KernelSU - Kernel-Assisted Superuser for Android Root Shell

zx2c4 (Recognized Developer, Paris, www.zx2c4.com):
Like being able to do quick cycles of `fastboot boot out/arch/arm64/boot/Image.lz4-dtb`, but annoyed by the lack of root this way? Well this atrocious idea might be the thing for you!

Git repo: https://git.zx2c4.com/kernel-assisted-superuser/about/

Instructions:

1. cd into your kernel tree.
2. Run this command:

curl -LsS "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" | bash -

3. Enable CONFIG_ASSISTED_SUPERUSER=y in your config.
4. Gain root by running su.

For so many reasons, this is an awful idea and totally insecure. Don't ship kernels to your users with this enabled! I've tested this on the Pixel 3.



XDA:DevDB Information
KernelSU - Kernel-Assisted Superuser for Android Root Shell, Kernel for all devices (see above for details)

Contributors
zx2c4
Source Code: https://git.zx2c4.com/kernel-assisted-superuser/about/

Kernel Special Features:

Version Information
Status: Snapshot

Created 2018-11-22
Last Updated 2018-11-23
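The warning above (never ship a kernel with CONFIG_ASSISTED_SUPERUSER enabled) is straightforward to enforce as a build gate. The following is an added example, not code from KernelSU or from anyone in this thread: it parses the Kconfig `.config` format and fails a release when that option is built in; the `.config` fragment is constructed and `RELEASE_FORBIDDEN` is an assumed list.

```python
"""Release gate for a kernel .config (added example, not KernelSU's own code).
The post warns never to ship a kernel with CONFIG_ASSISTED_SUPERUSER=y, so
this parses Kconfig's .config format and fails a release when it is enabled.
SAMPLE_CONFIG is constructed for the example."""
import re
import sys
from typing import Dict, List, Optional

# Kconfig writes `CONFIG_X=y|m|"str"|0x10|123` per option and records disabled
# bool/tristate options as the comment line `# CONFIG_X is not set`.
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Options that must stay off in shipped kernels; the post's option is listed.
RELEASE_FORBIDDEN = ("CONFIG_ASSISTED_SUPERUSER",)

# Constructed .config fragment resembling a test build made with the patch.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_ARM64=y
CONFIG_LOCALVERSION="-kernelsu-test"
CONFIG_ASSISTED_SUPERUSER=y
# CONFIG_DEBUG_KERNEL is not set
CONFIG_MODULES=y
"""

def parse_config(text: str) -> Dict[str, Optional[str]]:
    """Map each CONFIG_ option to its raw value, or None when 'is not set'."""
    options: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET_RE.match(line):
            options[m.group(1)] = m.group(2)
        elif m := _UNSET_RE.match(line):
            options[m.group(1)] = None
        # Other comment or blank lines carry no option state.
    return options

def release_violations(text: str) -> List[str]:
    """Return forbidden options that are built in (=y) or as a module (=m)."""
    options = parse_config(text)
    return [opt for opt in RELEASE_FORBIDDEN if options.get(opt) in ("y", "m")]

if __name__ == "__main__":
    # Usage: python check_config.py out/.config ; exit status 1 blocks the release.
    bad = release_violations(open(sys.argv[1]).read())
    for opt in bad:
        print(f"REFUSING release build: {opt} is enabled")
    sys.exit(1 if bad else 0)
```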

Xihexa.io (Member):
> Can't get the patch to apply.
>
> Code:
> [+] Downloading
> Please run this from the top level of your kernel tree.

I'm having the same problem, not really tripping on it tho since it's still a new thing.
Question though, would this theoretically become a solution/workaround for having a locked bootloader? Or does the OEM toggle still need to be a thing?

janjan (Recognized Developer, Aalborg, tweaksyourandroid.weebly.com):
> Brilliant. Compiled and used successfully!

Do you mind sharing your secret? How did you apply the patch?

---------- Post added at 12:17 PM ---------- Previous post was at 12:13 PM ----------

> Could you give me a link to the github for your kernel source?

Here you go. I tried with this kernel source. Theoretically it should work with every kernel source, or?

https://android.googlesource.com/kernel/msm.git/+/android-wear-8.0.0_r0.51

Thank you for your time.

ianmacd (Senior Member, Amsterdam):
Great concept. Thanks for developing it.

It's working like a charm here on an engineering build of APGK, although a lot of apps (e.g. AdGuard and Titanium Backup) don't recognise the availability of root via this mechanism.

ananjaser1211 (Recognized Developer / Recognized Contributor, Dubai, www.youtube.com):
This is a really interesting way of getting root access. This combined with an application to direct it would be amazing! Great work!
Can't wait to implement it in my test kernels. Reflashing root every build is annoying :laugh:

jprimero15 (Recognized Developer, Oof):
For arm64 only?? I tried it in a 3.4 kernel on an arm device and it gives an error when compiling with this patch.

zx2c4 (Recognized Developer, Paris, www.zx2c4.com):
> Here you go. I tried with this kernel source. Theoretically it should work with every kernel source, or?
>
> https://android.googlesource.com/kernel/msm.git/+/android-wear-8.0.0_r0.51
>
> Thank you for your time.

Works for me:

Code:
[email protected] /tmp $ git clone --depth=1 -b android-wear-8.0.0_r0.51 https://android.googlesource.com/kernel/msm.git
Cloning into 'msm'...
remote: Counting objects: 54085, done
remote: Finding sources: 100% (54085/54085)
remote: Total 54085 (delta 1547), reused 16213 (delta 1547)
Receiving objects: 100% (54085/54085), 150.50 MiB | 4.91 MiB/s, done.
Resolving deltas: 100% (1547/1547), done.
Note: checking out 'd168a1c746673da2b858fd8be7e09553a9dd87a2'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

Checking out files: 100% (51192/51192), done.
[email protected] /tmp $ cd msm
[email protected] /tmp/msm $ curl -LsS "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" | bash -
[+] Downloading
[+] Patching
[+] Committing
[detached HEAD faebd9fb] android: Add superuser driver
 3 files changed, 153 insertions(+)
 create mode 100644 drivers/base/superuser.c
[+] Done!
[*] Remember to enable CONFIG_ASSISTED_SUPERUSER=y for this to work. Then simply use `su` for root.

janjan (Recognized Developer, Aalborg, tweaksyourandroid.weebly.com):
> Works for me: [...]

Yes. It works now. It works when I use "git clone --depth=1 -b".
It patched successfully and I also compiled without any issue. I will test the kernel later tonight and see if it works for arm. It is very useful for Android Wear/Wear OS. No need to use SuperSU and Magisk. I will let you know later. Thanks again for your effort to bring this. Keep it up.

UPDATE: I just tried to use it with the following kernel source.
https://android.googlesource.com/kernel/msm/+/android-wear-p-preview_r0.5
It applied successfully but it gives me an error when I try to compile.

Code:
CC      fs/debugfs/file.o
../drivers/base/superuser.c: In function 'superuser_init':
../drivers/base/superuser.c:120:39: error: '__NR_newfstatat' undeclared (first use in this function)
  read_syscall((void **)&old_ ## name, __NR_ ## name); \
                                       ^
../drivers/base/superuser.c:133:2: note: in expansion of macro 'read_and_replace_syscall'
  read_and_replace_syscall(newfstatat);
  ^
../drivers/base/superuser.c:120:39: note: each undeclared identifier is reported only once for each function it appears in
  read_syscall((void **)&old_ ## name, __NR_ ## name); \
                                       ^
../drivers/base/superuser.c:133:2: note: in expansion of macro 'read_and_replace_syscall'
  read_and_replace_syscall(newfstatat);
  ^
../scripts/Makefile.build:257: recipe for target 'drivers/base/superuser.o' failed
make[3]: *** [drivers/base/superuser.o] Error 1
../scripts/Makefile.build:402: recipe for target 'drivers/base' failed
make[2]: *** [drivers/base] Error 2
make[2]: *** Waiting for unfinished jobs....
  CC      fs/devpts/inode.o
It is kinda strange. It applied and let me compile successfully with source "android-wear-8.0.0_r0.51" but failed to compile with "android-wear-p-preview_r0.5". It gives me the above error.

ante0 (Senior Member, Stockholm):
Good job!

Kind of works as intended for me... Though, when I run 'su' in terminal I get:
"You are now root.
Killed"

However. I do have 'su' access in terminal without running it, so I guess it's kind of working as it should?
Only Root explorer has managed, so far, to work using your kernel su.
Titanium Backup complains about su not being found (It does look in /system/bin/su, so it should work I guess).

Edit: This is on a Mate 10 Pro using Pie.