Skip to content
/ qc-tz-es-activated-exploit Public

A rewrite of laginimaineb MSM8974_exploit as a stand alone kernel module.

18 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ghassani/qc-tz-es-activated-exploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
shellcode
shellcode
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
debug.h
debug.h
 
 
exploit.c
exploit.c
 
 
exploit.h
exploit.h
 
 
file_io.c
file_io.c
 
 
file_io.h
file_io.h
 
 
main.c
main.c
 
 
symbols.h
symbols.h
 
 

Repository files navigation

This is a rewrite of laginimaineb TrustZone zero-write exploit as a kernel module instead of using a user space program and using a custom kernel, which is the case for his FuzzZone application. See:

http://bits-please.blogspot.com/2015/08/full-trustzone-exploit-for-msm8974.html

https://github.com/laginimaineb/MSM8974_exploit

The original exploit was built around the Nexus 5 hammerhead. My test device was both a Nexus 5 and a LG G2

####Build:

  1. Update environment paths in ./Makefile
  2. Update environment paths in ./shellcode/Makefile
  3. Run make

####Install:

  1. Transfer compiled module and shellcode to device

  2. Run insmod tz_exploit.ko [SHELLCODE_PATH] [SHELLCODE_IS_THUMB]

    ex for thumb code:  insmod tz_exploit.ko /sdcard/shellcode.bin 1  
ex for arm code: 	insmod tz_exploit.ko /sdcard/shellcode.bin 0

The provided shell code template has two helper functions you can use to call other truztzone functions by address, either from arm -> to thumb or from thumb -> to arm. Also known as a trampoline and is required when switching between modes.

About

A rewrite of laginimaineb MSM8974_exploit as a stand alone kernel module.

Resources

Readme
Activity

Stars

18 stars

Watchers

2 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages