User PM128 with an AT300SE asked on the XDA forums for help with rooting their tablet, which might be similar to the Pro I did before.
And indeed, the same method works. Unfortunately, the kernel is a different version, so we had to shuffle files back and forth for a while, but the strategy remains:
1. Obtain temporary root by replacing /system/bin/debuggerd and /system/bin/netd with a shell script. (Don't forget to first backup the originals to /data/local/tmp/{debuggerd,netd}.orig)
2. Grab /system/lib/modules/gps_drv.ko for patching
3. Disable kernel address protection and dump symbols
4. Write code to call print_hex_dump on register_sealime (+ register_extra_hook which comes right after)
.macro mov32, reg, val
movw \reg, #:lower16:\val
movt \reg, #:upper16:\val
.endm
init_module:
push {r4,lr}
sub sp, sp, #20
adr r0, KERN_ERR
adr r1, PREFIX
mov r2, #1 // DUMP_PREFIX_ADDRESS
mov r3, #16 // rowsize
mov r4, #1
str r4, [sp] // groupsize
mov32 r4, 0xc02145c4 // register_sealime
str r4, [sp, #4] // buf
mov32 r4, 0x100
str r4, [sp, #8] // len
mov r4, #1
str r4, [sp, #12] // ascii
mov32 r4, 0xc0252878 // print_hex_dump
blx r4
mov r0, #-43
add sp, sp, #20
pop {r4,pc}
KERN_ERR:
.asciz "<3>"
PREFIX:
.asciz "glomus"
5. Assemble for arm and patch the resulting code into the .init.text section of the original gps_drv.ko
% readelf -a gps_drv.ko ... [ 3] .init.text PROGBITS 00000000 000a84 0000fc 00 AX 0 0 4 [ 4] .rel.init.text REL 00000000 01ca6c 000080 08 51 3 4 ... % cp gps_drv.ko dump_memory.ko % dd bs=1 count=128 skip=52 seek=2692 if=dump_memory.bin of=dump_memory.ko conv=notrunc
6. Kill gps_drv.ko's original relocation entries (so the code stays intact during loading) by setting the .rel.init.text section length to zero.
% readelf -a gps_drv.ko ... Start of section headers: 114180 (bytes into file) ... % # Either guess the offset or note it's 40 bytes per section header as per ELF spec % dd bs=1 count=1 skip=0 seek=114360 if=/dev/zero of=dump_memory.ko conv=notrunc % readelf -a dump_memory.ko [ 4] .rel.init.text REL 00000000 01ca6c 000000 08 51 3 4
7. dirtycow the dump_memory.ko over gps_drv.ko
root@tostab:/data/local/tmp # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
8. Insmod the new "GPS driver"
root@tostab:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)
9. Grab register_sealime instruction dump from dmesg
glomusc02145c4: 00 40 2d e9 00 40 bd e8 58 37 0f e3 a0 30 4c e3 .@-..@..X7...0L. glomusc02145d4: 00 00 83 e5 00 00 a0 e3 1e ff 2f e1 00 40 2d e9 ........../..@-. glomusc02145e4: 00 40 bd e8 58 37 0f e3 a0 30 4c e3 04 00 83 e5 .@..X7...0L..... glomusc02145f4: 00 00 a0 e3 1e ff 2f e1 f0 45 2d e9 0c d0 4d e2 ....../..E-...M. glomusc0214604: 00 40 2d e9 00 40 bd e8 78 40 9f e5 00 60 a0 e1 .@-..@..x@...`.. glomusc0214614: 01 70 a0 e1 02 50 a0 e1 03 80 a0 e1 00 c0 94 e5 .p...P.......... glomusc0214624: 28 a0 9d e5 00 00 5c e3 12 00 00 0a 00 a0 8d e5 (.....\......... glomusc0214634: a4 c1 9c e5 3c ff 2f e1 01 00 70 e3 0b 00 00 0a ....<./...p..... glomusc0214644: 04 30 94 e5 00 00 53 e3 08 00 00 0a a4 c1 93 e5 .0....S......... glomusc0214654: 00 00 5c e3 05 00 00 0a 00 a0 8d e5 06 00 a0 e1 ..\............. glomusc0214664: 07 10 a0 e1 05 20 a0 e1 08 30 a0 e1 3c ff 2f e1 ..... ...0..<./. glomusc0214674: 0c d0 8d e2 f0 85 bd e8 02 30 a0 e1 00 a0 8d e5 .........0...... glomusc0214684: cd fc ff eb eb ff ff ea 58 f7 a0 c0 f8 4f 2d e9 ........X....O-. glomusc0214694: 00 40 2d e9 00 40 bd e8 00 50 a0 e1 c4 60 9f e5 .@-..@...P...`.. glomusc02146a4: 01 90 a0 e1 00 00 96 e5 00 00 50 e3 02 00 00 0a ..........P..... glomusc02146b4: 10 00 80 e2 84 c9 00 eb 00 00 96 e5 00 40 90 e5 .............@..
