FORUMS
Remove All Ads from XDA

[dev][kernel][kexec]

186 posts
Thanks Meter: 235
 
By delewer, Senior Member on 23rd October 2013, 06:40 AM
Post Reply Email Thread
Last Update : August, 19, 2014
Hi,

I'm still try to bypass the MMU protection.
I have fixe a lot of bug, like memory misalignment, bad adresses allocation, dtb correction, etc...
Last sources and binaries here :
kexec-tools V11.zip : http://forum.xda-developers.com/atta...1&d=1408401794
kexec-tools binaries V11.zip : http://forum.xda-developers.com/atta...1&d=1408401794

Sorry, i have always 13 sec reboot after new kernel boot.
"cpu_proc_fin" use a "mcr p15" to init cache and proc that cause freeze.
I try to find solution for that.


Last Update : June, 22, 2014
Hi,

My sources are horrible... but i give something new.

This kexec is for stock kernel only (tested on .757). I thinks theses sources work on other kernel too.

In "kexec-tools V10.zip", you have all my sources. It's highly recommended to mod them to have something OK.

In "kexec binaries.zip", you have binaries to install
=> "kexec_load.ko" and "procfs_rw.ko" must be placed in "/system/lib/modules" folder with "chmod 777"
=> "kexec" must be placed in /system/bin" folder with "chmod 777"
=> cd /system/lib/modules
=> insmod kexec_load.ko

For sources :
Mod and adapt all you want, it's free.
You have 2 scripts in Zip : "./compil-kexec" in "kexec-tools" folder to rebuild and send in device directly (install Adbtcp on device and send by tcp with : adb connect xxx.xxx.xxx.xxx) = work perfectly with me.
"scriptZ1" is for compil stock kernel or another kernel (doomlord kernel for eg)
You must rename "custom_final_files" folder after compil to "final_file" manually ; You can have guest kernel in "custom_final_files" and stock kernel in "final_files" for "kexec-tools" path ... Don't mix a guest and host kernel please ^^

I am tired... i let you test and say if it's ok for you...

Thank a lot to munjeni for his help.

kexec-tools V10.zip : http://forum.xda-developers.com/atta...1&d=1403456181
kexec binaries.zip : http://forum.xda-developers.com/atta...1&d=1403456181


Last Update : November, 23, 2013
Hi,
For few days now, i haven't no more kernel panic with my kexec.
I have fixed few stuffs into sources, and add a lot.

These adds are, to include a "dt.img" image file into kexec load process.

This image file is a "device_tree" image to match hardware to software.

So, i assume to don't include atags into boot process, but pass bootloader informations by this DT.
I have programmed a little scan memory to found dynamicly all magic tags, because i found 3 device_tree into memory (magic is "0xd00dfeed").
These 2 device_tree are echo from first and nice structure.

The boot process need to have informations from this DT, and need all informations to initialize hardware (no HDW initialisation by the kernel)
I must first fix issues ; Regroup zImage and dt.img into memory to load a solid bloc to kexec_load module to boot into, and second, fix an offset i can't explain, 0x800 in memory causing misalignment memory

Keep tuned..



Last Update : November, 17, 2013

Hi everybody,

My kexec-tools work for Sony Xperia Z1 stock kernel "3.4.0-perf"
This tools can work on all locked bootloader for all locked device, not only Sony or Z1 models.
This kexec-tools add a kexec_load kernel module (LKM) and use a driver to grant a communication between "kexec" user program and kexec_load.ko module

what is for ?
"kexec" user program load in memory a custom kernel in zImage format, but can load ".tar" image too
This user tool load ramdisk in memory if necessary
This tool is for this purpose only, and don't keep in memory the custom kernel at device reboot.
It is a "user" program, not a "kernel" extension... So, to really do the magic, we need the host kernel (stock sony locked kernel) have a kexec_load capability to reboot in a new gest kernel (custom kernel).

Infortuntly, stock kernel don't have kexec_load capability.
Sony have compiled his stock kernel without this option, and "standard" kexec-tools "need" this option to work.

To see all system call capability of kernel, you can run theses command :
Code:
echo 0 > /proc/sys/kernel/dmesg_restrict 
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms
Do all grep you want here.
The "echo 0" "restrict" is here to unmask logical adresses to "system calls"
Like you can see, "__NR_kexec_load" capability isn't here.

To add kexec_load capability in stock locked kernel, we need to add manualy a kernel module wich add this function into the kernel.
Why ? Because the way to keep in memory a custom kernel need to know a lot of parameters, and keep a specific memory range alive at reboot.
Only kernel can do this.
All user program will be terminated at reboot.

