NOT SYSTEMLESS!
This writes to system, so systemless master race stay away.
Someone wanna make a Magisk version?
Instructions:
0. Download zip below and place inside internal storage.
1. Boot to TWRP.
2. Mount>System
3. Flash zip
4. Boot to Android and open a terminal emulator
5. Run dnscrypt enable. You probably have to do this every reboot.
Changing resolver:
Edit /system/etc/init.d/99dnscrypt. There's a line RESOLVER_NAME, change it to a suitable one from here under Name. I suggest you ping every server geographically nearby and go with the lowest ping.
Changing DNS server:
On Nexus 5X at least, use a Terminal Emulator and run
Code:
setprop net.dns1 127.0.0.1:53
Self-compile guide:
Requirements:
Linux computer (x86_64)
Android NDK (r12b is the newest so far, get the 64-bit one)
libsodium
dnscrypt-proxy
Here's how I did it:
1. Extract the NDK (unzip android-ndk-rXXb.zip )
2. Run
Code:
export ANDROID_NDK_HOME=<NDK Location>
3. Extract libsodium and dnscrypt-proxy.
4. Enter the folder of libsodium/dist-build, then edit android-build.sh such that NDK_PLATFORM:-android-16 becomes NDK_PLATFORM:-android-24. Then modify android-armv8-a.sh and add
Code:
-mtune=cortex-a57.cortex-a53 -mcpu=cortex-a57.cortex-a53
to the end of CFLAGS.
5. Return to libsodium root folder (cd ..) and do ./autogen.sh then ./dist-build/android-armv8-a.sh. When the script finishes it will tell you where the output is.
6. (Optional) Run android-toolchain-armv8-a/aarch64-linux-android/bin/strip on the output .so (typically in libsodium-android-armv8-a/lib/libsodium.so)
7. Now we do
Code:
export SODIUM_ANDROID_PREFIX=<libsodium output>
8. Enter the folder of dnscrypt, do the same modifications to dnscrypt's dist-builds. Again, do ./autogen.sh and ./dist-build/android-armv8-a.sh.
9. Now you have a fresh compilation of AArch64 dnscrypt-proxy!
It's usually dnscrypt-proxy-android-armv8-a.zip
10. Finally, we need to edit the zip file and rename the /system/lib folder to lib64, and change references in updater-script and /system/addon.d/75-dnscrypt.sh.
11. (Optional) Add --ephemeral-keys to 99dnscrypt for extra security.
Credits:
qwerty12 for the basic instructions
Changelog:
02/19: Updated libsodium (1.0.8->master) and dnscrypt-proxy(01/27 master->master)
03/17: Pulled freshest code from masters, compiled with NDK r11b and platform android-23
09/26: Latest stable branch of libsodium and master of dnscrypt. Compilation target now android-24. Compiled with NDK r12b
Changes to both dnscrypt-proxy and libsodium:
dist-build/android-build.sh:
Code:
NDK_PLATFORM:-android-16 to NDK_PLATFORM:-android-24
dist-build/android-arm-v8-a.sh:
Code:
Appended:
-mtune=cortex-a57.cortex-a53 -mcpu=cortex-a57.cortex-a53
to end of CFLAGS
Why not just release the compiled binaries ? would safe others with tinkering compiling it
Flashable zip
DragonHunt3r said:
Why not just release the compiled binaries ? would safe others with tinkering compiling it
Click to expand...
Click to collapse
Uploaded. I just thought most people would be more comfortable compiling their own code rather than trust a stranger. I still don't know how to fix the updater script though, it's the default one for now.
aschere said:
Uploaded. I just thought most people would be more comfortable compiling their own code rather than trust a stranger. I still don't know how to fix the updater script though, it's the default one for now.
Click to expand...
Click to collapse
That's true, but at the other side we trust random flashable zips for roms, mods etc from XDA
Thanks for the upload will take a look
Edit: well it works but in DNSManager for example it shows greyed out "Enable DnsCrypt"
dnsleaktest.com shows dnscrypt works though
DragonHunt3r said:
That's true, but at the other side we trust random flashable zips for roms, mods etc from XDA
Thanks for the upload will take a look
Edit: well it works but in DNSManager for example it shows greyed out "Enable DnsCrypt"
dnsleaktest.com shows dnscrypt works though
Click to expand...
Click to collapse
Shows up OK in my device.
So can I just flash the zip and use dns manager? nothing else?
---------- Post added at 03:25 AM ---------- Previous post was at 03:17 AM ----------
Will this work with a non 64 bit snapdragon 805
gangrenius said:
So can I just flash the zip and use dns manager? nothing else?
---------- Post added at 03:25 AM ---------- Previous post was at 03:17 AM ----------
Will this work with a non 64 bit snapdragon 805
Click to expand...
Click to collapse
This works only on 64-bit devices. For 32-bit devices, a download is provided here.
Yes, this is a flashable zip. However, DNS needs to be changed manually such as through DNS Manager because iptables doesn't entirely work.
Any major changes with 4/6? Thanks for updating this BTW.
th3g1z said:
Any major changes with 4/6? Thanks for updating this BTW.
Click to expand...
Click to collapse
It's all commits from 03/17 to 04/06.
