IDA Pro script for Linux ARM64/AArch64 kernel relocation (__relocate_kernel)

linux_arm64_relocate.py

import idaapi
import re

def get_reloc_region():
    relocFunc = idaapi.get_name_ea(idaapi.BADADDR, '__relocate_kernel')
    #nexthead = lambda ea: idaapi.next_head(ea, idaapi.BADADDR)
    
    d = idc.GetDisasm(relocFunc)
    try:
        relocOff = re.findall(r'LDR *.*?, =(0x[0-9A-F]+)', d)[0]
    except:
        raise Exception('invalid disasm: %s' % d)
    relocOff = int(relocOff, 16)
    
    d = idc.GetDisasm(idaapi.next_head(relocFunc, idaapi.BADADDR))
    try:
        relocSize = re.findall(r'LDR *.*?, =(0x[0-9A-F]+)', d)[0]
    except:
        raise Exception('invalid disasm: %s' % d)
    relocSize = int(relocSize, 16)
    
    kernel_base = 0xFFFFFFC008000000
    
    return kernel_base + relocOff, kernel_base + relocOff + relocSize

relocStart, relocEnd = get_reloc_region()

def processReloc(relocStart, relocEnd, dryrun=True):
    assert (relocEnd - relocStart) % 24 == 0
    
    for relocEntryEA in range(relocStart, relocEnd, 24):
        target = idaapi.get_qword(relocEntryEA)
        typ = idaapi.get_qword(relocEntryEA + 8)
        content = idaapi.get_qword(relocEntryEA + 16)
        assert typ in (0x403, 0) # 0 means no action
        if typ == 0x403:
            print('Reloc entry %x: typ=%x 0x%x <- 0x%x' % (relocEntryEA, typ, target, content))
            
            if not dryrun:
                print("    Patching %x to %x" % (target,content))
                idaapi.patch_qword(target,content)
                idaapi.op_offset(target, 0, idaapi.REF_OFF64)

processReloc(relocStart, relocEnd, dryrun=True)
processReloc(relocStart, relocEnd, dryrun=False)