"Standard" kexec_load.ko module use a method to implement the "__NR_kexec_load" function in system call table.
Since 2.6.0 kernel, linux for security reason, have locked in memory the "system_call_table" ; No more add or modification is authorized.
If kexec tool try to add a value, "kexec_load" for us, we causes a kernel panic, and reboot device.

For this reason, i have modify kexec user program and kexec_load module to implement a driver to talk to each other.

this driver replace syscall method, and we no more need to use a system call table.
For this reason, this tool is now compatible with modern kernel like our "3.4.0"
For this reason, this tool must work for other device (Xperia X, P, S, etc...) and another brand
For this reason, if kernel is locked, we can bootstrap to run a new kernel.


Installation
First, you can compil your own kexec tool
Here, sources : http://forum.xda-developers.com/atta...1&d=1384689174

And here, the binaries : http://forum.xda-developers.com/atta...1&d=1384689406
(it's not a cwm zip, i have no time to create an installer for now ; use "./compil-kexec" if you want an automatic install)
Install *.ko in /system/lib/modules
Install kexec and kdump in /system/bin
Grant with "chmod 777"


Unzip in kexec-tools folder
Install a toolchain (sudo apt-get install gcc-arm-linux-gnueabi)
launch => ./compil-kexec

what's all
This script can do everythinks for you
- Compilation of tools
- Compilation of modules
- installation in device
This script can compil for every brand you have.
Except you must remove or adapt the patch (see below why)


Patch ??
This patch is because a module must be compiled in the same time the kernel himself.
For this reason a "vermagic", an identifier, is used by system to block every module not compil with kernel
Some custom kernel bypass this to authorize every modules.
But for stock kernel, it is not allowed.
You can easely strapp this by busybox.
"busybox modprobe" for help
"-f" to force load without vermagic

To see this vermagic :
Code:
# uname -r
This "uname -r" must be the same that
Code:
# strings kexec_load.ko | grep vermagic
vermagic=3.4.0-perf-g66807d4-02450-g9a218f1 SMP preempt mod_unload modversions ARMv7
If you want use automaticaly this vermagic, you can modify into the custom kernel this file :
Code:
"include/config/kernel.release" and add :
"3.4.0-perf-g66807d4-02450-g9a218f1"
This file will be use at module compil to match the vermagic.


Infortunatly, it is not enought.

The infamous "no symbol version for module_layout"
When a module compil is created, it use symbols link to system call function, translate by adresses
Theses symbols are not at same physical adresses in stock kernel and modules (compiled from DooMLoRD kernel).
So, theses adresses must be convert into modules itself to match with stock symbols adress.
A patch is needed.
If you use my script, modules are automatically patched.

Here patches :
Code:
sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' procfs_rw.ko
sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' kexec_load.ko
sed -i 's/\xBB\xD0\xF8\x4D/\x0E\x1C\x63\x77/' kexec_load.ko
sed -i 's/\xA6\x26\x81\x1A/\xD4\x56\x02\x7E/' kexec_load.ko
sed -i 's/\xA3\xD1\xEC\x96/\xEC\x43\x28\x1A/' kexec_load.ko
sed -i 's/\x8C\xE6\x6A\x5F/\x3D\xDF\x02\xF2/' kexec_load.ko
sed -i 's/\x3E\xF3\xEF\xE9/\x18\x7F\xA6\x8A/' kexec_load.ko
sed -i 's/\x8B\xD2\x92\x10/\xC8\x19\x08\x9C/' kexec_load.ko
sed -i 's/\x1C\xE8\x18\xE1/\x7C\x71\x9E\xEF/' kexec_load.ko
sed -i 's/\xAB\x2C\x2F\x8B/\x8E\xD7\x63\xC0/' kexec_load.ko
sed -i 's/\xF5\x62\xAA\x4B/\x34\x80\x1B\x74/' kexec_load.ko
sed -i 's/\x00\x52\xD6\xD7/\x6F\x80\x91\x20/' kexec_load.ko
sed -i 's/\x4F\x77\x57\x6A/\x0C\x57\xC7\x63/' kexec_load.ko
sed -i 's/\xCA\x2F\x65\x71/\x92\xB8\x7F\x53/' kexec_load.ko
sed -i 's/\x0F\xD0\xA0\x91/\xFA\x80\x15\xB4/' kexec_load.ko
sed -i 's/\x29\xA0\x6D\x48/\x6C\x6B\x96\x54/' kexec_load.ko
sed -i 's/\x6D\x1F\x1F\x37/\xCC\x5E\x79\x8B/' kexec_load.ko
sed -i 's/\xFD\x23\xD0\xFB/\xE3\xE3\x68\x52/' kexec_load.ko
You can use hexedit or hexdump to see these adresses :
Code:
hexdump kexec_load.ko | grep ff72         
0003d50 b0b0 80ac ff72 205e 6f6d 7564 656c 6c5f
how does it work ?
# kexec --help
For kexec help... nothing more to say.

