Row hammer root method? (Now Dirty Cow) - G4 General

Found this on the LG G4 subreddit. Could someone that understands this topic a bit more take a look at this? Seems to be a new exploit.
http://arstechnica.com/security/201...tflips-to-root-android-phones-is-now-a-thing/

RAM is made up of cells in a grid-like pattern inside of a chip. If you know the particular memory location of a specific piece of software you can access the rows above and below with certain patterns of memory accesses and writes. This causes specific bits in the target memory location to change their contents. If the software at that target location happens to handle privilege escalation... This does not rely on buggy software but on underlying properties of the RAM itself. Some mitigating strategies include address space layout randomization and full encryption of RAM. ECC RAM can also help with this if you use the error detection abilities to cause an instant device reset.
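As an added example (not code from this thread or from any project it mentions), the Python below shows the ECC mechanism the post above names: a Hamming SECDED code over a 64-bit word that corrects one flipped bit, flags two as uncorrectable, and can be silently fooled by three. The word layout, the flip() helper that stands in for a disturbance, and the memory_read_policy() reset rule are assumptions for illustration only; nothing here touches real DRAM.

```python
from __future__ import annotations

# Added example, not code from the thread or from any project it mentions.
# Hamming SECDED (single-error-correct, double-error-detect) over a memory
# word, to show what ECC can and cannot do about Rowhammer-style bit flips.
# The word layout and the reset policy below are assumptions for illustration.


def _num_parity_bits(n_data: int) -> int:
    """Smallest r with 2**r >= n_data + r + 1 (the Hamming bound)."""
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    return r


def encode(data_bits: list[int]) -> list[int]:
    """Return a SECDED codeword as a list of 0/1.

    Index 0 holds the overall (even) parity bit; indices 1..N hold the
    Hamming layout with parity bits at powers of two and data elsewhere.
    For 64 data bits this gives the familiar 72-bit ECC word.
    """
    n = len(data_bits)
    r = _num_parity_bits(n)
    total = n + r
    code = [0] * (total + 1)
    it = iter(data_bits)
    for pos in range(1, total + 1):
        if pos & (pos - 1):                 # not a power of two: data position
            code[pos] = next(it)
    for i in range(r):
        p = 1 << i                          # parity bit p covers positions with bit i set
        code[p] = sum(code[pos] for pos in range(1, total + 1) if pos & p) % 2
    code[0] = sum(code[1:]) % 2             # makes the whole word even parity
    return code


def decode(code: list[int]) -> tuple[str, list[int]]:
    """Classify a stored word as 'ok', 'corrected' or 'uncorrectable'.

    Returns (status, data_bits). For 'uncorrectable' the data is returned
    as stored and must not be trusted.
    """
    word = list(code)
    total = len(word) - 1
    syndrome = 0
    for pos in range(1, total + 1):
        if word[pos]:
            syndrome ^= pos                 # XOR of set positions names the bad bit
    overall_odd = sum(word) % 2
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd:
        # Odd parity: one flip, or an odd number of flips that SECDED cannot
        # tell apart from one. Flip the indicated bit back (0 = parity bit).
        word[syndrome] ^= 1
        status = "corrected"
    else:
        # Even parity but non-zero syndrome: two flips. Detected, but there
        # is no way to know which two bits to restore.
        status = "uncorrectable"
    data = [word[pos] for pos in range(1, total + 1) if pos & (pos - 1)]
    return status, data


def flip(code: list[int], positions: list[int]) -> list[int]:
    """Constructed fault: XOR the given codeword positions. This stands in
    for the disturbance the post describes; no DRAM is touched here."""
    word = list(code)
    for p in positions:
        word[p] ^= 1
    return word


def memory_read_policy(code: list[int]) -> tuple[str, list[int] | None]:
    """Assumed controller policy: serve clean words, reset on anything else.

    Quietly correcting a single flip would hide the fact that the rows are
    being disturbed; treating any ECC event as a reset reason is the
    "use the error detection to cause an instant device reset" idea above.
    """
    status, data = decode(code)
    if status == "ok":
        return "serve", data
    return "reset", None


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0] * 8          # constructed 64-bit word
    cw = encode(payload)
    print(f"{len(payload)} data bits -> {len(cw)}-bit SECDED word")
    for flips in ([], [5], [5, 9], [3, 5, 9]):
        status, data = decode(flip(cw, flips))
        print(f"flips at {flips}: {status}, data intact = {data == payload}")
    # The last case is the caveat: three flips look like one, get
    # "corrected" to the wrong value, and are served as if nothing happened.
```

The three-flip case is why the reset-on-any-error policy matters: SECDED only promises to catch up to two flips in a word, so the first corrected single flip is the earliest reliable signal a defender gets.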

There's an app to check if you're vulnerable to the Hammer bug.
Devs stated that they've rooted the G4 exploiting it... So... Is there hope for bootloader locked devices after all?

Now I'm a bit pessimistic about this mainly due to the fact that there have been several exploits since MM which didn't really help our situation. The only difference here is they've claimed that they were able to root our specific device using this method which is promising I suppose.

Somebody read about the Dirty Cow bug in the Linux kernel?
Sent from my LG-H815 using Tapatalk

This actually seems very, very good news. I will try to get my hands on an apk and try it.

Link to the apk:
https://vvdveen.com/drammer/drammer.apk

It doesn't do anything.

It does not do anything YET. The researchers said that they did not release the exploit and are not so inclined to do so. I got a warning about the apk being malicious. Maybe someone will create an app in good faith that will only root out phones.

tmihai20 said:
It does not do anything YET. The researchers said that they did not release the exploit and are not so inclined to do so. I got a warning about the apk being malicious. Maybe someone will create an app in good faith that will only root out phones.
EN: It was a statement. I know that it does nothing. It is just a test. It doesn't root your phone.
RO (translated from Romanian): It was a statement. I was just reinforcing the idea that it is a test and that it doesn't help at all in this case (namely with root).

Yeah the app is simply to find out which phones are vulnerable.

I want to use Drammer to root my phone. Where can I download the exploit code?
You cannot. We decided to not (yet) release the exploit. We did open source our templating code, however.
So, maybe we need to wait until November Security Patch Release.

LaughingCarrot said:
Yeah the app is simply to find out which phones are vulnerable.
Exactly. Actually I ran it on my G4 and it returned that it is not even exploitable.

I think it takes some time, especially with the 3 GB of RAM. That slider is not very, very useful. I use the more aggressive approach and it killed the app itself. They said they ran it on a G4 and some other phones.

Dirty Cow, on the other hand, sounds a lot quicker. Looking forward to it.

Hopefully.

I think we just got the first dirty cow exploit for Android. This developer used it to root a V20 with Nougat https://github.com/jcadduono/android_external_dirtycow

tmihai20 said:
I think we just got the first dirty cow exploit for Android. This developer used it to root a V20 with Nougat https://github.com/jcadduono/android_external_dirtycow
I have to add that he has an unlocked bootloader.
But of course, it gives us more hope.

tmihai20 said:
I think we just got the first dirty cow exploit for Android. This developer used it to root a V20 with Nougat https://github.com/jcadduono/android_external_dirtycow
Yeah that method involved unlocking the bootloader so it's a little different. We need some sort of systemless root.

Any release on the Rowhammer exploit yet? :1 We need more researchers u.u

Related

[fxz] 4.4.4 21.11.21

FXZ SU4.21 Thanks to @stras1234 for the initial FXZ! Thanks to @Skrilax_CZ for posting them to the SBF site!
Use my RSD Flasher to flash it.
I guess it still needs to be spelled out in this day and age, but, yes, you WILL lose root if you use this. It's an FXZ that overwrites all partitions with stock. So uh, yea, there's that.
I love you.
In a not creepy way.
Sent from my XT1080DE
LOL you're welcome.
Thanks, I hope somebody finds a way to root it.
LMAO! It's not even out of soak yet. Here are the challenges you face for root on a locked bootloader:
1. Finding a new priv escalation vulnerability that works on the kernel that ships with 4.4.4. The pie exploit no longer works.
2. Finding someone to exploit the vulnerability once you find one that applies.
3. Finding a WP off exploit so you can persist su to the system partition for permanent, non-tethered, root.
I'm gonna say that's probably not all going to happen "soon". ROFLMAO
SamuriHL said:
LMAO! It's not even out of soak yet. Here are the challenges you face for root on a locked bootloader:
1. Finding a new priv escalation vulnerability that works on the kernel that ships with 4.4.4. The pie exploit no longer works.
2. Finding someone to exploit the vulnerability once you find one that applies.
3. Finding a WP off exploit so you can persist su to the system partition for permanent, non-tethered, root.
I'm gonna say that's probably not all going to happen "soon". ROFLMAO
v4.4.4 would not install and this fixed it ... all without losing any data ... big thanks!
NP enjoy! Stras1234 is the man for giving me the FXZ and allowing me to post it.
SamuriHL said:
LMAO! It's not even out of soak yet. Here are the challenges you face for root on a locked bootloader:
1. Finding a new priv escalation vulnerability that works on the kernel that ships with 4.4.4. The pie exploit no longer works.
2. Finding someone to exploit the vulnerability once you find one that applies.
3. Finding a WP off exploit so you can persist su to the system partition for permanent, non-tethered, root.
I'm gonna say that's probably not all going to happen "soon". ROFLMAO
Well, not easy! So far I'm not needing root access; there are no ROMs, and wifi tether works for me without doing anything, I'm using the phone outside the US of course. I would like to remove some bloatware.
I love modding and all those things, but I'm happy with stock KitKat. I think we could get Android L sometime in the future.
SamuriHL said:
FXZ SU4.21 Thanks to @stras1234!
Use my RSD Flasher to flash it.
Great work samurihl! This isn't even out of soak and we already have the fxz!
I have no doubt these phones will get L. They'll only be a year old at that point so I'd not worry about it.
Does anyone know if you have to edit the xml file and remove the getvar line like in 4.4? Or just RSD Lite and go?
Is it supposed to take forever to flash the system.img?
I've let it go for between 5 and 10 minutes, and it's still on system.
ad fu said:
Does anyone know if you have to edit the xml file and remove the getvar line like in 4.4? Or just RSD Lite and go?
That's why I gave a link to my tool. It does all that for you plus allowing you to keep your data.
LunaticSerenade said:
Is it supposed to take forever to flash the system.img?
I've let it go for between 5 and 10 minutes, and it's still on system.
Yes, it's over a gig in size. It takes a while.
SamuriHL said:
That's why I gave a link to my tool. It does all that for you plus allowing you to keep your data.
Yes, it's over a gig in size. It takes a while.
Ah. Makes sense. Thanks!
Samuri, thanks a lot, I love you too, but in a creepy way. This has to be a record for an FXZ being available.
Sent from my XT1080 using XDA Premium 4 mobile app
Yea, stras1234 rocks on that FXZ front. He got the HD/M FXZ's early for us last time, too. You checked out my new tool yet, btw? I made it as easy to flash FXZ's as possible now.
Not yet, I saw you were working on it. I will check it out when I get home and use it. I always like to run an FXZ after an update.
Sent from my XT1080 using XDA Premium 4 mobile app
It's pretty simple to use.
I would like to know if this is the final version, or whether there will be another one when the final OTA update is released?
I take it you don't know what a soak test is? Unless something goes wrong, which is unlikely, this will be pushed OTA in the next few days.

Should I upgrade to Marshmallow?

When the time comes for Verizon to push the Marshmallow update, do I take it? I would like to eventually root/rom my device.
Would this update potentially break any vulnerabilities in the bootloader that may be present in lollipop?
You should already know this answer... no, do not take the update.
Michaelmansour1997 said:
You should already know this answer... no, do not take the update.
That's what I figured, thanks!
We can't root the phone because the factory bootloader is locked, that has nothing to do with the OS version.
mjones73 said:
We can't root the phone because the factory bootloader is locked, that has nothing to do with the OS version.
So it may be possible if either Motorola or Verizon release a tool to unlock it?
It wouldn't need a vulnerability then, would it?
The reason why I ask is that an update to the LG G3 (my friend's device) broke the ability to root it (unfortunately he updated before it could be rooted), and I figured it was a common thing throughout Verizon devices.
I highly doubt Verizon or Motorola will unlock it. Someone will have to find an exploit, nothing has been reported so far. The updates for the G3 most likely updated the firmware on the phone and patched whatever exploit they were using to crack the bootloader. With no exploit on the DT2 yet, there's nothing to patch.
If you hope someone will find an exploit to root this phone, don't upgrade. Root exploits are usually found on older firmware, so if you plan to wait, don't upgrade.

Rooted, surprised not on here:

Hope some XDAers are able to get it rooted before it gets patched.
http://www.androidheadlines.com/201...te-available-for-android-root-access-bug.html
This has already been patched and pushed out, BB was actually impressively quick to patch the issue and push out a new update. A few carriers in the US might not yet have signed off on the update, but the vast majority of reports from users say they've gotten this update. I know I have.
But, can we just load an older build using an auto-loader ?
Artemis-kun said:
This has already been patched and pushed out, BB was actually impressively quick to patch the issue and push out a new update. A few carriers in the US might not yet have signed off on the update, but the vast majority of reports from users say they've gotten this update. I know I have.
I haven't.
santimaster2000 said:
But, can we just load an older build using an auto-loader ?
On BlackBerry 10, when an update fixed security issues, they put the older versions on a blacklist, so you couldn't downgrade with the autoloader.
Tipika said:
On BlackBerry 10, when an update fixed security issues, they put the older versions on a blacklist, so you couldn't downgrade with the autoloader.
This is not BB10, this is Android, and yes, I can downgrade, I've tested it.
Can we root using this exploit?
A small group of devs wrote a script to get root using this exploit for a few Sony phones. I've looked through their git and, if I understand it correctly, the script should be modifiable to work for the Priv, but you first need to figure out the physical addresses in memory for the kernel in order to make it work. I don't know a whole lot about this stuff, so correct me if I'm wrong.
Seeing all those one-click root apps, I was thinking it was going to be easier to root the Priv once an exploit was found.
Sent from my Nexus 5X using XDA-Developers mobile app
FrankenDroid said:
A small group of devs wrote a script to get root using this exploit for a few Sony phones. I've looked through their git and, if I understand it correctly, the script should be modifiable to work for the Priv, but you first need to figure out the physical addresses in memory for the kernel in order to make it work. I don't know a whole lot about this stuff, so correct me if I'm wrong.
Could you link me to that post please ?
Boom, right here: https://github.com/dosomder/iovyroot
So does this mean one can downgrade and then root using iovyroot?
Shani Ace said:
So does this mean one can downgrade and then root using iovyroot?
Theoretically, yes, you would need to add the absolute kernel addresses of the Priv to the source code, then compile it, but still, you would only get temp root, that's only good for using Titanium Backup and the like.
Ah okay, I understand.
So this root is only temp then? Still hoping something comes out but the community seems very small.

New exploit available for LG G5: QuadRooter

A set of exploits has been found by Check Point, allowing malicious apps to get root privilege.
blog.checkpoint.com/2016/08/07/quadrooter/
I'll turn off OTA from now on and wait for tools that make use of this exploit.
QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.
How do you turn off OTA? I can't find it.
There are 4 exploits that are already patched.
Might be a way if you have pre-April firmware installed.
https://gwolf2u.com/quadrooter-android-security-bugs-affect-over-900-million-devices/
I have 3 of the 4 exploits. I have Sprint
I have the latest v10d firmware on my H850 and the app shows me 4 of 4 vulnerable.
2016-06-01 security patch
fsi09 said:
I have the latest v10d firmware on my H850 and the app shows me 4 of 4 vulnerable.
2016-06-01 security patch
Mine as well, on v10d.
H868 reports 4/4 with the latest security patch.
For those who want to root their G5, search for "update" in Settings and turn off auto update.
Is this what we've been waiting for? Ridiculously excited if so, will this help rs988?
muppetmaster916 said:
Is this what we've been waiting for? Ridiculously excited if so, will this help rs988?
Download the Quadrooter Scanner and see if 4/4 vulnerabilities. If so, hope is right there.
cdiscrete said:
Download the Quadrooter Scanner and see if 4/4 vulnerabilities. If so, hope is right there.
I have 4/4, will this lead to development for our phones?
muppetmaster916 said:
I have 4/4, will this lead to development for our phones?
Yes. The last step is a tool that makes use of these vulnerabilities. That's what we are waiting for.
I've looked, searched and looked again. I cannot find the option to turn off automatic updates. Can someone screenshot it please? I posted a picture, there is no option for it.
On the latest OTA installed, on Sprint. I have 3 of the four.
4/4 on the South America H840 variant here, I hope we do get root.
AT&T H820, 4/4 shown here with April 01 security update. Will pledge $50 towards the bounty if someone can make use of this.
RS988 with 2016-06-01 Android security patch level. 4/4 vulnerabilities. If this is what we were waiting for, I'm excited!
It's not, I spoke to jcase earlier and he pretty much stated that until a solution to the locked bootloader is found we're screwed. No bump possibility either.
muppetmaster916 said:
It's not, I spoke to jcase earlier and he pretty much stated that until a solution to the locked bootloader is found we're screwed. No bump possibility either.
But at least we can get some xposed stuff right?
BR7fan said:
I've looked, searched and looked again. I cannot find the option to turn off automatic updates. Can someone screenshot it please? I posted a picture, there is no option for it.
Seems your Settings is different from mine.
We need a great hacker for this exploit to work..
I will patiently wait

Is X Compact using ARM or ARM64 Android?

Probably a stupid question, but I did not find a clear answer anywhere. I'm mainly asking so I know which Xposed version to flash. The SoC SD650 is 64-bit, that I know, but since a 64-bit CPU can run both 32-bit and 64-bit versions, it does not tell me specifically whether the XC is using the 64-bit version of Android or not.
ARM64
Thank you. That's what I thought. Just needed confirmation. Sticking with Marshmallow for now because Xposed for Nougat is not yet available.
Too bad that I can't get root permissions without unlocking the bootloader. On earlier Sony Compacts there was usually one or two exploits that allowed privilege escalation. I guess Marshmallow is a lot more secure because of the monthly security patches. I'm coming from the Z3 Compact btw. Skipped the Z5C.
RaXelliX said:
Thank you. That's what I thought. Just needed confirmation. Sticking with Marshmallow for now because Xposed for Nougat is not yet available.
Too bad that I can't get root permissions without unlocking the bootloader. On earlier Sony Compacts there was usually one or two exploits that allowed privilege escalation. I guess Marshmallow is a lot more secure because of the monthly security patches. I'm coming from the Z3 Compact btw. Skipped the Z5C.
I'm on MM too because of the same reason. But you can actually backup TA partition using dirtycow exploit already. Then you can unlock and root your phone.
itandy said:
I'm on MM too because of the same reason. But you can actually backup TA partition using dirtycow exploit already. Then you can unlock and root your phone.
Yep, already done. Installed Flashtool along with the patch too, and updated the Xposed-related stuff prior to unlocking and flashing. Now I'm just browsing and deciding on what kernel/ROM to use. I'm guessing the only logical choice is OmniROM.
If you do not want to run stock ROM with a kernel that has been patched with rootkernel or TA-poc to keep DRM functions (which only exist on stock anyway, heh; I guess you know that), then the guy who put AOSP 7.1.2 together (@davidteri91) also has AOSP 6.0 builds; you can find them at the AFH download link or look at his Twitter thing. Just thought I would add it. Good luck.
