[MOD][KERNEL MODULE] wp_mod: disable system write protection

Search This thread
By:
Advanced…
flar2

flar2

Recognized Developer
Jun 11, 2012
18,897
87,868
Southwestern Ontario
elementalx.org
wp_mod: Module to disable system write protection

This is a kernel module that disables write protection on the system partition while running the stock kernel.


HTC changed the MMC_MUST_PREVENT_WP_VIOLATION code to make it much harder to crack. I had to redo the module completely, so this is experimental. In the past, it was a simple matter of changing a variable, now we have to replace a function in the kernel so it returns something different, causing the kernel to skip over the write protection code.

I would caution against loading the module after attempting to make changes to the system partition. It could end up corrupting the filesystem. If the module is loaded at boot, there should be no worries.

This module will probably need to be updated to load with future kernels when they are released.


Please consider a donation to support ongoing development
Many thanks to those who have donated!

Download:

wp_mod for GPE Marshmallow 6.0 can be found here:
http://xdaforums.com/htc-one-m8/general/root-root-marshmallow-gpe-supersu-t3242210


Sense 4.4.4 (thanks @migascalp):
http://www.mediafire.com/download/4vyqslnc4crsnto/wp_mod_3.28.401.6.zip


Sense 4.4.3 (2.22 base):
wp_mod.ko

Sense 4.4.2:
wp_mod.ko

GPE 4.4.4 (thanks to @italyforever):
wp_mod.ko

GPE 4.4.2:
wp_mod.ko




Installation:
Wait for it to be implemented in your favourite ROM

* or *

Copy the module to your device, and type
Code: 
su
insmod /location-where-you-copied-it/wp_mod.ko


Changes:

April 2, 2014 - wp_mod 4.1
-only return non-existing partition number if called by generic_make_request_checks
-remove exit from module (we don't want to be able to unload it)
-clean up code


March 31, 2014 - wp_mod 4.0
-new method for HTC One m8



Source:
https://github.com/flar2/wp_mod

Module was compiled against m8 Google Play Edition source. Some symbol CRC checks had to be hexedited in the compiled module to match the stock kernel. Thanks to Michael Coppola for example of function hooking on arm: http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm
 
Last edited:
  • Like
Reactions: alex6600, n1234d, iDpC1 and 71 others
G

gjlowe

Senior Member
Oct 7, 2008
540
71
So as an end user, before it gets baked into ROMs, we need to load this after each boot?
 
graffixnyc

graffixnyc

Retired Forum Mod / Inactive Recognized Developer
Jan 21, 2011
6,627
6,486
New York City
www.graffixnyc.com
Worked here as well on the AT&T variant. I added the line to the install recovery script that chainfire uses for SuperSU and it loads it on boot now :)

what i did was run the insmod command in terminal emulator, made the system rw/ edited /system/etc/install-recovery.sh and added the insmod line in there :) Sure it would be easier if I had init.d support but I'm on stock and am too lazy to change to a custom rom :p
 
JEANRIVERA

JEANRIVERA

Senior Member
Mar 30, 2007
3,049
1,503
42
Nazareth, PA
HTC U12+
ASUS ROG Phone 3
graffixnyc said:
Worked here as well on the AT&T variant. I added the line to the install recovery script that chainfire uses for SuperSU and it loads it on boot now :)

what i did was run the insmod command in terminal emulator, made the system rw/ edited /system/etc/install-recovery.sh and added the insmod line in there :) Sure it would be easier if I had init.d support but I'm on stock and am too lazy to change to a custom rom :p
Click to expand...
Click to collapse

Can you share your zip please

Sent from my HTC One_M8 using Tapatalk
 
  • Like
Reactions: m03sizlak
-4ndr01d-

-4ndr01d-

Senior Member
Mar 28, 2012
497
54
im on the vzw m8. we have temp 'root access' to /system/xbin. is it ok to do this as well? which will make /system writable?
 
