[MOD][KERNEL MODULE] wp_mod: disable system write protection

Search This thread
By:
Advanced…
furboom1240

furboom1240

Senior Member
Dec 19, 2013
293
59
Erie Canal Zone
Hello again. I tried the wp_mod posted recently on the OP, but when I try to execute the script, it stalls. Is there a line I can add in the build.prop that would disable system write protection? I'm using ROM Toolbox Pro so instructions that'd work best with that app would be valuable.

Of course, my intent is to have the ability to modify the file system to my liking on my rooted m8 running CM11 M12.

Thanks.

Sent from my One M8 using XDA Free mobile app
 
furboom1240

furboom1240

Senior Member
Dec 19, 2013
293
59
Erie Canal Zone
scoot0073 said:
I gave up trying to get the module to load. I just converted my at&t M8 to Developer Edition and now no more issue trying to write too system.

Sent from my HTC One_M8 using Tapatalk
Click to expand...
Click to collapse

If I remember correctly, that requires SuperCID, right? I have a GPE device, so my CID is default according to fastboot. Any advice on how to achieve SuperCID for my device?

Sent from my One M8 using XDA Free mobile app
 
C

chrisnz1947

Senior Member
Feb 25, 2008
118
1
Melbourne
wp_mod and Lolipop

would you expect the procedure to still work with android 5?

I recently received OTA 4.16.1504.8 and android 5.0.1 on my M8 developer and after rooting it I cannot get wp_mod to work.
 
scoot0073

scoot0073

Senior Member
Mar 27, 2010
875
205
Atl. Ga.
Google Pixel 3 XL
OnePlus 7T
furboom1240 said:
If I remember correctly, that requires SuperCID, right? I have a GPE device, so my CID is default according to fastboot. Any advice on how to achieve SuperCID for my device?

Sent from my One M8 using XDA Free mobile app
Click to expand...
Click to collapse

On my AT&T M8 I changed my CID to 11111111 as I was going back and forth from GPe to DE and it's still super cid. I don't know if the method applies to all M8's but I booted into fastboot and typed fastboot oem rewrite cid 11111111. And that's all I did.

Sent from my HTC One_M8 using Tapatalk
 
flar2

flar2

Recognized Developer
Jun 11, 2012
18,897
87,868
Southwestern Ontario
elementalx.org
Basically, I do the initial work to disable the write protection and leave the method here for other devs to use. The problem with HTC is they have many different kernels floating around and I can't possibly create the module for all of them.

Best thing to do is check for a custom Rom that uses the same kernel version and get a copy of wp_mod.ko from there, as nearly all custom Sense Roms use this module.
 
  • Like
Reactions: JTJTJ
Captain_Throwback

Captain_Throwback

Recognized Developer
Aug 22, 2008
20,445
23,058
The Nothing
Asus Eee Pad Transformer Prime
HTC One (M8)
chiman said:
Will there be a Lollipop version of this tool?
Click to expand...
Click to collapse

flar2 said:
Basically, I do the initial work to disable the write protection and leave the method here for other devs to use. The problem with HTC is they have many different kernels floating around and I can't possibly create the module for all of them.

Best thing to do is check for a custom Rom that uses the same kernel version and get a copy of wp_mod.ko from there, as nearly all custom Sense Roms use this module.
Click to expand...
Click to collapse
For example: http://xdaforums.com/showthread.php?p=59082003
 
You must log in or register to reply here.

Similar threads

flar2
[KERNEL] [Nov 26] ElementalX-m8 (7.01 Sense) (6.04 GPE)
Replies
6K
Views
977K
D
Developer0fTruth
flar2
[MOD] [KERNEL MODULE] [July 26] Sweep2sleep
Replies
164
Views
54K
mrrocketdog
mrrocketdog
faux123
[KERNEL] (007) Sense/GPE (3.4+Hybrid/UV/OC/Intelliplug/active/FauxSound) [08-02-2014]
Replies
983
Views
166K
munkyvirus
munkyvirus
lyapota
[KERNEL][Jul 31] lONElyX #038|Sense/GPE| GSM*WHL*VZW | KEXEC*HotPlugs*UV*OC*ets
Replies
812
Views
161K
Stickman89
Stickman89
lyapota
[MOD][Aug 01][#011] modPack for GPE 5.1.0 Stock/SkyDragon
Replies
381
Views
80K
lyapota
lyapota

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 74
    flar2
    flar2
    wp_mod: Module to disable system write protection

    This is a kernel module that disables write protection on the system partition while running the stock kernel.


    HTC changed the MMC_MUST_PREVENT_WP_VIOLATION code to make it much harder to crack. I had to redo the module completely, so this is experimental. In the past, it was a simple matter of changing a variable, now we have to replace a function in the kernel so it returns something different, causing the kernel to skip over the write protection code.

    I would caution against loading the module after attempting to make changes to the system partition. It could end up corrupting the filesystem. If the module is loaded at boot, there should be no worries.

    This module will probably need to be updated to load with future kernels when they are released.


    Please consider a donation to support ongoing development
    Many thanks to those who have donated!

