[EXPLOIT][HOW-TO] BypassLKM: bypass module signature verification on TW 4.3

[Surge1223]

Careful running this on unsupported kernels..I didn't add any sanity checking.

Thanks! Just cross-compiled and loaded Lime. After I dump the ram, ill start working on getting more stuff over to our device. Have you been doing anything module related lately?

Edit: Successfully compiled lime.ko from kernel source and dumped the ram --couple gigs worth. FYI after a few tries of uncommenting lines in .config, modifying lime.c, and writing my own makefile instead of using limes, I was skeptical that it would even successfully compile the module. Not only did it compile but it loaded and worked as well, dmesg showed the tz accepted it and lime successfully created the dump.


Sent from my SCH-I545 using XDA Premium 4 mobile app

 

[cyrushehe]

Just to be clear...

Just to be clear, could this lead to allowing AOSP based roms on MJ7/MK2 Galaxy S4 devices?

 

[jeboo]

Just to be clear, could this lead to allowing AOSP based roms on MJ7/MK2 Galaxy S4 devices?

Theoretically, yes.

 

[Easton999GS]

Theoretically, yes.

Ok heres a better just to be clear question, Is there anything that a Loki Device can do with custom kernels that we cant do with kexec/thisexploit.

 

[tommydrum]

Ok heres a better just to be clear question, Is there anything that a Loki Device can do with custom kernels that we cant do with kexec/thisexploit.

Loki already makes it possible to load custom kernels, therefore allowing kernels to load that loads unsigned modules. So no, this won't give you anything more at all.. You already got everything

 

[Easton999GS]

Loki already makes it possible to load custom kernels, therefore allowing kernels to load that loads unsigned modules. So no, this won't give you anything more at all.. You already got everything

So if I download the 4.3 Ktoonz kernel. extract the modules from the zip. and try to load them with this exploit I will essentially be running Ktoonz kernel with all features?

 

[tommydrum]

So if I download the 4.3 Ktoonz kernel. extract the modules from the zip. and try to load them with this exploit I will essentially be running Ktoonz kernel with all features?

You don't need this exploit, the ktoonz kernel should read unsigned modules anyways. Yes to flashing the modules though. I wouldn't flash modules unless you know what you're doing. You'd want mdl modules if on a Loki device. Most all kernels made for the i337 are already set up for mdl, so it's kind of pointless.

 

[cyrushehe]

How long could it be before an implementation of this for the average user on XDA? Days? Weeks? Months?

 

[RK]

How long could it be before an implementation of this for the average user on XDA? Days? Weeks? Months?

Your guess is as good as anyone else's. All I know is that @Hashcode knows about this and is trying to get kexec working using this.

Sent from my SGH-I337 using Tapatalk

 

[Hashcode]

Hello @jeboo and community,

I deciding to open this up a bit and at least give everyone an update on where I'm at with the kexec process on the S4.

These instructions are based on my test device: JFLTEVZW running MJ7. The future is: if we get this working, I'll update and rebase against the MK# kernel sources as well as have other testers on other devices.

Current bootlog of the kexec attempt:

