Fire TV Stick 5.2.1.1 rootable with dirtycow
Hello,
I can confirm that the Fire TV Stick (montoya) on version 5.2.1.1 is rootable through dirtycow. It actually took me 5 days of research and trying. I'll not post a step-by-step howto, but some hints. At first you compile dirtycow.c with the Android toolchain, and you need the su binary from SuperSU. You will notice that root in nearly all SELinux contexts can't read the emulated sdcard or /data/local/tmp, while the shell user can only write to these locations. So data exchange between shell and root is already very problematic. Of course you can use dirtycow for that, but only for small files.
Here are the hints:
- /system/bin/watchdogd is started as root in context init. It can remount /system (but cannot write to any directory in /system) and read/write raw devices.
- Exchange /system/bin/vcdbg (it's fairly big) with su. This can be used to start su from the exchanged watchdogd shell script, like:
Code:
#!/system/bin/sh
/system/bin/vcdbg -ad
Reboot; now you can use "vcdbg -c <command>", e.g. test it with "vcdbg -c id". Then do something like:
Code:
vcdbg -c mkdir /data/tmp
vcdbg -c chmod 777 /data/tmp
vcdbg -c dd if=/dev/block/platform/sdhci.1/by-name/system of=/data/tmp/system.img
vcdbg -c chmod 777 /data/tmp/system.img
vcdbg -c chmod 777 /data
cp -a /data/tmp/system.img /data/local/tmp/system.img
And
Code:
adb pull /data/local/tmp/system.img
Then loop-mount the image on your computer, add su, supolicy, libsupol.so and SuperSU.apk (you can see the files and their needed locations in the pre-rooted images). Also watch out for the default contexts these files need to be in (u:object_r:system_file:s0). If you have a Linux without active SELinux, copy an existing file, e.g.:
Code:
/root/temp/mount/system/bin # ls -laZ ip
-rwxr-xr-x 1 root 2000 u:object_r:system_file:s0 165484 6. Aug 2016 ip
/root/temp/mount/system/bin # cp -a ip su
/root/temp/mount/system/bin # cat /root/SuperSU/su > su
/root/temp/mount/system/bin # ls -laZ su
-rwxr-xr-x 1 root 2000 u:object_r:system_file:s0 75364 5. Aug 2017 su
Push the file back to /data/local/tmp/system.img. Now you need to find a way to make this file readable for root. I did that like this:
Code:
cat /data/local/tmp/system.img | vcdbg -c 'echo "$(cat)" > /data/tmp/system.img'
Now check size and write everything back with dd:
Code:
ls -la /data/tmp/system.img
vcdbg -c dd if=/data/tmp/system.img of=/dev/block/platform/sdhci.1/by-name/system
Reboot and you are fully rooted.
Afterwards you can install TWRP and install the latest pre-rooted image.
Best
Tim
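Two sanity checks for the steps above, added here as an example and not part of Tim's post: one that the edited system.img is still the same size as the original, actually differs from it and still carries the ext4 superblock magic before it is written back with dd, and one that a file added to the loop-mounted image shows the owner, group, mode and context the post calls for (checked against an "ls -laZ" line of the shape shown above). Assumes a POSIX sh with coreutils (wc, cmp, od); the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Run the first check on the
# computer before copying the edited image back to the stick.

# Return 0 if NEW is safe to write over the partition that ORIG was dumped
# from: same size as the dump, differs from it (so the edit landed), and
# still has the ext4 magic 0xEF53 at offset 0x438 (superblock at 1024 +
# s_magic at 0x38). A missing magic is a typical sign that the image was
# corrupted in transit (e.g. NUL bytes dropped by a shell).
check_image_for_flash() {
    orig=$1; new=$2
    [ -f "$orig" ] && [ -f "$new" ] || { echo "missing image" >&2; return 1; }
    osz=$(wc -c < "$orig" | tr -d ' '); nsz=$(wc -c < "$new" | tr -d ' ')
    if [ "$osz" != "$nsz" ]; then
        echo "size mismatch ($osz vs $nsz): image would not fit the partition" >&2
        return 1
    fi
    if cmp -s "$orig" "$new"; then
        echo "edited image is identical to the original dump" >&2
        return 1
    fi
    magic=$(od -An -tx1 -j 1080 -N 2 "$new" | tr -d ' \n')
    if [ "$magic" != "53ef" ]; then
        echo "ext4 magic missing (got '$magic'): image looks corrupted" >&2
        return 1
    fi
    return 0
}

# Return 0 if one "ls -laZ" line shows a binary that matches the pattern of
# the existing /system/bin files: mode -rwxr-xr-x, owner root, group 2000
# (shell), SELinux context u:object_r:system_file:s0.
check_system_bin_entry() {
    set -- $1
    mode=$1; owner=$3; group=$4; ctx=$5
    [ "$mode" = "-rwxr-xr-x" ] && [ "$owner" = "root" ] && [ "$group" = "2000" ] \
        && [ "$ctx" = "u:object_r:system_file:s0" ]
}
```

Example use: `check_image_for_flash system.orig.img system.img && echo ok to flash`, and `ls -laZ su | { read l; check_system_bin_entry "$l"; }` inside the mounted image's bin directory.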