Experimental Software Root for HD 8 & HD 10

By diplomatic, Senior Member on 26th February 2019, 02:58 AM
23rd April 2019, 02:20 PM |#591  
OP Senior Member
@undertaker00, please check the FAQ and download the latest release. If you're still having problems, post back for more assistance.
The Following User Says Thank You to diplomatic For This Useful Post
23rd April 2019, 02:42 PM |#592  
Junior Member
Updated?
Quote:
Originally Posted by Datastream33

I will be sure to include the correct version of SuperSU. I will also add device detection, and architecture detection to ensure the proper mtk-su is used. Perhaps even the version of mtk-su that Rortiz has in there can be updated?

---------- Post added at 09:26 PM ---------- Previous post was at 09:21 PM ----------



Rortiz, you are the man. I give you props for your script. You're not bad, dude; you are actually pretty good at batch programming and I would have never said you weren't (because you're not bad at all, by any stretch). I just wanted to help you make it fully automatic. That's all.

---------- Post added at 09:27 PM ---------- Previous post was at 09:26 PM ----------



Oh , ok you've updated it! Nice!

er... is it? md5 checksum is identical
23rd April 2019, 05:02 PM |#593  
Member
Quote:
Originally Posted by undertaker00

After use semiautomated root 2.1 , and no errors, I got this error
255|[email protected]:/ # mount -o remount -rw /system
mount -o remount -rw /system
mount: Permission denied

could you help me ?
PD: fire 8 hd 2017

Sometimes the exploit fails and you aren't in a fully rooted shell. If you get permission denied, you need to exit and run the exploit again. For most people the failure is rare, but sometimes it takes 5+ tries.

Make sure you exit fully, because as @diplomatic has pointed out, the shell can actually be more restrictive after the exploit fails. I believe this happens with root user when the selinux policy isn't correctly modified.

Make sure you're using the latest mtk-su while you're at it
23rd April 2019, 07:32 PM |#594  
Junior Member
Quote:
Originally Posted by dutchthomas

Sometimes the exploit fails and you aren't in a fully rooted shell. If you get permission denied, you need to exit and run the exploit again. For most people the failure is rare, but sometimes it takes 5+ tries.

Make sure you exit fully, because as @diplomatic has pointed out, the shell can actually be more restrictive after the exploit fails. I believe this happens with root user when the selinux policy isn't correctly modified.

Make sure you're using the latest mtk-su while you're at it

Thanks.

It's working.
Selinux problem finally resolved
23rd April 2019, 08:46 PM |#595  
Junior Member
I did it. Got these messages. Then I installed SuperSU but it says Root Undetected.
Also, my device keeps disconnecting (last few lines)

[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su -v
armv8l machine
param1: 0x3000, param2: 0x10000, type: 1
Building symbol table
kallsyms_addresses pa 0x40af3b00
kallsyms_num_syms 67820, addr_count 67820
kallsyms_names pa 0x40b78400, size 815336
kallsyms_markers pa 0x40c3f500
kallsyms_token_table pa 0x40c3fe00
kallsyms_token_index pa 0x40c40200
Patching credentials
init_task VA: 0xffffffc000efaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc00ca125b8 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 1
real_cred VA: 0xffffffc050403680
Parsing sel_read_enforce
ffffffc0002d8fb8+04: ADRP x0, 0xffffffc001069000
ffffffc0002d8fb8+1c: LDR [x0, 4028]
selinux_enforce VA: 0xffffffc001069fbc
Setting selinux_enforce
Switched selinux to permissive
Trying this again...
Switched selinux to permissive
Trying this again...
Switched selinux to permissive
New UID/GID: 0/0
starting /system/bin/sh
[email protected]:/data/local/tmp #
C:\Users\jcaporal\AppData\Local\Android\Sdk\platform-tools>adb shell
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011
(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),
3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $
C:\Users\jcaporal\AppData\Local\Android\Sdk\platform-tools>adb shell
[email protected]:/ $
C:\Users\jcaporal\AppData\Local\Android\Sdk\platform-tools>adb shell
[email protected]:/ $
C:\Users\jcaporal\AppData\Local\Android\Sdk\platform-tools>


Quote:
Originally Posted by diplomatic

Software root method found for Mediatek MT816x, MT817x and MT67xx!

So once upon a time I was browsing Mediatek's source code, you know, as most normal people do, when I noticed something peculiar. There might be a small chance this thing could be used to access "illegal" memory, I thought, but probably not. So I decided to probe it anyway. First probe, success. Next one too. At each successive step, nothing prevented me from doing what I originally suspected was possible. It turns out I discovered a major vulnerability in Mediatek's code. It affects most of its 64-bit Android platforms. When taken advantage of, it simply allows one to read and write any location in memory using unprivileged code. No big deal. So fast forward a couple of months and I have a working root exploit. It's been quite a journey. I know a lot of people on the Fire HD forum have been waiting for something like this for a long time. Well, today I am proud to present my MTK-SU project to you guys.

As mentioned, what this tool does is give you a temporary root shell with Selinux enforcement disabled to do with as you please. I have managed to make it work on my Asus Zenpad Z380M. And thanks to @Supersonic27543, I have added support for the Fire HD 8 7th gen and Fire OS 5. I expect it to eventually be compatible with all mt8163 and mt8173-based Fire tablets, but there are no guarantees. I am relying on you guys for feedback for untested devices. If necessary, I will add support for the currently untested tablets as soon as I can. This is still new and experimental, so problems are to be expected.

By the way, I don't own any Amazon tablets.

STATUS
Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`)
Fire HD 8 7th gen (2017)
Fire HD 8 6th gen (2016) (thanks @bibikalka)
Fire HD 10 7th gen (2017) (thanks @bibikalka)
Fire TV 2 2015 (mt8173-based) (thanks @el7145)
ASUS Zenpad Z380M
BQ Aquaris M8 (thanks @Rortiz2)
Various MT67xx phones up to Android 7.x
Some MT67xx phones with Android 8.x

Needs Testing
Oreo-based devices (see post 3 for instructions)
32-bit kernels

Work in progress
Optimization

DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

REQUIREMENTS
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
A PC with ADB installed to interact with your device
Familiarity with ADB and basic Linux shell commands
Familiarity with the Thanks button under XDA posts

INSTRUCTIONS
  1. Download the current mtk-su zip file to your PC and unzip it. Inside will be 3 directories: 'arm', 'arm64' & 'armv7-kernel' with an 'mtk-su' binary in each. The arm64 one is suitable for most devices. The notable device that needs the arm version is the Fire HD 8 2018. The armv7-kernel version is for 32-bit kernels (on 64-bit HW).
  2. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    Code:
    adb push path/to/mtk-su /data/local/tmp/
  3. Open an adb shell
    Code:
    adb shell
  4. Change to your tmp directory
    Code:
    cd /data/local/tmp
  5. Add executable permissions to the binary
    Code:
    chmod 755 mtk-su
  6. At this point keep your tablet screen on and don't let it go to sleep. Run the exploit
    Code:
    ./mtk-su -v
    If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    It will take several seconds, but eventually you should see output similar to this (with id command added):
    Code:
    P00A_2:/data/local/tmp $ ./mtk-su -v
    param1: 0x3000, param2: 0x18040, type: 2
    Building symbol table
    kallsyms_addresses pa 0x40bdd500
    kallsyms_num_syms 70337, addr_count 70337
    kallsyms_names pa 0x40c66d00, size 862960
    kallsyms_markers pa 0x40d39800
    kallsyms_token_table pa 0x40d3a100
    kallsyms_token_index pa 0x40d3a500
    Patching credentials
    init_task VA: 0xffffffc000fa2a20
    Possible list_head tasks at offset 0x340
    0xffffffc003148340 0xffffffc021fac9c0 0x000000000000008c
    comm offset 0x5c0 comm: swapper/0
    Found own task_struct at node 0
    real_cred VA: 0xffffffc053c739c0
    Parsing sel_read_enforce
    ffffffc0002fadb4+04: ADRP x0, 0xffffffc001113000
    ffffffc0002fadb4+1c: LDR [x0, 404]
    selinux_enforce VA: 0xffffffc001113194
    Setting selinux_enforce
    Switched selinux to permissive
    New UID/GID: 0/0
    starting /system/bin/sh
    P00A_2:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
    mtk-su -s: Prints the kernel symbol table
    If you see any errors or don't get a root shell, please report it here.

    Important: it may be necessary to run the tool several times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, it will say 'New UID/GID: 2000/2000' instead of '...0/0'. In that case, type exit to close the subshell and try mtk-su again.

If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.

WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.

DOWNLOAD
Current Version
Release 11

Changelog
Release 11 - April 10, 2019
  • Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
  • Improve criteria for detecting strong stack protection

Release 10 - April 7, 2019
  • Fix support for the latest Oreo devices
  • Add compatibility for kernels with stack protection (Nokia phones)
  • Improve reliability
  • Initial support for 32-bit (armv7) kernels -- needs testing

Release 9 - April 1, 2019
  • Confirmed support for at least some Oreo devices
  • Fix bugs with R8

Release 8 - March 30, 2019 (REMOVED)
  • Lay the groundwork for Oreo devices
  • Improve performance
  • Improve reliability

Release 7 - March 17, 2019
  • Add/fix support for many Linux ver. ≤ 3.18.22 devices
  • Fix arm binary on Fire HD 10

Release 6 - March 13, 2019
  • Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
  • Minor bug fixes

Release 5 - March 7, 2019
  • Support kernels with CONFIG_KALLSYMS_ALL disabled
  • Improve reliability

Release 4 - March 4, 2019
  • Improve compatibility with phones
  • Support Fire TV 2 new FW
  • Minor bug fixes
  • Improve reliability

Release 3 - March 1, 2019
  • Add support for HD 10 7th gen
  • Add support for 3.10 kernel layout
  • Add possible support for MT67xx phones
  • Improve reliability

Release 2 - Feb. 27, 2019
  • Add support for HD 8 8th gen and 32-bit only user stacks

FAQ
Will this work on the Fire 7?
This binary in particular, no. Regarding this method in general, it is very doubtful it can be used at all on the MT8127 chipset. The same also goes for the Fire TV stick.

After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.

Will you release the source code?
Yes, but in due time. Like any software exploit, the associated vulnerability can be patched very easily. I imagine a certain vendor will be very interested in learning how this works. And I want this exploit to be effective for as long as possible.

How does this exploit work?
It overwrites the user credentials in the kernel associated with its own process in order to escalate privileges. It turns off selinux enforcement by overwriting the selinux_enforce variable in the kernel. As for how it accesses memory, I don't think I should discuss that as of yet.

Will this work on the Fire TV Stick 4K?
Unfortunately, no. This vulnerability is not present in its kernel.

CREDITS
@Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
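
The instructions quoted above tell you to read the verbose output by eye: the run only counts if it ends in 'New UID/GID: 0/0' and SELinux was actually switched to permissive, otherwise you exit and run it again. The helper below, an added example that is not part of mtk-su or of any post in this thread, applies those same checks to a saved transcript of ./mtk-su -v so the result can be checked from a script. The function name is invented, and the sample transcripts are constructed, abbreviated from the output shown in the thread.

```shell
#!/bin/sh
# Hypothetical helper (not part of mtk-su): classify a saved "./mtk-su -v"
# transcript by the two lines the instructions say to look for. Results:
#   root-permissive  UID 0/0 and "Switched selinux to permissive"
#   root-enforcing   UID 0/0 but SELinux never switched (expect permission
#                    denied, as the FAQ describes; exit and run again)
#   no-root:U/G      UID other than 0/0, e.g. 2000/2000 (exit and run again)
#   no-run           no "New UID/GID" line at all (tool stuck or crashed)
mtk_su_result() {
    log="$1"
    # Last "New UID/GID: u/g" line, reduced to "u/g" (POSIX sed only).
    uid=$(sed -n 's#^New UID/GID: \([0-9]*/[0-9]*\).*#\1#p' "$log" | tail -n 1)
    if [ -z "$uid" ]; then
        echo "no-run"
        return 1
    fi
    if [ "$uid" != "0/0" ]; then
        echo "no-root:$uid"
        return 1
    fi
    if ! grep -q '^Switched selinux to permissive' "$log"; then
        echo "root-enforcing"
        return 1
    fi
    echo "root-permissive"
    return 0
}

# Constructed sample transcripts, abbreviated from the output in the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/success.log" <<'EOF'
Patching credentials
Setting selinux_enforce
Switched selinux to permissive
Trying this again...
Switched selinux to permissive
New UID/GID: 0/0
starting /system/bin/sh
EOF
cat > "$SAMPLE_DIR/retry.log" <<'EOF'
New UID/GID: 2000/2000
starting /system/bin/sh
EOF
cat > "$SAMPLE_DIR/enforcing.log" <<'EOF'
Setting selinux_enforce
New UID/GID: 0/0
starting /system/bin/sh
EOF
: > "$SAMPLE_DIR/stuck.log"   # tool produced nothing usable

for f in success retry enforcing stuck; do
    printf '%s: %s\n' "$f" "$(mtk_su_result "$SAMPLE_DIR/$f.log" || true)"
done
```

The exit status mirrors the classification (0 only for root-permissive), so a wrapper can loop on failure the way the thread describes; a real transcript is captured with `./mtk-su -v 2>&1 | tee run.log` before typing exit.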

24th April 2019, 12:51 AM |#596  
Junior Member
well i feel stupid
I can't even get step one to work properly. Is there a version of this for people who are new to linux? I can only assume that's the problem, as I've typed exactly what was in the box, and received

"adb: error: failed to get feature set: device unauthorized. This adb server's $ADB_VENDOR_KEYS is not set
Try 'adb kill-server' if that seems wrong.
Otherwise check for a confirmation dialog on your device."
24th April 2019, 02:10 PM |#597  
Member
Quote:
Originally Posted by bigg6987

I can't even get step one to work properly. Is there a version of this for people who are new to linux? I can only assume that's the problem, as I've typed exactly what was in the box, and received

"adb: error: failed to get feature set: device unauthorized. This adb server's $ADB_VENDOR_KEYS is not set
Try 'adb kill-server' if that seems wrong.
Otherwise check for a confirmation dialog on your device."

Check the device status with adb devices. If it shows up as unauthorized, try this

Computer:
-adb kill-server

Device:
-Go to the developer settings
-Toggle USB debugging off
-Revoke USB debugging authorizations
-Toggle USB debugging on

Computer
adb start-server

The device should ask for authorization when you try to connect next time
26th April 2019, 07:01 AM |#598  
Junior Member
Updating Fire
Pulled out my Fire HD 8 (2017) and it's on 5.4.0.0, should I update or stay on my current version? I already completed this I just don't know if there's anything I'm missing out on.
26th April 2019, 02:49 PM |#599  
Junior Member
Quote:
Originally Posted by Rortiz2

It's what I'm doing..

---------- Post added at 08:08 PM ---------- Previous post was at 07:55 PM ----------

Updated!

Have re-downloaded your excellent tool from here

I can't see any difference in the files (md5 checksum), could you post a new link here please to the updated version?
Very grateful for the work you have done btw.
The Following User Says Thank You to borissprat For This Useful Post
26th April 2019, 07:29 PM |#600  
OP Senior Member
Quote:
Originally Posted by caporal

I did it. Got these messages. Then I installed SuperSU but it says Root Undetected.
Also, my device keeps disconnecting (last few lines)

How exactly did you install SuperSU? Did you follow the steps to copy su, libsupol.so, daemonsu, etc?
27th April 2019, 02:12 AM |#601  
OP Senior Member
Release 12
The next release is out. This is the biggest update in years. Some of the highlights:
  • Unify the arm and armv7-kernel binaries into one
  • Support devices with kernel 4.9.x
  • Improve speed and possibly reliability
  • Fix arm64 support for phones on kernel 3.10.65
  • Fix stack protection workaround for armv7 kernels
  • Update readme file
This is the fastest and smoothest version yet. Everyone should update to it. As with any update, previously compatible devices could have become incompatible. Let me know if that's the case.

The file is actually uploaded at the new MTK Temp Root thread. I will keep linking the OP here, but that will be the home of new releases from now on...
The Following 8 Users Say Thank You to diplomatic For This Useful Post