Recent content by freddierice

  1.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    I'm trying to get code execution in the kernel to get a ramdump. If someone already has a ramdump or code execution as the kernel, let me know :D. Otherwise I'll wait for more info on CVE-2017-2403 and 2017-0404 from https://source.android.com/security/bulletin/2017-01-01.html.
  2.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    This is an ATT galaxy s7 active engineering boot.img. Disclaimer: I did not use Odin, but instead leveraged root from trident to flash the image directly. Although this should have the same effect. Also, I only tested this on an ATT qualcomm s7 active device. Not sure if it works on other...
  3.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    I ripped the upload apart, and it looks like this is the engineering build from august. If this is malware, then the hacker must have spent a lot of time disguising it as an engineering build, or works for samsung. In any case, this seems legit. I'm going to flash this to my recovery partition...
  4.

    Post Dirty Cow

    adb pull /sepolicy
  5.

    Thread [DEV] S7 Active Bootloader Unlock Development

    This thread is for people currently working on unlocking the Galaxy S7 Active bootloader. Developers only. If you do not want to help unlock the device, please do not post in this thread. Here are possible attack vectors -- let me know if you are aware of any others: 1. crafted boot.img that...
  6.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    This is a temp root. Unless you are developing a permanent root, this won't help you. That being said, this exploit should work on the May security patch with an appropriate INIT_OFFSET. The /init file is readable by root, even with SELinux intact. Escalate to root, then extract it to...
  7.

    Post Dirty Cow

    You should be able to use the same approach. Can you read /init from your root shell?
  8.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    Yin-Yang. Your phone is more vulnerable to attack. This is good for you (trying to root your phone) and for the hacker (also trying to root your phone).
  9.

    Post Dirty Cow

    Dirty cow is sufficient to circumvent SEAndroid. https://www.redtile.io/security/galaxy shows how to get temp root on the galaxy s7 active and arbitrarily change sepolicies.
  10.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    I wrote up what I have so far here: https://www.redtile.io/security/galaxy/ The source code with instructions is here: https://github.com/freddierice/trident Let me know how it works out
  11.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    I'm afk today, but I'll write something up tomorrow. It's a temp root (resets after reboot). It doesn't trip knox. Obviously don't modify any of the ro partitions with it or else you will lose the ability to boot (samsung is signed from the pbl down to /system).
  12.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    I used dirty cow to gain temp root/manipulate the sepolicies, so I can pull any september images. It is heavily dependent on the init binary, so it may/may not work on other patches. I'd like to look at your aboot img -- want to trade? :) I can hand them over tomorrow
  13.

    Post Samsung Galaxy S7 Active Root! (SUCCESS)

    I've been sinking some time into this. I pulled aboot from a device with the september security patch. I just unzipped the recent OTA, and its aboot is different. If anyone has tips for analyzing the diffs, I'll take all the help I can get. My hope is that they patched a security vulnerability...