10. Beautify, unhex and disassemble the dump
% cat > register_sealime.dump
00000000: 00 40 2d e9 00 40 bd e8 58 37 0f e3 a0 30 4c e3 .@-..@..X7...0L.
00000010: 00 00 83 e5 00 00 a0 e3 1e ff 2f e1 00 40 2d e9 ........../..@-.
00000020: 00 40 bd e8 58 37 0f e3 a0 30 4c e3 04 00 83 e5 .@..X7...0L.....
00000030: 00 00 a0 e3 1e ff 2f e1 f0 45 2d e9 0c d0 4d e2 ....../..E-...M.
00000040: 00 40 2d e9 00 40 bd e8 78 40 9f e5 00 60 a0 e1 .@-..@..x@...`..
00000050: 01 70 a0 e1 02 50 a0 e1 03 80 a0 e1 00 c0 94 e5 .p...P..........
00000060: 28 a0 9d e5 00 00 5c e3 12 00 00 0a 00 a0 8d e5 (.....\.........
00000070: a4 c1 9c e5 3c ff 2f e1 01 00 70 e3 0b 00 00 0a ....<./...p.....
00000080: 04 30 94 e5 00 00 53 e3 08 00 00 0a a4 c1 93 e5 .0....S.........
00000090: 00 00 5c e3 05 00 00 0a 00 a0 8d e5 06 00 a0 e1 ..\.............
000000A0: 07 10 a0 e1 05 20 a0 e1 08 30 a0 e1 3c ff 2f e1 ..... ...0..<./.
000000B0: 0c d0 8d e2 f0 85 bd e8 02 30 a0 e1 00 a0 8d e5 .........0......
000000C0: cd fc ff eb eb ff ff ea 58 f7 a0 c0 f8 4f 2d e9 ........X....O-.
000000D0: 00 40 2d e9 00 40 bd e8 00 50 a0 e1 c4 60 9f e5 .@-..@...P...`..
000000E0: 01 90 a0 e1 00 00 96 e5 00 00 50 e3 02 00 00 0a ..........P.....
000000F0: 10 00 80 e2 84 c9 00 eb 00 00 96 e5 00 40 90 e5 .............@..
% xxd -r register_sealime.dump > register_sealime
% objdump -D -b binary -m arm_any register_sealime
register_sealime: file format binary
Disassembly of section .data:
00000000 <.data>:
0: e92d4000 stmfd sp!, {lr}
4: e8bd4000 ldmfd sp!, {lr}
8: e30f3758 movw r3, #63320 ; 0xf758
c: e34c30a0 movt r3, #49312 ; 0xc0a0
10: e5830000 str r0, [r3]
14: e3a00000 mov r0, #0
18: e12fff1e bx lr
1c: e92d4000 stmfd sp!, {lr}
20: e8bd4000 ldmfd sp!, {lr}
24: e30f3758 movw r3, #63320 ; 0xf758
28: e34c30a0 movt r3, #49312 ; 0xc0a0
2c: e5830004 str r0, [r3, #4]
30: e3a00000 mov r0, #0
34: e12fff1e bx lr
...
