APatch not working on Samsung devices #123

Open
XDABlackMesa123 opened this issue Jan 13, 2024 · 26 comments
Labels
bug Something isn't working

Comments

@XDABlackMesa123

Please check before submitting an issue

  • I have searched the issues and haven't found anything relevant
  • If patch failed, root failed, or the device is unable to boot after flashing the new boot.img, please go to KernelPatch
  • I will upload bugreport file in APatch Manager - Settings - Report log
  • I know how to reproduce the issue which may not be specific to my device

Describe the bug

The stock kernel image patched with APatch doesn't boot. Manually patching the kernel image with KernelPatch was also tested.

To Reproduce

Patch the boot.img via the APatch app and flash the newly generated boot.img via a custom recovery.

Expected behavior

Device should boot and function as normal.

Screenshots

No response

Logs

last_kmsg file of the boot.img patched via app: last_kmsg-app.zip
last_kmsg file of the boot.img patched manually: last_kmsg-manual.zip

For some strange reason, no kernel kmsg output is visible. If you have another way to obtain logs please let me know.

Device info

Additional context

Original untouched kernel image file: Image-stock.zip
Patched kernel image file: Image_patched.zip

kptools output:
./kptools-linux -p Image --kpimg kpimg-android --skey test
[+] kptools version: 803
[+] kptools image size 0x02e8ba00
[+] kptools kernel patch image size: 0x00027380
[+] kptools kpimg version: 803
[+] kptools kpimg compile time: 10:55:17 Jan 13 2024
[+] kernel image_size: 0x02e8ba00
[+] kernel uefi header: true
[+] kernel load_offset: 0x00080000
[+] kernel kernel_size: 0x033e4000
[+] kernel page_shift: 12
[+] kptools kernel new size 0x0340b380
[+] kallsyms linux_banner 1: Linux version 5.4.233-qgki-27763529-abA528BXXS5FWL4 (dpi@VPHLR1014) (Android (6877366 based on r383902b1) clang version 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79), LLD 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #1 SMP PREEMPT Thu Dec 7 14:49:11 +07 2023
[+] kallsyms linux_banner offset: 0x2080038
[+] kallsyms linux_banner 2: Linux version 5.4.233-qgki-27763529-abA528BXXS5FWL4 (dpi@VPHLR1014) (Android (6877366 based on r383902b1) clang version 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79), LLD 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #1 SMP PREEMPT Thu Dec 7 14:49:11 +07 2023
[+] kallsyms linux_banner offset: 0x240d784
[+] kernel version major: 5, minor: 4, patch: 233 
[+] kallsyms kallsyms_token_table offset: 0x01fb69c8
[+] kallsyms endian: little
[+] kallsyms kallsyms_token_index offset: 0x01fb6cf0
[+] kallsyms find arm64 relocation table range: [0x02888b58, 0x02b9b2c0), text_va: 0xffffffc010000000, count: 0x00020c4f
[+] kallsyms apply 0x0001cd31 relocation entries
[+] kallsyms kallsyms_markers range: [0x01fb5e28, 0x01fb69c8), count: 0x000002e8
[+] kallsyms approximate kallsyms_offsets range: [0x01afc5ec, 0x01bb64a4) count: 0x0002e7ae
[+] kallsyms kallsyms_names offset: 0x01bb64b8
[+] kallsyms kallsyms_num_syms offset: 0x01bb64b0, value: 0x0002e7ad
[+] kallsyms names table linux_banner index: 0x0001b4c3
[+] kallsyms sure linux_banner index: 1
[+] kallsyms kallsyms_offsets offset: 0x01afc5f0
[+] kallsyms tcp_init_sock: type: T, offset: 0x0147b8b0
[+] kptools map_start: 0x147b8b0, max_size: 0x800
[+] kallsyms kallsyms_lookup_name: type: T, offset: 0x00376cf4
[+] kallsyms printk: type: T, offset: 0x0031fde8
[+] kallsyms paging_init: type: T, offset: 0x0270b78c
[+] kallsyms memblock_reserve: type: T, offset: 0x004a211c
[+] kallsyms memblock_phys_alloc_try_nid: type: T, offset: 0x027255d8
[+] kallsyms memblock_mark_nomap: type: T, offset: 0x004a23d0
[+] kallsyms memstart_addr: type: D, offset: 0x02547440
[+] kallsyms vabits_actual: type: D, offset: 0x026056b0
[+] kallsyms kimage_voffset: type: D, offset: 0x02547460
[+] kptools supercall key: test
[+] kallsyms panic: type: T, offset: 0x002917c8
[+] kallsyms rest_init: type: T, offset: 0x0170f614
[+] kallsyms cgroup_init: type: T, offset: 0x02718cec
[?] kallsyms no symbol: kernel_init
[?] kallsyms no symbol: report_cfi_failure
[?] kallsyms no symbol: __cfi_slowpath_diag
[+] kallsyms __cfi_slowpath: type: T, offset: 0x0041b1a0
[+] kallsyms copy_process: type: t, offset: 0x0028e2d0
[+] kallsyms cgroup_post_fork: type: T, offset: 0x0038175c
[+] kallsyms __do_execve_file: type: t, offset: 0x004e32a8
[?] kallsyms no symbol: do_execveat_common
[?] kallsyms no symbol: do_execve_common
[+] kallsyms avc_denied: type: t, offset: 0x00719818
[+] kallsyms slow_avc_audit: type: T, offset: 0x007188cc
[+] kallsyms input_handle_event: type: t, offset: 0x00c937dc
[+] kallsyms vfs_statx: type: T, offset: 0x004df7d0
[?] kallsyms no symbol: do_statx
[?] kallsyms no symbol: vfs_fstatat
[+] kallsyms do_faccessat: type: T, offset: 0x004d3298
[?] kallsyms no symbol: sys_faccessat
[+] kptools patch done: Image_patched

Stock kernel binaries can be downloaded here: https://github.com/BlackMesa123/proprietary_vendor_samsung_a52sxq/releases/tag/A528BXXS5FWL4_BTU

@XDABlackMesa123
Author

XDABlackMesa123 commented Jan 13, 2024

Building a custom kernel image with disabled Samsung security drivers (Mesa-Labs-Archive/android_kernel_samsung_sm7325@7569eb2) solves this.

Perhaps extra patches are required to handle Samsung shipped kernels?

Custom built kernel image file: Image.zip
Same but KernelPatch'd: Image_patched.zip

kptools output:
./kptools-linux -p Image --kpimg kpimg-android --skey test
[+] kptools version: 803
[+] kptools image size 0x02a6a200
[+] kptools kernel patch image size: 0x00027380
[+] kptools kpimg version: 803
[+] kptools kpimg compile time: 10:55:17 Jan 13 2024
[+] kernel image_size: 0x02a6a200
[+] kernel uefi header: true
[+] kernel load_offset: 0x00080000
[+] kernel kernel_size: 0x02e84000
[+] kernel page_shift: 12
[+] kptools kernel new size 0x02eab380
[+] kallsyms linux_banner 1: Linux version 5.4.233-qgki-16133-g886f0b784ccc (mesa@salvo-z390aorusmaster) (Android (6877366 based on r383902b1) clang version 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79), LLD 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #1 SMP PREEMPT Sat Jan 13 14:58:48 CET 2024
[+] kallsyms linux_banner offset: 0x22ff904
[+] kernel version major: 5, minor: 4, patch: 233 
[+] kallsyms kallsyms_token_table offset: 0x01f74780
[+] kallsyms endian: little
[+] kallsyms kallsyms_token_index offset: 0x01f74aa8
[?] kallsyms can't find arm64 relocation table
[+] kallsyms kallsyms_markers range: [0x01f73be8, 0x01f74780), count: 0x000002e6
[+] kallsyms approximate kallsyms_offsets range: [0x01abc56c, 0x01b75bb4) count: 0x0002e592
[+] kallsyms kallsyms_names offset: 0x01b75bc0
[+] kallsyms kallsyms_num_syms offset: 0x01b75bb8, value: 0x0002e590
[+] kallsyms names table linux_banner index: 0x0001b391
[+] kallsyms sure linux_banner index: 0
[+] kallsyms kallsyms_offsets offset: 0x01abc570
[+] kallsyms tcp_init_sock: type: T, offset: 0x0146b490
[+] kptools map_start: 0x146b490, max_size: 0x800
[+] kallsyms kallsyms_lookup_name: type: T, offset: 0x00375970
[+] kallsyms printk: type: T, offset: 0x0031ebcc
[+] kallsyms paging_init: type: T, offset: 0x025eb524
[+] kallsyms memblock_reserve: type: T, offset: 0x004a0d74
[+] kallsyms memblock_phys_alloc_try_nid: type: T, offset: 0x026052d4
[+] kallsyms memblock_mark_nomap: type: T, offset: 0x004a1028
[+] kallsyms memstart_addr: type: D, offset: 0x02435480
[+] kallsyms vabits_actual: type: D, offset: 0x024ed038
[+] kallsyms kimage_voffset: type: D, offset: 0x024354a0
[+] kptools supercall key: test
[+] kallsyms panic: type: T, offset: 0x00290410
[+] kallsyms rest_init: type: T, offset: 0x016fd2c4
[+] kallsyms cgroup_init: type: T, offset: 0x025f89e8
[?] kallsyms no symbol: kernel_init
[?] kallsyms no symbol: report_cfi_failure
[?] kallsyms no symbol: __cfi_slowpath_diag
[+] kallsyms __cfi_slowpath: type: T, offset: 0x00419e20
[+] kallsyms copy_process: type: t, offset: 0x0028d008
[+] kallsyms cgroup_post_fork: type: T, offset: 0x003803d8
[+] kallsyms __do_execve_file: type: t, offset: 0x004e1838
[?] kallsyms no symbol: do_execveat_common
[?] kallsyms no symbol: do_execve_common
[+] kallsyms avc_denied: type: t, offset: 0x00716e24
[+] kallsyms slow_avc_audit: type: T, offset: 0x00715ed8
[+] kallsyms input_handle_event: type: t, offset: 0x00c853c4
[+] kallsyms vfs_statx: type: T, offset: 0x004ddd8c
[?] kallsyms no symbol: do_statx
[?] kallsyms no symbol: vfs_fstatat
[+] kallsyms do_faccessat: type: T, offset: 0x004d17d8
[?] kallsyms no symbol: sys_faccessat
[+] kptools patch done: Image_patched
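
The two kptools runs above can be compared mechanically. The following is an added example, not part of the original thread or of KernelPatch: it parses the log format shown in this issue and reports the fields on which two runs differ; the function names `parse_kptools_log` and `diff_runs` are hypothetical, and the sample logs are trimmed excerpts of the output posted above.

```python
import re

# Trimmed excerpts of the two kptools runs posted in this issue (banner text
# shortened, all other values unchanged).
STOCK_LOG = """\
[+] kallsyms linux_banner 1: Linux version 5.4.233-qgki-27763529-abA528BXXS5FWL4 (dpi@VPHLR1014)
[+] kallsyms linux_banner offset: 0x2080038
[+] kallsyms linux_banner 2: Linux version 5.4.233-qgki-27763529-abA528BXXS5FWL4 (dpi@VPHLR1014)
[+] kallsyms linux_banner offset: 0x240d784
[+] kallsyms find arm64 relocation table range: [0x02888b58, 0x02b9b2c0), text_va: 0xffffffc010000000, count: 0x00020c4f
[+] kallsyms apply 0x0001cd31 relocation entries
[+] kallsyms sure linux_banner index: 1
[+] kallsyms paging_init: type: T, offset: 0x0270b78c
[?] kallsyms no symbol: kernel_init
[+] kallsyms __cfi_slowpath: type: T, offset: 0x0041b1a0
[+] kptools patch done: Image_patched
"""

CUSTOM_LOG = """\
[+] kallsyms linux_banner 1: Linux version 5.4.233-qgki-16133-g886f0b784ccc (mesa@salvo-z390aorusmaster)
[+] kallsyms linux_banner offset: 0x22ff904
[?] kallsyms can't find arm64 relocation table
[+] kallsyms sure linux_banner index: 0
[+] kallsyms paging_init: type: T, offset: 0x025eb524
[?] kallsyms no symbol: kernel_init
[+] kallsyms __cfi_slowpath: type: T, offset: 0x00419e20
[+] kptools patch done: Image_patched
"""

HEX = r"(0x[0-9a-fA-F]+)"
BANNER = re.compile(r"\[\+\] kallsyms linux_banner \d+: ")
RELOC_FOUND = re.compile(r"\[\+\] kallsyms find arm64 relocation table range: ")
RELOC_NONE = re.compile(r"\[\?\] kallsyms can't find arm64 relocation table")
RELOC_APPLIED = re.compile(r"\[\+\] kallsyms apply " + HEX + r" relocation entries")
SYMBOL = re.compile(r"\[\+\] kallsyms (\w+): type: (\w), offset: " + HEX)
MISSING = re.compile(r"\[\?\] kallsyms no symbol: (\w+)")
DONE = re.compile(r"\[\+\] kptools patch done: ")


def parse_kptools_log(text):
    """Reduce one kptools run to the fields worth comparing between images."""
    run = {"banners": 0, "reloc_table": None, "relocs_applied": 0,
           "symbols": {}, "missing": [], "patch_done": False}
    for raw in text.splitlines():
        line = raw.strip()
        if BANNER.match(line):
            run["banners"] += 1
        elif RELOC_FOUND.match(line):
            run["reloc_table"] = True
        elif RELOC_NONE.match(line):
            run["reloc_table"] = False
        elif (m := RELOC_APPLIED.match(line)):
            run["relocs_applied"] = int(m.group(1), 16)
        elif (m := SYMBOL.match(line)):
            # symbol name -> (kallsyms type letter, image offset)
            run["symbols"][m.group(1)] = (m.group(2), int(m.group(3), 16))
        elif (m := MISSING.match(line)):
            run["missing"].append(m.group(1))
        elif DONE.match(line):
            run["patch_done"] = True
    return run


def diff_runs(a, b):
    """Return only the fields on which two parsed runs disagree.

    Symbol offsets always differ between builds, so only the *set* of
    resolved and unresolved symbol names is compared.
    """
    out = {}
    for key in ("banners", "reloc_table", "relocs_applied", "patch_done"):
        if a[key] != b[key]:
            out[key] = (a[key], b[key])
    miss_a, miss_b = set(a["missing"]), set(b["missing"])
    if miss_a != miss_b:
        out["missing"] = (sorted(miss_a - miss_b), sorted(miss_b - miss_a))
    sym_a, sym_b = set(a["symbols"]), set(b["symbols"])
    if sym_a != sym_b:
        out["symbols"] = (sorted(sym_a - sym_b), sorted(sym_b - sym_a))
    return out


if __name__ == "__main__":
    stock, custom = parse_kptools_log(STOCK_LOG), parse_kptools_log(CUSTOM_LOG)
    for field, (s, c) in diff_runs(stock, custom).items():
        print(f"{field}: stock={s!r} custom={c!r}")
```

On these excerpts the runs differ only in banner count and relocation handling; both resolve the same symbols and both end in `patch done`, which is why the kptools log alone does not distinguish the booting image from the non-booting one.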

@XDABlackMesa123
Author

By taking a look at Magisk, we can see Samsung kernel images are patched out to address a few issues:

# Remove Samsung RKP
./magiskboot hexpatch kernel \
49010054011440B93FA00F71E9000054010840B93FA00F7189000054001840B91FA00F7188010054 \
A1020054011440B93FA00F7140020054010840B93FA00F71E0010054001840B91FA00F7181010054 \
&& PATCHEDKERNEL=true

# Remove Samsung defex
# Before: [mov w2, #-221]   (-__NR_execve)
# After:  [mov w2, #-32768]
./magiskboot hexpatch kernel 821B8012 E2FF8F12 && PATCHEDKERNEL=true

Samsung RKP patch was originally made by Chainfire back in the day for SuperSU to bypass CONFIG_RKP_NS_PROT; this isn't a thing anymore in modern devices but it's still present on older ones. Notice this patch still doesn't work on every device (topjohnwu/Magisk#7254).
Samsung Defex patch was implemented in 2018 (topjohnwu/Magisk#426); like for RKP, this isn't really necessary on newer devices as Defex will automatically be disabled when in recovery boot mode/unlocked bootloader.

@ravindu644
Contributor

> Building a custom kernel image with disabled Samsung security drivers (BlackMesa123/android_kernel_samsung_sm7325@7569eb2) solves this.
>
> Perhaps extra patches are required to handle Samsung shipped kernels?
>
> Custom built kernel image file: Image.zip
> Same but KernelPatch'd: Image_patched.zip

Yes sir, we need to disable all the Samsung anti-root techniques like RKP, Defex and the integrity subsystem to make APatch work :-). Not working on every Samsung device btw.

@Fede2782

Could I patch using Magisk boot to disable security features and then patch with APatch?

@XDABlackMesa123
Author

> Could I patch using Magisk boot to disable security features and then patch with APatch?

As explained in #123 (comment), those patches are old and don't work on newer devices (tho they're still there to support them), the non-booting issue seems also not related to either RKP_NS or DEFEX.

@bmax121 you might want to check CONFIG_RKP macros in Samsung kernel as after a few tests I'm pretty sure this is what breaks boot. The fact I couldn't get any logs in boot logs probably means the kernel patching itself is faulty. CONFIG_RKP macros are defined in the following files:

grep -r -w 'CONFIG_RKP'
arch/arm64/include/asm/pgalloc.h:#ifdef CONFIG_RKP
arch/arm64/include/asm/pgalloc.h:#ifdef CONFIG_RKP
arch/arm64/include/asm/pgalloc.h:#ifdef CONFIG_RKP
arch/arm64/include/asm/pgalloc.h:#ifdef CONFIG_RKP
arch/arm64/include/asm/pgtable.h:#ifdef CONFIG_RKP
arch/arm64/include/asm/pgtable.h:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c:#ifdef CONFIG_RKP
arch/arm64/mm/mmu.c://#ifndef CONFIG_RKP
arch/arm64/mm/pgd.c:#ifdef CONFIG_RKP
arch/arm64/mm/pgd.c:#ifdef CONFIG_RKP
arch/arm64/mm/pgd.c:#ifdef CONFIG_RKP
arch/arm64/net/bpf_jit_comp.c:#ifdef CONFIG_RKP
arch/arm64/net/bpf_jit_comp.c:#ifdef CONFIG_RKP
drivers/uh/Makefile:obj-$(CONFIG_RKP)   += rkp.o
init/main.c:#ifdef CONFIG_RKP
init/main.c:#ifdef CONFIG_RKP
init/main.c:#ifdef CONFIG_RKP
mm/slub.c:#ifdef CONFIG_RKP
mm/slub.c:#if defined(CONFIG_KDP) && defined(CONFIG_RKP)
mm/slub.c:#if defined(CONFIG_KDP) && defined(CONFIG_RKP)
mm/slub.c:#if defined(CONFIG_KDP) && defined(CONFIG_RKP)
mm/slub.c:#ifdef CONFIG_RKP
kernel/bpf/core.c:#ifdef CONFIG_RKP
kernel/bpf/core.c:#ifdef CONFIG_RKP
kernel/module.c:#ifdef CONFIG_RKP
kernel/module.c:#ifdef CONFIG_RKP
kernel/module.c:#ifdef CONFIG_RKP
kernel/module.c:#ifdef CONFIG_RKP
kernel/module.c:#ifdef CONFIG_RKP
kernel/module.c:#ifdef CONFIG_RKP

@ravindu644
Contributor

> > Could I patch using Magisk boot to disable security features and then patch with APatch?
>
> As explained in #123 (comment), those patches are old and don't work on newer devices (tho they're still there to support them), the non-booting issue seems also not related to either RKP_NS or DEFEX.
>
> @bmax121 you might want to check CONFIG_RKP macros in Samsung kernel as after a few tests I'm pretty sure this is what breaks boot. The fact I couldn't get any logs in boot logs probably means the kernel patching itself is faulty. CONFIG_RKP macros are defined in the following files:

[Image: IMG_20240115_141632_281]
[Image: IMG_20240115_141637_516]

@ravindu644
Contributor

> > Could I patch using Magisk boot to disable security features and then patch with APatch?
>
> As explained in #123 (comment), those patches are old and don't work on newer devices (tho they're still there to support them), the non-booting issue seems also not related to either RKP_NS or DEFEX.
>
> @bmax121 you might want to check CONFIG_RKP macros in Samsung kernel as after a few tests I'm pretty sure this is what breaks boot. The fact I couldn't get any logs in boot logs probably means the kernel patching itself is faulty. CONFIG_RKP macros are defined in the following files:

See this. (All samsung anti root mechanisms) - https://github.com/ravindu644/APatch/tree/main/docs/guides/kernel_compilation#how-to-disable-kernel-securities--enable-the-required-features-from-menuconfig

@Fede2782

Currently building kernel is not even a solution on Samsung Mediatek devices because their kernel source is incomplete and building is impossible without losing full connectivity or something else

@XDABlackMesa123
Author

> Currently building kernel is not even a solution on Samsung Mediatek devices because their kernel source is incomplete and building is impossible without losing full connectivity or something else

Also, isn't this project's main goal to patch kernel images automatically? Building custom kernel images just for Samsung devices is redundant, might as well just stick with KSU.

@Fede2782

> > Currently building kernel is not even a solution on Samsung Mediatek devices because their kernel source is incomplete and building is impossible without losing full connectivity or something else
>
> Also, isn't this project's main goal to patch kernel images automatically? Building custom kernel images just for Samsung devices is redundant, might as well just stick with KSU.

Yes, yes, of course. I just said that building wasn't an option

@Sahil12524

so what now, should we wait or leave rooting the device?
My device: Samsung M127G
stuck on boot logo and after few minutes it reboots itself and loops over!

@bmax121
Owner

bmax121 commented Feb 15, 2024

I still don’t understand the principles of RKP and Defex, I’ll figure it out when I have time.

@XDABlackMesa123
Author

> I still don’t understand the principles of RKP and Defex, I’ll figure it out when I have time.

Defex isn't relevant to the issue, this is mainly caused by those security components running on microHypervisor (µH) such as RKP and KDP. What I believe is happening is those alter the kernel struct in some way, so KernelPatch generates a malformed kernel image in the end, explaining why there's no output in kmsg when trying to debug the issue.

@XDABlackMesa123
Author

Regarding https://github.com/ravindu644/APatch-Samsung, I've already explained in #123 (comment) that those patches are useless in this case because they don't address this issue. RKP namespace protection is no longer a thing in modern devices and it would've been visible in kmsg if this was the case (e.g. topjohnwu/Magisk#7665 (comment)), while Defex LSM only blocks userspace executables based on its set of rules/policy. This one also automatically disables itself if an unlocked bootloader status is detected (e.g. https://github.com/BlackMesa123/android_kernel_samsung_s5e8835/blob/ed39d840e85ab23495efb36001d0cd792862c5c6/security/samsung/defex_lsm/core/defex_lsm.c#L68-L77).

@ArchVisions

I have personally tried patching my stock boot.img file with APatch and I am having the same problem. I am currently using the Galaxy Tab S9 FE. I am honestly surprised, as I can boot just fine with KSU GKI kernels; the only problem I have with that is that I can't read or write anything on my SD card. I will be sticking with KSU for now.

@Fede2782

> I have personally tried patching my stock boot.img file with APatch and I am having the same problem. I am currently using the Galaxy Tab S9 FE. I am honestly surprised, as I can boot just fine with KSU GKI kernels; the only problem I have with that is that I can't read or write anything on my SD card. I will be sticking with KSU for now.

Samsung doesn't use standard GKI. Samsung has its GKI sources which are device specific but contain all needed drivers like SDCard or SPen hardware. This means that GKI Samsung devices may miss some small features when using non Samsung kernel

@ArchVisions

@Fede2782 Thanks for the information! Yes, this is why I am excited for APatch. As I mentioned, the SD card isn't being read; APatch could fix that issue by patching the boot.img specific to my device. I am using KSU for now and it is less detectable than Magisk. I don't know how to compile my own kernel and I am missing out on some small things (actually the SPen works completely fine), so that's why I am currently waiting for APatch to support Samsung devices.

@ArchVisions

> > I have personally tried patching my stock boot.img file with APatch and I am having the same problem. I am currently using the Galaxy Tab S9 FE. I am honestly surprised, as I can boot just fine with KSU GKI kernels; the only problem I have with that is that I can't read or write anything on my SD card. I will be sticking with KSU for now.
>
> Samsung doesn't use standard GKI. Samsung has its GKI sources which are device specific but contain all needed drivers like SDCard or SPen hardware. This means that GKI Samsung devices may miss some small features when using non Samsung kernel

Is there any way I can access those resources? I am thinking about building a custom kernel for my S9 FE. I can't seem to find any source code at the moment, which makes sense as it was released back in October 2023.

@XDABlackMesa123
Author

> Is there any way I can access those resources? I am thinking about building a custom kernel for my S9 FE. I can't seem to find any source code at the moment, which makes sense as it was released back in October 2023.

https://opensource.samsung.com/uploadSearch?searchValue=X516

@Fede2782

> > > I have personally tried patching my stock boot.img file with APatch and I am having the same problem. I am currently using the Galaxy Tab S9 FE. I am honestly surprised, as I can boot just fine with KSU GKI kernels; the only problem I have with that is that I can't read or write anything on my SD card. I will be sticking with KSU for now.
>
> > Samsung doesn't use standard GKI. Samsung has its GKI sources which are device specific but contain all needed drivers like SDCard or SPen hardware. This means that GKI Samsung devices may miss some small features when using non Samsung kernel
>
> Is there any way I can access those resources? I am thinking about building a custom kernel for my S9 FE. I can't seem to find any source code at the moment, which makes sense as it was released back in October 2023.

There is just Android 13 kernel. I am sending every week a request to Samsung for P615 and X516B sources without any response

@ArchVisions

ArchVisions commented Feb 18, 2024

> > Is there any way I can access those resources? I am thinking about building a custom kernel for my S9 FE. I can't seem to find any source code at the moment, which makes sense as it was released back in October 2023.
>
> https://opensource.samsung.com/uploadSearch?searchValue=X516

I found the source code! Thanks man! Also big fan of your work! Especially KnoxPatch!

@ArchVisions

> > Is there any way I can access those resources? I am thinking about building a custom kernel for my S9 FE. I can't seem to find any source code at the moment, which makes sense as it was released back in October 2023.
>
> https://opensource.samsung.com/uploadSearch?searchValue=X516

Hey, I am new to building kernels, but does the source code have to match with the exact model and version? I have the SM-X510 with Android 14 on it. I currently have the source code for the specific model, but it is for Android 13. The current GKI kernel is Android-13-5.15.104.

Repository owner deleted a comment from ArchVisions Mar 2, 2024
@pomelohan pomelohan added the bug Something isn't working label Mar 10, 2024
@privacyguy123

Thread is unclear - is it safe to try and patch Samsung devices?

@Glennza1962

Glennza1962 commented Mar 13, 2024

> Thread is unclear - is it safe to try and patch Samsung devices?

I just tried to install APatch on my S9 with custom ROM. Patch written and installed okay but just bootloops. So I'd say 'no'.

https://xdaforums.com/t/rom-oneui-5-1-galaxy-s9-s9-note9-intl-kor-g960x-g965x-n960x-floydrom-build-19-0-12-25-2023.4625579/

@xxjoe2

xxjoe2 commented Apr 7, 2024

> [Image: IMG_20240115_141632_281]

sorry a bit confused. so you did it on the samsung tablet?

@yoro1836

yoro1836 commented May 8, 2024

I don't know if it will work, I have 5.4 gki boot img. If you want, I can share it. (Not Patched)
