Iovyroot

Материал из Toshiba AC100 wiki
Перейти к навигации Перейти к поиску

PoC

https://github.com/dosomder/iovyroot

Find offsets

If kallsyms exist

  1. Unpack kernel
  2. Grab https://github.com/fi01/kallsymsprint
  3. Print kernel kallsyms: kallsymsprint.x86 kernel.unpacked
  4. For 32bit platform grep for: egrep (ptmx_fops|sidtab|policydb|selinux_enabled|selinux_enforcing)

Add device

  1. Here is offseet order https://github.com/zombah/iovyroot/blob/master/jni/include/offsets.h#L12
  2. Patch source:
--- a/jni/offsets.c
+++ b/jni/offsets.c
@@ -419,6 +419,12 @@ struct offsets offsets[] = {
        { "MI 2", "Linux version 3.4.0-perf-g9b728b6-00625-ge66671e (builder@qh-miui-ota-bd53) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Mon Mar 7 20:05:25 CST 2016",
          { (void*)FSYNC_OFFSET(0xC12D5298) },
          (void*)0xC12BC530, (void*)0xC12BC420, (void*)0xC0F5332C, (void*)0xC12BA9D0 },
+
+       /********************** ALCATEL ************************/
+       //Alcatel/TCL 5065D Pop35, 5.1.1 LMY47V
+       { "5065D", "Linux version 3.10.49-g17d9d71 (android-bld@aclgcl-ubnt) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Sep 29 19:51:34 CST 2015",
+         { (void*)FSYNC_OFFSET(0xc0e82728) },
+         (void*)0xc0e08a40, (void*)0xc0e08930, (void*)0xc0cf76c0, (void*)0xc0e06edc },
 };
 
 #endif /* (__LP64__) */

Compile

  1. Copy whole poc folder to android/device/vendor/model folder and run mmm into it from android build env root