add widevine and move back to pi4 kernel for now
This commit is contained in:
parent
5709b8b2f1
commit
391ebb0f5e
|
@ -41,6 +41,7 @@
|
|||
"start4.elf"
|
||||
"start4x.elf"
|
||||
|
||||
"bcm2712-rpi-5-b.dtb"
|
||||
"overlays/vc4-kms-v3d-pi5.dtbo"
|
||||
] (file: {
|
||||
"${file}" = "${piBootFw}/${file}";
|
||||
|
@ -73,7 +74,8 @@
|
|||
'';
|
||||
# UEFI Files
|
||||
"RPI_EFI.fd" = "${edk2}/RPI_EFI.fd";
|
||||
"bcm2712-rpi-5-b.dtb" = "${edk2}/bcm2712-rpi-5-b.dtb";
|
||||
# Using a more updated dtb
|
||||
# "bcm2712-rpi-5-b.dtb" = "${edk2}/bcm2712-rpi-5-b.dtb";
|
||||
}
|
||||
// piBootFwFiles;
|
||||
in {
|
||||
|
@ -86,10 +88,14 @@ in {
|
|||
"fbdev"
|
||||
];
|
||||
|
||||
environment.systemPackages = [config.boot.kernelPackages.cpupower];
|
||||
environment.systemPackages = with pkgs; [
|
||||
config.boot.kernelPackages.cpupower
|
||||
raspberrypi-utils
|
||||
raspberrypi-eeprom
|
||||
];
|
||||
|
||||
boot = {
|
||||
kernelPackages = pkgs.linuxPackages_rpi5;
|
||||
kernelPackages = pkgs.linuxPackages_rpi4;
|
||||
supportedFilesystems = mkForce ["vfat"];
|
||||
kernelParams = [
|
||||
"kunit.enable=0"
|
||||
|
|
|
@ -1,9 +1,6 @@
|
|||
{pkgs, ...}: let
|
||||
kodiPackage = pkgs.kodi-wayland.withPackages (kodiPkgs:
|
||||
with kodiPkgs; [
|
||||
keymap
|
||||
sendtokodi
|
||||
sponsorblock
|
||||
pvr-iptvsimple
|
||||
inputstreamhelper
|
||||
inputstream-adaptive
|
||||
|
@ -14,17 +11,36 @@
|
|||
visualization-starburst
|
||||
visualization-spectrum
|
||||
]);
|
||||
|
||||
gamescope-kodi = pkgs.writeShellScriptBin "gamescope-kodi" ''
|
||||
gamescope --expose-wayland --hdr-enabled -- kodi --windowing=wayland
|
||||
'';
|
||||
|
||||
gamescopeKodiSessionFile =
|
||||
(pkgs.writeTextDir "share/wayland-sessions/kodi.desktop" ''
|
||||
[Desktop Entry]
|
||||
Name=Kodi
|
||||
Comment=Kodi
|
||||
Exec=${gamescope-kodi}/bin/gamescope-kodi
|
||||
Type=Application
|
||||
'')
|
||||
.overrideAttrs (_: {passthru.providedSessions = ["kodi"];});
|
||||
in {
|
||||
environment.systemPackages = [
|
||||
kodiPackage
|
||||
];
|
||||
|
||||
security.wrappers.gamescope = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.gamescope}/bin/gamescope";
|
||||
capabilities = "cap_sys_nice+pie";
|
||||
};
|
||||
|
||||
services.displayManager.sessionPackages = [gamescopeKodiSessionFile];
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
desktopManager.kodi = {
|
||||
enable = true;
|
||||
package = kodiPackage;
|
||||
};
|
||||
extraConfig = ''
|
||||
Section "OutputClass"
|
||||
Identifier "vc4"
|
||||
|
@ -40,15 +56,16 @@ in {
|
|||
allowedUDPPorts = [8080];
|
||||
};
|
||||
|
||||
home-manager.users.chaos = {
|
||||
# only for x86_64
|
||||
# home.file.widevine-lib = {
|
||||
# source = "${pkgs.widevine-cdm}/share/google/chrome/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so";
|
||||
# target = ".kodi/cdm/libwidevinecdm.so";
|
||||
# };
|
||||
