The cmd frama tool allows you to invoke functions from the frama lib. We don't need to install it as an APK since the native tool will load the lib itself. It's important that the frama lib is in the same folder as the tool.
I added an option where the user can choose a mode (1=normal, 0=adb).
See attached cmd-frama4.zip
Usage:
Code:
adb push libframalib.so /data/local/.
adb push sploit /data/local
adb shell chmod 755 /data/local/sploit
Now try each of the following and check for root after each try:
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 0
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 0
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 1
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 1
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 2
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 2
At this point, I need someone to run cmd-frama4 on an actual unit. My emulator cannot emulate the SCT.
I can see in the stacktrace that the framalib methods are invoked.
The following 2 parameter sets should have the highest success rate:
# use normal activity with Gimli exploit and selected idx 0 from root menu
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 0
# use ADB activity with Gimli exploit and selected idx 0 from root menu
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 0
Please post output and adb logcat in case of problems.