patcher: Sort code, add remove and repatch function.

Author: sunflower2333

CMakeLists.txt

@@ -1,10 +1,14 @@
-cmake_minimum_required(VERSION 3.27)
+cmake_minimum_required(VERSION 3.18)
 project(DualBootKernelPatcher C)
 
 set(CMAKE_C_STANDARD 11)
+if (CMAKE_HOST_SYSTEM_NAME STREQUAL "Linux")
+    set(CMAKE_EXE_LINKER_FLAGS "-static")
+endif ()
 
 # Compile the patcher.
-add_executable(DualBootKernelPatcher patcher.c)
+add_executable(DualBootKernelPatcher patcher.c utils.c)
+add_executable(DualBootPatchRemover remover.c utils.c)
 
 # Compile Shell Codes with aarch64 gcc.
 add_subdirectory(ShellCode)

patcher.c

@@ -12,12 +12,8 @@
  *  MIT License
  *
  */
-#include <stdio.h>
-#include <malloc.h>
-#include <string.h>
-#include <stdint.h>
-#include <errno.h>
-#include "patcher.h"
+
+#include "utils.h"
 
 /**
  * The main function will check and read given files,
@@ -31,7 +27,7 @@
  */
 int main(int argc, char *argv[]) {
     // Print hello message.
-    printf("WOA-msmnile DualBoot Kernel Image Patcher v1.1.0.0\n");
+    printf("WOA-msmnile DualBoot Kernel Image Patcher v1.2.0.0\n");
     printf("Copyright (c) 2021-2024 The DuoWoA authors\n\n");
     if (argc != 6) {
         // Print usage if arg numbers not meet.
@@ -96,92 +92,7 @@ int main(int argc, char *argv[]) {
 
     // Print end message.
     printf("Image successfully patched.\n");
-    printf("Please find the newly made kernel image at %s.\n", outputImage.filePath);
-    return 0;
-}
-
-/**
- * Get file size based on given fileContent.
- *
- * @param fileContent provide filePath, will also set fileSize in it.
- * @retval 0    File does not exist.
- * @retval size_t   File size
- *
- */
-size_t get_file_size(FileContent *fileContent) {
-    FILE *pFile = fopen(fileContent->filePath, "r");
-    if (pFile == NULL) {
-        printf("Error: %s not found\n", fileContent->filePath);
-        return 0;
-    }
-    fseek(pFile, 0, SEEK_END);
-    size_t len = ftell(pFile);
-    fclose(pFile);
-    fileContent->fileSize = len;
-    return len;
-}
-
-/**
- * Read File buffer based on given fileContent.
- *
- * @param fileContent   provide filePath, will also set fileBuffer in it.
- * @return  Buffer read from file.
- */
-uint8_t *read_file_content(FileContent *fileContent) {
-    if (fileContent->fileBuffer == NULL)
-        return NULL;
-    FILE *pFile = fopen(fileContent->filePath, "rb");
-    if (pFile == NULL)
-        return NULL;
-    fread(fileContent->fileBuffer, fileContent->fileSize, 1, pFile);
-    fclose(pFile);
-    return fileContent->fileBuffer;
-}
-
-/**
- * Write buffer to filePath given by fileContent.
- *
- * @param fileContent   Contains file information.
- * @retval -EBADF   Failed to write file
- *
- */
-int write_file_content(pFileContent fileContent) {
-    FILE *pFile = fopen(fileContent->filePath, "wb");
-    if (pFile == NULL)
-        return -EBADF;
-    fwrite(fileContent->fileBuffer, fileContent->fileSize, 1, pFile);
-    fclose(pFile);
-    return 0;
-}
-
-/**
- * Parse given config.
- *
- * @param fileContent
- * @param config Config info read from config file
- * @retval -EINVAL Give File not found.
- *
- */
-int parse_config(FileContent *fileContent, pConfig config) {
-    // Check file size
-    if (!get_file_size(fileContent))
-        return -EINVAL;
-
-    // Open config file
-    FILE *pConfigFile = fopen(fileContent->filePath, "r");
-    char key[256];
-    uint32_t value = 0;
-
-    // Parse
-    while (fscanf(pConfigFile, "%[^=]=%x\n", key, &value) != EOF) {
-        if (strcmp(key, "StackBase") == 0) {
-            config->StackBase = value;
-        } else if (strcmp(key, "StackSize") == 0) {
-            config->StackSize = value;
-        }
-    }
-
-    fclose(pConfigFile);
+    printf("Please check the patched kernel image at %s.\n", outputImage.filePath);
     return 0;
 }
 
