[EXPLOIT][HOW-TO] BypassLKM: bypass module signature verification on TW 4.3

Surge1223

Recognized Contributor
Nov 6, 2012
Careful running this on unsupported kernels. I didn't add any sanity checking.
Thanks! Just cross-compiled and loaded Lime. After I dump the RAM, I'll start working on getting more stuff over to our device. Have you been doing anything module-related lately?

Edit: Successfully compiled lime.ko from kernel source and dumped the RAM (a couple of gigs' worth). FYI, after a few tries of uncommenting lines in .config, modifying lime.c, and writing my own makefile instead of using Lime's, I was skeptical that it would even successfully compile the module. Not only did it compile, but it loaded and worked as well; dmesg showed the TZ accepted it and Lime successfully created the dump.


Sent from my SCH-I545 using XDA Premium 4 mobile app
 

tommydrum

Senior Member
Jun 10, 2013
OK, here's a better, just-to-be-clear question: is there anything that a Loki device can do with custom kernels that we can't do with kexec/this exploit?
Loki already makes it possible to load custom kernels, therefore allowing kernels that load unsigned modules. So no, this won't give you anything more at all. You've already got everything :p
 

Easton999GS

Senior Member
Aug 31, 2010
So if I download the 4.3 Ktoonz kernel, extract the modules from the zip, and try to load them with this exploit, I will essentially be running the Ktoonz kernel with all features?
 

tommydrum

Senior Member
Jun 10, 2013
You don't need this exploit; the Ktoonz kernel should read unsigned modules anyway. Yes to flashing the modules, though. I wouldn't flash modules unless you know what you're doing. You'd want MDL modules if on a Loki device. Almost all kernels made for the I337 are already set up for MDL, so it's kind of pointless.
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
Hello @jeboo and community,

I decided to open this up a bit and at least give everyone an update on where I'm at with the kexec process on the S4.

These instructions are based on my test device: JFLTEVZW running MJ7. Going forward, if we get this working, I'll update and rebase against the MK# kernel sources and have other testers on other devices.

Current bootlog of the kexec attempt:
Code:
[    3.806488] Running Safestrap hijack
[    4.306549] [mdnie lite] is negative Mode On = 0
[    4.306549] [mdnie lite] negative off when resume, tuning again!
[    4.306549] [mdnie lite] mDNIe_Set_Mode start , mode(0), background(1)
[    4.306549] [mdnie lite]  = UI MODE =
[    4.306579] [mdnie lite]  = STANDARD MODE =
[    4.306579] [mdnie lite]  send tuning cmd!!
[    4.339782] [mdnie lite] mDNIe_Set_Mode end , mode(0), background(1)
[    5.489624] [TouchKey]press=1, code=0
[    5.666046] [TouchKey]press=0, code=0
[    8.833953] Running bypasslkm jfltevzw JSS15J.I545VRUEMJ7
[    8.837127] 
[    8.837127] BypassLKM patch by Jeboo
[    8.837127] usage: -r will restore kernel to original
[    8.837127] Big thanks to fi01 & CUBE for their awesome CVE-2013-6282 exploit source!
[    8.837127] 
[    8.837127] Found devicename=jfltevzw
[    8.837158] Found buildid=JSS15J.I545VRUEMJ7
[    8.837158] 
[    8.837158] Patching kernel @ 0xC00C9D58: Done.
[   10.396148] pid 1's current affinity list: 0-3
[   10.396148] pid 1's new affinity list: 0
[   11.244873] synaptics_rmi4_i2c 3-0020: synaptics_ta_cb: device is in suspend state or reflash.
[   11.422241] init: /init.rc: 75: invalid command 'powerctl'
[   11.424194] init: cannot find '/sbin/healthd', disabling 'healthd'
[   11.425720] init: invalid uid 'fm_radio'
[   11.425964] init: invalid uid 'fm_radio'
[   11.663604] power_supply sec-fuelgauge: driver failed to report `status' property: 4294967274
[   11.667419] power_supply sec-charger: driver failed to report `power_now' property: 4294967274
[   11.688232] init: Unable to open persistent property directory /data/property errno: 2
[   11.688751] init: untracked pid 163 exited
[   11.688873] init: untracked pid 164 exited
[   11.688964] init: untracked pid 268 exited
[   12.436737] [mdnie lite] is negative Mode On = 0
[   12.437072] [mdnie lite] negative off when resume, tuning again!
[   12.437286] [mdnie lite] mDNIe_Set_Mode start , mode(0), background(1)
[   12.437622] [mdnie lite]  = UI MODE =
[   12.437805] [mdnie lite]  = STANDARD MODE =
[   12.438140] [mdnie lite]  send tuning cmd!!
[   12.486511] [mdnie lite] mDNIe_Set_Mode end , mode(0), background(1)
[   40.014373] [TouchKey]press=1, code=1
[   40.093597] [TouchKey]press=0, code=1
[   81.530334] kexec: KEXEC_IOC_LOAD
[   83.554534] kexec: KEXEC_IOC_CHECK_LOADED (1)
[   83.556427] kexec: KEXEC_IOC_REBOOT
[   83.556640] KEXEC: preempt_disable
[   83.556823] KEXEC: disable interrupts
[   83.557159] KEXEC: kernel_restart_prepare_ptr
[   83.557342] set_dload_mode <0> ( c007b340 )
[   83.557708] (sec_debug_set_upload_magic) 0
[   83.565917] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.568267] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.600341] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.619934] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.639984] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.660186] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.679931] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.699951] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.719909] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.739898] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.759979] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.760650] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.779907] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.830535] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.830596] qup_i2c qup_i2c.2: QUP: I2C status flags :0x1300c8, irq:228
[   83.879791] qup_i2c qup_i2c.2: I2C slave addr:0x26 not connected
[   83.879974] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.899810] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.901123] BUG: scheduling while atomic: kexec/511/0x00000003
[   83.903015] mdm_power_down_common: MDM2AP_STATUS went low successfully.
[   83.903320] KEXEC: machine_shutdown
[   83.903930] MKEXEC: found gic_raise_softirq: c002c590
[   83.903961] MKEXEC: waiting for CPUs ...(1000000)
[   83.904083] KEXEC: machine_kexec
[   83.904113] MKEXEC: va: dd7a9000
[   83.904174] MKEXEC: pa: 9eba9000
[   83.904235] MKEXEC: kexec_start_address: 80208000
[   83.904327] MKEXEC: kexec_indirection_page: 9ebab000
[   83.904388] MKEXEC: kexec_mach_type: 00000f6d
[   83.904479] MKEXEC: kexec_boot_atags: 80201000
[   83.904541] MKEXEC: copy relocate code: addr=0xdd7a9000, len==164
[   83.904632] MKEXEC: flush_icache_range
[   83.904693] MKEXEC: kexec_reinit
[   83.904754] MKEXEC: soft_restart
[   83.904815] MKEXEC: outer_flush_all
[   83.904907] MKEXEC: outer_disable
[   83.904968] MKEXEC: kexec_identity_mapping_add
[   83.905181] MKEXEC: end mappings end==0xbf000000: 0xbf000000
[   83.905273] MKEXEC: kexec_setup_mm_for_reboot
[   83.905944] MKEXEC: kexec_call_with_stack (kexec_call_with_stack=0xbf004578, __soft_reset=0xbf00400c, addr=0x9eba9000, stack=0xbf004db8)
And then it just hangs there. (I've disabled the msm_watchdog so that I have all the time I need to jump kernels without it triggering a reboot.)
I'm obviously not killing off the MMU correctly, or I'm leaving something up which is hanging the process inside the kernel remapping code.

The kernel/kernel modules git I'm working from:
https://github.com/Hashcode/android_kernel_samsung-jf-common

I have a set of working files for the JFLTEVZW MJ7 release in the "build" dir.

To build the kexec binary:
check out: https://github.com/Hashcode/kexec-tools (master branch)

To build the kexec modules:
check out: https://github.com/Hashcode/android_kernel_samsung-jf-common

Code:
cd <kernel git location>
export PATH=$PATH:~/android/<your android basedir>/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6/bin
export JAVA_HOME=/usr/lib/jvm/java-6-sun
export CROSS_COMPILE=arm-eabi-
export KERNEL_DIR=`pwd`
export KERNELDIR=$KERNEL_DIR
make ARCH=arm VARIANT_DEFCONFIG=jf_vzw_defconfig SELINUX_DEFCONFIG=jfselinux_defconfig SELINUX_LOG_DEFCONFIG=jfselinux_log_defconfig jf_defconfig
make -j8 ARCH=arm zImage
make -j8 ARCH=arm modules
Currently, I'm using the stock boot.img split back into zImage and ramdisk.gz for kexec testing.

I have a special version of Safestrap 3.71 which includes the bypass code so that modules can be loaded in recovery:
JFLTEVZW: http://hosting.crackflasher.com/get...rap/Safestrap-JFLTEVZW-3.71-KEXEC-TESTING.apk
JFLTEATT: @jeboo if you want, I'll run a build for you in a bit

(Note: there is NOTHING special about this Safestrap other than:
1. It loads the module bypass prior to entering recovery
2. It mounts /firmware so that when insmod is used the tz firmware can be found by the kernel
-- no need for the everyday user to "try it out")

Here's my testing process (after installing the "special" version of Safestrap above):
Once I'm in recovery, I run the following commands via PC:
Code:
# push kexec binary, kexec modules, zImage, recovery.gz and 2 scripts to /datamedia/local/tmp
adb push <kerneldir>build /datamedia/local/tmp
# run the "push.sh" script which copies the files to the rootfs and sets perms
adb shell "/datamedia/local/tmp/push.sh"
# run the "setup.sh" script which unmounts the 
adb shell "/setup.sh"
Eventually the screen will either fade to white or black and the device is not responsive.
Unplug USB
Hold power button while quickly sliding the contact of the battery out and back in.

On the reset: re-enter safestrap recovery and you'll have a /proc/last_kmsg to look at (similar to the above).

NEXT STEPS:
The goal would be to find a small bit of machine code that I can execute directly inside the kernel remapping code that is insignificant but will show a "sign of life". Such items are writing to the serial port (which I'm currently trying to work out), setting off a vibrator pulse, etc.
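The thread warns earlier that BypassLKM does no sanity checking, and the bootlog above shows exactly what it keys on: a device name, a build id, and one fixed kernel address (jfltevzw, JSS15J.I545VRUEMJ7, 0xC00C9D58). The following is an added example, not jeboo's code and not part of this post, of the gate a patcher would want in front of any write to kernel memory: an allow-list keyed on those two strings, plus a range check that the address is actually in kernel space. The single table row is the triple from the log; the build.prop parser, the assumption that the printed build id corresponds to ro.build.display.id, and the two sample property buffers are all constructed for the example. The write itself (the CVE-2013-6282 part) is deliberately not included.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* One row per build the patch has been verified on. The only entry is the
 * device / build id / address triple printed in the JFLTEVZW MJ7 bootlog. */
struct patch_target {
    const char *device;   /* ro.product.device */
    const char *buildid;  /* assumed to be ro.build.display.id */
    uint32_t    addr;     /* kernel VA BypassLKM patches on that build */
};

static const struct patch_target targets[] = {
    { "jfltevzw", "JSS15J.I545VRUEMJ7", 0xC00C9D58u },
};

/* Constructed sample build.prop contents (not from any real device dump). */
static const char sample_props_mj7[] =
    "ro.build.id=JSS15J\n"
    "ro.build.display.id=JSS15J.I545VRUEMJ7\n"
    "ro.product.device=jfltevzw\n";

static const char sample_props_other[] =
    "ro.build.display.id=JSS15J.I545VRUEMJ7\n"
    "ro.product.device=jflteatt\n";

/* Find "key=value" in a newline-separated property buffer; 0 on success. */
int prop_get(const char *props, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = props;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e = strchr(v, '\n');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            if (vlen >= outlen) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Exact match on both strings; 0 means "unsupported build, do not patch". */
uint32_t lookup_patch_addr(const char *device, const char *buildid)
{
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (strcmp(targets[i].device, device) == 0 &&
            strcmp(targets[i].buildid, buildid) == 0)
            return targets[i].addr;
    return 0;
}

/* 32-bit ARM Linux with the default 3G/1G split: kernel text lives above
 * PAGE_OFFSET (0xC0000000). Anything below that cannot be the lkmauth check. */
int addr_is_kernel(uint32_t addr)
{
    return addr >= 0xC0000000u;
}

/* Returns the address to patch, or 0 to abort. */
uint32_t decide_patch(const char *props)
{
    char dev[64], bid[64];
    if (prop_get(props, "ro.product.device", dev, sizeof dev) != 0 ||
        prop_get(props, "ro.build.display.id", bid, sizeof bid) != 0)
        return 0;
    uint32_t addr = lookup_patch_addr(dev, bid);
    if (!addr_is_kernel(addr))
        return 0;
    return addr;
}

int main(void)
{
    uint32_t a = decide_patch(sample_props_mj7);
    if (a)
        printf("Found devicename/buildid match: patching kernel @ 0x%08X\n", a);
    else
        printf("Unsupported build: refusing to patch\n");
    return 0;
}
```

On a device the two strings would come from getprop rather than a buffer, but the decision logic is the same: no row, no write. An unmatched build gets 0, and so does a matched row whose address somehow lands below PAGE_OFFSET.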
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
That's exactly the point of the exploit.
Okay, I thought it was to patch lkmauth; I didn't realize it enabled kernel modules too. I'm combing through the MI9 zImage now.

edit: I don't think I was making myself clear, I mean enable insmod as it's not implemented in N3 kernels.
 

jeboo

Recognized Developer
Apr 2, 2010
Ah, I was wondering what you meant. I haven't looked at how they disabled it.

Sent from my SAMSUNG-SGH-I337 using xda app-developers app
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
If you get any free time and feel up to taking a look, I'm currently uploading the kernel source, which I'll link here. I'm looking through it right now, but I'm not sure what I'm looking for. I can run insmod, and it prompts me to supply a kernel module (.ko), and when you do try one, it'll say "Function not implemented." So it appears it's there; something is just preventing it from running.

I'm setting up a build environment right now, I'm not really prepared to do anything on Windows.
 

Walter.White

Senior Member
Nov 28, 2013
Can't we just enable kernel module support using menuconfig, by changing CONFIG_MODULES=n and CONFIG_MODULE_UNLOAD=n to
CONFIG_MODULES=y and CONFIG_MODULE_UNLOAD=y?

Just a guess.
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
This only works if you're the one compiling the kernel. And in the case of locked devices (newer S4 builds and the N3), we don't build the stock kernel. Samsung does.
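The "Function not implemented" that insmod prints on the N3 is strerror(ENOSYS), the errno the kernel returns for a syscall that was compiled out: with CONFIG_MODULES=n the init_module/finit_module entries are stubbed with sys_ni_syscall, so the call fails before any signature check runs, which is why flipping the config only helps the person who builds the kernel. The following is an added example, not code from this thread or from BypassLKM, that probes the running kernel with an empty module image and classifies the resulting errno so that "no loader at all" is not confused with "loader present but the module was refused". The ENOSYS/EPERM/ENOEXEC/EINVAL rows follow init_module(2); ENOKEY/EBADMSG are the mainline CONFIG_MODULE_SIG codes. What Samsung's lkmauth returns for a rejected module is not established anywhere in this thread, so it deliberately falls under "other".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

enum modload_state {
    MODLOAD_OK,           /* kernel accepted the image */
    MODLOAD_NO_MODULES,   /* ENOSYS: CONFIG_MODULES=n, nothing to bypass */
    MODLOAD_NO_PRIV,      /* EPERM: need CAP_SYS_MODULE */
    MODLOAD_BAD_IMAGE,    /* ENOEXEC/EINVAL: format, vermagic, relocation */
    MODLOAD_SIG_REJECTED, /* ENOKEY/EBADMSG: mainline CONFIG_MODULE_SIG */
    MODLOAD_OTHER         /* anything else, incl. vendor-specific checks */
};

/* Map the errno from init_module(2)/finit_module(2) to a coarse verdict. */
enum modload_state classify_init_module_errno(int err)
{
    switch (err) {
    case 0:       return MODLOAD_OK;
    case ENOSYS:  return MODLOAD_NO_MODULES;
    case EPERM:   return MODLOAD_NO_PRIV;
    case ENOEXEC:
    case EINVAL:  return MODLOAD_BAD_IMAGE;
    case ENOKEY:
    case EBADMSG: return MODLOAD_SIG_REJECTED;
    default:      return MODLOAD_OTHER;
    }
}

const char *modload_describe(enum modload_state s)
{
    switch (s) {
    case MODLOAD_OK:           return "module accepted";
    case MODLOAD_NO_MODULES:   return "kernel built with CONFIG_MODULES=n; no loader to bypass";
    case MODLOAD_NO_PRIV:      return "need CAP_SYS_MODULE (root)";
    case MODLOAD_BAD_IMAGE:    return "image rejected as invalid (format/vermagic)";
    case MODLOAD_SIG_REJECTED: return "signature enforcement rejected the module";
    default:                   return "other failure (vendor check or unexpected errno)";
    }
}

/* Probe with an empty image: returns the errno from init_module(2).
 * On a CONFIG_MODULES=n kernel this is ENOSYS regardless of privilege;
 * on a modular kernel it is EPERM unprivileged or ENOEXEC as root.
 * An empty buffer can never actually load anything. */
int probe_init_module(void)
{
#ifdef __NR_init_module
    if (syscall(__NR_init_module, "", (unsigned long)0, "") == 0)
        return 0;
    return errno;
#else
    return ENOSYS;  /* no syscall number on this platform; treat as absent */
#endif
}

int main(void)
{
    int err = probe_init_module();
    printf("init_module(empty image): %s -> %s\n",
           err ? strerror(err) : "ok",
           modload_describe(classify_init_module_errno(err)));
    return 0;
}
```

Run it as root on the device in question: ENOSYS means the kernel has no module loader and a bypass of the signature check cannot help; ENOEXEC means the loader is present and the next step is to find out why a real .ko is refused.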
 

Walter.White

Senior Member
Nov 28, 2013
Gotcha. I guess then they are just rubbing it in our face by releasing the source code for locked devices. Smh.