Notice: Once you have installed the latest version, you can ignore the reminder and the samyGOso-related steps in the patching procedures.
Reminder:
*For E/F/H series, follow both steps below.
*For D series (arm), replace instances of /mnt by /mtd_rwcommon/widgets/user/SamyGO/SamyGO
*For C series (arm), replace instances of /mnt by /SamyGO on your rooting USB device
*For B series, the latest samyGOso is already there.
- Extract the archive and copy/overwrite the samyGOso file (not the folder) to /mnt/opt/privateer/usr/bin
- Set permissions if needed (usually not necessary if overwritten)
Code:
chmod +x /mnt/opt/privateer/usr/bin/samyGOso
Hi,
I've modified http://www.mulliner.org/android/feed/co ... bi_v02.zip to work on my F8000. It might work on others as well, I guess.
Code:
cat /proc/2204/maps
00008000-00009000 r-xp 00000000 b3:10 818 /mtd_rwarea/root/srv
00010000-00011000 rwxp 00000000 b3:10 818 /mtd_rwarea/root/srv
0109e000-010bf000 rwxp 00000000 00:00 0 [heap]
40045000-40046000 rwxp 00000000 00:00 0
400f0000-400f1000 rwxp 00000000 00:00 0
4018d000-4018e000 rwxp 00000000 00:00 0
41000000-4101f000 r-xp 00000000 b3:12 530 /mtd_exe/lib/ld-2.14.1.so
41026000-41027000 r-xp 0001e000 b3:12 530 /mtd_exe/lib/ld-2.14.1.so
41027000-41028000 rwxp 0001f000 b3:12 530 /mtd_exe/lib/ld-2.14.1.so
41e80000-41fa5000 r-xp 00000000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41fa5000-41fad000 ---p 00125000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41fad000-41faf000 r-xp 00125000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41faf000-41fb0000 rwxp 00127000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41fb0000-41fb3000 rwxp 00000000 00:00 0
42058000-42062000 r-xp 00000000 b3:12 547 /mtd_exe/lib/libgcc_s.so.1
42062000-42069000 ---p 0000a000 b3:12 547 /mtd_exe/lib/libgcc_s.so.1
42069000-4206a000 rwxp 00009000 b3:12 547 /mtd_exe/lib/libgcc_s.so.1
42310000-42314000 r-xp 00000000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
42314000-4231b000 ---p 00004000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
4231b000-4231c000 r-xp 00003000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
4231c000-4231d000 rwxp 00004000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
be8f0000-be8f0000 rw-p 00000000 00:00 0
be8f0000-be911000 rwxp 00000000 00:00 0 [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
Code:
./hijack -l /mtd_exe/Comp_LIB/libz.so -d -p 2204
mprotect: 0x41e96f80
dlopen: 0x42310c5c
pc=41e962bc lr=41f16074 sp=be910994 fp=be910b54
r0=fffffffc r1=be910b28
r2=0 r3=8
libaddr: be910928
stack: 0xbe8f0000-0xbe911000 length = 135168
executing injection code at 0xbe910944
library injection completed!
Code:
cat /proc/2204/maps
00008000-00009000 r-xp 00000000 b3:10 818 /mtd_rwarea/root/srv
00010000-00011000 rwxp 00000000 b3:10 818 /mtd_rwarea/root/srv
0109e000-010bf000 rwxp 00000000 00:00 0 [heap]
40045000-40046000 rwxp 00000000 00:00 0
40046000-4005a000 r-xp 00000000 b3:12 1228 /mtd_exe/Comp_LIB/libz.so
4005a000-40061000 ---p 00014000 b3:12 1228 /mtd_exe/Comp_LIB/libz.so
40061000-40062000 rwxp 00013000 b3:12 1228 /mtd_exe/Comp_LIB/libz.so
400f0000-400f1000 rwxp 00000000 00:00 0
4018d000-4018e000 rwxp 00000000 00:00 0
41000000-4101f000 r-xp 00000000 b3:12 530 /mtd_exe/lib/ld-2.14.1.so
41026000-41027000 r-xp 0001e000 b3:12 530 /mtd_exe/lib/ld-2.14.1.so
41027000-41028000 rwxp 0001f000 b3:12 530 /mtd_exe/lib/ld-2.14.1.so
41e80000-41fa5000 r-xp 00000000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41fa5000-41fad000 ---p 00125000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41fad000-41faf000 r-xp 00125000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41faf000-41fb0000 rwxp 00127000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
41fb0000-41fb3000 rwxp 00000000 00:00 0
42058000-42062000 r-xp 00000000 b3:12 547 /mtd_exe/lib/libgcc_s.so.1
42062000-42069000 ---p 0000a000 b3:12 547 /mtd_exe/lib/libgcc_s.so.1
42069000-4206a000 rwxp 00009000 b3:12 547 /mtd_exe/lib/libgcc_s.so.1
42310000-42314000 r-xp 00000000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
42314000-4231b000 ---p 00004000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
4231b000-4231c000 r-xp 00003000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
4231c000-4231d000 rwxp 00004000 b3:12 533 /mtd_exe/lib/libdl-2.14.1.so
be8f0000-be8f0000 rw-p 00000000 00:00 0
be8f0000-be911000 rwxp 00000000 00:00 0 [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
I've completely rewritten the shellcode. hijack now has support for temporary and resident .so injection (-r); the default is temporary.
Also, there is no need for __attribute__(ctor) anymore. Just export lib_init().
temp injection:
dlopen(), lib_init(), lib_deinit(), dl_close()
resident injection:
dlopen(), lib_init()
Check the source for the exact declarations of lib_init/lib_deinit.
update2:
- added support for json config (-c configfile)
Code:
[
    {
        "keep": 0,
        "path": "/mtd_rwarea/test/lib_test.so"
    },
    {
        "keep": 0,
        "path": "/mtd_rwarea/test/lib_test2.so"
    }
]
- added support for passing command line arguments to injected .so (check lib_test.c for usage)
- some fixes
update4:
Some fixes to version 1.2.1 of samyGOso:
* now loading a non-existent .so will not succeed
* added -n option so now you can use procname instead of pid
* added -D, -A, -T for using standard proc names (exeDSP, exeAPP, exeTV)
* added -B switch which causes samyGOso to use exeDSP if exeAPP/exeTV fails
Code:
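A defender-side check suggested by the before/after maps comparison in this post, written as an added example (it is not part of hijack or samyGOso): it parses /proc/PID/maps and reports file-backed mappings that appeared between two snapshots, the way libz.so appears above after the injection. The two sample snapshots are constructed, trimmed from the output posted here.

```python
import re
from typing import NamedTuple

# Constructed sample, trimmed from the before/after maps output posted above.
BEFORE = """\
40045000-40046000 rwxp 00000000 00:00 0
41e80000-41fa5000 r-xp 00000000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
be8f0000-be911000 rwxp 00000000 00:00 0 [stack]
"""
AFTER = """\
40045000-40046000 rwxp 00000000 00:00 0
40046000-4005a000 r-xp 00000000 b3:12 1228 /mtd_exe/Comp_LIB/libz.so
40061000-40062000 rwxp 00013000 b3:12 1228 /mtd_exe/Comp_LIB/libz.so
41e80000-41fa5000 r-xp 00000000 b3:12 529 /mtd_exe/lib/libc-2.14.1.so
be8f0000-be911000 rwxp 00000000 00:00 0 [stack]
"""

# One /proc/PID/maps line: range, perms, offset, dev, inode, optional path.
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) +(?P<perms>[rwxps-]{4}) +"
    r"(?P<offset>[0-9a-f]+) +(?P<dev>[0-9a-f]+:[0-9a-f]+) +(?P<inode>\d+)"
    r"(?: +(?P<path>\S.*))?$"
)

class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous regions

def parse_maps(text: str) -> list[Mapping]:
    """Parse the text of /proc/PID/maps into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.rstrip())
        if m:  # skip blank or malformed lines
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"] or ""))
    return out

def new_libraries(before: str, after: str) -> list[str]:
    """File-backed paths mapped in `after` but absent from `before`.
    A library loaded into a running process from outside (dlopen driven by
    an injector) shows up exactly this way; [heap]/[stack] are ignored."""
    seen = {m.path for m in parse_maps(before)}
    found = []
    for m in parse_maps(after):
        if m.path and not m.path.startswith("[") and m.path not in seen:
            seen.add(m.path)
            found.append(m.path)
    return found
```

On a real device, read the two snapshots with open(f"/proc/{pid}/maps").read() at startup and again later; any path reported that is not in the process's normal dependency set deserves a look.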
/tmp/samyGOso -d -l /tmp/test.so -n exeAPP
Code:
/tmp/samyGOso -d -l /tmp/test.so -A
Code:
/tmp/samyGOso -d -l /tmp/test.so -A -B
Code:
samyGOso v1.2.4 (c) bugficks 2013, sectroyer 2014
usage: samyGOso [-p PID | -n procname | -A | -T | -D ] [-B ] {-c CONFIG | -l /full/path/to/inject.so [-r (=resident)]} [-d (=debug on)] [-a (=add libc addressoffset )] [arg0,...,argN]
Code:
mandatory parameters:
  targeting (choose one of these parameters):
    -p [PID]       specifies the target process by PID [decimal value] (old parameter, usually used like -p `pidof exeDSP` to automatically get the right PID)
    -n [procname]  specifies the target process by process name
    -A             specifies "exeAPP" as the target process name
    -D             specifies "exeDSP" as the target process name
    -T             specifies "exeTV" as the target process name
    optional additional targeting:
      -B           usable in combination with -A or -T, sets "exeDSP" as the fallback target (need more details here)
  source lib:
    -l [path to lib]  specifies the lib*.so to be used
optional parameters:
  -r             switches on resident mode, causing samyGOso to inject the libso in resident mode; whether it's necessary depends on the type of libso
  -d             switches on debug mode, causing samyGOso to create a log file with debug output in /dtv (tmpfs, deleted at power-off/reboot)
  -a [0x#######] sets an address offset [?-bit hex value]; only use it if you know exactly why (need more details here)
  You may additionally add arguments to be passed to lib*.so to influence its behavior.