Hello everybody!
I'm a noob on Android and I have a strange problem. I rooted my Wiko Pulp Fab (Lollipop 5.1) with KingRoot (after so many tries with other solutions) and now when I get root, internet doesn't seem to work.
I intend to use Linux Deploy and it can't download distribs (I tried using domain names and IPs, no difference).
And when I connect to my phone's shell with adb I have the same problem.
Normal user in shell, connection works:
Code:
[email protected]:/ $ ping wikipedia.fr
PING wikipedia.fr (78.109.84.114) 56(84) bytes of data.
64 bytes from wikimedia2.typhon.net (78.109.84.114): icmp_seq=1 ttl=56 time=17.9 ms
64 bytes from wikimedia2.typhon.net (78.109.84.114): icmp_seq=2 ttl=56 time=29.8 ms
64 bytes from wikimedia2.typhon.net (78.109.84.114): icmp_seq=3 ttl=56 time=30.1 ms
64 bytes from wikimedia2.typhon.net (78.109.84.114): icmp_seq=4 ttl=56 time=30.0 ms
64 bytes from wikimedia2.typhon.net (78.109.84.114): icmp_seq=5 ttl=56 time=29.1 ms
...
Root in shell, connection doesn't work:
Code:
[email protected]:/ # ping wikipedia.fr
connect: Bad file number
2|[email protected]:/ # ping 78.109.84.114
connect: Bad file number
I tried ping and other binaries; it doesn't work.
What's wrong? I heard that is a C error message about socket usage, but how can I fix it?
Maybe it is a problem with KingRoot? I tried many, many solutions to root my phone but nothing works. I tried to install "su" myself with adb or fastboot but it doesn't work (I don't know Android very well yet, I just began learning a few days ago).
Many thanks for your help!
EDIT
I found a solution so I publish it here, maybe it can help!
If this error appears, it is probably because SELinux is in enforcing mode. SELinux is a security module that restricts users.
To display refused operations:
Code:
# dmesg | grep -i denied
To activate SELinux permissive mode:
Code:
# setenforce 0
That's all!
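A way to read the `dmesg | grep -i denied` output before reaching for setenforce 0, as an added example that is not part of the thread: it parses avc denial lines into the denied domain, object class and permissions, so the missing rule is known instead of switching every process on the device to permissive. The sample lines are constructed; the field names are the kernel's, the pids, inodes and contexts are made up.

```python
"""Triage SELinux denials behind errors like 'connect: Bad file number'.

Added example, not from the thread: parses 'dmesg | grep -i denied' style lines
into the denied domain, object class and permissions, so the policy gap is known
before anyone switches the whole device to permissive with setenforce 0.
"""
import re

# Constructed sample lines.  The field names (comm, scontext, tcontext, tclass,
# permissive) are what the kernel audit subsystem emits; pids, inodes and
# timestamps are made up for this example.
SAMPLE_DMESG = """\
[  512.301] type=1400 audit(1449012345.123:41): avc: denied { create } for pid=5120 comm="ping" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=rawip_socket permissive=0
[  512.302] type=1400 audit(1449012345.125:42): avc: denied { read } for pid=5121 comm="wget" name="resolv.conf" dev="mmcblk0p21" ino=1337 scontext=u:r:su:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
[  513.007] type=1400 audit(1449012346.000:43): avc: denied { connect } for pid=5122 comm="ping" scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=rawip_socket permissive=1
[  513.100] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one avc denial line, or None for unrelated dmesg lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    # contexts look like u:r:su:s0; the third field is the domain / type name
    rec["sdomain"] = rec.get("scontext", "::?:").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?:").split(":")[2]
    # permissive=1 means the access was only logged, so it cannot be the cause
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(dmesg_text):
    """Group enforced denials by (source domain, target class, perms); the value
    is the list of commands that hit that missing rule."""
    groups = {}
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            key = (rec["sdomain"], rec.get("tclass", "?"), " ".join(rec["perms"]))
            groups.setdefault(key, []).append(rec.get("comm", "?"))
    return groups


def explain(groups):
    """One human-readable line per missing policy rule."""
    return ["domain %s may not {%s} on class %s (seen from: %s)"
            % (dom, perms, cls, ", ".join(sorted(set(comms))))
            for (dom, cls, perms), comms in sorted(groups.items())]


if __name__ == "__main__":
    for line in explain(summarize(SAMPLE_DMESG)):
        print(line)
```

On a real device, feed it `adb shell dmesg` output; a denial with permissive=1 is audit-only and is not what produces the error.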
The issue is that with LP root now needs a kernel change to make root work properly. King root is a joke and should never be used
zelendel said:
The issue is that with LP root now needs a kernel change to make root work properly. King root is a joke and should never be used
OK so what can I do? Where can I find docs about kernel changes?
remipassmoilesel said:
OK so what can I do? Where can I find docs about kernel changes?
The biggest issue is that this OEM doesn't comply with GPL laws, so you may not even be able to find the source code for the kernel, let alone have an unlocked bootloader to flash the kernel.
I'll be honest. With these small companies your best bet is just use the phone as it comes.
In fact I have downloaded the whole source code, available online. I tried to build it once but in the end I'm not sure what I can do with that.
Do you think I can build my own /system image with a su binary, or will that not be enough?
remipassmoilesel said:
In fact I have downloaded the whole source code, available online. I tried to build it once but in the end I'm not sure what I can do with that.
Do you think I can build my own /system image with a su binary, or will that not be enough?
You found the kernel source code? You do know that the kernel source and android source are different. Also you will need to have an unlocked bootloader to even flash it.
zelendel said:
You found the kernel source code? You do know that the kernel source and android source are different. Also you will need to have an unlocked bootloader to even flash it.
I think I have both, kernel and Android: http://www.wikogeek.com
So what can I do?
1) Build all and obtain the 3 img files (boot.img, ....),
2) Mount the img files and insert the su binary and other custom files,
3) Push the img files to the phone with fastboot
Is that correct?
I have one more question. With fastboot, can I push just some files, or can I only overwrite the whole partition?
Thanks for your help.
I was looking up the partition layout of the Galaxy S III while I stumbled upon this problem.
The first time you run a command in 'adb shell' everything is fine, but when you try to run a second command, it just hangs. It doesn't crash, it just hangs.
So, I tried to find out what could be wrong, by doing the following: Instead of going into the shell itself, I just entered a semi-random command 'adb shell mount', which returned the normal result.
Then, I typed 'adb shell' and guess what? It returns a commonly known error: 'error: protocol fault (status 72 6f 6f 74?!)'
The status code is HEX, which translates to: 'error: protocol fault (status root?!)'
So I suppose this has something to do with the fact that my SGS3 is rooted.
I don't feel like unrooting it, but if someone would be so kind to test this on an unrooted SGS3 and report back the results here so we can investigate this further that would be greatly appreciated.
It works without any error.
Do you know what to back up that contains the kernel and ramdisk?
Mine is rooted, with Omega Rom V3 and everything works perfect with adb.
Cranck said:
Mine is rooted, with Omega Rom V3 and everything works perfect with adb.
Have you tried multiple shell commands? I know adb functions, but it's about using adb shell.
I'm on the stock rom, rooted manually with CF's insecure kernel by the way.
I'm not sure this is related, but there is some very suspicious new functionality in the FactoryTest.apk, called "SysScope". It's some kind of service checking and verifying the authenticity of "something". But I have no idea of what, only that a related java file (ResultCode.class [sysscope.service]) contains the following code segment:
Code:
arrayOfResultCode[0] = OK;
arrayOfResultCode[1] = ADB_RUNNING_AS_ROOT;
arrayOfResultCode[2] = PARTITION_TAMPERED;
arrayOfResultCode[3] = ROOT_PROCESS_FOUND;
arrayOfResultCode[4] = DANGEROUS_FILE_DETECTED;
arrayOfResultCode[5] = NOT_OFFICIAL_BINARY;
Then it looks for SysScope files in the SysScopeVerifyer.class like this:
Code:
/data/app/com.sec.android.app.sysscope-1.apk
/data/app/com.sec.android.app.sysscope-2.apk
I suggest you back these up, then replace them with empty files of the same name, and see what happens.
I have the exact same problem on the GS2, OneX, and OneS. I have no problem shelling into the devices using another system, but on one of my computers I have the same issue. Windows 7 64bit with jdk7 installed.
Also, I enabled adb trace to see what was being returned: set ADB_TRACE=all
-Entering ls three times on the OneX, the first time works correctly
Code:
ls
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): post unix_read(fdi=0,...)
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): pre unix_read(fdi=0,...)
system/core/adb/commandline.c::read_and_dump():read_and_dump(): post adb_read(fd=101): len=5
ls
system/core/adb/commandline.c::read_and_dump():read_and_dump(): pre adb_read(fd=101)
system/core/adb/commandline.c::read_and_dump():read_and_dump(): post adb_read(fd=101): len=32
acct
cache
config
cwkeys
d
system/core/adb/commandline.c::read_and_dump():read_and_dump(): pre adb_read(fd=101)
system/core/adb/commandline.c::read_and_dump():read_and_dump(): post adb_read(fd=101): len=318
data
default.prop
dev
devlog
etc
firmware_dsps
firmware_q6
firmware_radio
firmware_wcnss
init
init.elite.rc
init.goldfish.rc
init.qcom.rc
init.qcom.sh
init.rc
init.target.rc
init.usb.rc
mnt
proc
root
sbin
sdcard
sys
system
tombstones
ueventd.goldfish.rc
ueventd.rc
vendor
[email protected]:/ $ system/core/adb/commandline.c::read_and_dump():read_and_dump(): pre adb_read(fd=101)
ls
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): post unix_read(fdi=0,...)
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): pre unix_read(fdi=0,...)
ls
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): post unix_read(fdi=0,...)
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): pre unix_read(fdi=0,...)
There's a lot of nifty tools that will automatically root my phone with pre-packaged system images (CF-Auto-Root et al). However, I'd prefer not to load my phone with firmwares from internet strangers. Also, I try to avoid apps whose code I can't see (e.g. SuperSu).
What I'd like to do is take the system preloaded on my Galaxy Note 4 by Samsung (or the recovery image) and modify it manually so that I have root access. As I understand it, this should be a fairly reproducible process. (Chainfire wrote somewhere that he has a script that automatically generates rooted images from vendor images as new versions are released.)
Please, help me do it manually. Assume I have some general Linux knowledge (your typical Ubuntu user), but no Android development skills.
bump
bump
You can't. You will have to use one of the SU binaries and SU packages. Other than that you will have to find an exploit in the base system and then code a whole new binary and app.
Yes he has a script, but that is only after years of working on the exploit for root.
Axure said:
There's a lot of nifty tools that will automatically root my phone with pre-packaged system images (CF-Auto-Root et al). However, I'd prefer not to load my phone with firmwares from internet strangers. Also, I try to avoid apps whose code I can't see (e.g. SuperSu).
What I'd like to do is take the system preloaded on my Galaxy Note 4 by Samsung (or the recovery image) and modify it manually so that I have root access. As I understand it, this should be a fairly reproducible process. (Chainfire wrote somewhere that he has a script that automatically generates rooted images from vendor images as new versions are released.)
Please, help me do it manually. Assume I have some general Linux knowledge (your typical Ubuntu user), but no Android development skills.
1º Download source code or unpack boot.img with unpackbootimg tool,
2º then unpack the ramdisk,
3º edit default.prop
Code:
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
4º $ cd ramdisk
5º $ find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
6º mkbootimg with the proper settings
7º ???
8º profit
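The unpack-and-inspect side of steps 1 to 3, as an added example that is neither the poster's code nor unpackbootimg/mkbootimg itself: it builds a constructed v0 boot.img in memory (dummy kernel, gzip'd newc cpio ramdisk carrying the default.prop lines from the post), parses it back, and reports which settings make the image an insecure one. Load addresses, the product name and the sample contents are assumptions for the example.

```python
"""Audit an Android boot.img for the 'insecure ramdisk' settings described above
(added example, not code from the thread or from unpackbootimg/mkbootimg: builds a
constructed image, parses it back, reports default.prop and cmdline findings)."""
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header layout: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, 2 reserved words, 16-byte name,
# 512-byte cmdline, 32-byte id, 1024-byte extra cmdline (1632 bytes in total).
HDR_FMT = "<8s10I16s512s32s1024s"
HDR_LEN = struct.calcsize(HDR_FMT)


def align(n, page):
    return (n + page - 1) // page * page


def cpio_newc_write(entries):
    """Pack {name: bytes} as a newc cpio archive (what 'cpio -o -H newc' makes)."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries.items()) + [("TRAILER!!!", b"")], 1):
        mode = 0o100644 if name != "TRAILER!!!" else 0
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
        out += b"070701" + "".join("%08x" % v for v in fields).encode()
        out += name.encode() + b"\0"
        out += b"\0" * (-len(out) % 4)  # header + name padded to 4 bytes
        out += data
        out += b"\0" * (-len(out) % 4)  # file data padded to 4 bytes
    return bytes(out)


def cpio_newc_read(blob):
    """Unpack a newc cpio archive into {name: bytes}."""
    files, pos = {}, 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % pos)
        hexf = blob[pos + 6:pos + 110].decode()
        fields = [int(hexf[i:i + 8], 16) for i in range(0, 104, 8)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        pos = (pos + 110 + namesize + 3) & ~3
        if name == "TRAILER!!!":
            break
        files[name] = bytes(blob[pos:pos + filesize])
        pos = (pos + filesize + 3) & ~3
    return files


def make_boot_img(kernel, ramdisk_files, cmdline=b"", page_size=2048):
    """Assemble a v0 boot.img: header page, then kernel pages, then ramdisk pages."""
    ramdisk = gzip.compress(cpio_newc_write(ramdisk_files))
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10F00000, 0x10000100, page_size, 0, 0,
                      b"constructed", cmdline, b"\0" * 32, b"")  # addresses assumed
    img = hdr.ljust(page_size, b"\0")
    img += kernel.ljust(align(len(kernel), page_size), b"\0")
    img += ramdisk.ljust(align(len(ramdisk), page_size), b"\0")
    return img


def parse_boot_img(img):
    """Split a boot.img into cmdline, kernel and (still gzip'd) ramdisk."""
    f = struct.unpack(HDR_FMT, img[:HDR_LEN])
    if f[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    kernel_size, ramdisk_size, page_size = f[1], f[3], f[8]
    k_off = page_size
    r_off = k_off + align(kernel_size, page_size)
    return {"cmdline": f[12].rstrip(b"\0").decode(),
            "kernel": img[k_off:k_off + kernel_size],
            "ramdisk": img[r_off:r_off + ramdisk_size]}


def audit_boot_img(img):
    """Report the settings that turn a stock boot image into a rooted/debuggable one."""
    parts = parse_boot_img(img)
    files = cpio_newc_read(gzip.decompress(parts["ramdisk"]))
    props = {}
    for line in files.get("default.prop", b"").decode().splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    findings = []
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd keeps root instead of dropping to the shell user")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: 'adb root' accepted, every app is debuggable")
    if "androidboot.selinux=permissive" in parts["cmdline"]:
        findings.append("kernel cmdline forces SELinux permissive from boot")
    return {"props": props, "cmdline": parts["cmdline"], "findings": findings}


# Constructed sample: dummy kernel plus a ramdisk carrying exactly the default.prop
# edits from the post above (not a real device image).
SAMPLE_IMG = make_boot_img(
    kernel=b"\0" * 4096 + b"fake-kernel",
    ramdisk_files={"default.prop": b"ro.secure=0\nro.debuggable=1\npersist.service.adb.enable=1\n",
                   "init.rc": b"# constructed placeholder\n"})
```

Against a real image, read the file and pass its bytes to audit_boot_img; a stock image should return no findings.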
Q&A for [GUIDE][LINUX][MIUI] MIUI PatchROM -- BUILD YOUR OWN MIUI ROM
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [GUIDE][LINUX][MIUI] MIUI PatchROM -- BUILD YOUR OWN MIUI ROM. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!
[MIUI PATCHROM for WALTON PrimoF2] How to solve this?? Please somebody help me...
Code:
[email protected]:~$ cd patchrom
[email protected]:~/patchrom$ . build/envsetup.sh
PATCHROM_BRANCH = jellybean42-mtk
ANDROID_PLATFORM = v17
PORT_ROOT = /home/atiq/patchrom
ANDROID_TOP =
ANDROID_OUT =
PORT_PRODUCT = Unknown
USE_ANDROID_OUT =
ANDROID_BRANCH =
[email protected]:~/patchrom$ cd primof2
bash: cd: primof2: No such file or directory
[email protected]:~/patchrom$ mkdir primof2
[email protected]:~/patchrom$ cd primof2
[email protected]:~/patchrom/primof2$ /home/atiq/patchrom/tools/releasetools/ota_target_from_phone -n
Wait for the device to be online...
Copy target file template into current working directory
Warning: the ota package will not contain bootimage!!!
Maybe you forget to pass the ota-package parameter.
Are you sure this is really what you want(yes/no):yes
Build recovery.fstab from device
Extract the whole /system from device
pull: building file list...
1423 files pulled. 0 files skipped.
2943 KB/s (570754099 bytes in 189.331s)
Remount /system to be writable
You don't have a rooted kernel. Please run the following command mannually
(1) adb shell
(2) su
(3) mount -o remount,rw /[email protected] /system
(3) chmod 0777 /system /system/*
If you finish running the above commands on your phone(yes/no):yes
/system/xbin/getfilesysteminfo: No such file or directory
Run getfilesysteminfo to build filesystem_config.txt
125 KB/s (5572 bytes in 0.043s)
Run getfilesysteminfo and recoverylink.py to recover symlink
Recovery link files success
Build apkcerts.txt
failed to copy '/data/system/packages.xml' to '/home/atiq/patchrom/primof2/out/target_files/packages.xml': Permission denied
Error: /home/atiq/patchrom/primof2/out/target_files/packages.xml doesn't exist or isn't a vaild xml file
rm: cannot remove ‘/home/atiq/patchrom/primof2/out/target_files/packages.xml’: No such file or directory
Generate metadata used to build target files...
Compress the target_files dir into zip file
/home/atiq/patchrom/primof2
Build full ota package: /home/atiq/patchrom/primof2/stockrom.zip
unzipping target target-files...
using device-specific extensions in .
unable to load device-specific module; assuming none
[MIUI CUST] OTA: copy data files
[MIUI CUST] OTA: handle relink
[MIUI CUST] OTA: SetPermissions
Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar
done.
[email protected]:~/patchrom/primof2$
Where should I put the below commands
Code:
You don't have a rooted kernel. Please run the following command mannually
(1) adb shell
(2) su
(3) mount -o remount,rw /[email protected] /system
(3) chmod 0777 /system /system/*
If you finish running the above commands on your phone(yes/no):
here?? After this line?? Here I have only two options to input, "yes" or "no", in this shell. Otherwise it shows "too many arguments". Please tell me where to put those commands exactly?? Another question: is everything OK there except "packages.xml"? I manually copied the packages.xml file from my device, pasted it into target_files and then zipped it. Will it work?? Please help..
Anyone here successfully booted miui 8 on MTK 32 bit kernel 3.18.19 can help me with bootloop!?
I already built the rom based on AOSP android one but it bootloops
Mysteryagr said:
Anyone here successfully booted miui 8 on MTK 32 bit kernel 3.18.19 can help me with bootloop!?
I already built the rom based on AOSP android one but it bootloops
Hook it up and run a logcat on your PC. That will tell you what is bootlooping. That should have been the first thing you did. It is ROM building basics.
zelendel said:
Hook it up and run a logcat on your PC. That will tell you what is bootlooping. That should have been the first thing you did. It is ROM building basics.
Thank you for your reply.
I already did that, and yes, I edited default.prop inside the ramdisk to enable logcat during bootloop.
I have ported many ROMs, and also built some from source, and I noticed that I can only take a logcat in bootloop if the ROM is partially booted; the notification LED lights in red as a sign of that.
In the MIUI case the LED doesn't light up; also I noticed that no space is occupied in the data partition (except for the extracted MIUI apps).
So I guess something prevents the ROM from starting and optimizing any app, maybe it is the boot.img.
If someone who booted MIUI on an MTK 32-bit chipset with MM kernel 3.18.19 can help me, I will be very thankful.
My device is Infinix Hot 2 running Android One 6.0 Marshmallow, chipset: MT6580.
Thanks in advance.
Mysteryagr said:
Thank you for your reply.
I already did that, and yes, I edited default.prop inside the ramdisk to enable logcat during bootloop.
I have ported many ROMs, and also built some from source, and I noticed that I can only take a logcat in bootloop if the ROM is partially booted; the notification LED lights in red as a sign of that.
In the MIUI case the LED doesn't light up; also I noticed that no space is occupied in the data partition (except for the extracted MIUI apps).
So I guess something prevents the ROM from starting and optimizing any app, maybe it is the boot.img.
If someone who booted MIUI on an MTK 32-bit chipset with MM kernel 3.18.19 can help me, I will be very thankful.
My device is Infinix Hot 2 running Android One 6.0 Marshmallow, chipset: MT6580.
Thanks in advance.
To be honest I have no other ideas. Devices with that chip maker are not sold in my country.
@zelendel
What is the difference between
Code:
make firstpatch
and
Code:
make second patch
?
Mysteryagr said:
@zelendel
What is the difference between
and
?
I don't know. To be honest I wouldn't touch miui with a 10 foot pole personally.
Hello,
I have a device called RATEL CELL R1020 with OS android 8.0 oreo.
I tried some applications for rooting this smartphone like KingRoot, KingoRoot, etc. but failed. This device can't unlock the bootloader, so I looked at rooting with an exploit on YouTube, like thomasking's. Can anyone here please help me root my smartphone?
4.4.78perf+ kernel
This attachment is a screenshot of the system.
Thank you
j4nn said:
@arifincaesar, do you have your phone's firmware in a downloadable form? Can you obtain linux kernel source code for your phone?
I could imagine adapting this (exploit source code here) for your phone, but the kernel binary that is running on the phone is a must pre-requisite. Obviously it would be only a temp root.
arifincaesar said:
There is no way to get the firmware of this phone, sir..
and there's no way to unlock the bootloader..
I think the only way to back up the firmware of this device is an exploit, getting root access without UBL..
it just says 4.4.78-perf+
In my opinion, there is no exploit that would not need offsets within kernel image in advance.
Because of that you need a copy of kernel binary that is running on the phone.
Obviously it is not possible to back up kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is linux kernel running on the phone (android uses linux kernel) you have legal options to request corresponding kernel source code, because linux kernel is distributed under gpl license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
j4nn said:
In my opinion, there is no exploit that would not need offsets within kernel image in advance.
Because of that you need a copy of kernel binary that is running on the phone.
Obviously it is not possible to back up kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is linux kernel running on the phone (android uses linux kernel) you have legal options to request corresponding kernel source code, because linux kernel is distributed under gpl license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
Is that a bug, when I have activated OEM unlock in dev options but cannot unlock in fastboot mode?
j4nn said:
In my opinion, there is no exploit that would not need offsets within kernel image in advance.
Because of that you need a copy of kernel binary that is running on the phone.
Obviously it is not possible to back up kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is linux kernel running on the phone (android uses linux kernel) you have legal options to request corresponding kernel source code, because linux kernel is distributed under gpl license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
can you help me please?
arifincaesar said:
can you help me please?
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
j4nn said:
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
hehe, I keep watching your exploit work, sir
if there is a new exploit I'll try it on my phone
thanks in advance
@arifincaesar, try this please:
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
That should try the offsets defined for xz1c. It's a blind try, but let's see.
Please post the log in a text form (copy it via clipboard from the terminal), using the CODE tags in the message (can be used with the # icon in advanced post).
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
I can't believe it, it works bro, I swear :v
Is my phone rooted?
Nope, I think my phone is not rooted yet..
I checked with Root Checker and it says "sorry root access is not properly installed on this device."
@j4nn here's the output
bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffcfe0d68000
MAIN: thread_info_ptr = ffffffd04aa3c000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kernel slide invalid (0x4ffabc7b50)
kaslr slide 0x0
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
Cell:/data/local/tmp # cd
Cell:/ # ls
ls: ./cache: Permission denied
ls: ./init: Permission denied
ls: ./init.environ.rc: Permission denied
ls: ./init.rc: Permission denied
ls: ./init.recovery.qcom.rc: Permission denied
ls: ./init.usb.configfs.rc: Permission denied
ls: ./init.usb.rc: Permission denied
ls: ./init.zygote32.rc: Permission denied
ls: ./init.zygote64_32.rc: Permission denied
ls: ./postinstall: Permission denied
ls: ./ueventd.rc: Permission denied
ls: ./verity_key: Permission denied
acct bt_firmware bugreports charger config d data default.prop dev dsp etc firmware lost+found mnt oem persist proc res root sbin sdcard storage sys system vendor
1|Cell:/ #
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
j4nn said:
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
hehe, thanks for the information, sir..
@arifincaesar, see PM please...
j4nn said:
@arifincaesar, see PM please...
ok sir, thank you very much for helping me.. T_T
pm sent
cve-2019-2215 based temp root exploit for ratel cell r1020
Here is a temp root exploit tailored specifically for RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually kernel memory dump has been retrieved (after KASLR bypass done in a generic way), so implementation of the final stage to bypass selinux and patch credentials to get root could be done.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
EDIT: Updated ratel cell temp root with v2, supposed to work also with ratel cell having May 1, 2018 security patch level.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
If you like my work, you can donate to me via paypal (including card payment) or bitcoin - for details just follow the "Donate to Me" button please. Thank you.
Thread closed per OP request.
MOD ACTION:
Thread reopened per OP's request
j4nn said:
Here is a temp root exploit tailored specifically for RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually kernel memory dump has been retrieved (after KASLR bypass done in a generic way), so implementation of the final stage to bypass selinux and patch credentials to get root could be done.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
Yes, it works sir, thank you so much. Here is the log,
but I think there is another problem; I will post it here later.
Code:
Cell:/data/local/tmp $ ./bindershellnew
bindershell - temp root shell using CVE-2019-2215, tailored for RATEL CELL R1020
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffd4316e9b00
MAIN: thread_info_ptr = ffffffd471268000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
attempting kaslr bypass: leaked ptr 0xffffff8a82608658
kernel base=0xffffff8a81480000 slide=0xa79400000
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # getenforce
Permissive
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:toolbox:s0
Cell:/data/local/tmp # uname -a
Linux localhost 4.4.78-perf+ #1 SMP PREEMPT Tue Mar 6 11:00:11 CST 2018 aarch64
Cell:/data/local/tmp #
Hi there sir @j4nn.
I'm yusuv, a Ratel Cell user. I've been following this thread.
And lately it seems the exploit works as intended.
The thing is, Ratel Cell does not have only the January patch on all the devices. I've tried the exploit and it's stuck on the build number prop and won't go any further.
Afaik, Ratel has 2 ROM builds: one patch is January, which is the one you built the exploit for, the other one is the May 1, 2018 patch, also with a different build number.
On behalf of the Ratel Cell users with the May patch, I'm here to ask you: is there any way for us with the May patch to be able to root our device?
Thanks in advance.
Dear sir @j4nn,
can you help us with installing a custom recovery on the Ratel Cell? If you are willing to help, we will be very grateful.
Hello! After many years without development, today I'm sharing a new kernel with ZRAM and swap support for this device.
The kernel is based upon weritos' Cyanogenmod 13 kernel source code and should work on both rev. 1 and rev. 2 devices.
Installation procedure is as follows:
1. Download the latest TWRP, kernel build and modules.
2. Install the kernel and TWRP from ADB shell (the device must be booted into Android) or a terminal app:
Bash:
su (from a terminal app; not required from ADB shell)
cat </path/to/TWRP_image> > /dev/block/mmcblk0p13
cat </path/to/kernel_image> > /dev/block/mmcblk0p8
reboot recovery
3. Install the kernel modules:
Bash:
mount /dev/block/mmcblk0p21 /system
unzip -o </path/to/modules.zip> -d /system/lib/modules
4. Done! Reboot into Android.
NOTE: The < and > symbols should never be issued within the commands!
Version Information
Status: Beta (Bluetooth, camera recording and screen recording do not work.)
Created: 2021-05-11
Last Updated: 2021-05-12 (Import and enable Ultra KSM driver.)
I still have this device. Will this kernel with TWRP installed fix the crashing problems in CM 13? Thanks for your effort.
@Krush206 it's saying can't open zip file on the last step, how to fix??
SerjSX said:
@Krush206 it's saying can't open zip file on the last step, how to fix??
fixed it, I was supposed to write:
Code:
unzip -o /sdcard/modules.zip -d /system/lib/modules
instead of:
Code:
unzip -o /storage/emulated/0/modules.zip -d /system/lib/modules
in TWRP terminal.
However, how do I know if it successfully worked?? My phone booted up normally but there is no sign that shows whether it worked 100% or not. @Krush206
not working
Turkish developers said:
I still have this device. Will this kernel with TWRP installed fix the crashing problems in CM 13? Thanks for your effort.
This is the reason I exported the ZRAM driver to the kernel. However, I have noticed it breaks Wi-Fi, so I will have to fix it for proper testing.
SerjSX said:
However, how do I know if it successfully worked?? My phone booted up normally but there is no sign that shows whether it worked 100% or not.
Either install Termux (or a terminal app of your choice) or use ADB and issue the free -m command.
Krush206 said:
This is the reason I exported the ZRAM driver to the kernel. However, I have noticed it breaks Wi-Fi, so I will have to fix it for proper testing.
Either install Termux (or a terminal app of your choice) or use ADB and issue the free -m command.
Hi, thanks for your response. Just did it and it looks like it worked: 59 total swap, 58 used, and 541 free.
Are you sure you checked the correct line? The total should be 255 (256), not 59.
Can you compile a kernel for overclocking in stock ROM or CM 11 please? Our quttro needs it now.
overclock kernel pls
Sorry for the delay. The battery of my device has swollen, so I cannot really check whether overclocking is possible or not.
However, though overclocking may be possible, it may cause system instability and crashes.
I could probably have a look at the code and see how to get it done, but I cannot post results and would not recommend overclocking.
The battery in my device was swollen; I found a battery, and the best software for this device is 4.1.2. I want to try overclocking for this version. Bide 4.1.2 also does not play HD videos in the original software. Is there a code or a mod for this?
1.5 Ghz overclock pls
any update?
If you two, @Fever070720, @Turkish developers, are still looking into overclocking, please, send the output of the following command:
Code:
cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq