quarkslab / titanm

This repository contains the tools we used in our research on the Google Titan M chip
Apache License 2.0

leak.sh doesn't work #2

Closed NewDwarf closed 2 years ago

NewDwarf commented 2 years ago

On attempt to run the leak.sh script, I get:

blueline:/data/local/tmp # ./leak.sh brom
Unable to stop service 'vendor.citadeld'
See dmesg for error reason.
Failed, retry index 0
Failed, retry index 0
Failed, retry index 0
...

The problem is that citadeld cannot be stopped by the 'stop vendor.citadeld' command. dmesg reports: init: Unable to set property 'ctl.stop' from uid:0 gid:0 pid:11245: Invalid permissions to perform 'stop' on 'vendor.citadeld'

Attaching the GDB debugger to the init process (PID 1) and hooking the

bool CheckControlPropertyPerms(const std::string& name, const std::string& value,
                               const std::string& source_context, const ucred& cr)

function so that it returns 1 helps to stop the citadeld process. I am using Android version 11.0.0 (RQ3A.211001.001, Oct 2021). Which Android version did you use to run the dumping script?

max-r-b commented 2 years ago

How did you root your device? Did you try to disable SELinux?

$ setenforce 0
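
The two comments above describe one failure mode: init refuses the `ctl.stop` control property for `vendor.citadeld`, logs the denial to dmesg, and the first thing to check is whether SELinux is enforcing. The script below is an added example, not code from the quarkslab/titanm repository or from either commenter. It extracts the refused service name from dmesg-style lines with the exact message quoted in the issue, reads the SELinux mode from the `enforce` file the kernel exposes (the path defaults to `/sys/fs/selinux/enforce` but is a parameter so it can be pointed at a constructed file), and combines both into a verdict. The sample dmesg lines are constructed for the example; the function names (`refused_stops`, `selinux_mode`, `diagnose`) are assumptions of this example, not part of leak.sh.

```sh
#!/bin/sh
# Added example: explain a refused `stop <service>` on an Android device.
# Not part of the quarkslab/titanm tools. POSIX sh, runs on a host with the
# constructed sample input below; point it at a real dmesg capture on-device.

# Constructed sample dmesg output, modelled on the message quoted in the issue.
sample_dmesg() {
cat <<'EOF'
[  123.456] init: Unable to set property 'ctl.stop' from uid:0 gid:0 pid:11245: Invalid permissions to perform 'stop' on 'vendor.citadeld'
[  124.000] init: starting service 'vendor.citadeld'...
EOF
}

# Print the service names for which init refused a 'ctl.stop' with
# "Invalid permissions" (the CheckControlPropertyPerms path). Reads stdin.
refused_stops() {
    sed -n "s/.*init: Unable to set property 'ctl.stop' .*Invalid permissions to perform 'stop' on '\([^']*\)'.*/\1/p"
}

# Report the SELinux mode the kernel exposes: enforcing, permissive or unknown.
# Argument: path of the 'enforce' file (default: the real one on the device).
selinux_mode() {
    f=${1:-/sys/fs/selinux/enforce}
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    case $(cat "$f") in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Combine both signals into one verdict.
# Arguments: refused service name (may be empty), SELinux mode string.
diagnose() {
    svc=$1
    mode=$2
    if [ -z "$svc" ]; then
        echo "no refused ctl.stop in dmesg"
    elif [ "$mode" = enforcing ]; then
        echo "init refused to stop $svc with SELinux enforcing: try 'setenforce 0' and retry"
    else
        echo "init refused to stop $svc although SELinux reports $mode: check whether the reported mode matches the kernel's real state"
    fi
}

# Usage: ./diagnose_stop.sh [dmesg_capture] [enforce_file]
# With no arguments the constructed sample and the real enforce path are used.
main() {
    if [ -n "${1:-}" ]; then
        svc=$(refused_stops < "$1" | head -n 1)
    else
        svc=$(sample_dmesg | refused_stops | head -n 1)
    fi
    mode=$(selinux_mode "${2:-}")
    diagnose "$svc" "$mode"
    return 0
}

main "$@"
```

On a device, run it as `./diagnose_stop.sh <(dmesg)` or first save `dmesg > /data/local/tmp/dmesg.txt` and pass that file; the `enforce` file is only readable with sufficient privileges, so an `unknown` result from an unprivileged shell is expected rather than a sign of a patched kernel.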

NewDwarf commented 2 years ago

Perfect. It seems I know the reason for that behaviour. The device is "rooted" directly in the kernel; to avoid exposing this state, I modified the kernel to always report via procfs that SELinux is in the enforcing state. I use an approach similar to https://git.zx2c4.com/kernel-assisted-superuser/tree/ with more modifications required for my case.

max-r-b commented 2 years ago

Good to know, this is interesting.

NewDwarf commented 2 years ago

Closing this ticket as the reason is clear now.