# lsmod
List loaded modules... You must see
kexec_load 31369 0 - Live 0x00000000 (O)

# rmmod kexec_load.ko
Remove kexec_load module from memory.

# grep kexec /proc/device
To see installed driver.
You must see :
100 kexec_driver

First number is "major" number to identify your driver in system.

# mknod /dev/kexec_driver c 100 0
Install driver.
Major number (here 100), is important for module.
This Major must be the same between module and driver.
By default, 100 is used.

# insmod kexec_load.ko
To install "LKM", kexec_load kernel module.
If another Major is needed, you can use "insmod kexec_load.ko 101" for Major 101
You can use "modprob" if you want, but you must configure the module folder.


How kexec and module exchange informations ?
By the driver.
Normal output for a kernel module is to write in "dmsg" file.
To see kernel output, launch this command :
Code:
# dmesg
To see last kernel log, see in :
Code:
# cat /proc/last_kmsg
For kexec module, this normal way still exist, and give a lot of informations, but to speak with, you must use the driver.
/dev/kexec_driver

You can yourself test communication:
Code:
# cat /dev/kexec_driver
You can send kernel by this communication channel.
Type following commands for help
  => echo help >/dev/kexec_driver
  => dmesg | grep Kexec
Code:
# echo help >/dev/kexec_driver
# cat /dev/kexec_driver
Last command : 'help'
 Please type following command :
      => dmesg|grep Kexec
Every command send into driver is receive by kexec_load.ko module and running into the kernel.
The answer can by read thru the driver

Here, you can see that normal way to see messages is allway dmesg.

Code:
# dmesg|grep Kexec
<4>[15050.521628] Kexec: Starting kexec_module...
<6>[15050.521656] Kexec: kexec_driver_contener allocation
<6>[15050.521673] Kexec: kexec_memory_buffer allocation
<4>[15050.521691] Kexec:----------------------------------------------------
<4>[15050.521710] Kexec: kexec_driver created with major : '100'
<4>[15050.521728] Kexec: Please, prepare by typing the following commands :
<4>[15050.521746] Kexec:  => mknod /dev/kexec_driver c 100 0
<4>[15050.521761] Kexec:  => cat /dev/kexec_driver
<4>[15050.521775] Kexec:-----------------------------------------------------
<4>[15050.521791] Kexec:  For help
<4>[15050.521803] Kexec:  => echo help >/dev/kexec_driver
(...)
I have add a lot of informations to help to configure kexec.



rdtags, atags ??
Not sure for this part of kernel.
"atags" is the most used method to bootloader to parse commands and informations to kernel at boot.
"atags" is a form of structure in memory to organise informations.
At boot, a address chain is created and can be compulse in /proc/atags file.
This file is read only system.
"rdtags" is another way to bootloader to parse information to kernel.
"rdtags" is not stocked in "/proc"
But, as i see, stock kernel can use "atags" from bootloader.
kexec can substitute bootloader function to create fromscratch a atags chain, and parse to new kernel.
I have change this part to stock atags in "/data/atags", and reuse or change if need.

If this don't work, i must create a rdtags chain to replace atags ; It's not a hard work.


Status

For the moment, kexec tools works.
=> Phase one OK.

I can start Phase Two : new kernel patch.
If you want to help me...

Actually, load a custom kernel and boot into with kexec tools work.
But at boot into, a kernel panic occurs.

It seems, a part of kexec patch is missing in custom kernel.
The Following 21 Users Say Thank You to delewer For This Useful Post: [ View ] Gift delewer Ad-Free
 
 
23rd October 2013, 06:41 AM |#2  
Shaky156's Avatar
Senior Member
Thanks Meter: 2,532
 
Donate to Me
More
[dev][kernel][kexec]
Hi new thread created for kernel kexec development.

Status: not working: wrong values for mem defines under the kernel is giving segmentation fault as its attempting to write to memory areas that are currently being used byyyyy the system


Instructions:
Make kernel compatible?:
1. Download kernel diff patch from below
2. Terminal - diff patch > diff.txt

How to use:
1. Download kexec-tools (kexec binary) from below
2. Copy into system/bin directory and give it executable permission
3. Download compatible kernel
4. Terminal - kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0x20000000 --command-line="$(cat /proc/cmdline)"
kexec -e

Download links:
Kexec tool- https://db.tt/8DZXQ9eV
Ramdisk firmware 1.548 : https://db.tt/8DZXQ9eV
zImage (kernel):


Source code:
Kernel diff patch: https://db.tt/Xi2htT7Q (currently contains wrong values for mem defines)
Kexec-tools: https://db.tt/I22ofr3b


