Quote:

Originally Posted by GRZLA

I found a universal root method that may be able to help us, but I am no developer. This appears to work on a number of phones and tablets.

Tu use mempodroid you need the exit and call "offsets", this is the usage command for the Galaxy Nexus:
$ ./mempodroid 0xd7f4 0xad4b mount -o remount,rw '' /system
$ ./mempodroid 0xd7f4 0xad4b sh
#
Galaxy Nexus 4.0.2: 0xd7f4 0xad4b
Does anyone know how to obtain this parameters for the galaxy tab 2 ???

Using this post:

Quote:

Originally Posted by Nesquick95

Saurik's mempodroid exploit needs offsets of "exit" and "setresuid" fuctions calls in order to work.

Here's a tool that may find this two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.

This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risks.

1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool

If the trick works, you will see the $ prompt change to a # one.

Hope it will help.

I got this offsets for mempodroid:

Quote:

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd904 0xae5f sh

But when i try to copy the "su binary" file it still displays error

Quote:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb push su /system/bin
failed to copy 'su' to '/system/bin/su': Read-only file system

Any clues... anyone ??

do this:

adb push <path to mempodroid> /data/local/tmp/
adb shell

$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id

what is the output of the id command after running those commands in adb shell?

if it says uid=0 then i'll be happy

Quote:

Originally Posted by elitrix

do this:

adb push <path to mempodroid> /data/local/tmp/
adb shell

$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id

what is the output of the id command after running those commands in adb shell?

if it says uid=0 then i'll be happy

This is what i tried on my GT-3113 Galaxy Tab 2:

Code:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell
shell@android:/ $ cd /data/local/tmp
cd /data/local/tmp
shell@android:/data/local/tmp $ ls
ls
boomsh
busybox
mempodroid
n95-offsets
output
psneuter
sh
zergRush
shell@android:/data/local/tmp $ chmod 777 mempodroid
chmod 777 mempodroid
shell@android:/data/local/tmp $ chmod 755 n95-offsets
shell@android:/data/local/tmp $ ./n95-offsets

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd904 0xae5f sh

1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f mount -o remount,rw
 '' /system
ae5f mount -o remount,rw '' /system                                           <

then

Code:

1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f sh 
./mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $

STILL the '$' sign !!! i dont have "su" privileges, this feels I'm so close...

when i try again with....

Code:

1|shell@android:/data/local/tmp $ /data/local/tmp/mempodroid 0xd904 0xae5f sh
/data/local/tmp/mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $

I still get the '$' sign instead of the '#'.

exploit doesn't work on this tab then... on to the next.

Quote:

Originally Posted by elitrix

exploit doesn't work on this tab then... on to the next.

Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.

Quote:

Originally Posted by machx0r

Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.

I went ahead and check the source code for the “n95-offsets” and found that this code searches for a pattern in memory. :

Quote:

static const unsigned char exit_pattern[8] = { 0xB0, 0xFF, 0xFF, 0xFF, 0x04, 0x46, 0x00, 0x20};

static const unsigned char suid_pattern[8] = { 0xD0, 0x40, 0xE0, 0x3D, 0x68, 0x28, 0x46, 0x29};

So maybe it’s a different pattern for the GT-3113, cause it depends on the kernel version, so my theory is that the offsets are incorrect.

I had spoken to saurik and supplied him the run-as from the tab and he confirmed those offsets...of course he could've been using.the same tool on his end didn't ask so take with a grain of salt in the face of your theory.

Chase Bank app, trying to make a check deposit, it fails when it tries to start the camera. The deposit part of the app wants to take pictures of the check front & back. Then it uploads the pictures.

Sent from my Samsung Galaxy Tab 2 7.0

Wifi antenna seems 2 be a little weak..erratic. i think my old dellstreak 5" had better signal....battery sure takes long to charge

How do you bring up My Apps in Play Store on the Samsung Galaxy Tab 2 - 7.0?

Sent from my Samsung Galaxy Tab 2. - 7.0