Sorry, I posted this earlier in the i9505 SHOstock-i v5.0b4 thread:
"This may be the most embarrassing question to date--but here goes. If the SHOstock-i 4.4.2 ported ROM above does not require the 4.4 bootloader and the kernal has been z-patched (fooling the MK2 bootloader) could this be a way to get a KK ROM--using SafeStrap--on the MK2 locked device?
EDIT: meant exploit BypassLKM"
I meant to post here and I meant to say your exploit BypassLKM NOT z-patched and refer over to the SHOstock ROM. I think I understand I was mixing apples and oranges. I hope it makes a tad more sense now. Anyway, I'm trying to understand the new practical options this brings to the SS locked BL user. Since you can load a different kernel in memory (the new option I can see), does that mean I could load a none TW 4.3 ROM in a slot? Are you pretty much "locked" into the 4.3 TW stuff? I believe--if this is possible--that it would be a one-off--when I changed slots--to be re-applied but would do the job? I've been cruising along flashing with a custom recovery for awhile--recently, my S4 was damaged and with the replacement I ended up in the fun new hard locked bootloader world. I will get the hang of it. I fully understand that there must be valid question in order to get and answer. I hope this is closer to the mark. Thanks...
This does not load a different kernel. This allows the loading of modules to the current kernel. Hashcode, the developer behind safestrap, has been working on using this on order to implement the loading of a kexec module - a module that would load a kernel over the stock kernel. If that works, then yes, non TW ROMs will be an option. For now, it's not happening though. If it were a simple process then it would have been done already.
This does not load a different kernel. This allows the loading of modules to the current kernel. Hashcode, the developer behind safestrap, has been working on using this on order to implemtheihe loading of a kexec module - a module that would load a kernel over the stock kernel. If this works, then yes, non TW ROMs will be an option. For now, it's not happening though. If it were a simple process then it would have been done already.
Thanks. Apparently I need to study this a little more. I need to understand the term "module" like the jfltatt-MK2-modules.zip that needs to be flashed on many of the SS ROMs. Are they the same type modules? Is thier mode and function the same? What is the goal--the pratical result? Any way, the question is--can you provide a link to some reading on this?
Thanks. Apparently I need to study this a little more. I need to understand the term "module" like the jfltatt-MK2-modules.zip that needs to be flashed on many of the SS ROMs. Are they the same type modules? Is thier mode and function the same? What is the goal--the pratical result? Any way, the question is--can you provide a link to some reading on this?
I can't link you to any specific readings, I've just googled a few things like kexec and modules and such.
AFAIK kexec is a module just like those in the zip. They hook in to the kernel to provide some functionality (like wifi in the case of the zip). Our kernel checks the modules to make sure they're signed before using them. This exploit allows us to get around that signing however. Different modules have different functions to allow the phone different functions. It's like adding sections to a machine that let it do other different tasks along with previous ones. The goal in the case of kexec is to enable a function to boot another kernel over the current kernel. If implemented to Safestrap, it will be the next best thing to an exploit, as it will basically give us back custom kernels.
I can't link you to any specific readings, I've just googled a few things like kexec and modules and such.
AFAIK kexec is a module just like those in the zip. They hook in to the kernel to provide some functionality (like wifi in the case of the zip). Our kernel checks the modules to make sure they're signed before using them. This exploit allows us to get around that signing however. Different modules have different functions to allow the phone different functions. It's like adding sections to a machine that let it do other different tasks along with previous ones. The goal in the case of kexec is to enable a function to boot another kernel over the current kernel. If implemented to Safestrap, it will be the next best thing to an exploit, as it will basically give us back custom kernels.
I know this might be the wrong place to ask and I'm sorry if it is.
but do you think the exploit described above would also work with a verizon galaxy s3 on 4.3 ?
I know this might be the wrong place to ask and I'm sorry if it is.
but do you think the exploit described above would also work with a verizon galaxy s3 on 4.3 ?
This depends on whether or not you are able to root using saferoot or not (since its dependent on the get/put_user exploit) and whether your stock kernel was compiled with support for loading modules. You can check your kernel source config file to see.
After checking your kernel source you can create or compile modules from the source direcctory. You should probably know how to compile kernels before continuing but here are a couple things you should do anyways. In terminal emulator or with adb shell type:
Next, compile your kernel from source with its defconfig. After you have successfully compiled the kernel change the .config file to allow module loading and compile a module.
