[Hisense A5 Pro CC] How to root/unlock bootloader?

Search This thread

KoboldDeekin

New member
Nov 12, 2021
1
0
Hello everyone, it's nice to meet ya all.
Are there any updates in this topic? I was wondering if I should buy the A5 Pro CC since I love the idea of an e-ink phone but this rooting problem and not being able to use some really basic apps is a real pain in the ..s if I could say that.
 

hrurg

New member
Oct 30, 2021
2
0
KoboldDeekin said:
Hello everyone, it's nice to meet ya all.
Are there any updates in this topic? I was wondering if I should buy the A5 Pro CC since I love the idea of an e-ink phone but this rooting problem and not being able to use some really basic apps is a real pain in the ..s if I could say that.
Good any time of the day!
In your case, I can only advise so far only A5 \ A5C for which there are already alternative firmware.
Or we are waiting)))
 

hrurg

New member
Oct 30, 2021
2
0
Hello everyone, it's nice to meet ya all.
Are there any updates in this topic? I was wondering if I should buy the A5 Pro CC since I love the idea of an e-ink phone but this rooting problem and not being able to use some really basic apps is a real pain in the ..s if I could say that.
Suggest to anyone with the technical skill to consider a few questions:
1. What is responsible for checking the signature in the update, the integrity of the update?
2. Where is this part of the program located and on which section of the android?
3. Can this section be deleted via Unisoc COM4?
4. Will Unisoc COM4 work after the luck in step 3?
It seems to me that in the absence of verification from the android SPD_Research_Tool will be able to write any ROM.

For my part, I can offer testing on my device.
 

ahmouse

Member
Jan 18, 2022
13
5
I have some (possibly) great news for everyone! I found a public exploit that likely works on this phone and would essentially allow full RW access to the ram, including kernel space. It is possible, according to the author of the exploit, to get temp root with this, so I'll post an update once I get a working demo (hopefully in a week or two, but no promises). I don't wanna post specifics publically just yet, in case a patch is pushed out or someone takes the idea and charges for it or does something malicious with it, but if you have knowledge about OpenCL and/or the Linux kernel please message me.

It probably won't allow unlocking the bootloader, but hopefully it can be a springboard to things such as installing Google Play, uninstalling bloatware, and especially gathering more info to get a permanent root solution.

I posted here so I can get as much help as possible from developers with OpenCL or Linux kernel experience, so again please let me know if you do have experience with those
 

drshaggh

Member
Feb 3, 2019
6
0
Hi, are you making any progress here? I have very limited Linux kernel experience but happy to provide what assistance I can
 

ahmouse

Member
Jan 18, 2022
13
5
Hi, are you making any progress here? I have very limited Linux kernel experience but happy to provide what assistance I can
I think so, but I'll have to do some testing first before I know for sure. As for how to help, this is gonna be the next step: lets say we have full R/W access to ram, including kernel memory, do you know where and what code to inject into kernel memory so that the kernel executes it for us?
 
  • Like
Reactions: markov aquamarine

ferlanero

Senior Member
Nov 4, 2008
289
103
León
www.ubuntuleon.com
I think so, but I'll have to do some testing first before I know for sure. As for how to help, this is gonna be the next step: lets say we have full R/W access to ram, including kernel memory, do you know where and what code to inject into kernel memory so that the kernel executes it for us?
Is there any updates regarding A5Pro CC rooting? I am following this process with great interest :)
 

ahmouse

Member
Jan 18, 2022
13
5
Is there any updates regarding A5Pro CC rooting? I am following this process with great interest :)
TL;DR I've tried a few different methods, slowly getting closer to root by process of elimination.
Also, if anyone wants to help, go to the Android Security Bulletin and check for any vulnerabilities with "High" severity, and a type of "EoP" that were posted later than June 5, 2020. If it doesn't say EoP, copy the vulnerability name ("CVE-XXXX-XXXXX") and search for it online. If it mentions privilege escalation, memory access, use-after-free, arbitrary code execution, or something similar, post it here

