Does anybody know the interpretation of KernelIoControl with dwIoControlCode = 0x010125E0? The breakdown of the Control Code is:
DeviceType = 0x0101 = FILE_DEVICE_HAL
Access = 0 = ANY_ACCESS
Function = 0x978 = 2424 dec = ?
Method = 0 = BUFFERED
So what is function 0x978 (2424)?
I searched through the WinCE Platform Builder 5.00 files and did not see any definition of 0x978 nor 2424.
thx,
((&->
Structure Full Flash Update Image (.FFU) for Windows Phone 7 Device
Full Flash Update - This is a System Flash Image for update WP7 Device. We upgrade this OS, example in tool UpdateWP.exe(from Zune catalog in PC).
In Part SDLR, from general ROM structure, we have too more files and modules, which reads the image system and its syntax.
Physical Flash Layout:
HashTable.blob
Partition Table Info
User Store Space
Bootloader/Modem -> (amss, fsbl, osbl, etc.)
SLDR
NK
IMGFS
User Store Space
Partition Table Info (ImageFlash) - example:
Code:
[FullFlash]
Version = 1.0
MigrateUserSettings = False
UpdateType = Normal
DevicePlatformID = {5B8F8B62-8E55-4531-8D70-15269B68C43E}
FormatUserStore = True
[BinaryRegion]
Size = 24924572
Name = Modem
[Store]
SectorSize = 2048
Name = OS
SectorCount = 479296
ID = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 2590
Name = SLDR
PartitionType = 32
BootDataSize = 12
TotalSectors = 3136
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 2540
Name = NK
PartitionType = 35
BootDataSize = 12
TotalSectors = 2944
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 66059
Name = IMGFS
PartitionType = 37
TotalSectors = 70719
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
More Information:
.ffu (Full Flash Update) file format (XML) will be used to pass information to the Zune software on which partitions are to be updated, etc. FFUs are signed just as .cabs are signed and only an .ffu which passes validation against the certificates on-device will be allowed to update a device.
Click to expand...
Click to collapse
Nokser
What does this mean?
Can install custom rom, downgrade bootloader?
Structure Full Flash Update Image (.FFU) for Windows Phone 7 HTC Mazaa
Full Flash Update - This is a System Flash Image for update WP7 Device. We upgrade this OS, example in tool UpdateWP.exe(from Zune catalog in PC).
In Part SDLR, from general ROM structure, we have too more files and modules, which reads the image system and its syntax.
Physical Flash Layout:
HashTable.blob
Partition Table Info
User Store Space
Bootloader/Modem -> (amss, fsbl, osbl, etc.)
BSP
SLDR1
SLDR2
NK
USP
DPP
IMGFS
PADUSER
User Store
Partition Table Info (ImageFlash):
Code:
[FullFlash]
Version = 1.0
MigrateUserSettings = False
UpdateType = Clean
Description =
DevicePlatformID = {2527F725-F4B7-404e-8379-F0CAE045AAB8}
FormatUserStore = False
[BinaryRegion]
Size = 27547389
Name = Modem
[Store]
SectorSize = 512
Name = OS
SectorCount = 62324736
ID = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 1
Name = BSP
PartitionType = 41
BootDataSize = 12
TotalSectors = 512
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 10199
Name = SLDR1
PartitionType = 32
BootDataSize = 12
TotalSectors = 13260
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 10199
Name = SLDR2
PartitionType = 32
BootDataSize = 12
TotalSectors = 13260
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 8107
Name = NK
PartitionType = 35
BootDataSize = 12
TotalSectors = 11776
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 0
Name = USP
PartitionType = 27
TotalSectors = 6912
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 1
Name = DPP
PartitionType = 41
TotalSectors = 512
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 528254
Name = IMGFS
PartitionType = 37
TotalSectors = 1028088
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 0
Name = PADUSER
PartitionType = 42
TotalSectors = 8
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 0
UseAllSpace = True
Name = User
PartitionType = 4
TotalSectors = 0
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
More Information:
.ffu (Full Flash Update) file format (XML) will be used to pass information to the Zune software on which partitions are to be updated, etc. FFUs are signed just as .cabs are signed and only an .ffu which passes validation against the certificates on-device will be allowed to update a device.
