Samsung Galaxy Tab 2 7: GT-P3113

OP jkim5708

27th April 2012, 07:14 PM   |  #11  
Junior Member
Flag Monterrey
Thanks Meter: 1
 
12 posts
Join Date: Apr 2012
Quote:
Originally Posted by GRZLA

I found a universal root method that may be able to help us, but I am no developer. This appears to work on a number of phones and tablets.

To use mempodroid you need the exit and call "offsets"; this is the usage command for the Galaxy Nexus:
$ ./mempodroid 0xd7f4 0xad4b mount -o remount,rw '' /system
$ ./mempodroid 0xd7f4 0xad4b sh
#
Galaxy Nexus 4.0.2: 0xd7f4 0xad4b
Does anyone know how to obtain these parameters for the Galaxy Tab 2?

Using this post:
Quote:
Originally Posted by Nesquick95

Saurik's mempodroid exploit needs the offsets of the "exit" and "setresuid" function calls in order to work.

Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.

This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.

1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool

If the trick works, you will see the $ prompt change to a # one.

Hope it will help.

I got these offsets for mempodroid:
Quote:

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd904 0xae5f sh

But when I try to copy the "su binary" file it still displays an error:
Quote:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb push su /system/bin
failed to copy 'su' to '/system/bin/su': Read-only file system

Any clues... anyone ??
Last edited by volt255; 27th April 2012 at 08:18 PM. Reason: got more info
27th April 2012, 08:42 PM   |  #12  
Junior Member
Flag Baltimore
Thanks Meter: 4
 
15 posts
Join Date: Nov 2009
do this:

adb push <path to mempodroid> /data/local/tmp/
adb shell

$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id

what is the output of the id command after running those commands in adb shell?

if it says uid=0 then i'll be happy
Last edited by elitrix; 27th April 2012 at 08:45 PM.
27th April 2012, 08:57 PM   |  #13  
Junior Member
Flag Monterrey
Thanks Meter: 1
 
12 posts
Join Date: Apr 2012
Quote:
Originally Posted by elitrix

do this:

adb push <path to mempodroid> /data/local/tmp/
adb shell

$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id

what is the output of the id command after running those commands in adb shell?

if it says uid=0 then i'll be happy

This is what I tried on my GT-3113 Galaxy Tab 2:
Code:
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell
shell@android:/ $ cd /data/local/tmp
cd /data/local/tmp
shell@android:/data/local/tmp $ ls
ls
boomsh
busybox
mempodroid
n95-offsets
output
psneuter
sh
zergRush
shell@android:/data/local/tmp $ chmod 777 mempodroid
chmod 777 mempodroid
shell@android:/data/local/tmp $ chmod 755 n95-offsets
shell@android:/data/local/tmp $ ./n95-offsets

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd904 0xae5f sh

1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f mount -o remount,rw
 '' /system
ae5f mount -o remount,rw '' /system                                           <
then

Code:
1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f sh 
./mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $
STILL the '$' sign!!! I don't have "su" privileges; it feels like I'm so close...

when i try again with....
Code:
1|shell@android:/data/local/tmp $ /data/local/tmp/mempodroid 0xd904 0xae5f sh
/data/local/tmp/mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $
I still get the '$' sign instead of the '#'.
27th April 2012, 09:02 PM   |  #14  
Junior Member
Flag Baltimore
Thanks Meter: 4
 
15 posts
Join Date: Nov 2009
exploit doesn't work on this tab then... on to the next.
27th April 2012, 09:14 PM   |  #15  
Senior Member
Thanks Meter: 141
 
195 posts
Join Date: May 2011
Quote:
Originally Posted by elitrix

exploit doesn't work on this tab then... on to the next.

Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.
27th April 2012, 09:36 PM   |  #16  
Junior Member
Flag Monterrey
Thanks Meter: 1
 
12 posts
Join Date: Apr 2012
Quote:
Originally Posted by machx0r

Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.

I went ahead and checked the source code for “n95-offsets” and found that this code searches for a pattern in memory:

Quote:

static const unsigned char exit_pattern[8] = { 0xB0, 0xFF, 0xFF, 0xFF, 0x04, 0x46, 0x00, 0x20};

static const unsigned char suid_pattern[8] = { 0xD0, 0x40, 0xE0, 0x3D, 0x68, 0x28, 0x46, 0x29};

So maybe it’s a different pattern for the GT-3113, because it depends on the kernel version, so my theory is that the offsets are incorrect.
28th April 2012, 01:55 AM   |  #17  
Junior Member
Thanks Meter: 3
 
4 posts
Join Date: Apr 2012
I had spoken to saurik and supplied him the run-as from the tab and he confirmed those offsets... of course he could've been using the same tool on his end, didn't ask, so take with a grain of salt in the face of your theory.
28th April 2012, 05:03 AM   |  #18  
Senior Member
Flag Tampa, FL
Thanks Meter: 46
 
450 posts
Join Date: Mar 2006
Chase Bank app, trying to make a check deposit, it fails when it tries to start the camera. The deposit part of the app wants to take pictures of the check front & back. Then it uploads the pictures.

Sent from my Samsung Galaxy Tab 2 7.0
28th April 2012, 07:20 AM   |  #19  
OP Member
Thanks Meter: 1
 
53 posts
Join Date: Nov 2007
Wifi antenna seems to be a little weak... erratic. I think my old Dell Streak 5" had better signal... battery sure takes long to charge.
28th April 2012, 07:55 AM   |  #20  
Senior Member
Flag Tampa, FL
Thanks Meter: 46
 
450 posts
Join Date: Mar 2006
How do you bring up My Apps in Play Store on the Samsung Galaxy Tab 2 - 7.0?

Sent from my Samsung Galaxy Tab 2. - 7.0
