HD 10 (2017): Offline rooting

Search This thread
By:
Advanced…
G

Ganakim

Member
Oct 3, 2016
8
0
25
Orem
Getting access denied

I've followed the steps so far, but when I'm supposed to run the matrix command, it immediately tells me it can't access something... According to the ls above, it's not there, so it's not surprising it can't access it. I'm not sure what I'm missing
 
L

Leon298

New member
Jan 21, 2020
1
0
Works Great through Linux

Confirmed to work on Fire HD 10 5.3.7.0 (650601220)
Used through linux as it's super simple
noob guide ~~(Because i'm board)~~ open a terminal (Ctrl+Alt+T) and run these 3 cmds [Credits to @ k4y0z]
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix

this installs adb and everything you need to connect to the fire device. to use adb simply enter
adb shell
and your golden. follow the guide
 
C

cgf

Member
Feb 1, 2008
29
6
Works great. Thanks!

I thought I was stuck with the suboptimal wait-five-second behavior with the launcher hijack package and the new FireOS 5.3.7.0. But, this technique for rooting worked perfectly so I can now disable the FireOS launcher and enable an Android launcher via su.

Thanks for the time and effort it took to researching this and for documenting it so well.

What a relief to just see a normal Android home screen!

Now, I have to wonder if I want to install Lineage OS for the complete experience...
 
A

Avishay.a

Member
Feb 22, 2013
35
1
Hi,
I followed all the steps until I got the result:

Code:
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>

After, I used su command and got to a root shell.
I Installed SuperSU, updated binary as Normal, rebooted.

Though, I do not get a prompt to set SuperSU to Grant. Moreover, when I check with Root Checker I get that there's no root.

Any advice would be highly appreciated!
 
Y

Yucieue

New member
Feb 18, 2020
1
0
Hi, I got the following error at the Matrix step:

[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
Can not access /data/local/tmp/su
<WSRoot><InitResource>0x00000154</InitResource></WSRoot>
1|[email protected]:/data/local/tmp $

Apparently I cannot access /data/local/tmp/su
Any idea how to fix? Thanks in advance.
 
K

kapsi3980

New member
Apr 18, 2020
1
0
hi experts,
I have finally given up searching rooting method for my fire HD 8 5th gen but fir OS is 5.3.6.4. Can someone guide me to remove all Amazon stuff from it and install android. Please help
 
B

Beltar89

Member
Jan 24, 2019
21
2
Leon298 said:
Confirmed to work on Fire HD 10 5.3.7.0 (650601220)
Used through linux as it's super simple
noob guide ~~(Because i'm board)~~ open a terminal (Ctrl+Alt+T) and run these 3 cmds [Credits to @ k4y0z]
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix

this installs adb and everything you need to connect to the fire device. to use adb simply enter
adb shell
and your golden. follow the guide
Click to expand...
Click to collapse

Could you explain a little bit more?
Did you use files from first post? I have the same version but cannot get root yet.

regards
Beltar

Edit: Done, it works after hard reset
 
Last edited:
K

KingLeaf

New member
Dec 16, 2015
4
1
I can't get this to work on 5.6.8.0.
After getting root access and installing SuperSU and updating the binary, I'm not getting the pop-up to grand SuperSu access and root no longer works.
I've tried like 10 times and still no luck here.
 
M

Mlinko6

Member
Apr 10, 2020
23
7
Hi All,

I have a fire HD 10 7th gen, OS 5.6.8.0 and the script runs good:


[email protected]:/data/local/tmp/fire $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire

Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success

find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f9524a008 end:7f9524a2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 214219 /data/local/tmp/load1
fwrite is count 55008 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 41bab load1 = 344cb load2 = d6e0
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:269227
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc

open /proc
PID:204
find logd pid : cc
_inject_start_s:0x7f9524a008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 214219