Click to expand...
Click to collapse
Nokser
shape of the above
the program is doing what
thanks
Can downgrade spl 5 with this??
Magpir said:
Can downgrade spl 5 with this??
Click to expand...
Click to collapse
+1 for this
what does this do?
hmm... this has been around for weeks Nokser, but thanks!
Does this actually work?
All In One Tweaks Except Kernel (Global Table)
up_threshold = 90
up_threshold_any_cpu_load = 85
up_threshold_multi_core = 85
sampling_rate = 75000
sampling_down_factor = 2
down_differential = 10
freq_step = 35
sched_boost = 0
perf_cpu_time_max_percent = 5
sched_autogroup_enabled = 1
sched_child_runs_first = 1
sched_tunable_scaling = 0
sched_latency_ns = 1000000
sched_min_granularity_ns = 130000
scaling_governor = performance
sched_wakeup_granularity_ns = 750000
sched_migration_cost_ns = 3000000
sched_min_task_util_for_colocation = 0
sched_nr_migrate = 8
sched_schedstats = 0
touchboost = 1
boost_ms = 100
sched_boost_on_input = 100
stune_background_prefer_idle = 1
stune_foreground_prefer_idle = 1
stune_topapp_prefer_idle = 1
stune_topapp_schedtune_boost = 1
stune_global_prefer_idle = 1
stune_rt_prefer_idle = 1
use_deepest_state = 1
boost = true
power_efficient = false
persist.sys.ui.hw = 1
debug.egl.buffcount = 4
debug.egl.hw = 1
debug.hwui.renderer = skiagl
gpufreq_limited_thermal_ignore = 1
dvfs_enable = 1
simple_gpu_activate = 1
adreno_idler_idleworkload = 6000
adreno_idler_downdifferential = 15
adreno_idler_idlewait = 15
adrenoboost = 2
throttling = 0
max_pwrlevel = 0
force_no_nap = 1
bus_split = 0
force_bus_on = 1
force_clk_on = 1
force_rail_on = 1
add_random =0
nomerges = 2
rq_affinity = 2
ro.sf.compbypass.enable = 0
ro.config.enable.hw_accel = true
debug.gralloc.enable_fb_ubwc = 1
dev.pm.dyn_samplingrate = 1
ro.vold.umsdirtyratio = 20
fs.lease-break-time = 20
fs.file-max = 524288
fs.nr_open = 1048576
fs.inotify.max_queued_events = 32000
fs.inotify.max_user_instances = 256
fs.inotify.max_user_watches = 10240
vold.post_fs_data_done = 1
ro.vendor.qti.sys.fw.bservice_enable = true
ro.config.low_ram = true
sys.use_fifo_ui = 1
GPUTUNER_SWITCH = true
All In One Kernel Tweaks (Global Table)
kernel.timer_migration = 1
kernel.panic = 30
kernel.panic_on_oops = 1
kernel.msgmni = 2048
kernel.msgmax = 65536
kernel.random.read_wakeup_threshold = 128
kernel.random.write_wakeup_threshold = 256
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.shmmax = 268435456
kernel.sem = 500 512000 64 2048
kernel.sched_features = 24189
kernel.hung_task_timeout_secs = 30
kernel.sched_latency_ns = 1000000
kernel.sched_min_granularity_ns = 100000
kernel.sched_wakeup_granularity_ns = 2000000
kernel.sched_compat_yield = 1
kernel.sched_shares_ratelimit = 256000
kernel.sched_child_runs_first = 0
kernel.sched_child_runs_first = 1
kernel.sched_enable_thread_grouping = 1
kernel.sched_autogroup_enabled = 1
kernel.perf_cpu_time_max_percent = 5
kernel.sched_schedstats = 0
kernel.sched_nr_migrate = 64
kernel.sched_min_task_util_for_colocation = 50
kernel.sched_min_task_util_for_boost = 25
kernel.sched_migration_cost_ns = 1000000
kernel.sched_min_granularity_ns = 1000000
kernel.sched_tunable_scaling = 0
kernel.sched_upmigrate = 80 80
kernel.sched_group_upmigrate = 80
kernel.sched_group_downmigrate = 20
kernel.threads-max = 524288
kernel.sched_downmigrate = 20 20
vm.min_free_order_shift = 4
vm.laptop_mode = 0
vm.block_dump = 0
vm.compact_unevictable_allowed = 0
vm.dirty_background_ratio = 10
vm.dirty_ratio = 30
vm.dirty_expire_centisecs = 1000
vm.dirty_writeback_centisecs = 0
vm.extfrag_threshold = 750
vm.oom_dump_tasks = 0
vm.page-cluster = 0
vm.reap_mem_on_sigkill = 1
vm.stat_interval = 10
vm.swappiness = 80
vm.vfs_cache_pressure = 200
hispeed_load = 80
input_boost_freq = 1.4 GHz
input_boost_ms = 250 ms
iostats = 0
readahead = 0
nr_requests = 512
Oblivon23 said:
Does this actually work?
