Samsung Galaxy Tab 2 7: GT-P3113

53 posts
Thanks Meter: 1
 
By jkim5708, Member on 24th April 2012, 11:21 PM
27th April 2012, 07:14 PM |#11  
Junior Member
Flag Monterrey
Thanks Meter: 2
 
Quote:
Originally Posted by GRZLA

I found a universal root method that may be able to help us, but I am no developer. This appears to work on a number of phones and tablets.

To use mempodroid you need the exit and call "offsets", this is the usage command for the Galaxy Nexus:
$ ./mempodroid 0xd7f4 0xad4b mount -o remount,rw '' /system
$ ./mempodroid 0xd7f4 0xad4b sh
#
Galaxy Nexus 4.0.2: 0xd7f4 0xad4b
Does anyone know how to obtain these parameters for the Galaxy Tab 2 ???

Using this post:
Quote:
Originally Posted by Nesquick95

Saurik's mempodroid exploit needs offsets of "exit" and "setresuid" function calls in order to work.

Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.

This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.

1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool

If the trick works, you will see the $ prompt change to a # one.

Hope it will help.

I got these offsets for mempodroid:
Quote:

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd904 0xae5f sh

But when I try to copy the "su binary" file it still displays an error
Quote:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb push su /system/bin
failed to copy 'su' to '/system/bin/su': Read-only file system

Any clues... anyone ??
Last edited by volt255; 27th April 2012 at 08:18 PM. Reason: got more info
 
 
elitrix
27th April 2012, 08:42 PM |#12  
Guest
Thanks Meter: 0
 
do this:

adb push <path to mempodroid> /data/local/tmp/
adb shell

$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id

what is the output of the id command after running those commands in adb shell?

if it says uid=0 then i'll be happy
Last edited by elitrix; 27th April 2012 at 08:45 PM.
27th April 2012, 08:57 PM |#13  
Junior Member
Flag Monterrey
Thanks Meter: 2
 
Quote:
Originally Posted by elitrix

do this:

adb push <path to mempodroid> /data/local/tmp/
adb shell

$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id

what is the output of the id command after running those commands in adb shell?

if it says uid=0 then i'll be happy

This is what I tried on my GT-3113 Galaxy Tab 2:
Code:
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell
shell@android:/ $ cd /data/local/tmp
cd /data/local/tmp
shell@android:/data/local/tmp $ ls
ls
boomsh
busybox
mempodroid
n95-offsets
output
psneuter
sh
zergRush
shell@android:/data/local/tmp $ chmod 777 mempodroid
chmod 777 mempodroid
shell@android:/data/local/tmp $ chmod 755 n95-offsets
shell@android:/data/local/tmp $ ./n95-offsets

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd904 0xae5f sh

1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f mount -o remount,rw '' /system
ae5f mount -o remount,rw '' /system                                           <
then

Code:
1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f sh 
./mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $
STILL the '$' sign!!! I don't have "su" privileges, this feels like I'm so close...

When I try again with....
Code:
1|shell@android:/data/local/tmp $ /data/local/tmp/mempodroid 0xd904 0xae5f sh
/data/local/tmp/mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $
I still get the '$' sign instead of the '#'.
elitrix
27th April 2012, 09:02 PM |#14  
Guest
Thanks Meter: 0
 
exploit doesn't work on this tab then... on to the next.
27th April 2012, 09:14 PM |#15  
Senior Member
Thanks Meter: 141
 
Quote:
Originally Posted by elitrix

exploit doesn't work on this tab then... on to the next.

Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.
27th April 2012, 09:36 PM |#16  
Junior Member
Flag Monterrey
Thanks Meter: 2
 
Quote:
Originally Posted by machx0r

Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.

I went ahead and checked the source code for “n95-offsets” and found that this code searches for a pattern in memory:

Quote:

static const unsigned char exit_pattern[8] = { 0xB0, 0xFF, 0xFF, 0xFF, 0x04, 0x46, 0x00, 0x20};

static const unsigned char suid_pattern[8] = { 0xD0, 0x40, 0xE0, 0x3D, 0x68, 0x28, 0x46, 0x29};

So maybe it’s a different pattern for the GT-3113, because it depends on the kernel version, so my theory is that the offsets are incorrect.
28th April 2012, 01:55 AM |#17  
Junior Member
Thanks Meter: 3
 
I had spoken to saurik and supplied him the run-as from the tab and he confirmed those offsets... of course he could've been using the same tool on his end, didn't ask, so take with a grain of salt in the face of your theory.
28th April 2012, 05:03 AM |#18  
Senior Member
Flag Tampa, FL
Thanks Meter: 47
 
Chase Bank app, trying to make a check deposit, it fails when it tries to start the camera. The deposit part of the app wants to take pictures of the check front & back. Then it uploads the pictures.

Sent from my Samsung Galaxy Tab 2 7.0
28th April 2012, 07:20 AM |#19  
OP Member
Thanks Meter: 1
 
Wifi antenna seems to be a little weak... erratic. I think my old Dell Streak 5" had better signal... battery sure takes long to charge
28th April 2012, 07:55 AM |#20  
Senior Member
Flag Tampa, FL
Thanks Meter: 47
 
How do you bring up My Apps in Play Store on the Samsung Galaxy Tab 2 - 7.0?

Sent from my Samsung Galaxy Tab 2. - 7.0