Nolen Johnson | 802fd00 | 2019-08-07 23:56:48 -0400

WARNING:

This project is no longer actively maintained, because the vulnerability that
it leverages was patched several years ago. No new updates will be provided.
The current codebase will remain here for reference purposes.


=============================
Loki
by Dan Rosenberg (@djrbliss)
=============================

Loki is a set of tools for creating and flashing custom kernels and recoveries
on the AT&T and Verizon branded Samsung Galaxy S4, the Samsung Galaxy Stellar,
and various locked LG devices. For an explanation of how the exploit works,
please see the technical blog post at:

http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

Devices must be rooted in order to flash custom kernels and recoveries.

loki_tool:
The [patch] option is primarily intended for developers to create custom
kernels and recoveries. It takes a specific aboot image and an unmodified
boot or recovery image, and generates an output image in a new file format,
".lok". The resulting .lok image is specifically tailored for the device build
it was created with, and can be flashed directly to the recovery or boot
partition on the target device.

The [flash] option can be used to flash a .lok image to an actual device.
It will verify that the provided .lok image is safe to flash for a given target
and then perform the flashing only if validation succeeds. It is also possible
to simply use "dd" to flash a .lok image directly to the boot or recovery partition,
but using the [flash] option is recommended, since it validates that the .lok
matches the target device before anything is written.


=============
Sample usage
=============

First, a developer must pull the aboot image from a target device:


dan@pc:~$ adb shell
shell@android:/ $ su
shell@android:/ # dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/data/local/tmp/aboot.img
shell@android:/ # chmod 644 /data/local/tmp/aboot.img
shell@android:/ # exit
shell@android:/ $ exit
dan@pc:~$ adb pull /data/local/tmp/aboot.img
3293 KB/s (2097152 bytes in 0.621s)


Next, a .lok image can be prepared using loki_tool [patch]:


dan@pc:~$ loki_tool patch
Usage: ./loki_tool [patch] [boot|recovery] [aboot.img] [in.img] [out.lok]
dan@pc:~$ loki_tool patch recovery aboot.img cwm.img cwm.lok
[+] Detected target AT&T build JDQ39.I337UCUAMDB or JDQ39.I337UCUAMDL
[+] Output file written to cwm.lok


Finally, the .lok image can be flashed using loki_tool [flash]:


dan@pc:~$ adb push cwm.lok /data/local/tmp
dan@pc:~$ adb push loki_tool /data/local/tmp
dan@pc:~$ adb shell
shell@android:/ $ su
shell@android:/ # chmod 755 /data/local/tmp/loki_tool
shell@android:/ # /data/local/tmp/loki_tool
Usage: /data/local/tmp/loki_tool [flash] [boot|recovery] [in.lok]
shell@android:/ # /data/local/tmp/loki_tool flash recovery /data/local/tmp/cwm.lok
[+] Loki validation passed, flashing image.
2253+1 records in
2253+1 records out
9230848 bytes transferred in 0.656 secs (14071414 bytes/sec)
[+] Loki flashing complete!