Vivo X80 Pro Dimensity Edition Failed #1
PD2186:/ $ LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1
Failed on dev_config_init:1341

Phone details:
Vivo X80 Pro Dimensity Edition
[ro.build.fingerprint]: [vivo/PD2186/PD2186:12/SP1A.210812.003/compiler09052332:user/release-keys]

Patch Date:
[persist.vendor.connsys.patch.version]: [-1]
[ro.build.version.security_patch]: [2022-08-01]
[ro.vendor.build.security_patch]: [2021-12-05]

EDIT: I found out that we need to modify dev_config.h
Failed on dev_config_init:1341

Comments

After getting stuck at the first attempt: adb logcat -s BADSPIN
05-22 21:33:34.654 11258 11258 I BADSPIN : ==========================================

It looks like the second attempt succeeded (shaping + vulnerability + found corrupted pipe), which is good news. For the rest of the exploit to work you will probably need to do some adjustments. In particular, the function to_lm(), which converts a kernel pointer to the linear mapping, will need to be modified. (If the Vivo device behaves like the Pixel 6 (has no physical KASLR), then the change should be trivial.) Also, the way the kernel base is found might need some modification. (Currently the kernel base is found by scanning for kallsyms for the Pixel 6.) Pro tip: consult /proc/iomem.

Yeah, the main issue is that we can't use cat /proc/iomem; it only returns permission denied. Neither is source code available for the device. I'm not 100% sure if we use KASLR either.

I see. Try assuming it's like the Pixel 6 in to_lm() and other places (look for is_device("Google Pixel 6")); it might just work out of the box.

I'll give you an output of the log with verbose attached (since the last two weren't with verbose enabled). It seems like we also get monitor_thread_a: Found dead binder (cookie = 0x5858585858585858) at the beginning, then it seems to disappear.

Once it has found the corrupted pipe it should work deterministically from that point onwards. You probably need to change the conversion to the linear mapping, as I said earlier.

@0xkol I'm not really sure what you mean by it. If it cannot be done from cat /proc/iomem, is there any other way to get it? Can we get it from kallsyms?

Hi, please try the new version with the function pointers.

Yeah, it still crashes. It tries to trigger the exploit and dies. I'm unsure if it can be due to Vivo actually having security measures regarding root. Can that be the issue?

Sorry, I don't own such a device, so there's nothing more I can do remotely.

Well, at least you have done your part trying to help. I'll try to look into it when I have time. I have another phone I can try this on. I've heard Vivo does block root through the kernel, especially the su command, but who knows; I might try to log while running the exploit and see if I can get any more info. Thanks for taking your time 🙏