AERoot: Debugger can't read memory address
Hi. For any emulator except Android 11, when I try to use AERoot I receive errors like the following:
[+] Detected: Android 10.0 (Q) x86
[+] Search for [adbd] process in memory (this may take a while) …
[+] Exiting.
Traceback (most recent call last):
  File "/home/vinicius/Tools/AERoot/./aeroot.py", line 435, in <module>
    process_addr = find_task_struct(gdb_helper, avd_conf, target_process)
  File "/home/vinicius/Tools/AERoot/./aeroot.py", line 216, in find_task_struct
    return next(filter(lambda x: process.match(gdb, avd, x), get_task_structs(gdb, avd)), None)
  File "/home/vinicius/Tools/AERoot/./aeroot.py", line 221, in get_task_structs
    find_init(gdb, avd)
  File "/home/vinicius/Tools/AERoot/./aeroot.py", line 212, in find_init
    avd["init_addr"] = gdb.read_addr(mem_init_ptr) - avd.get("offset_to_tasks")
  File "/home/vinicius/Tools/AERoot/./aeroot.py", line 131, in read_addr
    return int(response.split("\t")[1].replace("\n", ""), 16)
ValueError: invalid literal for int() with base 16:
I’ve modified the script a bit to try to debug the issue, but I don’t know exactly how to proceed. It seems the debugger can’t access a memory address during the second read_addr of find_init.
[+] Search for [adbd] process in memory (this may take a while) ...
find_init1
[
  {
    "type": "log",
    "message": null,
    "payload": "x/a 0xfffffe0000034dc8\\n",
    "stream": "stdout"
  },
  {
    "type": "console",
    "message": null,
    "payload": "0xfffffe0000034dc8:\\t0x0\\n",
    "stream": "stdout"
  },
  {
    "type": "result",
    "message": "done",
    "payload": null,
    "token": null,
    "stream": "stdout"
  }
]
find_init2
[
  {
    "type": "log",
    "message": null,
    "payload": "x/a -0x12ce0\\n",
    "stream": "stdout"
  },
  {
    "type": "console",
    "message": null,
    "payload": "0xfffffffffffed320:\\t",
    "stream": "stdout"
  },
  {
    "type": "log",
    "message": null,
    "payload": "Cannot access memory at address 0xfffffffffffed320\\n",
    "stream": "stdout"
  },
  {
    "type": "result",
    "message": "error",
    "payload": {
      "msg": "Cannot access memory at address 0xfffffffffffed320"
    },
    "token": null,
    "stream": "stdout"
  }
]
[+] Exiting.
I think the hardcoded addresses in config.json may be the cause of this problem, but I don’t know how to adapt it for my emulator.
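As an added illustration (not AERoot's own code), here is a read_addr-style parser over the pygdbmi-shaped records shown above. It returns GDB's own error message instead of feeding an empty string to int(..., 16), and it shows why the second address went negative: the first read returned 0x0, and subtracting offset_to_tasks from that gives -0x12ce0, which GDB displays as 0xfffffffffffed320. The record lists are reconstructed from the output above; the function names and the OFFSET_TO_TASKS value (inferred from "x/a -0x12ce0") are assumptions.

```python
import re
from typing import Optional
# pygdbmi-shaped records for "x/a <addr>", constructed from the two
# find_init reads shown in the issue above (sample data, not captured live).
FIND_INIT1 = [
    {"type": "log", "message": None, "payload": "x/a 0xfffffe0000034dc8\n", "stream": "stdout"},
    {"type": "console", "message": None, "payload": "0xfffffe0000034dc8:\t0x0\n", "stream": "stdout"},
    {"type": "result", "message": "done", "payload": None, "token": None, "stream": "stdout"},
]
FIND_INIT2 = [
    {"type": "log", "message": None, "payload": "x/a -0x12ce0\n", "stream": "stdout"},
    {"type": "console", "message": None, "payload": "0xfffffffffffed320:\t", "stream": "stdout"},
    {"type": "log", "message": None, "payload": "Cannot access memory at address 0xfffffffffffed320\n", "stream": "stdout"},
    {"type": "result", "message": "error",
     "payload": {"msg": "Cannot access memory at address 0xfffffffffffed320"}, "token": None, "stream": "stdout"},
]
OFFSET_TO_TASKS = 0x12ce0  # assumed: implied by "x/a -0x12ce0" following a read of 0x0

VALUE_RE = re.compile(r"^0x[0-9a-f]+:\t(0x[0-9a-f]+)")

def read_error(records) -> Optional[str]:
    """GDB's own message when the read failed, else None."""
    for rec in records:
        if rec["type"] == "result" and rec["message"] == "error":
            return rec["payload"]["msg"]
    return None

def read_addr(records) -> Optional[int]:
    """Pointer printed by 'x/a'; None if GDB errored or printed no value."""
    if read_error(records) is not None:
        return None
    for rec in records:
        if rec["type"] == "console":
            m = VALUE_RE.match(rec["payload"])  # the tab-split path would int('') here
            if m:
                return int(m.group(1), 16)
    return None

def init_addr_from(records, offset_to_tasks: int) -> Optional[int]:
    """Mirror find_init's subtraction but refuse a NULL pointer: subtracting
    offset_to_tasks from 0x0 is what produced the negative address."""
    ptr = read_addr(records)
    if ptr is None or ptr == 0:
        return None
    return ptr - offset_to_tasks

def to_u64(value: int) -> int:
    """How GDB shows a negative 'x/a' argument (two's complement)."""
    return value & 0xFFFFFFFFFFFFFFFF
```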
About this issue
- State: closed
- Created 3 years ago
- Comments: 27
Commits related to this issue
- Fix the way to get into kernel text section for Pie x86 Resolve #3 — committed to quarkslab/AERoot by deleted user 3 years ago
- Fix the way to get into kernel text section for Android 8.1 / 9.0 / 10.0 x86 Resolve #3 — committed to quarkslab/AERoot by deleted user 3 years ago
- Fix/bad kaslr ptr (#7) * Fix the way to get into kernel text section for Android 8.1 / 9.0 / 10.0 Resolve #3 — committed to quarkslab/AERoot by Ha0ris 3 years ago
I am delighted that AERoot is now working properly on your setup.
Thank you for your comments, they really helped me.
Fine! Yep. I’ll try to implement this workaround in aeroot soon.
Thank you!
You’re welcome. And thank you too; your feedback allows me to increase the compatibility of aeroot on different setups.
Fixing Pie will first need a reverse engineering step on my part. I will keep you informed.
Thank you for your feedback.
So, it will take a little more to fix Pie.
For Oreo, I pushed a new branch poc/selinux_validation. Could you try it (without -append nokaslr)?
The script will bypass the root credentials stage to try to set SELinux permissive. So could you just check the SELinux mode after executing aeroot.py daemon?
Thank you very much for this information. Let’s try a lucky blind fix from your dump…
Could you try the fix/bad_kaslr_ptr branch on your Q AVD? This should fix the issue on the Q x86 AVD (not the others). But if it works, I’ll fix the other Android versions.