# home.file.widevine-manifest = {
|
||||
# source = "${pkgs.widevine-cdm}/share/google/chrome/WidevineCdm/manifest.json";
|
||||
# target = ".kodi/cdm/manifest.json";
|
||||
# };
|
||||
home-manager.users.chaos = let
|
||||
widevine = pkgs.widevine-aarch64-4k;
|
||||
in {
|
||||
home.file.widevine-lib = {
|
||||
source = "${widevine}/share/google/chrome/WidevineCdm/_platform_specific/linux_arm64/libwidevinecdm.so";
|
||||
target = ".kodi/cdm/libwidevinecdm.so";
|
||||
};
|
||||
home.file.widevine-manifest = {
|
||||
source = "${widevine}/share/google/chrome/WidevineCdm/manifest.json";
|
||||
target = ".kodi/cdm/manifest.json";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -50,6 +50,7 @@ in
|
|||
inherit (pkgs) gotosocial mpd-headless;
|
||||
inherit (pkgs) kitty-terminfo;
|
||||
inherit (pkgs) linux_rpi5 raspberrypifw raspberrypiWirelessFirmware raspberrypi-utils;
|
||||
inherit (pkgs) widevine-aarch64-4k widevine-aarch64-16k;
|
||||
inherit (inputs.home-manager-unstable.packages."${system}") home-manager;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -55,6 +55,9 @@ final: prev: rec {
|
|||
|
||||
raspberrypi-utils = final.callPackage ./raspberrypi-utils.nix {};
|
||||
|
||||
widevine-aarch64-4k = final.callPackage ./widevine-aarch64 {pageSize = 4096;};
|
||||
widevine-aarch64-16k = final.callPackage ./widevine-aarch64 {pageSize = 16384;};
|
||||
|
||||
mpd-headless =
|
||||
(prev.mpdWithFeatures.override {
|
||||
ffmpeg = final.ffmpeg_6-headless;
|
||||
|
|
45
overlay/widevine-aarch64/default.nix
Normal file
45
overlay/widevine-aarch64/default.nix
Normal file
|
@ -0,0 +1,45 @@
|
|||
{
|
||||
stdenv,
|
||||
fetchurl,
|
||||
squashfsTools,
|
||||
python3,
|
||||
# Depends on kernel used
|
||||
pageSize ? 4096,
|
||||
}:
|
||||
stdenv.mkDerivation {
|
||||
pname = "widevine-aarch64-${toString pageSize}k";
|
||||
version = "4.10.2662.3";
|
||||
|
||||
srcs = fetchurl {
|
||||
url = "https://commondatastorage.googleapis.com/chromeos-localmirror/distfiles/chromeos-lacros-arm64-squash-zstd-120.0.6098.0";
|
||||
hash = "sha256-OKV8w5da9oZ1oSGbADVPCIkP9Y0MVLaQ3PXS3ZBLFXY=";
|
||||
};
|
||||
|
||||
unpackPhase = ":";
|
||||
sourceRoot = ".";
|
||||
|
||||
buildPhase = ''
|
||||
unsquashfs -q $srcs 'WidevineCdm/*'
|
||||
env TARGET_PAGE_SIZE=${toString pageSize} python3 "${./widevine_fixup.py}" squashfs-root/WidevineCdm/_platform_specific/cros_arm64/libwidevinecdm.so libwidevinecdm.so
|
||||
'';
|
||||
|
||||
# TODO: systemwide install
|
||||
installPhase = ''
|
||||
install -d -m 0755 "$out"
|
||||
install -p -m 0755 -t "$out" libwidevinecdm.so
|
||||
install -p -m 0644 -t "$out" squashfs-root/WidevineCdm/manifest.json
|
||||
install -p -m 0644 -t "$out" squashfs-root/WidevineCdm/LICENSE
|
||||
|
||||
mkdir -p "$out/share/google/chrome/WidevineCdm/_platform_specific/linux_arm64"
|
||||
mkdir -p "$out/share/google/chrome/WidevineCdm/_platform_specific/linux_x64"
