sh-06e root

1.  
2. #include <android/log.h>
3.  
4. #include <dirent.h>
5. #include <errno.h>
6. #include <fcntl.h>
7. #include <memory.h>
8. #include <stdio.h>
9. #include <stdlib.h>
10. #include <string.h>
11. #include <sys/ioctl.h>
12. #include <sys/mman.h>
13. #include <sys/stat.h>
14. #include <sys/types.h>
15. #include <sys/wait.h>
16. #include <unistd.h>
17.  
18. #define LTAG "ERoot"
19. #ifndef _NDEBUG
20. #ifndef BUILD_SHARED_LIBRARY
21. #define LOGD(fmt, ...) do { __android_log_print(ANDROID_LOG_VERBOSE, LTAG, fmt, ##__VA_ARGS__); } while (0)
22. #else
23. #define LOGD(fmt, ...) do { fprintf(stderr, fmt"\n", ##__VA_ARGS__); fflush(stderr); } while (0)
24. #endif
25. #else
26. #define LOGD(fmt, ...)
27. #endif
28.  
29. #define MSM_CAM_IOCTL_MAGIC 'm'
30.  
31. struct msm_mem_map_info {
32.     uint32_t cookie;
33.     uint32_t length;
34.     uint32_t mem_type;
35. };
36.  
37. #define MSM_CAM_IOCTL_SET_MEM_MAP_INFO \
38.         _IOR(MSM_CAM_IOCTL_MAGIC, 41, struct msm_mem_map_info *)
39.  
40. #define MSM_MEM_MMAP 0
41.  
42.  
43. static void memsave(const char *f, const void *addr, int size) {
44.     int fd, n, c, rc;
45.    
46.     LOGD("memsave: file = %s, size = %08x", f, size);
47.     fd = open(f, O_CREAT | O_WRONLY);
48.     if (fd < 0) {
49.         LOGD("open() failed: %s.", strerror(errno));
50.         return;
51.     }
52.     n = 0;
53.     while (n < size) {
54.         c = size - n;
55.         if (c > 65536) c = 65536;
56.         rc = write(fd, (char *) addr + n, size - n);
57.         if (rc <= 0) break;
58.         n += rc;
59.         LOGD("memsave: write %08x.", rc);
60.     }
61.     if (n != size)
62.         LOGD("write() failed: %s.", strerror(errno));
63.     close(fd);
64. }
65.  
66. // sh06e 1.0.01
67. // uevent_helper c10312b0
68. // miyabi_security_ops c082d0b8
69. // take a look from kernel source, default_security_ops is totally disabled
70. // TODO: manual for now, should be able to rebuild kallsyms
71.  
72. struct miyabi_security_patch {
73.     int index;
74.     unsigned long old_value;
75.     unsigned long new_value;
76. };
77.  
78. static unsigned long addr_uevent_helper = 0xc10312b0;
79. static unsigned long addr_miyabi_security_ops = 0xc082d0b8;
80. static struct miyabi_security_patch preset[] = {
81.     {3, 0xc0262848, 0xc02603fc},   // miyabi_ptrace_access_check
82.     {4, 0xc0262850, 0xc0260494},   // miyabi_ptrace_traceme
83.     {13, 0xc0263180, 0xc026085c},  // miyabi_bprm_set_creds
84.     {25, 0xc0262fa8, 0xc0262538},  // miyabi_sb_mount
85.     {26, 0xc026298c, 0xc0262540},  // miyabi_sb_umount
86.     {27, 0xc0262e14, 0xc0262548},  // miyabi_sb_pivotroot
87.     {36, 0xc0262e94, 0xc0262630},  // miyabi_path_symlink
88.     {37, 0xc0262858, 0xc0262638},  // miyabi_path_link
89.     {39, 0xc02628f8, 0xc0262650},  // miyabi_path_chmod
90.     {41, 0xc0262d94, 0xc0262660},  // miyabi_path_chroot
91.     {80, 0xc02629f8, 0xc02626b4},  // miyabi_dentry_open
92.     {90, 0xc0262860, 0xc0260da4},  // miyabi_task_fix_setuid
93.     {0, 0, 0},
94. };
95.  
96.  
97. int main(int argc, char **argv) {
98.     int rc, i, gd1, gd2, ng, fd_conf, fd_video0;
99.     struct msm_mem_map_info args;
100.     unsigned long kaddr, ksize, koffs, *vaddr, test;
101.     void *mapped;
102.     char *uehelper;
103.     struct miyabi_security_patch *p;
104.  
105.     uehelper = argc > 1 ? argv[1] : 0;
106.     LOGD("start.");
107.     fd_video0 = open("/dev/video0", O_RDWR);
108.     if (fd_video0 < 0) {
109.         LOGD("open() failed: %s.", strerror(errno));
110.         return -1;
111.     }
112.     close(fd_video0);
113.     fd_video0 = open("/dev/video0", O_RDWR);
114.     if (fd_video0 < 0) {
115.         LOGD("open() failed: %s.", strerror(errno));
116.         return -1;
117.     }
118.     fd_conf = open("/dev/msm_camera/config0", O_RDWR);
119.     if (fd_conf < 0) {
120.         LOGD("open() failed: %s.", strerror(errno));
121.         close(fd_video0);
122.         return -1;
123.     }
124.     ksize = 32 * 1024 * 1024;
125.     kaddr = 0x80000000;
126.     koffs = 0x00200000;
127.     args.cookie = kaddr;
128.     args.length = ksize;
129.     args.mem_type = MSM_MEM_MMAP;
130.     rc = ioctl(fd_conf, MSM_CAM_IOCTL_SET_MEM_MAP_INFO, &args);
131.     if (rc < 0) {
132.         close(fd_conf);
133.         close(fd_video0);
134.         return -1;
135.     }
136.     mapped = mmap(0, ksize, PROT_READ | PROT_WRITE, MAP_SHARED, fd_conf, kaddr);
137.     if (mapped == MAP_FAILED) {
138.         LOGD(" mmap() failed: %s.", strerror(errno));
139.     }
140.     vaddr = (unsigned long *)((char *) mapped + koffs + (addr_miyabi_security_ops - 0xc0000000));
141.     if (memcmp(vaddr, "miyabi", 6) == 0) {
142.         LOGD("patch miyabi.");
143.         for (i = 0, p = &preset[0], gd1 = gd2 = ng = 0; p->index; i++, p++) {
144.             test = vaddr[p->index];
145.             if (test == p->old_value) {
146.                 vaddr[p->index] = p->new_value;
147.                 gd1 += 1;
148.             } else if (test == p->new_value) {
149.                 gd2 += 1;
150.             } else {
151.                 ng += 1;
152.                 LOGD(" mismatch %d.", p->index);
153.             }
154.         }
155.         if (gd1 == i)
156.             LOGD(" patched!!!");
157.         else if (gd2 == i)
158.             LOGD(" already patched.");
159.         else if (ng < i)
160.             LOGD(" partial patched!!!");
161.         else
162.             LOGD(" not patched.");
163.     }
164.     if (uehelper) {
165.         LOGD("set uevent_helper to %s.", uehelper);
166.         vaddr = (unsigned long *)((char *) mapped + koffs + (addr_uevent_helper - 0xc0000000));
167.         strncpy((char *) vaddr, uehelper, 256);
168.     }
169.     msync(mapped, ksize, MS_SYNC);
170.     munmap(mapped, ksize);
171.     close(fd_conf);
172.     close(fd_video0);
173.     LOGD("exit.");
174.     return 0;
175. }