HackTricks-wiki · carlospolop · Mar 17, 2026
diff --git a/src/binary-exploitation/rop-return-oriented-programing/README.md b/src/binary-exploitation/rop-return-oriented-programing/README.md
@@ -287,6 +287,21 @@ G3:
     ret
 ```
 
+## Shellcode via /proc/self/mem (Embedded Linux)
+
+If you already have a ROP chain but **no RWX mappings**, an alternative is to **write shellcode into the current process using** `/proc/self/mem` and then jump to it. This is common on embedded Linux targets where `/proc/self/mem` can ignore write protections on executable segments in default configurations.
+
+Typical chain idea:
+
+```c
+fd = open("/proc/self/mem", O_RDWR);
+lseek(fd, target_addr, SEEK_SET);   // e.g., a known RX mapping or code cave
+write(fd, shellcode, shellcode_len);
+((void(*)())target_addr)();         // ARM Thumb: jump to target_addr | 1
+```
+
+If preserving `fd` is hard, calling `open()` multiple times can make it feasible to **guess the descriptor** used for `/proc/self/mem`. On ARM Thumb targets, remember to **set the low bit** when branching (`addr | 1`).
+
 
 ## Protections Against ROP and JOP
 
@@ -328,6 +343,10 @@ rop-syscall-execv/
   - arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
 - [https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html](https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html)
 
-{{#include ../../banners/hacktricks-training.md}}
+## References
 
+- [Now You See mi: Now You're Pwned](https://labs.taszk.io/articles/post/nowyouseemi/)
+- [TaszkSecLabs/xiaomi-c400-pwn](https://github.com/TaszkSecLabs/xiaomi-c400-pwn)
+
+{{#include ../../banners/hacktricks-training.md}}