Share
## https://sploitus.com/exploit?id=12533797-8D67-5F19-890A-9348A8DDFBE8
# GhostLock โ OnePlus Ace 6T Jailbreak
Kernel exploit for OnePlus Ace 6T with locked bootloader. Achieves root + KernelSU installation without unlocking bootloader or modifying boot image.
## Target
| | |
|---|---|
| Device | OnePlus Ace 6T (SM8845 / Snapdragon 8s Elite) |
| OS | Android 16, ColorOS |
| Kernel | 6.12.38-android16-5 |
| Bootloader | Locked |
| Security Patch | 2025-12-01 |
## Vulnerability
**CVE-2026-43499** โ Futex PI (Priority Inheritance) Use-After-Free
The `pselect6` syscall copies `fd_set` data onto the kernel stack. When combined with the futex PI waiter mechanism, a freed stack frame can be reclaimed as an `rt_mutex_waiter` structure. The rb-tree rebalance during PI chain walk then writes controlled values to arbitrary kernel addresses.
## Exploit Flow
```
Write 1 (mode=1) โ SELinux enforcing = 0
(low byte of kernel ptr = 0x00)
Write 2 (mode=2) โ task->cred = init_cred
(uid=0, all capabilities)
Root shell โ ksud late-load (KernelSU LKM)
โ load_policy (fix policycap)
โ dynamic manager registration
```
### Bootstrap Mode (phone standalone)
```
App (seccomp) โ Write 1 (no perf needed)
โ mini-adb connect TCP 5555
โ adb shell: full exploit (perf works, no seccomp)
โ root โ KSU โ network fix
```
## Key Technical Details
### perf_find_task Fix (kernel 6.12)
```c
// Bug: bit 32 invalid on ARM64 โ kernel rejects entire REGS_INTR
pe.sample_regs_intr = (1ULL symbols.txt` (needs root or kptr_restrict=0)
2. Extract struct offsets from BTF: `pahole -C task_struct /sys/kernel/btf/vmlinux`
3. Update `target.h` with new offsets
4. Tune timing parameters in `common.h`
Alternatively, extract `vmlinux` from boot.img/OTA and use `nm`/`objdump` for symbols.
## Files
| File | Description |
|------|-------------|
| `src/targets/ace6t/main.c` | Exploit entry, Write 1/2, bootstrap, root script |
| `src/targets/ace6t/target.h` | Device-specific kernel offsets |
| `src/targets/ace6t/util.c` | Heap spray, kernelsnitch, slab drain |
| `src/targets/ace6t/fops.c` | pselect route, PI write mechanism |
| `src/targets/ace6t/miniadb.c` | Mini ADB client (TCP + RSA auth) |
| `src/targets/ace6t/common.h` | Timing parameters, macros |
| `src/slide.c` | SLIDE kernel address leak |
| `src/pipe.c` | Pipe buffer manipulation |
| `src/root.c` | Root shell setup |
## License
For authorized security research and educational purposes only.