|
||||
# Hack because Chromium hardcodes a check for this right now...
|
||||
touch "$out/share/google/chrome/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so"
|
||||
ln -sf ../../../../manifest.json "$out/share/google/chrome/WidevineCdm"
|
||||
ln -sf ../../../../../../libwidevinecdm.so "$out/share/google/chrome/WidevineCdm/_platform_specific/linux_arm64/"
|
||||
'';
|
||||
|
||||
nativeBuildInputs = [
|
||||
squashfsTools
|
||||
python3
|
||||
];
|
||||
}
|
445
overlay/widevine-aarch64/widevine_fixup.py
Normal file
445
overlay/widevine-aarch64/widevine_fixup.py
Normal file
|
@ -0,0 +1,445 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
"""
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2023 David Buchanan
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
Original script:
|
||||
https://gist.github.com/DavidBuchanan314/c6b97add51b97e4c3ee95dc890f9e3c8
|
||||
"""
|
||||
|
||||
import sys
|
||||
|
||||
verbose = False
|
||||
args = sys.argv[1:]
|
||||
if len(args) >= 1 and args[0] == "-v":
|
||||
verbose = True
|
||||
args = args[1:]
|
||||
|
||||
if len(args) != 2:
|
||||
print(f"Usage: {sys.argv[0]} [-v] input.so output.so")
|
||||
exit()
|
||||
|
||||
def log(s):
|
||||
if verbose:
|
||||
print(s)
|
||||
|
||||
"""
|
||||
Widevine fixup tool for aarch64 systems
|
||||
|
||||
Old aarch64 widevine builds currently only support 4k page sizes.
|
||||
|
||||
This script fixes that, by pre-padding the LOAD segments so that they meet
|
||||
the alignment constraints required by the loader, and then fixing up the
|
||||
relevant header offsets to keep the file valid.
|
||||
|
||||
It also injects two functions that are not exported from typical libgccs, into
|
||||
the empty space at the end of the .text segment. This avoids any LD_PRELOAD
|
||||
workarounds. (The injected functions are __aarch64_ldadd4_acq_rel
|
||||
and __aarch64_swp4_acq_rel)
|
||||
|
||||
IMPORTANT NOTE: On systems with >4k page size (e.g. Apple Silicon devices),
|
||||
using the resulting binary *significantly* weakens the security of your web
|
||||
browser, in two ways. Firstly, it disables the RELRO security mitigation, and
|
||||
secondly it creates a RWX mapping.
|
||||
|
||||
This script also adds the necessary GLIBC_ABI_DT_RELR version tag so that
|
||||
current glibc versions can load the library without requiring any patches.
|
||||
|
||||
Newer Widevine versions do have 64K aligned segments, and do not need the
|
||||
padding process. They also do not have the same security implications, so its
|
||||
use is recommended. However, we still adjust the segment offsets to open up
|
||||
space for adding the missing functions, and to insert the GLIBC_ABI_DT_RELR
|
||||
version.
|
||||
|
||||
This process is fragile, and may not work as-is on future revisions of widevine.
|
||||
"""
|
||||
|
||||
import ctypes
|
||||
import os
|
||||
|
||||
class Elf64_Ehdr(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('e_ident', ctypes.c_ubyte * 16),
|
||||
('e_type', ctypes.c_uint16),
|
||||
('e_machine', ctypes.c_uint16),
|
||||
('e_version', ctypes.c_uint32),
|
||||
('e_entry', ctypes.c_uint64),
|
||||
('e_phoff', ctypes.c_uint64),
|
||||
('e_shoff', ctypes.c_uint64),
|
||||
('e_flags', ctypes.c_uint32),
|
||||
('e_ehsize', ctypes.c_uint16),
|
||||
('e_phentsize', ctypes.c_uint16),
|
||||
('e_phnum', ctypes.c_uint16),
|
||||
('e_shentsize', ctypes.c_uint16),
|
||||
('e_shnum', ctypes.c_uint16),
|
||||
('e_shstrndx', ctypes.c_uint16),
|
||||
]
|
||||
|
||||
class Elf64_Phdr(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('p_type', ctypes.c_uint32),
|
||||
('p_flags', ctypes.c_uint32),
|
||||
('p_offset', ctypes.c_uint64),
|
||||
('p_vaddr', ctypes.c_uint64),
|
||||