-4ndr01d-

-4ndr01d-

Senior Member
Mar 28, 2012
497
54
flar2 said:
I don't know what method they use to get root access to /system/xbin. This is probably compatible, if it loads with the Verizon kernel. Backup all your data and try it.
Click to expand...
Click to collapse

jcase has got us root access ...its only writable to /system/xbin and has to run on every boot. the app used is called WeakSauce

but i was thinking. once my phone boots up, i wait til i have root access, then download the file, place it in the correct directory, download terminal emulator and run the commands. then /system becomes writable until next reboot?
 
You must log in or register to reply here.

Similar threads

flar2
[KERNEL] [Nov 26] ElementalX-m8 (7.01 Sense) (6.04 GPE)
Replies
6K
Views
977K
D
Developer0fTruth
flar2
[MOD] [KERNEL MODULE] [July 26] Sweep2sleep
Replies
164
Views
54K
mrrocketdog
mrrocketdog
faux123
[KERNEL] (007) Sense/GPE (3.4+Hybrid/UV/OC/Intelliplug/active/FauxSound) [08-02-2014]
Replies
983
Views
166K
munkyvirus
munkyvirus
lyapota
[KERNEL][Jul 31] lONElyX #038|Sense/GPE| GSM*WHL*VZW | KEXEC*HotPlugs*UV*OC*ets
Replies
812
Views
161K
Stickman89
Stickman89
lyapota
[MOD][Aug 01][#011] modPack for GPE 5.1.0 Stock/SkyDragon
Replies
381
Views
80K
lyapota
lyapota

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 74
    flar2
    flar2
    wp_mod: Module to disable system write protection

    This is a kernel module that disables write protection on the system partition while running the stock kernel.


    HTC changed the MMC_MUST_PREVENT_WP_VIOLATION code to make it much harder to crack. I had to redo the module completely, so this is experimental. In the past, it was a simple matter of changing a variable, now we have to replace a function in the kernel so it returns something different, causing the kernel to skip over the write protection code.

    I would caution against loading the module after attempting to make changes to the system partition. It could end up corrupting the filesystem. If the module is loaded at boot, there should be no worries.

    This module will probably need to be updated to load with future kernels when they are released.


    Please consider a donation to support ongoing development
    Many thanks to those who have donated!

    Download:

    wp_mod for GPE Marshmallow 6.0 can be found here:
    http://xdaforums.com/htc-one-m8/general/root-root-marshmallow-gpe-supersu-t3242210


    Sense 4.4.4 (thanks @migascalp):
    http://www.mediafire.com/download/4vyqslnc4crsnto/wp_mod_3.28.401.6.zip


    Sense 4.4.3 (2.22 base):
    wp_mod.ko

    Sense 4.4.2:
    wp_mod.ko

    GPE 4.4.4 (thanks to @italyforever):
    wp_mod.ko

    GPE 4.4.2:
    wp_mod.ko




    Installation:
    Wait for it to be implemented in your favourite ROM

    * or *

    Copy the module to your device, and type
    Code: 
    su
insmod /location-where-you-copied-it/wp_mod.ko


    Changes:

    April 2, 2014 - wp_mod 4.1
    -only return non-existing partition number if called by generic_make_request_checks
    -remove exit from module (we don't want to be able to unload it)
    -clean up code


    March 31, 2014 - wp_mod 4.0
    -new method for HTC One m8



    Source:
    https://github.com/flar2/wp_mod

    Module was compiled against m8 Google Play Edition source. Some symbol CRC checks had to be hexedited in the compiled module to match the stock kernel. Thanks to Michael Coppola for example of function hooking on arm: http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm
    View
    9
    flar2
    flar2
    m03sizlak said:
    AWESOME work flar2.

    After examining the source, it is indeed *much* more complicated than it has been in the past. Just curious, if you have the kernel source, what is to stop you from just rewriting the hooked functions instead of hijacking them with this code, which appears to be proof of concept code for ARM rootkits?

    Second question, the very informative page you linked to, and based this on, says this about ARM instruction caching:

    http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#arm


    Any reason why you do not use this approach in your module?


