# nixfiles/overlay/widevine-aarch64/widevine_fixup.py (446 lines, 15 KiB, Python)
#!/usr/bin/python3
"""
MIT License
Copyright (c) 2023 David Buchanan
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Original script:
https://gist.github.com/DavidBuchanan314/c6b97add51b97e4c3ee95dc890f9e3c8
"""
import sys

# --- Command-line handling -------------------------------------------------
# Accepts an optional leading "-v" (verbose) flag followed by exactly two
# positional arguments: the input and output shared objects.
verbose = False
args = sys.argv[1:]
if len(args) >= 1 and args[0] == "-v":
    verbose = True
    args = args[1:]
if len(args) != 2:
    # Usage errors must report failure: the original used bare exit(),
    # which exits with status 0 and prints the usage text to stdout.
    print(f"Usage: {sys.argv[0]} [-v] input.so output.so", file=sys.stderr)
    sys.exit(2)

def log(s):
    """Print diagnostic message ``s`` only when -v was given."""
    if verbose:
        print(s)
"""
Widevine fixup tool for aarch64 systems
Old aarch64 widevine builds currently only support 4k page sizes.
This script fixes that, by pre-padding the LOAD segments so that they meet
the alignment constraints required by the loader, and then fixing up the
relevant header offsets to keep the file valid.
It also injects two functions that are not exported from typical libgccs, into
the empty space at the end of the .text segment. This avoids any LD_PRELOAD
workarounds. (The injected functions are __aarch64_ldadd4_acq_rel
and __aarch64_swp4_acq_rel)
IMPORTANT NOTE: On systems with >4k page size (e.g. Apple Silicon devices),
using the resulting binary *significantly* weakens the security of your web
browser, in two ways. Firstly, it disables the RELRO security mitigation, and
secondly it creates a RWX mapping.
This script also adds the necessary GLIBC_ABI_DT_RELR version tag so that
current glibc versions can load the library without requiring any patches.
Newer Widevine versions do have 64K-aligned segments, and do not need the
padding process. They also do not have the same security implications, so
their use is recommended. However, we still adjust the segment offsets to open up
space for adding the missing functions, and to insert the GLIBC_ABI_DT_RELR
version.
This process is fragile, and may not work as-is on future revisions of widevine.
"""
import ctypes
import os
class Elf64_Ehdr(ctypes.Structure):
    """ELF64 file header, laid out per the System V gABI (64 bytes)."""
    _fields_ = [
        ("e_ident", ctypes.c_ubyte * 16),   # magic, class, data encoding, ABI
        ("e_type", ctypes.c_uint16),        # object file type (ET_DYN, ...)
        ("e_machine", ctypes.c_uint16),     # target architecture
        ("e_version", ctypes.c_uint32),     # object file version
        ("e_entry", ctypes.c_uint64),       # entry point vaddr
        ("e_phoff", ctypes.c_uint64),       # program header table file offset
        ("e_shoff", ctypes.c_uint64),       # section header table file offset
        ("e_flags", ctypes.c_uint32),       # processor-specific flags
        ("e_ehsize", ctypes.c_uint16),      # size of this header
        ("e_phentsize", ctypes.c_uint16),   # size of one program header
        ("e_phnum", ctypes.c_uint16),       # number of program headers
        ("e_shentsize", ctypes.c_uint16),   # size of one section header
        ("e_shnum", ctypes.c_uint16),       # number of section headers
