Has anybody tried to implement this in KitKat?
When I mount my server via sshfs on my Nexus 5, I can see this mount only in su; every other app/user does not see the mountpoint.
As explained here http://forum.xda-developers.com/showthread.php?t=2106480, this is a "security feature" for multi-user support.
So I've applied the Dalvik patch in android-4.4_r1, compiled a new libdvm.so for my Nexus 5 and modified my boot.img (init.rc).
But this does not solve the problem as expected.
Has anybody patched this in KitKat, or has in-depth knowledge of Zygote and Dalvik and could explain?
I've dug a little deeper and found those threads:
http://forum.xda-developers.com/showthread.php?t=1781411
http://forum.xda-developers.com/showthread.php?t=2062768
http://forum.xda-developers.com/showthread.php?t=2107224
All of those basically say that it is possible to mount using adb and all apps will be able to access them, because adb is not running as a child process of Dalvik.
This is why mounts are not visible to other apps when an app run by Dalvik mounts them.
What I don't really get is why mounts by sshfs are not visible to other processes even when I use adb to run sshfs:
[email protected]:~$ adb shell
[email protected]:/ $ su
[email protected]:/ # sshfs [email protected]: /sdcard/mountpoint
[email protected]:/ # mount
...
sshfs#[email protected]: /storage/emulated/legacy/mountpoint fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
...
[email protected]:/ # exit
[email protected]:/ $ mount
...
<sshfs mount not listed>
....
So why is the mount only visible when I am root (in su)?
I'm still working on it and tried the following without using sshfs, but even bind mounts are not accessible by other users.
Does anyone know why, and how to work around it?
[email protected]:~$ android/android-sdk-linux/platform-tools/adb shell
[email protected]:/ $ su
[email protected]:/ # mount -o rw,remount /
[email protected]:/ # mkdir /mnt/test
[email protected]:/ # chown media_rw:media_rw /mnt/test/
[email protected]:/ # chmod 777 /mnt/test/
[email protected]:/ # busybox mount --bind /mnt/sdcard/ /mnt/test
[email protected]:/ # ls /mnt/test/ -la
drwxrwx--- root sdcard_r 2013-11-06 14:10 .MySecurityData
-rw-rw---- root sdcard_r 33 2013-11-20 18:17 .bugsense
drwxrwx--- root sdcard_r 2013-11-21 14:00 .estrongs
drwxrwx--- root sdcard_r 1970-01-02 01:01 Alarms
drwxrwx--x root sdcard_r 2013-11-06 01:12 Android
drwxrwx--- root sdcard_r 2013-11-12 18:10 DCIM
drwxrwx--- root sdcard_r 2013-11-18 23:38 Download
...
[email protected]:/ # exit
[email protected]:/ $ ls /mnt/test -la
[email protected]:/ $
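A diagnostic for the symptom above, added here as an example and not code from the thread: it compares the mount namespace of two PIDs and checks whether a mount point is listed in each one's /proc/PID/mountinfo. It assumes a Linux /proc and readlink, awk and pidof from toybox or busybox; the PIDs, process names and mount point it mentions are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. A mount is only in the table of processes that
# share the mount namespace it was made in, so a mount done in one shell can be missing
# from another's view. /proc/PID/ns/mnt needs kernel 3.8+; on older kernels the namespace
# comparison reports "unknown" while the mountinfo check (kernel 2.6.26+) still works.
# On Android the shell is /system/bin/sh; readlink, awk and pidof come from toybox/busybox.

# Namespace identity of PID, e.g. "mnt:[4026531840]"; empty when not readable.
mnt_ns_of() { readlink "/proc/$1/ns/mnt" 2>/dev/null; }

# Print "same", "different" or "unknown" for two PIDs.
same_mnt_ns() {
  a=$(mnt_ns_of "$1"); b=$(mnt_ns_of "$2")
  if [ -z "$a" ] || [ -z "$b" ]; then echo unknown
  elif [ "$a" = "$b" ]; then echo same
  else echo different
  fi
}

# Succeed if MOUNTPOINT appears in PID's mount table (field 5 of mountinfo is the mount point).
mount_visible_to() {  # PID MOUNTPOINT
  awk -v mp="$2" '$5 == mp { found = 1 } END { exit !found }' "/proc/$1/mountinfo" 2>/dev/null
}

# For each PID, report visibility of MOUNTPOINT and the namespace relation to REF_PID.
# Usage: report_mount_visibility MOUNTPOINT REF_PID PID...
report_mount_visibility() {
  mp=$1; ref=$2; shift 2
  for pid in "$ref" "$@"; do
    if mount_visible_to "$pid" "$mp"; then seen=visible; else seen=NOT-visible; fi
    name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    printf '%-12s pid %-6s %-12s ns vs %s: %s\n' \
      "$seen" "$pid" "$name" "$ref" "$(same_mnt_ns "$ref" "$pid")"
  done
}

# Typical use from an adb shell (illustrative): compare this shell with adbd for the
# mount point from the post above.
# report_mount_visibility /storage/emulated/legacy/mountpoint $$ $(pidof adbd)
```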
Hi,
Can you please help me with how I can code on my mobile (SAMSUNG GALAXY S - GTI9003)?
I'm happy to see the solution given by you, but I don't know how to code on the ADB shell on my device.
Thanks in advance
vssvaas
01binary01 said:
I think every issue to do with losing the baseband has a slight twist; I'm beginning to think not every problem can use the same solution.
I've fixed mine, using similar lines as the posting in http://forum.xda-developers.com/showthread.php?t=1261948, as I couldn't get 7Zip to edit/modify the tar file without the file getting corrupt.
Finally I resorted to doing the unpacking and re-tarring via my Mac (with the Android SDK installed) to preserve IDs etc.
** The following is just a simple guide, which worked for me. I made sure I had plenty of power on the phone and kept the original state of my efs directory **
On my phone via 'adb shell'
Code:
$ su
# mkdir /sdcard/efsbck
# cd /
# busybox tar zcvf /sdcard/efsbck/orig-broke-efs.tar.gz efs
# exit
$ exit
On my mac
Code:
cd <where-ever-your-android-sdk-is>/platform-tools/
adb pull /sdcard/efsbck/orig-broke-efs.tar.gz
mkdir mod
sudo su
cd mod
sh-3.2# #*Note the 'p' on the tar to preserve the original id's etc on various files
sh-3.2# gunzip -c ../orig-broke-efs.tar.gz | tar xvpf -
sh-3.2# cd efs
sh-3.2# ls -ltra | grep nv_data
-rwx------ 1 1001 1001 32 31 Dec 2010 .nv_data.bak.md5
-rwx------ 1 1001 1001 2097152 31 Dec 2010 .nv_data.bak
-rwx------ 1 1001 1001 32 21 Sep 00:46 nv_data.bin.md5
-rwx------ 1 1001 1001 2097152 21 Sep 00:46 nv_data.bin
sh-3.2# rm nv_data.bin.md5
sh-3.2# rm nv_data.bin
sh-3.2# cp -p .nv_data.bak nv_data.bin
sh-3.2# cp -p .nv_data.bak.md5 nv_data.bin.md5
sh-3.2# cd ..
sh-3.2# tar cvf - efs | gzip -c - > mod-efs.tar.gz
a efstar: getpwuid(1001) failed: No such file or directory
a efs/.files
...
...
sh-3.2# ../adb push mod-efs.tar.gz /sdcard/efsbck/mod-efs.tar.gz
Then 'adb shell' back to the phone. I checked the tar file list was OK and wasn't corrupt.
Code:
$ su
# cd /sdcard/efsbck
# busybox tar ztvf mod-efs.tar.gz
Then for the final run, butt clenching bit, still on the phone via 'adb shell'
Code:
$ su
# cd /sdcard/efsbck
# umount /efs
# mke2fs /dev/block/mmcblk0p1
# mount -w -t ext4 /dev/block/mmcblk0p1 /efs
# ls /efs
lost+found
#
# busybox tar zxvf mod-efs.tar.gz -C /
# ls /efs
... check that nv_data.bin is there ... and has the radio IDs
# exit
$ exit
Then after a reboot the phone was still in 'airplane mode', but I went into settings, checked baseband, and it was visible! Went to wireless network, 'Flight Mode' was correctly green 'ticked', undid it, and got my signal back.
I also had to re-activate data network settings for my GPS to sort itself out.
The procedure worked for me; I can't say it'll work for everyone.
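An integrity check to run before promoting .nv_data.bak to nv_data.bin as in the post above, added here as an example and not the poster's own procedure. It assumes the layout from the listing (a 32-byte hex digest file next to each image, holding the MD5 of that file's contents) and md5sum from busybox or toybox; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: verify an EFS nv_data image against its .md5
# companion before copying it into place, so a corrupt backup is never promoted.
# Assumption: FILE.md5 holds the hex MD5 of FILE's contents (32 bytes, no newline, as in
# the listing above). md5sum is provided by busybox/toybox on the phone and coreutils on a PC.

# Lowercase MD5 of FILE's contents.
md5_of() { md5sum "$1" | cut -c1-32 | tr 'A-F' 'a-f'; }

# Digest stored in FILE.md5, normalised (whitespace stripped, lowercase).
stored_md5() { tr -d ' \r\n' < "$1.md5" | cut -c1-32 | tr 'A-F' 'a-f'; }

# Return 0 if FILE matches FILE.md5, 1 if it differs or either file is missing; print a verdict.
nv_verify() {
  f=$1
  if [ ! -f "$f" ] || [ ! -f "$f.md5" ]; then echo "MISSING  $f (or $f.md5)"; return 1; fi
  have=$(md5_of "$f"); want=$(stored_md5 "$f")
  if [ "$have" = "$want" ]; then echo "OK       $f ($have)"; return 0; fi
  echo "MISMATCH $f computed=$have stored=$want"; return 1
}

# Verify DIR/.nv_data.bak, and only if it is good copy it (cp -p keeps mode/owner/times)
# to DIR/nv_data.bin with its digest, then re-verify the result. Touches nothing on failure.
restore_nv_from_backup() {
  dir=$1
  nv_verify "$dir/.nv_data.bak" || return 1
  cp -p "$dir/.nv_data.bak" "$dir/nv_data.bin" &&
    cp -p "$dir/.nv_data.bak.md5" "$dir/nv_data.bin.md5" &&
    nv_verify "$dir/nv_data.bin"
}

# Typical use in the unpacked tree from the post above (illustrative):
# restore_nv_from_backup ./efs
```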
Is there a way to run a bash script on startup? I am trying to check for the presence of a running program (that uses excessive CPU and drains my battery), then kill the process ID if it is running:
Code:
$ uname -a -m -p
Linux localhost 2.6.35.7-SPH-D710.EL13-CL806482 #2 SMP PREEMPT Tue Dec 13 02:56:30 KST 2011 armv7l GNU/Linux
$ crontab -l
crontab: must be suid to work properly
$ su -
# crontab -l
crontab: unknown uid 0
# ls /etc/rc.d
ls: /etc/rc.d: No such file or directory
# ls /etc/rc.local
ls: /etc/rc.local: No such file or directory
The bash script runs fine. I am just tired of having to log into ConnectBot, navigate to the directory, and run the program each time I restart my phone.
schneidz said:
Is there a way to run a bash script on startup? I am trying to check for the presence of a running program (that uses excessive CPU and drains my battery), then kill the process ID if it is running:
Code:
$ uname -a -m -p
Linux localhost 2.6.35.7-SPH-D710.EL13-CL806482 #2 SMP PREEMPT Tue Dec 13 02:56:30 KST 2011 armv7l GNU/Linux
$ crontab -l
crontab: must be suid to work properly
$ su -
# crontab -l
crontab: unknown uid 0
# ls /etc/rc.d
ls: /etc/rc.d: No such file or directory
# ls /etc/rc.local
ls: /etc/rc.local: No such file or directory
The bash script runs fine. I am just tired of having to log into ConnectBot, navigate to the directory, and run the program each time I restart my phone.
Put it in the init.d folder to run on every boot, if you mean that.
Sent from my GOCLEVER TERRA L70 using Tapatalk
I created this file:
Code:
-rwxr-x--- 1 root shell 612 Jul 13 20:45 /system/etc/init.d/S80kill-acore.ksh
but it doesn't run on boot-up.
I have an old Samsung Galaxy S4. It's been off the network for a while and its system clock has drifted. However, adb works and I can use the old phone as a sandbox environment to learn about low level Android fundamentals. I would like to learn how to root the phone, ideally without using any apps - I prefer to learn how to compile my own local privilege escalation exploit and run it on my old phone.
adb shell getprop ro.build.version.release
5.0.1
adb shell getprop ro.build.version.sdk
21
dumpstate:
Build: LRX22C.I337UCSGOK3
Build fingerprint: 'samsung/jflteuc/jflteatt:5.0.1/LRX22C/I337UCSGOK3:user/release-keys'
Bootloader: I337UCSGOK3
Radio: mdm
Network: (unknown)
Kernel: Linux version 3.4.0-6185444 ([email protected]) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Wed Nov 30 21:31:59 KST 2016
Command line: console=null androidboot.hardware=qcom user_debug=23 msm_rtb.filter=0x3F ehci-hcd.park=3 [email protected] [email protected] sec_debug.reset_reason=0x1a2b3c00 androidboot.warranty_bit=0 lcd_attached=1 lcd_id=0x418047 androidboot.debug_level=0x4f4c sec_debug.enable=0 sec_debug.enable_user=0 androidboot.cp_debug_level=0x55FF sec_debug.enable_cp_debug=0 cordon=a569d279d878ac52077d6cfb9721d339 connie=SGH-I337_ATT_USA_76d68869445a30d9d8d06ffe689dd803 lpj=67678 loglevel=4 samsung.hardware=SGH-I337 androidboot.emmc_checksum=3 androidboot.warranty_bit=0 androidboot.bootloader=I337UCSGOK3 androidboot.nvdata_backup=0 androidboot.boot_recovery=0 androidboot.check_recovery_condition=0x0 level=0x574f4c44 vmalloc=450m sec_pvs=0 batt_id_value=0 diag=0 androidboot.csb_val=1 androidboot.emmc=true androidboot.serialno=95e836b4 androidboot.baseband=mdm
cat /proc/cpuinfo:
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 13.53
processor : 1
BogoMIPS : 13.53
processor : 2
BogoMIPS : 13.53
processor : 3
BogoMIPS : 13.53
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x51
CPU architecture: 7
CPU variant : 0x1
CPU part : 0x06f
CPU revision : 0
Hardware : SAMSUNG JF
Revision : 000a
Serial : 000095e8000036b4
Android is a ported Linux, hence rooting Android means adding su (read: switchuser) functionality, well-known from Linux, to the device's Android. That's all.
Can be achieved with ADB, having a suitable su at hand.
https://forum.xda-developers.com/attachments/su-binaries-zip.5566949/
Do you have source code for that su? I believe it would still require an exploit to escalate privileges, since normally su needs to run with root permissions, and I don't have a way of elevating to root without it.
What you believe is totally wrong: su doesn't need root permissions to run a shell command; su is what in general is called root.
Code:
su -c "<SHELL-COMMAND-HERE>"
Become familiar with Linux shell commands.
I can already run shell commands using adb shell. However, I cannot run privileged commands because the adb shell process does not run with root privileges. Can you please elaborate further?
OMG.
Code:
adb shell
simply opens a remote Android terminal, which doesn't require any elevated privileges per se.
Running shell commands which require elevated privileges (e.g. mount) is achieved as follows:
Code:
adb shell "<PATH-OF-SU-BINARY-HERE> -c '<SHELL-COMMAND-HERE>'"
Example:
Code:
adb shell "/data/local/tmp/su -c 'mount -o rw,remount /data'"
The adb shell allows running unprivileged commands but there are numerous things which cannot be done without the root privilege, such as remounting filesystems, changing permissions, accessing directories which require elevated privileges, etc. This is what I am asking about. Am I misunderstanding you - are you trying to say that adb shell can be used by an unprivileged user to run privileged commands?
See my revised post above yours.
@jf80dEf
The Samsung Galaxy S4 variant you have is from AT&T (model number SGH-I337) and it's running the final software release (OK3).
For this model, you need to downgrade to a lower firmware (NB1) and achieve root access by exploiting the vulnerability formally known as CVE-2014-3153. More details can be found here.
Thank you @SkandaH for answering my question! I believe the method you suggest involves using Odin to wipe the phone to make it vulnerable to the towelroot exploit. Reading between the lines, am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
jf80dEf said:
... am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
Yes, that's correct.
Just for fun, I tried that method on a rooted device; it doesn't work for Android 5+.
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
C:\Android>adb devices
List of devices attached
ca1296db7d29 device
C:\Android>adb push su /data/local/tmp
su: 1 file pushed. 0.7 MB/s (75344 bytes in 0.105s)
C:\Android>adb shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 84
drwxrwx--x 2 shell shell 4096 2022-12-27 15:22 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su
cereus:/data/local/tmp $ ./su
"./su": error: Android 5.0 and later only support position-independent executables (-fPIE).
1|cereus:/data/local/tmp $ rm ./su
cereus:/data/local/tmp $ exit
C:\Android>
Copied another su binary from a stock rooted Android TV box (no superuser app required, permissions granted automatically).
Code:
C:\Android>adb push su /data/local/tmp
adb: error: failed to get feature set: more than one device/emulator
C:\Android>adb -s ca1296db7d29 push su /data/local/tmp
su: 1 file pushed. 1.4 MB/s (100068 bytes in 0.070s)
C:\Android>adb shell
error: more than one device/emulator
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ ./su
255|cereus:/data/local/tmp $ ./su --help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
--daemon start the su daemon agent
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-u display the multiuser mode and exit
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
cereus:/data/local/tmp $ ./su --version
16 com.thirdparty.superuser
cereus:/data/local/tmp $
Still it doesn't work from /data/local/tmp as the uid is 2000 (shell), so I tried from /data/local where the uid is 0 (root), but I had to use Magisk's /sbin/su for this already.
Code:
cereus:/data/local/tmp $ ls -la /data/local
ls: /data/local: Permission denied
1|cereus:/data/local/tmp $ ls -la /data/local/tmp
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ cp ./su ..
cp: ../su: Permission denied
1|cereus:/data/local/tmp $ which su
/sbin/su
cereus:/data/local/tmp $ /sbin/su -c 'cp ./su ..'
cereus:/data/local/tmp $ cd ..
cereus:/data/local $ ls -la
ls: .: Permission denied
1|cereus:/data/local $ /sbin/su -c 'chmod 6775 ./su'
cereus:/data/local $ /sbin/su -c 'ls -la'
total 120
drwxr-x--x 4 root root 4096 2022-12-27 15:45 .
drwxrwx--x 48 system system 4096 2022-07-24 20:32 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 tmp
drwxrwxrwx 2 shell shell 4096 2022-07-24 14:19 traces
cereus:/data/local $ ./su
255|cereus:/data/local $
Despite the SUID bit being set correctly, it still doesn't work. So I removed the nosuid mount flag for the /data partition and double checked that SELinux isn't the problem.
Code:
255|cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /data'
cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ ./su
255|cereus:/data/local $ getenforce
Permissive
cereus:/data/local $
Still no way to get the root shell with that su binary; maybe it is prevented from running from /data at all. Decided to try from another partition, but there was no way. Although permissions for 2000 (shell) should at least see the file, that wasn't the case. Magisk mount namespaces are set to global; no idea why the file is invisible in /cache.
Code:
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /cache'
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'cp ./su /cache'
cereus:/data/local $ cd /cache
/system/bin/sh: cd: /cache: Permission denied
2|cereus:/data/local $ /sbin/su -c 'cd /cache'
cereus:/data/local $ /sbin/su -c 'mkdir /cache/tmp'
cereus:/data/local $ /sbin/su -c 'chown 0.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'chown 2000.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 16
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:54 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # cp /cache/su .
cereus:/cache/tmp # chmod 6775 ./su
cereus:/cache/tmp # exit
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # chown -R 0.2000 .
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwxrwxr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'chmod 6775 /cache/tmp/su'
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $
Finally, I even tried from within the Magisk root shell. Still the binary throws error 255. As you can see, the su binary owns the sticky bit and uid 0 (root).
Code:
127|cereus:/data/local $ /sbin/su
cereus:/data/local # /cache/tmp/su --version
16 com.thirdparty.superuser
cereus:/data/local # /cache/tmp/su
255|cereus:/data/local # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/data/local $
To confirm the binary is working at least, I wanted to install it in /system. Because of systemless root and AVB/dm-verity I can't place the file on the /system partition directly, so I used the Magisk bind mount overlay.
Code:
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /data/adb/modules
cereus:/data/adb/modules # mkdir su_test
cereus:/data/adb/modules # cd su_test/
cereus:/data/adb/modules/su_test # mkdir -p system/xbin
cereus:/data/adb/modules/su_test # cp /cache/tmp/su system/xbin
cereus:/data/adb/modules/su_test # chown -R 0.2000 system
cereus:/data/adb/modules/su_test # chmod 6775 system/xbin/su
cereus:/data/adb/modules/su_test # ls -la system/xbin
total 108
drwxr-xr-x 2 root shell 4096 2022-12-27 16:10 .
drwxr-xr-x 3 root shell 4096 2022-12-27 16:10 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 su
cereus:/data/adb/modules/su_test # echo 'id=su_test' > module.prop
cereus:/data/adb/modules/su_test # echo 'name=su_test' >> module.prop
cereus:/data/adb/modules/su_test # echo 'version=0.0.1' >> module.prop
cereus:/data/adb/modules/su_test # echo 'versionCode=001' >> module.prop
cereus:/data/adb/modules/su_test # echo 'author=aIecxs @ XDA' >> module.prop
cereus:/data/adb/modules/su_test # echo 'description=proof that su binary is "suitable"' >> module.prop
cereus:/data/adb/modules/su_test # cat module.prop
id=su_test
name=su_test
version=0.0.1
versionCode=001
author=aIecxs @ XDA
description=proof that su binary is "suitable"
cereus:/data/adb/modules/su_test # ./system/xbin/su --version
16 com.thirdparty.superuser
cereus:/data/adb/modules/su_test # exit
cereus:/data/local $ exit
C:\Android>
After installing the Magisk module, I rebooted the phone and confirmed the su binary works when running from system.
Code:
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ which su
/sbin/su
cereus:/ $ ls -l /system/xbin/su
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 /system/xbin/su
cereus:/ $ /system/xbin/su --version
16 com.thirdparty.superuser
cereus:/ $ /system/xbin/su
cereus:/ #
(note the /sbin/su binary is Magisk while the /system/xbin/su binary is the file copied from android tv box)
As on a stock Android device with a user/release-keys build adb root cannot work, there is no way to use the chown command. Because it is impossible to place the file into /system or any proper location with directory owner 0 (root) from adb, it's not possible to get a root shell from adb.
Conclusion: an additional exploit (like mtk-su) is required to achieve this.
Edit: fun fact, Magisk complains about the foreign su binary that is provided by the Magisk module xD
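Pre-flight checks for the three failures in the post above (the -fPIE loader error, a nosuid mount, and a parent directory the caller cannot search), added here as an example and not the poster's code. It assumes a Linux /proc and od/awk from toybox or busybox; the ELF headers and mountinfo lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: checks to run on a binary before it is pushed and
# chmod 6775'd. They explain three outcomes seen above: the Android 5.0+ linker rejecting a
# non-PIE executable, a nosuid mount ignoring the setuid bit on exec, and "not found" /
# "Permission denied" for uid 2000 when an ancestor such as drwxrwx--- system:cache /cache
# is not searchable. Assumes a Linux /proc and od/awk from toybox or busybox.

# ELF e_type of FILE: "EXEC" (fixed address, rejected by the Android 5.0+ linker),
# "DYN" (PIE or shared object), "OTHER", or "NOT-ELF". e_type is the little-endian
# 16-bit field at offset 16; od -tu2 uses host byte order, which matches on ARM and x86.
elf_type() {
  magic=$(od -An -c -N4 "$1" 2>/dev/null | tr -d ' ')
  [ "$magic" = '177ELF' ] || { echo NOT-ELF; return 1; }
  case $(od -An -tu2 -j16 -N2 "$1" | tr -d ' ') in
    2) echo EXEC ;;
    3) echo DYN ;;
    *) echo OTHER ;;
  esac
}

# Per-mount options (field 6 of mountinfo, where nosuid/nodev/noexec live) of the mount
# holding PATH, chosen by longest mount-point prefix. MOUNTINFO defaults to the caller's own.
mount_opts_for() {  # PATH [MOUNTINFO]
  awk -v p="$1" '
    { mp = $5
      if (mp == "/" || p == mp || index(p, mp "/") == 1)
        if (length(mp) > best) { best = length(mp); opts = $6 } }
    END { print opts }' "${2:-/proc/self/mountinfo}"
}

# Succeed if the mount holding PATH carries option OPT (e.g. nosuid).
has_mount_opt() {  # PATH OPT [MOUNTINFO]
  case ",$(mount_opts_for "$1" "$3")," in *",$2,"*) return 0 ;; esac
  return 1
}

# Succeed if every ancestor directory of PATH is searchable by the current user.
path_traversable() {
  d=$(dirname "$1")
  while [ "$d" != / ] && [ "$d" != . ]; do
    [ -x "$d" ] || { echo "not searchable by uid $(id -u): $d"; return 1; }
    d=$(dirname "$d")
  done
  return 0
}

# Run all three checks on FILE; print findings, return 1 if any would stop setuid from working.
suid_preflight() {
  f=$1; rc=0
  t=$(elf_type "$f"); echo "ELF type: $t"; [ "$t" = DYN ] || rc=1
  if has_mount_opt "$f" nosuid; then echo "mount:    nosuid (setuid bit ignored on exec)"; rc=1
  else echo "mount:    $(mount_opts_for "$f")"; fi
  path_traversable "$f" || rc=1
  return $rc
}
```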