[*] mmap 0x7f9503b000;
[*] exploit (patch)
[*] currently 0x7f9503b000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f9503b000 214219
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f9503b000=f97cff8c
[main]p_vdso_addr:0x7f95248000 p_vdso_buffer:0x400000
[*]set_ret_jmp
[*]set_ret_jmp 400410
[*]set_ret_jmp 400420

[main] write 1
Parent is over..status == 0
socket: No such file or directory
socket = 7
ret = ffffffff
connect
: No such file or directory
ret = ffffffff
find coe f
[main] write 2
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load2
warning: new file size (55008) and file old size (214219) differ
size: 55008

[*] mmap 0x7f95222000;
[*] exploit (patch)
[*] currently 0x7f95222000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f95222000 55008
checking the patch ... exploit
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedprocselfmemThread() done
madviseThread() done
[*] exploited 0x7f95222000=3a01dc
find coe 36
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/cp_sepolicy
size: 214219

[*] mmap 0x7f95006000;
[*] exploit (patch)
[*] currently 0x7f95006000=10007003a01dc
sched_setaffinity: Function not implemented[*] madvise = 0x7f95006000 214219
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s

<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : cp_sepolicy --> sepolicy
<WSRoot><Exploit>0x00000343</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>


my folder output is:

2|[email protected]:/data/local/tmp/fire $ ls -la
-rwxr-xr-x shell shell 109400 2021-01-06 12:13 Matrix
-rwxr-xr-x shell shell 67 2021-01-06 12:14 ddexe
-rwxr-xr-x shell shell 1756 2021-01-06 12:14 debuggerd
-rwxr-xr-x shell shell 202824 2021-01-06 12:13 fileWork
-rwxr-xr-x shell shell 629 2021-01-06 12:14 install-recovery.sh
-rwxr-xr-x shell shell 757256 2021-01-06 12:14 krdem
-rwxr-xr-x shell shell 23 2021-01-06 12:14 mount
-rwxr-xr-x shell shell 32817 2021-01-06 12:14 patch_boot.sh
-rwxr-xr-x shell shell 13592 2021-01-06 12:14 pidof
-rwxr-xr-x shell shell 53881 2021-01-06 12:14 push_root.sh
-rwxr-xr-x shell shell 1912 2021-01-06 12:14 start_wssud.sh
-rwxr-xr-x shell shell 75348 2021-01-06 12:14 su
-rwxr-xr-x shell shell 108480 2021-01-06 12:14 su_arm64
-rwxr-xr-x shell shell 6352731 2021-01-06 12:15 supersu.apk
-rwxr-xr-x shell shell 5476175 2021-01-06 12:14 supersu.zip
-rwxr-xr-x shell shell 101852 2021-01-06 12:14 supolicy
-rwxr-xr-x shell shell 177316 2021-01-06 12:14 toolbox
-rw-rw-rw- shell shell 0 2021-01-07 16:08 w
-rwxr-xr-x shell shell 38830 2021-01-06 12:14 wsroot.sh

but I can't get SuperSU to work. I can start ./su:
[email protected]:/data/local/tmp/fire $ ./su
1|[email protected]:/data/local/tmp/fire $

Can someone please help me out?

thank you!

KR
Rok
 
Michajin

Michajin

Senior Member
Oct 23, 2012
1,347
536
HolyDonus said:
how important is that last step? I was able to follow your guide and got my device rooted, but I couldn't delete com.wondershare.DashRoot or wondershare

it said I have no permission, I think
Click to expand...
Click to collapse
If you have root and want to fully unlock it is not important. It is just removing the garbage installed with the kingoroot. If you have full root access you should work on the full unlock and install magisk for root.... Unlocking and magisk work so much better.
 
