[Q] ro.secure seems to have no effet on my kernel - Galaxy S II Q&A, Help & Troubleshooting

Hi,
I am trying to compile my own kernel for the GT-I9100 running ICS and make it unsecure for a school project.
Compiling and running that kernel works well, except for the ro.secure=0 property set in the default.prop file. The property is correctly defined as a getprop ro.secure will return 0 when the phone is running, but ADB won't give me a root access by default, which I need for my project.
The same parameter in previous Gingerbread Roms I have been using worked like a charm.
Is there anything I've been missing ? The Kernel I use is the one provided by Samsung and is not heavily modified.
Thanks !

Related

Compile Kernel Module

Whats the right way of compiling a module for the Atrix kernel?
I'm currently using the stock android 2.6.32.9 linux sources and the Atrix's config, although I can't get the kernel to agree with the modules I'm trying to build.
Motorola didn't use froyo sources to compile the kernel, they used vanilla 2.6.32.9 to do it.
The last problem is that modules are built as ARMv5 instead of ARMv7, probably since there is a patch setting the system type to Tegra 2.
Compile Atrix 2.3.6 kernel mods
I've grabbed the source for the 91 kernel source since the 141 kernel source has not be release. I need to get iso9660 and udf file system support.
I've followed this thread on compiling the kernel http://forum.xda-developers.com/showthread.php?t=1141506
I can successfully compile the kernel and the kernel modules, but I keep getting an invalid module format error, what's a revised way for compiling kernel mods?
[email protected]:/opt/dev/kernel modules/kmods$ sudo insmod ext4.ko
insmod: error inserting 'ext4.ko': -1 Invalid module format
[email protected]:/opt/dev/kernel modules/kmods$ sudo insmod udf.ko
insmod: error inserting 'udf.ko': -1 Invalid module format
My end Goal after I get the kernel mods working is to compile a kernel with swap support.
Thanks for any help rendered.
When you get the insmod errors try looking at dmesg at the tail end of the log, usually that error means the version string doesn't match what is baked into the kernel.
Cheers!
cpuchip said:
My end Goal after I get the kernel mods working is to compile a kernel with swap support.
Thanks for any help rendered.
Click to expand...
Click to collapse
The general rule is that you do not want to enable swap on a flash based file system, but that is up to you.
Are you getting the module load errors against your own kernel, or are you trying to reproduce the stock kernel and your modules fail when loading against the real stock kernel?
If the latter, there are many things to look at. First would be your cross tools. These could easily produce incompatable code. But if the error is just a symble not found, then most likely your kernel config does not match the running kernel.
EDIT: missed the error messages, but it still is about the same answer. The compiler is generating the wrong code either becasue it is different from that whcih generated the running kernel, or the config options comming out of your kernel tree are not matching.
Have you tried actually running your kernel?
Thanks so much for the advice from the two of you. These are my dmesg errors. they pop up right after I enter the command: insmod isofs.ko
[505123.289798] usb_ether_get_stats
[505123.322414] isofs: no symbol version for module_layout
I'm new to kernel work. I used the config from my phone directly, it was located at /proc/config.gz
I used the cross compilers as defined in the post I linked to in my first post. unfortunately I don't have the source to 141, just 91, what's on source forge from motorola. I don't know if they did any changes between the two, but the release version was slightly different between the two.
I'm okay with burning through external sd cards for the sake of having more browser tabs open, and an overall more responsive system.
---------- Post added at 10:44 PM ---------- Previous post was at 10:20 PM ----------
I saw in one thread that you have to compile the kernel first before the modules. I did that, and now I'm getting a new error:
[506616.823352] usb_ether_get_stats
[506616.867837] isofs: disagrees about version of symbol module_layout
seems to be a version conflict. do I have to inject that in on compile?
Have a look here: http://forum.xda-developers.com/showthread.php?t=1014010
Not the modules you are talking about, but same error.
For cifs/smb I ended up using smbnetfs, taking advantage of the fuse fs already in place. /dev/fuse has to be set group fuse with rw for group, and user adas has to be in group fuse.
Cheers!

[Q] Can any kernel developer help me?

