[MOD][KERNEL MODULE] wp_mod: disable system write protection


musti35

Senior Member
Apr 7, 2009
214
20
izmir
Hi friends;

I have HTC M8 Marshmallow with Sense 7.
I rooted my device with SuperSU 2.65.

I want to disable system write protection.

Can I do this with "m8-mmgpe-wp_mod.zip"?
"m8-mmgpe-wp_mod.zip" is for HTC M8 GPE edition.
 

mc_365

Senior Member
Sep 17, 2009
367
63
Jersey City
Bump. I'm in the same position, running VZW stock Sense 7 on Marshmallow.
S-Off
Unlocked
Rooted

Hoping somebody would just post a tut on removing the write protection from a stock rom.


blackbolt22

Member
Jan 31, 2013
44
8
How do I get this on the 5.0.2 Android version? I am on stock ROM, rooted, custom recovery.

Anyone? I see everything listed but 5.0.2.

My build # is 4.28.502.2, kernel version is 3.4.0-....., HTC Sense 6.0.
 

hellobbn

Senior Member
Jun 21, 2014
127
3
@flar2 Sorry to trouble you, but I want to ask:
I've known that wp_mod.c should be compiled with the kernel source, but I don't exactly understand how. Is putting the folder I cloned wherever in the source code folder fine?
 

Dandaivin

Member
May 5, 2016
38
3
So is this module a replacement for S-OFF? By using this, will I be able to flash the config.dat file to SIM unlock my HTC One M8, or will this not work?
 

MUNISH MONGA

Senior Member
Nov 14, 2015
79
94
DELHI
[NEED HELP]wp_mod for HTC Desire 826

It's extremely easy to disable write protection if you compile your own kernel, you just turn off MMC_MUST_PREVENT_WP_VIOLATION.

Previously, the wp_mod hack was dead simple. All we had to do was call an existing kernel function to change the number of the partition that write protection applied to. In the new source (below), HTC got rid of all this extraneous code and just hardcoded it to apply the write protection to /system. This happens in block/blk-core.c as you can see below. We need to skip over the quoted code.

Hello Sir,
I'm trying to disable S-ON system write protection on HTC Desire 826 (3.10.49-perf-gca7b0f1). In this device also, HTC uses MMC_MUST_PREVENT_WP_VIOLATION for /system write protection (commit: b75b4f2).
Code:
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 1.0.U20410.1@60201
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main:
(bootloader) version-misc: PVT SHIP S-ON
(bootloader) serialno: CC55EYG01638
(bootloader) imei: 
(bootloader) imei2: 
(bootloader) meid: 00000000000000
(bootloader) product: a52_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PHC10000
(bootloader) cidnum: HTC__038
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: 7b3f8116
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name: 1001
all: Done!
finished. total time: 0.109s

With reference to your quoted post. . .
https://xdaforums.com/showpost.php?p=54577811&postcount=124

I've hexedited the module to match the CRC checks for my device kernel-3.10.49-perf-gca7b0f1 but it doesn't seem to work. . .
Code:
insmod: init_module 'system/lib/modules/wp_mod.ko' failed (Exec format error)

I've attached the module I'm using (wp_mod.ko) and the reference module (mmc_test.ko) to match module_layout

With reference to your quoted post. . .
https://xdaforums.com/showpost.php?p=51586322&postcount=25
and this commit: b75b4f2

This can be done by changing. . .
Code:
 	might_sleep();
  
  #ifdef CONFIG_MMC_MUST_PREVENT_WP_VIOLATION
 	sprintf(wp_ptn, "mmcblk0p%d", get_partition_num_by_name("system"));

  	if (!strcmp(bdevname(bio->bi_bdev, b), wp_ptn) && !board_mfg_mode() &&
  			(get_tamper_sf() == 1) && (get_atsdebug() != 1) && (bio->bi_rw & WRITE)) {
  		pr_info("blk-core: Attempt to write protected partition %s block %Lu \n",
to
Code:
 	might_sleep();
  
  #ifdef CONFIG_MMC_MUST_PREVENT_WP_VIOLATION
 	sprintf(wp_ptn, "mmcblk0p%d", get_partition_num_by_name("xxxxxx"));
  	if (!strcmp(bdevname(bio->bi_bdev, b), wp_ptn) && !board_mfg_mode() &&
  			(get_tamper_sf() == 1) && (get_atsdebug() != 1) && (bio->bi_rw & WRITE)) {
  		pr_info("blk-core: Attempt to write protected partition %s block %Lu \n",

Now that I'm a bit new to modifying kernel through this kernel source, I need your help Sir!
What I'm trying to do here is remove this /system write protection by any means: modifying the kernel or by using wp_mod.ko
I've also attached the stock boot.img for my device for your reference.

Thank You
 

Attachments

  • wp_mod.zip
    14.4 KB · Views: 28
  • mmc_test.zip
    43.8 KB · Views: 13
  • boot_img.zip
    8.6 MB · Views: 13

Top Liked Posts

  • 74
    wp_mod: Module to disable system write protection

    This is a kernel module that disables write protection on the system partition while running the stock kernel.


    HTC changed the MMC_MUST_PREVENT_WP_VIOLATION code to make it much harder to crack. I had to redo the module completely, so this is experimental. In the past, it was a simple matter of changing a variable, now we have to replace a function in the kernel so it returns something different, causing the kernel to skip over the write protection code.

    I would caution against loading the module after attempting to make changes to the system partition. It could end up corrupting the filesystem. If the module is loaded at boot, there should be no worries.

    This module will probably need to be updated to load with future kernels when they are released.


    Please consider a donation to support ongoing development
    Many thanks to those who have donated!


    Download:

    wp_mod for GPE Marshmallow 6.0 can be found here:
    http://xdaforums.com/htc-one-m8/general/root-root-marshmallow-gpe-supersu-t3242210


    Sense 4.4.4 (thanks @migascalp):
    http://www.mediafire.com/download/4vyqslnc4crsnto/wp_mod_3.28.401.6.zip


    Sense 4.4.3 (2.22 base):
    wp_mod.ko

    Sense 4.4.2:
    wp_mod.ko

    GPE 4.4.4 (thanks to @italyforever):
    wp_mod.ko

    GPE 4.4.2:
    wp_mod.ko




    Installation:
    Wait for it to be implemented in your favourite ROM

    * or *

    Copy the module to your device, and type
    Code:
    su
    insmod /location-where-you-copied-it/wp_mod.ko


    Changes:

    April 2, 2014 - wp_mod 4.1
    -only return non-existing partition number if called by generic_make_request_checks
    -remove exit from module (we don't want to be able to unload it)
    -clean up code


    March 31, 2014 - wp_mod 4.0
    -new method for HTC One m8



    Source:
    https://github.com/flar2/wp_mod

    Module was compiled against m8 Google Play Edition source. Some symbol CRC checks had to be hexedited in the compiled module to match the stock kernel. Thanks to Michael Coppola for example of function hooking on arm: http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm
    9
    AWESOME work flar2.

    After examining the source, it is indeed *much* more complicated than it has been in the past. Just curious, if you have the kernel source, what is to stop you from just rewriting the hooked functions instead of hijacking them with this code, which appears to be proof of concept code for ARM rootkits?

    Second question, the very informative page you linked to, and based this on, says this about ARM instruction caching:

    http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm


    Any reason why you do not use this approach in your module?


    Last and possibly most important question. The page also says this:

    The code uses this approach only to avoid detection by rootkit detectors, something that we should have zero concerns about. Why not use the other approach, system call hooking by swapping out function pointers in the system call table?


    THANK YOU.

    I did rewrite the function. Remember, we have to do this in the running kernel. Whenever the original function is called, it jumps to my new function instead. Hooking/hijacking are the same thing. That site also shows how to hide the module and a bunch of other stealth stuff, but none of that was necessary for this.

    It's extremely easy to disable write protection if you compile your own kernel, you just turn off MMC_MUST_PREVENT_WP_VIOLATION.

    Previously, the wp_mod hack was dead simple. All we had to do was call an existing kernel function to change the number of the partition that write protection applied to. In the new source (below), HTC got rid of all this extraneous code and just hardcoded it to apply the write protection to /system. This happens in block/blk-core.c as you can see below. We need to skip over the quoted code.

    Code:
    static noinline_for_stack bool
    generic_make_request_checks(struct bio *bio)
    {
    
    ......
    
    #ifdef CONFIG_MMC_MUST_PREVENT_WP_VIOLATION
    	sprintf(wp_ptn, "mmcblk0p%d", get_partition_num_by_name("system"));   //hardcoded to look for system partition
    	if (!strcmp(bdevname(bio->bi_bdev, b), wp_ptn) && !board_mfg_mode() &&   //wp_ptn == mmcblk0p45  (/system)
    			(get_tamper_sf() == 1) && (bio->bi_rw & WRITE)) {
    		pr_info("blk-core: Attempt to write protected partition %s block %Lu \n",
    				bdevname(bio->bi_bdev, b), (unsigned long long)bio->bi_sector);
    		err = 0;
    		goto wp_end_io;
    	} else if (atomic_read(&emmc_reboot) && (bio->bi_rw & WRITE)) {
    		pr_info("%s: Attempt to write eMMC, %s block %Lu \n", current->comm,
    				bdevname(bio->bi_bdev, b), (unsigned long long)bio->bi_sector);
    		err = -EROFS;
    		goto wp_end_io;
    	}
    #endif
    
    ..............
    
    }


    It's a *bad idea* to replace a big complicated important function like static noinline_for_stack bool generic_make_request_checks() so I decided to modify a simpler function within it, get_partition_num_by_name(). I changed get_partition_num_by_name() to return a different partition number when name == system. I didn't see any code in the kernel source where it would cause a problem to return the wrong partition number for system. After loading wp_mod.ko, write protection is applied to a non-existent partition instead of /system. The end result is exactly the same as my old wp_mod that has proven to work on many devices.


    Why didn't I just change the address in the system call table? I don't think that is so easy on contemporary kernels. I found the function hooking method simpler and more foolproof.


    EDIT: in my haste while answering this at work, I quoted the wrong function containing the write protection code. It's static noinline_for_stack bool generic_make_request_checks not bio_check_eod (which is the function right above it in blk-core.c)
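
    Added example (not part of the original post, and not HTC's or flar2's code): a userspace C model of the quoted CONFIG_MMC_MUST_PREVENT_WP_VIOLATION branch, showing that the gate rests on one string comparison against the looked-up partition number and that a blocked write is completed with err = 0. The names wp_state, wp_check and the verdict enum are hypothetical, and it assumes wp_end_io completes the bio with err.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum verdict { PASS, DROPPED_REPORTED_OK, REJECTED_EROFS };

/* Constructed stand-ins for the kernel state the quoted branch reads. */
struct wp_state {
    int  system_partnum; /* result of get_partition_num_by_name("system") */
    bool mfg_mode;       /* board_mfg_mode() */
    int  tamper_sf;      /* get_tamper_sf() */
    bool emmc_reboot;    /* atomic_read(&emmc_reboot) */
};

/* Same test order as the quoted code. *err is the status the bio would be
 * completed with (assumption: wp_end_io ends the bio with err). */
enum verdict wp_check(const struct wp_state *s, const char *bdev,
                      bool is_write, int *err)
{
    char wp_ptn[32];

    snprintf(wp_ptn, sizeof wp_ptn, "mmcblk0p%d", s->system_partnum);
    *err = 0;
    if (!strcmp(bdev, wp_ptn) && !s->mfg_mode &&
        s->tamper_sf == 1 && is_write)
        return DROPPED_REPORTED_OK; /* err stays 0: the writer sees success */
    if (s->emmc_reboot && is_write) {
        *err = -EROFS;              /* only this branch reports a failure */
        return REJECTED_EROFS;
    }
    return PASS;
}

int main(void)
{
    int err;
    struct wp_state s = { 45, false, 1, false }; /* 45: from the code comment */

    printf("write to system:      %d (err=%d)\n",
           wp_check(&s, "mmcblk0p45", true, &err), err);
    printf("read from system:     %d\n",
           wp_check(&s, "mmcblk0p45", false, &err));
    s.system_partnum = 99; /* constructed: lookup answers with an unused number */
    printf("write, lookup now 99: %d\n",
           wp_check(&s, "mmcblk0p45", true, &err));
    return 0;
}
```

    Because the first branch returns status 0, a write to /system under the stock check is discarded without an error code; the pr_info line in the kernel log is the only trace of it.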
    9
    I've updated the module a bit to make it easier to port to future kernels and other devices that use this form of write protection. All that needs to be done is to edit the CRC value for module_layout. I've also made it so the module can't be unloaded, we don't want to do that. In the process, I was able to reduce the module's overhead. Also, as per @m03sizlak's suggestion, I made it so it will only return the non-existent partition if the calling function is generic_make_request_checks.

    The first version works, but we should start testing this version.


    Download:
    wp_mod.ko

    (downloads not showing up for some reason, hold on)


    Changes:
    -only return non-existing partition number if called by generic_make_request_checks
    -remove exit from module (we don't want to be able to unload it)
    -clean up code
    9
    wp_mod for Sense 6 Android 4.4.3 2.22.401.4

    wp_mod.ko
    8
    For users who have init.d support in their ROM. Flash this and you're good to go

    https://mega.co.nz/#!XINyDIrB!QcdP3sZJjgKAivkEa7iN8Jusx0e78T1rpA5PT7VGAxQ

    Sent from my Note 3