Some of you might remember me from over the years or maybe just from SamPWND root on the S8/S8+. I have had a number of devices since SamPWND with a few being Sammy's. I have been real busy with life and work but of course every spare time I get has been breaking Samsung devices!
I've found some exploits I never released publicly due to the devices being "unpopular" but figured since I am close now as well as what I have found so far most likely works on most Samsung devices (I've only tested on Tab S4 and N9 from Big Red) that I wouldn't keep this one away from everyone.
With that being said, I do not have FULL root yet but am very close. I wanted to create this thread as I don't have let's of free time these days to hopefully bounce ideas around to achieve our end goal a lot faster.
I am going to spare all the specific details to the masses but will let you know what I got so far. I prefer to collaborate over other applications that are more "real time" if there are any developers that read this then PM me and we can share contact info. If you just want to toss ideas in here then that is ok. I just don't want to have someone potentially take my hard work and claim it as their own before I can achieve root. I have been almost non stop since the N9 was released so you can understand hopefully why I want to be the one to bring root to you all!
With that being said, I will begin telling my story and what I have so far.
Some time last year I was working on another Sammy device after SamPWND as I wanted root of course. I spent weeks and weeks trying to find exploits until I finally did! For this time I wanted to see what Sammy would offer for it as it was a tablet, the XDA forum was deserted etc. They did pay out a 2500$ reward so it was ok.
The reason I bring this up is because the exploit plays a factor here as well. The exploit was a mix of SamPWND and SamFAIL as I used the same rooting script as SamPWND but with a custom partition that wasn't checked for integrity when flashing in ODIN.
On this partition there were some init rc scripts. I noticed these scripts could be executed on combo firmware as root user. This means I could mount the partition in Linux, modify the scripts to my liking, sparse it back up and flash in ODIN. Then I could execute them. Believe it or not, they were executed by entering a simple setprop command in ADB. So from start to finish I simply extracted this partition, modified the scripts to install root as well as packaged the root package in with the image, flash it and then execute an adb command and viola! I felt like a loser it took me so long to find yet was so simple to exploit.
This ties in to where I am at now. I spent months looking through various attack vectors with no luck due to enhanced security not just with Sammy but Android also. So one day last week I decided to take a look at combo firmware again. In no time I found something interesting and then I slapped myself for spending months again when I should have looked at init scripts first.
I found it on my Tab s4 initially but wanted to see if the same file was on my N9 on combo and it was!
The first script runs as system user. For some reason the entire folder it is in is world readable/writable which means there is a script I can modify. This one is not an init script but is a script none the less that runs as system user that I can modify and execute with a simple adb command. Of course we want root, not system so I keep looking.
So I started writing all sorts of scripts/commands and executing it as system user since it's better than running as shell user right? One day I decide I am going to try and change permissions on the entire device. To my surprise it actually changed permissions to ALOT of partitions/files including EFS. I start messing with efs but don't want to break my phone so I settled with backing it up, enabling hidden menu, changing my sales code, enabling factory test mode etc. Etc.
One day I decided to see if I could access the same scripts I used previously. The partition was not readable (perms denied) so initially I thought it was a dead end. Then for some reason I tried to go into the sub-directory where I knew the scripts were and guess what!? The parent directory perms were not changed but its sub directories were! Now I am somewhere I have been before and now I have some scripts that I know are executed by init and as root and how to trigger them.
I spent over a week and all my spare time trying to gain full root but progress is slow moving due to new security. I can make a script that backs up every partition on the device, mounts "most" partitions as rw, dd magisk boot images (of course secure check fail due to locked bl but I had to try lol), create folders and push files to roots etc. Etc. Its basically like having full root but you have to run it in a script for everything you do.
Since we have locked bootloaders, we cannot boot modified boot.img. There's also more security causing me to have issues with system root. One of those issues is the fact that system, vendor and odm partitions cause the kernel to panic instantly as soon as they are mounted.
I managed to force some stuff quickly before the crash but they also have something called "secure write protect" which basically backs out anything you might have written before it reboots. I have tried installing chains systemless root and even tried to install magisk without modifying the boot but I am just getting frustrated and tired.
One thing I am currently trying is a safestrap recovery. The end goal is to try and get a GSI on that is pre rooted. Yes, I also tried to dd a gsi and tried with a file manager... it appears to write but it doesn't. I think there is some security going on as it along with odm and vendor are "protected" partitions.
I can modify rootfs and just about every other partition on the device with ease but haven't successfully gained root via su or magisk etc. Some stuff will cause device to boot with good old custom unlock splash screen and even say custom and custom binary in ODIN. That plus it being project treble certified indicates we shouldn't have any issues using GSI's and more soon as we can get ot nailed down!
So in a nutshell, I now have the ability to do almost anything as root user using init scripts on our locked bootloader devices but we only have a little bit left to go in figuring out how to get su binaries onto the device thanks to sammy and googs enhanced security updates.
Hopefully this gets the convo going and I wanted everyone to know that it's not "impossible" and now seems like a guarantee! Let's get some ideas going in here on this last hurdle! If you are a developer please also PM me as I tend to forget to check xda sometimes plus I like a more real time conversation when it comes to this stuff.
We are almost there!
Donation Link: https://forum.xda-developers.com/don....php?u=3812611