you can find that address from kallsyms, then jump to that location in IDA. Scroll through the function until you find something like this:
LOAD:FFFFFFC00030F4D0 LDR X1, [X0,#0xA0]
LOAD:FFFFFFC00030F4D4 CBZ X1, loc_FFFFFFC00030F4C0
LOAD:FFFFFFC00030F4D8 MOV W0, W22
LOAD:FFFFFFC00030F4DC BLR X1 ; call check_flags
LOAD:FFFFFFC00030F4E0 SBFM X19, X0, #0, #0x1F
LOAD:FFFFFFC00030F4E4 CBNZ W19, loc_FFFFFFC00030F740
LOAD:FFFFFFC00030F4E8 B loc_FFFFFFC00030F4C0
The location of the SBFM instruction is the address of jopret, so in this example it's 0xFFFFFFC00030F4E0.
Thanks for your answer! I have found the 'jopret' address, but I still couldn't find 'joploc'. Can you give me an e-mail address? I want to ask you some details. Thank you very much...
Make sure you copy the exact command from getroot.c. There are 2 possible gadgets depending on the firmware. If you still can't find it, upload the kernel image and I'll check it out. For private questions you can message me on xda-developers.
Why do you need ADD X0, X29, #0x78 and not just:
LDR X1, [X0, #0x210]
BLR X1
@oblique X0 is the return register and X29 is the frame pointer register (something like the stack pointer). Basically what this JOP gadget does is return the lower 4 bytes of the stack address, lower 4 bytes because the return value of fcntl() is int.
I have a Xperia Z3 Dual SIM (D6633) with MM, like "Z3C(D5803) 23.5.A.0.575, Linux version 3.4.0-perf-g43ea728 (BuildUser@BuildHost)", but those addresses don't work on my phone. I have extracted the kernel image from the firmware, but I can't find the addresses. How can I find them? I've loaded the kernel with IDA, but not found anything. Can anyone give me some help? Some starting points... Thanks in advance. Sorry for my English.
@gjmv You can use the tool https://github.com/fi01/kallsymsprint to get kallsyms from kernel image
Thanks for the answer. I have tried, and I get this error:
root@kali:~/Desktop/celu# ./kallsymsprint.x86 ./fotakernel.elf [+]mmap mem=b6a5b000 length=00bd4de9 offset=095ad000 kallsyms_in_memory_addresses search failed
I think that I need some additional step, but I haven't found what. Thanks!
You need the kernel, not fotakernel.
I tried with kernel (and fotakernel). I opened the firmware ftf and extracted kernel.sin (there is another called fotakernel.sin). With flashtool, I extracted the data (with sin editor); that is my kernel.elf, but this file gives me the error "kallsyms_in_memory_addresses search failed". I think that kernel.elf is packed, or joined with another file, but I haven't found more info (I tried Google and Google). If you have any comment on this, I'm thankful to you.
Thanks
The kernel is packed inside kernel.elf. You can find out the offset with the Linux utility binwalk. Many times it's LZOP or GZIP.
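The signature scan that binwalk performs here, as an added example (not part of iovyroot or any of the tools mentioned in the thread): it walks a container blob for the magic bytes of the compression formats named above, reports their offsets, and carves a gzip member out of the middle of the file. The sample blob is constructed inline to stand in for a kernel.elf; the format names and the `build_sample` helper are assumptions of this example, not anything from the project.

```python
import gzip
import zlib

# Magic numbers of container formats commonly found wrapping an Android
# kernel image. The offsets this scan reports are what you would pass to
# dd, gunzip or lzop to carve the payload out of the container.
SIGNATURES = {
    "gzip": b"\x1f\x8b\x08",
    "lzop": b"\x89LZO\x00\r\n\x1a\n",
    "xz": b"\xfd7zXZ\x00",
    "lz4": b"\x04\x22\x4d\x18",
    "android_bootimg": b"ANDROID!",
}


def find_signatures(blob):
    """Return every (offset, format) hit in blob, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve_gzip(blob, offset):
    """Inflate the gzip member starting at offset; return (payload, end_offset).

    zlib.decompressobj is used instead of gzip.decompress because a kernel
    payload is normally followed by unrelated bytes (ramdisk, padding, a
    second image). decompressobj stops at the end of the member and hands the
    leftover bytes back in unused_data instead of raising on them.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    payload = d.decompress(blob[offset:])
    if not d.eof:
        raise ValueError("gzip member at 0x%x is truncated" % offset)
    end = len(blob) - len(d.unused_data)
    return payload, end


def build_sample():
    """Constructed stand-in for a packed kernel.elf (not a real image):
    a 64-byte header, a gzip'd fake kernel, then an lzop header that
    stands in for a ramdisk appended after the kernel."""
    fake_kernel = b"Linux version 3.4.0-perf (constructed sample)\x00" * 4
    header = b"\x7fELF" + b"\x00" * 60
    gz = gzip.compress(fake_kernel, mtime=0)
    trailer = SIGNATURES["lzop"] + b"\x00" * 16
    return header + gz + trailer, fake_kernel


if __name__ == "__main__":
    blob, expected = build_sample()
    for off, name in find_signatures(blob):
        print(f"{name:16s} at offset 0x{off:x}")
        if name == "gzip":
            payload, end = carve_gzip(blob, off)
            print(f"  inflated {len(payload)} bytes, member ends at 0x{end:x}")
```

Running it against a real container, read the file into `blob` and treat every reported offset as a candidate: the gzip branch carves the member and tells you where the next part of the image (ramdisk, padding) begins, which is the split the later post in this thread describes doing by hand. For lzop there is no stdlib decoder, so the scan only reports the offset; carve that range with dd and decompress it with the lzop tool.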
I got the addresses!!!! "got root lmao" Plus Recovery_for_MM575 and UPDATE-SuperSU-v2.76-20160630161323, I got my device rooted! Thanks a lot!!! I'm thinking of making a pull request for my model.
My problem: my kernel was compressed with lzop (and I had to split kernel and ramdisk before). Solved it; I got the addresses with kallsymsprint.
Hi dosomder, I extracted the kernel from the ROM downloaded from the official Google link: https://dl.google.com/dl/android/aosp/nakasi-lmy47v-factory-b48bd71d.tgz. I can't find "ptmx_fops" with kallsymsprint. My device is a Nexus 7 (wifi); how can I fix this issue?
@danieljiang0415 sometimes these symbols are removed for security reasons. You need to use IDA or any other disassembler to find it.
- Find ptmx_open in kallsyms
- Find xref to ptmx_open (code where ptmx_open is referenced) => this should be in unix98_pty_init, http://lxr.free-electrons.com/source/drivers/tty/pty.c#L860
- Analyze this function to get the ptmx_fops address
How about adding 32-bit Samsung devices? I added offsets and stuff, but nothing more than that. Sometimes the phone stays at Done and sometimes there is a reboot. I believe it's because of the PXN protection. Supposedly I should find a 32-bit equivalent joploc and jopret? If so, could you guide me through?
Are you sure it has PXN? Usually only 64-bit devices have it. Finding joploc and jopret on 32-bit is exactly the same, just the registers are different (e.g. X0 is R0 on 32-bit). Don't know if the gadgets even exist on 32-bit.
How about this then? https://twitter.com/jduck/status/759174473710907392
Well I don't have any Samsung device, so can't help you much. But it shouldn't be too difficult to adapt the code.
According to the ret2dir technique and the KEEN team, there are JOP gadgets which can be used. I just need something to start with, a pattern maybe that I can find on 32-bit (Samsung) devices.
EDIT: Thanks again!
@Trailblazer101
First of all I used bin2elf.sh to create an ELF file from the image. That way it's easier to analyze with IDA.
Open the s6_kernel.elf in IDA64.
Choose ELF for ARM (elf64.l64) as loader, ARM as Processor type and check Manual load.
In the next window, you would normally put the loading address of the kernel as the image base. But I found that you actually need to use 0xFFFFFFC0003B5624 with your kernel, otherwise everything will be shifted.
Go to the .text segment with the cursor, then go to Edit => Segments => Edit Segment... and change it to a 64-bit segment.
@dosomder You are literally the best! That should help immensely. Thank you for taking some time out of your day to write that up for me. Do you have a PayPal or something so I could send a beer your way?
Thanks, you can find it on the xda profile :)