Status
Not open for further replies.
Search This thread

eousphoros

Senior Member
Feb 8, 2010
908
2,237
San Francisco
Not looking for any fancy one click all. Just a method to obtain uid 0. I can handle adb, I have a functioning toolchain and a sys admin level knowledge of Linux. Unfortunately I haven't had any success yet getting root.

My laziness and frustration has won over my cheapness. To that effect I would like to offer a 0.3 BTC bounty for a method to obtain root on this swanky device.

Update: Bounty paid. Received functioning method. Unfortunately I've been asked to not release it which I am happy to comply. Thanks! :)
 
Last edited:
  • Like
Reactions: kiddecks

eousphoros

Senior Member
Feb 8, 2010
908
2,237
San Francisco
jcase already rooted his. But I don't think he's shared it publicly yet.

I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC. ;)

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.
 

Cpasjuste

Senior Member
Jun 8, 2007
962
1,358
If someone have a spare device to donate (France) I'm willing to spent some time on it. I did a few cool things on the fire hdx 7" and could probably do some on this device. I think this device could be great if we get a stock ROM running !
 

TooSlo

Senior Member
Feb 20, 2009
744
72
Seattle, WA
I'll believe it when I see it.

http://forum.xda-developers.com/showpost.php?p=51688189&postcount=105

For those who don't want to click the link. Indeed it was @jcase. No, it wasn't released.

oxbg1H1.jpg
 

eousphoros

Senior Member
Feb 8, 2010
908
2,237
San Francisco

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC. ;)

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

Personally I don't care if anyone believes me or not, any looking back at the history of Android exploits will likely see my work more often than not, especially with the Amazon FireOS. When appropriate, I will release.

Bonus tease for everyone else, modified recovery booting (just edited /res/ images to test booting unsigned code)

 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
That is of no use to me or others who are looking/needing a priv esclation method for this device until its released. In the meantime I will continue down my path. If I get it before he releases I plan to do full disclosure. Hope I don't burn his exploits.

Why not join me in the process, instead of racing against? I'm looking to find less valuable bugs to use, instead of the more dangerous ones I am currently using. Feel free to ping me on freenode or gtalk.

Full disclosure, is something I do often, I believe I have accounted for the majority of open source android exploits. I really appreciate it when ppl explain what they are doing, love seeing the work of others, and love not having to reverse it.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
Root and recovery would be good. I got like 28 days left before I can return my FireTV. Hopefully this will be done before then.

Current issues with releasing my work right now:

1) No way to interact with a custom recovery (possibly doable with keyboard) and no way to load files to flash without booting into android (possible to mount usb disk in recovery mode?).

2) Looking for a bug to exploit that is less abusable by others

#1 Someone more versed at recoveries is lookign at

#2 I'm working on currently.
 

mknrls

Senior Member
Sep 12, 2013
666
748
Ottawa, ON
mknrls.com
Current issues with releasing my work right now:

1) No way to interact with a custom recovery (possibly doable with keyboard) and no way to load files to flash without booting into android (possible to mount usb disk in recovery mode?).

2) Looking for a bug to exploit that is less abusable by others

#1 Someone more versed at recoveries is lookign at

#2 I'm working on currently.

From what im reading the only recovery that would would work on this device would be cwm because twrp is fully touch. Right @jcase

Sent from my Galaxy Nexus using Tapatalk
 
Last edited:

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
From what im seeing the only recovery that would would work on this device would be cwm because twrp is fully touch.