I am trying to compile and insert the CFG80211.ko module
I have built an Ubuntu VM and installed the correct codesourcery cross compiler.
I have been able to build several modules which successfully insert. (ntfs, lib80211, all three lib80211_crypt modules, all three wusb modules, uwb, veth etc etc)
however the cfg80211.ko module always fails with invalid argument.
dmesg reports :-
Code:
[140146.246732] cfg80211: disagrees about version of symbol wireless_send_event
[140146.246751] cfg80211: Unknown symbol wireless_send_event (err -22)
cfg80211 depends on rfkill which is, as far as I cant tell, precompiled into the phone kernel.
the relevant section of the config file is as follows:-
Code:
#
# Bluetooth device drivers
#
# CONFIG_BT_HCIBTUSB is not set
# CONFIG_BT_HCIBTSDIO is not set
CONFIG_BT_HCIUART=y
CONFIG_BT_HCIUART_H4=y
# CONFIG_BT_HCIUART_BCSP is not set
# CONFIG_BT_HCIUART_LL is not set
# CONFIG_BT_HCIBCM203X is not set
# CONFIG_BT_HCIBPA10X is not set
# CONFIG_BT_HCIBFUSB is not set
# CONFIG_BT_HCIVHCI is not set
# CONFIG_BT_MRVL is not set
CONFIG_BT_HID=m
# CONFIG_AF_RXRPC is not set
CONFIG_FIB_RULES=y
CONFIG_WIRELESS=y
CONFIG_WIRELESS_EXT=y
CONFIG_WEXT_CORE=y
CONFIG_WEXT_PROC=y
CONFIG_WEXT_SPY=y
CONFIG_WEXT_PRIV=y
CONFIG_WIRELESS_COMPAT=m
CONFIG_CFG80211=m
# CONFIG_NL80211_TESTMODE is not set
# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
# CONFIG_CFG80211_REG_DEBUG is not set
# CONFIG_CFG80211_DEFAULT_PS is not set
# CONFIG_CFG80211_DEBUGFS is not set
# CONFIG_CFG80211_INTERNAL_REGDB is not set
CONFIG_CFG80211_WEXT=y
# CONFIG_WIRELESS_EXT_SYSFS is not set
CONFIG_LIB80211=m
CONFIG_LIB80211_CRYPT_WEP=m
CONFIG_LIB80211_CRYPT_CCMP=m
CONFIG_LIB80211_CRYPT_TKIP=m
# CONFIG_LIB80211_DEBUG is not set
CONFIG_MAC80211=m
CONFIG_MAC80211_HAS_RC=y
# CONFIG_MAC80211_RC_PID is not set
CONFIG_MAC80211_RC_MINSTREL=y
# CONFIG_MAC80211_RC_DEFAULT_PID is not set
CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT="minstrel"
# CONFIG_MAC80211_MESH is not set
# CONFIG_MAC80211_LEDS is not set
# CONFIG_MAC80211_DEBUGFS is not set
# CONFIG_MAC80211_DEBUG_MENU is not set
# CONFIG_WIMAX is not set
CONFIG_RFKILL=y
CONFIG_RFKILL_PM=y
# CONFIG_RFKILL_INPUT is not set
# CONFIG_NET_9P is not set
# CONFIG_CAIF is not set
#
# Device Drivers
#
Full .config file attached below.
I have tried converting RFKILL to a module, in order to enable CONFIG_RFKILL_INPUT to yes but the compile completely fails when this is set.
I have added WIRELESS_COMPAT details in the Kconfig file but this did not help and I am now lost as to how to troubleshoot this?
Anyone have any idea on what might be missing?
If you're able to compile the modules, you should be able to compile the kernel - do the modules insmod against the compiled kernel?
Entropy512 said:
If you're able to compile the modules, you should be able to compile the kernel - do the modules insmod against the compiled kernel?
Click to expand...
Click to collapse
Yes all the other modules I mentioned all insert fine the ones that I have compiled that dont insert have dependancies that all stem back to the cfg80211.ko that is giving me the messages in the first post.
from the documentation cfg80211 is dependant on RFKILL which is precompiled into the kernel.
Entropy512 said:
If you're able to compile the modules, you should be able to compile the kernel - do the modules insmod against the compiled kernel?
Click to expand...
Click to collapse
Ahhh rereading your post, I see what you mean, I haven't installed the built kernel (though I did do the full build) on the phone, not entirely sure how to package it and I haven't tried to look because I really dont want to install a full kernel on the phone.
In any case I have used the default samsung config to build from fro the correct kernel.
curioct said:
I am trying to compile and insert the CFG80211.ko module
