XDA Developers Android and Mobile Development Forum

[EXPLOIT][HOW-TO] BypassLKM: bypass module signature verification on TW 4.3

DeadlySin9, #61
Quote:
Originally Posted by numbR7 View Post
Sorry, I posted this earlier in the i9505 SHOstock-i v5.0b4 thread:

"This may be the most embarrassing question to date--but here goes. If the SHOstock-i 4.4.2 ported ROM above does not require the 4.4 bootloader and the kernel has been z-patched (fooling the MK2 bootloader), could this be a way to get a KK ROM--using SafeStrap--on the MK2 locked device?

EDIT: meant exploit BypassLKM"

I meant to post here and I meant to say your exploit BypassLKM NOT z-patched and refer over to the SHOstock ROM. I think I understand I was mixing apples and oranges. I hope it makes a tad more sense now. Anyway, I'm trying to understand the new practical options this brings to the SS locked BL user. Since you can load a different kernel in memory (the new option I can see), does that mean I could load a non-TW 4.3 ROM in a slot? Are you pretty much "locked" into the 4.3 TW stuff? I believe--if this is possible--that it would be a one-off--when I changed slots--to be re-applied, but would do the job? I've been cruising along flashing with a custom recovery for a while--recently, my S4 was damaged and with the replacement I ended up in the fun new hard locked bootloader world. I will get the hang of it. I fully understand that there must be a valid question in order to get an answer. I hope this is closer to the mark. Thanks...
This does not load a different kernel. This allows the loading of modules into the current kernel. Hashcode, the developer behind Safestrap, has been working on using this in order to implement the loading of a kexec module - a module that would load a kernel over the stock kernel. If that works, then yes, non-TW ROMs will be an option. For now, it's not happening though. If it were a simple process then it would have been done already.
Current Device: ATT Samsung Galaxy S4 (i337)

Past Devices:
Droid Bionic (GSM Hacked)
HTC Inspire 4G (Desire HD)
Nexus One
Motorola Backflip
HTC Dev Phone 1 (Dream/G1)
 
numbR7, #62
Quote:
Originally Posted by DeadlySin9 View Post
This does not load a different kernel. This allows the loading of modules into the current kernel. Hashcode, the developer behind Safestrap, has been working on using this in order to implement the loading of a kexec module - a module that would load a kernel over the stock kernel. If this works, then yes, non-TW ROMs will be an option. For now, it's not happening though. If it were a simple process then it would have been done already.
Thanks. Apparently I need to study this a little more. I need to understand the term "module" like the jfltatt-MK2-modules.zip that needs to be flashed on many of the SS ROMs. Are they the same type of modules? Is their mode and function the same? What is the goal--the practical result? Anyway, the question is--can you provide a link to some reading on this?

Thanks again...
 
DeadlySin9, #63
Quote:
Originally Posted by numbR7 View Post
Thanks. Apparently I need to study this a little more. I need to understand the term "module" like the jfltatt-MK2-modules.zip that needs to be flashed on many of the SS ROMs. Are they the same type of modules? Is their mode and function the same? What is the goal--the practical result? Anyway, the question is--can you provide a link to some reading on this?

Thanks again...
I can't link you to any specific readings; I've just googled a few things like kexec and modules and such.

AFAIK kexec is a module just like those in the zip. They hook into the kernel to provide some functionality (like wifi in the case of the zip). Our kernel checks the modules to make sure they're signed before using them. This exploit allows us to get around that signing, however. Different modules have different functions to allow the phone different functions. It's like adding sections to a machine that let it do other different tasks along with previous ones. The goal in the case of kexec is to enable a function to boot another kernel over the current kernel. If implemented in Safestrap, it will be the next best thing to an exploit, as it will basically give us back custom kernels.

Sent from Black<3's I337 running Foxhound ROM
 
numbR7, #64
Quote:
Originally Posted by DeadlySin9 View Post
I can't link you to any specific readings; I've just googled a few things like kexec and modules and such.

AFAIK kexec is a module just like those in the zip. They hook into the kernel to provide some functionality (like wifi in the case of the zip). Our kernel checks the modules to make sure they're signed before using them. This exploit allows us to get around that signing, however. Different modules have different functions to allow the phone different functions. It's like adding sections to a machine that let it do other different tasks along with previous ones. The goal in the case of kexec is to enable a function to boot another kernel over the current kernel. If implemented in Safestrap, it will be the next best thing to an exploit, as it will basically give us back custom kernels.

Sent from Black<3's I337 running Foxhound ROM
Thanks a lot. You provided a ton of info. That's a great start for me! Nice succinct lesson.
 
the_mentor, #65
Would this exploit work on a Galaxy S3?

I know this might be the wrong place to ask and I'm sorry if it is.
But do you think the exploit described above would also work with a Verizon Galaxy S3 on 4.3?

Thanks.
 
DeadlySin9, #66
Quote:
Originally Posted by the_mentor View Post
I know this might be the wrong place to ask and I'm sorry if it is.
But do you think the exploit described above would also work with a Verizon Galaxy S3 on 4.3?

Thanks.
You shouldn't need it. You can flash custom kernels that don't require module signing.

Sent from Black<3's I337 running Foxhound ROM
 
Surge1223, #67 (Last edited by Surge1223; 13th March 2014 at 11:27 PM.)
This depends on whether or not you are able to root using saferoot (since it's dependent on the get/put_user exploit) and whether your stock kernel was compiled with support for loading modules. You can check your kernel source config file to see.

After checking your kernel source you can create or compile modules from the source directory. You should probably know how to compile kernels before continuing, but here are a couple of things you should do anyway. In terminal emulator or with adb shell type:

Quote:
user@jfltevzw:/ $ su
root@jfltevzw:/ # mount -o remount,rw /system
root@jfltevzw:/ # echo 1 > /proc/sys/kernel/kptr_restrict
root@jfltevzw:/ # echo 1 > /proc/sys/kernel/dmesg_restrict
root@jfltevzw:/ # cat /proc/kallsyms >/sdcard/kallsyms
Next, compile your kernel from source with its defconfig. After you have successfully compiled the kernel, change the .config file to allow module loading and compile a module.

Or, if compiling is not for you, then just as a test compile a module using memory data from the kallsyms file you made earlier if the source for the module requires it, and adb push it to /data/local/tmp. Next:

Quote:
user@jfltevzw:/ $ su
root@jfltevzw:/ # mount -o remount,rw /system
root@jfltevzw:/ # cd /data/local/tmp
root@jfltevzw:/data/local/tmp # chmod 755 your_module.ko
root@jfltevzw:/data/local/tmp # ./bypasslkm
root@jfltevzw:/data/local/tmp # insmod your_module.ko
root@jfltevzw:/data/local/tmp # dmesg | grep TIMA
Then you'd have to follow the directions jeboo gives in the OP and patch and compile bypasslkm, making sure to change all addresses and settings to comply with the S3.
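The post above tells you to check the kernel source config for module support and to dump /proc/kallsyms for addresses. The script below is an added example (not code from the thread or from the BypassLKM project) that automates those two checks on a desktop: it classifies a kernel .config by what it will do with an unsigned module, and looks a symbol up in a kallsyms dump. The .config and kallsyms contents are constructed samples; the option names CONFIG_MODULES, CONFIG_MODULE_SIG and CONFIG_MODULE_SIG_FORCE are upstream Kconfig names, and CONFIG_TIMA_LKMAUTH is included as the Samsung module-authentication option as I recall it from S4 sources (treat that name as an assumption; the script matches any set option containing TIMA, which is the string the post greps for in dmesg).

```shell
#!/bin/sh
# Added example: classify a kernel .config's module-loading policy and look up
# symbols in a kallsyms dump. Sample inputs below are constructed.
set -u

# Constructed sample .config (option names mirror real Kconfig names;
# CONFIG_TIMA_LKMAUTH is assumed to be the Samsung vendor option).
make_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real device config
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_TIMA_LKMAUTH=y
EOF
}

# Constructed sample kallsyms dump (addresses are made up).
make_sample_kallsyms() {
    cat > "$1" <<'EOF'
c0008000 T stext
c0104f20 T printk
c02c1a40 t mod_verify_sig
c0831000 D kernel_config_data
EOF
}

# config_option FILE NAME -> prints the value (y/m/...) or n if unset/absent
config_option() {
    _val=$(grep -E "^$2=" "$1" | head -n1 | cut -d= -f2)
    if [ -n "$_val" ]; then echo "$_val"; else echo n; fi
}

# vendor_lkm_options FILE -> set options whose name contains TIMA
vendor_lkm_options() {
    grep -E '^CONFIG_[A-Z0-9_]*TIMA[A-Z0-9_]*=y' "$1" || true
}

# module_policy FILE -> one word describing what happens to an unsigned module:
#   no-modules             kernel cannot load modules at all
#   vendor-signature-check vendor (TIMA) authentication option is enabled
#   signature-required     upstream CONFIG_MODULE_SIG_FORCE rejects it
#   tainted                upstream MODULE_SIG set but not forced: loads, taints
#   unsigned-ok            no signature checking configured
module_policy() {
    [ "$(config_option "$1" CONFIG_MODULES)" = y ] || { echo no-modules; return; }
    if [ -n "$(vendor_lkm_options "$1")" ]; then echo vendor-signature-check; return; fi
    [ "$(config_option "$1" CONFIG_MODULE_SIG)" = y ] || { echo unsigned-ok; return; }
    if [ "$(config_option "$1" CONFIG_MODULE_SIG_FORCE)" = y ]; then
        echo signature-required
    else
        echo tainted
    fi
}

# symbol_addr KALLSYMS NAME -> address column of the first matching symbol
symbol_addr() {
    awk -v name="$2" '$3 == name { print $1; exit }' "$1"
}

# Demo run over the constructed samples.
demo() {
    _dir=$(mktemp -d)
    make_sample_config "$_dir/config"
    make_sample_kallsyms "$_dir/kallsyms"
    echo "module policy: $(module_policy "$_dir/config")"
    echo "printk at: $(symbol_addr "$_dir/kallsyms" printk)"
    rm -rf "$_dir"
}

demo
```

On a real tree, point module_policy at the .config produced by the defconfig step in the post and symbol_addr at the /sdcard/kallsyms dump; a dump full of zero addresses means kptr_restrict is still hiding them, which is why the post lowers it before reading.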
 
the_mentor, #68
Quote:
Originally Posted by DeadlySin9 View Post
You shouldn't need it. You can flash custom kernels that don't require module signing.

Sent from Black<3's I337 running Foxhound ROM
If you have the Verizon S3 with Android 4.3, it has a locked bootloader that won't allow you to flash any custom ROM, and I was hoping this could be useful.
 
WordsworthESP, #69
This isn't ready, so no... it won't help. As stated, this thread is for devs to post. If they ever get it working, we'll know about it.

Sent from my Hyperdriven S4