        ("e_shstrndx", ctypes.c_uint16),    # index of section-name strtab
    ]
class Elf64_Phdr(ctypes.Structure):
    """ELF64 program (segment) header, 56 bytes."""
    _fields_ = [
        ("p_type", ctypes.c_uint32),    # segment kind (see class PT)
        ("p_flags", ctypes.c_uint32),   # permission bits (see class P_FLAGS)
        ("p_offset", ctypes.c_uint64),  # segment file offset
        ("p_vaddr", ctypes.c_uint64),   # segment virtual address
        ("p_paddr", ctypes.c_uint64),   # segment physical address (unused here)
        ("p_filesz", ctypes.c_uint64),  # bytes in the file image
        ("p_memsz", ctypes.c_uint64),   # bytes in the memory image
        ("p_align", ctypes.c_uint64),   # required alignment
    ]
class P_FLAGS:
    """Bit values for the p_flags field of a program header."""
    PF_X = 0x1                  # segment is executable
    PF_W = 0x2                  # segment is writable
    PF_R = 0x4                  # segment is readable
    PF_MASKOS = 0x00FF0000      # reserved for OS-specific semantics
    PF_MASKPROC = 0xFF000000    # reserved for processor-specific semantics
class PT:
    """Program header p_type values (standard plus GNU extensions)."""
    PT_NULL = 0
    PT_LOAD = 1
    PT_DYNAMIC = 2
    PT_INTERP = 3
    PT_NOTE = 4
    PT_SHLIB = 5
    PT_PHDR = 6
    PT_TLS = 7
    PT_LOOS = 0x60000000            # start of the OS-specific range
    PT_HIOS = 0x6fffffff            # end of the OS-specific range
    PT_GNU_EH_FRAME = 0x6474e550
    PT_GNU_STACK = 0x6474e551
    PT_GNU_RELRO = 0x6474e552       # read-only-after-relocation region
    PT_GNU_PROPERTY = 0x6474e553
class Elf64_Shdr(ctypes.Structure):
    """ELF64 section header, 64 bytes."""
    _fields_ = [
        ("sh_name", ctypes.c_uint32),       # offset into the shstrtab
        ("sh_type", ctypes.c_uint32),       # section kind
        ("sh_flags", ctypes.c_uint64),      # attribute flags
        ("sh_addr", ctypes.c_uint64),       # vaddr at execution
        ("sh_offset", ctypes.c_uint64),     # file offset of contents
        ("sh_size", ctypes.c_uint64),       # size in bytes
        ("sh_link", ctypes.c_uint32),       # related section index
        ("sh_info", ctypes.c_uint32),       # extra type-dependent info
        ("sh_addralign", ctypes.c_uint64),  # alignment constraint
        ("sh_entsize", ctypes.c_uint64),    # entry size for table sections
    ]
class Elf64_Sym(ctypes.Structure):
    """ELF64 symbol table entry, 24 bytes."""
    _fields_ = [
        ("st_name", ctypes.c_uint32),   # offset into .dynstr/.strtab
        ("st_info", ctypes.c_ubyte),    # binding (high nibble) | type (low)
        ("st_other", ctypes.c_ubyte),   # visibility
        ("st_shndx", ctypes.c_uint16),  # defining section index
        ("st_value", ctypes.c_uint64),  # symbol value / address
        ("st_size", ctypes.c_uint64),   # symbol size
    ]
class Elf64_Dyn(ctypes.Structure):
    """ELF64 dynamic-section entry (tag + value/pointer union), 16 bytes."""
    _fields_ = [
        ("d_tag", ctypes.c_uint64),  # entry kind (see class D_TAG)
        ("d_val", ctypes.c_uint64),  # union with d_ptr: integer or address
    ]
class D_TAG:
    """Dynamic-entry d_tag values. Deliberately incomplete — only the
    tags this script actually touches are listed."""
    DT_NULL = 0
    DT_NEEDED = 1
    DT_STRTAB = 5
    DT_SONAME = 14
    DT_VERNEED = 0x6ffffffe
class Elf64_Rela(ctypes.Structure):
    """ELF64 relocation entry with addend, 24 bytes.

