446 lines
15 KiB
Python
446 lines
15 KiB
Python
#!/usr/bin/python3
|
|
|
|
"""
|
|
MIT License
|
|
|
|
Copyright (c) 2023 David Buchanan
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
in the Software without restriction, including without limitation the rights
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
The above copyright notice and this permission notice shall be included in all
|
|
copies or substantial portions of the Software.
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
SOFTWARE.
|
|
|
|
Original script:
|
|
https://gist.github.com/DavidBuchanan314/c6b97add51b97e4c3ee95dc890f9e3c8
|
|
"""
|
|
|
|
import sys
|
|
|
|
verbose = False
|
|
args = sys.argv[1:]
|
|
if len(args) >= 1 and args[0] == "-v":
|
|
verbose = True
|
|
args = args[1:]
|
|
|
|
if len(args) != 2:
|
|
print(f"Usage: {sys.argv[0]} [-v] input.so output.so")
|
|
exit()
|
|
|
|
def log(s):
|
|
if verbose:
|
|
print(s)
|
|
|
|
"""
|
|
Widevine fixup tool for aarch64 systems
|
|
|
|
Old aarch64 widevine builds currently only support 4k page sizes.
|
|
|
|
This script fixes that, by pre-padding the LOAD segments so that they meet
|
|
the alignment constraints required by the loader, and then fixing up the
|
|
relevant header offsets to keep the file valid.
|
|
|
|
It also injects two functions that are not exported from typical libgccs, into
|
|
the empty space at the end of the .text segment. This avoids any LD_PRELOAD
|
|
workarounds. (The injected functions are __aarch64_ldadd4_acq_rel
|
|
and __aarch64_swp4_acq_rel)
|
|
|
|
IMPORTANT NOTE: On systems with >4k page size (e.g. Apple Silicon devices),
|
|
using the resulting binary *significantly* weakens the security of your web
|
|
browser, in two ways. Firstly, it disables the RELRO security mitigation, and
|
|
secondly it creates a RWX mapping.
|
|
|
|
This script also adds the necessary GLIBC_ABI_DT_RELR version tag so that
|
|
current glibc versions can load the library without requiring any patches.
|
|
|
|
Newer Widevine versions do have 64K aligned segments, and do not need the
|
|
padding process. They also do not have the same security implications, so its
|
|
use is recommended. However, we still adjust the segment offsets to open up
|
|
space for adding the missing functions, and to insert the GLIBC_ABI_DT_RELR
|
|
version.
|
|
|
|
This process is fragile, and may not work as-is on future revisions of widevine.
|
|
"""
|
|
|
|
import ctypes
|
|
import os
|
|
|
|
class Elf64_Ehdr(ctypes.Structure):
|
|
_fields_ = [
|
|
('e_ident', ctypes.c_ubyte * 16),
|
|
('e_type', ctypes.c_uint16),
|
|
('e_machine', ctypes.c_uint16),
|
|
('e_version', ctypes.c_uint32),
|
|
('e_entry', ctypes.c_uint64),
|
|
('e_phoff', ctypes.c_uint64),
|
|
('e_shoff', ctypes.c_uint64),
|
|
('e_flags', ctypes.c_uint32),
|
|
('e_ehsize', ctypes.c_uint16),
|
|
('e_phentsize', ctypes.c_uint16),
|
|
('e_phnum', ctypes.c_uint16),
|
|
('e_shentsize', ctypes.c_uint16),
|
|
('e_shnum', ctypes.c_uint16),
|
|
('e_shstrndx', ctypes.c_uint16),
|
|
]
|
|
|
|
class Elf64_Phdr(ctypes.Structure):
|
|
_fields_ = [
|
|
('p_type', ctypes.c_uint32),
|
|
('p_flags', ctypes.c_uint32),
|
|
('p_offset', ctypes.c_uint64),
|
|
('p_vaddr', ctypes.c_uint64),
|
|
('p_paddr', ctypes.c_uint64),
|
|
('p_filesz', ctypes.c_uint64),