I have built an Ubuntu VM and installed the correct codesourcery cross compiler.
I have been able to build several modules which successfully insert. (ntfs, lib80211, all three lib80211_crypt modules, all three wusb modules, uwb, veth etc etc)
however the cfg80211.ko module always fails with invalid argument.
dmesg reports :-
Code:
[140146.246732] cfg80211: disagrees about version of symbol wireless_send_event
[140146.246751] cfg80211: Unknown symbol wireless_send_event (err -22)
cfg80211 depends on rfkill which is, as far as I cant tell, precompiled into the phone kernel.
the relevant section of the config file is as follows:-
Code:
#
# Bluetooth device drivers
#
# CONFIG_BT_HCIBTUSB is not set
# CONFIG_BT_HCIBTSDIO is not set
CONFIG_BT_HCIUART=y
CONFIG_BT_HCIUART_H4=y
# CONFIG_BT_HCIUART_BCSP is not set
# CONFIG_BT_HCIUART_LL is not set
# CONFIG_BT_HCIBCM203X is not set
# CONFIG_BT_HCIBPA10X is not set
# CONFIG_BT_HCIBFUSB is not set
# CONFIG_BT_HCIVHCI is not set
# CONFIG_BT_MRVL is not set
CONFIG_BT_HID=m
# CONFIG_AF_RXRPC is not set
CONFIG_FIB_RULES=y
CONFIG_WIRELESS=y
CONFIG_WIRELESS_EXT=y
CONFIG_WEXT_CORE=y
CONFIG_WEXT_PROC=y
CONFIG_WEXT_SPY=y
CONFIG_WEXT_PRIV=y
CONFIG_WIRELESS_COMPAT=m
CONFIG_CFG80211=m
# CONFIG_NL80211_TESTMODE is not set
# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
# CONFIG_CFG80211_REG_DEBUG is not set
# CONFIG_CFG80211_DEFAULT_PS is not set
# CONFIG_CFG80211_DEBUGFS is not set
# CONFIG_CFG80211_INTERNAL_REGDB is not set
CONFIG_CFG80211_WEXT=y
# CONFIG_WIRELESS_EXT_SYSFS is not set
CONFIG_LIB80211=m
CONFIG_LIB80211_CRYPT_WEP=m
CONFIG_LIB80211_CRYPT_CCMP=m
CONFIG_LIB80211_CRYPT_TKIP=m
# CONFIG_LIB80211_DEBUG is not set
CONFIG_MAC80211=m
CONFIG_MAC80211_HAS_RC=y
# CONFIG_MAC80211_RC_PID is not set
CONFIG_MAC80211_RC_MINSTREL=y
# CONFIG_MAC80211_RC_DEFAULT_PID is not set
CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT="minstrel"
# CONFIG_MAC80211_MESH is not set
# CONFIG_MAC80211_LEDS is not set
# CONFIG_MAC80211_DEBUGFS is not set
# CONFIG_MAC80211_DEBUG_MENU is not set
# CONFIG_WIMAX is not set
CONFIG_RFKILL=y
CONFIG_RFKILL_PM=y
# CONFIG_RFKILL_INPUT is not set
# CONFIG_NET_9P is not set
# CONFIG_CAIF is not set
#
# Device Drivers
#
Full .config file attached below.
I have tried converting RFKILL to a module, in order to enable CONFIG_RFKILL_INPUT to yes but the compile completely fails when this is set.
I have added WIRELESS_COMPAT details in the Kconfig file but this did not help and I am now lost as to how to troubleshoot this?
Anyone have any idea on what might be missing?
Click to expand...
Click to collapse
Are you installing the kernel and modules, or just the modules? If you are just installing the modules, are you using an IDENTICAL version of gcc, with nothing changed between N<=>M<=>Y except for your rt2x00 module in the .config?
useful information would be:
Your kernel version string from the phone: uname -a
A diff of the base .config and the new .config: diff -ubw orig.config new.config
A diff of the phone's working .config and your .config.
You can generally get the .config your running kernel was compiled with from /proc/config.gz on the device. You would then need to gunzip that and compare it to your .config with the diff command above.
s0be said:
Are you installing the kernel and modules, or just the modules? If you are just installing the modules, are you using an IDENTICAL version of gcc, with nothing changed between N<=>M<=>Y except for your rt2x00 module in the .config?
useful information would be:
Your kernel version string from the phone: uname -a
A diff of the base .config and the new .config: diff -ubw orig.config new.config
A diff of the phone's working .config and your .config.
You can generally get the .config your running kernel was compiled with from /proc/config.gz on the device. You would then need to gunzip that and compare it to your .config with the diff command above.