    The standard 64-bit r_info field is split into its little-endian
    halves: low word = relocation type, high word = symbol index.
    """
    _fields_ = [
        ("r_offset", ctypes.c_uint64),  # where to apply the relocation
        ("r_type", ctypes.c_uint32),    # ELF64_R_TYPE(r_info)
        ("r_symbol", ctypes.c_uint32),  # ELF64_R_SYM(r_info)
        ("r_addend", ctypes.c_int64),   # constant addend
    ]
class Elf64_Verneed(ctypes.Structure):
    """ELF version-dependency record (.gnu.version_r), 16 bytes."""
    _fields_ = [
        ("vn_version", ctypes.c_uint16),  # structure version (1)
        ("vn_cnt", ctypes.c_uint16),      # number of vernaux entries
        ("vn_file", ctypes.c_uint32),     # .dynstr offset of the file name
        ("vn_aux", ctypes.c_uint32),      # byte offset to first vernaux
        ("vn_next", ctypes.c_uint32),     # byte offset to next verneed, 0 = last
    ]
class Elf64_Vernaux(ctypes.Structure):
    """ELF auxiliary version-needed record (one required version), 16 bytes."""
    _fields_ = [
        ("vna_hash", ctypes.c_uint32),   # ELF hash of the version name
        ("vna_flags", ctypes.c_uint16),  # version flags
        ("vna_other", ctypes.c_uint16),  # version index used in .gnu.version
        ("vna_name", ctypes.c_uint32),   # .dynstr offset of the version name
        ("vna_next", ctypes.c_uint32),   # byte offset to next vernaux, 0 = last
    ]
# Page size of the system the output must run on; override via environment.
TARGET_PAGE_SIZE = int(os.getenv("TARGET_PAGE_SIZE", "4096"))

