Farm-Root: Recovery Image Pulling/Flashing Tool - Security Discussion

Hey all,
I wrote an exploit to use cow root to pull/push images. I've only tested it on the Galaxy S7 Active, but it should also work for other arm64 phones. Let me know how it works out for you all!
https://github.com/freddierice/farm-root
Also, don't run `make push` if you don't know what you're doing. It's dangerous.
If you don't have the ndk, feel free to download the prebuilt binaries here: http://static.freddierice.co/868ab104ae202545f2d8aa97442073f3/farm-root-bins.tgz

Going back to stock on my T-Mobile Galaxy S7 Edge. Then going to poke around. Thank you sir
Sent from my SM-G935U using Tapatalk

freddierice said:
Hey all,
I wrote an exploit to use cow root to pull/push images. I've only tested it on the Galaxy S7 Active, but it should also work for other arm64 phones. Let me know how it works out for you all!
https://github.com/freddierice/farm-root
Also, don't run `make push` if you don't know what you're doing. It's dangerous.
I don't have an arm64v8 device to test on.
I tested on my x86 and armeabi; it doesn't work on either. Thanks for sharing, it should help those that have arm64v8.

vampirefo said:
I don't have an arm64v8 device to test on.
I just haven't tested other devices. Try replacing `arm64-v8a` in the Makefile with your architecture, and see if it works.

How exactly would one use this tool? I have it on my PC at ~/farm-root and it is also pushed to /data/local/tmp on my phone.
Sent from my Z981 using XDA Premium

Masterchief87 said:
How exactly would one use this tool? I have it on my PC at ~/farm-root and it is also pushed to /data/local/tmp on my phone.
1. connect your phone with usb debugging allowed
2. open a terminal window and run `make log`
3. open a second terminal window and run `make pull`

freddierice said:
I just haven't tested other devices. Try replacing `arm64-v8a` in the Makefile with your architecture, and see if it works.
Yes, I already tried that, as well as changing the location of recovery, but it just doesn't work for me.
Masterchief87 said:
How exactly would one use this tool? I have it on my PC at ~/farm-root and it is also pushed to /data/local/tmp on my phone.
Sent from my Z981 using XDA Premium
Sent from my R1HD(ZenUI) via Tapatalk

freddierice said:
1. connect your phone with usb debugging allowed
2. open a terminal window and run `make log`
3. open a second terminal window and run `make pull`
Running `make log` yields
adb logcat | grep -a farm-root
Running `make pull` in the 2nd terminal window yields
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
make: ndk-build: Command not found
make: *** [build] error 127
Any idea what I'm doing wrong?

Masterchief87 said:
Running `make log` yields
adb logcat | grep -a farm-root
Running `make pull` in the 2nd terminal window yields
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
make: ndk-build: Command not found
make: *** [build] error 127
Any idea what I'm doing wrong?
This project makes the binaries when you run `make`. You don't have the NDK installed, or at least you don't have its binaries in your PATH.

OK. What is the procedure for using the prebuilt binaries?
Sent from my Z981 using XDA Premium

Masterchief87 said:
OK. What is the procedure for using the prebuilt binaries?
Same procedure as before. Just untar the files in the project directory. I ran `make clean all` on my box, then threw them up on the web.

Guess I'm SOL on this one?
Code:
$ logcat |grep farm
10-30 17:29:05.794 10572 10572 I farm-root: [*] farm-root started
10-30 17:29:05.795 10572 10572 I farm-root: [*] building a bridge
10-30 17:29:05.797 10572 10572 I farm-root: ERROR: could not open /system/bin/dumpstate
10-30 17:29:05.797 10572 10572 I farm-root: ERROR: could not overwrite /system/bin/dumpstate
10-30 17:30:40.315 10672 10672 W farm : type=1400 audit(0.0:7): avc: denied { read } for name="dumpstate" dev="mmcblk0p14" ino=105 scontext=u:r:shell:s0 tcontext=u:object_r:dumpstate_exec:s0 tclass=file permissive=0
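The `avc: denied` line in the log above is the SELinux audit record that explains why the tool's open of /system/bin/dumpstate failed, and it is the line to read when triaging any "Permission denied" on an Android device: `scontext` is the domain that asked, `tcontext` is the label of the object, `tclass` the object class, and `permissive=0` means the denial was enforced rather than merely logged. The Python below is an added example, not code from farm-root or from anyone in this thread; it parses such records out of logcat text and groups the denials by (source domain, target type, class). The first sample line is the one posted above; the other two are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Matches the kernel audit record that logcat prints for an SELinux decision.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# key=value pairs between "for" and "scontext=", values optionally double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str                 # "denied" or "granted"
    perms: Tuple[str, ...]      # permissions requested, e.g. ("read",)
    fields: Dict[str, str]      # name=, dev=, ino=, pid=, comm=, path= ...
    source_domain: str          # third field of scontext, e.g. "shell"
    target_type: str            # third field of tcontext, e.g. "dumpstate_exec"
    tclass: str                 # object class, e.g. "file"
    permissive: bool            # True when the domain is permissive (logged only)


def _type_of(context: str) -> str:
    """Pull the type/domain out of a label such as u:r:shell:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return the parsed AVC record, or None for lines that are not avc records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
        source_domain=_type_of(m.group("scontext")),
        target_type=_type_of(m.group("tcontext")),
        tclass=m.group("tclass"),
        permissive=m.group("permissive") == "1",
    )


def describe(rec: AvcRecord) -> str:
    """One-line reading of the record, as you would write it in a triage note."""
    what = rec.fields.get("path") or rec.fields.get("name") or "?"
    mode = "logged only, domain is permissive" if rec.permissive else "enforced"
    return (f"{rec.source_domain} {rec.result} {'+'.join(rec.perms)} on "
            f"{rec.tclass} {what} (type {rec.target_type}); {mode}")


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denials by (source domain, target type, class) -> union of permissions."""
    out: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec.result == "denied":
            out[(rec.source_domain, rec.target_type, rec.tclass)].update(rec.perms)
    return dict(out)


# First line is from the log posted above; the other two are constructed for this example.
SAMPLE_LOG = [
    '10-30 17:30:40.315 10672 10672 W farm : type=1400 audit(0.0:7): avc: denied { read } for name="dumpstate" dev="mmcblk0p14" ino=105 scontext=u:r:shell:s0 tcontext=u:object_r:dumpstate_exec:s0 tclass=file permissive=0',
    '10-30 17:29:05.794 10572 10572 I farm-root: [*] farm-root started',
    '10-30 17:31:02.001 10680 10680 W sh : type=1400 audit(0.0:8): avc: denied { open } for pid=10680 comm="sh" path="/system/bin/dumpstate" dev="mmcblk0p14" ino=105 scontext=u:r:shell:s0 tcontext=u:object_r:dumpstate_exec:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_avc(line)
        print(describe(rec) if rec else f"(not an avc record) {line[:40]}...")
    print(summarize(SAMPLE_LOG))
```

The grouping is what makes a long logcat capture readable: one (domain, type, class) key per distinct policy rule that would have to exist for the access to succeed, with the union of permissions that were asked for. In the log above the key is (shell, dumpstate_exec, file) with {read}, which is exactly the statement "the shell domain has no read rule for dumpstate_exec files" that freddierice's reply below draws.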

Guess I'm SOL on this one?
I guess so. I didn't realize that SELinux policies varied so drastically. I am surprised though that you do not have read privs to /system/bin/dumpstate. Could you post `adb shell ls -laZ /system/bin/`? I'm curious

Here yuh go.
Code:
$ ls -laZ /system/bin
lstat '/system/bin/ClockworkProxy' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 acpi -> toybox
lstat '/system/bin/adspd' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 am
lrwxr-xr-x root shell u:object_r:system_file:s0 app_process -> app_process32
-rwxr-xr-x root shell u:object_r:zygote_exec:s0 app_process32
-rwxr-xr-x root shell u:object_r:system_file:s0 applypatch
-rwxr-xr-x root shell u:object_r:system_file:s0 appops
-rwxr-xr-x root shell u:object_r:system_file:s0 appwidget
-rwxr-xr-x root shell u:object_r:system_file:s0 atrace
lrwxr-xr-x root shell u:object_r:system_file:s0 basename -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 bcc
lstat '/system/bin/blkid' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 blockdev -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 bmgr
lstat '/system/bin/bootanimation' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 bu
-rwxr-xr-x root shell u:object_r:system_file:s0 bugreport
lrwxr-xr-x root shell u:object_r:system_file:s0 bzcat -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 cal -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 cat -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 chcon -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 chgrp -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 chmod -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 chown -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 chroot -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 cksum -> toybox
lstat '/system/bin/clatd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 clear -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 cmp -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 comm -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 content
lrwxr-xr-x root shell u:object_r:system_file:s0 cp -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 cpio -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 cut -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 dalvikvm -> dalvikvm32
-rwxr-xr-x root shell u:object_r:system_file:s0 dalvikvm32
lrwxr-xr-x root shell u:object_r:system_file:s0 date -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 dd -> toolbox
lstat '/system/bin/debuggerd' failed: Permission denied
-rwxr-xr-x root shell u:object_r:dex2oat_exec:s0 dex2oat
lrwxr-xr-x root shell u:object_r:system_file:s0 df -> toolbox
lstat '/system/bin/dhcpcd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 dirname -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 dmesg -> toybox
lstat '/system/bin/dnsmasq' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 dos2unix -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 dpm
lrwxr-xr-x root shell u:object_r:system_file:s0 du -> toolbox
lstat '/system/bin/dumpstate' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 dumpsys
lstat '/system/bin/e2fsck' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 echo -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 egrep -> grep
lrwxr-xr-x root shell u:object_r:system_file:s0 env -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 expand -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 expr -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 fallocate -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 false -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 fgrep -> grep
lrwxr-xr-x root shell u:object_r:system_file:s0 find -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 free -> toybox
lstat '/system/bin/fsck_msdos' failed: Permission denied
lstat '/system/bin/gatekeeperd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 getenforce -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 getevent -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 getprop -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 grep
lrwxr-xr-x root shell u:object_r:system_file:s0 groups -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 gzip
-rwxr-xr-x root shell u:object_r:system_file:s0 hciattach
lrwxr-xr-x root shell u:object_r:system_file:s0 head -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 hid
lrwxr-xr-x root shell u:object_r:system_file:s0 hostname -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 hwclock -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 id -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 ifconfig -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 iftop -> toolbox
-rwxr-xr-x root shell u:object_r:system_file:s0 ime
lstat '/system/bin/init.mmi.boot.sh' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 inotifyd -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 input
lrwxr-xr-x root shell u:object_r:system_file:s0 insmod -> toybox
lstat '/system/bin/install-recovery.sh' failed: Permission denied
lstat '/system/bin/installd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 ioctl -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 ionice -> toolbox
-rwxr-xr-x root shell u:object_r:system_file:s0 ip
-rwxr-xr-x root shell u:object_r:system_file:s0 ip6tables
-rwxr-xr-x root shell u:object_r:system_file:s0 iptables
lstat '/system/bin/keystore' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 kill -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 ld.mc
-rwxr-xr-x root shell u:object_r:system_file:s0 linker
lstat '/system/bin/lmkd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 ln -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 load_policy -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 log -> toolbox
-rwxr-xr-x root shell u:object_r:logcat_exec:s0 logcat
lstat '/system/bin/logd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 logname -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 logwrapper
lrwxr-xr-x root shell u:object_r:system_file:s0 losetup -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 ls -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 lsmod -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 lsof -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 lsusb -> toybox
lstat '/system/bin/m4setup' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 make_ext4fs
lstat '/system/bin/mbm_spy' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 md5sum -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 media
lstat '/system/bin/mediaserver' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 mkdir -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 mknod -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 mkswap -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 mktemp -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 modinfo -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 monkey
lrwxr-xr-x root shell u:object_r:system_file:s0 more -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 mount -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 mountpoint -> toybox
lstat '/system/bin/mtpd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 mv -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 nandread -> toolbox
-rwxr-xr-x root shell u:object_r:system_file:s0 ndc
lstat '/system/bin/netd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 netstat -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 newfs_msdos -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 nice -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 nl -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 nohup -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 oatdump
lrwxr-xr-x root shell u:object_r:system_file:s0 od -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 paste -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 patch -> toybox
-rwxr-xr-x root shell u:object_r:dex2oat_exec:s0 patchoat
lrwxr-xr-x root shell u:object_r:system_file:s0 pgrep -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 pidof -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 ping
-rwxr-xr-x root shell u:object_r:system_file:s0 ping6
lrwxr-xr-x root shell u:object_r:system_file:s0 pkill -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 pm
lrwxr-xr-x root shell u:object_r:system_file:s0 pmap -> toybox
lstat '/system/bin/pppd' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 printenv -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 printf -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 prlimit -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 ps -> toolbox
lstat '/system/bin/pvrsrvctl_SGX530_125' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 pwd -> toybox
lstat '/system/bin/racoon' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 readlink -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 realpath -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 reboot
lrwxr-xr-x root shell u:object_r:system_file:s0 renice -> toolbox
-rwxr-xr-x root shell u:object_r:system_file:s0 resize2fs
lrwxr-xr-x root shell u:object_r:system_file:s0 restorecon -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 rm -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 rmdir -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 rmmod -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 route -> toybox
-rwxr-x--- root shell u:object_r:runas_exec:s0 run-as
lrwxr-xr-x root shell u:object_r:system_file:s0 runcon -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 schedtest
-rwxr-xr-x root shell u:object_r:system_file:s0 screencap
-rwxr-xr-x root shell u:object_r:system_file:s0 screenrecord
lstat '/system/bin/sdcard' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 secdiscard
lrwxr-xr-x root shell u:object_r:system_file:s0 sed -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 sendevent -> toolbox
-rwxr-xr-x root shell u:object_r:system_file:s0 sensorservice
lrwxr-xr-x root shell u:object_r:system_file:s0 seq -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 service
lstat '/system/bin/servicemanager' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 setenforce -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 setprop -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 setsid -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 settings
lstat '/system/bin/setup_fs' failed: Permission denied
lstat '/system/bin/sgdisk' failed: Permission denied
-rwxr-xr-x root shell u:object_r:shell_exec:s0 sh
lrwxr-xr-x root shell u:object_r:system_file:s0 sha1sum -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 sleep -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 sm
lrwxr-xr-x root shell u:object_r:system_file:s0 sort -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 split -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 start -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 stat -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 stop -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 strings -> toybox
lstat '/system/bin/surfaceflinger' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 svc
lrwxr-xr-x root shell u:object_r:system_file:s0 swapoff -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 swapon -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 sync -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 sysctl -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 tac -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 tail -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 tar -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 taskset -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 tc
lrwxr-xr-x root shell u:object_r:system_file:s0 tee -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 telecom
lrwxr-xr-x root shell u:object_r:system_file:s0 time -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 timeout -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 tinycap
-rwxr-xr-x root shell u:object_r:system_file:s0 tinymix
-rwxr-xr-x root shell u:object_r:system_file:s0 tinyplay
-rwxr-xr-x root shell u:object_r:toolbox_exec:s0 toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 top -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 touch -> toybox
lstat '/system/bin/touch_ramoops.sh' failed: Permission denied
-rwxr-xr-x root shell u:object_r:toolbox_exec:s0 toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 tr -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 true -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 truncate -> toybox
lstat '/system/bin/tzdatacheck' failed: Permission denied
-rwxr-xr-x root shell u:object_r:system_file:s0 uiautomator
lstat '/system/bin/uim-sysfs' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 umount -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 uname -> toybox
lstat '/system/bin/uncrypt' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 uniq -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 unix2dos -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 uptime -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 usleep -> toybox
lstat '/system/bin/vdc' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 vmstat -> toybox
lstat '/system/bin/vold' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 watchprops -> toolbox
lrwxr-xr-x root shell u:object_r:system_file:s0 wc -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 which -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 whoami -> toybox
-rwxr-xr-x root shell u:object_r:system_file:s0 wm
lstat '/system/bin/wpa_supplicant' failed: Permission denied
lrwxr-xr-x root shell u:object_r:system_file:s0 xargs -> toybox
lrwxr-xr-x root shell u:object_r:system_file:s0 yes -> toybox
It looks super strict. I forgot to mention I'm attempting this on a Moto 360. It's stripped-down Android, so there are probably fewer mistakes in the policy, making it more secure. "It's a watch, why would I need to read those files?" was probably their thought. Beginning to think root won't be possible without damaging its water resistance.

freddierice said:
Hey all,
I wrote an exploit to use cow root to pull/push images. I've only tested it on the Galaxy S7 Active, but it should also work for other arm64 phones. Let me know how it works out for you all!
https://github.com/freddierice/farm-root
Also, don't run `make push` if you don't know what you're doing. It's dangerous.
If you don't have the ndk, feel free to download the prebuilt binaries here: http://static.freddierice.co/868ab104ae202545f2d8aa97442073f3/farm-root-bins.tgz
Did this ultimately root this device?

Could you get this to flash the LAF partition for LG phones? I would love to work with you on flashing the LAF partition as my LG G5's is nuked and I can no longer work on finding a root exploit for it...

root
Please help me to root the InFocus Epic 1.

freddierice said:
Hey all,
I wrote an exploit to use cow root to pull/push images. I've only tested it on the Galaxy S7 Active, but it should also work for other arm64 phones. Let me know how it works out for you all!
https://github.com/freddierice/farm-root
Also, don't run `make push` if you don't know what you're doing. It's dangerous.
If you don't have the ndk, feel free to download the prebuilt binaries here: http://static.freddierice.co/868ab104ae202545f2d8aa97442073f3/farm-root-bins.tgz
So will your tool allow us to flash TWRP on the S7 Active and hence get a stable root method instead of the engineered kernel method, which is very buggy?
Sent from my SAMSUNG-SM-G891A using XDA-Developers Legacy app

I was able to run the makefile, but recovery_pull and boot_pull don't seem to get written. `make log` returns an error about not being able to open /system/bin/dumpstate.
Am I missing something? I might be in the same boat as Geofferey but if there's something I'm glossing over I'd love to hear about it.

I'm a forker! Thanks for the awesome code, seriously man
***** Warning: This is an unfinished, powerful, tool for developers. When I have it working I will compile it with easy instructions *****
1. Updated Makefile to retrieve the device via adb. Android.mk <snippet> APP_ABI=$(ARCH) APP_PLATFORM=android-$(SDK_VERSION)
2. Updated dirtycow to use the new improved version. e.g. prefer ptrace as well as large file support
3. Added printf statements to farm.c to echo progress to the console.
And I dunno if I made other changes, but GitHub does; just check.
I'm not an Android developer; I'm a C programmer with a new passion for Android. It is not implausible that your device will never boot again!!
Here's my repo. I'm open source in everything I do and I ask that if you use any work that I've contributed please be 100% open source as well!
https://github.com/droidvoider/N920A-farm-root
but if you can't be open source then just don't charge people for fixing their miserable devices!
Notice: Scope of this tool, i.e. CVE-2016-5195 for Google & SVE-2016-7504 for Samsung <== we are patched by SVE patch
****** Samsung owners, please note: the patch date was November 2016 by Samsung; 14 patches were in that package ******
Even though Google's patches were Nov 1st, 2016 = partial and Nov 5th, 2016 = full, this may not be a rule for us! My AT&T Note 5 with Security Patch Level Date Nov 1, 2016 is patched. If you're with AT&T that might be it; see SETTINGS==>SYSTEM|ABOUT|"Security Patch Level".
(I am patched, but I downgraded my kernel by using boot.img + recovery.img from the October 2016 firmware!! It isn't checked; you can downgrade those!)
The Samsung SVE-2016-7504 is stated to be included in November's patches, so if you have a patch post Nov 1st from your carrier that's likely the end of the story. But if you are with a carrier other than AT&T, Verizon for example, I don't know how to look up the details of when you were patched. But Samsung had 14 patches in that set. AT&T N920AUCS4CPK1 has a note about 14 patches from Samsung, the exact number. So match that logic with your carrier, or whatever, to figure it out. If you're patched and you can't downgrade kernels there's no workaround for that. I don't mind helping you, but this is super risky stuff...
Updated: farm-root to work on the Note 5, and added some more info on compiling this yourself.
https://forum.xda-developers.com/an...nux-stages-t3573036/post71528270#post71528270
seems to work
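The post above turns on one question a defender asks of every device in a fleet: what security patch level does it report, and does that level fall before or after the fix dates the poster cites (Nov 1, 2016 partial and Nov 5, 2016 full on the Google side)? The Python below is an added example, not code from farm-root or from the poster's fork. It parses the `[key]: [value]` lines that `adb shell getprop` prints (the sample output here is constructed) and classifies `ro.build.version.security_patch` against cutoff dates the caller supplies, so the dates remain the poster's claim rather than the code's. One caveat the post itself supplies: the patch level is a property of the system image, so a device whose boot.img was downgraded the way the poster describes still reports the newer level; treat the check as a screening step, not as proof of kernel state.

```python
import re
from datetime import date
from typing import Dict, Optional

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")

SPL_KEY = "ro.build.version.security_patch"


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn raw `adb shell getprop` text into a dict; lines that do not match are skipped."""
    props: Dict[str, str] = {}
    for raw in output.splitlines():
        m = PROP_RE.match(raw.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def security_patch_level(props: Dict[str, str]) -> Optional[date]:
    """Return the reported SPL as a date, or None if it is absent or not YYYY-MM-DD."""
    value = props.get(SPL_KEY, "").strip()
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def classify_spl(props: Dict[str, str], partial_fix: date, full_fix: date) -> str:
    """
    Compare the reported SPL with two caller-supplied cutoff dates.
    Returns "unknown", "unpatched", "partial" or "patched".
    """
    spl = security_patch_level(props)
    if spl is None:
        return "unknown"
    if spl < partial_fix:
        return "unpatched"
    if spl < full_fix:
        return "partial"
    return "patched"


# Cutoffs as stated in the post above; they are the poster's figures, not verified here.
PARTIAL_FIX = date(2016, 11, 1)
FULL_FIX = date(2016, 11, 5)

# Constructed sample of `adb shell getprop` output, trimmed to a few keys.
SAMPLE_GETPROP = """
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-11-01]
[ro.build.version.sdk]: [23]
[ro.product.cpu.abi]: [arm64-v8a]
this line is not a property and is skipped
"""

if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print(SPL_KEY, "=", security_patch_level(props))
    print("classification:", classify_spl(props, PARTIAL_FIX, FULL_FIX))
```

In practice you would feed it the real output (`adb shell getprop > props.txt`) and take the cutoff dates from the vendor's bulletin for the fix you care about; the sample above lands in "partial", which is the same situation the poster describes for a device reporting Nov 1, 2016.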

Related

Samsung Behold 2 Rooting

Here are the commands I used:
cd\
cd androidsdk\tools
adb push try3.dat /data/local
adb shell chmod 0755 /data/local/try3
adb shell
/data/local/try3 /system/bin/sh
mount -o rw,remount /dev/st9 /system
chmod 04755 /system/bin/sh
cat /sdcard/su.dat > /system/bin/su1
cat /sdcard/su.dat > /system/bin/su
chmod 04755 /system/bin/su
su
cat /system/bin/playlogo > /system/bin/playlogo_real
/system/bin/chmod 0755 /system/bin/playlogo_real
echo "#!/system/bin/sh
/data/local/try3.dat /system/bin/sh
mount -o rw,remount /dev/st9 /system
chmod 04755 /system/bin/sh
cat /system/bin/su1 > /system/bin/su
chmod 04755 /system/bin/su
/system/bin/playlogo_real" > /system/bin/playlogo
exit
exit
exit
adb install Superuser.apk
adb shell reboot
It said Superuser.apk installed successfully. When I tried to reboot it said permission denied.
Here is the CMD pasted. Please help me I have no idea what I am doing wrong.
C:\AndroidSDK>cd\
C:\>reboot
'reboot' is not recognized as an internal or external command,
operable program or batch file.
C:\>cd\
C:\>cd androidsdk\
C:\AndroidSDK>adb shell
error: device not found
C:\AndroidSDK>adb shell
error: device not found
C:\AndroidSDK>adb shell
$ su
su
su: permission denied
$ exit
exit
C:\AndroidSDK>adb devices
List of devices attached
SGH-T939 device
C:\AndroidSDK>adb shell
$ su.dat
su.dat
su.dat: permission denied
$ exit
exit
C:\AndroidSDK>adb shell
$ su
su
su: permission denied
$ su.dat
su.dat
su.dat: permission denied
$ exit
exit

Rooting the HTC DESIRE Z, VISION, G2 with Super Tool under Linux

I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[...many lines snipped out...]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rw-rw-rw- root root 22228 2011-11-10 12:53 su
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[...many lines snipped out...]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
su: permission denied
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
# htc1.sh: push zergRush to the device and run it to obtain a temporary root shell.
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
# htc2.sh: run after htc1.sh has given a temporary root. Installs BusyBox, su and
# Superuser.apk into /system, which is remounted read-write first.
./adb remount
# BusyBox: copy it into /system/xbin with dd, make it setuid root, install applet symlinks.
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
# su: setuid/setgid root in /system/bin, plus a symlink in /system/xbin.
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
# Superuser.apk: plain 644, like the other system apps.
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh the results will be the same; the added commands will be gone, and you won't be able to "su" any more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
G2 Temp Root
Hi, I got a tmo g2 2.3.4
i used the superhtctoolv2 on win7, and htcdrivers linked in the original thread.
i performed options 1 and 2, and was able to gain temp root, but just like everyone else it goes away with a reboot, or even after a prolonged period of inactivity; it works as long as i keep messing with Titanium Backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?
Cool man! Thanks!
HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTC's security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran htc1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
[...]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
well that sucks!

HTC One SC (T528d)

There was a thread on the SU model, I'm interested if anyone else has a One SC. There's a family of One S-lookalikes that HTC makes for the three major Chinese networks. It's a dual-SIM device supporting CDMA2000 and GSM mainly for the China market. Outside specs are similar to the One SU but the SoC is supposedly an ST-Ericsson U8500.
Anyway, I've been trying to root the thing using Root_with_Restore_by_Bin4ry (http://forum.xda-developers.com/showthread.php?t=1886460) but it always fails. I've modified the script and managed to remount /system as read-write and copy su to /system/xbin/su. ls shows that su is in the right folder with the right permissions. However, after rebooting, all changes are lost. Anyone else having success rooting this phone? Do I need to unlock the bootloader first?
# ls -l
-rwxr-xr-x root shell 9756 2013-01-02 13:35 battery_params
-rwxr-xr-x root shell 71700 2013-01-02 13:35 dexdump
-rwxr-xr-x root shell 35660 2013-01-02 13:35 kexec.dyn
-rwxr-xr-x root shell 22280 2013-01-02 13:35 pppoe
-rwxr-xr-x root shell 13920 2013-01-02 13:35 ste-cg29xx_ctrl
-rwsr-sr-x root root 380532 2013-03-17 17:14 su
-rwxr-xr-x root shell 34668 2013-01-02 13:36 wireless_modem

[GPE][DUMP] Google Play Edition System Dump - XT1032 Android 4.4.2, Build KOT49H.M004

THIS IS NOT A ROM! IT IS NOT FLASHABLE. THIS IS INTENDED TO HELP THE COMMUNITY CREATE GPE-BASED ROMS FOR NORMAL RETAIL VARIANTS. DO NOT ASK HOW TO FLASH THIS. YOU CAN'T.
Hi all -
Here is the system dump for the XT1032 Google Play Edition. This is the Google Play Edition ROM, completely unmodified. It is not rooted, it has had nothing changed. This dump came from my personal device. I can verify and stand behind its authenticity. Keep in mind that the Moto G GPE currently has no booting custom recoveries and no working non-recovery root methods. This means I am unable to dump the kernel, radio, or anything else. The system dump will have to do for now until Motorola drops kernel source and we can get a custom recovery that will actually boot on the GPE.
In the meantime, you can download the system dump here: https://drive.google.com/file/d/0B_zuNWpIf1ujeFNUUUtOSTlxMG8/edit?usp=sharing
EDIT: I managed to get the phone rooted with Superboot and I have dumped the kernel and boot images.
The system dump does not include any symlinks, obviously, but here is a list of them and where they're supposed to go:
lrwxr-xr-x root shell 2013-12-28 13:42 [ -> motobox
lrwxr-xr-x root shell 2013-12-28 13:42 cat -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 chcon -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 chmod -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 chown -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 clear -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 cmp -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 cp -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 date -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 dd -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 df -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 dmesg -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 du -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 getconfig -> motobox
lrwxr-xr-x root shell 2013-12-28 13:42 getenforce -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 getevent -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 getprop -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 getsebool -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 grep -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 hd -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 id -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ifconfig -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 iftop -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 insmod -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ioctl -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ionice -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 kill -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ln -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 load_policy -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 log -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ls -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 lsmod -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 lsof -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 md5 -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 mkdir -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 mkswap -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 mount -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 mv -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 nandread -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 netstat -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 newfs_msdos -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 notify -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 printenv -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ps -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 ptf -> motobox
lrwxr-xr-x root shell 2013-12-28 13:42 readlink -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 renice -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 restorecon -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 rm -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 rmdir -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 rmmod -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 route -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 runcon -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 schedtop -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 sendevent -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 sendevent2 -> motobox
lrwxr-xr-x root shell 2013-12-28 13:42 setconsole -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 setenforce -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 setprop -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 setsebool -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 sh -> mksh
lrwxr-xr-x root shell 2013-12-28 13:42 sleep -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 smd -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 start -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 stop -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 swapoff -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 swapon -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 sync -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 test -> motobox
lrwxr-xr-x root shell 2013-12-28 13:42 top -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 touch -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 umount -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 uptime -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 vmstat -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 watchprops -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 wipe -> toolbox
lrw-r--r-- root root 2013-12-28 13:42 wcd9306_anc.bin -> /data/misc/audio/wcd9320_anc.bin
lrw-r--r-- root root 2013-12-28 13:42 wcd9306_mbhc.bin -> /data/misc/audio/mbhc.bin
lrw-r--r-- root root 2013-12-28 13:42 WCNSS_qcom_wlan_factory_nv.bin -> /persist/WCNSS_qcom_wlan_factory_nv.bin
lrw-r--r-- root root 2013-12-28 13:42 DroidSans-Bold.ttf -> Roboto-Bold.ttf
lrw-r--r-- root root 2013-12-28 13:42 DroidSans.ttf -> Roboto-Regular.ttf
lrw-r--r-- root root 2013-12-28 13:42 libGLESv3.so -> libGLESv2.so
lrw-r--r-- root root 2013-12-28 13:42 wlan.ko -> /system/lib/modules/pronto/pronto_wlan.ko
If you have any other questions, let me know.
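Two posts on this page leave the reader with raw `ls -l` captures to act on by hand: the Desire Z post earlier compares the /system/xbin listing before and after the reboot to see what the device reverted, and the symlink list just above has to be recreated when the dump is repackaged. The Python below is an added example written for this page; it is not code from any of the posts, from the Super Tool, or from any ROM project. It parses the old toolbox `ls -l` format used in those captures (no link count, no size on symlinks and directories) as well as the newer toybox format (link count on every line), diffs two captures of the same directory, and turns symlink lines into `ln -s` commands. Assumptions: a purely numeric second token is treated as a link count rather than a numeric uid, and since the symlink list does not say which directory each entry lives in, the caller supplies it. The sample listings are constructed from lines quoted on this page.

```python
"""Parse Android `ls -l` captures: diff two listings, regenerate symlinks (added example)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    perms: str           # e.g. "-rwsr-sr-x"
    owner: str
    group: str
    size: int | None     # old toolbox prints no size for symlinks and directories
    target: str | None   # symlink target, None for everything else


def parse_ls_line(line: str) -> Entry:
    """Parse one `ls -l` line in either Android format.

    old toolbox:  lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su
    toybox/GNU:   -rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su
    Assumption: a numeric second token is the link count (toybox), not a numeric uid.
    """
    tok = line.split()
    perms, rest = tok[0], tok[1:]
    modern = rest[0].isdigit()
    if modern:
        rest = rest[1:]                      # drop link count
    owner, group, rest = rest[0], rest[1], rest[2:]
    size = None
    if modern or perms[0] == "-":            # old format: size only on regular files
        size, rest = int(rest[0]), rest[1:]
    rest = rest[2:]                          # drop date and time
    name, target = " ".join(rest), None
    if perms[0] == "l" and " -> " in name:
        name, target = name.split(" -> ", 1)
    return Entry(name, perms, owner, group, size, target)


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse a pasted listing, skipping prompts, 'total N' and blank lines."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or len(tok[0]) < 10 or tok[0][0] not in "-dlcbps":
            continue
        e = parse_ls_line(line)
        entries[e.name] = e
    return entries


def diff_listings(before: str, after: str) -> dict[str, list[str]]:
    """What changed between two captures of the same directory (same ls flavour).

    missing: present before, gone after (e.g. the su symlink the device reverted)
    new:     absent before, present after
    changed: same name, different mode/owner/group/size/target
    """
    b, a = parse_listing(before), parse_listing(after)
    return {
        "missing": sorted(set(b) - set(a)),
        "new": sorted(set(a) - set(b)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def symlink_commands(listing: str, directory: str) -> list[str]:
    """Emit `ln -s target /dir/name` for every symlink line, in listing order."""
    base = directory.rstrip("/") + "/"
    return [
        f"ln -s {shlex.quote(e.target)} {shlex.quote(base + e.name)}"
        for e in parse_listing(listing).values()
        if e.target is not None
    ]


# Constructed from the /system/xbin captures in the Desire Z post: after adding the
# su symlink, and after the reboot that removed it.
XBIN_BEFORE_REBOOT = """\
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
"""
XBIN_AFTER_REBOOT = """\
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
"""
# Three entries from the Moto G GPE symlink list above; these live in /system/bin.
GPE_BIN_SYMLINKS = """\
lrwxr-xr-x root shell 2013-12-28 13:42 [ -> motobox
lrwxr-xr-x root shell 2013-12-28 13:42 cat -> toolbox
lrwxr-xr-x root shell 2013-12-28 13:42 sh -> mksh
"""

if __name__ == "__main__":
    print(diff_listings(XBIN_BEFORE_REBOOT, XBIN_AFTER_REBOOT))
    print("\n".join(symlink_commands(GPE_BIN_SYMLINKS, "/system/bin")))
```

Capture both sides with the same `ls` (toolbox versus toybox print sizes differently, which would show up as spurious "changed" entries), and feed the `ln -s` output to a shell running on the device or into an updater-script by hand; the names are shell-quoted, which matters for entries like `[`.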
Hi! Is there a way to use 'tar' in order to dump /system folder? Using 'tar' we dump permissions and symlinks. I think root explorer (without root) can 'tar' /system folder.
ffosilva said:
Hi! Is there a way to use 'tar' in order to dump /system folder? Using 'tar' we dump permissions and symlinks. I think root explorer (without root) can 'tar' /system folder.
I'll give it a try.
Sent from my Galaxy Note 3 using Tapatalk
i just made a repack with this using the motorola 4.4 boot.img and it works, same with faux kernel, wifi seems to be the only thing not working
oldblue910 said:
I'll give it a try.
Sent from my Galaxy Note 3 using Tapatalk
Yes! You can dump using Root Explorer / Explorer. Long press on system and click on tar -> use compression. It will create a system.tar.gz file into "sdcard".
https://play.google.com/store/apps/details?id=com.speedsoftware.explorer
Explorer
ffosilva said:
Yes! You can dump using Root Explorer / Explorer. Long press on system and click on tar -> use compression. It will create a system.tar.gz file into "sdcard".
https://play.google.com/store/apps/details?id=com.speedsoftware.explorer
Explorer
I'm doing it in Solid Explorer. I'll upload the tar.gz to Google Drive when it's done.
Sent from my Moto G Google Play Edition using Tapatalk
oldblue910 said:
I'm doing it in Solid Explorer. I'll upload the tar.gz to Google Drive when it's done.
Sent from my Moto G Google Play Edition using Tapatalk
Ugh. Solid Explorer is coming trying to tar the symlinks. I'll try root explorer.
Sent from my Moto G Google Play Edition using Tapatalk
tillaz said:
i just made a repack with this using the motorola 4.4 boot.img and it works, same with faux kernel, wifi seems to be the only thing not working
same here, tried stock, faux and replacing system/lib/modules and still nothing
oldblue910 said:
Ugh. Solid Explorer is coming trying to tar the symlinks. I'll try root explorer.
Sent from my Moto G Google Play Edition using Tapatalk
Solid and Root Explorer both fail when tarring the symlinks.
Sent from my Moto G Google Play Edition using Tapatalk
I got it working will post tomorrow
Sent from my XT1032 using Tapatalk
https://mega.co.nz/#!RRATgYrI!UbJHGzXQscUiV6YDOhA4711lX90sJF0SbRur0QTyuoY
Add that and wifi works...
Sent from my XT1034 using Tapatalk 2
The link is broken. =(
If we can get root on the device we can use the dd command to get the boot IMG and recovery IMG, but now it's just finding root
joemossjr said:
If we can get root on the device we can us the dd if command to get the boot IMG and recovery IMG but now it's just finding root
It's pretty easy to get root from the flashable zip, dont worry
anerik said:
It's pretty easy to get root from the flashable zip, dont worry
Yeah, but flashable zips don't work unless you have a custom recovery. Right now none of the custom recoveries for the Moto G will boot on the GPE variant. After speaking to a1Pha (who built CWM and TWRP for the Moto G), he seems to believe we're going to have to wait for Motorola to drop the kernel source before we can get a booting recovery.
couldn't you use cwm builder and get the recovery.fstab and the graphics.c file and the boot img when we achieve root and build one?
joemossjr said:
couldnt you use cwm builder and get the recovery.fstab and the graphics.c file and the boot img when we achieve root and build one?
Possibly, but achieving root is the hard part on the GPE. We can't dump the kernel, and non-recovery root methods like superboot don't work with the GPE either.
Can we use the bootloader of this gpe on moto not gpe with the purpose to unlock it like nexus way? Someone can try?
denzel09 said:
Can we use the bootloader of this gpe on moto not gpe with the purpose to unlock it like nexus way? Someone can try?
I wouldn't try it if it were me, but I'm sure someone here will be crazy enough to try!
Sent from my Galaxy Note 3 using Tapatalk
josalaito said:
https://mega.co.nz/#!RRATgYrI!UbJHGzXQscUiV6YDOhA4711lX90sJF0SbRur0QTyuoY
Add that and wifi works...
Sent from my XT1034 using Tapatalk 2
what was the files? the links not working

Learning to root my old Galaxy S4

I have an old Samsung Galaxy S4. It's been off the network for a while and its system clock has drifted. However, adb works and I can use the old phone as a sandbox environment to learn about low level Android fundamentals. I would like to learn how to root the phone, ideally without using any apps - I prefer to learn how to compile my own local privilege escalation exploit and run it on my old phone.
adb shell getprop ro.build.version.release
5.0.1
adb shell getprop ro.build.version.sdk
21
dumpstate:
Build: LRX22C.I337UCSGOK3
Build fingerprint: 'samsung/jflteuc/jflteatt:5.0.1/LRX22C/I337UCSGOK3:user/release-keys'
Bootloader: I337UCSGOK3
Radio: mdm
Network: (unknown)
Kernel: Linux version 3.4.0-6185444 ([email protected]) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Wed Nov 30 21:31:59 KST 2016
Command line: console=null androidboot.hardware=qcom user_debug=23 msm_rtb.filter=0x3F ehci-hcd.park=3 [email protected] [email protected] sec_debug.reset_reason=0x1a2b3c00 androidboot.warranty_bit=0 lcd_attached=1 lcd_id=0x418047 androidboot.debug_level=0x4f4c sec_debug.enable=0 sec_debug.enable_user=0 androidboot.cp_debug_level=0x55FF sec_debug.enable_cp_debug=0 cordon=a569d279d878ac52077d6cfb9721d339 connie=SGH-I337_ATT_USA_76d68869445a30d9d8d06ffe689dd803 lpj=67678 loglevel=4 samsung.hardware=SGH-I337 androidboot.emmc_checksum=3 androidboot.warranty_bit=0 androidboot.bootloader=I337UCSGOK3 androidboot.nvdata_backup=0 androidboot.boot_recovery=0 androidboot.check_recovery_condition=0x0 level=0x574f4c44 vmalloc=450m sec_pvs=0 batt_id_value=0 diag=0 androidboot.csb_val=1 androidboot.emmc=true androidboot.serialno=95e836b4 androidboot.baseband=mdm
cat /proc/cpuinfo:
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 13.53
processor : 1
BogoMIPS : 13.53
processor : 2
BogoMIPS : 13.53
processor : 3
BogoMIPS : 13.53
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x51
CPU architecture: 7
CPU variant : 0x1
CPU part : 0x06f
CPU revision : 0
Hardware : SAMSUNG JF
Revision : 000a
Serial : 000095e8000036b4
Android is a ported Linux, hence rooting Android means adding su (read: switch user) functionality, well-known from Linux, to the device's Android. That's all.
Can be achieved with ADB, having a suitable su at hand.
https://forum.xda-developers.com/attachments/su-binaries-zip.5566949/
Do you have source code for that su? I believe it would still require an exploit to escalate privileges, since normally su needs to run with root permissions, and I don't have a way of elevating to root without it.
What you believe is totally wrong: su doesn't need root permissions to run a shell command, su is what in general is called root.
Code:
su -c "<SHELL-COMMAND-HERE>"
Become familiar with Linux shell commands.
I can already run shell commands using adb shell. However, I cannot run privileged commands because the adb shell process does not run with root privileges. Can you please elaborate further?
OMG.
Code:
adb shell
simply opens a remote Android terminal, which doesn't require any elevated privileges per se.
Running shell commands that require elevated privileges (e.g. mount) is achieved as follows
Code:
adb shell "<PATH-OF-SU-BINARY-HERE> -c '<SHELL-COMMAND-HERE>'"
Example:
Code:
adb shell "/data/local/tmp/su -c 'mount -o rw,remount /data'"
The adb shell allows running unprivileged commands but there are numerous things which cannot be done without the root privilege, such as remounting filesystems, changing permissions, accessing directories which require elevated privileges, etc. This is what I am asking about. Am I misunderstanding you - are you trying to say that adb shell can be used by an unprivileged user to run privileged commands?
See my revised post above yours.
@jf80dEf
The Samsung Galaxy S4 variant you have is from AT&T (model number SGH-I337) and it's running the final software release (OK3).
For this model, you need to downgrade to a lower firmware (NB1) and achieve root access by exploiting the vulnerability formally known as CVE-2014-3153. More details can be found here.
Thank you @SkandaH for answering my question! I believe the method you suggest involves using Odin to wipe the phone to make it vulnerable to the towelroot exploit. Reading between the lines, am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
jf80dEf said:
... am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
Yes, that's correct.
Just for fun, I tried that method on a rooted device; it doesn't work for Android 5+.
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
C:\Android>adb devices
List of devices attached
ca1296db7d29 device
C:\Android>adb push su /data/local/tmp
su: 1 file pushed. 0.7 MB/s (75344 bytes in 0.105s)
C:\Android>adb shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 84
drwxrwx--x 2 shell shell 4096 2022-12-27 15:22 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su
cereus:/data/local/tmp $ ./su
"./su": error: Android 5.0 and later only support position-independent executables (-fPIE).
1|cereus:/data/local/tmp $ rm ./su
cereus:/data/local/tmp $ exit
C:\Android>
Copied another su binary from a stock rooted Android TV box (no superuser app required, permissions granted automatically).
Code:
C:\Android>adb push su /data/local/tmp
adb: error: failed to get feature set: more than one device/emulator
C:\Android>adb -s ca1296db7d29 push su /data/local/tmp
su: 1 file pushed. 1.4 MB/s (100068 bytes in 0.070s)
C:\Android>adb shell
error: more than one device/emulator
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ ./su
255|cereus:/data/local/tmp $ ./su --help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
--daemon start the su daemon agent
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-u display the multiuser mode and exit
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
cereus:/data/local/tmp $ ./su --version
16 com.thirdparty.superuser
cereus:/data/local/tmp $
Still it doesn't work from /data/local/tmp, as the uid is 2000 (shell), so I tried from /data/local where the uid is 0 (root),
but I had to use Magisk's /sbin/su for this already.
Code:
cereus:/data/local/tmp $ ls -la /data/local
ls: /data/local: Permission denied
1|cereus:/data/local/tmp $ ls -la /data/local/tmp
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ cp ./su ..
cp: ../su: Permission denied
1|cereus:/data/local/tmp $ which su
/sbin/su
cereus:/data/local/tmp $ /sbin/su -c 'cp ./su ..'
cereus:/data/local/tmp $ cd ..
cereus:/data/local $ ls -la
ls: .: Permission denied
1|cereus:/data/local $ /sbin/su -c 'chmod 6775 ./su'
cereus:/data/local $ /sbin/su -c 'ls -la'
total 120
drwxr-x--x 4 root root 4096 2022-12-27 15:45 .
drwxrwx--x 48 system system 4096 2022-07-24 20:32 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 tmp
drwxrwxrwx 2 shell shell 4096 2022-07-24 14:19 traces
cereus:/data/local $ ./su
255|cereus:/data/local $
Despite the SUID bit being set correctly, it still doesn't work. So I removed the nosuid mount flag from the /data partition and double-checked that SELinux isn't the problem.
Code:
255|cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /data'
cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ ./su
255|cereus:/data/local $ getenforce
Permissive
cereus:/data/local $
Still no way to get the root shell with that su binary; maybe it's prevented from running from /data at all. I decided to try from another partition, but there was no way. Although user 2000 (shell) should at least be able to see the file, that wasn't the case. Magisk mount namespaces are set to global; no idea why the file is invisible in /cache.
Code:
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /cache'
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'cp ./su /cache'
cereus:/data/local $ cd /cache
/system/bin/sh: cd: /cache: Permission denied
2|cereus:/data/local $ /sbin/su -c 'cd /cache'
cereus:/data/local $ /sbin/su -c 'mkdir /cache/tmp'
cereus:/data/local $ /sbin/su -c 'chown 0.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'chown 2000.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 16
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:54 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # cp /cache/su .
cereus:/cache/tmp # chmod 6775 ./su
cereus:/cache/tmp # exit
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # chown -R 0.2000 .
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwxrwxr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'chmod 6775 /cache/tmp/su'
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $
Finally, I even tried from within the Magisk root shell; still the binary throws error 255. As you can see, the su binary has the sticky bit and uid 0 (root).
Code:
127|cereus:/data/local $ /sbin/su
cereus:/data/local # /cache/tmp/su --version
16 com.thirdparty.superuser
cereus:/data/local # /cache/tmp/su
255|cereus:/data/local # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/data/local $
To confirm the binary is working at least, I wanted to install it in /system. Because of systemless root and AVB/dm-verity I can't place the file on the /system partition directly, so I used a Magisk bind mount overlay.
Code:
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /data/adb/modules
cereus:/data/adb/modules # mkdir su_test
cereus:/data/adb/modules # cd su_test/
cereus:/data/adb/modules/su_test # mkdir -p system/xbin
cereus:/data/adb/modules/su_test # cp /cache/tmp/su system/xbin
cereus:/data/adb/modules/su_test # chown -R 0.2000 system
cereus:/data/adb/modules/su_test # chmod 6775 system/xbin/su
cereus:/data/adb/modules/su_test # ls -la system/xbin
total 108
drwxr-xr-x 2 root shell 4096 2022-12-27 16:10 .
drwxr-xr-x 3 root shell 4096 2022-12-27 16:10 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 su
cereus:/data/adb/modules/su_test # echo 'id=su_test' > module.prop
cereus:/data/adb/modules/su_test # echo 'name=su_test' >> module.prop
cereus:/data/adb/modules/su_test # echo 'version=0.0.1' >> module.prop
cereus:/data/adb/modules/su_test # echo 'versionCode=001' >> module.prop
cereus:/data/adb/modules/su_test # echo 'author=aIecxs @ XDA' >> module.prop
cereus:/data/adb/modules/su_test # echo 'description=proof that su binary is "suitable"' >> module.prop
cereus:/data/adb/modules/su_test # cat module.prop
id=su_test
name=su_test
version=0.0.1
versionCode=001
author=aIecxs @ XDA
description=proof that su binary is "suitable"
cereus:/data/adb/modules/su_test # ./system/xbin/su --version
16 com.thirdparty.superuser
cereus:/data/adb/modules/su_test # exit
cereus:/data/local $ exit
C:\Android>
After installing the Magisk module, I rebooted the phone and confirmed that the su binary works when run from /system.
Code:
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ which su
/sbin/su
cereus:/ $ ls -l /system/xbin/su
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 /system/xbin/su
cereus:/ $ /system/xbin/su --version
16 com.thirdparty.superuser
cereus:/ $ /system/xbin/su
cereus:/ #
(note the /sbin/su binary is Magisk while the /system/xbin/su binary is the file copied from android tv box)
As adb root cannot work on a stock Android device (user/release-keys build), there is no way to use the chown command. Because it is impossible to place the file into /system, or any other proper location whose directory owner is 0 (root), from adb, it's not possible to get a root shell from adb.
Conclusion: an additional exploit (like mtk-su) is required to achieve this.
Edit: fun fact. Magisk complains about the foreign su binary that is provided by the Magisk module xD
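A host-side pre-flight for the experiment above, as an added example (not code from the post, from Magisk, or from any su project): before pushing a su binary and hunting for the reason it exits with 255, check the things the captures show getting in the way, namely the `-fPIE` loader error (on Android 5.0+ the ELF `e_type` must be `ET_DYN`), the `nosuid` option on /data in /proc/mounts (the kernel ignores setuid bits on such a mount), the file owner (setuid on a file owned by uid 2000 switches to shell, not root) and the SELinux mode. Inputs are the first 20 bytes of the binary, its `ls -l` line, a `/proc/mounts` capture and the `getenforce` output, all of which `adb shell` can fetch. The sample values are constructed from the captures in the post; the ELF headers are synthetic 32-bit little-endian ARM headers, one `ET_EXEC` and one `ET_DYN`. A clean result is necessary, not sufficient: the second binary in the post sat in a root-owned location on a suid-enabled mount with SELinux permissive and still returned 255, and what that binary expects from its `--daemon` mode or from Superuser.apk is outside anything this check can see.

```python
"""Pre-flight checks for a pushed setuid su, run on the host against adb output (added example)."""
from __future__ import annotations

import struct

ET_EXEC, ET_DYN = 2, 3
EM_NAMES = {3: "x86", 40: "arm", 62: "x86_64", 183: "aarch64"}


def elf_info(header: bytes) -> dict:
    """Decode class, endianness, e_type and e_machine from the first 20 bytes of an ELF file.

    Android 5.0+ only execs ET_DYN (PIE) binaries; an ET_EXEC su dies with the
    "-fPIE" linker error shown above before any setuid logic runs.
    """
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    bits = {1: 32, 2: 64}[header[4]]        # EI_CLASS
    endian = {1: "<", 2: ">"}[header[5]]     # EI_DATA selects the byte order of e_type/e_machine
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {"bits": bits, "type": e_type, "pie": e_type == ET_DYN,
            "machine": EM_NAMES.get(e_machine, f"EM_{e_machine}")}


def mount_for(path: str, proc_mounts: str) -> tuple[str, set[str]]:
    """Longest-prefix match of `path` against a /proc/mounts capture -> (mountpoint, options)."""
    best_mp, best_opts = "", set()
    for line in proc_mounts.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        mp, opts = f[1], set(f[3].split(","))
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best_mp):
            best_mp, best_opts = mp, opts
    return best_mp, best_opts


def su_preflight(path: str, ls_line: str, proc_mounts: str,
                 getenforce: str, elf_header: bytes) -> list[str]:
    """List the reasons a setuid su at `path` will not hand uid 0 to the adb shell user."""
    findings = []
    tok = ls_line.split()
    perms = tok[0]
    owner = tok[2] if tok[1].isdigit() else tok[1]   # toybox prints a link count, old toolbox does not
    if owner != "root":
        findings.append(f"owned by {owner}: setuid switches to the file owner, not to root")
    if perms[3] == "S":
        findings.append("setuid bit set but owner execute bit missing")
    elif perms[3] != "s":
        findings.append("no setuid bit")
    mp, opts = mount_for(path, proc_mounts)
    if "nosuid" in opts:
        findings.append(f"{mp} is mounted nosuid: the kernel ignores setuid bits there")
    info = elf_info(elf_header)
    if not info["pie"]:
        findings.append(f"ET_EXEC ({info['machine']}, {info['bits']}-bit): Android 5.0+ only loads PIE")
    if getenforce.strip() == "Enforcing":
        findings.append("SELinux enforcing: without a policy transition the process keeps the "
                        "shell domain, so uid 0 alone does not give root's access")
    return findings


# Constructed from the captures above: the first binary pushed to /data/local/tmp on "cereus".
LS_TMP_SU = "-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su"
PROC_MOUNTS = ("/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,"
               "resuid=10010,resgid=1065,errors=panic,data=ordered 0 0\n")
# Synthetic headers: 32-bit little-endian, EM_ARM (40); ET_EXEC mimics the non-PIE build.
NON_PIE_ARM = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", ET_EXEC, 40)
PIE_ARM = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", ET_DYN, 40)

if __name__ == "__main__":
    for reason in su_preflight("/data/local/tmp/su", LS_TMP_SU, PROC_MOUNTS, "Permissive", NON_PIE_ARM):
        print("-", reason)
```

On a real device the inputs come from `adb shell ls -l PATH`, `adb shell cat /proc/mounts`, `adb shell getenforce` and the first 20 bytes of the local binary; note that `su_preflight` reads the mode and owner from the `ls -l` line, so it has to be a line for the file itself, not for its directory.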
