0-day for Mi A1 and more - Xiaomi Mi A1 Guides, News, & Discussion

Hi, a couple of days ago ArsTechnica reported a 0-day vulnerability with a fully disclosed PoC for root privilege escalation on MiA1 devices and more... I was wondering if it could be used to create a gcam activator without all the hassles of temporary rooting and rebooting with the volume key and never booting into recovery again unless you want a data wipe. Is there anyone with the required skills to try this out?

Found this today:
https://arstechnica.com/information-technology/2019/10/attackers-exploit-0day-vulnerability-that-gives-full-control-of-android-phones/
Should A1 owners be worried?

I think it can be patched in a custom kernel, if it isn't already.

Niyix said:
I think it can be patched in a custom kernel, if it isn't already.
I'm not worried about the vulnerability (it will get patched, eventually) - quite the opposite! I think that it could be extremely handy to enable the Camera2 API without having to root with TWRP/tools and risking a device wipe. I can't post the actual exploit proof of concept because I'm a new user here, but the code is reachable from the project zero bug report. Running a process with root privileges would make writing the extra props in the build.properties file way easier. Of course I'm not an Android dev and I could be wrong in many ways... that's why I was asking here.

If you are on Pie, you are safe.
The original bug entry states that it affects Oreo:
...
Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):
1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
...

Related

[KERNEL][MIUI] PWn3R-K3RN3L GLOBAL SafetyNet Bypass Updated: 3/17/2020

I started working on this almost 8 months ago. Originally (and possibly at some point in the future) my goal was to provide a slightly modified kernel from the source code Xiaomi releases on Github for MIUI that is modified to allow CN or other hardware to boot with the Global ROM and pass a SafetyNet check. Ultimately, I had given up on this endeavor because I was able to accomplish that using the Magisk module I created and posted here. Due to needing to have a device that was not rooted (running it for work with both personal and work SIM, and Airwatch detects Magisk no matter what I do), I came full circle.
Due to a design decision made by Google, I have found it is possible to make the androidboot.verifiedbootstate show up in a manner that is perceived by Google as "green" without triggering the bootloop code that is included in the system services that Xiaomi is running. To that end, I am posting an AnyKernel3 file here with the stock Global 10.3.2.0 ROM kernel, configured in such a manner as to bypass SafetyNet checks.
I only have one device to test this with, so hopefully it works for you too.
Edit: The patcher version should work on most versions of anything MIUI. It does not contain a kernel, it simply patches the CMDLINE to make it pass SafetyNet.
Standard Disclaimer: I have tested this, and it's a stock kernel, just with modifications to the kernel boot cmdline. I am not responsible if your device bursts into flames, fails to alarm clock and you are late for work, sends inflammatory SMS messages to Kim Jun Un, etc.
Patcher V2: Updated with AnyKernel3 changes:
Download V2
NOTE: I was not able to get my device to allow Google Pay with this. I believe Google is doing even more stringent checking now. If others want to test and report back, please do. This sets androidboot.verifiedbootstate=green now, and sets the ro.boot.hwc to GLOBAL and ro.boot.hwcountry to GLOBAL to avoid the bootloop in Xiaomi's services.
Generalized version:
Download Patcher
10.3.2.0 Specific:
Download
Edit: I was just messaged via Github by someone from Xiaomi that they are aware the source no longer works. They provided patches that *should* fix it. If that ends up working out, my intent is to provide a compiled from source version, possibly with some optimizations, and certainly using Linaro.
The patcher version linked above does not contain a kernel image. It just patches the cmdline and should work on all Xiaomi ROMs, at least for the Mix 3. I have not tested it outside of the global ROM. I spent about 25 hours in the last two weeks working to try to backport the patches that were suggested as fixes to get the kernel to boot, but it is not done yet.
Updated Patcher above. I believe the new attestation API changes are stopping anything like this from working.
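Added example, not the patcher from the post (which is only available through the downloads above): what "patching the CMDLINE" of a stock boot image amounts to, written in Python against the v0-v2 Android boot image header, where the 512-byte cmdline field sits at offset 64 and the header version at offset 40. The sample image, its page size and its original cmdline are constructed for the demo; the parameter names are the ones the post uses (androidboot.verifiedbootstate, androidboot.hwc and androidboot.hwcountry, which init exposes as ro.boot.*).

```python
import struct
import sys

BOOT_MAGIC = b"ANDROID!"
PAGE_SIZE_OFF = 36
HDR_VERSION_OFF = 40            # "unused" in v0, header_version in v1/v2
CMDLINE_OFF, CMDLINE_LEN = 64, 512   # boot_img_hdr v0-v2; the 1024-byte
                                     # extra_cmdline at offset 608 is left alone


def read_cmdline(img):
    """Return the kernel command line stored in a v0-v2 boot image header."""
    if img[:len(BOOT_MAGIC)] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    version = struct.unpack_from("<I", img, HDR_VERSION_OFF)[0]
    if version > 2:
        raise ValueError(f"header v{version}: cmdline lives at a different offset")
    raw = img[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN]
    return raw.split(b"\0", 1)[0].decode("ascii")


def set_params(cmdline, params):
    """Replace key=value tokens already present, append the rest, keep order."""
    out, seen = [], set()
    for tok in cmdline.split():
        key, sep, _ = tok.partition("=")
        if sep and key in params:
            out.append(f"{key}={params[key]}")
            seen.add(key)
        else:
            out.append(tok)
    out.extend(f"{k}={v}" for k, v in params.items() if k not in seen)
    return " ".join(out)


def patch_cmdline(img, params):
    """Return a copy of img with only the header cmdline rewritten."""
    new = set_params(read_cmdline(img), params).encode("ascii")
    if len(new) >= CMDLINE_LEN:          # leave room for the NUL terminator
        raise ValueError("patched cmdline does not fit the 512-byte header field")
    buf = bytearray(img)
    buf[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN] = new.ljust(CMDLINE_LEN, b"\0")
    return bytes(buf)


# What the thread's patcher sets: boot state "green" plus the GLOBAL hardware
# country tags that keep Xiaomi's services from boot-looping on a CN unit.
SAFETYNET_PARAMS = {
    "androidboot.verifiedbootstate": "green",
    "androidboot.hwc": "GLOBAL",
    "androidboot.hwcountry": "GLOBAL",
}


def make_sample_image():
    """Constructed header-only v0 image (no kernel or ramdisk) for the demo."""
    page_size = 2048
    img = bytearray(page_size)
    img[:8] = BOOT_MAGIC
    struct.pack_into("<I", img, PAGE_SIZE_OFF, page_size)
    cmd = b"console=ttyMSM0,115200n8 androidboot.verifiedbootstate=orange androidboot.hwc=CN"
    img[CMDLINE_OFF:CMDLINE_OFF + len(cmd)] = cmd
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:               # usage: patch_cmdline.py boot.img out.img
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_cmdline(data, SAFETYNET_PARAMS))
    else:
        sample = make_sample_image()
        print("before:", read_cmdline(sample))
        print("after: ", read_cmdline(patch_cmdline(sample, SAFETYNET_PARAMS)))
```

Two things to check before relying on this: the patched image no longer matches its verified-boot hash, so it only boots on an unlocked bootloader, and the bootloader adds its own androidboot.verifiedbootstate to the command line at boot, so compare /proc/cmdline after flashing rather than assuming the header value won. Hardware-backed attestation, which the post says now defeats this, gets the boot state from the bootloader through keymaster, not from this property.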
Does it support MIUI 12 EU now?
Thanks.

HELP ME ROOT !!!!

sorry if you felt I'm shouting in the title. I want to root my Lenovo K33a42, Android 7.0 (yes an old phone). I tried to root using KingRoot, KingoRoot, FramaRoot, Root Master (including PC versions) and none of them were able to root my phone. I seriously want to root my phone and I don't wanna risk bricking it as it's my primary. I know the method of Flashing TWRP and then flashing Magisk or SuperSU, but I'm scared of bricking. is there any better method to root my phone?
DamnBro304 said:
sorry if you felt I'm shouting in the title. I want to root my Lenovo K33a42, Android 7.0 (yes an old phone). I tried to root using KingRoot, KingoRoot, FramaRoot, Root Master (including PC versions) and none of them were able to root my phone. I seriously want to root my phone and I don't wanna risk bricking it as it's my primary. I know the method of Flashing TWRP and then flashing Magisk or SuperSU, but I'm scared of bricking. is there any better method to root my phone?
Well, always do everything with extra care. I could not assure that you will not brick your device.
Your phone is Lenovo K6 power.
Also, I recommend updating to a newer android version as android 7 is already too outdated and not safe to use. An example is this, which you can also flash in TWRP (wipe before installing)
[ROM][11.0.0_r19]LineageOS 18.1 for Lenovo K6 Power
LineageOS is a free, community-built, aftermarket firmware distribution of Android 6, which is designed to increase performance and reliability over stock Android for your device. LineageOS is based on the Android Open Source Project with extra...
forum.xda-developers.com
If you want to know why one click root apps don't work: those apps highly depend on a bug occurring on Android 4.0 to Android 6.0. Android 7 has this 'issue', or exploit, patched, so one click root apps died instantly.
@DamnBro304
No Magisk, TWRP, SuperSU, etc. is needed to root a phone that has Android 5 or higher running.
Because your device's Android is version 7, to get the superuser access to be able to control various aspects of the Android OS you need to perform a certain modification that will root your phone's Android.
Here is what you have to do to root your device's Android: replace Android's Toybox binary, which is a restricted version by default, with the unrestricted Toybox v0.8.5. This can be achieved by means of ADB.
Toybox v0.8.5 is available here:
Index of /toybox/bin
jwoegerbauer said:
@DamnBro304
No Magisk, TWRP, SuperSU, etc. is needed to root a phone that has Android 5 or higher running.
Because your device's Android is version 7, to get the superuser access to be able to control various aspects of the Android OS you need to perform a certain modification that will root your phone's Android.
Here is what you have to do to root your device's Android: replace Android's Toybox binary, which is a restricted version by default, with the unrestricted Toybox v0.8.5. This can be achieved by means of ADB.
Toybox v0.8.5 is available here:
Index of /toybox/bin
Thanks for your quick reply, but I'm still kinda new to this flashing and stuff, so can you give me the exact commands to root my phone? And I see there are many options for downloading toybox in the link you gave me; I don't know which one I need, so can you help me out with that too?
LR7875 said:
Well, always do everything with extra care. I could not assure that you will not brick your device.
Your phone is Lenovo K6 power.
Also, I recommend updating to a newer android version as android 7 is already too outdated and not safe to use. An example is this, which you can also flash in TWRP (wipe before installing)
[ROM][11.0.0_r19]LineageOS 18.1 for Lenovo K6 Power
LineageOS is a free, community-built, aftermarket firmware distribution of Android 6, which is designed to increase performance and reliability over stock Android for your device. LineageOS is based on the Android Open Source Project with extra...
forum.xda-developers.com
If you want to know why one click root apps don't work: those apps highly depend on a bug occurring on Android 4.0 to Android 6.0. Android 7 has this 'issue', or exploit, patched, so one click root apps died instantly.
As I said in my previous reply, I am new to this stuff, and I see that the LineageOS is of Android 6 and had a doubt. Will flashing that ROM give me root access without doing anything else?
DamnBro304 said:
As I said in my previous reply, I am new to this stuff, and I see that the LineageOS is of Android 6 and had a doubt. Will flashing that ROM give me root access without doing anything else?
Ah **** posted wrong link, this is the right one:
[UNOFFICIAL][9.0.0_r46] Pixel Experience - Plus [karate]
PixelExperience Plus for Lenovo K6 Power(karate) What is this? Pixel Experience is an AOSP based ROM, with Google apps included and all Pixel goodies (launcher, wallpapers, icons, fonts, bootanimation) Our mission is to offer the maximum...
forum.xda-developers.com
You need to flash magisk.
jwoegerbauer said:
@DamnBro304
No Magisk, TWRP, SuperSU, etc. is needed to root a phone that has Android 5 or higher running.
Because your device's Android is version 7, to get the superuser access to be able to control various aspects of the Android OS you need to perform a certain modification that will root your phone's Android.
Here is what you have to do to root your device's Android: replace Android's Toybox binary, which is a restricted version by default, with the unrestricted Toybox v0.8.5. This can be achieved by means of ADB.
Toybox v0.8.5 is available here:
Index of /toybox/bin
Well how? Not heard about that, can you please elaborate? Thanks.
IMO out of scope of this thread; it would require a separate thread everyone on XDA can make use of.
Maybe I'll create one, stay tuned ...
LR7875 said:
Ah **** posted wrong link, this is the right one:
[UNOFFICIAL][9.0.0_r46] Pixel Experience - Plus [karate]
PixelExperience Plus for Lenovo K6 Power(karate) What is this? Pixel Experience is an AOSP based ROM, with Google apps included and all Pixel goodies (launcher, wallpapers, icons, fonts, bootanimation) Our mission is to offer the maximum...
forum.xda-developers.com
You need to flash magisk.
Well how? Not heard about that, can you please elaborate? Thanks.
Thank you very very very much. Now what I have to do is just extract the boot.img from this OS and then patch it with Magisk and then flash this OS, right? Correct me if I'm wrong because I don't at all wanna brick this phone, and please mention the FULL method if I'm wrong; I'm too new to this stuff. I will forever be indebted to you.
DamnBro304 said:
Thank you very very very much. Now what I have to do is just extract the boot.img from this OS and then patch it with Magisk and then flash this, right? Correct me if I'm wrong because I don't at all wanna brick this phone, and please mention the FULL method if I'm wrong; I'm too new to this stuff. I will forever be indebted to you.
yes.
LR7875 said:
yes.
ok cool cool cool cool cool cool cool cool cool cool so this will get 3 advantages. I will get root + android 9 + Pixel Experience very noice thanks man ily

How to apply Android Security Patches to a Custom Rom?

Hi everyone,
I've used Android-based custom roms for years on many of my devices. Now, I am only able to find one old Lineage OS 14 build for a rare, old tablet that I have.
The Android version is not a huge issue, as many Apps still support 7 and lower and the system itself runs reasonably well. However, the latest security patches are still from 2018.
The way I understand it, Google/AOSP publishes some sort of security update packages in regular intervals.
Is there an easy way to apply those patches to the rom that I have? Reinstalling the system is no problem and I can do some simple troubleshooting, but I'm probably not able to recompile the entire build, if that is necessary.
Unfortunately, since every custom rom has some "Security update" info, it's extremely hard to find any explanations of how to actually apply those patches, at least I couldn't find any.
Feel free to just send me a link if there is any sort of guide on how to accomplish this.
Thanks a lot!
NovusDeus said:
Hi everyone,
I've used Android-based custom roms for years on many of my devices. Now, I am only able to find one old Lineage OS 14 build for a rare, old tablet that I have.
The Android version is not a huge issue, as many Apps still support 7 and lower and the system itself runs reasonably well. However, the latest security patches are still from 2018.
The way I understand it, Google/AOSP publishes some sort of security update packages in regular intervals.
Is there an easy way to apply those patches to the rom that I have? Reinstalling the system is no problem and I can do some simple troubleshooting, but I'm probably not able to recompile the entire build, if that is necessary.
Unfortunately, since every custom rom has some "Security update" info, it's extremely hard to find any explanations of how to actually apply those patches, at least I couldn't find any.
Feel free to just send me a link if there is any sort of guide on how to accomplish this.
Thanks a lot!
You have two problems here.
First: Google does NOT publish security patches for every Android version forever. After some time (3 years, I think) that version is deprecated and does not get patches from Google.
Second: those patches are not in form of a "ready-to-install" software. They are source code patches. You can see them as something like _r67 after the Android Version. So you or someone else must build them.
For a recent, supported ROM like LineageOS 18.1 the ROM developer does this for you. You get it when you update Lineage.
For Android 7, which was deprecated long ago, someone has to port this patch. It's not possible for every patch, and if it is possible, nobody does it because it's a lot of work.
Short version: if there is no ROM based on Android 10 or 11 for your device you have to live without patches :-(
Hope that helps.
Well, yes and no.
But thanks for clarifying. I hoped there was a way to install those easily.
Do you happen to know if, hypothetically, I even had any chance to patch my rom with just the flashable zip or am I missing some crucial source files?
You can download the sources of Lineage OS 14, patch them, compile them, install them and you have all the security fixes.
As said. This is a lot of work and requires good amount of knowledge. With that time and energy you could port Lineage OS 17 for your tablet instead.

General (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bootloader unlock on NA Samsung S22?)

Devices & Linux Versions I or other Testers have Successfully Gained Root on:
(Likely All) MTK CPU Based Android devices UP TO 11 (Maybe 12? I haven't tested) (I.e LG, Sony, Select Samsung devices)
Android Devices with LINUX KERNEL VERSIONS - 5.8 - 4.14 - Maybe More? (Needs Testing)
-THIS GUIDE IS NOT BEGINNER FRIENDLY - BASIC UNDERSTANDING OF PYTHON, UNIX/LINUX ETC WILL BE REQUIRED!-
If you have been holding off updating your device, well here's some good news, your device may still be vulnerable to a method to gain root access (and subsequently, possibly the ability to edit Build.prop and therefore allow the ability for OEM unlocking on USA based devices.) <- correct me if I'm wrong, but this should be possible, and once done, should persist across updates, correct?
As of the time of writing this, there is not currently a simplified APK method, but, still this process is relatively straight forward.
A lot of the methods used HAVE been patched from what I understand, but there have got to be plenty of devices out there still which are not updated. This project aims to compile all current, former and future Root methods into an APK that will do all the leg-work. If it's able to find a working method, the GUI will pop a root shell for the end user. This SHOULD work, regardless of the setting of the "OEM UNLOCK" option in the dev options. A bypass, essentially.
Regardless, The project linked below uses a myriad of known exploits & vulnerabilities and looks to find one that will work.
Methods used are:
Nearly all of GTFOBins
Writeable docker.sock
CVE-2022-0847 (Dirty pipe)
CVE-2021-4034 (pwnkit)
CVE-2021-3560
It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More methods to root will be added over time too.
There is also an alternative (Dirty Pipe) injection method that uses @topjohnwu 's Magisk; this should be implemented into the apk. See this Github repo, Here.
I would imagine this could be implemented in a way to target devices that have stopped being supported for updates as well, that do not have TWRP, such as the SM-T307U.
One big note - I am betting there are still A LOT of devices that are in inventory at retailers that remain on the vulnerable OS. So keeping that in mind, I'd say this is worth building.
What needs to be done:
TESTING!
Build APK - HELP NEEDED WITH THIS!
Deploy
Main Goals:
Get bootloader unlock ability for devices normally not unlockable (I.e North American Samsung Galaxy S22, Etc)
Above can be achieved by getting temp root via methods detailed here or otherwise, then editing build.prop, altering the below settings (The settings may be worded differently or simply not present at all, depending on device and Firmware version):
sys.oem_unlocking_allowed to 1
ro.oem_unlock_supported to 1 (most devices are set to 1 by default.)
ro.boot.flash.locked to 0
ro.secure to 0
ro.debuggable to 1
I think there may be one or two more that pertain to Flash.locked. I.e. flash.locked.other--or something very close.
Locally, gain temp root (System preferred, but any root will do.) on as many device types as possible.
Give device control back to end user.
Stay up-to-date on new exploits for root access & update apk accordingly.
STAY ETHICAL!!!! This is, in the end, a research project. Meaning all work performed in the context of this project could result in a damaged or bricked device. By participating in this project you acknowledge these risks and accept them, and agree to not hold me, XDA, or anyone else responsible if you do some dumb ****. - k0mraid3
Github Project link: HERE for my fork & HERE for the original project.
My fork will incorporate the original project, as well as other found root access methods, such as the magisk injection method mentioned above - my repo is mainly used as a hub for the APK's dev - i don't have enough time to work on it at the moment but all are welcome to help.
July 15th 2022 (UPDATE) (SAMSUNG DEVICES ONLY): A new Escalation method has been found via the Galaxy app store (Versions BEFORE Galaxy Store 4.5.41.8). No details known yet, but it is said to be very easy. See CVE-2022-33708 (July132022). Unknown if downgrading the app to 4.5.0.0 will enable the method again or not.
Cred: liamg
One method to run Traitor on device - Thanks @DevinDking for sharing this.
Steps to get the script on the phone:
#!/bin/sh
set -e
dir=/data/local/tmp
adb=${adb:-"adb"}
# Puts the binary on the phone; run this from the directory where traitor is located
$adb push traitor ${dir}
$adb shell chmod 755 ${dir}/traitor
Now to run the script, start a new terminal:
#!/bin/sh
set -e
dir=/data/local/tmp
adb=${adb:-"adb"}
# Runs traitor on the phone over adb (not on the host)
$adb shell ${dir}/traitor
But I assume this wouldn't work right, and isn't right.
Idk trying my best here xD
Tools & References:
Linux (and Android, FTMP) Privilege Escalation Techniques
Dirty Pipe - Magisk Injection
Traitor - Main Repo
GTFOBins
CVE Database (Public Database for exploits, vulnerabilities, etc.)
Windows Subsystem For Linux (Great for Dev)
ADB App Control - Cred @Cyber.Cat
Leaked Samsung Source Code ***Mod Edit: Link Removed***
Crontab Root Template script (File Attached - you still must edit crontab with "crontab -e" and point it to this file, see comments for guide, I will add one to post later)
Android Image Kitchen Used to create custom image's etc.
MTK Client
MTK Meta Utility (Source-???)
Will add more as time goes on and more found.
Interesting Attack vectors -
GFX Components of a system.
Issues with Linux itself (i.e Dirty Pipe)
Privilege escalation via any means (I.e GTFOBins)
unprotected system process - Hijack them if possible (i.e RILService Mode, and a wide range of other OEM apps left on devices after ship)
7/24/22 - Samsung, LG & Other OEMs obfuscating (Intentionally Hiding) Fastboot and ADB Bootloader interfaces on PC
So over the last week or so I dived head first into USB Dev - I'll save you the time and sum it up.
Vendors and OEMs are actively obfuscating the USB connection between your smartphone and the PC to keep you from Rooting. As far as I'm aware, there is no Universal way to fix this as each OEM screws with the USB drivers differently. THIS needs to be a point of focus for the rooting community. However, I have found a few tools for Dev if you wish to screw with this. (I'll upload them tonight)
7/24/22 - MTK (MediaTek) based Exploits
I will try to compile a few methods for FORCING Bootloader Unlock on MTK based Devices as well as a way for manipulating said devices. I will attach two tools to this thread; these tools are EXTREMELY POWERFUL and can completely **** up your device. When I say REALLY F*CK UP your device, I mean to the point you can't even access recovery, Download OR bootloader mode. I'm Talking a blank DEAD device. So use with caution.
With that said, let's talk about the tools. You will need a basic understanding of Python to make use of MTK Client
First up, we have MTK Meta Utility (Currently Version 44) (Download Below)
Next we have MTK Client (Github Link)
So what can you do? Well, you can crash the Preloader to Brom with MTK Meta Utility while at the same time using MTK Client to send any payload you like to the device via Fastboot.
I know, vague right now, but I'll add detail over the coming days.
I will continue to update the below list as new methods are discovered.
If you find Guides, tutorials or new exploits, please link them in the comments so I can include them in future development!
Telegram Channel: Here.
Information on Vulnerabilities, exploits & methods - CVE-2022-0847 (Jfrog) - The Story Of "Dirty Pipe" - XDA - Dirty Pipe - PWNKIT (CVE-2021-4034) - CVE-2021-3560 - Docker Breakout / Privilege Escalation - CVE-2022-33708 (July132022) - CVE-2022-33701 (July122022) - CVE-2022-22268 (Unlock Knox Guard with DEX) (JAN2022) - MTK Client -
Dev Team & credit to -
@topjohnwu - LiamG - @wr3cckl3ss1 - bkerler -
UPDATED - 7/29/22
There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running a 5.10 kernel.
Don't update... destroyer of worlds
I feel like I'm missing something, because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
olivehue512 said:
I feel like I'm missing something, because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
Lol, everybody already updated the patch
blackhawk said:
Lol, everybody already updated the patch
This is just sad panda. I'm gonna skip next update anyways unless it comes with an actual other phone that is BL unlocked. I feel like everyone wants this so bad it can't be that far out before it happens.
Does the Magisk injection method work after July patch? I was reading through the work they did to get it done. Props to those guys.
sierratango88 said:
There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running a 5.10 kernel.
Has it got a fancy number yet?! Eager to try this!!!! Maybe it can be put in with the others.
olivehue512 said:
I feel like I'm missing something, because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
Well, because they are known and accepted vulnerabilities and exploits. A very few have even been marked as "WONTFIX" such as the TTY method.
olivehue512 said:
This is just sad panda. I'm gonna skip next update anyways unless it comes with an actual other phone that is BL unlocked. I feel like everyone wants this so bad it can't be that far out before it happens.
Does the Magisk injection method work after July patch? I was reading through the work they did to get it done. Props to those guys.
Honestly, it's worth a shot but I doubt it.
One of the goals behind building the APK compilation of all these different tactics is to enable the end user to "give it a shot" easily on different devices, without having to know how to run all of this manually. Basically imagine an apk that just tries all the above methods and if ones successful the gui will pop a root shell open. From there, the possibilities are endless. Edit Build.prop, SELinux, Verity, Etc.
FYI, even if you applied the July update, it seems like the kernel version is still from June 21st and is still 5.10.xxx, so we could still benefit from this exploit. Very interested in how we can get root here in the US.
K0mraid3 said:
Has it got a fancy number yet?! Eager to try this!!!! Maybe it can be put in with the others.
There hasn't been a CVE assigned to it yet that I am aware of.
xgerryx said:
FYI, even if you applied the July update, it seems like the kernel version is still from June 21st and is still 5.10.xxx, so we could still benefit from this exploit. Very interested in how we can get root here in the US.
Go to the Github linked and try the different methods, see if you can pop a root and nano build.prop to allow OEM unlocking?
sierratango88 said:
There hasn't been a CVE assigned to it yet that I am aware of.
GREAT news for us! Let's get this temp root! lol
Looks like another new one! CVE-2022-33708
Another Samsung Exclusive - CVE-2022-33701
So, I've just spent my entire Friday and Friday night MANUALLY testing all the GTFOBins & reproducing some of the newer CVEs on Samsung Galaxy S7 Edge (Android 9), Galaxy Tab A 8.4 (Android 11), Galaxy S21 & S22 (Android 12) --- A little bit of progress made. Again, I'll need someone with better working knowledge of APKs & Java to really move forward. All I can say so far is this all must be awk for sammie, because cronie is looking promising
"crontab -e"
Interesting find. Not "new", but still new-ish enough that some may be able to use it. CVE-2022-22268 (Unlock Knox Guard with DEX)
New to this all but not rooting. Anyone recommend a tutorial on how to try these methods on Win 11?
I don't have a deep understanding of Linux. I have tried Debian and Ubuntu. I get traitor to run, but it's detecting the Linux kernel and not my phone's. How can I get the program to search for vulnerabilities on my phone, not my Linux? I would love a more in-depth guide and I'd love to give feedback on methods.
DevinDking said:
I don't have a deep understanding of Linux. I have tried Debian and Ubuntu. I get traitor to run, but it's detecting the Linux kernel and not my phone's. How can I get the program to search for vulnerabilities on my phone, not my Linux? I would love a more in-depth guide and I'd love to give feedback on methods.
I had the same issue but can't remember how I worked that out. Let me see if I can find out what I did on Win11.
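Added example, not part of the thread and not part of Traitor: a triage script that reads the kernel version from the phone over adb (running Traitor on the PC reports the host kernel, which is the problem described in the posts above) and checks it against the Dirty Pipe (CVE-2022-0847) range, which upstream runs from 5.8 up to the fixes in 5.10.102, 5.15.25 and 5.16.11; the 5.8 through 5.14 series in between were end-of-life and never received the fix. The uname strings below are constructed samples in the shape Android and desktop kernels report them.

```python
import re
import subprocess

# Upstream Dirty Pipe range: introduced in 5.8, fixed in the stable releases
# listed here. Series between 5.8 and 5.16 without an entry were EOL, unfixed.
FIRST_AFFECTED_SERIES = (5, 8)
LAST_AFFECTED_SERIES = (5, 16)
FIXED_IN = {(5, 16): 11, (5, 15): 25, (5, 10): 102}


def parse_kernel_version(uname_r):
    """'5.10.81-android12-9-00001-g...' -> (5, 10, 81); raises on garbage."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_dirty_pipe_range(uname_r):
    """True if the version number alone says the kernel is unpatched upstream."""
    major, minor, patch = parse_kernel_version(uname_r)
    series = (major, minor)
    if series < FIRST_AFFECTED_SERIES or series > LAST_AFFECTED_SERIES:
        return False
    fixed_patch = FIXED_IN.get(series)
    return fixed_patch is None or patch < fixed_patch


def triage(uname_r):
    """Verdict plus the caveat every vendor kernel needs."""
    version = ".".join(map(str, parse_kernel_version(uname_r)))
    if in_dirty_pipe_range(uname_r):
        return (f"{version}: inside the Dirty Pipe range (a vendor may have "
                f"backported the fix without bumping the version; confirm before relying on it)")
    return f"{version}: outside the Dirty Pipe range"


def device_kernel_version(adb="adb"):
    """Ask the phone, not the host: `adb shell uname -r` over USB debugging."""
    return subprocess.check_output([adb, "shell", "uname", "-r"], text=True).strip()


# Constructed sample strings (not real devices)
SAMPLES = [
    "5.10.81-android12-9-00001-g1a2b3c4d5e6f-ab8765432",   # GKI build before 5.10.102
    "5.10.107-android12-9-00001-g1a2b3c4d5e6f-ab8765433",  # GKI build after the fix
    "4.14.190-perf+",                                      # older vendor kernel, never affected
    "5.13.19-generic",                                     # EOL series, never fixed
    "5.17.1",                                              # released with the fix
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
    try:
        print("device:", triage(device_kernel_version()))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("no device reachable over adb:", exc)
```

The version check is only a first filter: Android vendors merge LTS fixes on their own schedule and sometimes cherry-pick the patch without the version bump, so a "vulnerable" verdict here means "worth testing", not "exploitable".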

Can You Get Root With A MITM Attack?

I have a Samsung A535w which doesn't have OEM unlock enabled so I can't unlock the bootloader and thus I can't get Root.
Is it possible to use a man in the middle attack to hijack an update to enable the option?
Alternatively, can I install a rootkit to do a similar thing?
Are either of these even theoretically possible?
I read about rootkits coming from apps in the PlayStore all the time.
Does the bootloader need to be unlocked to do this?
Ignore the implicit dangers of this and assume that I am going to craft the attack updates myself.
opticyclic said:
I have a Samsung A535w which doesn't have OEM unlock enabled so I can't unlock the bootloader and thus I can't get Root.
Is it possible to use a man in the middle attack to hijack an update to enable the option?
Alternatively, can I install a rootkit to do a similar thing?
Are either of these even theoretically possible?
I read about rootkits coming from apps in the PlayStore all the time.
Does the bootloader need to be unlocked to do this?
Ignore the implicit dangers of this and assume that I am going to craft the attack updates myself.
Hello, I cannot find any info on this device. Is the processor MTK, Qcom, or Exynos?
To root a phone's Android it's never needed to unlock phone's bootloader: this is a fairy tale which is told hundreds of times here and elsewhere.
opticyclic said:
I have a Samsung A535w which doesn't have OEM unlock enabled so I can't unlock the bootloader and thus I can't get Root.
Is it possible to use a man in the middle attack to hijack an update to enable the option?
Alternatively, can I install a rootkit to do a similar thing?
Are either of these even theoretically possible?
I read about rootkits coming from apps in the PlayStore all the time.
Does the bootloader need to be unlocked to do this?
Ignore the implicit dangers of this and assume that I am going to craft the attack updates myself.
Assuming the OEM uses the AOSP model (which Samsung doesn't), no.
Hardware backed Keystore
SELinux
Trusty
Android Verified Boot
All of these work together.
When the bootloader is locked, the boot image is verified (using a cryptographic hash signed by the hardware keystore, which is itself verified) to determine its integrity. This prevents persistent rootkits.
During run time, SELinux enforces access control over all processes, even those with root privileges.
Trusty is a completely separate and isolated secure environment that runs alongside the Android kernel and is used as a "trusted verifier"
And this isn't even getting into the security features implemented in the update process.
For this attack vector you're describing to work, you would have to have the OEM's private and proprietary key used to sign everything in the update package, otherwise an unsigned or incorrectly signed package will be rejected. And even if you did manage to sign the update package, you'd have to essentially reprogram the hardware keys to match, because even if the update flashed to the device, all the images would fail verification because of the hardware keystore authentication.
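Added example, not from V0latyle's post and not AOSP code: a toy model of the chain the post describes, in Python with textbook RSA on Mersenne primes (chosen because they are provably prime without a primality test). The key sizes, the missing signature padding and the JSON stand-in for vbmeta are simplifications of this example; real AVB uses RSA-2048/4096 with SHA-256/512 over a binary vbmeta structure. The shape of the check is the real one: the bootloader holds only a hash of the OEM's vbmeta signing key, verifies the vbmeta signature with that key, then checks each partition's hash against the descriptors in vbmeta. The boot image bytes are a constructed stand-in.

```python
import hashlib
import json

# Toy textbook RSA. Mersenne primes keep the demo self-contained; do not reuse.
E = 65537
OEM_P, OEM_Q = (1 << 521) - 1, (1 << 127) - 1
ATTACKER_P, ATTACKER_Q = (1 << 607) - 1, (1 << 89) - 1


def keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), d                         # (public key, private exponent)


def key_fingerprint(pub):
    """SHA-256 of the public key: the value the factory burns in as the root of trust."""
    n, e = pub
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(raw).digest()


def sign(d, pub, data):
    n, _ = pub
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def make_vbmeta(partitions):
    """vbmeta stand-in: one SHA-256 hash descriptor per partition, serialized deterministically."""
    descriptors = {name: hashlib.sha256(img).hexdigest() for name, img in sorted(partitions.items())}
    return json.dumps(descriptors).encode()


def verified_boot(rot_fingerprint, pub, vbmeta, sig, partitions):
    """Locked-bootloader order of checks: key vs fuses, vbmeta signature, partition hashes."""
    if key_fingerprint(pub) != rot_fingerprint:
        return "red: signing key does not match the hardware root of trust"
    if not verify(pub, vbmeta, sig):
        return "red: vbmeta signature invalid"
    expected = json.loads(vbmeta)
    for name, img in partitions.items():
        if hashlib.sha256(img).hexdigest() != expected.get(name):
            return f"red: {name} hash mismatch"
    return "green"


def demo():
    oem_pub, oem_d = keypair(OEM_P, OEM_Q)
    rot = key_fingerprint(oem_pub)                          # fused at the factory
    boot = b"KERNEL RAMDISK ro.secure=1 ro.debuggable=0"    # constructed stand-in for boot.img
    stock = {"boot": boot}
    vbmeta = make_vbmeta(stock)
    sig = sign(oem_d, oem_pub, vbmeta)
    results = {"stock": verified_boot(rot, oem_pub, vbmeta, sig, stock)}
    # 1. Flip a property inside boot.img: the descriptor in vbmeta no longer matches.
    tampered = {"boot": boot.replace(b"ro.debuggable=0", b"ro.debuggable=1")}
    results["tampered_boot"] = verified_boot(rot, oem_pub, vbmeta, sig, tampered)
    # 2. Rebuild vbmeta and sign it with your own key: rejected at the root of trust,
    #    before the signature is even looked at.
    atk_pub, atk_d = keypair(ATTACKER_P, ATTACKER_Q)
    atk_vbmeta = make_vbmeta(tampered)
    results["attacker_key"] = verified_boot(rot, atk_pub, atk_vbmeta, sign(atk_d, atk_pub, atk_vbmeta), tampered)
    # 3. Present the OEM key with the rebuilt vbmeta: the OEM signature does not cover it.
    results["forged_vbmeta"] = verified_boot(rot, oem_pub, atk_vbmeta, sig, tampered)
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:14s} -> {state}")
```

Each of the three failure paths is the point the post makes: changing anything under the hash breaks the descriptor, re-signing needs the OEM private key, and swapping in your own key fails against the fingerprint in the hardware before a signature is ever checked.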
xXx yYy said:
To root a phone's Android, it is never necessary to unlock the phone's bootloader: this is a fairy tale that is told hundreds of times here and elsewhere.
Source?
How do you get elevated permissions in a protected environment without compromising the boot image, which would make the device fail to boot?
V0latyle said:
Source?
How do you get elevated permissions in a protected environment without compromising the boot image, which would make the device fail to boot?
You probably don't know how rooting Android is accomplished: no elevated permissions are needed to run the SU binary.
xXx yYy said:
You probably don't know how rooting Android is accomplished: no elevated permissions are needed to run the SU binary.
Explain?
$cronos_ said:
hello, i cannot find any info on this device, is the processor mtk, qcom, or exynos
Samsung Galaxy A53 5G - Full phone specifications
www.gsmarena.com
Although it says exynos on that page, I believe this is a Snapdragon as it has the W suffix on the model and as I am in Canada it looks to be the US version.
PSA: There is No OEM Unlock on US Galaxy A53's
Whether you get a carrier version or the factory unlocked U1 model, OEM unlock does not exist on this phone. So those in the US that were thinking of doing custom roms with this cheap new Android device, look elsewhere.
forum.xda-developers.com
V0latyle said:
Assuming the OEM uses the AOSP model (which Samsung doesn't), no.
Hardware backed Keystore
SELinux
Trusty
Android Verified Boot
All of these work together.
When the bootloader is locked, the boot image is verified (using a cryptographic hash signed by the hardware keystore, which is itself verified) to determine its integrity. This prevents persistent rootkits.
During run time, SELinux enforces access control over all processes, even those with root privileges.
Trusty is a completely separate and isolated secure environment that runs alongside the Android kernel and is used as a "trusted verifier"
And this isn't even getting into the security features implemented in the update process.
For this attack vector you're describing to work, you would have to have the OEM's private and proprietary key used to sign everything in the update package, otherwise an unsigned or incorrectly signed package will be rejected. And even if you did manage to sign the update package, you'd have to essentially reprogram the hardware keys to match, because even if the update flashed to the device, all the images would fail verification because of the hardware keystore authentication.
Thanks for the info.
@pndwal since you're much more knowledgeable on this topic than I, care to jump in here?
V0latyle said:
@pndwal since you're much more knowledgeable on this topic than I, care to jump in here?
Topic of temp root etc using vulns / exploits?; All I know is from reading...
This 'Deployment' developer doc was removed in January but mentioned Magisk deployment via exploits:
https://github.com/topjohnwu/Magisk...62964e41201b9f157923b/docs/deploy.md#exploits
I believe this temp MagiskSU from such a root shell can then often be used to flash/obtain full-fledged Magisk root...
Exploit / vulnerability based root certainly has benefits, one of which is ease of properly (and fully) bypassing device integrity attestations since the kernel can be modified while the bootloader remains locked... John commented here (and on future potential):
www.twitter.com/topjohnwu/status/1299903496028790785
... Doubt he'll be elaborating on this any more somehow...
There may not be many useful exploits for root due to security research, pen testing, patching, anti rollback etc... Here's a recent one that can be leveraged for Pixel 6; POC here:
https://github.com/polygraphene/DirtyPipe-Android
... This is already patched from 2022-04-05...
Could be used for Realme GT2 Pro, some Galaxy S22 models, others(?)... The process notes may be enlightening: https://github.com/polygraphene/DirtyPipe-Android/blob/master/TECHNICAL-DETAILS.md#exploit-process
XDA article re. 'infamous "Dirty Pipe" vulnerability can be exploited on the Samsung Galaxy S22 and the Google Pixel 6 Pro to gain root shell access':
https://www.xda-developers.com/tag/root-exploit/
This vuln caused a minor furore over Google anti-rollback w/ A13 update etc... Ex XDA editor Mishaal commented:
www.twitter.com/MishaalRahman/status/1511036735433715719
John's here:
www.twitter.com/topjohnwu/status/1511107456566390785
... I want "MagiPipe" One-Click Root app w/ the rainbow Magikarp icon!
Further:
www.twitter.com/topjohnwu/status/1559786740050644992
And Shawn Willden on patching, anti-rollback counters etc here:
www.twitter.com/shawnwillden/status/1559893884120928256
Older 'Linux Kernel bug dubbed 'Dirty Cow' can Root every version of Android' article by Mishaal:
https://www.xda-developers.com/9-ye...-dirty-cow-can-root-every-version-of-android/
PW
V0latyle said:
Assuming the OEM uses the AOSP model (which Samsung doesn't), no.
...
Please can you explain what you mean here?... I understood '(AOSP) is the bedrock of modern Android skins like One UI and MIUI'...
https://www.androidauthority.com/aosp-explained-1093505/
Is this wrong?...
Can't see how even heavy OEM Android OS skins would make a difference to OEM unlock (or even using a root kit hypothetically)... Aren't unlock options etc determined by OEMs and re-sellers?...
And user does have Samsung device anyway... PW
pndwal said:
...
Please can you explain what you mean here?... I understood '(AOSP) is the bedrock of modern Android skins like One UI and MIUI'...
https://www.androidauthority.com/aosp-explained-1093505/
Is this wrong?...
Can't see how even heavy OEM Android OS skins would make a difference to OEM unlock (or even using a root kit hypothetically)... Aren't unlock options etc determined by OEMs and re-sellers?...
And user does have Samsung device anyway... PW
What I mean is whether Samsung follows the same Android security model, with verified boot, dm-verity, and so on. They do have security features implemented to prevent unsigned binaries (even if the bootloader is unlocked) but they also add a lot of their own stuff like Knox and Vaultkeeper. Either way, it would be difficult for a rootkit to persist after reboot because of these security features.
My understanding of OneUI is that it's not just a reskin/overlay but it also changes a lot of the core components as well. I could be wrong.
V0latyle said:
What I mean is whether Samsung follows the same Android security model, with verified boot, dm-verity, and so on.
Of course they do... AVB (i.e. Verified Boot 2.0) is mandated for any Android 8+ certified implementation...
An AOSP-compatible device must conform to the list of requirements in the Compatibility Definition Document (CDD). An Android-compatible device must conform to the list of requirements in the CDD and Vendor Software Requirements (VSR) and tests such as those in the Vendor Test Suite (VTS) and Compatibility Test Suite (CTS).
https://source.android.com/docs/core/architecture#hidl
Eg. CDD:
https://source.android.com/docs/compatibility/cdd
see 9.9.2. File Based Encryption:
[C-1-4] MUST support Verified Boot and ensure that DE keys are cryptographically bound to the device's hardware root of trust. etc...
https://source.android.com/docs/compatibility/8.0/android-8.0-cdd
device-mapper-verity (dm-verity) is simply a kernel feature used since A 4.4 to implement Verified Boot...
V0latyle said:
They do have security features implemented to prevent unsigned binaries (even if the bootloader is unlocked) but they also add a lot of their own stuff like Knox and Vaultkeeper.
Sure; and MIUI adds Xiaomi Security Centre...
OEMs can add what they like as long as they comply with the CDD and VSR incl VTS and CTS...
V0latyle said:
Either way, it would be difficult for a rootkit to persist after reboot because of these security features.
Well maybe...
I'm unaware of any special safeguards against root whether userspace based or exploit based personally...
V0latyle said:
My understanding of OneUI is that it's not just a reskin/overlay but it also changes a lot of the core components as well. I could be wrong.
Well Android skins are necessarily software tweaks that live on top of stock Android; "They often look very different and offer features that other skins don't. In other words, underneath all the additional design and functionality tweaks, the core version of Android is on all Android devices." More on this here:
https://www.androidauthority.com/android-skins-945375/
Also these can't change security requirements for API/SDK level compliance... There is latitude for OEMs to use their own components, but this is of course costly; Eg OEMs are free to implement their own TEE OS instead of Google's Trusty TEE, but most use Trusty as it's free and works fine!... PW
All very interesting. Thanks.
I remember using Dirty Cow to root a previous device.
My first phone was the Samsung Galaxy Nexus and after that I used several Chinese brands and got root on everything.
Because of the popularity of Samsung I assumed that root would be available.