All In One Tweaks Except Kernel (Global Table)
up_threshold = 90
up_threshold_any_cpu_load = 85
up_threshold_multi_core = 85
sampling_rate = 75000
sampling_down_factor = 2
down_differential = 10
freq_step = 35
sched_boost = 0
perf_cpu_time_max_percent = 5
sched_autogroup_enabled = 1
sched_child_runs_first = 1
sched_tunable_scaling = 0
sched_latency_ns = 1000000
sched_min_granularity_ns = 130000
scaling_governor = performance
sched_wakeup_granularity_ns = 750000
sched_migration_cost_ns = 3000000
sched_min_task_util_for_colocation = 0
sched_nr_migrate = 8
sched_schedstats = 0
touchboost = 1
boost_ms = 100
sched_boost_on_input = 100
stune_background_prefer_idle = 1
stune_foreground_prefer_idle = 1
stune_topapp_prefer_idle = 1
stune_topapp_schedtune_boost = 1
stune_global_prefer_idle = 1
stune_rt_prefer_idle = 1
use_deepest_state = 1
boost = true
power_efficient = false
persist.sys.ui.hw = 1
debug.egl.buffcount = 4
debug.egl.hw = 1
debug.hwui.renderer = skiagl
gpufreq_limited_thermal_ignore = 1
dvfs_enable = 1
simple_gpu_activate = 1
adreno_idler_idleworkload = 6000
adreno_idler_downdifferential = 15
adreno_idler_idlewait = 15
adrenoboost = 2
throttling = 0
max_pwrlevel = 0
force_no_nap = 1
bus_split = 0
force_bus_on = 1
force_clk_on = 1
force_rail_on = 1
add_random =0
nomerges = 2
rq_affinity = 2
ro.sf.compbypass.enable = 0
ro.config.enable.hw_accel = true
debug.gralloc.enable_fb_ubwc = 1
dev.pm.dyn_samplingrate = 1
ro.vold.umsdirtyratio = 20
fs.lease-break-time = 20
fs.file-max = 524288
fs.nr_open = 1048576
fs.inotify.max_queued_events = 32000
fs.inotify.max_user_instances = 256
fs.inotify.max_user_watches = 10240
vold.post_fs_data_done = 1
ro.vendor.qti.sys.fw.bservice_enable = true
ro.config.low_ram = tru
sys.use_fifo_ui = 1
GPUTUNER_SWITCH = true
All In One Kernel Tweaks (Global Table)
kernel.timer_migration = 1
kernel.panic = 30
kernel.panic_on_oops = 1
kernel.msgmni = 2048
kernel.msgmax = 65536
kernel.random.read_wakeup_threshold = 128
kernel.random.write_wakeup_threshold = 256
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.shmmax = 268435456
kernel.sem = 500 512000 64 2048
kernel.sched_features = 24189
kernel.hung_task_timeout_secs = 30
kernel.sched_latency_ns = 1000000
kernel.sched_min_granularity_ns = 100000
kernel.sched_wakeup_granularity_ns = 2000000
kernel.sched_compat_yield = 1
kernel.sched_shares_ratelimit = 256000
kernel.sched_child_runs_first = 0
kernel.sched_child_runs_first = 1
kernel.sched_enable_thread_grouping = 1
kernel.sched_autogroup_enabled = 1
kernel.perf_cpu_time_max_percent = 5
kernel.sched_schedstats = 0
kernel.sched_nr_migrate = 64
kernel.sched_min_task_util_for_colocation = 50
kernel.sched_min_task_util_for_boost = 25
kernel.sched_migration_cost_ns = 1000000
kernel.sched_min_granularity_ns = 1000000
kernel.sched_tunable_scaling = 0
kernel.sched_upmigrate = 80 80
