Search results

  1. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    I'm trying to get code execution in the kernel to get a ramdump. If someone already has a ramdump or code execution as the kernel, let me know :D. Otherwise I'll wait for more info on CVE-2017-2403 and 2017-0404 from https://source.android.com/security/bulletin/2017-01-01.html.
  2. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    This is an ATT galaxy s7 active engineering boot.img. Disclaimer: I did not use Odin, but instead leveraged root from trident to flash the image directly. Although this should have the same effect. Also, I only tested this on an ATT qualcomm s7 active device. Not sure if it works on other...
  3. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    I ripped the upload apart, and it looks like this is the engineering build from August. If this is malware, then the hacker must have spent a lot of time disguising it as an engineering build, or works for Samsung. In any case, this seems legit. I'm going to flash this to my recovery partition...
  4. Post: Dirty Cow

    `adb pull /sepolicy`
  5. Thread: [DEV] S7 Active Bootloader Unlock Development

    This thread is for people currently working on unlocking the Galaxy S7 Active bootloader. Developers only. If you do not want to help unlock the device, please do not post in this thread. Here are possible attack vectors -- let me know if you are aware of any others: 1. crafted boot.img that...
  6. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    This is a temp root. Unless you are developing a permanent root, this won't help you. That being said, this exploit should work on the May security patch with an appropriate INIT_OFFSET. The /init file is readable by root, even with SELinux intact. Escalate to root, then extract it to...
  7. Post: Dirty Cow

    You should be able to use the same approach. Can you read /init from your root shell?
  8. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    Yin-Yang. Your phone is more vulnerable to attack. This is good for you (trying to root your phone) and for the hacker (also trying to root your phone).
  9. Post: Dirty Cow

    Dirty Cow is sufficient to circumvent SEAndroid. https://www.redtile.io/security/galaxy shows how to get temp root on the Galaxy S7 Active and arbitrarily change sepolicies.
  10. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    I wrote up what I have so far here: https://www.redtile.io/security/galaxy/ The source code with instructions is here: https://github.com/freddierice/trident Let me know how it works out.
  11. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    I'm afk today, but I'll write something up tomorrow. It's a temp root (resets after reboot). It doesn't trip Knox. Obviously don't modify any of the ro partitions with it or else you will lose the ability to boot (Samsung is signed from the pbl down to /system).
  12. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    I used dirty cow to gain temp root/manipulate the sepolicies, so I can pull any September images. It is heavily dependent on the init binary, so it may/may not work on other patches. I'd like to look at your aboot img -- want to trade? :) I can hand them over tomorrow
  13. Post: Samsung Galaxy S7 Active Root! (SUCCESS)

    I've been sinking some time into this. I pulled aboot from a device with the September security patch. I just unzipped the recent OTA, and its aboot is different. If anyone has tips for analyzing the diffs, I'll take all the help I can get. My hope is that they patched a security vulnerability...
  14. Thread: Secure Boot

    I can escalate to root and arbitrarily change SELinux policies. The kicker is that I cannot modify the /system partition, boot.img, recovery.img, or aboot.img without breaking signatures. Is there a way to make the entire supersu system work without modifying these partitions? I tried making an...
  15. Post: Dirty Cow

    I gave the context I was running under (dnsmasq) setenforce privileges, so nothing was logged under logcat. It appears as though my kernel was compiled with DCONFIG_ALWAYS_ENFORCE=true
  16. Post: Dirty Cow

    I successfully wrote a 0 to /sys/fs/selinux/enforce. But SELinux did not get disabled. On my phone, the kernel was compiled to never disable SELinux. I also cannot transition to the kernel context without causing my phone to reboot. However, I can load arbitrary sepolicy files, and give...
  17. Post: Dirty Cow

    I injected shellcode into init as another member in here had suggested, and it works like a charm. Unfortunately, I couldn't turn off SELinux from my init process (galaxy s7 active). However, I do have the ability to load new policies. When I loaded a new policy (by writing the contents of the new...
  18. Thread: QFuses

    Anyone care to share a datasheet on the msm8996? Also called APQ8096? I want to learn about the fuses to see just how hard it will be to pop the bootloader. If anyone has any leads, I'd appreciate it :)
  19. Post: Signed Bootloader