@@ -209,7 +120,7 @@ uint8_t *PatchKernel(pFileContent kernel, pFileContent uefi, pFileContent shellC
     memcpy(patchedKernel->fileBuffer + kernel->fileSize, uefi->fileBuffer, uefi->fileSize);
 
     // Check ShellCode binary magic.
-    if (uefi->fileSize > 0x40 && strcmp((char *) (shellCode->fileBuffer + 8), "SHLLCOD") != 0) {
+    if (shellCode->fileSize > 0x40 && strcmp((char *) (shellCode->fileBuffer + 8), "SHLLCOD") != 0) {
         printf("Error: shell code binary format not recognize.\n");
         return NULL;
     }
@@ -224,45 +135,65 @@ uint8_t *PatchKernel(pFileContent kernel, pFileContent uefi, pFileContent shellC
         hasHeader |= 0b1;
     }
 
-    // Check if kernel size % 0x10 == 0, which will cause copy loop issue.
-    if (kernel->fileSize % 0x10 != 0) {
+    // Check if kernel size % 0x10 == 0, which will cause copy loop(in shellcode) issue.
+    if (kernel->fileSize % 0x10) {
         printf("Align kernel size to 0x10.\n");
+
+        // Calculate align padding
+        uint8_t padding = 0x10 - (kernel->fileSize % 0x10);
+
+        // New kernel size and output size
+        kernel->fileSize += padding;
+        patchedKernel->fileSize += padding;
+
         // Reallocate patched kernel.
-        void *ptr = realloc(patchedKernel->fileBuffer, patchedKernel->fileSize + (kernel->fileSize % 10));
+        void *ptr = realloc(patchedKernel->fileBuffer, patchedKernel->fileSize);
         if (ptr == NULL) {
             printf("Failed to reallocate patched kernel buffer.");
             return NULL;
         } else patchedKernel->fileBuffer = ptr;
-        // Copy uefi image to 0x10 align place.
-        uint8_t padding = 0x10 - (kernel->fileSize % 0x10);
-        memmove(patchedKernel->fileBuffer + kernel->fileSize + padding,
-                patchedKernel->fileBuffer + kernel->fileSize, uefi->fileSize);
-        kernel->fileSize += padding;
-        patchedKernel->fileSize += padding;
-    }
 
-    // Check if kernel has EFI Stub, 4D5A0091, "MZ"
-    // Note: This magic is part of kernel
-    // We wil rewrite file header here.
-    // For kernel with EFI stub, we only need to patch the efi header.
-    memcpy(kernelHeader, kernel->fileBuffer, 0x4);
-    if (*(uint32_t *) kernelHeader == 0x91005A4D) {
-        printf("Kernel has EFI header.\n");
-        hasHeader |= 0b10;
+        // Copy uefi image to 0x10 align place and fill padding part to 0.
+        if (hasHeader & 0b1) // Kernel has header, need to add 0x14 offset while copying.
+        {
+            memmove(patchedKernel->fileBuffer + kernel->fileSize + 0x14,
+                    patchedKernel->fileBuffer + kernel->fileSize - padding + 0x14, uefi->fileSize);
+            memset(patchedKernel->fileBuffer + kernel->fileSize - padding + 0x14, 0, padding);
+        } else {
+            memmove(patchedKernel->fileBuffer + kernel->fileSize,
+                    patchedKernel->fileBuffer + kernel->fileSize - padding, uefi->fileSize);
+            memset(patchedKernel->fileBuffer + kernel->fileSize - padding, 0, padding);
+        }
     }
 
     // Kernel has uncompressed_img header,
-    if(hasHeader & 1)
+    if (hasHeader & 1)
         // Move our pointer after UNCOMPRESSED_IMG header before further processing,
         patchedKernel->fileBuffer += 0x14;
 
