Share
## https://sploitus.com/exploit?id=529FD1C2-FD47-576F-AE7C-1F592B7CB594
# OPPO Find X6 Pro GhostLock Adaptation Project

## Overview

This project focuses on adapting the CVE-2026-43499 (GhostLock) vulnerability in the OPPO Find X6 Pro (PGEM10). Based on the original exploit architecture of [NebuSec CyberMeowfia](https://github.com/NebuSec/CyberMeowfia), this project follows the adaptation approach outlined in [oppo-ghostlock](https://github.com/pubglite55/oppo-ghostlock).

## Device Information

| Project | Value |
|--------|-------|
| Device | OPPO Find X6 Pro (PGEM10) |
| Chip | Snapdragon 8 Gen 2 (SM8550) |
| Kernel | Linux 5.15.149-android13 #1 SMP PREEMPT |
| Compilation Date | Thu Feb 13 2025 |
| Android | 15 (ColorOS 15.0) |
| ROM Version | PGEM10_15.0.0.600(CN01) |
| PAC | CONFIG_ARM64_PTR_AUTH_KERNEL=y |
| BTI | CONFIG_ARM64_BTI_KERNEL=y |
| KASLR | CONFIG_RANDOMIZE_BASE=y |
| VA_BITS | 39 |
| VA Offset | P0_PAGE_OFFSET = 0xffffff8000000000 |

## Summary of Project Results

### โœ… Completed

| Module | Status | Description |
|--------|-------|-------|
| **Perf KASLR bypass** | โœ… | Major breakthrough โ€” Achieved through perf_event_open + callchain sampling, 0x620) |

Call chain analysis confirmed that **0** call chains in the kernel have a depth โ‰ฅ 0x800 (2048B). Maximum single frame depth: 0x1F0 (496B). 

## Reference Resources

- Original project: https://github.com/NebuSec/CyberMeowfia
- OPPO Find N2 adaptation: https://github.com/pubglite55/oppo-ghostlock
- NebuSec research: https://nebusec.ai/research/ionstack-part-2/
- Android kernel source code: https://github.com/oppo-source/android_kernel_oppo_sm8550
- General kernel source code: https://github.com/oppo-source/android_kernel_common_oppo_sm8550