    I looked into it, and it seems like they do sign aboot. A few years ago, someone dumped the pbl for a Note, and it had "pbl_auth\secboot_rsa_math.c". Bad news -- I can't blindly overwrite aboot.img. Good news -- at the time, they were rolling their own crypto. Maybe they still are? Does...
  20. Post: Dirty Cow

    Yes. Totally fair. I overwrote my recovery image (galaxy s7 active) and it told me something along the lines of "**** you, I'm not booting". It will be along the lines of a systemless-su + re-pwn at startup. I'm going to try taking a look at my bootloader. I really want real root. And I...
  21. Post: Dirty Cow

    How did you fork init? On my phone, it only executes under ueventd and watchdogd after the kernel runs init, and no contexts can [dyn]transition to init.
  22. Thread: Signed Bootloader

    Does anyone know if the bootloader is (cryptographically) verified at boot? I'm thinking about taking a crack at popping it open, but I don't want to skip easy mode if it's available. Long story short -- if I land a patched bootloader (aboot.img, not boot.img) will I have a paperweight?
  23. Post: Farm-Root: Recovery Image Pulling/Flashing Tool

    I guess so. I didn't realize that SELinux policies varied so drastically. I am surprised though that you do not have read privs to /system/bin/dumpstate. Could you post `adb shell ls -laZ /system/bin/`? I'm curious
  24. Thread: Samsung SECURE BOOT

    I flashed a Galaxy S7 Active (ATT) with a TWRP recovery image that I built. To my dismay, when I rebooted I got: "Custom binary blocked by SECURE BOOT (recovery.img)" This is different from the OEM lock in the developer menu since that has been turned on. Is there any way around this, short...
  25. Post: Farm-Root: Recovery Image Pulling/Flashing Tool

    Same procedure as before. Just untar the files in the project directory. I ran `make clean all` on my box, then threw them up on the web.
  26. Post: Dirty Cow

    Yup! I pulled the recovery partition for the Galaxy S7 Active.
  27. Post: Farm-Root: Recovery Image Pulling/Flashing Tool

    This project makes the binaries when you run `make`. You don't have the NDK installed. Or at least don't have the binaries sourced in your PATH.
  28. Post: Farm-Root: Recovery Image Pulling/Flashing Tool

    1. connect your phone with usb debugging allowed
    2. open a terminal window and run `make log`
    3. open a second terminal window and run `make pull`
  29. Post: Farm-Root: Recovery Image Pulling/Flashing Tool

    I just haven't tested other devices. Try replacing `arm64-v8a` in the Makefile with your architecture, and see if it works.
  30. Post: Dirty Cow

    Some of you might want to check out: http://forum.xda-developers.com/general/security/farm-root-recovery-image-pulling-t3490089
  31. Thread: Farm-Root: Recovery Image Pulling/Flashing Tool

    Hey all, I wrote an exploit to use cow root to pull/push images. I've only tested it on the Galaxy S7 Active, but it should also work for other arm64 phones. Let me know how it works out for you all! https://github.com/freddierice/farm-root Also, don't run `make push` if you don't know what...
  32. Post: Dirty Cow

    Well done! I gave up on init. I just pulled the recovery image on a Galaxy S7 Active. Root here I come :D
  33. Post: Dirty Cow

    I'm pretty close (I think) to pulling a recovery image from my phone. How can I get init to run app_process64? It's the only part I need working.
  34. Post: Dirty Cow

    Don't waste your time -- vold does not have access to /system.

    ---------- Post added at 04:30 AM ---------- Previous post was at 04:26 AM ----------

    (wow that came out blunt. sorry. I tried vold and there are explicit policies against its use with /system and other key devices.)
  35. Post: Dirty Cow

    No, we are stuck in dnsmasq root: `uid=0(root) gid=0(root) groups=0(root) context=u:r:dnsmasq:s0`
  36. Post: Dirty Cow

    We are all trying to get said temp root. SELinux is getting in the way.
  37. Post: Dirty Cow

    I just tried. I couldn't remount /system from fsck_msdos's sepolicy. I'm currently downloading 6.0.1 r3 for the SELinux tools. I'm thinking we can use dirtycow to give ourselves a de facto permissive :D.
  38. Post: Dirty Cow

    libc timwr's code does work, however /system/bin/run-as is not a setuid on my phone. I'm going to overwrite libc's mount... wish my phone luck!