|
|
('p_memsz', ctypes.c_uint64),
|
|
('p_align', ctypes.c_uint64),
|
|
]
|
|
|
|
class P_FLAGS:
|
|
""" Flag values for the p_flags field of program headers
|
|
"""
|
|
PF_X=0x1
|
|
PF_W=0x2
|
|
PF_R=0x4
|
|
PF_MASKOS=0x00FF0000
|
|
PF_MASKPROC=0xFF000000
|
|
|
|
class PT:
|
|
PT_NULL=0
|
|
PT_LOAD=1
|
|
PT_DYNAMIC=2
|
|
PT_INTERP=3
|
|
PT_NOTE=4
|
|
PT_SHLIB=5
|
|
PT_PHDR=6
|
|
PT_TLS=7
|
|
PT_LOOS=0x60000000
|
|
PT_HIOS=0x6fffffff
|
|
|
|
PT_GNU_EH_FRAME=0x6474e550
|
|
PT_GNU_STACK=0x6474e551
|
|
PT_GNU_RELRO=0x6474e552
|
|
PT_GNU_PROPERTY=0x6474e553
|
|
|
|
class Elf64_Shdr(ctypes.Structure):
|
|
_fields_ = [
|
|
('sh_name', ctypes.c_uint32),
|
|
('sh_type', ctypes.c_uint32),
|
|
('sh_flags', ctypes.c_uint64),
|
|
('sh_addr', ctypes.c_uint64),
|
|
('sh_offset', ctypes.c_uint64),
|
|
('sh_size', ctypes.c_uint64),
|
|
('sh_link', ctypes.c_uint32),
|
|
('sh_info', ctypes.c_uint32),
|
|
('sh_addralign', ctypes.c_uint64),
|
|
('sh_entsize', ctypes.c_uint64),
|
|
]
|
|
|
|
class Elf64_Sym(ctypes.Structure):
|
|
_fields_ = [
|
|
('st_name', ctypes.c_uint32),
|
|
('st_info', ctypes.c_ubyte),
|
|
('st_other', ctypes.c_ubyte),
|
|
('st_shndx', ctypes.c_uint16),
|
|
('st_value', ctypes.c_uint64),
|
|
('st_size', ctypes.c_uint64),
|
|
]
|
|
|
|
class Elf64_Dyn(ctypes.Structure):
|
|
_fields_ = [
|
|
('d_tag', ctypes.c_uint64),
|
|
('d_val', ctypes.c_uint64), # union with d_ptr
|
|
]
|
|
|
|
class D_TAG: # XXX: this is very incomplete
|
|
DT_NULL=0
|
|
DT_NEEDED=1
|
|
DT_STRTAB=5
|
|
DT_SONAME=14
|
|
DT_VERNEED=0x6ffffffe
|
|
|
|
class Elf64_Rela(ctypes.Structure):
|
|
_fields_ = [
|
|
('r_offset', ctypes.c_uint64),
|
|
#('r_info', ctypes.c_uint64),
|
|
('r_type', ctypes.c_uint32),
|
|
('r_symbol', ctypes.c_uint32),
|
|
('r_addend', ctypes.c_int64),
|
|
]
|
|
|
|
class Elf64_Verneed(ctypes.Structure):
|
|
_fields_ = [
|
|
('vn_version', ctypes.c_uint16),
|
|
('vn_cnt', ctypes.c_uint16),
|
|
('vn_file', ctypes.c_uint32),
|
|
('vn_aux', ctypes.c_uint32),
|
|
('vn_next', ctypes.c_uint32),
|
|
]
|
|
|
|
class Elf64_Vernaux(ctypes.Structure):
|
|
_fields_ = [
|
|
('vna_hash', ctypes.c_uint32),
|
|
('vna_flags', ctypes.c_uint16),
|
|
('vna_other', ctypes.c_uint16),
|
|
('vna_name', ctypes.c_uint32),
|
|
('vna_next', ctypes.c_uint32),
|
|
]
|
|
|
|
|
|
|
|
TARGET_PAGE_SIZE = int(os.getenv("TARGET_PAGE_SIZE", default = 4096))
|
|
WEAKEN_SECURITY = TARGET_PAGE_SIZE > 4096
|
|
inject_addr = None
|
|
|
|
weakened_security = False
|
|
|
|
"""
|
|
0000000000000b24 <__aarch64_ldadd4_acq_rel>:
|
|
b24: 2a0003e2 mov w2, w0
|
|
b28: 885ffc20 ldaxr w0, [x1]
|
|
b2c: 0b020003 add w3, w0, w2
|
|
b30: 8804fc23 stlxr w4, w3, [x1]
|
|
b34: 35ffffa4 cbnz w4, b28 <__aarch64_ldadd4_acq_rel+0x4>
|
|
b38: d65f03c0 ret
|
|
|
|
0000000000000b3c <__aarch64_swp4_acq_rel>:
|
|
b3c: 2a0003e2 mov w2, w0
|
|
b40: 885ffc20 ldaxr w0, [x1]
|
|
b44: 8803fc22 stlxr w3, w2, [x1]
|
|
b48: 35ffffc3 cbnz w3, b40 <__aarch64_swp4_acq_rel+0x4>
|
|
b4c: d65f03c0 ret
|
|
"""
|
|
|
|
injected_code = bytes.fromhex("e203002a20fc5f880300020b23fc0488a4ffff35c0035fd6e203002a20fc5f8822fc0388c3ffff35c0035fd6")
|
|
|
|
with open(args[0], "rb") as infile:
|
|
elf = bytearray(infile.read())
|
|
|
|
print(f"Fixing up ChromeOS Widevine CDM module for Linux compatibility...")