H

HolyDonus

New member
Mar 24, 2021
4
0
Michajin said:
If you have root and want to fully unlock it is not important. It is just removing the garbage installed with the kingoroot. If you have full root access you should work on the full unlock and install magisk for root.... Unlocking and magisk work so much better.
Click to expand...
Click to collapse
I'm very confused by your post^

there is no Kingoroot by using the method in this thread, or am I mistaken? I have followed every step in this guide, so I have it rooted and SuperUser installed - why would I install Magisk now?

the only thing not working was that last step, as mentioned in my initial post
 
Michajin

Michajin

Senior Member
Oct 23, 2012
1,347
536
HolyDonus said:
I'm very confused by your post^

there is no Kingoroot by using the method in this thread, or am I mistaken? I have followed every step in this guide, so I have it rooted and SuperUser installed - why would I install Magisk now?

the only thing not working was that last step, as mentioned in my initial post
Click to expand...
Click to collapse
Ok, there were a few options in the OP... Magisk can be hidden from apps that detect root and add modules and is still being supported. Unlocking gives you the option to install custom roms and make back-ups. If you have root access and that is all you want, likely you are good to go. The wondershare looked like adware to me...
 
JJ2017

JJ2017

Senior Member
Jan 7, 2017
91
52
Huawei P20 Pro
Can confirm still working (y)
Just rooted a device with Fire OS 5.6.8.0 (659656820).
Did have to repeat it a couple of times though - got root on 3rd attempt.
Amazed still working after all this time!
Brilliant exploit, many thanks to the OP.
 
D

DJWatson

New member
Aug 22, 2021
1
0
Looks like the files are offline, could someone resupply them ? Would want to try it on FireOS 5.6.9.0.
 
B

Barron Arrow

Member
Aug 15, 2017
25
2
Michajin said:
Ok, there were a few options in the OP... Magisk can be hidden from apps that detect root and add modules and is still being supported. Unlocking gives you the option to install custom roms and make back-ups. If you have root access and that is all you want, likely you are good to go. The wondershare looked like adware to me...
Click to expand...
Click to collapse
This method worked for me to get basic root with SuperSu. I've been trying figure out how to install a custom ROM. How do I install Magisk and get full unlock?
 
You must log in or register to reply here.

Similar threads

D
Rapid Temporary Root for HD 8 & HD 10
Replies
1K
Views
422K
LLBlumire
LLBlumire
B
[TUT] ROOT HD10 (2017), HD8(2016-2017) - EASY SuperSu
Replies
642
Views
298K
mayur.3.92
mayur.3.92
S
[MASTER THREAD] Fire HD 8 (2017) (7th Generation)
Replies
1K
Views
304K
zkrbandit
zkrbandit
S
[GUIDE][NO ROOT][7TH GEN/OLDER] Disable System Apps on Fire HD 7/8/10:
Replies
387
Views
218K
C
CuF
B
[GUIDE] Remove all bloatware from your Fire HD 10 (2017)
Replies
48
Views
119K
D
Davidavdav

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 54
    R
    retyre
    Update: While this still works, there's an easier method here. Please try that first.

    Disclaimer #1: KingoRoot, dr.fone, and most other one-click rooting tools are characterized as malware. Should you use these tools? That decision is yours and yours alone. I do not own any of the tools that follow. All the links are to files that are publicly available.

    Disclaimer #2: This is a risky undertaking. If you encounter issues or, worse, end up with a brick, I (or the others here) will try to help you, but the risk is all yours.

    Disclaimer #3: This approach is not for everyone. If you lack a half-decent linear combination of (1) troubleshooting skills, (2) patience, (3) reading-comprehension skills, and (4) some love of risk, please stop here.

    Disclaimer #4: I have only tried this on the 2017 HD 10. If you try this on another device type and it works, please post in the appropriate forum. If you try this on another device type and it does not work, don't be shocked.

    NAQ (Never-Asked Questions):
    a. What is "offline" rooting?
    -- Rooting your device without needing access to the Internet (i.e., the rooting process requires no Internet connection; not on the phone/tablet, not on the computer).
    b . Aren't there a gazillion rooting threads for the 2017 HD 10, each claiming to be easier than its predecessors? Why even bother with this fancy "offline" stuff?
    -- All of those rooting threads use tools that require Internet access on the PC. What if those tools stop working because of server issues on their end?
    -- More importantly, it's well known that these one-click rooting tools extract and transmit a ton of device-identifying information (e.g., IMEI, Serial Number, ...) that is not central to the rooting process. Why give that up?

