/* * loki_unlok * * A utility to revert the changes made by loki_patch. * * by Dan Rosenberg (@djrbliss) * */ #include #include #include #include #include #include #include #include "loki.h" static unsigned char patch[] = PATCH; /* Find the original address of the ramdisk, which * was embedded in the shellcode. */ int find_ramdisk_addr(void *img, int sz) { int i, ramdisk = 0; for (i = 0; i < sz - (sizeof(patch) - 9); i++) { if (!memcmp((char *)img + i, patch, sizeof(patch)-9)) { ramdisk = *(int *)(img + i + sizeof(patch) - 5); break; } } return ramdisk; } int loki_unlok(const char* in_image, const char* out_image) { int ifd, ofd; unsigned int orig_ramdisk_size, orig_kernel_size, orig_ramdisk_addr; unsigned int page_kernel_size, page_ramdisk_size, page_size, page_mask, fake_size; void *orig; struct stat st; struct boot_img_hdr *hdr; struct loki_hdr *loki_hdr; ifd = open(in_image, O_RDONLY); if (ifd < 0) { printf("[-] Failed to open %s for reading.\n", in_image); return 1; } ofd = open(out_image, O_WRONLY|O_CREAT|O_TRUNC, 0644); if (ofd < 0) { printf("[-] Failed to open %s for writing.\n", out_image); return 1; } /* Map the original boot/recovery image */ if (fstat(ifd, &st)) { printf("[-] fstat() failed.\n"); return 1; } orig = mmap(0, (st.st_size + 0x2000 + 0xfff) & ~0xfff, PROT_READ|PROT_WRITE, MAP_PRIVATE, ifd, 0); if (orig == MAP_FAILED) { printf("[-] Failed to mmap input file.\n"); return 1; } hdr = orig; loki_hdr = orig + 0x400; if (memcmp(loki_hdr->magic, "LOKI", 4)) { printf("[-] Input file is not a Loki image.\n"); /* Copy the entire file to the output transparently */ if (write(ofd, orig, st.st_size) != st.st_size) { printf("[-] Failed to copy Loki image.\n"); return 1; } printf("[+] Copied Loki image to %s.\n", out_image); return 0; } page_size = hdr->page_size; page_mask = hdr->page_size - 1; /* Infer the size of the fake block based on the newer ramdisk address */ if (hdr->ramdisk_addr > 0x88f00000 || hdr->ramdisk_addr < 0xfa00000) fake_size = page_size; else fake_size = 0x200; orig_ramdisk_addr = find_ramdisk_addr(orig, st.st_size); if (orig_ramdisk_addr == 0) { printf("[-] Failed to find original ramdisk address.\n"); return 1; } /* Restore the original header values */ hdr->ramdisk_addr = orig_ramdisk_addr; hdr->kernel_size = orig_kernel_size = loki_hdr->orig_kernel_size; hdr->ramdisk_size = orig_ramdisk_size = loki_hdr->orig_ramdisk_size; /* Erase the loki header */ memset(loki_hdr, 0, sizeof(*loki_hdr)); /* Write the image header */ if (write(ofd, orig, page_size) != page_size) { printf("[-] Failed to write header to output file.\n"); return 1; } page_kernel_size = (orig_kernel_size + page_mask) & ~page_mask; /* Write the kernel */ if (write(ofd, orig + page_size, page_kernel_size) != page_kernel_size) { printf("[-] Failed to write kernel to output file.\n"); return 1; } page_ramdisk_size = (orig_ramdisk_size + page_mask) & ~page_mask; /* Write the ramdisk */ if (write(ofd, orig + page_size + page_kernel_size, page_ramdisk_size) != page_ramdisk_size) { printf("[-] Failed to write ramdisk to output file.\n"); return 1; } /* Write the device tree if needed */ if (hdr->dt_size) { printf("[+] Writing device tree.\n"); /* Skip an additional fake_size (page_size of 0x200) bytes */ if (write(ofd, orig + page_size + page_kernel_size + page_ramdisk_size + fake_size, hdr->dt_size) != hdr->dt_size) { printf("[-] Failed to write device tree to output file.\n"); return 1; } } close(ifd); close(ofd); printf("[+] Output file written to %s\n", out_image); return 0; }