('p_paddr', ctypes.c_uint64),
|
||||
('p_filesz', ctypes.c_uint64),
|
||||
('p_memsz', ctypes.c_uint64),
|
||||
('p_align', ctypes.c_uint64),
|
||||
]
|
||||
|
||||
class P_FLAGS:
|
||||
""" Flag values for the p_flags field of program headers
|
||||
"""
|
||||
PF_X=0x1
|
||||
PF_W=0x2
|
||||
PF_R=0x4
|
||||
PF_MASKOS=0x00FF0000
|
||||
PF_MASKPROC=0xFF000000
|
||||
|
||||
class PT:
|
||||
PT_NULL=0
|
||||
PT_LOAD=1
|
||||
PT_DYNAMIC=2
|
||||
PT_INTERP=3
|
||||
PT_NOTE=4
|
||||
PT_SHLIB=5
|
||||
PT_PHDR=6
|
||||
PT_TLS=7
|
||||
PT_LOOS=0x60000000
|
||||
PT_HIOS=0x6fffffff
|
||||
|
||||
PT_GNU_EH_FRAME=0x6474e550
|
||||
PT_GNU_STACK=0x6474e551
|
||||
PT_GNU_RELRO=0x6474e552
|
||||
PT_GNU_PROPERTY=0x6474e553
|
||||
|
||||
class Elf64_Shdr(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('sh_name', ctypes.c_uint32),
|
||||
('sh_type', ctypes.c_uint32),
|
||||
('sh_flags', ctypes.c_uint64),
|
||||
('sh_addr', ctypes.c_uint64),
|
||||
('sh_offset', ctypes.c_uint64),
|
||||
('sh_size', ctypes.c_uint64),
|
||||
('sh_link', ctypes.c_uint32),
|
||||
('sh_info', ctypes.c_uint32),
|
||||
('sh_addralign', ctypes.c_uint64),
|
||||
('sh_entsize', ctypes.c_uint64),
|
||||
]
|
||||
|
||||
class Elf64_Sym(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('st_name', ctypes.c_uint32),
|
||||
('st_info', ctypes.c_ubyte),
|
||||
('st_other', ctypes.c_ubyte),
|
||||
('st_shndx', ctypes.c_uint16),
|
||||
('st_value', ctypes.c_uint64),
|
||||
('st_size', ctypes.c_uint64),
|
||||
]
|
||||
|
||||
class Elf64_Dyn(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('d_tag', ctypes.c_uint64),
|
||||
('d_val', ctypes.c_uint64), # union with d_ptr
|
||||
]
|
||||
|
||||
class D_TAG: # XXX: this is very incomplete
|
||||
DT_NULL=0
|
||||
DT_NEEDED=1
|
||||
DT_STRTAB=5
|
||||
DT_SONAME=14
|
||||
DT_VERNEED=0x6ffffffe
|
||||
|
||||
class Elf64_Rela(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('r_offset', ctypes.c_uint64),
|
||||
#('r_info', ctypes.c_uint64),
|
||||
('r_type', ctypes.c_uint32),
|
||||
('r_symbol', ctypes.c_uint32),
|
||||
('r_addend', ctypes.c_int64),
|
||||
]
|
||||
|
||||
class Elf64_Verneed(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('vn_version', ctypes.c_uint16),
|
||||
('vn_cnt', ctypes.c_uint16),
|
||||
('vn_file', ctypes.c_uint32),
|
||||
('vn_aux', ctypes.c_uint32),
|
||||
('vn_next', ctypes.c_uint32),
|
||||
]
|
||||
|
||||
class Elf64_Vernaux(ctypes.Structure):
|
||||
_fields_ = [
|
||||
('vna_hash', ctypes.c_uint32),
|
||||
('vna_flags', ctypes.c_uint16),
|
||||
('vna_other', ctypes.c_uint16),
|
||||
('vna_name', ctypes.c_uint32),
|
||||
('vna_next', ctypes.c_uint32),
|
||||
]
|
||||
|
||||
|
||||
|
||||
TARGET_PAGE_SIZE = int(os.getenv("TARGET_PAGE_SIZE", default = 4096))
|
||||
WEAKEN_SECURITY = TARGET_PAGE_SIZE > 4096
|
||||
inject_addr = None
|
||||
|
||||
weakened_security = False
|
||||
|
||||
"""
|
||||
0000000000000b24 <__aarch64_ldadd4_acq_rel>:
|
||||
b24: 2a0003e2 mov w2, w0
|
||||
b28: 885ffc20 ldaxr w0, [x1]
|
||||
b2c: 0b020003 add w3, w0, w2
|
||||
b30: 8804fc23 stlxr w4, w3, [x1]
|
||||
b34: 35ffffa4 cbnz w4, b28 <__aarch64_ldadd4_acq_rel+0x4>
|
||||
b38: d65f03c0 ret
|
||||
|
||||
0000000000000b3c <__aarch64_swp4_acq_rel>:
|
||||
b3c: 2a0003e2 mov w2, w0
|
||||
b40: 885ffc20 ldaxr w0, [x1]
|
||||
b44: 8803fc22 stlxr w3, w2, [x1]
|
||||
b48: 35ffffc3 cbnz w3, b40 <__aarch64_swp4_acq_rel+0x4>
|
||||
b4c: d65f03c0 ret
|
||||
"""
|
||||
|
||||
injected_code = bytes.fromhex("e203002a20fc5f880300020b23fc0488a4ffff35c0035fd6e203002a20fc5f8822fc0388c3ffff35c0035fd6")
|
||||
|
||||
with open(args[0], "rb") as infile:
|
||||
elf = bytearray(infile.read())
|
||||
|
||||
print(f"Fixing up ChromeOS Widevine CDM module for Linux compatibility...")