Installed the zip successfully, when in terminal emulator, its not working, pls help!:crying:
Using rooted Lenovo A7000
Here's the full text directly copied from terminal emulator:
[email protected]:/ $ dnscrypt enable
Enabling dnscrypt-proxy...
iptables v1.4.20: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.20: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
[INFO] - [cs-uswest] does not support DNS Security Extensions
[INFO] + Namecoin domains can be resolved
[INFO] + Provider supposedly doesn't keep logs
[NOTICE] Starting dnscrypt-proxy 1.6.1
[INFO] Generating a new session key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate is valid
[INFO] Chosen certificate #808464433 is valid from [2015-11-05] to [2016-11-04]
[INFO] Server key fingerprint is 881A:AED0:0427:BAF0:47D6:BDFA:6161A38:F019:571C:9BD2:A083:4A5F:C938:7E5D:8434
iptables v1.4.20: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Done
[email protected]:/ $
kuchienkz said:
Installed the zip successfully, when in terminal emulator, its not working, pls help!:crying:
Using rooted Lenovo A7000
Here's the full text directly copied from terminal emulator:
[email protected]:/ $ dnscrypt enable
Enabling dnscrypt-proxy...
iptables v1.4.20: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.20: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.20: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Done
[email protected]:/ $
Click to expand...
Click to collapse
Did you read the error you got? You have to be root. Try running 'su' before 'dnscrypt enable'
aschere said:
Did you read the error you got? You have to be root. Try running 'su' before 'dnscrypt enable'
Click to expand...
Click to collapse
Lol, i would not post my problem here if that could solve my problem :v
Already tried that several times. Still gives the same error.
kuchienkz said:
Lol, i would not post my problem here if that could solve my problem :v
Already tried that several times. Still gives the same error.
Click to expand...
Click to collapse
Can you post what version of Android, what phone?
aschere said:
Can you post what version of Android, what phone?
Click to expand...
Click to collapse
Android Version: 5.0.2
Lenovo A7000 : Phone Spec
kuchienkz said:
Android Version: 5.0.2
Lenovo A7000 : Phone Spec
Click to expand...
Click to collapse
Hmmm... I can't really think of anything other than the root: are you sure you rooted it? When you type su, do you switch to the root user?
aschere said:
Hmmm... I can't really think of anything other than the root: are you sure you rooted it? When you type su, do you switch to the root user?
Click to expand...
Click to collapse
Ah nevermind, i just reinstalled my phone with stock ROM, then rooted it. Now it works. :good:
If you curious about last rom, it is MIUI 7
Thank you so much for your help :victory:
Btw now that i understand how to run it. But as u said that i have to run it on every boot. Is there a way to run it automatically? Actually, im quite new to Terminal Emulator
kuchienkz said:
Ah nevermind, i just reinstalled my phone with stock ROM, then rooted it. Now it works. :good:
If you curious about last rom, it is MIUI 7
Thank you so much for your help :victory:
Btw now that i understand how to run it. But as u said that i have to run it on every boot. Is there a way to run it automatically? Actually, im quite new to Terminal Emulator
Click to expand...
Click to collapse
Good to hear that!
For automatic execution, you can create a script in /system/su.d or /system/addon.d I guess.
Ah actually, it should be in /system/etc/init.d
aschere said:
Ah actually, it should be in /system/etc/init.d
Click to expand...
Click to collapse
And.... how to make that script?
Im seriously beginner here
I dont have any idea what kind of script it is and what language it uses.
Maybe you can give me link to a site where i could learn to make one
kuchienkz said:
And.... how to make that script?
Im seriously beginner here
I dont have any idea what kind of script it is and what language it uses.
Maybe you can give me link to a site where i could learn to make one
Click to expand...
Click to collapse
Actually, the script should already be in there. See this.
Related
OpenVPN on SENSE & Buzz OC/UV 1.51Ghz 1.1.4 HOW TO
NEW UPDATE: 17/12/2010
OpenVpn.zip - FLASH IN CLOCKWORK MOD AND FOLLOW ON FROM STEP 4!!
WHAT IT DOES.
- New iptables
- New Openvpn binary
- All Symlinks created.
- All Permissions.
- Folders Created.
REQUIREMENTS:
-ROOT
-CWM-RECOVERY
-BusyBox
-OpenVpn config files, certs etc in /sdcard/openvpn
CONFIRMED WORKING ON :
-LeeDroid 1.2
-[RUU_Ace_HTC_WWE_1.32.405.6 Stock Sense Rom] - thanks to Walker Street For Testing.
Please inform me if you can confirm this working on Other ROM'S Thank you.
I AM USING ,
[KERNEL]Buzz OC/UV 1.51Ghz CFS+BFQ+SmartAss+TUN+EXT4+.27 ACE 1.1.4 [15/12/2010]
IN THEORY THIS SHOULD WORK WITH ANY SENSE ROM & KERNEL..
JUST MAKE SURE YOU THE KERNEL HAS A TUN.KO ETC CONFIGURED FOR IT.
DOWNLOAD :
http://dl.dropbox.com/u/15057375/mero01-xda/OpenVPN.zip
And a BIG thanks to ecips for helping with this
NO LONGER NEED TO DO ANY OF THIS , JUST USE OpenVPN.zip & FOLLOW ON FROM STEP 4!!
Ok guys had alot of problems gettings this too were it working, hopefully you guys might see some errors/fix's to improve on this
Requirements:
OpenVPN-Settings - Market
OpenVpn Binary File - Located in the openvpn4DesireHD.ZIP
LeeDrOiD HD v1.2 - http://forum.xda-developers.com/showthread.php?t=842802
Buzz OC/UV 1.51Ghz 1.1.4 - http://forum.xda-developers.com/showthread.php?t=835616
UPDATED 17/12/2010: CONFIRMED WORKING ON, LeeDroiD HD v1.2 & Buzz OC/UV 1.51Ghz 1.1.4
A) Not sure if this matters or not but i copied LeeDroids iptables file from the Desire.
