Share
## https://sploitus.com/exploit?id=12533797-8D67-5F19-890A-9348A8DDFBE8
# GhostLock โ€” OnePlus Ace 6T Jailbreak

Kernel exploit for OnePlus Ace 6T with locked bootloader. Achieves root + KernelSU installation without unlocking bootloader or modifying boot image.

## Target

| | |
|---|---|
| Device | OnePlus Ace 6T (SM8845 / Snapdragon 8s Elite) |
| OS | Android 16, ColorOS |
| Kernel | 6.12.38-android16-5 |
| Bootloader | Locked |
| Security Patch | 2025-12-01 |

## Vulnerability

**CVE-2026-43499** โ€” Futex PI (Priority Inheritance) Use-After-Free

The `pselect6` syscall copies `fd_set` data onto the kernel stack. When combined with the futex PI waiter mechanism, a freed stack frame can be reclaimed as an `rt_mutex_waiter` structure. The rb-tree rebalance during PI chain walk then writes controlled values to arbitrary kernel addresses.

## Exploit Flow

```
Write 1 (mode=1)  โ†’  SELinux enforcing = 0
                      (low byte of kernel ptr = 0x00)

Write 2 (mode=2)  โ†’  task->cred = init_cred
                      (uid=0, all capabilities)

Root shell         โ†’  ksud late-load (KernelSU LKM)
                   โ†’  load_policy (fix policycap)
                   โ†’  dynamic manager registration
```

### Bootstrap Mode (phone standalone)

```
App (seccomp)  โ†’  Write 1 (no perf needed)
               โ†’  mini-adb connect TCP 5555
               โ†’  adb shell: full exploit (perf works, no seccomp)
               โ†’  root โ†’ KSU โ†’ network fix
```

## Key Technical Details

### perf_find_task Fix (kernel 6.12)

```c
// Bug: bit 32 invalid on ARM64 โ†’ kernel rejects entire REGS_INTR
pe.sample_regs_intr = (1ULL  symbols.txt` (needs root or kptr_restrict=0)
2. Extract struct offsets from BTF: `pahole -C task_struct /sys/kernel/btf/vmlinux`
3. Update `target.h` with new offsets
4. Tune timing parameters in `common.h`

Alternatively, extract `vmlinux` from boot.img/OTA and use `nm`/`objdump` for symbols.

## Files

| File | Description |
|------|-------------|
| `src/targets/ace6t/main.c` | Exploit entry, Write 1/2, bootstrap, root script |
| `src/targets/ace6t/target.h` | Device-specific kernel offsets |
| `src/targets/ace6t/util.c` | Heap spray, kernelsnitch, slab drain |
| `src/targets/ace6t/fops.c` | pselect route, PI write mechanism |
| `src/targets/ace6t/miniadb.c` | Mini ADB client (TCP + RSA auth) |
| `src/targets/ace6t/common.h` | Timing parameters, macros |
| `src/slide.c` | SLIDE kernel address leak |
| `src/pipe.c` | Pipe buffer manipulation |
| `src/root.c` | Root shell setup |

## License

For authorized security research and educational purposes only.