Research on Android kernel privilege escalation

The kernel research that can be done is essentially privilege escalation, and the most studied area is Linux privilege escalation on the x86 and ARM instruction sets. On ARM, Linux privilege escalation is basically Android root and iOS jailbreak; there is little about MIPS, probably because there are few application scenarios. There is very little information about the simplest stack overflow exploits in the Android kernel, and newer kernel versions differ a lot. It is very easy on x86, but ARM is very different, so I encountered many problems.

Preparations

Android kernel compilation

Download related source code dependencies

The Android kernel source code is goldfish. Cloning it directly and compiling inside the git directory is very troublesome; if you want to study a particular version, you can download the tar.gz for that branch directly. PS: If git clone is slow, you can use the domestic mirror to speed up:

The download addresses of the tools used in this article are as follows:

$ tar zxf goldfish-android-goldfish-3.10.tar.gz

When I started learning Android kernel pwn, I studied a project on Github that relies on an old kernel. It is estimated that the kernel is below Android 3.4, and there are various problems with 3.10 or above, so I made some modifications myself and open-sourced them on Github as well.

$ cp qemu-kernel/build-kernel.sh goldfish/
$ cp -r qemu-kernel/kernel-toolchain/ goldfish/

Modify the kernel

There are two points to modify in the kernel source code:

(1) Firstly, you need to know which version to compile. What I compiled is a 32-bit Android kernel using goldfish_armv7, whose configuration file is arch/arm/configs/goldfish_armv7_defconfig. I don't know why there is no such configuration file in 3.10, but there is no problem using ranchu:

To add debug symbols to the kernel, you only need to add CONFIG_DEBUG_INFO=y to the above configuration file. The default ranchu configuration already has debug symbols, so you don't need to modify it; if it is goldfish, you need to add it yourself.

(2) Add drivers that contain vulnerabilities. This article is intended to study Android privilege escalation exploits, so I added a driver containing a stack overflow myself; the steps below also show how to add a driver you have written yourself. Copy the vulnerabilities/ directory from the Github project I mentioned before to the drivers directory of the kernel source code, then modify the Makefile (append the line, so the existing driver entries are kept):

$ echo "obj-y += vulnerabilities/" >> drivers/Makefile

After importing the environment variables, compile with the one-click compilation script:

$ export PATH=/root/arm-linux-androideabi-4.6/bin/:$PATH

PS: I encountered a problem when reproducing the environment in docker; you can refer to:

The compiled kernel is in the /tmp/qemu-kernel directory. There are two files: zImage, the kernel boot image, and vmlinux, the kernel binary, which is used either to analyze the kernel in IDA or to provide symbol information to gdb.

Preparations for Android simulation environment

Having compiled the kernel, it's time for the Android environment. You can use Android Studio directly, but if you don't do Android development, Studio seems too bloated and takes a long time to download. Fortunately, the official command line tools are available, and you can download only those if you think Studio is too big. Create a directory and put the downloaded tools in it:

$ mkdir android_sdk

Firstly you need to install some tools via tools/bin/sdkmanager. The latest version, Java 11, cannot be used; I use Java 8.

bin/sdkmanager --install "system-images;android-19;google_apis;armeabi-v7a"
bin/sdkmanager --install "platforms;android-19"

PS: Because it is 32-bit, I choose armeabi-v7a. And I have tested Android-19, 24 and 25, and found that in Android-24 and 25 the driver that contains the vulnerability is only accessible to privileged users. Not having carefully analyzed the reason, I use the lower version, Android-19.

Create an Android virtual device:

bin/avdmanager create avd -k "system-images;android-19;google_apis;armeabi-v7a" -d 5 -n "kernel_test"

Start up:

$ export kernel_path=ranchu_3.10_zImage
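Returning to the "Modify the kernel" step: the two source edits (the Kbuild line in drivers/Makefile and CONFIG_DEBUG_INFO=y in the defconfig) are easy to get wrong with a one-off redirect, so the following is an added shell example, not from the original post or its Github project, that applies both idempotently and demonstrates them on a constructed scratch tree; the function names and scratch paths are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the two kernel-source
# edits from the "Modify the kernel" step safely, then check the result.
# Assumes a goldfish/ranchu kernel tree laid out as in the post, with the
# vulnerabilities/ driver directory already copied into drivers/.

# Append a Kbuild line to drivers/Makefile only if it is not already there.
# A plain '>' redirect would overwrite the whole Makefile and drop every other
# driver; '>>' behind a grep guard is idempotent.
add_kbuild_entry() {
    makefile=$1; entry=$2
    grep -qxF "$entry" "$makefile" || printf '%s\n' "$entry" >> "$makefile"
}

# Ensure a CONFIG_ option is =y in a defconfig, replacing an existing
# "# CONFIG_X is not set" or "CONFIG_X=..." line instead of adding a second
# one (needed for goldfish, which lacks CONFIG_DEBUG_INFO; ranchu has it).
ensure_config_y() {
    defconfig=$1; opt=$2
    if grep -qE "^(# )?$opt( is not set|=.*)$" "$defconfig"; then
        sed -i -E "s/^(# )?$opt( is not set|=.*)$/$opt=y/" "$defconfig"
    else
        printf '%s=y\n' "$opt" >> "$defconfig"
    fi
}

# Number of exact occurrences of a line in a file (to verify idempotence).
count_line() { grep -cxF "$2" "$1"; }

# Demo on a constructed scratch tree (hypothetical contents, not a real kernel).
demo() {
    tree=$(mktemp -d)
    cfg=$tree/arch/arm/configs/goldfish_armv7_defconfig
    mkdir -p "$tree/drivers" "$tree/arch/arm/configs"
    printf 'obj-y += base/\nobj-y += tty/\n' > "$tree/drivers/Makefile"
    printf '# CONFIG_DEBUG_INFO is not set\nCONFIG_ARM=y\n' > "$cfg"
    add_kbuild_entry "$tree/drivers/Makefile" "obj-y += vulnerabilities/"
    add_kbuild_entry "$tree/drivers/Makefile" "obj-y += vulnerabilities/"  # no-op
    ensure_config_y "$cfg" CONFIG_DEBUG_INFO
    echo "== drivers/Makefile =="; cat "$tree/drivers/Makefile"
    echo "== goldfish_armv7_defconfig =="; cat "$cfg"
    rm -rf "$tree"
}

demo
```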