B) Copy your client.conf or .ovpn file and certs to /sdcard/openvpn
C) Implementation:
1. Unzip/copy openvpn binary file to device.
1.b replace the current openvpn file in /system/xbin with this new one
1.c -- chmod +x with it.
Code:
adb remount
adb push openvpn /system/xbin/
adb shell
chmod +x /system/xbin/openvpn
exit
If " adb remount " didnt work
Code:
su
mount -o rw,remount -t yaffs2 /dev/block/mmcblk0p25 /system
in order to mount system as read/write
2. Make folder /system/xbin/bb
Code:
adb remount
adb shell mkdir /system/xbin/bb
exit
3. Make symbolic links to ifconfig and route & busy box.
THIS IS WERE THE PROBLEMS ALL COME FROM AND IF YOU HAVE ISSUES THIS IS WHAT WILL BE CAUSEING IT! SOMETHING TO DO WITH LINK BETWEEN BUSY BOX AND IFCONFIG......BUT I TRIED FROM FRESH BOOT AND IT WORKS FLAWLESSLY NOW WILL TALK TOO LEE ABOUT GETTING EVERYTHING INBUILT IN LEEDROID
Code:
adb remount
adb shell
ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
ln -s /system/xbin/route /system/xbin/bb/route
ln -s /system/xbin/busybox /system/xbin/ifconfig
reboot
4. Install/Configure OpenVPN-Settings
4.0 Install OpenVPN-Settings from "Market" its free dont worrie
Code:
4.1 On device, launch OpenVPN Settings.
4.2 Long press openvpn.conf, Preferences.
4.3 Check "Use VPN DNS Server"
4.4 Enter your VPN DNS Server
4.5 Script Security Level Select Built-in + scripts
4.5 press back
4.6 Click click the sub-menu option select Advanced
4.7 Load tun kernel module and make it 'insmod /system/lib/modules/tun.ko' before starting openvpn.
7.8 Change path to openvpn binary to /system/xbin/openvpn
Click " Fix HTC Routes "
You should now be connected
IF I FORGOT ANYTHING PLS LET ME KNOW VERY TIRED WHEN I DID THIS HAHA
Here is my config anyways for reference and here is my client config
Code:
client
dev tun
proto udp
remote XXX.XXX.XXX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mero-android.crt
key mero-android.key
comp-lzo
verb 6
script-security 2
Have also realised if you go terminal and do following gives you nice log
basicly , su root, cd to your openvpn folder location, run openvpn on your client conf
Code:
su
cd /sdcard/openvpn
openvpn client.ovpn
For added security. To make the OpenVPN request a password on connect. do the following
change step 4.5 to Script Security Level Select Built-in + scripts + passwords
add the following to your server conf.
Code:
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
and this to your client
Code:
auth-user-pass
Change Log:
Use OpenVPN.zip & step 4 and beyond.
17/12/2010
DOWNLOAD:
http://dl.dropbox.com/u/15057375/mero01-xda/OpenVPN.zip
Out of curiosity, what is OpenVPN used for?
Then i will know if i have to use your spot on tutorial
no1male said:
Out of curiosity, what is OpenVPN used for?
Then i will know if i have to use your spot on tutorial
Click to expand...
Click to collapse
It's a VPN (virtual private network). I can access my home and work computers from my android.
I am super-impressed mero. But I wasn't able to get it to work .... I think it's my fault .... I've stuffed around so much. I'm right now starting a clean install.... It should work..... I hope.
Walker Street said:
I am super-impressed mero. But I wasn't able to get it to work .... I think it's my fault .... I've stuffed around so much. I'm right now starting a clean install.... It should work..... I hope.
Click to expand...
Click to collapse
thanks
I did alot of stuffing around aswell thats why i wanted to test it.
So i did a full wipe. then flash to 1.2 reboot. flash to 1.0.1.fix. and then first thing i did was follow those steps.
connection worked first go
please update me, as im sure i can help.
Walker Street,
I attached a screen shot of the actual adb session i did just incase. the bottom 3 commands to my knowledge and what i can see dont work so i ommited them from the tut. but they might do somthign and not display it so thought i might upload incase.
mero01 said:
Walker Street,
I attached a screen shot of the actual adb session i did just incase. the bottom 3 commands to my knowledge and what i can see dont work so i ommited them from the tut. but they might do somthign and not display it so thought i might upload incase.
Click to expand...
Click to collapse
Silly me. I forgot to set 'Fix HTC Routes'. Now I've done that and your method rules.
You're a genius mero. It works.
I changed permissions for the new openvpn and iptables using root explorer so they could execute. Maybe you didn't need to because you were doing adb push from linux (I was doing it from windows).
I don't have a DNS server, so I didn't need to specify one.
I would highly recommend these changes to LeeDroid for his rom. Have you messaged him yet?
Walker Street said:
Silly me. I forgot to set 'Fix HTC Routes'. Now I've done that and your method rules.
You're a genius mero. It works.
Click to expand...
Click to collapse
+1
Thank you very much
Walker Street said:
I changed permissions for the new openvpn and iptables using root explorer so they could execute. Maybe you didn't need to because you were doing adb push from linux (I was doing it from windows).
I don't have a DNS server, so I didn't need to specify one.
I would highly recommend these changes to LeeDroid for his rom. Have you messaged him yet?
Click to expand...
Click to collapse
to be honest the only part i did in adb was the symlinks did everything else in root explorer.i didnt change any permissions :S
Yes i have PM'd him, awaiting a reply
just updated to Buzz 1.0.2 , everything still works
Walker Street said:
It's a VPN (virtual private network). I can access my home and work computers from my android.
