Re: [Vol-users] Insmod lime.lo on stock Samsung Galaxy S3 results in Exec format error

Hello list, This is my first post to this list. My name is Rob, I'm located in the Netherlands and am looking for some help in dumping the memory of an Android phone so I can inspect it in Volatility. A bit of background as to where I'm currently at with Volatility. I've successfully compiled LiME against a standard linux kernel running on Intel, created a profile with dwarfdump etc., dumped the memory and can use the plugins successfully. I've also installed Cyanogenmod 12.1 on a GalaxyS2 and can run LiMe on it and dump the RAM. I have a problem with the profile not loading in Volatility but that's for another post :-) I can run strings on the dump and recover meaningful information though. Cutting to the chase... My target phone is a stock Samsung Galaxy S3. I've looked at the device settings and have downloaded the matching kernel source code from Samsungs opensource website, taking care to make sure the build versions string matches. The phone has developer settings and usb debugging enabled. I have also rooted the phone and the SuperSU binary is installed and configured to grant root always without prompting. I've tried using toolchain versions 4.9 and 4.8 but the Samsung source code will not compile without modifications to the makefile relating to warnings being interpreted as errors. I'm therefore using version 4.7. I've compiled the kernel modules which generated a module.symvers: *** 0x82d9772c bcmsdh_remove drivers/net/wireless/bcmdhd/dhd EXPORT_SYMBOL 0x9cad0f4b bcmsdh_probe drivers/net/wireless/bcmdhd/dhd EXPORT_SYMBOL *** I then compiled LiME with this make file... *** obj-m := lime.o lime-objs := tcp.o disk.o main.o KDIR :=~/ANDROID/S3Kernel/Kernel PWD := $(shell pwd) CROSS_COMPILE := /home/dfir/ANDROID/android-ndk-r10e/toolchains/arm-linux-androideabi-4.7/bin/arm-linux-androideabi- ARCH := arm .PHONY: modules modules_install clean distclen help default: $(MAKE) ARCH=arm SUBARCH=arm -C $(KDIR) M=$(PWD) CROSS_COMPILE=$(CROSS_COMPILE) EXTRA_CFLAGS=-fno-pic modules mv lime.ko limeS3.ko *** ...and this generates the following output *** dfir@ThinkPad-T420:~/ANDROID/S3Kernel/LiME/src$ make make ARCH=arm SUBARCH=arm -C ~/ANDROID/S3Kernel/Kernel M=/home/dfir/ANDROID/S3Kernel/LiME/src CROSS_COMPILE=/home/dfir/ANDROID/android-ndk-r10e/toolchains/arm-linux-androideabi-4.7/bin/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic modules make[1]: Entering directory `/home/dfir/ANDROID/S3Kernel/Kernel' CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/tcp.o CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/disk.o CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/main.o LD [M] /home/dfir/ANDROID/S3Kernel/LiME/src/lime.o Building modules, stage 2. MODPOST 1 modules CC /home/dfir/ANDROID/S3Kernel/LiME/src/lime.mod.o LD [M] /home/dfir/ANDROID/S3Kernel/LiME/src/lime.ko make[1]: Leaving directory `/home/dfir/ANDROID/S3Kernel/Kernel' mv lime.ko limeS3.ko *** After successfully compilation there is also a module.symvers file located in LiME directory but it is empty. I wonder if this is indicative of my problem? I then move limeS3.ko to my phone and connect to it with adb adb forward tcp:4444 tcp:4444 adb shell su this gets me to a root prompt on the device and I can move freely around the file system. I then move to the location where limeS3.ko is installed and enter the command root@m0:/storage/extSdCard # insmod ./limeS3.ko "path=tcp:4444 format=lime" which gives the following error. insmod: init_module './limeS3.ko' failed (Exec format error) I've searched for this error and ensured the kernel version is correct. Can anyone tell me what I'm doing wrong so I can get the driver loaded? I realize that this was a long first post. Thank-you for taking the time to read this far. I hope someone can point me in the right direction. regards, Rob _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users