So far, not much. However I'll write about exactly what I'm trying to use to achieve root so more people can help. Firstly, the latest update for the phone that I know about uses the Android security patch for June 5, 2020. So, I've been looking for any privilege escalation exploits in the Android Security Bulletin that were posted later than that, meaning they're not patched on our phones.
After some research, I stumbled upon CVE-2021-28663, a security vulnerability on Mali GPUs that allows for full read-write memory access. The problem though is that the memory is read-only from the CPU, so only programs running on the GPU have full write access. There is a proof-of-concept script here, which seems to work on this phone, telling me that the phone is in fact vulnerable. A translation of the original white paper that describes the vulnerability (originally in Chinese) can be found here, and it has tons of useful information, especially the fact that the author said he gained root privileges using the exploit. The hard part is having a program execute on the GPU.
The author used OpenCL, however it turns out that the Hisense A5 Pro does not support it, and while looking for alternatives I found OpenGL and Vulkan. OpenGL doesn't have any way to write arbitrarily to memory, so I looked at Vulkan instead, which turned out to have an extension, VK_EXT_buffer_device_address, that let's us do just that. To my dismay, after spending many hours trying to get a Vulkan program to exploit this vulnerability, I learned that our phone doesn't support the VK_EXT_buffer_device_address extension, and thus Vulkan wouldn't work.

Now I'm trying to find another way to have our code execute on the GPU, and I've been reading through the Mali driver source code (available here) to find a way to do so. I plan to try to message the author of the original exploit, as well as some developers here on XDA that have successfully gained root via similar exploits.

In the mean time, if you can help with the programming and kernel-related stuff that would be awesome, otherwise, if you can find, or know of any other exploits that can be used, please let me know. The best way is to go to the Android Security Bulletin and check for any vulnerabilities with "High" severity, and a type of "EoP" that were posted later than June 5, 2020. If it doesn't say EoP, copy the vulnerability name ("CVE-XXXX-XXXXX") and search for it online. If it mentions privilege escalation, memory access, use-after-free, arbitrary code execution, or something similar, post it here!
 

Limio

Member
Jan 17, 2013
12
2
Thanks for the update :)

Are you sure about the Hisense A5 Pro not supporting OpenCL? I found the lib under: /system/vendor/lib/egl/libGLES_mali.so

Edit: there is also another OpenCL-lib here: /system/vendor/lib64/libGLES_mali.so

So when you check the OpenCL library, make sure you also check the corresponding lib64 folder (if you prefer arm64-v8a as the first ABI for your app, you may want to first check lib64 folder).

See also:
 
Last edited:

ahmouse

Member
Jan 18, 2022
13
5
Thanks for the update :)

Are you sure about the Hisense A5 Pro not supporting OpenCL? I found the lib under: /system/vendor/lib/egl/libGLES_mali.so

Edit: there is also another OpenCL-lib here: /system/vendor/lib64/libGLES_mali.so

So when you check the OpenCL library, make sure you also check the corresponding lib64 folder (if you prefer arm64-v8a as the first ABI for your app, you may want to first check lib64 folder).

See also:
You are correct. I didn't check the 32-bit library, however the 64 lib didn't have any symbols related to opencl after checking withstrings, objdump, and readelf. Also, I tried a few OpenCL testing apps, and none worked, but who knows how reliable they are. I'll double check the 32 bit library, though, just in case
 

Limio

Member
Jan 17, 2013
12
2
I guess the 32-bit library didn't include something promising regarding to opencl-support?

By the way, I found a russian forum which also is pretty active related to this phone...

They actually uploaded all the older firmware versions for the phone:

Of course all those are also .bin files and not .pac (unfortunately).
However, my guess would be that older versions of the firmware would be more vulnerable to exploits.
 

hodgsonw

New member
Feb 18, 2022
1
0
Hi,
I want to say best of luck, I'm also cheering for you ahmouse.

Checking the Android Security Bulletin there seem to be many High Severity EoP CVEs in the System, Framework, and Kernel categories since 2020.

I found a few High severity Unisoc CVEs in case a hardware specific approach to rooting is preferred.
Here I list them with their effected component.

The most promising two vulnerabilities look to be
a) CVE-2021-0635
which involves an error when extracting incorrectly formatted FLV files

and

b) CVE-2021-39658
which seems to involve an sms service that doesn't check permissions of a caller entity.
It says 3rd party apps could exploit this to modify system properties.



