abcz316 / skroot-linuxkernelroot

Next-generation SKRoot: takes on every root-detection technique out there. A completely different approach from Magisk that sheds the weak points by which Magisk gets detected and hides the root capability completely. SELinux never needs to be paused at any point, achieving true 0% contact with SELinux. Highly generic: works on all kernels, needs no kernel source, patches the kernel binary directly, is compatible with direct JNI calls from Android apps, and is stable, smooth and crash-free.

Makefile 0.32% C++ 85.78% C 0.21% Java 12.96% CMake 0.73%

skroot-linuxkernelroot's People

Contributors

abcz316

skroot-linuxkernelroot's Issues

Nexus 6P: boots normally after patching per the readme, but su cannot be installed/deployed

Hi, my device is a Nexus 6 (Android 8.1). After patching the kernel per the readme it boots normally, but rooting does not seem to have succeeded. Debugging the source code shows this error:
create_su_hide_folder error:/data/local/tmp/su_40ab264ef2659a3da13690e41d41a8274c9cc1086dfd016989de0561fc61a4d47bec2d5094d9125e98db3c4785e61c54ae22628934aa30478ec301759b33ba3b5b9bd21fbb2ca823bd13699dc0294ab5c2/

Uploading two kernel files.
The files inside are:
kernel_core_rebuild, the kernel file after running patch_kernel_root,
kernel_core_bak, the original kernel file
kernel_core_rebuild.zip
patch_kernel_root steps; I am not sure whether these function entries and offsets are correct (I located them using the screenshots in the issue "Unable to determine the cred offset for a very old kernel"):
Enter the entry address of the do_execve function:
0x291dbc
Enter the entry address of the avc_denied function:
0x37bc34
Enter the hex offset of cred in task_struct (visible in proc_pid_status):
0x4e8
Enter the hex offset of seccomp in task_struct (visible in proc_pid_status):
0x940
Auto-generate a random ROOT key? (1 = yes; 2 = no):
1

Unable to determine the cred offset for a very old kernel

Hi, my device is a Xiaomi Mix 2, kernel linux4.4.153-perf+, aarch64. The boot was obtained by decompressing; IDA loads it at start address FFFFFF8008080000.
boot.zip
Searching IDA for the function do_execve gives entry address FFFFFF80081C83F4 (minus the start address: 0x1483f4).
Searching IDA for the function avc_denied gives entry address FFFFFF80082E20D0 (minus the start address: 0x2620d0).
Searching for task_struct did not give me the cred offset I wanted; dragging the kernel onto the tool gave no result; and from the pseudocode of the proc_pid_status function I still cannot get the Uid value, though I can get the seccomp value (0x858).
I tested some reasonable guesses for the cred value, but the phone would not boot normally.

Could you please look at why do_execve cannot be found in my kernel?

Hi, the attachments are at:
123pan: https://www.123pan.com/s/w51tVv-QGe6d.html
google: https://drive.google.com/file/d/15X6V9_N0m592f-A-elEEH1gqCZvUpjG4/view?usp=sharing

The firmware was extracted from the Xiaomi 5s capricorn_images_9.8.29_20190829.0000.00_8.0_cn fastboot package.
The attachment contains boot.img and the boot.img-zImage extracted from boot.img with Android-Image-Tools-windows. boot is the kernel file decompressed from boot.img-zImage. Dragging the boot file onto find_do_execve.exe prompts:
Hoping you can take a look when you have time.

missing file

Cannot find source file:

  ../../../../../testRoot/process64_inject.cpp

Tried extensions .c .C .c++ .cc .cpp .cxx .m .M .mm .h .hh .h++ .hm .hpp
.hxx .in .txx

Samsung Android 8.0, kernel 3.18: stuck at the boot logo and reboots endlessly after modification

Testing the hook: jumping out without doing anything and jumping straight back boots fine.
After patch_kernel_root it no longer boots.
Hooking path_do_execve or path_avc_denied on its own also fails to boot.
Is it because my kernel version is too old?

do_execve 141E58
avc_denied 293750
cred 668
seccomp AD8
cred is 0x660 + 8 inside get_task_cred
The function entries were taken directly from the printed kernel symbol table

Xiaomi 8: can't get su after patching

Hello, I followed your tutorial and patched the boot.img. The phone boots normally, but I can't get su privileges.
My device is a Xiaomi 8 UD. The image is "equuleus_images_V12.5.1.0.QECCNXM_20210705.0000.00_10.0_cn_3cb808c7f4".
Here is my boot.img, zipped:
boot.zip
cred:0x840
seccomp:0x8E0
do_execve:0x1c0f7c
avc_denied:0x38A8AC
Here is the image file after patching and zero padding:
image-new-patch.zip
After flashing image-new-patch.img it did not work properly, and I don't know what to do next. Can you give me some instructions? Thanks.

There is some conjecture about what I might have done wrong. I got the boot.img from the Xiaomi images. The kernel file "boot.img-kernel", after unpacking with Android Image Kitchen, still needs to be unzipped; only then can IDA (arm) read it. After patching I need to zip it back, but the size of the kernel file after patching and zipping is bigger than the one unpacked from AIK.
8134142
3134152

If you think I haven't described it clearly, I can make a video showing the whole procedure.

Hello

When will the traceless kernel injection mentioned earlier be implemented? Thanks.

patch more syscall

I want to patch other syscalls (openat and others). Can you tell me how, please?

Hello

My phone is a Xiaomi 6X; I extracted the boot from the official 9.0 flash package. For locating the functions I exported the symbol file from the phone, used an IDA script to batch-define the functions, and then took each required offset. After patching I also checked in IDA and the hooks appear to be at the correct positions. But after repacking and flashing, the phone reboots when the manager checks for root permission. Where should I look to troubleshoot?

Thank you

Could you provide an exe of patch_kernel_root.cpp for step four? I get "Error: immediate offset out of range" when compiling.

Menu features

Following the tutorial I completed almost all of the work, for which many thanks, but my menu is missing a few items, such as granting ADB permission, so I currently cannot give my shell ROOT permission. Please help.

How do I obtain the cred offset?

After jumping there in IDA:
real_cred = ((__int64 (__fastcall *)(__int64))loc_3E768)(task);

v25 = *(_DWORD *)(real_cred + 0x14);

sub_155D0C(a1, "Seccomp:\t%d\n", *(unsigned int *)(task + 0xAD8));

Seccomp should be 0xAD8, right?
How do I get Cred?

Crash when tapping "get root permission"

Using do_execve 001AEBBC, avc 003A65C8, cred 0x840, seccomp 0x8F8
as the entry points

Kernel file
Image

When tapping "get root permission" in pm the app crashes. dmesg shows the following log:
[ 1463.174682] [pid:981,cpu1,wificond][W][vap:0]{wal_cfg80211_get_station::rssi -23.} [F:1205][L:4427]
[ 1463.328186] [pid:396,cpu0,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1463.421325] [pid:108,cpu1,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1463.577606] [pid:6165,cpu1,kworker/u16:2]wifi sleep cmd send ,wakelock cnt 1
[ 1463.620727] [pid:396,cpu3,kworker/u16:6][hisi_coul_core]coul_ntc_temperature_compensation: current = 0, temp_without_compensation = 330, temp_with_compensation = 330
[ 1463.620758] [pid:396,cpu3,kworker/u16:6][hisi_coul_core]stably temp!,old_temp =330,cnt =1, temp = 330
[ 1463.625579] [pid:108,cpu1,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1463.716461] [pid:6167,cpu0,rmissionmanager]UID root escalation!
[ 1463.716491] [pid:6188,cpu3,Profile Saver]UID root escalation!
[ 1463.716888] [pid:6188,cpu3,Profile Saver]UID root escalation!
[ 1463.716888] [pid:6188,cpu3,Profile Saver]UID root escalation!
[ 1463.812652] [pid:6198,cpu5,mali-utility-wo]mali gpufreq: kctx 0000000000000000 being destroyed
[ 1463.883361] [pid:108,cpu1,kworker/u16:1]wifi sleep cmd send ,wakelock cnt 1
[ 1463.932189] [pid:108,cpu0,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1464.092712] [2023:04:15 02:44:37][pid:6165,cpu1,kworker/u16:2]wifi sleep cmd send ,wakelock cnt 1
[ 1464.137359] [pid:108,cpu2,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1464.291687] [pid:108,cpu3,kworker/u16:1]wifi sleep cmd send ,wakelock cnt 1
[ 1464.387207] [pid:241,cpu0,kworker/0:1H]sp805-wdt e8a06000.watchdog0: watchdog kick now 32K 47979182 rqclock 1450718691067 ret 1
[ 1464.547485] [pid:6165,cpu2,kworker/u16:2]wifi wakeup cmd send,wakelock cnt 2
[ 1464.704040] [pid:396,cpu2,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1464.751708] [pid:396,cpu1,kworker/u16:6]wifi wakeup cmd send,wakelock cnt 2
[ 1464.912139] [pid:6165,cpu1,kworker/u16:2]wifi sleep cmd send ,wakelock cnt 1
[ 1464.956390] [pid:108,cpu1,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1465.111541] [2023:04:15 02:44:38][pid:396,cpu1,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1465.111938] [pid:396,cpu1,kworker/u16:6]wifi wakeup cmd send,wakelock cnt 2
[ 1465.216186] [pid:396,cpu3,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1465.375915] [pid:396,cpu1,kworker/u16:6][hisi_get_charger_type]type: sdp
[ 1465.376220] [pid:396,cpu1,kworker/u16:6][I/usb_short_circuit_protect] tusb adc value [0]=32

Kernel source used:
https://github.com/wutaijieing/Code_Opensource_kirin710/tree/main/kernel

Please help: is it an entry point problem, or is the kernel restricting it?

Samsung: crashes and reboots after writing cred. Is RKP protection being triggered?

<< "LDR X10, [X8, #" << task_struct_offset_cred << "]" << endl
<< "MOV X7, #4" << endl
<< "MOV W9, WZR" << endl
<< "STR W9, [X10, X7]" << endl
Hello, I'd like to ask: writing 0 to cred + i * 4 causes a crash and automatic reboot.
At the moment it boots normally and the rootkey check passes; tapping "test root" crashes and reboots.
I found that RKP seems to protect cred. Is writing cred triggering the protection mechanism?

How do I compile patch_kernel_root.cpp? Is my g++ version wrong? Command used: g++ patch_kernel_root.cpp -o patch_root.exe

PS C:\Users\Ad\Downloads\SKRoot-linuxKernelRoot-master\patch_kernel_root>g++ --version
g++.exe (Rev10, Built by MSYS2 project) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

-------------------------------------------------------------------------------------------------

PS C:\Users\Ad\Downloads\SKRoot-linuxKernelRoot-master\patch_kernel_root> g++ patch_kernel_root.cpp -o patch_root.exe
In file included from patch_kernel_root.cpp:9:
ArmAsmHelper.h: In function 'std::string AsmToBytes(const std::string&)':
ArmAsmHelper.h:59:43: warning: ignoring return value of 'bool std::__cxx11::basic_string<_CharT, _Traits, _Alloc>::empty() const [with _CharT = char; _Traits = std::char_traits; _Alloc = std::allocator]', declared with attribute 'nodiscard' [-Wunused-result]
59 | word.empty();
| ~~~~~~~~~~^~
In file included from C:/msys64/mingw64/include/c++/12.2.0/string:53,
from C:/msys64/mingw64/include/c++/12.2.0/bits/locale_classes.h:40,
from C:/msys64/mingw64/include/c++/12.2.0/bits/ios_base.h:41,
from C:/msys64/mingw64/include/c++/12.2.0/ios:42,
from C:/msys64/mingw64/include/c++/12.2.0/ostream:38,
from C:/msys64/mingw64/include/c++/12.2.0/iostream:39,
from patch_kernel_root.cpp:4:
C:/msys64/mingw64/include/c++/12.2.0/bits/basic_string.h:1183:7: note: declared here
1183 | empty() const _GLIBCXX_NOEXCEPT
| ^~~~~
patch_kernel_root.cpp: In function 'size_t path_do_execve(const char*, const std::string&, size_t, size_t, size_t, size_t, std::vector<patch_bytes_data>&)':
patch_kernel_root.cpp:69:63: error: expected primary-expression before 'const'
69 | string str_show_root_key_mem_byte = bytesToHexString((const byte*)str_root_key.c_str(), str_root_key.length());
| ^~~~~
patch_kernel_root.cpp:69:63: error: expected ')' before 'const'
69 | string str_show_root_key_mem_byte = bytesToHexString((const byte*)str_root_key.c_str(), str_root_key.length());
| ~^~~~~
| )
patch_kernel_root.cpp:124:51: error: expected primary-expression before 'const'
124 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ^~~~~
patch_kernel_root.cpp:124:51: error: expected ')' before 'const'
124 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ~^~~~~
| )
patch_kernel_root.cpp: In function 'size_t path_avc_denied(const char*, size_t, size_t, size_t, std::vector<patch_bytes_data>&)':
patch_kernel_root.cpp:175:51: error: expected primary-expression before 'const'
175 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ^~~~~
patch_kernel_root.cpp:175:51: error: expected ')' before 'const'
175 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ~^~~~~
| )
patch_kernel_root.cpp: In function 'int main(int, char**)':
patch_kernel_root.cpp:305:25: error: 'shared_ptr' was not declared in this scope
305 | shared_ptr spData(new (std::nothrow) char[item.str_bytes.length() / 2], std::default_delete<char[]>());
| ^~~~~~~~~~
patch_kernel_root.cpp:10:1: note: 'std::shared_ptr' is defined in header ''; did you forget to '#include '?
9 | #include "ArmAsmHelper.h"
+++ |+#include
10 |
patch_kernel_root.cpp:305:36: error: expected primary-expression before 'char'
305 | shared_ptr spData(new (std::nothrow) char[item.str_bytes.length() / 2], std::default_delete<char[]>());
| ^~~~
patch_kernel_root.cpp:306:78: error: 'spData' was not declared in this scope
306 | hex2byte((uint8_t*)item.str_bytes.c_str(), (uint8_t*)spData.get());

Some questions about function entry addresses

Base: FFFFFF9B1E680000
do_execve
FFFFFF9B1EAAA880                 SUB            SP, SP, #0x30; before patch
FFFFFF9B1EAAA880                 B               sub_FFFFFF9B1E6803C8; after patch
FFFFFF9B1EAAA884                 STP             X29, X30, [SP,#0x30]
FFFFFF9B1EAAA888                 ADD             X29, SP, #0x30
......
......
FFFFFF9B1EAAA8F0                 LDP             X29, X30, [SP,#0x30+var_10]
FFFFFF9B1EAAA8F4                 ADD             SP, SP, #0x30
FFFFFF9B1EAAA8F8                 RET

avc_denied
FFFFFF9B1E8CBF24                 STP             X29, X30, [SP,#-0x10]!; before patch
FFFFFF9B1E8CBF20                 B               sub_FFFFFF9B1E680330; after patch
......
......
FFFFFF9B1E8CBF50                 LDP             X29, X30, [SP+0x10],#0x10
FFFFFF9B1E8CBF54                 RET

After patching step by step, the patched function entries are as above; the first instruction of each function has been replaced with a branch instruction.
After flashing the patched kernel I cannot get root.

Is my choice of function entry addresses wrong?
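The patched entries above both start with an unconditional `B` into the injected code. As an added example (not code from SKRoot or from the issue author), the following C program encodes and decodes the AArch64 `B` instruction and verifies, from a raw kernel Image buffer, that a function entry really branches to a target inside the image. The addresses are the ones quoted in the issue; the Image bytes are constructed here, and a little-endian host is assumed.

```c
/* Added example, not code from SKRoot or the issue above: encode/decode the
 * AArch64 unconditional branch (B) that the patch plants at a function entry,
 * and verify a patched entry inside a raw kernel Image buffer. The addresses
 * are the ones quoted in the issue; the Image bytes are constructed here.
 * Assumes a little-endian host (Image files are little-endian). */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define B_OPCODE      0x14000000u          /* B imm26: top six bits 000101 */
#define B_OPCODE_MASK 0xFC000000u
#define B_IMM26_MASK  0x03FFFFFFu
#define B_RANGE       (INT64_C(1) << 27)   /* +/-128 MiB reach, in bytes */

/* 1 if insn is an unconditional B (BL is 0x94000000, B.cond is 0x54000000). */
int aarch64_is_b(uint32_t insn) {
    return (insn & B_OPCODE_MASK) == B_OPCODE;
}

/* Encode "B target" for an instruction at pc. Returns 0 (never a valid B)
 * when an address is misaligned or the displacement does not fit imm26. */
uint32_t aarch64_encode_b(uint64_t pc, uint64_t target) {
    int64_t off = (int64_t)(target - pc);      /* two's-complement wrap intended */
    if ((pc | target) & 3) return 0;
    if (off < -B_RANGE || off > B_RANGE - 4) return 0;
    return B_OPCODE | ((uint32_t)((uint64_t)off >> 2) & B_IMM26_MASK);
}

/* Recover the absolute target of a B located at pc. */
uint64_t aarch64_decode_b_target(uint32_t insn, uint64_t pc) {
    int64_t imm26 = (int64_t)(insn & B_IMM26_MASK);
    if (imm26 & 0x02000000) imm26 -= 0x04000000;   /* sign-extend 26 bits */
    return pc + (uint64_t)(imm26 * 4);
}

/* Read the instruction at file offset func_off of an Image loaded at base.
 * Returns 1 and stores the branch target when the entry is a B whose target
 * lies inside the image; 0 when it is not a B or points outside the image. */
int verify_patched_entry(const uint8_t *img, size_t len, uint64_t base,
                         uint64_t func_off, uint64_t *target_out) {
    uint32_t insn;
    uint64_t target;
    if (func_off > len || len - func_off < 4) return 0;
    memcpy(&insn, img + func_off, sizeof insn);
    if (!aarch64_is_b(insn)) return 0;
    target = aarch64_decode_b_target(insn, base + func_off);
    if (target < base || target - base >= len) return 0;
    *target_out = target;
    return 1;
}

/* Worked example with the issue's numbers: plant the B at do_execve inside a
 * constructed zero-filled image and read it back. Returns the recovered
 * target, or 0 if verification fails. */
uint64_t demo(void) {
    const uint64_t base       = UINT64_C(0xFFFFFF9B1E680000);
    const uint64_t do_execve  = UINT64_C(0xFFFFFF9B1EAAA880);
    const uint64_t trampoline = UINT64_C(0xFFFFFF9B1E6803C8);
    static uint8_t img[0x430000];              /* large enough to cover do_execve */
    uint32_t insn = aarch64_encode_b(do_execve, trampoline);
    uint64_t target = 0;
    if (insn == 0) return 0;
    memcpy(img + (do_execve - base), &insn, sizeof insn);
    if (!verify_patched_entry(img, sizeof img, base, do_execve - base, &target)) return 0;
    return target;
}

int main(void) {
    uint64_t t = demo();
    printf("do_execve entry branches to 0x%016" PRIx64 " (encoded 0x%08" PRIx32 ")\n",
           t, aarch64_encode_b(UINT64_C(0xFFFFFF9B1EAAA880), UINT64_C(0xFFFFFF9B1E6803C8)));
    return t ? 0 : 1;
}
```

Running the program against a real Image means replacing the constructed buffer with the file contents and `base` with the kernel's load address (the value IDA shows as the image base); if `verify_patched_entry` returns 0, the first word at the chosen offset is either not a `B` or branches outside the image, which is the first thing to rule out before suspecting the entry address itself.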

Meaning of the added assembly code

Could you briefly explain what the added assembly code means? Understanding why this code is added would make it easier to troubleshoot on my own.

Dragging the kernel file onto the exe gives no result

Dragging the kernel file obtained by unpackimg boot.img onto find_cred_has_capability gives a result, but the other two exe files give nothing. What is the reason?

😂

Two years and still not released?

About so injection, safe_inject_process64_so_wrapper

Is there an example for this function? Is the first argument the rootkey, the second the target process pid, the third the path of the .so to inject, and the fourth the function inside the .so to call?
The safe_inject_process64_so_wrapper function fails to execute.
safe_inject_process_run_exit_wrapper I can execute.

Redmi 6 Pro, 3.18 kernel: won't boot after patching

It won't boot after patching.
I then added an assembly function at ffffffc000080300 in the unpatched kernel, consisting of a single RET instruction. If that function is not used, the kernel boots normally. When I replace do_execve's BL nullsub with a BL to the function I created, it still won't boot. Why can't my added function be called? Hoping for some ideas.

Requests to the service manager are still blocked by SELinux

04-22 07:54:28.411 467 467 E SELinux : avc: denied { find } for service=window pid=2848 uid=0 scontext=u:r:untrusted_app:s0:c102,c256,c512,c768 tcontext=u:object_r:window_service:s0 tclass=service_manager permissive=0
Why is this operation still blocked by SELinux?
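The denial line above carries the whole story in its fields: uid=0, but scontext still u:r:untrusted_app. As an added example (not code from SKRoot or from the issue author), the following C program parses Android `avc: denied` lines and flags exactly that combination, a uid-0 process still confined to an application domain. The first sample line is the one quoted in the issue; the other two lines and the list of app domains are constructed for the example.

```c
/* Added example, not code from SKRoot or the issue above: parse Android
 * "avc: denied" log lines and flag a uid-0 process still confined to an app
 * domain. The first sample line is quoted from the issue; the other two are
 * constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char perm[32];        /* first permission inside { } */
    char scontext[128];
    char tcontext[128];
    char tclass[32];
    long uid;             /* -1 when the line carries no uid= */
    long pid;             /* -1 when absent */
    int permissive;
} avc_denial;

/* Copy the value following key (e.g. "uid=") into out. The key must begin a
 * space-separated token, so "uid=" cannot match "auid=". Returns 1 if found. */
static int field(const char *s, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = s;
    while ((p = strstr(p, key)) != NULL) {
        if (p == s || p[-1] == ' ') {
            size_t n = strcspn(p + klen, " \r\n");
            if (n >= outlen) n = outlen - 1;
            memcpy(out, p + klen, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Parse one logcat/dmesg line. Returns 1 for an avc denial carrying both
 * contexts and a class, 0 for anything else. Only the first permission in
 * the braces is kept. */
int parse_avc_denied(const char *line, avc_denial *d) {
    static const char marker[] = "avc: denied {";
    const char *p = strstr(line, marker);
    char buf[32];
    size_t n;
    if (!p) return 0;
    memset(d, 0, sizeof *d);
    d->uid = d->pid = -1;
    p += sizeof marker - 1;
    while (*p == ' ') p++;
    n = strcspn(p, " }");
    if (n == 0 || n >= sizeof d->perm) return 0;
    memcpy(d->perm, p, n);
    d->perm[n] = '\0';
    if (field(p, "uid=", buf, sizeof buf)) d->uid = strtol(buf, NULL, 10);
    if (field(p, "pid=", buf, sizeof buf)) d->pid = strtol(buf, NULL, 10);
    if (field(p, "permissive=", buf, sizeof buf)) d->permissive = (int)strtol(buf, NULL, 10);
    if (!field(p, "scontext=", d->scontext, sizeof d->scontext)) return 0;
    if (!field(p, "tcontext=", d->tcontext, sizeof d->tcontext)) return 0;
    if (!field(p, "tclass=", d->tclass, sizeof d->tclass)) return 0;
    return 1;
}

/* Third colon-separated field of "u:r:TYPE:s0..." is the SELinux type. */
static int context_type(const char *ctx, char *out, size_t outlen) {
    const char *a = strchr(ctx, ':');
    const char *b = a ? strchr(a + 1, ':') : NULL;
    const char *c;
    size_t n;
    if (!b) return 0;
    c = strchr(b + 1, ':');
    n = c ? (size_t)(c - (b + 1)) : strlen(b + 1);
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, b + 1, n);
    out[n] = '\0';
    return 1;
}

/* 1 when a uid-0 process is still in an application domain: the credentials
 * were rewritten without a domain transition, so SELinux keeps denying, and
 * the combination is itself a root-detection signal. The domain list is an
 * assumption for this example (prefix match, so untrusted_app_27 also hits). */
int is_root_in_app_domain(const avc_denial *d) {
    static const char *const app_domains[] = {
        "untrusted_app", "isolated_app", "priv_app", "platform_app", "system_app"
    };
    char type[64];
    size_t i;
    if (d->uid != 0) return 0;
    if (!context_type(d->scontext, type, sizeof type)) return 0;
    for (i = 0; i < sizeof app_domains / sizeof app_domains[0]; i++)
        if (strncmp(type, app_domains[i], strlen(app_domains[i])) == 0) return 1;
    return 0;
}

const char *const SAMPLE_LINES[] = {
    /* quoted from the issue */
    "04-22 07:54:28.411 467 467 E SELinux : avc: denied { find } for service=window pid=2848 uid=0 scontext=u:r:untrusted_app:s0:c102,c256,c512,c768 tcontext=u:object_r:window_service:s0 tclass=service_manager permissive=0",
    /* constructed: an ordinary app denial with uid 10102, must not be flagged */
    "04-22 07:55:01.002 467 467 E SELinux : avc: denied { read } for name=\"wifi\" dev=\"dm-3\" ino=12 pid=2900 uid=10102 scontext=u:r:untrusted_app:s0:c102,c256,c512,c768 tcontext=u:object_r:wifi_data_file:s0 tclass=dir permissive=0",
    /* constructed: not an avc line at all */
    "04-22 07:55:02.000 1000 1012 I ActivityManager: Start proc 2901:com.example/u0a102",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Count lines matching the uid-0-in-app-domain pattern. */
size_t count_root_in_app_domain(const char *const *lines, size_t n) {
    size_t i, hits = 0;
    avc_denial d;
    for (i = 0; i < n; i++)
        if (parse_avc_denied(lines[i], &d) && is_root_in_app_domain(&d)) hits++;
    return hits;
}

int main(void) {
    printf("suspicious denials: %zu of %zu lines\n",
           count_root_in_app_domain(SAMPLE_LINES, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

The point the parser makes concrete: the patch changes the uid inside `cred` but leaves the process's SELinux security context alone, so `service_manager find` is evaluated against `untrusted_app`, not against a root domain, and is denied with `permissive=0`. Feeding `logcat -b all` or `dmesg` through this same check is also how a detector would notice such a process.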
