I managed to patch the sealime_sb_mount() kernel method such that remounting /system with read-write permissions is possible.
Just for fun (and to understand what's going on) I ported the CVE-2013-6282 exploit to C++ (ugly C++, but still...). Still don't understand how it manages to parse the kallsyms, though...
However, I managed to understand the assembler code of sealime_sb_mount() (or any other sealime method, they're basically all identical...) and how to modify it so it doesn't care.
I'm interested. I'm a developer as well, but I don't know that much about Android exploits.
I had played with CVE-2016-5195 and I see that it says it's vulnerable; however, the dcow command doesn't seem to overwrite the system run-as and I don't get a soft root.
I didn't really look into it further. If you have it working, please share your findings / code.
zezu: I'll try to get the code in usable shape (at the moment it's a mess) and put it on GitHub. Stay tuned.