LIST OF UNISOC CVE SINCE JUNE 1 2020
Feb 2022
---------------------------
CVE-2021-39616 sprd-vowifi
CVE-2021-39635 ims_ex
CVE-2021-39658 IsmsEx

Jan 2022
---------------------------
CVE-2021-1049 slogmodem

Sep 2021
---------------------------
CVE-2021-0635 Video
CVE-2021-0636 Video

May 2021
--------------------------
CVE-2021-0324 Framework
I hope this helps, I'd love to see these phones rooted.
 

benathan

Member
Feb 19, 2022
5
1
Just stumbled on CVE-2021-33909. It affects many Linux distrubution but requires at least 5GB memory for exploitation. I haven't figured out how to port it to Android yet.
Exp: Here
Details: Here and Here
 
Last edited:

ahmouse

Member
Jan 18, 2022
13
5
I guess the 32-bit library didn't include something promising regarding to opencl-support?

By the way, I found a russian forum which also is pretty active related to this phone...

They actually uploaded all the older firmware versions for the phone:

Of course all those are also .bin files and not .pac (unfortunately).
However, my guess would be that older versions of the firmware would be more vulnerable to exploits.
I've made a useful bit of progress thanks to @hodgsonw
Scroll to the bottom to see how to modify your system properties, equivalent to using setprop but works on more properties ofc

@Limio
No it didn't, though it was a long shot.
Thanks for linking the forum and firmware, those may come in handy in the future. I'm glad to know there's enough people interested in rooting this phone that there's 4 or 5 forums dedicated to it

@hodgsonw
Thank you for posting your findings!
I briefly glanced over those CVEs before, but after looking more closely I realized they could be more useful than I thought. In fact, thanks to your post, I not only looked into CVE-2021-39658, but was able to successfully use it! It took a few days, but I'm now able to modify most system properties, however, the exploit wasn't able to change the important ones such as ro.secure and ro.adb.secure. I'm not sure if this will be of much use without those two, but if someone knows any other useful system properties please be sure to post it

@benathan Interesting find, I have a 6gb model so thankfully I can try to test it. I managed to compile it for the phone, however it didn't run properly since I didn't link the required libraries properly, so I'll look into that when I can.


Please be careful when modifying system properties!
In order to modify a property, run
Code:
adb shell service call ismsEx 6 i32 0 s16 "prop.to.change" s16 "value"
Also, this should work on any Unisoc/Spreadtrum based phone, not just Hisense

If it says something like "Not a data message" it means it failed, usually because the property is protected

Looking forward to finding more things like this!
 
Last edited:

timo.helfer

Senior Member
Jul 12, 2017
60
11
Awesome! Gonna try some stuff when I have time. Have you checked my post #52 if it could help to gain temp root?
 

ahmouse

Member
Jan 18, 2022
13
5
Awesome! Gonna try some stuff when I have time. Have you checked my post #52 if it could help to gain temp root?
Great!
I have, it seems to only check the system property via the corresponding get function to whats shown below, rather than setting it. I found that in the same class db.class, is another function which allows setting properties arbitrarily. It looks like this:
Java:
  public static void g(String paramString1, String paramString2) {
    try {
      Method method = Class.forName("android.os.SystemProperties").getMethod("set", new Class[] { String.class, String.class });
      method.setAccessible(true);
      method.invoke(null, new Object[] { paramString1, paramString2 });
    } catch (Exception exception) {
      exception.printStackTrace();
    }
  }

It's referenced a lot for setting various factory test related props, including ctl.start, which is used to have init start a service post-boot, and if the app can set that it can probably also change something like ro.secure. I don't even know if ro.secure can be changed while the system is running, but if we find a way to slip our own props in there may be a chance
 

benathan

Member
Feb 19, 2022
5
1
Just found out that we have a limited escalated shell (system(uid=1000)). To access it, go to EngineerMode -> DEBUG&LOG -> Adb shell.
 

ahmouse

Member
Jan 18, 2022
13
5
Just found out that we have a limited escalated shell (system(uid=1000)). To access it, go to EngineerMode -> DEBUG&LOG -> Adb shell.
Ty! I saw that shell but didn't even think to check its privileges, though it seems commands such as setprop are blocked. Some system services have functions that require certain permissions, so this shell probably has the permissions to run them, and I've confirmed the service call command isn't blocked. Using the shell and a service might provide us with even more options on the road to root

In more news, and I'm quite proud of myself for this new discovery: a way to read almost every system file.
Thanks to yet another system service that doesn't check permissions, I was able to read partitions such as boot and recovery, as well as build.prop and other files.

