possible zero-day for vzw pixel 2 xl root - Google Pixel 2 XL Guides, News, & Discussion

Idk if anyone has seen this yet, but this might be a possible zero day exploit that can be used for root on the vzw pixel 2 xl. https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
Someone with more knowledge on root can probably exploit it.

t2noob said:
> Idk if anyone has seen this yet, but this might be a possible zero day exploit that can be used for root on the vzw pixel 2 xl. https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
> Someone with more knowledge on root can probably exploit it.
I certainly hope so, it would be great news.

Better hurry. It's gonna be patched on October security patch

The poc works on the latest security update. It just needs to be updated to elevate permissions to root or unlock bootloader. So we just need someone who knows how to code to elevate permissions using this poc any takers ???

This on pixel 1 xl forum

I'm not up to date on what Android has become, so I'm not sure how to get from temproot to OEM unlock partitions, but here's temproot for the Verizon Pixel 2 XL anyway.
The output of 'uname -a' must be:
Code:
Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
Now I, too, will wait for someone to write up the rest
EDIT:
Updated code and binary here: https://github.com/kangtastic/cve-2019-2215
If you're an end user who already has the .zip from here, you're good. There's no change to the rooting part, and it won't directly help with unlocking the Verizon bootloader.
If you're a developer thinking about touching other affected phones/kernels, then I hope you find my work useful

comradesven said:
> I'm not up to date on what Android has become, so I'm not sure how to get from temproot to OEM unlock partitions, but here's temproot for the Verizon Pixel 2 XL anyway.
> The output of 'uname -a' must be:
> Now I, too, will wait for someone to write up the rest
what does this mean?

kancrutt said:
> what does this mean?
As far as I see, it is just a temporary solution to "root"; to be more concrete, this screen shows that SELinux has been set to passive, which ofc opens a lot of possibilities. However, this particular method here will not unlock the bootloader. Now let's hope someone actually comes up with some idea to unlock it.
P.S Huge thanks to comradesven for making this !

Here is POC zip if this is any help, someone built it on s8 forum. Picture conversation so up to date on zip. sean

I can confirm the temp root works

comradesven said:
> I'm not up to date on what Android has become, so I'm not sure how to get from temproot to OEM unlock partitions, but here's temproot for the Verizon Pixel 2 XL anyway.
> The output of 'uname -a' must be:
> Code:
> Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
> Now I, too, will wait for someone to write up the rest
Before I try to work out a method to unlock the bootloader, once I run this, will I be able to reboot my phone before I unlock the bootloader?
EDIT: I've been working with the temproot for a few hours. If progress stays steady, I'll have an unlock method before the end of the night.

Mine worked too!

It does work, however, it does not grant access to everything. SElinux is permissive tho, so, i hope all of this will be enough for unlocking bootloader

Hexlay said:
> It does work, however, it does not grant access to everything
Weird, I am able to access build.prop
https://imgur.com/a/68vvUNx

logan2611 said:
> Weird, I am able to access build.prop
> https://imgur.com/a/68vvUNx
Hmm... now i'm sad. Did you reboot device after this or how it's different?

Hexlay said:
> Hmm... now i'm sad. Did you reboot device after this or?
I have not rebooted. Also as far as I know the root does not persist.

logan2611 said:
> I have not rebooted. Also as far as I know the root does not persist.
Ye i guess so... Well, very strange, i did everything, my selinux is set to permissive, how i have a half of permissions
P.S repeated process and now i have full access, very strange, however at least repeating works
P.S 2 ah, so killing terminal emulator and getting back gives same result, so once you run it, you should not close terminal or you will lose access

Hexlay said:
> As far as I see, it is just a temporary solution to "root"; to be more concrete, this screen shows that SELinux has been set to passive, which ofc opens a lot of possibilities. However, this particular method here will not unlock the bootloader. Now let's hope someone actually comes up with some idea to unlock it.
> P.S Huge thanks to comradesven for making this !
fingers crossed!
damn I just installed Oct security patch :/

Does anyone know what eomlock-bridge-client does? I see an option for device_lock 0

How are you guys getting the file to even copy? Every time I attempt to copy it I get "cp: ./taimen: Read-only file system"


Anyone going to do a 1 click root ?

None of the rooting methods are working for me.
What is not working? I was having difficulties as well but found a workaround.
I have rooted and flashed my Vibrant but cannot understand the directions enough to attempt to root the Nexus S. I have tried hooking the phone up to adb which is installed on my PC but it does not recognize the device and says permission denied. I am confused, do I use adb? Do I use fastboot (which I have no idea how to use)? I have used Terminal Emulator on the Vibrant and my Nexus One but you have to have root to use it. I know I am not very educated in these matters but any and all help would be greatly appreciated, other than I should take the phone back and get a refund as I am not bright enough to own one!! Which I have been told. They may be right LOL LOL
In my opinion, the creators of wonderful one click rooting apps like z4root, universal one click root, visionary etc. should try to integrate support for nexus S in their upcoming builds.
aliwaqas said:
> In my opinion, the creators of wonderful one click rooting apps like z4root, universal one click root, visionary etc. should try to integrate support for nexus S in their upcoming builds.
These root options use a security exploit that doesn't work anymore on Gingerbread (tested yesterday on IRC #NSdev)
What no more one-click roots! Err....
I get adbwinapi.dll not found when I type fastboot devices
siberslug said:
> I get adbwinapi.dll not found when I type fastboot devices
I was just lazy in setting up my ADB/Fastboot and stopped for work at this point, but interesting that I have the same issue.
I don't think it can't get any easier than: fastboot oem unlock
siberslug said:
> I get adbwinapi.dll not found when I type fastboot devices
in the latest SDK revision they moved adb to \platform-tools. you need to change the PATH variable to that folder and restart your computer for it to take effect
Good call. Thanks >;]
slowz3r said:
> in the latest SDK revision they moved adb to \platform-tools. you need to change the PATH variable to that folder and restart your computer for it to take effect
Sent from my Nexus S using XDA App
southeastbeast said:
> Good call. Thanks >;]
> Sent from my Nexus S using XDA App
no problemo, at first I didnt realize it either

[Official] Note 4 Verizon Bootloader Unlock

Enjoy. Don't forget to thank @beaups too, he discovered the eMMC backdoor and exploited it!
UPDATE: [8/2/16] I have recompiled the binary to fix issues with older ROMs like 4.4. This should fix all the issues with "This is for samsung device only" errors.
THIS WILL NOT WORK ON GALAXY S3/GALAXY S4/GALAXY S6|e/Galaxy S7|e. It will NOT work on AT&T
More info on doing this: here
DON'T UPDATE YOUR BOOTLOADER TO ANYTHING AFTER THE LATEST BUILD AS OF 4/19/16
Disclosure: I do not own a Note 4. The exploit happened to be applicable to the Note 4, and we compiled it for your devices rather than not release it at all. This seems like a reasonable and friendly thing to do for the community. I can't help you root or teach you how to use ADB. It's important you have the ability to do these things or research them a bit before blindly using this. I am very familiar with Samsung however, and time permitting, will do my best to help anyone having issues.
You should not run this if you don't understand it. For those who are capable but need some help go here
ROOT REQUIRED, we aren't responsible for anything you do with this.
You NEED a MicroSD, and it WILL be formatted during this process.
YOU MUST DISABLE REACTIVATION LOCK OR YOU WILL HAVE ISSUES!!!!!!!!!
You can download the eMMC brick bug check app on the Play Store to verify your CID starts with 15. If it does, you are good. If not, it will not work.
UPDATE: Anyone having issues with the "this is for samsung devices only" error, please use the fix attached to this post
Download
The code below is NOT a script, you must enter the commands manually.
First you must unzip the file.
Code:
adb push unlock_n4 /data/local/tmp/
adb shell
su
cd /data/local/tmp/
chmod 777 unlock_n4
chown root.root unlock_n4
./unlock_n4
Allow device to reboot. After full reboot, power down and pull battery. May need to run it twice if it doesn't work after the battery pull.
Paypal: [email protected] [COMPLETELY VOLUNTARY AND OPTIONAL]
Wow! Awesome. Would like to pay my bounty now.
Sent from my SM-N910V using Tapatalk
I can confirm this works. I tested on my Note 4 with 5.1.1 with temp root for Ryan. Running TWRP and about to install CM
Anyway now we can look into doing this for the AT&T model ? N910A? Since we have the Verizon model taken care of
Sent from my SAMSUNG-SM-N910A using Tapatalk
please post a video on how to do this because I don't know squat about adb. I have the Verizon note 4 with unlimited data. I know ill have to back up all of my data to my pc but I haven't even used the temp root and don't know how to do that either
nemopsp said:
> Anyway now we can look into doing this for the AT&T model ? N910A? Since we have the Verizon model taken care of
> Sent from my SAMSUNG-SM-N910A using Tapatalk
Won't work unfortunately.
Akashp2011 said:
> please post a video on how to do this because I don't know squat about adb. I have the Verizon note 4 with unlimited data. I know ill have to back up all of my data to my pc but I haven't even used the temp root and don't know how to do that either
That is out of the scope of this thread.
Akashp2011 said:
> please post a video on how to do this because I don't know squat about adb. I have the Verizon note 4 with unlimited data. I know ill have to back up all of my data to my pc but I haven't even used the temp root and don't know how to do that either
right to learn adb bro ...
http://forum.xda-developers.com/showthread.php?t=2266638
Wow...waiting my device arrived tomorrow...thank it awesome
ryanbg said:
> That is out of the scope of this thread.
okay then can you please provide step by step instructions on how to do this? I can manage to temp root my device
Great! Can't wait to get home!
Sent from my SM-N910V using XDA-Developers mobile app
munchy_cool said:
> right to learn adb bro ...
> http://forum.xda-developers.com/showthread.php?t=2266638
preciate ya
sixtythreechevy said:
> Wow! Awesome. Would like to pay my bounty now.
> Sent from my SM-N910V using Tapatalk
Updated OP with address
Akashp2011 said:
> okay then can you please provide step by step instructions on how to do this? I can manage to temp root my device
once you are comfortable with adb, the instructions in OP are a walk in the park. Read the other thread I linked to and try some adb commands like
adb reboot bootloader
it's easy , just give it a try first.
and this works for retail note 4, right? im just making sure because ive waited so d*mn long for this moment.. lol
Akashp2011 said:
> and this works for retail note 4, right? im just making sure because ive waited so d*mn long for this moment.. lol
yes, make sure your cid is 15. Download brickbug app from Playstore and check cid, it should start with 15.
ryanbg said:
> Won't work unfortunately.
Well Congrats for Verizon users!! #HAPPYDAY
Now wish someone could at least permanently root N910A model.
Sent from my SAMSUNG-SM-N910A using Tapatalk
Do I just leave the file in my downloads on my pc or will it just transfer it automatically to my phone
HORIZONx720 said:
> Do I just leave the file in my downloads on my pc or will it just transfer it automatically to my phone
like it says in OP, your card will be wiped so you have to backup card contents manually.
ryanbg said:
> Enjoy. Don't forget to thank @beaups too
> ROOT REQUIRED, we aren't responsible for anything you do with this.
> You NEED a MicroSD, and it WILL be formatted during this process.
> Download
> Code:
> adb push samsung_unlock_n4-2 /data/local/tmp/
> adb shell
> su
> cd /data/local/tmp/
> chmod 777 samsung_unlock_n4-2
> chown root.root samsung_unlock_n4-2
> ./samsung_unlock_n4-2
> Allow device to reboot. After full reboot, power down and pull battery. May need to run it twice if it doesn't work after the battery pull.
> Paypal: [email protected] [COMPLETELY VOLUNTARY AND OPTIONAL]
How does one obtain root for this though?

Verizon Pixel XL- Toggling the oem unlock switch *SOLVED*

I have the Verizon Pixel XL and can now toggle the oem unlock switch in developers settings. Annoyed with the "grey out" I have done several things to make the switch useable. Well... Something worked. Now it's time to figure out what did the trick.
Solved. Using a root file explorer, go to /data/system/users/0.xml. Open it up and edit it to reflect no restrictions. Or clone mine, might wanna remove my name though.. One requirement for this to work, all testing shows it will not work on stock kernel. Not sure if it's a selinux issue or not but the modified ElementalX I made does boot up permissive and removes forceencryption. And using it Confirmed working..
I am decrypted and running permissive. All done through kernel editing. Not sure that made a difference or not but did notice any changes beforehand.
So you added the supercid through the kernel editing?
blueyes said:
> I am decrypted and running permissive. All done through kernel editing. Not sure that made a difference or not but did notice any changes beforehand.
Sorry to be a bit off-topic but do you plan to document how you did the decrypt and permissive mode anywhere?
I'm guessing one of the unlock properties is what did it. I think something on the phone is recognizing it as a VZW model and is setting one of the properties to 0 and graying it out. I'll do some digging this weekend
dualityim said:
> Sorry to be a bit off-topic but do you plan to document how you did the decrypt and permissive mode anywhere?
To decrypt you must fastboot format userdata. Flash a kernel that does NOT force encryption. Don't know if any are available so I edited the radial myself, on both kernel and boot-to-root images. To run permissive you simply add androidboot.selinux=permissive. I can upload the edited images later if you're unfamiliar with modifications
jjayzx said:
> So you added the supercid through the kernel editing?
Just added it to the kernel cmdline
blueyes said:
> Just added it to the kernel cmdline
Thanks. I'll be back in a moment.
Update: It didn't work that way. Trying something a little different.
Update 2: Managed to change cid but still 0 for unlock support and grey. Going to try 1 more thing.
jjayzx said:
> Thanks. I'll be back in a moment.
> Update: It didn't work that way. Trying something a little different.
> Update 2: Managed to change cid but still 0 for unlock support and grey. Going to try 1 more thing.
The kernel cmdline has to be edited before flashing. Try adding the persist.sys.oem_unlock... Line. Before run su , then set enforce 0
Why is being able to toggle it a big deal? If you're unlocked then why does that matter ?
Rootuser3.0 said:
> Why is being able to toggle it a big deal? If you're unlocked then why does that matter ?
Who said it was a big deal. I clearly stated in op that it annoyed me. If you've got nothing positive to say then don't say anything.
blueyes said:
> Who said it was a big deal. I clearly stated in op that it annoyed me. If you've got nothing positive to say then don't say anything.
And it's not just about being greyed out. I can now lock my bootloader and unlock it without any exploits. Simply using fastboot. Which sir, I do find to be a nice feature...
blueyes said:
> Who said it was a big deal. I clearly stated in op that it annoyed me. If you've got nothing positive to say then don't say anything.
I never said you said" it was a big deal" I said that. Go kick rocks
I lost my ability of changing the cid but then i remembered it was after i had did the supercid. So when i put them both back my cid is now changed but my unlock support is still 0. I tried adding persist to default.prop but it didn't take or i did it wrong.
blueyes said:
> To decrypt you must fastboot format userdata. Flash a kernel that does NOT force encryption. Don't know if any are available so I edited the radial myself, on both kernel and boot-to-root images. To run permissive you simply add androidboot.selinux=permissive. I can upload the edited images later if you're unfamiliar with modifications
Did you do the kernel command on the phone? How do I edit default.prop? I feel like that's where the transformation takes place since it's not editable like the build prop
jjayzx said:
> I lost my ability of changing the cid but then i remembered it was after i had did the supercid. So when i put them both back my cid is now changed but my unlock support is still 0. I tried adding persist to default.prop but it didn't take or i did it wrong.
Did you add the line persist.sys.oem_unlock_supported=1.
Persists seems to be equivalent to a system override
Rootuser3.0 said:
> I never said you said" it was a big deal" I said that. Go kick rocks
Go troll somewhere else.
blueyes said:
> Did you add the line persist.sys.oem_unlock_supported=1.
> Persists seems to be equivalent to a system override
Here's my build.prop
https://www.dropbox.com/s/bxgrk7ug66jiuz1/logs.zip?dl=0
cam30era said:
> Use Android Image Kitchen > http://forum.xda-developers.com/showthread.php?t=2073775
Ok thank you and is this done through terminal or pc
cam30era said:
> There are Windows and Linux versions (which I use). There's also a mobile version, but I've never used it.. Read @osm0sis thread. Very helpful.
That may be over my head as far as my abilities and I hate to create a new brick

5.4.0.0

Just got an update at 2:30CST.
Oh great...now what. Kingroot updated today. It keeps telling me I have root. I don't. But I did fool around with permissions in ADB...I was trying to issue it permissions it didn't have. It only started to tell me I had root after I did that. Though ADB gave me an error when adding some of them.
updated too, no changelog
This is great! People - use No root Firewall to block OTA so you won't get it because this must mean there is an exploit in 5.3.3.0
savvytechwinner said:
> This is great! People - use No root Firewall to block OTA so you won't get it because this must mean there is an exploit in 5.3.3.0
Or NetGuard. I bought a license a while back so it can resolve hostnames. I have every Amazon app on wifi lockdown and all of their current known servers and IPS blocked. It takes a bit to get used to and to figure out what apps use what IPs. But I finally got it set up pretty darn good. Still in 5.3.3.0 as well.
savvytechwinner said:
> This is great! People - use No root Firewall to block OTA so you won't get it because this must mean there is an exploit in 5.3.3.0
BTW look out for exploits of the CVE type. Those seem to be what a lot of Android exploits are written from. I managed to get a dirtycow cow script to run, unfortunately all I got out of it was a wiped internal sdcard and no SuperUser. But it was the first time I've been able to execute a dirtycow script successfully on fireOS. Successful as in at least it ran.
savvytechwinner said:
> This is great! People - use No root Firewall to block OTA so you won't get it because this must mean there is an exploit in 5.3.3.0
Doubtful - more likely extended feature/functionality (especially around Alexa), optimizations and bug fixes.
Davey126 said:
> Doubtful - more likely extended feature/functionality (especially around Alexa), optimizations and bug fixes.
It might be Cast Screen. I just noticed they added an option in developers options for the wireless display certification. Also now have access to some Accessibility features that were hidden, almost like usage access but not quite.
DragonFire1024 said:
> Or NetGuard. I bought a license a while back so it can resolve hostnames. I have every Amazon app on wifi lockdown and all of their current known servers and IPS blocked. It takes a bit to get used to and to figure out what apps use what IPs. But I finally got it set up pretty darn good. Still in 5.3.3.0 as well.
>
> BTW look out for exploits of the CVE type. Those seem to be what a lot of Android exploits are written from. I managed to get a dirtycow cow script to run, unfortunately all I got out of it was a wiped internal sdcard and no SuperUser. But it was the first time I've been able to execute a dirtycow script successfully on fireOS. Successful as in at least it ran.
When you ran C0ward/DirtyC0W/moo it gave you temp root? Interestingly my tablet updated to Fire 5.4 >: | I don't know how. Also KingRoot used a different strategy in the new update - I think they released a few security patches
savvytechwinner said:
> When you ran C0ward/DirtyC0W/moo it gave you temp root? Interestingly my tablet updated to Fire 5.4 >: | I don't know how. Also KingRoot used a different strategy in the new update - I think they released a few security patches
I never saw a #. All I know is the script ran, finished but I didn't have su so far as I could tell. I tried sudo and su and got "not found". Rootchecker said no root as well. But the internal sdcard storage was completely erased.
EDIT: this is the one I ran: https://github.com/timwr/CVE-2016-5195 It was updated recently to fix the exploit couldn't be downloaded error. It ran for a while too. All the way. At the end said done. I guess it meant done erasing your card lol.
DragonFire1024 said:
> It might be Cast Screen. I just noticed they added an option in developers options for the wireless display certification. Also now have access to some Accessibility features that were hidden, almost like usage access but not quite.
Quite possible. Amazon and other distributors have been working through ridiculous DRM restrictions in the US and elsewhere. One reason you see additional content now available for download on standard Android devices. Possible they have secured agreements around generic casting. Obviously shameless speculation but I can see those dots being connected.
DragonFire1024 said:
> I never saw a #. All I know is the script ran, finished but I didn't have su so far as I could tell. I tried sudo and su and got "not found". Rootchecker said no root as well. But the internal sdcard storage was completely erased.
> EDIT: this is the one I ran: https://github.com/timwr/CVE-2016-5195 It was updated recently to fix the exploit couldn't be downloaded error. It ran for a while too. All the way. At the end said done. I guess it meant done erasing your card lol.
Here is a question. When an actual SDcard is placed into the slot, what are the permissions? Are they set the same across all devices?
I have 5.4.0.0 waiting in system updates. It's trying to get past my firewall.
I got my 7" 7th gen already updated to 5.3.3.0 right after first power on I went out 10 mins and it updated while I was outside... I'm so unlucky
The firmware is available for download now, so I got it, and extracted the bootloader files.
Surprisingly, the preloader_prod.img and lk.img files haven't changed since 5.3.3.0 (which seems to suggest that a rollback might be possible???) but tz.img and preloader.img have.
The build.prop file contains
Code:
ro.build.mktg.fireos=Fire OS 5.4.0.0
ro.build.version.name=Fire OS 5.3.4.0 (579225620)
They must have been in a hurry... also what about the size? They lost more than 10%...
steve8x8 said:
> The firmware is available for download now, so I got it, and extracted the bootloader files.
> Surprisingly, the preloader_prod.img and lk.img files haven't changed since 5.3.3.0 (which seems to suggest that a rollback might be possible???) but tz.img and preloader.img have.
> The build.prop file contains
> Code:
> ro.build.mktg.fireos=Fire OS 5.4.0.0
> ro.build.version.name=Fire OS 5.3.4.0 (579225620)
> They must have been in a hurry... also what about the size? They lost more than 10%...
A rollback won't do any good if there's no root.
It's a damn shame when Amazon won't even let you run Live Wallpapers. They really know how to take all the fun out of it. A real shame.
DragonFire1024 said:
> It's a damn shame when Amazon won't even let you run Live Wallpapers. They really know how to take all the fun out of it. A real shame.
Although I agree with your sentiments Amazon is not alone in that choice. Seen several custom ROMs omit the necessary underpinnings for live wallpapers citing resource consumption (dubious claim IMO) and additional complexity/size for a service that only serves one purpose. Latter might be Amazon's motivation.
Davey126 said:
> Although I agree with your sentiments Amazon is not alone in that choice. Seen several custom ROMs omit the necessary underpinnings for live wallpapers citing resource consumption (dubious claim IMO) and additional complexity/size for a service that only serves one purpose. Latter might be Amazon's motivation.
I have had a few of the several Live Wallpapers on my XT907 for sometime now. It drains little if any noticeable resources and or battery power. Amazon has it set so you can only have wallpapers if the images are uploaded to prime photos.
DragonFire1024 said:
> I have had a few of the several Live Wallpapers on my XT907 for sometime now. It drains little if any noticeable resources and or battery power. Amazon has it set so you can only have wallpapers if the images are uploaded to prime photos.
Well that's a dart in the ass. Really no call for such a restriction IMHO.
Davey126 said:
> Well that's a dart in the ass. Really no call for such a restriction IMHO.
I can get the wallpapers to run...just not as wallpapers. Activity Launcher brings them out, but They run over the top of everything. And they aren't gifs so I can't upload them and even if I could i would need to register back with Amazon.

[EXP] Verizon Pixel/Pixel 2 (& XL) Potential Bootloader Unlock Method

Since Android O implements a mechanism for us to "overlay" frameworks values via OMS, I thought maybe we could leverage that to find a way to disable the OEM unlock check that blocks Verizon Pixels from unlocking the bootloader.
For science, let's do an experiment. If this works, then great, we have a bootloader unlock method for our Verizon brethren. If not, at least the APK is easy to uninstall.
Before proceeding, be advised that any experiments performed here may result in unforeseen consequences. By proceeding, you agree that neither I nor anyone else will be held responsible for said consequences, and that this will solely be at your own risk. Since this experiment applies only to Verizon phones, assume all warranties are null and void.
Prerequisites:
- Verizon Pixel/Pixel 2/XL
- Android OS updated to 8.1.0
- USB debugging enabled on the phone
- ADB installed and properly configured on your PC
- USB-C to USB-A cable (unless you have a USB C port on your PC, then you can use a C-to-C cable instead)
How to enable the experiment:
Download the attached APK
Sideload the APK
Open Command Prompt/PowerShell/Terminal, and type in "adb shell"
Type in "cmd overlay list" and hit enter
Confirm that "[ ] com.pixeloembypass" is in the list
Type in "cmd overlay enable com.pixeloembypass", and hit enter
Reboot the phone
Go into Developer Options to see if "OEM unlocking" can now be toggled on. If so, congratulations!
If "OEM unlocking" is able to be enabled, do so, and reboot the phone into fastboot mode. Unlock as per directions on the factory images site.
NOTE: As usual, if bootloader is unlocked/relocked, a factory reset will be performed.
How to uninstall the experiment:
Open Command Prompt/PowerShell/Terminal, and type in "adb shell"
Type in "cmd overlay list" and hit enter
Confirm that "[x] com.pixeloembypass" is in the list
Type in "cmd overlay disable com.pixeloembypass", and hit enter
Go into Settings->Apps, and uninstall "Pixel OEM Bypass"
Reboot the phone
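An added example (not part of the original post or the attached APK): a Python script that parses `cmd overlay list` output, the command used in the steps above, and flags overlays that are not on an expected list, which is how an administrator could spot a sideloaded framework overlay such as this one. The sample output, the allowlist and the `com.example.*` package names are constructed; the target-package header lines and the `---` state are assumptions about the command's output layout, and placing `com.pixeloembypass` under the `android` target is an assumption based on the post's description.

```python
import re

# Constructed sample of `cmd overlay list` output (not captured from a device).
# Assumed layout: a target package name on its own line, followed by one line
# per overlay: "[x]" = enabled, "[ ]" = disabled, "---" = not currently usable.
SAMPLE_OUTPUT = """\
com.android.systemui
[ ] com.example.vendor.theme.dark

android
[x] com.example.vendor.framework.res
[x] com.pixeloembypass
--- com.example.stale.overlay
"""

# Hypothetical allowlist: overlays known to ship with the build being audited.
ALLOWED = {
    "com.example.vendor.theme.dark",
    "com.example.vendor.framework.res",
}

_ENTRY = re.compile(r"^(\[x\]|\[ \]|---)\s+(\S+)$")
_STATE = {"[x]": "enabled", "[ ]": "disabled", "---": "unavailable"}


def parse_overlay_list(text):
    """Return one dict per overlay: target package, overlay package, state."""
    entries = []
    target = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if match:
            entries.append({
                "target": target,
                "overlay": match.group(2),
                "state": _STATE[match.group(1)],
            })
        else:
            # Any non-entry line is treated as the next target package header.
            target = line
    return entries


def audit(entries, allowed, sensitive_targets=("android",)):
    """Flag overlays that are not on the allowlist.

    An enabled, unlisted overlay on a sensitive target (the framework
    package "android" by default) is rated "high"; any other unlisted
    overlay is rated "review".
    """
    findings = []
    for entry in entries:
        if entry["overlay"] in allowed:
            continue
        is_high = (entry["state"] == "enabled"
                   and entry["target"] in sensitive_targets)
        findings.append((
            "high" if is_high else "review",
            entry["target"],
            entry["overlay"],
            entry["state"],
        ))
    return sorted(findings)


if __name__ == "__main__":
    for severity, target, overlay, state in audit(
            parse_overlay_list(SAMPLE_OUTPUT), ALLOWED):
        print(f"{severity:6} {overlay} -> {target} ({state})")
```

On a real device the input would be the text returned by `adb shell cmd overlay list`, saved to a file and passed to `parse_overlay_list`.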
This is amazing! Will try it here in about an hour and report back
Maybe tell these guys. They've been at it for a while. You might even get the bounty.
https://forum.xda-developers.com/pixel-2-xl/how-to/temp-root-bounty-verizon-users-t3710652
TBH I have serious doubts about this working im inclined to believe this is just an overlay to make the toggle look visible but doesn't actually toggle anything when u try to push the toggle..I'll try it out in a few minutes
Sent from my iPhone using Tapatalk
djkinetic said:
> TBH I have serious doubts about this working im inclined to believe this is just an overlay to make the toggle look visible but doesn't actually toggle anything when u try to push the toggle..I'll try it out in a few minutes
> Sent from my iPhone using Tapatalk
So? Come on dj! Lol
Sent from my Pixel 2 using XDA-Developers Legacy app
djkinetic said:
> TBH I have serious doubts about this working im inclined to believe this is just an overlay to make the toggle look visible but doesn't actually toggle anything when u try to push the toggle..I'll try it out in a few minutes
have more faith.. john mccain posted it after all
Hope it works
Sent from my Pixel 2 XL using Tapatalk
PresidentMcCain said:
> Since Android O implements a mechanism for us to "overlay" frameworks values via OMS, I thought maybe we could leverage that to find a way to disable the OEM unlock check that blocks Verizon Pixels from unlocking the bootloader.
> For science, let's do an experiment. If this works, then great, we have a bootloader unlock method for our Verizon brethren. If not, at least the APK is easy to uninstall.
> Before proceeding, be advised that any experiments performed here may result in unforeseen consequences. By proceeding, you agree that neither I nor anyone else will be held responsible for said consequences, and that this will solely be at your own risk. Since this experiment applies only to Verizon phones, assume all warranties are null and void.
> Prerequisites:
> - Verizon Pixel/Pixel 2/XL
> - Android OS updated to 8.1.0
> - USB debugging enabled on the phone
> - ADB installed and properly configured on your PC
> - USB-C to USB-A cable (unless you have a USB C port on your PC, then you can use a C-to-C cable instead)
Have you tested this? Also what is all included in this APK? My concern is just installing random APK files that are added to a forum. Sorry, I am not trying to be a Debbie downer.
Edit:
I downloaded it on my phone just to see what permissions it calls for and it doesn't open the file.
Didn't work for me. Any tips to try?
thompatry said:
> Have you tested this? Also what is all included in this APK? My concern is just installing random APK files that are added to a forum. Sorry I am not trying to be a Debbie downer.
u can decompile the apk lol.. pretty sure its just an overlay thats supposed to "ungrey" the oem unlock switch to allow u to toggle it.. had a few ppl trying it.. first report it didnt do anything
elliwigy said:
> u can decompile the apk lol.. pretty sure its just an overlay thats supposed to "ungrey" the oem unlock switch to allow u to toggle it.. had a few ppl trying it.. first report it didnt do anything
Ehh I am just lazy to decompile it. Just tell everyone what's inside of it from the get go and move on from there.
I figure it wouldn't work but hey, worth the try.
thompatry said:
> Ehh I am just lazy to decompile it. Just tell everyone what's inside of it from the get go and move on from there.
> I figure it wouldn't work but hey, worth the try.
i understand lol.. when im lazy i just use a file browser n view as an archive lol
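The quick check discussed in the posts above (opening the APK as an archive rather than decompiling it), as an added example that is not part of the thread: it lists a package's entries and flags anything that carries executable code, on the assumption that a pure resource overlay should ship none. The function names are hypothetical and both sample archives are constructed in memory; neither is the APK posted here.

```python
import io
import zipfile

# A resource-only overlay needs no executable code, so any of these is a red flag.
CODE_SUFFIXES = (".dex", ".so", ".jar", ".apk")

def classify_entry(name):
    """Return the kind of executable content an archive entry represents, or None."""
    lower = name.lower()
    if "/" not in lower and lower.startswith("classes") and lower.endswith(".dex"):
        return "dex"          # top-level classes.dex, classes2.dex, ...
    if lower.startswith("lib/") and lower.endswith(".so"):
        return "native"       # per-ABI native libraries
    if lower.endswith(CODE_SUFFIXES):
        return "embedded"     # code or nested packages tucked into assets/ etc.
    return None

def triage_apk(data):
    """Summarise an APK given as bytes: its entries, code-bearing files, verdict."""
    report = {"entries": [], "code": []}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            report["entries"].append(info.filename)
            kind = classify_entry(info.filename)
            if kind:
                report["code"].append((kind, info.filename))
    has_manifest = "AndroidManifest.xml" in report["entries"]
    report["resource_only"] = has_manifest and not report["code"]
    return report

def build_sample(files):
    """Build a constructed in-memory APK-like zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in files:
            z.writestr(name, b"constructed sample")
    return buf.getvalue()

# Constructed samples, not the APK from the thread.
OVERLAY_ONLY = build_sample(["AndroidManifest.xml", "resources.arsc", "META-INF/CERT.RSA"])
WITH_CODE = build_sample(["AndroidManifest.xml", "resources.arsc", "classes.dex",
                          "lib/arm64-v8a/libx.so", "assets/stage2.dex"])

if __name__ == "__main__":
    for label, sample in (("overlay-only", OVERLAY_ONLY), ("with-code", WITH_CODE)):
        r = triage_apk(sample)
        print(label, "resource_only =", r["resource_only"], r["code"])
```

A resource-only verdict says nothing about which values the overlay changes or which package it targets; the binary AndroidManifest.xml and resources.arsc still have to be decoded to see that.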
collinjames said:
> Didn't work for me. Any tips to try?
Only thing I can think of is, after step 6, do this:
Code:
cmd overlay disable android.auto_generated_rro__
And then reboot.
To revert, just re-enable it and reboot.
If it still doesn't work, then I'm afraid the experiment failed
thompatry said:
> Have you tested this? Also what is all included in this APK? My concern is just installing random APK files that are added to a forum. Sorry, I am not trying to be a Debbie downer.
That's okay, it's completely understandable. I agree - typically, you wouldn't want to install a random APK built by a stranger.
I wish I could test it myself, but both my Pixels are from the Google Store, and shelling out $650+ for a test device for a shot-in-the-dark experiment doesn't sound like very responsible spending.
Tried on my P2XL device and no luck..
nelsonTituaAa said:
> Tried on my P2XL device and no luck..
Thanks for volunteering...have you given this a try?
PresidentMcCain said:
> Only thing I can think of is, after step 6, do this:
> Code:
> cmd overlay disable android.auto_generated_rro__
> And then reboot.
> To revert, just re-enable it and reboot.
> If it still doesn't work, then I'm afraid the experiment failed
nelsonTituaAa said:
> oops.. no haha.. will try again
PresidentMcCain said:
> Thanks for volunteering...have you given this a try?
tried it and still no luck.
PresidentMcCain said:
> Only thing I can think of is, after step 6, do this:
> Code:
> cmd overlay disable android.auto_generated_rro__
> And then reboot.
> To revert, just re-enable it and reboot.
> If it still doesn't work, then I'm afraid the experiment failed
Tried the command and it doesn't seem like it disabled android.auto_generated_rro__ on the overlay list.
tried this plus added recommendation and no luck. Verizon Pixel, 8.1
Anybody tried this on a Verizon Pixel 2? I'm willing to give it a shot, but would need a little more detail on the procedure if anyone is willing to help out.