Share
## https://sploitus.com/exploit?id=75C01FD0-1A43-555F-8666-6EBA2D109C14
# smt878u-ionstack-poc

Pure-C, host-assisted re-root proof of concept for **Samsung Galaxy Tab S7
(SM-T878U / gts7l)** against **CVE-2026-43499** (IonStack / GhostLock).

The runtime chain uses native C/ELF components only. It does not require
Python, Java, DEX, `app_process`, or a JVM on the Android target. ADB is used
for deployment and verification.

## Supported profile

This POC intentionally fails closed unless all profile checks match:

```text
device:      gts7l
Android:     13 / SDK 33
fingerprint: samsung/gts7lsqwnc/gts7l:13/TP1A.220624.014/T878USQS8DXE1:user/release-keys
kernel:      4.19.113
build:       T878USQS8DXE1
```

Unsupported or failed runs can panic or reboot the device. Keep a recovery
path available.

This repository is narrowly scoped to the firmware profile above. It is not a
general-purpose rooting tool, and offsets or assumptions must not be reused on
other devices without independent validation.

## Security research only

- Use only on hardware you own or are explicitly authorized to test.
- Successful exploitation can panic, reboot, or brick devices.
- Root produced by this POC is ephemeral and does not modify AVB, boot images,
  or system partitions; reboot removes it.

## Quick start

1. Build on a macOS or Linux host (see [Build](#build)).
2. Install the official Android SDK Platform Tools and connect the supported
   device with USB debugging enabled.
3. Confirm ADB sees the device:

```sh
adb devices -l
```

Then:

```sh
./build/smt878u-ionstack-reroot -s SERIAL --preflight-only
./build/smt878u-ionstack-reroot -s SERIAL --validate-only
./build/smt878u-ionstack-reroot -s SERIAL
```

After the host reports success, verify root and open a shell:

```sh
adb -s SERIAL shell /data/local/tmp/su -c id
adb -s SERIAL shell /data/local/tmp/su
```

`-s SERIAL` is optional when exactly one ADB device is connected.

## Build

Requirements:

- macOS or Linux host with `clang`, `make`, and `adb`
- Android NDK (API 35 is the default build API)
- an arm64/compat32 target matching the profile above

```sh
make -j4
```

Override discovery when needed:

```sh
make NDK_ROOT=/path/to/android-ndk API=35 -j4
```

All artifacts are emitted under `build/`.

### Host platforms

The host controller supports macOS arm64, Linux x86_64, and Windows x86_64.
The Android device artifacts are identical across host platforms.

```sh
# native host controller only
make host

# Windows x86_64 controller with LLVM-MinGW
make host-windows \
  WINDOWS_CC=/path/to/llvm-mingw/bin/x86_64-w64-mingw32-clang
```

## Run

Start with the non-exploit profile check, then validation, then the full chain:

```sh
./build/smt878u-ionstack-reroot -s SERIAL --preflight-only
./build/smt878u-ionstack-reroot -s SERIAL --validate-only
./build/smt878u-ionstack-reroot -s SERIAL
```

Logs are written below `results/YYYY-MM-DD/` by default.

### Collect reboot / crash artifacts

```sh
./tools/collect_reboot_artifacts.sh SERIAL
```

## Using `su` after a successful run

The supported user-facing client is installed at `/data/local/tmp/su`. It
connects to the temporary root daemon through
`/data/local/tmp/temp_su.sock`. Do not move it into `/system/bin`, and do not
rely on it surviving reboot.

## Layout

| Path | What |
|---|---|
| `src/host/` | Host-side ADB orchestrator |
| `src/device/` | On-device reroot / perf helpers |
| `src/exploit/` | IonStack-derived exploit chain (SM-T878U offsets) |
| `src/trigger/` | Chainwalk / diagnostic probe |
| `tools/su_daemon.c` | Temporary `su` daemon client/server bits |
| `tools/collect_reboot_artifacts.sh` | Post-reboot artifact collector |
| `build/` | Build outputs (gitignored) |
| `results/` | Run logs (gitignored) |

## Provenance

This tree started from the public `xpad2-ionstack-poc` packaging layout and an
IonStack CVE-2026-43499 source snapshot, then was re-ported to SM-T878U
(`gts7l` / `T878USQS8DXE1`).

- Combined project: `GPL-3.0-or-later` (`LICENSE`)
- IonStack-derived files under `src/exploit/` and `tools/su_daemon.c`: Apache-2.0
  provenance retained (`NOTICE`, `licenses/Apache-2.0.txt`)

## Security reports

Please do not include device identifiers, private firmware images, crash dumps,
or other sensitive data in a public issue. See `SECURITY.md`.

## Disclaimer

Provided **as-is**, without warranty of any kind. Authors and contributors are
not responsible for misuse, damage, or legal consequences arising from use of
this material.