Click to expand...
Click to collapse
Unfortunately /proc/config.gz support is not configured in the samsung kernel by default therefore the file is not present. uname gives 2.6.35.7-I9100XXKH3-CL479037
And I have tried the recommended codesourcery cross compiler and one other variant of this and the results are the same.
it's a stock rom with an insecure kernel (basically a repack of the stock kernel) to allow rooting from what I can gather.
I have tried many configuration of build from the default .config and just building the top dependancy module from the default config
In this case the top of the tree is CFG80211
(rt2x00usb depends on rt2x00lib, depends upon mac80211, mac8211 depends upon cfg80211 and cfg80211 depends upon rfkill. There are also some dependencies on kernel crypto libraries which I am unclear about but should be in the kernel build)
I have found it makes no difference at all if I build lots of modules at once or just the very bare CFG80211.ko with as few options as possible. The failures are the same trying to insert cfg80211.ko. as it is whether I use busybox insmod, standard insmod or insmod from within a chroot. (in the searches I read modules can behave differently with busybox)
the only changes I made from the samsung default config is switching some debugging options off as per this thread http://forum.xda-developers.com/showthread.php?t=1123643
other than that it is a stock samsung default config for a 2.6.25.7 kernel build, as distributed in the samsung source code.
I haven't had the nerve to install the fully built kernel because the phone is a key tool for me reflashing a kernel is kind of a last resort
The attached rar file includes the default config (c1_rev02_premium_defconfig) the config used (.config) the output of diff -uwb between the two (differences.txt) and the two modules built ntfs.ko and cfg80211.ko.
file reveal ELF 32-bit LSB relocatable, ARM, version 1 (SYSV), not stripped on both modules. (done chroot)
I use ntfs.ko as a control since it's a small module and in this build it inserts just fine. cfg80211.ko fails with the same message and dmesg info mentioned in the first post.
As I previously mentioned I did try modifying the RFKILL sections to be built as a module but when this is attempt the kernel build fails completely with the error:-
Code:
ERROR: "s3c_gpio_slp_cfgpin" [arch/arm/mach-s5pv310/c1-rfkill.ko] undefined!
ERROR: "s3c_gpio_slp_setpull_updown" [arch/arm/mach-s5pv310/c1-rfkill.ko] undefined!
WARNING: modpost: Found 1 section mismatch(es).
To see full details build your kernel with:
Thanks for looking at this for me
Do you have a link to your kernel tree? I'd suspect that CFG80211_WEXT being enabled makes some changes in the WEXT functions that get compiled in kernel. With CONFIG_WEXT_* being =Y, your enableing CFG80211_WEXT probably made things not agree. Also, I believe the rt2x00 driver is a mac80211 one, so you'll likely need that too.
In summary, you'll very likely have to use your own kernel to get this going. At least loading the ntfs.ko answers that it's not a toolchain/source tree issue.
curioct said:
I use ntfs.ko as a control since it's a small module and in this build it inserts just fine. cfg80211.ko fails with the same message and dmesg info mentioned in the first post.
As I previously mentioned I did try modifying the RFKILL sections to be built as a module but when this is attempt the kernel build fails completely with the error:-
Code:
ERROR: "s3c_gpio_slp_cfgpin" [arch/arm/mach-s5pv310/c1-rfkill.ko] undefined!
ERROR: "s3c_gpio_slp_setpull_updown" [arch/arm/mach-s5pv310/c1-rfkill.ko] undefined!
WARNING: modpost: Found 1 section mismatch(es).
To see full details build your kernel with:
Click to expand...