|
|
|
|
elf_length = len(elf)
|
|
elf += bytearray(0x100000) # pre-expand the buffer by more than enough
|
|
|
|
ehdr = Elf64_Ehdr.from_buffer(elf)
|
|
|
|
phdrs = [
|
|
Elf64_Phdr.from_buffer(memoryview(elf)[ehdr.e_phoff + i * ehdr.e_phentsize:])
|
|
for i in range(ehdr.e_phnum)
|
|
]
|
|
|
|
adjustments = []
|
|
|
|
def adjust_offset(x):
|
|
for index, delta in adjustments:
|
|
if x >= index:
|
|
x += delta
|
|
return x
|
|
|
|
def align(a, b):
|
|
return (a + b - 1) & ~(b - 1)
|
|
|
|
prev = None
|
|
remove_relro = False
|
|
for phdr in phdrs:
|
|
phdr.p_offset = adjust_offset(phdr.p_offset)
|
|
if phdr.p_type == PT.PT_DYNAMIC:
|
|
phdr_dynamic = phdr
|
|
if phdr.p_type == PT.PT_LOAD:
|
|
if phdr.p_align < TARGET_PAGE_SIZE:
|
|
phdr.p_align = TARGET_PAGE_SIZE
|
|
delta_needed = (phdr.p_vaddr - phdr.p_offset) % phdr.p_align
|
|
skip_perms_hack = False
|
|
if phdr.p_vaddr != phdr.p_offset and not inject_addr:
|
|
# Newer CDM versions use 64K alignment, so no longer require this hack.
|
|
# However, we still need space to inject the code & modified headers, so
|
|
# we might as well still do it.
|
|
delta_needed = phdr.p_vaddr - phdr.p_offset
|
|
skip_perms_hack = True
|
|
if delta_needed:
|
|
log(f" Inserting {hex(delta_needed)} bytes at offset {hex(phdr.p_offset)}")
|
|
if not inject_addr:
|
|
pad_bytes = injected_code + bytes(delta_needed - len(injected_code))
|
|
inject_addr = phdr.p_offset
|
|
log(f" Also injecting code at offset {hex(phdr.p_offset)}")
|
|
else:
|
|
pad_bytes = bytes(delta_needed)
|
|
elf[phdr.p_offset:] = pad_bytes + elf[phdr.p_offset:-delta_needed]
|
|
adjustments.append((phdr.p_offset, delta_needed))
|
|
elf_length += delta_needed
|
|
phdr.p_offset += delta_needed
|
|
|
|
# Load the injected bytes up to the align size as part of the previous phdr
|
|
align_off = align(prev.p_vaddr + prev.p_filesz, prev.p_align) - prev.p_vaddr - prev.p_filesz
|
|
# This could fail if we get unlucky, let's hope not
|
|
assert align_off >= len(injected_code)
|
|
prev.p_filesz += min(delta_needed, align_off)
|
|
prev.p_memsz += min(delta_needed, align_off)
|
|
|
|
if WEAKEN_SECURITY and not skip_perms_hack:
|
|
phdr.p_flags |= P_FLAGS.PF_X # XXX: this is a hack!!! (at the very least, we should apply it only to the mappings that need it)
|
|
remove_relro = True
|
|
weakened_security = True
|
|
prev = phdr
|
|
|
|
if WEAKEN_SECURITY and remove_relro and phdr.p_type == PT.PT_GNU_RELRO:
|
|
print(" Neutering relro") # XXX: relro is a security mechanism
|
|
phdr.p_type = PT.PT_NOTE
|
|
weakened_security = True
|
|
|
|
if inject_addr is None:
|
|
inject_addr = (elf_length + 3) & ~3