Or if compiling is not for you then just to test compile a module using memory data from the kallsyms file you made earlier if the source for the module requires it. And adb push-it to /data/local/tmp. Next:
user@jfltevzw:/ $ su
root@jfltevzw:/ # mount -o remount, rw /system
root@jfltevzw:/ # cd /data/local/tmp
root@jfltevzw:/data/local/tmp # chmod 755 your_module.ko
root@jfltevzw:/data/local/tmp # ./bypasslkm
root@jfltevzw:/data/local/tmp # insmod
root@jfltevzw:/data/local/tmp # dmesg |grep TIMA
Then youd have to follow the directions jeboo gives in the OP and patch compile bypasslkm making sure to change all address and settings to comply with the s3.
If you have the Verizon s3 with Android 4.3 it has a locked bootloader that won't allow you to flash any custom rom and I was hoping this can be useful.
I got this idea after reading about CVE-2013-6282 and seeing the source for it.
As we all know, anyone with MF3+ bootloaders on ATT/VZW cannot load custom kernels/recoveries. Hashcode saved the day with Safestrap, which allowed users to run custom ROMs using stock, signed boot.imgs (initramfs/kernel). Unfortunately booting a custom kernel is still not possible due to BL restrictions.
With this latest root exploit, it is possible to overwrite kernel memory and thus remove some of the restrictions of the stock kernel. Most important is the ability to insert kernel modules not signed by Samsung, specifically kexec. This module can allow one to load any custom kernel regardless of BL restrictions. Before you ask, I have never compiled nor worked with kexec!
I'm going to go over the process just for completeness, you can skip this section if you want. It's mostly for devs:
With 4.3, when you insert one of the included modules (ie, /system/lib/modules), you will see the following in dmesg:
Code:
<4>[ 2003.009063] TIMA: lkmauth--launch the tzapp to check kernel module; module len is 3224
<4>[ 2003.009124] TIMA: lkmauth -- hdr before kreq is : e3003000
<4>[ 2003.009155] TIMA: lkmauth--send cmd (tima_lkm) cmdlen(304:320), rsplen(264:320) id 0x00050000, req (0xE511C000), rsp(0xE511C140), module_start_addr(0xE3003000) module_len 3224
<4>[ 2003.012237] TIMA: lkmauth--verification succeeded.
Though I'm not intimately familiar with the workings of lkmauth, it's obvious it's querying the trustzone (TZ) to verify the module. If we now change one insignificant byte in the module, you get:
Code:
<4>[ 2301.298980] TIMA: lkmauth--launch the tzapp to check kernel module; module len is 3224
<4>[ 2301.299011] TIMA: lkmauth -- hdr before kreq is : e300c000
<4>[ 2301.299041] TIMA: lkmauth--send cmd (tima_lkm) cmdlen(304:320), rsplen(264:320) id 0x00050000, req (0xE511C000), rsp(0xE511C140), module_start_addr(0xE300C000) module_len 3224
<3>[ 2301.301391] TIMA: lkmauth--verification failed -1
<4>[ 2301.301544] TIMA: MSG=lkm_modified; result (TIMA_RESULT=MSG=lkm_modified;)
We can use these messages to narrow down the code in the kernel. I'm using ATT MK2 as the example here:
kernel/module.c
Code:
/* parse result */
if (krsp->ret == 0) {
pr_warn("TIMA: lkmauth--[B]verification succeeded[/B].\n");
ret = 0; /* ret should already be 0 before the assignment. */
} else {
pr_err("TIMA: lkmauth--[B]verification failed[/B] %d\n", krsp->ret);
ret = -1;
....
If we unpack boot.img, then decompress the zImage, we can find this code in the binary. Fire up IDA and set the base address to 0xC0008000. You should be able to resolve the above string reference to:
That BNE is the target for our patch. So bypasslkm will basically overwrite that test with a NOP instruction thus forcing the authentication to succeed.
I tested inserting a modified stock module and one I compiled. Btw, if you wanna use the modules from the kernel source tree, be sure to add
-fno-pic to CFLAGS_MODULE in the Makefile.
bypasslkm is run alone, and patches the kernel in memory. It does NOT make any changes to the filesystem, and a reboot will require re-executing the patch. Please note the patch will remain in memory until you run 'bypasslkm -r' OR reboot. THIS CAN LEAVE YOUR OS IN A VULNERABLE STATE TO MALWARE. Ideally, you would run the patch, insert your module, then run the patch with -r.
