[Bounty] root@firetv

[eousphoros]

Not looking for any fancy one click all. Just a method to obtain uid 0. I can handle adb, I have a functioning toolchain and a sys admin level knowledge of Linux. Unfortunately I haven't had any success yet getting root.

My laziness and frustration has won over my cheapness. To that effect I would like to offer a 0.3 BTC bounty for a method to obtain root on this swanky device.

Update: Bounty paid. Received functioning method. Unfortunately I've been asked to not release it which I am happy to comply. Thanks!

 

[Luxferro]

jcase already rooted his. But I don't think he's shared it publicly yet.

 

[eousphoros]

jcase already rooted his. But I don't think he's shared it publicly yet.

I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC.

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

 

[MicroMod777]

Root and recovery would be good. I got like 28 days left before I can return my FireTV. Hopefully this will be done before then.

 

[Cpasjuste]

If someone have a spare device to donate (France) I'm willing to spent some time on it. I did a few cool things on the fire hdx 7" and could probably do some on this device. I think this device could be great if we get a stock ROM running !

 

[TooSlo]

I'll believe it when I see it.

http://forum.xda-developers.com/showpost.php?p=51688189&postcount=105

For those who don't want to click the link. Indeed it was @jcase. No, it wasn't released.

 

[eousphoros]

http://forum.xda-developers.com/showpost.php?p=51688189&postcount=105

For those who don't want to click the link. Indeed it was @jcase. No, it wasn't released.

That is of no use to me or others who are looking/needing a priv esclation method for this device until its released. In the meantime I will continue down my path. If I get it before he releases I plan to do full disclosure. Hope I don't burn his exploits.

 

[jcase]

I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC.

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

Personally I don't care if anyone believes me or not, any looking back at the history of Android exploits will likely see my work more often than not, especially with the Amazon FireOS. When appropriate, I will release.

Bonus tease for everyone else, modified recovery booting (just edited /res/ images to test booting unsigned code)

 

[jcase]

That is of no use to me or others who are looking/needing a priv esclation method for this device until its released. In the meantime I will continue down my path. If I get it before he releases I plan to do full disclosure. Hope I don't burn his exploits.

Why not join me in the process, instead of racing against? I'm looking to find less valuable bugs to use, instead of the more dangerous ones I am currently using. Feel free to ping me on freenode or gtalk.

Full disclosure, is something I do often, I believe I have accounted for the majority of open source android exploits. I really appreciate it when ppl explain what they are doing, love seeing the work of others, and love not having to reverse it.

 

[jcase]

Root and recovery would be good. I got like 28 days left before I can return my FireTV. Hopefully this will be done before then.

Current issues with releasing my work right now:

1) No way to interact with a custom recovery (possibly doable with keyboard) and no way to load files to flash without booting into android (possible to mount usb disk in recovery mode?).

2) Looking for a bug to exploit that is less abusable by others

#1 Someone more versed at recoveries is lookign at

#2 I'm working on currently.

 

[mknrls]

Current issues with releasing my work right now:

1) No way to interact with a custom recovery (possibly doable with keyboard) and no way to load files to flash without booting into android (possible to mount usb disk in recovery mode?).

2) Looking for a bug to exploit that is less abusable by others

#1 Someone more versed at recoveries is lookign at

#2 I'm working on currently.

From what im reading the only recovery that would would work on this device would be cwm because twrp is fully touch. Right @jcase

Sent from my Galaxy Nexus using Tapatalk

 

[jcase]

From what im seeing the only recovery that would would work on this device would be cwm because twrp is fully touch.

Sent from my Galaxy Nexus using Tapatalk

or another recovery, even standard AOSP recovery would work fine for my needs, but need to have both input, and a way to provide files to it

 

[mknrls]

or another recovery, even standard AOSP recovery would work fine for my needs, but need to have both input, and a way to provide files to it

True, i personally have never build a recovery from source but i think cwm would be ours best bet if only could find someone to do it lol

btw i think the odroid u2/u3 (dev board) uses the cwm recovery with the keyboard inputs and is supported by CM if that help man

Sent from my Galaxy Nexus using Tapatalk

 

[jcase]

True, i personally have never build a recovery from source but i think cwm would be ours best bet if only could find someone to do it lol

btw i think the odroid u2/u3 (dev board) uses the cwm recovery with the keyboard inputs and is supported by CM if that help man

Sent from my Galaxy Nexus using Tapatalk

Yeah keyboard is no issue, but still need a mountable media to store update.zip on, in the even /system or /userdata gets messed up

 

[mknrls]

Yeah keyboard is no issue, but still need a mountable media to store update.zip on, in the even /system or /userdata gets messed up

Wouldn't that be done in the fstab or something like that?

Sent from my Galaxy Nexus using Tapatalk

 

[jcase]

Would that be done in the fstab or something like that?

Sent from my Galaxy Nexus using Tapatalk

Sure, probably require usb splitter

 

[mknrls]

Sure, probably require usb splitter

I see lol now just need a dev to work on the recovery

Sent from my Galaxy Nexus using Tapatalk

 

[robclark]

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

It's overriding the following symbols:

bind
connect
getaddrinfo

so tampering with network somehow.. if no one knows what it does I'll spend some time reading the disasm and figure out.. first guess is intercepting connections to some address, possibly redirecting elsewhere?

 

[jcase]

http://pastebin.com/NAZKjiPu

It's overriding the following symbols:

bind
connect
getaddrinfo

so tampering with network somehow.. if no one knows what it does I'll spend some time reading the disasm and figure out.. first guess is intercepting connections to some address, possibly redirecting elsewhere?

I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC.

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

 

[robclark]

http://pastebin.com/NAZKjiPu

ok.. yeah, short version it looks like it is blocking some network connections. For example, the overridden connect() seems to open up a (I think local) socket connection (cached per thread), does some communication on that socket, then based on result fakes an error result (setting errno) or forwards the call to the real connect.


seems to be controlled by:

  v0 = isFeatureEnabled(1);
  v1 = isFeatureEnabled(3);
  v2 = isFeatureEnabled(4);

not sure what those feature constants correspond to.. googling for isFeatureEnabled() just digs up some java crap..