abcz316 / skroot-linuxkernelroot
Next-generation SKRoot: challenges every root-detection method out there, takes a completely different approach from Magisk and sheds the weak points that get Magisk detected, hides the root functionality completely, never needs SELinux paused at any point (a true 0% touch on SELinux), is highly portable and works on all kernels, needs no kernel source, patches the kernel directly, can be called directly from Android apps via JNI, and is stable, smooth and crash-free.
Are there plans to support developing modules (similar to KernelSU / Magisk) in the future?
See title.
Hi, my device is a Nexus 6 (Android 8.1). After patching the kernel according to the README it boots normally, but root does not seem to have succeeded. Debugging the source code shows this error message:
create_su_hide_folder error:/data/local/tmp/su_40ab264ef2659a3da13690e41d41a8274c9cc1086dfd016989de0561fc61a4d47bec2d5094d9125e98db3c4785e61c54ae22628934aa30478ec301759b33ba3b5b9bd21fbb2ca823bd13699dc0294ab5c2/
Uploading two kernel files.
The files inside are:
kernel_core_rebuild is the kernel file after running patch_kernel_root,
kernel_core_bak is the original kernel file
kernel_core_rebuild.zip
patch_kernel_root execution steps. I'm not sure whether these function entry points and offsets were found correctly (I found these entries and offsets by following the pictures in the issue "a very old kernel, cred offset cannot be determined").
请输入do_execve函数的入口位置:
0x291dbc
请输入avc_denied函数的入口位置:
0x37bc34
请输入task_struct结构体里cred的十六进制偏移值(从proc_pid_status里能看到):
0x4e8
请输入task_struct结构体里seccomp的十六进制偏移值(从proc_pid_status里能看到):
0x940
是否需要自动随机生成ROOT密匙(1需要;2不需要):
1
;;;;
Hi, my device is a Xiaomi Mix 2, kernel linux4.4.153-perf+, aarch64 architecture. The boot obtained by unpacking, loaded in IDA, has the start address FFFFFF8008080000
boot.zip
Searching for the function do_execve in IDA gives the entry address FFFFFF80081C83F4 (0x1483f4 after subtracting the start address)
Searching for the function avc_denied in IDA gives the entry address FFFFFF80082E20D0 (0x2620d0 after subtracting the start address)
Searching for task_struct did not give me the cred offset I wanted; dragging the kernel onto the tool gave no result; searching for the proc_pid_status function, I still could not get the Uid value from the pseudocode, but I can get the seccomp value (0x858)
Testing with some reasonable guesses for the cred value, the phone cannot boot normally.
Hi, the attachments are at:
123pan:https://www.123pan.com/s/w51tVv-QGe6d.html
google:https://drive.google.com/file/d/15X6V9_N0m592f-A-elEEH1gqCZvUpjG4/view?usp=sharing
The firmware was extracted from the Xiaomi 5s capricorn_images_9.8.29_20190829.0000.00_8.0_cn fastboot package.
The attachments include boot.img and the boot.img-zImage extracted from boot.img with Android-Image-Tools-windows. boot is the kernel file decompressed from boot.img-zImage! Dragging the boot file onto find_do_execve.exe gives this prompt:
Hoping you can take a look when you have time.
Cannot find source file:
../../../../../testRoot/process64_inject.cpp
Tried extensions .c .C .c++ .cc .cpp .cxx .m .M .mm .h .hh .h++ .hm .hpp
.hxx .in .txx
I have a LineageOS build environment for the OnePlus 5, including the kernel source
Testing the hook: jumping over, doing nothing and jumping back, the device can boot
After patch_kernel_root it can no longer boot,
Hooking only path_do_execve or only path_avc_denied also fails to boot
Is it because my kernel version is too old?
do_execve 141E58
avc_denied 293750
cred 668
seccomp AD8
cred is 0x660 + 8 inside get_task_cred
The function entries were taken directly from printing the kernel symbol table
Installing/deploying su reports an error
install su err:-52
When will the official release be published?
Hello, I followed your tutorial and patched the boot.img. The phone boots normally, but I can't get su privileges.
My device is a Xiaomi 8 UD. The image is "equuleus_images_V12.5.1.0.QECCNXM_20210705.0000.00_10.0_cn_3cb808c7f4".