Click to expand...
Click to collapse
Yes and tunnel all your internet traffic back through the VPN encrypted in many ways
also works with buzz 1.0.8.
and after pushing the openvpn binary, you need to do chmod +x with it.
raw235 said:
also works with buzz 1.0.8.
and after pushing the openvpn binary, you need to do chmod +x with it.
Click to expand...
Click to collapse
No worries thanksss, i shall update
anyone tried with 1.1.0 ?
Hello,
i'm in trouble....
At first, i have an error when i try the adb remount command : Operation not permitted
Then i have a second message when i try to create the "bb" folder : mkdir failed for bb. Read-only file system.
I'm confused because tel is rooted, S-OFF and suped-CID. I even changed the Kernel with Buzz's one 1,2Ghz.
Did i miss something?
Thanks for your help
Lionel
EFCAugure said:
Hello,
i'm in trouble....
At first, i have an error when i try the adb remount command : Operation not permitted
Then i have a second message when i try to create the "bb" folder : mkdir failed for bb. Read-only file system.
I'm confused because tel is rooted, S-OFF and suped-CID. I even changed the Kernel with Buzz's one 1,2Ghz.
Did i miss something?
Thanks for your help
Lionel
Click to expand...
Click to collapse
hmm thats very strange... adb remount should work...
actually quite puzzled at that dunno why it wouldnt work if you do have root etc.
only other thing i can think of is have you got busybox installed ?
what state is your phone in when your trying to do this ? ie off. on, recovery mode.
Hi,
thanks for reply!
I have a branded SFR phone in France but i managed to root it and S-OFF it without problem.
I switched to another Kernel with the tun.ko file and that's all.
When i tried adb remount, the phone was ON (no recovery or anything else).
I will try in recovery mode.
Busybox is installed.
Note : impossible to connect adb while in recovery.
This seems to be the problem :
when switching kernel only, i don't change the property ro.secure because it's nested (of what i read) in the boot.img. I have a branded phone and this property is set to 1.
Is there a way to change this property without changing the whole ROM? I would llike to stay with this one.
Thanks for your advice
lionel
Ok,
switched to Leedroid 1.2 and re-changed kernel to Buzz 1,22Ghz.
This tutorial is awesome!
Thanks mero01!!!
Is there a way to use the WIFI connection instead of 3G?
EFCAugure said:
Ok,
switched to Leedroid 1.2 and re-changed kernel to Buzz 1,22Ghz.
This tutorial is awesome!
Thanks mero01!!!
Is there a way to use the WIFI connection instead of 3G?
Click to expand...
Click to collapse
no worries
yer just disable 3g and use wifi. just make sure that its not using the same wifi your openvpn server is on...
Yes, of course!
I will try from a friend's wifi this afternoon!
Thanks
lionel
Just wondering if the new Dirty Cow exploit means all those previously unrootable phones can now (or very soon) be rooted.
http://www.cyberciti.biz/faq/dirtyc...local-privilege-escalation-vulnerability-fix/
kennonk said:
Just wondering if the new Dirty Cow exploit means all those previously unrootable phones can now (or very soon) be rooted.
http://www.cyberciti.biz/faq/dirtyc...local-privilege-escalation-vulnerability-fix/
Click to expand...
Click to collapse
Based upon the early research into this, YES it would appear that this also has widespread affect into the Android Linux Kernel
https://www.nowsecure.com/blog/2016/10/21/dirty-cow-vulnerability-mobile-impact/
https://www.theguardian.com/technol...ow-linux-vulnerability-found-after-nine-years
(Bottom of Article Google confirms Android is susceptible)
PoC Code which would probably need to be slightly refactored for use in Android, but still highly relevant
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
The bug affects the Android Linux kernel. I already tested it, and yes, you can change any file owned by root to whatever you want.
But that doesn't mean you can actually root the phone (that is, gain root access). Maybe it is possible, but I don't think is trivial. The thing is: you can modify root owned files, yes. But you need that some process owned by root executes your file, so you can gain root access. Editing init scripts won't work since they are recreated every time you boot your phone, and after the phone boots, as far as I know, nothing else is executed by root.
I don't mean that it can't be done, maybe there's some file that is executed by root after boot out there that you can modify, but I wouldn't know which one.
Scorpius666 said:
The thing is: you can modify root owned files, yes. But you need that some process owned by root executes your file, so you can gain root access.
Click to expand...
Click to collapse
Doesn't that mean you can install a custom su binary and just execute that as any user?
This exploit only allows you to replace the content of existing files with their existing mode/permissions, and the way su operates you need the setuid (set-user-ID) bit set in the mode, and from a brief look at the system I wanted to get root on, android doesn't seem to have any setuid binaries.
I'm thinking replacing something like wpa_supplicant could let us execute the payload as root, just disable and re-enable wifi, but I can't seem to get the exploit itself to work at the moment.
On further inspection (at least on this device), wpa_supplicant isn't readable by non-root (which I think the exploit requires). app_process is, but that's an executable I'd prefer not to mess with
Update:
Got the exploit itself working.
Tried replacing /system/bin/fsck_msdos's content to trigger it to be run as root by inserting a microSD card,
but something on this device (Amazon Fire 5th gen) keeps rebooting and restoring the system partition if any file is changed.
a___ said:
This exploit only allows you to replace the content of existing files
Click to expand...
Click to collapse
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in/system etc..