    For a few weeks now, I have been trying to come up with a rooting process that does not require any Internet access on the computer (we know KingoRoot and dr.fone need Internet access on the computer). I have finally figured out how. As a result, we should be able to root the 2017 HD 10 even if these rooting options cease to exist (assuming Amz updates are blocked at 5.6.0.1).

    While Kingo does a good job of hiding its root exploits (i.e., the scripts it fetches from the cloud), the good doctor is a bit more generous (its files are downloaded onto a folder on the disk). I copied everything from that folder after a successful root attempt on my test tablet and examined each file. I was able to tinker with the scripts and binaries after moving them to /data/local/tmp on my tablet, but wasn't able to achieve anything meaningful ... until tonight. Noting the presence of some weirdly-named files in that folder, I did a simple Google search and came up with this hit. Of particular interest is method 2 (ELF). Based on that reading and armed with the files from the folder on the disk, I was able to achieve root without Internet access on my computer. I have done so multiple times, w/ and w/o a fresh sideload of the 5.6.0.0 update .bin. The process succeeds more often than it fails (when it does fail, a reboot and retry usually works), not unlike failures with Kingo or the doctor. It's the same exploit after all.

    I am guessing Kingo uses a similar process, but does enough to make its scripts difficult to obtain offline. Access to the doctor's scripts and some clarity on the rooting procedure should help others on this forum make even greater progress.

    Update: See my post #10 in this thread for Kingo-related instructions. To do this with Kingo, you would complete steps 4 and 5 in this OP and then move to the steps in post #10.

    You will need to download a few files (for which you will, of course, need Internet on your computer):
    1. Download the exploits here (it's clear that the exploit that's working for the 2017 HD 10 is Dirty COW: CVE-2016-5195): 20165195.zip and SuperSU_18+.zip and extract to their respective folders.
    2. Copy all the files from the SuperSU_18+ folder into the 20165195 folder (overwriting wsroot.sh). Rename 20165195 to something simpler, say c. Inside the c folder, you should have the following binaries and scripts: ddexe, debuggerd, fileWork, install-recovery.sh, Matrix, pidof, start_wssud.sh, su, su_arm64, Superuser.apk, supolicy, toolbox, and wsroot.sh. You can delete Superuser.apk (we will be downloading SuperSU next).
    3. Download the SuperSU 2.82 SR5 apk from here (or search for another source). Move it to the c folder.
    4. Install the Fire's drivers and ADB+fastboot from here (if you haven't already done so).
    You will not need Internet access from this point forward.
    You should now have the c folder with 12 files and the SuperSU apk handy. If you lose root for whatever reason (or if you just want to test this out), you do not need KingoRoot or dr.fone. Follow these steps:
    5. Do the basics:
    -- Fire up your Fire.
    -- On your first boot, start the process by clicking on Continue, then click on any of the WiFi choices, click Cancel, choose Not Now, and then Skip. Once the Fire gets to the home screen, pull down the notification bar and enable airplane mode.
    -- Become a developer by tapping Serial Number (in Device Options) 7 times, go to Developer Options, and Enable ADB.
    -- Go to Security in Settings and enable Apps from Unknown Sources.
    -- Connect your Fire to the computer, Allow USB debugging on the tablet, check the popup box to Always allow from this computer (if this does not happen here, it will when you start adb next).
    -- Type adb shell in an administrative command prompt. You should enter the tablet as a user.
    6. On your computer, copy all the files from the c folder to the Fire's internal storage (/sdcard). Next, go to the command prompt with adb shell and copy the files to /data/local/tmp:
    Code: 
    cp /sdcard/c/* /data/local/tmp
cd /data/local/tmp
ls -l
    7. Change permissions:
    Code: 
    chmod 755 *
    8. This is the ballgame: Run:
    Code: 
    ./Matrix /data/local/tmp 2
    This tells Matrix to look for files in /data/local/tmp, with "2" installing su in /system/xbin ("1" installs su8 in /system/xbin). Wait for the process to complete (it will take a minute or two). If it's successful, you will see something like the following as it completes:
    Code: 
    [*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
    If it does not report success as depicted above (note that the memory address exploited might be different, but the end result has to be a "0" and "Done"), delete everything from /data/local/tmp/, (hard) reboot the tablet, and retry (starting from step 5). Failure is likely if an exploit check takes greater than 30 seconds, in which case the device may have to be manually rebooted.
    This is a sample of the entire output that should be generated:
    Code: 
    [email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
 extracting: /data/local/tmp/Bridge_wsroot.sh
 extracting: /data/local/tmp/krdirtyCow32
 extracting: /data/local/tmp/krdirtyCow64
 extracting: /data/local/tmp/libsupol.so
 extracting: /data/local/tmp/my.sh
 extracting: /data/local/tmp/mysupolicy
 extracting: /data/local/tmp/patch_script.sh
 extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
  [*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire

Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success

find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f8325c008 end:7f8325c2d8 size:2d0
sh  : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 210148 /data/local/tmp/load1
fwrite is count 54204 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
 load = 408a0 load1 = 334e4 load2 = d3bc
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:264352
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc

open /proc
PID:208
find logd pid : d0
_inject_start_s:0x7f8325c008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 210148

[*] mmap 0x7f83055000;
[*] exploit (patch)
[*] currently 0x7f83055000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83055000 210148
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f83055000=f97cff8c
 [main]p_vdso_addr:0x7f8325a000  p_vdso_buffer:0x400000
[*]set_ret_jmp
  [*]set_ret_jmp  400410
  [*]set_ret_jmp  400420

 [main] write 1
Parent is over..status == 0
socket: No such file or directory
socket = 7
ret = ffffffff
connect
: No such file or directory
ret = ffffffff
 find coe f
 [main] write 2
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load2
warning: new file size (54204) and file old size (210148) differ
size: 54204

[*] mmap 0x7f83236000;
[*] exploit (patch)
[*] currently 0x7f83236000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83236000 54204
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f83236000=8600a5
 find coe 36
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/cp_sepolicy
size: 210148

[*] mmap 0x7f83021000;
[*] exploit (patch)
[*] currently 0x7f83021000=10007008600a5
checking the patch ... exploit
sleep 1s
sched_setaffinity: Function not implementedsched_setaffinity: Function not implemented[*] madvise = 0x7f83021000 210148
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
madviseThread() done
procselfmemThread() done
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
    9. Confirm by getting to a root shell:
    Code: 
    su
    10. Install SuperSU from /sdcard/c/ (you can just click on Docs on your home screen, go to local storage, then the c directory, and install the apk).
    11. Open SuperSU and update binary as Normal (should be successful).
    12. Click to reboot.
    13. Set SuperSU to Grant as default access.
    14. Delete the two wondershare directories in /data/data-lib/:
    Code: 
    cd /data/data-lib
rm -r com.wondershare.DashRoot
rm -r wondershare
    15. Not required: Perform other cleanup as needed (look for files in /system/xbin, /system/bin, /data, ... based on install date/time, etc.). Mount /system writable if you're going to be cleaning up items in /system:
    Code: 
    su
mount -w -o remount /system
    View
    3
    R
    retyre
    The OP has been updated with all the steps and links to the required files. Please read the disclaimers before you begin.
    View
    3
    R
    retyre
    "Offline" rooting with Kingo

    This method is not as offline as the method in the OP, but here's how you can perform a variant of "offline" rooting with Kingo. I will begin by mentioning that Kingo's files are not easily accessible to the user, so you will have to have these files handy before you begin. Sadly, these files can only be obtained while Kingo is doing online rooting. Most (but not all, from what I have seen thus far) of these files are in your AppData\Local\Kingosoft\Kingo Root\files folder, but with different names.

