With ARM Exception Vector Info Leak it is possible to leak 4 bytes of memory. To get more data and more reliable, evasi0n attempts to dynamically locate the
memmove() function within the kernel module. This is done by leaking the first two pages of the kernel text section and following each branch instruction (leaking destination too) until the
memmove() signature is found.
With the address of
memmove(), it is possible to return data to a buffer that can be read from user-mode and returning more memory this way.
TODO: Explain how evasi0n does this in detail.
See also Patchfinder.