[dev][kernel][kexec]


munjeni

I think the fwrite line doesn't do its job, but anyway I tried echo boot > /dev/kexec_driver but the device did not reboot. So I checked the dmesg. The only thing I could find about this process, module or driver was this line:
"<6>[83652.446275] procfs_rw: procfile_read (/proc/atags) called"

Well, I had the same situation and the problem was:
- stock kernels on a locked bootloader have no ATAGS config enabled, so atags are always empty; you can hack atags by making them available in the proc directory but they will always be empty. I have tried to port the ATAGS part of the kernel to a module but I must say that's a hard job, good luck porting them! Atags are created at boot time so you need a very good idea to hack/port them through a kernel module or whatever. I had no luck making kexec work on a locked bootloader since I had no idea how to enable atags and make them non-empty.
 

munjeni

Hey @delewer! Need help! Status of my implementation:

1. implemented hardboot page reservation (success)
2. implemented kexec_load by hijacking sys_call_table (success)
3. implemented device tree (success)
4. implemented the rest (success but kernel panic in func machine_kexec_prepare)

Log 1 (everything seems right on the kexec binary side):
insmod /system/lib/modules/kexecmod.ko
root@D5503:/ # kexec --load-hardboot /storage/sdcard1/kernel --initrd=/storage/sdcard1/initrd.gz --mem-min=0x20000000 --command-line="$(cat /proc/cmdline)" --dtb=/storage/sdcard1/dt.img

kernel: 0xb5eeb008 kernel_size: 6f8f80
DTB: Using DTB from file /storage/sdcard1/dt.img
DTB: platform 126 hw 8 soc 0x20002 board 185
DTB: match 0x20002 185, my id 0x20002 185, len 217769
DTB: add dtb segment 0x21ec2000
kexec_load: entry = 0x20008000 flags = 280004
nr_segments = 3
segment[0].buf = 0xb5eeb008
segment[0].bufsz = 6f8f80
segment[0].mem = 0x20008000
segment[0].memsz = 6f9000
segment[1].buf = 0xb6c05008
segment[1].bufsz = 2dddc4
segment[1].mem = 0x21be4000
segment[1].memsz = 2de000
segment[2].buf = 0xb6b63008
segment[2].bufsz = 356a9
segment[2].mem = 0x21ec2000
segment[2].memsz = 36000

Log 2 (last_kmsg):
- http://pastebin.com/1CMJxyTe

Makefile for module:
kexecmod-objs := ../../arch/arm/kernel/relocate_kernel.o \
../../fs/proc/proc_devtree.o \
kexec_mod.o
obj-m += kexecmod.o

Here is my source code, please see if I am missing something!
 

Attachment: kexec_mod.c (56 KB)
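Log 1 above prints each segment's buf/bufsz/mem/memsz. This added C example (not munjeni's module or kexec-tools code) encodes those three segments and applies the checks the kernel's kexec_load path performs on a segment list before accepting it: page alignment of mem and memsz, bufsz not exceeding memsz, no overlap between segments, plus the --mem-min floor from the command line; the constants, struct and error codes are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define KEXEC_PAGE_SIZE 4096u
#define MEM_MIN         0x20000000u /* the --mem-min passed in log 1 */

/* One destination segment, as printed by the kexec binary. */
struct kexec_segment {
    uint32_t mem;    /* physical load address */
    uint32_t memsz;  /* reserved size, page rounded */
    uint32_t bufsz;  /* bytes actually copied from user space */
};

/* Segments copied from log 1 (kernel, initrd, dtb). */
static const struct kexec_segment log1_segments[] = {
    { 0x20008000u, 0x6f9000u, 0x6f8f80u },
    { 0x21be4000u, 0x2de000u, 0x2dddc4u },
    { 0x21ec2000u, 0x36000u,  0x356a9u  },
};

enum seg_err {
    SEG_OK = 0,
    SEG_UNALIGNED,     /* mem or memsz not page aligned */
    SEG_BUF_TOO_BIG,   /* bufsz exceeds memsz */
    SEG_BELOW_MEM_MIN, /* segment starts under --mem-min */
    SEG_OVERLAP,       /* two segments share physical pages */
    SEG_WRAP,          /* mem + memsz overflows 32 bits */
};

/* Returns SEG_OK or the first problem found; *bad receives the index of
 * the offending segment (n when everything passed). */
enum seg_err check_segments(const struct kexec_segment *s, size_t n, size_t *bad)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t end = (uint64_t)s[i].mem + s[i].memsz;
        if (bad)
            *bad = i;
        if (end > UINT32_MAX)
            return SEG_WRAP;
        if (s[i].mem % KEXEC_PAGE_SIZE || s[i].memsz % KEXEC_PAGE_SIZE)
            return SEG_UNALIGNED;
        if (s[i].bufsz > s[i].memsz)
            return SEG_BUF_TOO_BIG;
        if (s[i].mem < MEM_MIN)
            return SEG_BELOW_MEM_MIN;
        /* Compare against every earlier segment: [mem, end) must not intersect. */
        for (size_t j = 0; j < i; j++) {
            uint64_t jend = (uint64_t)s[j].mem + s[j].memsz;
            if (s[i].mem < jend && s[j].mem < end)
                return SEG_OVERLAP;
        }
    }
    if (bad)
        *bad = n;
    return SEG_OK;
}

int main(void)
{
    size_t bad;
    enum seg_err e = check_segments(log1_segments, 3, &bad);
    printf("log 1 segments: %s\n", e == SEG_OK ? "ok" : "problem");
    return e == SEG_OK ? 0 : 1;
}
```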

richmaster1o2

I thank you so much for the dev work on kexec... I hope you can make it... if I can help with testing just say it...
 

delewer

Hi munjeni

Your kexec mod is not granted by the MMU to write in memory. It's an S800 security implemented in the kernel by Sony

I haven't found yet how to disable this on the fly.

Your panic is on the "mem_text_write_kernel_word" instructions

I see how to mod the memory driver, but it's not easy.

Sent from my C6903 using XDA Free mobile app
 

munjeni

Hi munjeni

Your kexec mod is not granted by the MMU to write in memory. It's an S800 security implemented in the kernel by Sony

I haven't found yet how to disable this on the fly.

Your panic is on the "mem_text_write_kernel_word" instructions

I see how to mod the memory driver, but it's not easy.

Sent from my C6903 using XDA Free mobile app

Yes, it fails on mem_text_write_kernel_word but I really haven't found why. This function works in other modules without any problem, but in this kexec it fails. I have searched a lot by grepping KEXEC and have analysed every file which contains this word, but I am unable to find the reason for that. From my thinking, probably a module can not write to this memory region, but a builtin module can. Maybe only builtin modules have rights for that? What do you think? Absolutely I have no idea why it happens :( Also I found some complaints in the reboot function while I was using strace to analyse the kexec binary! I have tried your module, everything seems right but the reboot function also fails in the strace analysis!

Edit:
probably ssize_t sys_kexec_load (which lives at 0xc01b4d38):
<6>[ 71.333237] Hooking function 0xc01b4d38 with 0xbf36915c

probably we can not hook the sys_kexec_load function since after hooking this function the mem address is changed to 0xbf36915c, so it looks like this:
<1>[ 86.554454] Unable to handle kernel paging request at virtual address 0xbf3680e4

0xbf3680e4 is near the hooked sys_kexec_load, which looks like kexec fails since it's not 0xcXXXXXXX, instead it is now 0xbXXXXXXX

next thing:
<6>[ 86.557062] [<c01136b4>] (mem_text_write_kernel_word+0x28/0x48) from [<bf368d80>] (machine_kexec_prepare+0x64/0xd4 [kexecmod])

I have no idea how to solve this. Do you have info on where the limit is? For example 0xCfffffff is the kernel space end & 0xB0000000 is the userspace start (just an example :)).

Edit:
Probably all external modules are limited since they live in 0xBxxxxxxx memory, so all calls from 0xBxxxxxxx are blocked by the mmu, while builtin modules which live in 0xCxxxxxxx memory have rights for that :( Or at least maybe there are differences in page size between 0xbxxxxxxx and 0xcxxxxxxx? Probably we will need to locate the function which is used for limiting that and hook it?
 

delewer

Thx a lot for this review !

I think it's not a problem from addresses, but TO addresses.
For example, in kexec.c you have a mem_text_write_kernel_word, and it works perfectly
It's because the target write addresses are located in a rwx memory range.
I have solved this part of kexec by using user memory to code the reloc_kernel
My kexec panics at the "soft_restart" function, whether module coded or "in kernel" called.

MMU panic at every step ;)

I have thought of a looot of solutions.
One of them is to rewrite the memory driver on the fly
Another, a custom "insmod" to load in a not protected memory range;
None of these ideas are nice.

Welcome ! ;)


Edit 1:
Searching for a way to use another virtual memory in 0xB addresses is brilliant, and stop using 0xC !
I'll see to do that.

Sent from my C6903 using XDA Free mobile app
 

munjeni

I don't understand why soft_restart fails, does it seem this kernel function is bad?

Edit:
This function was tested by me in a separate kernel module and I confirm it is working (I have successfully rebooted into a few modes, which means the func is ok):
#include <linux/kernel.h>
#include <linux/kallsyms.h>
#include <linux/io.h>

#define RESTART_ADDRESS 0xFA00A65C /* virtual address of the restart-reason register on this device */
#define RECOVERY_MODE 0x77665502
#define FASTBOOT_MODE 0x77665500
#define ADB_REBOOT_MODE 0x77665501
#define SW_REBOOT_MODE 0x776655AA

static void msm_kexec_hardboot_hook(void)
{
	/* These helpers are not exported by the stock kernel, so resolve them at runtime. */
	void (*set_dload_mode_new)(int) = (void *)kallsyms_lookup_name("set_dload_mode");
	void (*msm_disable_wdog_debug_new)(void) = (void *)kallsyms_lookup_name("msm_disable_wdog_debug");
	void (*halt_spmi_pmic_arbiter_new)(void) = (void *)kallsyms_lookup_name("halt_spmi_pmic_arbiter");
	void __iomem *restart_reason_new = (void __iomem *)RESTART_ADDRESS;

	/* A failed lookup returns 0; calling through it would oops, so bail out instead. */
	if (!set_dload_mode_new || !msm_disable_wdog_debug_new || !halt_spmi_pmic_arbiter_new) {
		pr_err("kexec hardboot: kallsyms lookup failed, not touching restart path\n");
		return;
	}

	set_dload_mode_new(0);                            /* do not drop into download mode on reset */
	//pm8xxx_reset_pwr_off(1); // no definition for this
	__raw_writel(SW_REBOOT_MODE, restart_reason_new); /* restart reason read back by the bootloader */
	msm_disable_wdog_debug_new();
	halt_spmi_pmic_arbiter_new();
}

I do not know why the reboot call complains in my kexec module, because the soft_restart func call comes only after kexec_hardboot_hook in the machine_kexec function! Maybe the kexec binary has its own reboot function? In the separate module the hardboot_hook reboot is working, so probably the reboot is coming from the kexec binary, or I am wrong :)
 

munjeni

Maybe we can try to write to 0xBxxxxxxx with __raw_writel just for testing whether the problem is the mmu or we have a paging problem!
 

Surge1223

Hey @delewer! Need help! Status of my implementation:

1. implemented hardboot page reservation (success)
2. implemented kexec_load by hijacking sys_call_table (success)
3. implemented device tree (success)
4. implemented the rest (success but kernel panic in func machine_kexec_prepare)

Log 1 (everything seems right on the kexec binary side):


Log 2 (last_kmsg):
- http://pastebin.com/1CMJxyTe

Makefile for module:


Here is my source code, please see if I am missing something!

I am using some of your source but my implementation of machine kexec is different, and subsequently I can get past machine_kexec_prepare to the kexec call w/ stack, where it hangs (no panics though). Maybe a few of us can talk kexec on Hangouts?


Edit: Can you or @delewer look at my relocate kernel code? I'm thinking I'm having issues writing to memory...

https://github.com/surge1223/kernel...blob/master/arch/arm/kernel/relocate_kernel.S

Code:
[  198.929656] kexec: kexec: KEXEC_IOC_LOAD
[  201.055480] kexec: kexec: KEXEC_IOC_CHECK_LOADED (1)
[  201.115417] kexec: kexec: KEXEC_IOC_REBOOT
[  201.115509] KEXEC: preempt_disable
[  201.115631] KEXEC: disable interrupts
[  201.115722] KEXEC: kernel_restart_prepare_ptr
[  201.115783] set_dload_mode  ( c00788e4 )
[  201.115936] (sec_debug_set_upload_magic) 0
[  201.121337] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.134979] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.155181] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.174865] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.195098] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.214843] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.234954] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.255340] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.276275] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.295318] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.315307] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.335418] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.355285] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.357696] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.375274] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.427337] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.427581] qup_i2c qup_i2c.2: QUP: I2C status flags :0x1300c8, irq:228
[  201.429626] qup_i2c qup_i2c.2: I2C slave addr:0x26 not connected
[  201.430206] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.447265] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.451995] BUG: scheduling while atomic: kexec/664/0x00000003
[  201.454193] KEXEC: machine_shutdown
[  201.455383] MKEXEC: found gic_raise_softirq: c001e914
[  201.455596] MKEXEC: waiting for CPUs ...(1000000)
[  201.455718] KEXEC: machine_kexec
[  201.455841] MKEXEC: va: da3c9000
[  201.456054] MKEXEC: kexec_start_address: 80208000
[  201.456176] MKEXEC: kexec_indirection_page: 9b825000
[  201.456390] MKEXEC: kexec_mach_type: 00000f6d
[  201.456512] MKEXEC: kexec_boot_atags: 80201000
[  201.456604] MKEXEC: copy relocate code: addr=0xda3c9000, len==136
[  201.456817] MKEXEC: kexec_reinit
[  201.456939] MKEXEC: soft_restart
[  201.457061] MKEXEC: outer_flush_all
[  201.457275] MKEXEC: outer_disable
[  201.457366] MKEXEC: kexec_identity_mapping_add 0x16640000-0x16641000
[  201.457580] MKEXEC: end mappings end==0x16641000
[  201.457702] MKEXEC: flush_cache_all() 
[  201.458007] MKEXEC: local_flush_tlb_all() 
[  201.458251] MKEXEC: kexec_call_with_stack (va: 0xbf0046c0, __soft_reset: 0xbf00416c, addr: 0x9b8c9000, stack: 0xbf004fc8)
 

mirhl

Anything interesting/useful in here?

Sent from my Xperia S using XDA Free mobile app
 

Aphole

What are the commands to disable: kernel level write protection, ssm, and change the Sony bootloader to a brown device?


I am on an Xperia C6606, it has a Snapdragon I believe... so these would be similar methods, right?
 

[NUT]

It would be great if we can finally get this thing to work properly, that way we can finally bring locked bootloader root to the devices from the Z3+ upwards, getting root is not hard (any more) but it's impossible to have it stick. Because if you modify system on those devices they end up in a bootloop due to dm-verity...

If we could load the kexec module to the running kernel to eventually make that boot an alternate system partition instead (stored in a disk image) that would be the safest way to have root and complete control over the device/rom, without ending up in a bootloop...

@delewer @Surge1223 @munjeni @smgdev

I'm not a C/C++ programmer myself, I'd love to take on this task if I could... but all I can do is help to structure the search for a solution and do a project lead... but I just hope to jolt your memory on this project and focus you back on this project... it would be the best news ever for Z3+/Z4/Z5 owners around the world.
 

Surge1223

It would be great if we can finally get this thing to work properly, that way we can finally bring locked bootloader root to the devices from the Z3+ upwards, getting root is not hard (any more) but it's impossible to have it stick. Because if you modify system on those devices they end up in a bootloop due to dm-verity...

If we could load the kexec module to the running kernel to eventually make that boot an alternate system partition instead (stored in a disk image) that would be the safest way to have root and complete control over the device/rom, without ending up in a bootloop...

@delewer @Surge1223 @munjeni @smgdev

I'm not a C/C++ programmer myself, I'd love to take on this task if I could... but all I can do is help to structure the search for a solution and do a project lead... but I just hope to jolt your memory on this project and focus you back on this project... it would be the best news ever for Z3+/Z4/Z5 owners around the world.

Agreed. After bypassing module loading restrictions and loading the kexec and machine_kexec modules + atags/device tree info/modules it should be possible to kexec to another kernel. I have successfully got the kexec kernel to load into cache but usually that's where progress gets difficult. Normal kexec always gets corrupted in purgatory/cache but this might be an issue with the cpu reset and shutdown implementations.

I had more success using kexec-hardboot as a module, as that actually got me past the issues with cache I was having with normal kexec. I stopped messing with that module a while back when I got frustrated with memory remapping. But I'd definitely like to see more projects like this.
 

smgdev

It would be great if we can finally get this thing to work properly, that way we can finally bring locked bootloader root to the devices from the Z3+ upwards, getting root is not hard (any more) but it's impossible to have it stick. Because if you modify system on those devices they end up in a bootloop due to dm-verity...

If we could load the kexec module to the running kernel to eventually make that boot an alternate system partition instead (stored in a disk image) that would be the safest way to have root and complete control over the device/rom, without ending up in a bootloop...

@delewer @Surge1223 @munjeni @smgdev

I'm not a C/C++ programmer myself, I'd love to take on this task if I could... but all I can do is help to structure the search for a solution and do a project lead... but I just hope to jolt your memory on this project and focus you back on this project... it would be the best news ever for Z3+/Z4/Z5 owners around the world.
I am not a z device owner, I actually joined this thread for another device but I had some experience with kexec and would love to help you guys.

Sent from my ASUS_T00F using Tapatalk
 

capt_planit

I'm using V10 from page one. For some reason I just get "couldn't find free memory" when I run from internal storage. When I run from the sdcard I get this:
dmesg | grep kexec
<4>[ 7242.237476] c0 Kexec: - Starting kexec_load...
<4>[ 7296.988567] c1 Kexec: - Starting kexec_load...
<6>[ 7296.988604] c1 Kexec: machine_kexec_prepare
<4>[ 7296.988642] c1 Kexec: kexec_info - Information
<4>[ 7296.988671] c1 Kexec: kexec_info - segment[0]: 0x40001000 - 0x40002000 (0x00001000) => zImage
<4>[ 7296.988718] c1 Kexec: kexec_info - segment[1]: 0x40008000 - 0x404ac000 (0x004a4000) => initrd
<4>[ 7296.988763] c1 Kexec: kexec_info - start : 0x40008000
<6>[ 7296.988805] c1 Kexec: machine_kexec_prepare - kexec_boot_atags : '0x4'
<6>[ 7296.988841] c1 Kexec: machine_kexec_prepare - image->start : '0x40008000'
<6>[ 7296.988880] c1 Kexec: machine_kexec_prepare - page_list : '0x0'
<6>[ 7296.988915] c1 Kexec: machine_kexec_prepare - machine_arch_type : '0xeb5'
<6>[ 7296.988952] c1 Kexec: machine_kexec_prepare - kexec_start_address ==> '0x40008000'
<6>[ 7296.988994] c1 Kexec: machine_kexec_prepare - kexec_indirection_page ==> '0x0'
<6>[ 7296.989032] c1 Kexec: machine_kexec_prepare - kexec_mach_type ==> '0xeb5'
<6>[ 7296.989072] c1 Kexec: machine_kexec_prepare - kexec_boot_atags ==> '0x40001000'
<6>[ 7296.989113] c1 Kexec: machine_kexec_prepare - reboot_code_buffer ==> '0xebdbf000'
<6>[ 7296.989155] c1 Kexec: machine_kexec_prepare - reboot_code_buffer_phys ==> '0x6bdbf000'
<6>[ 7296.989197] c1 Kexec: machine_kexec_prepare - my_reloc_kernel ==> '0xbf021bc0'
<6>[ 7296.989238] c1 Kexec: machine_kexec_prepare - relocate_new_kernel_size ==> '0x88'
<6>[ 7296.989330] c1 Kexec: C(")(") - kexec by delewer...
<6>[ 7296.989359] c1 Kexec: machine_kexec_prepare - End
<4>[ 7297.004716] c1 Kexec: - ---- kexec_load - result : '0'
The sad thing is, of the 3 different modules I've got currently compiled, this seems to be the closest to success. How do I debug this further? Am I right in assuming that this is caused by my lack of the system call in the running kernel?
 

capt_planit

I'm blocked at the "soft_restart" function because of the "cpu_proc_fin" freeze ("mcr p15" mmu rollback can't be executed)
So, I search...

Well, here I am, one year later, still can't get it to work. If cpu_proc_fin won't return thanks to the above issue you can try to use a proc-v7.S from a previous implementation. I used the one available from the kexec_emulation module. Hope this helps someone. c_p
 

Top Liked Posts

    Last Update : August, 19, 2014
    Hi,

    I'm still trying to bypass the MMU protection.
    I have fixed a lot of bugs, like memory misalignment, bad address allocation, dtb correction, etc...
    Last sources and binaries here :
    kexec-tools V11.zip : http://xdaforums.com/attachment.php?attachmentid=2902912&stc=1&d=1408401794
    kexec-tools binaries V11.zip : http://xdaforums.com/attachment.php?attachmentid=2902913&stc=1&d=1408401794

    Sorry, I still have a 13 sec reboot after the new kernel boots.
    "cpu_proc_fin" uses a "mcr p15" to init cache and proc that causes the freeze.
    I'm trying to find a solution for that.


    Last Update : June, 22, 2014
    Hi,

    My sources are horrible... but I give something new.

    This kexec is for the stock kernel only (tested on .757). I think these sources work on other kernels too.

    In "kexec-tools V10.zip", you have all my sources. It's highly recommended to mod them to have something OK.

    In "kexec binaries.zip", you have binaries to install
    => "kexec_load.ko" and "procfs_rw.ko" must be placed in the "/system/lib/modules" folder with "chmod 777"
    => "kexec" must be placed in the "/system/bin" folder with "chmod 777"
    => cd /system/lib/modules
    => insmod kexec_load.ko

    For sources :
    Mod and adapt all you want, it's free.
    You have 2 scripts in the zip : "./compil-kexec" in the "kexec-tools" folder to rebuild and send to the device directly (install Adbtcp on the device and send by tcp with : adb connect xxx.xxx.xxx.xxx) = works perfectly for me.
    "scriptZ1" is for compiling the stock kernel or another kernel (doomlord kernel for eg)
    You must rename the "custom_final_files" folder after compiling to "final_file" manually ; you can have the guest kernel in "custom_final_files" and the stock kernel in "final_files" for the "kexec-tools" path ... Don't mix a guest and host kernel please ^^

    I am tired... I let you test and say if it's ok for you...

    Thanks a lot to munjeni for his help.

    kexec-tools V10.zip : http://xdaforums.com/attachment.php?attachmentid=2811994&stc=1&d=1403456181
    kexec binaries.zip : http://xdaforums.com/attachment.php?attachmentid=2811995&stc=1&d=1403456181


    Last Update : November, 23, 2013
    Hi,
    For a few days now, I haven't had any more kernel panics with my kexec.
    I have fixed a few things in the sources, and added a lot.

    These additions are to include a "dt.img" image file in the kexec load process.

    This image file is a "device_tree" image to match hardware to software.

    So, I assume not to include atags in the boot process, but to pass bootloader information by this DT.
    I have programmed a little memory scan to find dynamically all magic tags, because I found 3 device_trees in memory (magic is "0xd00dfeed").
    These 2 device_trees are echoes of the first and nicely structured.

    The boot process needs to have information from this DT, and needs all information to initialize hardware (no HDW initialisation by the kernel)
    I must first fix issues ; regroup zImage and dt.img in memory to load a solid block into the kexec_load module to boot into, and second, fix an offset I can't explain, 0x800 in memory causing memory misalignment

    Keep tuned..



    Last Update : November, 17, 2013

    Hi everybody,

    My kexec-tools work for the Sony Xperia Z1 stock kernel "3.4.0-perf"
    This tool can work on all locked bootloaders for all locked devices, not only Sony or Z1 models.
    This kexec-tools adds a kexec_load kernel module (LKM) and uses a driver to grant communication between the "kexec" user program and the kexec_load.ko module

    What is it for ?
    The "kexec" user program loads a custom kernel in zImage format into memory, but can load a ".tar" image too
    This user tool loads a ramdisk into memory if necessary
    This tool is for this purpose only, and doesn't keep the custom kernel in memory at device reboot.
    It is a "user" program, not a "kernel" extension... So, to really do the magic, we need the host kernel (stock Sony locked kernel) to have a kexec_load capability to reboot into a new guest kernel (custom kernel).

    Unfortunately, the stock kernel doesn't have the kexec_load capability.
    Sony has compiled its stock kernel without this option, and "standard" kexec-tools "need" this option to work. :eek:

    To see all system call capabilities of the kernel, you can run these commands :
    Code:
    echo 0 > /proc/sys/kernel/dmesg_restrict
    echo 0 > /proc/sys/kernel/kptr_restrict
    cat /proc/kallsyms
    Do all the grep you want here.
    The "echo 0" "restrict" is here to unmask the logical addresses of "system calls"
    As you can see, the "__NR_kexec_load" capability isn't here.

    To add the kexec_load capability to the stock locked kernel, we need to manually add a kernel module which adds this function into the kernel.
    Why ? Because the way to keep a custom kernel in memory needs to know a lot of parameters, and keep a specific memory range alive at reboot.
    Only the kernel can do this.
    All user programs will be terminated at reboot.

    The "standard" kexec_load.ko module uses a method to implement the "__NR_kexec_load" function in the system call table.
    Since the 2.6.0 kernel, Linux, for security reasons, has locked the "system_call_table" in memory ; no more additions or modifications are authorized.
    If the kexec tool tries to add a value, "kexec_load" for us, we cause a kernel panic, and reboot the device.

    For this reason, I have modified the kexec user program and kexec_load module to implement a driver to talk to each other.

    This driver replaces the syscall method, and we no longer need to use the system call table.
    For this reason, this tool is now compatible with modern kernels like our "3.4.0"
    For this reason, this tool must work for other devices (Xperia X, P, S, etc...) and other brands
    For this reason, if the kernel is locked, we can bootstrap to run a new kernel.


    Installation
    First, you can compile your own kexec tool
    Here, sources : http://xdaforums.com/attachment.php?attachmentid=2397299&stc=1&d=1384689174

    And here, the binaries : http://xdaforums.com/attachment.php?attachmentid=2397305&stc=1&d=1384689406
    (it's not a CWM zip, I have no time to create an installer for now ; use "./compil-kexec" if you want an automatic install)
    Install *.ko in /system/lib/modules
    Install kexec and kdump in /system/bin
    Grant with "chmod 777"


    Unzip in the kexec-tools folder
    Install a toolchain (sudo apt-get install gcc-arm-linux-gnueabi)
    launch => ./compil-kexec

    What does it all do ?
    This script can do everything for you
    - Compilation of tools
    - Compilation of modules
    - installation on the device
    This script can compile for every brand you have.
    Except you must remove or adapt the patch (see below why)


    Patch ??
    This patch is needed because a module must be compiled at the same time as the kernel itself.
    For this reason a "vermagic", an identifier, is used by the system to block every module not compiled with the kernel
    Some custom kernels bypass this to authorize every module.
    But for the stock kernel, it is not allowed.
    You can easily strap this with busybox.
    "busybox modprobe" for help
    "-f" to force load without vermagic

    To see this vermagic :
    Code:
    # uname -r
    This "uname -r" must be the same as
    Code:
    # strings kexec_load.ko | grep vermagic
    vermagic=3.4.0-perf-g66807d4-02450-g9a218f1 SMP preempt mod_unload modversions ARMv7
    If you want to use this vermagic automatically, you can modify this file in the custom kernel :
    Code:
    "include/config/kernel.release" and add :
    "3.4.0-perf-g66807d4-02450-g9a218f1"
    This file will be used at module compile time to match the vermagic.


    Unfortunately, it is not enough. :silly:

    The infamous "no symbol version for module_layout"
    When a module is compiled, it uses symbol links to system call functions, translated to addresses
    These symbols are not at the same physical addresses in the stock kernel and the modules (compiled from the DooMLoRD kernel).
    So, these addresses must be converted in the modules themselves to match the stock symbol addresses.
    A patch is needed.
    If you use my script, modules are automatically patched.

    Here are the patches :
    Code:
    sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' procfs_rw.ko
    sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' kexec_load.ko
    sed -i 's/\xBB\xD0\xF8\x4D/\x0E\x1C\x63\x77/' kexec_load.ko
    sed -i 's/\xA6\x26\x81\x1A/\xD4\x56\x02\x7E/' kexec_load.ko
    sed -i 's/\xA3\xD1\xEC\x96/\xEC\x43\x28\x1A/' kexec_load.ko
    sed -i 's/\x8C\xE6\x6A\x5F/\x3D\xDF\x02\xF2/' kexec_load.ko
    sed -i 's/\x3E\xF3\xEF\xE9/\x18\x7F\xA6\x8A/' kexec_load.ko
    sed -i 's/\x8B\xD2\x92\x10/\xC8\x19\x08\x9C/' kexec_load.ko
    sed -i 's/\x1C\xE8\x18\xE1/\x7C\x71\x9E\xEF/' kexec_load.ko
    sed -i 's/\xAB\x2C\x2F\x8B/\x8E\xD7\x63\xC0/' kexec_load.ko
    sed -i 's/\xF5\x62\xAA\x4B/\x34\x80\x1B\x74/' kexec_load.ko
    sed -i 's/\x00\x52\xD6\xD7/\x6F\x80\x91\x20/' kexec_load.ko
    sed -i 's/\x4F\x77\x57\x6A/\x0C\x57\xC7\x63/' kexec_load.ko
    sed -i 's/\xCA\x2F\x65\x71/\x92\xB8\x7F\x53/' kexec_load.ko
    sed -i 's/\x0F\xD0\xA0\x91/\xFA\x80\x15\xB4/' kexec_load.ko
    sed -i 's/\x29\xA0\x6D\x48/\x6C\x6B\x96\x54/' kexec_load.ko
    sed -i 's/\x6D\x1F\x1F\x37/\xCC\x5E\x79\x8B/' kexec_load.ko
    sed -i 's/\xFD\x23\xD0\xFB/\xE3\xE3\x68\x52/' kexec_load.ko
    You can use hexedit or hexdump to see these addresses :
    Code:
    hexdump kexec_load.ko | grep ff72
    0003d50 b0b0 80ac ff72 205e 6f6d 7564 656c 6c5f
    How does it work ?
    # kexec --help
    For kexec help... nothing more to say.

    # lsmod
    Lists loaded modules... You must see
    kexec_load 31369 0 - Live 0x00000000 (O)

    # rmmod kexec_load.ko
    Removes the kexec_load module from memory.

    # grep kexec /proc/devices
    To see the installed driver.
    You must see :
    100 kexec_driver

    The first number is the "major" number identifying your driver in the system.

    # mknod /dev/kexec_driver c 100 0
    Installs the driver node.
    The major number (here 100) is important for the module.
    This major must be the same between module and driver.
    By default, 100 is used.

    # insmod kexec_load.ko
    To install the "LKM", kexec_load kernel module.
    If another major is needed, you can use "insmod kexec_load.ko 101" for major 101
    You can use "modprobe" if you want, but you must configure the module folder.


    How do kexec and the module exchange information ?
    By the driver.
    Normal output for a kernel module is to write to the "dmesg" log.
    To see kernel output, launch this command :
    Code:
    # dmesg
    To see the last kernel log, look in :
    Code:
    # cat /proc/last_kmsg
    For the kexec module, this normal way still exists, and gives a lot of information, but to speak with it, you must use the driver.
    /dev/kexec_driver

    You can test the communication yourself:
    Code:
    # cat /dev/kexec_driver
    You can send the kernel by this communication channel.
    Type the following commands for help
      => echo help >/dev/kexec_driver
      => dmesg | grep Kexec
    Code:
    # echo help >/dev/kexec_driver
    # cat /dev/kexec_driver
    Last command : 'help'
     Please type following command :
          => dmesg|grep Kexec
    Every command sent into the driver is received by the kexec_load.ko module and run inside the kernel.
    The answer can be read through the driver

    Here, you can see that the normal way to see messages is always dmesg.

    Code:
    # dmesg|grep Kexec
    <4>[15050.521628] Kexec: Starting kexec_module...
    <6>[15050.521656] Kexec: kexec_driver_contener allocation
    <6>[15050.521673] Kexec: kexec_memory_buffer allocation
    <4>[15050.521691] Kexec:----------------------------------------------------
    <4>[15050.521710] Kexec: kexec_driver created with major : '100'
    <4>[15050.521728] Kexec: Please, prepare by typing the following commands :
    <4>[15050.521746] Kexec:  => mknod /dev/kexec_driver c 100 0
    <4>[15050.521761] Kexec:  => cat /dev/kexec_driver
    <4>[15050.521775] Kexec:-----------------------------------------------------
    <4>[15050.521791] Kexec:  For help
    <4>[15050.521803] Kexec:  => echo help >/dev/kexec_driver
    (...)
    I have added a lot of information to help configure kexec.



    rdtags, atags ??
    Not sure about this part of the kernel.
    "atags" is the most used method for the bootloader to pass commands and information to the kernel at boot.
    "atags" is a form of structure in memory to organise information.
    At boot, an address chain is created and can be consulted in the /proc/atags file.
    This file is read-only.
    "rdtags" is another way for the bootloader to pass information to the kernel.
    "rdtags" is not stored in "/proc"
    But, as I see, the stock kernel can use "atags" from the bootloader.
    kexec can substitute the bootloader function to create from scratch an atags chain, and pass it to the new kernel.
    I have changed this part to store atags in "/data/atags", and reuse or change if needed.

    If this doesn't work, I must create an rdtags chain to replace atags ; it's not hard work.


    Status

    For the moment, kexec tools work.
    => Phase one OK.

    I can start Phase Two : new kernel patch.
    If you want to help me...

    Actually, loading a custom kernel and booting into it with kexec tools works.
    But at boot into it, a kernel panic occurs.

    It seems a part of the kexec patch is missing in the custom kernel.
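The November 23 update above describes scanning memory for the device-tree magic (0xd00dfeed) and turning up three copies. This added C example (not delewer's kexec-tools code) performs that scan over a constructed byte region: it reads the big-endian FDT header, extracts totalsize and version, and flags any header whose claimed size runs past the end of the region, so only a complete blob is accepted for loading. The two-header sample, the 4-byte scan step and the helper names are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FDT_MAGIC   0xd00dfeedu  /* stored big-endian at the start of every DTB */
#define FDT_HDR_LEN 40u          /* v17 header: ten big-endian u32 fields */

/* What we keep for each magic found during the scan. */
struct fdt_hit {
    size_t   offset;     /* byte offset of the magic in the scanned region */
    uint32_t totalsize;  /* blob length claimed by the header */
    uint32_t version;    /* header version field */
    int      fits;       /* 1 if the claimed blob lies inside the region */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Walk the region at 4-byte steps looking for DTB headers. Returns the
 * number of magics seen; the first max of them are described in out[]. */
size_t fdt_scan(const uint8_t *buf, size_t len, struct fdt_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + FDT_HDR_LEN <= len; off += 4) {
        if (be32(buf + off) != FDT_MAGIC)
            continue;
        if (n < max) {
            uint32_t total = be32(buf + off + 4);     /* totalsize field */
            out[n].offset    = off;
            out[n].totalsize = total;
            out[n].version   = be32(buf + off + 20);  /* version field */
            /* A usable blob must hold at least a header and end inside the region. */
            out[n].fits = total >= FDT_HDR_LEN && total <= len - off;
        }
        n++;
    }
    return n;
}

/* Constructed sample region: a plausible DTB header at 0x40 whose totalsize
 * fits, and a second copy at 0xc0 whose totalsize runs past the region end. */
void build_sample(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);
    for (size_t off = 0x40; off + FDT_HDR_LEN <= len; off += 0x80) {
        put_be32(buf + off +  0, FDT_MAGIC);
        put_be32(buf + off +  4, off == 0x40 ? 0x60u : 0x200u); /* totalsize */
        put_be32(buf + off +  8, 0x38);  /* off_dt_struct */
        put_be32(buf + off + 12, 0x50);  /* off_dt_strings */
        put_be32(buf + off + 16, 0x28);  /* off_mem_rsvmap */
        put_be32(buf + off + 20, 17);    /* version */
        put_be32(buf + off + 24, 16);    /* last_comp_version */
    }
}

int main(void)
{
    uint8_t region[256];
    struct fdt_hit hits[4];
    build_sample(region, sizeof region);
    size_t n = fdt_scan(region, sizeof region, hits, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("dtb at 0x%zx: totalsize=%u version=%u %s\n", hits[i].offset,
               hits[i].totalsize, hits[i].version, hits[i].fits ? "ok" : "truncated");
    return 0;
}
```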
    Attempts on Xperia P (sorry IF I noob-ed with this post)

    http://xdaforums.com/showthread.php?t=2053466

    Sent from my LT22i using xda app-developers app

    It's a dead thread.
    Because it's an epic fail (for now).

    ********

    Status of my attempts:

    Module loads: OK for two modules (kexec_load and procfs_rw)
    - procfs_rw.ko => creates "/proc/atags" => ok, but bad buf... it must be fixed (easy part)
    - kexec_load.ko => loaded => ok, but the way to use it is to add a "syscall" for the kexec_load function => failed
    Why? Because after the 2.6 kernel (Z1 has a 3.4.0 kernel), syscall_table is read-only and has a fixed size. So if I attempt to add a value (kexec_load in our case), we get a kernel panic.

    But I have a solution to add the function in an LKM: add a "real" module call.

    I have added a "kexec_driver" in the "/dev" structure by:
    Code:
    insmod kexec_load.ko
    mknod /dev/kexec_driver c 254 0
    (...)
    crw-rw-rw- root     root     254,   0 2013-11-11 15:26 kexec_driver

    Driver is in alpha stage and highly experimental

    To be continued...
    just for information...
    compressed kernel with lzma is bigger than without lzma lol
    4,1 Vs 4,15

    so, I have tried:
    kexec --load zImage.lzma --mem-min=0x0f00000000 --command-line="$(cat /proc/cmdline)"
    debug: Focus 1 - argc '5' ; argv 'bea96754' ; kernel_buf 'b6bdf008' ; kernel_size '3f5414' ; info 'bea96528' ; i '1' ; file_type.name 'zImage'
    debug: malloc - xmalloc mem_range '4511824'
    Could not find a free area of memory of 3fd414 bytes...

    lol ... if you could find a way to reduce the size?? :p


    Did you reserve and free memory for kexec? Something like:
    +#if defined(CONFIG_KEXEC_HARDBOOT)
    +static void kexec_hardboot_reserve(void)
    +{
    + if (memblock_reserve(KEXEC_HARDBOOT_START, KEXEC_HARDBOOT_SIZE)) {
    + printk(KERN_ERR "Failed to reserve memory for KEXEC_HARDBOOT: "
    + "%dM@0x%.8X\n",
    + KEXEC_HARDBOOT_SIZE / SZ_1M, KEXEC_HARDBOOT_START);
    + return;
    + }
    + memblock_free(KEXEC_HARDBOOT_START, KEXEC_HARDBOOT_SIZE);
    + memblock_remove(KEXEC_HARDBOOT_START, KEXEC_HARDBOOT_SIZE);
    +
    + kexec_hardboot_device.num_resources = ARRAY_SIZE(kexec_hardboot_resources);
    + kexec_hardboot_device.resource = kexec_hardboot_resources;
    +}
    +#endif
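Review bot: kexec_hardboot_reserve() returns void, so when memblock_reserve() fails the failure is only logged; the function returns before num_resources and resource are set, and nothing downstream can tell that the hardboot region was never carved out. Consider returning an int (or setting a flag the hardboot load path checks) so a failed reservation disables hardboot rather than leaving kexec_hardboot_device with no resources while the rest of the code assumes the region is available.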

    Standard kexec is not working, and also kexec can boot only kexec-patched kernels, so I got them working only using hard kexec; I worked hard on them and finally I had a fully working kexec for Sony Xperia Go, Sola, P and U. Maybe this helps -> https://github.com/munjeni/android_kernel_xperiago/commits/jb-dev?page=2

    I will start working on your work after I get an Xperia Z1 Mini! You made a really interesting thread, I am really interested in this! Hope we get some progress. :good:

    And one more thing, I will backport my Boot Menu to Z1 and Z1S as soon as we get kexec working! More info here -> http://xdaforums.com/showthread.php?t=2418241
    Excellent work Delewer!

    So is it currently functional but with bugs or does it still need work before others can start testing it?

    Are your tests at the moment with the Sony stock kernel (i.e. DooMKernel) or with an AOSP kernel (i.e. CM kernel running CM10 or equivalent)?

    It's not a functional kexec; all I see in my sources says it works, but it is not yet; it's frustrating to me to be so close.

    I test only with DoomKernel, to be sure, when it's ok, to see that it is.
    When ok, AOSP will be kexeced immediately after... for sure!!!

    Most important for now is to have a log from the new kernel to debug the first crash; if I have a log, we win the battle.
    Hi, new thread created for kernel kexec development.

    Status: not working: wrong values for the mem defines in the kernel give a segmentation fault, as it's attempting to write to memory areas that are currently being used by the system


    Instructions:
    Make kernel compatible?:
    1. Download kernel diff patch from below
    2. Terminal - diff patch > diff.txt

    How to use:
    1. Download kexec-tools (kexec binary) from below
    2. Copy into system/bin directory and give it executable permission
    3. Download compatible kernel
    4. Terminal - kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0x20000000 --command-line="$(cat /proc/cmdline)"
    kexec -e

    Download links:
    Kexec tool- https://db.tt/8DZXQ9eV
    Ramdisk firmware 1.548 : https://db.tt/8DZXQ9eV
    zImage (kernel):


    Source code:
    Kernel diff patch: https://db.tt/Xi2htT7Q (currently contains wrong values for mem defines)
    Kexec-tools: https://db.tt/I22ofr3b


    Special thanks: @delewer @krabappel2548