[N960U/U1/W][DISCUSSION][Close to rooting]

Hello Fellow XDA Users!

Some of you might remember me from over the years or maybe just from SamPWND root on the S8/S8+. I have had a number of devices since SamPWND with a few being Sammy's. I have been real busy with life and work but of course every spare time I get has been breaking Samsung devices!

I've found some exploits I never released publicly due to the devices being "unpopular" but figured since I am close now as well as what I have found so far most likely works on most Samsung devices (I've only tested on Tab S4 and N9 from Big Red) that I wouldn't keep this one away from everyone.

With that being said, I do not have FULL root yet but am very close. I wanted to create this thread as I don't have lots of free time these days, to hopefully bounce ideas around to achieve our end goal a lot faster.

I am going to spare all the specific details to the masses but will let you know what I got so far. I prefer to collaborate over other applications that are more "real time" if there are any developers that read this then PM me and we can share contact info. If you just want to toss ideas in here then that is ok. I just don't want to have someone potentially take my hard work and claim it as their own before I can achieve root. I have been almost non stop since the N9 was released so you can understand hopefully why I want to be the one to bring root to you all!

With that being said, I will begin telling my story and what I have so far.

Some time last year I was working on another Sammy device after SamPWND as I wanted root of course. I spent weeks and weeks trying to find exploits until I finally did! For this time I wanted to see what Sammy would offer for it as it was a tablet, the XDA forum was deserted etc. They did pay out a $2500 reward so it was ok.

The reason I bring this up is because the exploit plays a factor here as well. The exploit was a mix of SamPWND and SamFAIL as I used the same rooting script as SamPWND but with a custom partition that wasn't checked for integrity when flashing in ODIN.

On this partition there were some init rc scripts. I noticed these scripts could be executed on combo firmware as root user. This means I could mount the partition in Linux, modify the scripts to my liking, sparse it back up and flash in ODIN. Then I could execute them. Believe it or not, they were executed by entering a simple setprop command in ADB. So from start to finish I simply extracted this partition, modified the scripts to install root as well as packaged the root package in with the image, flashed it and then executed an adb command and voila! I felt like a loser it took me so long to find yet was so simple to exploit.

This ties into where I am at now. I spent months looking through various attack vectors with no luck due to enhanced security not just with Sammy but Android also. So one day last week I decided to take a look at combo firmware again. In no time I found something interesting and then I slapped myself for spending months again when I should have looked at init scripts first.

I found it on my Tab s4 initially but wanted to see if the same file was on my N9 on combo and it was!

The first script runs as system user. For some reason the entire folder it is in is world readable/writable which means there is a script I can modify. This one is not an init script but is a script nonetheless that runs as system user that I can modify and execute with a simple adb command. Of course we want root, not system, so I keep looking.

So I started writing all sorts of scripts/commands and executing them as system user since it's better than running as shell user, right? One day I decided I was going to try and change permissions on the entire device. To my surprise it actually changed permissions on A LOT of partitions/files including EFS. I started messing with efs but didn't want to break my phone so I settled with backing it up, enabling hidden menu, changing my sales code, enabling factory test mode etc. Etc.

One day I decided to see if I could access the same scripts I used previously. The partition was not readable (perms denied) so initially I thought it was a dead end. Then for some reason I tried to go into the sub-directory where I knew the scripts were and guess what!? The parent directory perms were not changed but its sub directories were! Now I am somewhere I have been before and now I have some scripts that I know are executed by init and as root and how to trigger them.

I spent over a week and all my spare time trying to gain full root but progress is slow moving due to new security. I can make a script that backs up every partition on the device, mounts "most" partitions as rw, dd's magisk boot images (of course secure check fails due to locked bl but I had to try lol), creates folders and pushes files to roots etc. Etc. It's basically like having full root but you have to run it in a script for everything you do.

Since we have locked bootloaders, we cannot boot modified boot.img. There's also more security causing me to have issues with system root. One of those issues is the fact that system, vendor and odm partitions cause the kernel to panic instantly as soon as they are mounted.

I managed to force some stuff quickly before the crash but they also have something called "secure write protect" which basically backs out anything you might have written before it reboots. I have tried installing chains systemless root and even tried to install magisk without modifying the boot but I am just getting frustrated and tired.

One thing I am currently trying is a safestrap recovery. The end goal is to try and get a GSI on that is pre rooted. Yes, I also tried to dd a gsi and tried with a file manager... it appears to write but it doesn't. I think there is some security going on as it along with odm and vendor are "protected" partitions.

I can modify rootfs and just about every other partition on the device with ease but haven't successfully gained root via su or magisk etc. Some stuff will cause the device to boot with the good old custom unlock splash screen and even say custom and custom binary in ODIN. That plus it being Project Treble certified indicates we shouldn't have any issues using GSIs and more as soon as we can get it nailed down!

So in a nutshell, I now have the ability to do almost anything as root user using init scripts on our locked bootloader devices but we only have a little bit left to go in figuring out how to get su binaries onto the device thanks to sammy and googs enhanced security updates.

Hopefully this gets the convo going and I wanted everyone to know that it's not "impossible" and now seems like a guarantee! Let's get some ideas going in here on this last hurdle! If you are a developer please also PM me as I tend to forget to check xda sometimes plus I like a more real time conversation when it comes to this stuff.

We are almost there!

Donation Link: https://forum.xda-developers.com/don....php?u=3812611
The Following 55 Users Say Thank You to elliwigy For This Useful Post
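The failure mode the OP describes, a script that init runs as root (or as the system user) sitting in a directory that a lower-privileged user can write to, is a misconfiguration an audit can catch before it becomes a privilege path. The following Python is an added example, not code from this thread, from the OP, or from Samsung: it parses an Android init `.rc` fragment for `service` definitions, records which user each service runs as (init defaults to root when no `user` option is given) and which `on property:` trigger starts it, then flags any service whose executable or parent directory is group- or world-writable. The `.rc` text, the service names and paths, and the permission table are all constructed sample data; on a real device the modes would come from `stat()` over the mounted firmware image.

```python
import re
import stat
from dataclasses import dataclass, field

# Constructed sample init .rc fragment. Service names and paths are placeholders,
# not taken from any real firmware.
SAMPLE_RC = """
service example_root_svc /vendor/bin/example_root_svc.sh
    class late_start
    user root
    group root
    disabled
    oneshot

on property:sys.example.trigger=1
    start example_root_svc

service example_sys_svc /system/bin/example_sys_svc.sh
    class main
    user system
    group system

service example_safe_svc /system/bin/example_safe_svc
    class main
"""

# Constructed stat() results: path -> st_mode bits as a real filesystem would report them.
SAMPLE_MODES = {
    "/vendor/bin": 0o40777,                      # directory writable by everyone (bad)
    "/vendor/bin/example_root_svc.sh": 0o100755,
    "/system/bin": 0o40755,
    "/system/bin/example_sys_svc.sh": 0o100777,  # script writable by everyone (bad)
    "/system/bin/example_safe_svc": 0o100755,
}

SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)")
ON_RE = re.compile(r"^on\s+(.+)$")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


@dataclass
class Service:
    name: str
    exe: str
    user: str = "root"  # init runs a service as root unless a `user` option says otherwise
    triggers: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    service: str
    user: str
    path: str
    reason: str
    triggers: tuple


def parse_rc(text):
    """Return {name: Service} for every `service` in the .rc text, with the
    `on ...` sections that `start` it recorded as its triggers."""
    services = {}
    pending = {}      # service name -> list of trigger sections that start it
    section = None    # ("service", name) or ("on", trigger)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc = Service(m.group(1), m.group(2))
            services[svc.name] = svc
            section = ("service", svc.name)
            continue
        m = ON_RE.match(line)
        if m:
            section = ("on", m.group(1).strip())
            continue
        if section is None:
            continue
        kind, key = section
        parts = line.split()
        if kind == "service" and parts[0] == "user" and len(parts) > 1:
            services[key].user = parts[1]
        elif kind == "on" and parts[0] == "start" and len(parts) > 1:
            pending.setdefault(parts[1], []).append(key)
    for name, trig in pending.items():
        if name in services:
            services[name].triggers.extend(trig)
    return services


def parent_dir(path):
    head = path.rsplit("/", 1)[0]
    return head or "/"


def audit_services(services, modes):
    """Flag every service whose executable, or the directory holding it, can be
    written by group or other; paths absent from `modes` are skipped."""
    findings = []
    for svc in services.values():
        for path, what in ((svc.exe, "executable"), (parent_dir(svc.exe), "parent directory")):
            mode = modes.get(path)
            if mode is not None and mode & WRITABLE_BY_OTHERS:
                reason = f"{what} is group/world writable (mode {stat.filemode(mode)})"
                findings.append(Finding(svc.name, svc.user, path, reason, tuple(svc.triggers)))
    return findings


if __name__ == "__main__":
    for f in audit_services(parse_rc(SAMPLE_RC), SAMPLE_MODES):
        started_by = ", ".join(f.triggers) or "no explicit trigger in this fragment"
        print(f"[{f.user}] {f.service}: {f.path}: {f.reason}; started by: {started_by}")
```

The two findings the sample produces are exactly the two shapes the OP ran into: a root service whose parent directory is world-writable (the script itself is untouched, but anything in that directory can be replaced) and a system-user script that is itself world-writable. The fix on the firmware side is the usual one: service executables belong on a read-only, verity-protected partition with 0755 directories and 0755 or tighter files, and a `user root` service started by a settable property deserves a second look even when its permissions are correct.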
7th February 2019, 11:31 AM |#2
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
Forgot as a reminder that I can confirm the scripts there on tab s4 and n9 combos.. it's very likely they are present on S9/S9+ also and potentially other devices but they will need to be confirmed once we get to that point.
The Following 13 Users Say Thank You to elliwigy For This Useful Post
7th February 2019, 02:47 PM |#3
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
Was just barely reading up on Samsung DEFEX security.. hope that's not the problem since the only fix I can find requires hex patching the boot.img
The Following 7 Users Say Thank You to elliwigy For This Useful Post
8th February 2019, 02:48 AM |#4
bober10113 (account currently disabled)
So I noticed you gave quite a lot of info without going too much into details. I understand that you don't want anyone to steal your ideas and take credit.

would be a shame to get root.
and not get the credit where it is due..

Now, that being said, doesn't making these statements public open the door for Samsung to notice these possible exploits and patch them up for good? Thus rendering all your efforts in vain? As even if the details were kept at a minimum for kangers to use them, the Samsung devs can probably read between the lines quite easily.

Anyways, hope your effort will bear fruit for as long as it is possible. (SamFAIL lasted what, 3 or 4 months? before patches made it too difficult to keep up)


Regards
The Following 2 Users Say Thank You to bober10113 For This Useful Post
8th February 2019, 03:20 AM |#5
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
Quote:
Originally Posted by bober10113

So I noticed you gave quite a lot of info without going too much into details. I understand that you don't want anyone to steal your ideas and take credit.

would be a shame to get root.
and not get the credit where it is due..

Now, that being said, doesn't making these statements public open the door for Samsung to notice these possible exploits and patch them up for good? Thus rendering all your efforts in vain? As even if the details were kept at a minimum for kangers to use them, the Samsung devs can probably read between the lines quite easily.

Anyways, hope your effort will bear fruit for as long as it is possible. (SamFAIL lasted what, 3 or 4 months? before patches made it too difficult to keep up)


Regards

I can see where you're coming from but I don't think they can glean exactly what I have as there are probably hundreds of scripts throughout the system.

Also, this approach is far from new. People have been using init scripts for rooting purposes for many years.

I also tried it with newer firmware and it actually didn't work. So it already requires an older firmware and I expect Sammy will increment bootloaders soon, making it unavailable to those who have updated at that point in time. I figured it best to put out the word on progress now and people can choose to wait or not.

Exploits never last very long. The only way to ensure longevity is to remain on old firmware. There was SamPWND before there was SamFAIL. This could be the perfect time. Unless I am the only one working on this device there will be other exploits to be found.

With that being said, only you have posted all day and no devs have reached out to join in the fun so at this rate by the time full root is achieved it most likely will already be patched.

That's just my thoughts though.
The Following 3 Users Say Thank You to elliwigy For This Useful Post
8th February 2019, 03:28 AM |#6
bober10113 (account currently disabled)
Quote:
Originally Posted by elliwigy

I can see where you're coming from but I don't think they can glean exactly what I have as there are probably hundreds of scripts throughout the system.

Also, this approach is far from new. People have been using init scripts for rooting purposes for many years.

I also tried it with newer firmware and it actually didn't work. So it already requires an older firmware and I expect Sammy will increment bootloaders soon, making it unavailable to those who have updated at that point in time. I figured it best to put out the word on progress now and people can choose to wait or not.

Exploits never last very long. The only way to ensure longevity is to remain on old firmware. There was SamPWND before there was SamFAIL. This could be the perfect time. Unless I am the only one working on this device there will be other exploits to be found.

With that being said, only you have posted all day and no devs have reached out to join in the fun so at this rate by the time full root is achieved it most likely will already be patched.

That's just my thoughts though.

The Note 9 kinda missed the party bus.
I've had almost all Sammy's devices and I have to unfortunately say this is by far the most bleak state of development I've ever experienced.

But back in the day, there was far less Android competition.

edit:

And I think that if not the competition, the fact that a lot of people feel content with what stock Samsung is offering. When the device came out, the forums were littered with Shakespearean 'to root or not to' type threads.
The Following 2 Users Say Thank You to bober10113 For This Useful Post
8th February 2019, 04:54 AM |#7
sacnotsack (Senior Member)
This is great news. Hopefully some devs contact you. Loved your work with the S8.
The Following 3 Users Say Thank You to sacnotsack For This Useful Post
8th February 2019, 05:47 AM |#8
PsiPhiDan
Yeeeeeeeesssssss!

Very exciting! If we're updated to Pie, are we out of luck then though, regarding the firmware?

I remember you doing some great stuff but I don't recall the phone... Galaxy S3? Note5? Note7? Note8? HTC M8? EVO 4G LTE? OG EVO? Anyway, I am excited to see you here. 😊
The Following User Says Thank You to PsiPhiDan For This Useful Post
8th February 2019, 09:42 AM |#9
a63548 (Senior Member)
Wow, this is very interesting, and I loved reading your detailed post. I am super excited, and can't thank you enough for all your work elliwigy!
The Following 3 Users Say Thank You to a63548 For This Useful Post
8th February 2019, 09:57 AM |#10
butchieboy (Senior Member)
Full on beast!

Sent from my SM-N960U using Tapatalk
The Following 2 Users Say Thank You to butchieboy For This Useful Post
8th February 2019, 12:09 PM |#11
teknowiz23 (Senior Member)
Quote:
Originally Posted by PsiPhiDan

Yeeeeeeeesssssss!

Very exciting! If we're updated to Pie, are we out of luck then though, regarding the firmware?

I remember you doing some great stuff but I don't recall the phone... Galaxy S3? Note5? Note7? Note8? HTC M8? EVO 4G LTE? OG EVO? Anyway, I am excited to see you here.

I wanna say the S8/S8+ and the Note 8.. both of which root solutions I used.

Word brotha 🤙🤙 thank you for your diligence. I love that your hobby can help out so many who don't have the time, will, or discipline to learn it.
The Following User Says Thank You to teknowiz23 For This Useful Post