The counterside is that the kernel crashes/freezes after some seconds.
https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2
I'd like to port that to an apk using the ndk, but my pc is too old.
The /system partition is mounted read only by default. Because of this, you can't overwrite them. But I saw a exploit which used /sys/kernel/uevent_helper to execute a shell script as root. This would probably also work with the dirty cow exploit.
KillahKiwi said:
Doesn't that mean you can install a custom su binary and just execute that as any user?
Click to expand...
Click to collapse
You can't create a new file. You can modify an existing file. The su binary needs the setuid bit and there are no files in the Android filesystem with that bit set.
The only way to root a phone with this bug is to modify an executable that will change the owner of the su binary to root and set the setuid bit on this file. This part is trivial and very easy.
The difficult part is to find a binary that will be executed as root after you have booted. If somebody knows any file in /system/bin for example that will be executed as root doing some action on the phone tell me and the phone will be rooted in seconds.
---------- Post added at 11:32 AM ---------- Previous post was at 11:28 AM ----------
a___ said:
Got the exploit itself working.
Tried replacing /system/bin/fsck_msdos's content to trigger it to be run as root by inserting a microSD card,
but something on this device (Amazon Fire 5th gen) keeps rebooting and restoring the system partition if any file is changed.
Click to expand...
Click to collapse
I copied the su binary in /data/local/tmp. I can modify files in /system/bin for example and the phone does not reboot, but i don't have fsck_msdos in my phone.
---------- Post added at 11:35 AM ---------- Previous post was at 11:32 AM ----------
DP FH said:
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in/system etc..
The counterside is that the kernel crashes/freezes after some seconds.
https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2
I'd like to port that to an apk using the ndk, but my pc is too old.
Click to expand...
Click to collapse
I'm compiling on the phone using UXTerm, then apt install clang, and then using gcc. It's the quickest way to compile a single .c file on it.
Scorpius666 said:
. It's the quickest way to compile a single .c file on it.
Click to expand...
Click to collapse
I'd like to create a standard Android app that uses jni to run exploit and then roots the device. I can't test on my real phone because I need warranty and Knox counter to 0.
DP FH said:
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in/system etc..
The counterside is that the kernel crashes/freezes after some seconds.
https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2
I'd like to port that to an apk using the ndk, but my pc is too old.
Click to expand...
Click to collapse
At first try doesn't work for me:
Code:
[email protected]:/data/local/tmp $ ./dirtyc0w-mem b6dc0000 b6dc1000
[*] range: b6dc0000-b6dc1000]
[*] getuid = b6f79b18
[*] mmap 0xb6dd5000
[*] exploiting (patch)
./dirtyc0w-mem: failed to execute "su": Permission denied
[*] exploiting (unpatch)
[*] unpatched: uid=2000 (madviseThread)
[*] unpatched: uid=2000 (procselfmemThread)
But I'll modify a little bit to see if I can get it to work.
Scorpius666 said:
doesn't work for me.
Click to expand...
Click to collapse
I don't think you have su on the phone ????
By the way I'm trying to install some emulator on my pc so I can try
DP FH said:
I don't think you have su on the phone ????
By the way I'm trying to install some emulator on my pc so I can try
Click to expand...
Click to collapse
I do have the su, in /data/local/tmp, with users permission. The idea is to do a chown root:root and a chmod 4755.
But I know what the problem is. The SHELLCODE in the file is for x86, which seems to be a XOR AX, AX and a RET. I have to do the same for an ARM v7L in THUMB I think...
DP FH said:
Not true. This code executes su as root, spawning a root shell. It can be modified to run a script that installs su in/system etc..
The counterside is that the kernel crashes/freezes after some seconds.
<URL>
I'd like to port that to an apk using the ndk, but my pc is too old.
Click to expand...
Click to collapse
Well that assumes we have a setuid su already, this variant of the exploit won't help us.
julianwi said:
The /system partition is mounted read only by default. Because of this, you can't overwrite them. But I saw a exploit which used /sys/kernel/uevent_helper to execute a shell script as root. This would probably also work with the dirty cow exploit.
Click to expand...
Click to collapse
Somehow it did manage to overwrite it, but maybe the reboot and reset are caused by it being read-only and not actually writing the changes to persistent storage.
Will look into /sys/kernel/uevent_helper though, thanks
Scorpius666 said:
...
I copied the su binary in /data/local/tmp. I can modify files in /system/bin for example and the phone does not reboot, but i don't have fsck_msdos in my phone.
...
Click to expand...
Click to collapse
Just about any would work, you probably have some other fsck or mkfs utility you could do it with, then trying to format an SD card should run mkfs
a___ said:
Just about any would work, you probably have some other fsck or mkfs utility you could do it with, then trying to format an SD card should run mkfs
Click to expand...
Click to collapse
The thing is all my fsck* files are not readable, only by root, at least in my device. The exploit needs a readable file.
a___ said:
Well that assumes we have a setuid su already, this variant of the exploit won't help us
Click to expand...
Click to collapse
Nope. The su command is executed as root, and when you execute su as root it gives you a root shell. Try to execute sh instead of su.
DP FH said:
Nope. The su command is executed as root, and when you execute su as root it gives you a root shell. Try to execute sh instead of su.
Click to expand...
Click to collapse
No, it merely makes libc report that the user is root even though it isn't, it needs su to already have setuid to switch to the real root, and then running the shell. In this case (simplified) the exploit just bypasses the password prompt.
a___ said:
No, it merely makes libc report that the user is root even though it isn't, it needs su to already have setuid to switch to the real root, and then running the shell. In this case (simplified) the exploit just bypasses the password prompt.
