[Discussion][Root] Root with [locked BL]: Snapdragon vulnerabilities on Android before March 2016
There's an interesting article that got me thinking:
http://buysoft.greatsoftline.com/vu...m-snapdragon-chip-allow-for-easy-root-access/
CVE-2016-0819 vulnerability
We discovered this particular vulnerability, which is described as a logic bug when an object within the kernel is freed. A node is deleted twice before it is freed. This causes an information leakage and a Use After Free issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)
CVE-2016-0805 vulnerability
This particular vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors.) The function returns an index for an array; however, the validation of the inputs of this function is not sufficient. As a result, when the array krait_functions is accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as part of a multiple-exploit attack.
Gaining root access
Using these two exploits, one can gain root access on a Snapdragon-powered Android device. This can be done via a malicious app on the device. To prevent further attacks that may target either the patched vulnerabilities or similar ones that have yet to be discovered, security experts are not disclosing the full details of this attack.
Trend Micro researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.
Once updates have been applied: flash back via XperiFirm, exploit that vulnerability and gain root.
What do you think?
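The CVE-2016-0805 description quoted above boils down to an index computed from caller-controlled event configuration and used to subscript a fixed-size table without a range check. The following C is an added illustration of that bug class and its fix, written for this page; it is not Qualcomm's code. The table name `evt_table`, its handler entries, the `EVT_INDEX` bit layout and the function names are hypothetical stand-ins for the real `krait_functions` array and `get_krait_evtinfo` logic, whose encoding the post does not show.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical per-event handler table (stand-in for a krait_functions-style array). */
struct evt_handler {
    const char *name;
    unsigned reg;
};

static const struct evt_handler evt_table[] = {
    { "cycles",      0x0 },
    { "l1d_refill",  0x1 },
    { "branch_miss", 0x2 },
    { "tlb_miss",    0x3 },
};

/* Hypothetical event-config encoding: bits [15:8] select the table entry.
 * In a perf driver this value ultimately comes from userspace via perf_event_open(). */
#define EVT_INDEX(config) (((config) >> 8) & 0xffu)

/* Vulnerable pattern: the index is derived from caller-controlled bits and
 * handed back without ever being compared against the table size. */
int evt_index_unchecked(uint32_t config)
{
    return (int)EVT_INDEX(config);
}

/* Hardened: validate the index before it can be used as a subscript. */
int evt_index_checked(uint32_t config)
{
    unsigned idx = EVT_INDEX(config);
    if (idx >= ARRAY_SIZE(evt_table))
        return -1;          /* -EINVAL in kernel code */
    return (int)idx;
}

/* Consumer in the role of krait_clearpmu / krait_evt_setup: only ever
 * subscripts the table through the checked path. Returns the selected
 * handler's register number, or -1 if the config was rejected. */
int evt_setup(uint32_t config)
{
    int idx = evt_index_checked(config);
    if (idx < 0)
        return -1;
    return (int)evt_table[idx].reg;
}

/* Would the unchecked index land outside the table? (1 = out-of-bounds read) */
int evt_unchecked_is_oob(uint32_t config)
{
    int idx = evt_index_unchecked(config);
    return (idx < 0 || (size_t)idx >= ARRAY_SIZE(evt_table)) ? 1 : 0;
}

int main(void)
{
    uint32_t good = 0x0200u;   /* selects entry 2 */
    uint32_t bad  = 0x7f00u;   /* selects entry 127 of a 4-entry table */

    printf("good: checked=%d setup=%d unchecked_oob=%d\n",
           evt_index_checked(good), evt_setup(good), evt_unchecked_is_oob(good));
    printf("bad:  checked=%d setup=%d unchecked=%d unchecked_oob=%d\n",
           evt_index_checked(bad), evt_setup(bad),
           evt_index_unchecked(bad), evt_unchecked_is_oob(bad));
    return 0;
}
```

With the unchecked index the driver reads whatever happens to follow the table and then acts on it, which is exactly the out-of-bounds access the article describes; the fix is to compare against `ARRAY_SIZE()` before the subscript and to make every consumer go through that checked path.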
langeveld024 said:
It was already found.
.11 fw is vulnerable at several points; however, rooting is not possible due to dm-verity and Sony RIC, which prevent modifying system.
If you search this thread you'll find more about it.
Bummer.
Pandemic said:
We are geniuses in the Z3 forum!!!!
http://forum.xda-developers.com/showthread.php?p=65856403
“Sent From MWE V9.5.0 On My Z3”
There's progress on the Z3 front
Poor Sony fans, waiting for root on a locked BL for so long; many 6.0 phones have got root already.
Gaining root with a locked BL is actually a great security risk, not something one should be proud of.
Saw this?
http://forum.xda-developers.com/showthread.php?p=65861217
Post 1677 by Pandemic
It looks promising, the Z3 just got Root on LB
Thx. Wolfbreak the developer since the X10i
Sent from my E6653 @ XDA Portal
Duvel999 said:
Saw this?
http://forum.xda-developers.com/showthread.php?p=65861217
Post 1677 by Pandemic
It looks promising, the Z3 just got Root on LB
Thx. Wolfbreak the developer since the X10i
Sent from my E6653 @ XDA Portal
Is it possible to port this root method to M with LB from the Z3????? They have the same problem with DRM keys as us.... But they won.
http://forum.xda-developers.com/z3/...oid-6-0-mm-t3337357/post65856403#post65856403
Thanks.
I don't think there will be a way to root the Z5 with LB, unfortunately.
The method there needs a custom recovery installed which is possible on Z3 due to an exploit used on an early firmware. Since there's no such achievement yet on the Z5 you will already fail with the first task and any other following.
Since they've made their success public before the final firmware is out, Sony has enough time to fix everything else.
Some people say the Z5 and Z3 use the same hardware and could technically use the Z3 ROM to root the Z5.
However, the heading of this post should change. I thought we finally had root on the Z5 family, only to find out that it's just a post talking about root on the Z3.....
zacharias.maladroit said:
There's an interesting article that got me thinking:
http://buysoft.greatsoftline.com/vu...m-snapdragon-chip-allow-for-easy-root-access/
I didn't know that information was to be disclosed in May, instead of being kept secret. Good news from our point of view...
I think that, if the vulnerabilities could be exploited also on the Z5 line (every exploit needs to be verified practically), then we could gain temporary shell root/system privilege to back up the TA partition. If I remember well, we cannot achieve permanent root on a locked bootloader, as the /system protection Sony RIC is embedded in the stock kernel image.
We would need some mobile flashing tool like this: http://forum.xda-developers.com/showthread.php?t=2334554
I think I misunderstood. The problem is the Verified Boot ("dm-verity") check introduced in the Z3+/Z4 and Z5 line.
We cannot get permanent root because this would involve modified kernel (to write on /system partition), which would not boot using a Locked bootloader because of Verified boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/verifiedboot/verified-boot.html
Google intention is (or was) to allow the boot process, after a red warning, if the verification of the kernel image didn't succeed on a locked bootloader... But Sony devices bootloop without showing any warning and so the user is not allowed to continue (source: https://androplus.org/Entry/843/ thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root, apps, Xposed, ... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares... just exciting dreams.
Anyone, correct me if I'm wrong.
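To make the dm-verity argument in the post above concrete, here is an added C sketch (written for this page; it is not Android's, Sony's or Google's code) of read-time block verification against a hash table whose root digest lives in signed metadata. Real dm-verity hashes 4 KiB blocks with SHA-256 and uses a multi-level tree; this sketch uses 16-byte blocks, a single-level table and a 64-bit FNV-1a digest as a non-cryptographic stand-in, and its block contents are constructed sample data. The three scenarios show why patching /system on a locked bootloader does not survive: a modified block is rejected, and rewriting the hash table to match is also rejected, because the root no longer agrees with the trusted value, which can only be changed by re-signing the image with the OEM key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VERITY_BLOCK   16u   /* real dm-verity: 4096 bytes */
#define VERITY_NBLOCKS 4u

typedef uint64_t vhash_t;

struct verity_image {
    uint8_t data[VERITY_NBLOCKS][VERITY_BLOCK];
    vhash_t leaf[VERITY_NBLOCKS]; /* hash table: one digest per block, stored on the partition */
    vhash_t root;                 /* trusted root: in real dm-verity it sits in the signed verity
                                   * metadata / kernel cmdline, i.e. inside what the bootloader verifies */
};

/* Stand-in digest (64-bit FNV-1a). NOT cryptographic; only here to show the tree structure. */
static vhash_t verity_hash(const uint8_t *p, size_t n)
{
    vhash_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static vhash_t verity_hash_table(const vhash_t *leaf)
{
    return verity_hash((const uint8_t *)leaf, sizeof(vhash_t) * VERITY_NBLOCKS);
}

/* Build-time: compute the leaf table and the root (what the OEM does before signing). */
static void verity_build(struct verity_image *img)
{
    for (unsigned i = 0; i < VERITY_NBLOCKS; i++)
        img->leaf[i] = verity_hash(img->data[i], VERITY_BLOCK);
    img->root = verity_hash_table(img->leaf);
}

/* Read-time check: 0 when block i is authentic, -1 (EIO in the kernel) otherwise. */
static int verity_verify_block(const struct verity_image *img, unsigned i)
{
    if (i >= VERITY_NBLOCKS)
        return -1;
    if (verity_hash_table(img->leaf) != img->root)
        return -1;  /* the hash table itself no longer chains up to the trusted root */
    if (verity_hash(img->data[i], VERITY_BLOCK) != img->leaf[i])
        return -1;  /* block content was altered */
    return 0;
}

/* Constructed sample partition: block i holds bytes i*0x10 .. i*0x10+15. */
static void verity_sample_image(struct verity_image *img)
{
    memset(img, 0, sizeof *img);
    for (unsigned i = 0; i < VERITY_NBLOCKS; i++)
        for (unsigned j = 0; j < VERITY_BLOCK; j++)
            img->data[i][j] = (uint8_t)(i * 0x10 + j);
    verity_build(img);
}

/* Scenario 1: untouched image; returns 0 when every block verifies. */
int verity_scenario_clean(void)
{
    struct verity_image img;
    verity_sample_image(&img);
    for (unsigned i = 0; i < VERITY_NBLOCKS; i++)
        if (verity_verify_block(&img, i) != 0)
            return -1;
    return 0;
}

/* Scenario 2: one byte of block 2 patched (a modified file in /system).
 * Returns 1 when the patched block is rejected and an untouched neighbour still passes. */
int verity_scenario_tampered_block(void)
{
    struct verity_image img;
    verity_sample_image(&img);
    img.data[2][5] ^= 0x01;
    int patched = verity_verify_block(&img, 2);
    int neighbour = verity_verify_block(&img, 1);
    return (patched != 0 && neighbour == 0) ? 1 : 0;
}

/* Scenario 3: the attacker also rewrites the leaf digest to match the patched block.
 * Returns 1 when the read is still rejected (root mismatch). */
int verity_scenario_patched_table(void)
{
    struct verity_image img;
    verity_sample_image(&img);
    img.data[2][5] ^= 0x01;
    img.leaf[2] = verity_hash(img.data[2], VERITY_BLOCK);
    return verity_verify_block(&img, 2) != 0 ? 1 : 0;
}

int main(void)
{
    printf("clean=%d tampered_block_detected=%d patched_table_detected=%d\n",
           verity_scenario_clean(), verity_scenario_tampered_block(),
           verity_scenario_patched_table());
    return 0;
}
```

The only way scenario 3 would pass is to recompute `root` as well, and on a production Sony device that value is covered by the boot image signature the locked bootloader checks, which is exactly the OEM-key dependency the post describes.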
ninestarkoko said:
I think I misunderstood. The problem is the Verified Boot ("dm-verity") check introduced in the Z3+/Z4 and Z5 line.
We cannot get permanent root because this would involve modified kernel (to write on /system partition), which would not boot using a Locked bootloader because of Verified boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/verifiedboot/verified-boot.html
Google intention is (or was) to allow the boot process, after a red warning, if the verification of the kernel image didn't succeed on a locked bootloader... But Sony devices bootloop without showing any warning and so the user is not allowed to continue (source: https://androplus.org/Entry/843/ thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root, apps, Xposed, ... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares... just exciting dreams.
Anyone, correct me if I'm wrong.
Personally, not having permanent root on a locked bootloader is fine with me. I just need temp root to back up the TA partition.
I am pretty sure the rest of the Z5 owners who are not yet unlocked are waiting to back up the TA partition before doing anything else.
There already is a way to restore credentials to use the Bravia Engine and the Sony goodies. But ultimately, people would like to keep their TA keys (something which they paid for) instead of losing them once they unlock the bootloader.
frostmore said:
Personally, not having permanent root on a locked bootloader is fine with me. I just need temp root to back up TA partition.
Me too
ninestarkoko said:
I think I misunderstood. The problem is the Verified Boot ("dm-verity") check introduced in the Z3+/Z4 and Z5 line.
We cannot get permanent root because this would involve modified kernel (to write on /system partition), which would not boot using a Locked bootloader because of Verified boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/verifiedboot/verified-boot.html
Google intention is (or was) to allow the boot process, after a red warning, if the verification of the kernel image didn't succeed on a locked bootloader... But Sony devices bootloop without showing any warning and so the user is not allowed to continue (source: https://androplus.org/Entry/843/ thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root, apps, Xposed, ... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares... just exciting dreams.
Anyone, correct me if I'm wrong.
I remember a few months ago... Chainfire was working on a new form of root; it doesn't modify the system partition. Doesn't this solution help us???? We don't want to lose our Sony features. :silly:
uripiruli said:
I remember a few months ago... Chainfire was working on a new form of root; it doesn't modify the system partition. Doesn't this solution help us???? We don't want to lose our Sony features. :silly:
That's the systemless root, where root is achieved without changing the system files.
But this kind of root requires a modified boot image, which cannot be done without an unlocked bootloader....
Root is becoming harder to achieve as the years pass, with samdung introducing their crap Knox and Sony with dm-verity etc. etc. Android is fast becoming another Apple, where everything is being locked up and end users are forced to adhere to the way their phones are "supposed" to be used.
F U C K U P Sony. Why can't we own the phone features we paid for? Give us the freedom to use our own phones.
devilmaycry2020 said:
F U C K U P Sony. Why can't we own the phone features we paid for? Give us the freedom to use our own phones.
here's an article on the subject http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/
explaining your and my feelings (i really understand you).
If you want, you can comment there but please stay in topic here.
ninestarkoko said:
here's an article on the subject http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/
explaining your and my feelings (i really understand you).
If you want, you can comment there but please stay in topic here.
OK, thanks for telling me about that. I'll be more attentive about my words next time.
Maybe developer Wolfbreak from the Z3 forum can help us?
Sent from my E6653 @ XDA Portal
Samsung Galaxy S7 and the Edge Exynos version just got root, wtf Sony --'.
I think the main thing about Samsung phones is that they have a recovery partition, whereas Sony does not.
Sent from my Xperia™ Z5 using Tapatalk
It's been reported that merely having an unlocked bootloader now trips SafetyNet. Google has officially turned their backs on developers and enthusiasts.
I never had a problem with Xposed or Magisk tripping SafetyNet; but an unlocked bootloader is by no means a security risk. So I'm not happy having to choose between Snapchat and an unlocked bootloader.
Sources: https://www.reddit.com/r/Android/comments/587ss9/psa_android_safetynet_now_tripped_by_unlocking/
https://www.reddit.com/r/Nexus6P/comments/586bq7/android_pay_stopped_working_on_nonrooted_device/
Discuss.
Well RIP AP....
Pixel and now this, I guess Google is becoming Apple 2.0
Can confirm: I have unrooted stock 7.0 as my primary on MultiROM and it is tripping SafetyNet. No more AP for me, I guess, since I'm NOT locking the bootloader. Nice play, Google.
Sent from my Nexus 6 using Tapatalk
IIRC Chainfire DID warn us about this, saying if we keep trying to hide root, they'll keep trying to make it harder for us to do so.
Doing it to the Pixel? Fine.. but to a Nexus phone? Kinda murders the whole selling point of Nexus.
Either way elgoog has been making some really odd decisions this past month or so.
I have an unlocked bootloader with everything stock and no root, and I got past SafetyNet for Pokemon Go.
biggiesmalls657 said:
I have an unlocked bootloader with everything stock and no root, and I got past SafetyNet for Pokemon Go.
Last I heard, Pokemon Go isn't working with SafetyNet properly right now. Download SafetyNet Helper Sample from the Play Store; it'll tell you whether you pass or not.
geokhentix said:
Last I heard, Pokemon Go isn't working with SafetyNet properly right now. Download SafetyNet Helper Sample from the Play Store; it'll tell you whether you pass or not.
Well I guess that a smartphone isn't for me, I'm gonna get a dumb phone again. Google can suck it. This is so ridiculous.
geokhentix said:
IIRC Chainfire DID warn us about this, saying if we keep trying to hide root, they'll keep trying to make it harder for us to do so.
Doing it to the Pixel? Fine.. but to a Nexus phone? Kinda murders the whole selling point of Nexus.
Either way elgoog has been making some really odd decisions this past month or so.
The only Pixel that is locked is the Verizon version.
holeindalip said:
The only Pixel that is locked is the Verizon version.
Yeah, that one isn't a part of this, as it's not unlockable. I'm talking about the Google Pixel.
This f's people who just want to install the latest factory image too; non-power users who don't root and just want the latest OS.. considering you need an unlocked bootloader to flash the images.
geokhentix said:
Yeah, that one isn't a part of this, as it's not unlockable. I'm talking about the Google Pixel.
This f's people who just want to install the latest factory image too; non-power users who don't root and just want the latest OS.. considering you need an unlocked bootloader to flash the images.
Not if you sideload the latest OTA files posted the same day :good:
By the way, does re-locking bootloader wipe data or internal? Factory image page says that "Locking bootloader will wipe the data on some devices. ".
Pretty sure on the N6 we wipe everything on both unlock and relock.
I'm planning on getting a new Nexus 6. Is it not the right time? I'm afraid this issue will make me unable to customize my new phone.
jesuajovan said:
I'm planning on getting a new Nexus 6. Is it not the right time? I'm afraid this issue will make me unable to customize my new phone.
You can still customize. You just can't do crap that you probably shouldn't be worrying about anyway. Android pay is a sham, since your credit card has an RF chip in it that works on the same scanner... but ONE FEWER companies get to track all your purchases when you use it since it leaves google out of the loop.
Indeed; also, as long as you log into Snapchat once before you install root, it seems to continue to work after root / Magisk installation.
I'm on 7.0 stock, rooted and unlocked bootloader and snapchat works fine.
pharpe said:
I'm on 7.0 stock, rooted and unlocked bootloader and snapchat works fine.
I just want to say that Snapchat is one of the worst coded apps ever
For Snapchat to work, you have to login before rooting your device, just don't log out lol
holeindalip said:
I just want to say that Snapchat is one of the worst coded apps ever
Amen.
I wonder what the hook is that it uses to check if the bootloader is locked...? It *must* go through the kernel, so maybe this is as simple as telling the kernel to LIE about it.
Well, that is simple conceptually, but not necessarily *easy* to implement.
I recently installed stock Marshmallow on my G4 Plus and for some reason SafetyNet fails. I'm using MagiskSU and have not touched the ROM at all, except that I installed TWRP (not sure if this would cause it to fail?). Would appreciate some help with this, because I can't install apps with the SafetyNet check.
Sent from my Moto G (4) using Tapatalk
Can you try checking again after disabling USB Debugging?
tywinlannister7 said:
Can you try checking again after disabling USB Debugging?
It still fails, what other possible reasons are there that makes it fail and what can I do to fix it?
Sent from my Moto G (4) using Tapatalk
SafetyNet will check your bootloader status and will fail if it is unlocked, if I'm not mistaken. I assume it is, since you run TWRP and Magisk!
EDIT: Seems like it's causing headaches for some users, since some devices' warranties are NOT voided when unlocking the bootloader (ex. Nexus/Pixel), but Android Pay stops working when it's unlocked. Kind of silly IMO. Seems like a defect if some advertised features stop working after a procedure that is accepted by the manufacturer.
daveribss said:
SafetyNet will check your bootloader status and will fail if it is unlocked, if I'm not mistaken. I assume it is, since you run TWRP and Magisk!
EDIT: Seems like it's causing headaches for some users, since some devices' warranties are NOT voided when unlocking the bootloader (ex. Nexus/Pixel), but Android Pay stops working when it's unlocked. Kind of silly IMO. Seems like a defect if some advertised features stop working after a procedure that is accepted by the manufacturer.
I was hoping that wasn't the case. It's a real pain in the butt to not be able to download some apps because of SafetyNet.
Sent from my Moto G (4) using Tapatalk
Hey guys, so Netflix has blocked users (who have an unlocked bootloader) from being able to use their app...
Has anybody found a workaround?
I have Magisk Hide and the universal SafetyNet thing installed... Is there anything I can do to fix this?
I know that installing that app from their 'help.netflix' website fixes it for some people... But it is so outdated..
KMerchak2w said:
Hey guys, so Netflix has blocked users (who have an unlocked bootloader) from being able to use their app...
Has anybody found a workaround?
I have Magisk Hide and the universal SafetyNet thing installed... Is there anything I can do to fix this?
I know that installing that app from their 'help.netflix' website fixes it for some people... But it is so outdated..
You need to pass SafetyNet completely. If you uninstall root and remove all root files in sys/etc, then Netflix should be working.
KMerchak2w said:
Hey guys, so Netflix has blocked users (who have an unlocked bootloader) from being able to use their app...
Has anybody found a workaround?
I have Magisk Hide and the universal SafetyNet thing installed... Is there anything I can do to fix this?
I know that installing that app from their 'help.netflix' website fixes it for some people... But it is so outdated..
Hey, have you found a solution?
I've got the same issue: I've installed Magisk and the SafetyNet fix (I manage to pass SafetyNet) but the latest versions of Netflix won't work..
Does your device pass the SafetyNet test after the latest update? I've heard that somebody's device does not, but mine does. That is strange behaviour.
TrueMS said:
Does your device pass the SafetyNet test after the latest update? I've heard that somebody's device does not, but mine does. That is strange behaviour.
Maybe he has the bootloader unlocked.
He may be using Xposed. An unlocked bootloader doesn't have anything to do with passing SafetyNet. My device is unlocked and it always passes the SafetyNet check (except June OTA).
Rowdyy Ronnie said:
He may be using Xposed. An unlocked bootloader doesn't have anything to do with passing SafetyNet. My device is unlocked and it always passes the SafetyNet check (except June OTA).
Wrong, an unlocked bootloader can break SafetyNet.
It is the case for me and I don't care.
Dead-neM said:
Wrong, an unlocked bootloader can break SafetyNet.
It is the case for me and I don't care.
Well, it never happened to me. SafetyNet never fails after unlocking the bootloader (not with me, never).