Click to collapse
This error is due to another missing dependency (and the lack of proper dependency definitions in KCONFIG). You need to do:
egrep "s3c_gpio_slp_" -rsn
to find where those functions are defined, and find out why they're not being compiled. It's quite likely something like enabling rfkill for your arch/tree pulled in that c1-rfkill file (is your board a c1?) which is either not for your actual device, or dependent on something else being enabled. This is wholly based on previous experience with HTC kernel trees, where files from other Boards seemed to tag along.
I have no samsung hardware (although the GSII is on the list of what I'm considering ;-) )
s0be said:
Do you have a link to your kernel tree? I'd suspect that CFG80211_WEXT being enabled makes some changes in the WEXT functions that get compiled in kernel. With CONFIG_WEXT_* being =Y, your enableing CFG80211_WEXT probably made things not agree. Also, I believe the rt2x00 driver is a mac80211 one, so you'll likely need that too.
In summary, you'll very likely have to use your own kernel to get this going. At least loading the ntfs.ko answers that it's not a toolchain/source tree issue.
Click to expand...
Click to collapse
I am aware I'll need other modules but they all come back to dependancy on CFG80211 so I am concentrating my efforts around that.
The link to the kernel tree is
git://opensource.samsung.com/p_497
but I have also used :-
https://github.com/GalaxySII/samsung-kernel-galaxysii
with the exact same results.
The config_wext elements are listed under the bluetooth elements, but I am firstly concerned that disabling these elements with adversely effect the standard wifi comms. which would not be acceptable even if I could package and install a fully kernel build. (which I can probably do enough research, on this site, to work out eventually, although I admit to some trepidation about this).
curioct said:
I am aware I'll need other modules but they all come back to dependancy on CFG80211 so I am concentrating my efforts around that.
The link to the kernel tree is
git://opensource.samsung.com/p_497
but I have also used :-
https://github.com/GalaxySII/samsung-kernel-galaxysii
with the exact same results.
The config_wext elements are listed under the bluetooth elements, but I am firstly concerned that disabling these elements with adversely effect the standard wifi comms. which would not be acceptable even if I could package and install a fully kernel build. (which I can probably do enough research, on this site, to work out eventually, although I admit to some trepidation about this).
Click to expand...
Click to collapse
Ok, per:
https://github.com/GalaxySII/samsun...gt-i9100-gingerbread/net/wireless/wext-core.c
Lines: 434, 548, and 613, 653
Your kernel will have to be replaced to have cfg80211, mac80211, and rt2x00 working. There is no way around this, as that code is compiled into the kernel, and cfg80211 and mac80211 depend on those function doing more than your kernel does. There's no way around it. That's only analyzing the wext-core... there may be other differences.
s0be said:
Ok, per:
https://github.com/GalaxySII/samsun...gt-i9100-gingerbread/net/wireless/wext-core.c
Lines: 434, 548, and 613, 653
Your kernel will have to be replaced to have cfg80211, mac80211, and rt2x00 working. There is no way around this, as that code is compiled into the kernel, and cfg80211 and mac80211 depend on those function doing more than your kernel does. There's no way around it. That's only analyzing the wext-core... there may be other differences.
Click to expand...
Click to collapse
thanks for a definitive answer
I guess I need to go away and learn about kernel packaging and the bootloader stuff cant afford to brick my phone regularly trying this stuff and must keep CWM alive
Thanks for your help