Here is my boot.img after zipping:
boot.zip
cred:0x840
seccomp:0x8E0
do_execve:0x1c0f7c
avc_denied:0x38A8AC
Here is the img file after patching and 0 padding:
image-new-patch.zip
After flashing image-new-patch.img, it didn't work properly and I don't know what to do next. Can you give me some instructions? Thanks.
There are some conjectures about what I might have done wrong. I got the boot.img from the Xiaomi images. The kernel file "boot.img-kernel", after unpacking with Android Image Kitchen, still needs to be unzipped. Only after that can the kernel file be read by IDA arm. After I patched it I need to zip it back. But the kernel file after patching and zipping is bigger in size than the one unpacked from AIK.
If you think I didn't describe it clearly, I can make a video to show you the whole procedure.
Did you not provide a download link?
When will the "traceless kernel injection" mentioned earlier be implemented? Thanks
I want to patch other syscalls, openat and others... can you tell me how, please?
Sent from PPHub
I can never find the offset correctly in proc_pid_status; could you explain how to find it with IDA?
Kernel file:
Image
Also, if I drag in kernel.img or the unpacked kernel.img-kernel directly, find cannot find any data either
My phone is a Xiaomi 6X, the boot was extracted from the official 9.0 flashing package, and for locating the functions I exported the symbol file from the phone, used an IDA script to set up the functions in bulk, and then took each needed offset address. After patching I also checked with IDA, and the hooks seem to be in the right places, but after repacking and flashing, the phone reboots when the manager checks root privileges. Where should I look for the problem?
Could you provide an exe built from step 4's patch_kernel_root.cpp? When compiling I ran into Error: immediate offset out of range
Following the tutorial, I successfully completed basically all of the work, many thanks. But my menu is missing a few features, such as granting ADB permissions, so right now I can't give my shell ROOT privileges. Please help.
After jumping there in IDA:
real_cred = ((__int64 (__fastcall *)(__int64))loc_3E768)(task);
v25 = *(_DWORD *)(real_cred + 0x14);
sub_155D0C(a1, "Seccomp:\t%d\n", *(unsigned int *)(task + 0xAD8));
Seccomp should be 0xAD8, right?
How do I get Cred?
I hope to try out the root-hiding feature
Using do_execve 001AEBBC avc: 003A65C8 cred 0x840 seccomp 0x8F8
as the entry points
Kernel file
Image
When clicking to get root privileges in pm, the app crashes; dmesg shows the following logs:
[ 1463.174682] [pid:981,cpu1,wificond][W][vap:0]{wal_cfg80211_get_station::rssi -23.} [F:1205][L:4427]
[ 1463.328186] [pid:396,cpu0,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1463.421325] [pid:108,cpu1,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1463.577606] [pid:6165,cpu1,kworker/u16:2]wifi sleep cmd send ,wakelock cnt 1
[ 1463.620727] [pid:396,cpu3,kworker/u16:6][hisi_coul_core]coul_ntc_temperature_compensation: current = 0, temp_without_compensation = 330, temp_with_compensation = 330
[ 1463.620758] [pid:396,cpu3,kworker/u16:6][hisi_coul_core]stably temp!,old_temp =330,cnt =1, temp = 330
[ 1463.625579] [pid:108,cpu1,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1463.716461] [pid:6167,cpu0,rmissionmanager]UID root escalation!
[ 1463.716491] [pid:6188,cpu3,Profile Saver]UID root escalation!
[ 1463.716888] [pid:6188,cpu3,Profile Saver]UID root escalation!
[ 1463.716888] [pid:6188,cpu3,Profile Saver]UID root escalation!