# Only pages larger than 4K require the padding/permission workarounds
# that weaken security.
WEAKEN_SECURITY = TARGET_PAGE_SIZE > 4096

# File offset at which the helper code ends up (filled in later).
inject_addr = None
# Flipped to True the moment any mitigation is disabled.
weakened_security = False

# Hand-assembled aarch64 for the two libgcc atomics helpers we inject:
#
#   __aarch64_ldadd4_acq_rel:
#       mov   w2, w0
#   1:  ldaxr w0, [x1]
#       add   w3, w0, w2
#       stlxr w4, w3, [x1]
#       cbnz  w4, 1b
#       ret
#
#   __aarch64_swp4_acq_rel:          (starts 24 bytes / 6 insns in)
#       mov   w2, w0
#   1:  ldaxr w0, [x1]
#       stlxr w3, w2, [x1]
#       cbnz  w3, 1b
#       ret
injected_code = bytes.fromhex(
    "e203002a20fc5f880300020b23fc0488a4ffff35c0035fd6"  # __aarch64_ldadd4_acq_rel
    "e203002a20fc5f8822fc0388c3ffff35c0035fd6"          # __aarch64_swp4_acq_rel
)
# Read the entire input library into a mutable buffer.
with open(args[0], "rb") as infile:
    elf = bytearray(infile.read())

print(f"Fixing up ChromeOS Widevine CDM module for Linux compatibility...")

# Logical length of the output file; grows as padding is inserted.
elf_length = len(elf)
elf += bytearray(0x100000) # pre-expand the buffer by more than enough

# Parse the ELF header and program header table IN PLACE: from_buffer
# creates ctypes views into `elf`, so assigning to their fields patches
# the underlying bytes directly.
ehdr = Elf64_Ehdr.from_buffer(elf)
phdrs = [
    Elf64_Phdr.from_buffer(memoryview(elf)[ehdr.e_phoff + i * ehdr.e_phentsize:])
    for i in range(ehdr.e_phnum)
]
# (insertion_offset, byte_delta) pairs for every padding insertion made so
# far, recorded in file order.
adjustments = []

def adjust_offset(x):
    """Translate original file offset ``x`` to its post-insertion location.

    The deltas are applied sequentially: each shift updates the running
    offset before it is compared against the next insertion point, so the
    order of ``adjustments`` matters.
    """
    for insert_point, delta in adjustments:
        if x >= insert_point:
            x += delta
    return x
def align(a, b):
    """Round ``a`` up to the next multiple of ``b`` (``b`` must be a
    power of two)."""
    mask = b - 1
    return (a + mask) & ~mask
# Walk the program headers, inserting padding before any LOAD segment whose
# file offset is not congruent with its vaddr modulo the target page size,
# and fixing up every offset shifted in the process.
prev = None           # previous PT_LOAD header seen
remove_relro = False  # set once a segment was weakened; RELRO must then go too
for phdr in phdrs:
    # Earlier insertions have shifted everything that follows them.
    phdr.p_offset = adjust_offset(phdr.p_offset)
    if phdr.p_type == PT.PT_DYNAMIC:
        # Remembered for the DYNAMIC fixup pass at the end of the script.
        phdr_dynamic = phdr
    if phdr.p_type == PT.PT_LOAD:
        if phdr.p_align < TARGET_PAGE_SIZE:
            phdr.p_align = TARGET_PAGE_SIZE
        # Loader constraint: p_offset ≡ p_vaddr (mod p_align).
        delta_needed = (phdr.p_vaddr - phdr.p_offset) % phdr.p_align
        skip_perms_hack = False
        if phdr.p_vaddr != phdr.p_offset and not inject_addr:
            # Newer CDM versions use 64K alignment, so no longer require this hack.
            # However, we still need space to inject the code & modified headers, so
            # we might as well still do it. Padding out the full vaddr-offset gap
            # makes offset == vaddr for this and (after shifting) later segments.
            delta_needed = phdr.p_vaddr - phdr.p_offset
            skip_perms_hack = True
        if delta_needed:
            log(f" Inserting {hex(delta_needed)} bytes at offset {hex(phdr.p_offset)}")
            if not inject_addr:
                # First insertion: lead the padding with the helper code.
                pad_bytes = injected_code + bytes(delta_needed - len(injected_code))
                inject_addr = phdr.p_offset
                log(f" Also injecting code at offset {hex(phdr.p_offset)}")
            else:
                pad_bytes = bytes(delta_needed)
            # Shift the file tail up by delta_needed; the buffer was
            # pre-expanded, so the same amount is trimmed off the end.
            elf[phdr.p_offset:] = pad_bytes + elf[phdr.p_offset:-delta_needed]
            adjustments.append((phdr.p_offset, delta_needed))
            elf_length += delta_needed
            phdr.p_offset += delta_needed
            # Load the injected bytes up to the align size as part of the previous phdr
            align_off = align(prev.p_vaddr + prev.p_filesz, prev.p_align) - prev.p_vaddr - prev.p_filesz
            # This could fail if we get unlucky, let's hope not
            assert align_off >= len(injected_code)
            prev.p_filesz += min(delta_needed, align_off)
            prev.p_memsz += min(delta_needed, align_off)
            if WEAKEN_SECURITY and not skip_perms_hack:
                phdr.p_flags |= P_FLAGS.PF_X # XXX: this is a hack!!! (at the very least, we should apply it only to the mappings that need it)
                remove_relro = True
                weakened_security = True
        prev = phdr
    if WEAKEN_SECURITY and remove_relro and phdr.p_type == PT.PT_GNU_RELRO:
        print(" Neutering relro") # XXX: relro is a security mechanism
        phdr.p_type = PT.PT_NOTE
        weakened_security = True
# If no LOAD segment needed padding, nothing was injected yet: append the
# helper code past the logical end of the file (word-aligned) and reserve
# generous room for the sections relocated below.
if inject_addr is None:
    inject_addr = (elf_length + 3) & ~3
    elf[inject_addr: inject_addr + len(injected_code)] = injected_code
    elf_length += 0x10000
# First free byte after the injected helpers; .dynstr and .gnu.version_r
# copies are placed starting here.
free_addr = inject_addr + len(injected_code)