Typical usage:
adb push bypasslkm /data/local/tmp
cd /data/local/tmp
chmod 755 bypasslkm
./bypasslkm
insmod <modulename.ko>
./bypasslkm -r
Supported stock kernels: ATT MK2, VZW MK2, VZW MJ7
CREDITS
fi01 - awesome source for the CVE!
CUBE - getroot source!
djrbliss - thanks for the makefile =P
I have question where i have to put this commands ?
ON CMD or some program, cuz now i have i337 Rooted 4.3 with baseband 4.4.2 and the Wifi doesnet work.
I am trying to play around with kexec, and dont mind having to odin stock ML2 if something blows chunks all over the system.
Can this be used against either MF3 or ML2. If it could be used against MF3, Its possible to boot 4.3 with the MF3 kernel, I think thats how I used saferoot to root 4.3.
So one could downgrade their kernel to MF3 and run this against the kernel to load kexec_load.ko in, and then work on kexec itself.
For those reading this: do not try this, I am only asking for information.
I am trying to play around with kexec, and dont mind having to odin stock ML2 if something blows chunks all over the system.
Can this be used against either MF3 or ML2. If it could be used against MF3, Its possible to boot 4.3 with the MF3 kernel, I think thats how I used saferoot to root 4.3.
So one could downgrade their kernel to MF3 and run this against the kernel to load kexec_load.ko in, and then work on kexec itself.
For those reading this: do not try this, I am only asking for information.
How hard would it be to build BypassLKM against MF3? Or is it out of the question? I am willing to do a little learning and some trial and error, now that I have another phone on the way.
How hard would it be to build BypassLKM against MF3? Or is it out of the question? I am willing to do a little learning and some trial and error, now that I have another phone on the way.
You'll have to look at the process stated in the OP to get the exploit and see if you can recreate those steps on MF3 I believe. Also, I believe you might need to find a method to write to the kernel memory to execute it.
You'll have to look at the process stated in the OP to get the exploit and see if you can recreate those steps on MF3 I believe. Also, I believe you might need to find a method to write to the kernel memory to execute it.
I was able to run the bypasslkm binary on MF3, and it said it was patched. But loading a module built for another 3.4.0 phone fails with LKMauth error.
I was able to run the bypasslkm binary on MF3, and it said it was patched. But loading a module built for another 3.4.0 phone fails with LKMauth error.
The MF3 kernel is vulnerable, but the patch address would have to be changed in bypasslkm.c and recompiled. I figured most people on MF3 have since upgraded to MK2. They're both vulnerable, rootable, etc..
The MF3 kernel is vulnerable, but the patch address would have to be changed in bypasslkm.c and recompiled. I figured most people on MF3 have since upgraded to MK2. They're both vulnerable, rootable, etc..
You should be able to follow the directions outlined in the OP and find the address to patch then simply change the address in bypasslkm.c before recompiling.
Hate to revive an old thread, but this interests me. I know this is for Jellybean, but is there an updates for it? I'd be willing to help unlock the bootloader of my i537, and whoever wants to do this can get the 1k bounty..
I got this idea after reading about CVE-2013-6282 and seeing the source for it.
As we all know, anyone with MF3+ bootloaders on ATT/VZW cannot load custom kernels/recoveries. Hashcode saved the day with Safestrap, which allowed users to run custom ROMs using stock, signed boot.imgs (initramfs/kernel). Unfortunately booting a custom kernel is still not possible due to BL restrictions.
With this latest root exploit, it is possible to overwrite kernel memory and thus remove some of the restrictions of the stock kernel. Most important is the ability to insert kernel modules not signed by Samsung, specifically kexec. This module can allow one to load any custom kernel regardless of BL restrictions. Before you ask, I have never compiled nor worked with kexec!
I'm going to go over the process just for completeness, you can skip this section if you want. It's mostly for devs:
With 4.3, when you insert one of the included modules (ie, /system/lib/modules), you will see the following in dmesg:
Code:
<4>[ 2003.009063] TIMA: lkmauth--launch the tzapp to check kernel module; module len is 3224
<4>[ 2003.009124] TIMA: lkmauth -- hdr before kreq is : e3003000
<4>[ 2003.009155] TIMA: lkmauth--send cmd (tima_lkm) cmdlen(304:320), rsplen(264:320) id 0x00050000, req (0xE511C000), rsp(0xE511C140), module_start_addr(0xE3003000) module_len 3224
<4>[ 2003.012237] TIMA: lkmauth--verification succeeded.