|
||||
|
||||
elf_length = len(elf)
|
||||
elf += bytearray(0x100000) # pre-expand the buffer by more than enough
|
||||
|
||||
ehdr = Elf64_Ehdr.from_buffer(elf)
|
||||
|
||||
phdrs = [
|
||||
Elf64_Phdr.from_buffer(memoryview(elf)[ehdr.e_phoff + i * ehdr.e_phentsize:])
|
||||
for i in range(ehdr.e_phnum)
|
||||
]
|
||||
|
||||
adjustments = []
|
||||
|
||||
def adjust_offset(x):
|
||||
for index, delta in adjustments:
|
||||
if x >= index:
|
||||
x += delta
|
||||
return x
|
||||
|
||||
def align(a, b):
|
||||
return (a + b - 1) & ~(b - 1)
|
||||
|
||||
prev = None
|
||||
remove_relro = False
|
||||
for phdr in phdrs:
|
||||
phdr.p_offset = adjust_offset(phdr.p_offset)
|
||||
if phdr.p_type == PT.PT_DYNAMIC:
|
||||
phdr_dynamic = phdr
|
||||
if phdr.p_type == PT.PT_LOAD:
|
||||
if phdr.p_align < TARGET_PAGE_SIZE:
|
||||
phdr.p_align = TARGET_PAGE_SIZE
|
||||
delta_needed = (phdr.p_vaddr - phdr.p_offset) % phdr.p_align
|
||||
skip_perms_hack = False
|
||||
if phdr.p_vaddr != phdr.p_offset and not inject_addr:
|
||||
# Newer CDM versions use 64K alignment, so no longer require this hack.
|
||||
# However, we still need space to inject the code & modified headers, so
|
||||
# we might as well still do it.
|
||||
delta_needed = phdr.p_vaddr - phdr.p_offset
|
||||
skip_perms_hack = True
|
||||
if delta_needed:
|
||||
log(f" Inserting {hex(delta_needed)} bytes at offset {hex(phdr.p_offset)}")
|
||||
if not inject_addr:
|
||||
pad_bytes = injected_code + bytes(delta_needed - len(injected_code))
|
||||
inject_addr = phdr.p_offset
|
||||
log(f" Also injecting code at offset {hex(phdr.p_offset)}")
|
||||
else:
|
||||
pad_bytes = bytes(delta_needed)
|
||||
elf[phdr.p_offset:] = pad_bytes + elf[phdr.p_offset:-delta_needed]
|
||||
adjustments.append((phdr.p_offset, delta_needed))
|
||||
elf_length += delta_needed
|
||||
phdr.p_offset += delta_needed
|
||||
|
||||
# Load the injected bytes up to the align size as part of the previous phdr
|
||||
align_off = align(prev.p_vaddr + prev.p_filesz, prev.p_align) - prev.p_vaddr - prev.p_filesz
|
||||
# This could fail if we get unlucky, let's hope not
|
||||
assert align_off >= len(injected_code)
|
||||
prev.p_filesz += min(delta_needed, align_off)
|
||||
prev.p_memsz += min(delta_needed, align_off)
|
||||
|
||||
if WEAKEN_SECURITY and not skip_perms_hack:
|
||||
phdr.p_flags |= P_FLAGS.PF_X # XXX: this is a hack!!! (at the very least, we should apply it only to the mappings that need it)
|
||||
remove_relro = True
|
||||
weakened_security = True
|
||||
prev = phdr
|
||||
|
||||
if WEAKEN_SECURITY and remove_relro and phdr.p_type == PT.PT_GNU_RELRO:
|
||||
print(" Neutering relro") # XXX: relro is a security mechanism
|
||||
phdr.p_type = PT.PT_NOTE
|
||||
weakened_security = True
|
||||
|
||||
if inject_addr is None:
|
||||
inject_addr = (elf_length + 3) & ~3