Sent from my Galaxy Nexus using Tapatalk

or another recovery, even standard AOSP recovery would work fine for my needs, but need to have both input, and a way to provide files to it
 

mknrls

Senior Member
Sep 12, 2013
666
748
Ottawa, ON
mknrls.com
or another recovery, even standard AOSP recovery would work fine for my needs, but need to have both input, and a way to provide files to it

True, i personally have never build a recovery from source but i think cwm would be ours best bet if only could find someone to do it lol

btw i think the odroid u2/u3 (dev board) uses the cwm recovery with the keyboard inputs and is supported by CM if that help man

Sent from my Galaxy Nexus using Tapatalk
 
Last edited:

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
True, i personally have never build a recovery from source but i think cwm would be ours best bet if only could find someone to do it lol

btw i think the odroid u2/u3 (dev board) uses the cwm recovery with the keyboard inputs and is supported by CM if that help man

Sent from my Galaxy Nexus using Tapatalk

Yeah keyboard is no issue, but still need a mountable media to store update.zip on, in the even /system or /userdata gets messed up
 

robclark

Member
Apr 7, 2014
35
10
On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

It's overriding the following symbols:

bind
connect
getaddrinfo

so tampering with network somehow.. if no one knows what it does I'll spend some time reading the disasm and figure out.. first guess is intercepting connections to some address, possibly redirecting elsewhere?
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
http://pastebin.com/NAZKjiPu

It's overriding the following symbols:

bind
connect
getaddrinfo

so tampering with network somehow.. if no one knows what it does I'll spend some time reading the disasm and figure out.. first guess is intercepting connections to some address, possibly redirecting elsewhere?

I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC. ;)

On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.
 

robclark

Member
Apr 7, 2014
35
10

ok.. yeah, short version it looks like it is blocking some network connections. For example, the overridden connect() seems to open up a (I think local) socket connection (cached per thread), does some communication on that socket, then based on result fakes an error result (setting errno) or forwards the call to the real connect.


seems to be controlled by:

Code:
  v0 = isFeatureEnabled(1);
  v1 = isFeatureEnabled(3);
  v2 = isFeatureEnabled(4);

not sure what those feature constants correspond to.. googling for isFeatureEnabled() just digs up some java crap..
 
  • Like
Reactions: batcave
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 16
    It's bad form to ask a dev about updates... it's equally bad form for a dev to not release updates for extended periods of time.

    How the heck do you want me to update something that hasn't been released? FireTV hasn't even been out long.

    Do it yourself instead of complaining if you don't like me doing things on my own terms.

    Sent from my HTC One_M8 using XDA Premium 4 mobile app
    7
    I'll believe it when I see it. The kallsyms dump is pretty convincing but isn't absolute proof. I'll continue beating my firetv up in the meantime I guess. If i root mine first, I'll send myself the BTC. ;)

    On that note any one know why adb shell has an LD_PRELOAD library called libnimswrap.. looks like it touches a few interesting calls.

    Personally I don't care if anyone believes me or not, any looking back at the history of Android exploits will likely see my work more often than not, especially with the Amazon FireOS. When appropriate, I will release.

    Bonus tease for everyone else, modified recovery booting (just edited /res/ images to test booting unsigned code)

    6
    You are the first person to post "everything <but> root" in the whole thread.

    This thread should be closed.. Started off as a bounty.. bounty was paid and root was received..
    A different thread should be started if we are still looking for root. Very inconvenient for people to have to read the headlines on the internet that this device was rooted on the release day, then to have to read this whole thread to discover we still dont have root.
    6
    please share the root:(

    The root will be shared when the dev is ready. Asking for it is in poor taste and it was said that if it were released now, then amazon would be able to patch it with their next update. As soon as amazon releases the next update, then it will be shared when it is ready
    4
    That is of no use to me or others who are looking/needing a priv esclation method for this device until its released. In the meantime I will continue down my path. If I get it before he releases I plan to do full disclosure. Hope I don't burn his exploits.

    Why not join me in the process, instead of racing against? I'm looking to find less valuable bugs to use, instead of the more dangerous ones I am currently using. Feel free to ping me on freenode or gtalk.

    Full disclosure, is something I do often, I believe I have accounted for the majority of open source android exploits. I really appreciate it when ppl explain what they are doing, love seeing the work of others, and love not having to reverse it.