So I have been working on rooting for the Nabi XD. Specifically to grab a dd of mmcblk0p1 and p2 so I can extract kernel and ramdisk to build a TWRP.
The 2 options I have tried are 1) Bin4ry root many Android, 2) Build TWRP based off the different Nabi2 kernel to gain access to /system
Bin4ry exploit fails with mount: Permission denied, when attempting to remount rw with busybox. The device is 4.1.1 so they must have patched it or cherry picked a patch. The build was this year.
The TWRP will boot but with a blank screen. Comparing the config.gz for the kernel builds explains the blank screen. ADB is, however, up and running, but the internal storage is not seen as a block device. cat proc/partitions is blank.
The third thing of interest is that there is a bin in xbin called su2. su2 -v yields an output of 3.3.
Code:
[email protected]:/system/xbin $ su2 -v
su2 -v
3.3
[email protected]:/system/xbin $ su2 -help
su2 -help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
How can I put this to use? Just running su2 over adb results in nothing, and through Term.apk as permission denied. I obviously need the associated Superuser.apk to grant access, but it seems hardcoded to look for su. I looked through the source to see if I could recompile to look for su2, but I don't know if it's as simple as that.
Any thoughts?
Strange they left the su binary there.
But first: show me a "ls -l su2", we need to see if it has correct permissions or if it is just there and cannot do anything.
Second: just try "su2 -c /system/bin/sh", if you are lucky it starts a rootshell.
Regards
I thought it was weird too that it was left behind, and hopefully an easy way to even gain temp root. If I can just dd the boot partition it's smooth sailing.
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
No setuid bit set? Should be -rwsr-sr-x?
I tried the second thing via adb. It just echoes the command and the prompt stays $. Using something like Term.apk yields permission denied. Tried different quotes for passing -c. Any symlinking tricks?
[email protected]:/system/xbin $ su2 -c /system/bin/sh
su2 -c /system/bin/sh
1|[email protected]:/system/xbin $ su2 -c '/system/bin/sh'
su2 -c '/system/bin/sh'
1|[email protected]:/system/xbin $ su2 -c "/system/bin/sh"
su2 -c "/system/bin/sh"
1|[email protected]:/system/xbin $
I've been messing around with my Dev Magic and found a site for the G1 with some stuff to try:
http://gettinthru.blogspot.com/2009/04/mods-for-tmobile-g1-at-your-own-risk.html
In there, some of the things suggested use the linux command "cp" to copy files from/to the SD card. Problem is, I can't see it listed. Here is the listing of commands in /system/bin:
Code:
system_server mediaserver app_process surfaceflinger dalvikvm dexopt rild wlan_loader sdutil service
netcfg dumpsys hcid dd cmp df date cat bugreport chmod
chown wpa_supplicant wpa_cli wipe watchprops vmstat umount top vold sync
stop start smd sleep setprop setconsole sendevent schedtop set_grp_id route
rmmod rmdir renice rm reboot radiooptions ps qemud printenv notify
netstat mv mount mkdosfs lsmod mkdir ls log ln ioctl
kill installd iftop insmod ifconfig id hd htclogkernel getevent getprop
flash_image dvz dmesg dumpcrash dhcpcd debug_tool toolbox dumpstate servicemanager hciattach
logcat sdptool dbus-daemon gzip showlease sh schedtest ping logwrapper iptables
linker debuggerd dosfsck gdbserver pm svc input am ime monkey
akmd
As you can see, no cp. Any suggestions like a .apk of the command to push over to it?
Cheers
You can use dd to copy files as long as you don't have busybox (on the Dream "all" the rooted images come with busybox)...
However you can use busybox from a non-rooted device by copying it to the folder "sqlite_stmt_journals" as it has both exec/write rights...
Seem to be sorted now...
I found that I can install Busybox like the G1 owners have as standard:
http://www.androidfanatic.com/cms/community-forums.html?func=view&id=228&catid=9
Followed the guide and have cp and loads of stuff to play with now.
Cheers for your responses.
No problem... Won't take long before custom images are put together that include busybox as the Magic now can also be rooted like the Dream.
the "rootme" rom i provide in my rooting procedure has busybox installed, as well as apps2sd
the easiest way to replace the "cp" command is using "cat"
cat "sourcefile" > "targetfile"
if you need to copy more files, create a small script with a "for" loop.
Tom
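As an added example (not from the post above), a POSIX sh function that turns the cat idiom into a cp stand-in for a toolbox-only shell. It also covers the one case where the bare idiom destroys data: `cat file > file` truncates the file before cat reads it.

```shell
#!/bin/sh
# Added example, not the thread's own code: a "cp" replacement built on cat
# for Android shells that have cat but no cp, as suggested above.
#
# The bare idiom  cat "src" > "dst"  has one nasty failure mode: if src and
# dst name the same file, the shell truncates dst (and therefore src) before
# cat reads a byte, so the file ends up empty. catcp refuses that case,
# accepts a directory as destination, and refuses directories as sources
# (cat cannot copy them). It does NOT preserve mode or owner: chmod the
# result afterwards, as the thread does for flash_image.
#
# Usage: catcp SRC... DEST

catcp() {
    if [ "$#" -lt 2 ]; then
        echo "usage: catcp SRC... DEST" >&2
        return 2
    fi
    eval "dest=\${$#}"          # the last argument is the destination
    nsrc=$(($# - 1))            # everything before it is a source
    if [ "$nsrc" -gt 1 ] && [ ! -d "$dest" ]; then
        echo "catcp: target '$dest' is not a directory" >&2
        return 1
    fi
    rc=0
    i=0
    for src; do
        i=$((i + 1))
        [ "$i" -le "$nsrc" ] || break
        if [ -d "$src" ]; then
            echo "catcp: omitting directory '$src'" >&2
            rc=1
            continue
        fi
        if [ ! -r "$src" ]; then
            echo "catcp: cannot read '$src'" >&2
            rc=1
            continue
        fi
        if [ -d "$dest" ]; then
            target="$dest/${src##*/}"   # ${src##*/} = basename, without a basename binary
        else
            target="$dest"
        fi
        # -ef (same device and inode) is supported by mksh, dash and bash
        if [ -e "$target" ] && [ "$src" -ef "$target" ]; then
            echo "catcp: '$src' and '$target' are the same file, not truncating" >&2
            rc=1
            continue
        fi
        if ! cat "$src" > "$target"; then
            echo "catcp: failed to copy '$src' to '$target'" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Source it in the shell (or paste the function in), then `catcp /sdcard/flash_image /system/bin/` followed by the usual chmod.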
so I'm new to scripting, and I have a TON of lg optimus S's to root for work. So I figured I'd write a script to make life easy. I know all the shell commands are correct as if I manually type everything in it works. What happens is it gets through gingerbreak exploit and when the prompt returns # - everything seems to go to hell.
Here is my script I am using. I'm using Kubuntu 11.04 writing it in Kate, name of my script is Script2 and I'm executing it in bash via $sh Script2
echo "removing TMP directory";adb shell rm -r /data/local/tmp
echo "creating TMP directory";adb shell mkdir /data/local/tmp
echo "pushing gingerbreak";adb push gingerbreak /data/local/tmp/gingerbreak
echo "CD TMP";adb shell cd /data/local/tmp
echo "CHMOD TMP";adb shell chmod 777 /data/local/tmp/*
echo "running gingerbreak";adb shell /data/local/tmp/gingerbreak &
sleep 32
adb shell mount -o remount,rw -t yaffs2 /dev/block/mtdblock5 /system
adb shell cat /sdcard/flash_image > /system/bin/flash_image
adb shell chmod 755 /system/bin/flash_image
adb shell mount -o remount,ro -t yaffs2 /dev/block/mtdblock5 /system
adb shell flash_image recovery /sdcard/xionia_cwma_12518.6.img
adb shell reboot recovery
I've tried without the sleep command and also without "&" at the end of gingerbreak, and when I do that and it returns # it seems like no commands will work, even if I type them in it returns just a blank line without #.
With that current script after sleep 32, it returns #, few seconds later it tries to mount and I get (including the end of gingerbreak exploit).
[!] dance forever my only one
# mount: Operation not permitted
Script2: 9: cannot create /system/bin/flash_image: Directory nonexistent
Unable to chmod /system/bin/flash_image Read-only file system
mount -o: permission denied
reboot: Operation not permitted
then it returns me to bash$
Thanks!
So something interesting, I've been playing with this for awhile, and I took everything out past the
adb shell /data/local/tmp/gingerbreak
it seems if I run it as
bash$ adb shell /data/local/tmp/gingerbreak
vs
bash$ adb shell
$ cd /data/local/tmp
$ ./gingerbreak
When # is returned, the first option won't take any commands, it's like it hangs; if I type out the next command it will just return a blank line without $ or #, and I have to forcibly end the process by CTRL+C and it will return me to bash. If I do the second option it works and I can enter the next command in and it takes it and returns me to #. Anyone know why this is? I'm pretty sure this is the problem.
I would happily use the second option, but I'm not sure how to get the script to take any Android shell commands without an "adb shell" in front. If anyone knows how to get around this, that would be awesome =)
Greetings,
I have received my shiny new Eluga Power and I am wondering if anybody else has this device and if anybody has rooted theirs?
Sent from my P-07D using xda premium
Edit: moved to Q&A, let's see if you can get some help but do search for your device.
First welcome...
Next time post in the Q&A section for questions. To better serve you do a search for your device and look in the Dev section for your model device...also you will find a Q&A section there, Thank you.
Btw ensure you read the forum rules.
Sent from a closet, at Arkham Asylum using Forum Runner.
ianford10 said:
Greetings,
I have received my shiny new Eluga Power and I am wondering if anybody else has this device and if anybody has rooted theirs?
Sent from my P-07D using xda premium
Where did you get it from? How much? How's its first impression?
mixmaster said:
Where did you get it from? How much? How's its first impression?
Had to import it from a Japanese eBay store at a cost of £560 with delivery. First impressions of the phone are very good: nice big clear screen, battery life is okay considering the screen size, calls are crisp and clear, feels good in the hand to hold. Will have more info as I use it over the next couple of weeks.
Sent from my P-07D using xda premium
Rooting P-07D success...
I was able to root my Panasonic Eluga Power (P-07D), you can check the screenshot below. At the moment I am re-writing the steps for others so they can easily follow the instructions, as this was written in Japanese (thanks to http://sithxi.blog49.fc2.com/blog-entry-51.html and goroh_kun). Hopefully this will help others root their device just like me. The only main problem for me now is to SIM unlock the device.
Panasonic Eluga Power rooting instructions...
As promised here are the steps: (This seems to be a temporary root, as you will lose it once the device is rebooted.) But still it's a good primary step. The source code can be downloaded from here: Panasonic Eluga Power Source Code
goroh_kun
2012/10/18
root privileges acquisition & tomoyo released experimental version in the p-07d
things to do
Run:
1. >adb restore p-07d.ab
I press OK authentication
After the restore is finished
2. Open another command prompt and type the following:
>adb shell
$cd /data/data/com.android.settings/a/
$ls -l -d
drwxrwxrwx system system a
- check that the directory called a exists and is world readable and writable as shown above
3. $ ls -l
⇒ file00 〜 file99 check if the files exist
Delete all file from file00 ~ file99
run the command below
4. >adb shell
$cd /data/data/com.android.settings/
$rm -r a/*
change permissions to 777 /persist
This is the tricky part as you need to do this using two command prompts, one running the adb restore p-07d.ab while the other, on the shell, runs the ln -s /persist a/file99 command.
5. First run: >adb restore p-07d.ab. While it is restoring, on the other command prompt run in the shell: $ ln -s /persist a/file99
6. Now lets check the permission to folder /persist by typing on the command prompt that is already in shell.
$ ls -l -d /persist
drwxrwxrwx system system persist <--(you should see this)
Now move on to your other command prompt window and run the following commands. (You can download the needed files at this link.)
Then run the command below to push the files needed for rooting:
>adb push init.cne.rc /data/local/tmp
>adb push p07dgetroot /data/local/tmp
>adb push xsh /data/local/tmp/
>adb push libQ.so /persist
>adb shell rm /persist/init.cne.rc
>adb shell ln -s /data/local/tmp/init.cne.rc /persist/init.cne.rc
>adb reboot
The next step is kinda hard to understand and I quote: "/persist at Startup directory of the recovery process because it will not be restored and persist the only symbolic links should be a basic /data/local/tmp to keep the change."
After the reboot, check that the environment variable is changed (LD_PRELOAD=/persist/libQ.so, and be sure it is).
7. > adb shell
$echo $LD_PRELOAD
/persist/libQ.so <--(you should see this)
8. To Unlock Tomoyo, follow this steps:
> adb shell
$ cat /data/local/tmp/p07dgetroot > /tmp/xsh
$ ls -l /tmp/xsh
-rw-rw-rw- shell shell xsh <--(you should see this)
Make sure that wireless LAN is ON before doing the command below:
9. WLAN ON / TURN OFF WLAN / TURN ON WLAN (wait to be connected before typing the below command or you will have to do it again)
$ ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$ /tmp/xsh
/tmp/xsh
/tmp/.mem fd=3
read ret = 256
write ret = 256
At this stage, Tomoyo is now unlocked
10.
$rm /tmp/xsh
$cat /data/local/tmp/xsh > /tmp/xsh
11. WLAN ON / TURN OFF WLAN / TURN ON WLAN (wait to be connected before typing the below command or you will have to do it again)
$ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
12. $/tmp/xsh
$(precmd)[email protected]$HOSTNAME:${PWD:-?} $ <--(you should see this)
Here is a shell with root privileges, so stand up and be able to work a variety. You can also install the su
13. $(precmd)[email protected]$HOSTNAME:${PWD:-?} $
$ mount -o remount,rw /system /system
$ chmod 777 /system/app/
$ chmod 777 /system/bin/
$ chmod 777 /system/xbin/
Open another command prompt:
adb push Superuser.apk /system/app/
adb push su /system/bin/
adb push busybox /system/xbin/
Go back to ($(precmd)[email protected]$HOSTNAME:${PWD:-?} $) window:
chown root.root /system/bin/su
chmod 6755 /system/bin/su
chmod 644 /system/app/Superuser.apk
chown root.shell /system/xbin/busybox
chmod 755 /system/xbin/busybox
chmod 755 /system/app/
chmod 755 /system/bin/
chmod 755 /system/xbin/
Verify root access by installing "Root Checker".
Note: each time you reboot your device you will need to run Tomoyo Unlock script to regain root access (Step 8 - 12) which I re-wrote below:
8. Tomoyo Unlock
> adb shell
$ cat /data/local/tmp/p07dgetroot > /tmp/xsh
$ ls -l /tmp/xsh
-rw-rw-rw- shell shell xsh <--(you should see this)
WLAN ON / OFF / ON
$ ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$ /tmp/xsh
/tmp/xsh
/tmp/.mem fd=3
read ret = 256
write ret = 256
At this stage, tomoyo is released
$rm /tmp/xsh
$cat /data/local/tmp/xsh > /tmp/xsh
WLAN ON / OFF / ON
$ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$/tmp/xsh
$(precmd)[email protected]$HOSTNAME:${PWD:-?} $ <---(you should end up here to regain root access, if not redo it again)
Proof:
ask questions
hi,
If it unlocked the device of sim by docomo, when i root it, the condition of unlock sim whether will cancel????
dear zyper95,
Can you make the picture to show the process of root??
thank a lot
Panasonic P-07D
Hello, Someone tell me how to reset to factory settings "Android system recovery -> wipe data / factory reset -> Yes-delete all user data -> Please input password". What is the password to be entered? Help please.
Panasonic Eluga Power P-07D hard reset plz
I can't root Samsung Galaxy A02 -- SM-A022F/DS, Build No: A022FXXU2BUI3, Android 11. I don't know what to do for rooting and I don't have the firmware file (bootloader unlocked).
To get the superuser access ( AKA root ) to be able to control various aspects of Android OS means you need to perform a certain modification that will root your phone's Android. An unlocked bootloader isn't needed to root Android.
Here is what you have to do to root your device's Android:
Replace Android's Toybox binary - which is a restricted version by default - by unrestricted Toybox v0.8.5.
This e.g. can be achieved by means of a Windows command script making use of ADB commands.
jwoegerbauer said:
To get the superuser access ( AKA root ) to be able to control various aspects of Android OS means you need to perform a certain modification that will root your phone's Android. An unlocked bootloader isn't needed to root Android.
Here is what you have to do to root your device's Android:
Replace Android's Toybox binary - which is a restricted version by default - by unrestricted Toybox v0.8.5.
This e.g. can be achieved by means of a Windows command script making use of ADB commands.
Hi, I don't know what Toybox is, or really what to do. Can you tell me step by step please? I have ADB already.
dleaderp said:
Hi, I don't know what Toybox is, or really what to do.
Typically people do a Google search like "Android Toybox" ...
To save you this search: Toybox is a suite of Linux commands ported to Android.
The commands supported are
Code:
acpi arch ascii base64 basename blkid blockdev bunzip2 bzcat cal cat
catv chattr chgrp chmod chown chroot chrt chvt cksum clear cmp comm
count cp cpio crc32 cut date devmem df dirname dmesg dnsdomainname
dos2unix du echo egrep eject env expand factor fallocate false fgrep
file find flock fmt free freeramdisk fsfreeze fstype fsync ftpget
ftpput getconf grep groups gunzip halt head help hexedit hostname
hwclock i2cdetect i2cdump i2cget i2cset iconv id ifconfig inotifyd
insmod install ionice iorenice iotop kill killall killall5 link ln
logger login logname losetup ls lsattr lsmod lspci lsusb makedevs
mcookie md5sum microcom mix mkdir mkfifo mknod mkpasswd mkswap mktemp
modinfo mount mountpoint mv nbd-client nc netcat netstat nice nl nohup
nproc nsenter od oneit partprobe passwd paste patch pgrep pidof ping
ping6 pivot_root pkill pmap poweroff printenv printf prlimit ps pwd
pwdx readahead readlink realpath reboot renice reset rev rfkill rm
rmdir rmmod sed seq setfattr setsid sha1sum shred sleep sntp sort
split stat strings su swapoff swapon switch_root sync sysctl tac tail
tar taskset tee test time timeout top touch true truncate tty tunctl
ulimit umount uname uniq unix2dos unlink unshare uptime usleep uudecode
uuencode uuidgen vconfig vmstat w watch wc which who whoami xargs
xxd yes zcat
As you might see su is the ROOT functionality.
dleaderp said:
Can you tell me step by step please? I have ADB already.
Actually I'm working on a Windows command script that makes use of ADB and does the job. I'll publish it here when finished:
[TOOL][ADB]][Windows] A 100% Safe Non-systemless Root Tool - No Soft-bricked Adroid Guaranteed
Grant Root Privileges to Regular Users Using Devices With Android 6 and up by Simply Upgrading Android's Multi-command Applet Toybox.
forum.xda-developers.com
jwoegerbauer said:
Actually I'm working on a Windows command script that makes use of ADB and does the job. I'll publish it here when finished:
Happy to hear that xD
I got a last question: I think my phone's storage has shrunk after I used the firmware. Is it possible? If yes, how can I fix it? It was 32 GB, now it's 8 GB.
I fixed it, I used another firmware. I'll be waiting for your ADB.
I have an old Samsung Galaxy S4. It's been off the network for a while and its system clock has drifted. However, adb works and I can use the old phone as a sandbox environment to learn about low level Android fundamentals. I would like to learn how to root the phone, ideally without using any apps - I prefer to learn how to compile my own local privilege escalation exploit and run it on my old phone.
adb shell getprop ro.build.version.release
5.0.1
adb shell getprop ro.build.version.sdk
21
dumpstate:
Build: LRX22C.I337UCSGOK3
Build fingerprint: 'samsung/jflteuc/jflteatt:5.0.1/LRX22C/I337UCSGOK3:user/release-keys'
Bootloader: I337UCSGOK3
Radio: mdm
Network: (unknown)
Kernel: Linux version 3.4.0-6185444 ([email protected]) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Wed Nov 30 21:31:59 KST 2016
Android is a ported Linux, hence rooting Android means adding the su (read: switch user) functionality well-known from Linux to the device's Android. That's all.
This can be achieved with ADB, having a suitable su at hand.
https://forum.xda-developers.com/attachments/su-binaries-zip.5566949/
Do you have source code for that su? I believe it would still require an exploit to escalate privileges, since normally su needs to run with root permissions, and I don't have a way of elevating to root without it.
What you believe is totally wrong: su doesn't need root permissions to run a shell command, su is what in general is called root.
Code:
su -c "<SHELL-COMMAND-HERE>"
Become familiar with Linux shell commands.
I can already run shell commands using adb shell. However, I cannot run privileged commands because the adb shell process does not run with root privileges. Can you please elaborate further?
OMG.
Code:
adb shell
simply opens a remote Android terminal, which doesn't require any elevated privileges per se.
Running shell commands which require elevated privileges (e.g. mount) is achieved as follows
Code:
adb shell "<PATH-OF-SU-BINARY-HERE> -c '<SHELL-COMMAND-HERE>'"
Example:
Code:
adb shell "/data/local/tmp/su -c 'mount -o rw,remount /data'"
The adb shell allows running unprivileged commands but there are numerous things which cannot be done without the root privilege, such as remounting filesystems, changing permissions, accessing directories which require elevated privileges, etc. This is what I am asking about. Am I misunderstanding you - are you trying to say that adb shell can be used by an unprivileged user to run privileged commands?
See my revised post above yours.
@jf80dEf
The Samsung Galaxy S4 variant you have is from AT&T (model number SGH-I337) and it's running the final software release (OK3).
For this model, you need to downgrade to a lower firmware (NB1) and achieve root access by exploiting the vulnerability formally known as CVE-2014-3153. More details can be found here.
Thank you @SkandaH for answering my question! I believe the method you suggest involves using Odin to wipe the phone to make it vulnerable to the towelroot exploit. Reading between the lines, am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
jf80dEf said:
... am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
Yes, that's correct.
Just for fun, I tried that method on a rooted device; it doesn't work for Android 5+.
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
C:\Android>adb devices
List of devices attached
ca1296db7d29 device
C:\Android>adb push su /data/local/tmp
su: 1 file pushed. 0.7 MB/s (75344 bytes in 0.105s)
C:\Android>adb shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 84
drwxrwx--x 2 shell shell 4096 2022-12-27 15:22 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su
cereus:/data/local/tmp $ ./su
"./su": error: Android 5.0 and later only support position-independent executables (-fPIE).
1|cereus:/data/local/tmp $ rm ./su
cereus:/data/local/tmp $ exit
C:\Android>
Copied another su binary from a stock rooted Android TV box (no superuser app required, permissions granted automatically).
Code:
C:\Android>adb push su /data/local/tmp
adb: error: failed to get feature set: more than one device/emulator
C:\Android>adb -s ca1296db7d29 push su /data/local/tmp
su: 1 file pushed. 1.4 MB/s (100068 bytes in 0.070s)
C:\Android>adb shell
error: more than one device/emulator
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ ./su
255|cereus:/data/local/tmp $ ./su --help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
--daemon start the su daemon agent
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-u display the multiuser mode and exit
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
cereus:/data/local/tmp $ ./su --version
16 com.thirdparty.superuser
cereus:/data/local/tmp $
still it doesn't work from /data/local/tmp as the uid is 2000 (shell) so tried from /data/local where uid is 0 (root)
but I had to use Magisk /sbin/su for this already
Code:
cereus:/data/local/tmp $ ls -la /data/local
ls: /data/local: Permission denied
1|cereus:/data/local/tmp $ ls -la /data/local/tmp
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ cp ./su ..
cp: ../su: Permission denied
1|cereus:/data/local/tmp $ which su
/sbin/su
cereus:/data/local/tmp $ /sbin/su -c 'cp ./su ..'
cereus:/data/local/tmp $ cd ..
cereus:/data/local $ ls -la
ls: .: Permission denied
1|cereus:/data/local $ /sbin/su -c 'chmod 6775 ./su'
cereus:/data/local $ /sbin/su -c 'ls -la'
total 120
drwxr-x--x 4 root root 4096 2022-12-27 15:45 .
drwxrwx--x 48 system system 4096 2022-07-24 20:32 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 tmp
drwxrwxrwx 2 shell shell 4096 2022-07-24 14:19 traces
cereus:/data/local $ ./su
255|cereus:/data/local $
Despite the SUID bit being set correctly, it still doesn't work. So I removed the nosuid mount flag for the /data partition and double-checked that SELinux isn't the problem.
Code:
255|cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /data'
cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ ./su
255|cereus:/data/local $ getenforce
Permissive
cereus:/data/local $
still no way to get the root shell with that su binary, maybe prevented to run from /data at all. decided to try from other partition but there was no way. although permissions 2000 (shell) should at least see the file, but that wasn't the case. Magisk mount namespaces are set to global, no idea why the file is invisible in /cache
Code:
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /cache'
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'cp ./su /cache'
cereus:/data/local $ cd /cache
/system/bin/sh: cd: /cache: Permission denied
2|cereus:/data/local $ /sbin/su -c 'cd /cache'
cereus:/data/local $ /sbin/su -c 'mkdir /cache/tmp'
cereus:/data/local $ /sbin/su -c 'chown 0.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'chown 2000.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 16
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:54 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # cp /cache/su .
cereus:/cache/tmp # chmod 6775 ./su
cereus:/cache/tmp # exit
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # chown -R 0.2000 .
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwxrwxr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'chmod 6775 /cache/tmp/su'
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $
finally, even tried from within Magisk root shell. still the binary throws error 255. as you can see the su binary owns the sticky bit and uid 0 (root)
Code:
127|cereus:/data/local $ /sbin/su
cereus:/data/local # /cache/tmp/su --version
16 com.thirdparty.superuser
cereus:/data/local # /cache/tmp/su
255|cereus:/data/local # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/data/local $
To confirm the binary is working at least, I wanted to install it in /system. Because of systemless root and AVB/dm-verity I can't place the file on the /system partition directly, so I used the Magisk bind mount overlay.
Code:
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /data/adb/modules
cereus:/data/adb/modules # mkdir su_test
cereus:/data/adb/modules # cd su_test/
cereus:/data/adb/modules/su_test # mkdir -p system/xbin
cereus:/data/adb/modules/su_test # cp /cache/tmp/su system/xbin
cereus:/data/adb/modules/su_test # chown -R 0.2000 system
cereus:/data/adb/modules/su_test # chmod 6775 system/xbin/su
cereus:/data/adb/modules/su_test # ls -la system/xbin
total 108
drwxr-xr-x 2 root shell 4096 2022-12-27 16:10 .
drwxr-xr-x 3 root shell 4096 2022-12-27 16:10 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 su
cereus:/data/adb/modules/su_test # echo 'id=su_test' > module.prop
cereus:/data/adb/modules/su_test # echo 'name=su_test' >> module.prop
cereus:/data/adb/modules/su_test # echo 'version=0.0.1' >> module.prop
cereus:/data/adb/modules/su_test # echo 'versionCode=001' >> module.prop
cereus:/data/adb/modules/su_test # echo 'author=aIecxs @ XDA' >> module.prop
cereus:/data/adb/modules/su_test # echo 'description=proof that su binary is "suitable"' >> module.prop
cereus:/data/adb/modules/su_test # cat module.prop
id=su_test
name=su_test
version=0.0.1
versionCode=001
author=aIecxs @ XDA
description=proof that su binary is "suitable"
cereus:/data/adb/modules/su_test # ./system/xbin/su --version
16 com.thirdparty.superuser
cereus:/data/adb/modules/su_test # exit
cereus:/data/local $ exit
C:\Android>
after installing the magisk module, rebooted the phone and confirmed su binary works when running from system.
Code:
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ which su
/sbin/su
cereus:/ $ ls -l /system/xbin/su
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 /system/xbin/su
cereus:/ $ /system/xbin/su --version
16 com.thirdparty.superuser
cereus:/ $ /system/xbin/su
cereus:/ #
(note the /sbin/su binary is Magisk while the /system/xbin/su binary is the file copied from android tv box)
As on a stock Android device (user/release-keys build) adb root cannot work, there is no way to use the chown command. Because it is impossible to place the file into /system or any proper location with directory owner 0 (root) from adb, it's not possible to get a root shell from adb.
conclusion: an additional exploit (like mtk-su) is required to achieve this.
Edit: fun fact. Magisk complains about the foreign su binary that is provided by the Magisk module xD
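As an added example that is not part of this thread: a small sh helper for auditing setuid binaries, which applies the three conditions the posts in this thread ran into (no setuid bit at all on the Nabi su2; a setuid bit on a file owned by shell, so the effective uid stays 2000; a root-owned setuid file on a partition mounted nosuid, where the bit is ignored) to one `ls -l` line and the matching `/proc/mounts` entry. It parses both the old toolbox layout (no link count) and the toybox `ls -la` layout; the sample lines in the demo are taken from listings in this thread, and the mount lines are shortened copies of the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: given an "ls -l" line for a file and the
# /proc/mounts line of the filesystem holding it, report whether the kernel
# would honour a setuid bit on it. "setuid-root" only means the kernel would
# set euid 0; SELinux policy can still confine the process (the thread checked
# getenforce for exactly that reason).
#
# setuid_verdict LS_LINE MOUNT_LINE
# prints one of: not-setuid | nosuid-mount | setuid-nonroot | setuid-root

setuid_verdict() {
    ls_line=$1
    mount_line=$2

    set -f                              # no globbing while we split on whitespace
    set -- $ls_line                     # file names containing spaces are not handled
    mode=$1
    shift
    case $1 in
        *[!0-9]*) owner=$1 ;;           # toolbox:  mode owner group size date time name
        *)        owner=$2 ;;           # toybox:   mode links owner group size date time name
    esac

    # 4th character of the mode string is the owner-execute slot: s/S = setuid
    suidbit=${mode#???}
    suidbit=${suidbit%??????}
    case $suidbit in
        s|S) ;;
        *)   set +f; echo not-setuid; return 0 ;;
    esac

    set -- $mount_line                  # /proc/mounts: device mountpoint fstype options ...
    opts=$4
    set +f
    case ",$opts," in
        *,nosuid,*) echo nosuid-mount; return 0 ;;
    esac

    # "ls -ln" prints numeric ids, so accept 0 as well as root
    if [ "$owner" = root ] || [ "$owner" = 0 ]; then
        echo setuid-root
    else
        echo setuid-nonroot
    fi
}

# Demo over constructed input copied from listings in this thread.
setuid_audit_demo() {
    data_nosuid='/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'
    data_suid='/dev/block/dm-1 /data ext4 rw,seclabel,nodev,noatime 0 0'
    printf 'Nabi su2, no s bit:            %s\n' \
        "$(setuid_verdict '-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2' "$data_suid")"
    printf 'shell-owned su in /data/local/tmp: %s\n' \
        "$(setuid_verdict '-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su' "$data_suid")"
    printf 'root-owned su, /data nosuid:    %s\n' \
        "$(setuid_verdict '-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su' "$data_nosuid")"
    printf 'root-owned su, /data remounted suid: %s\n' \
        "$(setuid_verdict '-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su' "$data_suid")"
}
```

Run `setuid_audit_demo` after sourcing the file; on a device, feed it `ls -l` lines and `grep ' /data ' /proc/mounts` output the same way the thread did by hand.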