blob: f2e685ab896bf7c11f093051fea19486d7719a6a [file] [log] [blame]
/*
* loki_unlok
*
* A utility to revert the changes made by loki_patch.
*
* by Dan Rosenberg (@djrbliss)
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "loki.h"
static unsigned char patch[] = PATCH;
/* Find the original address of the ramdisk, which
* was embedded in the shellcode. */
int find_ramdisk_addr(void *img, int sz)
{
int i, ramdisk = 0;
for (i = 0; i < sz - (sizeof(patch) - 9); i++) {
if (!memcmp((char *)img + i, patch, sizeof(patch)-9)) {
ramdisk = *(int *)(img + i + sizeof(patch) - 5);
break;
}
}
return ramdisk;
}
int loki_unlok(const char* in_image, const char* out_image)
{
int ifd, ofd;
unsigned int orig_ramdisk_size, orig_kernel_size, orig_ramdisk_addr;
unsigned int page_kernel_size, page_ramdisk_size, page_size, page_mask, fake_size;
void *orig;
struct stat st;
struct boot_img_hdr *hdr;
struct loki_hdr *loki_hdr;
ifd = open(in_image, O_RDONLY);
if (ifd < 0) {
printf("[-] Failed to open %s for reading.\n", in_image);
return 1;
}
ofd = open(out_image, O_WRONLY|O_CREAT|O_TRUNC, 0644);
if (ofd < 0) {
printf("[-] Failed to open %s for writing.\n", out_image);
return 1;
}
/* Map the original boot/recovery image */
if (fstat(ifd, &st)) {
printf("[-] fstat() failed.\n");
return 1;
}
orig = mmap(0, (st.st_size + 0x2000 + 0xfff) & ~0xfff, PROT_READ|PROT_WRITE, MAP_PRIVATE, ifd, 0);
if (orig == MAP_FAILED) {
printf("[-] Failed to mmap input file.\n");
return 1;
}
hdr = orig;
loki_hdr = orig + 0x400;
if (memcmp(loki_hdr->magic, "LOKI", 4)) {
printf("[-] Input file is not a Loki image.\n");
/* Copy the entire file to the output transparently */
if (write(ofd, orig, st.st_size) != st.st_size) {
printf("[-] Failed to copy Loki image.\n");
return 1;
}
printf("[+] Copied Loki image to %s.\n", out_image);
return 0;
}
page_size = hdr->page_size;
page_mask = hdr->page_size - 1;
/* Infer the size of the fake block based on the newer ramdisk address */
if (hdr->ramdisk_addr > 0x88f00000 || hdr->ramdisk_addr < 0xfa00000)
fake_size = page_size;
else
fake_size = 0x200;
orig_ramdisk_addr = find_ramdisk_addr(orig, st.st_size);
if (orig_ramdisk_addr == 0) {
printf("[-] Failed to find original ramdisk address.\n");
return 1;
}
/* Restore the original header values */
hdr->ramdisk_addr = orig_ramdisk_addr;
hdr->kernel_size = orig_kernel_size = loki_hdr->orig_kernel_size;
hdr->ramdisk_size = orig_ramdisk_size = loki_hdr->orig_ramdisk_size;
/* Erase the loki header */
memset(loki_hdr, 0, sizeof(*loki_hdr));
/* Write the image header */
if (write(ofd, orig, page_size) != page_size) {
printf("[-] Failed to write header to output file.\n");
return 1;
}
page_kernel_size = (orig_kernel_size + page_mask) & ~page_mask;
/* Write the kernel */
if (write(ofd, orig + page_size, page_kernel_size) != page_kernel_size) {
printf("[-] Failed to write kernel to output file.\n");
return 1;
}
page_ramdisk_size = (orig_ramdisk_size + page_mask) & ~page_mask;
/* Write the ramdisk */
if (write(ofd, orig + page_size + page_kernel_size, page_ramdisk_size) != page_ramdisk_size) {
printf("[-] Failed to write ramdisk to output file.\n");
return 1;
}
/* Write the device tree if needed */
if (hdr->dt_size) {
printf("[+] Writing device tree.\n");
/* Skip an additional fake_size (page_size of 0x200) bytes */
if (write(ofd, orig + page_size + page_kernel_size + page_ramdisk_size + fake_size, hdr->dt_size) != hdr->dt_size) {
printf("[-] Failed to write device tree to output file.\n");
return 1;
}
}
close(ifd);
close(ofd);
printf("[+] Output file written to %s\n", out_image);
return 0;
}