As some of you must have noticed, latest Samsung GT-I9500 firmwares carry a kernel configuration supposed to prevent SETUID privilege elevation.
Stock unmodified firmware with root is my preferred setup but also a strong dependency for all my development, for me this change is a massive setback if not a dealbreaker.
While poking around I found in about an hour something weird that reveled being a vulnerability, so I created a little thing to make it useful for now.
Stupid SU: Galaxy S4 root helper by François SIMOND aka @supercurio
Circumvent an extremely weak false-security "Anti Root" mechanism implemented
on latest Samsung Galaxy S4 devices (on both Exynos and Qualcomm versions)
Preventing proper root function on official firmware breaks all my Voodoo apps
requiring stock+root and is a move that's hostile to both users and developers.
Samsung security might be embarassed by this proof of concept, as it defeats
their mechanism in a single line... not even with complex ARM assembler
but *one* line of shell script.
However, the goal here is to show Superuser solutions developers how to
deal with those devices for now, and provide a working solution to people who
bought a Galaxy S4 expecting to root it cleanly and easily but cannot.
This proof of concept is slightly slowing down Superuser calls, but its
"plain text" implementation has the merit of showing how stupid this exploit is.
SELinux configuration stays unmodified and active.
- Detect and supports both SuperSU and Koush's Superuser
- Installs Super SU binary by default
Make sure you have one of those Superuser apps installed:
Root feature doesn't rely on a "StupidSU kernel" which is only an installer.
Feel free to flash back Samsung's original boot.img from their official firmware
after booting at least once.
This "exploit" is so lame that it will be fixed in no time, making updated S4
a pain to root again.
I wish Samsung will reconsider their "Anti Root" approach, which is damageable
in every regard and defective by design as demonstrated here.
Also, I'm simply not interested developing for and promoting devices from
manufacturers hostile to developers: It's just a waste of valuable time.
1/ copy rooting/ directory in your initramfs
Make sure "root.sh" file is has an executable permission (chmod 744 recommended)
2/ Add those lines at init.universal5410.rc end:
# Stupid SU
service rooting /stupidsu/root.sh
3/ Assemble your initramfs with the associated Samsung official kernel binary
of choice in a regular boot image
4/ flash as boot.img
5/ At each boot, Superuser app are detected automatically and su binary adjusted
Kernels downloads, only for demo purposes of the concept, you can flash back original Samsung boot.img once rooted
GT-I9500 Stock + root StupidSU v4 UBUAMDE
GT-I9500 Stock + root StupidSU v4 XXUAMDK
GT-I9500 Stock + root StupidSU v4 XXUAME1
Owners of Qualcomm Galaxy S 4 devices experiencing the same dificulties with Samsung the anti root strategy might want to try this method, please let me know if you're ready for some experimentations.