DirtyCow Test

adds08

Even if we get a root shell, there will be no SuperSu or TWRP unless we get an unlocked bootloader. The goal is to get a root shell so we can work on getting an unlocked bootloader through a root shell and/or I can pull the system.img and make a custom system like with the G4. Just letting everyone know so I can stop getting all of these PMs asking "WHEN WILL I HAVE ROOT WHAT'S THE ETA ON SUPERSU GIVE ME ROOT"
You do realize that just modifying the system img and injecting it with root is not enough due to strict kernel policy.. Plus if system img injection could root, I am pretty sure someone would have extracted the image and injected it with root... so that's that..
Also, having root will not by any means help with bootloader unlock...
And about SuperSU.. if true root is achieved then it will come..

Anyways, dirtycow needs a lot of other exploits on bootloader-locked MM, I guess.. On other phones with <MM and a locked bootloader it is feasible.
 

Sergykm

Even if we get a root shell, there will be no SuperSu or TWRP unless we get an unlocked bootloader. The goal is to get a root shell so we can work on getting an unlocked bootloader through a root shell and/or I can pull the system.img and make a custom system like with the G4. Just letting everyone know so I can stop getting all of these PMs asking "WHEN WILL I HAVE ROOT WHAT'S THE ETA ON SUPERSU GIVE ME ROOT"
Thanks for explaining, but I read one interesting piece of news: http://www.xda-developers.com/verizon-pixelpixel-xl-bootloader-unlock-has-been-released/
How did they do the bootloader exploit? Maybe they can help us unlock the bootloader for our phone?
I don't know, this is just interesting info for me.
Sorry for the trouble.

Sent from my LG-H850 using XDA-Developers mobile app
 

adds08

Thanks for explaining, but I read one interesting piece of news: http://www.xda-developers.com/verizon-pixelpixel-xl-bootloader-unlock-has-been-released/
How did they do the bootloader exploit? Maybe they can help us unlock the bootloader for our phone?
I don't know, this is just interesting info for me.
Sorry for the trouble.

Sent from my LG-H850 using XDA-Developers mobile app
Different bootloader ..
And as far as I know, some people involved in that have contributed hugely to LG phones and are no longer interested in LG because of some thieves who are wannabe hackers..
Sad..
 

adds08

Let's give it up for @jcadduono!!! This works for the LG V20 but in theory should work for all devices if built the correct way. I don't know if this will mess up a non-bootloader unlocked phone so I recommend trying this on a T-Mobile device first...

http://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594
Honestly annoying...
It is just a root shell for bootloader unlocked device.. Not even supersu is present at the moment.. He is working on twrp for unlocked device..
 

YassGo

Let's give it up for @jcadduono!!! This works for the LG V20 but in theory should work for all devices if built the correct way. I don't know if this will mess up a non-bootloader unlocked phone so I recommend trying this on a T-Mobile device first...

http://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594
I've just tried all the Commands on a H860 and we can have a root shell :)
Now we must find out how we can root this phone (even without TWRP) and so we can use Flash Fire...
@Honestly Annoying: Can someone from the V20 thread help us? We seem so close! :p
 

Veliion

Honestly annoying...
It is just a root shell for bootloader unlocked device.. Not even supersu is present at the moment.. He is working on twrp for unlocked device..
Maybe I'm reading this wrong but it gives you instructions on how to unlock the bootloader through ADB
 

Rayman31

H831 (Canadian Variant)

Sorry m8,

When trying to use the command, "adb reboot bootloader" on a H831 (Canadian Variant), it only reboots the device. Can't unlock bootloader, thus can't run exploit...

ADB does recognize the phone under the command, "adb devices" however fastboot/bootloader appears to be locked down here. And yes, under developer options the "Enable OEM unlock" option is selected. Nice to hear other variants can run the exploit but for us lonely Canadians, our first step is to unlock the bootloader lol.
 

Nathamio

Game Plan:
Use this to get elevated privileges to enable booting into bootloader.
Use dirty cow recovery exploit.
BAMBAM
I will poke all the ****ing buttons on my phone and if it breaks I'll get another (insurance :3) @Honestly Annoying if you have anything you need tested I'm your man!
 

Nathamio

Someone please test this. I can't right now (at work, don't have G5) so please update me. It works on my HTC 10 but I do not know if it will work on the G5...

CODE:

adb push arm64-v8a/dirtycow /data/local/tmp
adb push arm64-v8a/run-as /data/local/tmp
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell 'chmod 777 /data/local/tmp/dirtycow'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
I'm currently using this to manipulate ALL KINDS of files on this phone. You can replace pretty much any file with something else, might be able to trick it into thinking it's a different model and letting me OEM unlock :3
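
A defensive counterpart to the overwrite described in the post above, added here as an example and not posted by anyone in the thread: because the replacement lands inside an existing file without changing its size, a tampered `/system/bin/run-as` (or any other replaced file) is found by comparing content hashes against the stock image, not sizes. The function names, the manifest format and the sample files are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents below are constructed.

# Print the SHA-256 hex digest of a file (sha256sum, or shasum where that is absent).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tree MANIFEST ROOT
# MANIFEST lines: "<sha256>  <relative path>", built from the stock image.
# ROOT holds files pulled from the device, e.g. with
#   adb pull /system/bin/run-as ROOT/system/bin/run-as
# Prints "MODIFIED <path>" or "MISSING <path>" per mismatch; returns 1 if any.
verify_tree() {
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -r "$2/$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(file_sha256 "$2/$path")" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed demo: a "stock" tree and a "live" tree whose run-as has the same
# size as the stock one but different leading bytes.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/stock/system/bin" "$d/live/system/bin"
    printf 'STOCK-RUN-AS-0123456789' > "$d/stock/system/bin/run-as"
    printf 'OTHER-RUN-AS-0123456789' > "$d/live/system/bin/run-as"
    printf 'ro.product.model=demo\n' > "$d/stock/system/build.prop"
    cp "$d/stock/system/build.prop" "$d/live/system/build.prop"
    for f in system/bin/run-as system/build.prop; do
        echo "$(file_sha256 "$d/stock/$f")  $f"
    done > "$d/manifest"
    verify_tree "$d/manifest" "$d/live" || true
    rm -rf "$d"
}
demo
```
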
 

Sergykm

I'm currently using this to manipulate ALL KINDS of files on this phone. You can replace pretty much any file with something else, might be able to trick it into thinking it's a different model and letting me OEM unlock :3
Can you edit build.prop or replace any file? Does it really work?
 

Nathamio

Okay so, we need to replace the file /sys/fs/selinux/enforce with a version where the "1" is set to "0". we can't do that with dirtycow because we don't have read access. If we can modify a script that is run with permissions automatically by the android OS, we can have that script change the value, which will disable selinux and allow us to use dirtycow to enter a root shell! Then we can use said root shell to find an exploit to unlock the bootloader, and by seeing how hard it is to get around selinux, I can't imagine flipping some switch in some file to enable oem unlocking will be too hard.
 
Jan 30, 2014
20
2
0
I'm currently using this to manipulate ALL KINDS of files on this phone. You can replace pretty much any file with something else, might be able to trick it into thinking it's a different model and letting me OEM unlock :3
When I try this I get permission denied. "failed to copy 'dirtycow' to '/data/local/temp': Permission denied"

I am trying to modify files and folders on my phone that are locked. this is all. 20$ thru to whoever can help me accomplish root level browsing, and deletion of files and folders using this method. (preferably using windows or a shell on the g5 as I always have access to these.)

What is the arm64-v8a? Is it significant that the files come from this folder?

Please be patient. I am a novice. but I'm a novice with 20$ to the guy who helps me.
 

Jan 30, 2014
20
2
0
When I try this I get permission denied. "failed to copy 'dirtycow' to '/data/local/temp': Permission denied"

I am trying to modify files and folders on my phone that are locked. this is all. 20$ thru to whoever can help me accomplish root level browsing, and deletion of files and folders using this method. (preferably using windows or a shell on the g5 as I always have access to these.)

What is the arm64-v8a? Is it significant that the files come from this folder?

Please be patient. I am a novice. but I'm a novice with 20$ to the guy who helps me.
I can push the runas file but not dirtycow. why? (i tried just pushing run-as...corrected the command from the above post image to not be from the arm64-v8a directory)
 