Though I'm not intimately familiar with the workings of lkmauth, it's obvious it's querying the trustzone (TZ) to verify the module. If we now change one insignificant byte in the module, you get:
Code:
<4>[ 2301.298980] TIMA: lkmauth--launch the tzapp to check kernel module; module len is 3224
<4>[ 2301.299011] TIMA: lkmauth -- hdr before kreq is : e300c000
<4>[ 2301.299041] TIMA: lkmauth--send cmd (tima_lkm) cmdlen(304:320), rsplen(264:320) id 0x00050000, req (0xE511C000), rsp(0xE511C140), module_start_addr(0xE300C000) module_len 3224
<3>[ 2301.301391] TIMA: lkmauth--verification failed -1
<4>[ 2301.301544] TIMA: MSG=lkm_modified; result (TIMA_RESULT=MSG=lkm_modified;)
We can use these messages to narrow down the code in the kernel. I'm using ATT MK2 as the example here:
kernel/module.c
Code:
/* parse result */
if (krsp->ret == 0) {
pr_warn("TIMA: lkmauth--[B]verification succeeded[/B].\n");
ret = 0; /* ret should already be 0 before the assignment. */
} else {
pr_err("TIMA: lkmauth--[B]verification failed[/B] %d\n", krsp->ret);
ret = -1;
....
If we unpack boot.img, then decompress the zImage, we can find this code in the binary. Fire up IDA and set the base address to 0xC0008000. You should be able to resolve the above string reference to:
That BNE is the target for our patch. So bypasslkm will basically overwrite that test with a NOP instruction thus forcing the authentication to succeed.
I tested inserting a modified stock module and one I compiled. Btw, if you wanna use the modules from the kernel source tree, be sure to add
-fno-pic to CFLAGS_MODULE in the Makefile.
bypasslkm is run alone, and patches the kernel in memory. It does NOT make any changes to the filesystem, and a reboot will require re-executing the patch. Please note the patch will remain in memory until you run 'bypasslkm -r' OR reboot. THIS CAN LEAVE YOUR OS IN A VULNERABLE STATE TO MALWARE. Ideally, you would run the patch, insert your module, then run the patch with -r.
Typical usage:
adb push bypasslkm /data/local/tmp
cd /data/local/tmp
chmod 755 bypasslkm
./bypasslkm
insmod <modulename.ko>
./bypasslkm -r
Supported stock kernels: ATT MK2, VZW MK2, VZW MJ7
CREDITS
fi01 - awesome source for the CVE!
CUBE - getroot source!
djrbliss - thanks for the makefile =P
I deciding to open this up a bit and at least give everyone an update on where I'm at with the kexec process on the S4.
These instructions are based on my test device: JFLTEVZW running MJ7. The future is: if we get this working, I'll update and rebase against the MK# kernel sources as well as have other testers on other devices.
And then it just hangs there. (I've disabled the msm_watchdog so that I have all the time I need to jump kernels without it triggering a reboot.)
I'm obviously not killing off mmu correctly or leaving something up which is hanging the process inside the kernel remapping code.
(Note: there is NOTHING special about this Safestrap other than:
1. It loads the module bypass prior to entering recovery
2. It mounts /firmware so that when insmod is used the tz firmware can be found by the kernel
-- no need for the every day user to "try it out")
Here's my testing process (after installing the "special" version of Safestrap above):
Once I'm in recovery, I run the following commands via PC:
Code:
# push kexec binary, kexec modules, zImage, recovery.gz and 2 scripts to /datamedia/local/tmp
adb push <kerneldir>build /datamedia/local/tmp
# run the "push.sh" script which copies the files to the rootfs and sets perms
adb shell "/datamedia/local/tmp/push.sh"
# run the "setup.sh" script which unmounts the
adb shell "/setup.sh"
Eventually the screen will either fade to white or black and the device is not responsive. Unplug USB
Hold power button while quickly sliding the contact of the battery out and back in.
On the reset: re-enter safestrap recovery and you'll have a /proc/last_kmsg to look at (similar to the above).
