Hello all,
I have a little problem. I bought a used X10i with older firmware but rooted. First of all, I only have Debian Linux 6 64-bit and a virtual Windows XP. I could update to the newest firmware 2.1.1.a.0.6 with SEUS on VirtualBox (I did the "repair"). Then the root was gone. So I tried out every version of SuperOneClick on virtual Windows, but it's not working, it freezes every time. Also tried z4mod and Flashtool, not working.
So I tried it manually with adb (I have the Android SDK installed). I used the binaries from SuperOneClick 1.9.5. I think the best is when I post my cmd session:
(I have to replace the shell prompt from Debian with [debian]$, because the forum tells me this is an external link...)
Code:
[debian]$ adb push psneuter /data/local/tmp
1635 KB/s (585731 bytes in 0.349s)
[debian]$ adb push su-v1 /sdcard/
430 KB/s (26256 bytes in 0.059s)
[debian]$ adb push su-v2 /sdcard/
579 KB/s (26264 bytes in 0.044s)
[debian]$ adb push su-v3 /sdcard/
437 KB/s (26324 bytes in 0.058s)
[debian]$ adb push Superuser.apk /sdcard/
2063 KB/s (196521 bytes in 0.092s)
[debian]$ adb shell
$ busybox chmod +x /data/local/tmp/psneuter
$ /data/local/tmp/psneuter
property service neutered.
killing adbd. (should restart in a second or two)
[debian]$ adb shell
# mount -o remount,rw -t yaffs2 /dev/block/mmcblk0p12 /system
# mv /system/bin/su /system/bin/su.bak
# mv /system/xbin/su /system/xbin/su.bak
# busybox cp /sdcard/su-v* /system/xbin
# cd /system/xbin
# busybox chmod +x su-v*
# su-v1
reloc_library[1245]: 3712 cannot locate '_ZNK7android6Parcel15setDataPositionEj'...CANNOT LINK EXECUTABLE
# exit
[debian]$ adb shell
# su-v2
# exit
# su-v3
# exit
# rm /system/xbin/su-v1
# rm /system/xbin/su-v2
# mv /system/xbin/su-v3 /system/xbin/su
# busybox cp /sdcard/Superuser.apk /system/app
# busybox chmod 06755 /system/xbin/su
# busybox chown 0.2000 /system/xbin/su
# busybox ln -s /system/xbin/su /system/bin/su
# su
# exit
# reboot
[debian]$ adb shell
$ su
Permission denied
$
You can see I get a root shell and mount system, copy su and everything, but when I reboot everything is gone. If I don't reboot and check with "Root Checker", it tells me that I don't have root access.
What am I doing wrong? I'm a noob in "hacking" phones but have some knowledge of Linux & shells.
Thanks a lot for some help.
Could solve it: was using SuperOneClick on a Windows PC from my friend. Works great... but still interested in a Linux-only solution because I want to develop a shell script for rooting for Linux users.
There is a thread for rooting .28, but it only includes a windows bat file:
http://forum.xda-developers.com/showthread.php?t=1706588
XDA blocks me from posting to that developer thread because I have not posted enough! LOL.
Here is the logic for a linux bash script - just download DebugfsRoot_v1.8.zip, point the ADB var at your adb binary, and run it. Worked for me - first time I've rooted the prime after just getting the .28 update. It's a prime purchased in Australia.
Enjoy,
Jason.
Code:
#!/bin/bash
ADB=./adb
$ADB kill-server
$ADB wait-for-device
read -p "Step 1 - Pushing files... (press a key to continue)"
$ADB push debugfs /data/local/
$ADB push su /data/local/
$ADB push debugfsinput /data/local/
$ADB shell "mv /data/local/tmp /data/local/tmp.bak"
$ADB shell "ln -s /dev/block/mmcblk0p1 /data/local/tmp"
read -p "Rebooting... (press a key to continue)"
$ADB reboot
$ADB wait-for-device
read -p "Step 2 - Rooting... (press a key to continue)"
$ADB shell "chmod 777 /data/local/debugfs"
$ADB shell "/data/local/debugfs -w /dev/block/mmcblk0p1 < /data/local/debugfsinput"
$ADB shell "rm /data/local/tmp"
$ADB shell "mv /data/local/tmp.bak /data/local/tmp"
$ADB shell "rm /data/local/su"
$ADB shell "rm /data/local/debugfs"
$ADB shell "rm /data/local/debugfsinput"
read -p "Rebooting... (press a key to continue)"
$ADB reboot
$ADB wait-for-device
read -p "Testing superuser... (press a key to continue)"
$ADB shell "/system/xbin/su -c id"
read -p "Installing Superuser.apk... (press a key to continue)"
$ADB install Superuser.apk
read -p "Rebooting..."
read -p "Once your Prime reboots, it will be rooted! (press a key to continue)"
$ADB reboot
Hi,
Holding in my hands this Chinese, pretty well made and fast thing (maybe just the border plastic looks a little bit loose).
But in this post I will not talk about the quality of this tablet; I'm writing this just for other people who "googled" to solve problems :cyclops:
Device spec:
Freelander PD80 Shangpin
Exynos quadcore
Android 4.0.4
So nothing new here, just the flow of what you need to perform.
Really this article is not about rooting; actually it's about how to get root working here.
I'm using Linux, so everything below is aligned to Linux, but with some modification you can perform everything under Windows.
This flow can be applicable to any device with such a problem.
And as usual - Whatever you do with your device, you do that at your own risk.
Description:
1. Executing "su" in ConnectBot or Android Terminal Emulator returns the following:
Code:
$ su
su: uid xxxxx not allowed to su
2. By executing "su" from adb shell I get root rights:
Code:
linux$ ./adb shell
android$ su
android#
Conclusion:
So the device is rooted; the problem is just with the "wrong" su binary (even busybox inside).
Let's solve it, if it's really your problem.
Steps to solve:
1. Download "chainsdd superuser" (site http://androidsu.com/superuser/ direct link http://downloads.noshufou.netdna-cdn.com/superuser/Superuser-3.1.3-arm-signed.zip)
2. extract archive and find inside Superuser.apk and su
3. Put Superuser.apk and su into folder with adb
4. Upload them to the Android device's sdcard by executing from the PC:
Code:
# ./adb push ./su /sdcard/su
Code:
# ./adb push ./Superuser.apk /sdcard/Superuser.apk
5. Now we need to move them into the system.
Launch adb shell:
Code:
$ ./adb shell
$ su
#
6. Make sure that the system partition is writable (it was in my case):
Code:
# mount|grep system
As a result you will see:
Code:
/dev/block/mmcblk0p2 /system ext4 rw,relatime,barrier=1,data=ordered 0 0
In our case we don't need that. But if you see "ro" instead of "rw", you need to simply remount it:
Code:
# mount -o remount,rw /system
7. Back up the old su binary by executing
Code:
# cp /system/xbin/su /system/xbin/su_ori
8. Copy su binary from sdcard to system
Code:
# cp /sdcard/su /system/xbin/su
Fix permissions:
Code:
# chmod 6755 /system/xbin/su
Check permissions:
Code:
# ls -l /system/xbin/|grep su
You'll see something like this:
Code:
-rwsr-sr-x root root 380532 2013-11-17 01:02 su
-rwsr-sr-x root root 64412 2013-11-17 01:18 su_ori
and link it
Code:
# ln -s /system/xbin/su /system/bin/su
9. Copy superuser.apk to system applications:
Code:
# cp /sdcard/Superuser.apk /system/app/superuser.apk
Fix permissions:
Code:
# chmod 644 /system/app/superuser.apk
Check permissions:
Code:
# ls -l /system/app|grep superuser.apk
You'll see something like this:
Code:
-rw-r--r-- root root 1468798 2013-11-17 01:10 superuser.apk
10. Reboot. And try to execute su from connectbot or android terminal emulator.
You'll be asked about granting permission.
That's all; now we can do everything.
Good luck.
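The two checks the procedure above does by eye (the `mount|grep system` line in step 6 and the `ls -l /system/xbin` line in step 8) can be scripted, so a root-install script can verify its own result before rebooting. The same check also explains the X10i session at the top of the thread: a su that is not setuid root (or not executable by others) answers "Permission denied" to a non-root shell. This is an added example, not code from any post in this thread; the sample lines are constructed to match the output quoted in the post, and the functions can be fed real output with `su_installed_ok "$(adb shell ls -l /system/xbin/su)"`.

```shell
#!/bin/sh
# Added example (not from the thread): verify su installation and /system
# mount state from the text output of toolbox `ls -l` and `mount`.

# su_installed_ok LINE
# LINE is one entry of Android toolbox `ls -l`: "mode owner group size date time name".
# Returns 0 only if the file is setuid (the 's' in the owner triple), executable
# by others (so an unprivileged shell may run it) and owned by root.
su_installed_ok() {
    set -- $1                # split LINE on whitespace into $1 $2 ...
    mode=$1
    owner=$2
    case "$mode" in
        -rws*) ;;            # regular file, owner rwx with the setuid bit set
        *) return 1 ;;
    esac
    case "$mode" in
        *x) ;;               # last character: execute bit for "others"
        *) return 1 ;;
    esac
    [ "$owner" = root ]
}

# system_writable MOUNT_LINE
# MOUNT_LINE is the /system entry of `mount`: "device mountpoint fstype options ...".
# Returns 0 if the options contain rw, 1 if ro (remount needed) or not /system.
system_writable() {
    set -- $1
    [ "$2" = /system ] || return 1
    case ",$4," in
        *,rw,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines (same shape as the output quoted in the post).
SU_OK='-rwsr-sr-x root root 380532 2013-11-17 01:02 su'
SU_NO_SUID='-rwxr-xr-x root root 380532 2013-11-17 01:02 su'
SU_NOT_ROOT='-rwsr-sr-x shell shell 380532 2013-11-17 01:02 su'
MNT_RW='/dev/block/mmcblk0p2 /system ext4 rw,relatime,barrier=1,data=ordered 0 0'
MNT_RO='/dev/block/mmcblk0p2 /system ext4 ro,relatime,barrier=1,data=ordered 0 0'

for line in "$SU_OK" "$SU_NO_SUID" "$SU_NOT_ROOT"; do
    if su_installed_ok "$line"; then echo "OK : $line"; else echo "FIX: $line"; fi
done
for line in "$MNT_RW" "$MNT_RO"; do
    if system_writable "$line"; then echo "rw : $line"; else echo "ro : $line (remount needed)"; fi
done
```

Only the mode and owner fields are inspected, so the check works the same for `su_ori` or a su placed in `/system/bin`; the `chmod 6755` in step 8 is exactly what turns the `x` of the owner triple into the `s` the first case pattern looks for.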
I have rooted my HDX 8.9, and then I reroot it. Now I have some problems. I want to root my HDX again, but I can't root it again. I have pushed the 4 files, but it didn't continue. It shows
Waiting for device ...
Pushing files ...
push: .\scripts\superuser/superuser.sh -> /data/local/tmp/superuser.sh
push: .\scripts\superuser/Superuser.apk -> /data/local/tmp/Superuser.apk
push: .\scripts\superuser/su -> /data/local/tmp/su
push: .\scripts\superuser/exploit -> /data/local/tmp/exploit
4 files pushed. 0 files skipped.
3401 KB/s (2845659 bytes in 0.817s)
/system/bin/sh: chmod: not found
/system/bin/sh: chmod: not found
Running the exploit ...
/system/bin/sh: /data/local/tmp/exploit: can't execute: Permission denied
Check the output. Does it look fine?
What can I do? I want to fully restore to the stock ROM to fix some problems as the post 'http://forum.xda-developers.com/showthread.php?t=2582773' says, but it needs your device rooted first.
Thanks.
Show us the script body you're pushing.
If you're using some ready scripts I assume the name of it is superuser.sh
CrashThump said:
Show us the script body you're pushing.
If you're using some ready scripts I assume the name of it is superuser.sh
I use the tool from the post “[ROOT] Rooting tutorial - hdx 8.9" 14.3.1.0” http://http://forum.xda-developers.com/showthread.php?t=2545957
@sdcardsd, Did you try to use the expression '/system/bin/toolbox chmod' instead of '/system/bin/chmod' in rootme.sh? For me it seems that you've lost the symlink. This may be caused by some busybox installation and removal.
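The diagnosis above (chmod, chown, mount and friends are symlinks to /system/bin/toolbox on this firmware; a busybox install followed by removal can delete those links, so "chmod: not found" appears while "toolbox chmod" still works) can be confirmed from a script before editing rootme.sh. The following is an added example and not code from any post here; APPLETS is an assumed list limited to the commands rootme.sh and runme.bat use, not the device's complete applet set, and the script name check_applets.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): report which toolbox applet links are
# missing from a bin directory and print the toolbox command that recreates each.
# Usage on the device:  sh check_applets.sh             (checks /system/bin)
#        on a PC:       sh check_applets.sh pulled_bin  (a copy made with adb pull)

APPLETS="chmod chown mount cat ln id ls"

# missing_applets DIR
# Prints one name per line for every applet that does not exist in DIR
# (a dangling symlink counts as missing). Returns 0 if nothing is missing, else 1.
missing_applets() {
    dir=${1:-/system/bin}
    rc=0
    for a in $APPLETS; do
        if [ ! -e "$dir/$a" ]; then
            echo "$a"
            rc=1
        fi
    done
    return $rc
}

# restore_cmd DIR NAME
# Prints the command that recreates NAME as a link to toolbox, invoking the ln
# applet through toolbox itself because ln may be one of the missing links.
restore_cmd() {
    echo "$1/toolbox ln -s $1/toolbox $1/$2"
}

BIN=${1:-/system/bin}
if missing=$(missing_applets "$BIN"); then
    echo "all applets present in $BIN"
else
    echo "missing in $BIN (remount /system rw first, then run):"
    for a in $missing; do
        restore_cmd "$BIN" "$a"
    done
fi
```

Because the `ls` applet may itself be gone, the check relies only on the shell's built-in `[ -e ]` test and on `echo`, which are provided by /system/bin/sh rather than by toolbox.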
CrashThump said:
@sdcardsd, Did you try to use the expression '/system/bin/toolbox chmod' instead of '/system/bin/chmod' in rootme.sh? For me it seems that you've lost the symlink. This may be caused by some busybox installation and removal.
I don't know whether I used the expression '/system/bin/toolbox chmod' instead of '/system/bin/chmod' in rootme.sh; I only used the tools to root my Kindle. But I really installed busybox and then removed it by recovery with the factory reset after I rerooted my device. Then I had some problems on my Kindle; I think the system files were destroyed, so I want to fully restore the original ROM, but I can't root my device again. And if it is caused by losing the symlink, how do I fix it? Thanks.
@sdcardsd, then make a suggested replace
CrashThump said:
@sdcardsd, then make a suggested replace
The only way is to replace my device? But it is very inconvenient for me, I'm not in America.
@sdcardsd, just replace '/system/bin/chmod' by '/system/bin/toolbox chmod' in 'rootme.sh' file.
CrashThump said:
@sdcardsd, just replace '/system/bin/chmod' by '/system/bin/toolbox chmod' in 'rootme.sh' file.
#!/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/cat /data/local/tmp/su > /system/xbin/su
/system/bin/chown 0.0 /system/xbin/su
/system/bin/chmod 06755 /system/xbin/su
You mean I modify the rootme.sh into
#!/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/cat /data/local/tmp/su > /system/xbin/su
/system/bin/chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 06755 /system/xbin/su
CrashThump said:
@sdcardsd, just replace '/system/bin/chmod' by '/system/bin/toolbox chmod' in 'rootme.sh' file.
I have replaced the rootme.sh with
/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/cat /data/local/tmp/su > /system/xbin/su
/system/bin/chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 06755 /system/xbin/su
but it didn't work
the display is
======================================================================
======================================================================
Welcome to Kindle Root Utility (Faznx92 version)
Special Thanks to:
jcase
fi01
======================================================================
======================================================================
WARNING THIS WORKS ONLY WITH KINDLE HDX 8.9" version 14.3.1.0
======================================================================
======================================================================
Please connect Device with enabled USB-Debugging to your Computer!
Device connected. Pushing files...
680 KB/s (104564 bytes in 0.150s)
1 KB/s (196 bytes in 0.168s)
2024 KB/s (507888 bytes in 0.245s)
Changing permissions...
/system/bin/sh: chmod: not found
/system/bin/sh: chmod: not found
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
/system/bin/sh: /data/local/tmp/exploit: can't execute: Permission denied
Type "su" to check for root!
/system/bin/sh: /system/etc/mkshrc[8]: id: not found
@android:/ $
@android:/ $ su
su
/system/bin/sh: su: not found
127 @android:/ $
same for lines 24-25 of runme.bat
Code:
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
change to
Code:
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/rootme.sh
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/exploit
CrashThump said:
same for lines 24-25 of runme.bat
Code:
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
change to
Code:
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/rootme.sh
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/exploit
I replaced the runme.bat;
the display changed, but it didn't work.
======================================================================
======================================================================
Welcome to Kindle Root Utility (Faznx92 version)
Special Thanks to:
jcase
fi01
======================================================================
======================================================================
WARNING THIS WORKS ONLY WITH KINDLE HDX 8.9" version 14.3.1.0
======================================================================
======================================================================
Please connect Device with enabled USB-Debugging to your Computer!
Device connected. Pushing files...
1041 KB/s (104564 bytes in 0.098s)
2 KB/s (196 bytes in 0.083s)
2128 KB/s (507888 bytes in 0.233s)
Changing permissions...
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
press any key to continue. . .
Device detected: KFAPWI (JDQ39)
Attempt acdb exploit...
KFAPWI (JDQ39) is not supported.
Attempt fj_hdcp exploit...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt put_user exploit...
/data/local/tmp/rootme.sh[2]: /system/bin/mount: not found
/data/local/tmp/rootme.sh[3]: can't create /system/xbin/su: Read-only file system
Unable to chown /system/xbin/su: No such file or directory
Unable to chmod /system/xbin/su: No such file or directory
press any key to continue. . .
Type "su" to check for root!
/system/bin/sh: /system/etc/mkshrc[8]: id: not found
@android:/ $ SU
SU
/system/bin/sh: SU: not found
127 @android:/ $
Hummmm. I'm looking into this but can't this week I'm super busy. I don't have the 8.9" I have the 7" so it is hard for me to test. I'm not sure if moving the rootme.sh was a good idea. I think the exploit code isn't finding it. You may need a rebuild of the exploit file. I say throw your question in here to see if someone can help. Still, just hope for the best.
@sdcardsd,
Code:
#!/system/bin/sh
/system/bin/toolbox mount -o remount,rw /system
/system/bin/toolbox cat /data/local/tmp/su > /system/xbin/su
/system/bin/toolbox chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 6755 /system/xbin/su
/system/bin/toolbox ln -s /system/xbin/su /system/bin/su
CrashThump said:
@sdcardsd,
Code:
#!/system/bin/sh
/system/bin/toolbox mount -o remount,rw /system
/system/bin/toolbox cat /data/local/tmp/su > /system/xbin/su
/system/bin/toolbox chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 6755 /system/xbin/su
/system/bin/toolbox ln -s /system/xbin/su /system/bin/su
I replaced the rootme.sh with
#!/system/bin/sh
/system/bin/toolbox toolbox mount -o remount,rw /system
/system/bin/toolbox cat /data/local/tmp/su > /system/xbin/su
/system/bin/toolbox chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 06755(or 6755) /system/xbin/su
/system/bin/toolbox ln -s /system/xbin/su /system/bin/su
but it didn't work
======================================================================
======================================================================
Welcome to Kindle Root Utility (Faznx92 version)
Special Thanks to:
jcase
fi01
======================================================================
======================================================================
WARNING THIS WORKS ONLY WITH KINDLE HDX 8.9" version 14.3.1.0
======================================================================
======================================================================
Please connect Device with enabled USB-Debugging to your Computer!
Device connected. Pushing files...
1215 KB/s (104564 bytes in 0.084s)
5 KB/s (284 bytes in 0.050s)
2194 KB/s (507888 bytes in 0.226s)
Changing permissions...
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
press any key to continue. . .
Device detected: KFAPWI (JDQ39)
Attempt acdb exploit...
KFAPWI (JDQ39) is not supported.
Attempt fj_hdcp exploit...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt put_user exploit...
link failed File exists
press any key to continue. . .
Type "su" to check for root!
/system/bin/sh: /system/etc/mkshrc[8]: id: not found
@android:/ $ su
su
[email protected]:/ #
Faznx92 said:
Hummmm. I'm looking into this but can't this week I'm super busy. I don't have the 8.9" I have the 7" so it is hard for me to test. I'm not sure if moving the rootme.sh was a good idea. I think the exploit code isn't finding it. You may need a rebuild of the exploit file. I say throw your question in here to see if someone can help. Still, just hope for the best.
Thanks, I will wait for the good news.
@sdcardsd, what didn't work? you've got the su working. you've got the root.
CrashThump said:
@sdcardsd, what didn't work? you've got the su working. you've got the root.
I can restore my device, thanks.
sdcardsd said:
But I didn't have the Superuser,and I can‘t edit the system file, such as the build.prop, it don't have the root right. and the root explorer also can't be opened.
this root exploit doesn't auto-install superuser (well it didn't for me), you either have to side-load it or get it through a store. Also if root explorer isn't working have you tried es file explorer? Additionally, you'll have to remount the system folder as rw before you can edit any system files. This can be done through adb shell with the command "mount -o rw,remount /system" after you use the su command. Just as a forewarning, be super careful when editing everything, the kindle is super sensitive to build.prop changes. I boot looped early on, so just as a warning.
S_transform said:
this root exploit doesn't auto-install superuser (well it didn't for me), you either have to side-load it or get it through a store. Also if root explorer isn't working have you tried es file explorer? Additionally, you'll have to remount the system folder as rw before you can edit any system files. This can be done through adb shell with the command "mount -o rw,remount /system" after you use the su command. Just as a forewarning, be super careful when editing everything, the kindle is super sensitive to build.prop changes. I boot looped early on, so just as a warning.
Thanks, I have fully restored my device, and I think all is OK now.
temp root exploit for sony XPERIA 1 and XPERIA 5 with android 10 firmware
including temporary magisk setup from the exploit
The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
This is a modification of the Pixel 3 specific exploit to be compatible with kernel 4.14 that is used with xperia 1/5 phones.
This work has been done in collaboration with @bb-qq, who has implemented support of JP model of xperia 1.
The exploit is extended in a way allowing setup of magisk v20.4 from the temp root, including working su permission asking notification support.
It uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as android service.
There are also many extensions implemented to make the exploit stable with kernel 4.14.
SUPPORTED TARGETS
802SO-55.1.B.0.202 (xperia 1 Japan model)
J8110-55.1.A.0.748 (xperia 1 single sim)
J8170-55.1.A.0.748 (xperia 1 US model)
J9110-55.1.A.0.748 (xperia 1 dual sim)
J9110-55.1.A.3.107 (xperia 1 dual sim)
J9150-55.1.A.3.107 (xperia 1 Japan dual sim)
J9180-55.1.A.0.748 (xperia 1 China model)
J9180-55.1.A.3.107 (xperia 1 China model)
J8210-55.1.A.0.748 (xperia 5 single sim)
J9210-55.1.A.0.748 (xperia 5 dual sim)
J9210-55.1.A.3.112 (xperia 5 dual sim)
The exploit has been tested only with the JP model of xperia 1 (the 802SO-55.1.B.0.202 target), but support for the other targets has been implemented based on static analysis of each kernel image from the target firmware.
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.
USAGE HOWTO INCLUDING MAGISK SETUP
be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
enable developer mode options and in there adb debugging (eventually install adb drivers)
download the x1x5-mroot.zip with the exploit attached in this post
download Magisk-v20.4.zip from magisk releases page on github here
use 'adb push x1x5-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
unzip and prepare magisk setup with following commands in 'adb shell'
Code:
cd /data/local/tmp
unzip x1x5-mroot.zip
chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh
get temp root and start magisk up with following commands in 'adb shell' - do not copy paste them all at once, but enter (or copy&paste) each line separately one by one:
Code:
cd /data/local/tmp
./x1x5-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
If it worked, you should see something like this:
Code:
802SO:/ $ cd /data/local/tmp
802SO:/data/local/tmp $ ./x1x5-mroot
[+] factoryversion = '802SO-55.1.B.0.202'
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffe5cd6e3b00
[+] file epitem at ffffffe54d87eb00
[+] Reallocating content of 'write8_inode' with controlled data..[DONE]
[+] Overwriting 0xffffffe5cd6e3b20 with 0xffffffe54d87eb50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff90392212d0
[+] kernel base: ffffff9037e80000
[+] init_cred: ffffff903a02d808
[+] memstart_addr: 0xffffffdbc0000000
[+] First level entry: 145437003 -> next table at ffffffe585437000
[+] Second level entry: 1e6b41003 -> next table at ffffffe626b41000
[+] sysctl_table_root = ffffff903a05d380
[+] Reallocating content of 'write8_sysctl' with controlled data.[DONE]
[+] Overwriting 0xffffffe6352bcb68 with 0xffffffe54b8a3000...[DONE]
[+] Injected sysctl node!
[+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff903a772ffc with 0x0...[DONE]
[+] Node write8_inode, pid 10824, kaddr ffffffe4e3d18c00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 11452, kaddr ffffffe58324c400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 11338, kaddr ffffffe4e3c05980
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffe5cd6e3b20
[+] epitem.prev = ffffffe5cd6e3bd0
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ true
+ rm -rf /data/adb/magisk.db /data/adb/magisk
+ mkdir -p /data/adb/magisk
+ chmod 700 /data/adb
+ cp -a busybox /data/adb/magisk
+ cp -a magisk /data/adb/magisk
+ cp -a magiskboot /data/adb/magisk
+ cp -a magiskinit /data/adb/magisk
+ cp -a util_functions.sh /data/adb/magisk
+ cp -a boot_patch.sh /data/adb/magisk
+ chmod -R 755 /data/adb/magisk
+ chown -R root:root /data/adb/magisk
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14100
+ '[' -z 14100 ']'
+ >/sbin/.magisk/escalate
+ echo 14100
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14131
+ '[' -n 14131 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.14.117-perf+ #1 SMP PREEMPT Wed Jan 15 23:36:28 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or the kernel boot image, can result in a phone that no longer boots.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
DRM KEY / TA PARTITION BACKUP POSSIBILITY
Please note, this exploit will get you a root shell with still locked xperia 1 and 5 phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
Even though xperia 1 and 5 allows to relock bootloader after unlock, possibly returning drm functionalities, it is very probable that a device key (device specific drm key residing in 66667 ta unit) is still erased on bootloader unlock (and re-lock), so backing up and restoring TA with the key present may actually be useful.
This is something to be tested - anybody considering bootloader unlock of xperia 1 or 5, please be sure to backup TA from still locked state via this exploit and also TA after unlock for comparison.
For more details see here and following post.
SOURCES
Exploit sources are available at my github here.
CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
Thanks to @bb-qq for initial xperia 1 support and testing.
DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.
DOWNLOAD
reserved
factoryversion = '802SO-55.1.B.0.300'
target is not supported.
Tested yesterday on J9210-55.1.A.0.748
But had to enter these
cd /data/local/tmp
./x1x5-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
with an interval of several seconds to avoid reboot
@Coolty, you need to run one of the listed firmware versions in order for the exploit to work. You may need to downgrade.
@nos1609, yes, it may be like that. You should enter (or copy&paste) each line separately one by one, not all of them at once, to have it more stable. It does not work from a script or pasted as a block of commands.
Also be sure to use 'exit' command to end the temp root shell. Do not just close the adb shell window without using the 'exit' command. The 'exit' command is needed to finish proper cleanup after the exploit.
You can disconnect from usb after terminating adb shell with 'exit' command, do not disconnect before exiting it.
@j4nn boss xperia 10 please it is the only new model of xperia that hasn't had temp root yet
@nitrams, xperia 10 kernel is not vulnerable to CVE-2019-2215, at least the two kernel source packages (53.1.A.2.2 and 53.0.A.2.139) released by sony contain the fix for it.
These two kernels are not vulnerable to CVE-2020-0041 either.
j4nn said:
@nitrams, xperia 10 kernel is not vulnerable to CVE-2019-2215, at least the two kernel source packages (53.1.A.2.2 and 53.0.A.2.139) released by sony contain the fix for it.
These two kernels are not vulnerable to CVE-2020-0041 either.
If i can flash back to older build like android 9 53.0.A.14.47 is there a possibility?
@nitrams, I have no idea how it is with other fw versions or other possible vulnerabilities. Sources are released only for the two I have mentioned above (and one of them is even corrupted, so it cannot be fully unpacked). I would assume that 53.0.A.2.139 is android 9.
Thank you for publishing this!
Here is all FTFs for Japanese models:
https://ftf.andro.plus/
any possible use CVE-2020-0041 exploit temp root for mi10pro?
@aolaol, you need to check kernel source to see if or which kernel is vulnerable first.
See The patch overview here:
https://www.synacktiv.com/en/publications/binder-analysis-and-exploitation-of-cve-2020-0041.html
This is great. But a functional twrp would be amazing
@TrustAugustus, with a functional twrp it would not be a temp root any more, would be?
Just backup TA partition and then unlock the bootloader.
You can re-lock with xperia 1/5 if you need.
After re-lock, use the temp root again and restore the locked state TA backup.
j4nn said:
@aolaol, you need to check kernel source to see if or which kernel is vulnerable first.
See The patch overview here:
https://www.synacktiv.com/en/publications/binder-analysis-and-exploitation-of-cve-2020-0041.html
Do you want to develop it for mi10pro
can anyone report this as 100% working and when relocking the bootloader and restoring the TA, does the phone go back completely to manufacturer state?
j4nn said:
Just backup TA partition and then unlock the bootloader.
You can re-lock with xperia 1/5 if you need.
After re-lock, use the temp root again and restore the locked state TA backup.
Could you please give me a hint how to backup the TA area, preferably from the command line ?
Regards,
RV.
Dear folks,
lack of some precise details of using this method ...
Can somebody please tell me the exact procedure to do after the
Code:
cd /data/local/tmp
unzip x1x5-mroot.zip
chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh
just to avoid painful errors ...?
I have all my prerequisites together and I'm on J9210-55.1.A.3.112 stock, bootloader locked.
1. After the magisk-setup.sh has finished, can/should I directly proceed in the same adb shell with
Code:
./x1x5-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
?
2. Where to enter the "su" ?
3. I want to install some apps that require root (titanium backup, greenify, afwall+ ...). Using the proposed method, at what point and in which way am I able to do so?
4. I want to backup the TA with the script by devshaft. Can I do this when the temp root shell is still open ?
The section of Post 1 that confuses me most is
j4nn said:
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.
Best regards,
RV.
Okay, Update:
I followed the steps from post 1 and am stuck now.
Everything went okay regarding the run of the scripts, then I typed "exit" in the adb shell. Now my phone is dead after getting slower and slower over a minute.
Some hints what to do ?
Edit: After hard reset (volume up + power few seconds) and a second run now all works fine.
Thanks for support.
Okay, a few last questions:
I was able to install apps that need root. What to do if an app needs permanent root ? Is there a way with the magisk manager ?