11. Write code to unregister sealime:
.macro mov32, reg, val
movw \reg, #:lower16:\val
movt \reg, #:upper16:\val
.endm
init_module:
push {lr}
mov r0, #0
mov32 r1, 0xc0a0f758
str r0, [r1]
str r0, [r1, #4]
mov r0, #-43
pop {pc}
12. Assemble and patch into gps_drv.ko as before
% cp gps_drv.ko glomus.ko % dd bs=1 count=128 skip=52 seek=2692 if=glomus.bin of=glomus.ko conv=notrunc % dd bs=1 count=1 skip=0 seek=114360 if=/dev/zero of=glomus.ko conv=notrunc
13. Dirtycow and insmod
root@tostab:/data/local/tmp # ./dirtycow glomus.ko /system/lib/modules/gps_drv.ko root@tostab:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed) root@tostab:/data/local/tmp # mount -o remount,rw /system
... and only a few seconds later ... the tablet hangs.
With some more debugging, this is due to
<1>[ 949.984048] Unable to handle kernel NULL pointer dereference at virtual address 00000000 <1>[ 949.997201] pgd = c0004000 <1>[ 950.005097] [00000000] *pgd=00000000 <0>[ 950.011027] Internal error: Oops: 17 [#1] PREEMPT SMP <4>[ 950.016647] Modules linked in: bcmdhd cfg80211 sealime(P) <4>[ 950.025202] CPU: 0 Tainted: P (3.1.10-g9ebfa32 #1) <4>[ 950.031900] PC is at jbd2_journal_file_inode+0x3c/0x11c <4>[ 950.038178] LR is at mpage_da_map_and_submit+0x3d0/0x548 <4>[ 950.044073] pc : [<c01d6c88>] lr : [<c01982d8>] psr: 60000153 <4>[ 950.044117] sp : dcc55ce8 ip : effe2400 fp : dcc54000 <4>[ 950.057121] r10: e41d03c8 r9 : 00000000 r8 : 00000000 <4>[ 950.063354] r7 : 00000026 r6 : e65cd400 r5 : 00000000 r4 : cf5c3b00 <4>[ 950.070446] r3 : 00000000 r2 : 00000800 r1 : 00000000 r0 : 00000000 <4>[ 950.078010] Flags: nZCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment kernel <4>[ 950.085980] Control: 10c5387d Table: a5b5404a DAC: 00000015 <4>[ 950.092722] <4>[ 950.092740] PC: 0xc01d6c08: <4>[ 950.098065] 6c08 e5953004 e2433001 e5853004 e5953000 e3130002 1a000008 e5943000 e3130601 <4>[ 950.112035] 6c28 1afffffc e5953004 e2833001 e5853004 eaffffd9 eb113066 eaffffeb eb113064 <4>[ 950.125541] 6c48 eafffff4 e92d40f8 e92d4000 e8bd4000 e1a05001 e5d03010 e5904000 e2033004 <4>[ 950.139050] 6c68 e6ef3073 e5946000 e3530000 13e00004 18bd80f8 e5960000 e2100002 1a000034 <4>[ 950.152977] 6c88 e5913000 e1530004 08bd80f8 e5913004 e1530004 08bd80f8 e2867e22 e1a00007 <4>[ 950.166923] 6ca8 eb113984 e5953000 e1530004 0a000010 e5952004 e1520004 0a00000d e5941080 <4>[ 950.180881] 6cc8 e3510000 03a03001 05843080 05953000 05952004 e3530000 0a000009 e3520000 <4>[ 950.194330] 6ce8 1a000015 e596203c e1520003 05854004 1a00000e e1a00007 eb113823 e3a00000 <4>[ 950.208272] <4>[ 950.208290] LR: 0xc0198258: <4>[ 950.213621] 8258 e2888001 eb02a949 e1a00007 ebfcfb4f e1590008 1affffea e28dc068 e59d2028 <4>[ 950.227557] 8278 e08c9109 e3520000 e519303c e5937008 e2877001 1a000002 e1540007 2affffcc <4>[ 950.241495] 8298 eaffff77 e28d0028 ebfd2897 eafffff9 e5131044 e3110901 1affff4a e5922044 <4>[ 950.255405] 82b8 e2022b03 e3520b02 1affff46 e35a0a01 3affff44 e5931168 e1a0000a eb00fa5c <4>[ 950.268926] 82d8 e3500000 05953000 1affff67 eaffff3d e595c010 e1a00004 e5913028 e1cd80f0 <4>[ 