Iovyroot
PoC
https://github.com/dosomder/iovyroot
Find offsets
If the kernel image has kallsyms built in:
- Unpack the kernel image (extract the kernel from the device's boot image and decompress it) into a raw file, e.g. kernel.unpacked
- Grab https://github.com/fi01/kallsymsprint
- Print the kernel's kallsyms: kallsymsprint.x86 kernel.unpacked
- For a 32-bit platform, grep the output for the symbols iovyroot needs: kallsymsprint.x86 kernel.unpacked | egrep '(ptmx_fops|sidtab|policydb|selinux_enabled|selinux_enforcing)' (the pattern is unanchored, so take the address of the exact symbol name, not of a longer name that merely contains it)
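The symbol lookup above, as an added example (not iovyroot's or kallsymsprint's own code): a POSIX shell script that resolves the five symbols from kallsymsprint output by exact name, fails loudly when one is missing or duplicated, and prints them as an offsets.c entry in the form used by the Add device step. It assumes kallsymsprint prints one symbol per line with the name as the last field, that FSYNC_OFFSET() in offsets.h takes the address of ptmx_fops, and that the struct fields after ptmx_fops come in the order sidtab, policydb, selinux_enabled, selinux_enforcing; check all three against the repository before relying on the output. The sample input is constructed: the five wanted addresses are the 5065D values from the patch on this page, and the two decoy lines are real kernel symbol names with made-up addresses.

```shell
#!/bin/sh
# Added example, not part of iovyroot: resolve the symbols iovyroot needs from
# kallsymsprint output and print them as a `struct offsets` entry for offsets.c.
# Assumptions (verify against the repository):
#  - kallsymsprint prints one symbol per line as "<addr> [<type>] <name>", name last
#  - FSYNC_OFFSET() from offsets.h takes the address of the ptmx_fops symbol
#  - field order after ptmx_fops is sidtab, policydb, selinux_enabled, selinux_enforcing

# Constructed stand-in for `kallsymsprint.x86 kernel.unpacked`. The five wanted
# addresses are the 5065D values from the patch on this page; enforcing_setup and
# selinux_enabled_setup are real symbol names with made-up addresses, included to
# show why exact-name matching is needed (a bare grep for selinux_enabled also
# hits selinux_enabled_setup).
SAMPLE_KALLSYMS='c0b1a2c4 t enforcing_setup
c0b1a2f0 t selinux_enabled_setup
c0cf76c0 D selinux_enabled
c0e06edc B selinux_enforcing
c0e08930 B policydb
c0e08a40 B sidtab
c0e82728 D ptmx_fops'

# lookup_sym SYMS NAME: print NAME's address; fail if NAME is absent or not unique.
lookup_sym() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $NF == n { addr = $1; c++ }
        END {
            if (c == 0) { print "missing symbol: " n > "/dev/stderr"; exit 1 }
            if (c > 1)  { print "ambiguous symbol: " n > "/dev/stderr"; exit 1 }
            print addr
        }'
}

# gen_entry SYMS NAME VERSION: print one struct offsets initializer. VERSION must
# be the running kernel's version line verbatim, in the same form as the
# kernelversion strings already in offsets.c, since entries are selected by
# comparing it. Fails without printing an entry if any symbol cannot be resolved.
gen_entry() {
    syms=$1; name=$2; version=$3
    fsync=$(lookup_sym "$syms" ptmx_fops)             || return 1
    sidtab=$(lookup_sym "$syms" sidtab)               || return 1
    policydb=$(lookup_sym "$syms" policydb)           || return 1
    enabled=$(lookup_sym "$syms" selinux_enabled)     || return 1
    enforcing=$(lookup_sym "$syms" selinux_enforcing) || return 1
    printf '\t{ "%s", "%s",\n' "$name" "$version"
    printf '\t  { (void*)FSYNC_OFFSET(0x%s) },\n' "$fsync"
    printf '\t  (void*)0x%s, (void*)0x%s, (void*)0x%s, (void*)0x%s },\n' \
        "$sidtab" "$policydb" "$enabled" "$enforcing"
}

# Real use: gen_entry "$(kallsymsprint.x86 kernel.unpacked)" 5065D "$(adb shell cat /proc/version)"
# Demo on the constructed sample, reproducing the 5065D entry from the patch:
gen_entry "$SAMPLE_KALLSYMS" 5065D \
    "Linux version 3.10.49-g17d9d71 (android-bld@aclgcl-ubnt) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Sep 29 19:51:34 CST 2015"
```

Pipe the real kallsymsprint output in place of SAMPLE_KALLSYMS and paste the printed block into the right `#ifdef` section of jni/offsets.c. Exact-name matching (`$NF == n`) rather than grep substring matching is what keeps selinux_enabled_setup from being mistaken for selinux_enabled, which would put a function address where a variable address belongs.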
Add device
- The field order of an entry is defined in https://github.com/zombah/iovyroot/blob/master/jni/include/offsets.h#L12
- Patch jni/offsets.c, adding an entry for the device; the example below adds the Alcatel/TCL 5065D:
--- a/jni/offsets.c +++ b/jni/offsets.c @@ -419,6 +419,12 @@ struct offsets offsets[] = { { "MI 2", "Linux version 3.4.0-perf-g9b728b6-00625-ge66671e (builder@qh-miui-ota-bd53) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Mon Mar 7 20:05:25 CST 2016", { (void*)FSYNC_OFFSET(0xC12D5298) }, (void*)0xC12BC530, (void*)0xC12BC420, (void*)0xC0F5332C, (void*)0xC12BA9D0 }, + + /********************** ALCATEL ************************/ + //Alcatel/TCL 5065D Pop35, 5.1.1 LMY47V + { "5065D", "Linux version 3.10.49-g17d9d71 (android-bld@aclgcl-ubnt) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Sep 29 19:51:34 CST 2015", + { (void*)FSYNC_OFFSET(0xc0e82728) }, + (void*)0xc0e08a40, (void*)0xc0e08930, (void*)0xc0cf76c0, (void*)0xc0e06edc }, }; #endif /* (__LP64__) */
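Review bot: the four trailing pointers of the new "5065D" entry are positional and unlabeled, so add a comment naming which of the grepped symbols (sidtab, policydb, selinux_enabled, selinux_enforcing, in the order offsets.h lays them out) each address was read from, which lets a reviewer check them against the kallsyms dump; the kernelversion string is compared verbatim against the running kernel, so it is also worth recording where it was captured. Two style points: the hex literals are lowercase (0xc0e82728) where every surrounding entry uses uppercase (0xC12D5298), and the leading "+" blank line before the ALCATEL banner adds a second empty line after the "MI 2" entry; match the file's existing spacing and case.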
Compile
- Copy the whole PoC folder into device/<vendor>/<model> of an Android source tree, then, from the root of a set-up build environment (build/envsetup.sh sourced and a lunch target chosen), run mmm on that path