# the section headers have moved
ehdr.e_shoff = adjust_offset(ehdr.e_shoff)
shdrs = [
    Elf64_Shdr.from_buffer(memoryview(elf)[ehdr.e_shoff + i * ehdr.e_shentsize:])
    for i in range(ehdr.e_shnum)
]
for shdr in shdrs:
    shdr.sh_offset = adjust_offset(shdr.sh_offset)

# Section-name string table, used to resolve section names below.
strtab = shdrs[ehdr.e_shstrndx]
def resolve_string(elf, strtab, stridx, count=False):
    """Fetch a NUL-terminated byte string from string table ``strtab``.

    With count=False, ``stridx`` is a byte offset into the table (the usual
    ELF convention). With count=True, ``stridx`` is an ordinal: that many
    NUL-terminated strings are skipped from the table start first.
    """
    if count:
        pos = strtab.sh_offset
        for _ in range(stridx):
            pos = elf.index(b"\0", pos) + 1
    else:
        pos = strtab.sh_offset + stridx
    terminator = elf.index(b"\0", pos)
    return bytes(elf[pos:terminator])
# Index the section headers by name for convenient lookup.
shdr_by_name = {
    resolve_string(elf, strtab, shdr.sh_name): shdr
    for shdr in shdrs
}

# Mark the two atomics helpers as weakly bound in .dynsym.
# XXX: unfortunately this does not do anything useful!
# It doesn't hurt either, so I'm leaving it here just in case.
dynsym = shdr_by_name[b".dynsym"]
dynstr = shdr_by_name[b".dynstr"]
for i in range(0, dynsym.sh_size, dynsym.sh_entsize):
    sym = Elf64_Sym.from_buffer(memoryview(elf)[dynsym.sh_offset + i:])
    name = resolve_string(elf, dynstr, sym.st_name)
    if name in [b"__aarch64_ldadd4_acq_rel", b"__aarch64_swp4_acq_rel"]:
        log(f" Weak binding {name}")
        # Keep the type nibble, replace the binding nibble with STB_WEAK (2).
        sym.st_info = (sym.st_info & 0x0f) | (2 << 4) # STB_WEAK
"""
dynamic = shdr_by_name[b".dynamic"]
for i in range(0, dynamic.sh_size, dynamic.sh_entsize):
dyn = Elf64_Dyn.from_buffer(memoryview(elf)[dynamic.sh_offset + i:])
if dyn.d_tag == D_TAG.DT_SONAME:
print("hijacking SONAME tag to point to NEEDED libgcc_hide.so")
dyn.d_tag = D_TAG.DT_NEEDED
dyn.d_val = inject_addr - dynstr.sh_offset
dynstr.sh_size = (inject_addr - dynstr.sh_offset) + len(PATH_TO_INJECT) + 1
"""
rela_plt = shdr_by_name[b".rela.plt"]
for i in range(0, rela_plt.sh_size, rela_plt.sh_entsize):
rela = Elf64_Rela.from_buffer(memoryview(elf)[rela_plt.sh_offset + i:])
sym = resolve_string(elf, dynstr, rela.r_symbol, count=True)
if sym in [b"__aarch64_ldadd4_acq_rel", b"__aarch64_swp4_acq_rel"]:
log(f" Modifying {sym} plt reloc to point into injected code")
rela.r_type = 1027 # R_AARCH64_RELATIVE
rela.r_addend = inject_addr
if sym == b"__aarch64_swp4_acq_rel":
rela.r_addend += 6*4
# Move the dynstr section to the hole and add the missing GLIBC_ABI_DT_RELR
log(" Moving .dynstr to free space and adding GLIBC_ABI_DT_RELR...")
free_addr = (free_addr + 3) & ~3  # keep 4-byte alignment
dynstr = shdr_by_name[b".dynstr"]
dynstr_data = elf[dynstr.sh_offset:dynstr.sh_offset + dynstr.sh_size]
# Offset of the new version-name string within the grown table.
abi_dt_relr_off = len(dynstr_data)
dynstr_data += b"GLIBC_ABI_DT_RELR\0"
# NOTE(review): sh_addr is set to the file offset — this relies on the
# injected region having vaddr == offset after the padding pass; confirm.
dynstr.sh_offset = free_addr
dynstr.sh_addr = free_addr
dynstr.sh_size = len(dynstr_data)
elf[free_addr:free_addr + dynstr.sh_size] = dynstr_data
free_addr += dynstr.sh_size
log(" Moving .gnu.version_r to free space and adding GLIBC_ABI_DT_RELR...")
ver_r = shdr_by_name[b".gnu.version_r"]
ver_r_data = elf[ver_r.sh_offset:ver_r.sh_offset + ver_r.sh_size]
# We need one more vernaux entry
ver_r_data += bytes(16)
p = 0
offset = 0
while True:
need = Elf64_Verneed.from_buffer(memoryview(ver_r_data)[p: p + 16])
filename = resolve_string(elf, dynstr, need.vn_file)
need.vn_aux += offset
if filename == b'libc.so.6':
q = p + need.vn_aux
for i in range(need.vn_cnt):
aux = Elf64_Vernaux.from_buffer(memoryview(ver_r_data)[q: q + 16])
ver = resolve_string(elf, dynstr, aux.vna_name)
q += aux.vna_next
need.vn_cnt += 1
aux.vna_next = 16
q += 16
# Make space here
ver_r_data[q + 16:] = ver_r_data[q:-16]
aux = Elf64_Vernaux.from_buffer(memoryview(ver_r_data)[q: q + 16])
aux.vna_hash = 0xfd0e42
aux.vna_name = abi_dt_relr_off
aux.vna_other = 3
# Shift the rest of the aux offsets
offset = 16
if need.vn_next == 0:
break
p += need.vn_next
free_addr = (free_addr + 3) & ~3
ver_r.sh_offset = free_addr
ver_r.sh_addr = free_addr
ver_r.sh_size = len(ver_r_data)
elf[free_addr:free_addr + ver_r.sh_size] = ver_r_data
free_addr += ver_r.sh_size
# Now fix the DYNAMIC section: point it at the relocated tables so the
# dynamic loader finds them at their new addresses.
log(" Fixing up DYNAMIC section...")
for p in range(phdr_dynamic.p_offset, phdr_dynamic.p_offset + phdr_dynamic.p_filesz, 16):
    dyn = Elf64_Dyn.from_buffer(memoryview(elf)[p: p + 16])
    if dyn.d_tag == D_TAG.DT_VERNEED:
        # d_val is the pointer union; file offset doubles as vaddr here
        # (same layout assumption as the section moves above).
        dyn.d_val = ver_r.sh_offset
    if dyn.d_tag == D_TAG.DT_STRTAB:
        dyn.d_val = dynstr.sh_offset
# Report the security outcome, then write out the patched module.
if not weakened_security:
    print()
    print("Good news! This CDM version supports your page size, so we didn't have")
    print("to weaken memory permissions. Rejoice!")
else:
    print()
    print("It looks like you're running Asahi, or some other device with >4k page size.")
    print("This CDM only supports smaller page sizes, so we had to weaken memory")
    print("permissions to make it work.")
with open(args[1], "wb") as outfile:
    # Only the logical length is written; the pre-expanded slack is dropped.
    outfile.write(memoryview(elf)[:elf_length])