Recent content by freddierice

I'm trying to get code execution in the kernel to get a ramdump. If someone already has a ramdump or code execution as the kernel, let me know :D. Otherwise I'll wait for more info on CVE-2017-2403 and 2017-0404 from https://source.android.com/security/bulletin/2017-01-01.html.

In this case, no.

This is an ATT galaxy s7 active engineering boot.img. Disclaimer: I did not use Odin, but instead leveraged root from trident to flash the image directly. Although this should have the same effect. Also, I only tested this on an ATT qualcomm s7 active device. Not sure if it works on other...

I ripped the upload apart, and it looks like this is the engineering build from august. If this is malware, then the hacker must have spent a lot of time disguising it as an engineering build, or works for samsung. In any case, this seems legit. I'm going to flash this to my recovery partition...

adb pull /sepolicy

This thread is for people currently working on unlocking the Galaxy S7 Active bootloader. Developers only. If you do not want to help unlock the device, please do not post in this thread. Here are possible attack vectors -- let me know if you are aware of any others: 1. crafted boot.img that...

3) no.

This is a temp root. Unless you are developing a permanent root, this won't help you. That being said, this exploit should work on the May security patch with an appropriate INIT_OFFSET. The /init file is readable by root, even with SELinux intact. Escalate to root, then extract it to...

You should be able to use the same approach. Can you read /init from your root shell?

Yin-Yang. Your phone is more vulnerable to attack. This is good for you (trying to root your phone) and for the hacker (also trying to root your phone).

Dirty cow is sufficient to circumvent SEAndroid. https://www.redtile.io/security/galaxy shows how to get temp root on the galaxy s7 active and arbitrarily change sepolicies.

I wrote up what I have so far here: https://www.redtile.io/security/galaxy/ The source code with instructions is here: https://github.com/freddierice/trident Let me know how it works out

Im afk today, but I'll write something up tomorrow. Its a temp root (resets after reboot). It doesn't trip knox. Obviously don't modify any of the ro partitions with it or else you will lose the ability to boot (samsung is signed from the pbl down to /system).

I used dirty cow to gain temp root/manipulate the sepolicies, so I can pull any september images. It is heavily dependant on the init binary, so it may/may not work on other patches. I'd like to look at your aboot img -- want to trade? :) I can hand them over tomorrow

I've been sinking some time into this. I pulled aboot from a device with the september security patch. I just unzipped the recent OTA, and its aboot is different. If anyone has tips for analyzing the diffs, I'll take all the help I can get. My hope is that they patched a security vulnerability...