NEXT STEPS:
The goal would be to find a small bit of machine code that I can execute directly inside the kernel remapping code that is insignificant but will show a "sign of life".. Such items are writing to the serial port (which I'm currently trying to work out), setting off a vibrator pulse, etc).
Well, I'm back again with another essay on removing the annoying module authentication that Sammy uses across the S4 phones. This tutorial will focus on those phones with either loki-vulnerable BLs (MDB, MDL, etc) or unlocked BLs (i9505).
It seems with the last few releases, Sammy has started tying the kernel modules to the BLs, instituting a TZ-based authentication system. We will focus on bypassing this "protection" by modifying the kernel binary itself. This is useful when we dont have source yet to build our own versions, as is the current case with KK. This also allows us to use newer stock kernels without having to update the BLs to match.
*** This is strictly intended for developers, do NOT try any of the below for fear of bricking! ***
1. Confirm modules are being rejected by BL-based authentication.
Simple, try to turn on WiFi and keep on eye on dmesg/logcat. You should see some module-related errors (dmesg | grep 'tzapp').
2. How to extract the kernel binary
In post #1, I mention this but figure it's worth detailing for future use! To deconstruct boot.img is pretty trivial, I use the Adi_Pat package and simply run 'extract.sh boot.img' (you may need to update some of the binaries in that package). This will separate out zImage and ramdisk (expanded) into their respective folders.
zImage is composed of some important loader code and the gzip compressed kernel binary. We need to extract the kernel and then decompress it.
This is a snippet of a script Entropy512 used for s2 unpacking..
3. Analyze the unpacked kernel binary.
Now load up zImage_unpacked into IDA, set to ARM CPU and base address 0xc0008000. Post #1 pretty much details how to isolate the exact ARM code to be patched. I patched things a little differently this time (this is MLD ATT KK leak):
The patch is trivial, we simply change R5 to equal 0 and the function will always return successful.
4. Patch and restore zImage, or not?
While the patch is easy, recompressing the kernel and popping it back into zImage is not. The zImage structure is very finicky, so I thought of a better way. Since we know the kernel binary in zImage is decompressed before the kernel is jumped to, why not inject a little patch after realtime decompression. This way we avoid having to decompress, patch, recompress to size, etc..So what we need to do is load up zImage (which has the loader code) in IDA and find the relevant code/injection point.
I will just tell you that arch/arm/boot/compressed/head.S from the kernel src pretty much lays it out for us.
Code:
mov r1, sp @ malloc space above stack
add r2, sp, #0x10000 @ 64k max
mov r3, r7
[COLOR="Red"]bl decompress_kernel[/COLOR]
bl cache_clean_flush
bl cache_off
mov r0, #0 @ must be zero
mov r1, r7 @ restore architecture number
mov r2, r8 @ restore atags pointer
ARM( mov pc, r4 ) @ call kernel <<<< [COLOR="red"]Remember R4 here![/COLOR]
THUMB( bx r4 ) @ entry point is always ARM
in misc.c
Code:
void
decompress_kernel(unsigned long output_start, unsigned long free_mem_ptr_p,
unsigned long free_mem_ptr_end_p,
int arch_id)
{
int ret;
output_data = (unsigned char *)output_start;
free_mem_ptr = free_mem_ptr_p;
free_mem_end_ptr = free_mem_ptr_end_p;
__machine_arch_type = arch_id;
arch_decomp_setup();
putstr("Uncompressing Linux...");
ret = do_decompress(input_data, input_data_end - input_data,
output_data, error);
if (ret)
error("decompressor returned an error");
else
putstr(" done, booting the kernel.\n");
}
So we need a little codespace for our patch, I see 2 log messages that really serve no meaningful purpose. Let's look at the ARM of decompress_kernel in zImage:
5. With our patch points figured out in zImage and the unpacked kernel, we need to generate our new ARM code and make the changes!
- With R4 representing our kernel base address, we need to calculate a relative offset to patch: C00C91C8 - C0008000 = 0xC11C8
- To generate ARM code, you can write it up in a simple, unformatted .s file and compile with arm-as.
- So our patch @964 in zImage above will be the following:
And that's it, hex edit that code starting @0x964 into the zImage, repack the zImage+ramdisk into boot.img/lok and we're done! I call it z-patching for lack of a better name
I was verbose with this post since it can be applied to pretty much any kernel downstream of an unlocked/compromised BL.