[GUIDE] I Rooted my Fire TV via dirtycow

By christofsteel, Junior Member on 29th October 2016, 03:35 PM
Hi,

I just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external links here.)

Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace such a binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here.) Another problem was that the modification only lasts for the current boot, so I could not just modify boot scripts. I had to find a binary that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV GUI, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script that deploys the su binary.

This is what I did:
  1. I compiled dirtycow.c from timwr's GitHub repository CVE-2016-5195
  2. Then I put the resulting binary into /data/local/tmp on my Fire TV (via adb)
  3. Now I pushed Chainfire's su binary to /data/local/tmp
  4. I copied the /system/bin/ip binary to /data/local/tmp
  5. I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
    Code:
    #!/system/bin/sh
    mount -o remount,rw /system
    cp /data/local/tmp/su /system/xbin
    chmod 4755 /system/xbin/su
    /data/local/tmp/ip "$@"
  6. After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
  7. Now I went to the network settings of my Fire TV and changed them to a static IP address.
  8. I reconnected to my Amazon Fire TV and typed su
    Code:
    shell@android:/ $ su
    root@android:/ #
  9. Lastly I installed the SuperSU.apk from Chainfire

Root seems to work with the adb shell and the terminal app. Somehow it does not with Amaze file manager. If I start it, I get thrown into the Amazon Fire UI.

This rooting method should also work for other versions of the fireOS, though I have not tested them.
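As an added defender-side check (not from the original post or any poster's code), the script below detects the two traces this method leaves on a device: a system binary such as /system/bin/ip whose contents are a shell script instead of an ELF executable, and a setuid su dropped under /system/xbin. It builds a constructed sample tree in a temp directory so it runs anywhere; on a device you would point check_binary at /system/bin/ip and list_setuid at /system.

```shell
#!/bin/sh
# Added example (not from the original post): integrity checks for the
# artifacts the dirtycow ip-replacement leaves behind. Sample files are
# constructed in a temp dir so the script runs offline on any host.

# is_elf PATH: succeeds only if the file starts with the ELF magic 7f 45 4c 46.
# A /system/bin/ip that fails this test has been swapped for a script.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N 4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# check_binary PATH: prints a verdict; returns 1 when the binary is tampered.
check_binary() {
    if is_elf "$1"; then
        echo "OK: $1 is an ELF executable"
        return 0
    fi
    echo "TAMPERED: $1 is not an ELF executable (starts with: $(head -n 1 "$1"))"
    return 1
}

# list_setuid DIR: prints every regular file under DIR with the setuid bit set.
# Per the post, a stock Fire TV has no setuid binaries, so any hit is suspect.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample tree: an untouched ELF stub, a replaced ip, a dropped su.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin" "$demo_dir/xbin"
printf '\177ELF\002\001\001' > "$demo_dir/bin/ip.orig"
printf '#!/system/bin/sh\n/data/local/tmp/ip "$@"\n' > "$demo_dir/bin/ip"
: > "$demo_dir/xbin/su"
chmod 755 "$demo_dir/bin/ip" "$demo_dir/bin/ip.orig"
chmod 4755 "$demo_dir/xbin/su"

# Run the checks; tampered=1 if any binary in the list failed.
tampered=0
for f in "$demo_dir/bin/ip.orig" "$demo_dir/bin/ip"; do
    check_binary "$f" || tampered=1
done
echo "setuid files under $demo_dir:"
list_setuid "$demo_dir"
```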
29th October 2016, 10:52 PM |#2 sconnyuk, Senior Member
Can you downgrade while being in the root state?
29th October 2016, 11:25 PM |#3 christofsteel (OP), Junior Member
Quote:
Originally Posted by sconnyuk

Can you downgrade while being in the root state?

Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
30th October 2016, 12:04 AM |#4 sconnyuk, Senior Member
Quote:
Originally Posted by christofsteel

Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1

Will have to try this for the Fire Stick.
Excellent find, I've been watching dirtycow and this will come in handy if it works for the Fire Stick.
30th October 2016, 12:10 AM |#5 christofsteel (OP), Junior Member
Quote:
Originally Posted by sconnyuk

Will have to try this for the Fire Stick.
Excellent find, I've been watching dirtycow and this will come in handy if it works for the Fire Stick.

Please report back.
I think it is important to note that I configured a static IP address to trigger the ip script. Root is permanent, btw: as soon as the su binary is deployed, you can reboot all you like.
30th October 2016, 12:13 AM |#6 christianrodher, Junior Member
Does the Fire TV have SELinux? What Linux version is it?
30th October 2016, 12:18 AM |#7 christofsteel (OP), Junior Member
Quote:
Originally Posted by christianrodher

Does the Fire TV have SELinux? What Linux version is it?

I thought I read somewhere that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
30th October 2016, 12:21 AM |#8 christianrodher, Junior Member
Quote:
Originally Posted by christofsteel

I thought I read somewhere that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.

Can you double-check if sepolicy is present, or something similar?
30th October 2016, 12:34 AM |#9 christofsteel (OP), Junior Member
Quote:
Originally Posted by christianrodher

Can you double-check if sepolicy is present, or something similar?

OK. In my FireOS version 5.2.1.1 SELinux is activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
30th October 2016, 12:50 AM |#10 christianrodher, Junior Member
Quote:
Originally Posted by christofsteel

OK. In my FireOS version 5.2.1.1 SELinux is activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.

OK, so when you did the exploit you were at SELinux enforcing.... OK, if it is that simple after we've been working our asses off here https://github.com/timwr/CVE-2016-5195/issues/9, I'm going to break the PC and the cell phone lol
30th October 2016, 01:06 AM |#11 refi64, Member
@christianrodher No worries, I doubt this is the universal solution! I think it's that the TV runs `ip` with a really lenient SELinux context for some stupidly weird reason.