Click to expand...
Click to collapse
I just noticed that. Using sh instead of su, the dirtycow-mem works in the phone and it spawns a shell, but with the same privileges than the user that executed it. So it's useless at least with that libc approach.
Scorpius666 said:
I just noticed that. Using sh instead of su, the dirtycow-mem works in the phone and it spawns a shell, but with the same privileges than the user that executed it. So it's useless at least with that libc approach.
Click to expand...
Click to collapse
Strange, on normal x86 works like a charm so something needs to be fixed
DP FH said:
Strange, on normal x86 works like a charm so something needs to be fixed
Click to expand...
Click to collapse
Of course it works on x86. If you read the code you'll see that it changes the function getuid() of libc (that is already loaded in memory) to return 0. The x86 su binary uses getuid() to know if it should ask for a password or not. Since getuid() is patched, it doesn't ask a password and spawn a root shell.
So basically for dirtycow-mem to work you need:
A su binary with setuid root
That su binary should ask for a password
The Android su binary doesn't ask for a password and doesn't have the setuid root so this exploit won't work.
hey there
did anyone try the dirtycow-vdso exploit? it works on SELinux (which AOSP uses) and doesn't require a SUID see
github . com/scumjr/dirtycow-vdso
Hi,
I've developed an universal & stable temporal root tool for "dirtycow-capable" Android M (and N?), i.e., without the 2016-11-06 patch.
It bypasses selinux via a vdso backdoor inside the init process which is injected by a memory-only dirtycow exploit.
This approach has the following advantages:
Memory-only: does not modify the filesystem
Scalable: easy to add new kernel and/or new devices
Stable: does not affect stability of your device
Reversible: the backdoor is cleared immediately after the root shell ends, which means no reboot is required after usage
Please use version v0.1.1 instead of v0.1 which has a severe bug!
Attention:
By "SELinux bypass" I mean the payload will run in init domian even if SELinux is in enforcing mode, however, a patch to sepolicy is still needed for making init domain unconfined. Usually this means a modified boot image is required.
Details, releases, usage and the source code is available at Github.
Maybe I'll turn it into a SuperSU installer in the future. Donations are welcome.
XDA:DevDB Information
VIKIROOT, Tool/Utility for all devices (see above for details)
Contributors
hyln9
Source Code: https://github.com/hyln9/VIKIROOT
Version Information
Status: Testing
Created 2017-01-20
Last Updated 2017-01-21
Hi, I am working on the LG Tribute HD model LGLS676 and we are looking for an exploit for MM 6.0.1 build MXB48T. is it possible to create a 32-bit version of this exploit? It's exactly what we need right now for a method to gain root as not even temp is not even close to possible, lg has this one airtight. I'm running Ubuntu 16.04.01 64 bit and can help test if needed on my device. Thanks in advance for any help you can or cannot provide ?
Sands207 said:
Hi, I am working on the LG Tribute HD model LGLS676 and we are looking for an exploit for MM 6.0.1 build MXB48T. is it possible to create a 32-bit version of this exploit? It's exactly what we need right now for a method to gain root as not even temp is not even close to possible, lg has this one airtight. I'm running Ubuntu 16.04.01 64 bit and can help test if needed on my device. Thanks in advance for any help you can or cannot provide
Click to expand...
Click to collapse
Thanks for your reply.
Unfortunately, 32-bit vDSO support is not available for Android currently.
hyln9 said:
Thanks for your reply.
Unfortunately, 32-bit vDSO support is not available for Android currently.
Click to expand...
Click to collapse
Could we use a different backdoor/exploit for x86 devices?
AptLogic said:
Could we use a different backdoor/exploit for x86 devices?
Click to expand...
Click to collapse
Great idea, I'll have a try in the emulator.
Hello and thank you for this!
I am stuck and need your help here please... I'm on an LG V10 (H960A) mm, and I think I followed the instructions on GitHub correctly:
1. Extracted the "exploit" binary
2. adb push /data/local/tmp
3. adb shell (cd to /data/local/tmp and made "exploit" executable)
4. Executed the "exploit"
and now I am stuck in "waiting for reverse connect shell". Turning device on/off, toggling Bluetooth etc does nothing... How should I proceed? Thanks in advance!
ftaios said:
Hello and thank you for this!
I am stuck and need your help here please... I'm on an LG V10 (H960A) mm, and I think I followed the instructions on GitHub correctly:
1. Extracted the "exploit" binary
2. adb push /data/local/tmp
3. adb shell (cd to /data/local/tmp and made "exploit" executable)
4. Executed the "exploit"
and now I am stuck in "waiting for reverse connect shell". Turning device on/off, toggling Bluetooth etc does nothing... How should I proceed? Thanks in advance!
Click to expand...
Click to collapse
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
@hyln9 how goes the looking for a 32bit exploit? I'm available to test any developments that have been made, using an AT&T Galaxy S5 running Android 5.0 ((I can upgrade to 5.1.1 or 6.0 if needed)
(Try exploiting wpa_supplicant )
hyln9 said:
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
Click to expand...
Click to collapse
Just sent them to you...
hyln9 said:
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
Click to expand...
Click to collapse
I also sent!!
Is there any way this can with for the at&t lg g5 h820 I believe. I hope so that is the only thing I hate with this phone. No root. So boring.
What port should we be using? When I use the non-debug version it hangs waiting for the reverse connection... using the debug version it dies before even creating a log file it says: "Internal error: unknown kernel." I'm running an AT&T G5 (H820) without the latest patches...
rvyhmeister said:
What port should we be using? When I use the non-debug version it hangs waiting for the reverse connection... using the debug version it dies before even creating a log file it says: "Internal error: unknown kernel." I'm running an AT&T G5 (H820) without the latest patches...