|
||||
elf[inject_addr: inject_addr + len(injected_code)] = injected_code
|
||||
elf_length += 0x10000
|
||||
|
||||
|
||||
free_addr = inject_addr + len(injected_code)
|
||||
# the section headers have moved
|
||||
ehdr.e_shoff = adjust_offset(ehdr.e_shoff)
|
||||
|
||||
shdrs = [
|
||||
Elf64_Shdr.from_buffer(memoryview(elf)[ehdr.e_shoff + i * ehdr.e_shentsize:])
|
||||
for i in range(ehdr.e_shnum)
|
||||
]
|
||||
|
||||
for shdr in shdrs:
|
||||
shdr.sh_offset = adjust_offset(shdr.sh_offset)
|
||||
|
||||
strtab = shdrs[ehdr.e_shstrndx]
|
||||
|
||||
def resolve_string(elf, strtab, stridx, count=False):
|
||||
if count:
|
||||
str_start = strtab.sh_offset
|
||||
for _ in range(stridx):
|
||||
str_start = elf.index(b"\0", str_start) + 1
|
||||
else:
|
||||
str_start = strtab.sh_offset + stridx
|
||||
str_end = elf.index(b"\0", str_start)
|
||||
return bytes(elf[str_start:str_end])
|
||||
|
||||
shdr_by_name = {
|
||||
resolve_string(elf, strtab, shdr.sh_name): shdr
|
||||
for shdr in shdrs
|
||||
}
|
||||
|
||||
# XXX: unfortunately this does not do anything useful!
|
||||
# It doesn't hurt either, so I'm leaving it here just in case.
|
||||
dynsym = shdr_by_name[b".dynsym"]
|
||||
dynstr = shdr_by_name[b".dynstr"]
|
||||
for i in range(0, dynsym.sh_size, dynsym.sh_entsize):
|
||||
sym = Elf64_Sym.from_buffer(memoryview(elf)[dynsym.sh_offset + i:])
|
||||
name = resolve_string(elf, dynstr, sym.st_name)
|
||||
if name in [b"__aarch64_ldadd4_acq_rel", b"__aarch64_swp4_acq_rel"]:
|
||||
log(f" Weak binding {name}")
|
||||
sym.st_info = (sym.st_info & 0x0f) | (2 << 4) # STB_WEAK
|
||||
|
||||
"""
|
||||
dynamic = shdr_by_name[b".dynamic"]
|
||||
for i in range(0, dynamic.sh_size, dynamic.sh_entsize):
|
||||
dyn = Elf64_Dyn.from_buffer(memoryview(elf)[dynamic.sh_offset + i:])
|
||||
if dyn.d_tag == D_TAG.DT_SONAME:
|
||||
print("hijacking SONAME tag to point to NEEDED libgcc_hide.so")
|
||||
dyn.d_tag = D_TAG.DT_NEEDED
|
||||
dyn.d_val = inject_addr - dynstr.sh_offset
|
||||
dynstr.sh_size = (inject_addr - dynstr.sh_offset) + len(PATH_TO_INJECT) + 1
|
||||
"""
|
||||
|
||||
rela_plt = shdr_by_name[b".rela.plt"]
|
||||
for i in range(0, rela_plt.sh_size, rela_plt.sh_entsize):
|
||||
rela = Elf64_Rela.from_buffer(memoryview(elf)[rela_plt.sh_offset + i:])
|
||||
sym = resolve_string(elf, dynstr, rela.r_symbol, count=True)
|
||||
if sym in [b"__aarch64_ldadd4_acq_rel", b"__aarch64_swp4_acq_rel"]:
|
||||
log(f" Modifying {sym} plt reloc to point into injected code")
|
||||
rela.r_type = 1027 # R_AARCH64_RELATIVE
|
||||
rela.r_addend = inject_addr
|
||||
if sym == b"__aarch64_swp4_acq_rel":
|
||||
rela.r_addend += 6*4
|
||||
|
||||
# Move the dynstr section to the hole and add the missing GLIBC_ABI_DT_RELR
|
||||
log(" Moving .dynstr to free space and adding GLIBC_ABI_DT_RELR...")
