def install():
    """Load the prdbg kernel driver on an attached Android device over adb.

    Steps, each run through utils.runGetOutput and logged with output.Info:
    unload a previously loaded prdbg, clear kptr_restrict, push the gofer helper
    and prdbg.ko to /data/local/tmp, insmod the driver, and create /dev/prdbg
    (major 500, minor 1) if it is missing.

    Side effects worth knowing: kptr_restrict=0 is a device-wide setting that
    exposes kernel addresses in /proc/kallsyms, and /dev/prdbg is made mode 666,
    so any local process can talk to the driver. Nothing here reverts either.
    """
    def step(cmd):
        # Run one adb command, log its output and hand the output back.
        reply = utils.runGetOutput([cmd], 1)
        output.Info(reply)
        return reply

    # drop a stale driver first so insmod does not fail on a duplicate module
    if re.search('prdbg', step('adb shell lsmod')):
        step('adb shell su -c "rmmod prdbg"')

    # unhide addresses when reading /proc/kallsyms (device-wide, not restored)
    step('adb shell su -c "echo 0 > /proc/sys/kernel/kptr_restrict"')

    # push the user-space helper and the driver
    step('adb push ./gofer/gofer /data/local/tmp')
    step('adb push ./driver/prdbg.ko /data/local/tmp')

    # load the driver
    step('adb shell su -c "insmod /data/local/tmp/prdbg.ko"')

    # create the character device if it doesn't exist
    # NOTE(review): the source was whitespace-collapsed; the chmod is kept in the
    # same branch as mknod, which is the natural reading (new node, then open it up).
    if re.search('No such file or directory', step('adb shell ls /dev/prdbg')):
        step('adb shell su -c "/data/local/tmp/busybox mknod /dev/prdbg c 500 1"')
        step('adb shell su -c "chmod 666 /dev/prdbg"')
def install():
    """Load the prdbg kernel driver on the local machine (sudo-based variant).

    Steps, each run through utils.runGetOutput and logged with output.Info:
    unload a previously loaded prdbg, clear kptr_restrict via sudo tee, copy the
    gofer helper to /tmp, insmod ./driver/prdbg.ko, and create /dev/prdbg
    (major 500, minor 1) if it is missing.

    Side effects worth knowing: kptr_restrict=0 is a system-wide setting that
    exposes kernel addresses in /proc/kallsyms, and /dev/prdbg is made mode 666,
    so any local user can talk to the driver. Nothing here reverts either.
    """
    def step(cmd):
        # Run one shell command, log its output and hand the output back.
        reply = utils.runGetOutput([cmd], 1)
        output.Info(reply)
        return reply

    # drop a stale driver first so insmod does not fail on a duplicate module
    if re.search('prdbg', step('lsmod')):
        step('sudo rmmod prdbg')

    # unhide addresses when reading /proc/kallsyms; the write goes through
    # `sudo tee` because a plain shell redirect would run unprivileged
    step('echo 0 | sudo tee /proc/sys/kernel/kptr_restrict')

    # copy the user-space helper where read()/write()/call() expect it
    step('cp ./gofer/gofer /tmp')

    # load the driver
    step('sudo insmod ./driver/prdbg.ko')

    # create the character device if it doesn't exist (stderr merged so the
    # "No such file" message is visible to the check below)
    # NOTE(review): the source was whitespace-collapsed; the chmod is kept in the
    # same branch as mknod, which is the natural reading (new node, then open it up).
    if re.search('No such file or directory', step('ls /dev/prdbg 2>&1')):
        step('sudo mknod /dev/prdbg c 500 1')
        step('sudo chmod 666 /dev/prdbg')
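def writeCode(addr, data):
    """Write *data* into kernel code memory at *addr* through the gofer (MEMWRITECODE).

    Args:
        addr: target kernel address, rendered as hex on the gofer command line.
        data: byte string to write; every byte becomes one two-digit hex argument.

    The gofer's reply is logged with Info(); nothing is returned.
    """
    # One hex token per byte. bytearray() yields ints for a Py2 str as well as
    # Py3 bytes, and replaces the original quadratic `data = data[1:]` loop.
    hex_args = ''.join(' %02X' % b for b in bytearray(data))
    cmd = [('/tmp/gofer MEMWRITECODE %X' % addr) + hex_args]
    text = utils.runGetOutput(cmd, 1)
    # NOTE(review): Info is used unqualified here (other blocks use output.Info);
    # assumes it is imported at file level.
    Info(text)
    return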
def read(addr, amt):
    """Read *amt* bytes of kernel memory at *addr* through the gofer helper.

    The RMDK command is used when the module-level flag prefer_kmem is true,
    MEMREAD otherwise. The gofer's reply is logged with Info() and its hex dump
    is decoded with parsing.parseBytesFromHexDump, whose result is returned.
    """
    verb = 'RMDK' if prefer_kmem else 'MEMREAD'
    reply = utils.runGetOutput(['/tmp/gofer %s %X L%X' % (verb, addr, amt)], 1)
    Info(reply)
    return parsing.parseBytesFromHexDump(reply)
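def write(addr, data):
    """Write *data* into kernel memory at *addr* through the gofer helper.

    Args:
        addr: target kernel address, rendered as hex on the gofer command line.
        data: byte string to write; every byte becomes one two-digit hex argument.

    Uses the WMDK command when the module-level flag prefer_kmem is true,
    MEMWRITE otherwise. The gofer's reply is logged with Info(); nothing is returned.
    """
    verb = 'WMDK' if prefer_kmem else 'MEMWRITE'
    # One hex token per byte. bytearray() yields ints for a Py2 str as well as
    # Py3 bytes, and replaces the original quadratic `data = data[1:]` loop.
    hex_args = ''.join(' %02X' % b for b in bytearray(data))
    cmd = [('/tmp/gofer %s %X' % (verb, addr)) + hex_args]
    text = utils.runGetOutput(cmd, 1)
    # NOTE(review): Info is used unqualified here (other blocks use output.Info);
    # assumes it is imported at file level.
    Info(text)
    return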
def vmalloc(amt):
    """Allocate *amt* bytes of kernel memory through the gofer (VMALLOC).

    The reply is logged with Info() and the returned address is recovered from
    it with parsing.parseHexValue.
    """
    reply = utils.runGetOutput(['/tmp/gofer VMALLOC %X' % amt], 1)
    Info(reply)
    return parsing.parseHexValue(reply)
def call(addr, arg):
    """Ask the on-device gofer (via adb/su) to call the kernel function at *addr*.

    Only *addr* is placed on the command line; *arg* is accepted but never
    forwarded — presumably a placeholder, confirm against the gofer's CALL
    syntax before relying on it. The reply is logged with Info(); nothing is returned.
    """
    reply = utils.runGetOutput(['adb shell su -c "/data/local/tmp/gofer CALL %X"' % addr], 1)
    Info(reply)
def vfree(addr):
    """Free kernel memory at *addr* through the on-device gofer (VFREE via adb/su).

    The reply is logged with Info(); nothing is returned.
    """
    reply = utils.runGetOutput(['adb shell su -c "/data/local/tmp/gofer VFREE %X"' % addr], 1)
    Info(reply)
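def getKAllSyms():
    """Return the text of /proc/kallsyms with unmasked kernel addresses.

    kptr_restrict is set to 0 first so the addresses are not printed as zeros.
    The write goes through `echo 0 | sudo tee ...`, matching install(): with the
    previous `echo 0 > /proc/sys/kernel/kptr_restrict` the redirect was performed
    by the caller's own unprivileged shell, so it was refused unless the script
    already ran as root. This is a system-wide setting and is not restored here.

    Returns:
        The raw output of `cat /proc/kallsyms` as returned by utils.runGetOutput.
    """
    temp = utils.runGetOutput(['echo 0 | sudo tee /proc/sys/kernel/kptr_restrict'], 1)
    output.Info(temp)
    return utils.runGetOutput(['cat /proc/kallsyms'], 1)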
def uninstall():
    """Unload the prdbg kernel module if lsmod reports it as loaded.

    Both the lsmod listing and the rmmod output are logged with output.Info.
    """
    listing = utils.runGetOutput(['lsmod'], 1)
    output.Info(listing)
    if not re.search('prdbg', listing):
        return
    result = utils.runGetOutput(['sudo rmmod prdbg'], 1)
    output.Info(result)
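def disassemble(addr, data, toolchainSettings, **kwargs):
    """Disassemble the raw bytes *data* located at *addr* with the configured toolchain.

    The bytes are written out as a `.byte` directive, assembled with
    toolchainSettings['as'], relocated to *addr* through a generated linker script
    (toolchainSettings['ld']) and finally disassembled with toolchainSettings['objdump'].

    Args:
        addr: address the bytes live at; used for the .text relocation.
        data: byte string to disassemble (a Python 2 str in this codebase).
        toolchainSettings: dict with 'as', 'as_flags', 'ld', 'objdump' and
            'objdump_flags'; the optional key 'DONT_ALIGN' disables the 4-byte
            alignment padding.
        littleEnd (kwarg): passed through to parseObjdumpDisasmLine, default True.
        verbose (kwarg): echo tool output, print the temp file names and keep the
            temp files instead of deleting them.

    Returns:
        (instrBytes, instrStrings): parallel lists with one entry per objdump line
        accepted by parseObjdumpDisasmLine. When alignment padding was added the
        zero bytes are part of the result; the caller gets no padding count.
    """
    littleEnd = kwargs.get('littleEnd', True)
    verbose = kwargs.get('verbose', False)

    # objdump doesn't like unaligned sections: pad with zero bytes down to a
    # 4-byte aligned start address and up to a 4-byte aligned length.
    if 'DONT_ALIGN' not in toolchainSettings:
        while addr % 4:
            data = b'\x00' + data
            addr -= 1
        while len(data) % 4:
            data = data + b'\x00'

    (asm_handle, asm_name) = tempfile.mkstemp(suffix='.s')
    (obj0_handle, obj0_name) = tempfile.mkstemp(suffix='.o')
    (obj1_handle, obj1_name) = tempfile.mkstemp(suffix='.o')
    (ld_handle, ld_name) = tempfile.mkstemp(suffix='.ld')
    # The assembler/linker write the object files by name; release the
    # descriptors mkstemp handed us (obj1_handle was previously never closed).
    os.close(obj0_handle)
    os.close(obj1_handle)

    try:
        # create asm input file: ".byte 0x.., 0x.., ...\n"
        byte_tokens = ''.join(' 0x%02X,' % b for b in bytearray(data))
        input_text = '.byte' + byte_tokens.rstrip(',') + "\n"
        with os.fdopen(asm_handle, 'w') as asm_obj:
            asm_obj.write(input_text)

        # assemble to object file
        cmd = '%s %s %s -o %s' % \
            (toolchainSettings['as'], toolchainSettings['as_flags'], asm_name, obj0_name)
        utils.runGetOutput(cmd, verbose)

        # create linker script that places .text at addr
        with os.fdopen(ld_handle, 'w') as ld_obj:
            ld_obj.write("SECTIONS\n")
            ld_obj.write("{\n")
            ld_obj.write(" . = 0x%X;\n" % addr)
            ld_obj.write(" .text . : { %s(.text) }\n" % obj0_name)
            ld_obj.write("}\n")

        # link object file to new object file with the relocation of .text
        cmd = '%s %s --script %s -o %s' % (toolchainSettings['ld'], obj0_name, ld_name, obj1_name)
        utils.runGetOutput(cmd, verbose)

        # replace all symbols '$d' with '$a' so that objdump won't distinguish between
        # code and data within .text (see "mapping symbols" in arm eabi pdf).
        # Best-effort on purpose: some ELFs have no string table (eg: HC12).
        try:
            elf.replaceStrtabString(obj1_name, '$d', '$a')
        except Exception:
            pass

        # disassemble output file
        cmd = '%s -d %s %s' % (toolchainSettings['objdump'], toolchainSettings['objdump_flags'], obj1_name)
        objdump_out = utils.runGetOutput(cmd, verbose)
    finally:
        # In verbose mode the temp files are kept for inspection; otherwise they
        # are removed even when one of the tools failed above.
        if verbose:
            print("file input: " + asm_name)
            print("file obj0: " + obj0_name)
            print("file obj1: " + obj1_name)
            print("file linker: " + ld_name)
        else:
            for name in (asm_name, obj0_name, obj1_name, ld_name):
                os.unlink(name)

    # output here looks like:
    # /tmp/tmpiCaOBI.o:     file format elf64-x86-64
    #
    # Disassembly of section .text:
    #
    # 000000000040349d <.text>:
    #   40349d:       5b                      pop    rbx
    #   40349e:       6a 01                   push   0x1
    #   ...
    # parseObjdumpDisasmLine decides which lines are instructions and splits
    # each into (bytes, text); everything else is skipped.
    instrBytes = []
    instrStrings = []
    for line in objdump_out.split("\n"):
        parsed = parseObjdumpDisasmLine(line, littleEnd=littleEnd)
        if not parsed:
            continue
        instrBytes.append(parsed[0])
        instrStrings.append(parsed[1])
    return (instrBytes, instrStrings)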
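def assemble(source, toolchainSettings, **kwargs):
    """Assemble *source* with the configured toolchain and return its bytes and symbols.

    Args:
        source: assembly text; a trailing newline is appended before assembling.
        toolchainSettings: dict with 'as', 'as_flags', 'objdump' and 'objdump_flags'.
        verbose (kwarg): echo tool output, print the temp file names and keep the
            temp files instead of deleting them.

    Returns:
        [blob, syms]: blob is the concatenation of the code bytes recovered from
        `objdump -d` (each hex column decoded by parsing.parseDwordsWordsBytes);
        syms maps each symbol name from `objdump -t` to its value/address.
    """
    verbose = kwargs.get('verbose', False)

    (asm_handle, asm_name) = tempfile.mkstemp(suffix='.s')
    (obj0_handle, obj0_name) = tempfile.mkstemp(suffix='.o')
    # The assembler writes the object by name; release mkstemp's descriptor
    # (it was previously never closed).
    os.close(obj0_handle)
    if verbose:
        print("asm_name: %s" % asm_name)
        print("obj0_name: %s" % obj0_name)

    # is it a disassembly line? for example:
    #   (arm)     192c:  f8d8 300c       ldr.w r3, [r8, #12]
    #   (x86_64)  400520: bf d4 05 40 00  mov   $0x4005d4,%edi
    # group 1 is the hex-byte column between the address and the first tab.
    disasm_re = re.compile(r'^\s*(?:0x)?[a-f0-9]{1,16}:\s+(.*?)\t.*')
    # symbol table lines, eg:
    #   00000000 l    d  .text  00000000 .text
    #   deadbef0 l       *ABS*  00000000 MARKER_ORIG_BYTES0
    #   00000060 l       .text  00000000 context
    symtab_re = re.compile(
        r'^'
        r'(?P<val_addr>[a-f0-9]{8})\s+'
        r'(?P<flags>[lgu\!wCWIidDFfo ]+)\s+'
        r'(?P<section>\S+)\s+'
        r'(?P<align_size>[a-f0-9]{8})\s+'
        r'(?P<name>\S+)\s*'
        r'$'
    )

    try:
        # create asm input file
        with os.fdopen(asm_handle, 'w') as asm_obj:
            asm_obj.write(source + "\n")

        # assemble to object file
        cmd = '%s %s %s -o %s' % \
            (toolchainSettings['as'], toolchainSettings['as_flags'], asm_name, obj0_name)
        utils.runGetOutput(cmd, verbose)

        # disassemble output file and collect the instruction bytes
        cmd = '%s -d %s %s' % (toolchainSettings['objdump'], toolchainSettings['objdump_flags'], obj0_name)
        disasm_out = utils.runGetOutput(cmd, verbose)
        blob = ''
        for l in disasm_out.split("\n"):
            m = disasm_re.match(l)
            if m:
                blob += parsing.parseDwordsWordsBytes(m.group(1))

        # parse symbol table; lines that do not match are ignored
        cmd = '%s -t %s %s' % (toolchainSettings['objdump'], toolchainSettings['objdump_flags'], obj0_name)
        symtab_out = utils.runGetOutput(cmd, verbose)
        syms = {}
        for l in symtab_out.split("\n"):
            m = symtab_re.match(l)
            if m:
                syms[m.group('name')] = int(m.group('val_addr'), 16)
    finally:
        # delete temp files unless the caller wants to inspect them; runs even
        # when one of the tools above failed
        if not verbose:
            os.unlink(asm_name)
            os.unlink(obj0_name)

    return [blob, syms]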
def getKAllSyms():
    """Return the text of /proc/kallsyms from the attached Android device.

    kptr_restrict is set to 0 first (via adb/su) so addresses are not masked as
    zeros; the tee/echo output is logged with output.Info. This is a device-wide
    setting and is not restored here.

    Returns:
        The raw output of `cat /proc/kallsyms` as returned by utils.runGetOutput.
    """
    reply = utils.runGetOutput(['adb shell su -c "echo 0 > /proc/sys/kernel/kptr_restrict"'], 1)
    output.Info(reply)
    return utils.runGetOutput(['adb shell su -c "cat /proc/kallsyms"'], 1)
def uninstall():
    """Unload the prdbg kernel module from the attached Android device if it is loaded.

    Both the lsmod listing and the rmmod output are logged with output.Info.
    """
    listing = utils.runGetOutput(['adb shell lsmod'], 1)
    output.Info(listing)
    if not re.search('prdbg', listing):
        return
    result = utils.runGetOutput(['adb shell su -c "rmmod prdbg"'], 1)
    output.Info(result)
def vfree(addr):
    """Free kernel memory at *addr* through the local gofer helper (VFREE).

    The reply is logged with Info(); nothing is returned.
    """
    reply = utils.runGetOutput(['/tmp/gofer VFREE %X' % addr], 1)
    Info(reply)
def vmalloc(amt):
    """Allocate *amt* bytes of kernel memory through the on-device gofer (VMALLOC via adb/su).

    The reply is logged with Info() and the returned address is recovered from
    it with parsing.parseHexValue.
    """
    reply = utils.runGetOutput(['adb shell su -c "/data/local/tmp/gofer VMALLOC %X"' % amt], 1)
    Info(reply)
    return parsing.parseHexValue(reply)
def call(addr, arg):
    """Ask the local gofer helper to call the kernel function at *addr*.

    Only *addr* is placed on the command line; *arg* is accepted but never
    forwarded — presumably a placeholder, confirm against the gofer's CALL
    syntax before relying on it. The reply is logged with Info(); nothing is returned.
    """
    reply = utils.runGetOutput(['/tmp/gofer CALL %X' % addr], 1)
    Info(reply)
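import utils

try:
    from shlex import quote as _shell_quote  # Python 3.3+
except ImportError:
    from pipes import quote as _shell_quote  # Python 2

# Timelapse helper: clear the temp frames, copy the camera pictures as resized,
# sequentially numbered frames, encode them with ffmpeg, then (after a manual
# confirmation) delete the originals. tempjpgs, picsjpgs (glob patterns) and
# tempdir are expected to be defined earlier in this file.

print("deleting %s" % tempjpgs)
g = glob.glob(tempjpgs)
for (i, f) in enumerate(g):
    print('deleting %s (%d/%d)' % (f, i, len(g)))
    os.remove(f)

print("copying while resizing files to ~/Downloads/tmp")
g = sorted(glob.glob(picsjpgs))
for (i, srcPath) in enumerate(g):
    # frames are numbered from 0 so ffmpeg's %06d input pattern picks them up in order
    dstPath = os.path.join(tempdir, '%06d.JPG' % i)
    # The command string is handed to a shell, so quote both paths: a file name
    # containing spaces or shell metacharacters would otherwise break the command
    # or be interpreted by the shell.
    cmd = 'convert %s -resize 640x480 %s' % (_shell_quote(srcPath), _shell_quote(dstPath))
    print('calling `%s` (%d/%d)' % (cmd, i, len(g)))
    utils.runGetOutput(cmd)

print("encoding files")
cmd = 'ffmpeg -framerate 4 -i %s/%%06d.JPG -c:v libx264 -r 30 -pix_fmt yuv420p derp.mp4' % _shell_quote(tempdir)
print("calling `%s`" % cmd)
utils.runGetOutput(cmd)

# destructive step: wait for an explicit keypress (ctrl+c aborts) before removing originals
print("about to delete files from camera! press ctrl+c to quit!")
raw_input()
print("deleting %s" % picsjpgs)
g = glob.glob(picsjpgs)
for (i, f) in enumerate(g):
    print('deleting %s (%d/%d)' % (f, i, len(g)))
    os.remove(f)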