+    /* Reserved for feature use */
+    // Check if kernel was already patched.
+    //   if config in kernel was same with the config provided here,
+    //   set kernel size to previous kernel size. (which skipped copying previously uefi fd)
+    //    if (*(uint64_t *) (kernel->fileBuffer + 0x20) == config->StackBase &&
+    //        *(uint64_t *) (kernel->fileBuffer + 0x28) == config->StackSize) {
+    //        printf("Kernel was already patched previously!\n"
+    //               "Re-patching with new UEFI...\n");
+    //        kernel->fileSize = *(uint64_t *) (kernel->fileBuffer + 0x30);
+    //        patchedKernel->fileSize = kernel->fileSize + uefi->fileSize; // Update output kernel size
+    //        printf("Old kernel size %llx\n", *(uint64_t *) (kernel->fileBuffer + 0x30));
+    //        hasHeader |= 0b10;
+    //    }
+
     // Determine the loading offset of the kernel first,
     // we are either going to find a b instruction on the
     // first instruction or the second one. First is problematic,
     // second is fine.
 
     // 0x14 is AArch64 b opcode
-    if (patchedKernel->fileBuffer[3] == 0x14) {
+    // If Code1 is jump instruction, the kernel is an original kernel or a patched kernel.
+    // However, if Code2 is also jump instruction, the kernel should be a patched kernel.
+    if (patchedKernel->fileBuffer[3] == 0x14 && patchedKernel->fileBuffer[7] != 0x14) {
         // For kernel without EFI stub, we have to move the jump kernel instruction forward to Code2.
         // We have a branch instruction first, we need to fix things a bit.
 
@@ -282,8 +213,21 @@ uint8_t *PatchKernel(pFileContent kernel, pFileContent uefi, pFileContent shellC
         patchedKernel->fileBuffer[5] = offsetInstructionBuffer[1];
         patchedKernel->fileBuffer[6] = offsetInstructionBuffer[2];
         patchedKernel->fileBuffer[7] = 0x14;
-    }
-    else if (patchedKernel->fileBuffer[7] != 0x14) {
+    } else // Patched Kernel
+    if (patchedKernel->fileBuffer[3] == 0x14 && patchedKernel->fileBuffer[7] == 0x14) {
+        printf("Patched kernel detected, redo patch with new fd.\n");
+        kernel->fileSize = *(uint64_t *) (kernel->fileBuffer + 0x30);
+        patchedKernel->fileSize = kernel->fileSize + uefi->fileSize; // Update output kernel size
+    } else // Kernel with EFI Stub
+    if (*(uint16_t *) (patchedKernel->fileBuffer) == 0x5A4D && patchedKernel->fileBuffer[7] == 0x14) {
+        // Check if kernel has EFI Stub, 4D5A, "MZ"
+        // Note:
+        //   The magic is also an arm64 instruction, and the second instruction jump to kernel.
+        // We will only rewrite EFI header here. (This will break the kernel)
+        // For kernel with EFI stub, we only need to patch the efi header.
+        printf("Kernel has EFI header.\n");
+    } else // Unknown stuff
+    if (patchedKernel->fileBuffer[7] != 0x14) {
         // There is no branch instruction!
         printf("Error: Invalid Kernel Image. Branch instruction not found within first two instruction slots.\n");
         return NULL;

