nforest / droidimg Goto Github PK

Detected file format: Android/Linux Kernel Image(ARM)
[+]kallsyms_arch = arm64
[!]could be offset table...
[+]numsyms: 134453
[+]kallsyms_address_table = 0x2180600
[+]kallsyms_relative_base = 0x20d35
[+]kallsyms_num = 134453 (6869120560323428100)
[!]not equal, maybe error...
[!]get kallsyms error...

Please more guidance

i'm try extract symbol from boot_image of device samsung. It works fine with pixel but with the boot_image version of samsung, I can't by pass KASLR.

boot.img version: samsung A8 A530FXXU2BRG1

"if ((size_t)p - (size_t)kern_buf >= kern_mmap_size) { "

should be

if ((size_t)p + sizeof(*p) - (size_t)kern_buf >= kern_mmap_size) {

Trying to load the attached image (after) KALSR fix the symbol table seems off, some of the symbols written even seem to overwrite others at the same offset wondering if anyone who's following this has an idea on what might be going wrong.

Example of offsets being overwritten by the same symbols:

ffffff8008080000 T _text
ffffff8008080000 T do_undefinstr
ffffff8008080000 T _stext
ffffff8008080800 T __exception_text_start
ffffff8008080800 T do_cp15instr
ffffff8008080800 T do_sysinstr

ffffff80080810a0 T __irqentry_text_end
ffffff80080810a0 T __irqentry_text_start
ffffff80080810a0 T __softirqentry_text_start
ffffff80080810a0 T __entry_text_start
ffffff80080810a0 T __softirqentry_text_end

ffffff8008082970 t el1_sp_pc
ffffff8008082970 t el1_undef

When looking at various functions against the actual kernel source in a decompiler it was pretty clear that the symbol table being generated by the vmlinux.py script was off/wrong, I've been reading through the source to see how all of this works and try to correct it but figured in the mean time path of least resistance may be asking those who are already familiar with what it's doing.

Any help would be greatly appreciated...

extracted.zip

Sample kernel
vmlinux.zip

support for radare2 can be useful

https://gist.github.com/anonymous/008aaaa48262a3dc34eac206d2a8c0e5

for example is hacky, would you be interested in a more polished version that supports both ida and r2?

[My ENV]
OS : Windows 10 x64 Enterprise
i use IDA 7.5
My android device is SAMSUNG Galaxy A33 5G(A336NKSU3CWB3)
Security Patch : 2023-02-01

Can't find _start in android kernel image

IDA Warning log

C:\IDA Pro 7.5\loaders\vmlinux.py: Traceback (most recent call last):
  File "C:/IDA Pro 7.5/loaders/vmlinux.py", line 1028, in load_file
    do_kallsyms(kallsyms, vmlinux)
  File "C:/IDA Pro 7.5/loaders/vmlinux.py", line 788, in do_kallsyms
    do_guess_start_address(kallsyms, vmlinux)
  File "C:/IDA Pro 7.5/loaders/vmlinux.py", line 459, in do_guess_start_address
    assert False,"  [!]kernel start address error..."
AssertionError:   [!]kernel start address error...

how to fix?

Loading file 'D:\kernel' into database...
Detected file format: Android/Linux Kernel Image(ARM)
[+]kallsyms_arch = arm64
[!]could be offset table...
[+]numsyms: 128652
[+]kallsyms_address_table = 0x1a80600
[+]kallsyms_relative_base = 0x1f68c
[+]kallsyms_num = 128652 (6869121646950153988)
[!]not equal, maybe error...
[!]get kallsyms error...

In lieu of accepting the PR creating a BN plugin, would you consider creating this as a pip package? That would let me more easily separate out the BN plugin logic while still relying on this as an upstream package and not having to constantly maintain a fork which is suboptimal.

Firmware version 13.0.0 (TQ1A.221205.011, Dec 2022)
Pixel6a

index string out of range.

Running the script over the Pixel 3 kernel I get this error:

input image Pixel 3 blueline-qq1a.200205.002

python3 vmlinux.py  ../../extrkern/blueline-qq1a.200205.002/keree/extracted/kernelimage

b'Linux version 4.9.185-g15c0389f9d0d-ab6076840 (android-build@abfarm-us-east1-c-0059) (Android (5484270 based on r353983c) clang version 9.0.3 (https://android.googlesource.com/toolchain/clang 745b335211bb9eadfa6aa6301f84715cee4b37c5) (https://android.googlesource.com/toolchain/llvm 60cf23e54e46c807513f7a36d0a7b777920b5881) (based on LLVM 9.0.3svn)) #0 SMP PREEMPT Mon Dec 16 20:48:48 UTC 2019'
[+]kallsyms_arch = arm64
[!]could be offset table...
[+]numsyms: 177502
[+]kallsyms_address_table = 0x1985000
[+]kallsyms_relative_base = 0x2b55e
[+]kallsyms_num = 177502 (6869121621180350212)
  [!]not equal, maybe error...
[!]get kallsyms error...

kernelimage.zip

fix_kaslr_arm64.c

crashes inside relocate_kernel() function! i think the negative sym_offset is the problem!

Program received signal SIGSEGV, Segmentation fault. 0x0000000008000aa9 in relocate_kernel () at fix_kaslr_arm64.c:228 228 *(size_t *)LOCAL_VA(p) = new_addr; (gdb) info locals new_addr = 18446743798860776160 p = 0xffffffc000092998 rela_entry = 0x7ffffe7a35c8 sym_offset = -274877306472 sym_info = 1027 sym_addr = 18446743798860776160 count = 0

also samsung fix code works but vmlinux is not able to find the symbol table!

if needed the kernel image im attaching
image.zip

It's not working for me when use ur script
this file isn't disassembling

Not working for me
If it works for you than can you try giving me the database of this exported from Ida ?

I can't do it when I select Ida 32bit or I launch it from 32bit icon and than script option isn't there but for 64bit it's there.
Why?
Is it a bug?

pixel_vmlinux.zip

Linux version 4.4.155-g897374879e0c ([email protected]) (Android clang version 5.0.300080 (based on LLVM 5.0.300080)) #1 SMP PREEMPT Fri Nov 30 04:06:13 UTC 2018
[+]kallsyms_arch = arm64
[!]could be offset table...
[!]lookup_address_table error...
[!]get kallsyms error...

I am sorry for meeting so many error to use this tool.And the following is logs of ida_7.5
Detected file format: Android/Linux Kernel Image(ARM)
[+]kallsyms_arch = arm64
[!]could be offset table...
[!]lookup_address_table error...
[!]get kallsyms error...
and then ida stoped.
I don't know why.If you has time could you please tell me how to resolve this problem?Thank you every much!!!