[ 1463.812652] [pid:6198,cpu5,mali-utility-wo]mali gpufreq: kctx 0000000000000000 being destroyed
[ 1463.883361] [pid:108,cpu1,kworker/u16:1]wifi sleep cmd send ,wakelock cnt 1
[ 1463.932189] [pid:108,cpu0,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1464.092712] [2023:04:15 02:44:37][pid:6165,cpu1,kworker/u16:2]wifi sleep cmd send ,wakelock cnt 1
[ 1464.137359] [pid:108,cpu2,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1464.291687] [pid:108,cpu3,kworker/u16:1]wifi sleep cmd send ,wakelock cnt 1
[ 1464.387207] [pid:241,cpu0,kworker/0:1H]sp805-wdt e8a06000.watchdog0: watchdog kick now 32K 47979182 rqclock 1450718691067 ret 1
[ 1464.547485] [pid:6165,cpu2,kworker/u16:2]wifi wakeup cmd send,wakelock cnt 2
[ 1464.704040] [pid:396,cpu2,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1464.751708] [pid:396,cpu1,kworker/u16:6]wifi wakeup cmd send,wakelock cnt 2
[ 1464.912139] [pid:6165,cpu1,kworker/u16:2]wifi sleep cmd send ,wakelock cnt 1
[ 1464.956390] [pid:108,cpu1,kworker/u16:1]wifi wakeup cmd send,wakelock cnt 2
[ 1465.111541] [2023:04:15 02:44:38][pid:396,cpu1,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1465.111938] [pid:396,cpu1,kworker/u16:6]wifi wakeup cmd send,wakelock cnt 2
[ 1465.216186] [pid:396,cpu3,kworker/u16:6]wifi sleep cmd send ,wakelock cnt 1
[ 1465.375915] [pid:396,cpu1,kworker/u16:6][hisi_get_charger_type]type: sdp
[ 1465.376220] [pid:396,cpu1,kworker/u16:6][I/usb_short_circuit_protect] tusb adc value [0]=32
Kernel source used:
https://github.com/wutaijieing/Code_Opensource_kirin710/tree/main/kernel
Please help: is it an entry point problem, or is the kernel restricting it?
<< "LDR X10, [X8, #" << task_struct_offset_cred << "]" << endl
<< "MOV X7, #4" << endl
<< "MOV W9, WZR" << endl
<< "STR W9, [X10, X7]" << endl
Hello, a question: writing 0 to cred + i * 4 causes a crash and automatic reboot
Currently I can boot normally and the rootkey verification passes; clicking "test root" crashes and reboots
I found that RKP seems to protect cred; is it because writing to cred triggers the protection mechanism?
PS C:\Users\Ad\Downloads\SKRoot-linuxKernelRoot-master\patch_kernel_root>g++ --version
g++.exe (Rev10, Built by MSYS2 project) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
PS C:\Users\Ad\Downloads\SKRoot-linuxKernelRoot-master\patch_kernel_root> g++ patch_kernel_root.cpp -o patch_root.exe
In file included from patch_kernel_root.cpp:9:
ArmAsmHelper.h: In function 'std::string AsmToBytes(const std::string&)':
ArmAsmHelper.h:59:43: warning: ignoring return value of 'bool std::__cxx11::basic_string<_CharT, _Traits, _Alloc>::empty() const [with _CharT = char; _Traits = std::char_traits<char>; _Alloc = std::allocator<char>]', declared with attribute 'nodiscard' [-Wunused-result]
59 | word.empty();
| ~~~~~~~~~~^~
In file included from C:/msys64/mingw64/include/c++/12.2.0/string:53,
from C:/msys64/mingw64/include/c++/12.2.0/bits/locale_classes.h:40,
from C:/msys64/mingw64/include/c++/12.2.0/bits/ios_base.h:41,
from C:/msys64/mingw64/include/c++/12.2.0/ios:42,
from C:/msys64/mingw64/include/c++/12.2.0/ostream:38,
from C:/msys64/mingw64/include/c++/12.2.0/iostream:39,
from patch_kernel_root.cpp:4:
C:/msys64/mingw64/include/c++/12.2.0/bits/basic_string.h:1183:7: note: declared here
1183 | empty() const _GLIBCXX_NOEXCEPT
| ^~~~~
patch_kernel_root.cpp: In function 'size_t path_do_execve(const char*, const std::string&, size_t, size_t, size_t, size_t, std::vector<patch_bytes_data>&)':
patch_kernel_root.cpp:69:63: error: expected primary-expression before 'const'
69 | string str_show_root_key_mem_byte = bytesToHexString((const byte*)str_root_key.c_str(), str_root_key.length());
| ^~~~~
patch_kernel_root.cpp:69:63: error: expected ')' before 'const'
69 | string str_show_root_key_mem_byte = bytesToHexString((const byte*)str_root_key.c_str(), str_root_key.length());
| ~^~~~~
| )
patch_kernel_root.cpp:124:51: error: expected primary-expression before 'const'
124 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ^~~~~
patch_kernel_root.cpp:124:51: error: expected ')' before 'const'
124 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ~^~~~~
| )
patch_kernel_root.cpp: In function 'size_t path_avc_denied(const char*, size_t, size_t, size_t, std::vector<patch_bytes_data>&)':
patch_kernel_root.cpp:175:51: error: expected primary-expression before 'const'
175 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ^~~~~
patch_kernel_root.cpp:175:51: error: expected ')' before 'const'
175 | string strHookOrigCmd = bytesToHexString((const byte*)hookOrigCmd, sizeof(hookOrigCmd));
| ~^~~~~
| )
patch_kernel_root.cpp: In function 'int main(int, char**)':
patch_kernel_root.cpp:305:25: error: 'shared_ptr' was not declared in this scope
305 | shared_ptr<char> spData(new (std::nothrow) char[item.str_bytes.length() / 2], std::default_delete<char[]>());
| ^~~~~~~~~~
patch_kernel_root.cpp:10:1: note: 'std::shared_ptr' is defined in header '<memory>'; did you forget to '#include <memory>'?
