Port exploit to Realme GT2 Pro #12
Comments
BTW I also tried to use
The ROM build date is
Check if mymod.ko is properly loaded, e.g. remove the code from mymod_init and put log output like the following:
Perhaps you can use kernel code from Pixel 6.
Just tried and unfortunately I can't see
You still see rebooting after the exploit? pr_info writes to dmesg instead of logcat.
Yes, it still reboots. Didn't know that pr_info wrote to dmesg.
It shouldn't reboot if the module is properly loaded. Perhaps there is an issue before loading the module. DirtyPipe-Android/modprobe-payload.c Line 68 in ca23ffb
In addition, can you obtain the kernel module for the device from the firmware?
Sorry, I made a mistake. After replacing
And it goes on until I reboot.
That's good. It means the rebooting was caused by the code to set up the permissive domain. DirtyPipe-Android/mymod/mymod.c Line 156 in ca23ffb
As I understand, finit_module is setting errno to
EDIT2: The symbol version hashes take precedence over vermagic, and they seem to match, so this is not the problem.
After a lot of tries, I boiled the issue down to this line: DirtyPipe-Android/mymod/mymod.c Line 203 in ca23ffb
Finally found out the problem, by a lot of trial and error. Well, almost everything worked: now I can't get root access. Magisk simply logs
I created #13 with the changes I made to make it work on my device. It simply generates a smaller file and avoids putting important stuff at offset 0x2000. On my device it even works with
As for Magisk not granting root, still no success. I also did a factory reset but nothing changed.
Congrats! 👍 For the Magisk issue, try the following checks.
Magisk is installed, both apps and adb can access root, and magiskd is running. I cannot see the logs since
I filtered only what I thought was relevant from the log. Needless to say, no reverse shell connected.
EDIT: As I understand, it should be EAGAIN/EWOULDBLOCK. Maybe it's a socket failure.
I don't know if DirtyPipe-Android/startup-root Line 67 in fb05d53
then run busybox telnet 127.0.0.1 10848 to access the root shell.
The Magisk setup is very hacky and may be unstable. Try telnetd first.
I can get a root shell by using telnet, so it's really something with the Magisk initialization.
Can you see Magisk's log?
This is the only thing in Magisk log:
How can I strace su and/or magiskd?
Here is the output of
Sorry for the late response. Did you solve the issue? According to the log,
Check to see if
When I developed the Magisk installation script, I encountered a similar problem. I got the following error when running `am start` having an invalid mount namespace.
The following line should fix the issue by entering the proper mount namespace and then launching magiskd. It may not work for some reason. DirtyPipe-Android/startup-root Line 84 in fb05d53
When
In addition, check the logcat output for the crash log of
Unfortunately, I don't think I can test anymore. My whole point was to just change a ro property and trick the official app into allowing me to unlock the bootloader, and it worked. So basically I just installed Magisk the regular way. That's a shame because I really wanted to help port the exploit to more devices.
Permanent root is better than temporary Magisk, because it is hacky and unstable. The main goal of this exploit is a temporary root shell. It doesn't matter whether temp Magisk is working or not for unlockable devices.
Hi, I tried to run the exploit on a Realme GT2 Pro without success.
I modified the run file, adding -f /vendor/lib/libdrmfs.so (one of the libraries with 0x5F at offset 0x1000), but the phone reboots. This is the script output:
I think this is a problem with the included mymod.ko. Unfortunately Realme hasn't released the kernel sources yet. Do you think there's another way around? Thank you.