warning on compiling kernel from SE source

i followed this tutorial
http://developer.sonymobile.com/wp/2011/05/06/how-to-build-a-linux-kernel/
when i give the command
[email protected]:~/Desktop/sony/kernel$ ARCH=arm CROSS_COMPILE=~/Desktop/sony/arm-2010q1/bin/arm-none-eabi- make semc_coconut_defconfig
drivers/usb/gadget/Kconfig:826:warning: defaults for choice values not supported
#
# configuration written to .config
#
so whats this warning and why am i getting it?
everything else goes smooth and i get the zimage fine
i am using ubuntu 12.04
also since only play,neo and arc are mentioned in the link, what kernel source is to be used for the mini/coconut etc family?
from
http://developer.sonymobile.com/wportal/devworld/search-downloads/opensource/android
thank you

[Q] Insecure boot.img (Jelly Bean)

Hi,
I try to have my own insecure boot.img for my Galaxy S3 (GT-I9300) on Jelly Bean.
I have repack boot.img with ro.secure=0 and ro.debuggable=1, but it doesn't work on JB (it works on ICS).
Do you know why it doesn't work ? Have you a solution ?
PS : I wouldn't use Insecure Adbd by Chainfire, even if he has worked fine and I love his work.
Best regards,
adbd binaries from release builds of JB ignore the ro.secure setting. You can unpack the initrd of the Perseus kernel to use the JB adbd binary I built that doesn't drop root privileges, or extract adbd.png from adbd Insecure and use that binary in your initrd.
Sent from my GT-I9300 using Tapatalk 2
qwerty12 said:
adbd binaries from release builds of JB ignore the ro.secure setting. You can unpack the initrd of the Perseus kernel to use the JB adbd binary I built that doesn't drop root privileges, or extract adbd.png from adbd Insecure and use that binary in your initrd.
Sent from my GT-I9300 using Tapatalk 2
Click to expand...
Click to collapse
First, thanks you for you reply.
If I understand, two solutions :
1 - Use adbd binary built by you (but I don't understand : that doesn't drop root privileges -> That means our own read ro.secure value ?)
2 - Use adbd.png (not an image file ?) to replace the original one
It's right ?
If I understand, two solutions :
1 - Use adbd binary built by you (but I don't understand : that doesn't drop root privileges -> That means our own read ro.secure value ?)
Click to expand...
Click to collapse
adbd is started as root by init; however, it will usually switch user to the "shell" account, which is, well, not as powerful as root. I'm sure you see it when you run "adb shell" currently
If you look at adb.c, line 899 you'll see that if ALLOW_ADBD_ROOT is not defined then adbd will not even look at the ro.secure property to determine whether it should then drop its root privileges; it will always do so (the function always returns 1).
ALLOW_ADBD_ROOT is only defined when the build target is set to a debug one, not a release one. With ALLOW_ADBD_ROOT defined, only then adbd, through the now more "complete" should_drop_privileges function, will look at the ro.secure property to determine whether it should drop its privileges.
Instead of changing Android.mk to always define ALLOW_ADBD_ROOT, I changed "return 1" into "return 0" because I don't want to change the ro.secure property, but I don't want adbd to drop privileges. I don't know if it does it now, but the SysScope service on Samsung phones that checks for root may also look at the ro.secure property and I don't want to give it another reason to mark my device as Modified.
2 - Use adbd.png (not an image file ?) to replace the original one
It's right ?
Click to expand...
Click to collapse
adbd.png is the adbd binary in Chainfire's adbd Insecure apk. It has the .png extension so that some tool in the SDK won't attempt to compress it. It also doesn't drop privileges and is JB compatible. Just offering it as an alternative
Best regards
You are so helpful for me with your explanations about adb.c.
I'm so stupid, I haven't look the source code. Shame on me, I use and build apps for GNU/Linux for over 10 years and I don't look that.
Thanks man !

