Experimental Software Root for HD 8 & HD 10

By diplomatic, Senior Member on 26th February 2019, 02:58 AM
Software root method found for Mediatek MT816x, MT817x and MT67xx!

So once upon a time I was browsing Mediatek's source code, you know, as most normal people do, when I noticed something peculiar. There might be a small chance this thing could be used to access "illegal" memory, I thought, but probably not. So I decided to probe it anyway. First probe, success. Next one too. At each successive step, nothing prevented me from doing what I originally suspected was possible. It turns out I discovered a major vulnerability in Mediatek's code. It affects most of its 64-bit Android platforms. When taken advantage of, it simply allows one to read and write any location in memory using unprivileged code. No big deal. So fast forward a couple of months and I have a working root exploit. It's been quite a journey. I know a lot of people on the Fire HD forum have been waiting for something like this for a long time. Well, today I am proud to present my MTK-SU project to you guys.

As mentioned, what this tool does is give you a temporary root shell with Selinux enforcement disabled to do with as you please. I have managed to make it work on my Asus Zenpad Z380M. And thanks to @Supersonic27543, I have added support for the Fire HD 8 7th gen and Fire OS 5. I expect it to eventually be compatible with all mt8163 and mt8173-based Fire tablets, but there are no guarantees. I am relying on you guys for feedback for untested devices. If necessary, I will add support for the currently untested tablets as soon as I can. This is still new and experimental, so problems are to be expected.

By the way, I don't own any Amazon tablets.

STATUS
Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`)
Fire HD 8 7th gen (2017)
Fire HD 8 6th gen (2016) (thanks @bibikalka)
Fire HD 10 7th gen (2017) (thanks @bibikalka)
Fire TV 2 2015 (mt8173-based) (thanks @el7145)
ASUS Zenpad Z380M
BQ Aquaris M8 (thanks @Rortiz2)
Various MT67xx phones up to Android 7.x
Some MT67xx phones with Android 8.x

Needs Testing
Oreo-based devices (see post 3 for instructions)
32-bit kernels

Work in progress
Optimization

DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

REQUIREMENTS
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
A PC with ADB installed to interact with your device
Familiarity with ADB and basic Linux shell commands
Familiarity with the Thanks button under XDA posts

INSTRUCTIONS
  1. Download the current mtk-su zip file to your PC and unzip it. Inside will be 3 directories: 'arm', 'arm64' and 'armv7-kernel', with an 'mtk-su' binary in each. The arm64 one is suitable for most devices. The notable device that needs the arm version is the Fire HD 8 2018. The armv7-kernel version is for 32-bit kernels (on 64-bit HW).
  2. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    Code:
    adb push path/to/mtk-su /data/local/tmp/
  3. Open an adb shell
    Code:
    adb shell
  4. Change to your tmp directory
    Code:
    cd /data/local/tmp
  5. Add executable permissions to the binary
    Code:
    chmod 755 mtk-su
  6. At this point keep your tablet screen on and don't let it go to sleep. Run the exploit
    Code:
    ./mtk-su -v
    If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    It will take several seconds, but eventually you should see output similar to this (with id command added):
    Code:
    P00A_2:/data/local/tmp $ ./mtk-su -v
    param1: 0x3000, param2: 0x18040, type: 2
    Building symbol table
    kallsyms_addresses pa 0x40bdd500
    kallsyms_num_syms 70337, addr_count 70337
    kallsyms_names pa 0x40c66d00, size 862960
    kallsyms_markers pa 0x40d39800
    kallsyms_token_table pa 0x40d3a100
    kallsyms_token_index pa 0x40d3a500
    Patching credentials
    init_task VA: 0xffffffc000fa2a20
    Possible list_head tasks at offset 0x340
    0xffffffc003148340 0xffffffc021fac9c0 0x000000000000008c
    comm offset 0x5c0 comm: swapper/0
    Found own task_struct at node 0
    real_cred VA: 0xffffffc053c739c0
    Parsing sel_read_enforce
    ffffffc0002fadb4+04: ADRP x0, 0xffffffc001113000
    ffffffc0002fadb4+1c: LDR [x0, 404]
    selinux_enforce VA: 0xffffffc001113194
    Setting selinux_enforce
    Switched selinux to permissive
    New UID/GID: 0/0
    starting /system/bin/sh
    P00A_2:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
    mtk-su -s: Prints the kernel symbol table
    If you see any errors or don't get a root shell, please report it here.

    Important: it may be necessary to run the tool several times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, it will say "New UID/GID: 2000/2000" instead of "...0/0". In that case, type exit to close the subshell and try mtk-su again.

If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.

WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.

DOWNLOAD
Current Version
Release 11

Changelog
Release 11 - April 10, 2019
  • Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
  • Improve criteria for detecting strong stack protection

Release 10 - April 7, 2019
  • Fix support for the latest Oreo devices
  • Add compatibility for kernels with stack protection (Nokia phones)
  • Improve reliability
  • Initial support for 32-bit (armv7) kernels -- needs testing

Release 9 - April 1, 2019
  • Confirmed support for at least some Oreo devices
  • Fix bugs with R8

Release 8 - March 30, 2019 (REMOVED)
  • Lay the groundwork for Oreo devices
  • Improve performance
  • Improve reliability

Release 7 - March 17, 2019
  • Add/fix support for many Linux ver. ≤ 3.18.22 devices
  • Fix arm binary on Fire HD 10

Release 6 - March 13, 2019
  • Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
  • Minor bug fixes

Release 5 - March 7, 2019
  • Support kernels with CONFIG_KALLSYMS_ALL disabled
  • Improve reliability

Release 4 - March 4, 2019
  • Improve compatibility with phones
  • Support Fire TV 2 new FW
  • Minor bug fixes
  • Improve reliability

Release 3 - March 1, 2019
  • Add support for HD 10 7th gen
  • Add support for 3.10 kernel layout
  • Add possible support for MT67xx phones
  • Improve reliability

Release 2 - Feb. 27, 2019
  • Add support for HD 8 8th gen and 32-bit only user stacks

FAQ
Will this work on the Fire 7?
This binary in particular, no. Regarding this method in general, it is very doubtful it can be used at all on the MT8127 chipset. The same also goes for the Fire TV stick.

After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.

Will you release the source code?
Yes, but in due time. Like any software exploit, the associated vulnerability can be patched very easily. I imagine a certain vendor will be very interested in learning how this works. And I want this exploit to be effective for as long as possible.

How does this exploit work?
It overwrites the user credentials in the kernel associated with its own process in order to escalate privileges. It turns off selinux enforcement by overwriting the selinux_enforce variable in the kernel. As for how it accesses memory, I don't think I should discuss that as of yet.

Will this work on the Fire TV Stick 4K?
Unfortunately, no. This vulnerability is not present in its kernel.

CREDITS
@Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
Attached Files
mtk-su_r6.zip (24.4 KB, 538 views)
mtk-su_r7.zip (25.0 KB, 1672 views)
mtk-su_r9.zip (31.3 KB, 808 views)
mtk-su_r10.zip (44.9 KB, 308 views)
mtk-su_r11.zip (46.0 KB, 1304 views)
87 users thanked diplomatic for this post.

#2: By Supersonic27543, Senior Member on 26th February 2019, 03:02 AM
I want to thank you again for your efforts on this! I was ill the days before, so I didn't get much time to test SuperSU, and I'm trying to make a script as of now. Good luck for everyone who tries this!
EDIT: Oops, sorry for the reserve post.
5 users thanked Supersonic27543 for this post.
#3: By diplomatic (OP), Senior Member on 26th February 2019, 03:10 AM
Instructions for Oreo -- or for use without a PC
Mtk-su has been confirmed to work with Android 8.x. But due to reasons having to do with security, it won't be able to run successfully in an adb shell like it does on previous OSs. At least not initially. But it may work if executed from a terminal emulator such as Termux or Terminal Emulator. The gist of the process is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps. You don't need a PC to try this.
  1. Download the current mtk-su zip to your device and unzip it. Take note of where you extracted it. Use the arm64 binary for most devices. You'd only need the arm binary if your phone has a 32-bit only userspace with a 64-bit kernel. (32-bit kernels are not supported yet.)
  2. Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
    General idea: cp path/to/mtk-su ./
    For example,
    Code:
    cp /sdcard/mtk-su_r8/arm64/mtk-su ./
    For this to work, you have to enable the Storage permission for your term app before accessing internal storage. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. You will not get the right permissions to run mtk-su that way. Also note that it's been reported that the terminal shell may not be able to access your external SD card.
  3. Run the program
    Code:
    ./mtk-su -v
  4. Copy the output to clipboard and post it here.

Now if this succeeds, from that point on you will be able to run mtk-su in an adb shell according to OP instructions (until next reboot). If this doesn't work, I will either have to adjust something to fix it, or in worst case, declare it not possible.

Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
    Code:
    cp path/to/mtk-su $HOME/
    cd $HOME
    ./mtk-su -v
3 users thanked diplomatic for this post.
#4: By cybersaga, Senior Member, Loyalist, ON on 26th February 2019, 03:18 AM
Great work!

So could this theoretically work for any Mediatek device? Or do specific modifications need to be done for another model chip?

What do you think is likely the worst to happen if this is tried as-is on another device? Will it just not work? Or explode the device?

I have an Acer B3-A40 that has an MT8167 chip that I wouldn't mind rooting.
#5: By diplomatic (OP), Senior Member on 26th February 2019, 03:47 AM
@cybersaga, yes, it's very possible it will work on an mt8167 device. Although I can't 100% guarantee it won't damage your device, I would just go ahead and try it. The risk is very minimal. It will print some error if it fails. I think realistically, I would need to tweak some parameters or make a workaround if there's a problem.

The method should be applicable to most 64-bit platforms. There are newer 4.x kernels where the necessary hole is not present, though. But time will tell what devices this ultimately will be compatible with.
3 users thanked diplomatic for this post.
#6: By cybersaga, Senior Member, Loyalist, ON on 26th February 2019, 03:54 AM
That's super neat. I'll probably give it a try sometime this week.
#7: By xyz`, Member on 26th February 2019, 04:04 AM
Very cool from what I can see, however it doesn't work on HD8 2018 because there's no 64-bit userspace (only the kernel is 64-bit), could you recompile it for arm?
#8: By diplomatic (OP), Senior Member on 26th February 2019, 04:27 AM
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
2 users thanked diplomatic for this post.
#9: By xyz`, Member on 26th February 2019, 04:59 AM
Quote:
Originally Posted by diplomatic

Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...

Maybe you can just compile it as a static binary instead if that's easier.
#10: By dutchthomas, Member on 26th February 2019, 12:10 PM
Awesome! I just rooted my HD8 2017

Try the automated script by @Rortiz2

Previous instructions:

For anyone that is confused by the process of manually installing SuperSu, I did the following...

IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018
  1. Install SuperSu from Playstore
  2. Download SuperSu and unzip somewhere
  3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
  4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
  5. mount -o remount -rw /system
  6. cp /data/local/tmp/su /system/xbin/su
  7. cp /data/local/tmp/su /system/xbin/daemonsu
  8. cp /data/local/tmp/supolicy /system/xbin/
  9. cp /data/local/tmp/libsupol.so /system/lib/
  10. cp /data/local/tmp/libsupol.so /system/lib64/
  11. chmod 0755 /system/xbin/su
  12. chcon u:object_r:system_file:s0 /system/xbin/su
  13. chmod 0755 /system/xbin/daemonsu
  14. chcon u:object_r:system_file:s0 /system/xbin/daemonsu
  15. at this point, running su should work and show a root shell
  16. daemonsu --auto-daemon
  17. Open SuperSu app and allow it to update the su binary

My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
32 users thanked dutchthomas for this post.
#11: By bibikalka, Senior Member on 26th February 2019, 02:49 PM
@diplomatic

Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!

I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.

Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.

Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.

My HD8 2016 output:
Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #

Edit: Despite my super careful SuperSu injection into FireOS 5.3.6.4 system image, I still could not get SuperSu to work after I restored this image using FlashFire. Regardless, the method from this thread also rooted 5.3.6.4 in no time! Awesome!
4 users thanked bibikalka for this post.
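The OP's FAQ says mtk-su disables enforcement by overwriting the kernel's selinux_enforce variable, and the two verbose logs on this page show how that variable is located: in the OP's Zenpad run, "Parsing sel_read_enforce" finds an ADRP at +0x04 of sel_read_enforce (page 0xffffffc001113000) and an LDR at +0x1c (offset 404), which add to 0xffffffc001113194; bibikalka's HD8 2016 log in post #11 does the same with page 0xffffffc001030000 and offset 444, giving 0xffffffc0010301bc. The C program below is an added example, not mtk-su's own code (its source is unreleased), that decodes exactly those two AArch64 instruction forms and combines them. The instruction words, the NOP padding and the HD8 2016 function address are constructed so that they decode to the logged values; the real bytes of sel_read_enforce and the memory-access primitive used to read them are not on the page, so the function body is passed in as a plain buffer.

```c
/* Added example (not mtk-su's own code): recover the selinux_enforce address
 * from the ADRP/LDR pair in sel_read_enforce, the step the logs print as
 * "Parsing sel_read_enforce". The instruction words below are constructed to
 * match the logged values; a real tool would read the kernel text with the
 * memory primitive the OP does not describe. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define A64_NOP 0xD503201Fu

/* ADRP Xd, label: PC-page-relative, imm21 = immhi:immlo, scaled by 4 KiB. */
static int decode_adrp(uint32_t insn, uint64_t pc, unsigned *rd, uint64_t *page)
{
    if ((insn & 0x9F000000u) != 0x90000000u)
        return 0;
    uint64_t immlo = (insn >> 29) & 0x3u;
    uint64_t immhi = (insn >> 5) & 0x7FFFFu;
    uint64_t imm21 = (immhi << 2) | immlo;
    if (imm21 & (1ull << 20))                 /* sign-extend: target may sit below PC */
        imm21 |= ~0x1FFFFFull;
    *rd = insn & 0x1Fu;
    *page = (pc & ~0xFFFull) + (imm21 << 12); /* unsigned wrap == signed add */
    return 1;
}

/* LDR Wt/Xt, [Xn, #imm]: unsigned-offset form, imm12 scaled by access size. */
static int decode_ldr_uimm(uint32_t insn, unsigned *rn, unsigned *rt, uint64_t *off)
{
    if ((insn & 0x3FC00000u) != 0x39400000u)
        return 0;
    unsigned size = insn >> 30;               /* 2 = 32-bit W load, 3 = 64-bit X load */
    if (size < 2)
        return 0;                             /* LDRB/LDRH: not an int/pointer load */
    *off = (uint64_t)((insn >> 10) & 0xFFFu) << size;
    *rn = (insn >> 5) & 0x1Fu;
    *rt = insn & 0x1Fu;
    return 1;
}

/* Walk the function body: remember the most recent ADRP, then take the first
 * LDR that uses that register as its base. Returns 0 if no pair is found. */
uint64_t selinux_enforce_va(const uint32_t *code, size_t nwords, uint64_t func_va)
{
    int have_page = 0;
    unsigned page_reg = 0;
    uint64_t page = 0;

    for (size_t i = 0; i < nwords; i++) {
        uint64_t pc = func_va + i * 4;
        unsigned rd, rn, rt;
        uint64_t target, off;

        if (decode_adrp(code[i], pc, &rd, &target)) {
            page_reg = rd; page = target; have_page = 1;
            continue;
        }
        if (have_page && decode_ldr_uimm(code[i], &rn, &rt, &off) && rn == page_reg)
            return page + off;
    }
    return 0;
}

/* Constructed stand-in for the OP's Zenpad log: sel_read_enforce at
 * 0xffffffc0002fadb4, "ADRP x0, 0xffffffc001113000" at +0x04 and
 * "LDR [x0, 404]" at +0x1c. Every other slot is a NOP placeholder. */
const uint64_t ZENPAD_SEL_READ_ENFORCE_VA = 0xffffffc0002fadb4ull;
const uint32_t zenpad_sel_read_enforce[9] = {
    A64_NOP,
    0xB00070C0u,                              /* +0x04 adrp x0, 0xffffffc001113000 */
    A64_NOP, A64_NOP, A64_NOP, A64_NOP, A64_NOP,
    0xB9419401u,                              /* +0x1c ldr w1, [x0, #404] */
    A64_NOP,
};

/* Constructed stand-in for bibikalka's HD8 2016 log ("ADRP x0, base is
 * 0xffffffc001030000", "LDR [x0,444]"). The function VA is an assumption
 * chosen so the page displacement is negative and exercises sign extension. */
const uint64_t HD8_2016_SEL_READ_ENFORCE_VA = 0xffffffc001200000ull;
const uint32_t hd8_2016_sel_read_enforce[2] = {
    0x90FFF180u,                              /* +0x00 adrp x0, 0xffffffc001030000 */
    0xB941BC01u,                              /* +0x04 ldr w1, [x0, #444] */
};

int main(void)
{
    printf("Zenpad Z380M  selinux_enforce VA: 0x%llx\n",
           (unsigned long long)selinux_enforce_va(zenpad_sel_read_enforce, 9,
                                                  ZENPAD_SEL_READ_ENFORCE_VA));
    printf("Fire HD8 2016 selinux_enforce VA: 0x%llx\n",
           (unsigned long long)selinux_enforce_va(hd8_2016_sel_read_enforce, 2,
                                                  HD8_2016_SEL_READ_ENFORCE_VA));
    return 0;
}
```

The base-register check (rn == page_reg) is what keeps an unrelated load from being mistaken for the selinux_enforce access; the pattern as written only covers the ADRP+LDR form the two logs show, not an ADRP+ADD address computation, and it does not apply to kernels that moved the flag into selinux_state, which explains why a pattern match like this is kernel-build-specific rather than universal.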
Tags
fire hd 10, fire hd 8, root