Rooting RC30 - need some questions answered about adbd and debuggerd - G1 Android Development

If someone has a stock RC30 installed, can you tell me what user id runs adbd and debuggerd?
To be able to debug processes and take screenshots, those processes must be running with some sort of privileged permissions and may be exploitable...

debuggerd runs as root, adbd runs as shell (that's on my official RC30 phone)

Hmm, in that case, it may actually be possible to take a screenshot without root by writing an ADB client in Java to connect to the adb daemon. And, shell also has access to the surface flinger, so it may be possible to do autorotation as well.
Anyways, I'll take a look at debuggerd and see if there's anything interesting.
I did find some funny code in debuggerd.c a minute ago. Watch your phone's LED and type this into a root shell:
echo 255 > /sys/class/leds/red/brightness

Yup.
http://forum.xda-developers.com/showthread.php?p=2905504&highlight=backlight#post2905504

Holy ****!!! There may be a root hole in installd:
installd runs as root; it is the daemon that allows you to do the following commands related to installing and uninstalling APKs and managing their DEX files.
Code:
{ "ping", 0, do_ping },
{ "install", 3, do_install },
{ "dexopt", 3, do_dexopt },
{ "movedex", 2, do_move_dex },
{ "rmdex", 1, do_rm_dex },
{ "remove", 1, do_remove },
{ "freecache", 1, do_free_cache },
{ "rmcache", 1, do_rm_cache },
{ "protect", 2, do_protect },
{ "getsize", 3, do_get_size },
{ "rmuserdata", 1, do_rm_user_data },
The install daemon reads these commands from a socket and then executes them.
The interesting command is the "install" command, which maps to the following function:
Code:
static int do_install(char **arg, char reply[REPLY_MAX])
{
    return install(arg[0], atoi(arg[1]), atoi(arg[2])); /* pkgname, uid, gid */
}

int install(const char *pkgname, uid_t uid, gid_t gid)
{
    char pkgdir[PKG_PATH_MAX];
    char libdir[PKG_PATH_MAX];

    if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
        LOGE("invalid uid/gid: %d %d\n", uid, gid);
        return -1;
    }

    if (create_pkg_path(pkgdir, PKG_DIR_PREFIX, pkgname, PKG_DIR_POSTFIX))
        return -1;
    if (create_pkg_path(libdir, PKG_LIB_PREFIX, pkgname, PKG_LIB_POSTFIX))
        return -1;

    if (mkdir(pkgdir, 0755) < 0) {
        LOGE("cannot create dir '%s': %s\n", pkgdir, strerror(errno));
        return -errno;
    }
    if (chown(pkgdir, uid, gid) < 0) {
        LOGE("cannot chown dir '%s': %s\n", pkgdir, strerror(errno));
        unlink(pkgdir);
        return -errno;
    }
    if (mkdir(libdir, 0755) < 0) {
        LOGE("cannot create dir '%s': %s\n", libdir, strerror(errno));
        unlink(pkgdir);
        return -errno;
    }
    if (chown(libdir, AID_SYSTEM, AID_SYSTEM) < 0) {
        LOGE("cannot chown dir '%s': %s\n", libdir, strerror(errno));
        unlink(libdir);
        unlink(pkgdir);
        return -errno;
    }
    return 0;
}
The 2nd and 3rd arguments let you specify an ARBITRARY uid that owns that package. I think we can either rebuild adb to always pass in uid 0 and gid 0 (this may not be possible; adb may not have anything to do with the uid/gid selected). Or maybe connect to the socket from an application on the phone, and then marshal the command manually. That would get an APK onto the phone running as root.
Gonna give this a shot right now.

Look at the beginning of the function.
Code:
if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
    LOGE("invalid uid/gid: %d %d\n", uid, gid);
    return -1;
That will disallow installing something with root access. AID_SYSTEM is 1000, the root uid is 0 of course.
But if we could get an app installed as the system user.. that may open up some more possibilities.
Also, I believe the socket that installd listens on is protected. If I remember correctly, it is restricted to the system user.

JesusFreke said:
Look at the beginning of the function.
Code:
if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
    LOGE("invalid uid/gid: %d %d\n", uid, gid);
    return -1;
That will disallow installing something with root access. AID_SYSTEM is 1000, the root uid is 0 of course.
But if we could get an app installed as the system user.. that may open up some more possibilities.
Also, I believe the socket that installd listens on is protected. If I remember correctly, it is restricted to the system user.
Ahh goddamnit.

Related

Set the System Time

Hello!
I need to set the system time!
What I have read so far is that it is not possible, because it needs security level 3 (only System and Signed)....
I tried it with:
Runtime rt=Runtime.getRuntime();
rt.exec("su");
rt.exec("date -s 19991212"); // And other syntax..
On the tablet it works with ConnectBot, because ConnectBot was installed on the ROM!
The app I am writing is for internal use in my company, and it needs to sync with a server!
My tablet (Flytouch 3, Android 2.2) is rooted, so it should be possible to set the time! The app ClockSync (http://forum.xda-developers.com/showthread.php?t=688177) can do it too!
Please help me!
Thanks
Does it have to do so using root, or would launching an Intent to the system settings app be sufficient?
Setting it via an Intent would not be an option!
But for everyone who is looking for a solution, I found one! (here on XDA (where else?) http://forum.xda-developers.com/showthread.php?p=4528387#post4528387
calling: runRootCommand("date -s <date&time>");
Code:
public static boolean runRootCommand(String command) {
    Process process = null;
    DataOutputStream os = null;
    try {
        process = Runtime.getRuntime().exec("su");
        os = new DataOutputStream(process.getOutputStream());
        os.writeBytes(command+"\n");
        os.writeBytes("exit\n");
        os.flush();
        process.waitFor();
    } catch (Exception e) {
        Log.d("*** DEBUG ***", "Unexpected error - Here is what I know: "+e.getMessage());
        return false;
    }
    finally {
        try {
            if (os != null) {
                os.close();
            }
            process.destroy();
        } catch (Exception e) {
            // nothing
        }
    }
    return true;
}
Just for your information, because I was looking for the syntax to set the date and time for about 2 hours now and couldn't find it on the internet :/
And finally I found it by hacking through a lot of possible combinations in the terminal! It is:
date -s yyyymmdd.hhmmss
Example: 20110717.175930

[Q]Phone reboot after executing a script

Hi, I was developing a tasker, and to kill the apps I was using this script
Code:
String command = "pidof -s " + intent.getComponent().getPackageName() + " | kill -9 .";
Process su = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(su.getOutputStream());
os.writeBytes(command + "\n");
os.flush();
I tested doing that in the terminal and it works fine, but in my tasker, when this command executes, the phone reboots... it's very strange
Any tip??
Any ideas????
Could you please post more code? What's the cycle of your app?
I have a Service listening for events. When an event occurs, the BroadcastReceiver that responds to that event calls an extended procedure called openKill, which checks whether it must open or kill the intent of the app received. Here is where it checks the kill option:
Code:
else if(action.equals(TaskerConstants.KILL))
{
    String command = "pidof -s " + intent.getComponent().getPackageName() + " | kill -9 .";
    Root.sudo(command); // If it is 0 then it is not running
}
When the user checks the kill option, the app requests su, and if the user accepts, the kill option is saved in the task created (which contains the intent of the app to open/kill).
sudo is like this:
Code:
public static void sudo(String command)
{
    Process su = null;
    try
    {
        su = Runtime.getRuntime().exec("su");
        DataOutputStream os = new DataOutputStream(su.getOutputStream());
        os.writeBytes(command + "\n");
        os.flush();
        os.writeBytes("exit\n");
        os.flush();
    } catch (IOException e)
    {
        e.printStackTrace();
    }
}
I suspect a false intent reference. It's too little code to be able to figure everything out, but that's what I would be looking for.
intent.getComponent().getPackageName()
Have you simply printed this in your logcat? What does it return? I think it's the PID of your own process.
Hi again... I'm still trying to figure out why it is rebooting... I checked your suggestion, but the PID obtained is correct... it is the PID of the app I'm trying to kill.
I think I don't have the rights to do the kill, and because of that the kernel crashes, because when my app executes the script, the phone lags, hot reboots and I get the boot animation.
Any tip on how to debug it? And does the logcat persist after the reboot??
That's a problem; however, the log data is just buffered in RAM, which means it doesn't persist after a reboot. You should log data in text files on your own (add this part in your script or your Java application) so you can see when the error appears. You can also print the logcat data to a file.
Ok, I tried to save the output to a file, but the file is empty... I changed the openKill method like this:
Code:
protected static void openKill(Intent intent, Integer action)
{
    if(action.equals(TaskerConstants.OPEN))
    {
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(intent);
    }
    else if(action.equals(TaskerConstants.KILL))
    {
        if(Root.root())
        {
            String command = "pidof -s " + intent.getComponent().getPackageName() + " | kill . >> /mnt/sdcard/err.log";
            Root.sudo(command);
        }
    }
}
and here is the Root class:
Code:
public class Root
{
    public static boolean root()
    {
        Process su = null;
        boolean ret = false, exit = false;
        try
        {
            su = Runtime.getRuntime().exec("su"); // Get a process associated with root
            DataOutputStream os = new DataOutputStream(su.getOutputStream());
            DataInputStream is = new DataInputStream(su.getInputStream());
            if (os != null && is != null)
            {
                os.writeBytes("id\n"); // Write to the console and ask for the id
                os.flush();
                String uid = is.readLine();
                if(uid == null) // If it is null, the command could not be run successfully, so there is no root!
                {
                    ret = false;
                    exit = false;
                }
                else if(uid.contains("uid=0"))
                {
                    ret = true;
                    exit = true;
                }
                else
                {
                    ret = false;
                    exit = true;
                }
                if(exit)
                {
                    os.writeBytes("exit\n");
                    os.flush();
                }
            }
        }
        catch (IOException e)
        {
            e.printStackTrace();
        }
        return ret;
    }

    public static void sudo(String command) // Before calling this method, ALWAYS CALL root() to check the permissions
    {
        Process su = null;
        try
        {
            su = Runtime.getRuntime().exec("su");
            DataOutputStream os = new DataOutputStream(su.getOutputStream());
            DataInputStream is = new DataInputStream(su.getInputStream());
            os.writeBytes(command + "\n");
            os.flush();
            // readLine() blocks until the command prints a line or the stream ends
            Log.v("RET------------------------------------------------------------------>", is.readLine());
            os.writeBytes("exit\n");
            os.flush();
        } catch (IOException e)
        {
            e.printStackTrace();
        }
    }
}
So why does the script fail like this?? I think the problem is the way I'm calling the script, but I don't really know. The only "weird way" of calling the script is that I'm calling it from a BroadcastReceiver instantiated in a Service, and registering the IntentFilter dynamically for each BroadcastReceiver, like headset plug, screen off and stuff like that, but I don't know how to proceed at this point...
Any help will be very appreciated, thanks!
It's working!
I did it!! I just changed the script like this and it's working
Code:
String command = "killall -9 " + intent.getComponent().getPackageName();
Well, I still don't know why it was not working with kill, but whatever, thanks for the help!
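Both the date-setting thread and this one build a shell line from app-controlled strings, hand it to su, and throw away the exit status and stderr, which are exactly what you need to read to learn why a root command failed. The following is an added example written for this page, not code from either poster: it checks that the string is a plain package name before it is concatenated into a shell command, and returns the exit code and both output streams. The package-name pattern, the class name and the "exit $?" trick are my assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.util.regex.Pattern;

/** Runs one command through su and keeps what the thread's sudo() discarded. */
public final class RootRunner {
    /* Assumed grammar: dot-separated Java identifiers, as Android package names are. */
    private static final Pattern PKG = Pattern.compile("[A-Za-z_]\\w*(\\.[A-Za-z_]\\w*)+");

    /** Exit status plus both output streams of the su session. */
    public static final class Result {
        public final int exitCode;
        public final String stdout, stderr;
        Result(int exitCode, String stdout, String stderr) {
            this.exitCode = exitCode; this.stdout = stdout; this.stderr = stderr;
        }
    }

    /** True only for a plain package name; anything else must never reach a root shell. */
    public static boolean isPackageName(String pkg) {
        return pkg != null && PKG.matcher(pkg).matches();
    }

    /** Builds the thread's final kill command from a validated name only. */
    public static String killCommand(String pkg) {
        if (!isPackageName(pkg)) throw new IllegalArgumentException("not a package name: " + pkg);
        return "killall -9 " + pkg;
    }

    public static Result run(String command) throws IOException, InterruptedException {
        Process su = Runtime.getRuntime().exec("su");
        Writer in = new OutputStreamWriter(su.getOutputStream());
        in.write(command + "\nexit $?\n"); // make su exit with the command's own status
        in.close();                        // EOF on stdin, so su cannot hang waiting for input
        String out = drain(su.getInputStream());   // small outputs only: stdout first, then stderr
        String err = drain(su.getErrorStream());
        return new Result(su.waitFor(), out, err);
    }

    private static String drain(InputStream s) throws IOException {
        BufferedReader r = new BufferedReader(new InputStreamReader(s));
        StringBuilder sb = new StringBuilder();
        for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
        return sb.toString();
    }
}
```

Call `run(killCommand(pkg))` and log `stderr` and `exitCode`; a non-zero status with a message on stderr tells you the shell rejected the line, which the posted sudo() could never show.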

[Q] Root a bootloader locked phone.(mempodroid way)

I have a Huawei U8950D which I want to root.
Its bootloader has been locked, but I found a way to root a locked device: http://forum.xda-developers.com/showthread.php?t=1461736
So I've put the following commands into a bat file:
Code:
adb push mempodroid /data/local/tmp
adb push su /data/local/tmp
adb push Superuser.apk /data/local/tmp
adb shell
cd /data/local/tmp
chmod 777 ./mempodroid
./mempodroid 0xd524 0xab8f sh
mount -o remount,rw -t ext4 /dev/block/mmcblk0p17 /system
cat /data/local/tmp/su > /system/xbin/su
chown 0.0 /system/xbin/su
chmod 06755 /system/xbin/su
cat /data/local/tmp/Superuser.apk >/system/app/Superuser.apk
chown 0644 /system/app/Superuser.apk
When launching the mount line (marked red in the original post) I got this:
Code:
mount: Operation not permitted
Is it an issue with mempodroid?
The two addresses don't match my device.
Code:
./mempodroid 0x**** 0x**** sh
Maybe another reason?
I need help. Thx!
I found something interesting
Code:
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Resolve the addresses of exit() and setresuid() in the loaded libc. */
int main(void)
{
    void* lib = dlopen("libc.so", RTLD_NOW | RTLD_GLOBAL);
    void* symbol;
    if (lib == NULL) {
        fprintf(stderr, "Could not open libc.so with dlopen() !!: %s\n", dlerror());
        return 1;
    }
    symbol = dlsym(lib, "exit");
    if (symbol == NULL) {
        fprintf(stderr, "Could not lookup symbol exit !!: %s\n", dlerror());
        dlclose(lib);
        return 2;
    }
    printf("exit() addr:%p\n", symbol);
    symbol = dlsym(lib, "setresuid");
    if (symbol == NULL) {
        fprintf(stderr, "Could not lookup symbol setresuid !!: %s\n", dlerror());
        dlclose(lib);
        return 2;
    }
    printf("setresuid() addr:%p\n", symbol);
    dlclose(lib);
    return 0;
}
Root a bootloader locked phone.(mempodroid way)
Hi,
Were you finally able to root the Huawei U8950D? How did you do it? I will be grateful if you give me a step by step process. Thanks
---------- Post added at 06:50 AM ---------- Previous post was at 06:45 AM ----------
fromnowon said:
I found something interesting
Code:
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Resolve the addresses of exit() and setresuid() in the loaded libc. */
int main(void)
{
    void* lib = dlopen("libc.so", RTLD_NOW | RTLD_GLOBAL);
    void* symbol;
    if (lib == NULL) {
        fprintf(stderr, "Could not open libc.so with dlopen() !!: %s\n", dlerror());
        return 1;
    }
    symbol = dlsym(lib, "exit");
    if (symbol == NULL) {
        fprintf(stderr, "Could not lookup symbol exit !!: %s\n", dlerror());
        dlclose(lib);
        return 2;
    }
    printf("exit() addr:%p\n", symbol);
    symbol = dlsym(lib, "setresuid");
    if (symbol == NULL) {
        fprintf(stderr, "Could not lookup symbol setresuid !!: %s\n", dlerror());
        dlclose(lib);
        return 2;
    }
    printf("setresuid() addr:%p\n", symbol);
    dlclose(lib);
    return 0;
}
What is this code and how do we have to use it????

How can I find executable path when process starts in kernel level?

I can retrieve the path of ./busybox cat or similar processes which do not terminate quickly.
However, I cannot gather the path of processes which end quickly, like ./busybox ps
What is the easiest way to get the executable path of all processes at kernel level?
Code:
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/fs.h>
#include <linux/dcache.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/limits.h>

/* Walk every task and print the path of its executable. */
static void print_exe_paths(void)
{
    struct task_struct *task;
    struct mm_struct *mm;
    struct file *exe_file;
    char *pathname, *path;

    /* allocate outside the RCU section so a sleeping allocation is fine */
    pathname = kmalloc(PATH_MAX, GFP_KERNEL);
    if (!pathname)
        return;

    rcu_read_lock();
    for_each_process(task) {
        mm = get_task_mm(task);          /* NULL for kernel threads */
        if (!mm)
            continue;
        exe_file = get_mm_exe_file(mm);  /* returns its own reference, or NULL */
        if (exe_file) {
            path = d_path(&exe_file->f_path, pathname, PATH_MAX);
            if (!IS_ERR(path))
                printk(KERN_INFO "%s[%d] -> %s\n", task->comm, task->pid, path);
            fput(exe_file);
        }
        mmput(mm);                       /* drop the reference get_task_mm() took */
    }
    rcu_read_unlock();
    kfree(pathname);
}