remover.c

@@ -0,0 +1,129 @@
+/** @file
+ *  Patch Remover Source File.
+ *
+ *  This Program will help you revert patched instructions in a patched kernel.
+ *
+ *  It only supports several formats of kernel:
+ *      1. Image file compile from source
+ *      2. Qualcomm patched kernel.
+ *      3. Image file kernel with efi stub.
+ *
+ *  Copyright (c) 2021-2024 The DuoWoa authors. All rights reserved.
+ *  MIT License
+ *
+ */
+
+#include "utils.h"
+
+/**
+ * Receive args and handle status.
+ *
+ * @param argc  argc is numbers of argues given in cmdline.
+ * @param argv  argv is a array that contains all given values.
+ * @return program status
+ */
+int main(int argc, char *argv[]) {
+    printf("WOA-msmnile DualBoot Patch Remover v1.2.0.0\n");
+    printf("Copyright (c) 2021-2024 The DuoWoA authors\n\n");
+    if (argc != 3) {
+        // Print usage if arg numbers not meet.
+        printf("args: %d\n", argc);
+        printf("Usage: <Input Patched Kernel> <Output Kernel>\n");
+        return -EINVAL;
+    }
+
+    // Program status.
+    int status = 0;
+
+    // Get file paths.
+    FileContent patchedImage = {.filePath = argv[1]};
+    FileContent outputImage = {.filePath = argv[2]};
+
+    // Read buffer from patched kernel.
+    if (!get_file_size(&patchedImage)) {
+        status = -EINVAL;
+        goto free_and_exit;
+    }
+    patchedImage.fileBuffer = malloc(patchedImage.fileSize);
+    read_file_content(&patchedImage);
+
+    // Remove!
+    Remove(&patchedImage, &outputImage);
+
+    // Output buffer to new kernel.
+    if (outputImage.fileBuffer != NULL) {
+        write_file_content(&outputImage);
+    } else {
+        printf("Error Removing Patch.\n");
+        status = -EINVAL;
+        goto free_and_exit;
+    }
+
+    // Free buffers we allocated.
+    free_and_exit:
+    free(patchedImage.fileBuffer);
+    free(outputImage.fileBuffer);
+
+    // Everything goes well
+    printf("Patch successfully removed.\n");
+    printf("Please check the unpatched kernel image at %s.\n", outputImage.filePath);
+    return status;
+}
+
+/**
+ * Revert patch in kernel and return output file buffer.
+ *
+ * @param patchedKernel Input Patched kernel.
+ * @param outputKernel Output Reverted kernel.
+ * @return Reverted kernel buffer, NULL if error processing.
+ */
+uint8_t *Remove(pFileContent patchedKernel, pFileContent outputKernel) {
+    // Get previous config from patched kernel.
+    size_t originKernelSize = *(uint64_t *) (patchedKernel->fileBuffer + 0x30);
+
+    // Check if kernel has UNCOMPRESSED_IMG Header.
+    char kernelHeader[0x11] = {0};
+    uint8_t hasHeader = 0;
+    memcpy(kernelHeader, patchedKernel->fileBuffer, 0x10);
+    if (strcmp(kernelHeader, "UNCOMPRESSED_IMG") == 0) {
+        printf("Kernel has UNCOMPRESSED_IMG header.\n");
+        originKernelSize = *(uint64_t *) (patchedKernel->fileBuffer + 0x30 + 0x14) + 0x14;
+        hasHeader |= 0b1;
+    }
+
+    // Allocate output buffer
+    outputKernel->fileSize = originKernelSize;
+    outputKernel->fileBuffer = malloc(outputKernel->fileSize);
+
+    // Copy new buffer into outputBuffer.
+    memcpy(outputKernel->fileBuffer, patchedKernel->fileBuffer, outputKernel->fileSize);
+
+    // After copying, jump over header
+    if (hasHeader & 0b1)
+        outputKernel->fileBuffer += 0x14;
+
+    // Now check if it is a patched kernel
+    if (outputKernel->fileBuffer[3] == 0x14 && outputKernel->fileBuffer[7] == 0x14) {
+        printf("Patched kernel detected.");
+        // Recover Code1 jump instruction, jump to linux kernel directly.
+        *(uint32_t *) outputKernel->fileBuffer =
+                ((*(uint32_t *) (outputKernel->fileBuffer + 4) & ~(0xFF << 24)) + 1) | (0x14 << 24);
+        // Clean Code2
+        *(uint32_t *) (outputKernel->fileBuffer + 4) = 0;
+    } else {
+        printf("Not an valid kernel.");
+        return NULL;
+    }
+
+    // Move back our pointer and recalculate kernel size in kernel
+    // header if the patched kernel buffer has UNCOMPRESSED_IMG header.
+    if (hasHeader & 0b1) {
+        outputKernel->fileBuffer -= 0x14;
+        size_t newKernelSize = outputKernel->fileSize - 0x14;
+        outputKernel->fileBuffer[0x10] = newKernelSize >> 0 & 0xFF;
+        outputKernel->fileBuffer[0x11] = newKernelSize >> 8 & 0xFF;
+        outputKernel->fileBuffer[0x12] = newKernelSize >> 16 & 0xFF;
+        outputKernel->fileBuffer[0x13] = newKernelSize >> 24 & 0xFF;
+    }
+    return outputKernel->fileBuffer;
+}