[    3.806488] Running Safestrap hijack
[    4.306549] [mdnie lite] is negative Mode On = 0
[    4.306549] [mdnie lite] negative off when resume, tuning again!
[    4.306549] [mdnie lite] mDNIe_Set_Mode start , mode(0), background(1)
[    4.306549] [mdnie lite]  = UI MODE =
[    4.306579] [mdnie lite]  = STANDARD MODE =
[    4.306579] [mdnie lite]  send tuning cmd!!
[    4.339782] [mdnie lite] mDNIe_Set_Mode end , mode(0), background(1)
[    5.489624] [TouchKey]press=1, code=0
[    5.666046] [TouchKey]press=0, code=0
[    8.833953] Running bypasslkm jfltevzw JSS15J.I545VRUEMJ7
[    8.837127] 
[    8.837127] BypassLKM patch by Jeboo
[    8.837127] usage: -r will restore kernel to original
[    8.837127] Big thanks to fi01 & CUBE for their awesome CVE-2013-6282 exploit source!
[    8.837127] 
[    8.837127] Found devicename=jfltevzw
[    8.837158] Found buildid=JSS15J.I545VRUEMJ7
[    8.837158] 
[    8.837158] Patching kernel @ 0xC00C9D58: Done.
[   10.396148] pid 1's current affinity list: 0-3
[   10.396148] pid 1's new affinity list: 0
[   11.244873] synaptics_rmi4_i2c 3-0020: synaptics_ta_cb: device is in suspend state or reflash.
[   11.422241] init: /init.rc: 75: invalid command 'powerctl'
[   11.424194] init: cannot find '/sbin/healthd', disabling 'healthd'
[   11.425720] init: invalid uid 'fm_radio'
[   11.425964] init: invalid uid 'fm_radio'
[   11.663604] power_supply sec-fuelgauge: driver failed to report `status' property: 4294967274
[   11.667419] power_supply sec-charger: driver failed to report `power_now' property: 4294967274
[   11.688232] init: Unable to open persistent property directory /data/property errno: 2
[   11.688751] init: untracked pid 163 exited
[   11.688873] init: untracked pid 164 exited
[   11.688964] init: untracked pid 268 exited
[   12.436737] [mdnie lite] is negative Mode On = 0
[   12.437072] [mdnie lite] negative off when resume, tuning again!
[   12.437286] [mdnie lite] mDNIe_Set_Mode start , mode(0), background(1)
[   12.437622] [mdnie lite]  = UI MODE =
[   12.437805] [mdnie lite]  = STANDARD MODE =
[   12.438140] [mdnie lite]  send tuning cmd!!
[   12.486511] [mdnie lite] mDNIe_Set_Mode end , mode(0), background(1)
[   40.014373] [TouchKey]press=1, code=1
[   40.093597] [TouchKey]press=0, code=1
[   81.530334] kexec: KEXEC_IOC_LOAD
[   83.554534] kexec: KEXEC_IOC_CHECK_LOADED (1)
[   83.556427] kexec: KEXEC_IOC_REBOOT
[   83.556640] KEXEC: preempt_disable
[   83.556823] KEXEC: disable interrupts
[   83.557159] KEXEC: kernel_restart_prepare_ptr
[   83.557342] set_dload_mode <0> ( c007b340 )
[   83.557708] (sec_debug_set_upload_magic) 0
[   83.565917] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.568267] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.600341] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.619934] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.639984] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.660186] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.679931] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.699951] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.719909] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.739898] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.759979] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.760650] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.779907] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.830535] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.830596] qup_i2c qup_i2c.2: QUP: I2C status flags :0x1300c8, irq:228
[   83.879791] qup_i2c qup_i2c.2: I2C slave addr:0x26 not connected
[   83.879974] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.899810] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.901123] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.903015] mdm_power_down_common: MDM2AP_STATUS went low successfully.
[   83.903320] KEXEC: machine_shutdown
[   83.903930] MKEXEC: found gic_raise_softirq: c002c590
[   83.903961] MKEXEC: waiting for CPUs ...(1000000)
[   83.904083] KEXEC: machine_kexec
[   83.904113] MKEXEC: va: dd7a9000
[   83.904174] MKEXEC: pa: 9eba9000
[   83.904235] MKEXEC: kexec_start_address: 80208000
[   83.904327] MKEXEC: kexec_indirection_page: 9ebab000
[   83.904388] MKEXEC: kexec_mach_type: 00000f6d
[   83.904479] MKEXEC: kexec_boot_atags: 80201000
[   83.904541] MKEXEC: copy relocate code: addr=0xdd7a9000, len==164
[   83.904632] MKEXEC: flush_icache_range
[   83.904693] MKEXEC: kexec_reinit
[   83.904754] MKEXEC: soft_restart
[   83.904815] MKEXEC: outer_flush_all
[   83.904907] MKEXEC: outer_disable
[   83.904968] MKEXEC: kexec_identity_mapping_add
[   83.905181] MKEXEC: end mappings end==0xbf000000: 0xbf000000
[   83.905273] MKEXEC: kexec_setup_mm_for_reboot
[   83.905944] MKEXEC: kexec_call_with_stack (kexec_call_with_stack=0xbf004578, __soft_reset=0xbf00400c, addr=0x9eba9000, stack=0xbf004db8)

And then it just hangs there. (I've disabled the msm_watchdog so that I have all the time I need to jump kernels without it triggering a reboot.)
I'm obviously not killing off mmu correctly or leaving something up which is hanging the process inside the kernel remapping code.

The kernel/kernel modules git I'm working from:
https://github.com/Hashcode/android_kernel_samsung-jf-common

I have a set of working files for the JFLTEVZW MJ7 release in the "build" dir.

To build the kexec binary:
check out: https://github.com/Hashcode/kexec-tools (master branch)

To build the kexec modules:
check out: https://github.com/Hashcode/android_kernel_samsung-jf-common

cd <kernel git location>
export PATH=$PATH:~/android/<your android basedir>/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6/bin
export JAVA_HOME=/usr/lib/jvm/java-6-sun
export CROSS_COMPILE=arm-eabi-
export KERNEL_DIR=`pwd`
export KERNELDIR=$KERNEL_DIR
make ARCH=arm VARIANT_DEFCONFIG=jf_vzw_defconfig SELINUX_DEFCONFIG=jfselinux_defconfig SELINUX_LOG_DEFCONFIG=jfselinux_log_defconfig jf_defconfig
make -j8 ARCH=arm zImage
make -j8 ARCH=arm modules

Currently, I'm using the stock boot.img split back into zImage and ramdisk.gz for kexec testing.