950.282863] 82f8 e591e058 e59f2120 e59f1120 e1a0ce3c e58d700c e58dc008 eb004c40 e1a00004 <4>[ 950.296769] 8318 e59f1108 e59f2108 eb004c3c e377001c 15951000 1affffa0 e5954000 e594301c <4>[ 950.310202] 8338 e1a00003 e59361d4 ebffd552 e1a02000 e1a03001 e59f00dc eb12168d e59f00d8 <4>[ 950.324161] <4>[ 950.324179] SP: 0xdcc55c68: <4>[ 950.329961] 5c68 0000003f dcc55c84 00000000 dcc55e68 dcc55c84 00000000 00000000 c0624afc <4>[ 950.343422] 5c88 dcc54000 c01d6c88 60000153 ffffffff dcc55cd4 c000e798 00000000 00000000 <4>[ 950.357315] 5ca8 00000800 00000000 cf5c3b00 00000000 e65cd400 00000026 00000000 00000000 <4>[ 950.371211] 5cc8 e41d03c8 dcc54000 effe2400 dcc55ce8 c01982d8 c01d6c88 60000153 ffffffff <4>[ 950.384672] 5ce8 e4242b70 e4242b70 dcc55dd0 00008000 00000026 c01982d8 ffffffff dcc55dcc <4>[ 950.398617] 5d08 00000000 e4242c48 000085c0 00000000 00000000 00000026 00000020 00000000 <4>[ 950.412541] 5d28 c0e46c00 c0e4b5d4 c12a35b4 c0e3733c c0cf4d40 c0e54448 c0e3ffdc c0d04ba4 <4>[ 950.426462] 5d48 c0e5d424 c0e4ec64 c0d8e58c c0e3f64c c0e1eac0 c0d96b00 e65cdda4 e4242b70 <4>[ 950.439974] <4>[ 950.439993] IP: 0xeffe2380: <4>[ 950.445760] 2380 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.459154] 23a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.473060] 23c0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.486960] 23e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.500886] 2400 0000c860 00031ffc 00000000 0000a84e 0000c1b6 00000000 00000002 00000002 <4>[ 950.514393] 2420 00008000 00008000 00001ca0 62c89ec6 55cb09a8 ffff0006 0001ef53 00000002 <4>[ 950.528333] 2440 00000000 00000000 00000000 00000001 00000000 0000000b 00000100 00000014 <4>[ 950.542296] 2460 00000046 00000003 bcf4f857 5f65f4ab 6f9467bf 5bf2f9c0 00000000 00000000 <4>[ 950.556219] <4>[ 950.556238] FP: 0xdcc53f80: <4>[ 950.561557] 3f80 2b007813 88b3d109 4282105a 1c10da01 1040e000 84281900 6afb8c2c d505009b <4>[ 950.575497] 3fa0 00438870 dc01428b e0002001 234b2000 683b5558 0f9b009b 22200098 632a4302 <4>[ 950.589017] 3fc0 68034816 d0002b00 2b002301 3040d003 42888800 4811d309 2b006803 2301d000 <4>[ 950.602956] 3fe0 d0052b00 42888c80 1a09d202 8c698469 d901428c 842b1a63 bdf0b002 1ea046c0 <4>[ 950.616899] 4000 00000000 00000002 00000000 e51b3aa0 c0944b10 00000000 00000015 e51b3aa0 <4>[ 950.630814] 4020 c15134a0 e614e8e0 dcc54000 efea3d28 ef85e080 00000000 dcc55a9c dcc559e8 <4>[ 950.644294] 4040 c06227a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.657747] 4060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.671632] <4>[ 950.671651] R4: 0xcf5c3a80: <4>[ 950.676972] 3a80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.690906] 3aa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.704845] 3ac0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.718318] 3ae0 c00a4ce4 00000000 cf5c3ae8 cf5c3ae8 c00a8ee8 ffffffff ffffffff ffffffff <4>[ 950.731784] 3b00 e65cd400 00000101 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.745694] 3b20 00000000 00000000 00000000 00000000 00000000 cf5c3b34 cf5c3b34 00000000 <4>[ 950.759186] 3b40 00000000 00000000 