[Q] How Root Toshiba Excite Pro AT10LE-A-108

Drahflow

Member, Mar 22, 2021
bf000180 t cleanup_module [sealime]

That's different from my kernel layout, so we'd need to build a different glomus.ko patch. :(

If you are willing to spend a few more hours on this, I'd need the output of
[email protected]:/ # cat /proc/kallsyms | grep register_sealime
[email protected]:/ # cat /proc/kallsyms | grep print_hex_dump

and a copy of your /system/lib/modules/gps_drv.ko

Then I can patch that into a glomus.ko with instructions to dump (via print_hex_dump) the instructions of register_sealime (which you'll need to pull via adb logcat) and then with that info I can prepare a second version of glomus.ko to disable sealime on your device. It'll take a bit of back-and-forth I think, but OTOH you don't need to do any patching on windows.
 

PM128
Member, Jan 3, 2022
It was not so easy, since that shell doesn't have grep. I had to max the term buffer to 9999, then copy the output (it was still truncated) and search in it:
c0857494 r __kstrtab_register_sealime
c08595b2 r __kstrtab_print_hex_dump_bytes
c08595c7 r __kstrtab_print_hex_dump
 

Attachments
  • gps_drv.zip (61.7 KB)
  • Output of cat proc-kallsyms.zip (75.2 KB)

Drahflow
Member, Mar 22, 2021
Unfortunately, those you found are the addresses in the string table which contains the symbol names, i.e. not useful for this.

Does
cat /proc/kallsyms > /data/local/tmp/kallsyms.txt
give you the full list?
 

PM128
Member, Jan 3, 2022
Here you go.
Hmm, I don't know why the addresses are all 0s now. I had the tabby off for a while and now it doesn't boot (stuck in the sparkling stars). I don't even get the temp root # after ./su.
 

Attachments
  • kallsyms.zip (280.4 KB)

PM128
Member, Jan 3, 2022
Since I luckily still have access to the shell while the tabby is stuck on booting, I managed to let the dirtycow chew the system again and got the temp root again. With it I was able to get the complete dump of the kallsyms (had to chown it back to shell since adb pull couldn't get it otherwise). Would it be useful for you now?

c02145c4 t register_sealime
c0252878 T print_hex_dump
c02529a0 T print_hex_dump_bytes

Complete dump is attached.
 

Attachments
  • kallsyms.zip (414.3 KB)
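
As an added example (not code from either poster), here is a small parser for that kallsyms output which makes Drahflow's point above concrete: it drops the __kstrtab_ entries that grep matched in the first dump, keeps only text-section symbols, and flags the all-zero addresses PM128 got when reading the file without root (which is what kptr_restrict typically produces for an unprivileged reader). The sample lines are constructed from the ones quoted in the thread.

```python
import re

# Added example, not code from the thread: read /proc/kallsyms output and tell
# the real function symbols apart from the __kstrtab_ entries that a plain
# grep also returns (those addresses point at the name string, not the code).
KALLSYMS_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

# Export-table bookkeeping symbols: their address is a table slot, never code.
TABLE_PREFIXES = ("__kstrtab_", "__ksymtab_", "__kcrctab_")

def parse_kallsyms(text):
    """Return (address, type, name, module) tuples; module is None for built-ins."""
    entries = []
    for line in text.splitlines():
        m = KALLSYMS_LINE.match(line.strip())
        if m:
            addr, typ, name, module = m.groups()
            entries.append((int(addr, 16), typ, name, module))
    return entries

def addresses_hidden(entries):
    """True when every address reads 0: the kernel (kptr_restrict) hides them
    from an unprivileged reader, which is what the zeroed dump looked like."""
    return bool(entries) and all(addr == 0 for addr, _, _, _ in entries)

def find_code_symbols(entries, needle):
    """Map names containing `needle` to their address, keeping only text-section
    symbols (type t or T) and dropping table entries like __kstrtab_register_sealime."""
    return {name: addr for addr, typ, name, _ in entries
            if needle in name and typ in "tT"
            and not name.startswith(TABLE_PREFIXES)}

# Constructed from lines quoted in the thread.
SAMPLE = """\
c0857494 r __kstrtab_register_sealime
c08595c7 r __kstrtab_print_hex_dump
c02145c4 t register_sealime
c0252878 T print_hex_dump
c02529a0 T print_hex_dump_bytes
bf000180 t cleanup_module [sealime]
"""
# Constructed: what the same lines look like when the addresses are hidden.
HIDDEN = "00000000 t register_sealime\n00000000 T print_hex_dump\n"

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE)
    print(find_code_symbols(syms, "register_sealime"))   # only the real function
    print(addresses_hidden(syms), addresses_hidden(parse_kallsyms(HIDDEN)))
```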

Drahflow
Member, Mar 22, 2021
Please find attached a slightly "improved" version of your gps_drv.ko, which you can use like so:

1. Get temp root
2. Replace (in memory only) the original gps_drv.ko with the new one via dirtycow:
[email protected]:/data/local/tmp # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
3. Load the new gps_drv.ko
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
It should say:
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)

4. Dump the kernel error log and search for the code-dump via glomus (should be near the end)
[email protected]:/data/local/tmp # dmesg

It should look like a bunch of lines like this one:
<3>[ 2669.888648] glomusc02096d0: 00 41 3f e2 00 40 bd e8 20 3a 3a e1 dd aa 27 e3 [email protected]@..(=...0L.

Please copy them into a .txt and upload. Those are the (hex representation of) the init_sealime instructions. I should be able to use those as a template where to reset whatever init_sealime did (most likely by just clearing two pointers at the right address).
 

Attachments
  • dump_memory.zip (63.6 KB)
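
An added example (not the dump_memory.ko author's code) showing how to turn those dmesg lines back into the bytes they encode: it strips the kernel log prefix, ignores the ASCII column (garbled in the quote above anyway), checks that the 16-byte rows are contiguous, and regroups them as little-endian 32-bit words, the form a disassembler wants for the 32-bit ARM kernel in this tablet. The first sample row is the line quoted above; the second row and the noise line are constructed.

```python
import re

# Added example, not code from the thread: pull the print_hex_dump lines that
# dump_memory.ko (the patched gps_drv.ko) writes into the kernel log back into
# one byte buffer. Tolerates the dmesg "<level>[timestamp]" prefix and ignores
# the ASCII column, which the forum software mangled in the quoted line.
HEXDUMP_LINE = re.compile(
    r"^(?:<\d>)?\s*(?:\[\s*[\d.]+\])?\s*glomus([0-9a-f]{8}):\s*"
    r"((?:[0-9a-f]{2}\s?){1,16})"
)

def parse_hexdump(log):
    """Return (start, data, gap): data is the contiguous run of bytes from the
    lowest dumped address upward; gap is the first address that should have
    followed but was missing from the log (None if the dump is complete)."""
    chunks = []
    for line in log.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            chunks.append((int(m.group(1), 16),
                           bytes.fromhex("".join(m.group(2).split()))))
    if not chunks:
        return None, b"", None
    chunks.sort()
    start, out = chunks[0][0], bytearray()
    for addr, data in chunks:
        expected = start + len(out)
        if addr != expected:   # a row was lost in copy-paste or the ring buffer
            return start, bytes(out), expected
        out += data
    return start, bytes(out), None

def arm_words(data):
    """Regroup the bytes as little-endian 32-bit words, the unit a disassembler
    for a 32-bit ARM kernel expects (00 41 3f e2 -> 0xe23f4100)."""
    return [int.from_bytes(data[i:i + 4], "little")
            for i in range(0, len(data) // 4 * 4, 4)]

# Row 1 is the line quoted in the thread; row 2 is constructed to give an
# adjacent 16-byte row, and the last line is noise the parser must skip.
SAMPLE_LOG = """\
<3>[ 2669.888648] glomusc02096d0: 00 41 3f e2 00 40 bd e8 20 3a 3a e1 dd aa 27 e3  .A?..@.. ::..'.
<3>[ 2669.888701] glomusc02096e0: 04 d0 4d e2 00 00 a0 e3 04 d0 8d e2 1e ff 2f e1  ..M.........../.
<6>[ 2669.900000] unrelated kernel message
"""
# Constructed: same rows, but the second one jumped ahead by 16 bytes.
GAPPED_LOG = SAMPLE_LOG.replace("c02096e0", "c02096f0")

if __name__ == "__main__":
    start, data, gap = parse_hexdump(SAMPLE_LOG)
    print(f"{start:08x} {data.hex()} gap={gap}")
    print([f"{w:08x}" for w in arm_words(data)])
```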

PM128
Member, Jan 3, 2022
First of all, thanks so much for your time and dedication to help me.
I pushed the dump_memory.ko into that /data/local/tmp folder (as shell of course; I was wondering if I should have chowned it to root before letting the dirtycow chew it). Got the temp root and issued the command as in 2.) ... didn't get the desired # prompt back even after waiting for like 20 minutes (got stuck on something):
[email protected]:/ # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
/system/bin/sh: ./dirtycow: not found
127|[email protected]:/ # cd /data/local/tmp
o /system/lib/modules/gps_drv.ko <
dcow dump_memory.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x40192000
[*] currently 0x40192000=464c457f
[*] using ptrace method
[*] madvise = 0x40192000 152743
[*] ptrace 0 5
[*] exploited 14500 0x40192000=464c457f
[email protected]:/data/local/tmp # [*] madvise = 0 16777216
[*] exploited 0 0x40192000=464c457f
<--- here it stopped and no further progress
[email protected]:/data/local/tmp # <--- after pressing Enter

So instead of proceeding to step 3.), here is the dmesg output; so far there is no glomus in it. Please note that the tablet is stuck somewhere in the boot process.
 

Attachments
  • dmesg.zip (19.2 KB)

Drahflow
Member, Mar 22, 2021
I'm not exactly sure what's going on in your terminal (I think it didn't like to display one of the longer commands and the display / copy-paste got jumbled somewhat after that). But otherwise everything seems fine. Maybe it'll be better if you use a wider terminal, but no idea.
Anyway... Please redo step 2 (as soon as Enter gets you a new prompt it's done; no need to wait 20 minutes) and then proceed to steps 3 and 4. That the tablet is stuck somewhere in UI startup shouldn't matter.
 

PM128
Member, Jan 3, 2022
My Win terminal/cmd has 132 chars width; it must be some limitation either by adb or the shell of the device, but this doesn't really matter since the command is always taken.
I tried to redo step 2.) after I got the prompt by pressing Enter several times; see the attached log of my attempts. So then step 2.) seemed to get through, giving me the prompt, but then at step 3.) the whole tablet froze hard. I had to kill the terminal and do a hard reset of the tablet since the sparkling stars froze too. Tried the whole procedure again after the half boot... total freeze at step 3.) 😰
I am afraid that if I tried to do a factory reset of the tablet in recovery mode I might lose the settings for USB debugging (the adb gateway into the device) and the tablet would become a completely inaccessible dead brick.
Do you still have the energy to continue? Doesn't have to be today...
 

Attachments
  • procedure attempts failing log.txt (5 KB)

Drahflow
Member, Mar 22, 2021
Sorry, I fear I confused the versions of the .ko file between my device and the new development for yours. Could you kindly retry step 3 with the attached .ko?

And indeed, DO NOT factory reset. There is nothing to be gained and potentially the adb access to be lost.
 

Attachments
  • dump_memory.zip (63.6 KB)

PM128
Member, Jan 3, 2022
Eureka! :D I finally got the desired message about 'Identifier removed'. So here are the kernel messages, attached. There are 16 lines with glomus in them.
 

Attachments
  • dmesg.zip (14.2 KB)

Drahflow
Member, Mar 22, 2021
Perfect! Based on this, I prepared a glomus.ko for your (and I sure hope all) at300se.

It should work like this:
1. Get temp root
2. Replace (in memory only) gps_drv.ko with glomus.ko
[email protected]:/data/local/tmp # ./dirtycow glomus.ko /system/lib/modules/gps_drv.ko
3. Load replaced driver
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
Should again complain about "Identifier removed."
4. Try to mount /system read-write
[email protected]:/data/local/tmp # mount -o remount,rw /system
5. Enjoy your new power to modify the system image any way you like. (No replacing the kernel though, as I said initially.)
 

Attachments
  • glomus.zip (63.6 KB)

PM128
Member, Jan 3, 2022
Thank you for the glomus.ko. But it seems there is still no victory today. The system freezes again at step 4.):

stem/lib/modules/gps_drv.ko <
dcow glomus.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x4013a000
[*] currently 0x4013a000=464c457f
[*] using ptrace method
[*] madvise = 0x4013a000 152743
[*] ptrace 0 4
[*] exploited 537 0x4013a000=464c457f
[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp # [*] madvise = 0 16777216 <--- wonder what output of some running process this is
[*] exploited 0 0x4013a000=464c457f

[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)
255|[email protected]:/data/local/tmp #
255|[email protected]:/data/local/tmp #
255|[email protected]:/data/local/tmp # mount -o remount,rw /system
[email protected]:/data/local/tmp # <--- system freezes no prompt back no Enter
 

Drahflow
Member, Mar 22, 2021
Now that is sad. :( It *could* be that something else entirely is wrong with your tablet (e.g. it dies upon remounting the filesystem due to corruption or problems with the flash chip), but how likely is that?

Can you do other sealime-restricted operations, e.g.
[email protected]:/data/local/tmp # cp /modules/sealime.ko /data/local/tmp/

Test before and after loading glomus.ko. Without it loaded, it should give you a permission denied error, with glomus.ko loaded, it should work (and not freeze the tablet). If it still freezes, something has changed in how sealime can be unregistered between the at300se and the excite pro.

Even in that case, don't declare the tablet useless yet, someone posted a cheap at300se on ebay a few days ago so I can test locally.
 

PM128
Member, Jan 3, 2022
It didn't freeze the tablet, but both ways, before and after, it's the same: Operation not permitted. The 'cp' command is not recognized by the shell, so I tried to use 'dd' instead; see the attached log. My knowledge of Linux is very limited.
If you could find a solution so that I could at least have it bootable again, I would be so thankful. I understand it might take a longer time, but I guess I am not the only one who has successfully bricked the AT300SE device, so it would help the community as well.
 

Attachments
  • procedure log 20220112_1.zip (639 bytes)

PM128
Member, Jan 3, 2022
You are right, when I look back on that txt file that I created from some cut-off parts of the terminal window. But it may also be that Dr. Alzheimer suddenly called me, interrupting my work :rolleyes:, as he usually starts bugging me already at my age :D.
Anyway, I tried again today (hopefully all the steps); it didn't freeze, but 'Operation not permitted' :cry:
I am still wondering if the dirtycow chews the system successfully. Why do some messages still come up within like 10~15 secs after it already gave the # prompt? At that moment the prompt disappears until I press Enter again. Strange, what is it doing? As if the sealime would still win the race over the dirty cow...
 

Attachments

  • procedure log 20220113.zip
    929 bytes · Views: 2

Drahflow
Member, Mar 22, 2021
I read your last procedure log. Did you dcow the dump_memory.ko, maybe? You need to dcow the glomus.ko (and only that).

I.e.

1. Get temp root
2. dcow glomus.ko /system/lib/modules/gps_drv.ko
3. insmod /system/lib/modules/gps_drv.ko
4. Try some restricted operation: E.g. dd if=/modules/sealime.ko of=/data/local/tmp/sealime.ko

(Wouldn't hurt to have an adb logcat running in parallel to some other window, maybe we can still see some errors if it freezes again.)
 

PM128
Member, Jan 3, 2022
Hi Drahflow, thank you for your persistence; I thought you had given up on it. I did indeed dcow the dump_memory.ko, which came as the instruction in your Post#127. So now I tried to dcow the glomus.ko and managed to get the sealime.ko module (see attached). The adb logcat runs constantly in the second terminal, so I just copied some excerpts from it, since it overwrites the buffer and runs and runs, mostly with Fatal error 11.
 

Attachments
  • procedure log 20220129.txt (4.3 KB)
  • logcat running constantly 20220129.zip (6 KB)
  • sealime.zip (17 KB)