Unfortunately I wasn't able to read from init.rc and its related files. The deleting and writing functions don't seem to work, which is probably a good thing, and I couldn't find parameters that worked for them. I posted them anyways so everyone knows not to run those commands, just in case.

WARNING: Do not attempt to write to or delete any system files. Doing so will trip dm-verity and brick your device.

Like the previous service command, this should work on all unisoc phones. If you wanna test it on another phone, run
Code:
service list | grep factory_test
to see if your phone has the service installed.

Now, the command(s) you've been waiting for:
Replace /my/file/ with the path to the file you want to read from
Replace OFFSET with how many characters to skip in the beginning of the file
Replace LENGTH with how many characters to read, must be <= size of the file or the command won't return anything
If you want to read the whole file, run ls -l /my/file/, and replace LENGTH with the number that comes right before the date

Code:
service call factory_test 3 s16 "/my/file/" i32 OFFSET i32 LENGTH
Write to system file (unknown parameters, pretty useless):
Code:
service call factory_test 4
Delete system file (unknown parameters, pretty useless):
Code:
service call factory_test 5

Using this I was able to read from the partitions in /dev/block/by-name/, meaning we can take a full backup of the entire ROM, including some partitions that weren't even in the leaked firmware package

I'll keep on the hunt for any other services that expose very convenient functions like these last two
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    A new tablet, for the turkish market. General Mobile e-tab 20 has the same T610 Unisoc chip in it. The thing is that there is a way to download the pac file of this tablet. I was wondering, do you guys and girls think, it would be a good idea to use the fdl files from this tablet to my a5 pro cc or Q5, in order to root it?
    3
    Seems Hisense just released an update a few days ago and now some of the google apps work, Youtube works without a bypassing app and Google search too. Just play store still doesnt.

    EDIT: Seems to stop working as soon as you login though.
    EDIT 2: After looking around more, it seems as long as you dont install Google Services Framework AT ALL apps like Google Search, Youtube and Playstore will open and work, but you won't be able to sign in. The fact that com.google.android.gms is still in the blacklist hasn't changed with the update.
    3
    I have some (possibly) great news for everyone! I found a public exploit that likely works on this phone and would essentially allow full RW access to the ram, including kernel space. It is possible, according to the author of the exploit, to get temp root with this, so I'll post an update once I get a working demo (hopefully in a week or two, but no promises). I don't wanna post specifics publically just yet, in case a patch is pushed out or someone takes the idea and charges for it or does something malicious with it, but if you have knowledge about OpenCL and/or the Linux kernel please message me.

    It probably won't allow unlocking the bootloader, but hopefully it can be a springboard to things such as installing Google Play, uninstalling bloatware, and especially gathering more info to get a permanent root solution.

    I posted here so I can get as much help as possible from developers with OpenCL or Linux kernel experience, so again please let me know if you do have experience with those
    3
    Guys, I fear I cannot help, but I just registered to cheer you up and tell you that many of us are waiting for this to happen! So, thank you very much for the efforts!
    Looking forward to a solution hopefully :)
    2
    I just received this phone. But It cannot be unlocked by using identifier token(normal way to unlock SPD). And the official ROM of it have not been released yet.
    I had Linux and Win PC. A little bit of knowledge related to Android. By the way, this phone is running Android 10 in default.
    I could share the official ROM with you when it been published.
    I'm very glad if I could help you with anything.

    And I'm interest in rooting or unlocking this phone. If you know the way to do that, I'm glad to try it.

    This is not a perfect product. And the ppi of colored e-ink is very low(1/3 of normal e-ink). But it really make me feel exciting.
    I pretty want to share some images with you. But XDA could only insert the pic by URL. Could anyone share me some website could used for store my pics?