0000fda9 00000000 00000000 00000000 00000000 00000001 <4>[ 950.773099] 3b60 00000008 00000000 00000000 0000ff9d 0af25ca2 000000dd 00000001 00000000 <4>[ 950.787017] <4>[ 950.787036] R6: 0xe65cd380: <4>[ 950.792356] d380 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.805811] d3a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.819730] d3c0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.833241] d3e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <4>[ 950.847212] d400 00000038 00000000 ef5289c8 effd9000 00000002 00000000 00000000 00000000 <4>[ 950.861157] d420 00000001 00000000 00000000 e65cd42c e65cd42c 00000000 cf5c3b00 00000000 <4>[ 950.875058] d440 00000000 00000000 00000000 e65cd44c e65cd44c 00000000 00000000 e65cd45c <4>[ 950.888568] d460 e65cd45c 00000000 00000000 e65cd46c e65cd46c 00000000 00000000 e65cd47c <4>[ 950.902469] <4>[ 950.902488] R10: 0xe41d0348: <4>[ 950.907894] 0348 e41c4f70 e22bccb6 00000012 e41d035c 00000000 646c694d 6c41796c 696d7261 <4>[ 950.921796] 0368 6f2e676e ff006767 ff7fffff fffffeff ffffffff ffdffbff 00000000 00000000 <4>[ 950.935717] 0388 00000000 00000000 e65cdc00 ffffffff 00000000 e41d039c e41d039c e41d031c <4>[ 950.949673] 03a8 c01225f4 e41d03ac e41d03ac e41d03b4 e41d03b4 fffbebfb 00000070 00000004 <4>[ 950.963197] 03c8 cf5c3b00 00000008 00000001 00000000 00000000 e41d03e4 00000000 4564694d <4>[ 950.977097] 03e8 4a6c6976 746e7561 67676f2e ffffff00 ffffffff ffffffff ffffffff ffffd9ff <4>[ 950.991034] 0408 00000000 00000000 00000000 00000000 e65cdc00 ffbffff7 00000000 e41d0424 <4>[ 951.004970] 0428 e41d0424 e41d03a4 c01225f4 e41d0434 e41d0434 e41d043c e41d043c fffffb8f <0>[ 951.018485] Process flush-179:0 (pid: 304, stack limit = 0xdcc542f0) <0>[ 951.025859] Stack: (0xdcc55ce8 to 0xdcc56000) <0>[ 951.030804] 5ce0: e4242b70 e4242b70 dcc55dd0 00008000 00000026 c01982d8 <0>[ 951.040039] 5d00: ffffffff dcc55dcc 00000000 e4242c48 000085c0 00000000 00000000 00000026 <0>[ 951.049282] 5d20: 00000020 00000000 c0e46c00 c0e4b5d4 c12a35b4 c0e3733c c0cf4d40 c0e54448 <0>[ 951.058070] 5d40: c0e3ffdc c0d04ba4 c0e5d424 c0e4ec64 c0d8e58c c0e3f64c c0e1eac0 c0d96b00 <0>[ 951.067304] 5d60: e65cdda4 e4242b70 e4242b70 00000000 00008000 00000000 dcc55e68 e41d03c8 <0>[ 951.076533] 5d80: 00000001 c0198bf8 00002000 c004dd2c ffffffe2 c08f14a0 e4242c48 00000000 <0>[ 951.085760] 5da0: 00000000 00000000 e65cd80
Hm, is the file-system actually broken?
root@android:/data/local/tmp # dd if=/dev/block/platform/sdhci-tegra.3/by-name/APP of=/data/local/tmp/system.img [... some adb pull omitted ...] /tmp % /sbin/e2fsck -fn system.img | wc -l e2fsck 1.45.4 (23-Sep-2019) 2281838
Uh.
Or is it just the kernel doing dumb things because of the page-cache hackery?
root@android:/data/local/tmp # echo 50000 > /proc/sys/vm/dirty_writeback_centiseconds
Yes, that "fixes" (aka arbitrarily delays) the crash.
Unfortunately, further experiments trying to do unholy things to /system ended in /system/bin/netd being non-executable and the tablet un-bootable. Anyone needs replacement parts (excl. CPU board) for AT300SE?