|
|
elf[inject_addr: inject_addr + len(injected_code)] = injected_code
|
|
elf_length += 0x10000
|
|
|
|
|
|
free_addr = inject_addr + len(injected_code)
|
|
# the section headers have moved
|
|
ehdr.e_shoff = adjust_offset(ehdr.e_shoff)
|
|
|
|
shdrs = [
|
|
Elf64_Shdr.from_buffer(memoryview(elf)[ehdr.e_shoff + i * ehdr.e_shentsize:])
|
|
for i in range(ehdr.e_shnum)
|
|
]
|
|
|
|
for shdr in shdrs:
|
|
shdr.sh_offset = adjust_offset(shdr.sh_offset)
|
|
|
|
strtab = shdrs[ehdr.e_shstrndx]
|
|
|
|
def resolve_string(elf, strtab, stridx, count=False):
|
|
if count:
|
|
str_start = strtab.sh_offset
|
|
for _ in range(stridx):
|
|
str_start = elf.index(b"\0", str_start) + 1
|
|
else:
|
|
str_start = strtab.sh_offset + stridx
|
|
str_end = elf.index(b"\0", str_start)
|
|
return bytes(elf[str_start:str_end])
|
|
|
|
shdr_by_name = {
|
|
resolve_string(elf, strtab, shdr.sh_name): shdr
|
|
for shdr in shdrs
|
|
}
|
|
|
|
# XXX: unfortunately this does not do anything useful!
|
|
# It doesn't hurt either, so I'm leaving it here just in case.
|
|
dynsym = shdr_by_name[b".dynsym"]
|
|
dynstr = shdr_by_name[b".dynstr"]
|
|
for i in range(0, dynsym.sh_size, dynsym.sh_entsize):
|
|
sym = Elf64_Sym.from_buffer(memoryview(elf)[dynsym.sh_offset + i:])
|
|
name = resolve_string(elf, dynstr, sym.st_name)
|
|
if name in [b"__aarch64_ldadd4_acq_rel", b"__aarch64_swp4_acq_rel"]:
|
|
log(f" Weak binding {name}")
|
|
sym.st_info = (sym.st_info & 0x0f) | (2 << 4) # STB_WEAK
|
|
|
|
"""
|
|
dynamic = shdr_by_name[b".dynamic"]
|
|
for i in range(0, dynamic.sh_size, dynamic.sh_entsize):
|
|
dyn = Elf64_Dyn.from_buffer(memoryview(elf)[dynamic.sh_offset + i:])
|
|
if dyn.d_tag == D_TAG.DT_SONAME:
|
|
print("hijacking SONAME tag to point to NEEDED libgcc_hide.so")
|
|
dyn.d_tag = D_TAG.DT_NEEDED
|
|
dyn.d_val = inject_addr - dynstr.sh_offset
|
|
dynstr.sh_size = (inject_addr - dynstr.sh_offset) + len(PATH_TO_INJECT) + 1
|
|
"""
|
|
|
|
rela_plt = shdr_by_name[b".rela.plt"]
|
|
for i in range(0, rela_plt.sh_size, rela_plt.sh_entsize):
|
|
rela = Elf64_Rela.from_buffer(memoryview(elf)[rela_plt.sh_offset + i:])
|
|
sym = resolve_string(elf, dynstr, rela.r_symbol, count=True)
|
|
if sym in [b"__aarch64_ldadd4_acq_rel", b"__aarch64_swp4_acq_rel"]:
|
|
log(f" Modifying {sym} plt reloc to point into injected code")
|
|
rela.r_type = 1027 # R_AARCH64_RELATIVE
|
|
rela.r_addend = inject_addr
|
|
if sym == b"__aarch64_swp4_acq_rel":
|
|
rela.r_addend += 6*4
|
|
|
|
# Move the dynstr section to the hole and add the missing GLIBC_ABI_DT_RELR
|
|
log(" Moving .dynstr to free space and adding GLIBC_ABI_DT_RELR...")