[help] ratel cell r1020 rooting

Hello,
I have a device called RATEL CELL R1020 with OS android 8.0 oreo.
I tried some applications for rooting this smartphone like kingroot, kingoroot, etc but failed. This device can't unlock bootloader, so I see rooting with exploit in youtube like thomasking. Please anyone here help me to rooting my smartphone?
4.4.78perf+ kernel
this attachment is screenshot of the system
Thankyou
j4nn said:
@arifincaesar, do you have your phone's firmware in a downloadable form? Can you obtain linux kernel source code for your phone?
I could imagine adapting this (exploit source code here) for your phone, but the kernel binary that is running on the phone is a must pre-requisite. Obviously it would be only a temp root.
Click to expand...
Click to collapse
arifincaesar said:
there is no way to get firmware of this phone sir..
and there's no way to unlock bootloader..
i think the only way to backup firmware this device is exploit and getting root access without ubl..
there is just said 4.4.78-perf+
Click to expand...
Click to collapse
In my opinion, there is no exploit that would not need offsets within kernel image in advance.
Because of that you need a copy of kernel binary that is running on the phone.
Obviously it is not possible to back up kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is linux kernel running on the phone (android uses linux kernel) you have legal options to request corresponding kernel source code, because linux kernel is distributed under gpl license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
j4nn said:
In my opinion, there is no exploit that would not need offsets within kernel image in advance.
Because of that you need a copy of kernel binary that is running on the phone.
Obviously it is not possible to back up kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is linux kernel running on the phone (android uses linux kernel) you have legal options to request corresponding kernel source code, because linux kernel is distributed under gpl license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
Click to expand...
Click to collapse
is that bug when i had activated oem unlock in dev options but cannot unlock with fastboot mode?
j4nn said:
In my opinion, there is no exploit that would not need offsets within kernel image in advance.
Because of that you need a copy of kernel binary that is running on the phone.
Obviously it is not possible to back up kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is linux kernel running on the phone (android uses linux kernel) you have legal options to request corresponding kernel source code, because linux kernel is distributed under gpl license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
Click to expand...
Click to collapse
can you help me please?
arifincaesar said:
can you help me please?
Click to expand...
Click to collapse
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
j4nn said:
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
Click to expand...
Click to collapse
hehe i keep watching your work for exploit sir
if there something new exploit i'll try to my phone
thx before
@arifincaesar, try this please:
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
That should try the offsets defined for xz1c. It's a blind try, but let's see.
Please post the log in a text form (copy it via clipboard from the terminal), using the CODE tags in the message (can be used with the # icon in advanced post).
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
i can't believe, it work bro i swear :v
is that my phone rooted?
nope i think my phone is not rooted yet..
i check from root checker it say "sorry root access is not properly installed on this device."
@j4nn heres the output
bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffcfe0d68000
MAIN: thread_info_ptr = ffffffd04aa3c000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kernel slide invalid (0x4ffabc7b50)
kaslr slide 0x0
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
Cell:/data/local/tmp # cd
Cell:/ # ls
ls: ./cache: Permission denied
ls: ./init: Permission denied
ls: ./init.environ.rc: Permission denied
ls: ./init.rc: Permission denied
ls: ./init.recovery.qcom.rc: Permission denied
ls: ./init.usb.configfs.rc: Permission denied
ls: ./init.usb.rc: Permission denied
ls: ./init.zygote32.rc: Permission denied
ls: ./init.zygote64_32.rc: Permission denied
ls: ./postinstall: Permission denied
ls: ./ueventd.rc: Permission denied
ls: ./verity_key: Permission denied
acct bt_firmware bugreports charger config d data default.prop dev dsp etc firmware lost+found mnt oem persist proc res root sbin sdcard storage sys system vendor
1|Cell:/ #
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
j4nn said:
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
Click to expand...
Click to collapse
hehe thanks for information sir..
@arifincaesar, see PM please...
j4nn said:
@arifincaesar, see PM please...
Click to expand...
Click to collapse
ok sir, thank you very much for helping me.. T_T
pm sent
cve-2019-2215 based temp root exploit for ratel cell r1020
Here is a temp root exploit tailored specifically for RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporal root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually kernel memory dump has been retrieved (after KASLR bypass done in a generic way), so implementation of the final stage to bypass selinux and patch credentials to get root could be done.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
EDIT: Updated ratel cell temp root with v2, supposed to work also with ratel cell having May 1, 2018 security patch level.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
If you like my work, you can donate to me via paypal (including card payment) or bitcoin - for details just follow the "Donate to Me" button please. Thank you.
Thread closed per OP request.
MOD ACTION:
Thread reopened per OP's request
j4nn said:
Here is a temp root exploit tailored specifically for RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporal root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually kernel memory dump has been retrieved (after KASLR bypass done in a generic way), so implementation of the final stage to bypass selinux and patch credentials to get root could be done.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
Click to expand...
Click to collapse
yes, it work sir thank you so much here is the log
but i think there other problem i will posting it later here
Code:
Cell:/data/local/tmp $ ./bindershellnew
bindershell - temp root shell using CVE-2019-2215, tailored for RATEL CELL R1020
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffd4316e9b00
MAIN: thread_info_ptr = ffffffd471268000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
attempting kaslr bypass: leaked ptr 0xffffff8a82608658
kernel base=0xffffff8a81480000 slide=0xa79400000
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # getenforce
Permissive
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:toolbox:s0
Cell:/data/local/tmp # uname -a
Linux localhost 4.4.78-perf+ #1 SMP PREEMPT Tue Mar 6 11:00:11 CST 2018 aarch64
Cell:/data/local/tmp #
Hi there sir @j4nn .
I'm yusuv, ratel cell user. I've been following this thread.
And lately seems the exploit works as intended.
The things is, ratel cell not only have the January patch on all the devices. I've tried the exploit and its stuck on the build number prop and it won't go any further.
Afaik, ratel have 2 ROM builds, one patch is January which is you build the exploit for, the other one is May 1, 2018 patch. With also different build number.
On behalf Ratel Cell user with the may patch. I'm here to ask you, is there any way for us with the May patch being able to root our device?
Thanks in advance.
Dear sir @j4nn.
can you help us on how to install custom recovery in Ratel Cell, if you are willing to help, we will be very grateful.

Categories

Resources