kernel.sched_group_upmigrate = 80
kernel.sched_group_downmigrate = 20
kernel.threads-max = 524288
kernel.sched_downmigrate = 20 20
vm.min_free_order_shift = 4
vm.laptop_mode = 0
vm.block_dump = 0
vm.compact_unevictable_allowed = 0
vm.dirty_background_ratio = 10
vm.dirty_ratio = 30
vm.dirty_expire_centisecs = 1000
vm.dirty_writeback_centisecs = 0
vm.extfrag_threshold = 750
vm.oom_dump_tasks = 0
vm.page-cluster = 0
vm.reap_mem_on_sigkill = 1
vm.stat_interval = 10
vm.swappiness = 80
vm.vfs_cache_pressure = 200
hispeed_load = 80
input_boost_freq = 1.4 GHz
input_boost_ms = 250 ms
iostats = 0
readahead = 0
nr_requests = 512
Click to expand...
Click to collapse
Nah fake, except GPUTUNER...
A lot of these are goofy af so I believe it's fake
GitHub - Markakd/CVE-2021-4154: CVE-2021-4154 exploit
CVE-2021-4154 exploit. Contribute to Markakd/CVE-2021-4154 development by creating an account on GitHub.
github.com
It allows privilege escalation on a LOT of linux kernels. There's a new one: https://github.com/Markakd/CVE-2022-2588 that might be even better for this (exploit demo is not currently available). We theoretically could just make a new su file in /etc/xbin with the required data with cat.
Could be viable on a LOT of androids.
I tried it. But it not working my android tablet TAB-A05-BD.
What's wrong?
Code:
TAB-A05-BD:/data/local/tmp $ ./strace ./dirtycred
execve("./dirtycred", ["./dirtycred"], 0x7fc2bfc8a0 /* 21 vars */) = 0
brk(NULL) = 0x31850000
brk(0x31850f90) = 0x31850f90
uname({sysname="Linux", nodename="localhost", ...}) = 0
set_tid_address(0x318500d0) = 28651
set_robust_list(0x318500e0, 24) = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x406e48, sa_mask=[], sa_flags=SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x406f08, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/data/local/tmp/dirtycred", 4096) = 25
brk(0x31871f90) = 0x31871f90
brk(0x31872000) = 0x31872000
mprotect(0x49b000, 4096, PROT_READ) = 0
getcwd("/data/local/tmp", 4096) = 16
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGINT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ca69bd000
rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
clone(child_stack=0x7ca69c6000, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 28652
munmap(0x7ca69bd000, 36864) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
wait4(28652, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 28652
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=28652, si_uid=2000, si_status=0, si_utime=0, si_stime=0} ---
fchmodat(AT_FDCWD, "exp_dir", 0777) = 0
chdir("exp_dir") = 0
mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EACCES (Permission denied)
getuid() = 2000
getgid() = 2000
mprotect(0x4c0000, 4096, PROT_NONE) = 0
clone(child_stack=0x5bffc0, flags=CLONE_NEWUSER|CLONE_NEWPID) = -1 EINVAL (Invalid argument)
exit_group(1) = ?
+++ exited with 1 +++