I have a special version of Safestrap 3.71 which includes the bypass code so that modules can be loaded in recovery:
JFLTEVZW: http://hosting.crackflasher.com/get...rap/Safestrap-JFLTEVZW-3.71-KEXEC-TESTING.apk
JFLTEATT: @jeboo if you want, I'll run a build for you in a bit

(Note: there is NOTHING special about this Safestrap other than:
1. It loads the module bypass prior to entering recovery
2. It mounts /firmware so that when insmod is used the tz firmware can be found by the kernel
-- no need for the every day user to "try it out")

Here's my testing process (after installing the "special" version of Safestrap above):
Once I'm in recovery, I run the following commands via PC:

# push kexec binary, kexec modules, zImage, recovery.gz and 2 scripts to /datamedia/local/tmp
adb push <kerneldir>build /datamedia/local/tmp
# run the "push.sh" script which copies the files to the rootfs and sets perms
adb shell "/datamedia/local/tmp/push.sh"
# run the "setup.sh" script which unmounts the 
adb shell "/setup.sh"

Eventually the screen will either fade to white or black and the device is not responsive.
Unplug USB
Hold power button while quickly sliding the contact of the battery out and back in.

On the reset: re-enter safestrap recovery and you'll have a /proc/last_kmsg to look at (similar to the above).

NEXT STEPS:
The goal would be to find a small bit of machine code that I can execute directly inside the kernel remapping code that is insignificant but will show a "sign of life".. Such items are writing to the serial port (which I'm currently trying to work out), setting off a vibrator pulse, etc).

 

[jeboo]

Hello @jeboo and community,

I deciding to open this up a bit and at least give everyone an update on where I'm at with the kexec process on the S4.

NICE work so far man! I get back home this weekend, I will definitely start debugging things so we can make progress on this project.

 

[ryanbg]

NICE work so far man! I get back home this weekend, I will definitely start debugging things so we can make progress on this project.

@jeboo would you be able to modify this exploit to also enable the ability to use insmod? if the kernel was vulnerable, it's technically possible right?

 

[jeboo]

@jeboo would you be able to modify this exploit to also enable the ability to use insmod? if the kernel was vulnerable, it's technically possible right?

That's exactly the point of the exploit.

 

[ryanbg]

That's exactly the point of the exploit.

Okay, I thought it was to patch lkmauth, I didn't realize it enabled kernel modules too. I'm combing through MI9 zImage now.

edit: I don't think I was making myself clear, I mean enable insmod as it's not implemented in N3 kernels.

 

[jeboo]

Okay, I thought it was to patch lkmauth, I didn't realize it enabled kernel modules too. I'm combing through MI9 zImage now.

edit: I don't think I was making myself clear, I mean enable insmod as it's not implemented in N3 kernels.

Ah, I was wondering what you meant..I havent looked at how they disabled it.

Sent from my SAMSUNG-SGH-I337 using xda app-developers app

 

[ryanbg]

Ah, I was wondering what you meant..I havent looked at how they disabled it.

Sent from my SAMSUNG-SGH-I337 using xda app-developers app

If you get any free time and feel up to take a look, I'm currently uploading the kernel source which I'll link here. I'm looking through it right now, but I'm not sure what I'm looking for. I can run insmod, and it prompts me to supply a kernel module (.ko), and when you do try one, it'll say "Function not implemented." So it appears it's there, something is just preventing it from running.

I'm setting up a build environment right now, I'm not really prepared to do anything on Windows.

 

[Walter.White]

If you get any free time and feel up to take a look, I'm currently uploading the kernel source which I'll link here. I'm looking through it right now, but I'm not sure what I'm looking for. I can run insmod, and it prompts me to supply a kernel module (.ko), and when you do try one, it'll say "Function not implemented." So it appears it's there, something is just preventing it from running.

I'm setting up a build environment right now, I'm not really prepared to do anything on Windows.

Can't we just enable Kernel Module support using menuconfig and changing CONFIG_MODULES=n and CONFIG_MODULE_UNLOAD=n to
CONFIG_MODULES=y and CONFIG_MODULE_UNLOAD=y

Just a guess.

 

[Hashcode]

Can't we just enable Kernel Module support using menuconfig and changing CONFIG_MODULES=n and CONFIG_MODULE_UNLOAD=n to
CONFIG_MODULES=y and CONFIG_MODULE_UNLOAD=y

Just a guess.

This only works if you're the one compiling the kernel. And in the case of locked devices (newer S4 builds and the N3).. we don't build the stock kernel. Samsung does.

 

[Walter.White]

This only works if you're the one compiling the kernel. And in the case of locked devices (newer S4 builds and the N3).. we don't build the stock kernel. Samsung does.

Gotcha. I guess then they are just rubbing it in our face by releasing the source code for locked devices. Smh.

 

[ryanbg]

Gotcha. I guess then they are just rubbing it in our face by releasing the source code for locked devices. Smh.

It's the law if they want to use GPL code in their devices.