    Download:

    wp_mod for GPE Marshmallow 6.0 can be found here:
    http://xdaforums.com/htc-one-m8/general/root-root-marshmallow-gpe-supersu-t3242210


    Sense 4.4.4 (thanks @migascalp):
    http://www.mediafire.com/download/4vyqslnc4crsnto/wp_mod_3.28.401.6.zip


    Sense 4.4.3 (2.22 base):
    wp_mod.ko

    Sense 4.4.2:
    wp_mod.ko

    GPE 4.4.4 (thanks to @italyforever):
    wp_mod.ko

    GPE 4.4.2:
    wp_mod.ko




    Installation:
    Wait for it to be implemented in your favourite ROM

    * or *

    Copy the module to your device, and type
    Code: 
    su
insmod /location-where-you-copied-it/wp_mod.ko


    Changes:

    April 2, 2014 - wp_mod 4.1
    -only return non-existing partition number if called by generic_make_request_checks
    -remove exit from module (we don't want to be able to unload it)
    -clean up code


    March 31, 2014 - wp_mod 4.0
    -new method for HTC One m8



    Source:
    https://github.com/flar2/wp_mod

    Module was compiled against m8 Google Play Edition source. Some symbol CRC checks had to be hexedited in the compiled module to match the stock kernel. Thanks to Michael Coppola for example of function hooking on arm: http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm
    View
    9
    flar2
    flar2
    m03sizlak said:
    AWESOME work flar2.

    After examining the source, it is indeed *much* more complicated than it has been in the past. Just curious, if you have the kernel source, what is to stop you from just rewriting the hooked functions instead of hijacking them with this code, which appears to be proof of concept code for ARM rootkits?

    Second question, the very informative page you linked to, and based this on, says this about ARM instruction caching:

    http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm


    Any reason why you do not use this approach in your module?


    Last and possibly most important question. The page also says this:

    The code uses this approach only to avoid detection by rootkit detectors, something that we should have zero concerns about. Why not use the other approach, system call hooking by swapping out function pointers in the system call table?


    THANK YOU.
    Click to expand...
    Click to collapse

    I did rewrite the function. Remember, we have to do this in the running kernel. Whenever the original function is called, it jumps to my new function instead. Hooking/hijacking are the same thing. That site also shows how to hide the module and a bunch of other stealth stuff, but none of that was necessary for this.

    It's extremely easy to disable write protection if you compile your own kernel, you just turn off MMC_MUST_PREVENT_WP_VIOLATION.

    Previously, the wp_mod hack was dead simple. All we had to do was call an existing kernel function to change the number of the partition that write protection applied to. In the new source (below), HTC got rid of all this extraneous code and just hardcoded it to apply the write protection to /system. This happens in block/blk-core.c as you can see below. We need to skip over the quoted code.

    Code: 
    static noinline_for_stack bool
generic_make_request_checks(struct bio *bio)
{

......

#ifdef CONFIG_MMC_MUST_PREVENT_WP_VIOLATION
	sprintf(wp_ptn, "mmcblk0p%d", get_partition_num_by_name("system"));   //hardcoded to look for system partition
	if (!strcmp(bdevname(bio->bi_bdev, b), wp_ptn) && !board_mfg_mode() &&   //wp_ptn == mmcblk0p45  (/system)
			(get_tamper_sf() == 1) && (bio->bi_rw & WRITE)) {
		pr_info("blk-core: Attempt to write protected partition %s block %Lu \n",
				bdevname(bio->bi_bdev, b), (unsigned long long)bio->bi_sector);
		err = 0;
		goto wp_end_io;
	} else if (atomic_read(&emmc_reboot) && (bio->bi_rw & WRITE)) {
		pr_info("%s: Attempt to write eMMC, %s block %Lu \n", current->comm,
				bdevname(bio->bi_bdev, b), (unsigned long long)bio->bi_sector);
		err = -EROFS;
		goto wp_end_io;
	}
#endif

..............

}


    It's a *bad idea* to replace a big complicated important function like static noinline_for_stack bool
    generic_make_request_checks() so I decided to modify a simpler function within it, get_partition_num_by_name(). I changed get_partition_num_by_name() to return a different partition number when name == system. I didn't see any code in the kernel source where it would cause a problem to return the wrong partition number for system. After loading wp_mod.ko, write protection is applied to a non-existent partition instead of /system. The end result is exactly the same as my old wp_mod that has proven to work on many devices.


    Why didn't I just change the address in the system call table? I don't think that is so easy on contemporary kernels. I found the function hooking method simpler and more foolproof.


    EDIT: in my haste while answering this at work, I quoted the wrong function containing the write protection code. It's static noinline_for_stack bool
    generic_make_request_checks not bio_check_eod (which is the function right above it in blk-core.c)
    View
    9
    flar2
    flar2
    I've updated the module a bit to make it easier to port to future kernels and other devices that use this form of write protection. All that needs to be done is to edit the CRC value for module_layout. I've also made it so the module can't be unloaded, we don't want to do that. In the process, I was able to reduce the module's overhead. Also, as per @m03sizlak's suggestion, I made it so it will only return the non-existent partition if the calling function is generic_make_request_checks.

    The first version works, but we should start testing this version.


    Download:
    wp_mod.ko

    (downloads not showing up for some reason, hold on)


    Changes:
    -only return non-existing partition number if called by generic_make_request_checks
    -remove exit from module (we don't want to be able to unload it)
    -clean up code
    View
    9
    flar2
    flar2
    wp_mod for Sense 6 Android 4.4.3 2.22.401.4

    wp_mod.ko
    View
    8
    drakeymcmb
    drakeymcmb
    For users who have init.d support in their ROM. Flash this and your good to go

    https://mega.co.nz/#!XINyDIrB!QcdP3sZJjgKAivkEa7iN8Jusx0e78T1rpA5PT7VGAxQ

    Sent from my Note 3
    View

New posts