    I figured out the actual file names by matching the file sizes in the \files folder on my PC with the files created by Kingo in /data/local/tmp on the tablet while the online Kingo rooting process is _ongoing_ (ls -al). As I mentioned earlier, not every file in /data/local/tmp is in \files, though (could be in other folders on the PC; I haven't looked yet). Following this post, I also did a hex dump of the traffic over USB, but nearly all of it was Kingo transferring its files to /data/local/tmp..

    Why does this have to be done while the rooting is in progress? Because Kingo cleans up the /data/local/tmp directory after the rooting is complete. In other words, you will have to copy the files from /data/local/tmp to /sdcard before the rooting completes. If you can do that, these are the files you will obtain: KingoUser.apk, busybox, ddexe, debuggerd, kingo, kingo_1b90d7d01 (likely a copy of KingoUser.apk), kingorootname, mkdevsh, su, suarm64, supolicy, suv7, install-recovery.sh, and libsupol.so (emphasis added to denote the required files). Some information is here as well.

    So, what's the best way to obtain these files at this point? Sadly, by rooting (again) with Kingo. (Since these files are not publicly available, I do not think it's right for me to upload them somewhere.) If you can get a hold of these files and save them off the tablet, your future Kingo rooting can be completely offline ... and _mucho_ simpler than the procedure currently in the OP.

    Here's what you would do with the aforementioned files:
    -- Do steps 4 and 5 in the OP.
    -- Download the SuperSU 2.79 apk from here and copy it to /sdcard.
    -- Copy all the files Kingo files to a folder on /sdcard (say, k).
    -- Copy everything from /sdcard/k to /data/local/tmp:
    Code: 
    cp /sdcard/k/* /data/local/tmp/
cd /data/local/tmp
ls -l
    -- Change permissions to execute:
    Code: 
    chmod 755 *
    -- This is the actual rooting command:
    Code: 
    ./kingo
    This should be done in less than a minute, after which you will be back at the shell prompt.
    -- Test root:
    Code: 
    su
    -- Mount /system writable to check:
    Code: 
    mount -w -o remount /system
    -- Install SuperSU 2.79 to get around the "su binary occupied" issue with later SuperSU versions. You should see installation failed (as usual), but things should be fine after the reboot.
    -- Set default access to Grant in SuperSU's settings.

    I have tested this multiple times. Works every time. Like I said, much easier than the method currently in the OP, but with the added challenge of obtaining non-public rooting files.

    How does Kingo root, you ask? The mkdevsh file in /data/local/tmp (it's not on the computer as far as I can tell) is the only script I could find. At this time, I do not know the exploit being used here; it appears to be significantly more efficient than the doctor's remedy, that's for sure. Anyone interested in reversing the "kingo" binary?
    View
    2
    F
    Finch32786
    german_psycho said:
    What exploit did you use?
    Tried the manual and Kingo method on 5.6.2.0, but still no root access for me :(
    Click to expand...
    Click to collapse

    I used the manual/offline method mentioned in post #1 (not the Kingo/step 10 one).
    I did have to reboot my device 1 or 2 times before it would apply (making sure to delete the files in /data/local/tmp & then copy them back)

    I have Nova Launcher & Google services all running on my 1st tablet now. I'm going to try this again on my 2nd tablet, hopefully tonight.
    View
    2
    F
    Finch32786
    Just to let everyone know, this method works on FireOS 5.6.2.0, build date: July 6th, 2018, 2:06PM.

    I recently purchased the 2-pack of Fire HD 10 Kids Edition Tablet (http://a.co/fUbZ7bg) for my 2 kids & was able to root using this method after accidentally allowing the OTA.
    View

New posts