polygraphene / DirtyPipe-Android

Dirty Pipe root exploit for Android (Pixel 6)

Sony Xperia 5 III (XQ-BQ62) #6

Closed DanaGoyette closed 2 years ago

DanaGoyette commented 2 years ago

I just got this phone, and it has an unlockable bootloader, but when you unlock it, it wipes some keys from the TA partition (/dev/block/by-name/TA). So, I'd like to get root just so I can make an image of that partition before I unlock it at some later date. Does that lessen the amount of work needed for temp root?

I haven't applied the Android 12 update yet, in case I need to install a specific version.

Product=XQ-BQ62 Fingerprint=Sony/XQ-BQ62/XQ-BQ62:11/61.0.A.15.45/061000A015004501036498572:user/release-keys Linux localhost 5.4.61-qgki-00383-g28c708f29a48 #1 SMP PREEMPT Tue Sep 28 20:31:15 JST 2021 aarch64

https://developer.sony.com/file/download/open-source-archive-for-61-0-a-15-45/

Results of the xxd and grep from the S22 ticket, cropped to those that match:

```text
for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
vendor/lib/libSForceVSE.so
00001000: 5f53 466f 7263 655f 4150 4450 3441 5044  _SForce_APDP4APD
vendor/lib/libacdbrtac.so
00001000: 5f5f 7562 7361 6e5f 6861 6e64 6c65 5f62  __ubsan_handle_b
vendor/lib/libadreno_utils.so
00001000: 5f6d 696e 5f6c 696e 655f 6f66 6673 6574  _min_line_offset
vendor/lib/libaudioalsa.so
00001000: 5f75 6273 616e 5f68 616e 646c 655f 6675  _ubsan_handle_fu
vendor/lib/libaudioconfigstore.so
00001000: 5f74 7265 6549 4e53 5f31 325f 5f76 616c  _treeINS_12__val
vendor/lib/libchilog.so
00001000: 5f70 6f73 6974 6976 655f 6d69 6e69 6d61  _positive_minima
vendor/lib/libcirrusspkrprot.so
00001000: 5f6d 696e 696d 616c 5f61 626f 7274 005f  _minimal_abort._
vendor/lib/libgpu_tonemapper.so
00001000: 5f00 5f5a 3230 656e 6769 6e65 5f64 656c  _._Z20engine_del
vendor/lib/libipebpsstriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libipebpsstriping170.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libjni_mfnrutil.so
00001000: 5f5f 7374 6163 6b5f 6368 6b5f 6661 696c  __stack_chk_fail
vendor/lib/libloc_socket.so
00001000: 5f31 3230 5f5f 7368 6172 6564 5f70 7472  _120__shared_ptr
vendor/lib/libmmcamera_lscv35.so
00001000: 5f75 7500 4373 7562 3634 5f73 7500 4373  _uu.Csub64_su.Cs
vendor/lib/libops.so
00001000: 5f61 626f 7274 005f 5f75 6273 616e 5f68  _abort.__ubsan_h
```

DanaGoyette commented 2 years ago

Wait, this kernel is probably just plain too old to even be vulnerable. I'll have to see if there's a version that is vulnerable, and maybe take the topic to a forum instead.

polygraphene commented 2 years ago

Linux 5.4 is definitely not vulnerable. It must be 5.8 and above.
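
As an added example (not from this thread or the DirtyPipe-Android project), a small Python triage check that pulls the kernel version out of a `uname -a` line like the one DanaGoyette posted and applies polygraphene's 5.8 lower bound. The fix versions in `FIXED_IN` are the upstream stable releases that closed the bug, which this thread does not mention; vendor kernels can carry backports, so a version match is a first pass, not proof either way.

```python
import re

# The bug was introduced in 5.8 (the bound polygraphene gives above) and fixed
# in these upstream stable releases; the fix numbers are not from this thread.
FIRST_AFFECTED = (5, 8, 0)
FIXED_IN = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}


def parse_kernel_version(text):
    """Return (major, minor, patch) from a `uname -a` or `uname -r` string.

    Takes the first dotted x.y.z triple. In the fingerprint line from the
    thread that is the 5.4.61 after 'Linux localhost', not the 61.0.A.15.45
    firmware build, whose third field is not numeric.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError("no kernel version in: %r" % text)
    return tuple(int(x) for x in m.groups())


def dirty_pipe_status(text):
    """Classify a kernel by version alone: not affected / affected / patched."""
    ver = parse_kernel_version(text)
    if ver < FIRST_AFFECTED:
        return "not affected (predates 5.8)"
    fixed = FIXED_IN.get(ver[:2])
    if fixed is not None:
        # Same stable branch as a fix release: compare the patch level.
        return "patched" if ver >= fixed else "affected"
    if ver[:2] > max(FIXED_IN):
        # 5.17 and later were released after the fix landed.
        return "not affected (released with the fix)"
    # 5.8, 5.9 and 5.11-5.14 were end-of-life before the fix shipped, so no
    # stable release of those branches carries it.
    return "affected"


if __name__ == "__main__":
    # Constructed sample: the uname portion of the line posted in this issue.
    sample = ("Linux localhost 5.4.61-qgki-00383-g28c708f29a48 #1 SMP PREEMPT "
              "Tue Sep 28 20:31:15 JST 2021 aarch64")
    print(parse_kernel_version(sample), dirty_pipe_status(sample))
```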

DanaGoyette commented 2 years ago

Even with the Android 12 update applied, it's still on 5.4, so it may be best to just close this as invalid/infeasible. I hope I can find some other exploit to use to get root and back up that partition.