
KernelSU - Kernel-Assisted Superuser for Android Root Shell


zx2c4 (Recognized Developer, Paris, www.zx2c4.com)
Like being able to do quick cycles of `fastboot boot out/arch/arm64/boot/Image.lz4-dtb`, but annoyed by the lack of root this way? Well this atrocious idea might be the thing for you!

Git repo: https://git.zx2c4.com/kernel-assisted-superuser/about/

Instructions:

1. cd into your kernel tree.
2. Run this command:

curl -LsS "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" | bash -

3. Enable CONFIG_ASSISTED_SUPERUSER=y in your config.
4. Gain root by running su.

For so many reasons, this is an awful idea and totally insecure. Don't ship kernels to your users with this enabled! I've tested this on the Pixel 3.

XDA:DevDB Information
KernelSU - Kernel-Assisted Superuser for Android Root Shell, Kernel for all devices (see above for details)

Contributors
zx2c4
Source Code: https://git.zx2c4.com/kernel-assisted-superuser/about/

Version Information
Status: Snapshot

Created 2018-11-22
Last Updated 2018-11-23
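A pre-ship check for the warning in the post above, added here as an example and not part of the kernel-assisted-superuser project: it refuses a kernel tree whose .config (or, on a running device, /proc/config.gz, assuming the kernel exposes it) still has CONFIG_ASSISTED_SUPERUSER enabled, and flags the drivers/base/superuser.c file that fetch-and-patch.sh adds. Function names are my own.

```shell
#!/bin/sh
# Pre-ship check: refuse a kernel build that still has the kernel-assisted
# superuser driver enabled. Added example; the function names are my own.

# Exit 0 if the option is off, 1 if CONFIG_ASSISTED_SUPERUSER is enabled,
# 2 if the config file cannot be read.
assisted_su_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz on a running device
        *)    reader="cat" ;;
    esac
    # An active line is "CONFIG_ASSISTED_SUPERUSER=y"; the disabled form is the
    # comment "# CONFIG_ASSISTED_SUPERUSER is not set", which must not match.
    if $reader "$cfg" | grep -q '^CONFIG_ASSISTED_SUPERUSER=[ym]$'; then
        return 1
    fi
    return 0
}

# True if fetch-and-patch.sh has been applied to this tree (it adds this file).
superuser_driver_present() {
    [ -f "$1/drivers/base/superuser.c" ]
}

# Run both checks on a kernel tree; exit status 1 means it must not ship.
check_kernel_tree() {
    tree="$1"
    status=0
    if superuser_driver_present "$tree"; then
        echo "WARN: $tree/drivers/base/superuser.c is present (superuser patch applied)"
    fi
    rc=0
    assisted_su_enabled "$tree/.config" || rc=$?
    case $rc in
        0) echo "OK: CONFIG_ASSISTED_SUPERUSER is not enabled in $tree/.config" ;;
        1) echo "FAIL: CONFIG_ASSISTED_SUPERUSER=y in $tree/.config; do not ship this kernel"
           status=1 ;;
        2) echo "SKIP: no readable .config in $tree" ;;
    esac
    return $status
}

# Usage: check_kernel_tree /path/to/kernel-tree
```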
 

Xihexa.io (Member)
Can't get the patch to apply.

Code:
[+] Downloading
Please run this from the top level of your kernel tree.

I'm having the same problem, not really tripping on it tho since it's still a new thing.
Question though, would this theoretically become a solution/workaround for having a locked bootloader? Or does the OEM toggle still need to be a thing?
 

joluke (Senior Member)
Awesome stuff. Can't wait to see more development on it! Keep it up

Sent from my SM-N950F via Tapatalk
 

janjan (Recognized Developer, Aalborg, tweaksyourandroid.weebly.com)
Brilliant. Compiled and used successfully!

Do u mind sharing your secret? How did u apply the patch?

---------- Post added at 12:17 PM ---------- Previous post was at 12:13 PM ----------

Could you give me a link to the github for your kernel source?

Here you go. I tried with this kernel source. Theoretically it should work with every kernel source, or?

https://android.googlesource.com/kernel/msm.git/+/android-wear-8.0.0_r0.51

Thank you for your time.
 

ianmacd (Senior Member, Amsterdam)
Great concept. Thanks for developing it.

It's working like a charm here on an engineering build of APGK, although a lot of apps (e.g. AdGuard and Titanium Backup) don't recognise the availability of root via this mechanism.
 

zx2c4 (Recognized Developer, Paris, www.zx2c4.com)
Here you go. I tried with this kernel source. Theoretically it should work with every kernel source, or?

https://android.googlesource.com/kernel/msm.git/+/android-wear-8.0.0_r0.51

Thank you for your time.

Works for me:

Code:
[email protected] /tmp $ git clone --depth=1 -b android-wear-8.0.0_r0.51 https://android.googlesource.com/kernel/msm.git
Cloning into 'msm'...
remote: Counting objects: 54085, done
remote: Finding sources: 100% (54085/54085)
remote: Total 54085 (delta 1547), reused 16213 (delta 1547)
Receiving objects: 100% (54085/54085), 150.50 MiB | 4.91 MiB/s, done.
Resolving deltas: 100% (1547/1547), done.
Note: checking out 'd168a1c746673da2b858fd8be7e09553a9dd87a2'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

Checking out files: 100% (51192/51192), done.
[email protected] /tmp $ cd msm
[email protected] /tmp/msm $ curl -LsS "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" | bash -
[+] Downloading
[+] Patching
[+] Committing
[detached HEAD faebd9fb] android: Add superuser driver
 3 files changed, 153 insertions(+)
 create mode 100644 drivers/base/superuser.c
[+] Done!
[*] Remember to enable CONFIG_ASSISTED_SUPERUSER=y for this to work. Then simply use `su` for root.
 

janjan (Recognized Developer, Aalborg, tweaksyourandroid.weebly.com)
Works for me:
Code:
[email protected] /tmp $ git clone --depth=1 -b android-wear-8.0.0_r0.51 https://android.googlesource.com/kernel/msm.git
Cloning into 'msm'...
remote: Counting objects: 54085, done
remote: Finding sources: 100% (54085/54085)
remote: Total 54085 (delta 1547), reused 16213 (delta 1547)
Receiving objects: 100% (54085/54085), 150.50 MiB | 4.91 MiB/s, done.
Resolving deltas: 100% (1547/1547), done.
Note: checking out 'd168a1c746673da2b858fd8be7e09553a9dd87a2'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

Checking out files: 100% (51192/51192), done.
[email protected] /tmp $ cd msm
[email protected] /tmp/msm $ curl -LsS "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" | bash -
[+] Downloading
[+] Patching
[+] Committing
[detached HEAD faebd9fb] android: Add superuser driver
 3 files changed, 153 insertions(+)
 create mode 100644 drivers/base/superuser.c
[+] Done!
[*] Remember to enable CONFIG_ASSISTED_SUPERUSER=y for this to work. Then simply use `su` for root.

Yes. It works now. It works when I use "git clone --depth=1 -b".
It patched successfully and I also compiled without any issue. I will test the kernel later tonight and see if it works for arm. It is very useful for Android Wear/Wear OS. No need to use SuperSU and Magisk. I will let u know later. Thanks again for your effort to bring this. Keep it up.

UPDATE: I just tried to use it with the following kernel source.
https://android.googlesource.com/kernel/msm/+/android-wear-p-preview_r0.5
It applied successfully but it gives me an error when I try to compile.

Code:
CC      fs/debugfs/file.o
../drivers/base/superuser.c: In function 'superuser_init':
../drivers/base/superuser.c:120:39: error: '__NR_newfstatat' undeclared (first use in this function)
  read_syscall((void **)&old_ ## name, __NR_ ## name); \
                                       ^
../drivers/base/superuser.c:133:2: note: in expansion of macro 'read_and_replace_syscall'
  read_and_replace_syscall(newfstatat);
  ^
../drivers/base/superuser.c:120:39: note: each undeclared identifier is reported only once for each function it appears in
  read_syscall((void **)&old_ ## name, __NR_ ## name); \
                                       ^
../drivers/base/superuser.c:133:2: note: in expansion of macro 'read_and_replace_syscall'
  read_and_replace_syscall(newfstatat);
  ^
../scripts/Makefile.build:257: recipe for target 'drivers/base/superuser.o' failed
make[3]: *** [drivers/base/superuser.o] Error 1
../scripts/Makefile.build:402: recipe for target 'drivers/base' failed
make[2]: *** [drivers/base] Error 2
make[2]: *** Waiting for unfinished jobs....
  CC      fs/devpts/inode.o

It is kinda strange. It applied and let me compile successfully with source "android-wear-8.0.0_r0.51" but failed to compile with "android-wear-p-preview_r0.5". It gives me the above error.
 

ante0 (Senior Member, Stockholm)
Good job!

Kind of works as intended for me... Though, when I run 'su' in terminal I get:
"You are now root.
Killed".

However, I do have 'su' access in terminal without running it, so I guess it's kind of working as it should?
Only Root explorer has managed, so far, to work using your kernel su.
Titanium Backup complains about su not being found (It does look in /system/bin/su, so it should work I guess).

Edit: This is on a Mate 10 Pro using Pie.
 

Top Liked Posts
3 likes:
Great, actually amazing, work on this. I'm sure Google will be having a meeting of angry "security specialists" sometime soon crying about the future of Android.

Also can't wait for the first idiot to put this in their production kernel.

3 likes:
Great work @zx2c4
Worked fine on my OnePlus 5T, and even my kernel manager gained root privilege...
Looking forward to seeing this concept as a fully developed rooting solution in the near future...
Cheers...
2 likes:
A really amazing idea that needs to improve its implementation. Kinda curious to see how this will connect with a userland "Manager" app to allow or deny root permissions to specific apps.
Best of luck

2 likes:
Idk how LG works but if it's like Samsung with Odin you could potentially inject this SU into the kdz file or wherever the kernel is and flash with the LG Tool. Of course, if this were possible it would probably be more ideal to inject Magisk in there off the bat. Again, this is theoretical, idk if the kdz's have to be unmodified stock so it can be verified. Odin you can just flash as long as it's the correct format.

LG has done a really good job at locking down the bootloader; you can't inject any unsigned code. I've been poring over research manuals as well as known exploits and even a few zero-day exploits I know of from a few friends of mine, and nothing seems to work to get past the locked bootloader, and as I've said before LG doesn't seem to be willing to add this to their unlock list. I do appreciate the input though.