|
||||
free_addr = (free_addr + 3) & ~3
|
||||
dynstr = shdr_by_name[b".dynstr"]
|
||||
dynstr_data = elf[dynstr.sh_offset:dynstr.sh_offset + dynstr.sh_size]
|
||||
abi_dt_relr_off = len(dynstr_data)
|
||||
dynstr_data += b"GLIBC_ABI_DT_RELR\0"
|
||||
dynstr.sh_offset = free_addr
|
||||
dynstr.sh_addr = free_addr
|
||||
dynstr.sh_size = len(dynstr_data)
|
||||
elf[free_addr:free_addr + dynstr.sh_size] = dynstr_data
|
||||
free_addr += dynstr.sh_size
|
||||
|
||||
log(" Moving .gnu.version_r to free space and adding GLIBC_ABI_DT_RELR...")
|
||||
ver_r = shdr_by_name[b".gnu.version_r"]
|
||||
ver_r_data = elf[ver_r.sh_offset:ver_r.sh_offset + ver_r.sh_size]
|
||||
# We need one more vernaux entry
|
||||
ver_r_data += bytes(16)
|
||||
|
||||
p = 0
|
||||
offset = 0
|
||||
while True:
|
||||
need = Elf64_Verneed.from_buffer(memoryview(ver_r_data)[p: p + 16])
|
||||
filename = resolve_string(elf, dynstr, need.vn_file)
|
||||
need.vn_aux += offset
|
||||
if filename == b'libc.so.6':
|
||||
q = p + need.vn_aux
|
||||
for i in range(need.vn_cnt):
|
||||
aux = Elf64_Vernaux.from_buffer(memoryview(ver_r_data)[q: q + 16])
|
||||
ver = resolve_string(elf, dynstr, aux.vna_name)
|
||||
q += aux.vna_next
|
||||
need.vn_cnt += 1
|
||||
aux.vna_next = 16
|
||||
q += 16
|
||||
# Make space here
|
||||
ver_r_data[q + 16:] = ver_r_data[q:-16]
|
||||
aux = Elf64_Vernaux.from_buffer(memoryview(ver_r_data)[q: q + 16])
|
||||
aux.vna_hash = 0xfd0e42
|
||||
aux.vna_name = abi_dt_relr_off
|
||||
aux.vna_other = 3
|
||||
|
||||
# Shift the rest of the aux offsets
|
||||
offset = 16
|
||||
|
||||
if need.vn_next == 0:
|
||||
break
|
||||
p += need.vn_next
|
||||
|
||||
free_addr = (free_addr + 3) & ~3
|
||||
ver_r.sh_offset = free_addr
|
||||
ver_r.sh_addr = free_addr
|
||||
ver_r.sh_size = len(ver_r_data)
|
||||
elf[free_addr:free_addr + ver_r.sh_size] = ver_r_data
|
||||
free_addr += ver_r.sh_size
|
||||
|
||||
# Now fix the DYNAMIC section
|
||||
log(" Fixing up DYNAMIC section...")
|
||||
for p in range(phdr_dynamic.p_offset, phdr_dynamic.p_offset + phdr_dynamic.p_filesz, 16):
|
||||
dyn = Elf64_Dyn.from_buffer(memoryview(elf)[p: p + 16])
|
||||
if dyn.d_tag == D_TAG.DT_VERNEED:
|
||||
dyn.d_val = ver_r.sh_offset
|
||||
if dyn.d_tag == D_TAG.DT_STRTAB:
|
||||
dyn.d_val = dynstr.sh_offset
|
||||
|
||||
if not weakened_security:
|
||||
print()
|
||||
print("Good news! This CDM version supports your page size, so we didn't have")
|
||||
print("to weaken memory permissions. Rejoice!")
|
||||
else:
|
||||
print()
|
||||
print("It looks like you're running Asahi, or some other device with >4k page size.")
|
||||
print("This CDM only supports smaller page sizes, so we had to weaken memory")
|
||||
print("permissions to make it work.")
|
||||
|
||||
with open(args[1], "wb") as outfile:
|
||||
outfile.write(memoryview(elf)[:elf_length])
|
||||
|
Loading…
Reference in a new issue