
Research on finding root exploit for N900V 4.4.4 (NJ6)

By scottgl9, Member on 29th February 2016, 07:43 PM
I have serious doubts about the so-called "proof of root" YouTube video for 4.4.4 N900V, so I've decided to start a research-related thread so we don't have to rely on someone who will probably just get everyone's hopes up. Since N900V NJ4 4.4.4 is the oldest flashable version for those of us stuck on 4.4.4 or 5.0, I will be focusing on that build. Here are a few exploits I've found so far which may definitely lead to a root exploit for everyone who is patiently waiting for root access (including me):

1) Android sensord Local Root Exploit - says it was tested on the LG L7, but may also apply to the N900V (unconfirmed)
2) Linux Kernel < 3.4.5 - Local Root Exploit (ARM - Android 4.2.2 / 4.4) - N900V NJ6 has kernel version 3.4.0, so this exploit may be a viable option
3) Nexus 5 Android 5.0 - Local Root Exploit - may also apply to other devices, as it relies on an SELinux flaw

Here is a very interesting page I found about ABOOT, and details of the Android boot process: http://newandroidbook.com/Articles/aboot.html

We should also look into possibly using Loki for the note 3: https://github.com/djrbliss/loki

Here is an excellent site which lists all known Android root vulnerabilities, categorized by Android software version: http://androidvulnerabilities.org/by/version/
1st March 2016, 04:17 PM |#2, scottgl9 (OP)
UPDATE: I came across some really good news which applies to N900V NJ6 (build KTU84P):
http://www.androidpolice.com/2014/06...nexus-devices/
According to the above, the vulnerability which towelroot exploits was in fact not patched in build KTU84P.

I'm going to compile towelroot and add the N900V to the supported device list, and theoretically it should provide root.


Here are some ideas I'm investigating for achieving root on NJ6:

1) Inject su and SuperUser.apk into the sparse ext4 format system.img.ext4 from the Odin package
2) If someone has a rooted N900V and is on 4.4.4 NJ6 firmware, please do a raw dump of your full system partition and post it. I may be able to convert it to a pre-rooted Odin package
3) Find an unused executable in system.img.ext4 (in sparse format), find the offset of that executable in the sparse image, and directly replace the binary data of the executable with the binary data of su. (I replaced e2fsck with the su executable, zero-padded to match the size of e2fsck; I haven't been able to flash it successfully with Odin yet, and I'm still investigating which check in aboot is causing it to fail.)
4) NJ6 is running kernel version 3.4.0; I'm sure there are quite a few Linux exploits which work on kernel version 3.4.0 and lower.
1st March 2016, 10:59 PM |#3, scottgl9 (OP)
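The in-place patching idea in item 3 above (find the bytes of an unused executable inside the sparse system.img.ext4 and overwrite them with su, zero-padded to the original size) depends on mapping an offset in the expanded filesystem to an offset in the sparse container. The following is an added example, not code from this thread or from any of the tools it links. It parses the Android sparse image format as laid out in AOSP's libsparse sparse_format.h (28-byte file header with magic 0xED26FF3A; 12-byte chunk headers of type RAW, FILL, DONT_CARE or CRC32), maps a logical offset to its offset in the sparse file, and patches a byte range only when it lies entirely inside one RAW chunk. The sample image is constructed in memory; locating the executable's logical offset inside the ext4 filesystem (e.g. with debugfs) is assumed to have been done beforehand.

```python
import struct
from collections import namedtuple

# Layout from AOSP libsparse sparse_format.h; the sample image further down is constructed for the demo.
SPARSE_MAGIC = 0xED26FF3A
FILE_HDR = struct.Struct("<IHHHHIIII")  # magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz, total_blks, total_chunks, image_checksum
CHUNK_HDR = struct.Struct("<HHII")      # chunk_type, reserved, chunk_sz (blocks), total_sz (bytes incl. header)
RAW, FILL, DONT_CARE, CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
DATA_LEN = {RAW: None, FILL: 4, DONT_CARE: 0, CRC32: 4}  # bytes after each chunk header (RAW: nblks * blk_sz)

Chunk = namedtuple("Chunk", "ctype start_blk nblks data_off data_len")


def parse_sparse(img):
    """Walk the chunk table; return (blk_sz, total_blks, [Chunk]) or raise on a malformed image."""
    magic, major, _minor, fhs, chs, blk_sz, total_blks, nchunks, _cksum = FILE_HDR.unpack_from(img, 0)
    if magic != SPARSE_MAGIC or major != 1 or fhs != FILE_HDR.size or chs != CHUNK_HDR.size:
        raise ValueError("not a v1 Android sparse image")
    chunks, pos, blk = [], fhs, 0
    for _ in range(nchunks):
        ctype, _res, nblks, total_sz = CHUNK_HDR.unpack_from(img, pos)
        data_len = total_sz - chs
        if ctype not in DATA_LEN or data_len != (nblks * blk_sz if ctype == RAW else DATA_LEN[ctype]):
            raise ValueError("malformed chunk header at %#x" % pos)
        chunks.append(Chunk(ctype, blk, nblks, pos + chs, data_len))
        blk += nblks          # CRC32 chunks carry chunk_sz == 0, so they add no blocks
        pos += total_sz
    if blk != total_blks:
        raise ValueError("chunk table covers %d blocks, header says %d" % (blk, total_blks))
    return blk_sz, total_blks, chunks


def locate(img, logical_off):
    """Map an offset in the expanded ext4 image to (chunk, offset in the sparse file).
    The offset is None when the byte lives in a FILL or DONT_CARE chunk (no raw bytes exist for it)."""
    blk_sz, total_blks, chunks = parse_sparse(img)
    if not 0 <= logical_off < total_blks * blk_sz:
        raise ValueError("offset %#x outside the %d-block image" % (logical_off, total_blks))
    for c in chunks:
        lo = c.start_blk * blk_sz
        if lo <= logical_off < lo + c.nblks * blk_sz:
            return c, (c.data_off + logical_off - lo) if c.ctype == RAW else None
    raise ValueError("no chunk covers offset %#x" % logical_off)


def patch_in_place(img, logical_off, payload, slot_len):
    """Overwrite slot_len bytes at logical_off with payload zero-padded to slot_len.
    Refuses anything that would change chunk sizes, so the rest of the sparse file stays byte-identical."""
    if len(payload) > slot_len:
        raise ValueError("payload is %d bytes, slot is %d" % (len(payload), slot_len))
    chunk, off = locate(img, logical_off)
    if off is None:
        raise ValueError("slot starts in a %#x chunk: nothing to overwrite, re-sparse instead" % chunk.ctype)
    if off + slot_len > chunk.data_off + chunk.data_len:
        raise ValueError("slot crosses a chunk boundary: re-sparse instead of patching in place")
    out = bytearray(img)
    out[off:off + slot_len] = payload + b"\0" * (slot_len - len(payload))
    return bytes(out)


def expand(img):
    """Unsparse (what simg2img does) so a patch can be checked against the flat filesystem."""
    blk_sz, total_blks, chunks = parse_sparse(img)
    out = bytearray(total_blks * blk_sz)       # DONT_CARE regions simply stay zero here
    for c in chunks:
        lo, n = c.start_blk * blk_sz, c.nblks * blk_sz
        if c.ctype == RAW:
            out[lo:lo + n] = img[c.data_off:c.data_off + n]
        elif c.ctype == FILL:
            out[lo:lo + n] = img[c.data_off:c.data_off + 4] * (n // 4)
    return bytes(out)


def build_sample(blk_sz=4096):
    """Constructed 7-block image: RAW(2) | DONT_CARE(3) | FILL(1) | RAW(1). The last block stands in
    for an unused ELF executable, like the e2fsck slot mentioned in the post."""
    raw1 = bytes(range(256)) * (2 * blk_sz // 256)
    raw2 = b"\x7fELF" + b"\xaa" * (blk_sz - 4)
    body = (CHUNK_HDR.pack(RAW, 0, 2, CHUNK_HDR.size + len(raw1)) + raw1 +
            CHUNK_HDR.pack(DONT_CARE, 0, 3, CHUNK_HDR.size) +
            CHUNK_HDR.pack(FILL, 0, 1, CHUNK_HDR.size + 4) + b"\0\0\0\0" +
            CHUNK_HDR.pack(RAW, 0, 1, CHUNK_HDR.size + len(raw2)) + raw2)
    return FILE_HDR.pack(SPARSE_MAGIC, 1, 0, FILE_HDR.size, CHUNK_HDR.size, blk_sz, 7, 4, 0) + body


if __name__ == "__main__":
    img = build_sample()
    elf_off = 6 * 4096                                  # logical offset of the stand-in executable
    chunk, soff = locate(img, elf_off)
    print("logical %#x -> chunk type %#x at sparse file offset %#x" % (elf_off, chunk.ctype, soff))
    patched = patch_in_place(img, elf_off, b"\x7fELF fake su", 4096)
    print("patched bytes in expanded image:", expand(patched)[elf_off:elf_off + 16])
```

A slot that starts in a FILL or DONT_CARE chunk has no raw bytes in the container, and one that straddles two chunks would change chunk lengths, so both cases are rejected instead of silently producing an image that expands to something other than intended; those need the filesystem re-sparsed (img2simg) rather than patched. The header's image_checksum field is left as the input had it (0 in the sample). Which checks Odin or aboot actually apply on the N900V is the open question in the post and is not answered by this code.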
This is successfully exploiting a vulnerability and is rebooting my Note 3 (not installing su yet; I haven't had time to fully research how this root exploit works):

https://github.com/retme7/CVE-2014-7911_poc/

I've attached the prebuilt apk for this vulnerability. I'm getting activity on logcat, just don't have time to look into it fully until I get off of work.
Attached file: cve201479xx.apk (320.4 KB)
31st March 2016, 12:51 AM |#4, Senior Member
I downgraded from OF1 to NK1.
I also tried going from OF1 directly to NJ6.
Just tick NAND Erase in Odin.
14th April 2016, 10:50 AM |#5, yenkoPR
Quote:
Originally Posted by scottgl9

This is successfully exploiting a vulnerability and is rebooting my Note 3 (not installing su yet; I haven't had time to fully research how this root exploit works):

https://github.com/retme7/CVE-2014-7911_poc/

I've attached the prebuilt apk for this vulnerability. I'm getting activity on logcat, just don't have time to look into it fully until I get off of work.

Go on bro, we believe in you!
18th April 2016, 09:20 PM |#6, SLver
Sorry to annoy you guys, but I don't get it: is this exploit just for getting root, or for unlocking the bootloader (at least)?
14th May 2016, 09:50 PM |#7, yenkoPR
Quote:
Originally Posted by SLver

Sorry to annoy you guys, but I don't get it: is this exploit just for getting root, or for unlocking the bootloader (at least)?

We need root to be able to unlock the bootloader.