[SM-P605V] Verizon Temporary Root & Bootloader Unlock Research - Galaxy Note 10.1 (2014 Edition) General

Further research proves this has been done before, although perhaps not on our device. While root in a technical sense, it's severely SELinux-limited & thus not of significant utility as it is. I've made some inroads re. patching init going toward full root, but nothing certain yet. Either way, what exists should be enough to get us to an unlocked bootloader if we can get our hands on the right CID & aboot.
------
This is how I achieved temproot on the P605V. This is not a permanent root as, since our tablets run a Samsung eMMC and are/should be vulnerable to the eMMC bug, if we have the right CID and aboot & if my understanding is correct, we can convert these to developer units and unlock their bootloader!
What this basically does is downgrade to a dirtycow-vulnerable kernel & launch a temporary root shell. At the moment it can't do much as it runs within dnsmasq's SELinux context, but it's a start.
This does not apply if you're on 4.4.2, there are probably better rooting methods then. Do not upgrade to 5.1.1 in that case as you will burn fuses and will be unable to downgrade back to 4.4.2.
However, we can still crossflash between 5.1.1 versions! For our tablet, there are two: P605VVRSDPL1 (latest, patched) and P605VVRUDOH2 (earlier, unpatched). You must downgrade to P605VVRUDOH2. You will need the P605VVRUDOH2 tar.md5 and Odin - this is covered extensively for every Samsung device (including the non-VZW version of ours) so I will not repeat it here.
Once you're on P605VVRUDOH2, go through the initial setup, enable Developer Tools, then enable ADB.
The manual process (compiling from source):
You will need to obtain the following (on Linux, not tested on Windows):
- the Android 22 NDK
- https://github.com/timwr/CVE-2016-5195
- https://github.com/freddierice/trident
0. If you don't yet have it installed, install the Android NDK. I don't usually compile for Android, so I installed Android Studio from https://developer.android.com/studio/#downloads and added NDK 22 from its menus. You can likely (and perhaps should) use an earlier NDK, such as 14 or 15. Your mileage may vary.
1. Extract CVE-2016-5195 and trident
2. In CVE-2016-5195, rename 'run-as.c' to 'old-run-as.c'
3. Copy 'reverse.c' from trident into CVE-2016-5195
4. In CVE-2016-5195, rename the copied 'reverse.c' to 'run-as.c' - we're basically replacing the original payload from CVE-2016-5195 with a reverse shell from trident
5. Edit the Makefile and replace the 'root: push' section as follows:
root: push
	adb shell 'chmod 777 /data/local/tmp/dcow'
	adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
	adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/dnsmasq'
6. Run 'make root'
7. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
8. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
9. Run 'adb forward tcp:4040 tcp:4040'
10. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
11. Profit!
The precompiled process (easier, binaries attached to this post):
1. Download and unzip the attached package.
2. Open up a shell/command prompt, change into the directory you unzipped the files into, and run:
adb push dcow /data/local/tmp/dcow
adb push rshell /data/local/tmp/rshell
adb shell 'chmod 777 /data/local/tmp/*'
adb shell '/data/local/tmp/dcow /data/local/tmp/rshell /system/bin/dnsmasq'
3. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
4. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
5. Run 'adb forward tcp:4040 tcp:4040'
6. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
7. Profit!
Keep in mind, this is only temporary; a reboot will clear it and you'll have to exploit again. It is also not an extensive root as my end goal is to unlock the bootloader and get rid of the (awful) stock firmware.
Credits to timwr and all involved in the dirtycow exploit, freddierice for trident, as well as everyone on XDA whose research and comments over the past 4 years pointed me in the right direction. This tablet is still quite decent in 2020/2021, it deserves to be "free"!
----
As I understand it, as per @beaups https://github.com/beaups/SamsungCID & SamDunk, we will need two things - I hope someone in the community will volunteer these!
1. A dev-edition CID
2. An aboot dump from a dev-edition P605V (I'm not sure the regular P605 will work)
@ryanbg has made much inroad here as well. All input/assistance is appreciated!
Should these turn out to be unobtainium in some time, I will look into a permanent root solution.
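As an added defensive example (not part of the original post, nor of the timwr or trident projects), a small Python audit that parses captured `ps` and `netstat` output for the two indicators the verification step tells you to look for: a root shell whose parent is dnsmasq, and a listener on 0.0.0.0:4040. The daemon name, shell name and port are taken from the post; the sample outputs are constructed, not captured from a real P605V.

```python
"""Audit captured Android `ps` / `netstat` output for the temproot footprint
described in the post.  Assumption: daemon, shell names and port as in the post;
SAMPLE_PS and SAMPLE_NETSTAT are constructed samples, not real device output."""
import re
import subprocess
from dataclasses import dataclass

SUSPECT_DAEMONS = {"/system/bin/dnsmasq"}   # daemon the temproot overwrites (from the post)
SUSPECT_PORTS = {4040}                       # reverse-shell port used by the post
SHELL_NAMES = {"/system/bin/sh", "/system/bin/shell", "sh"}

# Constructed sample of Android toolbox `ps` output (USER PID PPID VSIZE RSS WCHAN PC S NAME).
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root      1     0     8916   756   ffffffff 00000000 S /init
root      987   1     9120   1100  ffffffff 00000000 S /system/bin/netd
root      2345  987   9120   1100  ffffffff 00000000 S /system/bin/dnsmasq
root      2350  2345  4500   800   ffffffff 00000000 S /system/bin/shell
shell     2401  1     4500   800   ffffffff 00000000 S /system/bin/sh
"""

# Constructed sample of Android toolbox `netstat` output.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:4040           0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN
tcp6       0      0 :::5555                :::*                   LISTEN
"""


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    name: str


def parse_ps(text):
    """Map pid -> Proc from toolbox `ps` output; header and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[1].isdigit():
            continue
        procs[int(cols[1])] = Proc(cols[0], int(cols[1]), int(cols[2]), cols[-1])
    return procs


def root_shells_under_daemons(procs):
    """Return (daemon_pid, shell_pid) pairs: a root shell whose parent is a suspect daemon."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if (parent is not None and parent.name in SUSPECT_DAEMONS
                and p.user == "root" and p.name in SHELL_NAMES):
            hits.append((parent.pid, p.pid))
    return sorted(hits)


LISTEN_RE = re.compile(r"^\s*tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def wildcard_listeners(text):
    """TCP ports in LISTEN state bound to every interface (0.0.0.0 or ::)."""
    ports = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) in ("0.0.0.0", "::"):
            ports.add(int(m.group(2)))
    return ports


def audit(ps_text, netstat_text):
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    findings = []
    procs = parse_ps(ps_text)
    for ppid, pid in root_shells_under_daemons(procs):
        findings.append(f"root shell pid {pid} ({procs[pid].name}) spawned by "
                        f"{procs[ppid].name} pid {ppid}")
    for port in sorted(wildcard_listeners(netstat_text) & SUSPECT_PORTS):
        findings.append(f"listener on 0.0.0.0:{port} matches the temproot reverse-shell port")
    return findings


def audit_device():
    """Pull `ps` and `netstat` from the attached device over adb and audit them."""
    ps = subprocess.run(["adb", "shell", "ps"], capture_output=True, text=True, check=True).stdout
    ns = subprocess.run(["adb", "shell", "netstat"], capture_output=True, text=True, check=True).stdout
    return audit(ps, ns)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_NETSTAT):
        print("sample:", finding)
```

A clean device should return no findings; note that the shell found this way is still confined by dnsmasq's SELinux domain, as the post says, so a root uid alone does not mean unconfined root.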


question for romanian Tattoo users

hello!!
is there someone that managed to obtain root access? if that's true, please tell me what method you used and how it went...
Root Access is quite easy to Achieve.
[GUIDE] All Tattoo questions and answers see here (from A to Z)!
http://forum.xda-developers.com/showthread.php?t=716282
1. How can I root my phone?
1.1 General information/Basic adb-commands
Rooting a phone enables you to do things, which normally aren't possible for the average user like:
- Removing apps which were preinstalled by the provider (like Orange, Vodafone, etc.). My Tattoo had Vodafone apps for buying music and other sh*t, which was installed on the system partition (to which a "normal" user has no rights to write to, including deleting).
The Tattoo was successfully rooted by a bunch of guys here, namely -bm-, mainfram3 and Coburn64 (maybe, I don't remember quite correctly). Also the Tattoo was the first phone having a security mechanism hindering a user from mounting the filesystems as read/write, which had to be overridden by remapping the read-only memory region to a read/write one. This is done by the module Tattoo-hack.ko, also made by mainfram3. He also created the first boot.img, which enabled su directly from adb and loading Tattoo-hack directly from boot on.
A few words about adb:
ADB is a tool for communicating from the PC with the mobile phone. For this a service is running on the phone enabling the communication via Terminal Emulator. Here are the most useful adb-commands:
Code:
adb push localFileFromPC /path/on/mobilephone
-> pushes a file "localFileFromPC" to a specified location on the phone
adb pull /path/to/file pathFromPC
-> receives a file from the phone and stores it to "pathFromPC"
adb remount
-> This is only possible in custom ROMs, remounts the file system to r/w automatically
adb shell "command"
-> executes "command" and returns to the computer shell
adb shell
-> opens a shell session on the phone (from here on you have to be very careful! You can now execute normal Linux commands like rm, mv, ls, chmod and so on, but not cp (this can be done through busybox)). You will have to use this more often, so get used to it ;)

Temp root on 2.3.20 firmware

It's not pretty, but I managed to get the exploit used by Archangel to work on the 2.3.20 firmware. Hopefully someone can think of something to automate this process, or knows of a better way to do this.
I believe what Archos is doing is simply restricting your ability to execute the Archangel application in the required directories, with the addition of the psneuter exploit, you can get around this.
This exploit requires that you have ADB setup, the Archangel APK, and the psneuter exploit.
Create a folder on your computer titled archosroot (or anything you would like)
Download Archangel from http://forum.xda-developers.com/showthread.php?t=928767 rename the apk to zip and extract the files.
From the extracted files navigate to "res" then to "raw"
In this folder copy "ls" and "su" to your "archosroot" folder
Download psneuter from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/psneuter/psneuter.zip and extract the files.
Copy the extracted psneuter to your "archosroot" folder.
Enable USB Debugging on your Archos, and connect it to your computer with USB.
From a command prompt, navigate to the directory ADB is installed in.
Verify that the device is connected by running
adb devices
Your archos should be listed, if not please refer to the forum on how to setup ADB for the archos
Once your archos is detected run the following commands.
adb push pathto\archosroot\psneuter /data/local/tmp
(replace pathto with the location your archosroot folder is in, for example c:\archosroot\psneuter)
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
This may take a few moments
Copy ls and su to your sdcard
adb push pathto\archosroot\ls /sdcard
adb push pathto\archosroot\su /sdcard
Connect to the shell
adb shell
move ls and su to /tmp
mv /sdcard/ls /tmp/
mv /sdcard/su /tmp/
Execute the ls exploit
/tmp/ls 0x62c7a315 0x260de680
Install the superuser application from the market (if you don't already have it)
You should now be able to run su to get root access from a terminal.
Note 1: I was previously rooted with archangel so I already had these files, I have not tried without the files being installed at all, however since this is only a temp root, the process should be the same.
Note 2: I was not able to get Titanium Backup to work, it could be the psneuter exploit prevents the application from properly requesting the right permissions.
This is good, but you should post this in the developer sup-forum
it's too hard to do this for beginners
Thanks! It's very simple instruction, will try it today. As easy as install Urukdroid.
I postponed to upgrade to 2.3.20 just due to lack of root method without SDK.
I need the root just for copy some scripts to \system\bin
this has already been done in the following thread with perm root.
http://forum.xda-developers.com/showthread.php?t=897877
Firmwares have already been made that include overclock as well, the first post reveals all.
cool.
the_Danzilla , the way you pointed to requires SDE installation. I don't want to use SDE.
Inciner8Fire said:
Download psneuter from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/psneuter/psneuter.zip and extract the files.
Copy the extracted psneuter to your "archosroot" folder.
Enable USB Debugging on your Archos, and connect it to your computer with USB.
From a command prompt, navigate to the directory ADB is installed in.
Verify that the device is connected by running
adb devices
Your archos should be listed, if not please refer to the forum on how to setup ADB for the archos
Once your archos is detected run the following commands.
adb push pathto\archosroot\psneuter /data/local/tmp
(replace pathto with the location your archosroot folder is in, for example c:\archosroot\psneuter)
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
From what I can read psneuter is a root exploit for the adbd service. So you don't need archangel to complete the root.
Can you verify what user adbd is running as after you execute psneuter.
adb shell whoami
The other thing that is mentioned in the first lines of the source code of psneuter is that it effectively disables reading the settings this will probably affect a lot of programs and probably is the reason Titanium backup is not working. So this method is effectively useless to have a working root.
wdl1908 said:
From what I can read psneuter is a root exploit for the adbd service. So you don't need archangel to complete the root.
Can you verify what user adbd is running as after you execute psneuter.
adb shell whoami
The other thing that is mentioned in the first lines of the source code of psneuter is that it effectively disables reading the settings this will probably affect a lot of programs and probably is the reason Titanium backup is not working. So this method is effectively useless to have a working root.
I was doing some more looking and you are right that because of breaking the settings this is not a good long term root.
However I would not call it useless, since you should be able to manually back up an application.
Perhaps the property file that this setting is in can be modified with this, so that it can be rooted using a more standard method.
Not sure what I did, but I was able to get root with the properties intact.
My archos had frozen today and I was forced to power it off so I know the properties were no longer neutered. I was looking at some of the properties files and for the heck of it I tried running su from a terminal, and it worked.
I opened Titanium backup and it prompted for root permissions.
Perhaps something about the forced power cycle?
I found out that when I connect to a wireless network (as required by archangel) if the disable network shares option is chosen it's not possible to root.
However it would appear that if you connect and don't select this option Archangel will still work.
I suppose there could be something else I did without realizing it, but this has worked after rebooting 5 times so far.

[TUTORIAL] How to Manually ROOT your RK3066 Device (UG007, iMitio MX1/2, mk808?)

These are instructions for rooting Android devices that utilize the RK3066 chipset (Cortex A9 Dual Core, MALI Quad-Core GFX).
I have tested and verified that these instructions work for the UG007 Android-on-a-stick...they *should* work with any other devices that utilize the same USB chipset. I can almost guarantee this will work on the Imito MX1/2 as you can swap ROMS from this device.
(Basically, if you have the right ADB drivers, you should be good to go)
As per every other thread you read on this site - I TAKE NO RESPONSIBILITY FOR ANY DAMAGES YOU MAY CAUSE TO YOUR DEVICE.
This is a fairly risk-free mod, but you know...$hit happens.
Okay. Let's start.
THIS TUTORIAL ASSUMES YOU HAVE ADB AND KNOW HOW TO USE IT, and that you're in a Windows environment. There are numerous places on the web where you can find this info...and I ain't yo mamma.
1. Download all the files attached to this thread.
2. Attach your RK3066 device to your computer via its microUSB port. You'll need to have it hooked to a display too.
3. Once booted, go to system settings. Under settings > developer options, enable USB Debugging. Under settings > USB, click "connect to computer" (This may vary depending on your ROM configuration. The point here is to have debugging enabled and your computer to recognize the stick in device manager as something other than USB storage)
4. Extract the right drivers for your system (x86/x64)
5. Go to device manager on your computer. Look for the new "unknown device". Right-click, pick "update driver software", then "browse my computer".
6. Browse to wherever you extracted the drivers in step 4. Click Next. Confirm that you want to install.
7. Open a command window in the directory where you have ADB. Type "adb devices". Still nothing, right?
8. Navigate to C:\users\MYUSERNAME\.android, where "MYUSERNAME" is your User Name. (Duh?)
9. Create a file called adb_usb.ini
10. Open it in a text editor. Add the following string and save (this tells ADB to look for our Vendor ID):
0x2207
11. You should now be able to type "adb devices" at CMD and see your device.
12. Now for the fun. Extract the stuff from "pushme" to the same directory as ADB.
13. Enter the following commands (note: The "$" and "#" symbols do not get keyed in):
Code:
adb push psneuter /data/local/tmp
adb shell
$ cd /data/local/tmp
$ chmod 777 psneuter
$ ./psneuter
14. Psneuter should run and close shell when done. Enter MOAR commands:
Code:
adb kill-server
adb devices
adb shell
15. Take a good look. Is there now a "#" sign? Good. You now have root access. You may continue. If not, then proceed to go yell at me in the comments. If yes, then proceed to enter the last batch of commands to make your newfound privileges permanent:
Code:
mount -o remount,rw -t rfs /dev/block/st19 /system
exit
adb push busybox /system/bin
adb push su /system/bin
adb install Superuser.apk
adb shell
# chmod 4755 /system/bin/busybox
# chmod 4755 /system/bin/su
# mount -o remount,ro -t rfs /dev/block/st19 /system
# exit
adb reboot
After a reboot, download a root app from Play Store to see if it worked! I find Root Checker is boffo for this sort of thing:
https://play.google.com/store/apps/...tcheck&feature=nav_result#?t=W251bGwsMSwyLDNd
THANKS/CREDITS:
Aaron Orquia @ Pocketables.com for the original "universal" root method.
AMJtech's tutorial where I found working ADB drivers and the adb_usb.ini bit to get it recognized.
The guy(s) who make Super1ClickRoot for putting all the necessary files in one easy-to-find spot.
Thanks for this tutorial.
A couple of notes:
Wow !! That's a lot of extra steps for you Windows users. Mac and Linux users start at step 11 (but if you are a Mac or Linux user, you already knew that. )
Linux: If the device still does not show up in Step 11, post, and I can help (Hint: It may not be /just/ the udev stuff.)
Is step 13 necessary? adb remount works on mine. (not sure if I had to adb root first or not) but I can have a root shell via adb without psneuter.
If adb remount succeeds, skip step 14, and continue with the 3rd line of step 15.
Linuxslate said:
Thanks for this tutorial.
A couple of notes:
Wow !! That's a lot of extra steps for you Windows users. Mac and Linux users start at step 11 (but if you are a Mac or Linux user, you already knew that. )
Linux: If the device still does not show up in Step 11, post, and I can help (Hint: It may not be /just/ the udev stuff.)
Is step 13 necessary? adb remount works on mine. (not sure if I had to adb root first or not) but I can have a root shell via adb without psneuter.
If adb remount succeeds, skip step 14, and continue with the 3rd line of step 15.
Thanks for the input! Yes, yes, I know windoze makes more work. It's also pretty widespread for folks.
For step 13 - I think it depends on the device. It would be nice for others to weigh in and let me know if it's needed. If not, I can totally remove it.
Also, in the other ROM thread I made, it's even easier to root - you just grab one of the pre-rooted ROMS and drop it in SD card...the system does the rest. Mind you, this is for the UG007.
Links UG007
If your Bluetooth connection is not working properly, try to install this custom ROM: http://blog.geekbuying.com/index.php/category/android-tv-stick-tv-box/ug007/
How to install CWM-based Recovery: http://androtab.info/clockworkmod/rockchip/
Both worked for me. I was able to connect my BT Keyboard/Mouse Pad combo
./psneuter
Failed to set prot mask (Inappropriate ioctl for device) ??
nice tutorial.. while finding the best way to work my ug007 i stumbled upon this thread via armtvtech.com
currently i only knew this tutorial to root the device, but looking at yours ill give it a try first.
digitalhigh said:
Also, in the other ROM thread I made, it's even easier to root - you just grab one of the pre-rooted ROMS and drop it in SD card...the system does the rest. Mind you, this is for the UG007.
you can't install custom roms without flashmode, can't do flashmode without opening device.. or did i get it wrong!? talking about the ug007
actually you can install a custom rom once you are rooted without opening the device, here
Linuxslate said:
(Hint: It may not be /just/ the udev stuff.)
ehm.. I'm still preparing to root, I guess you hint at the android sdk?
if not I'll holla back at you and complain why you didn't write it out in first place
but very good to know that I skip a lot by "almost" only installing ubuntu to a vm
I may be missing something, but I couldn't get this to work on my UG007
psneuter didn't work for me, gave me an error about 'invalid ioctl' or something. But the strangest thing is that "adb shell" already shows the # in the prompt.
To confirm my suspicions, I also typed "adb root", which returned "adb is already running as root".
So I proceeded with the rest of the instructions. No errors appeared, installed Superuser and I can see su and busybox in system/bin
But when I download root checker it says it wasn't properly rooted. Installing a terminal and typing "su" says permission denied - and that's it.
Am I missing something? I'm new to this rooting thing, so please don't be angry with my noobish questions
I managed to do it - but *not* by following this tutorial.
I used this: armtvtech.com/armtvtechforum/viewtopic.php?t=28 (Cant post links yet, sorry!)
Only ran the "TPSarky-VonDroid-Root" bat, and presto! I had root on UG007.
I even fixed the changing MAC address problem with wlan.ko from armtvtech.com/armtvtechforum/viewtopic.php?f=69&t=632&start=10 (link on page 2). I just copied it to /data/local/tmp, set permissions as rw-r--r-- and then used root explorer to copy it to /system/lib/modules - now I have wifi signal every time I boot the device, and don't need to mess with my router config every time
I also manage to get xbox360 wired controller working. xpad.ko on /data/local/tmp and then insmod /data/local/tmp/xpad.ko - just connect the joystick after that, and it will be recognized. Only problem is, after a reboot I have to insmod again.
I tried doing the same thing I did with wlan.ko, but nothing happens - system won't load it on boot. Am I missing something here?
The psneuter is broken
I'm on Linux, running a RK3066, and psneuter gives "Failed to set prot mask (Inappropriate ioctl for device)". Running Ice Cream Sandwich 4.1.1, kernel 3.0.8+, build RK30_anpei10w1am-r4.0.57.20121207, A10-2 cpu.
SLotman said:
I may be missing something, but I couldn't get this to work on my UG007
psneuter didn't work for me, gave me an error about 'invalid ioctl' or something. But the strangest thing is that "adb shell" already shows the # in the prompt.
To confirm my suspicions, I also typed "adb root", which returned "adb is already running as root".
So I proceeded with the rest of the instructions. No errors appeared, installed Superuser and I can see su and busybox in system/bin
But when I download root checker it says it wasn't properly rooted. Installing a terminal and typing "su" says permission denied - and that's it.
Am I missing something? I'm new to this rooting thing, so please don't be angry with my noobish questions
Try renaming old "su".
Check permissions on the su and busybox you installed.
MK808, MK809 [model T002], and the MK802 III anyone?
Hi,
Thanks OP for this information.
I have a Samsung S3 [my first android device] which I rooted with no problem, but am a total noob when it comes to these android sticks.
One can say they are very similar, so I won't be completely in the dark. OK, now that we got that out of the way...
Can anyone please confirm whether they have used this with the MK808, MK809 [model T002], and the MK802 III,
I have ordered these from 1 from amazon and 2 from ebay and am expecting delivery shortly, therefore I just want to make sure before I go bricking them one by one...
I notice that they all have RK3066 Cortex A9 chips but are manufactured by different companies. The ones I see on eBay, although they all bear the same code MK8xx, they all look very different! I presume the MK8xx code is a universal model?? just like 80486 was to the PC? given the case does this method work universally?
I intend to set them up with XBMC media centres and to use with a Xbox controller. Any advice on the best way for achieving this would be nice too.
Thanks
:good:
Linuxslate said:
Thanks for this tutorial.
Linux: If the device still does not show up in Step 11, post, and I can help (Hint: It may not be /just/ the udev stuff.)
Linuxslate, I have an MK808 that shows up in lsusb as 2207:300a when I put it in "flash mode" but it never shows up via "adb devices".
I got mine the other day and it turned out to be rooted already?
I decided to install SuperSu and that's how I found out it was rooted.
Immediately, installed Busybox, System Tuner Pro and Titanium Backup.
Rob
Rob sent this from his SPH-D710 via Tapatalk
So would this possibly work on this - http://www.zoostorm.com/Products/357-zoostorm-sl8-3305-1030-tablet-pc.aspx
States it's a Rockchip RK3066 Cortex A9 Dual Core 1.5GHz, running 4.1.1 Jelly Bean, quite interested in getting one & root would be a bonus.
psneuter broken
Hello,
the psneuter attached to the first post doesn't do anything to my ug007. I have the same error others have posted here and haven't gotten a reply about.
To unlock, I used the script that's mentioned in a post above, TPSarky-VonDroid-Root. If you google that, you'll find a download link amongst the results.
Thank u very much...:thumbup:
Linuxslate said:
Try renaming old "su".
Check permissions on the su and busybox you installed.
Can you elaborate a little bit what you mean by renaming "su"?
I'm having the same issue..
Both su and busybox are having the same permission -rwsr-xr-x.
Sent from my Transformer Prime TF201 using XDA Premium HD app
I configured one of these at work. Upon using the terminal app and typing in su I got the # sign. They seem to come from the factory rooted already.
Sent from my Nexus 4 using xda app-developers app
ageerer84 said:
I configured one of these at work. Upon using the terminal app and typing in su I got the # sign. They seem to come from the factory rooted already.
Not exactly: this particular su can be used only from adb console, or at least that's how it was on my tablet. So you need to replace it with a Superuser apk's su to get all features of rooted android. You can get one e.g. from FDroid
--
blog
Not sure what u mean by on your tablet. Android devices don't typically come rooted but I was surprised to have root access via terminal emulator on this stick PC. I just took it out of the box and definitely didn't have to go through the adb interface on a computer to flash superuser or what have you. Is this just me or is this a typical experience with this particular device?
Sent from my Nexus 4 using xda app-developers app
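As an added example (not part of the tutorial or any of the replies), a Python posture check that explains, from captured `getprop` and `ls -l /system/bin` output, the two situations this thread runs into: `adb shell` already showing `#` on a factory build, and `su` either being setuid root (the `-rwsr-xr-x` that step 15's `chmod 4755` produces) or refusing with "permission denied". The sample outputs are constructed, not captured from a real RK3066 stick.

```python
"""Root-posture check for an Android stick from captured `getprop` and `ls -l` output.
Assumption: SAMPLE_GETPROP and SAMPLE_LS are constructed samples, not real device output."""
import re
import subprocess

# Constructed `getprop` excerpt: an engineering-style build with adbd left as root.
SAMPLE_GETPROP = """[ro.build.version.release]: [4.1.1]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.product.board]: [rk30sdk]
"""

# Constructed toolbox `ls -l /system/bin` excerpt after the tutorial's chmod 4755 step.
SAMPLE_LS = """-rwxr-xr-x root     shell      643972 2012-12-07 10:11 toolbox
-rwsr-xr-x root     root        22364 2012-12-07 10:11 su
-rwxr-xr-x root     root      1085140 2012-12-07 10:11 busybox
"""


def parse_getprop(text):
    """`[key]: [value]` lines -> dict."""
    return dict(re.findall(r"\[([^\]]*)\]: \[([^\]]*)\]", text))


def adbd_root_exposure(props):
    """Why `adb shell` may show '#' with no exploit at all: with ro.secure=0 adbd never
    drops root; with ro.debuggable=1, `adb root` can restart it as root.  Returns a
    reason string, or None when adbd should drop to the shell user."""
    if props.get("ro.secure", "1") == "0":
        return "ro.secure=0: adbd runs as root on every connection"
    if props.get("ro.debuggable", "0") == "1":
        return "ro.debuggable=1: `adb root` can restart adbd as root"
    return None


def parse_ls(ls_text):
    """Toolbox `ls -l` rows (mode owner group size date time name) -> (name, mode, owner)."""
    rows = []
    for line in ls_text.splitlines():
        cols = line.split()
        if len(cols) >= 7 and cols[0].startswith("-"):   # regular files only
            rows.append((cols[-1], cols[0], cols[1]))
    return rows


def setuid_root_binaries(ls_text):
    """Names whose mode string carries the setuid bit ('s' in the owner-execute slot)
    and that are owned by root, i.e. what chmod 4755 on a root-owned file yields."""
    return [name for name, mode, owner in parse_ls(ls_text)
            if mode[3] == "s" and owner == "root"]


def su_status(ls_text):
    """Distinguish a usable su from the 'permission denied' case in the thread:
    a su binary that is present but cannot elevate because it is not setuid root."""
    for name, mode, owner in parse_ls(ls_text):
        if name == "su":
            if mode[3] == "s" and owner == "root":
                return f"su is setuid root ({mode})"
            return f"su present but not setuid root ({mode} {owner}): it cannot elevate callers"
    return "no su in /system/bin"


def findings(getprop_text, ls_text):
    """All observations as a list of strings, for a human or a fleet report."""
    out = []
    reason = adbd_root_exposure(parse_getprop(getprop_text))
    if reason:
        out.append(reason)
    out.append(su_status(ls_text))
    out.extend(f"setuid-root binary: {name}" for name in setuid_root_binaries(ls_text))
    return out


def findings_from_device():
    """Same check against the attached device, using the two adb commands the thread uses."""
    run = lambda *cmd: subprocess.run(["adb", "shell", *cmd], capture_output=True,
                                      text=True, check=True).stdout
    return findings(run("getprop"), run("ls", "-l", "/system/bin"))


if __name__ == "__main__":
    for line in findings(SAMPLE_GETPROP, SAMPLE_LS):
        print("sample:", line)
```

A stick that reports `ro.secure=0` straight out of the box is handing a root shell to anything that can reach its adbd, which is the security-relevant reading of "they seem to come from the factory rooted already".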

Attempt to get root on Android 5 with locked bootloader

Hello everyone. I'm the owner of the Verizon version of the Note 4 - N910V. Unfortunately, I've found that it has a locked bootloader after I've bought it. It's even impossible to get root on Android 5.
I don't want to accept it, and going to try to get at least temporary root on that smartphone.
Why it is possible:
- it's a matter of vulnerability. KingRoot is able to root latest Android 4.4, even with locked bootloader
- Android 5 was released more than 2 years ago, there was enough time to reveal some vulnerabilities, that we have in our ROMs
- Linux kernel we use is pretty old too: linux 3.10.40 was released in May 2014
- VTS for Android shows several existing vulnerabilities, that give system-level privileges
Plan:
- Get system-level privileges
- Get root level privileges
- Get permanent root (bypass write protection)
Progress:
- How to run busybox through adb shell:
Download busybox executable from https://busybox.net/downloads/binaries/latest/
copy it to phone: adb push busybox-armv7l /data/local/tmp/
Run adb shell and execute commands
Code:
cd /data/local/tmp/
chmod 755 busybox-armv7l
mkdir busybox
cd busybox
# one symlink per applet name, all pointing at the single busybox binary one level up
for app in $(../busybox-armv7l --list); do ln -s ../busybox-armv7l $app; done
export PATH=$PATH:/data/local/tmp/busybox
Enjoy
Repeat last command on every adb shell session
Current:
I'm going to use CVE-2015-1528 vulnerability to try to get system-level privileges
This thread I'm opening to share my progress and to get any advice/help with this.
Sounds interesting. Keep us informed!
Sent from my SM-N910F using Tapatalk
Quick update. I switched to CVE-2015-3825 vulnerability. It should work on any Android by 5.1, it seems easier because you need to exploit only one service, and there is good documentation: https://www.usenix.org/system/files/conference/woot15/woot15-paper-peles.pdf.
Although I understand how to use this vulnerability, unfortunately I'm not an Android developer, nor a low-level hacker, so it may take some time for me to implement them all.
I've started work on this exploit already. Any help is appreciated.
Has somebody successfully done a temporary root of their retail edition Android 5 Note 4 with KingRoot 4.8.1? One guy from a sibling thread said that he did it successfully on 5.1.1 Android

[Guide]Temporary root(Dirty COW) Marshmallow , Honor 5x

This is a guide on how to obtain temporary root on marshmallow stock ROM for the Honor5x. Works on KIW-L24 and should work fine for other models.
1. Install Android Studio.
2. Install NDK within android studio.
3. If you run
Code:
ndk-build
and it says command not found, you'll need to add the ndk-build path to your environment variable. After you install NDK, 'ndk-build' file will exist on your computer. In Linux, the path location is ~/Android/Sdk/ndk/22.1.7171670/build/ndk-build
Ex.
Code:
export PATH=$PATH:/home/user123/Android/Sdk/ndk/22.1.7171670/build/
4. Download Dirty COW exploit and extract zip to a folder: https://github.com/timwr/CVE-2016-5195
5. Open terminal and navigate to 'CVE-2016-5195' directory.
6. Plug your phone in and make sure you can 'adb devices'.
7.
Code:
make root && adb shell;
8.a If you get error 'CANNOT LINK EXECUTABLE cannot locate symbol'. Then go to ~/Android/Sdk/ndk/22.1.7171670/build/gmsl and modify line 512 of '__gmsl' to say:
Code:
int_encode = $(__gmsl_tr1)$(wordlist 1,$(words $1),$(__gmsl_input_int))
More Info See: https://stackoverflow.com/questions/17131691/non-numeric-second-argument-to-wordlist
8.b.
Code:
make root && adb shell;
9. If everything goes right, you should be inside the shell of the phone and you should see '#' instead of '$', which indicates root.
The command that gets executed that puts you in temporary root is
Code:
adb shell /system/bin/run-as
Now what I don't know is how to obtain permanent root from here. Most people are going to say 'unlock your bootloader and flash a different ROM'. While I agree, this is the ideal solution. But if you can't unlock bootloader then the next best thing is permanent root on your current build.
I got # after step 9. But how that is temporary root? Root checker app doesn't recognize as rooted device.