Special thanks: @delewer @krabappel2548
The Following 7 Users Say Thank You to Shaky156 For This Useful Post: [ View ] Gift Shaky156 Ad-Free
23rd October 2013, 07:24 AM |#4  
krabappel2548's Avatar
Recognized Developer
Flag Zichem
Thanks Meter: 16,270
 
Donate to Me
More
Please move this thread to Xda Devdb, then I can also edit first post etc if I find new stuff

Sent from my C6903 using xda app-developers app
The Following User Says Thank You to krabappel2548 For This Useful Post: [ View ]
23rd October 2013, 07:29 AM |#5  
Shaky156's Avatar
Senior Member
Thanks Meter: 2,532
 
Donate to Me
More
Quote:
Originally Posted by krabappel2548

Please move this thread to Xda Devdb, then I can also edit first post etc if I find new stuff

Sent from my C6903 using xda app-developers app

Devdb?

Pm me i dont know what Devdb is lol
The Following User Says Thank You to Shaky156 For This Useful Post: [ View ] Gift Shaky156 Ad-Free
23rd October 2013, 07:46 AM |#6  
Shaky156's Avatar
Senior Member
Thanks Meter: 2,532
 
Donate to Me
More
Recieved segmentation fault with delewers calculated mem values too

We need to write to memory where we have write access to, maybe lockedbootloader is not allowing us to write? Orrr we are just writing to wrong area of memory
23rd October 2013, 09:12 AM |#7  
Knucklessg1's Avatar
Senior Member
Thanks Meter: 103
 
More
If kexec works on the Z1, can it be ported over to Xperia Z/ZL/T/Ultra? I believe they don't all share the same processor.
The Following User Says Thank You to Knucklessg1 For This Useful Post: [ View ] Gift Knucklessg1 Ad-Free
23rd October 2013, 09:38 AM |#8  
krabappel2548's Avatar
Recognized Developer
Flag Zichem
Thanks Meter: 16,270
 
Donate to Me
More
Quote:
Originally Posted by Shaky156

Devdb?

Pm me i dont know what Devdb is lol




Quote:
Originally Posted by Shaky156

Recieved segmentation fault with delewers calculated mem values too

We need to write to memory where we have write access to, maybe lockedbootloader is not allowing us to write? Orrr we are just writing to wrong area of memory

I'll discuss with Kali- today if he's available.



Quote:
Originally Posted by Knucklessg1

If kexec works on the Z1, can it be ported over to Xperia Z/ZL/T/Ultra? I believe they don't all share the same processor.

Doesn't need to be same processor, can be ported

Sent from my C6903 using xda app-developers app
The Following 2 Users Say Thank You to krabappel2548 For This Useful Post: [ View ]
23rd October 2013, 10:15 AM |#9  
Shaky156's Avatar
Senior Member
Thanks Meter: 2,532
 
Donate to Me
More
Quote:
Originally Posted by Knucklessg1

If kexec works on the Z1, can it be ported over to Xperia Z/ZL/T/Ultra? I believe they don't all share the same processor.

Yes it wont matter much, since its not s800 it should be easier for you guys , take the kexec-tool use that, implement the patch write to the correct mem addresses which is free, it should boot if you guys have issues let me know,

I need to calculate the correct addresses.

Ive noticed s800 uses a dt.img, might need to modify kexec-tool to support dt.img, not sure what dt.img does yet, only know it holds values
The Following User Says Thank You to Shaky156 For This Useful Post: [ View ] Gift Shaky156 Ad-Free
23rd October 2013, 11:03 AM |#10  
krabappel2548's Avatar
Recognized Developer
Flag Zichem
Thanks Meter: 16,270
 
Donate to Me
More
Quote:
Originally Posted by Shaky156

I need to calculate the correct addresses.

Ive noticed s800 uses a dt.img, might need to modify kexec-tool to support dt.img, not sure what dt.img does yet, only know it holds values

the dt.img is needed by the kernel to boot, so I guess we need to load that too in kexec.

EDIT: people that wanna try add kexec patch to their kernel, check github: android_kernel_sony_msm8974/commits/kexec
The Following 3 Users Say Thank You to krabappel2548 For This Useful Post: [ View ]
24th October 2013, 12:05 AM |#11  
delewer's Avatar
OP Senior Member
Flag Paris
Thanks Meter: 235
 
More
krabappel2548, i have compil your kernel by my script (fromscratch)

My script (instruction in "DoomLord Build kernel thread" : scriptZ1 http://forum.xda-developers.com/atta...3&d=1382568778
(for thoses who want to help us...)

You have a little mod to do here (bad compil) :
In "sound/soc/msm/qdsp6v2/rtac.c"

you must change
#include <q6voice.h>
by
#include "q6voice.h"

btw : no more ideas to load kexec for the moment ...
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes