geohot / freethedsp

For winners only. Are you a winner?

How may I determine patching parameter? #2

Open name-taken opened 5 years ago

name-taken commented 5 years ago

I compiled the .so file successfully. However, that doesn't seem to work. I think maybe it's the wrong parameter for patching the fastrpc_shell_0. Would you please tell me how to determine the patching parameter? Thanks~~

original code listed:

#define PATCH_ADDR 0x5200c                 // offset of the instruction word to patch in fastrpc_shell_0
#define PATCH_OLD "\x40\x3f\x20\x50"       // bytes expected at PATCH_ADDR before patching
#define PATCH_NEW "\x40\x3f\x00\x5a"       // bytes written in their place
#define PATCH_LEN (sizeof(PATCH_OLD)-1)    // length of the string literal without its NUL

Ristovski commented 3 years ago

You will have to reverse engineer your phone's fastrpc_shell_0 and find the check.

Example for MSM8953 - Motorola Potter (relevant line highlighted, taken from Cutter): [image]

The patch in this case would be:

#define PATCH_ADDR 0x30410 // MSM8953 - potter
#define PATCH_OLD "\x14\xc0\x40\x10" // p0 = cmp.eq (R0, 0x0) ; if (!p0.new) jump:nt 0x28
#define PATCH_NEW "\x14\xc0\x00\x10" // p0 = cmp.eq (R0, 0x0) ; if (p0.new) jump:nt 0x28
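The three PATCH_* values above only make sense for the exact fastrpc_shell_0 they were taken from, which is why "compiled fine but doesn't seem to work" is the usual symptom of a wrong address. The following is an added example, not code from the freethedsp repository or from anyone in this thread: a small patcher that refuses to write unless the bytes at PATCH_ADDR are exactly PATCH_OLD, so a mismatched image produces an explicit error instead of a silently corrupted word. The image buffer is constructed test data, not a real fastrpc_shell_0; the address and bytes are Ristovski's MSM8953 values, and the second address used as a negative case is the one from the original macros. Finding the right address for another SoC still requires reversing the binary as described above; this code only checks the result of that work.

```c
/* Added example: a verify-before-write patcher for the PATCH_* scheme.
 * Not part of freethedsp. The image below is constructed test data. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define PATCH_ADDR 0x30410                  /* MSM8953 - potter (Ristovski) */
#define PATCH_OLD  "\x14\xc0\x40\x10"       /* if (!p0.new) jump:nt 0x28 */
#define PATCH_NEW  "\x14\xc0\x00\x10"       /* if (p0.new) jump:nt 0x28  */
#define PATCH_LEN  (sizeof(PATCH_OLD) - 1)  /* string literal minus NUL */

#define OTHER_ADDR 0x5200c                  /* address from the original macros */

/* Distinct results so a caller can tell why a patch was refused. */
enum patch_result {
    PATCH_OK = 0,
    PATCH_ALREADY = 1,        /* new bytes already present: nothing to do */
    PATCH_ERR_BOUNDS = -1,    /* addr + len runs past the end of the image */
    PATCH_ERR_MISMATCH = -2   /* bytes at addr are not the expected old bytes */
};

/* Patch `len` bytes at `addr` in `img`, but only if the bytes currently
 * there are exactly `old`. On an image from a different SoC or firmware
 * build the comparison fails and nothing is written. */
static int apply_patch(unsigned char *img, size_t img_len, size_t addr,
                       const unsigned char *old, const unsigned char *replacement,
                       size_t len)
{
    if (addr > img_len || len > img_len - addr)
        return PATCH_ERR_BOUNDS;
    if (memcmp(img + addr, replacement, len) == 0)
        return PATCH_ALREADY;
    if (memcmp(img + addr, old, len) != 0)
        return PATCH_ERR_MISMATCH;
    memcpy(img + addr, replacement, len);
    return PATCH_OK;
}

/* Constructed image: zero-filled, with the expected instruction word planted
 * at PATCH_ADDR. Large enough that OTHER_ADDR is in bounds but unpatched.
 * Caller frees. */
static unsigned char *make_test_image(size_t *out_len)
{
    size_t len = 0x60000;
    unsigned char *img = calloc(len, 1);
    if (!img)
        return NULL;
    memcpy(img + PATCH_ADDR, PATCH_OLD, PATCH_LEN);
    *out_len = len;
    return img;
}

/* Run the patcher through the cases a practitioner hits in practice and
 * return how many behaved as expected (4 when everything is right). */
static int run_checks(void)
{
    const unsigned char *old = (const unsigned char *)PATCH_OLD;
    const unsigned char *rep = (const unsigned char *)PATCH_NEW;
    size_t len;
    unsigned char *img = make_test_image(&len);
    int ok = 0;
    if (!img)
        return -1;

    /* 1. correct address and bytes: patched */
    ok += apply_patch(img, len, PATCH_ADDR, old, rep, PATCH_LEN) == PATCH_OK
          && memcmp(img + PATCH_ADDR, PATCH_NEW, PATCH_LEN) == 0;
    /* 2. running the patcher twice is harmless */
    ok += apply_patch(img, len, PATCH_ADDR, old, rep, PATCH_LEN) == PATCH_ALREADY;
    /* 3. address for a different image: old bytes don't match, refused */
    ok += apply_patch(img, len, OTHER_ADDR, old, rep, PATCH_LEN) == PATCH_ERR_MISMATCH;
    /* 4. address too close to the end of the file: refused before any read */
    ok += apply_patch(img, len, len - 2, old, rep, PATCH_LEN) == PATCH_ERR_BOUNDS;

    free(img);
    return ok;
}

int main(void)
{
    printf("checks passed: %d of 4\n", run_checks());
    return 0;
}
```

To use it against a real file, read fastrpc_shell_0 into a buffer, call apply_patch with your own PATCH_* values, and treat anything other than PATCH_OK or PATCH_ALREADY as "wrong parameters for this image" rather than writing the file back.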
anonymix007 commented 5 months ago

@Ristovski can you upload your fastrpc_shell_0 here? I don't see similar code in mine (SM8550), but there's an is_test_enabled function. Will it be enough to patch it so that it'll always return 0xFFFFFFFF? Is this exploit even working for newer SoCs? I don't necessarily need to run arbitrary code on ADSP, just newer versions of libraries from SM8650.

Ristovski commented 5 months ago

@anonymix007 You are lucky my Motorola potter is still alive and kicking ;), here you go - fastrpc_shell.zip

Three years is a long time and I no longer remember the details, but hopefully this file will be enough to help.

I believe the exploit has been fixed on newer SoCs, but I haven't seen any definitive proof.. perhaps I should find some time to take a look at the fastrpc_shell_0 of my new sm7325 device..

terafo commented 5 months ago

@anonymix007 after looking at fastrpc_shell_0 on SDM845, I think this exploit is no longer viable. Maybe delivery method still works and there is a possibility to figure this out, but it's definitely not as easy as changing address. TBH running unsigned code is easier since hexagon allows for sandboxed unsigned code to be run for ~5 years now, but that doesn't affect system libraries.

anonymix007 commented 5 months ago

@terafo that's unfortunate. Well, for me running unsigned code is not an option. I needed to run newer versions of libaptXAdaptiveEnc3.so and spf-aptx-adaptive3-ble-enc.so.1. I can't find how exactly they are called, so it's not easy to run them on cDSP.