|
|
free_addr = (free_addr + 3) & ~3
|
|
dynstr = shdr_by_name[b".dynstr"]
|
|
dynstr_data = elf[dynstr.sh_offset:dynstr.sh_offset + dynstr.sh_size]
|
|
abi_dt_relr_off = len(dynstr_data)
|
|
dynstr_data += b"GLIBC_ABI_DT_RELR\0"
|
|
dynstr.sh_offset = free_addr
|
|
dynstr.sh_addr = free_addr
|
|
dynstr.sh_size = len(dynstr_data)
|
|
elf[free_addr:free_addr + dynstr.sh_size] = dynstr_data
|
|
free_addr += dynstr.sh_size
|
|
|
|
log(" Moving .gnu.version_r to free space and adding GLIBC_ABI_DT_RELR...")
|
|
ver_r = shdr_by_name[b".gnu.version_r"]
|
|
ver_r_data = elf[ver_r.sh_offset:ver_r.sh_offset + ver_r.sh_size]
|
|
# We need one more vernaux entry
|
|
ver_r_data += bytes(16)
|
|
|
|
p = 0
|
|
offset = 0
|
|
while True:
|
|
need = Elf64_Verneed.from_buffer(memoryview(ver_r_data)[p: p + 16])
|
|
filename = resolve_string(elf, dynstr, need.vn_file)
|
|
need.vn_aux += offset
|
|
if filename == b'libc.so.6':
|
|
q = p + need.vn_aux
|
|
for i in range(need.vn_cnt):
|
|
aux = Elf64_Vernaux.from_buffer(memoryview(ver_r_data)[q: q + 16])
|
|
ver = resolve_string(elf, dynstr, aux.vna_name)
|
|
q += aux.vna_next
|
|
need.vn_cnt += 1
|
|
aux.vna_next = 16
|
|
q += 16
|
|
# Make space here
|
|
ver_r_data[q + 16:] = ver_r_data[q:-16]
|
|
aux = Elf64_Vernaux.from_buffer(memoryview(ver_r_data)[q: q + 16])
|
|
aux.vna_hash = 0xfd0e42
|
|
aux.vna_name = abi_dt_relr_off
|
|
aux.vna_other = 3
|
|
|
|
# Shift the rest of the aux offsets
|
|
offset = 16
|
|
|
|
if need.vn_next == 0:
|
|
break
|
|
p += need.vn_next
|
|
|
|
free_addr = (free_addr + 3) & ~3
|
|
ver_r.sh_offset = free_addr
|
|
ver_r.sh_addr = free_addr
|
|
ver_r.sh_size = len(ver_r_data)
|
|
elf[free_addr:free_addr + ver_r.sh_size] = ver_r_data
|
|
free_addr += ver_r.sh_size
|
|
|
|
# Now fix the DYNAMIC section
|
|
log(" Fixing up DYNAMIC section...")
|
|
for p in range(phdr_dynamic.p_offset, phdr_dynamic.p_offset + phdr_dynamic.p_filesz, 16):
|
|
dyn = Elf64_Dyn.from_buffer(memoryview(elf)[p: p + 16])
|
|
if dyn.d_tag == D_TAG.DT_VERNEED:
|
|
dyn.d_val = ver_r.sh_offset
|
|
if dyn.d_tag == D_TAG.DT_STRTAB:
|
|
dyn.d_val = dynstr.sh_offset
|
|
|
|
if not weakened_security:
|
|
print()
|
|
print("Good news! This CDM version supports your page size, so we didn't have")
|
|
print("to weaken memory permissions. Rejoice!")
|
|
else:
|
|
print()
|
|
print("It looks like you're running Asahi, or some other device with >4k page size.")
|
|
print("This CDM only supports smaller page sizes, so we had to weaken memory")
|
|
print("permissions to make it work.")
|
|
|
|
with open(args[1], "wb") as outfile:
|
|
outfile.write(memoryview(elf)[:elf_length])
|
|
|