Hi All
Two days ago I rooted my lab OnePlus 7 Pro; after that we succeeded in connecting through an ADB shell.
To connect as root (like sudo) we edited build.prop (ro.secure=0 and ro.debuggable=1), but after changing ro.secure to 0 we failed to connect at all via adb (adb devices does not show the phone), and if we set only
ro.debuggable=1 we are able to do adb shell, but if we try adb root we lose the adb connectivity.
First I suggest you install TWRP through fastboot and interact with it. Also check the Magisk utility for better root control.
Before the build.prop was modified
jimmy123322 said:
First I suggest you install TWRP through fastboot and interact with it. Also check the Magisk utility for better root control.
First the phone was rooted with
twrp-3.4.0.0 img, twrp-3.4.0.0 installer and Magisk-v20.4.
After that I used a prop editor to allow su root access,
but unfortunately I was able to access only the shell, with no option to access it like adb root,
and when ro.secure is modified to 0 there is no option to access via ADB at all.
Can you please be more accurate about what to do?
Can someone answer?
I'm quite new and have to know what to do
[email protected] said:
I'm quite new and have to know what to do
Try an earlier version of twrp
How to execute files via shell
Last week I asked about adb root but I didn't succeed in solving it.
This means ro.secure=0 is still blocking my adb shell or adb root.
My question now is that we are trying to run iperf via the shell and not via Vysor,
but we are rejected because of permission denied.
drwxr-xr-x 3 root root 60 1970-04-21 23:37 vendor
1|OnePlus7Pro:/mnt $ ./ipef
/system/bin/sh: ./ipef: inaccessible or not found
127|OnePlus7Pro:/mnt $ ./iperf
/system/bin/sh: ./iperf: can't execute: Permission denied
126|OnePlus7Pro:/mnt $ ./iperf
/system/bin/sh: ./iperf: can't execute: Permission denied
126|OnePlus7Pro:/mnt $ ls -lrt
ls: ./media_rw: Permission denied
ls: ./asec: Permission denied
ls: ./product: Permission denied
total 168
drwxr-xr-x 3 root root 60 1970-04-21 23:37 user
drwx------ 3 root root 60 1970-04-21 23:37 secure
drwxr-xr-x 2 root system 40 1970-04-21 23:37 obb
drwxrwx--x 2 system system 40 1970-04-21 23:37 expand
lrwxrwxrwx 1 root root 21 1970-04-21 23:37 sdcard -> /storage/self/primary
drwx------ 6 root root 120 1970-04-21 23:37 runtime
drwx--x--x 2 root root 40 1970-04-21 23:37 appfuse
drwxr-xr-x 3 root root 60 1970-04-21 23:37 vendor
-rwxr-xr-x 1 root root 170480 2020-07-14 11:06 iperf
1|OnePlus7Pro:/mnt $ cd user
OnePlus7Pro:/mnt/user $ ls
0
OnePlus7Pro:/mnt/user $ cd ..
OnePlus7Pro:/mnt $ cp iperf /mnt/user/
cp: /mnt/user//iperf: Permission denied
1|OnePlus7Pro:/mnt $ cp iperf /mnt/user/
cp: /mnt/user//iperf: Permission denied
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $ exit
MacBook-Pro-de-Victor-2latform-tools root#
MacBook-Pro-de-Victor-2latform-tools root#
MacBook-Pro-de-Victor-2latform-tools root# ./adb shell /data/iperf -h
/system/bin/sh: /data/iperf: can't execute: Permission denied
MacBook-Pro-de-Victor-2latform-tools root#
Replying to myself
I used the X-plore app to change the /data/app permissions, then the iperf file was copied to this folder.
1|OnePlus7Pro:/bin $
1|OnePlus7Pro:/bin $ cd /data/app
OnePlus7Pro:/data/app $ ./iperf -h
Usage: iperf [-s|-c host] [options]
iperf [-h|--help] [-v|--version]
Client/Server:
-f, --format [kmKM] format to report: Kbits, Mbits, KBytes, MBytes
-i, --interval # seconds between periodic bandwidth reports
-l, --len #[KM] length of buffer to read or write (default 8 KB)
-m, --print_mss print TCP maximum segment size (MTU - TCP/IP header)
-o, --output <filename> output the report or error message to this specified file
-p, --port # server port to listen on/connect to
-u, --udp use UDP rather than TCP
-w, --window #[KM] TCP window size (socket buffer size)
-B, --bind <host> bind to <host>, an interface or multicast address
-C, --compatibility for use with older versions does not sent extra msgs
-M, --mss # set TCP maximum segment size (MTU - 40 bytes)
-N, --nodelay set TCP no delay, disabling Nagle's Algorithm
-V, --IPv6Version Set the domain to IPv6
Server specific:
-s, --server run in server mode
-U, --single_udp run in single threaded UDP mode
-D, --daemon run the server as a daemon
Client specific:
-b, --bandwidth #[KM] for UDP, bandwidth to send at in bits/sec
(default 1 Mbit/sec, implies -u)
-c, --client <host> run in client mode, connecting to <host>
-d, --dualtest Do a bidirectional test simultaneously
-n, --num #[KM] number of bytes to transmit (instead of -t)
-r, --tradeoff Do a bidirectional test individually
-t, --time # time in seconds to transmit for (default 10 secs)
-F, --fileinput <name> input the data to be transmitted from a file
-I, --stdin input the data to be transmitted from stdin
-L, --listenport # port to receive bidirectional tests back on
-P, --parallel # number of parallel client threads to run
-T, --ttl # time-to-live, for multicast (default 1)
-Z, --linux-congestion <algo> set TCP congestion control algorithm (Linux only)
Miscellaneous:
-x, --reportexclude [CDMSV] exclude C(connection) D(data) M(multicast) S(settings) V(server) reports
-y, --reportstyle C report as a Comma-Separated Values
-h, --help print this message and quit
-v, --version print version information and quit
[KM] Indicates options that support a K or M suffix for kilo- or mega-
The TCP window size option can be set by the environment variable
TCP_WINDOW_SIZE. Most other options can be set by an environment variable
IPERF_<long option name>, such as IPERF_BANDWIDTH.
Report bugs to <[email protected]>
1|OnePlus7Pro:/data/app $
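Why a file that `ls -l` shows as `-rwxr-xr-x` can still fail with "can't execute: Permission denied": execution needs an execute bit the caller can use, a mount point without the noexec flag, and on Android an SELinux rule allowing the caller's domain to exec that file label. The script below is an added example, not code from the thread or from any of its posters; it checks the first two conditions from constructed `ls -l` and /proc/mounts text so it runs on any POSIX shell without a device, and its mount table and paths are assumptions, not captured from the OnePlus 7 Pro.

```shell
#!/bin/sh
# Added example, not from the thread. Three things gate execution of a file:
#  (1) an execute bit the caller can use (DAC),
#  (2) the file's mount point not carrying the noexec flag,
#  (3) on Android, SELinux allowing the caller's domain to exec that label
#      (the adb shell user is normally only allowed to run binaries it
#      pushed to /data/local/tmp).
# This script checks (1) and (2) from text shaped like `ls -l` and /proc/mounts.
# The mount table below is constructed for the example, not captured from a
# real device.
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/dm-0 /data ext4 rw,nosuid,nodev,noatime 0 0
tmpfs /mnt tmpfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/fuse /mnt/user/0/emulated fuse rw,nosuid,nodev,noexec,relatime 0 0'

# mount_point_for PATH MOUNTS: the longest mount point that is a prefix of PATH.
mount_point_for() {
  path=$1
  best=/
  nl='
'
  oldifs=$IFS
  IFS=$nl
  for line in $2; do
    IFS=' '
    set -- $line              # fields: device mountpoint fstype options ...
    mp=$2
    case "$path" in
      "$mp"|"$mp"/*)
        if [ ${#mp} -gt ${#best} ]; then best=$mp; fi ;;
    esac
  done
  IFS=$oldifs
  printf '%s\n' "$best"
}

# mount_opts_for MOUNTPOINT MOUNTS: the options field of that mount's line.
mount_opts_for() {
  printf '%s\n' "$2" | while read -r _dev point _fs opts _rest; do
    if [ "$point" = "$1" ]; then printf '%s\n' "$opts"; break; fi
  done
}

# exec_check PATH LS_LINE MOUNTS: prints "ok" or the first blocking reason.
# LS_LINE is the `ls -l` line for PATH; only the "other" x bit is checked,
# assuming the caller (e.g. the adb shell user) is neither owner nor group.
exec_check() {
  mode=${2%% *}
  case "$mode" in
    ?????????[xt]) ;;                       # others may execute
    *) printf 'no-exec-bit\n'; return 0 ;;
  esac
  mp=$(mount_point_for "$1" "$3")
  opts=$(mount_opts_for "$mp" "$3")
  case ",$opts," in
    *,noexec,*) printf 'noexec-mount:%s\n' "$mp" ;;
    *)          printf 'ok\n' ;;            # DAC and mount pass; SELinux still decides
  esac
}

# Constructed `ls -l` line in the same shape as the one shown in the thread.
SAMPLE_LS='-rwxr-xr-x 1 root root 170480 2020-07-14 11:06 iperf'
exec_check /mnt/iperf "$SAMPLE_LS" "$SAMPLE_MOUNTS"              # noexec-mount:/mnt
exec_check /data/local/tmp/iperf "$SAMPLE_LS" "$SAMPLE_MOUNTS"   # ok
```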
Related
I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[...many lines snipped out...]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rw-rw-rw- root root 22228 2011-11-10 12:53 su
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[...many lines snipped out...]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
su: permission denied
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh the results will be the same; the added commands will be gone, and you won't be able to "su" any more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
G2 Temp Root
Hi, I got a tmo G2 2.3.4.
I used the superhtctoolv2 on Win7, and the HTC drivers linked in the original thread.
I performed options 1 and 2, and was able to gain temp root, but just like everyone else it goes away with a reboot, or even after a prolonged period of inactivity; it works as long as I keep messing with Titanium Backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?
Cool man! Thanks!
HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTC's security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran htc1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
...
well that sucks!
I have model sm-732 purchased in the US and I am not the least bit close to being a developer.
Went to sell it today because it had been sitting in a drawer and I thought that somebody should have it. I only wore it a few times and then it became of no use to me after I was involved in a robbery while wearing it.
It worked after that, don't get me wrong, but I decided not to wear it and put it in a drawer where it has been ever since. I did take it out once to reset it via the software, which was successful. I then placed it in the drawer again and forgot about it, until I remembered I could sell it. I took it out and charged it up and went to sell it. I turned it on when I got to the buyer and it wouldn't work, saying it had failed to start and if it persisted to take it to Samsung. I am way out of warranty so they won't do anything for me. I watched a video on bootlooping and I went to the reset screen where download mode is, and just tried to restore. It came back in Russian. All Russian.
So I went to the internet. People namely said flash it, so I got the AP, BL, and CSC pack for it and flashed it wirelessly with a passing rating from Odin.
I have done this twice now and it will say installing new configuration... (which was displayed in Russian but now is displayed in English); after that the Gear S2 logo will flash and then the Samsung logo, and then poof, it just shuts down and goes back to Russian!
Good lord help me. I am an idiot.
Same here! If I flash Combinations-FTMA it works (but limited); after flashing the full firmware ... "Failed. If the problem persists, visit a customer service centre."
@Karmaus
Sorry. Less time...
1.
I can see Warranty Void blabla... so something with Knox happens in Photo 1...
2.
No idea what exact fail...
I can remember that during my experiments one time I killed the BT address in the CSA area...
So the first boot ends with an error as no connection is possible with the phone...
It was very hard for me to restore BT... but it is not impossible... :angel:
2.1
Maybe check BT AND WiFi connection in FTMA Combination Firmware...
2.2
You could also try to catch Log Files...
Code:
*#9900#
Best Regards
Edit 1.
Forgotten...
SM-R732 has 2 regions... OXA AND OXX...
Maybe this is the reason... if CSC is not inside Firmware package...
@adfree
adfree said:
@Karmaus
Sorry. Less time...
...
1. I've tried to write both FTMA & full firmware, same result
2. Indeed BT is killed ...
Edit1. Thanks for the regions!
So can you remember how to restore BT?
My Edit 1: I've added my dump log ...
@Karmaus
Limited time... and long time ago...
But if I remember correct.
You can use easy Shell script *.sh inside Combination Firmware...
Write me PM... and I will try to search in my Computers... how I solved lost BT...
Best Regards
Code:
#!/bin/sh
#
# Script for setting Bluetooth Address
#
#if [ -e /opt/etc/.bd_addr ]
#then
# echo "Already .bd_addr exists"
# exit 0
#fi
/usr/bin/setbd
echo "Set BT address successes"
bt-set-addr.sh
@Karmaus
Something like this I did to restore BT...
This Shell Script is inside Combination Firmware...
All my attempts to restore my own CSA dump failed... Seems higher secured...
But with this easy Script it was easy...
Best Regards
adfree said:
...
Thanks so much ... I will try right now and come back with a reply in a few minutes!
About BT address...
Example to check if file is absent...
Code:
sh-3.2$ cd csa
sh-3.2$ ls
bluetooth csc factory lost+found prov prov_data sensor
sh-3.2$ cd bluetooth
sh-3.2$ ls
sh-3.2$ ls -a -1 -l
total 6
drwxr-xr-x 2 root root 1024 Sep 4 2015 .
drwxr-xr-x 9 root root 1024 Jan 1 2015 ..
-rw-r--r-- 1 root root 14 Sep 4 2015 .bd_addr
sh-3.2$ cat .bd_addr
0002
fc
68f142sh-3.2$
Here is all okay... BT address is not gone/erased...
BUT IMHO this requires ROOT... Combination Firmware...
Best Regards
adfree said:
About BT address...
...
In my similar case, I haven't seen anything
Code:
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell
sh-3.2# ls
bin csa etc initrd lost+found mnt proc run sdcard srv tmp var
boot dev home lib media opt root sbin smack sys usr
sh-3.2# cd csa
sh-3.2# ls -l
total 0
sh-3.2#
My post: https://forum.xda-developers.com/smartwatch/gear-s2/gear-s2-rm-720-loop-t3977853
Edit:
I tried to run /usr/bin/setbd but I can't.
Bluetooth Address Setting
mkdir: Read-only file system (30) File not exist
Can't open address file
Code:
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell chmod 777 /usr/bin/
chmod: changing permissions of `/usr/bin/': Read-only file system
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb root on
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell chmod 777 /usr/bin/
chmod: changing permissions of `/usr/bin/': Read-only file system
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb root off
Switched to 'developer' account mode
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell chmod 777 /usr/bin/
chmod: changing permissions of `/usr/bin/': Read-only file system
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell /usr/bin/setbd
-l: /usr/bin/setbd: Permission denied
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell cp /usr/bin/setbd /opt/usr/media/
cp: cannot stat `/usr/bin/setbd': Permission denied
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb root on
Switched to 'root' account mode
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell cp /usr/bin/setbd /opt/usr/media/
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell ls -l /opt/usr/media/
total 24
drwxrwxrwx 2 app app 4096 Oct 6 2015 Downloads
drwxrwxrwx 2 app app 4096 Oct 6 2015 Images
drwxrwxrwx 2 app app 4096 Oct 6 2015 Music
drwxrwxrwx 3 app app 4096 Oct 6 2015 Sounds
-rwxr-xr-x 1 root root 6004 Jan 5 11:51 setbd
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell chmod 777 /opt/usr/media/setbd
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell ls -l /opt/usr/media/
total 24
drwxrwxrwx 2 app app 4096 Oct 6 2015 Downloads
drwxrwxrwx 2 app app 4096 Oct 6 2015 Images
drwxrwxrwx 2 app app 4096 Oct 6 2015 Music
drwxrwxrwx 3 app app 4096 Oct 6 2015 Sounds
-rwxrwxrwx 1 root root 6004 Jan 5 11:51 setbd
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>adb shell /opt/usr/media/setbd
Bluetooth Address Setting
mkdir: Read-only file system(30)File not exist
Can't open address file
C:\Users\msdda\Desktop\WiFi_Odin V1.0\GearFit2>
@danicifu01
Is sooooooooo looooooooong ago....
Code:
mount -o remount,rw /
Try this Command before in:
Code:
sdb shell
Best Regards
adfree said:
@danicifu01
Is sooooooooo looooooooong ago....
Code:
mount -o remount,rw /
Try this Command before in:
Code:
sdb shell
Best Regards
thanks but:
Code:
sh-3.2# ls -l
total 44
drwxr-xr-x 3 root root 4096 Oct 6 2015 abuild
drwxr-xr-x 10 app app 4096 Jan 6 09:57 app
-rwxrwxrwx 1 root root 136 Jan 10 18:14 bt.sh
drwxr-xr-x 2 developer developer 4096 Oct 6 2015 developer
drwxr-xr-x 4 root root 4096 Jan 5 13:49 root
drwxr-xr-x 5 system system 4096 Jan 5 11:10 system
sh-3.2# sh bt.sh
bt.sh: line 1: cript: command not found
Bluetooth Address Setting
mkdir: Permission denied(13)File not exist
Can't open address file
bt.sh is the script.
I try to run the script but the file does not exist. Why?
[email protected] said:
last week i've asked about adb root but i didn't succeed to solve it .
means ro.secure=0 is still blocking my adb shell or adb root.
...
@[email protected] THREAD CLOSED as you've created already another thread with this topic, and to which your above posts have been copied: https://forum.xda-developers.com/oneplus-7-pro/help/oneplus7-pro-ro-secure0-t4127227
XDA Forum Rules (excerpt):
...
5. Create a thread topic or post a message only once, this includes external links & streaming media.
As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
You can bump your unanswered question once every 24 hours
Duplicate threads and posts will be removed
Always post in an existing thread if a topic already exists, before creating a new thread.
Use our search function to find the best forum for your device.
Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
Self-promotion is forbidden, this includes blogs, social media and video channels etc. Random links will be removed.
...
Please note what I've highlighted in red above, and please refrain from creating a new thread every time!
I can't root my Samsung Galaxy A02 (SM-A022F/DS, build no. A022FXXU2BUI3, Android 11). I don't know what to do to root it and I don't have the firmware file (bootloader unlocked).
To get superuser access (AKA root), to be able to control various aspects of the Android OS, you need to perform a certain modification that will root your phone's Android. An unlocked bootloader isn't needed to root Android.
Here is what you have to do to root your device's Android:
Replace Android's Toybox binary - which is a restricted version by default - by the unrestricted Toybox v0.8.5.
This e.g. can be achieved by means of a Windows command script making use of ADB commands.
jwoegerbauer said:
To get superuser access (AKA root), to be able to control various aspects of the Android OS, you need to perform a certain modification that will root your phone's Android. An unlocked bootloader isn't needed to root Android.
...
Hi, I don't know what Toybox is, and I don't really know what to do. Can you tell me step by step please? I have ADB already.
dleaderp said:
Hi, I don't know what Toybox is, and I don't really know what to do.
Typically people do a Google search like "Android Toybox" ...
To save you this search: Toybox is a suite of Linux commands ported to Android.
The commands supported are
Code:
acpi arch ascii base64 basename blkid blockdev bunzip2 bzcat cal cat
catv chattr chgrp chmod chown chroot chrt chvt cksum clear cmp comm
count cp cpio crc32 cut date devmem df dirname dmesg dnsdomainname
dos2unix du echo egrep eject env expand factor fallocate false fgrep
file find flock fmt free freeramdisk fsfreeze fstype fsync ftpget
ftpput getconf grep groups gunzip halt head help hexedit hostname
hwclock i2cdetect i2cdump i2cget i2cset iconv id ifconfig inotifyd
insmod install ionice iorenice iotop kill killall killall5 link ln
logger login logname losetup ls lsattr lsmod lspci lsusb makedevs
mcookie md5sum microcom mix mkdir mkfifo mknod mkpasswd mkswap mktemp
modinfo mount mountpoint mv nbd-client nc netcat netstat nice nl nohup
nproc nsenter od oneit partprobe passwd paste patch pgrep pidof ping
ping6 pivot_root pkill pmap poweroff printenv printf prlimit ps pwd
pwdx readahead readlink realpath reboot renice reset rev rfkill rm
rmdir rmmod sed seq setfattr setsid sha1sum shred sleep sntp sort
split stat strings su swapoff swapon switch_root sync sysctl tac tail
tar taskset tee test time timeout top touch true truncate tty tunctl
ulimit umount uname uniq unix2dos unlink unshare uptime usleep uudecode
uuencode uuidgen vconfig vmstat w watch wc which who whoami xargs
xxd yes zcat
As you might see, su is the ROOT functionality.
dleaderp said:
Can you tell me step by step please? I have ADB already.
Actually I'm working on a Windows command script that makes use of ADB and does the job. I'll publish it here when finished:
[TOOL][ADB][Windows] A 100% Safe Non-systemless Root Tool - No Soft-bricked Android Guaranteed
Grant Root Privileges to Regular Users Using Devices With Android 6 and up by Simply Upgrading Android's Multi-command Applet Toybox.
forum.xda-developers.com
jwoegerbauer said:
Actually I'm working on a Windows command script that makes use of ADB and does the job. I'll publish it here when finished:
happy to hear that xd
I've got one last question: I think my phone's storage shrank after I used the firmware. Is that possible? If yes, how can I fix it? It was 32 GB, now it's 8 GB.
I fixed it; I used another firmware. I'll wait for your ADB script.
I have an old Samsung Galaxy S4. It's been off the network for a while and its system clock has drifted. However, adb works and I can use the old phone as a sandbox environment to learn about low level Android fundamentals. I would like to learn how to root the phone, ideally without using any apps - I prefer to learn how to compile my own local privilege escalation exploit and run it on my old phone.
adb shell getprop ro.build.version.release
5.0.1
adb shell getprop ro.build.version.sdk
21
dumpstate:
Build: LRX22C.I337UCSGOK3
Build fingerprint: 'samsung/jflteuc/jflteatt:5.0.1/LRX22C/I337UCSGOK3:user/release-keys'
Bootloader: I337UCSGOK3
Radio: mdm
Network: (unknown)
Kernel: Linux version 3.4.0-6185444 ([email protected]) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Wed Nov 30 21:31:59 KST 2016
Command line: console=null androidboot.hardware=qcom user_debug=23 msm_rtb.filter=0x3F ehci-hcd.park=3 [email protected] [email protected] sec_debug.reset_reason=0x1a2b3c00 androidboot.warranty_bit=0 lcd_attached=1 lcd_id=0x418047 androidboot.debug_level=0x4f4c sec_debug.enable=0 sec_debug.enable_user=0 androidboot.cp_debug_level=0x55FF sec_debug.enable_cp_debug=0 cordon=a569d279d878ac52077d6cfb9721d339 connie=SGH-I337_ATT_USA_76d68869445a30d9d8d06ffe689dd803 lpj=67678 loglevel=4 samsung.hardware=SGH-I337 androidboot.emmc_checksum=3 androidboot.warranty_bit=0 androidboot.bootloader=I337UCSGOK3 androidboot.nvdata_backup=0 androidboot.boot_recovery=0 androidboot.check_recovery_condition=0x0 level=0x574f4c44 vmalloc=450m sec_pvs=0 batt_id_value=0 diag=0 androidboot.csb_val=1 androidboot.emmc=true androidboot.serialno=95e836b4 androidboot.baseband=mdm
cat /proc/cpuinfo:
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 13.53
processor : 1
BogoMIPS : 13.53
processor : 2
BogoMIPS : 13.53
processor : 3
BogoMIPS : 13.53
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x51
CPU architecture: 7
CPU variant : 0x1
CPU part : 0x06f
CPU revision : 0
Hardware : SAMSUNG JF
Revision : 000a
Serial : 000095e8000036b4
Android is a ported Linux, hence rooting Android means adding the su ( read: switchuser ) functionality well known from Linux to the device's Android. That's all.
This can be achieved with ADB, having a suitable su at hand.
https://forum.xda-developers.com/attachments/su-binaries-zip.5566949/
Do you have source code for that su? I believe it would still require an exploit to escalate privileges, since normally su needs to run with root permissions, and I don't have a way of elevating to root without it.
What you believe is totally wrong: su doesn't need root permissions to run a shell command; su is what in general is called root.
Code:
su -c "<SHELL-COMMAND-HERE>"
Become familiar with Linux shell commands.
I can already run shell commands using adb shell. However, I cannot run privileged commands because the adb shell process does not run with root privileges. Can you please elaborate further?
OMG.
Code:
adb shell
simply opens a remote Android terminal, which doesn't require any elevated privileges per se.
Running shell commands that require elevated privileges ( e.g. mount ) is achieved as follows
Code:
adb shell "<PATH-OF-SU-BINARY-HERE> -c '<SHELL-COMMAND-HERE>'"
Example:
Code:
adb shell "/data/local/tmp/su -c 'mount -o rw,remount /data'"
The adb shell allows running unprivileged commands but there are numerous things which cannot be done without the root privilege, such as remounting filesystems, changing permissions, accessing directories which require elevated privileges, etc. This is what I am asking about. Am I misunderstanding you - are you trying to say that adb shell can be used by an unprivileged user to run privileged commands?
See my revised post above yours.
@jf80dEf
The Samsung Galaxy S4 variant you have is from AT&T (model number SGH-I337) and it's running the final software release (OK3).
For this model, you need to downgrade to a lower firmware (NB1) and achieve root access by exploiting the vulnerability known as CVE-2014-3153. More details can be found here.
Thank you @SkandaH for answering my question! I believe the method you suggest involves using Odin to wipe the phone to make it vulnerable to the towelroot exploit. Reading between the lines, am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
jf80dEf said:
... am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
Yes, that's correct.
Just for fun, I tried that method on a rooted device; it doesn't work for Android 5+.
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
C:\Android>adb devices
List of devices attached
ca1296db7d29 device
C:\Android>adb push su /data/local/tmp
su: 1 file pushed. 0.7 MB/s (75344 bytes in 0.105s)
C:\Android>adb shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 84
drwxrwx--x 2 shell shell 4096 2022-12-27 15:22 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su
cereus:/data/local/tmp $ ./su
"./su": error: Android 5.0 and later only support position-independent executables (-fPIE).
1|cereus:/data/local/tmp $ rm ./su
cereus:/data/local/tmp $ exit
C:\Android>
Copied another su binary from a stock rooted Android TV box (no superuser app required, permissions granted automatically).
Code:
C:\Android>adb push su /data/local/tmp
adb: error: failed to get feature set: more than one device/emulator
C:\Android>adb -s ca1296db7d29 push su /data/local/tmp
su: 1 file pushed. 1.4 MB/s (100068 bytes in 0.070s)
C:\Android>adb shell
error: more than one device/emulator
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ ./su
255|cereus:/data/local/tmp $ ./su --help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
--daemon start the su daemon agent
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-u display the multiuser mode and exit
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
cereus:/data/local/tmp $ ./su --version
16 com.thirdparty.superuser
cereus:/data/local/tmp $
Still it doesn't work from /data/local/tmp, as the uid is 2000 (shell), so I tried from /data/local, where the uid is 0 (root).
But I had to use Magisk's /sbin/su for this already.
Code:
cereus:/data/local/tmp $ ls -la /data/local
ls: /data/local: Permission denied
1|cereus:/data/local/tmp $ ls -la /data/local/tmp
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ cp ./su ..
cp: ../su: Permission denied
1|cereus:/data/local/tmp $ which su
/sbin/su
cereus:/data/local/tmp $ /sbin/su -c 'cp ./su ..'
cereus:/data/local/tmp $ cd ..
cereus:/data/local $ ls -la
ls: .: Permission denied
1|cereus:/data/local $ /sbin/su -c 'chmod 6775 ./su'
cereus:/data/local $ /sbin/su -c 'ls -la'
total 120
drwxr-x--x 4 root root 4096 2022-12-27 15:45 .
drwxrwx--x 48 system system 4096 2022-07-24 20:32 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 tmp
drwxrwxrwx 2 shell shell 4096 2022-07-24 14:19 traces
cereus:/data/local $ ./su
255|cereus:/data/local $
Despite the SUID bit being set correctly, it still doesn't work. So I removed the nosuid mount flag for the /data partition and double-checked that SELinux isn't the problem.
Code:
255|cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /data'
cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ ./su
255|cereus:/data/local $ getenforce
Permissive
cereus:/data/local $
Still no way to get the root shell with that su binary; maybe it is prevented from running from /data at all. I decided to try from another partition, but there was no way. Although uid 2000 (shell) should at least be able to see the file, that wasn't the case. Magisk mount namespaces are set to global; no idea why the file is invisible in /cache.
Code:
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /cache'
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'cp ./su /cache'
cereus:/data/local $ cd /cache
/system/bin/sh: cd: /cache: Permission denied
2|cereus:/data/local $ /sbin/su -c 'cd /cache'
cereus:/data/local $ /sbin/su -c 'mkdir /cache/tmp'
cereus:/data/local $ /sbin/su -c 'chown 0.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'chown 2000.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 16
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:54 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # cp /cache/su .
cereus:/cache/tmp # chmod 6775 ./su
cereus:/cache/tmp # exit
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # chown -R 0.2000 .
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwxrwxr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'chmod 6775 /cache/tmp/su'
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $
Finally, I even tried from within the Magisk root shell. Still the binary throws error 255. As you can see, the su binary has the sticky bit and uid 0 (root).
Code:
127|cereus:/data/local $ /sbin/su
cereus:/data/local # /cache/tmp/su --version
16 com.thirdparty.superuser
cereus:/data/local # /cache/tmp/su
255|cereus:/data/local # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/data/local $
To confirm that the binary is working at least, I wanted to install it in /system. Because of systemless root and AVB/dm-verity I can't place a file into the /system partition directly, so I used the Magisk bind-mount overlay.
Code:
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /data/adb/modules
cereus:/data/adb/modules # mkdir su_test
cereus:/data/adb/modules # cd su_test/
cereus:/data/adb/modules/su_test # mkdir -p system/xbin
cereus:/data/adb/modules/su_test # cp /cache/tmp/su system/xbin
cereus:/data/adb/modules/su_test # chown -R 0.2000 system
cereus:/data/adb/modules/su_test # chmod 6775 system/xbin/su
cereus:/data/adb/modules/su_test # ls -la system/xbin
total 108
drwxr-xr-x 2 root shell 4096 2022-12-27 16:10 .
drwxr-xr-x 3 root shell 4096 2022-12-27 16:10 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 su
cereus:/data/adb/modules/su_test # echo 'id=su_test' > module.prop
cereus:/data/adb/modules/su_test # echo 'name=su_test' >> module.prop
cereus:/data/adb/modules/su_test # echo 'version=0.0.1' >> module.prop
cereus:/data/adb/modules/su_test # echo 'versionCode=001' >> module.prop
cereus:/data/adb/modules/su_test # echo 'author=aIecxs @ XDA' >> module.prop
cereus:/data/adb/modules/su_test # echo 'description=proof that su binary is "suitable"' >> module.prop
cereus:/data/adb/modules/su_test # cat module.prop
id=su_test
name=su_test
version=0.0.1
versionCode=001
author=aIecxs @ XDA
description=proof that su binary is "suitable"
cereus:/data/adb/modules/su_test # ./system/xbin/su --version
16 com.thirdparty.superuser
cereus:/data/adb/modules/su_test # exit
cereus:/data/local $ exit
C:\Android>
After installing the Magisk module, I rebooted the phone and confirmed that the su binary works when run from /system.
Code:
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ which su
/sbin/su
cereus:/ $ ls -l /system/xbin/su
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 /system/xbin/su
cereus:/ $ /system/xbin/su --version
16 com.thirdparty.superuser
cereus:/ $ /system/xbin/su
cereus:/ #
(note the /sbin/su binary is Magisk while the /system/xbin/su binary is the file copied from android tv box)
As adb root cannot work on a stock Android device with a user/release-keys build, there is no way to use the chown command. Because it is impossible from adb to place the file into /system or any other proper location whose directory owner is 0 (root), it's not possible to get a root shell from adb.
Conclusion: an additional exploit (like mtk-su) is required to achieve this.
Edit: fun fact. Magisk complains about the foreign su binary that is provided by the Magisk module xD
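Two things in this thread come down to the same check: a pushed binary such as iperf refusing to run from /mnt with "Permission denied", and the `nosuid` remounts of /data and /cache in the experiment above. The kernel enforces both at the mount level: `noexec` refuses to execute anything from that filesystem (the usual state of /mnt and the FUSE/sdcard-style mounts on Android), and `nosuid` runs a binary with the caller's uid even when its setuid bit is set. The POSIX shell script below is an added example, not code from the thread or from any of its posters: it resolves a path to the longest-prefix mount point in a /proc/mounts-style table and reports which of the two flags apply. The mount table embedded in it is constructed for offline use and only resembles the device output quoted above; on a phone, point it at the real table with `MOUNTS=/proc/mounts` and pass the paths you are trying to execute.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a path lies on a
# mount carrying the noexec and/or nosuid flag, the two mount options that
# stop a pushed binary from executing at all, or from gaining root through
# its setuid bit, respectively.
#
# Usage on a device:  MOUNTS=/proc/mounts sh mountflags.sh /data/local/tmp/su
# Without MOUNTS set, the constructed sample table below is used instead.

# Constructed sample in /proc/mounts format (device, mountpoint, fstype,
# options, dump, pass). It only resembles the device output in the thread.
SAMPLE_MOUNTS='rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic 0 0
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard 0 0
tmpfs /mnt tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
/dev/fuse /mnt/user/0/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=0 0 0'

# mounts: emit the mount table, from $MOUNTS if set, else the sample.
mounts() {
    if [ -n "${MOUNTS:-}" ]; then cat "$MOUNTS"; else printf '%s\n' "$SAMPLE_MOUNTS"; fi
}

# mount_for PATH: print "MOUNTPOINT OPTIONS" for the mount whose mountpoint
# is the longest prefix of PATH, so /mnt/user/0/emulated beats /mnt beats /.
mount_for() {
    mf_path=$1
    mf_best=""
    mf_bestopts=""
    while read -r mf_dev mf_mnt mf_fs mf_opts mf_rest; do
        case "$mf_path" in
            "$mf_mnt"|"$mf_mnt"/*|"${mf_mnt%/}"/*) ;;
            *) continue ;;
        esac
        if [ "${#mf_mnt}" -gt "${#mf_best}" ]; then
            mf_best=$mf_mnt
            mf_bestopts=$mf_opts
        fi
    done <<EOF
$(mounts)
EOF
    printf '%s %s\n' "$mf_best" "$mf_bestopts"
}

# has_opt OPTIONS FLAG: succeed if FLAG is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# check_path PATH: print "PATH: VERDICT (MOUNTPOINT)" where VERDICT is one of
#   ok             exec and setuid are honoured on this mount
#   noexec         nothing can be executed from here (Permission denied)
#   nosuid         binaries run, but the setuid bit is ignored
#   noexec,nosuid  both
check_path() {
    cp_path=$1
    set -- $(mount_for "$cp_path")
    cp_mnt=$1
    cp_opts=$2
    cp_verdict=""
    if has_opt "$cp_opts" noexec; then cp_verdict=noexec; fi
    if has_opt "$cp_opts" nosuid; then cp_verdict="${cp_verdict:+$cp_verdict,}nosuid"; fi
    if [ -z "$cp_verdict" ]; then cp_verdict=ok; fi
    printf '%s: %s (%s)\n' "$cp_path" "$cp_verdict" "$cp_mnt"
}

# Command-line use: check every path given.
for p in "$@"; do
    check_path "$p"
done
```

An `ok` verdict only removes the mount as a suspect. As the experiment above shows, a setuid binary can still exit non-zero without elevating because of SELinux, the binary's own policy (this su reports a Superuser package version and expects its app), or kernel restrictions, so the next thing to check is what the binary itself reports, not the mount.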