tothi / usbgadget-tool

Dumb USB HID gadget creator for Android (for triggering device driver install on Windows for LPE)

Out of memory error on attempting to create /sys/kernel/config/usb_gadget/pwn_hid_install #2

Open wdormann opened 3 years ago

wdormann commented 3 years ago

On a Pixel 2 (walleye) device running the latest LineageOS 18.1 build, here's the output from running the tool:

walleye:/data/local/tmp # ./usbgadget-tool.sh

| | (_  |_)  _   _.  _|  _   _ _|_ 
|_| __) |_) (_| (_| (_| (_| (/_ |_ 
             _|          _|        
v0.1

USB gadget generator for HID devices using ConfigFS

WARNING: experimental version, may crash the phone!!!

Inspired by vulnerable device driver package
installers allowing LPE attack on Windows

[*] Checking root...OK.

Select HID dev to mimic (with confirmed LPE vuln):

  1: Razer Turret for Xbox One
       (USB/VID_1532&PID_023E&MI_02)
  2: SteelSeries Apex Mechanical Gaming Keyboard
       (USB/VID_1038&PID_1200&MI_01)

  C: Custom

> 1

[*] Using Product String:
  fake Razer Turret for Xbox One
[*] Using Hardware Id:
  USB/VID_1532&PID_023E&MI_02

[+] (Re)mounted ConfigFS
mkdir: '/sys/kernel/config/usb_gadget/pwn_hid_install': Out of memory
./usbgadget-tool.sh[109]: cd: /sys/kernel/config/usb_gadget/pwn_hid_install: No such file or directory
[!] Problem with usb_gadget in ConfigFS. Aborting.

1|walleye:/data/local/tmp # uname -a
Linux localhost 4.4.223-lineage-g138879d #1 SMP PREEMPT Tue Aug 24 07:35:43 UTC 2021 aarch64

Relevant dmesg output:

[  488.224616] sysfs: cannot create duplicate filename '/devices/virtual/android_usb/android0'
[  488.224663] ------------[ cut here ]------------
[  488.224679] WARNING: at ../../../../../../kernel/google/wahoo/fs/sysfs/dir.c:31
[  488.224692] Modules linked in:
[  488.224710] 
[  488.224733] CPU: 6 PID: 4605 Comm: mkdir Not tainted 4.4.223-lineage-g138879d #1
[  488.224747] Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
[  488.224762] task: 0000000000000000 task.stack: 0000000000000000
[  488.224805] PC is at sysfs_create_dir_ns+0xc8/0xf0
[  488.224820] LR is at sysfs_create_dir_ns+0xc8/0xf0
[  488.224832] pc : [<ffffff84a7272eac>] lr : [<ffffff84a7272eac>] pstate: 60400145
[  488.224842] sp : ffffffd32fe9b9b0
[  488.225922] 
[  488.225934] ---[ end trace ed4ec29136517cf8 ]---
[  488.225948] Call trace:
[  488.226123] [<ffffff84a7272eac>] sysfs_create_dir_ns+0xc8/0xf0
[  488.226146] [<ffffff84a739c1f0>] kobject_add_internal+0x18c/0x4ac
[  488.226161] [<ffffff84a739b42c>] kobject_add+0xe0/0x114
[  488.226183] [<ffffff84a768e474>] device_add+0x190/0x808
[  488.226200] [<ffffff84a768fa88>] device_create_groups_vargs+0x150/0x1a8
[  488.226212] [<ffffff84a768fb5c>] device_create+0x7c/0xa4
[  488.226232] [<ffffff84a784ce9c>] gadgets_make+0x1b8/0x244
[  488.226247] [<ffffff84a7274fe4>] configfs_mkdir+0x144/0x3c8
[  488.226266] [<ffffff84a71f9bb8>] vfs_mkdir2+0xac/0x120
[  488.226280] [<ffffff84a71f9cec>] SyS_mkdirat+0x9c/0x14c
[  488.226300] [<ffffff84a7083ab0>] el0_svc_naked+0x24/0x28
[  488.226318] kobject_add_internal failed for android0 with -EEXIST, don't try to register things with the same name in the same directory.
[  488.227760] init: DM_DEV_STATUS failed for system: No such device or address
[  488.227789] init: DM_DEV_STATUS failed for vroot: No such device or address
[  488.228895] init: DM_DEV_STATUS failed for system: No such device or address
[  488.228922] init: DM_DEV_STATUS failed for vroot: No such device or address
[  488.230078] init: DM_DEV_STATUS failed for system: No such device or address
[  488.230106] init: DM_DEV_STATUS failed for vroot: No such device or address
[  488.231218] init: DM_DEV_STATUS failed for system: No such device or address
[  488.231299] init: DM_DEV_STATUS failed for vroot: No such device or address
[  488.232428] init: DM_DEV_STATUS failed for system: No such device or address
[  488.232455] init: DM_DEV_STATUS failed for vroot: No such device or address
[  488.237441] init: DM_DEV_STATUS failed for system: No such device or address
[  488.237473] init: DM_DEV_STATUS failed for vroot: No such device or address

ghost commented 3 years ago

Same here.