PIXEL C #22

Closed
rakhenmanoa opened this issue Jul 11, 2019 · 4 comments

Comments

@rakhenmanoa

Hi, do you think shofel2 will work on the Pixel C?

@shuffle2
Contributor

yes

@24mu13

24mu13 commented Jan 17, 2022

I would say no instead.

Finally I got all the binaries successfully built, using the documentation.

But I have two problems:

  1. Vendor & Product IDs are obviously different. In order to fix this I simply changed one line:

     ```python
     #DEV_ID_SWITCH = (0x0955, 0x7321)
     DEV_ID_SWITCH = (0x18d1, 0x5201)
     ```

  2. When I run the exploit it says the following (sanity check failed):

     ```
     $ ./shofel2.py cbfs.bin ../../coreboot/build/coreboot.rom 
     File descriptor: 7

     Traceback (most recent call last):
       File "/home/samuel/Projects/fail0overflow/shofel2/exploit/./shofel2.py", line 258, in <module>
         rcm.pwn()
       File "/home/samuel/Projects/fail0overflow/shofel2/exploit/./shofel2.py", line 176, in pwn
         s.sanity_check(src_base, dst_base)
       File "/home/samuel/Projects/fail0overflow/shofel2/exploit/./shofel2.py", line 101, in sanity_check
         cur_src = parse32(buf, 0xc)
       File "/home/samuel/Projects/fail0overflow/shofel2/exploit/./shofel2.py", line 27, in parse32
         return struct.unpack('<L', buf[offset:offset+4])[0]
     struct.error: unpack requires a buffer of 4 bytes
     ```

Any tip would be appreciated...

@shuffle2
Contributor

I got the exploit to work on Pixel C but that was some years ago. Probably someone has already posted a working version online somewhere if you search around.

@24mu13

24mu13 commented Jan 18, 2022

> I got the exploit to work on pixel c but that was some years ago. Probably someone has already posted a working version online somewhere if you search around

Thank you very much: that's very encouraging to me...
But I am afraid RCM (the context in which to launch your exploit) has nothing to do with the fastboot mode; more likely it corresponds to the recovery mode.

Unfortunately I am able to run only the fastboot mode.