Click to expand...
Click to collapse
did you reboot phone?
and maybe you don't get error.
Not executable 64 bit elf file?
jcpowell said:
Not executable 64 bit elf file?
Click to expand...
Click to collapse
That means you're trying to run this 64 bit exploit on a 32 bit android system. The exploit doesn't work on 32 bit because 32bit systems don't have vdso. I'm working on a different exploit and I think this dev is too but I don't expect much out of my tests since it's mostly device specific.
iptr9 said:
did you reboot phone?
and maybe you don't get error.
Click to expand...
Click to collapse
Rebooted... running the debug
Now I get this
Syscall error: bind at line 392 with code 13.
No files are created... what port should I tell it? Thanks!
rvyhmeister said:
Rebooted... running the debug
Now I get this
Syscall error: bind at line 392 with code 13.
No files are created... what port should I tell it? Thanks!
Click to expand...
Click to collapse
maybe you have to cd into /data/local/tmp
and then ./exploit
iptr9 said:
maybe you have to cd into /data/local/tmp
and then ./exploit
Click to expand...
Click to collapse
I've done that... the interesting thing is that if I run simply
./exploit
it replies
CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
Usage:
./exploit port: use local terminal.
./exploit ip port: use remote terminal.
If I enter any number, it then fails...
rvyhmeister said:
I've done that... the interesting thing is that if I run simply
./exploit
it replies
CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
Usage:
./exploit port: use local terminal.
./exploit ip port: use remote terminal.
If I enter any number, it then fails...
Click to expand...
Click to collapse
try a port above 1024
saspipi said:
try a port above 1024
Click to expand...
Click to collapse
thanks.... it starts fine.... but then hangs waiting for the reverse shell to connect.... I've got the zip with the two debug files that I'm attaching
I'm not responsible for damage, loss, etc cause by this script. This script lacks of situation and error management. Please read the script and understand what it does. Please backup your /system/priv-app/MiuiSystemUI/MiuiSystemUI.apk
Tested on xiaomi.eu 11.0.4.0. Should work on any miui11, maybe even other devices with notch.
This scripts moves the system clock in the notch-enabled status bar to the right side of the notch. It does this by pulling the apk, decompiling it in tmp folder and recompiling it. I made this because I got annoyed by the fact that there is tons of space on the right side of the notch while there is no space for notification icons on the left side.
SafetyNet should pass. Reboot after execution to ensure root is read-only.
Requirements:
MIUI 11
Magisk v20+
apktool < v2.6.0 (-c option is required)
adb
a decent linux install
The patch.patch file on the same directory of where you run it. If you're dev you can edit this file to make your custom patch.
PS: xda doesn't let me upload sh, the script is script.txt, rename it into script.sh, make it executable and execute it
EDIT: Will bootloop on Android 10 MIUI 11!
Thanks, it's very useful.
But can you please explain how to run the script?
---------- Post added at 11:00 AM ---------- Previous post was at 11:00 AM ----------
Thanks, it's very useful.
But can you please explain how to run the script?
he script is script.txt, rename it into script.sh, make it executable and execute it
DP FH said:
he script is script.txt, rename it into script.sh, make it executable and execute it
Click to expand...
Click to collapse
I'd rename it. but how to execute it? dublle click on the file or how?
yamabokra1 said:
I'd rename it. but how to execute it? dublle click on the file or how?
Click to expand...
Click to collapse
Via terminal
DP FH said:
Via terminal
Click to expand...
Click to collapse
It seems that you don't have time to explain. thanks anyway
yamabokra1 said:
It seems that you don't have time to explain. thanks anyway
Click to expand...
Click to collapse
Mate, if you don't know how to execute scripts from terminal you probably shouldn't mess around with them.
JaSomTy said:
Mate, if you don't know how to execute scripts from terminal you probably shouldn't mess around with them.
Click to expand...
Click to collapse
Please, spend 10 second to tell here if it worked, so we know on which systems it works
DP FH said:
Please, spend 10 second to tell here if it worked, so we know on which systems it works
Click to expand...
Click to collapse
I'm not getting it right.
Can you assist?
https://ibb.co/N7GXpcS
https://ibb.co/XDMZSv9
I run it, but it says apktool not found?
Please check the link for the picture. Do i have the correct APK tool there? I see you said < 2.6.0, but the highest i can find is 2.4.1
Dude... Running Windows binaries from Linux ain't gonna work. Just install everything from apt.
V2.6.0 does not yet exist, I wrote it for the time being
Rooted phone?
Maybe an obvious question, but does the phone need to be rooted to allow that manipulation?
duplicate message lol
josephlegrand33 said:
Maybe an obvious question, but does the phone need to be rooted to allow that manipulation?
Click to expand...
Click to collapse
Requirements: Magisk v20+ so yes. You can unroot after a successful installation, but if the mod goes away (ota update) you need root to reinstall it
Hey, I think I set up everything right, but when I run it I get
Input file (MiuiSystemUI.apk) was not found or was not readable.
Script: modding
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- /tmp/miuis/res/layout/drip_status_bar_contents_container.xml 2020-01-04 20:09:39.224390176 +0100
|+++ /tmp/miuis/res/layout/drip_status_bar_contents_container.new 2020-01-04 20:09:56.504390102 +0100
--------------------------
File to patch:
Am I missing something?