9 | #include "ArmAsmHelper.h"
+++ |+#include <memory>
10 |
patch_kernel_root.cpp:305:36: error: expected primary-expression before 'char'
305 | shared_ptr<char> spData(new (std::nothrow) char[item.str_bytes.length() / 2], std::default_delete<char[]>());
| ^~~~
patch_kernel_root.cpp:306:78: error: 'spData' was not declared in this scope
306 | hex2byte((uint8_t*)item.str_bytes.c_str(), (uint8_t*)spData.get());
Writing code isn't easy, but since it's open source, go all the way,
We don't even know what the 3 .exe files do
Looking forward to an early release
Alipay detected it; housing-fund face recognition no longer works
Base: FFFFFF9B1E680000
do_execve
FFFFFF9B1EAAA880 SUB SP, SP, #0x30; before patch
FFFFFF9B1EAAA880 B sub_FFFFFF9B1E6803C8; after patch
FFFFFF9B1EAAA884 STP X29, X30, [SP,#0x30]
FFFFFF9B1EAAA888 ADD X29, SP, #0x30
......
......
FFFFFF9B1EAAA8F0 LDP X29, X30, [SP,#0x30+var_10]
FFFFFF9B1EAAA8F4 ADD SP, SP, #0x30
FFFFFF9B1EAAA8F8 RET
avc_denied
FFFFFF9B1E8CBF24 STP X29, X30, [SP,#-0x10]!; before patch
FFFFFF9B1E8CBF20 B sub_FFFFFF9B1E680330; after patch
......
......
FFFFFF9B1E8CBF50 LDP X29, X30, [SP+0x10],#0x10
FFFFFF9B1E8CBF54 RET
I patched step by step; the function entry positions after patching are shown above, and the first instruction of each function has been replaced with a branch instruction
After flashing the patched kernel I cannot get root privileges
Is there a problem with my choice of function entry positions?
Why are there no usage instructions? I don't know how to use it
Could you roughly explain the meaning of the added assembly code? I feel that understanding why this code is added would help me troubleshoot on my own
k2
Dragging the kernel file obtained from unpackimg boot.img onto find_cred_has_capability gives a result, but the other two exe files give no result; what is the reason?
Two years and still not released?
Is there an example of this function? The first parameter is the rootkey, the second the target process pid, the third the path of the so to be injected, and the fourth the function inside the so to be injected?
The safe_inject_process64_so_wrapper function fails to execute
safe_inject_process_run_exit_wrapper: I can execute this function
Cannot boot after patching.
Then, in the unpatched kernel at ffffffc000080300, I added an assembly function containing only a single RET instruction; as long as this function is not used, the kernel boots normally. I replaced do_execve's BL nullsub with a BL to the function I created, and it still cannot boot. Why can't the function I added be called? Hope you can give some ideas.
04-22 07:54:28.411 467 467 E SELinux : avc: denied { find } for service=window pid=2848 uid=0 scontext=u:r:untrusted_app:s0:c102,c256,c512,c768 tcontext=u:object_r:window_service:s0 tclass=service_manager permissive=0
Why is this operation still blocked by SELinux?