    Last and possibly most important question. The page also says this:

    The code uses this approach only to avoid detection by rootkit detectors, something that we should have zero concerns about. Why not use the other approach, system call hooking by swapping out function pointers in the system call table?


    THANK YOU.
    Click to expand...
    Click to collapse

    I did rewrite the function. Remember, we have to do this in the running kernel. Whenever the original function is called, it jumps to my new function instead. Hooking/hijacking are the same thing. That site also shows how to hide the module and a bunch of other stealth stuff, but none of that was necessary for this.

    It's extremely easy to disable write protection if you compile your own kernel, you just turn off MMC_MUST_PREVENT_WP_VIOLATION.

    Previously, the wp_mod hack was dead simple. All we had to do was call an existing kernel function to change the number of the partition that write protection applied to. In the new source (below), HTC got rid of all this extraneous code and just hardcoded it to apply the write protection to /system. This happens in block/blk-core.c as you can see below. We need to skip over the quoted code.

    Code: 
    static noinline_for_stack bool
generic_make_request_checks(struct bio *bio)
{

......

#ifdef CONFIG_MMC_MUST_PREVENT_WP_VIOLATION
	sprintf(wp_ptn, "mmcblk0p%d", get_partition_num_by_name("system"));   //hardcoded to look for system partition
	if (!strcmp(bdevname(bio->bi_bdev, b), wp_ptn) && !board_mfg_mode() &&   //wp_ptn == mmcblk0p45  (/system)
			(get_tamper_sf() == 1) && (bio->bi_rw & WRITE)) {
		pr_info("blk-core: Attempt to write protected partition %s block %Lu \n",
				bdevname(bio->bi_bdev, b), (unsigned long long)bio->bi_sector);
		err = 0;
		goto wp_end_io;
	} else if (atomic_read(&emmc_reboot) && (bio->bi_rw & WRITE)) {
		pr_info("%s: Attempt to write eMMC, %s block %Lu \n", current->comm,
				bdevname(bio->bi_bdev, b), (unsigned long long)bio->bi_sector);
		err = -EROFS;
		goto wp_end_io;
	}
#endif

..............

}


    It's a *bad idea* to replace a big complicated important function like static noinline_for_stack bool
    generic_make_request_checks() so I decided to modify a simpler function within it, get_partition_num_by_name(). I changed get_partition_num_by_name() to return a different partition number when name == system. I didn't see any code in the kernel source where it would cause a problem to return the wrong partition number for system. After loading wp_mod.ko, write protection is applied to a non-existent partition instead of /system. The end result is exactly the same as my old wp_mod that has proven to work on many devices.


    Why didn't I just change the address in the system call table? I don't think that is so easy on contemporary kernels. I found the function hooking method simpler and more foolproof.


    EDIT: in my haste while answering this at work, I quoted the wrong function containing the write protection code. It's static noinline_for_stack bool
    generic_make_request_checks not bio_check_eod (which is the function right above it in blk-core.c)
    View
    9
    flar2
    flar2
    I've updated the module a bit to make it easier to port to future kernels and other devices that use this form of write protection. All that needs to be done is to edit the CRC value for module_layout. I've also made it so the module can't be unloaded, we don't want to do that. In the process, I was able to reduce the module's overhead. Also, as per @m03sizlak's suggestion, I made it so it will only return the non-existent partition if the calling function is generic_make_request_checks.

    The first version works, but we should start testing this version.


    Download:
    wp_mod.ko

    (downloads not showing up for some reason, hold on)


    Changes:
    -only return non-existing partition number if called by generic_make_request_checks
    -remove exit from module (we don't want to be able to unload it)
    -clean up code
    View
    9
    flar2
    flar2
    wp_mod for Sense 6 Android 4.4.3 2.22.401.4

    wp_mod.ko
    View
    8
    drakeymcmb
    drakeymcmb
    For users who have init.d support in their ROM. Flash this and your good to go

    https://mega.co.nz/#!XINyDIrB!QcdP3sZJjgKAivkEa7iN8Jusx0e78T1rpA5PT7VGAxQ

    Sent from my Note 3
    View

New posts