I'm attaching the output
Thx for your work
I also think I did it right, but get "MiuiSystemUI.apk was not found or was not readable".
(Redmi Note 8 Pro, MIUI Global 11.0.3)
I've also tried to move that stupid clock with Substratum, but overlays seem not affecting system stuff in statusbar and, sadly, CustoMIUIzer doesn't include this setting.
Hi, sorry if I didn't read it straight away. That means MiuiSystemUI.apk couldn't be read. Do you have correct permissions to write files in /tmp?
Try to execute the commands in the script manually. for example, adb pull /system/priv-app/MiuiSystemUI/MiuiSystemUI.apk /tmp/
Can you manage to read the file? Do you see it in /tmp?
If it is, apktool d -p /tmp -o /tmp/miuis/ -s MiuiSystemUI.apk
should work right away
Tancredus said:
I'm attaching the output
Click to expand...
Click to collapse
I've read the log, the apktool decompilation gets straight away skipped for some reason. I'm using 2.4.1 as well.
What happens when you run apktool d -p /tmp -o /tmp/miuis/ -s MiuiSystemUI.apk
manually?
Oh right! My fault. replace
apktool d -p /tmp -o /tmp/miuis/ -s MiuiSystemUI.apk
with
apktool d -p /tmp -o /tmp/miuis/ -s /tmp/MiuiSystemUI.apk
And try again.
Also, don't try using it on android 10. will bootloop.
Do you know why it will bootlop in android 10 miui 11?
Because it's only a change on one line of xml... Maybe it's a invalid positioning, let me see it...
adb root
I have already tried the following command, but it says:
adbd cannot run as root in production builds
xracerx123 said:
adb root
I have already tried the following command, but it says:
adbd cannot run as root in production builds
Click to expand...
Click to collapse
Uh.. What are you trying to do?
Are you trying to emulate a Pixel 6a on your computer, or do you want to have root privileges on your device?
I want to have write permission on /system/bin and /system/xbin, this is for the purpose of me importing nano into the devices. My main goal is to have a bashrc alias and and make it easy for me to edit files in the system.
xracerx123 said:
I want to have write permission on /system/bin and /system/xbin, this is for the purpose of me importing nano into the devices. My main goal is to have a bashrc alias and and make it easy for me to edit files in the system.
Click to expand...
Click to collapse
You'll have to look into rooting then. I suggest you use Magisk. There are many guides on xda (specifically for this device too).
Even magisk won't overcome that error, because at the end of the day, it is a production build.
But that doesn't mean you can't use root! You just can't call "adb root".
Code:
adb shell
$ su
# <-- do stuff as root
# exit
$
xracerx123 said:
I want to have write permission on /system/bin and /system/xbin, this is for the purpose of me importing nano into the devices. My main goal is to have a bashrc alias and and make it easy for me to edit files in the system.
Click to expand...
Click to collapse
Just to be clear, even if you have root, you can't easily write to the system partition. The system partition is mounted as read-only and to get around that you'd need several steps like a modified super partition, and potentially have verity/verification disabled.
Your best bet you be to use Magisk, and either use the Magisk mirror partitions to add nano, or use the Magisk nano module (https://github.com/Magisk-Modules-Repo/nano-ndk)
96carboard said:
Even magisk won't overcome that error, because at the end of the day, it is a production build.
But that doesn't mean you can't use root! You just can't call "adb root".
Code:
adb shell
$ su
# <-- do stuff as root
# exit
$
Click to expand...
Click to collapse
You can use Termux, or any other terminal emulator, type 'su', allow superuser privileges, and do stuff as root.
craigacgomez said:
Just to be clear, even if you have root, you can't easily write to the system partition. The system partition is mounted as read-only and to get around that you'd need several steps like a modified super partition, and potentially have verity/verification disabled.
Your best bet you be to use Magisk, and either use the Magisk mirror partitions to add nano, or use the Magisk nano module (https://github.com/Magisk-Modules-Repo/nano-ndk)
Click to expand...
Click to collapse
Btw, how do I install nano-ndk? There is no release on the GitHub page and when I try to download the .zip file and install, it say fail.
[ Error writing /etc/mkshrc: Read-only file system ]
How do I go about editing this when it is a read only file system
Ok I have successfully added nano, now how do I edit the following file to add alias
Lada333 said:
You can use Termux, or any other terminal emulator, type 'su', allow superuser privileges, and do stuff as root.
Click to expand...
Click to collapse
That's what I said in the message you quoted. There is no need to repeat it.
96carboard said:
That's what I said in the message you quoted. There is no need to repeat it.
Click to expand...
Click to collapse
You never really mentioned where you suggest them use that bit of code you provided, nor have you suggested they use a terminal emulator (where they can obtain root privileges), but alright.
Lada333 said:
You never really mentioned where you suggest them use that bit of code you provided, nor have you suggested they use a terminal emulator (where they can obtain root privileges), but alright.
Click to expand...
Click to collapse
Terminal emulator application is irrelevant. OP was asking about ADB specifically.
hope you are aware that if you modify /system you can't ota update anymore
see this https://topjohnwu.github.io/Magisk/ota.html
96carboard said:
Even magisk won't overcome that error, because at the end of the day, it is a production build.
But that doesn't mean you can't use root! You just can't call "adb root".
Click to expand...
Click to collapse
You CAN...but this can only be done in engineering and debug builds.
adb root restarts adbd with root permissions.
There is a way around this; use an elevated shell to write ro.debuggable=1 to /system/build.prop, /system/default.prop, or /data/local.prop
If you want adb shell to automatically start with root, add ro.secure=0