├── README.md ├── arm7-dasm ├── extract_address_and_disassemble ├── get-perf_swevent_enabled ├── get-ptmx_fops └── kallsymsprint.x86 /README.md: -------------------------------------------------------------------------------- 1 | helper_tools 2 | ============ 3 | 4 | This repo will contain scripts and binaries that speed up the kernel address extraction process 5 | 6 | Extract address: 7 | 8 | user@buildhost:/SO-04D/9.1.C.0.475$ /helper_tools/extract_address_and_disassemble kernel.bin 9 | Searching for zImage compression 10 | LZO compression detected 11 | Unpacking zImage 12 | lzop: : warning: ignoring trailing garbage in lzop file 13 | DONE unpacking zImage 14 | Grabbing addresses 15 | [+]mmap 16 | mem=f69f7000 length=00bfb544 offset=c9611000 17 | [+]kallsyms_addresses=c0789cb0 18 | count=0000e7c7 19 | [+]kallsyms_num_syms=0000e7c7 20 | [+]kallsyms_names=c07c3be0 21 | [+]kallsyms_markers=c086b630 22 | [+]kallsyms_token_table=c086b9d0 23 | [+]kallsyms_token_index=c086bd80 24 | [+]kallsyms_lookup_name 25 | Disassembling kernel for specific functions 26 | 59188 symbols are loaded. 27 | 59188 symbols are loaded. 
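28 | end at 0xc00e45c4 by rnv requested
29 | searching for ptmx_fops
30 | searching for perf_swevent_enabled
31 |
32 | See result:
33 |
34 | user@buildhost:/SO-04D/9.1.C.0.475$ cat addresses.txt
35 | c0095cb0 prepare_kernel_cred
36 | c00957d4 commit_creds
37 | c010aaf8 remap_pfn_range
38 | c0d02498 + 8 = (hexdec addition) ptmx_fops
39 | c0ced2b4 perf_swevent_enabled
40 |
--------------------------------------------------------------------------------
/arm7-dasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/android-rooting-tools/helper_tools/0dbaa5b2d4bf997662c1b4a7ffb93146eebccfaa/arm7-dasm
--------------------------------------------------------------------------------
/extract_address_and_disassemble:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Author: DooMLoRD@XDA
#
# Script to extract and search for required address for perf_event exploit
#
# Usage:
#   extract_address_and_disassemble zImage
#
# Environment:
#   TOOLS_DIR   - directory holding kallsymsprint.x86, arm7-dasm, get-ptmx_fops
#                 and get-perf_swevent_enabled (default: ~/android/scripts, the
#                 path this script originally hard-coded)
#   KERNEL_BASE - load address handed to arm7-dasm (default: c0008000, the
#                 value originally hard-coded)
#
# Output (all written to the current directory):
#   kernel.Image  - the decompressed kernel
#   kallsyms.txt  - kallsymsprint.x86 output
#   addresses.txt - this will contain the 5 crucial addresses from the kallsyms
#                   (appended to, never truncated: remove a stale copy before
#                   running against a different kernel)
#   pty_init.dasm, sw_perf_event_destroy.dasm - arm7-dasm output for the two
#                   functions searched below (the original header named a
#                   single kernel.dasm, which is not what the script writes)
#
# Needs GNU grep (-P, -b, --only-matching) plus xz, lzop, lz4 and gzip.

# Update path to toolchain
TOOLS_DIR=${TOOLS_DIR:-$HOME/android/scripts}
KERNEL_BASE=${KERNEL_BASE:-c0008000}
ZIMAGE=$1

# Without this check an empty $1 made grep read stdin and dd fail later.
if [ -z "$ZIMAGE" ] || [ ! -f "$ZIMAGE" ]; then
  echo "Usage: ${0##*/} zImage" >&2
  exit 1
fi

#######################################
# Byte offset of a compression magic inside $ZIMAGE, empty when absent.
# Arguments: $1 - grep -P byte pattern
#            $2 - "first" or "last": which occurrence of the magic to use
# Outputs:   decimal offset on stdout
#######################################
magic_offset() {
  if [ "$2" = first ]; then
    grep -P -a -b -m 1 --only-matching "$1" "$ZIMAGE" | tail -n 1 | cut -d: -f 1
  else
    grep -P -a -b --only-matching "$1" "$ZIMAGE" | tail -n 1 | cut -d: -f 1
  fi
}

#######################################
# Decompress stdin into kernel.Image with the tool matching $1 (XZ/LZO/LZ4/GZ).
#######################################
unpack() {
  case "$1" in
    XZ)  xz -dc > kernel.Image ;;
    LZO) lzop -do kernel.Image ;;
    LZ4) lz4 -d > kernel.Image ;;
    GZ)  gzip -dc > kernel.Image ;;
  esac
}

echo "Searching for zImage compression"

# Formats are tried in the original order and the first magic found wins.
# XZ and GZ take the first occurrence of their magic, LZO and LZ4 the last.
KIND=
LOC1=
for entry in \
  'XZ:first:\xfd7zXZ\x00' \
  'LZO:last:\x89LZO\x00' \
  'LZ4:last:\x02\x21\x4c\x18' \
  'GZ:first:\x1f\x8b\x08'
do
  kind=${entry%%:*}
  rest=${entry#*:}
  LOC1=$(magic_offset "${rest#*:}" "${rest%%:*}")
  if [ -n "$LOC1" ]; then
    KIND=$kind
    break
  fi
done

if [ -n "$KIND" ]; then
  echo "$KIND compression detected"
  echo "Unpacking zImage"
  # A kernel.Image left over from an earlier run would otherwise satisfy the
  # -e test below even if this unpack fails (and lzop -o will not overwrite it).
  rm -f -- kernel.Image
  # bs=offset skip=1 discards everything before the magic. A magic found at
  # offset 0 gives bs=0, which dd rejects; the -e test below catches that.
  dd if="$ZIMAGE" bs="$LOC1" skip=1 | unpack "$KIND"
else
  echo "Unsupported compression!"
fi

LOC=$LOC1
if [ -n "$LOC" ]; then
  if [ -e kernel.Image ]; then
    echo "DONE unpacking zImage"
    echo "Grabbing addresses"
    "$TOOLS_DIR/kallsymsprint.x86" kernel.Image > kallsyms.txt

    # The leading space keeps the match on the symbol-name column; a longer
    # symbol that merely starts with the same name would still match.
    for sym in prepare_kernel_cred commit_creds remap_pfn_range vmalloc_exec; do
      grep " $sym" kallsyms.txt >> addresses.txt
    done

    echo "Disassembling kernel for specific functions"
    DASM="$TOOLS_DIR/arm7-dasm"
    "$DASM" kernel.Image "$KERNEL_BASE" pty_init kallsyms.txt > pty_init.dasm
    "$DASM" kernel.Image "$KERNEL_BASE" unix98_pty_init kallsyms.txt >> pty_init.dasm
    "$DASM" kernel.Image "$KERNEL_BASE" sw_perf_event_destroy kallsyms.txt > sw_perf_event_destroy.dasm

    # Both helpers exit non-zero when their pattern is not found; the line is
    # still appended (as before) but the failure is no longer silent.
    echo "searching for ptmx_fops"
    ADDR_PTMX_FOPS=$("$TOOLS_DIR/get-ptmx_fops" pty_init.dasm) \
      || echo "warning: get-ptmx_fops found no match in pty_init.dasm" >&2
    echo "$ADDR_PTMX_FOPS = (hexdec addition) ptmx_fops" >> addresses.txt

    echo "searching for perf_swevent_enabled"
    ADDR_SWPREF=$("$TOOLS_DIR/get-perf_swevent_enabled" sw_perf_event_destroy.dasm) \
      || echo "warning: get-perf_swevent_enabled found no match in sw_perf_event_destroy.dasm" >&2
    echo "$ADDR_SWPREF perf_swevent_enabled" >> addresses.txt
  else
    echo "ERROR! unpacking zImage" >&2
    exit 1
  fi
else
  echo "ERROR! zImage has different compression" >&2
  exit 1
fi
--------------------------------------------------------------------------------
/get-perf_swevent_enabled:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Pull the perf_swevent_enabled address out of the arm7-dasm listing of
# sw_perf_event_destroy.
#
# Arguments: $1 - .dasm file produced by arm7-dasm
# Outputs:   the 8 hex digits following "=$" in the matching LDR on stdout
# Returns:   0 found, 1 bad argument or anchor instruction not found,
#            2 anchor found but warn_slowpath_null not in the preceding lines

ASM_FILE=$1

if [ -z "$ASM_FILE" ] || [ ! -r "$ASM_FILE" ]; then
  echo "Usage: ${0##*/} sw_perf_event_destroy.dasm" >&2
  exit 1
fi

# mktemp replaces the original /tmp/perf_swevent_enabled-$$.tmp: a PID-derived
# name is predictable, so another local user could pre-create or symlink it.
# The EXIT trap also removes the file on the early-exit paths that used to
# leak it.
TMP_FILE=$(mktemp "${TMPDIR:-/tmp}/perf_swevent_enabled.XXXXXX") || exit 1
trap 'rm -f -- "$TMP_FILE"' EXIT

# Anchor on the first "ADD R5, R3, R5 ,LSL #2" (spacing as arm7-dasm prints it).
LINES=$(grep -m 1 -n 'ADD[ ]*R5, R3, R5 ,LSL #2' "$ASM_FILE" | cut -d ':' -f 1)

if [ -z "$LINES" ]; then
  exit 1
fi

# The anchor line plus the three lines before it.
head -n "$LINES" "$ASM_FILE" | tail -n 4 > "$TMP_FILE"

if ! grep -q warn_slowpath_null "$TMP_FILE"; then
  exit 2
fi

# Text after "=" is "$xxxxxxxx"; chars 2-9 skip the "$" prefix.
RESULT=$(grep 'LDR[ ]*R3, =' "$TMP_FILE" | cut -d '=' -f 2 | cut -c 2-9)

# shellcheck disable=SC2086 -- intentional: if several LDR lines matched, the
# original joined them on one space-separated line and callers append it as-is.
echo $RESULT

exit 0
--------------------------------------------------------------------------------
/get-ptmx_fops:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Derive the ptmx_fops address from the arm7-dasm listing of pty_init /
# unix98_pty_init: take the "ADD R0, Rn, #$off" on the line before the anchor,
# then the last "LDR Rn, =$base" above it, and print "base + off" for the
# caller to add (see "(hexdec addition)" in addresses.txt).
#
# Arguments: $1 - .dasm file produced by arm7-dasm
# Outputs:   "<base> + <offset>" on stdout; on return 2 the non-matching line
# Returns:   0 found, 1 bad argument or a required field missing,
#            2 the line before the anchor is not the expected ADD

ASM_FILE=$1

if [ -z "$ASM_FILE" ] || [ ! -r "$ASM_FILE" ]; then
  echo "Usage: ${0##*/} pty_init.dasm" >&2
  exit 1
fi

# mktemp replaces the original /tmp/ptms_fops-$$.tmp: a PID-derived name is
# predictable, so another local user could pre-create or symlink it. The EXIT
# trap also removes the file on the early-exit paths that used to leak it.
TMP_FILE=$(mktemp "${TMPDIR:-/tmp}/ptmx_fops.XXXXXX") || exit 1
trap 'rm -f -- "$TMP_FILE"' EXIT

# NOTE(review): the anchor pattern is empty as this page renders it, which makes
# LINES always 1 and the script unusable; the text was most likely lost in
# rendering (an angle-bracketed token would be stripped). Confirm the pattern
# against the upstream file before relying on this script.
LINES=$(grep -m 1 -n '' "$ASM_FILE" | cut -d ':' -f 1)

if [ -z "$LINES" ]; then
  exit 1
fi

# The single line immediately before the anchor.
head -n "$LINES" "$ASM_FILE" | tail -n 2 | head -n 1 > "$TMP_FILE"

# Expect "ADD R0, Rn, #$<hex>"; otherwise show the line and give up.
if ! grep -q 'ADD[ ]*R0, R., #\$' "$TMP_FILE"; then
  cat "$TMP_FILE"
  exit 2
fi

# REGNAME is the two characters after "R0, " (e.g. "R3"); OFFSET is the text
# after "#$" up to the next space.
REGNAME=$(sed -e 's/.*R0, //' "$TMP_FILE" | cut -c 1-2)
OFFSET=$(sed -e 's/.*#.//' "$TMP_FILE" | cut -d ' ' -f 1)

if [ -z "$REGNAME" ] || [ -z "$OFFSET" ]; then
  exit 1
fi

# Last load of that register above the anchor. REGNAME goes into the pattern,
# but it is only the two characters already matched by "R." above.
head -n "$LINES" "$ASM_FILE" | grep "LDR[ ]*$REGNAME, =\\$" | tail -n 1 > "$TMP_FILE"

BASEADDR=$(sed -e "s/.*, =.//" "$TMP_FILE" | cut -d ' ' -f 1)

if [ -z "$BASEADDR" ]; then
  exit 1
fi

# shellcheck disable=SC2086 -- intentional: keep the original one-line output.
echo $BASEADDR + $OFFSET

exit 0
--------------------------------------------------------------------------------
/kallsymsprint.x86:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/android-rooting-tools/helper_tools/0dbaa5b2d4bf997662c1b4a7ffb93146eebccfaa/kallsymsprint.x86
--------------------------------------------------------------------------------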